So last week I started on sort of an experiment that was really to investigate the new Organization Administrator features of the Edge Gateway in vCloud Director 5.1. I happen to have several public vCloud Director organizations, but for this purposes I am using the VMware vCloud Service Evaluation as it was just upgraded to version 5.1. As I started poking, some things became very clear to me about the new power and features available to TRULY build a hybrid cloud. In the original versions some of what I have built could have been done, but it would have taken a lot of work with vApp Networks and other multi-edge based design. I have successfully built what I would consider a vCloud Director Hybrid Cloud Architecture that essentially mimics some of the things you would do if you simply built a new physical datacenter. Some of the things that make this possible are:
- vShield Edge Gateway multi-interfaces
- vShield Edge Gateway full firewall capabilities
- vShield Edge Gateway VPN
- Organization Administrator ability to create new networks
Below is a rather large vCloud Director Hybrid Cloud Logical Network diagram that shows the various vApps and the various networks. This has been made possible solely by the new Organization Administrator capability for adding net routed and isolated networks.
vCloud Director Hybrid Cloud Architecture – Leveraging vApps
What you will notice is I have various vApps by application type. What you can also see is that there are Virtual Machines in those vApps where some are on the Public and others are on the Private networks. I can keep different vApps for construct purposes and containers for backup and restore with future 3rd party integrations. I can add Virtual Machines on the fly to any given vApp and maintain the organizational construct of them for other users. You can see there is a CentOS Test vApp that is owned by another user.
vCloud Director Hybrid Cloud Architecture – The New Edge Gateway
To some this may look no different from what some current organizations do to create multiple firewalled networks with their primary edge firewall device. Some of this is pulled from my past experience as a Checkpoint administrator for PC Connection, and how I know we had much of our original networks setup. The power from 1.5 to 5.1 comes in the ability for the organization Administrator to create and define the different network segments you see. In the previous version this was not possible and some could argue was a barrier to truly building your public cloud based Software Defined Datacenter, (SDDC).
vCloud Director Hybrid Cloud Architecture – Firewall Rules
Something that has been there for a while in the Edge Gateway was the ability to define the basic firewall rules. However, in 5.1 you can see that we can now create and define multiple SNAT and DNAT rules, along with very finite network source and destination based rules. This is one function that again will facilitate a design like this working. What you will also notice, and I found this through trial and error, is you can even define Network Protocols with the new Edge Gateway. In the case below notice the rule for ESP from the View Security Server to the View Connection Server to that they can establish IPSEC. The ESP Protocol does not use a port rather it is an IP protocol with the ID 50. This took me about a day to figure out I can just use the ESP name or the IP Protocol ID’s that are standards. Did anyone else know this was possible?
vCloud Director Hybrid Cloud Architecture – Next Steps
Now that I have built this remote vCloud Director Hybrid Cloud, complete with multiple networks, firewall rules, and vApps I am going to try to connect it to a physical datacenter. That will be another Software Defined Datacenter running in my home lab or possibly another location. Once I can get the VPN component established I should be able to show the full multi-site functionality of such a design where some workloads like web servers are in the vCloud Direction Hybrid Cloud and others are in the primary datacenter. At that point it’s all a matter of some networking and possible Active Directory configuration. I should mention I literally built this in about 3 days and it could have gone much faster with the use of existing server templates and other means of migrating workloads to the cloud itself. I spent a good portion of the build just getting new templates spun up. Also all of this was done manually, but you could automate much of the creation through tools and the vCloud API.
There is so much here to talk about that I may use some of it on an upcoming vBrown Bag, but I am trying to think about how I can also use this for some upcoming presentations like VMUG’s and other venues. I want people to see that you can now do a lot with vCloud Director and the SOftware Defined Datacenter if you just think about the design and the requirements. I’m sure I could do even more with this given the time, but it’s enough to show the point I think.