The most common initial task that I get asked for help on is connecting a newly deployed virtual machine in vCloud Air from the catalog to the internet so you can install other packages or update the operating system. This post is probably long overdue considering the number of times I have explained the fairly simple process to people so finally I have taken a moment to explain it here. This process will apply to both subscription and OnDemand provided in OnDemand you have purchased a public IP, where subscription accounts include them already.
There is a few basic assumptions here. First is that you have access to a subscription to vCloud Air, and that you know how to configure basic NAT and Firewall rules. By design vCloud Air comes with a default routed network for every new customer and we will assume that is the one you are using for your connectivity. This is easy because all default routed networks are deployed for s new customer with the same NAT P address range so it works for screen shots well. Also by design there is NO firewall or NAT rules in the Edge Gateway and everything is allowed as you determine. This is also a good thing, since there is no assumptions on what you as a consumer want to do. We will also assume you have deployed your virtual machine and it’s been assigned an IP address it simply cannot get out to the internet yet.
In order to get a virtual machine to “see” the internet it’s composed of a minimum of three things
- Either Use Gateway DNS or configure your own
- A source NAT rule (SNAT)
- A firewall rule
NOTE: All default routed networks use 192.168.109.0
The difference is simple really. The Source NAT rule just applies the outgoing NAT information to the packets exiting the firewall. However, having the SNAT rule does not allow the traffic to be allowed out of the network, that’s the firewall rule. So in effect if you do one and not the other, you still will not have internet access from your machine. You have two ways to create these rules either in the vCloud Air interface or the vCloud Director Interface.
Ensuring DNS Configuration
Although all default routed networks are deployed with a static IP pool range and machines will get an IP there is no DNS configured on the Organization network Properties. You will need to check/edit this using the manage advanced gateway settings to get you to the vCloud Director Interface. Simply highlight and rick click the Default Routed network, and select Edit Properties
Here you can either check the option to use the gateway DNS, or better yet assign your own DNS servers. Bear in mind if you have already deployed an AD server on the same network, you can use that here as well. Another note is if machines are already deployed they will need to be shutdown and restarted to pick up this change since the setting is not DHCP it is part of the static IP setting. This option is also used for DHCP on this network if you configure that in the Edge Gateway.
Creating The NAT Rule
This is pretty simple. All you need to do is click “Add On” and select Source Nat Rule
You will need to enter the NAT source manually, and in this case I have entered the ENTIRE subnet range for 192.168.109.0/24/ You will also see a drop down where you can see any Public IP addresses you have available to NAT externally on. It really does not matter which one you use, you can use the same one for all your Source NAT rules if you like
Once updated you can see here the Source Nat rule is in place. It is okay that it is an ANY:ANY rule because you are still going to control any access into or out of the environment from the firewall rules. If you did have more public IP addresses, you could do specific SNAT and DNAT rules to support 1:1 mappings but for this purpose I want to focus on just getting your new virtual machine on the internet.
Creating The Firewall Rule
This is actually quite simple. Assuming you just want to allow ANY traffic from the INTERNAL side of the Edge Gateway to the EXTERNAL side you can do this in one rule. Again you can get more finite and complex as you wish but since we are looking in this case to allow all machines on the subnet to access internet outbound we can use a single rule. Again click “Add One” and below you will see the configuration.
Once you save this you will be allowing any protocol from all INTERNAL sources to all EXTERNAL sources. At this point you should be able to get to the internet.
To review there is 3 basic things you need to make sure a virtual machine you deploy in a brand new vCloud Air environment can reach the internet.
- Configure the Organization Network DNS
- Apply a Source NAT (SNAT) rule
- Apply a firewall rule
I hope this helps people as they are experimenting with vCloud Air. I know this one question has come up a lot, so maybe this will prevent people from struggling with it.