vCloud Catalogs, Networking, and External Dependencies

Using A Direct External Network

The first, most obvious, and easiest option is to create what we call "Direct External" connections to the corporate network.  In some cases, depending on the size of the POC, we ask for one externally routable VLAN per organization so that each organization's external IP space and VLAN are separate.  Because of the nature of an external network, these are by default port group backed and need to be created in vCenter first.  They are just like every other "production" network in the enterprise, but they are considered "External" to the cloud constructs.  This allows simple, easy connectivity for all vApps to reach existing dependencies like Active Directory, and it allows the usual means of access over SSH or RDP.  Essentially it is just like having VMs on the same networks.  Sounds like a plan, right?

Well, there is a pro and a con to everything.  Although this method is easy for enterprises to follow, by default it still binds all vCloud-based vApps to the physical infrastructure and does not have very much flexibility.  It requires a vSphere administrator to set up port groups and network administrators to add VLAN trunks, basically no different from a standard vSphere implementation.  So does easy equal the right design?  Maybe so for some POCs, but I would submit that we may want to try the other methods to truly take advantage of the networking vCloud has to offer.  We can still use VLAN-backed pools and VCD-NI pools to provide isolated networks to vApps that we want to isolate on vApp networks, but generally the organization network is the same as the production network.

Using A vShield Edge NAT Routed Network

The other most common option is to put each organization behind its own NAT vShield Edge, not only to minimize external network IP address usage but also to gain the true multi-tenancy of the organization.  This allows multiple VLANs or VCD-NI networks to be created for each organization, as well as for the vApps themselves for fencing purposes.  Each vApp on the NAT-routed organization network can technically still reach Active Directory for joining the domain; however, the isolated network it is on may not be known to the Sites and Services configuration.  Also, there is no way to route back to that isolated network because, by default, it is isolated.  The core network will not know how to reach it unless static routes are configured, and even then the vShield Edge firewall rules will not allow traffic through by default.

Again, this model has both pros and cons.  The pro is that the isolation is there and the firewalls are in place; however, getting back to the VMs for SSH and RDP, although not impossible, is a challenge.  You can set up jump boxes or additional external addresses to reach some of them, but if you have a lot of vApps it can be tricky.  In this model we usually default to the remote console connections through vCloud Director for access, since that will almost always work.  That is also a process change for many administrators, but not a giant thing to grasp over time.
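To make the two designs above concrete, here is a small reachability model (an added example, not code from the post or from VMware's vCloud API) that captures the rules the text describes: a bridged "Direct External" network is reachable from the corporate core like any other trunked VLAN, while a NAT-routed organization network behind a vShield Edge needs all three of a route back, a NAT mapping or static route, and an explicit firewall allow before an administrator can reach a VM over SSH or RDP. All addresses, the rule format, and the default-deny inbound behaviour are constructed assumptions for the example.

```python
"""Reachability model for the two vCloud Director organization-network designs:
a "bridged" direct external network and a "natRouted" network behind a vShield
Edge.  Constructed example; the addresses, rule format and default actions are
assumptions, not vCD's or vShield's own schema."""

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class FirewallRule:
    """Simplified edge firewall rule (constructed, not vShield's rule format)."""
    direction: str            # "in" (external -> org network) or "out"
    dst_cidr: str             # destination network the rule matches
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "deny"

    def matches(self, direction: str, dst_ip: str, port: int) -> bool:
        return (self.direction == direction
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_cidr)
                and (self.dst_port is None or self.dst_port == port))


@dataclass
class VShieldEdge:
    external_ip: str
    internal_cidr: str
    # DNAT table: (external_ip, external_port) -> (internal_ip, internal_port)
    dnat: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    rules: List[FirewallRule] = field(default_factory=list)
    default_action: str = "deny"   # assumed: anything no rule allows is dropped

    def firewall_permits(self, direction: str, dst_ip: str, port: int) -> bool:
        for rule in self.rules:    # first matching rule wins
            if rule.matches(direction, dst_ip, port):
                return rule.action == "allow"
        return self.default_action == "allow"


@dataclass
class OrgNetwork:
    name: str
    cidr: str
    fence_mode: str                      # "bridged" or "natRouted"
    edge: Optional[VShieldEdge] = None   # only present for natRouted


@dataclass
class CoreRouter:
    """Corporate core: knows every trunked VLAN plus any static routes added."""
    known_vlans: List[str]
    static_routes: Dict[str, str] = field(default_factory=dict)  # cidr -> next hop

    def has_route(self, dst_ip: str) -> bool:
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in ipaddress.ip_network(c)
                   for c in self.known_vlans + list(self.static_routes))


def outbound_reachable(core: CoreRouter, net: OrgNetwork, dst_ip: str, port: int) -> bool:
    """Can a VM in net reach a corporate service (e.g. Active Directory)?"""
    if net.fence_mode == "bridged":
        return core.has_route(dst_ip)
    # natRouted: the edge SNATs the VM behind its external IP, which the core knows
    return net.edge.firewall_permits("out", dst_ip, port) and core.has_route(net.edge.external_ip)


def inbound_reachable(core: CoreRouter, net: OrgNetwork, dst_ip: str, port: int) -> Tuple[bool, str]:
    """Can an admin on the corporate network reach dst_ip:port inside net?
    Returns (reachable, reason) so the blocking layer is visible."""
    if net.fence_mode == "bridged":
        ok = core.has_route(dst_ip)
        return ok, ("bridged: reachable over the corporate VLAN" if ok
                    else "bridged: VLAN not trunked to the core")
    edge = net.edge
    # Path 1: admin targets the edge's external IP and a DNAT entry maps the port.
    translated = edge.dnat.get((dst_ip, port))
    if translated is not None:
        int_ip, int_port = translated
        if edge.firewall_permits("in", int_ip, int_port):
            return True, f"natRouted: DNAT {dst_ip}:{port} -> {int_ip}:{int_port}, firewall allows"
        return False, "natRouted: DNAT exists but edge firewall denies"
    # Path 2: admin targets the isolated address directly; needs a static route AND an allow.
    if not core.has_route(dst_ip):
        return False, "natRouted: core has no route to the isolated network"
    if not edge.firewall_permits("in", dst_ip, port):
        return False, "natRouted: static route exists but edge firewall denies by default"
    return True, "natRouted: static route and explicit firewall allow"


def build_demo() -> Tuple[CoreRouter, OrgNetwork, OrgNetwork]:
    """Constructed sample topology: one direct external org, one NAT-routed org."""
    core = CoreRouter(known_vlans=["10.0.0.0/24", "10.10.0.0/24"])  # AD subnet + external VLAN
    direct = OrgNetwork("OrgA-Direct", "10.10.0.0/24", "bridged")
    edge = VShieldEdge(external_ip="10.10.0.50", internal_cidr="192.168.100.0/24",
                       rules=[FirewallRule("out", "0.0.0.0/0", None, "allow")])  # domain join works
    routed = OrgNetwork("OrgB-Routed", "192.168.100.0/24", "natRouted", edge)
    return core, direct, routed


if __name__ == "__main__":
    core, direct, routed = build_demo()
    print("OrgA VM -> AD:", outbound_reachable(core, direct, "10.0.0.10", 389))
    print("OrgB VM -> AD:", outbound_reachable(core, routed, "10.0.0.10", 389))
    print("admin -> OrgA VM RDP:", inbound_reachable(core, direct, "10.10.0.20", 3389))
    print("admin -> OrgB VM RDP:", inbound_reachable(core, routed, "192.168.100.20", 3389))
```

Running it shows the asymmetry the post describes: both organizations can reach Active Directory, but only the bridged VM is reachable for RDP until a static route and a matching inbound allow rule (or a DNAT entry plus an allow rule) are added to the NAT-routed organization's edge.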


About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Before this he spent close to a decade working for VMware as a Principal Architect. Prior to his nine-plus years at VMware, Chris was a System Administrator who evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products business as the accountant, bookkeeper, and IT support. Chris also believes in both a healthy body and a healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody programs. Although technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.
