How to Build a vCloud vApp DMZ

Okay I admit sometimes I spend too many late nights coming up with some goofy ideas.  However this one actually panned out as a real work vCloud Director Networking example you can use to see how flexible vCloud Director Networking could be.  The idea started from me wanting to rebuild by WordPress installation from a single server stack to a distributed two server Apache Web and MySQL setup.  Pretty standard use case for a two server setup.  Now I will NOT be covering the installs, setup etc of the applications here maybe that will be another day.

The idea was to have a single vCloud vApp with two virtual machines in it.  That itself is pretty easy and you can see below the single vApp container with the two virtual machines.

Let’s take a look at the network diagram below so I can explain what I got set up and working 

What we see is that the Web Server is connected to the 1743-Public network which is my Organization network provided for me.  That’s an easy enough one to understand for sure.  You can also see the three basic firewall rules needed below for web access to the server for HTTP/SSL/SSH.  It goes without saying that there is an external IP assigned on the internet side of the Organization Network as well.

Next we can examine the virtual machine view and see that the two virtual machines are in fact connected to two different vCloud Network interfaces.

 Note that the MySQL virtual machines also has an External IP Address assigned.  This is done automatically by the vApp vShield Edge when the virtual machine is assigned to it which we will see next.  The vCloud vApp Networking tab is where we can see that the vApp network was created before assigning it to the MySQL virtual machine.  Note that the ‘Always use assigned IP Addresses…” check box is enabled.  This is important for when you power cycle the vApp you want to maintain the networking!  You can also see that the vApp Network is attached to the Provided Organization Network so it will route outbound to the internet for patches and updates.

This is where the really cool part comes in.  We now have a Web Server connected to the org Network with an External IP and three firewall rules.  We need to now allow the Web Server to connect to the MySQL server on Port 3306 and SSH so we can manage it from the  Web Server and connect to MySQL.  That’s as easy as writing two rules in the vApp Network Firewall

These rules basically show that ONLY the Web Server IP Address can access ONLY the MySQL Server IP Address on Port 22 and 3306.

Solution Summary:

What this simple example shows is that you can create a single vApp in a flexible way but also create a vApp based DMZ for virtual Machines part of that vApp.  Provided the N-Tier servers only need to be access by the first tier, this works really well and now I we have a setup where only the Web Server is exposed to the internet, yet the MySQL tier is again protected by its own firewall.  What this really shows you is that as vCloud Administrators and Application folks, we need to not only understand networking, but now routing, and firewall rule as well.  This structure is no different from if these had been physical servers in a data center on physical switches with hardware firewalls between them.

This shows a great use case on a small-scale of what you can do for a real word application.  How do I know it is a real world scenario?  You are reading about it hosted from these very two servers shown in the diagrams.  Pretty cool right?  Next will be duplicating the setup in a second cloud connected by vShield VPN between Organization Edge Devices and putting MySQL Replication in place with a backup Web Server….just for fun.

Some may ask why I did all this with a small set of WordPress sites that only get about 900 hits a day….. because I can…..that’s why….and it’s a fun learning experience.

About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Previously to this he spent close to a decade working for VMware as a Principal Architect. Previous to his nine plus years at VMware, Chris was a System Administrator that evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products as the accountant, book keeper, and IT Support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody Programs. Although Technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.

5 comments

  1. Great stuff Chris. Over the last year it’s been an eye opener to see how much networking ‘stuff’ can be done w/ vShield. I’ll definitely include this in my customer sessions about vCD networking/use cases.

  2. Great stuff Chris, keep up the good work! When I get back from VMworld I think I’m going to tackle migrating WordPress from Windows Server 2003 to 2008R2 and from MySQL to SQL2008R2

    • I did this all on CentOS 6.3 so there is no bloat. Maybe I will write that up on the plane but it is very nice on those platforms. Easy and small footprint leaving most disk space for the database and the file uploads.

  3. Nice write up, it’s the same thing I put in production for a customer who wanted MSSQL isolated from their web server this summer. I also had to do a double NAT on their public facing vShield edge since they wanted temporary external access to the SQL box on a public IP. Definitely need to keep the Visio diagram up to date so I knew what was going where.

Leave a Reply

Your email address will not be published. Required fields are marked *