Cloud and Connectivity
Agenda
Scope of the project
High-level Architecture
IP Address Design and Configurations
NAT configurations
Private cloud security settings
Installation of vCloud Connector server and node, and VPN settings
Migration of workload to and fro public cloud
Project Demo
Test cases and results
Problems encountered and resolutions
Scope of the project
Set up a private cloud named Cloud5
Installation of vCloud Connector and nodes
Configure the Cloud Security
Validate the Hybrid cloud connectivity
Migration of Workload to the Public cloud
Test cases and the results
Problem encountered and the resolutions
High-level Architecture
IP Address Design and Configurations
IP Address                      Purpose
172.16.210.61-172.16.210.70     Static IP pool of the external network.
172.16.210.62-172.16.210.65     IP pool sub-allocated from the external network's static pool, used for NAT rules.
172.16.210.61                   External IP of the organization gateway.
10.201.0.1                      Internal IP of the organization gateway.
172.16.210.63                   Translated (external) IP of VM2.
172.16.210.64                   Translated (external) IP of VM1.
10.201.0.2-10.201.0.29          Static IP pool of the organization network.
10.201.0.30-10.201.0.40         DHCP pool of the organization network.
10.201.0.8                      IP of VM1 inside the organization network.
10.201.0.6                      Translated IP of VM2 inside the organization network.
192.168.201.2-192.168.201.20    Static IP pool of the vApp network.
192.168.201.21-192.168.201.40   DHCP pool of the vApp network.
192.168.201.2                   IP of VM2 inside the vApp.
NAT rules: organization gateway
3 DNAT rules and 1 SNAT rule are applied on the organization gateway.
SNAT:
10.201.0.0/24 mapped to 172.16.210.62, protocol any
Explanation: The rule allows all internal traffic connected to the organization network to travel to the external network.
DNAT:
172.16.210.63 mapped to 10.201.0.6, protocol any
Explanation: The rule maps external traffic to VM2, which resides inside a vApp.
172.16.210.64 mapped to 10.201.0.8, protocol any
Explanation: The rule maps external traffic to VM1, which is directly connected to the organization network.
172.16.210.65 mapped to 10.201.0.7, protocol any
Explanation: The rule allows external traffic to reach VM3, which resides in another vApp.
NAT rules: vApp gateway
NAT:
IP translation is enabled on the vApp gateway, and the static IP 192.168.201 of VM W2K3-Base-Cloud5 is automatically mapped to 10.201.0.6.
Private Cloud Security
There are 5 firewall rules on the organization gateway (Cloud5 Gateway); they are shown below.
Outbound_org:
Source: internal, destination: any, protocol: any
Explanation: The rule allows all internal traffic connected to the organization network to travel to the external network.
Inbound_public63:
Source: any, destination: 172.16.210.63, protocol: any
Explanation: The rule allows traffic to pass to VM2, which resides in a vApp.
Inbound_public64:
Source: any, destination: 172.16.210.64, protocol: any
Explanation: The rule allows traffic to pass to VM1, which is directly connected to the organization network.
Inbound_public65:
Source: any, destination: 172.16.210.65, protocol: any
Explanation: The rule allows traffic to pass to VM3, which resides in a vApp.
Inbound_gateway:
Source: any, destination: 172.16.210.61, protocol: any
Explanation: The rule is to allow traffic to pass to the external
Private Cloud Security - continued
There are 2 firewall rules on the vApp gateway (Vapp-cloud5-network); they are shown below.
Allow_vapp_outbound:
Source: internal, destination: any, protocol: any
Explanation: The rule allows all internal traffic to propagate to the external network.
Allow_inbound_vapp:
Source: any, destination: 10.201.0.0/24, protocol: any
Explanation: The rule allows external or internal traffic to reach the vApp network.
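The rule tables above can be checked mechanically. The following Python model is an added example, not part of the original slides or of any VMware tooling: it encodes the seven rules as listed, evaluates which rule (if any) admits a given flow, and flags the rules that admit any source on any protocol. It assumes that "internal" means the gateway's own inside network from the IP design table, and that a flow matching no allow rule is dropped (a default-deny policy, which the slides do not state).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class FwRule:
    """One edge-gateway firewall rule as listed on the slides (allow rules only)."""
    name: str
    source: str        # "internal", "any", a single IP or a CIDR
    destination: str   # same forms as source
    protocol: str      # "any", "tcp", "udp" or "icmp"


# What the keyword "internal" stands for on each gateway (from the IP design table)
ORG_INTERNAL = [ipaddress.ip_network("10.201.0.0/24")]
VAPP_INTERNAL = [ipaddress.ip_network("192.168.201.0/24")]

# The five rules on the organization gateway "Cloud5 Gateway"
ORG_RULES = [
    FwRule("Outbound_org", "internal", ANY, ANY),
    FwRule("Inbound_public63", ANY, "172.16.210.63", ANY),
    FwRule("Inbound_public64", ANY, "172.16.210.64", ANY),
    FwRule("Inbound_public65", ANY, "172.16.210.65", ANY),
    FwRule("Inbound_gateway", ANY, "172.16.210.61", ANY),
]

# The two rules on the vApp gateway "Vapp-cloud5-network"
VAPP_RULES = [
    FwRule("Allow_vapp_outbound", "internal", ANY, ANY),
    FwRule("Allow_inbound_vapp", ANY, "10.201.0.0/24", ANY),
]


def _matches(spec: str, ip: str, internal) -> bool:
    """Does address `ip` satisfy a rule's source or destination field?"""
    if spec == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    if spec == "internal":
        return any(addr in net for net in internal)
    return addr in ipaddress.ip_network(spec, strict=False)


def first_match(rules: List[FwRule], internal, src: str, dst: str, proto: str) -> Optional[str]:
    """Name of the first rule that allows the flow, or None.

    None means no allow rule matched; this model assumes the gateway's default
    policy is deny (an assumption, not stated on the slides)."""
    for rule in rules:
        if (_matches(rule.source, src, internal)
                and _matches(rule.destination, dst, internal)
                and rule.protocol in (ANY, proto)):
            return rule.name
    return None


def overly_permissive(rules: List[FwRule]) -> List[str]:
    """Rules that admit any source on any protocol.

    Each such rule exposes every port of its destination to the whole external
    network; a tighter rule set lists only the protocols and ports the VM must
    serve and, for management access, the permitted source ranges."""
    return [r.name for r in rules if r.source == ANY and r.protocol == ANY]


if __name__ == "__main__":
    # Outbound ping from VM1 and inbound ping to VM1's public address (test cases later in the deck)
    print(first_match(ORG_RULES, ORG_INTERNAL, "10.201.0.8", "172.16.210.254", "icmp"))
    print(first_match(ORG_RULES, ORG_INTERNAL, "172.16.210.100", "172.16.210.64", "icmp"))
    print("any/any rules:", overly_permissive(ORG_RULES), overly_permissive(VAPP_RULES))
```

Running the audit shows that four of the five organization-gateway rules and one of the two vApp-gateway rules are any-source, any-protocol allows, so every DNAT target is reachable on all ports from the entire external network; restricting each inbound rule to the protocol the VM actually serves is the natural hardening step.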
Installation of vCloud Connector and nodes
Installed on the management cluster as vCloud Connector virtual appliances.
Nodes are managed by the vCC server. The Cloud5 node is the private cloud, and Cloud2 is the public cloud (from the perspective of Cloud5).
Cloud2 is registered with our vCC server and allows workload / template transfer between clouds.
Installation of vCloud Connector and nodes
1. The local endpoint is set to 172.16.210.61, which is the external IP of our private cloud organization gateway.
2. The peer ID and IP are set to the external organization gateway of the remote cloud, IP 172.16.213.31.
3. The peer network of the remote cloud is 10.81.0.0/24, which is the organization network of the remote cloud Cloud2.
4. Once the VPN configuration is done at our private cloud Cloud5, we create the VPN settings at the remote cloud Cloud2 using the peer settings.
Cloud Security: Establish IPSec VPN to remote Cloud
Migration of Workload to and fro the Public cloud
Test cases and the results
To test outbound firewall and NAT settings for VM1
[Diagram: workstation - External network - External router 172.16.210.254 - Cloud5 Org Edge - Organization network - vApp Edge - vApp network - VM1 (10.201.0.8) and VM2]
To test the outbound firewall and NAT rules for VM1, ping from VM1 to the external router IP 172.16.210.254.
NAT rule for VM1: 10.201.0.0/24 mapped to 172.16.210.62 (Org Edge)
Firewall rule for VM1: Internal to any, protocol: any (Org Edge)
Test cases and the results - continued
To test inbound firewall and NAT settings for VM1
[Diagram: workstation - External network - External router - Cloud5 Org Edge - Organization network - vApp Edge - vApp network - VM1 (10.201.0.8) and VM2]
To test the inbound firewall and NAT rules for VM1, ping from the workstation to VM1 external IP 172.16.210.64.
NAT rule for VM1: 172.16.210.64 mapped to 10.201.0.8 (Org Edge)
Firewall rule for VM1: Any to 172.16.210.64 (Org Edge)
Test cases and the results - continued
To test outbound firewall and NAT settings for VM2
[Diagram: workstation - External network - External router 172.16.210.254 - Cloud5 Org Edge - Organization network - vApp Edge - vApp network - VM1 and VM2 (192.168.201.2)]
To test the outbound firewall and NAT rules for VM2, ping from VM2 to the external router IP 172.16.210.254.
NAT rules for VM2: IP translate 192.168.201.2 to 10.201.0.6 (vApp Edge); 10.201.0.0/24 mapped to 172.16.210.62 (Org Edge)
Firewall rule for VM2: Internal to any, protocol: any (same for Org and vApp Edge)
Test cases and the results - continued
To test inbound firewall and NAT settings for VM2
[Diagram: workstation - External network - External router - Cloud5 Org Edge - Organization network - vApp Edge - vApp network - VM1 and VM2 (192.168.201.2)]
To test the inbound firewall and NAT rules for VM2, ping from the workstation to VM2 external IP 172.16.210.63.
NAT rules for VM2: 172.16.210.63 mapped to 10.201.0.6 (Org Edge); IP translate 192.168.201.2 to 10.201.0.6 (vApp Edge)
Firewall rules for VM2: Any to 172.16.210.63 (Org Edge); Any to 10.201.0.0/24 (vApp Edge)
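The four test cases differ only in which edges rewrite the packet and in which direction. The Python model below is an added example, not part of the original slides or of any VMware tooling: it holds the SNAT and DNAT tables of the two edges as listed in the NAT slides, traces the source address of an outbound packet hop by hop, traces the destination of an inbound packet to the VM that finally receives it, and checks that every public address used by NAT lies inside the sub-allocated pool 172.16.210.62-172.16.210.65. The vApp edge's "IP translation" of VM2 is modelled as a 1:1 SNAT/DNAT pair (an assumption about how that feature behaves), and VM3's own vApp edge is not modelled because the slides do not describe it. Firewall rules are deliberately left out here; this traces only address translation.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class NatEdge:
    """A gateway holding a source-NAT table and a destination-NAT table.

    SNAT entries: (source network, translated address).
    DNAT entries: (address on the outside, address on the inside)."""

    def __init__(self, name: str, snat=(), dnat=()):
        self.name = name
        self.snat: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]] = [
            (ipaddress.ip_network(net), ipaddress.ip_address(to)) for net, to in snat]
        self.dnat: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = {
            ipaddress.ip_address(outside): ipaddress.ip_address(inside) for outside, inside in dnat}

    def outbound(self, src):
        """Source address after this edge, for a packet leaving the inside."""
        for net, translated in self.snat:
            if src in net:
                return translated
        return src

    def inbound(self, dst):
        """Destination address after this edge, for a packet arriving from the outside."""
        return self.dnat.get(dst, dst)


# vApp edge: VM2's IP translation, modelled as a 1:1 mapping in both directions (assumption)
VAPP_EDGE = NatEdge("Vapp Edge",
                    snat=[("192.168.201.2/32", "10.201.0.6")],
                    dnat=[("10.201.0.6", "192.168.201.2")])

# Organization edge: the one SNAT rule and three DNAT rules from the slides
ORG_EDGE = NatEdge("Cloud5 Org Edge",
                   snat=[("10.201.0.0/24", "172.16.210.62")],
                   dnat=[("172.16.210.63", "10.201.0.6"),
                         ("172.16.210.64", "10.201.0.8"),
                         ("172.16.210.65", "10.201.0.7")])

VAPP_NET = ipaddress.ip_network("192.168.201.0/24")

# The pool sub-allocated from the external network for NAT use (IP design table)
NAT_POOL = [ipaddress.ip_address(f"172.16.210.{host}") for host in range(62, 66)]


def trace_outbound(src_ip: str) -> List[Tuple[str, str]]:
    """Hop-by-hop source address of a packet leaving a VM, as each edge rewrites it."""
    src = ipaddress.ip_address(src_ip)
    edges = [VAPP_EDGE, ORG_EDGE] if src in VAPP_NET else [ORG_EDGE]
    trace = []
    for edge in edges:
        src = edge.outbound(src)
        trace.append((edge.name, str(src)))
    return trace


def trace_inbound(public_ip: str) -> Optional[List[Tuple[str, str]]]:
    """Hop-by-hop destination of a packet arriving at a public address.

    Returns None when the organization edge has no DNAT entry for the address,
    i.e. the packet is not forwarded to any VM (172.16.210.61, the gateway's
    own external IP, is one such case)."""
    dst = ipaddress.ip_address(public_ip)
    inside = ORG_EDGE.inbound(dst)
    if inside == dst:
        return None
    hops = [(ORG_EDGE.name, str(inside))]
    deeper = VAPP_EDGE.inbound(inside)
    if deeper != inside:            # the target lives behind the vApp edge
        hops.append((VAPP_EDGE.name, str(deeper)))
    return hops


def nat_ips_outside_pool(edge: NatEdge, pool) -> List[str]:
    """Public addresses used in the edge's NAT rules that are not in the sub-allocated pool."""
    used = [to for _, to in edge.snat] + list(edge.dnat)
    return [str(ip) for ip in used if ip not in pool]


if __name__ == "__main__":
    print("VM1 outbound:", trace_outbound("10.201.0.8"))
    print("VM2 outbound:", trace_outbound("192.168.201.2"))
    print("inbound .64:", trace_inbound("172.16.210.64"))
    print("inbound .63:", trace_inbound("172.16.210.63"))
    print("NAT IPs outside pool:", nat_ips_outside_pool(ORG_EDGE, NAT_POOL))
```

The double translation for VM2 (192.168.201.2 to 10.201.0.6 at the vApp edge, then 10.201.0.6 to 172.16.210.62 outbound or 172.16.210.63 inbound at the organization edge) is what makes the VM2 tests need rules on both edges, while VM1 needs only the organization edge; the pool check catches the common misconfiguration of a NAT rule referencing an external address that was never sub-allocated to the organization.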
Problem encountered and the resolutions
vSphere client alerts: insufficient memory