
Configuring Hybrid Cloud and Connectivity
Agenda
Scope of the project
High-level Architecture
IP Address Design and Configurations
NAT configurations
Private cloud security settings
Installation of Vcloud connector server and node and VPN settings
Migration of workload to and fro public cloud
Project Demo
Test cases and results
Problems encountered and resolutions
Scope of the project
Set up a private cloud named Cloud5
Installation of vCloud Connector server and nodes
Configure the Cloud Security
Validate the Hybrid cloud connectivity
Migration of Workload to the Public cloud
Test cases and the results
Problem encountered and the resolutions
High-level Architecture
IP Address Design and Configurations
IP Address                      Purpose
172.16.210.61-172.16.210.70     Static IP pool of the external network
172.16.210.62-172.16.210.65     IP pool sub-allocated from the external static pool for NAT rules
172.16.210.61                   External IP of the organization gateway
10.201.0.1                      Internal IP of the organization gateway
172.16.210.63                   Translated external IP of VM2
172.16.210.64                   Translated external IP of VM1
10.201.0.2-10.201.0.29          Static IP pool of the organization network
10.201.0.30-10.201.0.40         DHCP pool of the organization network
10.201.0.8                      IP of VM1 inside the organization network
10.201.0.6                      Translated IP of VM2 inside the organization network
192.168.201.2-192.168.201.20    Static IP pool of the vApp network
192.168.201.21-192.168.201.40   DHCP pool of the vApp network
192.168.201.2                   IP of VM2 inside the vApp
NAT rules organization gateway
3 DNAT rules and 1 SNAT rule are applied on the organization gateway.
SNAT:
10.201.0.0/24 mapped to 172.16.210.62, protocol any
Explanation: The rule allows all internal traffic from the organization network to travel to the external network; every internal host appears externally as 172.16.210.62.
DNAT:
172.16.210.63 mapped to 10.201.0.6, protocol any
Explanation: The rule maps external traffic to VM2, which resides inside a vApp (10.201.0.6 is the vApp gateway's translated address for VM2, so the traffic is translated a second time at the vApp gateway).
172.16.210.64 mapped to 10.201.0.8, protocol any
Explanation: The rule maps external traffic to VM1, which is directly connected to the organization network.
172.16.210.65 mapped to 10.201.0.7, protocol any
Explanation: The rule maps external traffic to VM3, which resides in another vApp.
NAT rules vApp gateway
NAT:
IP translation is enabled on the vApp gateway, and the static IP 192.168.201.2 of VM W2K3-Base-Cloud5 is automatically mapped to 10.201.0.6 on the organization network.
Private Cloud Security
Private Cloud Security - continued
There are 5 rules in the organization gateway Cloud5 Gateway, listed below as source, destination, protocol. Note that every inbound rule uses source any and protocol any: the edge filters on the destination address only, so each DNAT target is reachable on all ports from any external host.
Outbound_org:
source internal, destination any, protocol any
Explanation: The rule allows all traffic from the organization network to travel to the external network.

Inbound_public63:
source any, destination 172.16.210.63, protocol any
Explanation: The rule allows traffic to pass to VM2, which resides in a vApp (via the DNAT rule for 172.16.210.63).

Inbound_public64:
source any, destination 172.16.210.64, protocol any
Explanation: The rule allows traffic to pass to VM1, which is directly connected to the organization network.

Inbound_public65:
source any, destination 172.16.210.65, protocol any
Explanation: The rule allows traffic to pass to VM3, which resides in a vApp.

Inbound_gateway:
source any, destination 172.16.210.61, protocol any
Explanation: The rule is to allow traffic to pass to the external
Private Cloud Security - continued

There are 2 rules in the vApp gateway Vapp-cloud5-network, listed as source, destination, protocol.
Allow_vapp_outbound:
source internal, destination any, protocol any
Explanation: The rule allows all traffic from the vApp network to propagate to the organization network and beyond.

Allow_inbound_vapp:
source any, destination 10.201.0.0/24, protocol any
Explanation: The rule allows external or internal traffic addressed to a translated vApp address on the organization network (such as 10.201.0.6) to reach the vApp network.
Installation of vCloud Connector and nodes
Installed on the management cluster as vCloud Connector virtual appliances:
vCloud Connector server at IP 172.16.213.234
vCloud Connector node at IP 172.16.213.235
Registered with the vSphere Client at IP 172.16.213.220
Nodes are managed by the vCC server. The Cloud5 node is the private cloud, and Cloud2 is the public cloud (from the perspective of Cloud5).
Cloud2 is registered with our vCC server and allows workload / template transfer between the clouds.
Node registered with the vCC server for vCloud Director at IP 172.16.213.230
Cloud Security Establish IPSec VPN to remote Cloud
1. The local endpoint is set to 172.16.210.61, which is the external IP of our private cloud organization gateway.
2. The peer ID and peer IP are set to the external organization gateway of the remote cloud, IP 172.16.213.31.
3. The peer network of the remote cloud is 10.81.0.0/24, which is the organization network of the remote cloud cloud2.
4. Once the VPN configuration is done at our private cloud cloud5, we create the VPN settings at the remote cloud cloud2 using the mirrored peer settings (our local endpoint and network become its peer endpoint and peer network).
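The mirroring in step 4 is where tunnel definitions usually go wrong, so here is an added example (not from the deck, and not vCloud Director code) that builds the Cloud5 side from the four settings above, derives the Cloud2 side by swapping local and peer fields, and checks the pair for the errors that leave a tunnel negotiated but traffic blackholed: endpoints or subnets not mirrored, overlapping protected subnets, or an endpoint that lies inside a subnet routed over the tunnel. The field names and the tunnel name are this example's own.

```python
"""Mirror and sanity-check an IPsec site-to-site tunnel definition.
Added example: the dictionary keys are this example's own and do not
correspond to vCloud Director's API field names."""
import ipaddress

# Cloud5 side, from the slide.
LOCAL_TUNNEL = {
    "name": "cloud5-to-cloud2",
    "local_endpoint": "172.16.210.61",   # external IP of the Cloud5 org gateway
    "local_subnets": ["10.201.0.0/24"],  # Cloud5 organization network
    "peer_endpoint": "172.16.213.31",    # external IP of the Cloud2 org gateway
    "peer_id": "172.16.213.31",
    "peer_subnets": ["10.81.0.0/24"],    # Cloud2 organization network
}


def mirror(tunnel):
    """Peer-side definition: every local field becomes a peer field and vice versa."""
    return {
        "name": "-to-".join(reversed(tunnel["name"].split("-to-"))),
        "local_endpoint": tunnel["peer_endpoint"],
        "local_subnets": list(tunnel["peer_subnets"]),
        "peer_endpoint": tunnel["local_endpoint"],
        "peer_id": tunnel["local_endpoint"],
        "peer_subnets": list(tunnel["local_subnets"]),
    }


def check_pair(a, b):
    """Return a list of problems found between the two sides; empty means consistent."""
    problems = []
    if a["peer_endpoint"] != b["local_endpoint"] or b["peer_endpoint"] != a["local_endpoint"]:
        problems.append("endpoints are not mirrored")
    if a["peer_id"] != b["local_endpoint"] or b["peer_id"] != a["local_endpoint"]:
        problems.append("peer ID does not match the other side's local endpoint")
    if (sorted(a["peer_subnets"]) != sorted(b["local_subnets"])
            or sorted(b["peer_subnets"]) != sorted(a["local_subnets"])):
        problems.append("protected subnets are not mirrored")
    # Overlapping protected subnets cannot be routed across the tunnel.
    for la in a["local_subnets"]:
        for lb in b["local_subnets"]:
            if ipaddress.ip_network(la).overlaps(ipaddress.ip_network(lb)):
                problems.append(f"{la} and {lb} overlap")
    # An endpoint inside a protected subnet would have its IKE traffic
    # routed into the tunnel it is trying to build.
    for side in (a, b):
        for net in side["local_subnets"] + side["peer_subnets"]:
            if ipaddress.ip_address(side["local_endpoint"]) in ipaddress.ip_network(net):
                problems.append(f"endpoint {side['local_endpoint']} lies inside protected subnet {net}")
    return problems


if __name__ == "__main__":
    remote = mirror(LOCAL_TUNNEL)
    for key in LOCAL_TUNNEL:
        print(f"{key:16} cloud5={LOCAL_TUNNEL[key]!s:18} cloud2={remote[key]}")
    print("problems:", check_pair(LOCAL_TUNNEL, remote) or "none")
```

Run it before touching the remote side: the printed table is exactly what has to be typed into cloud2, and `check_pair` is what to re-run if the tunnel comes up but pings between 10.201.0.0/24 and 10.81.0.0/24 fail.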
Migration of Workload to and fro the Public cloud
From the vSphere Client interface, we were able to copy some catalog templates from cloud2 to our local catalog successfully. Likewise, we could also copy templates from our local catalog to the remote catalog of cloud2. We also managed to deploy the copied template to our
Migration of Workload to and fro the Public cloud - continued
We published a catalog from the remote cloud2 to the content library and subscribed to the published catalog, specifying our local catalog as the sync target. After a while, we observed that the templates from the remote cloud2 were synced to our local catalog.
Test cases and the results
To test outbound firewall and NAT settings for VM1

Topology (from the diagram): workstation on the external network; external router 172.16.210.254; Cloud5 Org Edge between the external network and the organization network; Vapp Edge between the organization network and the vApp network; VM1 (10.201.0.8) on the organization network; VM2 (192.168.201.2) on the vApp network.

Test: ping from VM1 to the external router IP 172.16.210.254.
NAT rule for VM1: 10.201.0.0/24 mapped to 172.16.210.62 (Org Edge)
Firewall rule for VM1: internal to any, protocol any (Org Edge)
Test cases and the results - continued
To test inbound firewall and NAT settings for VM1 (same topology)

Test: ping from the workstation to the VM1 external IP 172.16.210.64.
NAT rule for VM1: 172.16.210.64 mapped to 10.201.0.8 (Org Edge)
Firewall rule for VM1: any to 172.16.210.64 (Org Edge)
Test cases and the results - continued
To test outbound firewall and NAT settings for VM2 (same topology)

Test: ping from VM2 to the external router IP 172.16.210.254.
NAT rules for VM2: IP translation 192.168.201.2 to 10.201.0.6 (Vapp Edge); 10.201.0.0/24 mapped to 172.16.210.62 (Org Edge)
Firewall rule for VM2: internal to any, protocol any (same on Org Edge and Vapp Edge)
Test cases and the results - continued
To test inbound firewall and NAT settings for VM2 (same topology)

Test: ping from the workstation to the VM2 external IP 172.16.210.63.
NAT rules for VM2: 172.16.210.63 mapped to 10.201.0.6 (Org Edge); IP translation 10.201.0.6 to 192.168.201.2 (Vapp Edge)
Firewall rules for VM2: any to 172.16.210.63 (Org Edge); any to 10.201.0.0/24 (Vapp Edge)
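The four tests above exercise the NAT rules and firewall rules from the earlier sections as a chain: a packet to VM2 is translated twice (Org Edge DNAT, then vApp Edge IP translation) and must pass a rule at each edge. The following added example (not from the deck, and not vShield Edge code) encodes both edges' rule tables exactly as the slides list them and replays the tests offline, so the expected translated addresses can be checked before anyone pings. Two things are modelling assumptions rather than facts from the page: the firewall is evaluated on the pre-NAT addresses as seen from the side the packet enters, with the first matching allow rule winning and no match meaning drop; and the workstation address 172.16.210.100 is a constructed external host. The last case in the `__main__` block goes beyond the slides and shows that an external packet sent straight to VM1's private address is dropped, because no inbound rule names it.

```python
"""Replay the Cloud5 connectivity tests against the edge NAT/firewall tables.
Added example; the chain model (firewall on pre-NAT addresses, first-match
allow, implicit deny) is an assumption, not a description of vShield Edge."""
import ipaddress

ANY = "any"


def _match(pattern, addr):
    """True when addr is covered by pattern ('any', a host IP or a CIDR block)."""
    if pattern == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


# Rule tables as listed on the slides.  Firewall rows: (name, source, destination,
# protocol); 'internal' is resolved to the edge's own internal network.
EDGES = {
    "org": {
        "internal": "10.201.0.0/24",
        "external_ip": "172.16.210.61",
        "snat": [("10.201.0.0/24", "172.16.210.62")],
        "dnat": [("172.16.210.63", "10.201.0.6"),
                 ("172.16.210.64", "10.201.0.8"),
                 ("172.16.210.65", "10.201.0.7")],
        "firewall": [("Outbound_org", "internal", ANY, ANY),
                     ("Inbound_public63", ANY, "172.16.210.63", ANY),
                     ("Inbound_public64", ANY, "172.16.210.64", ANY),
                     ("Inbound_public65", ANY, "172.16.210.65", ANY),
                     ("Inbound_gateway", ANY, "172.16.210.61", ANY)],
    },
    "vapp": {
        "internal": "192.168.201.0/24",
        "external_ip": "10.201.0.6",
        # vApp "IP translation": the VM's static IP is mapped 1:1 to an org-network IP.
        "snat": [("192.168.201.2", "10.201.0.6")],
        "dnat": [("10.201.0.6", "192.168.201.2")],
        "firewall": [("Allow_vapp_outbound", "internal", ANY, ANY),
                     ("Allow_inbound_vapp", ANY, "10.201.0.0/24", ANY)],
    },
}
CHAIN = ["org", "vapp"]  # outermost edge first


def first_allow(edge, src, dst, proto):
    """Name of the first firewall rule matching the packet, or None (implicit deny)."""
    for name, rsrc, rdst, rproto in edge["firewall"]:
        rsrc = edge["internal"] if rsrc == "internal" else rsrc
        rdst = edge["internal"] if rdst == "internal" else rdst
        if _match(rsrc, src) and _match(rdst, dst) and rproto in (ANY, proto):
            return name
    return None


def traverse(src, dst, proto="icmp"):
    """Walk a packet through every edge it crosses.  Returns a list of
    (edge, direction, rule, src_after, dst_after); rule None means dropped."""
    trace = []
    # Egress: leave each edge whose internal network holds the source, innermost
    # first, unless the destination is inside that same network.
    for name in reversed(CHAIN):
        edge = EDGES[name]
        if _match(edge["internal"], src) and not _match(edge["internal"], dst):
            rule = first_allow(edge, src, dst, proto)
            if rule is None:
                return trace + [(name, "egress", None, src, dst)]
            src = next((out for ins, out in edge["snat"] if _match(ins, src)), src)
            trace.append((name, "egress", rule, src, dst))
    # Ingress: enter an edge when the destination is one of its published (DNAT or
    # gateway) addresses, or a private address behind it; DNAT may hand the packet on.
    for name in CHAIN:
        edge = EDGES[name]
        published = [out for out, _ in edge["dnat"]] + [edge["external_ip"]]
        inside = _match(edge["internal"], dst) and not _match(edge["internal"], src)
        if dst in published or inside:
            rule = first_allow(edge, src, dst, proto)
            if rule is None:
                return trace + [(name, "ingress", None, src, dst)]
            dst = next((ins for out, ins in edge["dnat"] if out == dst), dst)
            trace.append((name, "ingress", rule, src, dst))
    return trace


def allowed(src, dst, proto="icmp"):
    """(reachable, source as seen by the destination, destination as delivered)."""
    trace = traverse(src, dst, proto)
    if trace and trace[-1][2] is None:
        return (False, None, None)
    return (True, trace[-1][3] if trace else src, trace[-1][4] if trace else dst)


if __name__ == "__main__":
    WORKSTATION = "172.16.210.100"   # constructed external host, not on the slides
    ROUTER = "172.16.210.254"
    for label, s, d in [("VM1 outbound", "10.201.0.8", ROUTER),
                        ("VM1 inbound", WORKSTATION, "172.16.210.64"),
                        ("VM2 outbound", "192.168.201.2", ROUTER),
                        ("VM2 inbound", WORKSTATION, "172.16.210.63"),
                        ("external -> VM1 private IP", WORKSTATION, "10.201.0.8")]:
        print(f"{label:28} {allowed(s, d)}")
```

The trace returned by `traverse` names the rule that admitted the packet at each edge, which is the detail the slides' "ping succeeded" screenshots cannot show: if a real test fails, compare the edge and rule where the model says the packet should have matched against the hit counters on that edge.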
Problem encountered and the resolutions
vSphere Client alerts insufficient memory
We noticed that our management cluster consumed 29.86GB out of 31.97GB, leaving only 2.11GB of free capacity. The problem was linked to a large snapshot in the VM control centre. After deleting the large snapshot, the available memory capacity increased from 2.11GB to 10.35GB.
Problem encountered and the resolutions - continued
Unable to copy catalog templates from remote cloud to local cloud
We noted that we were unable to copy catalog templates from the remote cloud into our local cloud. We later discovered that the Enable Publishing option in the External Publishing tab of the local cloud catalog properties must be unchecked in order to allow templates to be copied from the remote cloud to our local catalog.
