VMware Cloud Director Availability 4.6

4.7 4.6
Português (Brasil) Español 日本語 English

Configure the network of the SDDC in
VMware Cloud on AWS

To allow pairing with
VMware Cloud Director Availability
 in
VMware Cloud on AWS
, first configure the network settings of the SDDC.
The access to the resource pools is limited in
VMware Cloud on AWS
 and the private IP addresses of all the cloud appliances of
VMware Cloud Director Availability
 must be explicitly allowed as well as to access the management and infrastructure components in the management resource pool, like
vCenter Server
 and
ESXi
.
VMware Cloud Director Availability
 in
VMware Cloud on AWS
 provides two services to the Internet. To use the two services in the configuration of the necessary NAT rules, you explicitly define them since both services internally use non-standard HTTPS ports. These two services in conjunction with the following two NAT rules translate the network traffic coming to the public IP address on the external port 443/TCP:
  • Towards the
    Cloud Director Replication Management Appliance
    , internally on port 8046/TCP for management interface network traffic to the
    Cloud Service
    .
  • Towards the
    Tunnel Appliance
    , internally on port 8048/TCP for replication data network traffic to the
    Public Service Endpoint
    .
  1. Log in to
    VMware Cloud on AWS
     at https://vmc.vmware.com.
  2. Add two new inventory SDDC services, for the management interface and for the
    Public Service Endpoint
    .
    1. In the VMC console, in the left pane click
      SDDCs
      .
    2. Under the SDDC click
      View Details
       and click the
      Networking & Security
       tab.
    3. In the left pane under the
      Inventory
       section, click
      Services
      .
      Repeat the following steps twice.
      • Add an inventory service for the management interface of the
        Cloud Director Replication Management Appliance
        .
      • Add another inventory service for the
        Public Service Endpoint
         of the
        Tunnel Appliance
        .
    4. To add an inventory SDDC service, click
      Add Service
      .
    5. Enter a name and optionally a description for each service.
    6. For each service, in the Service Entries column, click the
      Set Service Entries
       link.
    7. For each service, in the
      Set Service Entries
       window, from the
      Type
       drop down menu select
      Layer 3 and above
      .
    8. For each service, on the
      Port-Protocol
       tab click
      Add Service Entry
      , enter the details from the respective column, and click
      Apply
      .
      Option
      Management Interface Inventory Service
      Public Service Endpoint
       Inventory Service
      Name
      Enter a name for the service entry of the
      Cloud Director Replication Management Appliance
       management interface. For example, enter
      VCDA-Cloud-Service-Management
      .
      Enter a name for the service entry of the
      Tunnel Appliance
      Public Service Endpoint
      . For example, enter
      VCDA-Tunnel-Service-Endpoint
      .
      Service Type
      Select
      TCP
      .
      Select
      TCP
      .
      Additional Properties
      Leave the
      Source Ports
       text box blank.
      Leave the
      Source Ports
       text box blank.
      To access the management interface of the
      Cloud Director Replication Management Appliance
       in the
      Destination Ports
       text box, in enter port
      8046
      .
      To access the
      Public Service Endpoint
       of the
      Tunnel Appliance
      , in the
      Destination Ports
       text box enter port
      8048
      .
    9. To save each inventory service, click
      Save
      .
      On the
      Services
       page, both services show:
      Name
      Service Entries
      VCDA-Cloud-Service-Management
      TCP (Source: Any | Destination: 8046)
      VCDA-Tunnel-Service-Endpoint
      TCP (Source: Any | Destination: 8048)
  3. To later use in NAT rules, request two new public SDDC IP addresses.
    • Request a public IP address to access the initial setup wizard in the management interface of the
      Cloud Director Replication Management Appliance
      .
    • Request a public IP address to allow external pairing to the
      Public Service Endpoint
       of the
      Tunnel Appliance
      .
    1. On the
      Networking & Security
       tab, in the left pane under the
      System
       section click
      Public IPs
      .
    2. To request a public IP address for the
      Cloud Director Replication Management Appliance
      , click
      Request New IP
      , enter a note, and click
      Save
      .
      For example, as a note enter
      VCDA-Management-Public-IP-address
      .
    3. To request a public IP address for the
      Tunnel Appliance
      , click
      Request New IP
      , enter a note and click
      Save
      .
      For example, as a note enter
      VCDA-Tunnel-Public-IP-address
      .
  4. To forward the incoming network traffic to the correct cloud appliances and ports, add two new NAT rules.
    1. On the
      Networking & Security
       tab, in the left pane under the
      Network
       section click
      NAT
      .
      Repeat the following step twice.
      • Add a NAT rule for the management interface of the
        Cloud Director Replication Management Appliance
        .
      • Add another NAT rule for the incoming network traffic to the
        Public Service Endpoint
         of the
        Tunnel Appliance
        .
    2. To add a NAT rule, click
      Add NAT Rule
      , configure the following settings and click
      Save
      .
      Option
      Management Interface NAT
      Public Service Endpoint
       NAT
      Name
      Enter a name for the NAT rule for the
      Cloud Director Replication Management Appliance
       management interface. For example, enter
      VCDA Management Interface NAT
      .
      Enter a name for the NAT rule for the
      Tunnel Appliance
      Public Service Endpoint
      . For example, enter
      VCDA Tunnel Service Endpoint NAT
      .
      Public IP
      Select the
      VCDA-Management-Public-IP-address
      .
      Select the
      VCDA-Tunnel-Public-IP-address
      .
      Service
      Select the inventory service for the
      Cloud Director Replication Management Appliance
      management interface. For example, select
      VCDA-Cloud-Service-Management
      .
      Select the inventory service for the
      Tunnel Appliance
      Public Service Endpoint
      . For example, select
      VCDA-Tunnel-Service-Endpoint
      .
      Public Port
      Enter port
      443
      .
      Enter port
      443
      .
      Internal IP
      Enter the
      private-IP-address
       of the
      Cloud Director Replication Management Appliance
      .
      Enter the
      private-IP-address
       of the
      Tunnel Appliance
      .
      Internal Port
      8046 (non-editable)
      8048 (non-editable)
      Firewall
      Match Internal Address
      Match Internal Address
      After completing the initial configuration, to reduce the possible attack surface the NAT rule for the management interface can be disabled or removed.
      VMware Cloud Director Availability
       remains accessible from the
      Cloud Director instance
       by using the plug-in for
      VMware Cloud Director Availability
      .
  5. To later create a management group and use it in a management firewall rule, note the compute gateway source NAT
    public IP address
     of the SDDC.
    1. On the
      Networking & Security
       tab, in the left pane click
      Overview
      .
    2. Under
      Default Compute Gateway
       and under
      Workloads
      , note the
      Source NAT Public IP
       address of the SDDC.
  6. To prepare the cloud appliances access to the management gateway services like
    vCenter Server
     and
    ESXi
    , add two management groups.
    1. On the
      Networking & Security
       tab, in the left pane under the
      Inventory
       section click
      Groups
      .
    2. Click the
      Management Groups
       tab.
      Repeat the following steps two times.
      • Add a management group, containing the private IP addresses of all the deployed
        Replicator Appliance
         instances.
      • Add another management group, containing the compute gateway source NAT.
    3. To create a management group, click
      Add Group
       and for each group enter a management group name.
    4. To add trusted members to each management group, under the Compute Members column, click the
      Set Members
       link.
    5. In the
      Select Members
       window, on the
      IP Addresses
       tab enter the following IP addresses for each management group and click
      Apply
      .
      Management Group Name
      Management Group Trusted Members IP Addresses
      SNAT VCDA Management Group
      • Enter the compute gateway source NAT
        public-IP-address
         of the SDDC, as noted in the previous step.
      • Enter the subnet group of the
        VMware Cloud Director Availability
         appliances. For example, enter the
        vcda-network-segment
        .
      VCDA Replicators Management Group
      Enter the
      private-IP-addresses
       reserved within the
      vcda-network-segment
       for all the
      Replicator Appliance
       instances deployed in
      VMware Cloud on AWS
      . All
      Replicator Appliance
       instances must access the
      vCenter Server
       management gateways services for virtual machines provisioning and performing replication tasks with the
      ESXi
       hosts and datastores.
    6. To save each management group, click
      Save
      .
  7. To allow the internal communication from the cloud appliances to the
    vCenter Server
     and to the
    ESXi
     datastore in the management gateway, add two new management gateway firewall rules.
    1. On the
      Gateway Firewall
       page, click the
      Management Gateway
       tab.
      Repeat the following steps twice.
      • Add a management firewall rule for allowing the network traffic from the compute gateway source NAT to the management gateway
        vCenter Server
        .
      • Add another management firewall rule for allowing the
        Replicator Appliance
         instances writing in the destination
        ESXi
         datastore.
    2. To create a management firewall rule, click
      Add Rule
      .
    3. Configure each of the two management firewall rules and click
      Apply
       when prompted.
      Option
      vCenter Server
       Management Gateway Firewall Rule
      ESXi
       Hosts Management Gateway Firewall Rule
      Name
      Enter a name for the
      vCenter Server
       management gateway rule. For example, enter
      SNAT VCDA to vCenter Rule
      .
      Enter a name for the
      ESXi
       management gateway rule. For example, enter
      VCDA Replicators to ESXi Rule
      .
      Sources
      Click
      Any
      . In the
      Set Source
       window, select
      User Defined Groups
       and select the management group for the SNAT. For example, select
      SNAT VCDA Management Group
       and click
      Apply
      .
      Click
      Any
      . In the
      Set Source
       window, select
      User Defined Groups
       and select the management group for the private IP addresses of the
      Replicator Appliance
       instances. For example, select
      VCDA Replicators Management Group
       and click
      Apply
      .
      Destinations
      Click
      Any
      . In the
      Set Destination
       window under
      System Defined Groups
      , select
      vCenter
       and click
      Apply
      .
      Click
      Any
      . In the
      Set Destination
       window under
      System Defined Groups
      , select
      ESXi
       and click
      Apply
      .
      Services
      Click
      Any
       and select
      HTTPS (TCP 443)
      .
      To allow the
      Data Engine Service
       of the
      Replicator Appliance
       writing in the
      ESXi
       datastores, click
      Any
       and select
      HTTPS (TCP 443)
       and
      Provisioning & Remote Console (TCP 902)
      .
      Action
      Allow
      Allow
    4. After creating both management gateway firewall rules, click
      Publish
      .
  8. To prepare for accessing the compute gateway services in
    VMware Cloud on AWS
    , create four compute groups.
    1. On the
      Networking & Security
       tab, in the left pane under the
      Inventory
       section click
      Groups
      .
      Repeat the following steps four times.
      • Add a compute group for the trusted users that need access to the
        VMware Cloud Director Availability
         management interface.
      • Add a compute group for the
        Cloud Director Replication Management Appliance
        .
      • Add a compute group for all the
        Replicator Appliance
         instances.
      • Add a compute group for the
        Tunnel Appliance
        .
    2. To create a compute group, under the
      Compute Groups
       tab, click
      Add Group
       and enter a group name.
    3. To add trusted members to each compute group, under the Compute Members column, click the
      Set Members
       link.
    4. In the
      Select Members
       window, on the
      IP Addresses
       tab enter the following IP addresses for each compute group and click
      Apply
      .
      Compute Group Name
      Compute Group Trusted Members IP Addresses
      Trusted Compute Sources Group
      Enter the externally-facing
      public-IP-addresses
       of the users granted with access to the management interface of
      VMware Cloud Director Availability
      .
      Ensure that you add all the public IP addresses of each user allowed to access
      VMware Cloud Director Availability
       in
      VMware Cloud on AWS
       or the users have no access.
      VCDA Manager Compute Group
      Enter the
      private-IP-address
       of the
      Cloud Director Replication Management Appliance
      .
      VCDA Replicators Compute Group
      Enter the
      private-IP-addresses
       of all the
      Replicator Appliance
       instances.
      VCDA Tunnel Compute Group
      Enter the
      private-IP-address
       of the
      Tunnel Appliance
      .
    5. To save each compute group, click
      Save
      .
  9. To prepare for completing the initial setup wizard, allow accessing the
    VMware Cloud Director Availability
     management interface by the trusted compute sources. Also allow the cloud appliances outbound access, both by adding two new compute gateway firewall rules.
    1. On the
      Networking & Security
       tab, in the left pane under the
      Security
       section click
      Gateway Firewall
      .
      Repeat the following steps twice.
      • Add a compute gateway firewall rule for allowing the trusted compute sources access to the
        Cloud Director Replication Management Appliance
         for completing the initial setup wizard of
        VMware Cloud Director Availability
        .
      • Add a compute gateway firewall rule for allowing the
        VMware Cloud Director Availability
         appliances outbound network traffic from the compute gateway.
    2. On the
      Compute Gateway
       tab, click
      Add Rule
      .
    3. Configure each of the two compute firewall rules and click
      Apply
       when prompted.
      Option
      Inbound Compute Gateway Firewall Rule
      Outbound Compute Gateway Firewall Rule
      Name
      Enter a name for the inbound compute gateway rule. For example, enter
      VCDA Management from Trusted Compute Sources Rule
      .
      Enter a name for the outbound compute gateway rule. For example, enter
      VCDA Appliances Outbound Compute Rule
      .
      Sources
      Click
      Any
      . In the
      Set Source
       window, select the trusted compute sources group and click
      Apply
      . For example, select
      Trusted Compute Sources Group
      .
      Click
      Any
      . In the
      Set Source
       window select the three compute groups for the
      VMware Cloud Director Availability
       appliances and click
      Apply
      . For example, select all three
      VCDA Manager Compute Group
      ,
      VCDA Replicators Compute Group
      , and
      VCDA Tunnel Compute Group
      .
      Destinations
      Click
      Any
      . In the
      Set Destination
       window, select the
      Cloud Director Replication Management Appliance
       compute group and click
      Apply
      . For example, select
      VCDA Manager Compute Group
      .
      Any
      Services
      Click
      Any
      . In the
      Set Services
       window, select the
      Cloud Director Replication Management Appliance
       management interface service and click
      Apply
      . For example, select
      VCDA-Cloud-Service-Management
       TCP (Source: Any | Destination: 8046)
      .
      Any
      Applied To
      All Uplinks
      All Uplinks
      Action
      Allow
      Allow
    4. After creating both compute gateway firewall rules, click
      Publish
      .
The SDDC configuration in
VMware Cloud on AWS
 is complete and ready for the initial configuration of
VMware Cloud Director Availability
. In summary, the SDDC network in
VMware Cloud on AWS
 is configured with:
  • vcda-network-segment
    :
    A dedicated routed network for all the cloud appliances of
    VMware Cloud Director Availability
    .
  • Public IP addresses:
    Two requested public IP addresses, for the management interface of the
    Cloud Director Replication Management Appliance
    , and for the
    Public Service Endpoint
     of the
    Tunnel Appliance
    .
  • Management gateway:
    • Access from the compute gateway source NAT address to the management gateway
      vCenter Server
      , used for bridging the access from the compute gateway
      VMware Cloud Director Availability
       appliances.
    • Access from the
      Replicator Appliance
       to the management gateway
      ESXi
       datastore, used for destination of migrations.
  • Compute gateway:
    • Access from the
      Trusted Compute Sources Group
       to the management interface of the
      Cloud Service
      , used for completing the initial setup. Later, modifying the same rule allows access to all four types of management interfaces of
      VMware Cloud Director Availability
      . For more information, see Post-configure the SDDC networking in VMware Cloud on AWS.
    • Access from
      VMware Cloud Director Availability
       appliances to Internet, used for the external network traffic from the compute gateway.
For information about the summary of the SDDC network configuration, see SDDC network configuration summary.
You can now configure
VMware Cloud Director Availability
 in
VMware Cloud on AWS
 by completing the initial setup wizard of the
Cloud Director Replication Management Appliance
. For more information, see Configure VMware Cloud Director Availability in VMware Cloud on AWS.

Content feedback and comments