Post-configure the SDDC networking in VMware Cloud on AWS

To allow access to the management interfaces of the Manager Service, the Replicator Service instances, and the Tunnel Service in VMware Cloud on AWS for performing administrative operations like certificate replacement, post-configure the network settings of the SDDC for the additional access to these three types of management interfaces.
By default, access is limited in VMware Cloud on AWS, and the public IP addresses of all the cloud appliances of VMware Cloud Director Availability must be explicitly allowed for performing administrative operations.
VMware Cloud Director Availability appliances in VMware Cloud on AWS provide three types of management interfaces for performing administrative tasks like certificate replacement and others. Because the three interfaces internally use non-standard HTTPS ports, you must explicitly define them as services when configuring the necessary NAT rules. These three services, in conjunction with the following three NAT rules and a firewall rule, translate and allow the network traffic coming to the public IP addresses of the appliances on the external port 443/TCP:
  • Towards the Cloud Director Replication Management Appliance, internally on port 8044/TCP for the management interface of the Manager Service.
  • Towards all Replicator Appliance instances, internally on port 8043/TCP for the management interfaces of the Replicator Service instances.
  • Towards the Tunnel Appliance, internally on port 8047/TCP for the management interface of the Tunnel Service.
  1. Log in to VMware Cloud on AWS at https://vmc.vmware.com.
  2. Add three new inventory SDDC services, for the management interfaces of the Manager Service, the Replicator Service, and the Tunnel Service.
    1. In the VMC console, in the left pane click SDDCs.
    2. Under the SDDC click View Details and click the Networking & Security tab.
    3. In the left pane under the Inventory section, click Services.
      Repeat the following steps three times:
      • Add an inventory service for the Manager Service of the Cloud Director Replication Management Appliance.
      • Add another inventory service for the Replicator Service of the Replicator Appliance.
      • Add another inventory service for the Tunnel Service of the Tunnel Appliance.
    4. To add an inventory SDDC service, click Add Service.
    5. Enter a name and optionally a description for each service.
    6. For each service, in the Service Entries column, click the Set Service Entries link.
    7. For each service, in the Set Service Entries window, from the Type drop-down menu select Layer 3 and above.
    8. For each service, on the Port-Protocol tab click Add Service Entry, enter the details for the respective service, and click Apply.
      Name
        Manager Service Inventory Service: Enter a name for the management interface service entry of the Cloud Director Replication Management Appliance Manager Service. For example, enter VCDA-Manager-Service-Management.
        Replicator Service Inventory Service: Enter a name for the management interface service entry of the Replicator Appliance Replicator Service. For example, enter VCDA-Replicator-Service-Management.
        Tunnel Service Inventory Service: Enter a name for the management interface service entry of the Tunnel Appliance Tunnel Service. For example, enter VCDA-Tunnel-Service-Management.
      Service Type
        For all three inventory services, select TCP.
      Additional Properties
        For all three inventory services, leave the Source Ports text box blank.
        Manager Service Inventory Service: To access the management interface of the Manager Service in the Cloud Director Replication Management Appliance, in the Destination Ports text box enter port 8044.
        Replicator Service Inventory Service: To access the management interface of the Replicator Service in the Replicator Appliance, in the Destination Ports text box enter port 8043.
        Tunnel Service Inventory Service: To access the management interface of the Tunnel Service in the Tunnel Appliance, in the Destination Ports text box enter port 8047.
    9. To save each inventory service, click Save.
      On the Services page, the three new services show:
      Name                                  Service Entries
      VCDA-Manager-Service-Management       TCP (Source: Any | Destination: 8044)
      VCDA-Replicator-Service-Management    TCP (Source: Any | Destination: 8043)
      VCDA-Tunnel-Service-Management        TCP (Source: Any | Destination: 8047)
  3. To later use in NAT rules, request new public SDDC IP addresses for each of the three types of management interfaces.
    • Request a public IP address to access the management interface of the Manager Service in the Cloud Director Replication Management Appliance.
    • Request multiple public IP addresses to access the management interface of each Replicator Service in the Replicator Appliance instances.
    • Request a public IP address to access the management interface of the Tunnel Service in the Tunnel Appliance.
    1. On the Networking & Security tab, in the left pane under the System section click Public IPs.
    2. To request a public IP address for the Manager Service, click Request New IP, enter a note, and click Save.
      For example, as a note enter VCDA-Manager-Public-Management-IP-address.
      Repeat the following step for each instance of the Replicator Service deployed in the SDDC:
    3. To request a public IP address for each Replicator Service, click Request New IP, enter a note, and click Save.
      For example, as a note enter VCDA-Replicator-Public-Management-IP-address. For more Replicator Service instances, for each requested public IP address enter VCDA-Replicator-X-Public-Management-IP-address, where X marks each instance.
    4. To request a public IP address for the Tunnel Service, click Request New IP, enter a note, and click Save.
      For example, as a note enter VCDA-Tunnel-Public-Management-IP-address.
  4. To forward the incoming network traffic to the correct cloud appliances and ports, add new NAT rules.
    1. On the Networking & Security tab, in the left pane under the Network section click NAT.
      Repeat the following step three times:
      • Add a NAT rule for the management interface of the Manager Service in the Cloud Director Replication Management Appliance.
      • Add another NAT rule for the management interface of the Replicator Service in the Replicator Appliance. For each additional Replicator Service instance, add another NAT rule.
      • Add another NAT rule for the management interface of the Tunnel Service in the Tunnel Appliance.
    2. To add a NAT rule, click Add NAT Rule, configure the following settings, then click Save.
      Name
        Manager Service NAT: Enter a name for the NAT rule for the management interface of the Cloud Director Replication Management Appliance Manager Service. For example, enter VCDA Replication Management NAT.
        Replicator Service NAT: Enter a name for the NAT rule for the management interface of the Replicator Appliance Replicator Service. For example, enter VCDA Replicator NAT. For more Replicator Service instances, for each NAT rule enter VCDA Replicator X NAT, where X marks each instance.
        Tunnel Service NAT: Enter a name for the NAT rule for the management interface of the Tunnel Appliance Tunnel Service. For example, enter VCDA Replication Management NAT.
      Public IP
        Manager Service NAT: Select the VCDA-Manager-Public-Management-IP-address.
        Replicator Service NAT: Select the VCDA-Replicator-Public-Management-IP-address.
        Tunnel Service NAT: Select the VCDA-Tunnel-Public-Management-IP-address.
      Service
        Manager Service NAT: Select the inventory service for the Cloud Director Replication Management Appliance Manager Service. For example, select VCDA-Manager-Service-Management.
        Replicator Service NAT: Select the inventory service for the Replicator Appliance Replicator Service. For example, select VCDA-Replicator-Service-Management.
        Tunnel Service NAT: Select the inventory service for the Tunnel Appliance Tunnel Service. For example, select VCDA-Tunnel-Service-Management.
      Public Port
        For all three NAT rules, enter port 443.
      Internal IP
        Manager Service NAT: Enter the private-IP-address of the Cloud Director Replication Management Appliance.
        Replicator Service NAT: Enter all private-IP-addresses of the Replicator Appliance instances.
        Tunnel Service NAT: Enter the private-IP-address of the Tunnel Appliance.
      Internal Port
        Manager Service NAT: 8044 (non-editable)
        Replicator Service NAT: 8043 (non-editable)
        Tunnel Service NAT: 8047 (non-editable)
      Firewall
        For all three NAT rules, Match Internal Address.
  5. To allow accessing the VMware Cloud Director Availability management interfaces from the trusted compute sources, add the three new services and destinations in the inbound compute firewall rule.
    The compute rule VCDA Management from Trusted Compute Sources Rule is created first in Configure the network of the SDDC in VMware Cloud on AWS.
    1. On the Networking & Security tab, in the left pane under the Security section click Gateway Firewall.
    2. On the Compute Gateway tab, click the already created VCDA Manager from Trusted Compute Sources Rule.
    3. Configure the compute firewall rule, then click Apply when prompted.
      Name: VCDA Management from Trusted Compute Sources Rule.
      Sources: Trusted Compute Sources Group.
      Destinations: Click Any. In the Set Destination window, select all the compute groups of the VMware Cloud Director Availability appliances and click Apply. For example, select all three:
        • VCDA Manager Compute Group
        • VCDA Replicators Compute Group
        • VCDA Tunnel Compute Group
      Services: Click Any. In the Set Services window, select the three newly created inventory services in addition to the VCDA-Cloud-Service-Management TCP (Source: Any | Destination: 8046). For example, select additionally:
        • VCDA-Manager-Service-Management TCP (Source: Any | Destination: 8044)
        • VCDA-Replicator-Service-Management TCP (Source: Any | Destination: 8043)
        • VCDA-Tunnel-Service-Management TCP (Source: Any | Destination: 8047)
        When selected, all four management interface services are now present: Destination: 8046, Destination: 8044, Destination: 8043, and Destination: 8047.
      Applied To: All Uplinks
      Action: Allow
    4. After modifying the compute gateway firewall rule, click Publish.
      The compute firewall rule allows access to the four types of management interfaces of all services of VMware Cloud Director Availability:
      • Cloud Service
      • Manager Service
      • Each Replicator Service instance
      • Tunnel Service
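Before publishing, the planned services, NAT rules and firewall selections can be reviewed offline against the values in the procedure above. The following script is an added example and is not part of the VMware documentation or product; it models the plan with assumed object names and constructed sample addresses, and reports deviations such as a public port other than 443, a service or internal port that does not match the appliance's management port, a Replicator Service instance without its own NAT rule, or a firewall rule missing one of the four services or three compute groups.

```python
from collections import namedtuple

# Internal management ports per appliance role, as listed in the procedure above.
MGMT_PORTS = {"manager": 8044, "replicator": 8043, "tunnel": 8047}
CLOUD_SERVICE_PORT = 8046  # Cloud Service port already allowed by the firewall rule
GROUPS = {"VCDA Manager Compute Group", "VCDA Replicators Compute Group",
          "VCDA Tunnel Compute Group"}
# One planned NAT rule; role is "manager", "replicator" or "tunnel", firewall is the
# rule's Firewall setting ("Match Internal Address" per the procedure).
NatRule = namedtuple("NatRule", "name role public_ip public_port service "
                                "internal_ip internal_port firewall")

def check_plan(services, nat_rules, fw_services, fw_groups, replicator_ips):
    """services maps inventory service name -> destination port; fw_* are the
    selections in the compute firewall rule. Returns findings; [] means OK."""
    findings = []
    for r in nat_rules:
        want = MGMT_PORTS[r.role]
        if r.public_port != 443:
            findings.append(f"{r.name}: public port is {r.public_port}, not 443")
        if services.get(r.service) != want or r.internal_port != want:
            findings.append(f"{r.name}: service or internal port is not TCP/{want}")
        if r.firewall != "Match Internal Address":
            findings.append(f"{r.name}: Firewall must be Match Internal Address")
        if r.service not in fw_services:
            findings.append(f"{r.name}: {r.service} is not in the firewall rule")
    # every Replicator Appliance instance needs its own public IP and NAT rule
    covered = {r.internal_ip for r in nat_rules if r.role == "replicator"}
    for ip in sorted(replicator_ips - covered):
        findings.append(f"Replicator Appliance {ip} has no NAT rule")
    allowed = {services.get(s) for s in fw_services}
    for port in sorted({CLOUD_SERVICE_PORT, *MGMT_PORTS.values()} - allowed):
        findings.append(f"firewall rule does not allow destination port {port}")
    for g in sorted(GROUPS - fw_groups):
        findings.append(f"firewall rule is missing destination group {g}")
    return findings

def sample_plan():
    """Constructed sample that follows the procedure, with two Replicator instances."""
    services = {"VCDA-Manager-Service-Management": 8044, "VCDA-Replicator-Service-Management": 8043,
                "VCDA-Tunnel-Service-Management": 8047, "VCDA-Cloud-Service-Management": 8046}
    def nat(name, role, pub, priv):  # every rule: public port 443, Match Internal Address
        svc = f"VCDA-{role.capitalize()}-Service-Management"
        return NatRule(name, role, pub, 443, svc, priv, MGMT_PORTS[role], "Match Internal Address")
    rules = [nat("VCDA Replication Management NAT", "manager", "203.0.113.10", "10.0.1.10"),
             nat("VCDA Replicator 1 NAT", "replicator", "203.0.113.11", "10.0.1.11"),
             nat("VCDA Replicator 2 NAT", "replicator", "203.0.113.12", "10.0.1.12"),
             nat("VCDA Tunnel NAT", "tunnel", "203.0.113.13", "10.0.1.13")]
    return services, rules, set(services), set(GROUPS), {"10.0.1.11", "10.0.1.12"}
```

Run check_plan on your own inventory before clicking Publish; an empty result means every management interface is reachable only through its public IP on 443 and allowed by the compute firewall rule.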
The SDDC configuration in VMware Cloud on AWS is complete and ready for administrative operations of the VMware Cloud Director Availability services.
You can now perform administrative tasks for each VMware Cloud Director Availability service. For more information, see the Administration Guide for the version of VMware Cloud Director Availability deployed in the SDDC.