VCP-IaaS Study Notes: Section 4.1

This is Section 4.1 in the VCP-IaaS blueprint Guide 1.2. The rest of the (completed) sections can be found here.

Identify and differentiate the types of vCloud Organization networks

  • External network:
    • Service Provider external network, either with public IP addresses or NAT’ed internally.
  • External direct organization network: vApps are connected directly to the external network.
    • Accessible by multiple organizations. Virtual machines belonging to different organizations can connect to and see traffic on this network. This network provides direct layer 2 connectivity to machines outside of the organization. Machines outside of this organization can connect to machines within the organization directly.
  • External NAT-routed organization network: Network behind a vShield Edge appliance which controls the NAT, DHCP, VPN and other vServices.
    • Accessible only by this organization. Only virtual machines within this organization can connect to this network. This network also provides controlled access to an external network. System administrators and organization administrators can configure network address translation (NAT) and firewall settings to make specific virtual machines accessible from the external network.
  • Internal Organization network: Network which different vApps (with different VMs) can connect to internally. (Do not get this mixed up with vApp networks.) DHCP service available.
    • Accessible only by this organization. Only virtual machines within this organization can connect to and see traffic on this network. This network provides an organization with an isolated, private network that multiple vApps can connect to. This network provides no connectivity to machines outside this organization. Machines outside of this organization have no connectivity to machines within the organization.

Create/Modify/Delete an external network

  • Create
    • Add an external network to register vSphere network resources for vCloud Director to use. You can create organization networks that connect to an external network.
  • Prerequisites: A vSphere port group is available. If the port group uses VLAN, it can use only a single VLAN. Port groups with VLAN trunking are not supported.
  • Procedure
    • Click the Manage & Monitor tab and click External Networks in the left pane.
    • Click the Add Network button.
    • Select a vCenter Server and a vSphere port group and click Next.
    • Type the network settings and click Next.
    • Type a name and optional description for the network and click Next.
    • Review the network settings and click Finish.
  • Modify
    • Name/Description
      • Click the Manage & Monitor tab and click External Networks in the left pane.
      • Right-click the external network name and select Properties.
      • On the Name and Description tab, type a new name and description and click OK.
    • Specification
      • Click the Manage & Monitor tab and click External Networks in the left pane.
      • Right-click the external network name and select Properties.
      • On the Network Specification tab, modify the network settings and click OK.
      • You cannot modify the network mask or default gateway. If you need an external network with a different netmask or gateway, create one.
    • Add IP Addresses to IP Pool
      • Click the Manage & Monitor tab and click External Networks in the left pane.
      • Right-click the external network name and select Properties.
      • On the Network Specification tab, type an IP address or a range of IP addresses in the text box and click Add.
      • Click OK.
    • Delete
      • Before you can delete an external network, you must delete all of the organization networks that rely on it.
        • Click the Manage & Monitor tab and click External Networks in the left pane.
        • Right-click the external network name and select Delete Network.

Create/Modify/Delete an external direct organization network

  • Create
    • You can create an external direct organization network that multiple organizations can access. You typically use the external network to connect to the Internet. The organization connects directly to this network.
      • Procedure
        • Click the Manage & Monitor tab and click Organization Networks in the left pane.
        • Click Add Network.
          • The Create Organization Network wizard starts.
        • Select an organization and click Next.
        • Select the type of setup and network type and click Next.
          • You can create an external direct organization network using either method.
            • Typical: Select the external network check box and select direct connection from the drop-down menu.
            • Advanced: Select External organization network – direct connection.
        • Select an external network and click Next.
          • You can deselect the Only use networks accessible by this organization check box to view external networks that are not currently available to the organization through its organization vDCs. When you deselect this check box, you can choose an arbitrary network and later create an organization vDC that can access the network.
        • Type a name and optional description and click Next.
        • Review the settings for the organization network.
  • Modify
    • Modify name and description
      • Click the Manage & Monitor tab and click Organization Networks in the left pane.
      • Right-click the organization network name and select Properties.
      • On the Name and Description tab, type a new name and optional description and click OK.
    • Modify DNS settings:
      • Click the Manage & Monitor tab and click Organization Networks in the left pane.
      • Right-click the organization network name and select Properties.
      • On the Network Specification tab, type the new DNS information and click OK.
  • Delete
    • You can delete an organization network to remove it from the organization.
    • Prerequisites: Verify that no virtual machines are connected to the organization network.
      • Procedure
        • Click the Manage & Monitor tab and click Organization Networks in the left pane.
        • Right-click the organization network name and select Delete.

Create/Modify/Delete an external NAT-routed organization network

  • Create
    • You can create an external NAT-routed organization network that only this organization can access. An external NAT-routed organization network provides NAT connectivity to machines outside this organization for better control over what is accessible.
    • Prereq: External network and a network pool.
      • Procedure
        • Click the Manage & Monitor tab and click Organization Networks in the left pane.
        • Click Add Network.
          • The Create Organization Network wizard starts.
        • Select an organization and click Next.
        • Select the type of setup and network type and click Next.
          • You can create an external routed organization network using either method.
            • Typical: Select the external network check box and select routed connection from the drop-down menu.
            • Advanced: Select External organization network – NAT-routed connection.
        • Select an external network and network pool and click Next.
          • You can deselect the Only use networks accessible by this organization check box to view external networks and network pools that are not currently available to the organization through its organization vDCs. When you deselect this check box, you can choose an arbitrary network or network pool and later create an organization vDC that can access the network or network pool.
        • Use the default network settings or type your own and click Next.
        • (Optional) Type an external IP address for the network to use for NAT services, click Add, and click Next.
          • This setting is available only in advanced setup. You can add more than one external IP address.
        • Type a name and optional description and click Next.
        • Review the settings for the organization network.
        • Click Finish to accept the settings and create the organization network, or click Back to modify the settings.
  • Modify
    • View IP Use:
      • Click the Manage & Monitor tab and click Organization Networks in the left pane.
      • Right-click the organization network name and select IP Allocations.
    • Add IP Addresses to IP Pool:
      • Click the Manage & Monitor tab and click Organization Networks in the left pane.
      • Right-click the organization network name and select Properties.
      • On the Network Specification tab, type an IP address or a range of IP addresses in the text box and click Add.
      • Click OK.
    • Modify name and description
      • Click the Manage & Monitor tab and click Organization Networks in the left pane.
      • Right-click the organization network name and select Properties.
      • On the Name and Description tab, type a new name and optional description and click OK.
    • Modify DNS settings:
      • Click the Manage & Monitor tab and click Organization Networks in the left pane.
      • Right-click the organization network name and select Properties.
      • On the Network Specification tab, type the new DNS information and click OK.
  • Delete
    • You can delete an organization network to remove it from the organization.
    • Prerequisites: Verify that no virtual machines are connected to the organization network.
      • Procedure
        • Click the Manage & Monitor tab and click Organization Networks in the left pane.
        • Right-click the organization network name and select Delete.

Create/Modify/Delete an internal organization network

  • Create
    • You can create an internal organization network that only this organization can access. The new network provides the organization with an internal network to which multiple vApps can connect.
    • Prereq: Network pool.
      • Procedure
        • Click the Manage & Monitor tab and click Organization Networks in the left pane.
        • Click Add Network.
        • Select an organization and click Next.
        • Select the type of setup and network type and click Next.
          • You can create an internal organization network using either method.
            • Typical: Select the internal network check box.
            • Advanced: Select Internal organization network.
        • Select a network pool and click Next.
          • You can deselect the Only use networks accessible by this organization check box to view network pools that are not currently available to the organization through its organization vDCs. When you deselect this check box, you can choose an arbitrary network pool and later create an organization vDC that can access it.
        • Use the default network settings or type your own and click Next.
        • Type a name and optional description and click Next.
        • Review the settings for the organization network.
        • Click Finish to accept the settings and create the organization network, or click Back to modify the settings.
  • Modify
    • Same as the Modify bullet for External routed networks.
  • Delete
    • You can delete an organization network to remove it from the organization.
    • Prerequisites: Verify that no virtual machines are connected to the organization network.
      • Procedure
        • Click the Manage & Monitor tab and click Organization Networks in the left pane.
        • Right-click the organization network name and select Delete.
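The create and delete preconditions spelled out in the sections above (no VLAN-trunked port group behind an external network, no VMs attached when an organization network is deleted, no dependent organization networks when an external network is deleted) as a small inventory model. This is an added study example, not vCloud Director or VMware code; the Inventory, PortGroup and teardown_order names are my own.

```python
"""Tiny inventory model enforcing the create/delete preconditions from the
study notes above (constructed example, not vCloud Director code)."""
from dataclasses import dataclass, field

@dataclass
class PortGroup:
    name: str
    vlan_ids: tuple = ()  # more than one VLAN id means the port group is trunked

@dataclass
class Inventory:
    external_nets: dict = field(default_factory=dict)   # name -> port group name
    org_nets: dict = field(default_factory=dict)        # name -> external net or None
    vm_attachments: dict = field(default_factory=dict)  # vm name -> org net name

def add_external_network(inv, name, pg):
    # Page: a VLAN port group may use only a single VLAN; trunking is unsupported.
    if len(pg.vlan_ids) > 1:
        raise ValueError(f"{pg.name}: VLAN trunking port groups are not supported")
    inv.external_nets[name] = pg.name

def add_org_network(inv, name, external=None):
    # external=None models an internal organization network (network pool only).
    if external is not None and external not in inv.external_nets:
        raise KeyError(f"external network {external} does not exist")
    inv.org_nets[name] = external

def delete_org_network(inv, name):
    # Page: verify that no virtual machines are connected first.
    vms = sorted(vm for vm, net in inv.vm_attachments.items() if net == name)
    if vms:
        raise RuntimeError(f"{name} still has VMs attached: {vms}")
    del inv.org_nets[name]

def delete_external_network(inv, name):
    # Page: every organization network that relies on it must be deleted first.
    dependents = sorted(n for n, ext in inv.org_nets.items() if ext == name)
    if dependents:
        raise RuntimeError(f"{name} is still used by {dependents}")
    del inv.external_nets[name]

def teardown_order(inv, external):
    """Deletion sequence that removes an external network without tripping the checks."""
    steps = [("org_network", n) for n, e in sorted(inv.org_nets.items()) if e == external]
    return steps + [("external_network", external)]
```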

Explain the relationship between external networks and vSphere port groups

  • How virtual networking in your virtual infrastructure is set up is critical to ensuring the security of VMware vCloud Director in general and isolation of individual tenants in particular. VMware vCloud Director leverages the virtual switches and portgroups set up in the virtual infrastructure when creating Organization Networks (via External Networks and Network Pools). The different types of networks and pools at the VMware vCloud Director layer provide different types of isolation:
    • An External Network provides no isolation between virtual machines, vApps, or organizations by design. It is “external” in order to connect to systems outside the cloud. Connecting directly to that network doesn’t give the protection of the other types of networks.
    • A VLAN-backed Network Pool provides isolation using VLANs across a vNetwork Distributed Switch. A VMware vCloud Director network isolation–backed Network Pool provides isolation by encapsulating Layer 2 packets in other Layer 2 packets (MAC-in-MAC) in the ESX or ESXi kernel, allowing the kernel, when de-encapsulating packets, to direct them to the correct guest virtual machines connected to the networks created out of this sort of pool.
    • A vSphere portgroup-backed Network Pool does not enforce isolation directly, but is dependent on the portgroups not being connected to the same vSwitches and physical networks. Isolation can be provided at the physical network with VLANs or other mechanisms. Further discussion of this network type is out of the scope for this document.
  • None of the provider-level network types provide confidentiality if packets are intercepted at the physical network.

Explain the purpose and use cases for external networks

  • An external network provides connectivity “outside” an organization through an existing, preconfigured vSphere network port group. The vSphere port groups can be created using standard vSwitch port groups, vNetwork Distributed Switch port groups, or the Cisco Nexus 1000V.
  • In a public vCloud, these preconfigured port groups will provide access through the Internet to customer networks, typically using VPN or MPLS terminations.
  • When creating an external network, make sure to have sufficient vSphere port groups created and made available for virtual machine access in the vCloud.

Explain the relationship between organization networks and vShield Edge

  • External direct organization network:
    • No vShield Edge appliance.
  • External NAT-routed organization network:
    • As this is a routed network a vShield Edge Appliance is created.
    • vShield Edge is leveraged for firewalling and NAT to keep traffic separated from other organizations on the same external provider network.
  • Internal Organization network:
    • As this is a routed network a vShield Edge Appliance is created.

Explain best practices related to organization networks

  • Public vCloud
    • Create two different organization networks for each organization, one external organization network and one private internal organization network. You can do this as one step in the vCloud Director UI wizard by selecting the default (recommended) option when creating a new organization network. When naming an organization network, it is a best practice to start with the organization name and a hyphen, for example, ACME-Internet.
  • Private vCloud
    • At least one organization external network is required to connect vApps created within the organization to other vApps and/or the networking layers beyond the Private vCloud.
    • To accomplish this, create an external network in the Cloud Resources section (under Manage & Monitor of the System Administration section of the vCloud Director UI). In the wizard, be sure to select a direct connection. This external network maps to an existing vSphere network for virtual machine use as defined in the External Networks section (above).

Given organization requirements, determine the appropriate organization network type.

  • Really depends on the service the organization will be running.
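One way to make that decision explicit: the selection rules the sections above give (who can see the segment, whether a vShield Edge controls exposure, what must exist before the wizard runs) as a small Python helper. This is an added study example, not VMware code; the Requirements fields and the plan helper are my own assumptions for illustration.

```python
"""Decision helper for the organization network types this page describes
(constructed study aid, not VMware code)."""
from dataclasses import dataclass
from enum import Enum

class OrgNetworkType(Enum):
    EXTERNAL_DIRECT = "External direct organization network"
    EXTERNAL_NAT_ROUTED = "External NAT-routed organization network"
    INTERNAL = "Internal organization network"

# Prerequisites and vShield Edge usage as the notes above list them.
PREREQUISITES = {
    OrgNetworkType.EXTERNAL_DIRECT: ("external network",),
    OrgNetworkType.EXTERNAL_NAT_ROUTED: ("external network", "network pool"),
    OrgNetworkType.INTERNAL: ("network pool",),
}
USES_VSHIELD_EDGE = {
    OrgNetworkType.EXTERNAL_DIRECT: False,
    OrgNetworkType.EXTERNAL_NAT_ROUTED: True,
    OrgNetworkType.INTERNAL: True,
}

@dataclass(frozen=True)
class Requirements:
    reach_outside_org: bool         # vApps must talk to systems outside the organization
    tolerate_shared_l2: bool        # other tenants may share (and see) the same segment
    control_inbound_exposure: bool  # only selected VMs may be reachable from outside

def select_org_network(req):
    """Pick the least exposed network type that still meets the requirements."""
    if not req.reach_outside_org:
        # Private to the organization; no path to machines outside it.
        return OrgNetworkType.INTERNAL
    if req.control_inbound_exposure or not req.tolerate_shared_l2:
        # vShield Edge NAT/firewall decides which VMs are reachable, and no
        # other organization sits on the layer-2 segment.
        return OrgNetworkType.EXTERNAL_NAT_ROUTED
    # Direct layer-2 attachment: every VM is reachable from outside and the
    # segment is shared with other organizations.
    return OrgNetworkType.EXTERNAL_DIRECT

def plan(req):
    """Network type plus what must exist before the wizard can create it."""
    kind = select_org_network(req)
    return {"type": kind.value, "prerequisites": PREREQUISITES[kind],
            "vshield_edge": USES_VSHIELD_EDGE[kind]}
```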
