Deploying an RSA SecurID Access IDR in vCloud Air
- Import IDR OVA into vCloud Air Catalog
- Create a SNAT in vCloud Air
- Adding a second Organization Network
- DNAT for the Portal Interface
- Firewall and NAT Rules prior to Registration
- Configure IPs on the IDR
- Establishing the IPSec Tunnel To Local Environment
- Firewall Configuration in vCloud for VPN Connections
We were testing out deploying an IDR in vCloud Air to ensure the setup and configuration worked without any issues. Here is the process we ran through to successfully deploy an IDR in vCloud Air.
Import IDR OVA into vCloud Air Catalog
After you log in to your vCloud Air Private Cloud you can create a VM within your VDC (Virtual Data Center). Click on the Virtual Machines tab and you will see the following:
Click on Create your first virtual machine and you will see the new VM wizard:
If you click on My Catalog it might be empty:
At this point you can click on Create My Virtual Machine from Scratch and it will take you to your vCloud instance:
From here you can upload the OVA into the default-catalog (this is inside vCloud Director under Catalogs -> default_catalog -> Upload) so you can use it as a template for multiple deployments:
Create a SNAT in vCloud Air
By default, most of the traffic is blocked and no NAT is configured, so you can't reach the external network. To fix this, first let's get a public IP. In vCloud Air go to Gateways -> GATEWAY ON VDC1 -> Public IPs; initially it will look like this:
Then click on Add IP Address. It will warn you about getting charged, and after that it will allocate the IP. Now let's create the SNAT so any machine can reach the internet. Go to Gateways -> GATEWAY ON VDC1 -> NAT Rules -> Add a NAT Rule and fill out the following (make sure it matches your environment):
The firewall is pretty restrictive as well, so go to Gateways -> GATEWAY ON VDC1 -> Firewall Rules and add the following basic rules:
Adding a second Organization Network
vCloud Director offers many different networking options; most of them are covered in vApp Design Considerations. By default a Direct – External Organization Virtual Datacenter Network (Routed) network is created. From the same page:
5.4.1.5. Direct – External Organization Virtual Datacenter Network (Routed)
If the same example vApp with three virtual machines is connected to an organization virtual datacenter network that has a routed connection to an external network, the vApp is connected to an organization virtual datacenter network and is deployed there with the organization virtual datacenter network’s IP addressing. The Edge Gateway device then provides a routed connection between the organization virtual datacenter network and the external network. This scenario is shown in the following figure.
Figure 11. Direct Connection to a Routed External Organization Virtual Datacenter Network
And it looks like this in vCloud Director (navigate to Administration -> Virtual Datacenters -> VCD1 -> Org VDC Networks):
So let's add another routed network, which will be our mgmt network (the IDR comes with two network interfaces, portal and mgmt). Click the green + and it will start the wizard. Choose the routed option:
I then added the following network details on the next page:
And after that you will have two networks:
I will use 192.168.109.0/24 to be the portal/DMZ (defaulted-routed-network) network and 10.10.10.0/24 as the mgmt/internal (routed-network-2) network.
DNAT for the Portal Interface
Since we want the portal to be reachable externally, let's add a DNAT (or a port forward) from the public IP, port 443, to the internal portal IP, port 443. In vCloud Air navigate to Gateways -> GATEWAY ON VDC1 -> NAT Rules -> Add a NAT Rule and add the following DNAT:
On the next page, if you are really organized, you can also add a similar rule for port 80:
Also don't forget to allow the firewall to pass ports 80 and 443 to the public IP and to the internal network. I ended up creating the following rules to allow that traffic:
Firewall and NAT Rules prior to Registration
As a sanity check, here is a table of my NAT rules:

| Type | Original IP | Original Port | Translated IP | Translated Port | Protocol |
|---|---|---|---|---|---|
| DNAT | 107.189.120.76 | 443 | 192.168.109.2 | 443 | TCP |
| DNAT | 107.189.120.76 | 80 | 192.168.109.2 | 80 | TCP |
| SNAT | 192.168.109.0/24 | Any | 107.189.120.76 | Any | Any |
| SNAT | 10.10.10.0/24 | Any | 107.189.120.76 | Any | Any |
| DNAT | 107.189.120.76 | 8443 | 10.10.10.2 | 443 | TCP |

The bottom one (DNAT from 8443 to MGMT_IP 443) is to allow access to the setup.jsp page and can be removed after registration. And the firewall rules look like this:
| Name | Source | Destination | Protocol |
|---|---|---|---|
| ALLOW_INTERNAL_ICMP_OUT | Internal:Any | Any:Any | ICMP |
| ALLOW_INTERNAL_DNS_OUT | Internal:Any | Any:53 | UDP |
| ALLOW_INTERNAL_HTTP_OUT | Internal:Any | Any:80 | TCP |
| ALLOW_INTERNAL_HTTPS_OUT | Internal:Any | Any:443 | TCP |
| ALLOW_INTERNAL_UDP_1194_OUT | 10.10.10.0/24:Any | Any:1194 | UDP |
| ALLOW_EXTERNAL_HTTP_IN | Any:Any | 107.189.120.76/32:80 | TCP |
| ALLOW_EXTERNAL_HTTPS_IN | Any:Any | 107.189.120.76/32:443 | TCP |
| ALLOW_INTERNAL_HTTP_IN | Any:Any | 192.168.109.0/24:80 | TCP |
| ALLOW_INTERNAL_HTTPS_IN | Any:Any | Internal:443 | TCP |
| ALLOW_EXTERNAL_TCP_8443_IN | Any:Any | 107.189.120.76/32:8443 | TCP |

The ALLOW_INTERNAL_HTTPS_IN rule can be changed after registration to only allow 443 to the portal interface network (192.168.109.0/24) and not to any internal IP. The bottom rule (ALLOW_EXTERNAL_TCP_8443_IN) can also be removed once setup.jsp access is no longer required, since it only exists to serve the port forward from 8443 to the MGMT_IP port 443.
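To make the NAT and firewall tables above checkable rather than just readable, here is an added example (not code from the original post or from vCloud Air) that models them in Python. It assumes first-match, default-deny evaluation for the edge firewall and that the "Internal" keyword expands to the two org networks; the external client address and the constant names are constructed. The hardening function applies the two post-registration changes described in the text (drop the 8443 port forward and its rule, restrict ALLOW_INTERNAL_HTTPS_IN to the portal network) so you can confirm that only the intended flows survive.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed model of the NAT and firewall tables above. Assumed semantics:
# rules are evaluated top to bottom, first match wins, unmatched traffic drops.
PUBLIC_IP = "107.189.120.76"
PORTAL_NET = "192.168.109.0/24"   # defaulted-routed-network (portal/DMZ)
MGMT_NET = "10.10.10.0/24"        # routed-network-2 (mgmt/internal)
INTERNAL = (PORTAL_NET, MGMT_NET)  # what "Internal" expands to in this setup


@dataclass(frozen=True)
class Rule:
    name: str
    src: str    # "Any", "Internal", an IP, or a CIDR
    sport: str  # "Any" or a port number as text
    dst: str
    dport: str
    proto: str  # "TCP", "UDP", "ICMP" or "Any"


@dataclass(frozen=True)
class Nat:
    kind: str   # "DNAT" or "SNAT"
    orig_ip: str
    orig_port: str
    xlat_ip: str
    xlat_port: str
    proto: str


def _addr_match(spec, ip):
    if spec == "Any":
        return True
    if spec == "Internal":
        return any(_addr_match(net, ip) for net in INTERNAL)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "Any" or int(spec) == port


def first_match(rules, src, sport, dst, dport, proto):
    """Name of the first firewall rule admitting the flow, or None (dropped)."""
    for r in rules:
        if (r.proto in ("Any", proto)
                and _addr_match(r.src, src) and _port_match(r.sport, sport)
                and _addr_match(r.dst, dst) and _port_match(r.dport, dport)):
            return r.name
    return None


def dnat_target(nats, dst, dport, proto):
    """(inside IP, inside port) that a connection to dst:dport is forwarded to, or None."""
    for n in nats:
        if (n.kind == "DNAT" and n.orig_ip == dst
                and _port_match(n.orig_port, dport) and n.proto in ("Any", proto)):
            return n.xlat_ip, int(n.xlat_port)
    return None


NAT = [
    Nat("DNAT", PUBLIC_IP, "443", "192.168.109.2", "443", "TCP"),
    Nat("DNAT", PUBLIC_IP, "80", "192.168.109.2", "80", "TCP"),
    Nat("SNAT", PORTAL_NET, "Any", PUBLIC_IP, "Any", "Any"),
    Nat("SNAT", MGMT_NET, "Any", PUBLIC_IP, "Any", "Any"),
    Nat("DNAT", PUBLIC_IP, "8443", "10.10.10.2", "443", "TCP"),  # setup.jsp, temporary
]

FIREWALL = [
    Rule("ALLOW_INTERNAL_ICMP_OUT", "Internal", "Any", "Any", "Any", "ICMP"),
    Rule("ALLOW_INTERNAL_DNS_OUT", "Internal", "Any", "Any", "53", "UDP"),
    Rule("ALLOW_INTERNAL_HTTP_OUT", "Internal", "Any", "Any", "80", "TCP"),
    Rule("ALLOW_INTERNAL_HTTPS_OUT", "Internal", "Any", "Any", "443", "TCP"),
    Rule("ALLOW_INTERNAL_UDP_1194_OUT", MGMT_NET, "Any", "Any", "1194", "UDP"),
    Rule("ALLOW_EXTERNAL_HTTP_IN", "Any", "Any", PUBLIC_IP + "/32", "80", "TCP"),
    Rule("ALLOW_EXTERNAL_HTTPS_IN", "Any", "Any", PUBLIC_IP + "/32", "443", "TCP"),
    Rule("ALLOW_INTERNAL_HTTP_IN", "Any", "Any", PORTAL_NET, "80", "TCP"),
    Rule("ALLOW_INTERNAL_HTTPS_IN", "Any", "Any", "Internal", "443", "TCP"),
    Rule("ALLOW_EXTERNAL_TCP_8443_IN", "Any", "Any", PUBLIC_IP + "/32", "8443", "TCP"),
]


def harden_after_registration(nats, rules):
    """Post-registration clean-up from the text: drop the 8443 port forward and
    its firewall rule, and limit ALLOW_INTERNAL_HTTPS_IN to the portal network."""
    nats = [n for n in nats if not (n.kind == "DNAT" and n.orig_port == "8443")]
    rules = [replace(r, dst=PORTAL_NET) if r.name == "ALLOW_INTERNAL_HTTPS_IN" else r
             for r in rules if r.name != "ALLOW_EXTERNAL_TCP_8443_IN"]
    return nats, rules


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed external client address
    print(dnat_target(NAT, PUBLIC_IP, 443, "TCP"))
    print(first_match(FIREWALL, client, 51000, PUBLIC_IP, 8443, "TCP"))
    nat2, fw2 = harden_after_registration(NAT, FIREWALL)
    print(dnat_target(nat2, PUBLIC_IP, 8443, "TCP"))
    print(first_match(fw2, client, 51000, "10.10.10.2", 443, "TCP"))
```

Run it as-is to see the 8443 path open before hardening and dropped afterwards; extend `FIREWALL`, `NAT` and the probe flows to match your own gateway before relying on it.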
Configure IPs on the IDR
First let's assign the vNics of the VM to the appropriate networks (management to default-routed-network and portal to routed-network-2). Click on the VM and then go to Networks:
Then click Add a Network and assign the NICs accordingly:
Then go back to the main VM screen and power on the IDR VM :
Then click on the VM and it will take you to the properties page of the VM, where you can click on Open Virtual Machine Console:
After applying the network settings I was able to reach port 8443 without problems:
Establishing the IPSec Tunnel To Local Environment
There is a pretty good KB on the process from VMware: Configuring IPsec VPN within VMware vCloud Air to a remote network and there is a pretty good diagram that represents all the networks:
My local network is the mgmt network, which is the 10.10.10.0/24 network, and my peer network is the 10.210.0.0/16 network, which allows access to the AD in my internal network. To start this configuration, from vCloud Air go to Gateways -> GATEWAY ON VDC1, then click on Manage in vCloud Director:
Once in vCloud Director go to Administration -> Virtual Datacenters -> VCD1 -> Edge Gateways and right click on the default GW to choose Edge Gateway Services:
Then go to the VPN tab and click Enable VPN and then Add:
After clicking Add, the wizard will start and you can configure your VPN settings. The settings depend on your environment, but here are the options broken down:
| Option | Value | Description |
|---|---|---|
| Local Network | 10.10.10.0/24 | This is the vCloud network (Mgmt Network) we want the remote site to have access to |
| Peer Networks | 10.210.0.0/16 | This is the network we want to access at the remote site |
| Local Endpoint | 107.189.120.76 (drop down) | This is the Public IP of the Local End Point |
| Local ID | 107.189.120.76 | This can be anything, but it helps to set the IP to keep track of the configuration |
| Peer ID | 10.210.0.248 | This can be anything as well, but they recommend to either set it to the Public IP of the Remote End Point or the Private IP of the Remote End Point |
| Peer IP | X.X.X.X | This is the Public IP of the Remote End Point |
| Encryption Protocol | AES | You can use AES 256, 3DES, or AES |
| Shared Key | Left it as the generated one | We will have to use that key on the remote VPN side to ensure we can authenticate with each end point to establish the VPN Tunnel |
| MTU | 1500 | Left the Default |
Firewall Configuration in vCloud for VPN Connections
I ended up adding the following rules to ensure the VPN connection is established and to allow traffic from and to the internal networks across the VPN tunnel:
| Name | Source | Destination | Protocol | Notes |
|---|---|---|---|---|
| ALLOW_IP_SEC_ESP_AH_UDP | X.X.X.X/32:Any | 107.189.120.76/32:Any | ANY | This is so we can establish the IPSec Tunnel between the two endpoints. The following is necessary: Since the only IP protocol allowed in the vCloud UI is ICMP, I decided to use Any to make sure I cover all of the above |
| ALLOW_VPN_TRAFFIC_L_TO_R | 10.210.0.0/16:Any | 10.10.10.0/24:Any | ANY | This might be overkill but I am allowing anything from the Internal network to the vCloud MGMT network. |
| ALLOW_VPN_TRAFFIC_R_TO_L | 10.10.10.0/24:Any | 10.210.0.0/16:80 | ANY | This might be overkill but I am allowing anything from the vCloud MGMT network to the Remote Internal network. For my test, I could've just allowed 389 for the AD connection. But if you are planning to connect to internal webapps then 80 and 443 should be added here |
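The VPN option table lists only the vCloud side; the tunnel comes up only if the remote device is configured with the same values mirrored (its local network is our peer network, its peer ID is our local ID, and so on) and the same shared key. The following added example (not code from the post or from VMware) derives the remote side from the vCloud-side table and reports mismatches between the two ends. The remote public IP, the shared key and the dictionary keys are constructed; the real Peer IP is the X.X.X.X placeholder above.

```python
import ipaddress

# Constructed from the VPN option table above. The shared key and the remote
# public IP are placeholders, not values from the real deployment.
VCLOUD_SIDE = {
    "local_network": "10.10.10.0/24",
    "peer_networks": "10.210.0.0/16",
    "local_endpoint": "107.189.120.76",
    "local_id": "107.189.120.76",
    "peer_id": "10.210.0.248",
    "peer_ip": "203.0.113.10",                 # stands in for X.X.X.X
    "encryption": "AES",
    "shared_key": "constructed-psk-not-a-real-secret",
}


def expected_remote_side(local):
    """What the remote VPN device must be configured with: every local/peer
    field swapped, with the same encryption protocol and the same shared key."""
    return {
        "local_network": local["peer_networks"],
        "peer_networks": local["local_network"],
        "local_endpoint": local["peer_ip"],
        "local_id": local["peer_id"],
        "peer_id": local["local_id"],
        "peer_ip": local["local_endpoint"],
        "encryption": local["encryption"],
        "shared_key": local["shared_key"],
    }


def _net(text):
    # strict=False tolerates a host address typed where a network was meant.
    return ipaddress.ip_network(text, strict=False)


def check_pair(local, remote):
    """Return a list of findings; an empty list means both ends mirror each other."""
    findings = []
    want = expected_remote_side(local)
    for key in ("local_network", "peer_networks"):
        if _net(want[key]) != _net(remote[key]):
            findings.append(f"{key}: remote has {remote[key]}, expected {want[key]}")
    for key in ("local_endpoint", "local_id", "peer_id", "peer_ip", "encryption"):
        if want[key] != remote[key]:
            findings.append(f"{key}: remote has {remote[key]}, expected {want[key]}")
    if want["shared_key"] != remote["shared_key"]:
        findings.append("shared_key: does not match")  # never echo the key itself
    if _net(local["local_network"]).overlaps(_net(local["peer_networks"])):
        findings.append("local_network overlaps peer_networks; routing over the tunnel is ambiguous")
    return findings


if __name__ == "__main__":
    remote = expected_remote_side(VCLOUD_SIDE)
    print(check_pair(VCLOUD_SIDE, remote))          # []
    remote["peer_networks"] = "10.10.0.0/24"         # constructed typo on the far end
    remote["shared_key"] = "something-else"
    for finding in check_pair(VCLOUD_SIDE, remote):
        print(finding)
```

Feed it the values actually entered on both devices before troubleshooting a tunnel that will not establish; a swapped subnet or a re-typed shared key is the usual cause and shows up here without touching either gateway.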
After all the above is done, if you go back to vCloud Director you will see the VPN connection is good:
After all the above settings, we were able to connect to the AD server and log in to the web portal without issues.