Creating a secure connection between organizations (which can be in different vClouds)

Connecting one vCloud Organization Network to another isn't easy, and most of the time, rather impossible. However, this is how it works, the easy way.

Getting ready

We need two organizations, each with an Edge configured as well as an Organization Network that connects to the Edge. Make sure that the Organization Networks have different IP ranges (for example, 192.168.2.0/24 and 192.168.4.0/24).

For testing, we need vApps in both organizations that have VMs that are connected to the Edge.

How to do it...

  1. Enter the organization (either one).
  2. Click on Cloud Resources and then double-click on the OvDC you have created.
  3. Click on Edge Gateway.
  4. Right-click on the Edge and select Edge Gateway Services.
  5. Click on VPN.
  6. Check Enable VPN as shown in the following screenshot:
  7. Click on Add to add a new connection. You should now get the following screen:
  8. Name the connection and select a network in another organization under Establish VPN to.
  9. Now click on Login to Remote VCD. You should get the following screen:
  10. Fill out the remote connection with a user that has Org Admin rights.
  11. After login, the rest of the mask is filled out. We now need to select the end point of the VPN:
  12. We can leave the rest alone. Just click on OK.
  13. The VPN connection is now ready, and by clicking on OK, we let the Edge to configure itself.
  14. After the Edge has been configured, we now need to configure the firewalls in both Edges to actually let some traffic through. The following instructions have to be done on both Edge devices in each organization:
    1. Click on Edge Gateway.
    2. Right-click on the Edge and select Edge Gateway Services.
    3. Click on Firewall. You should see the following screen:
    4. Click on Add and add the following two firewall rules:
    5. Click on OK to exit the configuration.
  15. The firewalls on both Edges are now configured to allow the traffic between the networks. You should now be able to deploy a VM on both sides and perform a simple PING test.

How it works...

With this method you can connect two different environments, which can not only be in the same vCloud but could also be a physically separate vCloud, making a VPN an easy way to connect two vClouds, for example, client-based disaster recovery.

The following diagram shows such a setup:

Here vCloud creates an IPSec VPN in vCNS. vCloud not only creates the VPN on one Edge but also on both sides, sharing the encryption key between them and setting up the connection. That's why we also need to configure the firewall on both sides of the IPSec VPN tunnel. Please note that the previous firewall rules are extremely relaxed, therefore, you might want to consider a more secure approach.

The VPN is a tunnel that starts and ends with an Edge device (or if you are connecting to an outside network the end would be a VPN-capable device). vCloud/vCNS supports the following encryption standards:

  • AES-NI
  • SSL VPN
  • AES256-SHA

There's more...

There's more we can do with the VPN network, which is explained in this section.

Connecting to other networks in the same organization

Another VPN you can open up is between two Edge devices in the same organization. To do this, we need two Edges deployed in the organization, and each should have an Organization Network attached. Perform the following steps for connecting to other networks in the same organization:

  1. Navigate to Edge Gateway Services | VPN.
  2. Click on Add.
  3. Choose a network in this organization in Establish VPN to:
  4. Select the Edge you want to connect to.
  5. Select the networks you would like to attach to each other.
  6. Click on OK.
Connection to the outside

You can connect to a remote network that is not a vCloud but just a common VPN endpoint (for example, your business network). This is done by performing the following steps:

  1. Navigate to Edge Gateway Services | VPN.
  2. Click on Add.
  3. Choose a remote network in Establish VPN to::
  4. Enter the peer network definition you want to connect to (for example, 172.16.0.0/16).
  5. The Peer ID value is the IP of the VM that you want to reach.
  6. The Peer IP value is the public IP you are connecting to; if the peer VM is behind a NAT, this IP is the NAT's public IP.
  7. The Shared key value has to be the one you configured on the remote network.
  8. Don't forget to set the firewalls.
Public IPs

Instead of using the IPs' Edge received from the External Network, you can define your own public IPs. This is mostly needed if your External Network is connected through NAT to the Internet. To configure public IPs, perform the following steps:

  1. Navigate to Edge Gateway Services | VPN.
  2. Click on Configure public IPs. You should see the following screen:
  3. For each External Network that has been configured with the Edge, enter one Public IP value.
More VPN possibilities

When you log into the vCNS and have a look at the VPN settings, you will see that you can also use SSL plus VPNs. You don't have to use vCloud's VPN configurations to connect two (or more) organizations; you can use the vCNS directly to set up an SSL VPN.

Depending on the size of the vCNS, a certain number of simulations of SSL VPN connections are supported, as shown in the following table:

上一章目录下一章