Accessing a fully isolated vApp or Organization Network
It is basically the same idea as in the previous recipe, but a very different solution; I call it "sitting on the fence", but it is commonly known as a Jumphost.
Getting ready
This solution doesn't require a vApp router, and it works for isolated vApps and isolated Organization Networks. Depending on what you would like to build, you need different parts:
- vApp Networks: Create a vApp with multiple VMs and deploy an isolated vApp Network. Then add an additional VM of your preferred OS type (Windows or Linux).
- Organization Networks: Create an isolated Organization Network that is connected to some other vApps. Now create an additional vApp with only one VM of your preferred OS type (Windows or Linux).
To add a VM to a vApp, see the Adding a VM to a vApp recipe in Chapter 3, Better vApps.
This additional VM will be the Jumphost VM. Do not power on the Jumphost VM yet, as this is an important step in the recipe.
How to do it...
The recipe is the same for vApp and for Organization Networks. We will focus on the additional VM we have created. Perform the following steps:
- Open your vApp and click on Networking.
- Add the Direct Organization Network to the vApp (see the Forwarding an RDP (or SSH) session into an isolated vApp recipe).
- Apply the new network configuration.
- Click on Virtual Machines.
- Right-click on the Jumphost VM and select Properties.
- Click on Hardware and scroll down to NICs.
- Add a new network card to the VM by clicking on Add.
- Connect the Direct Organization Network to the new network card using a Static - IP Pool as shown in the following screenshot:
Tip
Choose the Direct Organization Network to be Primary NIC.
- Click on OK to close the window.
- Power on the Jumphost VM.
- Check what IP has been assigned to the Jumphost VM from the Direct Organization Network.
- Use RDP/SSH or any kind of file-sharing you may have configured on the Jumphost (gateway) VM to connect to it.
- Use the VMware console to access the Jumphost VM from the inside of the vApp.
How it works...
We have placed a dual-homed VM (the Jumphost VM) on the border between the two networks (it is sitting on the fence). The Jumphost VM is assigned a public IP from the External Network Pool and a private IP from the isolated vApp or Organization Network. The important point is that the public-facing NIC is the primary NIC and therefore receives the default gateway address, which makes it possible to route the connection back to your desktop. This can also be achieved by adding static routes to the Jumphost VM's OS; however, for most people this is rather confusing.
The following diagram shows a Jumphost configuration for a vApp and an organization configuration:
All vanilla Linux and Windows OSs have routing between interface cards disabled. It has to be explicitly activated (see the See also section of this recipe). This means that the Jumphost VM is sitting on both networks without connecting them. This makes the Jumphost VM rather interesting. You can now access the Jumphost VM via RDP/SSH as well as via any kind of file-sharing that has been set up. This makes it possible to connect to a fully isolated network and share files between the External Network and the isolated network.
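The two properties this section relies on, forwarding switched off and the single default route leaving through the external NIC, are easy to get wrong by hand. The following script is an added example, not part of the book or of vCloud Director; it checks both properties on a Linux Jumphost VM. The interface names (eth0 on the Direct Organization Network, eth1 on the isolated network) and the addresses in the sample route tables are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the book): sanity checks for a Linux Jumphost VM
# built as in this recipe. It verifies that (1) IPv4 forwarding is off, so
# the VM sits on both networks without connecting them, and (2) exactly one
# default route exists and it leaves via the NIC on the Direct Organization
# Network. Interface names eth0 (external) and eth1 (isolated) and all
# addresses are constructed assumptions.

# check_forwarding VALUE
# VALUE is the content of /proc/sys/net/ipv4/ip_forward; succeed only if "0".
check_forwarding() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "0" ]
}

# check_default_route ROUTES EXT_IF
# ROUTES is the output of `ip -4 route`; succeed only if exactly one default
# route exists and it goes out via EXT_IF (the primary, external NIC).
check_default_route() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "default" {
            n++
            for (i = 2; i <= NF; i++)
                if ($i == "dev" && $(i + 1) == ifc) hit++
        }
        END { if (n == 1 && hit == 1) exit 0; exit 1 }'
}

# jumphost_ok FORWARD_VALUE ROUTES EXT_IF: both checks together.
jumphost_ok() {
    check_forwarding "$1" && check_default_route "$2" "$3"
}

# Constructed sample output of `ip -4 route` on a correctly configured Jumphost.
SAMPLE_GOOD_ROUTES='default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50
10.10.0.0/24 dev eth1 proto kernel scope link src 10.10.0.5'

# Constructed sample where the default route was wrongly put on the isolated NIC.
SAMPLE_BAD_ROUTES='default via 10.10.0.1 dev eth1 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50
10.10.0.0/24 dev eth1 proto kernel scope link src 10.10.0.5'

# Run against the live host with: sh check_jumphost.sh live [external-if]
# Without arguments, demonstrate the checks on the constructed samples.
if [ "${1:-}" = "live" ]; then
    ext_if=${2:-eth0}
    fwd=$(cat /proc/sys/net/ipv4/ip_forward)
    routes=$(ip -4 route)
    if jumphost_ok "$fwd" "$routes" "$ext_if"; then
        echo "Jumphost OK: forwarding off, single default route via $ext_if"
    else
        echo "Jumphost check FAILED: host may bridge the networks or lose return traffic" >&2
        exit 1
    fi
else
    jumphost_ok 0 "$SAMPLE_GOOD_ROUTES" eth0 && echo "sample good: OK"
    jumphost_ok 0 "$SAMPLE_BAD_ROUTES" eth0 || echo "sample bad: default route on the isolated NIC"
    jumphost_ok 1 "$SAMPLE_GOOD_ROUTES" eth0 || echo "sample forwarding=1: host would connect the two networks"
fi
```

Run it with `live` on the Jumphost VM after step 13 to confirm the configuration before you rely on it; a failed forwarding check means the host is acting as a router between the External Network and the isolated network, which is exactly what this recipe avoids.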
There's more…
If you take this principle further, you could create your own router, load balancer, and other kinds of gateways.
If you are using this host as a bastion host, please be aware that you will need to harden it.
See also
- The Activating Routing in Linux blog by Nikesh Jauhari at http://linuxpoison.blogspot.de/2008/01/how-to-enable-ip-forwarding.html
- The Activating Routing in Windows section at http://www.wikihow.com/Enable-IP-Routing