Using vApp Network fencing
In this recipe, we will explore vApp Network fencing. We will see how we can use this feature.
Getting ready
To play with fencing, we need to have a Direct Organization Network (or isolated, but that's not as much fun) and some VM templates.
How to do it...
- Create a new vApp using the
button. - Add two VMs to the vApp and name them.
- Connect the VMs to the Direct Organization Network using the Static - IP manual option.
- Set the manual IPs outside the range of the Static IP Pool for each VM.
- In the Configure Networking section, click on Fence vApp, as shown in the following screenshot:
- Finish the vApp creation.
- Deploy the vApp.
- After the vApp is deployed, double-click back into it and go to Virtual Machines:
- See that the VMs now have an internal and external IP. To communicate with the VMs, use the external IP.
- Now stop the vApp.
- Right-click on the vApp and choose Copy to....
- Name the vApp and click on OK.
- After the vApp has been copied, start both vApps (the original and the copy).
- Check the IPs of all VMs in all vApps.
How it works...
You may know vApp Network fencing from VMware Lab Manager, but the vCloud implementation is different.
Fencing allows you to re-use the same IPs and MAC addresses in multiple vApps. This is rather different from using an isolated network, as fencing allows full connection to the fenced VMs just with different IPs, as you can see in the following diagram:
The VMs inside the fence communicate using the internal IPs (.20 and .21), but appear to be using the external IPs (.100 and .101) for any communication to the outside. Communication is allowed out, but not in.
Fencing allows one to deploy a vApp with the same content multiple times and still use them without changing their IP or MAC addresses. However, you need to understand that the VMs inside are the same, meaning that if you have an Active Directory inside the vApp, things will go wrong. The AD will advertise itself with its internal IP that is not accessible via the outside; also, it will receive AD advertising from the original AD outside the vApp (the AD you copied it from) with the same IP.
What happens in the background is that for each fenced vApp, a new Edge device is deployed and configured. The Edge has the same name as the network; however, the HREF (the number behind the name) is different; refer to the following screenshot (compare the Names):
There's more...
Because we are again using a vApp router (Edge), we can have a look at the settings by performing the following steps:
- Right-click on the Organization Network in the vApp.
- Choose Configure Services.
- Click on Firewall and then on NAT.
Have a look at the Firewall and NAT values, as shown in the following table:
This setting allows the VMs in the fence (.20 and .21) to be reached from the VMs on the outside using the public IPs (.100 and .101). However, you should be rather careful with a configuration like that. Maybe opening up only certain ports for the inbound connection is a better idea.
In addition to all this, you can configure the external IP (DNAT) of each VM by performing the following steps:
- Right-click on the Organization Network in the vApp.
- Choose Configure Services.
- Click on NAT.
- Click on the DNAT rule and click on Edit. You should see the following screen:
- Change the Mapping Mode value to Manual and enter the IP under External IP.
- Click on OK and again on OK to activate these settings.