Introduction
TASKS
- Log into the VMCEXPERT VCDR Org assigned to your workshop (VMCEXPERT1-VCDR01, VMCEXPERT2-VCDR01, VMCEXPERT3-VCDR01)
- username: [email protected]
- password: {assigned_password}
- Click View Details
- Confirm the following:
- There are 4 Nodes deployed in the SDDC
- Tanzu Service Activated Successfully
(If the service is not activated you can activate manually or contact us in the Slack Channel). - The SDDC has Large Appliances
- Click the Networking and Security tab
- Click Groups --> Management Groups and create the following groups
| Group Name | Members |
|---|---|
| Jumphost | {IP Address of your On-Prem VPN Endpoint for your environment} I.E 66.216.10.X |
| On-Prem Mgmt-Net | 192.168.110.0/24 10.10.6.0/24 |
| Environment | On-Prem VPN Endpoint IP |
|---|---|
| VMCEXPERT1 | 66.216.10.116 |
| VMCEXPERT2 | 66.216.10.117 |
| VMCEXPERT3 | 66.216.10.120 |
- Click Gateway Firewall --> Management Gateway and create the following Firewall rule to allow access to vCenter
- Click Open vCenter
- Click Show Credentials
- Copy the cloudadmin user password
- Click Open vCenter
- Login as:
- Username: [email protected]
- Password: {Paste in the copied password}
- Confirm the following
- There are 4-nodes in the cluster
- There is a Namespaces ResourcePool
- There is a kubernetes Content Library
In the event that Tanzu services have not been activated or if the activation failed, you can perform the activation manually. Below are the steps and setting
- In the Summary tab of the SDDC, Click the Actions drop-down
- Click Activate Tanzu Kubernetes Grid
- Use the following values to configure the Networks:
| Network | CIDR |
|---|---|
| Service CIDR | 10.240.12.0/24 |
| Namespace CIDR | 10.240.8.0/22 |
| Ingress CIDR | 10.240.4.0/22 |
| Egress CIDR | 10.240.0.0/22 |
- Click Validate and Proceed
- Click Activate Tanzu Kubernetes Grid
Creating the software defined networking and the TKG Supervisor cluster takes roughly 20 minutes to complete.
Each lab kit now has an additional Desktop (Tanzu Desktop). Students access this desktop from their VDI session (There is a rdp shortcut to it on their desktop). These desktops are configured on the 10.10.6.0/24 network. There is a vPod router (10.10.6.1) that these desktops use as a gateway. This router also acts as a VPN endpoint to the Desktop. In VMC you setup the VPN to point to this endpoint.
Below is the IP permanent IP address of the vPod Router for Each environment.
| Environment | On-Prem VPN Endpoint (Router) IP |
|---|---|
| VMCEXPERT1 | 66.216.10.116 |
| VMCEXPERT2 | 66.216.10.117 |
| VMCEXPERT3 | 66.216.10.120 |
- In the SDDC, click the Networking and Security Tab
- Click VPN
- Click Add VPN
- Enter the following values for the VPN Configuration:
- NAME: Tanzu VPN
- Remote Public IP: {Router IP for your Environment} See the table above
- BGP Local IP/Prefix Length: 169.254.111.30/30
- BGP Remote IP: 169.254.111.29
- BGP Neighbor ASN: 65001
- Preshared Key: VMwareNinja1!
- Click Save
Please record and notify us of the LOCAL IP ADDRESS (SDDC VPN ENDPOINT IP) You will need to update the VPN configuration On-Prem to match the SDDC. Temporarily disable the VPN until you have configured the VPN settings On-Prem
Once the Matching configuration is set on the On-Prem router, you can enable the VPN session for the SDDC and refresh the status
Once you've successfully created the VPN session in your VCDR SDDC in VMC on AWS, you'll then configure the VPN endpoint in the On-Prem environment to instantiate the VPN between both sites.
In this task, you will configure the On-Prem VPN endpoint on the Tanzu VyOS router. A saved SSH connection to the VyOS router has been created and can be accessed via MTPutty and a template with the commands to configure the router can be found on the desktop of the Instructor's VDI desktop (32)
A complete video recording of the on-prem configuration can be found here. It is also embedded and attached below
If you haven't already, connect to the Instructor's VDI session as documented below
- Go to https://vdi.27virtual.net and login as:
- Username: vmcexpert#-32
- Password: {Your_On-Prem_VDI_Password}
- Select your VDI Desktop
- Launch google chrome browser
- Go to https://vmc.vmware.com/console/sddcs, login and select the your Environment VCDR Org
- Click View Details
- Click Networking & Security --> VPN
- Select the Info icon next to Public IP, then copy and save the SDDC VPN Local Gateway IP
- On the desktop open Notepad and paste in the IP copied in the previous step
- Launch MTPutty
- Launch the saved SSH session to the VyOS router
- Type config to put the router in configuration mode
- Resize or minimize the MTPutty window
- On the desktop open the Tanzu VPN Setup Files folder
- Open and copy the content of the VYOS Tanzu Template for... VPN file
- Paste the content into another Notepad instance
- On the Keyboard press CTRL+H
- Type X.X.X.X in the find field and
- Paste in the {saved IP from step 7} in the Replace with field
- Click Replace All
- Copy all the line that start with set vpn
- Paste them into the MTPutty session to the VyOS router
- Press Enter (This will configure the VPN Endpoint to your SDDC)
- Return to Notepad and copy the next set of commands under the set vpn commands (commit through reboot)
- Press Enter
- When Prompted Type Y to reboot the Router
- Close the MTPutty session when prompted
Wait for approximately 2 minutes (120 seconds)before proceeding to the nest steps
- In the Browser window with the VMC Console, enable the VPN session
- Refresh the configuration
- Your VPN should now report as up ans healthy
To allow access between the Kubernetes Pod, External access to the pods as well as access to vCenter we need to setup a few groups (Compute and Management) as well as Firewall rules.
- In the SDDC click the Networking and Security Tab
- Click Groups
- Click Add Group
- Define the following Compute Groups:
- Tanzu Egress
- Group Name: Tanzu Egress
- Group Type: IP Address
- Members: 10.240.0.0/22
- Tanzu Egress
- Group Name: Tanzu Ingress
- Group Type: IP Address
- Members: 10.240.4.0/22
- RFC 1918
- Group Name: RFC1918
- Group Type: IP Address
-
Members:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- Tanzu Egress
- Click Management Groups
- Confirm that Jumphost and On-Prem Mgmt-Net exist and are properly populated
- Click Add Group
- Define the following Management Group
- RFC 1918
- Group Name: RFC1918
- Group Type: IP Address
-
Members:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- RFC 1918
- Click Gateway Firewall
- Add/Modify the following Compute Gateway Firewall rules
| Name | Sources | Destination | Services | Applied To | Action |
|---|---|---|---|---|---|
| Tanzu Ingress | Any | Tanzu Ingress | ANY | All Uplinks | Allow |
| Tanzu Egress | Tanzu Egress | ANY | ANY | All Uplinks |
Allow |
| Intranet Access | RFC1918 | RFC1918 | ANY | All Uplinks |
Allow |
| Internet Access | RFC1918 | ANY | http https |
All Uplinks |
Allow |
| Default VTI Rule | VPN Tunnel Interface | Allow |
- Publish the rule
- Click Management Gateway
- Confirm the On-Prem to vCenter rule exists and is defined appropriately
-
Add a rule to allow access from the Pods. Define the rule as follows:
- Name: Internal to vCenter
- Source: RFC1918
- Destination: vCenter
- Services: HTTPS, SSO
- Publish the rule
- Click DNS
- Click the 3 vertical dots next to Management Gateway DNS Forwarder
- Click Edit
- Set Server IP 1 to 10.10.6.50
- Clear Server IP 2
- Click Save
Students will use individual domain accounts when working with Tanzu. To make this possible, the On-Prem AD (27 Virtual.net) needs to be added as an Identity source and the domain users need to be assigned rights in vCenter
- In the SDDC Console, Click Open vCenter
- Copy the CloudAdmin Password
- Log into vCenter as:
- Username: [email protected]
- Password: {Paste-in-Copied-Password}
- Click the Hamburger Menu --> Administration
- In the Left pane under Single Sign-on, click Configuration
- Click the Identity Sources tab
- Click Add to add the On-Premises AD as an Identity Source using the values below
- Identity Source name: 27 Virtual
- Base Distinguished name for Users: dc=27virtual,dc=net
- Base Distinguished name for Groups: dc=27virtual,dc=net
- Domain Name: 27virtual.net
- Domain Alias: 27Virtual
- Username: [email protected]
- Password: VMwareNinja1!
- Primary Server URL: ldap://10.10.6.50
- Click Add
- Click Global Permissions
- Click Add
- Add and assign a user the CloudGlobalAdmin role by choosing the following:
- Domain: 27virtual.net
- User/Group: vmcexpert#-users (i.e. vmcexpert3-users)
- Role: CloudGlobalAdmin
- Click Propagate to children
- Click the Hamburger Menu --> Inventory
- Select the vCenter Server --> Permissions Tab
- Click Add
- Add and assign a user the CloudAdmin role by choosing the following:
- Domain: 27virtual.net
- User/Group: vmcexpert#-users (i.e. vmcexpert3-users)
- Role: CloudAdmin
- Click Propagate to children
- In vCenter click The Hamburger Menu --> Workload Management
- Click Create Namespace
- Select the Cluster (Cluster-1)
- Name the namespace vmcexpert3-32
- Click Create
- Click Add Permission in the Permission tile
- Add the associated user account by selecting the following:
- Identity Source: 27virtual.net
- User/Group Search: vmcexpert#-xx (i.e. vmcexpert3-01)
- Role: Owner
- Click OK
- Click Add Storage in the Storage Tile
- Select vSAN Default Storage Policy
- Click OK
- Click Add VM Class in the VM Service Tile
- Select the following VM Classes
- best-effort-medium
- best-effort-small
- best-effort-xsmall
- Click OK
0 Comments
Add your comment