VMware Cloud Expert

Lab 04 - On-Premises integration with VMC on AWS

Introduction

VMware Cloud on AWS enables customers to have a hybrid cloud platform by running their VMware workloads in the cloud while having seamless connectivity to on-premises and Amazon Web Services (AWS) native services.

Customers can use their existing AWS Direct Connect (DX) or Virtual Private Network (VPN) solutions to connect to their VMware Software-Defined Data Center (SDDC) clusters.

VMware Cloud on AWS uses NSX to control access to this network as part of the SDDC management model, and limits access to only remote traffic required to support features like cross-cluster vMotion. On top of the underlay, NSX builds overlay networks for logical VMware connectivity. Each SDDC has two types of overlay networks:

  • Appliance Subnet is used to provide connectivity to SDDC management components like vCenter. This network is created during cluster provisioning with a carved-out network range from the Infrastructure or Management subnet. Customers can optionally specify the network range of the Management subnet during cluster creation for the purpose of avoiding conflicts with other networks that will need to connect to the SDDC. Access to this network is controlled by the NSX Management Gateway (MGW) through firewall rules and IPsec tunnels.
  • One or more customer-managed logical networks for VM traffic. Those can be either routed locally within the cluster or stretched from remote on-premises clusters with a remote gateway for L3 routing. Access to this network is controlled by the NSX Compute Gateway (CGW) through firewall rules and IPsec capabilities to enable customers to connect securely to their remote workloads and the Internet.

IPSec VPN Connectivity to On-Premises

IPSec VPN

IPSec VPN can be used to provide a secure connection to your SDDC over the public Internet or AWS Direct Connect. Route-based and policy-based VPNs are supported. Either type of VPN can connect to the SDDC over the Internet. A route-based VPN can also connect to the SDDC over AWS Direct Connect.

  • Route-based VPN - creates an IPsec tunnel interface and routes traffic through it as dictated by the SDDC routing table. A route-based VPN provides resilient, secure access to multiple subnets. When you use a route-based VPN, new routes are added automatically when new networks are created.

    Route-based VPNs in your VMware Cloud on AWS SDDC use an IPsec protocol to secure traffic and the Border Gateway Protocol (BGP) to discover and propagate routes as networks are added and removed. To create a route-based VPN, you configure BGP information for the local (SDDC) and remote (on-premises) endpoints, then specify tunnel security parameters for the SDDC end of the tunnel.
  • Policy-based VPN - creates an IPsec tunnel and a policy that specifies how traffic uses it. When you use a policy-based VPN, you must update the routing tables on both ends of the network when new routes are added.

    Policy-based VPNs in your VMware Cloud on AWS SDDC use an IPsec protocol to secure traffic. To create a policy-based VPN, you configure the local (SDDC) endpoint, then configure a matching remote (on-premises) endpoint. Because each policy-based VPN must create a new IPsec security association for each network, an administrator must update routing information on-premises and in the SDDC whenever a new policy-based VPN is created. A policy-based VPN can be an appropriate choice when you have only a few networks on either end of the VPN, or if your on-premises network hardware does not support BGP (which is required for route-based VPNs).

Direct Connect (DX) Connectivity to On-Premises

AWS Direct Connect (DX) provides a dedicated network connection between your on-premises network infrastructure and a virtual interface (VIF) in your AWS VPC. A private VIF provides direct private access to your SDDC. Configure DX over a private VIF to carry workload and management traffic, including VPN and vMotion, between your on-premises data center and your connected VPC. A DX connection over a private VIF can be used for all traffic between your on-premises data center and your SDDC. It terminates in your connected Amazon VPC, provides a private IP address space, and uses BGP to advertise routes in your SDDC and learn routes in your on-premises data center.

If you just want to use DX to access AWS services in a VPC you own, you can do so over a public VIF. You cannot use a public VIF to carry the same kinds of SDDC traffic (such as vMotion) that require a private VIF or Direct Connect Gateway.

The use of AWS Direct Connect is optional. If traffic between your on-premises network and your SDDC workloads requires higher speeds and lower latency than you can achieve with a connection over the public Internet, configure VMware Cloud on AWS to use AWS Direct Connect.

TASKS

Task 1 - Accessing the On-Premises Environment

For the remaining labs, we will be using our On-Premises Environment to access the VMC on AWS Console. In this task we'll use the VMware Horizon Client to access a VDI desktop that lives inside our On-Premises Environment.

For this lab, we will configure our On-Premises to VMware Cloud on AWS using Route-Based IPsec VPN. The On-Premises IPsec VPN Endpoint and session have already been configured.

  1. From your laptop/desktop open a new Google Chrome Incognito window
  2. Type https://vdi.27virtual.net in the browser address bar
  3. Click the checkbox "Check here to skip this screen and always use HTML Access"
  4. Click VMware Horizon HTML Access
  5. When prompted, log in as follows (get the login details from the Student Assignment Spreadsheet):
    • Username: VMCExpert#-XX (where # is the Environment ID and XX is your student number)
    • Password: VMwareNinja1!
  6. Select the available Desktop pool

Task 2 - Define On-Premises Management Network to restrict SDDC vCenter access

Management of workloads in vCenter can currently be done from your home or work due to the current Management Gateway firewall rule that allows "MyIP" source to access vCenter. With On-premises integration, you may want to restrict access to your VMware on AWS SDDC vCenter from your On-Premises location(s) only. In this task, we will modify the firewall rule to restrict the management of workloads running in VMC on AWS from your On-Premises lab environment only.

We'll allow traffic from our On-Prem private address range (192.168.110.0/24) for when we are communicating via the VPN, and from our On-Prem public IP (see below) for when we are not.

  1. From your VDI Desktop, click the Google Chrome shortcut on the Desktop
  2. Type whatismyip.com in the address bar
  3. Take note of and record the My Public IPv4 value, e.g. 66.216.10.9 (it should start with 66)

Because your VDI desktop is in the same lab environment as your On-Prem NSX deployment, the public IP of your desktop is the same as the public IP of your NSX Edge.

  4. In the browser bookmark bar click the "VMware Cloud SDDC" bookmark or type https://vmc.vmware.com/consoles/sddcs
  5. Log into the VMC SDDC Console using your VMC SDDC Student account
  6. Username: vmcexpert#-xx@vmware-hol.com (where # is the Environment ID & xx is your student number), e.g. [email protected]
  7. Password: VMware1!
  8. Click View Details at the bottom of your SDDC Tile (VMCEXPERT#-XX, where XX is your student number)
  9. In the VMware Cloud on AWS portal click the OPEN NSX MANAGER button
  10. Click ACCESS VIA THE INTERNET to connect to the NSX Manager UI
  11. Click the Inventory tab
  12. Click Groups
  13. Click Management Groups
  14. Click Add Group
  15. Enter the following values for the New Group settings:
    • Name: On-Prem Mgmt-Net
    • Click Set
    • Type 192.168.110.0/24 in the IP Addresses field (press Enter after typing the range and ensure it shows up in a blue box)
    • Also add <your On-Premises Public IP> from step 3
    • Click APPLY
  16. Click SAVE

Task 3 - Modify Gateway Firewall to restrict Access to the On-Premises Environment

We will now disable the current vCenter Inbound rule, which allows access from your PC, and add two new rules restricting access to vCenter and ESXi from the On-Premises Management Network only.

  1. Click on Security tab in your SDDC NSX Manager UI
  2. Click Gateway Firewall 
  3. Click Management Gateway
  4. Hover over the vCenter Inbound rule and click the slider on the right side of the row to disable it (it will now be switched to the left and gray instead of right and green)
  5. Click ADD RULE and define the rule as follows:
    • Name: On-Prem to ESXi Inbound
    • Source: On-Prem Mgmt-Net (You will need to hover over the source field and click the pencil. In the popup select the User Defined Groups Radio-button then check the On-Prem Mgmt-Net group)
    • Click Apply
    • Destination: ESXi (same as above except it will be found in System Defined Groups)
    • Services: HTTPS, vMotion, Provisioning & Remote Console
  6. Click ADD RULE to add a 2nd rule, use the instructions above and define it as follows:
    • Name: On-Prem to vCenter Inbound
    • Source: On-Prem Mgmt-Net (Mouse over the source field and click the pencil)
    • Destination: vCenter
    • Services: HTTPS, SSO
  7. Click Publish 
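To see the effect of the rule set built in this task, here is an added Python model of the Management Gateway policy (example code, not part of the lab or of NSX): first-match evaluation over the enabled rules, falling through to the gateway's default Drop. The service-to-port mapping and the home address 203.0.113.5 behind "MyIP" are constructed assumptions; the on-prem public IP is the example value from Task 2.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the Management Gateway (MGW) rule set after Task 3.
# "On-Prem Mgmt-Net" holds the lab's private range plus the example public IP
# from Task 2; "MyIP" stands in for the home/work address the original rule
# allowed (constructed value, not from the lab).
GROUPS = {
    "On-Prem Mgmt-Net": ["192.168.110.0/24", "66.216.10.9/32"],
    "MyIP": ["203.0.113.5/32"],
}

# Assumed TCP port mapping for the NSX service names used in the lab rules.
SERVICES = {
    "HTTPS": {443},
    "SSO": {7444},
    "vMotion": {8000},
    "Provisioning": {902},
    "Remote Console": {903},
}

# Rules in MGW order. The original "vCenter Inbound" rule stays in the table
# but is disabled (Task 3 step 4); the two new rules scope access to the group.
RULES = [
    {"name": "vCenter Inbound", "enabled": False, "src": "MyIP",
     "dst": "vCenter", "services": ["HTTPS", "SSO"], "action": "Allow"},
    {"name": "On-Prem to ESXi Inbound", "enabled": True, "src": "On-Prem Mgmt-Net",
     "dst": "ESXi", "services": ["HTTPS", "vMotion", "Provisioning", "Remote Console"],
     "action": "Allow"},
    {"name": "On-Prem to vCenter Inbound", "enabled": True, "src": "On-Prem Mgmt-Net",
     "dst": "vCenter", "services": ["HTTPS", "SSO"], "action": "Allow"},
]


def in_group(ip: str, group: str) -> bool:
    """True if ip falls inside any CIDR of the named group."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in GROUPS[group])


def evaluate(src_ip: str, dst: str, port: int):
    """First-match evaluation over enabled rules; the MGW default action is Drop."""
    for rule in RULES:
        if not rule["enabled"] or rule["dst"] != dst:
            continue
        if not in_group(src_ip, rule["src"]):
            continue
        if not any(port in SERVICES[s] for s in rule["services"]):
            continue
        return rule["action"], rule["name"]
    return "Drop", "Default Drop"


if __name__ == "__main__":
    checks = [("192.168.110.50", "vCenter", 443),  # VDI desktop over the VPN
              ("66.216.10.9", "ESXi", 8000),       # on-prem public IP, vMotion
              ("203.0.113.5", "vCenter", 443),     # home IP: its rule is disabled
              ("192.168.110.50", "ESXi", 7444)]    # SSO is not allowed to ESXi
    for src, dst, port in checks:
        print(src, dst, port, "->", evaluate(src, dst, port))
```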

Task 4 - Test Connectivity from On-Premises

Now let's confirm we can access vCenter from the On-Premises desktop (VDI) but not from any other network.

NOTE: At this time this connection still goes over the public Internet; it is just restricted to the On-Premises Management network. In the next task we will configure the IPSec VPN.

  1. At the top right of the page, click OPEN VCENTER
  2. On the Pop Up, click on the SHOW CREDENTIALS Button
  3. Click the Clipboard icon next to Password to copy the administrative user password to your clipboard.
  4. Click the OPEN VCENTER button to open a connection to the vCenter HTML5 client.
  5. In the [email protected] field enter [email protected]
  6. Right-click in the Password field and paste the password copied in the previous step.
  7. Click LOGIN.
  8. Try the same thing from your laptop/desktop; you'll notice you cannot access the SDDC vCenter except through the On-Premises environment.

NOTE: Sometimes there are caching issues with the browser. You may need to close the entire browser window and try again, or use a different browser.

Task 5 - Configure Route-based IPSec VPN in your SDDC

  1. Click the Networking tab in your SDDC NSX Manager UI
  2. Click VPN
  3. Click Route Based VPN
  4. Click ADD VPN
  5. Enter the following values for the VPN Settings:
    • Name: VMC_to_On-Prem_VPN
    • Local IP Address: <Public IP xx.xx.xx.xx> NOTE: Please choose Public IP1 (NOT the Private IP). Record this Public IP; you will need it in the next task to modify the On-Premises VPN settings
    • Remote Public IP: <On-Premises Public IP> e.g. 66.216.xx.xx NOTE: Make sure this IP starts with 66.216
    • BGP Local IP/Prefix: 169.254.111.30/30
    • BGP Remote IP: 169.254.111.29
    • BGP Neighbor ASN: 65002
    • Preshared Key: VMwareNinja1!
    • Remote Private IP: 192.168.151.1
  6. Click SAVE
  7. Click OK
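Before clicking SAVE, the values from this task can be sanity-checked offline. The following Python pre-flight is an added example (not lab or NSX code): it verifies that the BGP peer addresses are the two usable hosts of a single link-local /30, that the neighbor ASN is in the private range, and that the public endpoints are not RFC 1918 addresses. The SDDC Public IP1 is a placeholder, and the link-local /30 convention is an assumption taken from the lab values.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Task 5 values. Public IP1 of the SDDC is only known from the VPN settings page,
# so a placeholder is used; the on-prem public IP is the example value from Task 2.
VPN = {
    "local_public_ip": "198.51.100.10",   # placeholder for the SDDC Public IP1
    "remote_public_ip": "66.216.10.9",    # on-prem public IP (example from Task 2)
    "bgp_local": "169.254.111.30/30",
    "bgp_remote": "169.254.111.29",
    "bgp_neighbor_asn": 65002,
    "remote_private_ip": "192.168.151.1",
}

RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for private (RFC 1918) IPv4 addresses."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def preflight(cfg: dict) -> list:
    """Return the list of problems found; an empty list means the values are consistent."""
    problems = []
    local = ip_interface(cfg["bgp_local"])
    remote = ip_address(cfg["bgp_remote"])
    link = local.network
    # Assumption: the peering link is a /30 in 169.254.0.0/16, as in the lab values.
    if link.prefixlen != 30:
        problems.append(f"BGP local prefix {link} is not a /30 point-to-point link")
    if not link.is_link_local:
        problems.append(f"BGP link {link} is not in the 169.254.0.0/16 link-local range")
    usable = set(link.hosts())  # excludes the network and broadcast addresses
    if local.ip not in usable:
        problems.append(f"BGP local IP {local.ip} is not a usable host of {link}")
    if remote not in usable:
        problems.append(f"BGP remote IP {remote} is not a usable host of {link}")
    if local.ip == remote:
        problems.append("BGP local and remote IPs must differ")
    asn = cfg["bgp_neighbor_asn"]
    if not 64512 <= asn <= 65534:
        problems.append(f"neighbor ASN {asn} is outside the private range 64512-65534")
    for key in ("local_public_ip", "remote_public_ip"):
        if is_rfc1918(cfg[key]):
            problems.append(f"{key} {cfg[key]} is an RFC 1918 address, not a public endpoint")
    if cfg["local_public_ip"] == cfg["remote_public_ip"]:
        problems.append("local and remote public IPs must differ")
    if not is_rfc1918(cfg["remote_private_ip"]):
        problems.append(f"remote private IP {cfg['remote_private_ip']} is not an RFC 1918 address")
    return problems


if __name__ == "__main__":
    print("lab values:", preflight(VPN) or "OK")
    # Typical slip: typing the broadcast address of the /30 as the remote peer.
    print("bad peer:", preflight(dict(VPN, bgp_remote="169.254.111.31")))
```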

Once you've configured the IPSec VPN in your VMware Cloud on AWS SDDC, you'll typically download the configuration and hand it to your On-Premises networking team. They can use the values in the document to configure a VPN endpoint On-Premises. IPSec VPN can be configured on any compliant IPSec VPN gateway device (physical or virtual).

In our On-Prem environment we are using VMware NSX as the VPN endpoint. It is important to note that NSX is not an On-Prem requirement for setting up a VPN to VMC on AWS.

Task 6 - Configure IPSec VPN On-Premises

The On-Premises lab environment uses VMware NSX, and IPSec VPN has already been configured. However, you'll need to modify the IPSec Session configuration, providing the public IP address of the IPSec VPN endpoint in your SDDC.

  1. From the Google Chrome bookmark bar of the VDI Desktop click VI Management
  2. Click the NSX-T Local Manager bookmark
  3. If prompted with an SSL warning message, click Advanced and then Proceed to nsxtmgr-l-01a.vcn.ninja.local
  4. Log into NSX-T Manager as:
    • admin
    • VMwareNinja1!  Note: You can also use ctrl+m to paste in the password
  5. Click the Networking tab
  6. Click VPN under the Network Services section in the left pane
  7. Click the IPSEC SESSIONS tab
  8. Select the 3 vertical dots next to RB-VPN-VMC
  9. Click Edit

Note: We're now working in the On-Premises Environment, so the "Remote" side is your VMC SDDC. Keep this in mind when entering IPs. The IP you'll provide is the VMC SDDC Public IP1 address you recorded in Task 5, step 5 (not your On-Premises Public IP).

  10. Make the following changes:
    • Remote IP: replace 1.1.1.1 with <Public IP1 from the SDDC VPN configuration>
    • Admin Status: Enabled (move the slider to enable the VPN session)
    • Remote ID: replace 1.1.1.1 with <Public IP1 from the SDDC VPN configuration>
  11. Click SAVE
  12. Under the Status column, click the refresh icon
  13. After 5-20 seconds the status should change to Success.

You may have to hit refresh or click onto another menu item then click back on VPN to refresh.

  14. In the browser tab for your SDDC NSX Manager UI click the Home tab
  15. Click Overview
  16. On the Overview page, view the graphical dashboard status of the VPN session. It should show a successful connection

You may have to wait a few minutes or hit refresh for it to appear green.

Task 7 - Configure/Identify Private addressing for vCenter and Workload VMs

We will now confirm connectivity through the IPSec VPN tunnel. To do this we must first create the required firewall policy on the Compute and Management Gateways in the SDDC to allow incoming communications. The On-Premises environment is currently set to allow all outgoing and incoming connections.

  1. From the VDI Desktop open a new browser tab to access the On-Prem vCenter (VI Management)
  2. In the bookmark bar click VI Management --> vSphere Client
    If prompted with an SSL warning message, click Advanced and then Proceed to vc-l-01a.vcn.ninja.local
  3. Log in as:
    • [email protected]
    • VMwareNinja1!      Note: You can also use ctrl+m to paste in the password
  4. Power on all the VMs and vApps in the compute cluster:
    1. Expand Shinobi-On-Prem DC
    2. Select Shotoku Compute01
    3. Click the VMs tab
    4. Select all powered-off VMs
    5. Right-click them
    6. Click Power --> Power On
  5. Also take note of the IP addresses of the following VMs (you will reference them later):
    • Web-01a | 172.16.10.11
    • Web-02a | 172.16.10.12
    • App-01a | 172.16.20.11
    • Db-01a | 172.16.30.11

NOTE: We will need to create Gateway firewall rules in the SDDC to allow these VMs access through the tunnel to the web servers in the SDDC

Task 8 - Enable Private IP address resolution for the SDDC vCenter

Now that we have a VPN configured between our On-Premises environment and our VMC SDDC, we want all traffic for vCenter to go through the VPN. To do this, we will change the name resolution for vCenter from the Public IP (which is routed over the Internet) to the Private IP (which is routed through the VPN).

In addition, we now want our VMC SDDC gateways, both management and compute, to use our On-Premises DNS servers to resolve any addresses ending in corp.local; any other domains can still be sent to the Internet. We'll use DNS Zones to accomplish this.

  1. From the VDI desktop access your VMC SDDC and click on the Settings tab
  2. Expand vCenter FQDN
  3. Click Edit
  4. From the Resolution Address drop-down set the address to Private IP
  5. Click Save

We'll create a DNS Zone so that all DNS lookups for vcn.ninja.local and ninja.local will be sent to our On-Premises nameserver.

  6. Click the OPEN NSX MANAGER button and click ACCESS VIA THE INTERNET to connect to the NSX Manager UI. Wait until the NSX Manager page has loaded and you see the Home - Overview dashboard.
  7. Click the Networking tab
  8. Choose DNS under IP Management
  9. Click the DNS Zones tab
  10. Click Add DNS Zones
  11. Click Add FQDN Zone and enter the following values
  12. Zone Name: vcn.ninja.local
  13. Domain:
    • vcn.ninja.local
    • ninja.local
  14. DNS Servers: 192.168.110.10
  15. Click Save
  16. Click the DNS Services tab
  17. Select the 3 vertical dots next to Compute Gateway DNS Forwarder
  18. Click Edit
  19. Select the 3 vertical dots next to Compute Gateway Default Zone
  20. Click Edit
  21. Set DNS Servers to 192.168.110.10
  22. Click Save
  23. Click on the drop-down next to FQDN Zones
  24. Select vcn.ninja.local in the FQDN Zones field
  25. Click SAVE
  26. REPEAT STEPS 16 through 25 to change DNS Servers to 192.168.110.10 in the Management Gateway Default Zone and add the FQDN Zone to the Management Gateway DNS Forwarder
    (If you do not perform this task, Site Recovery will fail in a future lab!)
  27. Make sure that your DNS Services configuration looks the same as in the picture.

Task 9 - Confirm vCenter restricted access

Now let's confirm we can still access vCenter from the VDI desktop (On-Premises) but not from any other network. Keep in mind that private IPs are not reachable from the Internet; only Internet-addressable IPs are.

  1. Return to the VMC Console and go to the Settings tab
  2. Expand the Default vCenter User and vSphere Client (HTML5) sections
  3. Take note of and copy the following values, or get the information from the Excel workbook if it was previously saved:
    • Username
    • Password
    • vSphere Client URL
  4. In a new browser tab from within the VDI desktop paste in the vCenter URL and log in using the information you saved from the previous step
  5. You can also confirm that vCenter is no longer accessible from external addresses by performing the above steps on your desktop/laptop.

Task 10 - Create IP Set for On-Premises Applications

With the VPN successfully set up, you may need to allow communications between your On-Premises applications and those running in your VMC SDDC. Examples could include allowing your VMC workloads Active Directory and database access where those resources reside On-Premises, or vice versa. For this to happen you must modify the firewall policies on both your VMC SDDC and your On-Premises firewall. In this lab task, we will adjust the firewall settings on the Compute Gateway of the SDDC to allow the communication.

  1. At your SDDC VMware on AWS console click the OPEN NSX MANAGER button and click ACCESS VIA THE INTERNET to connect to the NSX Manager UI. Wait until the NSX Manager page has loaded and you see the Home - Overview dashboard.
  2. Click Inventory tab
  3. Click Groups 
  4. Select Compute Groups
  5. Click Add Group
  6. Name:  On-Prem 3-Tier App
  7. Click Set
  8. In the Pop Up Select the IP Addresses tab
  9. Enter the following IP Subnets
    • 172.16.10.0/24
    • 172.16.20.0/24
    • 172.16.30.0/24
  10. Click Apply
  11. Click Save
  12. REPEAT STEPS: Click Add Group
  13. Name: SDDC-Workloads
  14. Click Set
  15. In the Pop Up Select the Members tab
  16. For Category select NSX Segments
  17. Select all Subnets (Demo-Net, Desktop-Net, SDDC-cgw-network-1)
  18. Click Apply
  19. Click Save

Task 11 - Create Gateway Firewall rule for Tunnel Communications

We'll need to create firewall rules to allow our On-Prem applications and users to communicate with our VMC Applications.

  1. At SDDC NSX Manager UI click on Security tab
  2. Click Gateway Firewall
  3. On the Compute Gateway Click Add Rule three times
  4. Configure the rules with the following information (note that we create the first two rules and then disable them so that you get a feel for the interface; a different rule is what this lab actually relies on):
    1. RULE 1 
      • Name: Allow On-Prem to PhotoApp
      • Source: On-Prem 3-Tier App
      • Destination: PhotoAppVM
      • Service: Any
      • Applied To: VPN Tunnel Interfaces (You may need to hover over the "All Uplinks" text, click the blue pencil, click the X next to All Uplinks, then select from the drop-down)
      • Action: Allow
      • Move the slider to Disable this rule
    2. RULE 2 ( follow the instructions just above)
      • Name: Allow PhotoApp to On-Prem
      • Source: PhotoAppVM
      • Destination: On-Prem 3-Tier App
      • Service: Any
      • Applied To: VPN Tunnel Interfaces
      • Action: Allow
      • Move the slider to Disable this rule
    3. RULE 3 ( follow the instructions just above)
      • Name: Allow SDDC Workloads Outbound HTTP
      • Source: SDDC-Workloads
      • Destination: ANY
      • Service: HTTP, HTTPS, "Office Server Web Services, HTTP,SSL", DNS-TCP, DNS-UDP
      • Applied To: All Uplinks
      • Action: Allow
  5. Change the "Action" dropdown on the "Default VTI Rule" to Allow instead of Drop. This allows all flows over the VPN tunnel in and out of the Compute gateway.
  6. Click Publish

Task 12 - Test Connectivity

NOTE: If the ping in step 6 fails, verify that webserver01 is powered on.

  1. If your previously opened On-Prem vCenter tab is closed, open a new browser tab from within the VDI Desktop
  2. In the Bookmark bar, click VI Management --> vSphere Client (You may need to click proceed if you get a security warning)
  3. Log in as:
    • [email protected]
    • VMwareNinja1!   Note: You can also use ctrl+m to paste in the password
  4. Select web-01a VM (You can find this under vc-l-01a > Shinobi On Prem DC > Shotoku Compute01)
  5. Click LAUNCH WEB CONSOLE
  6. In the console for web-01a ping -c3 <webserver01_IP_Address> (10.10.x.11) in your SDDC (Remember that you have to log into vCenter from your VDI machine. If you do not have it written down previously, you can find the IP in your VMC SDDC > SDDC-Datacenter > Cluster-1 > Compute-ResourcePool > Webserver01)

Conclusion

A route-based VPN creates an IPsec tunnel interface and routes traffic through it as dictated by the SDDC routing table. A route-based VPN provides resilient, secure access to multiple subnets. When you use a route-based VPN, new routes are added automatically when new networks are created.

Route-based VPNs in your VMware Cloud on AWS SDDC use an IPsec protocol to secure traffic and the Border Gateway Protocol (BGP) to discover and propagate routes as networks are added and removed. To create a route-based VPN, you configure BGP information for the local (SDDC) and remote (on-premises) endpoints, then specify tunnel security parameters for the SDDC end of the tunnel.

With a VPN set up between your On-Premises environment and your VMware Cloud on AWS SDDC, you can begin to take advantage of hybrid solution use cases, such as:

  • Hybrid Linked Mode
  • Cloud Migration
  • Disaster Recovery
  • Etc...
