VCP6-CMA Section 3: Create and Administer Cloud Networking

Contents:

Objective 3.1: Explain NSX Integration with vRealize Automation

Manage network services from within vRealize Automation

  • Fabric Administrators create network profiles to define the existing external networks and the virtual networks created for VMs provisioned as part of multi-machine services
  • Types of network profile include:
    • External networks
      • Existing networks
      • Serve as the external side of NAT and routed networks
        • Can define the static IP address ranges available on the external network
        • Prerequisite for NAT and routed network profiles
    • NAT virtual networks
      • Created during provisioning
      • One-to-one: every VM is assigned an external IP from the external network profile and an internal address from the NAT profile
      • One-to-many: all machines share a single IP address from the external network profile
    • Routed virtual networks
      • Created during provisioning
      • Represent routable IP space divided across subnets that are linked together with a routing table
      • VMs that use the same routed network profile can communicate with each other and the external network
    • Private virtual networks
      • Created during provisioning
      • Internal network that has no connection to external or public networks
      • VMs can only communicate with each other
      • VMRC (the VM remote console) is the only way to reach a VM on a private network
      • Network profile defines
        • Internal network
        • Static IP ranges
        • DHCP ranges
    • Network profiles are created by the Fabric Administrator:
      • Infrastructure > Reservations > Network profiles
    • When cloning VMs, the requester can assign static IP addresses from a predetermined range
      • An IP address allocated to a machine from the specified ranges stays allocated after the machine is destroyed; it is reclaimed for reassignment only when the ReclaimDestroyedStaticIPAddresses workflow runs
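The difference between the two NAT modes is easiest to see as the Edge NAT rules each one implies. The following is an added example, not vRA or NSX code: it builds the rule set for a one-to-one and a one-to-many profile and reports which internal addresses the external network can reach inbound. The XML layout in to_nsx_xml() and the vnic index are assumptions that approximate the NSX Edge NAT API; check them against the NSX API guide before use. The addresses are constructed sample data.

```python
"""Model the two NAT network profile modes as NSX Edge NAT rules.
Added example, not vRA or NSX code.  Assumptions: the XML shape in
to_nsx_xml() approximates the NSX Edge NAT API and the vnic index is
illustrative; verify both against the NSX API guide before use."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    action: str       # "snat" (outbound rewrite) or "dnat" (inbound rewrite)
    original: str     # address or subnet the rule matches on
    translated: str   # address it is rewritten to
    description: str


def one_to_one_rules(external_ips, internal_ips):
    """One-to-one NAT: each VM gets its own address from the external profile.
    Every VM needs a SNAT rule (outbound) and a DNAT rule (inbound), so every
    VM is reachable from the external network on all ports unless the Edge
    firewall restricts it."""
    ext = [str(ipaddress.ip_address(a)) for a in external_ips]
    internal = [str(ipaddress.ip_address(a)) for a in internal_ips]
    if len(ext) < len(internal):
        raise ValueError("external profile has too few free addresses for one-to-one NAT")
    rules = []
    for e, i in zip(ext, internal):
        rules.append(NatRule("snat", i, e, f"outbound {i} -> {e}"))
        rules.append(NatRule("dnat", e, i, f"inbound {e} -> {i}"))
    return rules


def one_to_many_rules(external_ip, internal_network):
    """One-to-many NAT: all VMs share one external address.  A single SNAT
    covers the internal subnet; there is no DNAT, so nothing inside is
    reachable inbound until an explicit port-forwarding rule is added."""
    ext = str(ipaddress.ip_address(external_ip))
    net = str(ipaddress.ip_network(internal_network, strict=True))
    return [NatRule("snat", net, ext, f"outbound {net} -> {ext}")]


def inbound_exposed(rules):
    """Internal addresses the external network can reach through a DNAT rule."""
    return sorted({r.translated for r in rules if r.action == "dnat"})


def to_nsx_xml(rules, vnic=0):
    """Render the rules in an NSX Edge-style <nat> document (assumed layout)."""
    body = "".join(
        f"<natRule><action>{r.action}</action><vnic>{vnic}</vnic>"
        f"<originalAddress>{r.original}</originalAddress>"
        f"<translatedAddress>{r.translated}</translatedAddress>"
        f"<enabled>true</enabled><loggingEnabled>true</loggingEnabled>"
        f"<description>{r.description}</description></natRule>"
        for r in rules
    )
    return f"<nat><natRules>{body}</natRules></nat>"


if __name__ == "__main__":
    # constructed sample addresses
    o2o = one_to_one_rules(["192.0.2.10", "192.0.2.11"], ["10.10.0.5", "10.10.0.6"])
    o2m = one_to_many_rules("192.0.2.20", "10.10.0.0/24")
    print("one-to-one exposes inbound:", inbound_exposed(o2o))
    print("one-to-many exposes inbound:", inbound_exposed(o2m))
    print(to_nsx_xml(o2m))
```

The point for a reviewer of a blueprint: a one-to-one profile silently makes every component VM addressable from the external network, so the Edge firewall (or app isolation) has to carry the access policy; a one-to-many profile exposes nothing inbound by default.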

Configure NSX Integration

  • Ensure that the NSX plugin is installed in vRealize Orchestrator
  • Ensure that you have created the appropriate credentials to access vRealize Orchestrator
    • For the internal (embedded) instance use administrator@vsphere.local
    • The credentials need at least execute permission on every workflow that will be called
  • Create a vRealize Orchestrator Endpoint
    • Log in as an IaaS Administrator
    • Select Infrastructure > Endpoints > Endpoints
    • Select New Endpoint > Orchestration > vCenter Orchestrator
    • Enter a name & description
    • Type the URL of the vRO server
      • 5.1: https://vro:8281
      • 5.5: https://vro:8281/vco
      • If no port is specified 8281 is assumed
    • Specify the endpoint priority custom property
      • Click New Property
      • VMware.VCenterOrchestrator.Priority = 1 (lower value is higher priority)
      • Click save & OK
    • Right-click the endpoint and click Data Collection
  • Create a vSphere Endpoint for Networking and Security
    • Log in as an IaaS Administrator
    • Go to Infrastructure > Endpoints > Endpoints
    • Edit the vSphere endpoint
    • Select Specify manager for network and security platform
    • Type the URI of the NSX instance in the address box
      • https://fqdn
      • https://ip_address
    • Select the appropriate credentials
    • Click OK
    • Perform a data collection
      • Infrastructure > Compute Resources > Compute Resources
      • Point to the vSphere Compute resource and click Data Collection
    • Run the Enable Security Policy Support for Overlapping Subnets workflow
      • Log in to vRO
      • Run NSX > NSX Workflows for vCAC > Enable security policy support for overlapping subnets
      • Select the NSX endpoint as the input
      • Once complete, the Distributed Firewall rules defined in a security policy are applied only to the vNICs of the members of the security group to which that policy is applied

Configure IaaS for Network Integration

  • Configure the appropriate credentials for the vRealize Orchestrator Instance
  • Configure the appropriate credentials for the Networking and Security Endpoint for the vSphere compute resource
  • Configure the vRealize Orchestrator Endpoint
    • Set Endpoint Priority
    • Run Data Collection
  • Configure the vSphere Endpoint with the NSX manager endpoint
  • Run Data Collection for the vSphere Compute Resource
  • Run the Enable Security Policy Support for Overlapping Subnets workflow
  • Create a network profile
  • Create a reservation and assign networks and security groups
  • Create multi-machine blueprints
    • Can be configured to provision virtual networks based on NSX
  • Publish multi-machine blueprint

Objective 3.2: Configure and Manage vRealize Automation Networking

Identify the available NSX for vSphere Edge network services

  • An NSX Edge device offers the following services:
    • Dynamic Routing
      • Provides forwarding information between Layer 2 broadcast domains, allowing you to shrink Layer 2 broadcast domains and improve network efficiency and scale
    • Firewall
      • Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for all protocols
    • Network Address Translation
      • Separate controls for source and destination IP Addresses, as well as port translation
    • DHCP
      • Configuration of IP pools, gateways, DNS servers, and search domains
    • Site to Site VPN
      • Uses IPsec to interoperate with all major VPN vendors
    • L2 VPN
      • Provides the ability to stretch your L2 network
    • SSL VPN-Plus
      • Allows remote users to connect to private networks behind an NSX gateway
    • Load Balancing
      • Simple and dynamic configurable Virtual IP Addresses and server groups
    • HA
      • Ensures an active NSX Edge on the network if the primary NSX Edge VM becomes unavailable

Sub-allocate IP Pools

  • Click Networking & Security > NSX Managers
  • Click an NSX Manager & select manage
  • Click Grouping Objects and then IP Pools
  • Click Add New IP Pool
  • Type a name & default gateway
  • Type the primary & secondary DNS servers along with the DNS suffix & prefix length
  • Add the IP address ranges to be included in the pool and click OK
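The IP pool dialog above and the static IP ranges in a network profile both hand out addresses from fixed ranges, and both are easy to misconfigure (a range outside the prefix, a range that swallows the gateway, two ranges that overlap). The following added example, not VMware code, validates a pool definition with those checks and then models allocation, destruction and the reclaim step the way the notes describe it: a destroyed machine's address stays held until the ReclaimDestroyedStaticIPAddresses workflow runs. The class name, its method names and the sample addresses are constructed for illustration.

```python
"""Validate an NSX IP pool definition and hand out / reclaim its addresses
the way a vRA network profile allocates static IPs.  Added example, not
VMware code.  The pool fields mirror the Add New IP Pool dialog (gateway,
prefix length, DNS servers, address ranges); the allocator and its reclaim
step are an illustrative model of the behaviour described in the notes."""
import ipaddress


class IpPool:
    def __init__(self, name, gateway, prefix_len, ranges, dns=()):
        self.name = name
        self.gateway = ipaddress.ip_address(gateway)
        self.network = ipaddress.ip_network(f"{self.gateway}/{prefix_len}", strict=False)
        for server in dns:
            ipaddress.ip_address(server)          # reject typos early
        self.ranges = []
        for start, end in ranges:
            s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if s > e:
                raise ValueError(f"range {start}-{end} is reversed")
            if s not in self.network or e not in self.network:
                raise ValueError(f"range {start}-{end} lies outside {self.network}")
            if s <= self.gateway <= e:
                raise ValueError(f"range {start}-{end} contains the gateway {gateway}")
            self.ranges.append((s, e))
        self.ranges.sort()
        for (s1, e1), (s2, _) in zip(self.ranges, self.ranges[1:]):
            if s2 <= e1:
                raise ValueError(f"ranges starting {s1} and {s2} overlap")
        self.allocated = {}      # address -> machine name
        self.destroyed = set()   # addresses of destroyed machines, still held

    def addresses(self):
        """Every address in the pool, in range order."""
        for s, e in self.ranges:
            cur = s
            while cur <= e:
                yield cur
                cur += 1

    def free_count(self):
        return sum(1 for _ in self.addresses()) - len(self.allocated)

    def allocate(self, machine):
        """Lowest unallocated address, as a string."""
        for ip in self.addresses():
            if ip not in self.allocated:
                self.allocated[ip] = machine
                return str(ip)
        raise RuntimeError(f"pool {self.name} is exhausted")

    def destroy(self, machine):
        """Destroying the machine does not free its address: vRA keeps it
        allocated until the ReclaimDestroyedStaticIPAddresses workflow runs."""
        for ip, owner in self.allocated.items():
            if owner == machine:
                self.destroyed.add(ip)
                return str(ip)
        raise KeyError(f"{machine} holds no address in pool {self.name}")

    def reclaim_destroyed(self):
        """Model of the reclaim workflow: release held addresses for reuse.
        Anything still keyed on these addresses (firewall rules, DNS records,
        DHCP bindings) now points at whatever machine is allocated them next."""
        freed = sorted(self.destroyed)
        for ip in freed:
            del self.allocated[ip]
        self.destroyed.clear()
        return [str(ip) for ip in freed]


if __name__ == "__main__":
    # constructed sample pool: two ranges inside 10.20.0.0/24, gateway excluded
    pool = IpPool("web-tier", "10.20.0.1", 24,
                  [("10.20.0.10", "10.20.0.11"), ("10.20.0.20", "10.20.0.20")],
                  dns=("10.20.0.2",))
    print(pool.allocate("web-01"), pool.allocate("web-02"), "free:", pool.free_count())
    pool.destroy("web-01")
    print("held after destroy, free:", pool.free_count())
    print("reclaimed:", pool.reclaim_destroyed(), "free:", pool.free_count())
```

The security-relevant edge case is the last step: after reclamation the old address is reissued to the next request, so any firewall rule, DNS entry or DHCP binding written for the destroyed machine now applies to a different VM unless it was cleaned up with the machine.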

Add static IP Addresses

  • Static IP address bindings are based on the vCenter Managed Object ID of the VM and the vNIC index of the requesting client
  • Static IP bindings are managed on the edge device
  • Click Manage > DHCP > Bindings
  • The following options are available when configuring a binding
    • Auto Configure DNS
    • Lease never expires
    • Interface
    • VM Name
    • VM vNIC index
    • Host Name
    • IP Address
    • Domain Name
    • Primary Name Server
    • Secondary Name Server
    • Default Gateway
    • Lease Time

Configure syslog

  • Syslog for NSX Manager
  • If a syslog server is specified, all audit logs and system events from NSX Manager are sent to it
    • Log in to the NSX Manager Virtual Appliance
    • Select Appliance Management > Manage Appliance Settings
    • Select General
    • Click Edit next to Syslog Server
    • Type the IP and port of the syslog server
  • Syslog for an NSX Edge
    • Can configure one or two syslog servers
    • Edge events and the firewall logs generated by the NSX Edge appliances are sent to the syslog server
      • Log in to the vSphere Web Client
      • Click Networking & security > NSX Edges
      • Double click an Edge
      • Click Monitor > Settings
      • In the Details panel, click Change next to syslog servers
      • Configure the IP / Port and protocol of the syslog server
      • Click OK
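Once the Edge is forwarding firewall logs, the records are only useful if something reads them. The following added example, not VMware code, parses Edge firewall syslog lines and summarises the denied traffic per source, which is the first thing to look at when a multi-machine deployment cannot reach something or when an external host is probing it. The sample lines are constructed and approximate the iptables-style record an NSX Edge emits (an ACTION_ruleId tag followed by IN=, OUT=, SRC=, DST=, PROTO=, SPT= and DPT= fields); the regular expression encodes that assumption, so check it against one real line from your own Edge before relying on it.

```python
"""Parse NSX Edge firewall syslog lines and summarise drops per source.
Added example, not VMware code.  SAMPLE_LOG is constructed and approximates
the iptables-style record format an Edge forwards to syslog; LINE_RE is
written for that assumed format and should be checked against real output."""
import re
from collections import Counter

# Constructed sample: four firewall verdicts, one accept for DNS, one non-firewall line.
SAMPLE_LOG = """\
2016-04-20T15:43:40+00:00 edge-1 kernel: ACCEPT_131072 IN=vNic_0 OUT=vNic_1 SRC=192.0.2.15 DST=10.10.0.5 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
2016-04-20T15:43:41+00:00 edge-1 kernel: DROP_131073 IN=vNic_0 OUT=vNic_1 SRC=198.51.100.7 DST=10.10.0.5 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
2016-04-20T15:43:41+00:00 edge-1 kernel: DROP_131073 IN=vNic_0 OUT=vNic_1 SRC=198.51.100.7 DST=10.10.0.6 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
2016-04-20T15:43:42+00:00 edge-1 kernel: DROP_131073 IN=vNic_0 OUT=vNic_1 SRC=198.51.100.7 DST=10.10.0.7 LEN=60 PROTO=TCP SPT=40002 DPT=3389 SYN
2016-04-20T15:43:43+00:00 edge-1 kernel: ACCEPT_131072 IN=vNic_1 OUT=vNic_0 SRC=10.10.0.5 DST=203.0.113.9 LEN=52 PROTO=UDP SPT=51000 DPT=53
2016-04-20T15:43:44+00:00 edge-1 vmware-nsx: [edge-1] NAT rule 196608 applied for 10.10.0.5 -> 192.0.2.20
"""

# Assumed layout: "<ts> <edge> kernel: <ACTION>_<ruleId> IN=.. OUT=.. ... SRC=.. DST=.. ... PROTO=.. SPT=.. DPT=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<edge>\S+) kernel: (?P<action>ACCEPT|DROP|REJECT)_(?P<rule>\d+) "
    r"IN=(?P<inif>\S*) OUT=(?P<outif>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_firewall_lines(text):
    """Return one dict per firewall verdict; other Edge records are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # NAT, DHCP and routing messages are not firewall verdicts
        d = m.groupdict()
        events.append({
            "ts": d["ts"], "edge": d["edge"], "action": d["action"], "rule": int(d["rule"]),
            "in": d["inif"], "out": d["outif"], "src": d["src"], "dst": d["dst"],
            "proto": d["proto"],
            "spt": int(d["spt"]) if d["spt"] else None,
            "dpt": int(d["dpt"]) if d["dpt"] else None,
        })
    return events


def drop_summary(events, min_targets=3):
    """Sources dropped against at least min_targets distinct (dst, port) pairs.
    One source hitting several hosts or ports is the shape of a scan; one
    source repeatedly hitting one pair is more often a broken service or rule."""
    per_src = {}
    for e in events:
        if e["action"] == "DROP":
            per_src.setdefault(e["src"], set()).add((e["dst"], e["dpt"]))
    return {src: sorted(t) for src, t in per_src.items() if len(t) >= min_targets}


def rule_hit_counts(events):
    """(action, ruleId) -> hits; a rule with zero hits after a change is the
    usual sign that it sits below a broader rule that matches first."""
    return Counter((e["action"], e["rule"]) for e in events)


if __name__ == "__main__":
    evs = parse_firewall_lines(SAMPLE_LOG)
    print(f"{len(evs)} firewall verdicts")
    print("rule hits:", dict(rule_hit_counts(evs)))
    print("scanning sources:", drop_summary(evs))
```

Read the output together with the rule IDs on the Edge: the ruleId in the tag is what ties a verdict back to the rule in the UI, so a DROP on an unexpected ruleId usually means a new rule landed below an existing one.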

Configure Multi-Machine Blueprints for Network Virtualization

  • Fabric Administrators create the external network profiles, network profile templates and reservations that determine which networks are available to a blueprint
  • Add network profiles to a multi-machine blueprint
    • Tenant administrators or business group administrators can create NAT, Routed and private network profiles for multi-machine blueprints
    • These profiles can then be assigned to virtual network adapters in the same blueprint
  • Configure network adapters for component machines
    • Tenant administrators or business group managers can configure a network adapter for multi-machine blueprints
    • The network adapter can then be assigned to one or more component blueprints within the same multi-machine blueprint
  • Configure load balancers for component machines
  • Apply security on a component machine
    • Can enable App isolation and assign security groups, security tags and security policies
  • Configure reservations for routed gateways
  • Enable app isolation
    • When enabled, the Distributed Firewall blocks all inbound and outbound traffic for the component machines
    • Component machines can communicate with each other but cannot connect to anything outside the firewall
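App isolation is a Distributed Firewall rule set, and the DFW applies the first matching rule, so the order of the generated rules decides what gets through. The following added example, not VMware code, reconstructs the rule shape the notes describe (allow intra-group traffic, then block everything in and out of the group), evaluates flows against it, and shows the ordering mistake that bites most often: an exception for a management group appended below the block rules is never reached. The rule names, the group names and the first-match evaluator are constructed for illustration and are not the rules NSX actually writes.

```python
"""Model the Distributed Firewall rules vRA's app isolation adds for a
multi-machine deployment and evaluate flows against them.  Added example,
not VMware code: the rule layout (first match wins; allow intra-group
traffic, then block everything in and out) is an illustrative reconstruction
of the behaviour described in the notes, not the rules NSX generates."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class DfwRule:
    name: str
    source: str    # security group name or ANY
    dest: str      # security group name or ANY
    action: str    # "allow" or "block"


def app_isolation_rules(group):
    """Intra-group traffic is allowed; anything else entering or leaving the
    group is blocked.  Order matters: the DFW applies the first matching rule."""
    return [
        DfwRule(f"{group}-intra", group, group, "allow"),
        DfwRule(f"{group}-inbound-block", ANY, group, "block"),
        DfwRule(f"{group}-outbound-block", group, ANY, "block"),
    ]


def add_exception_first(rules, rule):
    """An exception (for example, allow the management group in) must sit
    above the block rules; appended after them it is shadowed and never hit."""
    return [rule] + list(rules)


def evaluate(rules, membership, src_vm, dst_vm, default="allow"):
    """membership maps VM name -> set of security group names.  Returns the
    action of the first matching rule, or the default rule's action (NSX ships
    with an allow default rule, which is why app isolation has to block)."""
    def matches(selector, vm):
        return selector == ANY or selector in membership.get(vm, set())
    for r in rules:
        if matches(r.source, src_vm) and matches(r.dest, dst_vm):
            return r.action
    return default


if __name__ == "__main__":
    # constructed deployment: two component machines in group app1, one jump host in mgmt
    members = {"web": {"app1"}, "db": {"app1"}, "jump": {"mgmt"}, "other": set()}
    rules = app_isolation_rules("app1")
    mgmt_allow = DfwRule("mgmt-to-app1", "mgmt", "app1", "allow")
    print("web -> db:", evaluate(rules, members, "web", "db"))
    print("jump -> web (exception appended):", evaluate(rules + [mgmt_allow], members, "jump", "web"))
    print("jump -> web (exception first):", evaluate(add_exception_first(rules, mgmt_allow), members, "jump", "web"))
```

When a component machine in an isolated deployment cannot be reached from a management host, this ordering is the first thing to check in the DFW rule table before touching the Edge or the security policy.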

Identify the NSX Distributed Firewall components

Use the logs to troubleshoot common network services