Part 58: My vCloud Journey – Design Thoughts – External Networks
A couple of weeks ago I attended Eric Sloof’s rather wonderful “VMware vCloud Design Best Practises” course in London. It was a memorable course, not least because it was the first time I’d seen snow settle in London like it did. Usually, our capital is a couple of degrees warmer than the rest of the country, and I don’t think I’d ever seen snow lie in “downtown” (that’s for the Americans reading) London. Of course what really set the course on fire was the great attendees who contributed so much. It was one of those courses that stand or fall on the delegates, and the instructor’s capacity to rein in the rowdy elements – such as myself. Ever since, I’ve wanted to do a series of blogposts that look away from the nitty-gritty coalface of getting things done, and focus more on the bigger questions. I guess in a small way I do that in those more hands-on posts – as I like to seamlessly integrate design, a question and practice into one meatball. But I’d rather separate those two in these design posts, especially now that I feel I have a much better handle on the capabilities of vCloud Director than I did in August of last year. To be honest I think I’m ready to start to stretch my wings into other technologies in the vCloud Suite. Especially since I think I’ve done “all the big” configuration things you might want to do with vCD – what’s before me with vCD is more mundane daily admin tasks than I’ve done to date.
So, anyway, less blather. The first topic I want to talk/think about is External Networks. In case you don’t know, these are PORTGROUPs on a vSphere Distributed Switch where you MANUALLY type in a VLAN ID, and then later in vCloud Director you point to these portgroups to make the External Networks – I’ve two portgroups on my DvSwitch, one called “ExternalCorpAccess” and the other called “ExternalInternetAccess” – on VLAN1 and VLAN10 respectively. I later added a portgroup called “ExternalNetworkStorage” to give my “nested” vPod of vESX hosts direct access to my storage layer.
When I was setting up vCloud Director for the very first time, I was able to configure external networks using these portgroups like so:
So far so good. But what about design? My decision to create a “Corporate Network” and “The Internet” was to control whether my vApps (via the Organization Networks) could both connect to the Internet and also publish internal resources for Internet consumption using a combination of DNAT and Firewall rules. In my model “Corp Holding, Inc” is a holding company containing 4 discrete businesses. I like this model because this “private” cloud has a very “public” feel about it – because each company has a separate DNS name as well as their own unique businesses that are by and large separate. The only thing that really links them together is that they report their financial statistics to the “Group”. In my case they share the same corporate backbone, which allows me to permit data flow from one Organization to another by either DNAT, Static Routing or by a more secure VPN connection. VPN is pretty critical here, because if you allow clear-text (unencrypted) traffic to cross the External Network it becomes visible to any other tenant with an Organization Network on that external network. Of course, I imagine most people protect themselves from this by either VPN or, better still, never-letting-that-communication happen.
But I wonder if this was very realistic? I wondered if in a public cloud space they would tolerate this configuration, especially for Internet Connections. I started to think about how my current colocation facility handles my outbound traffic in the physical world. In my colocation you get a physical firewall (in my case a Juniper thing) and a tiny bundle of IP addresses. That allocation is just for me alone, and I don’t share it with any other rack (or tenant) – and there’s no way I can communicate with any other rack outside of my domain. So that made me wonder if people create discrete external networks that have tiny bundles of IP addresses assigned to them – with each tenant assigned their own external network. I put together this teeny-tiny 3-minute video that illustrates what I mean.
Now. I personally think that one external network per Organization is massively overkill. Administratively burdensome. Unnecessary. But I know it can be done. I’m just curious to know if anyone does this and what the design arguments are for it. Asking around my various vCloud SP chums I discovered they don’t do this – although if a customer asked specifically for their own private external network then they would – but that’s more the “go-the-extra-mile” thinking than something they promote…
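To make the tenant-visibility point above concrete, here is a small model (added example, not code from the post or from VMware) that works out which Organizations share an L2 domain under the shared-external-network design versus the one-external-network-per-Organization design. The Organizations, their attachments and the storage network’s VLAN 20 are constructed assumptions; it deliberately keys on VLAN ID rather than portgroup name, because the VLAN ID is typed in by hand and two portgroups given the same ID are one broadcast domain on the wire.

```python
from collections import defaultdict

# Constructed sample topology (not from the post): the two external networks
# on VLAN 1 and VLAN 10, plus the storage network on an assumed VLAN 20.
EXTERNAL_NETWORKS = {
    "ExternalCorpAccess": 1,
    "ExternalInternetAccess": 10,
    "ExternalNetworkStorage": 20,
}

# Which external networks each Organization's Org Networks attach to (constructed).
ORG_ATTACHMENTS = {
    "CorpHolding": ["ExternalCorpAccess", "ExternalNetworkStorage"],
    "CompanyA": ["ExternalCorpAccess", "ExternalInternetAccess"],
    "CompanyB": ["ExternalCorpAccess", "ExternalInternetAccess"],
    "CompanyC": ["ExternalInternetAccess"],
}


def orgs_per_vlan(external_networks, org_attachments):
    # VLAN ID -> Organizations with an Org Network on that VLAN. Keyed by VLAN,
    # not portgroup name: a mistyped VLAN ID silently merges two "separate" networks.
    by_vlan = defaultdict(set)
    for org, nets in org_attachments.items():
        for net in nets:
            by_vlan[external_networks[net]].add(org)
    return by_vlan


def co_tenants(external_networks, org_attachments):
    # For each Organization, the other tenants on the same L2 domain(s).
    # Clear-text traffic the Org sends across that external network is
    # observable by these tenants; an empty set means full isolation.
    by_vlan = orgs_per_vlan(external_networks, org_attachments)
    exposure = {}
    for org, nets in org_attachments.items():
        others = set()
        for net in nets:
            others |= by_vlan[external_networks[net]]
        others.discard(org)
        exposure[org] = others
    return exposure


def one_external_network_per_org(org_attachments, first_vlan=100):
    # The alternative design from the post: a dedicated external network
    # (its own VLAN, hypothetical names) for every Organization.
    nets = {f"External-{org}": first_vlan + i for i, org in enumerate(org_attachments)}
    attachments = {org: [f"External-{org}"] for org in org_attachments}
    return nets, attachments
```

Running `co_tenants` on the shared design shows every company exposed to its neighbours on the Corp and Internet VLANs, while the per-Organization design returns an empty set for each tenant; re-running it with `ExternalInternetAccess` mistakenly set to VLAN 1 shows CompanyC suddenly sharing a domain with the Corp side.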