
Building the Foundation of a vCloud Air Lab

Before Partner Exchange 2014 I was spending a lot of time building out a vSphere “On Premises” lab in Washington.  The reason for this is the Technical Marketing Team wanted to be able to build and document use cases for vCloud Air and everything you can do with it.  I plan on doing a more extensive set of posts explaining the overall setup, but I wanted to highlight some of the things we set up and show a high level logical diagram of the Hybrid Networking Connectivity.  I am working on the “double-click” versions of the first diagram to dig into each region.

The on premises physical kit is actually very basic and simple.

That’s pretty much it on the physical side.  Initially the goal was to stand up 2 “Layers” of virtual machines so that we could manage the entire setup and we created two domains.  I will go more into why I did this and the details later but essentially this is the high level.

Management Domain – lab.VCHSTM.org

This domain is where all the management stack machines like vCenter, vCloud Connector, vCNS Manager, vCloud Automation Center, and all those goodies live.  We have all this on a routable internal network so we can get to all the management stack easily from anywhere via VPN, View Session or other means.  This has its own set of Active Directory Services specific to the logins to the management stack items.  This is where we can use things like vCloud Connector and other appliances to manage all the machines at the vSphere level like a customer would.

“Customer” Domain – corp.VMTM.org

This domain is completely isolated and built 100% on top of VXLAN.  From a networking perspective this group is routed through a vCNS Edge Gateway that is connected directly to the internet.  For this reason all the subnets available to the domain are on VXLAN and have no bridge or interconnect to the private network the management stack is on.  It’s 100% isolated, so the only way to manage the VMs is via the Remote Console from vCenter.  The reason we did this is that THIS environment and domain is the one that is now connected to two vCloud Air clouds.  We needed to create a mock-up of a customer on premises environment with true internet access for the VPN connections.

This domain has its own Active Directory services that are also tied into the clouds we connected to, whereas the other domain is just for management.  The machines in this domain are all actual “workload” machines, like SQL Server, web servers, and other real applications that also need to connect to their cloud based peers for various use cases like a split web application.  That’s where the real magic starts to happen.

The Hybrid Cloud Connections

So with the two domains up and running the next thing was to interconnect everything.  The diagram below is where we ended up and when you think about it, the setup looks pretty simple and makes a lot of sense.

This allowed us to then set up each of these in Active Directory Sites and Services with their respective networks and subnets for standing up applications.  We also deployed pairs of Active Directory servers locally in each cloud to support local DNS and authentication.  DHCP is provided in almost all cases by the Edge Gateway itself for ease of use.

We also needed to start creating lots of firewall rules, which I will share later, to allow the traffic to pass between these sites and allow the various subnets to communicate.  It goes without saying that each site uses a unique IP range so there are no VPN conflicts.  If you have ever heard Dave Hill and me present how to build your hybrid cloud in less than a day… this is the setup we always referred to.  We used this lab for many of the live demonstrations I did at PEX, including Disaster Recovery to Cloud.  It was also used for upcoming video recordings on many topics.
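The point about unique IP ranges is worth making concrete: a site-to-site VPN between an on premises Edge Gateway and each cloud only works cleanly when no subnet at one site overlaps a subnet at any other site, and the firewall rules between sites are written in terms of those same subnet pairs.  The script below is an added example (not from the original post or from any VMware tooling) that takes a constructed site/subnet plan, fails fast on any overlap, and lists the local/peer subnet pairs each tunnel would need.  The site names and addresses are made up for illustration and are not the lab's real addressing.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed example plan: three sites, each with its own unique ranges.
# These are illustrative values, not the lab's real subnets.
SITES = {
    "on-prem-corp":    ["10.10.0.0/24", "10.10.1.0/24"],
    "vcloud-air-east": ["10.20.0.0/24"],
    "vcloud-air-west": ["10.30.0.0/24"],
}


def find_overlaps(sites):
    """Return every pair of subnets that overlap, within or across sites.

    Each entry is (site_a, cidr_a, site_b, cidr_b). An empty list means the
    plan is safe to use for site-to-site VPN peering.
    """
    nets = [(site, ip_network(cidr))
            for site in sorted(sites) for cidr in sites[site]]
    return [(sa, str(na), sb, str(nb))
            for (sa, na), (sb, nb) in combinations(nets, 2)
            if na.overlaps(nb)]


def vpn_pairs(sites):
    """Return one entry per site pair: (site_a, site_b, local_nets, peer_nets).

    Each entry is what a tunnel between the two sites must carry; the same
    subnet pairs are what the inter-site firewall rules are written against.
    Raises ValueError if any subnets overlap, since a tunnel cannot route
    between two sites that both claim the same addresses.
    """
    clashes = find_overlaps(sites)
    if clashes:
        raise ValueError(f"overlapping subnets: {clashes}")
    return [(a, b, list(sites[a]), list(sites[b]))
            for a, b in combinations(sorted(sites), 2)]


if __name__ == "__main__":
    for a, b, local, peer in vpn_pairs(SITES):
        print(f"{a} <-> {b}: local {local} peer {peer}")
```

Run it once against your own plan before building tunnels or firewall rules; an overlap surfaces as a single ValueError instead of as an intermittent routing problem after the VPN is up.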

We manage all the external DNS for web application use cases through DYN.com as well, so as a team we have a single point to manage all the domain records for external access.  We are also able to leverage their global load balancing to test running a web application in all three locations, globally load balanced.  At this point we have a very extensive lab to test pretty much any use case we get thrown, and write about it.  I also plan on turning the setup and firewall rules into an official document that people can use to set up something similar for proof of concept testing.  The first step in getting to Hybrid Cloud is getting the “Foundation” built, which is what I have built here.  I think this is the third time I have set this up, but the first time using a “proper” set of lab gear other than my home lab.
