Chris Colotti's Blog

3rd Party Networking Devices In vCloud Air

Something that has come up over the past few months since going live with VMware vCloud Air is the question of "Direct Internet Access".  What I mean by this is that some customers would like to assign the public IPs made available in vCloud Air directly to virtual machines instead of going through the vCloud Networking and Security Edge Gateway.  Another question has been whether you can remove the Edge and use something else in its place.  The simple answer to both of these specific questions is that you cannot do them directly.  However, like anything else, you can get creative in your solution and end up with something that works for you.  In fact Massimo and I were just discussing this today.

In the past I have shown how you can create VPN connections and even customer Direct Connections to vCloud Air.  These each use the vCNS Edge Gateway as the endpoint.  However, for the VPN itself, or for something you might want to load balance with an F5 or other appliance, you can in fact do something interesting.  We know you get an Edge Gateway with a default routed network, and you can create more.  We also know you get two public IP addresses with your Virtual Private Cloud account, depending on the offering.  Below is an image of something you could do to provide something interesting.

What Massimo and I were discussing is that although you need to have a vCNS Edge in place to pass the traffic, you can in effect make it "transparent" except for a few NAT rules, and even disable the firewall completely.  It then becomes nothing more than a pass-through gateway, and you can do whatever you like behind it.  In the diagram, the Load Balanced Network and the VPN Network are masked to /32 so that only a single address is allowed on each network.  Each of the two public IPs is then assigned a single Any:Any Destination NAT rule, and the firewall on the Edge is disabled.  This effectively means the Edge is now transparently passing the traffic to the two 3rd party devices, where you can use those devices to control the rest of the rules for the VMs on vCloud Air Isolated Networks behind them.
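The design above has one property worth checking before you disable the Edge firewall: every network that an Any:Any DNAT points at must be masked to /32, so the only thing reachable through the pass-through Edge is the 3rd party appliance itself. The following is an added example, not code from this post or from VMware; it models the Edge as a small Python data structure (the network names and the 203.0.113.x / 192.168.x.x addresses are constructed sample values, not the vCloud Air ones) and audits that invariant so a wider subnet or a stray DNAT target is caught before the change goes live.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class NatRule:
    """One DNAT rule on the Edge: public (original) IP -> internal (translated) IP.

    Ports and protocol default to "any", matching the Any:Any rule in the post.
    """
    original_ip: str
    translated_ip: str
    protocol: str = "any"
    original_port: str = "any"
    translated_port: str = "any"

    def is_any_any(self) -> bool:
        return (self.protocol, self.original_port, self.translated_port) == ("any", "any", "any")


@dataclass
class EdgeGateway:
    """Hypothetical model of a vCNS Edge: firewall state, routed networks (name -> CIDR), NAT rules."""
    firewall_enabled: bool
    networks: Dict[str, str]
    nat_rules: List[NatRule] = field(default_factory=list)


def audit_transparent_edge(edge: EdgeGateway) -> List[str]:
    """Return findings for the 'transparent Edge' design; an empty list means it is sound.

    Checks: every Any:Any DNAT lands on a known Edge network; with the firewall disabled
    that network must be a /32 (one address, the appliance); and no public IP carries two
    Any:Any DNAT rules, since only one can actually receive the traffic.
    """
    findings: List[str] = []
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in edge.networks.items()}
    seen_public: Dict[str, str] = {}

    for rule in edge.nat_rules:
        if not rule.is_any_any():
            continue  # port-specific DNATs are outside the pass-through design

        if rule.original_ip in seen_public:
            findings.append(
                f"public IP {rule.original_ip} has Any:Any DNATs to both "
                f"{seen_public[rule.original_ip]} and {rule.translated_ip}; only one can win"
            )
        seen_public[rule.original_ip] = rule.translated_ip

        target = ipaddress.ip_address(rule.translated_ip)
        home = next((name for name, net in nets.items() if target in net), None)
        if home is None:
            findings.append(f"DNAT {rule.original_ip} -> {rule.translated_ip}: target is not on any Edge network")
            continue

        net = nets[home]
        if not edge.firewall_enabled and net.num_addresses > 1:
            findings.append(
                f"DNAT {rule.original_ip} -> {rule.translated_ip}: Edge firewall is disabled and "
                f"'{home}' is {net} ({net.num_addresses} addresses); any other VM attached to it "
                f"would sit beside the appliance with no Edge filtering, so mask it to /32"
            )
    return findings


# Constructed sample: the two /32 networks and two Any:Any DNATs described in the post.
SOUND_EDGE = EdgeGateway(
    firewall_enabled=False,
    networks={"LB-Network": "192.168.10.5/32", "VPN-Network": "192.168.20.5/32"},
    nat_rules=[NatRule("203.0.113.10", "192.168.10.5"), NatRule("203.0.113.11", "192.168.20.5")],
)

# Same design, but the load-balanced network was left at /24 by mistake.
WIDE_EDGE = EdgeGateway(
    firewall_enabled=False,
    networks={"LB-Network": "192.168.10.0/24", "VPN-Network": "192.168.20.5/32"},
    nat_rules=[NatRule("203.0.113.10", "192.168.10.5"), NatRule("203.0.113.11", "192.168.20.5")],
)

if __name__ == "__main__":
    for label, edge in (("sound", SOUND_EDGE), ("wide", WIDE_EDGE)):
        print(label, audit_transparent_edge(edge) or "OK")
```

Run it as a pre-flight check with the networks and NAT rules you intend to configure; the sound layout returns no findings, while the /24 variant reports that the load-balanced network needs masking to /32.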

Essentially you get what you want, using your own appliances to control the traffic, if that is what you need.  I would argue that on the VPN side the Edge itself does full IPsec and is very easy to set up, but the point is that people are asking for ways to use other virtual appliances, so this is just one simple, quick example.  When I get my bigger lab set up, this may very well be a use case we expand on in more detail.
