Chris Colotti's Blog

How to Build a vCloud vApp DMZ

Okay, I admit sometimes I spend too many late nights coming up with some goofy ideas.  However, this one actually panned out as a real, working vCloud Director Networking example you can use to see how flexible vCloud Director Networking can be.  The idea started from me wanting to rebuild my WordPress installation from a single server stack to a distributed two server Apache Web and MySQL setup.  Pretty standard use case for a two server setup.  Now, I will NOT be covering the installs, setup, etc. of the applications here; maybe that will be another day.

The idea was to have a single vCloud vApp with two virtual machines in it.  That itself is pretty easy and you can see below the single vApp container with the two virtual machines.

Let’s take a look at the network diagram below so I can explain what I got set up and working.

What we see is that the Web Server is connected to the 1743-Public network which is my Organization network provided for me.  That’s an easy enough one to understand for sure.  You can also see the three basic firewall rules needed below for web access to the server for HTTP/SSL/SSH.  It goes without saying that there is an external IP assigned on the internet side of the Organization Network as well.

Next we can examine the virtual machine view and see that the two virtual machines are in fact connected to two different vCloud Network interfaces.

Note that the MySQL virtual machine also has an External IP Address assigned.  This is done automatically by the vApp vShield Edge when the virtual machine is assigned to it, which we will see next.  The vCloud vApp Networking tab is where we can see that the vApp network was created before assigning it to the MySQL virtual machine.  Note that the ‘Always use assigned IP Addresses…’ check box is enabled.  This is important because when you power cycle the vApp you want to maintain the networking!  You can also see that the vApp Network is attached to the Provided Organization Network so it will route outbound to the internet for patches and updates.

This is where the really cool part comes in.  We now have a Web Server connected to the Org Network with an External IP and three firewall rules.  We now need to allow the Web Server to connect to the MySQL server on Port 3306, and on SSH so we can manage it from the Web Server and connect to MySQL.  That’s as easy as writing two rules in the vApp Network Firewall.

These rules basically show that ONLY the Web Server IP Address can access ONLY the MySQL Server IP Address on Port 22 and 3306.
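To make the two-tier rule set concrete, here is a small added example (my own illustration, not part of the original post or any vCloud Director API) that models both edges as first-match, default-deny rule lists and walks a flow through every edge on its path. The addresses, the host sets and the network names in the code are assumptions; NAT and outbound rules are not modeled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation ranges), not the blog's real ones.
WEB_SERVER = "203.0.113.10"   # web VM, sits directly on the 1743-Public org network
MYSQL_SERVER = "192.0.2.20"   # MySQL VM, external IP assigned by the vApp edge
INTERNET = "198.51.100.77"    # an arbitrary outside client
VAPP_VMS = {MYSQL_SERVER}     # hosts behind the vApp network edge
ORG_VMS = {WEB_SERVER}        # hosts behind the org network edge only

@dataclass(frozen=True)
class Rule:
    src: str      # CIDR; "0.0.0.0/0" means any
    dst: str      # CIDR
    port: int     # destination TCP port
    allow: bool

# Org edge: the three rules for HTTP/SSL/SSH to the web server, nothing else.
ORG_EDGE = [Rule("0.0.0.0/0", WEB_SERVER + "/32", p, True) for p in (80, 443, 22)]
# vApp edge: ONLY the web server may reach ONLY the MySQL server on 22 and 3306.
VAPP_EDGE = [Rule(WEB_SERVER + "/32", MYSQL_SERVER + "/32", p, True) for p in (22, 3306)]

def edge_allows(rules, src, dst, port):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst) and r.port == port):
            return r.allow
    return False

def edges_on_path(src, dst):
    """Edges an inbound flow must cross: the org edge if it comes from outside
    the org, then the vApp edge if the destination sits inside the vApp network."""
    edges = []
    if src not in ORG_VMS and src not in VAPP_VMS:
        edges.append(("org", ORG_EDGE))
    if dst in VAPP_VMS:
        edges.append(("vapp", VAPP_EDGE))
    return edges

def blocked_at(src, dst, port):
    """Name of the first edge that drops the flow, or None if every edge allows it."""
    for name, rules in edges_on_path(src, dst):
        if not edge_allows(rules, src, dst, port):
            return name
    return None

if __name__ == "__main__":
    for flow in [(INTERNET, WEB_SERVER, 443), (INTERNET, MYSQL_SERVER, 3306), (WEB_SERVER, MYSQL_SERVER, 3306)]:
        print(flow, "blocked at", blocked_at(*flow) or "nowhere (allowed)")
```

Running it shows the DMZ property in one place: the internet reaches the web server on 80/443/22 only, the internet never reaches MySQL (the org edge has no rule for that address), and the web server reaches MySQL on exactly 22 and 3306.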

Solution Summary:

What this simple example shows is that you can create a single vApp in a flexible way, but also create a vApp based DMZ for the virtual machines that are part of that vApp.  Provided the N-Tier servers only need to be accessed by the first tier, this works really well, and now we have a setup where only the Web Server is exposed to the internet, yet the MySQL tier is protected by its own firewall.  What this really shows you is that as vCloud Administrators and Application folks, we need to understand not only networking, but now routing and firewall rules as well.  This structure is no different from what it would be if these had been physical servers in a data center on physical switches with hardware firewalls between them.

This shows a great small-scale use case of what you can do for a real world application.  How do I know it is a real world scenario?  You are reading about it hosted from these very two servers shown in the diagrams.  Pretty cool, right?  Next will be duplicating the setup in a second cloud connected by vShield VPN between Organization Edge Devices and putting MySQL Replication in place with a backup Web Server… just for fun.

Some may ask why I did all this with a small set of WordPress sites that only get about 900 hits a day… because I can… that’s why… and it’s a fun learning experience.
