Enabling Access To VMware Cloud On AWS Networking
Welcome to an Introduction to VMware Cloud on AWS Networking.
In this blog, we’ll cover your options for getting into your vSphere Environment both for management and your workloads.
To get started, logged into the console at https://vmc.vmware.com, you’ll be presented with a summary of your SDDC. It should look something like the image below, with some basic information about your SDDCs. In the example to the right, there’s only one SDDC available.
Here we’re going to click on the name of the SDDC and take a closer look at the details. It looks much the same as the first page but focused on this particular SDDC. Notice the new menu options above the dashboard.
Clicking on Network will let you begin to explore the networking configured for your use. The configuration is very basic and gives customers a secure starting point. At this stage in the configuration, the vCenter server isn’t accessible at all.
If we take a closer look at the diagram provided by the console, notice the firewall rules on the left and the VPN configurations on the right. Just below the VPN configurations is the AWS VPC information. At a glance, there are no firewall rules defined on either gateway except the default deny all rules. So we’ll need to create additional rules to allow access into the vSphere Environment.
Management Gateway (vCenter Web Client/HTML5 UI Access)
At this point, there’s a decision to make.
The first option would be to open the vCenter to the Internet (still over SSL), either wide open to any address or limit the source addresses that would have access (the more secure method for this option).
That being said, the second option would be to setup a VPN connection to the Management Gateway and access the vCenter UI through the VPN only, which is the most secure option. This would involve setting up the IPSEC VPN tunnel and making some adjustments to firewall rules and DNS Entries. We’ll cover all of this up next. Below is a closeup of the default settings for the Management gateway.
First and foremost, regardless of the option let’s create the firewall rules. Clicking ADD RULE will expand a new rule set to create. Here you’ll define a number of settings. Keep in mind this is the Management Gateway doesn’t affect your VMs unless they’re trying to reach to your vCenter Server.
- Rule Name – The friendly name for your rule.
- Action – Hard set to Allow as the default rule is deny.
- Source – Where is the traffic coming from, this could be either an IP, CIDR Network (A.B.C.D/X), “any,” or one of the network objects such as “vCenter” or “ESXi Management Only.”
- Destination – Where is the traffic is going to, this could be either an IP, CIDR Network (A.B.C.D/X), “any,” or one of the network objects such as “vCenter” or “ESXi Management Only.”
- Service – Any of several ports.
- Any (All Traffic) – Only Available to vCenter or ESXi Management Only sources.
- ICMP (All ICMP) – Available to any destination option.
- HTTPS (TCP 443) – Only Available to vCenter as a destination.
- SSO (TCP 7444) – Only Available to vCenter as a destination.
- Provisioning (TCP 902) – Only Available to ESXi Management Only as a destination.
- Remote Console (TCP 903) – Only Available to ESXi Management Only as a destination.
Note: Between the source and destination fields, one of them (and only one) must be one of the predefined network objects (vCenter, ESXi Management Only).
If you’re looking for more information on the Ports, please refer to the vSphere 6.5 Documentation
Option 1 – vCenter UI access from the Internet
At a minimum for this option to work, you’ll need to configure one rule to let HTTPS Traffic in. So add this rule, modifying to your situation as needed:
- Rule Name – SSL Traffic Inbound to vCenter
- Source – “any,” “Your Public IP Address” or “Your Public IP Network”
- Destination – Click the dropdown and Select “vCenter”
- Service – HTTPS (TCP 443)
Once you click SAVE, the rule should be active. You can verify this by clicking on Connection Info tab near the top of the page and using the URLs, username and password listed there.
In the DNS section of the Management Gateway, you have the option to change the DNS Servers if necessary, but unless you have a specific reason for doing so, this will only be used for the the Hybrid Linked Mode configuration and other internal services.
If this is working, go ahead and skip down to the Compute Gateway or continue reading Option 2 for a more secure method.
Option 2 – vCenter UI access from the VPN
Getting started with this option is more involved. First you’ll need to have your own VPN Endpoint configured and ready to go. This will dictate the VPN settings on the VMware Cloud on AWS side of things.
Expanding the VPN Tab and clicking ADD VPN you’ll see the screen below with the typical configuration settings for VPNs:
- VPN Name – Friendly name for this VPN
- Remote Gateway Public IP – The Public IP for peering the VPN Endpoints together.
- Remote Gateway Private IP (Optional) – The Internal NAT IP used in some VPN configurations.
- Remote Networks – The list of networks in CIDR Format that need to be exposed from your side of the VPN.
- Local Gateway IP – The local Public IP for peering the VPN Endpoints together. This is hard set to the Public IP of the Gateway (both Management and Compute).
- Local Network – The List of Networks in CIDR Format that need to be exposed from the VMware Cloud on AWS side. This is hard set to the management network provided during the SDDC creation for Management Gateway VPNs.
- Encryption – One of AES, AES 256, AES GCM and 3DES.
- Perfect Forward Secrecy – Enabled or Disabled.
- Diffie Hellman – One of DH2, DH5, DH14, DH15, DH16.
- Pre-Shared Key – The Plaintext string securing the VPN tunnel.
Once you’ve filled this out according to your configuration click on SAVE. When you first finish the configuration, you’ll notice a large red circle indicating the service is disconnected. If you click the refresh button next to the Status, you’ll get an updated status that’s hopefully connected. If not, you can click on the info button (the small (i) button next to the status refresh) and get a peek at the issue. This gives some pretty raw VPN status messages, so I hope you have your IPSEC hat on!
After you’ve completed your troubleshooting or had everything go smoothly the first time, the status indicator should be green. While this ends the VPN configuration, there’s still a matter of the firewall and DNS Settings to truly finish the configuration.
As in Option one, the same firewall rules apply, only you’ll specify your internal networks as the Source. This will enable vSphere Web Client and HTML5 UI access, but this would currently be to the Public IP of the vCenter. This doesn’t really secure the flow of traffic at that point outside of what we’ve already done with the first option. To remedy this, VMware has added a function on the Console to alter some DNS settings. If we expand the last Tab of the Management Gateway section, DNS, we see the option to edit some basic DNS Settings.
Clicking EDIT on the far right of this section will let you change the DNS servers to either a public DNS server of your choice, or an Internal DNS server you’d like to reach back over the VPN. (Keep in mind if you need the VMware Cloud on AWS vCenter to reach your vCenter, you’ll need to add the Any/Any Rule mentioned in Option 1 to allow the vCenter Access outside of it’s own environment. The last setting you’ll see deals with a specific DNS resolution, the vCenter Server’s FQDN itself. This IP address is by default a public IP address, but with this setting you can change the resolution to the vCenter’s internal IP address. This does NOT change the actual URL to access the vSphere client as you may be aware, the vCenter Appliance does not work well with IP Address or FQDN changes.
Note: This same section is also where you’d make DNS changes to allow for Hybrid Linked Mode.
This simple but powerful change will ensure that the only path to access your vCenter is over a secure, private connection. Today this connectivity is limited to VPN, but later evolutions of the product will likely see things such as AWS DirectConnect service paving the way for high speed direct access into the environment.
Compute Gateway (Customer Workloads)
Now that we have squared away the management access to the environment, we can switch over to the fun stuff, let’s enable some VM traffic so you can deploy VMs in a meaningful way. So let’s take a look at our options on the console for configuring this.
As you can see, there are very similar options to the Management Gateway with a few key additions. Here you’ll be able add public IPs and then consume them with NAT and firewall rules, though neither of those are necessary to complete the initial configuration.
Here you’ll repeat the firewall and VPN steps from above, though this time you’ll have less restrictive firewall rules and should be able to set the source and destination networks as you see fit and any logical networks added through the vSphere HTML5 UI will show up as network objects for the firewall and VPN Configuration.
And it’s that simple! Your SDDC is now ready to deploy virtual machines.