VCAP-CID Study Notes: Objective 3.1

This is Objective 3.1 in the VCAP-CID blueprint Guide 2.8. The rest of the sections/objectives can be found here.

Bold items that have higher importance and copied text is in italic.

Knowledge

• Identify network isolation technologies available for a vCloud design.
  • For internal networks
    • VXLAN (dynamically created vSphere port groups)
      • Virtual eXtensible LAN (VXLAN) network pools use a Layer 2 over Layer 3 MAC in UDP encapsulation to provide scalable, standards-based traffic isolation across Layer 3 boundaries (requires distributed switch).
    • vCloud Network Isolation-backed (dynamically created vSphere port groups)
      • vCloud Director Network Isolation-backed (VCD-NI) network pools are backed by vCloud isolated networks. A vCloud isolated network is an overlay network uniquely identified by a fence ID that is implemented through encapsulation techniques that span hosts and provides traffic isolation from other networks (requires distributed switch).
    • VLAN-backed (dynamically created vSphere port groups)
      • VLAN-backed network pools are backed by a range of preprovisioned VLAN IDs. For this arrangement, all specified VLANs are trunked into the vCloud environment (requires distributed switch).
    • vSphere port group-backed (manually created vSphere port groups)
      • vSphere port group-backed network pools are backed by preprovisioned port groups, distributed port groups, or third-party distributed switch port groups.

• The vCAT Architecting a VMware vCloud document has good considerations on all the versions on page 52.
• The vCAT Implementation Examples also have great examples on hot to implement VXLAN, VCDNI and VLAN-backed pools.
• Another great document to read is the vShield Edge Design Guide: http://www.vmware.com/files/pdf/techpaper/vShield-Edge-Design-Guide-WP.pdf
• Identify features and functionality of vShield Edge firewall.
  • This Product Paper has a good overview what a vShield Edge can do: http://www.vmware.com/files/pdf/products/vShield/VMware-vShield5-Edge-Datasheet.pdf
  • This KB (2042799) shows all the vShield Edge configurations limits. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2042799
  • The VMware vCloud® Networking and Security Overview document has some lines on the firewall as well. http://www.vmware.com/files/pdf/products/vcns/vmware-vcloud-networking-and-security-overview.pdf

 

Skills and Abilities

• Based on a given logical design, determine appropriate network isolation technologies for a physical vCloud design
  • You will need to base that on the feature of each isolation technology.
  • Based on the requirements (and constraints) you will get a logical design for the network, bot internal and exteranl connections. This needs to be translated in choosing an isolation method. Also you could end up with all of them if the use-cases require so.
• Based on a given logical design, determine network service communication requirements (DNS, LDAP, IPv6 and NTP) for a physical vCloud design
  • This KB (1030816) has a greate overview of the ports needed in for vCloud Director:
    • http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1030816
  • But if you just want a list this KB (2034426) is better
    • http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2034426
• Analyze communication requirements for a given application.
  • This is either based on internal and new vCloud application (multi-tier), or single applications that need external access from a routed network.
    • Multi-tier applications are workload consisting of multiple seperate virtual machines, each with a role within the application. A Web service, with a web front end, and application server to work out request from the web service, and database server to keep all that data processed by the application server.
      • These server each have communication requirements that so the application works and is secure.
    • Single virtual machines running in a vCloud can also have various communication requirements, like inbound http access, ldap access for authentication, file level access to file server etc. This list is really anything you can think of as all application need to communicate to other applications and some point.
  • This can also apply to workloads that will get migrated into a vCloud instance. In this example a dependancy list of applications and their servers is something that is needed. Unfortunately most organizations don’t have that software but VMware has several options for customers if they need to map out their current workload dependencies.
    • VMware Application Dependency Planner
      • A tool for VMware Partners to use to map dependencies for both virtual and physical systems
        • Its agentsless and uses port mirror features available in vSphere vSwitches to create a dependecy map.
    • vCenter Operations Manager Infrastructure Navigator
      • A tool to map out dependencies of virtual environments. A Part of vCops Advanced packages.
• Given an application security profile, determine the required vShield edge services (static routing, IPSEC VPN, IP masquerading, NAT, DHCP, etc.).
  • The vShield Edge services are and are only for routed networks, or DHCP for interna organization networks.
    • Static Routing
      • You can configure an edge gateway to provide static routing services. After you enable static routing on an edge gateway, you can add static routes to allow traffic between vApp networks routed to organization vDC networks backed by the edge gateway.
    • IPSEC VPN
      • You can create VPN tunnels between organization vDC networks on the same organization, between organization vDC networks on different organizations, and between an organization vDC network and an external network
    • IP masquerading
      • You can configure certain vApp networks to provide IP masquerade services. Enable IP masquerading on a vApp network to hide the internal IP addresses of virtual machines from the organization vDC network.
      • When you enable IP masquerade, vCloud Director translates a virtual machine’s private, internal IP address to a public IP address for outbound traffic.
    • NAT (SNAT and DNAT)
      • A source NAT rule translates the source IP address of outgoing packets on an organization vDC that are being sent to another organization vDC network or an external network.
      • A destination NAT rule translates the IP address and port of packets received by an organization vDC network coming from another organization vDC network or an external network.
    • DHCP
    • Load Balancer
      • Edge gateways provide load balancing for TCP, HTTP, and HTTPS traffic. You map an external, or public, IP address to a set of internal servers for load balancing. The load balancer accepts TCP, HTTP, or HTTPS requests on the external IP address and decides which internal server to use. Port 809 is the default listening port for TCP, port 80 is the default port for HTTP, and port 443 is the default port for HTTPS.
    •  Firewall
      • Firewall rules are enforced in the order in which they appear in the firewall list. You can change the order of the rules in the list. When you add a new firewall rule to an edge gateway, it appears at the bottom of the firewall rule list. To enforce the new rule before an existing rule, reorder the rules.
  • Application security profiles can be very different and its best to know what these service can do to be able to determine which ones you should configure

• Given security requirements, determine firewall configuration.
  • This is involves configuring the Edge Firewall to fulfill the security requirements of a application.
  • Just have in mind that the firewall rules are enforced in the order in which they appear in the firewall list, so make sure the order is correct 🙂 (not allow all first , then deny some)
• Given compliance, application and security requirements, create a vApp network design.
  • Instead of having a great time drawing all available configurations of vApp designs I’ll tell you to read from page 56 to 59 in the vCAT  Architecting a VMware vCloud document where most of the network design are explained (and with pictures).
• Given compliance, application and security requirements, create a private vCloud network design.
  • This really can’t be explained any better than on pages 65-66 in the vCAT  Architecting a VMware vCloud document.
  • The thing is you really need to know how you can use the diffrent networking features of vCloud (direct, routed, vApp networks) to be able to create a vCloud network design.
  • Also the Private VMware vCloud Implementation Example is a great reference document for vCloud designs.
  • And as for most Physical designs they work as an expansion on logical designs with information on physical layout and attributes.
• Given compliance, application and security requirements, create a public vCloud network design.
  • Same goes for this one, pages 64-65 in the vCAT  Architecting a VMware vCloud document.
  • Like in the previous bullet the Public VMware vCloud Implementation Example is a great reference.