Architecture pattern for a bastion VPC to manage VMware Cloud Foundation for Classic - Automated instance in Classic
This architecture pattern presents Client VPN-based connectivity to a VMware Cloud Foundation for Classic - Automated instance provisioned in IBM Cloud® classic infrastructure. This solution uses a bastion VPC with client-to-site VPNaaS and a connecting IBM Cloud Transit Gateway, or alternatively by using a VPC provisioned with classic connectivity. IBM Cloud DNS Services are used in VPC with a custom resolver.
Deploying a bastion VPC for managing vCenter Server deployment in Classic
The following diagram presents an overview of an architecture pattern for deploying a bastion VPC to manage a vCenter Server deployment in Classic.
This architecture pattern deployment is summarized as follows:
- Create a VPC for the Bastion hosts. Choose a VPC prefix that does not overlap with your Classic prefixes. For example, the default VPC prefix of the MZR and Zone typically works for this step. Provision a subnet with a size of your preference, for example `/27` or larger.
- Provision client-to-site VPNaaS for OpenVPN-based VPN connectivity. Configure your preferred authentication method for the clients. Use a prefix for your clients that does not overlap with the rest. You might use SNAT when the VPN clients communicate with your connected resources. Advertise `10.0.0.0/8` to your clients, or a smaller prefix based on your preference.
- Use classic connectivity, or provision an IBM Cloud Transit Gateway and add your VPC and Classic as connections to it. This provides routed connectivity between your Bastion VPC, Classic, and connected VPN clients.
- Provision a DNS service with a local domain of your choice, for example `bastion.ibmcloud.local`.
- Provision a custom resolver in your Bastion VPC subnet. Also, configure it as the DNS server for your VPN clients.
- Configure a DNS forwarder in your custom resolver to point to your VMware Cloud Foundation for Classic - Automated instance AD root domain, for example `vcs-zyx.ibmcloud.local`.
- If you need them, provision Windows® or Linux® Bastion hosts in your Bastion VPC subnet. You can access them over the internet by using the OpenVPN client.
If you use any IP address range from the Class A block `10.0.0.0/8` as the VPC prefix, you must add a route to your Classic servers to access the VPC-hosted servers. Classic servers have a default setting for routes to the IBM Cloud private network (`10.0.0.0/8`) and the IBM Cloud Services networks (`166.8.0.0/14` and `161.26.0.0/16`) with the BCR as the next hop. If your VPC uses something else, ensure that your Classic assets are routed to it through the BCR.
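The steps above and the routing note both hinge on the address plan: the VPC prefix, the VPN client pool, the Classic prefixes and the routes advertised to clients must not collide, and the VPC prefix determines whether the Classic default routes to the BCR already cover it. The following check is an added example, not IBM's tooling; the sample prefixes in it are constructed, and `CLASSIC_DEFAULT_ROUTES` simply lists the ranges named in the paragraph above.

```python
from ipaddress import ip_network

# Ranges that Classic servers route to the BCR by default (taken from the text above).
CLASSIC_DEFAULT_ROUTES = [
    ip_network("10.0.0.0/8"),
    ip_network("166.8.0.0/14"),
    ip_network("161.26.0.0/16"),
]


def check_plan(vpc_prefix, vpn_client_prefix, classic_prefixes, advertised_to_clients):
    """Validate the address plan for the bastion VPC pattern.

    Returns (findings, vpc_covered_by_classic_defaults). An empty findings list
    means the prefixes satisfy the non-overlap rules in the deployment steps.
    """
    vpc = ip_network(vpc_prefix)
    clients = ip_network(vpn_client_prefix)
    classic = [ip_network(p) for p in classic_prefixes]
    advertised = [ip_network(p) for p in advertised_to_clients]
    findings = []

    # The VPC prefix must not overlap any Classic prefix.
    for c in classic:
        if vpc.overlaps(c):
            findings.append(f"VPC prefix {vpc} overlaps Classic prefix {c}")

    # The VPN client pool must not overlap the VPC or Classic.
    for n in [vpc, *classic]:
        if clients.overlaps(n):
            findings.append(f"VPN client prefix {clients} overlaps {n}")

    # Every VPC and Classic prefix must sit inside a route advertised to the
    # clients, otherwise the clients cannot reach it through the tunnel.
    for n in [vpc, *classic]:
        if not any(n.subnet_of(a) for a in advertised):
            findings.append(f"{n} is not covered by the routes advertised to VPN clients")

    # Is the VPC prefix inside a range that Classic already routes to the BCR?
    covered = any(vpc.subnet_of(r) for r in CLASSIC_DEFAULT_ROUTES)
    return findings, covered


if __name__ == "__main__":
    # Constructed sample plan (hypothetical values, not from the page).
    findings, covered = check_plan(
        vpc_prefix="10.240.0.0/18",
        vpn_client_prefix="192.168.100.0/22",
        classic_prefixes=["10.123.45.0/26", "10.200.64.0/24"],
        advertised_to_clients=["10.0.0.0/8"],
    )
    for f in findings:
        print("FINDING:", f)
    print("VPC prefix inside Classic default BCR routes:", covered)
```

Run it against your own prefixes before provisioning; a non-empty findings list means one of the steps above will not work as intended.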
Considerations
When you design or deploy this architecture pattern, consider that you might alternatively use classic Virtual Server Instances as jump or bastion hosts. Configure the server DNS to point to the vCenter Server Instance Active Directory™ or DNS server, or create entries in the hosts file.