IBM Cloud Docs
Architecture patterns for the vCenter Server deployment default connectivity options

Architecture patterns for the vCenter Server deployment default connectivity options

When you deploy a VCF for Classic - Automated instance in your IBM Cloud® classic infrastructure, the deployment consists of a number of network constructs and VMware® management components.

This architecture pattern gives an overview for standard private and public connectivity options for a standard deployment. This pattern also includes an overview for the standard VMware Cloud Foundation for Classic - Automated components, basic cluster types, and customer topologies deployed as part of the IBM Cloud automation.

VMware vCenter Server components overview

When you deploy a VCF for Classic - Automated instance in your IBM Cloud classic infrastructure, the deployment consists of the components that are presented in the following diagram.

vCenter Server deployment overview
vCenter Server deployment overview

The following steps summarize a standard deployment.

  1. Depending on the network preference selection, your instance is deployed with both public and private connectivity or private connectivity only.
  2. Upon your selection, a VCF for Classic - Automated instance can be deployed with various bare metal server hardware options. You can select an initial deployment to include one consolidated cluster or separate management and workload clusters. You can optionally deploy a gateway cluster to host Juniper® vSRX or your own routing or firewall device. The solution can be expanded after the initial deployment by adding more hosts to existing clusters, or by adding new clusters.
  3. Your clusters can have multiple datastores. You can use VMware vSAN™ with local SSDs or IBM Cloud File Storage for Classic (NFS), where you can have one or more LUNs with different performance and size characteristics. You can expand the volumes as your needs grow.
  4. The automation deploys a vCenter Server appliance on the management or consolidated cluster. Your vCenter Server has an IP address from the IBM Cloud classic infrastructure provided 10/8 address space.
  5. The automation deploys three VMware NSX™ managers and a cluster is formed which uses NSX virtual IP for High Availability. Your NSX managers have an IP address from the IBM Cloud classic infrastructure provided 10/8 address space.
  6. The automation deploys an Active Directory for authentication and name resolution. You can select between a single Windows virtual server instance in IBM Cloud IaaS hypervisor or two highly available dedicated Windows Server VMs (with bring your own license) on the VMware management cluster.
  7. The automation deploys four edge nodes in your deployment and forms two NSX edge clusters - Services edge cluster and Workload edge cluster.
  8. The services edge cluster is used to host services Tier 0 Gateway, which provides network connectivity services for your management components.
  9. Workload edge cluster hosts workload Tier 0 and Tier 1 Gateways for your workloads. A predefined example overlay network topology with one Tier 1 Gateway is provided by the automation. You can customize it for your own requirements by changing or deleting example segments or by adding new segments.

VMware vCenter Server clusters

The vCenter Server deployment might consist of several clusters. The following diagram provides an overview of the key cluster types.

vCenter Server clusters
vCenter Server clusters

This clustering can be summarized as follows:

  1. You can select an initial deployment to include one consolidated cluster or separate management and workload clusters.
  2. You can optionally deploy a gateway cluster to host Juniper vSRX or your own routing or firewall device.
  3. You can expand the solution after initial deployment, by adding more hosts to existing clusters, by adding new clusters or by adding NFS storage to your instance.
  4. Each cluster might have different bare metal server hardware options and different storage options.
  5. The automation deploys four edge nodes in your deployment and forms two NSX edge clusters - Services edge cluster and Workload edge cluster.
  6. The services edge cluster is used to host services Tier 0 Gateway, which provides network connectivity services for your management components.
  7. Workload edge cluster hosts workload Tier 0 and Tier 1 Gateways for your workloads. A predefined example overlay network topology with one Tier 1 Gateway is provided by automation. You can customize it for your own needs by changing or deleting example segments or by adding new segments.

The gateway cluster must not be mixed with the NSX edge cluster, which consists of VMware NSX™ edge transport nodes. The gateway cluster provides compute capacity for hosting Juniper vSRX, Fortinet FortiGate, or other third-party routers or firewalls. The VLAN routing can be controlled by gateway appliance configuration though IBM Cloud Classic portal.

NSX topology

When you deploy a VCF for Classic - Automated instance in your IBM Cloud Classic Infrastructure, you obtain the default network topology as presented in the following diagram.

NSX default network topology
NSX default network topology

The default topology can be summarized as follows:

  1. Depending on the network preference selection, your instance is deployed with both public and private connectivity or private connectivity only.
  2. The automation deploys an NSX Tier 0 (T0) Gateway in the NSX workload edge cluster. The T0 gateway is attached to both IBM Cloud private and public networks or IBM Cloud private network only based on the selection.
  3. The automation deploys an example NSX overlay topology with a Tier 1 (T1) Gateway and a few example overlay segments attached both to the T1 and T0 Gateways. You might customize the topology based on your needs.
  4. There are default firewall rules (deny any) and example SNAT/DNAT rules in the T1 and T0 Gateway Firewalls for private or public connectivity. You must customize them to fit your needs.
  5. The deployed T0 gateway has a default route 0.0.0.0/0 to the internet with FCR as a next-hop.
  6. The deployed T0 gateway has routes to IBM Cloud private network 10.0.0.0/8 and IBM Cloud Services networks 166.8.0.0/14 and 161.26.0.0/16 with BCR as a next-hop.
  7. IBM Cloud Services can be reached through IBM Cloud private network by using Cloud Services Endpoints when it uses IBM Cloud private network addresses. You need SNAT to access these endpoints.

Private connectivity

When you deploy a VCF for Classic - Automated instance in your IBM Cloud classic infrastructure, you obtain the default private network topology as presented in the following diagram.

Access to IBM Cloud Private network
Access to IBM Cloud Private network

Private connectivity pattern is summarized as follows:

  1. The automation deploys an NSX Tier 0 (T0) Gateway in the NSX workload edge cluster. The T0 gateway provides connectivity to IBM Cloud private network.
  2. The deployed T0 gateway has a route to IBM Cloud private network 10.0.0.0/8 and IBM Cloud Services networks 166.8.0.0/14 and 161.26.0.0/16 with BCR as a next-hop.
  3. The automation deploys an example NSX overlay topology with a Tier 1 (T1) Gateway and a few example segments attached both to the T1 and T0 Gateways. You can customize the topology based on your needs.
  4. IBM Cloud Services can be reached through IBM Cloud private network by using Cloud Services Endpoints when it uses IBM Cloud private network addresses.
  5. When you use BYOIP on NSX overlay networks, you must use SNAT at T0 or T1. If you use SNAT at T1, you can advertise the NAT IP addresses from T1 to T0, where proxy arp is used.
  6. You can create DNAT rules on T0 Gateway to access your workloads from IBM Cloud private networks.
  7. You can use IP addresses from IBM Cloud private portable subnet that is deployed for NSX Edge Uplinks for the NAT. Alternatively, you can order IBM Cloud Private static subnets that are routed toward your T0's private HA VIP to be used for NAT-ing or on segments.

Public connectivity

When you deploy a VCF for Classic - Automated instance in your IBM Cloud classic infrastructure, you obtain the default public network topology as presented in the following diagram.

Access to IBM Cloud Public network
Access to IBM Cloud Public network

Public connectivity pattern is summarized as follows:

  1. The automation deploys an NSX Tier 0 (T0) Gateway in the NSX workload edge cluster. The T0 gateway provides connectivity to IBM Cloud public network.
  2. The deployed T0 gateway has a default route 0.0.0.0/0 to the internet with FCR as a next-hop.
  3. The automation deploys an example NSX overlay topology with a Tier 1 (T1) Gateway and a few example segments attached both to the T1 and T0 Gateways. You can customize the topology based on your needs.
  4. You can use IP addresses from IBM Cloud private portable subnet that is deployed for NSX Edge Uplinks for NAT or for NSX network services (for example IPSec VPN).
  5. The automation deploys example SNAT rules for outbound internet access. You can customize and delete these rules based on your needs.
  6. You can configure DNAT rules to access your workloads that are attached to NSX segments through internet.
  7. You can order IBM Cloud Public static subnets for your HA VIP to allocate public subnets directly to NSX segments. They are routed through the T0 public uplink HA VIP.