Configuring a virtual data center in VMware Cloud Foundation as a Service using the VMware Cloud Director Console
This tutorial may incur costs. Use the Cost Estimator to generate a cost estimate based on your projected usage.
This tutorial demonstrates the basic steps to operationalize an IBM Cloud® for VMware Cloud Foundation as a Service single-tenant or multitenant virtual data center (VDC) after initial instance provisioning. It should take about 20-30 minutes to complete and assumes that a VMware Cloud Foundation as a Service instance and a VDC have already been provisioned.
Objectives
In this tutorial, you will learn:
- How to create VDC networks inside your VDC.
- How to create virtual machines (VMs) and attach them to your VDC network.
- How to configure network address translation (NAT) and firewall (FW) rules on your VDC edge gateway.
The following diagram presents an overview of the solution to be deployed.
This tutorial is divided into the following steps:
- Log in to the instance's VMware Cloud Director Console and deploy VDC networks
- Create VMs
- Create IP Sets and Static Groups
- Create NAT rules
- Create firewall rules
- Connect to the VM using integrated web console
- Connect to the VM through the Internet and validate connectivity
An alternative tutorial with Terraform is also available.
Before you begin
This tutorial requires:
- An IBM Cloud billable account.
- Check for user permissions. Be sure that your user account has sufficient permissions to create and manage VMware Cloud Foundation as a Service resources.
- A pre-provisioned VMware Cloud Foundation as a Service single-tenant instance.
- A pre-provisioned VDC on the VMware Cloud Foundation as a Service single-tenant instance.
Log in to the instance and deploy the initial network
The first step is to log in to your VMware Cloud Foundation as a Service single-tenant instance's VMware Cloud Director Console and deploy the initial networks that will be used for testing.
Log in to the VMware Cloud Foundation as a Service single-tenant instance's VMware Cloud Director Console:
- In the VMware Cloud Foundation as a Service table, click a VMware Cloud Foundation as a Service instance name.
- On the Summary tab, review the information.
- If this is the first time that you access the VMware Cloud Director console for the VDC region, you must set the admin credentials to generate an initial, complex, and random password.
- On the VDC details page, click VMware Cloud Director Console to access the console.
- Use the admin username and password to log in to the VMware Cloud Director Console for the first time.
- After the admin is logged in to the VMware Cloud Director Console, you can create extra users who have roles that allow them to access the VMware Cloud Director Console.
Next, you will create the following VDC networks:
Network type | Name | IP subnet |
---|---|---|
routed network | net-application | 192.168.100.1/24 |
routed network | net-db | 192.168.101.1/24 |
isolated | net-isolated-db | 192.168.102.1/24 |
Routed VDC networks are attached to the edge gateway while an isolated VDC network is a standalone network without any platform provided routing capabilities. You can create more networks based on your needs by following the same logic and steps.
The recommendation is to use RFC 1918 addresses, for example IP subnets from the 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 ranges.
To create a VDC network:
- In the top menu navigation, click Networking. Then click New to create a new VDC network. New Organization VDC Network wizard will appear.
- Select the Organization Virtual Data Center (Default) and then select the VDC you want to deploy the new network to. In most cases there will be a single VDC. Click Next to continue.
- Select the network type Routed (default) for the routed networks net-application and net-db, and select Isolated for the isolated network net-isolated-db. Click Next to continue.
- For Edge Connection, select the edge that was provisioned for you and leave all other settings at their defaults. Isolated networks do not have a gateway connection. Click Next to continue.
- Provide a name and the gateway CIDR for the new network. The CIDR includes the IP address of the gateway and the network mask length, e.g. 192.168.100.1/24. This IP address can either be related to your internal network or created specifically for IBM Cloud. In this example, net-application is used as the name and 192.168.100.1/24 is used for the gateway CIDR. Click Next to continue.
- Create a static IP pool for your new network. While optional, a static IP pool allows VMs to be assigned an IP address automatically upon provisioning. This pool should be part of the subnet created during the previous step; for this example 192.168.100.10 – 192.168.100.19 is used for the net-application routed network. Follow the same logic for the other networks. To add a static IP pool, type the range in the box provided and click Add. Click Next to continue when complete.
- For DNS, use the IBM Cloud public DNS servers, which are 161.26.0.10 and 161.26.0.11 respectively. The DNS suffix can be left blank. Click Next to continue.
- For Segment Profile, leave the default and click Next to continue.
- Review your input and click Finish to complete the New Organization VDC Network wizard and finish creating your first VDC network.
Upon completion of these tasks, your new network will be deployed and will appear in the networks tab. This may take a few seconds to complete. Repeat the process for the other two networks, or more if needed in your solution.
Create VMs and connect to the VM using the console
In this step, you will create a few VMs inside your VDC and you will attach them to the VDC networks that were created in the previous step.
You will create the following VMs:
Virtual machine name | Operating System | Networks |
---|---|---|
jump-server-1 | Windows Server 2022 | net-application |
application-server-1 | RedHat Linux 8 | net-application |
db-server-1 | RedHat Linux 8 | net-db, net-isolated-db |
The first server will be used as a jump server, which you can optionally reach through the public Internet. The other two servers are examples of application and database servers.
To create a VM:
- In the top menu navigation click Applications.
- Click Virtual Machines in the sub navigation tabs.
- Click New VM to launch the new VM window.
- Select the target VDC and click Next to continue.
- The new VM wizard will appear. There are five fields that must be filled out. Note that depending on the size of your display you may need to scroll down to see all fields.
  - Name – jump-server-1
  - Computer name – This field is auto-populated from the name.
  - Templates – For this example the Windows 2022 template is used.
  - Storage policy – The values here depend on what was provisioned in the instance. In this example, 4 IOPS/GB is used (VDC Default).
  - NICs – Check the box for Connected and then, in the drop-down field below Network, select the network created in the first step. In this example, net-application is used. In the drop-down below IP mode, select Static-IP Pool.
- Leave all other values at their defaults and click OK when complete.
The new VM will be created. Provisioning of the VM may take several minutes to complete. Upon completion, the VM will automatically power on. Repeat the process for the other VMs, application-server-1 and db-server-1.
VM db-server-1 requires two NICs, but the default template only has one, so you need to add the second NIC after initial provisioning. After the VM has been created, click Details. Then select NICs under Hardware, where you can add the 2nd NIC to the VM and attach it to the correct network segment.
Review the other hardware options and see what you can change and how. See the Edit Virtual Machine Properties section in the VMware Cloud Director Tenant Guide for more details.
Create IP Sets and Static Groups
IP Sets and Static Groups are required as part of the firewall rule configuration. Unlike with some other firewalls, you must use Static Groups and IP Sets to identify sources and destinations; IP addresses cannot be used directly in the rules.
Before configuring IP Sets, find out your Public IP addresses assigned for your VDC. Use the IBM Cloud portal to obtain the allocated public IP addresses.
In these examples, public-ip-0 refers to the first IP address provided in the list of available IP addresses and should be read as a normal IP address in aaa.bbb.ccc.ddd notation. Likewise, public-ip-1 refers to the second IP address, and so on.
You will create the following IP Sets and Static Groups:
Type | Name | Members or IP addresses |
---|---|---|
IP Set | ipset-dnat-to-jump | public-ip-0 |
IP Set | ipset-snat | public-ip-1 |
Static Group | sg-private-networks | net-application and net-db |
To create an IP Set:
- In the top menu navigation, click Networking.
- Click Edge Gateways and select your VDC's Edge Gateway.
- Under Security, click IP Sets.
- Click New to create a new IP Set.
- In the new IP Set window, enter a name and the IP range for this IP Set. In this example, ipset-dnat-to-jump is used as the name and public-ip-0 (the first actual public IP obtained in the previous task) is used as the address.
- Click Add to add the IP Set, then click Save to complete the window.
Repeat the process for the other required IP Sets, or more if needed in your solution.
To create a Static Group:
- In the top menu navigation, click Networking.
- Click Edge Gateways and select your VDC's edge gateway.
- Under Security, click Static Groups.
- Click New to create a new Static Group. Enter the name and Click Save.
- Select the created Static Group and click Manage Members. Select the net-application and net-db networks created in the previous step. Click Save.
Upon completion of these tasks, the new IP Sets and Static Groups will be added.
Create NAT rules to allow VMs to access the Internet
The next step is to create NAT rules to allow your VMs to access the public Internet and you to access the VMs over the public Internet.
You will create the following NAT rules in this tutorial.
Name | Type | External IP | Internal IP | Destination IP | Priority | Firewall Match |
---|---|---|---|---|---|---|
snat-to-inet-app | SNAT | public-ip-1 | 192.168.100.0/24 | any | 100 | Match Internal Address |
snat-to-inet-db | SNAT | public-ip-1 | 192.168.101.0/24 | any | 100 | Match Internal Address |

Name | Type | External IP | Internal IP | Application | Priority | Firewall Match |
---|---|---|---|---|---|---|
dnat-to-jump | DNAT | public-ip-0 | 192.168.100.10/32 | | 90 | Match External Address |
Double-check the IP addresses of the VMs you created using the VMware Cloud Director Console. You can use the info button during the rule creation to check available external IP addresses.
When creating your own NAT rules, understand your required traffic flows and design your NAT rules to match this. Check that your rules do not overlap to cause unwanted effects.
Some values, such as Priority and Firewall Match, are configured under Advanced Settings. If an address has multiple NAT rules, the rule with the highest priority is applied; a lower value means a higher precedence for the rule. Firewall Match determines how the firewall matches the address during NATing. You can use Match Internal Address, Match External Address or Bypass.
In some cases you may need to prevent network address translation for some traffic when a DNAT or SNAT rule is in place to match an any rule. A NO SNAT rule prevents the translation of the internal IP address of packets sent from an organization VDC out to an external network or to another organization VDC network. A NO DNAT rule prevents the translation of the external IP address of packets received by an organization VDC from an external network or from another organization VDC network.
To create a destination NAT (DNAT) rule:
- In the top menu navigation, click Networking.
- Click Edge Gateways and select your VDC's Edge Gateway.
- In the left navigation under Services, click NAT.
- Click New to create a new NAT rule.
- The Add NAT Rule wizard will appear. There are four fields that must be filled out.
  - Name – In this example, dnat-to-jump is used.
  - Interface type – Select DNAT (destination NAT) as the interface type.
  - External IP – Input one of the public IP addresses provided by IBM Cloud to your instance. You may click the information button to the right of the field to see these IP addresses. In this example, public-ip-0 (the first actual public IP obtained in the previous step) is used.
  - Internal IP – This is the IP address of the VM you created in the previous step. In this example, 192.168.100.10/32 is used.
  - Application – Leave empty.
  - Expand Advanced Settings and configure values for Priority and Firewall Match.
- Click Save when complete.
The new NAT rule will be created. This may take a few seconds to complete. Repeat the process for other destination NAT rules, if needed in your solution.
To create a source NAT (SNAT) rule:
- In the top menu navigation, click Networking.
- Click Edge Gateways and select your VDC's Edge Gateway.
- In the left navigation under Services, click NAT.
- Click New to create a new NAT rule.
- The Add NAT Rule wizard will appear. There are four fields that must be filled out.
  - Name – In this example, snat-to-inet is used.
  - Interface type – Select SNAT (source NAT) as the interface type.
  - External IP – Input one of the public IP addresses provided by IBM Cloud to your instance. You may click the information button to the right of the field to see these IP addresses. In this example, public-ip-1 (the second actual public IP obtained in the previous step) is used.
  - Internal IP – This is the CIDR range of the network you created in the previous step. In this example, 192.168.100.0/24 is used.
  - Application – Leave empty.
  - Expand Advanced Settings and configure values for Priority and Firewall Match.
- Click Save when complete.
The new NAT rule will be created. This may take a few seconds to complete. Repeat the process for other source NAT rules, if needed in your solution.
Create firewall rules
The next step is to create firewall rules. By default, the VMware Cloud Foundation as a Service single-tenant instance is provisioned with a default firewall rule that drops all traffic, to ensure basic network security. Additional rules must be put in place to allow traffic from the previously created networks to reach the public Internet and to allow you to access the VMs from the public Internet.
Name | Applications | Source | Destination | Action | IP protocol |
---|---|---|---|---|---|
dnat-to-jump | RDP, ICMP ALL | Any | ipset-dnat-to-jump | Allow | IPv4 |
egress-to-inet | N/A | sg-private-networks | Any | Allow | IPv4 |
default_rule | N/A | Any | Any | Drop | IPv4 |
The default_rule has been pre-provisioned by IBM Cloud. It is listed above just for illustration purposes.
The IP addresses used in the firewall rules must match the settings in your NAT rules. In this example, two different approaches have been used for illustration purposes: an IP Set holding the public address for the DNAT rule, and a Static Group of internal networks for the egress rule.
It is generally not advised to use RDP over the public Internet. The rule listed above is just used for illustration purposes.
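As an added example (not part of this tutorial or of any IBM or VMware tooling), the following Python script models the networks, NAT rules, IP Sets, Static Groups and firewall rules from the tables above and checks that they agree with each other before you click through the console: subnets are RFC 1918 and do not overlap, static IP pools sit inside their subnets, NAT internal addresses are on routed networks, and the address each NAT rule presents to the firewall (per its Firewall Match setting) is covered by an Allow rule. The public-ip-0 / public-ip-1 placeholders and the tuple layout of the tables are the example's own assumptions.

```python
"""Offline consistency check of the networks, NAT rules and firewall rules from this tutorial.
Constructed example code: it models the tutorial's tables as Python data and never talks to
VMware Cloud Director. public-ip-0 / public-ip-1 are the tutorial's public-address placeholders."""
import ipaddress
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETWORKS = {  # name: (type, gateway CIDR, static IP pool or None)
    "net-application": ("routed", "192.168.100.1/24", ("192.168.100.10", "192.168.100.19")),
    "net-db": ("routed", "192.168.101.1/24", ("192.168.101.10", "192.168.101.19")),
    "net-isolated-db": ("isolated", "192.168.102.1/24", None),
}
NAT_RULES = [  # (name, type, external IP, internal IP, priority, firewall match)
    ("snat-to-inet-app", "SNAT", "public-ip-1", "192.168.100.0/24", 100, "Match Internal Address"),
    ("snat-to-inet-db", "SNAT", "public-ip-1", "192.168.101.0/24", 100, "Match Internal Address"),
    ("dnat-to-jump", "DNAT", "public-ip-0", "192.168.100.10/32", 90, "Match External Address"),
]
IP_SETS = {"ipset-dnat-to-jump": {"public-ip-0"}, "ipset-snat": {"public-ip-1"}}
STATIC_GROUPS = {"sg-private-networks": {"net-application", "net-db"}}
FW_RULES = [  # (name, source, destination, action), top to bottom as on the edge gateway
    ("dnat-to-jump", "Any", "ipset-dnat-to-jump", "Allow"),
    ("egress-to-inet", "sg-private-networks", "Any", "Allow"),
    ("default_rule", "Any", "Any", "Drop"),
]

def _covers(ref, addr, subnets, ip_sets, static_groups):
    """Does a firewall Source/Destination entry (Any, an IP Set or a Static Group) include addr?"""
    if ref == "Any" or ref in ip_sets:  # public IPs are compared as placeholder strings
        return ref == "Any" or addr in ip_sets[ref]
    try:
        net = ipaddress.ip_network(addr)
    except ValueError:  # a public-IP placeholder is never inside an internal network
        return False
    return any(net.subnet_of(subnets[m]) for m in static_groups.get(ref, ()))

def check_design(networks, nat_rules, ip_sets, static_groups, fw_rules):
    """Return a list of problems; an empty list means the design is self-consistent."""
    problems = []
    subnets = {n: ipaddress.ip_interface(cidr).network for n, (_, cidr, _) in networks.items()}
    for name, (_, _, pool) in networks.items():
        sub = subnets[name]
        if not any(sub.subnet_of(r) for r in RFC1918):
            problems.append(f"{name}: {sub} is not an RFC 1918 subnet")
        if pool and not all(ipaddress.ip_address(a) in sub for a in pool):
            problems.append(f"{name}: static IP pool lies outside {sub}")
        problems += [f"{name} overlaps {o}" for o, s in subnets.items() if o < name and sub.overlaps(s)]
    routed = [subnets[n] for n, (kind, _, _) in networks.items() if kind == "routed"]
    allows = [r for r in fw_rules if r[3] == "Allow"]
    for name, kind, ext, internal, _, match in nat_rules:
        if not any(ipaddress.ip_network(internal).subnet_of(s) for s in routed):
            problems.append(f"{name}: {internal} is not on a routed (edge-attached) network")
        # Firewall Match picks the address the firewall sees (DNAT: destination, SNAT: source);
        # the far end of both flows is the Internet, which only an Any entry covers here.
        seen, side = (ext if match == "Match External Address" else internal), (2 if kind == "DNAT" else 1)
        ok = any(_covers(r[side], seen, subnets, ip_sets, static_groups) and r[3 - side] == "Any" for r in allows)
        if match != "Bypass" and not ok:  # Bypass means the firewall is not applied to this NAT traffic
            problems.append(f"{name}: no Allow firewall rule matches {seen} ({match})")
    return problems
```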
To create a firewall rule:
- In the top menu navigation, click Networking.
- Click Edge Gateways and select your VDC's Edge Gateway.
- In the left navigation under Services, click Firewall.
- Click Edit Rules.
- Click New on Top to create a new firewall rule above the default_rule (drop any).
- A new entry in the firewall rule list will be created. To complete the entry:
  - Name – In this example, dnat-to-jump is used.
  - Application – Click the pencil icon next to Applications and select RDP and ICMP ALL from the applications list. You can filter by name. Click Save when complete.
  - Source – Click the pencil icon next to Source and toggle the slider next to Any source to green (enabled). Click Keep when complete.
  - Destination – Click the pencil icon next to Destination and select the IP Set ipset-dnat-to-jump (or a Static Group, if one had been used). Click Keep when complete.
- Review the inputs and click Save when complete.
The new firewall rule will be created. This may take a few seconds to complete. Repeat the process for the other firewall rules, or more if needed in your solution.
Connect to the VM using the web console
Prior to logging in to the VM for the first time you will need to get the provisioned password.
To get the password:
- Click Details on the VM.
- Click Guest OS Customizations.
- Click Edit.
- The password auto generated during VM provisioning will be listed under Specify Password. Copy this password to a safe space to be used upon initial login. Click Discard when this password has been saved.
To connect to the VM using the web console:
- Click Launch Web Console to open a local console to the VM.
- Using the web console, log in to the VM using root as the user ID and the password you captured from the previous step.
- You should then be able to ping Internet resources such as www.ibm.com, showing that the networking is complete and working.
Connect to the VMs through the Internet and validate connectivity
The final step is to connect to the VM through the Internet to validate the deployment and its network connectivity.
To connect to the VM through the Internet:
- You should be able to ping the public IP address public-ip-0 from your laptop or workstation, showing that the networking is complete and working.
- You should be able to use RDP to connect to your jump server using the public IP address public-ip-0 and the username and password collected in the previous step.
- You can then disable the FW rule dnat-to-jump created in the previous step by editing the rule and sliding its State to Disabled (gray).
Reference material
Check the following VMware Cloud Director™ Tenant Portal Guides for more detailed information: