In the previous post I finished the deployment of both of my vCloud Director cells. In this post I will show how to install the load balancer for the cloud cells. I am using the VMware product vCNS (vCloud Network & Security, formerly known as vShield) as the load balancer. I have already deployed vCNS in my environment and I am using it both for vCloud Director and for cell load balancing.
In this lab we perform the following tasks (continuing from the Cell-2 deployment of the previous post):
- Configure Load balancer for Cloud Cells
- Test load balancer
- Firewall filter Settings
1-Configure load balancer for Cloud Cells
In vShield Manager, go to the DataCenter section on the left hand side and select your DataCenter, not the cluster. On the right hand side click “Network Virtualization” and then “Edges”.
Before we start configuring the vShield Edge load balancer, make sure you have noted down all the IPs you will need for the configuration. The vShield Edge load balancer gets two IP addresses in the user network. Assume these are our public IPs and that the public network is already configured at the vSphere level.
- 10.0.150.100 (HTTP)
- 10.0.150.101 (console proxy)
On the management network (internal IP), which connects to the vCloud cells:
- 192.168.150.30 (Mgmt. network)
Now press the plus sign to create a new Edge device.
The wizard will pop up and ask for the name of the Edge device. For the name I entered “vCloud Load Balancer”. The hostname is “vcloud.vmlab.com”; this is the outside FQDN.
You may leave the tenant field empty; I did not enable HA. Press “Next”.
You’ll be asked to enter the credentials for this Edge device. If you want to use the same credentials you use for the vShield Manager, just leave it as it is. Click “Next”.
In this screen you can select the appliance size, choose “Compact”, and specify where the appliance should be placed. Click on the little plus (+) to configure placement.
Select the cluster/resource pool and the datastore. I chose the “VDC-RES-Cluster-B (Silver)” resource pool; in production this appliance belongs in the management area rather than in a resource group. Click “Add”.
The next step is configuring the interfaces of the Edge device. Click the plus (+) sign to add a new interface.
The first interface will be the external interface. On this interface we will connect two IP addresses, the HTTP address (10.0.150.100) and the console proxy address (10.0.150.101). Click the plus (+) sign to add a new interface and name it “External”. Click “Select”.
Select the port group the external network connects to.
Make sure the connectivity status is “Connected” and then click the plus (+) sign to add the IP addresses associated with the external network.
Enter the IP addresses and the subnet mask. In our case the IPs are “10.0.150.100” and “10.0.150.101” and the subnet mask is “255.255.255.0”. Click “Save” to store the IP settings and you will return to the first wizard.
Leave the MAC addresses empty, adjust the MTU if needed, and leave “Enable Proxy ARP” and “Send ICMP Redirect” unselected. Click “Save”.
Now add the second interface (Internal), connected to the internal address “192.168.150.30”, in the same way you did for the external interface. After completion click “Add”.
Review the interface configuration. Click “Next”.
Next, the wizard shows the “Default Gateway” screen. In production it should be enabled: select the external NIC and enter the correct gateway address. In my lab I don’t have any gateway, so I left it at the default. Click “Next”.
Now the Firewall & HA screen asks whether to enable the firewall. Since this device could be connected to the big bad world, enable the firewall policy and set the default to “Deny”. Enable logging. Click “Next”.
Review the summary of your configured information. Click “Finish”.
If you look at your vCenter Server tasks you should see the deployment of an OVF file.
When done you should see the following in the vShield Manager.
In the next step we configure the actual load balancing. First we need a “Pool” of servers (the cell servers) that offer the same functionality; in our case the pool holds all vCloud cells. Second we need a “Virtual Server”, which is what gets published to the outside world.
Click the “vCloud Load Balancer” we’ve just created and click “Actions” -> “Manage”.
Here you’ll see an overview of the “configured settings”.
Click “Load Balancer” and make sure “Pools” is selected. Click the plus sign to start the “Add Pool” wizard.
The name will be “vCloud-HTTP” (no spaces allowed). Click “Next”.
Next we configure the services. Enable HTTP and HTTPS and choose the balancing method “Least connections”. Leave the ports unchanged at 80 and 443. Click “Next”.
Now the Health Check screen appears. Select only HTTP (although I think HTTPS should work too) and for the URI for HTTP Service use “/cloud/server_status”. Be sure to start with a forward slash. Click “Next”.
Now click the green plus (+) sign to enter each member of the pool.
Be aware that we are only defining the HTTP part of the vCloud cells, so we add only the HTTP addresses of the vCloud cells to this pool.
In my case I added two IP addresses: 192.168.150.9 (cell1) and 192.168.150.11 (cell2). Add them both with a weight of “1”. Leave the HTTP and HTTPS defaults.
Click “Add” for the second IP.
Review the information. Click “Next”.
Complete the setup. Click “Finish”.
Now your first (HTTP) pool has been defined.
Next we’ll add the console proxy servers to a pool. Run the same wizard again and name it “vCloud-Console”. In the Services screen you have to pay a little attention: you only need TCP over port 443, not HTTPS!
This is because the console proxy traffic travels over port 443 but it is not HTTPS traffic. In other words, on the Services screen select TCP, change the port to 443 and select the “Least Connections” balancing method. Click “Next”.
In the Health Check screen select TCP and monitor port 443; leave the URI for HTTP Service empty.
In the next screen we again need to add IP addresses. Enter the console proxy IP addresses of the vCloud cells (192.168.150.10 / 192.168.150.12). Click “Next” and finish the wizard.
When finished, you return to the vShield Manager screen.
A little above the list of pools you see the “Enable” button; click it to enable the pool and then push the “Publish Changes” button.
Now both pools have been configured.
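As an added example (not part of the original post and not VMware code), the Python below models the two monitors configured above: an HTTP check that requires a 200 from /cloud/server_status for the vCloud-HTTP pool, a bare TCP connect on the console proxy port for the vCloud-Console pool, and least-connections selection over the members that pass. The fake cell listener and the loopback ports it uses are constructed for the demonstration.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Monitor for the vCloud-HTTP pool: a member is up only if GET /cloud/server_status
# answers 200, so a cell whose web service is unhealthy leaves rotation even
# though its port still accepts TCP connections.
def http_health(host, port, uri="/cloud/server_status", timeout=2.0):
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", uri)
        status = conn.getresponse().status
        conn.close()
        return status == 200
    except OSError:
        return False

# Monitor for the vCloud-Console pool: console proxy traffic on 443 is not HTTPS,
# so the only thing the balancer can verify is a completed TCP handshake.
def tcp_health(host, port, timeout=2.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# "Least connections": of the members whose monitor passes, pick the one with the
# fewest open connections. members = [(host, port, monitor)]; active maps
# (host, port) -> current connection count.
def pick_least_connections(members, active):
    healthy = [m for m in members if m[2](m[0], m[1])]
    if not healthy:
        return None  # no eligible member: the virtual server is effectively down
    return min(healthy, key=lambda m: active.get((m[0], m[1]), 0))

# Constructed stand-in for a cell's HTTP listener (not vCloud Director itself).
class _FakeCell(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200 if self.path == "/cloud/server_status" else 404)
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the example quiet

def start_fake_cell():
    """Serve on an ephemeral loopback port; returns the port number."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeCell)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]
```

Port 1 on loopback is used as a port where nothing listens, so the monitors return False for it.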
We now have pools of servers defined that can accept the load-balanced traffic. Next we need to define the services that the load balancer will accept from the outside.
Click “Virtual Servers” and then the plus sign to start the “Add Virtual Server” wizard.
You are now prompted to enter a name for this virtual server; use “vSrv-vCloud-HTTP”. Next enter the IP address of the outside HTTP interface, 10.0.150.100. Select the pool “vCloud-HTTP” and enable HTTP and HTTPS. Leave the default persistence methods, cookie for HTTP and SSL_SESSION_ID for HTTPS. Click “Add”.
Again click the plus (+) sign to add a new virtual server. Name this server “vSrv-vCloud-Console”. Next enter the outside console proxy IP address, 10.0.150.101. Select the pool “vCloud-Console”, enable TCP and change the port to 443. Click “Add”.
When both virtual servers have been added, click “Publish Changes”.
That’s it. Your vCloud Edge Load Balancer is ready.
2-Test Load Balancer
First go to your DNS server and add the following DNS entries:
- vcloud.vmlab.com (10.0.150.100)
- vcloud-vmrc.vmlab.com (10.0.150.101)
In my lab I added these to my internal DNS because I don’t have a public DNS. Just assume these are public IPs and that my internal DNS is the public DNS server. In production you would replace these IPs with real public IPs and enter them in your public DNS servers.
Second, go to your management server VM and add a new network that maps to the public network.
Assign an IP from the public network range.
In my case it is “10.0.150.150/255.255.255.0”, as shown below.
After configuration, ping vcloud.vmlab.com (10.0.150.100) from the Mgmt. server; it is the public IP for vCloud cell HTTP traffic. As you see below, it is not pinging.
The ping fails because we enabled the firewall during configuration and by default it drops all traffic. You can see this in Network Virtualization -> Firewall; check the default rule.
3-Firewall Filter Settings
Now I am going to add some rules which allow the following protocols:
- ICMP (ping traffic)
- HTTP/HTTPS traffic (to the vCloud cells) behind the firewall
Make sure you click the “Publish” button when you have entered all the rules, in order to save (commit) them to the firewall.
You can see the rule definition details in the screen below.
Now try to ping the public FQDN (vcloud.vmlab.com) from the Mgmt. server. You will see it pings successfully.
Now test the HTTPS traffic rule as well by opening the URL https://vcloud.vmlab.com, which is the HTTP interface of the load balancer. As you can see it is also working fine. One more thing: in the screen below, at the top right corner, you can see a yellow lock sign. This means our vCloud cells certificate is also trusted/valid.
You may enter the vCloud administrator credentials to access the cloud for further configuration.