Cloud Lab-51: vCloud Director Organizations – “vApp Network traffic flow and Testing”

In previous posts I showed you different use cases of vApps in vCloud Director. Today let's move forward and see how traffic flows in vApp networks. For testing, I chose the most complex vApp network use case, “vApp Network (Routed) -> Organization vDC Network (Routed)”. I just want to show you how we get from a routed vApp network to an external network that sits behind a firewall.

LAB-51 TASKS

In this lab we will perform the following tasks:

  1. Architecture diagram for vApp Network for network flow testing. 
  2. vApp Network Default Behavior
  3. Goal 1 – (Allow traffic from 192.168.11.0/24 -> 192.168.32.0/24)
    • vApp5-Network Firewall Configuration
    • Testing after vApp5 Firewall Configuration
  4. Goal 2 – (Allow traffic from 192.168.11.0/24 -> 10.0.150.0/24)
    • SkyNet-Prod-Edge Firewall Configuration
    • Testing after SkyNet-Prod-Edge Firewall Configuration

1-Architecture diagram for vApp Network for network flow testing.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting1]

NOTE: For the sake of the test, I am going to allow ping from the “vApp5-Web1” VM all the way to the “External Network”.

As you can see in the architecture diagram, the IPs coloured green represent the goal we need to reach from our “vApp5-Web1” VM.

Let's get started and see how we get from start to end. The following IPs appear in the architecture diagram above.

  • 192.168.11.100 (vApp5-Web1)
  • 192.168.11.101 (vApp5-Web2)
  • 192.168.11.1 (vApp5 Network Firewall-Internal IP)
  • 192.168.32.3 (vApp5 Network Firewall-External IP)
  • 192.168.32.3 (vApp5 Network Firewall-External IP)
  • 192.168.32.1 (Org VDC Edge Firewall-Internal IP)
  • 168.150.201 (Org VDC Edge Firewall-External IP)

2-vApp Network Default Behavior

To test the default vApp network behavior, open an SSH session to the “vApp5-Web1” console and log in with your “root” credentials.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting2]

By default we are able to ping or reach only the vApp network IPs marked “Y” in the table below.

Sr.  IP              Description                                                                                   Ping (Y/N)
1    192.168.11.100  vApp5-Web1 IP address                                                                         Y
2    192.168.11.101  vApp5-Web2 IP address                                                                         Y
3    192.168.11.1    vApp5-Web1 and Web2 gateway; vApp5 Network Firewall (internal IP)                             N
4    192.168.32.3    vApp5-Web1 external IP; vApp5 Network Firewall (external IP)                                  N
5    192.168.32.4    vApp5-Web2 external IP; vApp5 Network Firewall (external IP)                                  N
6    192.168.32.1    Organization VDC firewall internal IP, connected to the vApp5 Network Firewall external IPs   N
7    10.0.150.201    Organization VDC firewall external IP, connected to the organization network firewall         N

Ping 192.168.11.101 (vApp5-Web2). As you can see, we get a reply from this IP.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting3]

Ping 192.168.11.1 (vApp5 Network Firewall internal IP). As you can see, we get no reply from this IP.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting4]

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting5]

That is because this IP address belongs to our “vApp5 Network firewall”. To ping this IP or the whole 192.168.11.0/24 network, we have to add an “ICMP (ping)” rule or change the firewall's default action from “deny” to “allow”.
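The ping test above is repeated after every firewall change in this lab, so it is worth scripting. The following is an added example, not code from the original post or from vCloud Director: it runs from the vApp5-Web1 shell, assumes a Linux ping (-c count, -W reply timeout in seconds), and carries the lab's seven IPs with the Y/N each stage should produce, so that a hop which answers when the policy says it should not is reported as a mismatch.

```python
"""Reachability check run from the vApp5-Web1 shell.

Added example, not from the original post or from vCloud Director. It
assumes a Linux 'ping' on the VM (-c = count, -W = reply timeout in
seconds). The IPs, descriptions and expected Y/N per stage are copied from
the lab tables: 'default' = no firewall change, 'goal1' = vApp5 firewall
set to allow, 'goal2' = SkyNet-Prod-Edge also set to allow.
"""
import subprocess

LAB_HOPS = [
    # ip, description, expected reachability per stage
    ("192.168.11.100", "vApp5-Web1",                                 {"default": "Y", "goal1": "Y", "goal2": "Y"}),
    ("192.168.11.101", "vApp5-Web2",                                 {"default": "Y", "goal1": "Y", "goal2": "Y"}),
    ("192.168.11.1",   "vApp5 Network Firewall, internal IP",        {"default": "N", "goal1": "Y", "goal2": "Y"}),
    ("192.168.32.3",   "vApp5 Network Firewall, external IP (Web1)", {"default": "N", "goal1": "Y", "goal2": "Y"}),
    ("192.168.32.4",   "vApp5 Network Firewall, external IP (Web2)", {"default": "N", "goal1": "Y", "goal2": "Y"}),
    ("192.168.32.1",   "Org VDC Edge Firewall, internal IP",         {"default": "N", "goal1": "Y", "goal2": "Y"}),
    ("10.0.150.201",   "Org VDC Edge Firewall, external IP",         {"default": "N", "goal1": "N", "goal2": "Y"}),
]


def ping(ip, timeout=1):
    """Send one ICMP echo request; True only if a reply came back."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout), ip],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def reachability_table(prober=ping, hops=LAB_HOPS):
    """Rows of (sr, ip, description, 'Y'/'N'), same layout as the post's tables."""
    return [(sr, ip, desc, "Y" if prober(ip) else "N")
            for sr, (ip, desc, _) in enumerate(hops, start=1)]


def unexpected(stage, prober=ping, hops=LAB_HOPS):
    """Hops whose observed reachability differs from what 'stage' expects.

    An unexpected 'Y' is the interesting case for a defender: a hop answers
    although the firewall policy for this stage should block it.
    """
    rows = reachability_table(prober, hops)
    return [(ip, expected[stage], got)
            for (_, ip, _, got), (_, _, expected) in zip(rows, hops)
            if got != expected[stage]]


def format_table(rows):
    lines = ["Sr.  IP              Description                                  Ping"]
    for sr, ip, desc, ok in rows:
        lines.append(f"{sr:<4} {ip:<15} {desc:<44} {ok}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    stage = sys.argv[1] if len(sys.argv) > 1 else "default"
    print(format_table(reachability_table()))
    for ip, exp, got in unexpected(stage):
        print(f"MISMATCH {ip}: expected {exp} at stage '{stage}', observed {got}")
```

Run it as `python3 reach.py default` before any change and `python3 reach.py goal1` / `goal2` after each firewall edit; the prober is injectable so the table logic can be checked without a network.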

3-Goal 1 – (Allow traffic from 192.168.11.0/24 -> 192.168.32.0/24)

After allowing traffic in the “vApp5 Network Firewall”, we are able to ping or reach the vApp network IPs marked “Y” in the table below.

Sr.  IP              Description                                                                                   Ping (Y/N)
1    192.168.11.100  vApp5-Web1 IP address                                                                         Y
2    192.168.11.101  vApp5-Web2 IP address                                                                         Y
3    192.168.11.1    vApp5-Web1 and Web2 gateway; vApp5 Network Firewall (internal IP)                             Y
4    192.168.32.3    vApp5-Web1 external IP; vApp5 Network Firewall (external IP)                                  Y
5    192.168.32.4    vApp5-Web2 external IP; vApp5 Network Firewall (external IP)                                  Y
6    192.168.32.1    Organization VDC firewall internal IP, connected to the vApp5 Network Firewall external IPs   Y
7    10.0.150.201    Organization VDC firewall external IP, connected to the organization network firewall         N

NOTE: Sr. 1-2 IPs were already pingable or reachable.

1-vApp5-Network Firewall Configuration.

To let traffic pass through the vApp5-Network firewall, go to the “vApp5-vAppRoutedOrgRouted” vApp -> “Networking” tab -> right-click the “vApp5-Network-Routed” network -> choose “Configure services”, as shown below.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting6]

On the “Firewall” tab you can see that the firewall is enabled and its default action is “deny”. That is why no traffic can pass through the firewall.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting7]

For the sake of demonstration I just changed the default action from “deny” to “allow”. In production you should only allow specific traffic through the firewall by adding a rule for it and allowing it explicitly. In later posts I will show you how to add a rule for specific traffic.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting8]

After changing the firewall, click the “Apply” button to commit the changes.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting9]

2-Testing after vApp5 Firewall Configuration

Now ping the following IPs:

  • 192.168.11.1 (vApp5 Network Firewall-Internal IP)
  • 192.168.32.3 (vApp5 Network Firewall-External IP)
  • 192.168.32.3 (vApp5 Network Firewall-External IP)
  • 192.168.32.1 (Org VDC Edge Firewall-External IP)

As you can see below, we are now able to ping or reach every one of them.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting10]

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting11]

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting12]

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting13]

4-Goal 2 – (Allow traffic from 192.168.11.0/24 -> 10.0.150.0/24)

After allowing traffic in the “SkyNet-Prod-Edge” firewall, which is connected to our “OrgVCD-Routed-Network”, we are able to ping the “192.168.150.0/24” network, as shown by the IPs marked “Y” in the table below.

Sr.  IP              Description                                                                                   Ping (Y/N)
1    192.168.11.100  vApp5-Web1 IP address                                                                         Y
2    192.168.11.101  vApp5-Web2 IP address                                                                         Y
3    192.168.11.1    vApp5-Web1 and Web2 gateway; vApp5 Network Firewall (internal IP)                             Y
4    192.168.32.3    vApp5-Web1 external IP; vApp5 Network Firewall (external IP)                                  Y
5    192.168.32.4    vApp5-Web2 external IP; vApp5 Network Firewall (external IP)                                  Y
6    192.168.32.1    Organization VDC firewall internal IP, connected to the vApp5 Network Firewall external IPs   Y
7    10.0.150.201    Organization VDC firewall external IP, connected to the organization network firewall         Y

NOTE: Sr. 1-6 IPs were already pingable or reachable.

1-SkyNet-Prod-Edge Firewall Configuration.

To let traffic pass through the SkyNet-Prod firewall, navigate to your organization VDC network “SkyNet-Prod-OrgVDC” -> “Edge Gateway” tab -> right-click the “SkyNet-Prod-Edge” firewall -> choose “Edge Gateway Service”.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting14]

Go to the “Firewall” tab. As you can see below, the firewall is enabled and its default action is “deny”. That is why no traffic can pass through the firewall.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting15]

For the sake of demonstration I just changed the default action from “deny” to “allow”. In production you should only allow specific traffic through the firewall by adding a rule for it and allowing it explicitly. In later posts I will show you how to add a rule for specific traffic.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting8]

After changing the firewall, click the “Apply” button to commit the changes.
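Setting the default action to “allow” on both the vApp5 network firewall and SkyNet-Prod-Edge is the quick way to reach Goal 2, and the text above says twice that production should use an explicit rule instead. The model below is an added example, not vCloud Director code or the author's: it reproduces the three stages of this lab (defaults, Goal 1, Goal 2) as two chained firewalls with a default action and first-match rules, and then shows the production-style alternative in which both firewalls keep default deny and a single ICMP rule (its name is made up) lets the ping through while TCP to the external IP stays blocked. Rule direction, ports and NAT, which real vCloud Director rules also carry, are deliberately left out.

```python
"""Model of the two firewalls between vApp5-Web1 and the external network.

Added example, not vCloud Director code. It models only what the post shows:
each firewall has a default action and an ordered rule list (first match
wins); vCloud Director rules also carry direction, ports and NAT, which are
left out here. Addresses are the lab's; the rule name is made up.
"""
import ipaddress
from dataclasses import dataclass, field

VAPP_NET = ipaddress.ip_network("192.168.11.0/24")     # vApp5-Network-Routed
ORG_NET = ipaddress.ip_network("192.168.32.0/24")      # OrgVCD-Routed-Network
VAPP_GATEWAY = ipaddress.ip_address("192.168.11.1")    # vApp5 firewall internal IP

LAB_IPS = ["192.168.11.100", "192.168.11.101", "192.168.11.1", "192.168.32.3",
           "192.168.32.4", "192.168.32.1", "10.0.150.201"]


@dataclass
class Rule:
    name: str
    proto: str      # "icmp", "tcp", "udp" or "any"
    src: str        # CIDR
    dst: str        # CIDR
    action: str     # "allow" or "deny"

    def matches(self, proto, src_ip, dst_ip):
        return (self.proto in ("any", proto)
                and src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst))


@dataclass
class Firewall:
    name: str
    default_action: str = "deny"                 # vCloud Director's default
    rules: list = field(default_factory=list)

    def decide(self, proto, src_ip, dst_ip):
        for rule in self.rules:                  # first matching rule wins
            if rule.matches(proto, src_ip, dst_ip):
                return rule.action
        return self.default_action


def build_chain(vapp_default="deny", edge_default="deny",
                vapp_rules=(), edge_rules=()):
    """(vApp5 network firewall, SkyNet-Prod-Edge) with the given policies."""
    return (Firewall("vApp5-Network firewall", vapp_default, list(vapp_rules)),
            Firewall("SkyNet-Prod-Edge", edge_default, list(edge_rules)))


def firewalls_on_path(dst_ip, chain):
    """Which firewalls a packet from the vApp network crosses to reach dst_ip."""
    vapp_fw, edge_fw = chain
    if dst_ip in VAPP_NET and dst_ip != VAPP_GATEWAY:
        return []                       # same vApp network: no firewall in the path
    if dst_ip in ORG_NET or dst_ip == VAPP_GATEWAY:
        return [vapp_fw]                # org VDC network, or the vApp firewall itself
    return [vapp_fw, edge_fw]           # external network: both firewalls


def reachable(chain, src, dst, proto="icmp"):
    """True only if every firewall on the path allows the packet."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return all(fw.decide(proto, src_ip, dst_ip) == "allow"
               for fw in firewalls_on_path(dst_ip, chain))


def ping_table(chain, src="192.168.11.100"):
    """ip -> 'Y'/'N' for the seven lab IPs, like the post's tables."""
    return {ip: ("Y" if reachable(chain, src, ip) else "N") for ip in LAB_IPS}


# The post's three stages: defaults, Goal 1 (vApp firewall allow), Goal 2 (edge allow too)
def stage_default():
    return ping_table(build_chain())

def stage_goal1():
    return ping_table(build_chain(vapp_default="allow"))

def stage_goal2():
    return ping_table(build_chain(vapp_default="allow", edge_default="allow"))


def explicit_icmp_chain():
    """Production-style alternative: keep default deny on both firewalls and
    add one rule (name made up) that allows only ICMP from the vApp network."""
    allow_ping = Rule("allow-ping-from-vApp5", "icmp", "192.168.11.0/24", "0.0.0.0/0", "allow")
    return build_chain(vapp_rules=[allow_ping], edge_rules=[allow_ping])


if __name__ == "__main__":
    for label, table in [("default", stage_default()), ("goal 1", stage_goal1()),
                         ("goal 2", stage_goal2()),
                         ("explicit ICMP", ping_table(explicit_icmp_chain()))]:
        print(f"{label:14}", " ".join(f"{ip}={yn}" for ip, yn in table.items()))
    # With the explicit rule, ping crosses both firewalls but TCP still does not:
    print("tcp to 10.0.150.201 with explicit ICMP rule:",
          reachable(explicit_icmp_chain(), "192.168.11.100", "10.0.150.201", "tcp"))
```

The point the model makes is that reaching 10.0.150.201 requires an allow decision from both firewalls in sequence, which is why Goal 1 alone leaves row 7 at “N”; the explicit-rule chain reaches the same seven “Y” results for ping without opening every other protocol.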

2-Testing after SkyNet-Prod-Edge Firewall Configuration

Now ping the following IP:

  • 168.150.201 (Org VDC Edge Firewall-External IP)

As you can see, we are able to ping our firewall's external IP and also reach the external organization network 10.0.150.0/24, which was our primary goal.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting16]

You may be wondering where I got 10.0.150.201 (the firewall IP) from. To see the external IP address of the firewall, navigate to your organization VDC network “SkyNet-Prod-OrgVDC” -> “Edge Gateway” tab -> right-click the “SkyNet-Prod-Edge” firewall -> choose “External IP Allocations”.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting17]

Now you can see the IP addresses of the edge firewall, as shown below.

[Screenshot: cloudlab51-vCloudOrganization-Firewalltesting18]
