Cloud Lab-58: vCloud Director Organizations- “DNAT Use Case – Allow SSH Access from External Network to vApps” (Part 1)

NATING Overview

In vCloud Director, you have more granular control over the NAT configuration in the Edge Gateway. Specifically you can configure Source NAT (SNAT) rules, which control traffic leaving the Edge Gateway’s external interface(s), and Destination NAT (DNAT) rules, which control traffic arriving at the Edge Gateway’s external interface(s).

In today’s post , lets see how we configure DNAT in vCloud Director. due to the length of this post, i divided it into three parts. lets see what we will cover in “part 1”

LAB-58 TASKS (Part 1)

In this Lab, we will perform following tasks

  1. DNAT Use Case Scenario
  2. Architecture diagram for DNAT Use Case Scenario
  3. Information required for DNAT Configuration
  4. Create DNAT Rule For “vApp5-Web1”

1-DNAT Use Case Scenario

DNAT rules are applied on the “external interface” and you are use it for the NAT translation. In this Use Case, I am going to add a rule that forwards traffic destined for “TCP port 22 (SSH)” of “vApp5-Web1” and “TCP Port 1010 (SSH)” of “vApp5-Web2” on the “public IP at port 22″ into the “private IP” address of the Redhat Linux Server which are installed on my vApps. if you dont understand, what i am saying. please look into the Scenario diagram which is pretty self explanatory.

2-Architecture diagram for DNAT Use Case Scenario

cloudlab58-vCloudOrganization-DNATUsecase1

3-Information required for DNAT Configuration

  1. External Client IP Information
  2. vApp5-Web1 IPs Information (Both Internal and External)
  3. External IP Address of VSE (Skynet-Prod-Edge2)
  4. Sub Allocation Pool IP Range of “SkyNet-Prod-Edge2”

NOTE: SkyNet-Prod-Edge2″ is VSE firewall which is connected to External Network and my vApps are behind it as you can see in architecture diagram

1-External Client IP Information

Here is my “Client/Mgmt PC” machine which is connected to my “external Network” of vCloud director. His IP address is “10.0.150.150/24” as shown below and my external Network ID would be 10.0.150.0/24.

cloudlab58-vCloudOrganization-DNATUsecase2

2-vApp5-Web1 IPs Information (Both Internal and External)

Our Goal is to access “vApp5-Web1” Machine from External Network. This VM is behind our vShield Edge Firewall.  Note the vApp5-Web1 (IP Address).

In My Case it is 

192.168.11.100 (Internal) & 192.168.33.4 (External)

cloudlab58-vCloudOrganization-DNATUsecase3

As you can see below. In our “vApp Network” Firewall is enabled (by default).

cloudlab58-vCloudOrganization-DNATUsecase4

3-External IP Address of VSE (Skynet-Prod-Edge2)

My “vApp5” VM’s are in Organization VDC “SkyNet-Prod-OrgvDC”. it is connected to Network “SkyNet-Prod-Org-Routed2” which is routed and behind vShied Edge Firewall “Skynet-Prod-Edge2”.

cloudlab58-vCloudOrganization-DNATUsecase5

To get the vShield External IP Address. Right Click on VSE Firewall ”SkyNet-Prod-Edge2” -> Choose “External IP Allocations”

cloudlab58-vCloudOrganization-DNATUsecase6

As you see below. VSE External IP address is “10.0.150.243” and it’s connected to vSphere Distributed Switch Port Group “External-Public2”

cloudlab58-vCloudOrganization-DNATUsecase7

4-Sub Allocation Pool IP Range of SkyNet-Prod-Edge2

you will need to know your VSE “Sub Allocation Pool” IP range. Because VSE will use IP address from this IP Pool for your NAT Services.

You can find this by Right Click on VSE Firewall ”SkyNet-Prod-Edge2” -> Choose “Properties”

cloudlab58-vCloudOrganization-DNATUsecase8

As you can see his Sub Allocation Pool IP range. Which is “10.0.150.245- 10.0.150.250”

cloudlab58-vCloudOrganization-DNATUsecase9

Now we have all the information let create a “NAT (DNAT) Rule” to access our Linux VM from our Mgmt Server (Client) using “SSH”.

4-Create DNAT Rule For “vApp5-Web1”

To create a NAT Rule -> Go to You VSE and Right Click on “SkyNet-Prod-Edge2”-> Choose “Edge Gateway Service”

cloudlab58-vCloudOrganization-DNATUsecase10

In NAT Tab -> Choose “Add DNAT”

cloudlab58-vCloudOrganization-DNATUsecase11

Choose Your External Network in “Applied On”, in my case it would be “External-Public2”. Choose an “External IP Address” from the “Sub Allocation IP Range” of VSE. I choose IP “10.0.150.249”. Which will be translated/Masquerade onto “vApp5-Web1” VM External IP address “192.168.33.4”-> Click “OK”

cloudlab58-vCloudOrganization-DNATUsecase12

Verify your Added Rules -> Click “OK”

cloudlab58-vCloudOrganization-DNATUsecase13

By default Firewall Action is “deny” on your Organization “vDC Routed Network . We have to add a firewall rule to allow the “SSH traffic” for “vApp5-Web1” VM. which, i will cover in my next post.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s