Happy birthday to IBM Cloud for VMware Solutions! Two years ago today VMware Cloud Foundation and VMware vCenter Server on IBM Cloud became generally available. Sixteen releases later, we’ve come a long way! If you’re in Barcelona for VMworld 2018, stop by our booth and say hi!
IBM Cloud for VMware Solutions deploys VMware vCenter Server (VCS) environments using a network architecture consisting of three VLANs: one private VLAN used for management traffic and for NSX VTEPs, a second private VLAN used for storage traffic and vMotion, and a public VLAN.
Initially a sample NSX configuration is deployed for your use, including a distributed logical router (DLR), and an edge services gateway (ESG) that provides NAT service outbound from a logical switch (VXLAN) to both the IBM Cloud private network (10.0.0.0/8 addresses) and the public Internet.
The simple case is to deploy your virtual machines onto the logical switch and take advantage of the ESG to access the private and public networks. (Note that the ESG is initially configured with the sample NAT rule disabled, so you will need to enable it.) However, in our case study we want to deploy a virtual machine that will be used as part of the management stack to manage vCenter, ESXi hosts, and deploy workloads into vCenter. As a result, we prefer to have our virtual machine live directly on the private management network, but it will still need access to the public network, for example to download updates. This means we will need both to assign a private IP to the VM, and also to reconfigure the ESG to provide NAT from the private network to the public network.
You can discover the management VLAN on which your VCS instance is deployed by logging into the IBM Cloud infrastructure portal, displaying details for your bare metal servers, and identifying the Private interface. This information is important if you later need to order additional private portable IP addresses for your use. IBM Cloud infrastructure provides two different kinds of IP addresses: (1) primary subnets whose allocation IBM Cloud manages for bare metal servers and virtual servers, and (2) portable subnets whose allocation is typically managed by you and not by IBM Cloud. Note however that IBM Cloud for VMware Solutions orders and manages several portable subnets for your VCS instance. The only portable subnets associated with the VCS that are available for your use are those that are attached to the private and public interfaces of the sample ESG deployed in your instance. We will use one of these addresses for our VM’s deployment.
- Establish connectivity to your VCS environment (e.g., using the IBM Cloud VPN)
- Login to your vCenter web client UI
- Click the Home icon and navigate to Networking & Security
- Select NSX Edges and double click on the customer-nsx-edge
- Select the Manage tab, Settings item, and view the list of Interfaces. Note the interface with a 10.x.x.x/26 address. This represents the private portable subnet available to you for your use. One IP address is used by the ESG but the remaining addresses (excluding the network address, gateway address = network+1, broadcast address) are available to you for your use. The ESG can be configured to serve as a NAT for any address in the same subnet as itself. Note well that you will be responsible to manage the assignment of addresses within this subnet to prevent conflict!
- Configure the ESG firewall to allow outbound traffic from the 10.x.x.x/26 network
- Select the Firewall tab and add a new rule after the “All outgoing customer VMs” rule
- Configure this rule to allow outgoing traffic from the management network; the source IP specification should be the same subnet as the ESG, for example 10.123.171.128/26
- Click to Publish Changes
- Configure the ESG to NAT traffic from the private to the public network
- Select the NAT tab and add a new SNAT rule
- Configure this rule to operate on the Public Uplink, for all protocols, for the source IP range matching the ESG subnet (e.g., 10.123.171.128/26), and with a translated IP address matching the public IP address for the ESG (use the same address as the existing NAT rule). Ensure that the rule is enabled.
- Click to Publish Changes
- Deploy and configure your virtual machine
- IBM Cloud maintains a mirror of many popular Linux distributions, available only on the private network.
- Ensure that your VM is attached to the management network. Attach its adapter to the SDDC-DPortGroup-Mgmt port group.
- Configure the network adapter using an address from the ESG subnet. Set its default gateway to point to the ESG rather than to the IBM Cloud backend customer router (BCR). Identify the DNS server(s) for your instance by viewing one of your hosts’ TCP/IP configuration in vCenter. For example, if using RHEL:
# ifcfg-ens192 HWADDR=00:50:56:b0:88:39 NAME=ens192 GATEWAY=10.123.171.132 DNS1=10.123.158.32 DOMAIN=example.com DEVICE=ens192 ONBOOT=yes USERCTL=no BOOTPROTO=static NETMASK=255.255.255.192 IPADDR=10.123.171.133 NETWORK=10.123.171.128 BROADCAST=10.123.171.191
- Configure the adapter’s static routes to point to the BCR (i.e., the subnet gateway address) for all private network addresses. Note that IBM Cloud uses both subnets 10.0.0.0/8 and 18.104.22.168/16 for internal traffic. For example, if using RHEL:
# route-ens192 10.0.0.0/8 via 10.123.171.129 dev ens192 22.214.171.124/16 via 10.123.171.129 dev ens192
- Configure NTP to point to time.service.networklayer.com
The result is that we can access both the private and public networks from our VM:
[root@localhost ~]# ### Ping vCenter [root@localhost ~]# ping -c 1 10.123.170.130 | fgrep transmitted 1 packets transmitted, 1 received, 0% packet loss, time 0ms [root@localhost ~]# ### Ping Google DNS [root@localhost ~]# ping -c 1 126.96.36.199 | fgrep transmitted 1 packets transmitted, 1 received, 0% packet loss, time 0ms
IBM Cloud offers a VPN service for your account which you can use to access your dedicated IBM Cloud network. The VPN access is available from your browser using a Java applet, but is also available using a standalone VPN application for Windows, Linux, or macOS.
Unfortunately, I’ve found that the version 2.0 update of the MotionPro Plus application for macOS has broken my VPN access. Not only has it lost all of the passwords I had previously saved, but when I do enter my password and attempt to connect to the IBM Cloud, it immediately disconnects.
While we await a fix from Array Networks, it is possible to revert to an older version of MotionPro:
- View the macOS Launchpad and find the MotionPro+ icon
- Click and hold the icon until it begins to jiggle, then release. Note that this will delete your MotionPro configuration.
- Click the X to uninstall MotionPro+
- From the Array Networks support site, download the MacOS MotionPro client corresponding to AG-OS 188.8.131.52
- Open the disk image and run the MotionPro installer package within the image. The installer will also install some command line tools
- Recreate your MotionPro configuration
See also: managing SoftLayer VPN subnet access.
Kurtis Martin and I recently published a tutorial that shows how you can securely connect your VMware workload running in the IBM Cloud to other IBM Cloud services. This enables you to seamlessly extend your VMware application with valuable cognitive, data, and developer services available in the IBM Cloud.
Read more at IBM developerWorks: Securely connect your private VMware workloads in the IBM Cloud.
I presented a brief overview highlighting this tutorial at the IBM booth at VMworld 2017. Watch my overview here:
IBM’s Interconnect conference is March 19-23 this year. There’s quite a few interesting sessions currently lined up related to VMware and IBM Cloud:
- Monday at 2pm, Dream Payments deploys international payment networks with IBM Cloud for VMware Solutions
- Tuesday at 11:30am, Achieving and maintaining security and compliance in a hybrid cloud
- Tuesday at 2:30pm, Networking Magic: Intercontinental vMotion on IBM Bluemix Infrastructure in minutes
- Tuesday at 3:45pm, A deep dive into the cloud transformation journey of a large European bank
- Wednesday at 11:15am, Breaking virtualization beyond datacenter boundaries at CIBC
- Wednesday at 11:15am, Addressing workload / data geo-fencing challenges in cloud by leveraging NIST Publication IR 7904
- Wednesday at 2pm, Next generation digital workplace-as-a-service with Cancom AHP on IBM Bluemix with VMware
- Wednesday at 3:15pm, VMware on IBM Cloud: A Clarient case study on the death of traditional CAPEX
- Wednesday at 3:15pm, ONTAP Select on IBM Cloud: Deploying a validated software-defined storage solution for hybrid cloud
- Wednesday at 4:15pm, Design and deployment of VMware on IBM Cloud: Multiplus case study
- Thursday at 8:30am, IBM and VMware: Connecting it all
- Thursday at 10:30am, DevOps within the hybrid cloud: Deploying to the VMware platform on the IBM Cloud
- Thursday at 10:30am, Puzzled? Learn how IBM solutions complete each other to drive your digital transformation
I hope to see you at Interconnect 2017!
The IBM SoftLayer VPN only supports connection to 64 of your private subnets. If you have more than 64 private subnets in your SoftLayer account, you need to switch your VPN’s subnet management from Automatic to Manual, and select the specific subnets to which you want to connect.
The process for selecting subnets in the UI is not simple, especially if your account has hundreds of subnets. The subnets are not sorted, the dialog is small, and the pagination is slow.
However, it is possible to manage your VPN subnets programmatically using the SoftLayer API. I have created a Python script that allows you to manage your SoftLayer VPN subnet access. The script requires your SoftLayer username, API key, and a list of private IP addresses to which you want to connect. The script locates the subnets in your account that match your selected IP addresses, and assigns exactly these subnets to your SoftLayer VPN account.
You should wait a few minutes after running the script for it to take effect.
Last week I helped to facilitate an IBM PureApplication pattern camp in Kuala Lumpur, where we helped PureApplication customers and business partners from Malaysia, Thailand and Vietnam to build their own patterns. While there was snow and ice back home in Raleigh, it was very bright and warm in Kuala Lumpur!
Along the way we had a chance to discuss best practices for script packages and scripting, high availability and disaster recovery, multi-system deployment, IBM Bluemix running directly on PureApplication System, and best practices for backup. It’s exciting to see PureApplication growing in Southeast Asia!