VMware vshield Edge Design Guide

Similar documents
VMware vshield App Design Guide TECHNICAL WHITE PAPER

What s New with VMware vcloud Director 8.0

The Technology Foundations of VMware vshield

VMware vcloud Air. Enterprise IT Hybrid Data Center TECHNICAL MARKETING DOCUMENTATION

Storage Considerations for VMware vcloud Director. VMware vcloud Director Version 1.0

What s New in VMware vcloud Director 8.20

vshield Administration Guide

VMware vcloud Networking and Security Overview

VMWARE SERVICE PROVIDER PROGRAM PRODUCT USAGE GUIDE Q2

VMware vcloud Director for Service Providers

VMware vsphere 4. The Best Platform for Building Cloud Infrastructures

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

VMware vcloud Architecture Toolkit Hybrid VMware vcloud Use Case

vcloud Director Administrator's Guide

Solution Brief: VMware vcloud Director and Cisco Nexus 1000V

VMWARE MICRO-SEGMENTATION AND SECURITY DEPLOY SERVICE

VMware vcloud Director Evaluator s Guide TECHNICAL WHITE PAPER

Dedicated Hosted Cloud with vcloud Director

vshield Quick Start Guide

TECHNICAL WHITE PAPER - MAY 2017 MULTI DATA CENTER POOLING WITH NSX WHITE PAPER

Redefining Networking with Network Virtualization

How to Use a Tomcat Stack on vcloud to Develop Optimized Web Applications. A VMware Cloud Evaluation Reference Document

What s New in VMware vcloud Automation Center 5.1

VMware vcloud Service Definition for a Public Cloud. Version 1.6

VMware vrealize Suite and vcloud Suite

VMware vcloud Director Infrastructure Resiliency Case Study

Eliminate the Complexity of Multiple Infrastructure Silos

HARNESSING THE HYBRID CLOUD TO DRIVE GREATER BUSINESS AGILITY

Architecting Tenant Networking with VMware NSX in VMware vcloud Director

VMware Cloud Provider Pod Designer User Guide. October 2018 Cloud Provider Pod 1.0

SAN Virtuosity Fibre Channel over Ethernet

Monitoring Hybrid Cloud Applications in VMware vcloud Air

VMware vcloud Requirements for a Cloud

CLOUD PROVIDER POD RELEASE NOTES

DISASTER RECOVERY- AS-A-SERVICE FOR VMWARE CLOUD PROVIDER PARTNERS WHITE PAPER - OCTOBER 2017

Cloud Provider Pod Designer User Guide. November 2018 Cloud Provider Pod 1.0.1

Scalable Licensing with Selective Monitoring in VMware vrealize Operations

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

SOLUTION BRIEF Enterprise WAN Agility, Simplicity and Performance with Software-Defined WAN

vcloud Director Tenant Portal Guide vcloud Director 8.20

CLOUD PROVIDER POD RELEASE NOTES

WHITE PAPER SEPTEMBER 2017 VCLOUD DIRECTOR 9.0. What s New

What s New in VMware vsphere 4.1 Performance. VMware vsphere 4.1

Intermedia. CX-E Cloud Hosting Provider. Introduction. Why Intermedia for CX-E Cloud? Cost of Ownership

Workload Mobility and Disaster Recovery to VMware Cloud IaaS Providers

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Customer Onboarding with VMware NSX L2VPN Service for VMware Cloud Providers

DEPLOY MODERN APPS WITH KUBERNETES AS A SERVICE

vcloud Director Administrator's Guide

DEPLOY MODERN APPS WITH KUBERNETES AS A SERVICE

DEPLOYING A VMWARE VCLOUD DIRECTOR INFRASTRUCTURE-AS-A-SERVICE (IAAS) SOLUTION WITH VMWARE CLOUD FOUNDATION : ARCHITECTURAL GUIDELINES

vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5

CLOUD PROVIDER POD. for VMware. Release Notes. VMware Cloud Provider Pod January 2019 Check for additions and updates to these release notes

7 Things ISVs Must Know About Virtualization

3 Ways Businesses Use Network Virtualization. A Faster Path to Improved Security, Automated IT, and App Continuity

CONFIDENTLY INTEGRATE VMWARE CLOUD ON AWS WITH INTELLIGENT OPERATIONS

Mobile Secure Desktop Implementation with Pivot3 HOW-TO GUIDE

VMWARE CLOUD FOUNDATION: INTEGRATED HYBRID CLOUD PLATFORM WHITE PAPER NOVEMBER 2017

Creating a VMware Software-Defined Data Center REFERENCE ARCHITECTURE VERSION 1.5

What s New in VMware vsphere 4: Virtual Networking W H I T E P A P E R

W H I T E P A P E R. What s New in VMware vsphere 4: Virtual Networking

vcenter Operations Management Pack for NSX-vSphere

Installing and Configuring vcloud Connector

Cross-vCenter NSX Installation Guide. Update 3 Modified on 20 NOV 2017 VMware NSX for vsphere 6.2

vcloud Director User's Guide

VMware vcloud Director Configuration Maximums vcloud Director 9.1 and 9.5 October 2018

vcloud Director User's Guide

IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture

VMWARE SOLUTIONS AND THE DATACENTER. Fredric Linder

Architecture and Design. 17 JUL 2018 VMware Validated Design 4.3 VMware Validated Design for Management and Workload Consolidation 4.

vcloud Director User's Guide

VMWARE CLOUD FOUNDATION: THE SIMPLEST PATH TO THE HYBRID CLOUD WHITE PAPER AUGUST 2018

10 QUESTIONS, 10 ANSWERS. Get to know VMware Cloud on AWS The Best-in-Class Hybrid Cloud Service

REDUCE TCO AND IMPROVE BUSINESS AND OPERATIONAL EFFICIENCY

WHITE PAPER SEPTEMBER VMWARE vsphere AND vsphere WITH OPERATIONS MANAGEMENT. Licensing, Pricing and Packaging

What s New in VMware vsphere 4:

What s New in VMware vsphere Availability

Advanced Architecture Design for Cloud-Based Disaster Recovery WHITE PAPER

VMware vsphere 4 and Cisco Nexus 1000V Series: Accelerate Data Center Virtualization

The Virtualisation Security Journey: Beyond Endpoint Security with VMware and Symantec

Paperspace. Architecture Overview. 20 Jay St. Suite 312 Brooklyn, NY Technical Whitepaper

Branch Office Desktop

Certified Reference Design for VMware Cloud Providers

VMware Cloud Provider Platform

Architecture and Design. Modified on 21 AUG 2018 VMware Validated Design 4.3 VMware Validated Design for Software-Defined Data Center 4.

VMware Integrated OpenStack Quick Start Guide

Introducing VMware Validated Designs for Software-Defined Data Center

Sample excerpt. HP ProCurve Threat Management Services zl Module NPI Technical Training. NPI Technical Training Version: 1.

vcloud Director User's Guide

VMWARE EBOOK. Easily Deployed Software-Defined Storage: A Customer Love Story

Cross-vCenter NSX Installation Guide. Update 6 Modified on 16 NOV 2017 VMware NSX for vsphere 6.3

VMware Validated Design for NetApp HCI

vcloud Air Advanced Networking Services Guide

Introducing VMware Validated Designs for Software-Defined Data Center

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: VMWARE IDENTITY MANAGER ARCHITECTURE

PROTECT WORKLOADS IN THE HYBRID CLOUD

21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal. By Adeyemi Ademola E. Cloud Engineer

2V0-642 vmware. Number: 2V0-642 Passing Score: 800 Time Limit: 120 min.

Introducing VMware Validated Designs for Software-Defined Data Center

VMWARE AND NETROUNDS ACTIVE ASSURANCE SOLUTION FOR COMMUNICATIONS SERVICE PROVIDERS

Transcription:

ware Technical WHITE PAPER

ware Overview The new virtual datacenter (vdc) infrastructure deployments enable IT to provide on-demand infrastructure services to its customers on a common, shared infrastructure while maintaining isolation, security and flexibility of resources. This deployment is also termed cloud infrastructure or multitenant infrastructure, where instead of providing internal organizations with siloed physical infrastructures, IT delivers isolated virtual datacenters that are hosted on a common physical infrastructure. By pooling the physical resources on the back end, hardware utilization and consolidation is increased. Similarly, underlying infrastructure can be pooled into tiers and offered to users at discrete service levels and prices. From the end-user point of view, each system is still separate, with its own network, storage and services offering. However, the separation and isolation between tenants/ customers are not provided through separate physical racks but through secure multitenancy architecture using a ware firewall. Figure 1 provides a simplified illustration of a multitenant virtual datacenter hosting three tenants. Each tenant is allocated with its compute, storage and network resources. The resources are carved out to each tenant from a common pool of physical infrastructure. The isolation and security between tenants are provided through a firewall. The goal of this document is to help customers understand where and how a firewall can be deployed to secure and isolate tenants/organizations, while providing some reference designs along the way. This document will also help VI administrators and network administrators understand the deployment of security and other network services in virtual datacenters using a firewall. First, a brief explanation of the multitenant infrastructure use case is provided. Subsequently, the needs of such an environment are discussed along with the traditional design approaches and challenges. Finally, three reference designs are provided to help customers understand the security and other network services deployment in a virtual datacenter using the firewall product, as well as the advantages of these designs. Internet Core Network DMZ Campus Network Virtual Datacenter (vdc) Perimeter 1 (Tenant A) Perimeter 2 (Tenant B) Perimeter 3 (Tenant C) Figure 1. Virtual Datacenter TECHNICAL WHITE PAPER / 2

ware Multitenancy Use Case Description Multitenancy environments might differ from each other based on specific services and SLA requirements from tenants as well as special security requirements from regulatory environments they operate in. Following are the typical tenant requirements that service providers have to be able to fulfill. 1) NAT, load balancing, IPSec VPN services support 2) Secure separation from other tenants 3) Predictable service quality and high availability 4) Scalability of services 5) Rapid provisioning and on-demand deployments Let us first look at the traditional multitenant design approaches and their challenges before diving into the virtual datacenter or cloud-based multitenant architecture deployments based on. Traditional Multitenant Designs As shown in Figure 2, a traditional multitenant design requires three physical siloed infrastructures in order to provide services to three different organizations or companies. Each silo has its own set of equipment (storage, network, server) that addresses specific needs of that organization. To support secure remote access to different users of an organization, separate VPN devices are installed per organization. Also, additional services such as load balancers, IPS devices and other network and security services if required are incorporated in the aggregation layer of the design. Internet Remote Access VPN Gateway VPN Gateway VPN Gateway L2-L3 Switch L2-L3 Switch L2-L3 Switch Aggregation FIrewall FIrewall FIrewall Load Balancer Load Balancer Load Balancer Access Switch Switch Switch Company X Company Y Company Z Figure 2. Siloed Multitenancy Deployment TECHNICAL WHITE PAPER / 3

ware Isolation between different organizations in traditional design is achieved through physical separation of devices as well as through the firewall rules and separate routing domains. This physical separation reduces the complexity of the deployment but adds rigidity to the infrastructure. The following are key disadvantages of the traditional design: Underutilized resources. Less flexibility and scalability of the solution. Deployment of physical devices takes time and adds to CAPEX and OPEX. Figure 3 shows another deployment where the customer has successfully consolidated the server infrastructure and is achieving a better consolidation ratio by serving different tenants on one cluster. In this design, traffic isolation between different tenants is through VLANs, and security is introduced by deploying separate physical firewalls at the aggregation layer for each tenant. The following are some disadvantages of this design option: VLAN complexity of provisioning and managing. Longer provisioning cycle with deployment of hardware firewall devices. The firewalls become choke points, as all tenant traffic flows through the security device. Internet Access- Aggregation L2-L3 Switch VLAN 1002 VLAN 1001 Firewalls VLAN 1001 VLAN 1002 VLAN 1001 VLAN 1002 Port Group Company X n/w Port Group Company Y n/w PG-Z Port Group Company Z n/w Port Group to Links vds/vss () (VLAN 1001) PG-Z (VLAN 1002) Virtual to Ext. Switch Links (Uplink Ports) ware + vshield Company X Company Y Company Z Figure 3. VLAN + FW Multitenancy Deployment To overcome these challenges with traditional designs, and to meet business requirements mandating increased agility and efficiency, IT departments are embracing the new cloud computing strategy. According to NIST, cloud computing is defined as a model for enabling on-demand network access to a shared pool of computing resources (network, storage, servers, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This model is sometimes referred to as the Infrastructure as a Service (IaaS) model, where the service provider offers the compute, storage and network infrastructure to the customer/consumer on demand. These cloud computing models are categorized as follows, based on who is the service provider and who is the customer/consumer: Private cloud: IT department acting as a service provider and providing cloud infrastructure to several internal organizations TECHNICAL WHITE PAPER / 4

ware Public cloud: Service provider selling the cloud infrastructure to an industry or the general public (ware vcloud Express) Hybrid cloud: IT department of a company with private cloud deployment makes use of public cloud infrastructure to satisfy the instantaneous infrastructure need (cloud bursting) of its internal organizations Many enterprises are deploying cloud service (private cloud) offerings to their internal organization and taking advantages of increased operational efficiency and agility over shared infrastructure. However, leveraging shared infrastructure introduces additional challenges in terms of how security and isolation can be maintained across internal organizational resources and how service level agreements (SLAs) can be provisioned and administered based on particular organizational needs. The ware vshield product family helps address the security and isolation challenges faced in the multitenant, or cloud, infrastructure. Design Approach with ware This section provides details on how to build a multitenant deployment and how to implement isolation and security for individual tenants. A security design approach using a firewall can be based on the following approaches: VLAN isolation Cloud network isolation port group isolation (PGI) Common Components The following are the common components in the design. This list doesn t include the external network and storage infrastructure that are required to build the virtual infrastructure. It is assumed that based on the customer environment, there will be iscsi or FC SAN infrastructure and also network switches and router infrastructure. Hosts Six physical hardware servers provide compute, memory and network resources based on the configuration of the hardware (for example, an HP ProLiant DL380 rackmountable server with two Intel Xeon CPUs (four cores each), 96GB memory, 2x10GB network interface cards running ware ESX /ESXi servers). Customers can have different hardware capacities, which will drive the decision on how many virtual machines or workloads can be hosted on a particular hardware. Cluster A cluster is a collection of ware ESX/ESXi hosts and associated virtual machines with shared resources. When a host is added to a ware Distributed Resource Scheduler (ware DRS) cluster, the host s resources become part of the cluster s resources. There is one cluster with six hosts. Number of tenants Depending on the service provider s infrastructure resources and its needs, multiple tenants can be hosted. For purposes of illustration, in this design three tenants are considered. They might be three different companies for a service provider or three different organizations for an internal IT deployment. Each tenant gets its own set of compute, storage and network resources from a common resource pool. The number of tenants will depend on the customer s (in this case, IT or the service provider) need to provide services to different tenants, as well as on the capacity of available resources that can be shared across tenants. These tenants are referred to as company X, company Y and company Z in the designs. ware The firewall provides network perimeter security and services to a tenant. It isolates the tenant s stub network from the shared (uplink) networks and provides common perimeter security services such as DHCP, VPN and NAT. One firewall is deployed per tenant or port group. TECHNICAL WHITE PAPER / 5

ware Design Option 1: VLAN Isolation This design approach utilizes a network infrastructure s ability to provide isolation through VLANs. Each of the three tenants that must be supported in this design must have its own VLAN for its own virtual machine traffic. Additional VLANs are required if tenants want to separate storage and management traffic from normal virtual machine traffic. For purposes of simplified illustration, assume that all storage, network and management traffic of a tenant is assigned to one VLAN. As shown in Figure 4, is associated with company X, VLAN 1001 is associated with company Y, and VLAN 1002 is associated with company Z. There is also a provider VLAN, VLAN 100, which is associated with an external network of different companies perimeters. This VLAN separation of traffic between tenants provides layer-2 isolation between tenants but doesn t provide security from layer-3-and-above attacks. To protect from higher-layer network attacks, one ware vshield Edge virtual machine, acting as a firewall, is deployed per tenant. The virtual machine has two network interfaces. One of the interfaces is connected to the uplink port through the (VLAN 100) port group and provides access to the external world. The other interface of the virtual machine is connected to the internal port group,, which is part of the company X network. All virtual machines of the company X tenant connect to the internal port group, (), and these virtual machines are allowed to communicate with each other without going through the firewall virtual machine. However, if the company X virtual machine attempts to access external devices, traffic must flow through the virtual machine. Depending on the security rules defined, the access will be allowed or denied. The firewall is a virtual machine that can be scaled up or down based on the amount of traffic that a particular tenant must handle. Also, the firewall virtual machine is protected through the ware DRS and ware High Availability (ware HA) features of the ware 4.1 ( ) platform. So when a host on which is running goes down, that virtual machine restarts immediately on another available host in that cluster. Similar to the deployment of virtual machine for company X, deploy for company Y and company Z and configure the internal network by creating separate port groups and PG-Z where respective-company virtual machines will be connected. As shown in Figure 4, VLANs 1000, 1001 and 1002 are configured on, and PG-Z respectively. The external network infrastructure at the access and aggregation layers requires VLAN configuration that will provide layer-2 isolation at the network level. However, customers that have their network infrastructure architected with separate layer-2 domains and are familiar with the operation can utilize the network design as is and can deploy a firewall to provide layer-3-andabove security. A ware firewall can successfully provide a perimeter security solution that is scalable, flexible, resilient and secure. If a tenant wants to deploy its own NAT, DHCP and VPN services, the firewall also provides the capability to enable those services per tenant. In design option 3, an extranet use case is described in which partner access to a tenant resource is provided through a secure IPSec tunnel. TECHNICAL WHITE PAPER / 6

ware Internet Access- Aggregation L2-L3 Switch VLAN 1002 VLAN 1001 Provider VLAN (VLAN 100) VLAN 1001 VLAN 1002 Port Group Company X n/w Port Group Company Y n/w PG-Z Port Group Company Z n/w External Uplink Port Group Internal Company Links vds/vss () (VLAN 100) (VLAN 1001) PG-Z (VLAN 1002) External Uplink vds to Ext. Switch Links ware + vshield Company X Company Y Company Z Figure 4. Multitenancy with VLAN Isolation Figure 5, Figure 6 and Figure 7 illustrate in detail the various traffic flows that can occur between the virtual machines of different tenants and how firewall rules can allow or deny these flows based on security policies. To simplify the diagram, a two-host cluster with two different tenants (X and Y) and their virtual machine resources is shown. Three traffic flows are illustrated in the following: Tenant Y virtual machine on host 1 communicating to tenant X virtual machine on host 2 (different-host communication). This communication is shown by a green circle with numbers in Figure 5. VLAN 1001 VLAN 1001 Cluster 2 8 3 7 vds/vss 1 9 4 Host 1 6 Host 2 Tenant X Communicating Tenant Y Communicating Uplink Trunk ports Port Group Corp. n/w (VLAN 100) Port Group Tenant X n/w () 5 VLAN 1001 VLAN 100 Port Group Tenant Y n/w (VLAN 1001) Indicates Route of the Packet Packet flow from Tenant Y to Tenant X on Different Host Figure 5. Different-Tenant-on-Different-Host Communication TECHNICAL WHITE PAPER / 7

ware Tenant X virtual machine on host 1 communicating to tenant X virtual machine on host 2. This communication is shown by a blue circle with numbers in Figure 6. VLAN 1001 VLAN 1001 Cluster vds/vss 1 5 2 Host 1 4 Host 2 Tenant X s Communicating 3 Uplink Trunk Ports Port Group Corp. n/w (VLAN 100) Port Group Tenant X n/w () Port Group Tenant Y n/w (VLAN 1001) VLAN 1001 VLAN 100 Indicates Route of the Packet Packet Flow from Tenant X to Tenant X on Different Host Figure 6. Same-Tenant-on-Different-Host Communication Tenant Y virtual machine on host 1 communicating to tenant X virtual machine on host 1 (same-host communication). This communication is shown by an orange circle with numbers in Figure 7. VLAN 1001 VLAN 1001 Cluster 2 10 vds/vss 3 16 1 9 4 15 8 11 Host 1 Host 2 Tenant X Communicating 14 Uplink Trunk Ports 13 12 Tenant Y Communicating Port Group Corp. n/w (VLAN 100) Port Group Tenant X n/w () 5 VLAN 1001 VLAN 100 6 7 Port Group Tenant Y n/w (VLAN 1001) Indicates Route of the Packet Packet flow from Tenant Y to Tenant X on Same Host Figure 7. Different-Tenant-on-Same-Host Communication TECHNICAL WHITE PAPER / 8

ware The following are the key challenges of the VLAN-backed isolation design: Limitation on number of tenants supported due to VLAN limitations (4K VLAN) Configuring and managing VLAN across the switching infrastructure Design Option 2: Cloud Network Backed Isolation (PGI) To overcome the challenges faced by the VLAN deployments, ware has introduced a new approach: providing isolation through traffic encapsulation. With this approach, there is no need for customers to worry about multiple VLANs for isolation. They only must provide a single layer-2 domain. All tenants virtual machines will be part of the same layer-2 domain. This design requires customers to use a virtual distributed switch (vds). The three tenants that must be supported in this design will be part of one VLAN. As shown in Figure 8, tenants X, Y and Z are part of the same layer-2 domain. Port groups X, Y and Z are the internal port groups on which tenant virtual machines are connected. All traffic from virtual machines that are connected to a port group is allowed to flow through. However, when a virtual machine connected to Port group attempts to communicate with a virtual machine connected to Port group, the traffic is not allowed, even if those virtual machines are in the same layer-2 domain. The vds keeps track of where the traffic is coming from and where it is headed. It determines whether the traffic can flow directly or whether it must go through a ware firewall. The isolation between tenants that are in the same layer-2 domain is maintained through the platform, which is aware of the association of virtual machines to the port groups. The virtual machine has two network interfaces. One of the interfaces is connected to the uplink port through the port group and provides access to the external world. The other interface of the vshield Edge virtual machine is connected to the internal port group, which is part of the company X network. All virtual machines of the company X tenant connect to port group, and these virtual machines are allowed to communicate with each other without going through the firewall virtual machine. However, if the company X virtual machine attempts to access external devices, traffic must flow through the virtual machine. Depending on the security rules defined, the access will be allowed or denied. Also, the firewall virtual machine is protected through the ware DRS and ware HA features of the platform. So when a host on which is running goes down, that virtual machine gets restarted immediately on another available host in that cluster. Similar to the deployment of the virtual machine for company X, deploy the for company Y and company Z. Configure the internal network by creating separate port groups and PG-Z where the respective company Y and company Z virtual machines will be connected. As shown in Figure 8, all the port groups (, and PG-Z) are in the same layer-2 domain, and isolation between different companies is achieved through the method of encapsulation. The advantage of this method over the VLANbased isolation is that there is no need for complex configuration at the access aggregation layer, thereby simplifying operational challenges. Also, there is no number of VLAN limitations in this deployment. TECHNICAL WHITE PAPER / 9

ware Internet Access- Aggregation L2-L3 Switch Infrastructure Provider VLAN (VLAN 100) PG-Z Port Group Company X n/w Port Group Company Y n/w Port Group Company Z n/w External Uplink Port Group Internal Company Links vds External Uplink () (VLAN 100) () PG-Z () vds to Ext. Switch Links ware + vshield Company X Company Y Company Z Traffic Flow Not Allowed Figure 8. Multitenancy with PGI Isolation The following figures illustrate in detail the different traffic flows that can occur between different tenant virtual machines and how firewall rules can allow or deny these flows based on the security policies. To simplify the diagram on a two-host cluster, two different tenants, X and Y, have their resources (virtual machine) running. Three traffic flows are illustrated, as follows: Tenant Y virtual machine on host 1 communicating to tenant X virtual machine on host 2 (different-host communication). This communication is shown by a green circle with numbers in Figure 9. Cluster 2 8 vds/vss 3 1 7 9 4 Host 1 6 Host 2 Tenant X Communicating Uplink Trunk Ports Tenant Y Communicating Port Group Corp. n/w (VLAN 100) Port Group Tenant X n/w () 5 VLAN 100 Port Group Tenant Y n/w (VLAN 1001) Indicates Route of the Packet Packet Flow from Tenant X to Tenant X on Different Host Figure 9. Different-Tenant-on-Different-Host Communication TECHNICAL WHITE PAPER / 10

ware Tenant X virtual machine on host 1 communicating to tenant X virtual machine on host 2. This communication is shown by a blue circle with numbers in Figure 10. Cluster vds 1 5 2 Host 1 4 Host 2 Tenant X Communicating Uplink Trunk Ports 3 Port Group Corp. n/w (VLAN 100) Port Group Tenant X n/w () VLAN 100 Port Group Tenant Y n/w () Indicates Route of the Packet Packet Flow from Tenant Y to Tenant X on Different Host Figure 10. Same-Tenant-on-Different-Host Communication Tenant Y virtual machine on host 1 communicating to tenant X virtual machine on host 1 (same-host communication). This communication is shown by an orange circle with numbers in Figure 11. Cluster 2 9 vds 3 14 1 8 4 13 7 10 Host 1 Host 2 Tenant X Communicating Tenant Y Communicating Uplink Trunk Ports 12 11 Port Group Corp. n/w (VLAN 100) Port Group Tenant X n/w () 5 VLAN 100 6 Port Group Tenant Y n/w (VLAN 1001) Indicates Route of the Packet Packet Flow from Tenant Y to Tenant X on Same Host Figure 11. Different-Tenant-on-Same-Host Communication TECHNICAL WHITE PAPER / 11

ware Comparison of Two Options The following table compares the two design options of multitenancy deployments described in previous sections on operational and scalability parameters. Table 1 Design comparison Parameters VLAN Isolation Cloud Network Isolation VLAN Limitations Maximum 4K VLANS No VLAN limitations Complexity High Lower Scalability Not scalable Simple to scale Management Complex Simple Provisioning Time consuming Automated Design Option 3: Extranet Partner Access The partner access use case is very prominent in today s collaborative work environment. Companies work with different partners to take advantage of their unique skills, and they all must share information. So if an organization wants to take advantage of a service that is provided by a partner, it must establish a secure communication channel that enables them to communicate securely. IT or the service provider must provision this secure tunnel that can be used by this organization, by deploying physical devices on local and remote site. The deployment of physical devices across two sites, along with the configuring of tunnels, results in considerable time before communication service can be enabled between the partner and the organizations. However, the following design using a ware firewall shows how simple it is to deploy and configure a site to a site virtual private network (VPN). The following section provides some details on how to enable the VPN service for a typical use case. The firewall product provides NAT, DHCP, load balancing and VPN services along with firewall capability. This design depicts a use case where a tenant or organization wants to provide access to its resources to a partner over a secure link. As shown in Figure 12, Org X and Org Z are providing access to their respective resources through an IPSec tunnel. Customers can enable these services on the fly without the complexity of the physical infrastructure deployment. TECHNICAL WHITE PAPER / 12

ware Partner of Org X Partner of Org Z Internet Access- Aggregation L2-L3 Switch IPsec Tunnel IPsec Tunnel Port Group Company X n/w Port Group Company Y n/w PG-Z Port Group Company Z n/w External Uplink Port Group Internal Company Links vds/vss External Uplink PG-Z vds to Ext. Switch Links ware + vshield Org X Org Y Org Z Figure 12. Extranet Partner Access The following simple steps are required to configure the VPN tunnel from Org X to the partner of Org X: 1. In the Client, go to Inventory > Networking. 2. Select an internal port group that is protected by a. In this case, it is. 3. Click the tab. 4. Click the VPN link. 5. Type an External IP Address for the VPN service on the. 6. Type the NATed Public IP that represents the External IP Address to the external network. 7. Select the Log check box to log VPN activity. 8. Click Apply. Next, identify a peer site. Click the VPN link after choosing the port group and tab. 1. Under Peer Site Configuration, click Create Site. 2. Type a name to identify the site in Site Name. 3. Type the IP address of the site in Remote EndPoint. 4. Type the Shared Secret. 5. Type an MTU threshold. 6. Click Add. TECHNICAL WHITE PAPER / 13

ware Next, add a tunnel to connect to the site. Click the VPN link after choosing the port group and tab. 1. Under Peer Site Configuration, select the appropriate peer from the Select or create a site drop-down list. 2. Click Add Tunnel. 3. Double-click the Tunnel Name cell and type a name to identify the tunnel. 4. Double-click the Remote Site Subnet cell and enter the IP address in CIDR format (A.B.C.D/M). 5. Double-click the Encryption cell and select the appropriate encryption type. 6. Click Commit. Similarly, IT can configure a tunnel for Org Z and its partner. The agent can be deployed behind a NAT device. In this deployment, the NAT device translates the VPN address of a into a publicly accessible address facing the Internet. Remote VPN routers use this public address to access the. Remote VPN routers can be located behind a NAT device as well. In this case, IT must provide both the VPN native address and the NAT public address to set up the tunnel. On both ends, static one-to-one NAT is required for the VPN address. Conclusion ware is a key component of the cloud, or multitenant, architecture. It provides perimeter security to tenants, as well as additional services (NAT, DHCP, load balancing and VPN) that are easy to deploy and manage. The simplified isolation through vds technology is a key differentiator that enables customers to deploy scalable private/public cloud services without the complexity of a VLAN implementation. ware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2011 ware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. ware products are covered by one or more patents listed at http://www.vmware.com/go/patents. ware is a registered trademark or trademark of ware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: W-TWP-vShield-EDGE-USLET-101

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback