Cloud Infrastructure Network Design

The network design for the Cloud Infrastructure validated solution covers the logical networking and security design decisions for VMware Cloud Director and its supporting infrastructure, private cloud services, and external solutions such as Usage Meter, VMware Chargeback, RabbitMQ, and VMware Cloud Provider Lifecycle Manager, all deployed on top of VMware Cloud Foundation.

VMware NSX provides networking services for the infrastructure management components and workloads in VMware Cloud Foundation, such as load balancing, routing, and virtual networking.

Network Segments

In VMware Cloud Foundation, the Cloud Infrastructure components are placed on pre-defined NSX segments (known as application virtual networks, or AVNs) for dynamic routing and load balancing. NSX segments provide flexibility for workload placement by removing the dependence on traditional physical data center networks. This approach also improves the security and mobility of the management applications and reduces the integration effort with the existing customer network.

This validated solution uses an implementation of the VMware Cloud Foundation application virtual networks feature in the management domain provided by NSX. The application virtual networks in the management domain can be either overlay-backed NSX segments or VLAN-backed NSX segments.

Type: Overlay-backed NSX segment
Description: Routing to the VMware Cloud Foundation VLAN-backed management network segment and other networks can use dynamic routing protocols or static routing. Routed access to the VLAN-backed management network segment is provided through NSX Tier-1 and Tier-0 gateways. This is the recommended option because it facilitates scale-out to a multi-instance design that supports disaster recovery.

Type: VLAN-backed NSX segment
Description: Two unique VLANs, network subnets, and vCenter Server port groups are required.

Figure: Network Design of Cloud Infrastructure deployment (logical design)

Design Decisions on Network Segment

Decision ID: VCF-VCD-NET-001
Design Decision: Place the Cloud Infrastructure components on NSX overlay segments.
Design Justification: Provides a consistent deployment model for management applications and the potential to extend to a second VMware Cloud Foundation instance for disaster recovery.
Design Implication: VMware NSX is required to support this networking configuration.

Decision ID: VCF-VCD-NET-002
Design Decision: Create separate overlay segments for the Management and DMZ (public web access) traffic.
Design Justification: Enhances security by separating different traffic types on different networks.
Design Implication: More logical networking objects exist for management.

Logical Routing

Use separate Tier-1 gateways to enable more granular security control over the different traffic types of the Cloud Infrastructure components.

Design Decisions on Logical Routing

Decision ID: VCF-VCD-NET-003
Design Decision: Create individual Tier-1 gateways for the Management and DMZ traffic.
Design Justification: Provides well-defined traffic separation and adaptable security controls.
Design Implication: More logical networking objects exist for management.

IP Addressing

Allocate statically assigned IP addresses and host names to the Cloud Infrastructure components and the load balancer services from their corresponding Management and DMZ networks.

Design Decisions on IP Addressing

Decision ID: VCF-VCD-NET-004
Design Decision:
  • Allocate statically assigned IP addresses to the Cloud Infrastructure components from their corresponding Management and DMZ networks.
  • Allocate statically assigned IP addresses for the DMZ load balancer virtual service.
Design Justification: Using statically assigned IP addresses ensures deployment stability and makes the environment simpler to maintain and easier to track.
Design Implication: Requires precise IP address management.

Name Resolution

Name resolution provides the translation between an IP address and a fully qualified domain name (FQDN), which makes it easier to remember and connect to components across the SDDC. The IP address of each Cloud Infrastructure component and the DMZ load balancer VIP must have a valid internal DNS forward (A) and reverse (PTR) record.

Design Decisions on Name Resolution

Decision ID: VCF-VCD-NET-005
Design Decision: Configure DNS servers for the Cloud Infrastructure components.
Design Justification: Ensures that all Cloud Infrastructure components have accurate name resolution, on which their services depend.
Design Implication:
  • DNS infrastructure services should be highly available in the environment.
  • Firewalls between the Cloud Infrastructure components and the DNS servers must allow DNS traffic.
  • Must provide two or more DNS servers unless DNS geographic load balancing is activated.

Decision ID: VCF-VCD-NET-006
Design Decision: Configure forward and reverse DNS records for the Management and DMZ interface IP addresses of each Cloud Infrastructure component and for the DMZ (web access) load balancer virtual service IP address.
Design Justification: Cloud Infrastructure components are accessible by fully qualified domain name instead of by IP address only.
Design Implication:
  • Must provide individual DNS records for each Cloud Infrastructure component and for the NSX Advanced Load Balancer virtual services.
  • Firewalls between the Cloud Infrastructure components and the DNS servers must allow DNS traffic.
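A pre-deployment check for decision VCF-VCD-NET-006, added here as an example and not part of the validated solution: for each component interface and the DMZ VIP it resolves the A record, then the PTR record of that address, and reports every pair that does not point back at itself. The inventory names and addresses are constructed, the fake resolvers reproduce two typical faults (a missing A record and a PTR left over from an earlier deployment), and forward_live/reverse_live can be passed instead to query the host's real DNS servers.

```python
"""Offline check for decision VCF-VCD-NET-006: A and PTR records must point at each other."""
import socket
from functools import partial

# Constructed inventory (hypothetical names, RFC 5737 documentation addresses).
INVENTORY = {
    "vcd-cell01-mgmt.example.local": "192.0.2.11",
    "vcd-cell01-dmz.example.local": "198.51.100.11",
    "vcd-cell02-dmz.example.local": "198.51.100.12",
    "vcd-portal.example.local": "198.51.100.100",  # DMZ load balancer VIP
}

def check_records(inventory, forward, reverse):
    """forward(name)->[ip], reverse(ip)->[name]; returns [(fqdn, problem)], empty when consistent."""
    problems = []
    for fqdn, ip in inventory.items():
        try:
            answers = forward(fqdn)
        except OSError:  # socket.gaierror and socket.herror subclass OSError
            problems.append((fqdn, "no A record"))
            continue
        if ip not in answers:
            problems.append((fqdn, f"A record {answers} does not contain {ip}"))
            continue
        try:
            names = [n.lower().rstrip(".") for n in reverse(ip)]
        except OSError:
            problems.append((fqdn, f"no PTR record for {ip}"))
            continue
        if fqdn.lower().rstrip(".") not in names:
            problems.append((fqdn, f"PTR for {ip} is {names}, not {fqdn}"))
    return problems

# Live resolvers: ask the DNS servers configured on the host running the check.
def forward_live(name):
    return sorted({a[4][0] for a in socket.getaddrinfo(name, None, socket.AF_INET)})

def reverse_live(ip):
    host, aliases, _ = socket.gethostbyaddr(ip)
    return [host, *aliases]

# Constructed zone data with two deliberate faults: cell02-dmz has no A record
# and the VIP's PTR still points at a stale name from an earlier deployment.
FAKE_A = {f: [ip] for f, ip in INVENTORY.items() if "cell02-dmz" not in f}
FAKE_PTR = {ip: [f] for f, ip in INVENTORY.items()}
FAKE_PTR["198.51.100.100"] = ["old-portal.example.local"]

def _lookup(table, key):
    if key not in table:
        raise OSError("NXDOMAIN")  # mirrors what the socket resolvers raise
    return table[key]

fake_forward = partial(_lookup, FAKE_A)
fake_reverse = partial(_lookup, FAKE_PTR)
```

Run `check_records(INVENTORY, forward_live, reverse_live)` from a host that uses the same DNS servers as the Cloud Infrastructure components, so the check also exercises the firewall path required by VCF-VCD-NET-005.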

Load Balancing

VMware Cloud Director server group deployment requires a load balancer to manage the connections to the VMware Cloud Director services. This validated solution uses the load-balancing services provided by NSX Advanced Load Balancer in the management domain.

Time Synchronization

The system time for the Cloud Infrastructure components, along with their dependencies and integrations, must be synchronized and must use the same time zone.

Design Decisions on Time Synchronization

Decision ID: VCF-VCD-NET-007
Design Decision: Configure NTP servers for each Cloud Infrastructure component.
Design Justification:
  • Ensures that the Cloud Infrastructure components have accurate time synchronization, on which their services depend.
  • Assists in preventing time mismatches between the Cloud Infrastructure components and their dependencies.
Design Implication:
  • NTP infrastructure services should be highly available in the environment.
  • Firewalls between the Cloud Infrastructure components and the NTP servers must allow NTP traffic.
  • Must provide two or more NTP servers unless NTP geographic load balancing is activated.

Cloud Infrastructure Security Requirements

Cloud Infrastructure operations require a secure network environment. Connect all Cloud Infrastructure components to a secured and monitored network.

Use the reference table below to find up-to-date information on the network ports and protocols used by the Cloud Infrastructure components.

VMware Cloud Infrastructure Ports and Protocols

Cloud Infrastructure component: VMware Ports and Protocols reference
  • VMware Cloud Director: VMware Cloud Director Ports and Protocols
  • VMware Cloud Provider Lifecycle Manager: VMware Cloud Provider Lifecycle Manager Ports and Protocols
  • vCloud Usage Meter: vCloud Usage Meter Ports and Protocols