Networking and Security Design for VMware Cloud Director on VMware Cloud Foundation

Network Design for VMware Cloud Foundation #

VMware NSX provides networking services for infrastructure management components and workloads in VMware Cloud Foundation, such as load balancing, routing and virtual networking.

Network Design for VMware Cloud Director #

For secure access to the UI and API of VMware Cloud Director, the Primary and Secondary Cells are placed on cross-instance NSX segments.

Figure: Logical design. Network design of the VMware Cloud Director deployment on overlay-backed NSX segments.

Network Segments #

The network segment design consists of the characteristics and decisions for the placement of VMware Cloud Director in the VMware Cloud Foundation management domain.

This validated solution uses an implementation of the VMware Cloud Foundation application virtual networks feature in the management domain provided by NSX. The application virtual networks in the management domain can be either overlay-backed NSX segments or VLAN-backed NSX segments.

| Type | Description |
| --- | --- |
| Overlay-backed NSX segment | Routing to the VMware Cloud Foundation VLAN-backed management network segment and other networks can use dynamic routing protocols or static routing. Routed access to the VLAN-backed management network segment is provided through NSX Tier-1 and Tier-0 gateways. This is the recommended option because it facilitates scale-out to a multi-instance design that supports disaster recovery. |
| VLAN-backed NSX segment | Two unique VLANs, network subnets, and vCenter Server port groups are required. |

Design Decisions on Network Segments

| Decision ID | Design Decision | Design Justification | Design Implication |
| --- | --- | --- | --- |
| VCF-VCD-NET-001 | Place the VMware Cloud Director cells on NSX overlay segments. | Provides a consistent deployment model for management applications and the potential to extend to a second VMware Cloud Foundation instance for disaster recovery. | VMware NSX is required to support this networking configuration. |
| VCF-VCD-NET-002 | Create separate overlay segments for VMware Cloud Director management and DMZ (public web access) traffic. | Enhances security by separating the different traffic types onto different networks. | More logical networking objects exist to manage. |

Logical Routing #

Use separate Tier-1 Gateways to enable more granular security control for the different types of traffic in the VMware Cloud Director instances.

Design Decisions on Logical Routing

| Decision ID | Design Decision | Design Justification | Design Implication |
| --- | --- | --- | --- |
| VCF-VCD-NET-003 | Create individual Tier-1 Gateways for the VMware Cloud Director management and DMZ traffic. | Provides well-defined traffic separation and adaptable security controls. | More logical networking objects exist to manage. |

IP Addressing #

Allocate statically assigned IP addresses and host names to the VMware Cloud Director cells and to the load balancer from their corresponding management and DMZ networks.

Design Decisions on IP Addressing

| Decision ID | Design Decision | Design Justification | Design Implication |
| --- | --- | --- | --- |
| VCF-VCD-NET-004 | Allocate statically assigned IP addresses to the VMware Cloud Director cells from their corresponding management and DMZ networks. Allocate a statically assigned IP address for the DMZ load balancer virtual service. | Using statically assigned IP addresses ensures deployment stability and makes the deployment simpler to maintain and easier to track. | Requires precise IP address management. |

Name Resolution #

Name resolution provides the translation between an IP address and a fully qualified domain name (FQDN), which makes it easier to remember and connect to components across the SDDC. The IP address of each VMware Cloud Director cell and of the DMZ load balancer VIP must have a valid internal DNS forward (A) and reverse (PTR) record.

Design Decisions on Name Resolution

| Decision ID | Design Decision | Design Justification | Design Implication |
| --- | --- | --- | --- |
| VCF-VCD-NET-005 | Configure DNS servers for the VMware Cloud Director infrastructure. | Ensures that VMware Cloud Director has the accurate name resolution on which its services depend. | DNS infrastructure services should be highly available in the environment. Firewalls between the VMware Cloud Director cells and the DNS servers must allow DNS traffic. Two or more DNS servers must be provided unless DNS geographic load balancing is activated. |
| VCF-VCD-NET-006 | Configure forward and reverse DNS records for the management and DMZ interface IP addresses of each VMware Cloud Director cell and for the DMZ (web access) load balancer virtual service IP address. | VMware Cloud Director is accessible using fully qualified domain names instead of IP addresses only. | Individual DNS records must be provided for each VMware Cloud Director cell and for the NSX Advanced Load Balancer virtual service. Firewalls between the VMware Cloud Director cells and the DNS servers must allow DNS traffic. |
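A pre-flight check for decisions VCF-VCD-NET-005 and VCF-VCD-NET-006, added here as an example and not part of the VMware validated solution: for each cell interface and the DMZ VIP it verifies that every configured DNS server returns the expected A record and a PTR record that maps back to the FQDN, and that at least two DNS servers are configured. The host names, addresses and in-memory zone are constructed; `query` is an injectable resolver so the same check can be pointed at real DNS servers.

```python
"""Pre-flight check for VCF-VCD-NET-005/006 (added example, not VMware code):
each cell interface and the DMZ VIP needs matching A/PTR records on >= 2 DNS servers."""
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "fqdn ip")  # static IP per VCF-VCD-NET-004

def reverse_name(ip):
    """10.1.2.3 -> 3.2.1.10.in-addr.arpa (IPv4 only)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def check_endpoint(ep, dns_servers, query):
    """query(server, name, rtype) -> list of answers. It is injected so the check
    runs against real resolvers (e.g. dnspython) or the constructed zone below."""
    problems = []
    if len(dns_servers) < 2:
        problems.append("fewer than two DNS servers configured")
    for server in dns_servers:
        a = query(server, ep.fqdn, "A")
        if a != [ep.ip]:
            problems.append(f"{server}: A {ep.fqdn} -> {a}, expected ['{ep.ip}']")
        ptr = query(server, reverse_name(ep.ip), "PTR")
        if ptr != [ep.fqdn]:
            problems.append(f"{server}: PTR {ep.ip} -> {ptr}, expected ['{ep.fqdn}']")
    return problems

def check_all(endpoints, dns_servers, query):
    return {ep.fqdn: check_endpoint(ep, dns_servers, query) for ep in endpoints}

# Constructed in-memory zone standing in for two DNS servers; ns2 lacks the VIP's PTR.
ZONE = {
    "ns1": {("vcd-cell01-mgmt.example.internal", "A"): ["10.10.0.11"],
            ("11.0.10.10.in-addr.arpa", "PTR"): ["vcd-cell01-mgmt.example.internal"],
            ("vcd.example.com", "A"): ["10.20.0.100"],
            ("100.0.20.10.in-addr.arpa", "PTR"): ["vcd.example.com"]},
    "ns2": {("vcd-cell01-mgmt.example.internal", "A"): ["10.10.0.11"],
            ("11.0.10.10.in-addr.arpa", "PTR"): ["vcd-cell01-mgmt.example.internal"],
            ("vcd.example.com", "A"): ["10.20.0.100"]},
}

def zone_query(server, name, rtype):
    return ZONE[server].get((name, rtype), [])

ENDPOINTS = [Endpoint("vcd-cell01-mgmt.example.internal", "10.10.0.11"),
             Endpoint("vcd.example.com", "10.20.0.100")]

if __name__ == "__main__":
    for fqdn, problems in check_all(ENDPOINTS, ["ns1", "ns2"], zone_query).items():
        print(fqdn, "OK" if not problems else problems)
```

Run it against real servers by replacing `zone_query` with a function that issues A and PTR queries to each named server and returns the answers as a list of strings.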

Load Balancing #

The VMware Cloud Director server group deployment requires a load balancer to manage the connections to the VMware Cloud Director services. This validated solution uses the load-balancing services provided by NSX Advanced Load Balancer in the management domain.

Time Synchronization #

The system time of the VMware Cloud Director cells, together with their dependencies and integrations, must be synchronized and must use the same time zone.

Design Decisions on Time Synchronization

| Decision ID | Design Decision | Design Justification | Design Implication |
| --- | --- | --- | --- |
| VCF-VCD-NET-007 | Configure NTP servers for each VMware Cloud Director cell. | Ensures that VMware Cloud Director has the accurate time synchronization on which its services depend. Helps prevent time mismatches between VMware Cloud Director and its dependencies. | NTP infrastructure services should be highly available in the environment. Firewalls between the VMware Cloud Director cells and the NTP servers must allow NTP traffic. Two or more NTP servers must be provided unless NTP geographic load balancing is activated. |

VMware Cloud Director Security Requirements #

VMware Cloud Director operations require a secure network environment. Connect all VMware Cloud Director servers to a secured and monitored network. For information on the network ports and protocols used by VMware Cloud Director, see VMware Ports and Protocols.