Networking and Security Design for VMware Cloud Director on VMware Cloud Foundation #
Network Design for VMware Cloud Foundation #
VMware NSX provides networking services for infrastructure management components and workloads in VMware Cloud Foundation such as load balancing, routing and virtual networking. [Read more]
Network Design for VMware Cloud Director #
For secure access to the UI and API of VMware Cloud Director, the Primary and Secondary Cells are placed on cross-instance NSX segments.
Network Design of VMware Cloud Director Deployment on Overlay-Backed NSX Segments
Network Segments #
The network segment design consists of characteristics and decisions for placement of the VMware Cloud Director in the VMware Cloud Foundation Management domain.
This validated solution uses an implementation of the VMware Cloud Foundation application virtual networks feature in the management domain provided by NSX. The application virtual networks in the management domain can be either overlay-backed NSX segments or VLAN-backed NSX segments.
Type | Description |
---|---|
Overlay-backed NSX segment | Routing to the VMware Cloud Foundation VLAN-backed management network segment and other networks can use dynamic routing protocols or static routing. Routed access to the VLAN-backed management network segment is provided through NSX Tier-1 and Tier-0 gateways. Recommended option because it facilitates scale-out to a multi-instance design supporting disaster recovery. |
VLAN-backed NSX segment | Two unique VLANs, network subnets, and vCenter Server portgroups are required. |
Design Decisions on Network Segments
Decision ID | Design Decision | Design Justification | Design Implication |
---|---|---|---|
VCF-VCD-NET-001 | Place the VMware Cloud Director cells on NSX overlay segments. | Provides a consistent deployment model for management applications and a potential to extend to a second VMware Cloud Foundation instance for disaster recovery. | VMware NSX is required to support this networking configuration. |
VCF-VCD-NET-002 | Create separate overlay segments for VMware Cloud Director management and dmz (public web access) traffic. | Enhances security by separating the different traffic types on different networks. | More logical networking objects for management exist. |
Logical Routing #
Use separate Tier-1 Gateways to enable more granular security control for the different types of traffic in the VMware Cloud Director instances.
Design Decisions on Logical Routing
Decision ID | Design Decision | Design Justification | Design Implication |
---|---|---|---|
VCF-VCD-NET-003 | Create an individual Tier-1 Gateway for each of the VMware Cloud Director management and dmz traffic types. | Provides well-defined traffic separation and adaptable security controls. | More logical networking objects for management exist. |
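Design decisions VCF-VCD-NET-001 through VCF-VCD-NET-003 amount to two overlay segments, each attached to its own Tier-1 Gateway behind the management domain Tier-0. The following Python is an added example, not part of this validated solution or of any VMware tooling: it turns a small design table into the NSX Policy hierarchical API payload for that layout and checks that the two traffic types do not share a subnet, which would quietly defeat the separation the decisions call for. The Tier-0 path, transport zone path, gateway addresses and object names are assumptions for illustration; the hierarchical API body shape (`Infra` with `ChildTier1`/`ChildSegment` children) is the NSX Policy API as the author understands it and should be checked against the NSX version in use.

```python
"""Build NSX Policy API objects for the separate management / dmz Tier-1 and segment layout."""
import ipaddress
import json

# Hypothetical paths for the existing VCF management Tier-0 and the overlay transport zone.
TIER0_PATH = "/infra/tier-0s/sddc-mgmt-t0"
TZ_PATH = "/infra/sites/default/enforcement-points/default/transport-zones/overlay-tz"

# Constructed design inputs: one row per traffic type (names and subnets are made up).
TRAFFIC_TYPES = {
    "vcd-mgmt": {"gateway": "192.168.10.1/24"},   # cell management interfaces
    "vcd-dmz":  {"gateway": "192.168.20.1/24"},   # public web access / load balancer VIP
}


def validate_design(traffic_types):
    """Return the list of (name, name) pairs whose subnets overlap; empty means the design is clean."""
    nets = {name: ipaddress.ip_interface(t["gateway"]).network
            for name, t in traffic_types.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def build_infra(traffic_types, tier0_path=TIER0_PATH, tz_path=TZ_PATH):
    """Hierarchical API payload: one Tier-1 Gateway and one overlay segment per traffic type."""
    overlaps = validate_design(traffic_types)
    if overlaps:
        raise ValueError(f"overlapping subnets between traffic types: {overlaps}")
    children = []
    for name, t in traffic_types.items():
        t1_id = f"{name}-t1"
        seg_id = f"{name}-seg"
        children.append({
            "resource_type": "ChildTier1",
            "Tier1": {
                "resource_type": "Tier1",
                "id": t1_id,
                "display_name": t1_id,
                "tier0_path": tier0_path,
                # Advertise only the connected segment to the Tier-0.
                "route_advertisement_types": ["TIER1_CONNECTED"],
            },
        })
        children.append({
            "resource_type": "ChildSegment",
            "Segment": {
                "resource_type": "Segment",
                "id": seg_id,
                "display_name": seg_id,
                # Each segment is connected to its own Tier-1, never to the other traffic type's.
                "connectivity_path": f"/infra/tier-1s/{t1_id}",
                "transport_zone_path": tz_path,
                "subnets": [{"gateway_address": t["gateway"]}],
            },
        })
    return {"resource_type": "Infra", "children": children}


def segment_to_tier1(infra):
    """Map each segment id to the Tier-1 path it connects to, for review of the generated design."""
    return {c["Segment"]["id"]: c["Segment"]["connectivity_path"]
            for c in infra["children"] if c["resource_type"] == "ChildSegment"}


if __name__ == "__main__":
    payload = build_infra(TRAFFIC_TYPES)
    # Apply with an authenticated PATCH to https://<nsx-manager>/policy/api/v1/infra
    print(json.dumps(payload, indent=2))
```

Running the script prints the payload; applying it is a single PATCH to the Policy API `infra` endpoint with an authenticated client. The overlap check is the part worth keeping even if the payload is generated some other way.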
IP Addressing #
Allocate statically assigned IP addresses and host names to the VMware Cloud Director cells and the load balancer from their corresponding management and dmz networks.
Design Decisions on IP Addressing
Decision ID | Design Decision | Design Justification | Design Implication |
---|---|---|---|
VCF-VCD-NET-004 | Allocate statically assigned IP addresses and host names to the VMware Cloud Director cells and the load balancer from their corresponding management and dmz networks. | Using statically assigned IP addresses ensures deployment stability and makes it simpler to maintain and easier to track. | Requires precise IP address management. |
Name Resolution #
Name resolution provides the translation between an IP address and a fully qualified domain name (FQDN), which makes it easier to remember and connect to components across the SDDC. The IP address of each VMware Cloud Director cell and the dmz load balancer VIP must have a valid internal DNS forward (A) and reverse (PTR) record.
Design Decisions on Name Resolution
Decision ID | Design Decision | Design Justification | Design Implication |
---|---|---|---|
VCF-VCD-NET-005 | Configure DNS servers for the VMware Cloud Director infrastructure. | Ensures that VMware Cloud Director has accurate name resolution, on which its services depend. | |
VCF-VCD-NET-006 | Configure forward and reverse DNS records for the management and dmz interface IP addresses of each VMware Cloud Director cell and for the dmz (web access) load balancer virtual service IP address. | VMware Cloud Director is accessible using a fully qualified domain name instead of IP addresses only. | |
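Decision VCF-VCD-NET-006 is the one most often found broken at deployment time: the A records exist but a PTR is missing or points at an old host name, and certificate or cell-to-cell checks then fail in ways that do not mention DNS. The following Python is an added example, not part of this validated solution: given the expected name-to-address table for every cell interface and the dmz load balancer VIP, it confirms that each forward lookup returns the planned address, that the reverse lookup of that address returns the same FQDN, and that no address is claimed by two names. The `rainpole.io` names and addresses are constructed for illustration; the resolver functions are injectable so the check can be exercised against a fake table as well as the live DNS.

```python
"""Verify forward (A) and reverse (PTR) consistency for VMware Cloud Director cells and the dmz VIP."""
import socket
from collections import Counter

# Constructed expected records (hypothetical names and addresses, not from the page).
EXPECTED = {
    "vcd-cell01-mgmt.rainpole.io": "192.168.10.11",   # cell 1 management interface
    "vcd-cell01-dmz.rainpole.io":  "192.168.20.11",   # cell 1 dmz interface
    "vcd-cell02-mgmt.rainpole.io": "192.168.10.12",
    "vcd-cell02-dmz.rainpole.io":  "192.168.20.12",
    "vcd.rainpole.io":             "192.168.20.10",   # dmz load balancer virtual service IP
}


def live_forward(fqdn):
    """Forward lookup against the system resolver; raises OSError (gaierror) when there is no A record."""
    return socket.gethostbyname(fqdn)


def live_reverse(ip):
    """Reverse lookup against the system resolver; raises OSError (herror) when there is no PTR."""
    return socket.gethostbyaddr(ip)[0]


def check_records(expected, forward=live_forward, reverse=live_reverse):
    """Return a list of (fqdn, problem) tuples; an empty list means every record is consistent."""
    problems = []

    # Two names sharing one address cannot both have a correct PTR, so flag that before resolving.
    for ip, count in Counter(expected.values()).items():
        if count > 1:
            for fqdn in (n for n, a in expected.items() if a == ip):
                problems.append((fqdn, f"address {ip} is assigned to {count} names"))

    for fqdn, ip in expected.items():
        try:
            got_ip = forward(fqdn)
        except OSError:
            problems.append((fqdn, "no A record"))
            continue
        if got_ip != ip:
            problems.append((fqdn, f"A record is {got_ip}, expected {ip}"))
            continue
        try:
            got_name = reverse(ip)
        except OSError:
            problems.append((fqdn, f"no PTR record for {ip}"))
            continue
        # PTR answers may carry a trailing dot or different case; compare canonical forms.
        if got_name.rstrip(".").lower() != fqdn.lower():
            problems.append((fqdn, f"PTR for {ip} is {got_name}, not {fqdn}"))
    return problems


if __name__ == "__main__":
    for fqdn, problem in check_records(EXPECTED):
        print(f"{fqdn}: {problem}")
```

Run it from a host that uses the same DNS servers as the cells (decision VCF-VCD-NET-005) before deploying the cells, and again after any re-addressing; an empty result is the prerequisite, not a nice-to-have.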
Load Balancing #
VMware Cloud Director's server group deployment requires a load balancer to manage the connections to the VMware Cloud Director services. This validated solution uses load-balancing services provided by NSX Advanced Load Balancer in the management domain. [Read more]
Time Synchronization #
The system time for the VMware Cloud Director cells, along with dependencies and integrations, must be synchronized and must use the same timezone.
Design Decisions on Time Synchronization
Decision ID | Design Decision | Design Justification | Design Implication |
---|---|---|---|
VCF-VCD-NET-007 | Configure NTP servers for each VMware Cloud Director cell. | Keeps the system time of the cells synchronized with their dependencies and integrations, which must share the same time and timezone. | |
VMware Cloud Director Security Requirements #
VMware Cloud Director operations require a secure network environment. Connect all VMware Cloud Director servers to a secured and monitored network. For information on the network ports and protocols used by VMware Cloud Director, see [VMware Ports and Protocols].