4.5.2 Example
In keeping with the reference infrastructure and methodology defined in the VMware vCloud Director Infrastructure Resiliency Case Study, this example uses a cluster that has ESXi members in both the primary and the recovery site. The premise is that workloads run in the primary site, where the ESXi hosts are connected. At the recovery site, the ESXi servers are in maintenance mode, but are configured in the same cluster and attached to all the same vSphere Distributed Switches (VDS). The solution approach considered in the following sections is developed on the basis of the VMware vCloud Director Infrastructure Resiliency Case Study, and the prerequisites it defines apply to this solution. The failover of a management cluster for a vCloud infrastructure, in the absence of stretched Layer 2 networking, is also covered in this document.

The following figure shows the logical architecture for this example.
Figure 14. Example Logical Architecture
All ESXi hosts in the resource cluster are connected to a common VDS with defined site-specific port groups for external networks, Internet and Internet_DR. In conjunction with this, an organization virtual datacenter network is defined and results in a port group from the VXLAN-backed network pool being deployed. The following figure shows the physical architecture for this example.
Figure 15. Example Physical Architecture
Note: For testing, a single switch and router/firewall were deployed to simulate the separate networks for the primary and recovery sites. Although this is not entirely consistent with a real-world deployment, the configuration is representative for lab testing. The router shown in Figure 15 provides routing among all networks, with the exception of the pools network.
The ESXi hosts deployed in the production site are connected to a common Layer 3 management network. Similarly, the ESXi hosts deployed in the recovery site are connected to a common Layer 3 management network, but in a different Layer 3 subnet than the production site's management network. In addition, the Internet external network is the primary network used for vApp connectivity, and it is in a different Layer 3 subnet than the Internet_DR network available at the recovery site. The two are attached to vCloud Director as two distinct external networks.
vCloud Networking and Security Edge firewall rules, NAT translations, load balancer configurations, and VPN configurations must be reproduced on the DR side to maintain consistent configurations and make sure that everything will work after recovery. As shown in Figure 16, the example uses the vCloud API upon failover to duplicate the primary site configuration to the failover site. This eliminates much of the manual reconfiguration on the recovery side that would otherwise be required.
Figure 16. vCloud Director Network Configuration
The two Internet networks (Internet and Internet_DR) have been defined as external networks, with their respective IP configurations. In conjunction with this, a new organization virtual datacenter network (VXLAN-backed) called "Production" is defined. Finally, an Edge Gateway device is deployed (note the appliance is deployed in the Production site) with connectivity between the organization network and the two external networks. To facilitate virtual machine connectivity between the Production organization virtual datacenter network and the external network a number of destination NAT (DNAT) and source NAT (SNAT) rules are required. An example of these rules is shown in the following table.
Note: Although there is no technical reason for the Internet_DR DNAT rule to be disabled, the Internet_DR SNAT rule must be disabled. If both SNAT rules were enabled, traffic from the 192.168.1.0/24 network could be translated out of the Internet_DR interface, which is not reachable from the production site.
Table 11. Sample NAT Rules

Applied On    Type  Original IP Address  Original Port  Translated IP Address  Translated Port  Protocol  Enabled
Internet      SNAT  192.168.1.0/24       *              10.16.133.171          *                TCP/UDP   Yes
Internet_DR   SNAT  192.168.1.0/24       *              192.168.192.2          *                TCP/UDP   No
Internet      DNAT  10.16.133.171        *              192.168.1.100          *                TCP/UDP   Yes
Internet_DR   DNAT  192.168.192.2        *              192.168.1.100          *                TCP/UDP   No
Note: An alternative to the chosen configuration is to implement a solution where the vCloud Networking and Security Edge Gateway is connected only to the active external network. It was decided to predefine the connections since this would present options for preconfiguring rules for the recovery site and thereby reduce reconfiguration steps during a recovery process.
During a vCloud DR process, the external IP addresses used to access the workloads are expected to change to those used in the recovery site.
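The failover step described above (predefined rules on both external networks, only the production-site rules enabled until recovery, and the Internet_DR SNAT kept disabled so traffic is not sent out the wrong interface) can be driven from the Edge Gateway's NAT service configuration. The following is an added example, not code from the case study or from VMware: it takes a NatService element as returned by the vCloud API for an Edge Gateway, flips the IsEnabled flag of every rule bound to the old active interface off and every rule bound to the new active interface on, and checks that no source range ends up with an enabled SNAT on more than one interface. The sample XML is constructed from Table 11; the element names and the vCloud namespace are assumptions modeled on the vCloud API 5.1 NatService representation, and the rule Ids are made up.

```python
"""Flip Edge Gateway NAT rules between the Internet and Internet_DR external
networks during a vCloud DR failover, and verify that only one SNAT per
source range is active. Added example; sample data constructed from Table 11."""
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"  # assumed vCloud API namespace
NS = {"v": VCLOUD_NS}
ET.register_namespace("", VCLOUD_NS)


def _rule_xml(rule_type, iface, orig_ip, trans_ip, enabled, rule_id):
    """Render one NatRule in the assumed vCloud API layout (hypothetical Ids)."""
    flag = "true" if enabled else "false"
    return f"""  <NatRule>
    <RuleType>{rule_type}</RuleType>
    <IsEnabled>{flag}</IsEnabled>
    <Id>{rule_id}</Id>
    <GatewayNatRule>
      <Interface name="{iface}"/>
      <OriginalIp>{orig_ip}</OriginalIp>
      <OriginalPort>any</OriginalPort>
      <TranslatedIp>{trans_ip}</TranslatedIp>
      <TranslatedPort>any</TranslatedPort>
      <Protocol>tcpudp</Protocol>
    </GatewayNatRule>
  </NatRule>
"""


# Constructed sample: Table 11 in its production-site state.
SAMPLE_NAT_SERVICE = (
    f'<NatService xmlns="{VCLOUD_NS}">\n  <IsEnabled>true</IsEnabled>\n'
    + _rule_xml("SNAT", "Internet", "192.168.1.0/24", "10.16.133.171", True, 65537)
    + _rule_xml("SNAT", "Internet_DR", "192.168.1.0/24", "192.168.192.2", False, 65538)
    + _rule_xml("DNAT", "Internet", "10.16.133.171", "192.168.1.100", True, 65539)
    + _rule_xml("DNAT", "Internet_DR", "192.168.192.2", "192.168.1.100", False, 65540)
    + "</NatService>"
)


def parse_rules(xml_text):
    """Return one dict per NatRule, in document order."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("v:NatRule", NS):
        gw = rule.find("v:GatewayNatRule", NS)
        rules.append({
            "id": rule.findtext("v:Id", namespaces=NS),
            "type": rule.findtext("v:RuleType", namespaces=NS),
            "enabled": rule.findtext("v:IsEnabled", namespaces=NS) == "true",
            "interface": gw.find("v:Interface", NS).get("name"),
            "original_ip": gw.findtext("v:OriginalIp", namespaces=NS),
            "translated_ip": gw.findtext("v:TranslatedIp", namespaces=NS),
        })
    return rules


def failover(xml_text, old_active="Internet", new_active="Internet_DR"):
    """Disable every rule bound to old_active and enable every rule bound to
    new_active. Rules on any other interface are left untouched. Returns the
    modified NatService XML, ready to be sent back to the Edge Gateway."""
    root = ET.fromstring(xml_text)
    for rule in root.findall("v:NatRule", NS):
        iface = rule.find("v:GatewayNatRule/v:Interface", NS).get("name")
        flag = rule.find("v:IsEnabled", NS)
        if iface == old_active:
            flag.text = "false"
        elif iface == new_active:
            flag.text = "true"
    return ET.tostring(root, encoding="unicode")


def active_snat_conflicts(xml_text):
    """Return (original_ip, [interfaces]) for every source range that has an
    enabled SNAT on more than one interface. Such a state is exactly what the
    note on the Internet_DR SNAT rule warns against: traffic could be
    translated out of an interface that is not reachable from the active site."""
    by_source = {}
    for r in parse_rules(xml_text):
        if r["type"] == "SNAT" and r["enabled"]:
            by_source.setdefault(r["original_ip"], []).append(r["interface"])
    return [(ip, ifs) for ip, ifs in by_source.items() if len(ifs) > 1]


if __name__ == "__main__":
    recovered = failover(SAMPLE_NAT_SERVICE)
    for r in parse_rules(recovered):
        state = "enabled" if r["enabled"] else "disabled"
        print(f'{r["interface"]:12} {r["type"]} {r["original_ip"]} -> {r["translated_ip"]} {state}')
    print("SNAT conflicts after failover:", active_snat_conflicts(recovered))
```

The script only transforms the XML; posting the result to the Edge Gateway is left to the caller. In the vCloud API the NatService sits inside an EdgeGatewayServiceConfiguration that is submitted to the gateway's configureServices action; that request, its content type and the session token are not shown here and are outside what the case study documents. Run active_snat_conflicts on the configuration before submitting it, in both the production and the recovered state, so that a mistakenly enabled standby SNAT is caught before it reaches the gateway.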