4.5.3.1. Test 1 – Prove Connectivity and Verify NAT Configuration
The purpose of this test is to verify that predefining connections to both the production and recovery sites is viable, and that following a disaster recovery scenario the required connectivity could be established to a recovered vApp. The following is the high-level test procedure.
To prove connectivity and verify the NAT configuration
1. Validate connection to the vApp from a client device on the production external network 10.16.133.0/24 (SSH was used).
2. Change the default route defined on the vCloud Networking and Security Edge Gateway from the Internet network to the Internet_DR network and validate connectivity to the vApp. This uses the directly attached network so connectivity is maintained.
3. Fail over the vApp to the recovery site.
4. Validate connection to the vApp from a client device on the production external network 10.16.133.0/24. It fails, because the NAT addressing of the vApp is no longer connected to the directly attached vCloud Networking and Security Edge interface on the 10.16.133.0/24 network.
5. Enable the previously disabled SNAT/DNAT rules and validate connectivity from a client device on the failover external network 192.168.192.0/24 (Internet_DR) to the new address translated with NAT.
6. Remove the original Internet external network so that all connectivity is forced through the desired Internet_DR external interface on the vCloud Networking and Security Edge Gateway.
7. Validate connectivity from the vApp to the original client device on the 10.16.133.0/24 network (Internet). Global routing between the Internet and Internet_DR networks should permit this to take place. This works because the Sophos UTM performs a NAT translation of the 192.168.192.0/24 network to the 10.16.133.0/24 network on behalf of the vCloud Networking and Security Edge device.
During testing, the first three steps behave entirely as expected. Network traffic from the Internet network can successfully pass to the virtual machine defined in the vApp. Similarly, if the appropriate DNAT rule is enabled, network traffic can pass from the Internet_DR network.
When attempting to validate step 4, some interesting observations can be made. Although the default route has been updated to go out the Internet_DR interface, connections still attempt to leave the vCloud Networking and Security Edge Gateway device over the original locally attached Internet interface. If the client device is then connected to the Internet_DR network with an appropriate IP address, network connections can be established as expected. The following figure illustrates the end result of this test.
Figure 17. Removed External Network
To guarantee that network connections are directed over the correct interfaces on the vCloud Networking and Security Edge Gateway, the only "fail-safe" option is to remove the Internet external network, forcing all network traffic over the interface connected to the Internet_DR network.
Note: Upon removing an external network from an Edge Gateway, any rules associated with it are deleted. In the case of this scenario all predefined SNAT/DNAT rules were deleted.
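
The interface selection observed in step 4 and the effect of step 6 can be reproduced with a small route-lookup model. This is an added example, not part of the original document or of any VMware tooling. It assumes the Edge Gateway selects the egress interface by standard longest-prefix match, and the host addresses are constructed for illustration.

```python
import ipaddress

# Constructed addresses: the page gives only the two /24 networks, not host IPs.
CLIENT = "10.16.133.50"        # client on the production external network
OFF_SUBNET = "203.0.113.10"    # any destination outside both attached networks

def build_table(routes):
    """Turn (prefix, interface) pairs into (ip_network, interface) pairs."""
    return [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in routes]

def egress_interface(table, destination):
    """Return the interface of the longest-prefix match, or None if nothing matches."""
    dest = ipaddress.ip_address(destination)
    matches = [(net, ifc) for net, ifc in table if dest in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def remove_external_network(table, interface):
    """Drop every route bound to an interface, as removing the network does."""
    return [(net, ifc) for net, ifc in table if ifc != interface]

# State after step 2: both networks attached, default route moved to Internet_DR.
AFTER_STEP_2 = build_table([
    ("10.16.133.0/24", "Internet"),       # connected route
    ("192.168.192.0/24", "Internet_DR"),  # connected route
    ("0.0.0.0/0", "Internet_DR"),         # default route
])
# State after step 6: the Internet external network has been removed.
AFTER_STEP_6 = remove_external_network(AFTER_STEP_2, "Internet")

if __name__ == "__main__":
    for label, table in (("after step 2", AFTER_STEP_2), ("after step 6", AFTER_STEP_6)):
        for dest in (CLIENT, OFF_SUBNET):
            print(f"{label}: {dest} -> {egress_interface(table, dest)}")
```

In this model the connected /24 route continues to win for the production client until the Internet network is removed, while destinations outside both attached networks follow the default route as soon as it is changed.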