4.6.2 Example
In keeping with the reference infrastructure and methodology defined in the VMware vCloud Director Infrastructure Resiliency Case Study, this example uses a single cluster that contains ESXi hosts at both the primary and the recovery site. Workloads run in the primary site, where the ESXi hosts are connected. At the recovery site, the ESXi hosts are in maintenance mode but are configured in the same cluster and attached to the same VMware vSphere Distributed Switches. The solution approach is developed on the basis of the VMware vCloud Director Infrastructure Resiliency Case Study, and the prerequisites it defines apply to this solution as well. The failover of a management cluster for a vCloud infrastructure in the absence of stretched Layer 2 networking is covered elsewhere in this document.
The following figure shows the logical architecture for this example.
Figure 15. Example Logical Architecture
All ESXi hosts in the resource cluster are connected to a common vSphere Distributed Switch, on which site-specific port groups are defined for the two external networks, Internet and Internet_DR. In conjunction with this, an organization virtual datacenter network is defined, which results in a port group from the VXLAN-backed network pool being deployed. The following figure shows the physical architecture for this example.
Figure 16. Example Physical Architecture
Note: For testing, a single switch and router/firewall were deployed to simulate the separate networks for the primary and recovery sites. Although this is not entirely consistent with a real-world deployment, this configuration is representative for lab testing. The router shown in Figure 16 provides routing among all networks, with the exception of the pools network.
The ESXi hosts deployed in the production site are connected to a common Layer 3 management network. Similarly, the ESXi hosts deployed in the recovery site are connected to a common Layer 3 management network, but one that is a different Layer 3 network from the production site's management network. In addition, the Internet external network is the primary network used for vApp connectivity, and it too is a different Layer 3 network from the Internet network available at the recovery site (Internet_DR). These are attached to vCloud Director as two different external networks.
vCloud Networking and Security Edge firewall rules, NAT translations, load balancer configurations, and VPN configurations must be reproduced on the DR side to keep the configurations consistent and to make sure that everything works after recovery. As shown in Figure 17, the example uses the vCloud API upon failover to duplicate the primary site configuration to the failover site. This eliminates much of the manual reconfiguration that would otherwise be required on the recovery side.
Figure 17. vCloud Director Network Configuration
The two Internet networks (Internet and Internet_DR) have been defined as external networks, along with their respective IP configurations. In conjunction with this, a new VXLAN-backed organization virtual datacenter network called "Production" is defined. Finally, an Edge Gateway device is deployed (note that the appliance is deployed in the Production site) with connectivity between the organization network and the two external networks. To provide virtual machine connectivity between the Production organization virtual datacenter network and the external networks, a number of destination NAT (DNAT) and source NAT (SNAT) rules are required. An example of these rules is shown in the following table.
Note: Although there is no technical reason for the Internet_DR DNAT rule to be disabled, the Internet_DR SNAT rule must be disabled so that network traffic is not inadvertently passed over the wrong interface to the Internet_DR network, which is not available in the production site.
Table 11. Sample NAT Rules

| Applied On | Type | Original IP Address | Original Port | Translated IP Address | Translated Port | Protocol | Enabled |
|---|---|---|---|---|---|---|---|
| Internet | SNAT | 192.168.1.0/24 | * | 10.16.133.171 | * | TCP/UDP | Yes |
| Internet_DR | SNAT | 192.168.1.0/24 | * | 192.168.192.2 | * | TCP/UDP | No |
| Internet | DNAT | 10.16.133.171 | * | 192.168.1.100 | * | TCP/UDP | Yes |
| Internet_DR | DNAT | 192.168.192.2 | * | 192.168.1.100 | * | TCP/UDP | No |
Note: An alternative to the chosen configuration is to connect the vCloud Networking and Security Edge Gateway only to the active external network. The connections were predefined instead because this allows rules for the recovery site to be preconfigured, which reduces the number of reconfiguration steps during a recovery process.
During a vCloud DR process, the external IP addresses used to access the workloads must change to those used in the recovery site.
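The following Python is an added illustration, not code from the case study or from the vCloud API: it models the four rules of Table 11 and the failover step described above, flipping the Enabled flag so that the Internet_DR rules become active and the Internet rules are disabled, while checking the invariant from the note under the table (an enabled SNAT rule on exactly one external network at a time). The `NatRule` class and function names are assumptions made for this example; pushing the resulting rule set to the Edge Gateway through the vCloud API is outside what is shown here.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class NatRule:
    """One Edge Gateway NAT rule with the columns of Table 11 (ports omitted: all '*')."""
    applied_on: str      # external network the rule is bound to (Internet or Internet_DR)
    rule_type: str       # "SNAT" or "DNAT"
    original_ip: str
    translated_ip: str
    enabled: bool
    protocol: str = "TCP/UDP"

# The four rules of Table 11 as they stand while workloads run in the production site.
TABLE_11 = [
    NatRule("Internet",    "SNAT", "192.168.1.0/24", "10.16.133.171", enabled=True),
    NatRule("Internet_DR", "SNAT", "192.168.1.0/24", "192.168.192.2", enabled=False),
    NatRule("Internet",    "DNAT", "10.16.133.171",  "192.168.1.100", enabled=True),
    NatRule("Internet_DR", "DNAT", "192.168.192.2",  "192.168.1.100", enabled=False),
]

def active_snat_networks(rules):
    """External networks that currently carry an enabled SNAT rule."""
    return {r.applied_on for r in rules if r.rule_type == "SNAT" and r.enabled}

def rules_consistent(rules, active_network):
    """True when SNAT is enabled on the active external network and nowhere else,
    which is the invariant the note under Table 11 requires."""
    return active_snat_networks(rules) == {active_network}

def failover(rules, active_network):
    """Return the rule set re-pointed at active_network: rules bound to that network
    are enabled and rules bound to any other external network are disabled.
    Raises if the result would leave no SNAT rule (or a second one) active."""
    flipped = [replace(r, enabled=(r.applied_on == active_network)) for r in rules]
    if not rules_consistent(flipped, active_network):
        raise ValueError(f"no single active SNAT rule for {active_network}")
    return flipped

def external_ip(rules):
    """The external IP on which the workload is reachable after the flip: the
    original address of the one enabled DNAT rule."""
    ips = [r.original_ip for r in rules if r.rule_type == "DNAT" and r.enabled]
    if len(ips) != 1:
        raise ValueError(f"expected one enabled DNAT rule, found {len(ips)}")
    return ips[0]
```

Running `failover(TABLE_11, "Internet_DR")` yields a rule set whose reachable external address is 192.168.192.2 instead of 10.16.133.171, which is the address change the paragraph above describes; applying `failover` again with "Internet" restores Table 11 for failback.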