Network configuration of VMware infrastructure (NAT, DHCP, Firewall, Static Routing, VPN).
After creating virtual machines, you can proceed to network configuration.
There are three options for connecting virtual machines to each other:
· an external network with public IP addresses;
· a local network with Internet access through NAT;
· an isolated local network without Internet access.
In addition, when the service is activated you are provided with a virtual router, the Edge Gateway, which performs routing and provides network services for external networks and for local networks with Internet access through NAT.
External networks are added by our support staff, so you do not need to create them yourself; for external networks you only configure the services (such as NAT or the Firewall).
To add an existing network from vDC to vApp, see the additional instructions.
Isolated local networks and local networks with Internet access through NAT are created in the network management interface: go to the Networks item in the left menu and click New to create a new network.
Enter the network settings.
For example, suppose you need to create a network with Internet access through the EdgeGateway, named "MyFirstNetwork", with the address space 192.168.2.0/24.
In the "Name" field, specify the name "MyFirstNetwork".
In the "Type" field, select "Routed Network connecting to an existing edge gateway".
In the "Network Gateway CIDR" field, specify the address of the gateway with the CIDR mask - "192.168.2.1/24".
Check the box "Use Gateway DNS".
In the "Static IP Pool" field, specify the address range that will be assigned to virtual machines statically (not via DHCP) - "192.168.2.2 - 192.168.2.254" - and click "New" to add this range to the list.
Click "SAVE" at the bottom of the page.
Configuring network services (DHCP, NAT, Firewall, Static Routing)
To configure network services (DHCP, NAT, Firewall, Static Routing), go to the left menu to the Edges item and click CONFIGURE SERVICES.
If the CONFIGURE SERVICES link is inactive, you must first convert EdgeGateway to Advanced mode by clicking CONVERT TO ADVANCED.
In a few seconds, the CONFIGURE SERVICES link will be available.
The Firewall tab allows you to configure firewall rules.
The firewall operates with several types of rules:
- Internal - built-in rules that cannot be changed.
- Default Policy - a built-in rule that defines what happens to connections matching no other rule: Accept allows such connections, Deny discards them.
- User - rules created by the user.
In the example, two rules are created: one allowing connections from any address to HTTPS (TCP / 443) on address 220.127.116.11, and one allowing connections from address 18.104.22.168 to SSH (TCP / 22) on address 22.214.171.124.
All other connections are blocked by the default Deny policy.
After making the changes, click on "Save changes".
On the DHCP tab, you can enable the DHCP server, which will issue private ("gray") addresses to the virtual machines.
In the example, a DHCP server is enabled with the address pool 192.168.2.2 - 192.168.2.9, the DNS server and gateway 192.168.2.1, and the subnet mask 255.255.255.0.
On the Edge Gateway you can configure both source NAT (SNAT, translation of the source address of outgoing connections) and destination NAT (DNAT, translation of the destination address of incoming connections). To do this, go to the NAT tab in the Edge Gateway services menu.
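The firewall example above and the DHCP/static-pool example, as an added illustration that is not part of the original article or of VMware's own tooling: a small Python model that evaluates a connection against the user rules in order and falls through to the default Deny policy, and that sanity-checks the address plan (pools inside 192.168.2.0/24, the gateway outside the pools, and whether the DHCP pool and the static IP pool share addresses). The rule names and the "conflict" finding for overlapping pools are this example's own assumptions; the addresses are the ones quoted in the article.

```python
from ipaddress import ip_address, ip_network

# Values taken from the article; the firewall addresses are used exactly as quoted.
NETWORK = ip_network("192.168.2.0/24")
GATEWAY = ip_address("192.168.2.1")
STATIC_POOL = ("192.168.2.2", "192.168.2.254")
DHCP_POOL = ("192.168.2.2", "192.168.2.9")

# User rules in evaluation order: (name, src, dst, proto, port, action).
# "any" matches everything. Connections matching no rule get DEFAULT_POLICY.
RULES = [
    ("allow-https", "any", "220.127.116.11", "tcp", 443, "accept"),
    ("allow-ssh", "18.104.22.168", "22.214.171.124", "tcp", 22, "accept"),
]
DEFAULT_POLICY = "deny"

def _match(rule_field, value):
    return rule_field == "any" or rule_field == value

def firewall_decision(src, dst, proto, port):
    """Return (action, rule name) of the first matching rule, else the default policy."""
    for name, r_src, r_dst, r_proto, r_port, action in RULES:
        if _match(r_src, src) and _match(r_dst, dst) and (r_proto, r_port) == (proto, port):
            return action, name
    return DEFAULT_POLICY, "default"

def _bounds(pool):
    # Inclusive (low, high) pair of IPv4Address objects for a "a - b" pool.
    return tuple(ip_address(a) for a in pool)

def pool_in_network(pool, network=NETWORK):
    lo, hi = _bounds(pool)
    return lo <= hi and lo in network and hi in network

def pools_overlap(a, b):
    a_lo, a_hi = _bounds(a)
    b_lo, b_hi = _bounds(b)
    return a_lo <= b_hi and b_lo <= a_hi

def check_plan():
    """Return a list of findings; an empty list means the address plan is consistent."""
    findings = []
    for label, pool in (("static", STATIC_POOL), ("dhcp", DHCP_POOL)):
        if not pool_in_network(pool):
            findings.append(f"{label} pool is outside {NETWORK}")
        elif _bounds(pool)[0] <= GATEWAY <= _bounds(pool)[1]:
            findings.append(f"{label} pool contains the gateway address")
    if pools_overlap(STATIC_POOL, DHCP_POOL):
        findings.append("dhcp pool overlaps static pool")  # assumption: treated as a conflict
    return findings
```

With the article's values, check_plan() reports only that the DHCP pool 192.168.2.2 - 192.168.2.9 lies inside the static pool 192.168.2.2 - 192.168.2.254, which is worth keeping in mind when assigning addresses to machines by both methods.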
To configure source NAT, click SNAT RULE. Set the value Applied on to inet_user1 in the window that appears.
In the Original Source IP / Range field, enter the address of the virtual machine or the entire internal network to which you must provide Internet access through NAT.
In the Translated Source IP / Range field, enter the external address of your EdgeGateway (see a quick tip - where is the external IP address).
To configure destination NAT, click DNAT RULE. Set the value "Applied on" to inet_user1 in the window that appears.
In the Original IP / Range field, enter the external address of your EdgeGateway.
Select the desired protocol.
In the Original Port field, specify the port on the external address on which incoming connections will be accepted.
In the Translated IP / Range field, specify the address of the virtual machine on the local network to which you want to provide access through NAT.
In the Translated Port field, specify the port on which the virtual machine will accept connections.
In some cases static routes may be necessary, for example if you have a software router with a VPN and/or an isolated network behind it.
To add one, go to Routing -> Static Routes and click +.
In the Network field, specify the network located behind your software router; in the Next Hop field, specify the address of that router; then select the EdgeGateway interface behind which the router is located.
The VPN topic is too extensive to discuss in this article. Articles about VPN and implementation examples are listed in a separate section of the Knowledge Base.