Networking Guide

Table 32. Security Differences Between Network Types

Gateway Network

  REQUIRED FOR
  - Virtual machines that need access to external networks.

  BENEFITS
  - Connecting virtual machines to gateway networks gives those virtual machines access to the networking services provided by a gateway: firewall, NAT, and load balancing.

  NOTE You can have an instance of a dual NIC on a virtual machine and can connect one interface of the virtual machine to the gateway network and the other interface to the internal network.

Internal Network

  REQUIRED FOR
  - Workloads that need to be isolated.
  - Workloads subject to specific security policies; for example, compliance rules that a particular application cannot be connected directly to the Internet.

  BENEFITS
  - Internal networks are not connected to gateways; therefore, they are ideal for running internal applications.
  - Virtual machines running applications you want to isolate from direct Internet traffic, such as your log servers, tracking servers, and database servers.
The following security functionality is available in vCloud Air:
- Gateway: firewall, IP address management, and routing
- Threat mitigation: third-party antivirus, traffic analysis, and threat mitigation appliances
- Third-party appliances: virtual appliances of your choice, allowing you to deploy your own security policies
- VXLAN: the foundation for elastic portable virtual data centers
Third-party Virtual Appliances
vCloud Air supports threat mitigation by allowing you to deploy your own antivirus solution (such as McAfee antivirus) and configure static routing between the gateway interfaces so that all traffic traverses the antivirus appliance first, and only then travels to your virtual machines.
vCloud Air supports the deployment of third-party virtual appliances into the cloud. For example, if you are using policies based on a Palo Alto security appliance, or on appliances deployed onsite at your data center, you can deploy that same third-party virtual appliance in vCloud Air and run network traffic to your virtual machines through the appliance. By using the same virtual appliance in vCloud Air that you used onsite in your data center, vCloud Air can become an extension of your onsite cloud. vCloud Air supports the deployment of all third-party virtual appliances supported by VMware vSphere, such as F5, RSA (for SecurID), and Riverbed (caching).
Additionally, you can use a third-party appliance with your internal networks in vCloud Air. Internal
networks (which are not connected to the gateway) can connect to a third-party appliance; the third-party
virtual appliance can have access to the gateway.
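The static-routing layout described above (all traffic crosses the antivirus appliance before reaching a virtual machine or leaving) can be checked with a small route-path trace. The following Python is an added example, not vCloud Air code or configuration; the addresses, interface names and route tables are constructed for illustration, using documentation address ranges.

```python
"""Route-path trace for the "antivirus first" static-routing layout (added example).

Constructed topology: the gateway's inside interface is 192.0.2.1, the antivirus
appliance is 192.0.2.2 on the transit network 192.0.2.0/25, and the protected
virtual machines live in 192.0.2.128/25 behind the appliance. The gateway's
static route for the VM prefix points at the appliance, and the appliance's
default route points back at the gateway, so packets in either direction
cross the appliance before they reach a VM or leave through the uplink.
"""
import ipaddress

GATEWAY_INSIDE = "192.0.2.1"   # constructed
APPLIANCE = "192.0.2.2"        # constructed
VM_PREFIX = "192.0.2.128/25"   # constructed
TRANSIT_PREFIX = "192.0.2.0/25"
DEFAULT = "0.0.0.0/0"

# Per-hop static route tables as (prefix, next_hop). "connected" means the
# destination is on a directly attached network (the trace ends there);
# "external" is the gateway's Internet-facing uplink (the trace leaves the cloud).
ROUTES = {
    "gateway": [
        (VM_PREFIX, APPLIANCE),          # VM-bound traffic is forced through the appliance
        (TRANSIT_PREFIX, "connected"),
        (DEFAULT, "external"),
    ],
    "appliance": [
        (VM_PREFIX, "connected"),        # VMs sit directly behind the appliance
        (TRANSIT_PREFIX, "connected"),
        (DEFAULT, GATEWAY_INSIDE),       # everything else returns to the gateway
    ],
    "vm": [
        (VM_PREFIX, "connected"),
        (DEFAULT, APPLIANCE),            # VMs use the appliance as their default gateway
    ],
}

# Map next-hop addresses back to the hop that owns them.
OWNER = {APPLIANCE: "appliance", GATEWAY_INSIDE: "gateway"}


def lookup(table, dst):
    """Longest-prefix match over one static route table; returns the next hop."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def trace(start, dst, routes=ROUTES, max_hops=8):
    """Follow static routes hop by hop from `start`; returns the hops visited.

    Raises RuntimeError if the tables send the packet around in a loop.
    """
    path = [start]
    hop = start
    for _ in range(max_hops):
        next_hop = lookup(routes[hop], dst)
        if next_hop == "connected":
            path.append(dst)
            return path
        if next_hop == "external":
            path.append("external")
            return path
        hop = OWNER[next_hop]
        path.append(hop)
    raise RuntimeError(f"routing loop while tracing to {dst}: {path}")


def appliance_inspects(start, dst, routes=ROUTES):
    """True when the antivirus appliance lies on the path before the VM or the uplink."""
    return "appliance" in trace(start, dst, routes)


if __name__ == "__main__":
    print("inbound :", trace("gateway", "192.0.2.200"))
    print("outbound:", trace("vm", "203.0.113.7"))
```

The useful check is the negative one: if the gateway's route for the VM prefix were changed to "connected" (a direct path that bypasses the appliance), `appliance_inspects` returns False, which is the misconfiguration this routing design is meant to rule out.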
About Firewall Rules
You configure all networking security policies on the gateway by creating firewall rules. (vCloud Air does not require you to configure security groups, as some other cloud providers do.) You configure firewall rules to manage the traffic flowing in and out of your vCloud Air cloud. Additionally, you can configure firewall rules to secure network traffic between any and all interfaces on a gateway.
Firewall rules in vCloud Air have the following characteristics:
- Consist of 5-tuple policies (protocol, source/destination IP address, source/destination port)
- Can have multiple policies across multiple networks
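The two characteristics above, 5-tuple matching and one policy set spanning several gateway interfaces, are easiest to reason about with a small evaluator. The following Python is an added example, not vCloud Air's rule format or API: rule fields, interface names ("external", "web-net", "app-net"), address ranges and the sample flows are all constructed. It uses first-match semantics with an implicit default deny, which is the usual gateway firewall behaviour; the page does not state vCloud Air's own match order, so treat that as an assumption.

```python
"""First-match 5-tuple firewall evaluator with an implicit default deny (added example).

Each Rule carries the 5-tuple (protocol, source/destination IP, source/destination
port) plus the gateway interfaces it governs, so a single rule list can hold
policies for several networks. Constructed topology: "external" is the Internet
uplink, "web-net" is a gateway network holding the web tier (192.0.2.0/24), and
"app-net" is a second gateway-attached network holding the database (198.51.100.0/24).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

ANY = "any"
PortSpec = Union[str, int, Tuple[int, int]]


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ingress: str  # gateway interface the traffic arrives on
    egress: str   # gateway interface it would leave through


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    proto: str = ANY          # "tcp", "udp", "icmp" or ANY
    src: str = ANY            # CIDR or ANY
    src_port: PortSpec = ANY  # single port, (low, high) range or ANY
    dst: str = ANY
    dst_port: PortSpec = ANY
    ingress: str = ANY
    egress: str = ANY


def _ip_match(spec: str, ip: str) -> bool:
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: PortSpec, port: int) -> bool:
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        low, high = spec
        return low <= port <= high
    return spec == port


def _exact_match(spec: str, value: str) -> bool:
    return spec == ANY or spec == value


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """All five tuple fields and both interfaces must match for the rule to apply."""
    return (
        _exact_match(rule.proto, flow.proto)
        and _exact_match(rule.ingress, flow.ingress)
        and _exact_match(rule.egress, flow.egress)
        and _ip_match(rule.src, flow.src_ip)
        and _ip_match(rule.dst, flow.dst_ip)
        and _port_match(rule.src_port, flow.src_port)
        and _port_match(rule.dst_port, flow.dst_port)
    )


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic falls to the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


# Constructed policy: Internet may reach the web tier on 443 only, an admin range
# (203.0.113.0/24) may reach it on 22, the web tier may reach the database on 5432,
# and the database network is explicitly denied any path to the uplink.
POLICY = [
    Rule("web-in", "allow", proto="tcp", dst="192.0.2.0/24", dst_port=443, ingress="external", egress="web-net"),
    Rule("mgmt-ssh", "allow", proto="tcp", src="203.0.113.0/24", dst="192.0.2.0/24", dst_port=22, ingress="external", egress="web-net"),
    Rule("web-to-db", "allow", proto="tcp", src="192.0.2.0/24", dst="198.51.100.0/24", dst_port=5432, ingress="web-net", egress="app-net"),
    Rule("db-no-internet", "deny", src="198.51.100.0/24", egress="external"),
]

# Constructed sample flows (198.18.0.9 stands in for an arbitrary Internet host).
SAMPLE_FLOWS: Dict[str, Flow] = {
    "public-https": Flow("tcp", "198.18.0.9", 51000, "192.0.2.10", 443, "external", "web-net"),
    "public-ssh": Flow("tcp", "198.18.0.9", 51001, "192.0.2.10", 22, "external", "web-net"),
    "admin-ssh": Flow("tcp", "203.0.113.5", 40000, "192.0.2.10", 22, "external", "web-net"),
    "web-db": Flow("tcp", "192.0.2.10", 40001, "198.51.100.5", 5432, "web-net", "app-net"),
    "public-db": Flow("tcp", "198.18.0.9", 51002, "198.51.100.5", 5432, "external", "app-net"),
    "db-egress": Flow("tcp", "198.51.100.5", 40002, "198.18.0.9", 443, "app-net", "external"),
}


def decide_samples() -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample flow against POLICY; returns name -> (action, rule)."""
    return {name: evaluate(POLICY, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (action, rule) in decide_samples().items():
        print(f"{name:13s} {action:5s} ({rule})")
```

Because the evaluator is first-match, rule order is part of the policy: the explicit "db-no-internet" deny only works as intended because no earlier allow rule covers traffic leaving "app-net" for the uplink. Direct Internet access to the database port is refused by the implicit default deny rather than by any written rule, which is why a default-deny posture matters when policies span several networks.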
VMware vCloud Air Networking Guide
28 VMware, Inc.