View Only

How to use network services with IBM Cloud VCFaaS?

By SAMI KURONEN posted Tue January 14, 2025 03:48 AM

Like

How to use network services with IBM Cloud VCFaaS?

IBM Cloud for VMware Cloud Foundation (VCF) as a Service (VCFaaS) has been available since November 2022. In early 2024, my colleague Bryan Buckland wrote a blog about getting started with the offering. We decided to take this introduction to bit deeper and now we focus on the new enhanced networking features and concepts that have been introduced in the 2^nd half of 2024, and for the new features that will be introduced in the very near future. In this first blog of a series or blogs, I will focus on the basic virtual data center networking concepts. To get the most of this, we need to get familiar with the basic concepts of the solution. So, let’s spend some time with the IBM Cloud for VMware Cloud Foundation as a Service offering and how it has been architected.

Overview of the offering and its key concepts

What is IBM Cloud for VMware Cloud Foundation as a Service, also known as VCFaaS? VCFaaS is a managed service for hosting VMware workloads in IBM Cloud. The “managed” here refers to IBM Cloud managing the underlying software defined datacenter (SDDC) up to the hypervisor, including the software defined networking (SDN) provided by VMware NSX. VCFaaS is available in single-tenant (VCFaaS-ST) or multi-tenant (VCFaaS-MT) configurations with the choice to reserve dedicated resources to host your VMware workloads. In both options, you can flexibly grow your resource consumption as the need demands - the key difference is the underlying hardware where the multi-tenant shares compute resources between tenants and single-tenant has dedicated compute resources for your workloads. In the multi-tenant option, IBM Cloud manages the underlying capacity, and you just configure your consumption limits or reservations. In the single tenant configuration, capacity management is a customer responsibility, and you can add or remove storage and hosts to your VCFaaS-ST instance on-demand. The other aspects of these options are pretty much identical.

The following diagram depicts the core elements and concepts of the offering.

IBM Cloud for VMware Cloud Foundation as a Service is built on VMware Cloud Director, which abstracts the underlying VMware’s SDDC stack to virtual data centers (VDCs). As a comparison, a VDC provides logically an equivalent concept as a Virtual Private Cloud (VPC) does in any public clouds. A virtual data center is a logically isolated environment provided to a cloud user inside their organization. Within the VDC, a tenant can provision and manage resources such as networks, vApps, VMs and disks – on a very similar way as in a public cloud VPC. All compute, storage and network resources belong to the VDC, which also defines a logical boundary for each.

What is an organization then? A VCD organization is a top-level container that may contain one or more Virtual Data Centers with their resources and catalog entities. An IBM Cloud An IBM Cloud account has one VCD organization per one IBM VCFaaS site, and in the VFCaaS-MT the organization is created in the site when the first VDC is ordered and in the VCFaaS-ST the organization is created when the single tenant site is ordered. When you are designing your solution, take this aspect into account. Also consider using IBM Cloud Enterprise accounts, for example if you need separation between business units.

A VMware Cloud Director Site is an IBM Cloud terminology for the VCFaaS offering. It refers to a collection of resources managed in a specific physical IBM Cloud data center location. For example, a Site called “IBM VCFaaS Multitenant – FRA” is a group of servers and storage that share a common VMware Cloud Director database and portal in an IBM Cloud multi-zone region (MZR) in Frankfurt. Depending on the deployment model, the site has slightly different characteristics. In the multi-tenant VCFaaS-MT, a site is a single deployment of a VMware Cloud Director across an IBM Cloud multi zone region (MZR). The site is created by IBM when the VCFaaS-MT service is made generally available in that region. In the single-tenant VCFaaS-ST, a site is a customer dedicated VMware deployment in an IBM Cloud multi zone region. The site is provisioned when you order a VCFaaS-ST instance in this specific location.

Resources deployed in the platform have a physical boundary where the live and how they can span. A resource pool defines the physical location for the VDC and a resource pool defines the boundary of physical compute and storage resources for the VDC. VDCs created against a resource pool are bound to use the infrastructure from that resource pool. For example, in VCFaaS-MT, when ordering a virtual data center to a specific location, like FRA02, the site is backed by a resource pool, but you do not specifically have to select it.

VMware SDDC environments include components like vCenter Servers, ESXi hosts, NSX managers and edge nodes, Aria operations etc. VMware Cloud Director provides easy to use management capabilities to the whole VMware SDDC stack where you do not have to be an expert in managing neither VMware vCenter nor NSX. Also, the lifecycle of the underlying platform is managed by IBM Cloud, which reduces the amount of day-to-day management work significantly. In a nutshell, the VCFaaS offering provides a managed platform for hosting your VMware workloads while allowing you to focus on your core business applications.

Virtual data center network architecture

To get back to the networking topic, let’s take a a look at the network architecture and a basic network topology of the virtual data center.

As shown in the diagram above, your virtual data center network topology includes two types of routers or gateways – edge and provider gateways inside a virtual data center. These gateways are logical network constructs provided by VMware NSX. The key architectural distinction between these is that edge gateway provides routing and network services inside your VDC while the provider gateway connects your VDC to external networks – such as IBM Cloud Private network and the public Internet.

Inside a virtual data center, you can deploy two types of virtual networks – routed or isolated virtual data center networks. By its definition, a routed virtual data center network is routed through its connection to the edge gateway. This routing option provides a L3 routed access to other virtual datacenters or to other connected networks. The underlying SDN provides various capabilities for enhancing routing latency and performance, and some of these have been made available for you via the portal. For example, the distributed routing option provides fast and efficient east-west routing. But sometimes these come with some limitations, too. For example, if you want to use firewalling between virtual data center networks attached to the same edge gateway, the distributed routing option must be disabled. North-south traffic can still be firewalled with the edge gateway firewall even with the option disabled. So this leads to some decisions that you must do, mostly related to network security. Isolated virtual data center networks are logically isolated L2 domains, segments that allow you to connect two or virtual machines within the virtual data center, but they are not attached to the edge gateway, and therefore they do not have any routing, firewall or NAT services. Some customers use the isolated VDC networks when deploying their own firewall appliances within the VDC, we can discuss about this in a future blog, if there is interest.

Connectivity to and from the VDC is key, and there we have two basic options. Virtual data centers can be deployed with or without public connectivity. The latter is an option, if you want to keep all traffic 100% private, where the public option allows your workloads to be connected to the public Internet through the provider gateway. VDCs provide connectivity to IBM Cloud services and private endpoints by default. If you want to expand to other IBM Cloud IaaS platforms (Classic, VPCs or Power Virtual Servers), IBM Cloud Transit Gateways provides this interconnectivity. With on-premises connectivity needs over private WANs, IBM Cloud Direct Link is the offering for these needs, attached to the Transit Gateways. See an example topology in the following diagram.

Each VDC can use the embedded networking services provided in edge and provider gateways starting from basic IP routing and optional network services such as network address translation (NAT), gateway firewalls or DHCP. The networking services provided by edge and provider gateways are implemented using NSX edge clusters, where the edge gateway is implemented as a Tier 1 gateway and a provider gateway is a Tier 0 VRF. As there are variable bandwidth and performance requirements, the offering includes two options for your edge networking deployments:

Efficiency edge nodes provide a cost effective solution for most use cases. Efficiency edge nodes provide networking services for multiple virtual data centers in the specific VCFaaS site, and your provider and edge gateways (or VRFs) get a logical share of the available resources in that edge cluster deployment.
Dedicated Performance edge nodes are purposed for higher bandwidth and more predictable performance needs. Performance edge nodes are single tenant and they are used only by a single virtual data center.

Both edge cluster options are built with high availability and resiliency within the specific IBM Cloud data center, so the key criteria for your selection are mostly defined by your performance requirements. But as always there are some exceptions, and we will discuss these under the future regional HA blog topic. However, it is important to note that you must select your network setup when you deploy your virtual data center – it cannot be changed afterwards without destroying the virtual data center.

When designing your virtual data center networking solution, it is good to take a look at the network flows a bit deeper. As shown in the following diagram, you can now do NATing and firewalling in both provider and edge gateways. In the past it was only possible to do these at the edge gateway, so think what does this change mean in your network design and configurations.

Network address translation (NAT) is an embedded function on the provider and edge gateways and you can do NATing on either of these. When considering NATing, always design your NAT rules considering the desired traffic path and think how you see the packets at the next router. For example, if you do source NAT (SNAT) at the edge gateway to get egress Internet access from your virtual data center network. If you created a matching “destination any rule”, then the IP packets sent from the virtual machine towards the provider gateway have already been NATted. If you wanted to have a Transit Gateway connection for private connectivity, then the source IP of the packets might not be what you wanted. Alternatively, you might consider doing SNAT for public traffic at the provider gateway, where the rules would only match the traffic going to the Internet and the private traffic going to the Transit Gateway would have the original source IP address of the virtual machine. You can also do NO_NAT rules where you define the traffic not to be NATted by source and destination IPs, and then you might also need to set some priorities for the rules. Both options work, but you must select a solution that fits your needs. The new options to allow NAT rules for public traffic at the provider gateway might simplify your NAT rule design significantly.

A gateway firewall (FW) is an embedded firewall running on both provider and edge gateways. Provider gateway firewall allows all traffic by default while edge gateway firewall denies all traffic by default. You can customize these rules post initial provisioning. When considering firewalling, always design and check your firewall rules on the Gateway firewalls in the traffic path to see that you match the correct source and destination IP. Note that with the NAT rules you can select which IP you match in the firewall rules, the public (or external) or private (internal). It is recommended to select one way to match the FW rules and then follow that path for all. When it comes to firewall rules in general, so think where do you implement firewalling. Also consider simplicity and rules management aspects. You have options to create security groups and IP sets, which are key for managing the firewall rules in a logical way.

What about the scope of the networks? Can other virtual data centers in the organization see your networks? Each virtual data center provides its own network topology and own networks. By default, the scope of the network is the virtual data center, but there is an option to expand the scope to other virtual datacenters in the VCFaaS site with Data Center Groups (DCGs). There is also an option to deploy virtual data centers without an edge, and you may wonder why? I think sharing networks between virtual data centers needs a dedicated blog, focusing just on Data Center Groups and how you can use these in your network designs.

What's next?

Now that we have introduced the basic concepts, it is time to think about external connectivity in more details. How do you access your virtual machines from the Internet, or how do your virtual machines access the Internet, IBM Cloud private networks and services? How about connections to on-premises, using VPNs, IBM Cloud Interconnectivity services and so on. What are the best practices for each and how do you configure these? As there are a lot of topics to discuss, I decided spit this into multiple blogs, and the next one will focus on public networking, and then following with topic to cover VPNs and using IBM Cloud interconnectivity options. Stay tuned…

0 comments

31 views

IBM Cloud

Discuss IBM Cloud with IT ops managers, solution architects, SREs, and other cloud professionals

VMware on Cloud