Multi-Cloud Networking

Objective

This guide provides instructions on how to seamlessly connect and secure applications between multiple cloud networks using VoltMesh and VoltConsole.

The steps to connect and secure applications between multiple cloud networks are:

Figure: Multi-Cloud Networking and Security Setup Steps

The following image shows the topology of the example used for the use case in this document:

Figure: Multi-Cloud Networking and Security Sample Topology

Using the instructions provided in this guide, you can set up an Amazon Virtual Private Cloud (Amazon VPC) site and a data center cloud gateway, set up secure networking between the 2 clouds, and set up end-to-end monitoring.


Prerequisites

  • VoltConsole SaaS account.

    Note: If you do not have an account, see Create a Volterra Account.

  • Amazon Web Services (AWS) account.

    Note: This is required to deploy a Volterra site.

  • Private cloud environment (data center) with network connectivity from the hardware to the internet and to the top-of-rack (TOR) switch.

    Note: The management IP address for your hardware is required.


Configuration

The use case provided in this guide sets up Volterra sites as gateways for the ingress and egress traffic of the two cloud networks. The data center gateway site runs on physical hardware in an on-premises data center location. This data center also has a TOR switch behind which VM-based hosts sit on two different subnets.

The following actions outline the activities in setting up secure networking between the AWS VPC and private data center cloud.

  • Volterra AWS VPC Site is deployed using the VoltConsole.
  • Volterra VMware site is deployed on the ESXi host using the OVA template.
  • The two cloud environments are connected using the Volterra global network and secured using the network policies.
  • Local-breakout for hosts on the VMware site is configured. This allows inside network hosts to access the internet using SNAT. This is achieved by configuring a Fleet and related objects - Virtual Networks, Network Interfaces, and Network Connectors on the VMware site.

Note: Ensure that you keep the Amazon Elastic IP VIPs ready for later use in configuration.

Step 1: Deploy Site (Public Cloud)

The following video shows the site deployment workflow:

Perform the following steps to deploy Volterra site in your VPC:

Step 1.1: Start creating AWS VPC site object.
  • Select Manage -> Site Management -> AWS VPC Site in the configuration menu of the System namespace. Click Add AWS VPC Site.
  • Enter a name for your VPC object in the metadata section.
Step 1.1.1: Configure site type selection.
  • Go to the Site Type Selection section and perform the following:

    • Select a region in the AWS Region drop-down field. This example selects us-east-2.
    • Select New VPC Parameters for the Select existing VPC or create new VPC field. Enter the name tag in the AWS VPC Name Tag field and enter the CIDR in the Primary IPv4 CIDR blocks field. This example sets 192.168.32.0/22 as the CIDR.
    • Select Ingress/Egress Gateway (Two Interface) for the Select Ingress Gateway or Ingress/Egress Gateway field.

Figure: AWS VPC Site Configuration of Site Type

Step 1.1.2: Configure ingress/egress gateway nodes.
  • Click Edit to open the two-interface node configuration wizard and enter the configuration as per the following guidelines.

    • Select an option for the AWS AZ name field that matches the configured AWS Region.
    • Select New Subnet for the Select Existing Subnet or Create New field in the Subnet for Inside Interface section. Enter a subnet address in the IPv4 Subnet field.
    • Similarly configure a subnet address for the Subnet for Outside Interface section.

Figure: Ingress/Egress Gateway Nodes Configuration

Note: This example sets 192.168.32.128/25 as inside subnet and 192.168.32.0/25 as outside subnet.

Step 1.1.3: Complete AWS VPC site object creation.
  • Select Automatic Deployment for the Select Automatic or Assisted Deployment field.
  • Select the AWS credentials object for the Automatic Deployment field.

Note: Select Create new aws credentials to create the credentials. See Step 1 of the Secure Kubernetes Gateway quickstart for more information.

  • Select an instance type for the node for the AWS Instance Type for Node field in the Site Node Parameters section.
  • Enter your public SSH key in the Public SSH key field. This is required to access Volterra site once it is deployed.

Figure: Automatic Deployment and Site Node Parameters

  • Click Save and Exit to complete creating the AWS VPC object. The AWS VPC site object gets displayed.
Step 1.2: Deploy AWS VPC site.
  • Click on the Apply button for the created AWS VPC site object. This will create the VPC site.

Figure: Terraform Apply for the VPC Object

  • Verify that the site is created and ready to use. Navigate to Sites -> Site List. Click on your site to load its dashboard.

Figure: Site Dashboard and Health Details

  • Click on the Interfaces tab to check the interface status and details such as throughput. You can view inside and outside interfaces using the Inside and Outside options.

Figure: Site Dashboard Interfaces View


Step 2: Deploy Site (Private DC)

Deploying a site in your private data center consists of downloading the Volterra site image and installing the gateway site in the data center. In this

Note: Refer to the Prerequisites chapter for data center site deployment prerequisites.

The following video shows the data center site deployment workflow:

Perform the following steps for deploying gateway site on the data center:

Step 2.1: Create site token.
  • Log into the VoltConsole and select Manage -> Site Management. Select Site Tokens and click Add site token.

    Figure: Create site token

  • Enter a name for your site token and click Add site token to create the token. Note down the token value (UID) for using it in the site installation.
Step 2.2: Download and install the Volterra site image on your data center.
Step 2.3: Install the VM with the OVA template.
  • Log into the vSphere Web Client and import the OVA template.
  • Right-click on the Templates and click New VM from This Template.

Figure: Create New VM from Template

  • Enter a name for your virtual machine and click NEXT.
  • Select the ESXi host in the compute resources screen and click NEXT.
  • Select the datastore in the storage screen and click NEXT.
  • Select Customize this virtual machine's hardware and Power on virtual machine after creation in the clone options screen and click NEXT. This is to add a second network interface to the VM as this example demonstrates ingress and egress traffic.

Figure: Customize Hardware

  • Click ADD NEW DEVICE and select Network Adapter in the customize hardware screen. Ensure that the new device is mapped to VM Inside Network option. The inside network is connected to the inside subnets and outside network is connected to the existing DMZ. Click NEXT.

Figure: VM Inside Network

  • Enter the following vApp properties and click NEXT:

    • Hostname
    • Token - Enter the token created in Step 2.1
    • Cluster Name
    • Certified Hardware - Enter vmware-multi-nic-voltmesh
    • Latitude and Longitude

Figure: Customize vApp Properties

  • Click FINISH. The VM gets booted up.
Step 2.4: Perform site registration in VoltConsole.
  • Log into the VoltConsole and navigate to Manage -> Site Management -> Registrations. Click Pending Registrations tab. Find the registration request for your site and accept the registration.
  • Wait for the registration to complete and the site to come up. You can find the site in the Sites -> Site List view. Click on your site to open the site dashboard and ensure that its healthscore is 100 and its interfaces are up in the Interfaces tab.

Step 3: Connect Networks

Connecting networks includes configuring local-breakout for hosts on the VMware site, that is, allowing inside network hosts to access the Internet using SNAT. This is done by configuring a Fleet and related objects - Virtual Networks, Network Interfaces, and Network Connectors. This includes creating two network connectors, one in SNAT mode and the other in direct mode to the global network.

After that, connect both the VMware and AWS inside networks using Volterra’s ADN.

The following video shows the workflow of connecting and securing the two networks:

Perform the following to connect and secure the two cloud networks:

Step 3.1: Open the VMware site local UI dashboard and check the interfaces.
  • Go to Sites -> Site List. Click on your VMware site, open the Nodes tab, and click on the node to open the Node Status view. Copy the IP field value displayed.

Figure: Node IP for Local UI

  • Open a browser window and go to the https://<ip>:65500 URL. Enter the admin user and your password. The site local UI dashboard loads.

Figure: Local UI Dashboard

  • Scroll down and check the eth0 and eth1 interfaces status.
Step 3.2: Create a fleet.
  • Navigate to Manage -> Site Management->Fleets. Click Add fleet.
  • Enter a name for your fleet and enter a label in the Fleet Label Value field. This label is later used to apply to the site.

Figure: Fleet Name and Label

Step 3.2.1: Configure virtual networks.
  • Click Select outside virtual network object and click Add new virtual network.
  • Enter a name for your outside network and select Site Local(Outside) Network for the Select Type of Network field. Click Continue to create network and add to the fleet configuration.

Figure: Outside Virtual Network

  • In the fleet configuration screen, click Select inside virtual network object and click Add new virtual network. Enter a name for your inside network and select Site Local Inside Network for the Select Type of Network field. Click Continue to create network and add to the fleet configuration.
Step 3.2.2: Configure network interfaces.

Go to the Network Interfaces section and configure the following:

  • Click on the List of Interfaces field and select Create new interface.
  • Enter a name for the interface and select Ethernet Interface for the Interface Type field. Click Configure.
  • Select eth1 in the Ethernet Device field.
  • Go to IP Configuration section and select DHCP Server for the Select Interface Address Method field. Click Edit under the DHCP Server option to open DHCP server configuration. Perform the configuration as per the following guidelines:

    • Click Edit in the DHCP Networks, Pools, Gateway section to open DHCP network configuration.
    • Enter a prefix in the Network Prefix field.
    • Enter start IP address and end IP address in the Starting IP and Ending IP fields respectively.
    • Click Apply to apply the settings to the DHCP server configuration. This sets the DHCP pool, default gateway, and DNS server address.

Figure: DHCP Network Configuration

  • Click Apply in the DHCP Server configuration to apply the DHCP server to the ethernet interface configuration.
  • Select Site Local Network Inside in the Select Virtual Network field in the ethernet interface configuration.

Figure: Ethernet Interface Configuration

  • Click Apply to set the ethernet interface to the network interface configuration.

Figure: Network Interface Configuration

  • Click Continue to create and add the network interface to the fleet.
Step 3.2.3: Configure network connector and complete fleet creation.

This step creates two network connectors, one in SNAT mode and the other in direct mode to the global network.

  • Click Select network connector object and click Add new network connector.
  • Enter a name for the network connector and click Continue to add the network connector to the fleet. This sets the network connector to function in the default SNAT mode that connects site local inside network to site local outside network. This is used for the data center private cloud for establishing connectivity from inside subnets to outside network through the Volterra site deployed on the VMware VM.

Figure: Network Connector for Private DC

  • Scroll down and click Save and Exit in the fleet configuration screen to create the fleet.

At this point, you can verify that the inside subnets can communicate with each other but cannot reach anything outside their networks. You can use the ping command to verify this.

Step 3.2.4: Add VMware site to the fleet.
  • Click Sites -> Site List. Click ...->Edit for your VMware site to open its configuration edit form.
  • Click on the Labels field and add ves.io/fleet with the value of fleet label you created in previous step.

Figure: Add Fleet Label to Site

  • Click Save changes to apply fleet settings to the site.
  • Verify that the fleet interfaces are applied to the site. Check the site local UI dashboard for ethernet interfaces section. The interface Eth1 gets IP address assigned by the DHCP server configured in the fleet.

Figure: Ethernet Interface Details in Local UI Dashboard

At this point, you can verify that the inside subnets can access outside networks via the Volterra site by means of SNAT. You can verify this with the ping command.

Note: To check connectivity over internet, you can execute ping 8.8.8.8 to Google DNS server.

Step 3.3: Establish private connection between public cloud and private DC.

To connect the subnets inside the private DC with the public cloud over internet, create a network connector of the type that functions from site local inside to global network. This also requires you to create a global network. This can be directly performed from the fleet configuration to apply it to fleet in case of VMware site. For AWS site, it requires enabling it in the site configuration.

Step 3.3.1: Edit fleet to add network connector and global network.
  • Click Manage -> Site Management -> Fleets. Find your fleet from the displayed list and click ... -> Edit to open its configuration edit form.
  • Scroll down to the network connectors section and click Select network connector object. Click Add new network connector.
  • Enter a name for the network connector and select Direct, Site Local Inside to a Global Network for the Select Network Connector Type field.
  • Click on the Global Virtual Network field and select Create new global vn. This opens a new virtual network creation form. Enter a name and select Global Network for the Select Type of Network field. Click Continue to apply the network and return to the network connector form.

Figure: Global Virtual Network Creation

  • Click Continue to create the network connector and add it to the fleet.

Figure: Network Connector with Global Network

  • Click Save and Exit to save the fleet configuration.
Step 3.3.2: Enable the global network in AWS site and add route to it.
  • Navigate to Manage -> Site Management -> AWS VPC Site. Find your site object and click ... -> Edit to open its configuration edit form.
  • Click Configure in the Network Config section.
  • Enable Show Advanced Fields in the Advanced Options section.
  • Select Connect Global Networks for the Select Global Networks to Connect field. Click Configure for the Global Network Connections field. Select the global network created in Step 3.3.1 for the Global Virtual Network field and click Apply.
  • Select Simple Static Route for the Static Route Config Mode field and enter the IP address for the route to this network.

    Note: You can get the IP address for the route from AWS.

Figure: Global Network and Static Route for Public Cloud Site

  • Click Apply to add the network configuration. Click Save and Exit to save updates to the site configuration.

Now you can verify that connectivity is enabled between the VMware subnets and the AWS EC2 instances. You can use ping to verify this.


Step 4: Secure Networks

Securing networks includes applying network policies to restrict network access for chosen networks. It also includes applying forward proxy policies to allow access to chosen URLs. This is achieved by creating a network firewall with the policies and applying it to the fleet.

This example creates a network policy that allows access only from one subnet of the private DC to the AWS cloud and blocks access for all other subnets. It also creates a forward proxy policy that blocks access to a specific domain and allows everything else.

Perform the following steps to set up secure networks.

Step 4.1: Create and add network firewall to the fleet.
  • Click Manage -> Site Management -> Fleets. Find your fleet from the displayed list and click ... -> Edit to open its configuration edit form.
  • Scroll down to the Network Firewall section and click Select network firewall object. Click Add new Network Firewall. Enter a name for the firewall.
Step 4.1.1: Create and add network policies to the fleet.
  • Scroll down to Network Policy section and select Active Network Policies. Click on the Network Policy field and select Create new network policy.

Figure: Network and Policy for Network Firewall

  • Enter a name for the policy and add the prefix of a subnet (for which you want to allow access) in the IPv4 Prefix List field. Click Configure on the Egress section to configure an egress rule.

    • Set a name for the egress rule and select Allow for the Action field.
    • Click Add item and add another rule with Allow action and set the name as allow-all.

Figure: Egress Allow Rules

  • Click Apply.
  • Click Continue to add the rule to the policy.
  • Click Add item in the network policy configuration to add another policy. Add the prefix of a subnet (for which you want to block access) in the IPv4 Prefix List field. Click Configure on the Egress section to configure an egress rule.

    • Set a name for the egress rule and select Deny for the Action field.
    • Click Add item and add another rule with Allow action and set the name as allow-all.

Figure: Egress Deny Rule for a Subnet

  • Click Apply and click Continue to add the rule to the policy.
  • Click Add item in the network policy configuration to add another policy to allow local breakout access. Select Any Endpoint for the Select Endpoint field. Click Configure on the Ingress section to configure an ingress rule.

    • Set a name for the ingress rule and select Allow for the Action field.
    • Click Apply and click Continue to add the rule to the policy.

all net pols
Figure: Egress Deny Rule for a Subnet

  • Click Continue to add the policies to the firewall. This creates the firewall object and loads the fleet firewall configuration screen.
Step 4.1.2: Complete firewall creation and addition to the fleet.
  • Click Select network firewall object to add the firewall to the fleet configuration.
  • Click Save and Exit in the fleet configuration to save changes to fleet.
Step 4.1.3: Verify the policy operation.
  • Verify that access to the EC2 instances in AWS is allowed from only one subnet. Also, verify that site local breakout and internet access are still allowed. Run the ping command to an EC2 instance IP address from both subnets; only one should succeed.
  • You can also verify the policy and rule hits from VoltConsole. Navigate to Security -> Firewall -> Network Policies. Check the Hits field for your policy.

Figure: Policy Hits

  • Click on the value on the Hits field for your policy to view the rule hits.

Figure: Rule Hits

Step 4.2: Enable forward proxy for network connector of the private DC.
  • Go to Manage -> Networking -> Network Connectors. Click ... -> Edit for the VMware site network connector you created.

Figure: Enable Forward Proxy for VMware Networks

  • Click Enable Forward Proxy for the Select Forward Proxy field. Click Save and Exit.

This is required to apply the forward proxy policies.

Step 4.3: Create and add forward proxy policies.
  • Click Security -> Firewall -> Network Firewall. Find your network firewall from the displayed list and click ... -> Edit to open its configuration edit form.
  • Scroll down to Forward Proxy Policy section and select Active Forward Proxy Policies. Click on the Forward Proxy Policy field and select Create new forward proxy policy.

Figure: Forward Proxy Policy for Network Firewall

  • Enter a name and select All Proxies on Site for the Select Forward Proxy field.

    • Select Denied connections for the Select Policy Rules section and click Configure under the TLS Domains field.
    • Click Add item. Select Exact Value from the drop-down list of the Enter Domain field and enter www.facebook.com for the Exact Value field.

Figure: Blocking Rule for Specific Domain

  • Click Apply. This applies the rule to the forward proxy policy.
  • Click Continue to apply the forward policy to the firewall.
  • Click Save and Exit to save the changes to firewall configuration. This blocks access to Facebook.
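The manual ping and browser checks in Steps 3.2, 3.3, 4.1.3 and 4.3 can be turned into one repeatable script run from a host in each inside subnet, as in the following added example (not Volterra code). It assumes a Linux ping with the -W timeout flag, a placeholder EC2 instance IP, an assumed reference domain that the forward proxy policy does not block, and an assumed --denied-subnet flag to select the expected outcomes for the subnet whose egress is denied.

```python
# Added example: repeatable version of the guide's connectivity checks.
# Expected outcomes follow the policies configured in Steps 3 and 4.
import socket
import ssl
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

EC2_IP = "10.0.0.10"                 # assumed placeholder: replace with your EC2 instance IP
BLOCKED_DOMAIN = "www.facebook.com"  # domain denied by the forward proxy policy in Step 4.3
ALLOWED_DOMAIN = "example.com"       # assumed reference domain the policy does not block


@dataclass(frozen=True)
class Check:
    name: str
    kind: str               # "icmp" -> ping, "tls" -> TLS handshake on port 443
    target: str
    expect_reachable: bool


def icmp_probe(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo with a timeout, as the manual ping checks in Steps 3.2 and 4.1.3."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def tls_probe(host: str, timeout_s: int = 3) -> bool:
    """TLS handshake to host:443; the Step 4.3 rule matches on the TLS domain (SNI)."""
    try:
        with socket.create_connection((host, 443), timeout=timeout_s) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                return True
    except OSError:   # refused, reset by the proxy, timeout, DNS failure or TLS failure
        return False


def expected_checks(in_allowed_subnet: bool) -> List[Check]:
    """Outcomes the guide's policies should produce for a host in the allowed or denied subnet."""
    return [
        Check("ec2 over global network", "icmp", EC2_IP, expect_reachable=in_allowed_subnet),
        Check("internet via SNAT breakout", "icmp", "8.8.8.8", expect_reachable=True),
        Check("blocked TLS domain", "tls", BLOCKED_DOMAIN, expect_reachable=False),
        Check("other TLS domain", "tls", ALLOWED_DOMAIN, expect_reachable=True),
    ]


def run_checks(checks: List[Check],
               probes: Dict[str, Callable[[str], bool]]) -> List[Tuple[str, bool]]:
    """Return (check name, passed) per check; passed means observed == expected."""
    return [(c.name, probes[c.kind](c.target) == c.expect_reachable) for c in checks]


if __name__ == "__main__":
    in_allowed = "--denied-subnet" not in sys.argv   # assumed flag for the denied subnet
    probes = {"icmp": icmp_probe, "tls": tls_probe}
    for name, ok in run_checks(expected_checks(in_allowed), probes):
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

A FAIL on "ec2 over global network" from the allowed subnet points at the global network or static route (Step 3.3), while a FAIL on "blocked TLS domain" means the forward proxy is not enabled on the SNAT connector (Step 4.2) or the policy is not attached to the firewall.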
