subcollection | copyright | lastupdated | lasttested | content-type | services | account-plan | completion-time | use-case | ||
---|---|---|---|---|---|---|---|---|---|---|
solution-tutorials |
|
2024-01-05 |
tutorial |
vmwaresolutions, vpc |
paid |
1h |
ApplicationModernization, Vmware |
{{site.data.keyword.attribute-definition-list}}
{: #vpc-bm-vmware-pgwip} {: toc-content-type="tutorial"} {: toc-services="vmwaresolutions, vpc"} {: toc-completion-time="1h"}
This tutorial may incur costs. Use the Cost Estimator to generate a cost estimate based on your projected usage. {: tip}
This tutorial is part of a series, and requires that you have completed the related tutorials in the presented order. {: important}
If your VMware Virtual Machines require public Internet Access, you need to use either Public Gateway (outbound) or Floating IP (inbound). This tutorial provides an example for these use cases for a VMware VM's VLAN NIC. {: shortdesc}
{: #vpc-bm-vmware-pgwip-objectives}
If your VMware Virtual Machines require public Internet access, you need to use either a Public Gateway (outbound) or a Floating IP (inbound). This tutorial provides examples of how to configure Internet access for your VMware Virtual Machines using these {{site.data.keyword.vpc_short}} network constructs.
{: caption="Figure 1. Deploying Public Gateway and/or Floating IPs for VMware Virtual Machines" caption-side="bottom"}
{: #vpc-bm-vmware-pgwip-prereqs}
This tutorial requires:
- Common prereqs for VMware Deployment tutorials in {{site.data.keyword.vpc_short}}
This tutorial is part of a series, and requires that you have completed the related tutorials. Make sure you have successfully completed the required previous steps:
- Provision a {{site.data.keyword.vpc_short}} for VMware deployment
- Provision {{site.data.keyword.dns_full_notm}} for VMware deployment
- Provision {{site.data.keyword.bm_is_short}} for VMware deployment
- Provision vCenter Appliance
- Provision vSAN storage cluster
- Provision NFS storage and attach to cluster
- Provision {{site.data.keyword.vpc_short}} Subnets and configure Distributed Virtual Switch Portgroups for VMs
Log in with the IBM Cloud CLI using your username and password, or use an API key. Select your target region and your preferred resource group.
The variables used, e.g. `$VMWARE_VPC`, `$VMWARE_SUBNET_VM1` and `$VMWARE_PUBLIC_GW`, are defined in the previous steps of this tutorial. {: note}
{: #vpc-bm-vmware-pgwip-outbound} {: step}
{{site.data.keyword.vpc_short}} subnets are private by default. If your VMware Virtual Machines on the VM subnet (`$SUBNET_VM1`) need outbound internet access, a Public Gateway is needed. A Public Gateway enables a subnet and all its attached virtual or {{site.data.keyword.bm_is_short}} instances to connect to the internet. After a subnet is attached to the Public Gateway, all instances in that subnet can connect to the internet. Public Gateways use Many-to-1 SNAT.
- As you already provisioned a Public Gateway (`$PUBLIC_GW`) in the previous step for this {{site.data.keyword.vpc_short}} Zone, you only need to attach it to the VM subnet (`$SUBNET_VM1`).

  ```sh
  ibmcloud is subnetu $VMWARE_SUBNET_VM1 --public-gateway-id $VMWARE_PUBLIC_GW
  ```
  {: codeblock}
- After you have attached your newly created subnet to the Public Gateway, you should be able to access the Internet from the VM, e.g.:

  ```sh
  ping 1.1.1.1
  ```
  {: codeblock}
To control outbound Internet access from your virtual machines, you can use security groups or access control lists. In this example, the default security group allows all outbound Internet access. {: tip}
{: #vpc-bm-vmware-pgwip-inbound} {: step}
If you want to access the VMware Virtual Machines directly from the Internet, you need to provision a Floating IP for the VLAN NIC. Floating IP addresses are IP addresses that are provided by the IBM Cloud platform and are reachable from the public Internet. You can reserve a Floating IP address from the pool of available addresses that are provided by IBM, and you can associate it with a network interface of your server, in this case the VLAN NIC. That VLAN NIC keeps its private IP address, and the Floating IP provides a One-to-One NAT to this private IP. Note that associating a floating IP address with an instance removes the instance from the public gateway's Many-to-1 SNAT.
- Create a floating IP for the first Virtual Machine's (VM1) VLAN NIC and record the IP.

  ```sh
  VMWARE_VM_FIP=$(ibmcloud is ipc floating-ip-vm-1 --nic-id $VMWARE_VNIC_VM1 --output json | jq -r .address)
  ```
  {: codeblock}

  ```sh
  echo "Public IP for your VLAN NIC: $VMWARE_VM_FIP"
  ```
  {: codeblock}
To control access to your virtual machine, you may need to update the VLAN NIC's security group (or access control lists). {: tip}
- If you provisioned the VM's VLAN interface with the default {{site.data.keyword.vpc_short}} security group, use the following commands:

  ```sh
  VMWARE_VM_FIP_SG=$(ibmcloud is vpc $VMWARE_VPC --output json | jq -r .default_security_group.id)
  ```
  {: codeblock}

  ```sh
  ibmcloud is sg-rulec $VMWARE_VM_FIP_SG inbound tcp --port-min <your_port_number> --port-max <your_port_number> --remote <add_your_IP_here>
  ```
  {: codeblock}
- If you provisioned a new security group for the VLAN interface, e.g. with the name 'your-security-group', you can use the following commands:

  ```sh
  VMWARE_VM_FIP_SG=$(ibmcloud is bm-nic $ESX1 $VMWARE_VNIC_VM1 --output json | jq -r '.security_groups[] | select(.name == "your-security-group") | .id')
  ```
  {: codeblock}

  ```sh
  ibmcloud is sg-rulec $VMWARE_VM_FIP_SG inbound tcp --port-min <your_port_number> --port-max <your_port_number> --remote <add_your_IP_here>
  ```
  {: codeblock}
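
Once a Floating IP is attached, the inbound rules of the VLAN NIC's security group are what separate the VM from the Internet, so it is worth checking that each `--remote` is as narrow as intended. The following is an added example, not part of the original tutorial: it reviews security group JSON such as `ibmcloud is security-group $VMWARE_VM_FIP_SG --output json` would print and lists inbound rules whose source range is wider than a chosen size. The function name, the `max_sources` threshold and the sample data are constructed for illustration, and the field names are assumed to follow the VPC security group rule schema.

```python
import ipaddress
import json

# Constructed sample, shaped like `ibmcloud is security-group <id> --output json`.
# Field names are assumed to follow the VPC security group rule schema.
SAMPLE_SG_JSON = """
{"name": "your-security-group", "rules": [
  {"id": "r-1", "direction": "inbound", "protocol": "tcp",
   "port_min": 22, "port_max": 22, "remote": {"cidr_block": "0.0.0.0/0"}},
  {"id": "r-2", "direction": "inbound", "protocol": "tcp",
   "port_min": 443, "port_max": 443, "remote": {"address": "203.0.113.10"}},
  {"id": "r-3", "direction": "inbound", "protocol": "all",
   "remote": {"id": "sg-0000", "name": "peer-group"}},
  {"id": "r-4", "direction": "outbound", "protocol": "all",
   "remote": {"cidr_block": "0.0.0.0/0"}},
  {"id": "r-5", "direction": "inbound", "protocol": "udp",
   "remote": {"cidr_block": "198.51.100.0/22"}}
]}
"""


def broad_inbound_rules(sg, max_sources=256):
    """Return (rule id, protocol, ports, source) for inbound rules whose
    source covers more than max_sources addresses."""
    findings = []
    for rule in sg.get("rules", []):
        if rule.get("direction") != "inbound":
            continue  # outbound rules do not expose the Floating IP
        remote = rule.get("remote") or {}
        source = remote.get("cidr_block") or remote.get("address")
        if source is None:
            continue  # remote is another security group, not an IP range
        net = ipaddress.ip_network(source, strict=False)
        if net.num_addresses <= max_sources:
            continue  # single address or a deliberately small range
        if rule.get("protocol") in ("tcp", "udp"):
            # A tcp/udp rule without explicit ports is treated as all ports.
            ports = f"{rule.get('port_min', 1)}-{rule.get('port_max', 65535)}"
        else:
            ports = "n/a"
        findings.append((rule["id"], rule["protocol"], ports, str(net)))
    return findings


if __name__ == "__main__":
    for finding in broad_inbound_rules(json.loads(SAMPLE_SG_JSON)):
        print("broad inbound rule:", *finding)
```

To review a real group, save the CLI's JSON output to a file and pass the parsed object to `broad_inbound_rules`.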