Multi-Cloud Networking

• Go to the Site Type Selection section and perform the following:
  • Select a region in the AWS Region drop-down field. This example selects us-west-2.
  • Select New VPC Parameters for the VPC field. If you want a specific name for the AWS VPC, select Choose VPC Name in the AWS VPC Name field and then enter your preferred name. Otherwise, leave the drop-down selection set to Autogenerate VPC Name. Enter the CIDR in the Primary IPv4 CIDR blocks field. This example sets 192.168.32.0/22 as the CIDR.
  • Select Ingress/Egress Gateway (Two Interface) for the Select Ingress Gateway or Ingress/Egress Gateway field.

Figure: AWS VPC Site Configuration of Site Type

• Select Configure to open the two-interface node configuration wizard.

• Select Add Item in the Ingress/Egress Gateway (two Interface) Nodes in AZ section to add the Two Interface Node.

  • Select an option for the AWS AZ name field that matches the configured AWS Region. This example selects us-west-2a.
  • Select New Subnet for the Workload Subnet field, and then enter the subnet address in the IPv4 Subnet field.
  • Similarly configure a subnet address for the Subnet for Outside Interface section.
  

  Figure: Two Interface Node Configuration

  Note: This example sets 192.168.32.128/25 as the workload subnet and 192.168.32.0/25 as the outside interface subnet.

• Then select Apply to return to the two-interface node configuration wizard.

Figure: Ingress/Egress Gateway Nodes Configuration

Note: The Site Network Firewall configuration will be done as part of step 4 of this quick start guide.

• Select Apply to complete the two-interface node configuration and return to the AWS VPC site object creation.

• Select the AWS credentials object under the Automatic Deployment field.

Note: Select Add Item in the Cloud Credentials drop-down menu to create the credentials. You will need an AWS access key ID and AWS secret access key. See Step 1 of the Secure Kubernetes Gateway quick start for more information.

• Make a selection in the AWS Instance Type for Node field.
• Enter the public key for remote SSH if necessary.
• Select Save and Exit to complete creating the AWS VPC object. The AWS VPC site object gets displayed.

Figure: Automatic Deployment and Site Node Parameters

• Use the Outside (Site Local) Virtual Network pull-down to see and select the Add Item option.
• Enter a name for your outside network and select Site Local(Outside) Network for the Select Type of Network field. Select Continue to create the network and add it to the fleet configuration.

Figure: Outside Virtual Network

• In the Fleet Configuration screen, create the inside virtual network in the same way. Select Select inside virtual network object and select Add Item. Enter a name for your inside network and select Site Local Inside Network for the Select Type of Network field. Select Continue to create network and add to the fleet configuration.

Go to the Network Interfaces section and configure the following:

• Use the Select Interface Config pulldown to select List of Interfaces.
• Use the List of Interfaces pulldown to select the Add Item option.
• Enter a name for the interface, select the Ethernet Interface for the Interface Type field, and then select Configure to setup the ethernet interface.
• Select eth1 in the Ethernet Device field.
• Go to the IP Configuration section and select DHCP Server for the Select Interface Address Method field. Select Configure under the DHCP Server option to open DHCP server configuration. Perform the configuration using the following guidelines:
  • Select Configure in the DHCP Networks section to open DHCP server configuration.
  • Enter a prefix in the Network Prefix field.
  • Select Add Item in the DHCP Pools section and enter the starting and ending IP addresses.
  • Select Apply at the bottom of the form to add the settings to the DHCP server configuration. This sets the DHCP pool, default gateway, and DNS server address.

Figure: DHCP Network Configuration

• Select Apply in the DHCP Server configuration to apply the DHCP server to the ethernet interface configuration.
• Select Site Local Network Inside in the Select Virtual Network field in the ethernet interface configuration.

Figure: Ethernet Interface Configuration

• Select Apply to set the ethernet interface to the network interface configuration.

Figure: Network Interface Configuration

• Select Continue to create and add the network interface to the fleet.

This step creates a network connector with one in SNAT mode and the other in the direct mode to the global network.

• Select Add Item in the Network Connectors section and then use the Network Connectors drop-down menu to select Add Item.
• Enter a name for the network connector and select Continue and then Select Network Connector to add the network connector to the fleet. This sets the network connector to function in the default SNAT mode that connects site local inside network to site local outside network. This is used for the data center private cloud for establishing connectivity from inside subnets to outside network through the Site deployed on the VMware VM.

Figure: Network Connector for Private DC

• Scroll down and select Save and Exit in the fleet configuration screen to create the fleet.

At this point, you can verify that the inside subnets can communicate with each other but accessing outside of their networks is not possible. You can use ping command to verify the same.

• Select Manage > Site Management > AWS VPC Sites.
• Select ...>Manage Configuration for your VMware site and then select Edit Configuration in the upper right corner to open its configuration edit form.
• Select in the Labels field and add ves.io/fleet with the value of fleet label you created in previous step.

Figure: Add Fleet Label to Site

• Select Save and Exit to apply fleet settings to the site.

• Verify that the fleet interfaces are applied to the site. Check the site local UI dashboard for ethernet interfaces section. The interface Eth1 gets IP address assigned by the DHCP server configured in the fleet.

Figure: Ethernet Interface Details in Local UI Dashboard

At this point, you can verify that the inside subnets can access outside networks via the Site by means of SNAT. You can verify the same with the ping command.

Note: To check connectivity over internet, you can execute ping 8.8.8.8 to Google DNS server.

• Scroll down to the Firewall Policy section and select Active Firewall Policies. Use the Select Item pull-down menu and select Add Item. This policy will allow all traffic for the server1 prefix.

Figure: Network and Policy for Network Firewall

• Enter a name for the policy and add the prefix of the server1 subnet (for which you want to allow access) in the IPv4 Prefix List field.

• Select Configure on the Connections From Policy Endpoints section to configure an egress rule. Select Add Item to create the egress rule.

  • Set a name for the egress rule and select Allow for the Action field.

  • Select Apply to add the egress rule to the list of egress rules.

    

    Figure: Egress Allow Rules

• Select Apply to save the egress rules list.

• Select Continue to save the server1 firewall policy

• Select Add item in the Firewall policy section to add another policy for the server2 prefix. This one will deny access to a subnet.

• Select the Select Item field and select Add Item.

• Enter a name for the policy and add the prefix of the server2 subnet (for which you want to block access) in the IPv4 Prefix List field.

• Select Configure on the Connections From Policy Endpoints section to configure an egress rule. Select Add Item to create the egress rule that denies traffic to a subnet.

  • Set a name for the egress rule and leave Deny for the Action field.

  • Select List IP Prefix Set in the Select Other Endpoint field.

  • Select in the reference field and then select Add Item.

  • Enter a name for the prefix set, enter the subnet prefix, and press Continue.

  • Select Apply to add the egress rule to the list of egress rules.

    

    Figure: Egress Deny Rule for a Subnet

• Select Add Item to create a second egress rule that allows all other traffic.

  • Set a name for the egress rule and select Allow for the Action field.
  • Select Add item to add the egress rule to the list of egress rules.

• Select Apply to save the egress rule list, and select Continue to complete the server2 policy.

• Select Add Item to add a third policy slot for the local internet breakout. Then use the Select Item pull-down menu to select Add Item.
• Enter a name for the new firewall policy.
• Select Any Endpoint for the Endpoint(s) field in the Policy For Endpoints section.
• Select Configure on the Connections To Policy Endpoints section to configure an ingress rule that allows all traffic, and then selectAdd Item to create the ingress rule.
  • Enter a name for the ingress rule.
  • Select Allow for the Action field.
  • Select Apply to add the ingress rule to the list of ingress rules.
  • Select Apply to add the list to the network policy.
• Select Configure on the Connections From Policy Endpoints section to configure an egress rule for this network policy, and then selectAdd Item to create the egress rule.
  • Set a name for the egress rule.
  • Select Allow for the Action field.
  • Select Apply to add the egress rule to the list of egress rules.
• Select Apply to save the egress rule list, select Continue to complete the third firewall policy, select Continue to add the network firewall to the fleet configuration, and finally select Save and Exit in the fleet configuration to save changes to fleet.

• Verify that access from only one subnet is allowed to the EC2 instances of AWS. Also, verify that the site local breakout and internet access is still allowed. Enter ping command to an EC2 instance IP address from both subnets and only one is allowed.

• You can also verify the policy and rule hits from Console. Navigate to Manage > Firewall > Firewall Policies. Check the Hits field for your policy.

Figure: Policy Hits

• Select the value in the Hits column for your policy to view the rule hits.