Cloud Foundation Holodeck: vRealize Automation - Dynamic Networks

VCF Experience Program: Consuming VMware Cloud Resources with vRealize Cloud Assembly – Part 2 Dynamic Networks

Overview

This module continues the exploration of consuming a VCF-based VMware Cloud using vRealize Cloud Assembly. Participants will gain experience using vRealize Automation Cloud Assembly to deploy application workloads onto dynamically created NSX segments and firewall policies.

It is anticipated that this module will take 60-90 minutes to complete.

This module consists of the following exercises:

  1. Create OC-DB-Cloud-Seg Cloud Assembly Network Profile
  2. Create OC-Web-Cloud-Seg Cloud Assembly Network Profile
  3. Upload and Review “Holodeck OpenCart Cloud Network” Cloud Template
  4. Deploy Holodeck-OC-Cloud-Network Cloud Template
  5. Review Provisioning Diagram
  6. Review Deployed Opencart Application
  7. Delete Deployed Opencart Application

Exercise 1: Create OC-DB-Cloud-Seg Cloud Assembly Network Profile

In this exercise we will configure a new Network Profile in Cloud Assembly for the OC-DB-Cloud-Seg segment. This Network Profile will specify a “Routed” network, which directs Cloud Assembly to deploy a dynamic NSX segment and T1 router.

[Step 1] Connect to vRealize Cloud Assembly (if necessary)

  1. Click + in the Chrome browser to open a new window
  2. Click the vRealize bookmark folder and select vRA
  3. Click GO TO LOGIN PAGE
  4. Login: Username:  configadmin Password:  VMware123!
  5. Click Cloud Assembly

[Step 2] Create OC-DB-Cloud-Seg Network Profile

  1. Click Infrastructure -> Network Profiles
  2. Click New Network Profile
  3. On the Summary tab, click Account/Region and select Holodeck Site-1 / mgmt-datacenter-01
  4. Set the name to “OC-DB-Cloud-Seg”
  5. In the Capabilities section create the following tags
  • “oc-cloud-network:oc-db”
  • “DeploymentType:Holodeck”

 

 

[Step 2.1] Add Networks on Networks Tab

  1. Click on Networks tab, then Add Network
  2. Click in the Filter area; type “edge”  and select the Any: property
  3. Select both VCF-edge segments shown (This allows VRA created routed networks to reach the outside via the Tier-0 uplinks)

 

  1. Click Add. 

[Step 2.2] Add Network Policy on Network Policies Tab

  1. Click Network Policies tab
  2. Set Isolation policy to On-demand network
  3. Set transport zone to mgmt-domain-tz-overlay01
  4. Set External network to VCF-edge_EC-01_segment_uplink1_11
  5. Set Tier-0 logical router to VLC-Tier-0
  6. Set Edge Cluster to EC-01
  7. Leave Source set to Internal (VRA will act as IPAM for this segment)
  8. Set CIDR to “10.1.5.1/24”
  9. Set Subnet size to “/28 (-14 IP addresses)”
  10. Leave IP range assignment Static and DHCP

[Step 2.3] Load Balancers Tab

  1. No configuration changes are needed at this time in the Load Balancers tab

[Step 2.4] Security Groups Tab

  1. No configuration changes are needed at this time in the Security Groups tab
  2. Click the Create button
  3. Your result should look like the following

Exercise 2: Create OC-Web-Cloud-Seg Cloud Assembly Network Profile

In this exercise we will configure a new Network Profile in Cloud Assembly for the OC-Web-Cloud-Seg segment.

[Step 1] Connect to vRealize Cloud Assembly (if necessary)

  1. Click + in the Chrome browser to open a new window
  2. Click the vRealize bookmark folder and select vra.vcf.sddc.lab
  3. Click GO TO LOGIN PAGE
  4. Login: Username:  configadmin Password:  VMware123!
  5. Click Cloud Assembly

[Step 2] Create OC-Web-Cloud-Seg Network Profile

  1. Click Infrastructure -> Network Profiles
  2. Click New Network Profile
  3. On the Summary tab, Click on Account/Region and select Holodeck Site-1 / mgmt-datacenter-01
  4. Set the name to “OC-Web-Cloud-Seg”
  5. In the Capabilities section search for or create the following tags
  • “oc-cloud-network:oc-web”
  • “DeploymentType:Holodeck”

 

 

[Step 2.1] Add Networks on Networks Tab

  1. Click on Networks tab, then Add Network
  2. Click in the Filter area; type “edge”  and select the Any: property
  3. Select both VCF-edge networks
  4. Click Add button

 

 

[Step 2.2] Add Network Policy on Network Policies Tab

  1. Click Network Policies
  2. Set Isolation policy to On-demand network
  3. Set transport zone to mgmt-domain-tz-overlay01
  4. Set External network to VCF-edge_EC-01_segment_uplink1_11
  5. Set Tier-0 Logical router to VLC-Tier-0
  6. Set Edge Cluster to EC-01
  7. Leave Source at Internal (VRA will act as IPAM for this segment)
  8. Set CIDR to “10.1.6.1/24”
  9. Set Subnet size to “/28 (-14 IP addresses)”
  10. Leave IP Range Assignment Static and DHCP

 

[Step 2.3] Load Balancers Tab

  1. No configuration changes are needed at this time in the Load Balancers tab

 

[Step 2.4] Security Groups Tab

  1. No configuration changes are needed at this time in the Security Groups tab
  2. Click Create button

Exercise 3: Upload and Review “Holodeck OpenCart Cloud Network” Cloud Template

This exercise will upload the cloud template that will deploy an instance of the OpenCart demo application to the networks you created in the previous exercises.

[Step 1] Connect to vRealize Cloud Assembly (if necessary)

  1. Click + in the Chrome browser to open a new window
  2. Click the vRealize bookmark folder and select vra.vcf.sddc.lab
  3. Click GO TO LOGIN PAGE
  4. Login: Username:  configadmin Password:  VMware123!
  5. Click Cloud Assembly

[Step 2] Upload Cloud Template

  1. Click Design
  2. Click New From -> Upload
  3. Name the template Holodeck OC Cloud Network
  4. Select VLC-Holodeck for project
  5. Click Select File
  6. Browse to the C:\VLC\VLC-Holo-Site-1\Holo-Build\Holo-VRA-Lab-File directory
  7. Select the Holodeck Opencart Cloud Network Lab v4.yml file, then click Open
  8. Click Upload

[Step 3] Review Cloud Template

Prior to deployment, we will take a quick look at what the template will deploy. As this is now an active template, please be careful not to make any changes.

  1. Click on the link for the Holodeck OC Cloud Network template uploaded in the previous step
  2. Note that the template has nine resources:
    • 2 Network resources which create on-demand NSX networks and T1 routers
    • An on-demand NSX Load Balancer and virtual servers for this instance of Opencart
    • 1 or more Apache web servers (the number of servers is set when the user deploys the template)
    • An instance of MySQL for this Opencart application
    • 2 Allow Security objects attached to their respective virtual machines, creating on-demand security policies per VM type. These rules explicitly set what traffic is allowed to pass to the virtual machine
    • 2 Deny All resources that effectively block all traffic not explicitly allowed by the Allow security resources. The allow and deny rules are separate resources to ensure the allow rules are always examined first

 

 

  1. Click on the OC-Web-Cloud-Seg resource

This highlights the relevant part of the YAML file for this cloud template.

Note the OC-Web-Cloud-Seg resource will create a new “routed” network. It will match a network profile that has the capabilities oc-cloud-network:oc-web and DeploymentType:Holodeck.

 

 

  1. Click on the OC-DB-Cloud-Seg resource

The OC-DB-Cloud-Seg resource has constraints of oc-fixed-network:oc-db and DeploymentType:Holodeck that will need to be matched by a corresponding network profile.

 

 

  1. Click on the OC-Cloud-LB load balancer resource.

The load balancer resource will create a new load balancer and virtual server resources on the OC-Web-Cloud-Seg segment, with the members of the server pool (instances) based on the number of OC-Apache-Cloud web servers this template deploys. The load balancer is configured to listen on port 80 (Protocol and Port) and to talk to the backend Apache servers on port 80 (InstanceProtocol and InstancePort).

 

 

  1. Click on the OC-Apache-Cloud-Sec-Group resource

This resource creates an on-demand distributed firewall policy that applies to virtual machines created by the OC-Apache-Cloud VM resource. This creates a set of rules similar to what you have created and used in the previous OpenCart lab modules. Notice this group depends on the OC_Apache_Deny_All resource. This means the allow rules will be created after the Deny rule, allowing specific traffic to flow.

 

 

  1. Click on the OC-MySQL-Cloud-Sec-Grp resource

This resource creates specific security rules that apply to virtual machines created by the OC-MySQL-Cloud resource.

Notice the OC-MySQL-Cloud-FW resource uses a source of '${resource["OC-Apache-Cloud-Sec-Grp"].id}'

This sets the source to the VMs created in the OC-Apache-Cloud-Sec-Grp. Similar to the last example, the SQL allow rules depend on the Deny_All rule being established first.

  1. Click on the OC-Apache_Deny_All resource

Notice that it and the corresponding OC-DB_Deny_All block all inbound traffic to their respective resources.
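The network constraints and the allow/deny security pattern reviewed in this step, written out as an added illustrative Cloud Assembly template fragment; this is not the lab's own "Holodeck Opencart Cloud Network Lab v4.yml", whose contents are not reproduced here. Resource names follow the page; the image mapping name, the rule names, the MySQL port 3306 and the use of protocol ANY in the deny rule are assumptions, and the MySQL machine and the OC-DB-Cloud-Seg network are omitted for length.

```yaml
formatVersion: 1
# Added illustrative fragment, not the lab's "Holodeck Opencart Cloud Network Lab v4.yml".
# Resource names follow the lab text; image name, rule names and port 3306 are assumptions.
resources:
  OC-Web-Cloud-Seg:
    type: Cloud.NSX.Network
    properties:
      networkType: routed      # Cloud Assembly creates the segment and its Tier-1 on demand
      constraints:             # every tag must be present as a capability tag on the chosen Network Profile
        - tag: 'oc-cloud-network:oc-web'
        - tag: 'DeploymentType:Holodeck'
  OC-Apache-Cloud:
    type: Cloud.vSphere.Machine
    properties:
      image: ubuntu            # image mapping name (assumption)
      flavor: small            # matches "Flavor = Small" in the Flavor Mapping
      networks:
        - network: '${resource["OC-Web-Cloud-Seg"].id}'
          securityGroups:      # both on-demand policies are applied to every web VM
            - '${resource["OC-Apache_Deny_All"].id}'
            - '${resource["OC-Apache-Cloud-Sec-Grp"].id}'
  OC-Apache_Deny_All:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: new
      rules:                   # drop all inbound traffic that no allow rule explicitly permits
        - {name: deny-all-inbound, direction: inbound, protocol: ANY, access: Drop, source: any}
  OC-Apache-Cloud-Sec-Grp:
    type: Cloud.SecurityGroup
    dependsOn:
      - OC-Apache_Deny_All     # created after the deny policy so the allow rules are evaluated first
    properties:
      securityGroupType: new
      rules:
        - name: allow-http
          direction: inbound
          protocol: TCP
          ports: 80
          access: Allow
          source: any
  OC-DB_Deny_All:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: new
      rules:
        - {name: deny-all-inbound, direction: inbound, protocol: ANY, access: Drop, source: any}
  OC-MySQL-Cloud-Sec-Grp:
    type: Cloud.SecurityGroup
    dependsOn:
      - OC-DB_Deny_All         # same ordering as the web tier
    properties:
      securityGroupType: new
      rules:
        - name: allow-mysql-from-web-tier
          direction: inbound
          protocol: TCP
          ports: 3306          # standard MySQL port (assumption; the lab's rule set is not reproduced)
          access: Allow
          source: '${resource["OC-Apache-Cloud-Sec-Grp"].id}'   # only VMs in the Apache group, not any
```

Scoping the MySQL source to the Apache security group rather than `any` is what keeps the database tier reachable only from the web tier, even though both segments are routed through the same Tier-0.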

Exercise 4: Deploy Holodeck-OC-Cloud-Network Cloud Template

This exercise will deploy an instance of the OpenCart demo application to the networks you created in the previous exercises.

[Step 1] Connect to vRealize Cloud Assembly (if necessary)

  1. Click + in the Chrome browser to open a new window
  2. Click the vRealize bookmark folder and select vra.vcf.sddc.lab
  3. Click GO TO LOGIN PAGE
  4. Login: Username:  configadmin Password:  VMware123!
  5. Click Cloud Assembly

[Step 2] Test Cloud Template

  1. If necessary, click Design
  2. Click on the Holodeck OC Cloud Network link
  3. Click Test
  4. Click Test again to run the test
  5. Your result should be as shown
  6. Click the X to close the test window

[Step 3] Deploy Cloud Template

  1. Click Deploy
  2. Leave as Create a new deployment
  3. Name the deployment Opencart Cloud Network
  4. Leave Cloud Template Version as Current Draft
  5. Click Next
  6. Leave Node Size as small
  7. Leave Front End Cluster Size at medium
  8. Click Deploy
  9. Observe the deployment process beginning
  10. In about 10-15 minutes you should see a Create Successful status
  11. Notice that this deployment took approximately 7 minutes
  12. Click History
  13. Scroll back and review the sequence of resource creation

Exercise 5: Review Provisioning Diagram

This exercise will review the Cloud Assembly Provisioning Diagram following a deployment. This is one of the best troubleshooting tools available for diagnosing failing deployments. This exercise will only show the initial network allocation, to familiarize you with navigating the provisioning diagram.

[Step 1] Access Provisioning diagram

  1. If your deployment history is still on screen, simply click on the Provisioning Diagram link
  2. Alternatively, access the diagram from Resources -> Deployments and select your deployment
  3. Then click History and Provisioning Diagram

[Step 2] Review Network Allocation for OC-Web-Cloud-Seg

  1. The initial screen presented defaults to the first network provisioned, which in this lab is OC-Web-Cloud-Seg
  2. In the Request row, the box describes the item to be created. In this case we are creating a new network space because the type is ROUTED
  3. In the Projects row, the box shows the project that contains this template. Access to resources can be controlled with projects
  4. The Network Profiles row shows the various network profiles Cloud Assembly walks through to choose where to allocate this network. In effect, Cloud Assembly chooses the first Network Profile it finds that meets the constraints of the object being provisioned. The chosen Network Profile is outlined in GREEN, while the unchosen profiles are outlined in RED and show which constraints were not matched.
  5. Network Profile OC-Web-Cloud-Seg meets the constraints of this resource
  6. The remaining Network Profiles do not meet the constraints and are ineligible

 

[Step 3] Review Network Allocation for OC-DB-Cloud-Seg

 

  1. Click on the blue Network Allocation box and select the OC-DB-Cloud-Seg
  2. Notice how the Network Profile that meets the constraints for OC-DB-Cloud-Seg changes

Exercise 6: Review deployed Opencart application

This exercise will review the components deployed by the Cloud Template.

[Step 1] Test web servers

  1. Select Resources -> Deployments
  2. Click the > next to Opencart Cloud Network
  3. Note the following:
  • Two deployed OC-Apache-Cloud-XXX web servers on the 10.1.6.x network, with IP addresses controlled by Cloud Assembly for DHCP on the OC-Web-Cloud-Seg. (Note: The numeric suffix after the resource name is set by Cloud Assembly to keep resource names unique. This naming mechanism was chosen during initial Cloud Assembly setup in this environment.)
  • An OC-MySQL-Cloud-XXX resource on the 10.1.5.x network
  • An NSX Load Balancer on the 10.1.6.x network, with an IP address in the range controlled by Cloud Assembly on the OC-Web-Cloud-Seg

  4. Double-click the OC-Cloud-LB-XXX IP and go to that IP address (or open a new browser window to that IP address)
  5. You should see the OpenCart application page

[Step 2] Review in vCenter Server

  1. Click + in the Chrome browser to open a new window if necessary
  2. Click the Mgmt Domain Folder then vCenter bookmark in the bookmark bar
  3. Login: Username:  administrator@vsphere.local Password:  VMware123!
  4. From the Hosts and Clusters view, select one of the OC-Apache-Cloud web servers identified in the Cloud Assembly Deployment Summary. In this example the machines are OC-Apache-Cloud-473 and OC-Apache-Cloud-474
  5. Notice that the CPU and Memory sizes match “Flavor = Small” from the Cloud Assembly Flavor Mapping

The VM is connected to OC-Web-Cloud-Seg based on the OC-Web-Cloud-Seg Network Profile selected for this VM. This profile was selected because the constraint oc-cloud-network:oc-web matched the capability tag in the network profile.

 

[Step 3] Review in NSX Manager

  1. Open a new tab in the Chrome browser (if needed)
  2. Click the Mgmt Domain folder and Mgmt NSX shortcut in the bookmark bar (click Advanced / Proceed to nsx-mgmt.vcf.sddc.lab if required to accept the certificate)
  3. Log into NSX Manager as user admin with the password VMware123!VMware123!
  4. From the NSX-T Manager interface click the Networking tab
  5. Select Network Topology
  6. Click to expand the Tier-1 gateways
  7. You should see the OC-Web-Cloud-Seg-XXX resources on the left. Note that when using a network of type ROUTED, Cloud Assembly dynamically allocates an NSX Tier-1 distributed router per segment created
  8. Click once on the 2 Services link. Note that Cloud Assembly has created a Load Balancer on this Tier-1
  9. Expand the two virtual machines on the segment and click on the 1 Service on the segment. Notice our two OC-Apache-Cloud-XXX virtual machines and the DHCP service on the segment. For networks of type ROUTED, Cloud Assembly takes care of DHCP for virtual machines on the segment (versus NSX in the fixed network case)
  10. Scroll to the right of the network topology map to find the OC-DB-Cloud-Seg-XXX segment and its associated Tier-1 router. Here we only have one service on the Tier-1 router (default gateway firewall rules) and no load balancer
  11. Click Networking -> Load Balancing. Notice the on-demand OC-Cloud-LB-XXX resource
  12. Click on the virtual servers link within this load balancer line. Note the Virtual Server IP address created on the 10.1.6.x network under Cloud Assembly control
  13. Click on the Server Pool link. Notice the server pool dynamically created by Cloud Assembly
  14. Close the server pool view
  15. Click Security -> Distributed Firewall. Note the four On Demand security policies created by Cloud Assembly. By creating the Deny_All rules first, we ensure that the explicit Allow rules for Apache and MySQL are evaluated first.
  16. Click the > next to the OC-MySQL-Cloud-Sec-Grp
  17. Notice the rules created based on the rules configured on the OC-MySQL-Cloud-Sec-Grp in the cloud template (Cloud template snippet included for reference)

 

 

Exercise 7: Delete deployed Opencart application

This exercise will delete the components deployed by Cloud Assembly.

[Step 1] Connect to vRealize Cloud Assembly (if necessary)

  1. Click + in the Chrome browser to open a new window
  2. Click the vRealize bookmark folder and select vra.vcf.sddc.lab
  3. Click GO TO LOGIN PAGE
  4. Login: Username:  configadmin Password:  VMware123!
  5. Click Cloud Assembly

[Step 2] Delete Deployment 

  1. Click Close on the deployment history if needed
  2. Click the three dots next to Opencart Fixed Network
  3. Click Delete
  4. Click Submit (the delete process usually takes 2-3 minutes to complete)
  5. Optional: If you have a vCenter Server window open during the delete process, you will see the virtual machines power off and be deleted

Module summary

This module builds on the concepts introduced in the SDN and VRA with preexisting networks module. In this module the network and security requirements for the application are configured as part of the application definition. This is a key concept of shifting to a cloud consumption model.

 


 
