Date: 2017-03-29
Version: 1.0
Figure 4 is a simplified network diagram which shows the management and workload ESGs. It also shows
a NSX Distributed Logical Router (DLR) and workload VXLAN. These components are intended to be an
initial landing point for customer workloads without requiring the specific knowledge to set them up within
NSX. This can facilitate a decreased time to value when deploying VCS/VCF for demonstration purposes
or customer POCs. A DLR is typically employed to route inter-VCF/VCS traffic which is typically termed
“east-west” traffic between separate layer 2 networks within the instance. This is in contrast to an ESG,
which facilitates “north-south” network traffic traversing in and out of the VCS/VCF instance.
While a single ESG could suffice for both management and customer traffic, the separation of management
and customer traffic is a design decision made primarily to prevent accidental misconfiguration of the
management edge. Note that misconfiguring or disabling the management ESG does not keep the
VCF/VCS instance from functioning, but it would disable all portal management functions.
2.2.1.3 Subnets
The following subnets will be utilized for the purposes of the Management ESG:
| Interface | Interface type | IP v4 subnet type | Range | Description |
|---|---|---|---|---|
| Public Uplink | Uplink | IBM Cloud portable public | /30 – renders one assignable IP address | Public internet facing interface |
| Private Uplink | Uplink | IBM Cloud portable private (existing management) | /26 – renders 61 assignable IP addresses | Internal private network facing interface |
| Internal | Internal | Link local | 169.254.0.0/16 | Internal interface used for ESG HA pair communication |

Table 3 NSX ESX IP Configuration
As Figure 6 (Example Customer network flow diagram) shows, the Workload ESG is attached to both the
public and private IBM Cloud networks. This allows for workload access to and from internet facing
traffic, but also allows for a site-to-site VPN to be created from either public or private IBM Cloud
networks. This is useful especially in a POC process as it allows for drastically decreased time to value
with regards to connecting to on-premises networks since it can take months to bring up a dedicated WAN
due to particular customer security requirements. However, once a dedicated link is in place, the VPN can
be “flipped” over to traverse that link without affecting the overlay network inside the VPN tunnel or
within the VCF/VCS instance. Once this is done, the public interface for the workload ESG can simply be
removed if it is desired from a security perspective.
The topology portrayed in the diagram above consists of the following NSX components:
NSX Edge appliance (ESG)
Distributed Logical Router (DLR)
VXLAN (L2 over L3)
In this design, a DLR is employed to allow for potential “east-west” routing between local
workload connected L2 networks. As this topology is intended to be a simple example, only one
L2 network intended for workloads is described. Adding additional security zones can be achieved
by simply adding additional VXLANs attached to new interfaces on the DLR. The following are
the DLR interfaces to be configured:
| Interface | Interface type | Connected to | Description |
|---|---|---|---|
| Transit Uplink | Uplink | Workload-Transit | Transit VXLAN between the Workload ESG and the Workload DLR |
2.2.2.2 Subnets
The following are example subnets to be utilized for the purposes of the Workload ESG:
| Interface | Interface type | IP v4 subnet type | Range | Description |
|---|---|---|---|---|
| Public Uplink (ESG) | Uplink | IBM Cloud portable public | /30 – renders one assignable IP address (customer can order additional IPs separately) | Public internet facing interface |
| Private Uplink (ESG) | Uplink | IBM Cloud portable private (existing management) | /26 – renders 61 assignable IP addresses | Internal private network facing interface |
2.2.2.4 Routing
Within this design, the only requirement for Workloads traversing the DLR to the Workload ESG
is to access the internet. The Workload ESG needs to understand the path to the workload
VXLAN and any future workload VXLAN/subnets created behind the DLR. While this could be
achieved via static routes on the ESG, the intent of the workload topology is that of a
demonstrated best practice design. As such, OSPF will be configured between the Workload ESG
and the downstream DLR. See
https://pubs.vmware.com/NSX-6/index.jsp?topic=%2Fcom.vmware.nsx.admin.doc%2FGUID-6E985577-3629-42FE-AC22-C4B56EFA8C9B.html
for the configuration procedure.

| Area | OSPF type | OSPF interface IP | OSPF authentication |
|---|---|---|---|
| 51 | stub | Assign an IP to each of the DLR and ESG on the transit RFC1918 network | None |

Table 11 Dynamic Routing
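The following is an added example, not code from the IBM or VMware documentation: a small design lint that checks a constructed description of the Workload ESG/DLR OSPF peering against the constraints stated in Table 11 (single RFC1918 transit network, stub area, OSPF kept off the public uplink) and flags the authentication setting. The transit addresses, the `DESIGN` structure and the `lint`/`assignable_ips` helpers are assumptions for illustration; only the area, type and authentication values come from the table.

```python
"""Added example, not from the design document: lint the Workload ESG <-> DLR OSPF
design of Table 11. DESIGN is a constructed input; its transit addresses are assumed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def assignable_ips(prefix_len):
    """Usable hosts on an IBM Cloud portable subnet: network, gateway and broadcast are
    reserved, which is why a /30 renders 1 and a /26 renders 61 assignable addresses."""
    return 2 ** (32 - prefix_len) - 3


# Constructed design mirroring the tables above; the 172.16.0.0/29 transit is an assumption.
DESIGN = {
    "ospf": {"area": 51, "type": "stub", "auth": "None"},
    "interfaces": [
        {"device": "Workload-ESG", "name": "Transit Uplink", "ip": "172.16.0.1/29", "ospf": True},
        {"device": "Workload-DLR", "name": "Transit Uplink", "ip": "172.16.0.2/29", "ospf": True},
        {"device": "Workload-ESG", "name": "Public Uplink", "ip": "203.0.113.2/30", "ospf": False},
    ],
}


def lint(design):
    """Return (severity, message) findings; an empty list means the design passes."""
    findings = []
    ospf_ifaces = [i for i in design["interfaces"] if i["ospf"]]
    nets = {ipaddress.ip_interface(i["ip"]).network for i in ospf_ifaces}
    # Table 11: the ESG and DLR peer on exactly one RFC1918 transit network.
    if len(nets) != 1:
        findings.append(("error", "OSPF interfaces do not share a single transit network"))
    for net in nets:
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append(("error", f"transit network {net} is not RFC1918"))
    # OSPF belongs only on the transit link; an OSPF neighbour on the public uplink
    # could feed routes to the ESG, so any non-RFC1918 OSPF interface is an error.
    for i in ospf_ifaces:
        addr = ipaddress.ip_interface(i["ip"]).ip
        if not any(addr in r for r in RFC1918):
            findings.append(("error", f"OSPF enabled on non-RFC1918 interface {i['name']} ({i['device']})"))
    if design["ospf"]["type"] != "stub":
        findings.append(("warn", "area should be stub: the DLR only needs a default route from the ESG"))
    if design["ospf"]["auth"] == "None":
        findings.append(("warn", "OSPF authentication is None; enable it before production use"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(DESIGN):
        print(f"{severity}: {message}")
```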
2.3 Multi-Site
2.3.1 Overview
One key differentiator between IBM Cloud and other cloud offerings is the ability to provision dedicated
compute capability across the globe and have that on demand infrastructure automatically network
connected within the customer’s private IBM Cloud account. The software defined network capabilities of
Cloud Foundation, in concert with IBM Cloud, provide a granularly defined global infrastructure that can be
built within days with just a few mouse clicks. The following describes a multi-site architecture
example of what can be achieved with the out of the box capability of Cloud Foundation.