VMware vCloud Director - 1.5 User’s Guide

vCloud Director User's Guide
vCloud Director 1.5
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000635-00
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2010, 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

vCloud Director User's Guide 7

1 Getting Started with vCloud Director 9
   Understanding VMware vCloud Director 9
   Log In to the Web Console 10
   Using vCloud Director 10
   Set Mozilla Firefox Options 11
   Set Microsoft Internet Explorer Options 12
   Set User Preferences 13
   Change Your Password 13

2 Managing Users and Groups 15
   Managing Users 15
   Working with Groups 18

3 Managing Cloud Resources 21
   Managing Virtual Datacenters 21
   Managing Organization Networks 22
   Managing Expired Items 36

4 Working in an Organization 37
   Understanding Leases 37
   Set Up an Organization 38
   Review Your Organization Profile 40
   Modify Your Email Settings 41
   Modify Your Organization's Policies 41
   Set Default Domain for Organization Virtual Machines 42
   Manage Users and Groups in Your Organization 42
   Manage Resources in Your Organization 42
   Manage Virtual Machines in Your Organization 43
   Viewing Organization Log Tasks and Events 43

5 Working with Catalogs 45
   Add a New Catalog 45
   Access a Catalog 46
   Publish a Catalog 46
   Share a Catalog 47
   Change the Owner of a Catalog 47
   Delete a Catalog 48
   Modify the Properties of Your Catalog 48
   Understanding Catalogs and Their Contents 48
   Working in Published Catalogs 49

6 Working with Media Files 51
   Upload Media Files 51
   Resume the Upload of a Media File 52
   Copy Media Files to a Catalog 52
   Move Media Files to Another Catalog 52
   Delete Media Files 53
   Modify Media File Properties 53

7 Working with vApp Templates 55
   Open a vApp Template 55
   Add a vApp Template to My Cloud 56
   Download a vApp Template 56
   Upload an OVF Package as a vApp Template 57
   Resume the Upload of a vApp Template 57
   Copy a vApp Template from a Public Catalog to an Organization Catalog 58
   Copy a vApp Template Between an Organization's Catalogs 58
   Move a vApp Template Between an Organization's Catalogs 59
   Delete a vApp Template 59
   Save a vApp as a vApp Template 59
   Modify vApp Template Properties 60

8 Working with vApps 61
   Create a vApp From a vApp Template 62
   Create a New vApp 62
   Copy a vApp 64
   Start a vApp 64
   Start a vApp with an Older Version of VMware Tools 64
   Stop a vApp 65
   Suspend a vApp 65
   Discard the Suspended State of a vApp 65
   Reset a vApp or Virtual Machine 66
   View vApp Virtual Machines 66
   Add Virtual Machines to a vApp 66
   Remove Virtual Machines from a vApp 67
   Set vApp Start and Stop Options 67
   Working with Networks in a vApp 68
   Display a vApp Diagram 78
   Modify a vApp Name and Description 78
   Modify vApp OVF Environment Properties 79
   Reset vApp Leases 79
   Share a vApp 79
   Change the Owner of a vApp 80
   Upgrade the Virtual Hardware Version for a vApp 80
   Save vApp as a vApp Template to Your Catalog 81
   Copy a vApp to Another vDC 81
   Move a vApp to Another vDC 81
   Delete a vApp 82

9 Working with Virtual Machines 83
   Open a Virtual Machine Console 84
   Power On a Virtual Machine 84
   Power Off a Virtual Machine 84
   Reset a vApp or Virtual Machine 85
   Suspend a Virtual Machine 85
   Resume a Suspended Virtual Machine 85
   Discard the Suspended State of a Virtual Machine 85
   Insert a CD/DVD 86
   Eject a CD/DVD 86
   Insert a Floppy 86
   Eject a Floppy 86
   Upgrade the Virtual Hardware Version for a Virtual Machine 87
   Connect Remotely to a Virtual Machine 87
   Copy or Move a Virtual Machine to a vApp 87
   Delete a Virtual Machine 88
   Modify Virtual Machine General Properties 88
   Modify Virtual Machine CPUs and Memory 89
   Modify Virtual Machine OVF Environment Properties 89
   Configuring Virtual Machine Resource Allocation Settings 90
   Modifying Virtual Machine Hard Disks 91
   Modifying Virtual Machine Network Interfaces 92

Installing VMware Tools 94
Guest Operating Systems 104
Index 115

vCloud Director User's Guide

The VMware vCloud Director User's Guide provides information about managing organizations, catalogs, vApps, and virtual machines.
Intended Audience
This book is intended for anyone who wants to set up and configure organizations in VMware vCloud Director. The information in this book is written for non-system administrators, including organization administrators who will create and set up vApps, catalogs, and virtual machines.

Chapter 1 Getting Started with vCloud Director

When you log in to the vCloud Director Web console, the Home tab provides access to your resources and links to common tasks.
You can also set your user preferences and view the product help.
This chapter includes the following topics:
• “Understanding VMware vCloud Director,” on page 9
• “Log In to the Web Console,” on page 10
• “Using vCloud Director,” on page 10
• “Set Mozilla Firefox Options,” on page 11
• “Set Microsoft Internet Explorer Options,” on page 12
• “Set User Preferences,” on page 13
• “Change Your Password,” on page 13

Understanding VMware vCloud Director

VMware® vCloud Director provides role-based access to a Web console that allows the members of an organization to interact with the organization's resources to create and work with vApps and virtual machines.
Before you can access your organization, a vCloud Director system administrator must create the organization, assign it resources, and provide the URL to access the Web console. Each organization includes one or more organization administrators, who finish setting up the organization by adding members and setting policies and preferences. After the organization is set up, non-administrator users can log in to create, use, and manage virtual machines and vApps.
Organizations
An organization is a unit of administration for a collection of users, groups, and computing resources. Users authenticate at the organization level, supplying credentials established by an organization administrator when the user was created or imported. System administrators create and provision organizations, while organization administrators manage organization users, groups, and catalogs.
Users and Groups
An organization can contain an arbitrary number of users and groups. Users can be created locally by the organization administrator or imported from a directory service such as LDAP. Groups must be imported from the directory service. Permissions within an organization are controlled through the assignment of rights and roles to users and groups.
Virtual Datacenters
An organization virtual datacenter (vDC) provides resources to an organization. vDCs provide an environment where virtual systems can be stored, deployed, and operated. They also provide storage for virtual media, such as floppy disks and CD ROMs. An organization can have multiple vDCs.
Organization Networks
An organization network is contained within a vCloud Director organization and is available to all the vApps in the organization. An organization network allows vApps within an organization to communicate with each other. An organization network can be connected to an external network or isolated and internal to the organization. Only system administrators can create organization networks, but organization administrators can manage organization networks, including the network services they provide.
vApp Networks
A vApp network is contained within a vApp and allows virtual machines in the vApp to communicate with each other. You can connect a vApp network to an organization network to allow the vApp to communicate with other vApps in the organization and outside of the organization, if the organization network is connected to an external network.
Catalogs
Organizations use catalogs to store vApp templates and media files. The members of an organization that have access to a catalog can use the catalog's vApp templates and media files to create their own vApps. Organization administrators can copy items from public catalogs to their organization catalog.

Log In to the Web Console

Use the organization URL to log in to your organization and access the Web console.
Contact your organization administrator if you do not know the organization URL.
Procedure
1 In a browser, type the URL of your organization and press Enter.
For example, type https://cloud.example.com/cloud/org/myOrg.
2 Type your user name and password and click Login.
What to do next
The Web console displays a list of the common tasks and resources available to you based on your role. An organization administrator can click the Set up this organization link on the Home tab to finish setting up a newly created organization. See “Set Up an Organization,” on page 38 for more information.

Using vCloud Director

When you log in to vCloud Director, the first page you see is the Home page. The information that appears on this page is the set of most common tasks for your role.
Organization administrators see the Set up this organization link as their first task. They also see tasks under these headings.
• Organizations and resources
• Content
• Users & Groups
The vApps in your organization are displayed for easy access.
Catalog authors see links to these tasks.
• Add Cloud Computer System
• Build new vApp
• Manage Catalogs
• New Catalog
vApp authors see links to these tasks.
• Add Cloud Computer System
• Build new vApp
vApp users see links to these tasks.
• Add Cloud Computer System
The vApps in your organization are displayed for easy access.
Console Access Only users have read-only access to vCloud Director.

Set Mozilla Firefox Options

These options and settings help you display and use the vCloud Director Web console in Mozilla Firefox.
Prerequisites
You have the following:
• At least Firefox 3.x
• SSL 3.0 Encryption
• TLS 1.0 Encryption
Procedure
1 In Firefox, select Tools > Options.
2 Click Content and select the JavaScript check box.
3 Click Privacy.
4 In the Firefox will: drop-down menu, select Use custom settings for history.
5 Select the Accept cookies from sites check box.
This selection also selects the Accept third-party cookies check box.
6 Click OK.

Bypass the Proxy in Mozilla Firefox

You can configure the Firefox proxy server to bypass certain Web addresses.
If all of these conditions exist, you can configure Firefox to bypass specific Web addresses.
• The internal network is configured with a proxy server to access the external network.
• The browser's proxy server connection has no local exceptions.
• The proxy is not configured to look in the internal network after not finding or connecting to the target on the external network.
• The user looks for a target on the internal network using Firefox.
Procedure
1 Select the option for your operating system.
Operating System   Action
Windows            Tools > Options
Linux              Edit > Preferences
2 Click the Advanced button.
3 On the Network tab, click the Settings button.
4 Enter the IP of the cell or load balancer in the No Proxy for: field.
The specified Web addresses are bypassed by the Firefox proxy server.

Set Microsoft Internet Explorer Options

These options help you display and use the vCloud Director Web console in Microsoft Internet Explorer.
Prerequisites
You have the following:
• At least Internet Explorer 7
• SSL 3.0 Encryption
• TLS 1.0 Encryption
Procedure
1 In Internet Explorer, select Tools > Internet Options.
2 Click the Security tab.
3 Select the Internet content zone for the vCloud Director server.
4 Click Custom Level and select Enable or Prompt for these options.
• Download signed ActiveX controls
• Run ActiveX controls and plug-ins
• Allow META REFRESH
• Active scripting of Microsoft web browser control
5 Click OK.
6 Click the Advanced tab.
7 If you are using Internet Explorer on Windows 2003, complete these tasks.
a Select Start > Settings > Control Panel.
b Select Add or Remove Programs.
c Click Add/Remove Windows Components.
d Disable Internet Explorer Enhanced Security Configuration.

Bypass the Proxy in Internet Explorer

You can configure the Internet Explorer proxy server to bypass certain Web addresses.
If all of these conditions exist, you can configure Internet Explorer to bypass specific Web addresses.
• The internal network is configured with a proxy server to access the external network.
• The browser's proxy server connection has no local exceptions.
• The proxy is not configured to look in the internal network after not finding or connecting to the target on the external network.
• The user looks for a target on the internal network using Internet Explorer.
Procedure
1 Type the IP address of the cell or load balancer so that VMware Remote Console (VMRC) can bypass the proxy setting.
2 Select Tools > Internet Options.
3 On the Connections tab, click LAN Settings in the bottom panel.
4 In the Proxy Server panel, click Advanced.
5 In the Exception panel, in the Do not use proxy server for addresses beginning with: text box, type the IP address of the cell or load balancer.
If the configuration management vehicle supports the use of regular expressions, you must type the DNS name of the cell or load balancer.
6 Click OK.
The specified Web addresses are bypassed by the Internet Explorer proxy server.

Set User Preferences

You can set certain display and system alert preferences that take effect every time you log in to the system.
Procedure
1 In the title bar of the Web console, click Preferences.
2 Click the Defaults tab.
3 Select the page to display when you log in.
4 Select the number of days or hours before a runtime lease expires that you want to receive an email notification.
5 Select the number of days or hours before a storage lease expires that you want to receive an email notification.
6 Click OK.

Change Your Password

If you have a local (non-LDAP) user account, you can change your password.
Procedure
1 Log in to your organization.
2 In the title bar of the Web console, click Preferences.
3 On the Change Password tab, type your current password, type your new password, and retype your new password.
4 Click OK.
vCloud Director logs you out.
What to do next
Log in using your new password.

Chapter 2 Managing Users and Groups

An organization administrator is the only one who can add users and groups to an organization. The organization administrator assigns each user or group a role within the organization. Your role controls what you can see and do in vCloud Director.
An organization administrator can create local user accounts within an organization or import users and groups from an LDAP server. Contact your system administrator to set up an LDAP connection.
These default roles exist in vCloud Director.
Role                         Description
Organization Administrator   Administers the organization
Catalog Author               Creates and publishes new catalogs
vApp Author                  Creates vApps and uses catalogs
vApp User                    Uses vApps created by others
Console Access Only          Uses virtual machine guest operating systems and views virtual machine state and properties
Contact your system administrator to create custom roles.
This chapter includes the following topics:
• “Managing Users,” on page 15
• “Working with Groups,” on page 18

Managing Users

The Users page displays a list of users in your organization. You can see whether the users are active, their role, and whether they are local or LDAP.
As an organization administrator, you can complete these operations.
• Add a new user
• Import users from LDAP
• Send email notifications
• Deactivate a user
• Modify a user's properties
• Delete a user

Add a Local User

Adding local users allows organization administrators to provide access to users who do not exist on an LDAP server. You can also add local users if you do not plan to use an LDAP server.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Click the New User button.
4 Type the user name and password.
5 Select a role.
To create a custom role, contact your system administrator.
6 (Optional) Type the contact information.
7 Select the stored and running virtual machine quota limits for this user.
8 Click OK.
The new user appears on the Users page.

Import an LDAP User

Organization administrators can import users from an LDAP server.
Contact a system administrator to configure LDAP settings for your organization.
Prerequisites
The LDAP settings for the organization must be set up and working.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Click the Import Users from LDAP button.
4 Type the full or partial user name and click Search.
5 Select a user and click Add.
6 Select a role for the imported user.
7 Click OK.
vCloud Director imports the selected user from your LDAP server into your organization.

Edit a User

An organization administrator can edit local user properties such as the password, role, contact information, and quotas. For LDAP users, you can only edit their role and quotas.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Select a user, right-click, and click Properties.
4 Modify the necessary properties and click OK.

Delete a User

If a user leaves the company or moves to another organization, an organization administrator can delete a user from the organization.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Select a user, right-click, and select Disable Account.
4 Reselect this user, right-click, and select Delete.
5 Click OK.
The user is deleted from your organization.

Send User Notifications

An organization administrator can send an email notification to users to notify them of events or issues in the organization.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Click the Notify button.
If you select a user and then click this button, the user's name appears as the recipient.
4 Select the recipients and type a subject.
5 Type the message.
6 Click Send Email.
The notification is sent to the selected recipients.

Delete Users in Lost and Found

If a user in your organization is removed from a group, if their group is disabled/removed in LDAP, or if the user is deleted/disabled in LDAP, the user appears on the Lost & Found page. An organization administrator can delete the user from the system and assume ownership of the user's objects (for example vApps and vApp templates).
Procedure
1 Click Administration.
2 In the left pane, select Members > Lost & Found.
3 Right-click a user in the list and click Delete.
4 Click OK.
vCloud Director transfers ownership of the user's objects to you unless you deselect the Transfer user's objects to me check box.

Disable or Enable User Accounts

An organization administrator can disable a user account to log the user out of the Web console and prevent the user from logging in again. You can enable a user to allow them to log in.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Select a user, right-click, and select Disable Account or Enable Account.
Disabled user accounts have a red circle in the Enabled column and enabled user accounts have a green check mark.
What to do next
After you disable a user's account, you can delete that user. See “Delete a User,” on page 17.

View and Change a User's Role

An organization administrator assigns a role when adding a user to the organization. The organization administrator can change the user's role later to give the user more rights or fewer rights.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Select a user, right-click, and select Properties.
4 In the User role in organization: drop-down menu, select a new role for the user.
The definition of each role appears as a tool tip.
5 Click OK.

Working with Groups

On the Groups page, you can review the list of groups in your organization.
You can see group names and their assigned roles. As an organization administrator, you can import groups into your organization, delete groups from your organization, and modify the role of a group.

Import a Group

An organization administrator can import LDAP groups into an organization.
Contact a system administrator to configure LDAP settings for your organization.
Prerequisites
The LDAP settings for the organization must be set up and working.
Procedure
1 Click Administration.
2 In the left pane, select Members > Groups.
3 Click the Import Groups from LDAP button.
4 Type the full or partial group name and click Search.
5 Select a group and click Add.
6 Select a role for the group.
All the users in the group will be assigned this role.
7 Click OK.
The group is imported into your organization.

Delete a Group

An organization administrator can delete a group to remove it from the organization.
Deleting a group from an organization affects users who are members of the organization based solely on their membership in the deleted group. These users will not be able to log in to the organization. When you delete a group from an organization the group still exists in LDAP.
Procedure
1 Click Administration.
2 In the left pane, select Members > Groups.
3 Select a group, right-click, and select Delete.
4 Click Yes.

Modify the Role of a Group

An organization administrator can review and modify the role assigned to a group in your organization.
Procedure
1 Click Administration.
2 In the left pane, select Members > Groups.
3 Select a group, right-click, and select Properties.
4 Select another role for this group.
5 Click OK.
The new role for this group appears in the Groups page.

Chapter 3 Managing Cloud Resources

A vCloud Director system administrator creates and assigns virtual datacenters and networks to an organization. An organization administrator can view information about these resources and perform a limited set of management tasks. Contact your system administrator if you need more organization virtual datacenters or organization networks.
This chapter includes the following topics:
• “Managing Virtual Datacenters,” on page 21
• “Managing Organization Networks,” on page 22
• “Managing Expired Items,” on page 36

Managing Virtual Datacenters

Virtual datacenters (vDCs) provide processor, memory, and storage resources to your organization. They are assigned to your organization by your system administrator. An organization can have multiple vDCs.

Display Virtual Datacenters

When you display the vDCs in your organization, you can monitor the resources, users, and policy settings that you manage.
You are an organization administrator.
Procedure
1 Click Administration.
2 In the left pane, select Cloud Resources > Virtual Datacenters.
A list of vDCs in your organization appears in the right pane.
3 For details about a vDC, right-click, and select Open.
The vApps, vApp templates, media, and networks attached to this vDC are displayed. When you click through each tab, you can right-click an object to see the operations you can complete.

Review Virtual Datacenter Properties

You can review the properties of the vDCs that are assigned to your organization.
Procedure
1 Click Administration.
2 Select Cloud Resources > Virtual Datacenters.
3 Select a vDC, right-click, and select Properties.
4 Review the properties and click OK.
What to do next
To modify your organizational vDCs, contact your system administrator.

Monitor Your Virtual Datacenter

You can monitor the vDC assigned to your organization and determine when to request additional capacity.
You are an organization administrator.
Procedure
1 Click Administration.
2 Select Cloud Resources > Virtual Datacenters.
3 Click the Monitor button.
Details about the processor, memory, storage, and allocation model appear.
What to do next
Contact your system administrator for more capacity.

Manage Your Virtual Datacenters

You can review information such as the status, allocation model, and the number of vApps in a vDC in your organization.
You are an organization administrator.
Procedure
1 Click Administration.
2 In the left pane, select Cloud Resources > Virtual Datacenters.
3 Click the Manage button.
4 Review the information.
What to do next
You can open the vDC to see the objects in it, notify users about issues or changes, or review the vDC's properties. Contact your system administrator to make changes to your vDC.

Managing Organization Networks

Organization networks are created and assigned to your organization by a system administrator. An organization administrator can view information about those networks, configure network services, and more.
There are three types of organization networks.
Table 3-1. Types of Organization Networks
Organization Network Type   Description
Direct    Accessible by multiple organizations. Virtual machines belonging to different organizations can connect to and see traffic on this network. This network provides direct layer 2 connectivity to machines outside of the organization. Machines outside of this organization can connect to machines within the organization directly.
Routed    Accessible only by this organization. Only virtual machines within this organization can connect to this network. This network also provides controlled access to an external network. System administrators and organization administrators can configure network address translation (NAT), firewall, and VPN settings to make specific virtual machines accessible from the external network.
Internal  Accessible only by this organization. Only virtual machines within this organization can connect to and see traffic on this network. This network provides an organization with an isolated, private network that multiple vApps can connect to. This network provides no connectivity to machines outside this organization. Machines outside of this organization have no connectivity to machines within the organization.

Configuring Network Services for an Organization Network

An organization administrator can configure network services, such as DHCP, firewalls, network address translation (NAT), VPN, and static routing for certain organization networks.
The network services available depend on the type of organization network.
Table 3-2. Network Services Available by Network Type
Organization Network Type   DHCP   Firewall   NAT   VPN   Static Routing
Direct                      -      -          -     -     -
Routed                      X      X          X     X     X
Internal                    X      -          -     -     -
Configure DHCP for an Organization Network
Organization administrators can configure certain organization networks to provide DHCP services to virtual machines in the organization.
When you enable DHCP for an organization network, connect a NIC on a virtual machine in the organization to that network, and select DHCP as the IP mode for that NIC, vCloud Director assigns a DHCP IP address to the virtual machine when you power it on.
Prerequisites
A routed organization network or an internal organization network.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization network name and select Configure Services.
4 Click the DHCP tab and select Enable DHCP.
5 Type a range of IP addresses or use the default range.
vCloud Director uses these addresses to satisfy DHCP requests. The range of DHCP IP addresses cannot overlap with the static IP pool for the organization network.
6 Set the default lease time and maximum lease time or use the default values.
7 Click OK.
vCloud Director updates the network to provide DHCP services.
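Step 5 above requires that the DHCP range not overlap the organization network's static IP pool. The following is an added example, not code from this guide or from VMware, that performs that check offline on constructed input before the values are typed into the DHCP tab. It assumes ranges are written as "start - end" IPv4 pairs (the page shows no exact format) and also checks that the range lies inside an assumed network prefix, which the procedure does not state.

```python
import ipaddress

def parse_range(text):
    """Parse 'a.b.c.d - e.f.g.h' (assumed format) into a (start, end) IPv4 pair."""
    parts = text.split("-")
    if len(parts) != 2:
        raise ValueError(f"expected 'start - end', got {text!r}")
    start, end = (ipaddress.ip_address(p.strip()) for p in parts)
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    return start, end

def ranges_overlap(a, b):
    """Inclusive overlap test for two (start, end) address pairs."""
    return a[0] <= b[1] and b[0] <= a[1]

def validate_dhcp_range(dhcp_range, static_pool_ranges, network):
    """Return a list of problems; an empty list means the DHCP range is acceptable.

    network is an assumed prefix such as '192.168.10.0/24'; static_pool_ranges is the
    organization network's static IP pool, one 'start - end' string per range.
    """
    net = ipaddress.ip_network(network, strict=False)
    start, end = parse_range(dhcp_range)
    problems = []
    # The DHCP range must sit inside the organization network itself.
    if start not in net or end not in net:
        problems.append(f"DHCP range {start}-{end} is not inside {net}")
    # Any address shared with the static pool could be handed out twice, so reject overlap.
    for pool in static_pool_ranges:
        pool_start, pool_end = parse_range(pool)
        if ranges_overlap((start, end), (pool_start, pool_end)):
            problems.append(
                f"DHCP range {start}-{end} overlaps static pool {pool_start}-{pool_end}")
    return problems

# Constructed sample values for a routed organization network.
SAMPLE_NETWORK = "192.168.10.0/24"
SAMPLE_STATIC_POOL = ["192.168.10.10 - 192.168.10.99"]

def demo():
    """Check a good range and a conflicting range against the sample static pool."""
    good = validate_dhcp_range("192.168.10.100 - 192.168.10.199", SAMPLE_STATIC_POOL, SAMPLE_NETWORK)
    bad = validate_dhcp_range("192.168.10.50 - 192.168.10.150", SAMPLE_STATIC_POOL, SAMPLE_NETWORK)
    return good, bad

if __name__ == "__main__":
    for label, problems in zip(("good", "bad"), demo()):
        print(label, "->", problems or "ok")
```

Run the file directly to see the two verdicts; the overlapping range is reported against the static pool, which is the condition the Web console rejects.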
Enable the Firewall for an Organization Network
An organization administrator can configure certain organization networks to provide firewall services. Enable the firewall on an organization network to enforce firewall rules on incoming traffic, outgoing traffic, or both.
When you enable the firewall, you can specify a default firewall action to deny all incoming and outgoing traffic or to allow all incoming and outgoing traffic. You can also add specific firewall rules to allow or deny traffic that matches the rules to pass through the firewall. These rules take precedence over the default firewall action. See “Add a Firewall Rule to an Organization Network,” on page 24.
If a system administrator specified syslog server settings and those settings have been applied to the organization network, then you can log events related to the default firewall action. For information about applying syslog server settings, see “Apply Syslog Server Settings to an Organization Network,” on page 35. To view the current syslog server settings see “View Syslog Server Settings for an Organization Network,” on page 35.
Prerequisites
A routed organization network.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization network name and select Configure Services.
4 Click the Firewall tab and select Enable firewall.
5 Select the default firewall action.
6 (Optional) Select the Log check box to log events related to the default firewall action.
7 Click OK.
Add a Firewall Rule to an Organization Network
An organization administrator can add firewall rules to an organization network that supports a firewall. You can create rules to allow or deny traffic that matches the rules to pass through the firewall.
For a firewall rule to be enforced, you must enable the firewall for the organization network. See “Enable the Firewall for an Organization Network,” on page 24.
When you add a new firewall rule to an organization network, it appears at the bottom of the firewall rule list. For information about how to set the order in which firewall rules are enforced, see “Reorder Firewall Rules for an Organization Network,” on page 25.
If a system administrator specified syslog server settings and those settings have been applied to the organization network, then you can log firewall rule events. For information about applying syslog server settings, see “Apply Syslog Server Settings to an Organization Network,” on page 35. To view the current syslog server settings see “View Syslog Server Settings for an Organization Network,” on page 35.
Prerequisites
A routed organization network.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization network name and select Configure Services.
4 Click the Firewall tab and click Add.
5 Type a name for the rule.
6 Select the traffic direction.
7 Type the source IP address and select the source port.
For incoming traffic, the source is the external network. For outgoing traffic, the source is the organization network.
8 Type the destination IP and select the destination port.
For incoming traffic, the destination is the organization network. For outgoing traffic, the destination is the external network.
9 Select the protocol.
10 Select the action.
A firewall rule can allow or deny traffic that matches the rule.
11 Select the Enabled check box.
12 (Optional) Select the Log network traffic for firewall rule check box.
If you enable this option, vCloud Director sends log events to the syslog server for connections affected by this rule.
13 Click OK and OK.
Reorder Firewall Rules for an Organization Network
Firewall rules are enforced in the order in which they appear in the firewall list. An organization administrator can change the order of the rules in the list.
When you add a new firewall rule to an organization network, it appears at the bottom of the firewall rule list. To enforce the new rule before an existing rule, reorder the rules.
Prerequisites
A routed organization network with two or more firewall rules.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization network name and select Configure Services.
4 Click the Firewall tab.
5 Drag the firewall rules to establish the order in which the rules are applied.
6 Click OK.
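The two procedures above hinge on one behaviour: rules are checked top to bottom and the first match wins, so a rule added at the bottom can be shadowed by a broader rule above it. The following is an added example written for this guide, not vCloud Director or vShield Edge code. It models an ordered rule list with a default action and shows a newly added deny rule having no effect until it is moved above an existing allow rule. The rule fields, the `Packet` shape and all addresses are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Simplified model of an ordered organization-network firewall as the guide
# describes it: rules are checked top to bottom, the first match decides, and
# the default action applies when nothing matches. Example code only; it is
# not vCloud Director or vShield Edge code.

@dataclass
class Rule:
    name: str
    direction: str                  # "in" (external -> org network) or "out"
    source: str                     # CIDR, or "any"
    source_port: Optional[int]      # None = any port
    destination: str
    destination_port: Optional[int]
    protocol: str                   # "tcp", "udp", "icmp", or "any"
    action: str                     # "allow" or "deny"
    enabled: bool = True
    log: bool = False

@dataclass
class Packet:
    direction: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    protocol: str

def _addr_matches(cidr, addr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def _port_matches(rule_port, pkt_port):
    return rule_port is None or rule_port == pkt_port

def matches(rule, pkt):
    return (rule.enabled
            and rule.direction == pkt.direction
            and rule.protocol in ("any", pkt.protocol)
            and _addr_matches(rule.source, pkt.src)
            and _port_matches(rule.source_port, pkt.src_port)
            and _addr_matches(rule.destination, pkt.dst)
            and _port_matches(rule.destination_port, pkt.dst_port))

def evaluate(rules, pkt, default_action="deny", log=None):
    """Return (action, matched_rule_name). `log`, if given, is a list that
    receives one line per match on a rule that has logging enabled."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.log and log is not None:
                log.append(f"{rule.name}: {rule.action} {pkt.protocol} "
                           f"{pkt.src}:{pkt.src_port} -> {pkt.dst}:{pkt.dst_port}")
            return rule.action, rule.name
    return default_action, None

def move_rule(rules, name, new_index):
    """Return a reordered copy, as dragging a rule in the Firewall tab does."""
    rule = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r is not rule]
    rest.insert(new_index, rule)
    return rest

# Constructed sample: an existing broad allow, then a deny added later, which
# lands at the bottom of the list exactly as the guide says.
RULES = [
    Rule("allow-web-in", "in", "any", None, "10.1.0.0/24", 80, "tcp", "allow"),
    Rule("block-badnet", "in", "203.0.113.0/24", None, "any", None, "any", "deny", log=True),
]

PROBE = Packet("in", "203.0.113.7", 40000, "10.1.0.5", 80, "tcp")

def verdict_before_reorder():
    return evaluate(RULES, PROBE)

def verdict_after_reorder():
    return evaluate(move_rule(RULES, "block-badnet", 0), PROBE)

if __name__ == "__main__":
    print(verdict_before_reorder())  # ('allow', 'allow-web-in'): the new deny is shadowed
    print(verdict_after_reorder())   # ('deny', 'block-badnet')
```

The practical check this encodes: after adding a deny rule, probe the traffic it is meant to stop and confirm the rule name in the match, not just the verdict, because a default-deny action can mask a rule that never fires.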
Enable IP Masquerading for an Organization Network
An organization administrator can configure certain organization networks to provide IP masquerade services. Enable IP masquerading on an organization network to hide the internal IP addresses of virtual machines from the external network.
When you enable IP masquerade, vCloud Director translates a virtual machine's private, internal IP address into a public IP address for outbound traffic.
Prerequisites
A routed organization network.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization network name and select Configure Services.
4 Click the NAT Mapping tab and select Enable IP Masquerade.
5 Click OK.
Add a Port Forwarding Rule to an Organization Network
An organization administrator can configure certain organization networks to provide port forwarding by adding a NAT mapping rule. Port forwarding provides external access to services running on virtual machines on the organization network.
When you configure port forwarding, vCloud Director maps an external IP address and a port to a service running on a port on a virtual machine for inbound traffic.
When you add a new port forwarding rule to an organization network, it appears at the bottom of the NAT mapping rule list. For information about how to set the order in which NAT mapping rules are enforced, see “Reorder NAT Mapping Rules for an Organization Network,” on page 27.
Only system administrators can assign external IP addresses to a network. Contact your system administrator if your organization network lacks external IP addresses.
Prerequisites
A routed organization network and an external IP address.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization network name and select Configure Services.
4 Click the NAT Mapping tab and click Add.
5 Select Port Forwarding and configure the port forwarding rule.
a Select an external IP address.
b Select an external port.
c Type the IP address of the destination virtual machine.
- If the virtual machine is fenced, type its external IP address.
- If the virtual machine is not fenced, type its internal IP address.
d Select an internal port.
e Select a protocol for the type of traffic to forward.
f Click OK.
6 Click OK.
Add an IP Translation Rule to an Organization Network
An organization administrator can configure certain organization networks to provide IP translation by adding a NAT mapping rule.
When you add a new IP translation rule to an organization network, it appears at the bottom of the NAT mapping rule list. For information about how to set the order in which NAT mapping rules are enforced, see “Reorder NAT Mapping Rules for an Organization Network,” on page 27.
When you create an IP translation rule for a network, vCloud Director adds a DNAT and SNAT rule to the vShield Edge associated with the network's port group. The DNAT rule translates an external IP address to an internal IP address for inbound traffic. The SNAT rule translates an internal IP address to an external IP address for outbound traffic. If the network is also using IP masquerade, the SNAT rule takes precedence.
Only system administrators can assign external IP addresses to a network. Contact your system administrator if your organization network does not have external IP addresses.
Prerequisites
A routed organization network and an external IP address.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization network name and select Configure Services.
4 Click the NAT Mapping tab and click Add.
5 Select IP Translation and configure the rule.
a Select an external IP address.
b Type the IP address of the destination virtual machine.
- If the virtual machine is fenced, type its external IP address.
- If the virtual machine is not fenced, type its IP address.
c Click OK.
6 Click OK.
Reorder NAT Mapping Rules for an Organization Network
NAT mapping rules are enforced in the order in which they appear in the NAT mapping list. An organization administrator can change the order of the rules in the list.
When you add a new NAT mapping rule (IP translation or port forwarding) to an organization network, it appears at the bottom of the NAT mapping rule list. To enforce the new rule before an existing rule, reorder the rules.
Prerequisites
A routed organization network with two or more NAT mapping rules.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization network name and select Configure Services.
4 Click the NAT Mapping tab.
5 Click and drag the rules to establish the order in which the rules are applied.
6 Click OK.
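The four NAT procedures above (IP masquerade, port forwarding, IP translation, and reordering) interact in two ways the text states but does not show: NAT mapping rules are matched first-match in list order, and an IP translation rule's SNAT takes precedence over masquerade for that VM's outbound traffic. The following is an added example written for this guide, not vCloud Director or vShield Edge code. It models the NAT Mapping tab as an ordered rule list plus the masquerade flag, and shows a port forwarding rule on 192.0.2.10:443 being shadowed by an earlier 1:1 IP translation rule for the same external address until the rules are reordered. The `masquerade_ip` field and all addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of the NAT Mapping tab: an ordered list of port-forwarding
# and IP-translation rules evaluated first-match, plus the IP masquerade flag.
# Example code only; it is not vCloud Director or vShield Edge code.

@dataclass
class PortForward:
    external_ip: str
    external_port: int
    internal_ip: str
    internal_port: int
    protocol: str          # "tcp" or "udp"

@dataclass
class IPTranslation:
    external_ip: str       # DNAT target for inbound, SNAT source for outbound
    internal_ip: str

@dataclass
class NatConfig:
    rules: list
    masquerade: bool = False
    masquerade_ip: Optional[str] = None   # public address used when masquerading (assumed)

def inbound(cfg, ext_ip, ext_port, protocol):
    """Map an inbound (external IP, port) to an internal (IP, port); None = no mapping."""
    for rule in cfg.rules:
        if isinstance(rule, PortForward):
            if (rule.external_ip, rule.external_port, rule.protocol) == (ext_ip, ext_port, protocol):
                return rule.internal_ip, rule.internal_port
        elif isinstance(rule, IPTranslation) and rule.external_ip == ext_ip:
            return rule.internal_ip, ext_port        # 1:1 DNAT keeps the port
    return None

def outbound_source(cfg, internal_ip):
    """Source address the external network sees for a VM's outbound traffic."""
    for rule in cfg.rules:
        if isinstance(rule, IPTranslation) and rule.internal_ip == internal_ip:
            return rule.external_ip                  # SNAT rule takes precedence over masquerade
    if cfg.masquerade:
        return cfg.masquerade_ip
    return internal_ip                               # no NAT: the private address is exposed

def move_rule(cfg, index, new_index):
    """Return a reordered copy, as dragging a rule in the NAT Mapping tab does."""
    rules = list(cfg.rules)
    rules.insert(new_index, rules.pop(index))
    return NatConfig(rules, cfg.masquerade, cfg.masquerade_ip)

# Constructed sample configuration (documentation addresses only).
CFG = NatConfig(
    rules=[
        IPTranslation("192.0.2.10", "10.1.0.20"),                  # added first
        PortForward("192.0.2.10", 443, "10.1.0.30", 8443, "tcp"),  # added later, lands at the bottom
    ],
    masquerade=True,
    masquerade_ip="192.0.2.1",
)

def https_target_before_reorder():
    return inbound(CFG, "192.0.2.10", 443, "tcp")

def https_target_after_reorder():
    return inbound(move_rule(CFG, 1, 0), "192.0.2.10", 443, "tcp")

if __name__ == "__main__":
    print(https_target_before_reorder())      # ('10.1.0.20', 443): the 1:1 rule shadows the port forward
    print(https_target_after_reorder())       # ('10.1.0.30', 8443)
    print(outbound_source(CFG, "10.1.0.20"))  # 192.0.2.10: SNAT from the IP translation rule
    print(outbound_source(CFG, "10.1.0.40"))  # 192.0.2.1: masqueraded
```

The shadowing case is the one to watch when an external address is shared: a 1:1 IP translation rule claims every port on its external IP, so any port forwarding rule for that same IP must sit above it in the list to take effect.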
Enable Site-to-Site VPN for an Organization Network
An organization administrator can enable site-to-site VPN for an organization network and then create a secure tunnel to another network.
vCloud Director supports site-to-site VPN between organization networks in the same organization, organization networks in different organizations (including organization networks in different instances of vCloud Director), and remote networks.
Prerequisites
- A routed organization network.
- vShield Manager 5.0.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization network name and select Configure Services.
4 Click the Site-to-Site VPN tab and select Enable site-to-site VPN.
5 (Optional) Type a public IP address.
If the external network to which the organization network is routed is behind a NAT device, you must provide a publicly accessible IP address that faces the Internet.
6 Click OK.
What to do next
Create a VPN tunnel to another network.
Create a VPN Tunnel Within an Organization
An organization administrator can create a VPN tunnel between two organization networks in the same organization.
If the tunnel endpoints have a firewall between them, you must configure it to allow the following IP protocols and UDP ports:
- IP Protocol ID 50 (ESP)
- IP Protocol ID 51 (AH)
- UDP Port 500 (IKE)
- UDP Port 4500
Prerequisites
- At least two routed organization networks with nonoverlapping IP subnets and site-to-site VPN enabled on both networks.
- vShield Manager 5.0.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization network name and select Configure Services.
4 Click the Site-to-Site VPN tab and click Add.
5 Type a name and optional description.
6 Select a network in this organization from the drop-down menu and select a peer network.
7 Review the tunnel settings and click OK.
vCloud Director configures both peer network endpoints.
Create a VPN Tunnel Between Organizations
An organization administrator can create a VPN tunnel between two organization networks in different organizations. The organizations can be in the same vCloud Director installation or in different installations.
If the tunnel endpoints have a firewall between them, you must configure it to allow the following IP protocols and UDP ports:
- IP Protocol ID 50 (ESP)
- IP Protocol ID 51 (AH)
- UDP Port 500 (IKE)
- UDP Port 4500
Prerequisites
- A routed organization network in each of the organizations. The organization networks must have nonoverlapping IP subnets and site-to-site VPN enabled.
- vShield Manager 5.0.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization network name and select Configure Services.
4 Click the Site-to-Site VPN tab and click Add.
5 Type a name and optional description.
6 Select a network in another organization from the drop-down menu.
7 Click Connect to another organization, type the login information for the peer organization, and click Continue.
Option        Description
vCloud URL    Base URL of the vCloud instance that contains the peer organization. For example, https://www.example.com. Do not include /cloud or /cloud/org/orgname in the URL.
Organization  Organization name that is used as the unique identifier in the organization URL. For example, if the organization URL is https://www.example.com/cloud/org/myOrg, type myOrg.
Username      User name of an organization administrator or system administrator that has access to the organization.
Password      Password associated with the user name.
8 Select a peer network.
9 Review the tunnel settings and click Connect.
vCloud Director configures both peer network endpoints.
Create a VPN Tunnel to a Remote Network
An organization administrator can create a VPN tunnel between an organization network and a remote network.
If the tunnel endpoints have a firewall between them, you must configure it to allow the following IP protocols and UDP ports:
- IP Protocol ID 50 (ESP)
- IP Protocol ID 51 (AH)
- UDP Port 500 (IKE)
- UDP Port 4500
Prerequisites
- A routed organization network and a routed remote network that uses IPSec.
- vShield Manager 5.0.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization network name and select Configure Services.
4 Click the Site-to-Site VPN tab and click Add.
5 Type a name and optional description.
6 Select a remote network from the drop-down menu.
7 Type the peer settings.
8 Review the tunnel settings and click OK.
vCloud Director configures the organization peer network endpoint.
What to do next
Manually configure the remote peer network endpoint.
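The three tunnel procedures above share the same prerequisites (routed networks, site-to-site VPN enabled on each endpoint, nonoverlapping subnets, a public IP when an endpoint is behind a NAT device) and the same list of protocols an intermediate firewall must pass. The following is an added example written for this guide, not vCloud Director code: a pre-flight check that encodes those conditions so a misconfiguration is found before the tunnel is created rather than during IKE negotiation. The `Endpoint` fields, the firewall representation as a set of (protocol, number) openings, and the sample networks are assumptions made for the illustration; the "NAT-T" label for UDP 4500 is the standard name for IKE/IPsec NAT traversal and is not in the guide's list.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Added example: pre-flight check for a site-to-site tunnel. It is
# illustrative code, not part of vCloud Director.

# Openings the guide lists for a firewall between tunnel endpoints.
# ("ip", n) means IP protocol number n; ("udp", n) means UDP port n.
IPSEC_OPENINGS = {("ip", 50), ("ip", 51), ("udp", 500), ("udp", 4500)}
_LABELS = {50: "ESP", 51: "AH", 500: "IKE", 4500: "NAT-T"}

@dataclass
class Endpoint:
    name: str
    subnet: str
    routed: bool = True
    vpn_enabled: bool = False
    behind_nat: bool = False
    public_ip: Optional[str] = None

def check_endpoint(ep):
    problems = []
    if not ep.routed:
        problems.append(f"{ep.name}: site-to-site VPN needs a routed organization network")
    if not ep.vpn_enabled:
        problems.append(f"{ep.name}: site-to-site VPN is not enabled")
    if ep.behind_nat and not ep.public_ip:
        problems.append(f"{ep.name}: behind a NAT device but no public IP address is configured")
    return problems

def check_tunnel(a, b, firewall_openings):
    """Return a list of problems; an empty list means the tunnel can be built."""
    problems = check_endpoint(a) + check_endpoint(b)
    if ip_network(a.subnet).overlaps(ip_network(b.subnet)):
        problems.append(f"subnets overlap: {a.subnet} and {b.subnet}")
    for proto, num in sorted(IPSEC_OPENINGS - set(firewall_openings)):
        problems.append(f"intermediate firewall blocks {proto} {num} ({_LABELS[num]})")
    return problems

# Constructed sample: orgnet-a to orgnet-b through a firewall that omits
# UDP 4500, with orgnet-b behind a NAT device and no public IP set, and the
# two subnets overlapping.
ORG_A = Endpoint("orgnet-a", "10.1.0.0/24", vpn_enabled=True)
ORG_B = Endpoint("orgnet-b", "10.1.0.0/25", vpn_enabled=True, behind_nat=True)
FW_OPENINGS = {("ip", 50), ("ip", 51), ("udp", 500)}

def sample_problems():
    return check_tunnel(ORG_A, ORG_B, FW_OPENINGS)

if __name__ == "__main__":
    for problem in sample_problems():
        print("-", problem)
```

For a tunnel to a remote network, run the same check with the remote side's subnet and its firewall openings filled in from the remote administrator, since vCloud Director configures only the organization endpoint and the remote peer is configured by hand.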