VMware vCloud Director - 5.1 User’s Guide
vCloud Director User's Guide
vCloud Director 5.1
This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-000818-00
vCloud Director User's Guide
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2010–2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
Contents
vCloud Director User's Guide 7
Getting Started with vCloud Director 9
1
Understanding VMware vCloud Director 9
Log In to the Web Console 10
Using vCloud Director 10
Set Mozilla Firefox Options 11
Set Microsoft Internet Explorer Options 12
Set User Preferences 13
Change Your Password 14
Managing Users and Groups 15
2
Managing Users 15
Working with Groups 19
Managing Cloud Resources 21
3
Managing Virtual Datacenters 21
Managing Organization vDC Networks 22
Managing Expired Items 34
Working in an Organization 35
4
Understanding Leases 35
Set Up an Organization 36
Review Your Organization Profile 38
Modify Your Email Settings 39
Modify Your Organization's Policies 39
Set Default Domain for Organization Virtual Machines 40
Enable Your Organization to Use an SAML Identity Provider 40
Manage Users and Groups in Your Organization 41
Manage Resources in Your Organization 41
Manage Virtual Machines in Your Organization 42
Viewing Organization Log Tasks and Events 42
VMware, Inc.
Working with Catalogs 45
5
Add a New Catalog 45
Access a Catalog 46
Publish a Catalog 46
Share A Catalog 47
Change the Owner of a Catalog 47
Delete a Catalog 48
Modify the Properties of Your Catalog 48
3
vCloud Director User's Guide
Understanding Catalogs and Their Contents 48
Working in Published Catalogs 49
Working with Media Files 51
6
Upload Media Files 51
Resume the Upload of a Media File 52
Copy Media Files to a Catalog 52
Move Media Files to Another Catalog 52
Delete Media Files 53
Modify Media File Properties 53
Working with vApp Templates 55
7
Open a vApp Template 55
Add a vApp Template to My Cloud 56
Download a vApp Template 56
Upload an OVF Package as a vApp Template 57
Resume the Upload of a vApp Template 57
Copy a vApp Template from a Public Catalog to an Organization Catalog 58
Copy a vApp Template Between an Organization's Catalogs 58
Move a vApp Template Between an Organization's Catalogs 59
Delete a vApp Template 59
Save a vApp as a vApp Template 59
Modify vApp Template Properties 60
Working with vApps 61
8
Create a vApp From a vApp Template 62
Create a New vApp 62
Import a Virtual Machine as a vApp 64
About the vApp Placement Engine 64
Copy a vApp 66
Start a vApp 66
Start a vApp with an Older Version of VMware Tools 66
Stop a vApp 67
Suspend a vApp 67
Discard the Suspended State of a vApp 67
Reset a vApp or Virtual Machine 68
View vApp Virtual Machines 68
Add a Virtual Machine to a vApp 68
Import a Virtual Machine to a vApp from vSphere 69
Remove Virtual Machines from a vApp 69
Set vApp Start and Stop Options 70
Working with Networks in a vApp 71
Editing vApp Properties 82
Display a vApp Diagram 84
Change the Owner of a vApp 84
Upgrade the Virtual Hardware Version for a vApp 85
Save vApp as a vApp Template to Your Catalog 85
Create a Snapshot of a vApp 86
4 VMware, Inc.
Revert a vApp to a Snapshot 86
Remove a Snapshot of a vApp 86
Copy a vApp to Another vDC 86
Move a vApp to Another vDC 87
Delete a vApp 87
Contents
Working with Virtual Machines 89
9
Open a Virtual Machine Console 90
Power On a Virtual Machine 90
Power Off a Virtual Machine 90
Reset a vApp or Virtual Machine 91
Suspend a Virtual Machine 91
Resume a Suspended Virtual Machine 91
Discard the Suspended State of a Virtual Machine 91
Insert a CD/DVD 92
Eject a CD/DVD 92
Insert a Floppy 92
Eject a Floppy 93
Upgrade the Virtual Hardware Version for a Virtual Machine 93
Connect Remotely to a Virtual Machine 93
Create a Snapshot of a Virtual Machine 94
Revert a Virtual Machine to a Snapshot 94
Remove a Snapshot of a Virtual Machine 94
Copy or Move a Virtual Machine to a vApp 94
Delete a Virtual Machine 95
Editing Virtual Machine Properties 95
Installing VMware Tools 101
Guest Operating Systems 112
Index 123
VMware, Inc. 5
vCloud Director User's Guide
6 VMware, Inc.
vCloud Director User's Guide
The VMware vCloud Director User's Guide provides information about managing organizations, catalogs, vApps,
and virtual machines.
Intended Audience
This book is intended for anyone who wants to set up and configure organizations in
VMware vCloud Director. The information in this book is written for non-system administrators, including
organization administrators who will create and set up vApps, catalogs, and virtual machines.
VMware, Inc. 7
vCloud Director User's Guide
8 VMware, Inc.
Getting Started with vCloud Director 1
When you log in to the vCloud Director Web console, the Home tab provides access to your resources and
links to common tasks.
You can also set your user preferences and view the product help.
This chapter includes the following topics:
n
“Understanding VMware vCloud Director,” on page 9
n
“Log In to the Web Console,” on page 10
n
“Using vCloud Director,” on page 10
n
“Set Mozilla Firefox Options,” on page 11
n
“Set Microsoft Internet Explorer Options,” on page 12
n
“Set User Preferences,” on page 13
n
“Change Your Password,” on page 14
Understanding VMware vCloud Director
VMware® vCloud Director provides role-based access to a Web console that allows the members of an
organization to interact with the organization's resources to create and work with vApps and virtual machines.
Before you can access your organization, a vCloud Director system administrator must create the organization,
assign it resources, and provide the URL to access the Web console. Each organization includes one or more
organization administrators, who finishes setting up the organization by adding members and setting policies
and preferences. After the organization is set up, non-administrator users can log in to create, use, and manage
virtual machines and vApps.
Organizations
An organization is a unit of administration for a collection of users, groups, and computing resources. Users
authenticate at the organization level, supplying credentials established by an organization administrator
when the user was created or imported. System administrators create and provision organizations, while
organization administrators manage organization users, groups, and catalogs.
Users and Groups
An organization can contain an arbitrary number of users and groups. Users can be created locally by the
organization administrator or imported from a directory service such as LDAP. Groups must be imported from
the directory service. Permissions within an organization are controlled through the assignment of rights and
roles to users and groups.
VMware, Inc.
9
vCloud Director User's Guide
Virtual Datacenters
An organization virtual datacenter (vDC) provides resources to an organization. vDCs provide an environment
where virtual systems can be stored, deployed, and operated. They also provide storage for virtual media,
such as floppy disks and CD ROMs. An organization can have multiple vDCs.
Organization vDC Networks
An organization vDC network is contained within a vCloud Director organization vDC and is available to all
the vApps in the organization. An organization vDC network allows vApps within an organization to
communicate with each other. An organization vDC network can be connected to an external network or
isolated and internal to the organization. Only system administrators can create organization vDC networks,
but organization administrators can manage organization vDC networks, including the network services they
provide.
vApp Networks
A vApp network is contained within a vApp and allows virtual machines in the vApp to communicate with
each other. You can connect a vApp network to an organization vDC network to allow the vApp to
communicate with other vApps in the organization and outside of the organization, if the organization vDC
network is connected to an external network.
Catalogs
Organizations use catalogs to store vApp templates and media files. The members of an organization that have
access to a catalog can use the catalog's vApp templates and media files to create their own vApps.
Organizations administrators can copy items from public catalogs to their organization catalog.
Log In to the Web Console
Use the organization URL to log in to your organization and access the Web console.
Contact your organization administrator if you do not know the organization URL.
Procedure
1 In a browser, type the URL of your organization and press Enter.
For example, type https://cloud.example.com/cloud/org/myOrg.
2 Type your user name and password and click Login. .
What to do next
The Web console displays a list of the common tasks and resources available to you based on your role. An
organization administrator can click the Set up this organization link on the Home tab to finish setting up a
newly created organization. See “Set Up an Organization,” on page 36 for more information.
Using vCloud Director
When you log into vCloud Director, the first page you see is the Home page. The information that appears on
this page are the most common tasks for your role.
Organization administrators see the Set up this organization link as their first task. They also see tasks under
these headings.
n
Organizations and resources
n
Content
10 VMware, Inc.
n
Users & Groups
The vApps in your organization are displayed for easy access.
Catalog authors see links to these tasks.
n
Add Cloud Computer System
n
Build new vApp
n
Manage Catalogs
n
New Catalog
vApp authors see links to these tasks.
n
Add Cloud Computer System
n
Build new vApp
vApp users see links to these tasks.
n
Add Cloud Computer System
The vApps in your organization are displayed for easy access.
Console Access Only users have a read-only access to vCloud Director.
Chapter 1 Getting Started with vCloud Director
Set Mozilla Firefox Options
These options and settings help you display and use the vCloud Director Web console in Mozilla Firefox.
Prerequisites
You have the following.
n
At least Firefox 3.x
n
SSL 3.0 Encryption
n
TLS 1.0 Encryption
Procedure
1 In Firefox, select Tools > Options.
2 Click Content and select the JavaScript check box.
3 Click Privacy.
4 In the Firefox will: drop-down menu, select Use custom settings for history.
5 Select the Accept cookies from sites.
This selection also selects the Accept third-party cookies check box.
6 Click OK.
Bypass the Proxy in Mozilla Firefox
You can configure the Firefox proxy server to bypass certain Web addresses.
If all of these conditions exist, you can configure Firefox to bypass specific Web addresses.
n
The internal network is configured with a proxy server to access the external network.
n
The browser's proxy server connection has no local exceptions.
n
The proxy is not configured to look in the internal network after not finding or connecting to the target
on the external network.
VMware, Inc. 11
vCloud Director User's Guide
n
The user looks for a target on the internal network using Firefox.
Procedure
1 Select an option.
Operating System Action
Windows
Linux
Tools > Options
Edit > Preferences
2 Click the Advanced button.
3 On the Network tab, click the Settings button.
4 Enter the IP of the cell or load balancer in the No Proxy for: field.
The specified Web addresses are bypassed by the Firefox proxy server.
Set Microsoft Internet Explorer Options
These options help you display and use the vCloud Director Web console in Microsoft Internet Explorer.
You have the following.
n
At least Internet Explorer 7.
n
SSL 3.0 Encryption
n
TLS 1.0 Encryption
Procedure
1 In Internet Explorer, select Tools > Internet Options.
2 Click the Security tab.
3 Select the Internet content zone for the vCloud Director server.
4 Click Custom Level and select Enable or Prompt for these options.
n
Download signed ActiveX controls
n
Run ActiveX controls and plug-ins
n
Allow META REFRESH
n
Active scripting of Microsoft web browser control
5 Click OK.
6 Click the Advanced tab.
7 If you are using Internet Explorer on Windows 2003, complete these tasks.
a Select Start > Settings > Control Panel.
b Select Add or Remove Programs.
c Click Add/Remove Windows Components.
d Disable Internet Explorer Enhanced Security Configuration.
12 VMware, Inc.
Chapter 1 Getting Started with vCloud Director
Bypass the Proxy in Internet Explorer
You can configure the Internet Explorer proxy server to bypass certain Web addresses.
If all of these conditions exist, you can configure Internet Explorer to bypass specific Web addresses.
n
The internal network is configured with a proxy server to access the external network.
n
The browser's proxy server connection has no local exceptions.
n
The proxy is not configured to look in the internal network after not finding or connecting to the target
on the external network.
n
The user looks for a target on the internal network using Internet Explorer.
Procedure
1 Type the IP address of the cell or load balancer so that VMware Remote Console (VMRC) can bypass the
proxy setting.
2 Select Tools > Internet Options.
3 On the Connections tab, click LAN Settings in the bottom panel.
4 In the Proxy Server panel, click Advanced.
5 In the Exception panel, in the Do not use proxy server for addresses beginning with: text box, type the
IP address of the cell or load balancer.
If the configuration management vehicle supports the use of regular expressions, you must type the DNS
name of the cell or load balancer.
6 Click OK.
The specified Web addresses are bypassed by the Internet Explorer proxy server.
Set User Preferences
You can set certain display and system alert preferences that take effect every time you log in to the system.
You can also change the password for your system administrator account.
Procedure
1 In the title bar of the Web console, click Preferences.
2 Click the Defaults tab.
3 Select the page to display when you log in.
4 Select the number of days or hours before a runtime lease expires that you want to receive an email
notification.
5 Select the number of days or hours before a storage lease expires that you want to receive an email
notification.
6 Click the Change Password tab.
7 (Optional) Type your current password and type your new password twice.
8 Click OK.
VMware, Inc. 13
vCloud Director User's Guide
Change Your Password
If you have a local user account, you can change your password.
Procedure
1 Log in to your organization.
2 In the title bar of the Web console, click Preferences.
3 On the Change Password tab, type your current password, type your new password, and retype your
new password.
4 Click OK.
vCloud Director logs you out.
What to do next
Log in using your new password.
14 VMware, Inc.
Managing Users and Groups 2
An organization administrator is the only one who can add users and groups to an organization. The
organization administrator assigns each user or group a role within the organization. Your role controls what
you can see and do in vCloud Director.
An organization administrator can create local user accounts within an organization or import users and
groups from an LDAP server. Contact your system administrator to set up an LDAP connection.
These default roles exist in vCloud Director.
Organization
Administrator
Catalog Author
vApp Author
vApp User
Console Access Only
Contact your system administrator to create custom roles.
This chapter includes the following topics:
n
“Managing Users,” on page 15
n
“Working with Groups,” on page 19
Managing Users
The Users page displays a list of users for your organization. You can see whether the users are active, their
role, and whether they are local or LDAP.
As an organization administrator, you can complete these operations.
n
Add a new user
n
Import users from LDAP
Administers the organization
Creates and publishes new catalogs
Creates vApps and uses catalogs
Uses vApps created by others
Uses virtual machine guest operating systems and shows virtual machine state
and properties
VMware, Inc.
n
Send email notifications
n
Deactivate a user
n
Modify a user's properties
n
Delete a user
15
vCloud Director User's Guide
Add a Local User
Adding local users allows organization administrators to provide access to users who do not exist on an LDAP
server. You can also add local users if you do not plan to use an LDAP server.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Click the New User button.
4 Type the user name and password.
5 Select a role.
To create a custom role, contact your system administrator.
6 (Optional) Type the contact information.
7 Select the stored and running virtual machine quota limits for this user.
8 Click OK.
The new user appears on the Users page.
Import an LDAP User
Organization administrators can import users from an LDAP server.
Prerequisites
Verify that the LDAP settings for the organization are set up and working. Contact a system administrator to
configure LDAP settings for your organization.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Click the Import Users button.
4 Select a Source to import users from.
If your organization has only an LDAP server or SAML provider configured, the source is read-only.
Option Description
LDAP
SAML
5 Click OK.
Import users from an LDAP server.
a Type a full or partial name in the text box and click Search Users.
b Select the users to import and click Add.
Import users from your organization's SAML provider. Type the user names
of the users to import and click Add. Separate multiple users with carriage
returns.
vCloud Director imports the selected user from your LDAP server to your organization.
16 VMware, Inc.
Chapter 2 Managing Users and Groups
Edit a User
An organization administrator can edit local user properties such as the password, role, contact information,
and quotas. For LDAP users, you can only edit their role and quotas.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Select a user, right-click, and click Properties.
4 Modify the necessary properties and click OK.
Delete a User
If a user leaves the company or moves to another organization, an organization administrator can delete a user
from the organization.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users .
3 Select a user, right-click, and select Disable Account.
4 Reselect this user, right-click, and select Delete.
5 Click OK .
The user is deleted from your organization.
Send User Notifications
An organization administrator can send an email notification to users to notify them of events or issues in the
organization.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Click the Notify button.
If you select a user and then click this button, the user's name appears as the recipient.
4 Select the recipients and type a subject.
5 Type the message.
6 Click Send Email.
The notification is sent to the selected recipients.
VMware, Inc. 17
vCloud Director User's Guide
Delete Users in Lost and Found
If a user in your organization is removed from a group, if their group is disabled/removed in LDAP, or if the
user is deleted/disabled in LDAP, the user appears on the Lost & Found page. An organization administrator
can delete the user from the system and assume ownership of the user's objects (for example vApps and vApp
templates).
Procedure
1 Click Administration.
2 In the left pane, select Members > Lost & Found.
3 Right-click a user in the list and click Delete.
4 Click OK.
vCloud Director transfers ownership of the user's objects to you unless you deselect the Transfer user's
objects to me check box.
Disable or Enable User Accounts
An organization administrator can disable a user account to log the user out of the Web console and prevent
the user from logging in again. You can enable a user to allow them to log in.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Select a user, right-click, and select Disable Account or Enable Account.
Disable user accounts have a red circle in the Enabled column and enabled user accounts have a green check
mark.
What to do next
After you disable a user's account, you can delete that user. See “Delete a User,” on page 17
View and Change a User's Role
An organization administrator assigns a role when adding a user to the organization. The organization
administrator can change the user's role later to give the user more rights or fewer rights.
Procedure
1 Click Administration.
2 In the left pane, select Members > Users.
3 Select a user, right-click, and select Properties.
4 In the User role in organization: drop-down menu, select a new role for the user.
The definition of each role appears as a tool tip.
5 Click OK.
18 VMware, Inc.
Working with Groups
On the Groups page, you can review the list of groups in your organization.
You can see group names and their assigned roles. As an organization administrator, you can import groups
into your organization, delete groups from your organization, and modify the role of a group.
Import a Group
An organization administrator can import LDAP groups or groups from an SAML identity provider to an
organization.
Contact a system administrator to configure LDAP settings for your organization.
Prerequisites
The LDAP settings for the organization must be set up and working or you must have the organization
configured to use an SAML identity server.
Procedure
1 Click Administration.
2 In the left pane, select Members > Groups.
Chapter 2 Managing Users and Groups
3 Click the Import Groups button.
4 Select the Source to import from.
If your organization has only an LDAP server or SAML provider configured, the source is read-only.
Option Description
LDAP
SAML
Import groups from an LDAP server.
a Type a full or partial name in the text box and click Search Groups.
b Select the groups to import and click Add.
Import groups from an SAML provider. Type the group name or names and
click Add. Separate multiple groups with carriage returns.
5 Select a role for the group.
All the users in the group assigned this role.
6 Click OK.
The group is imported in your organization.
Delete a Group
An organization administrator can delete a group to remove it from the organization.
Deleting a group from an organization affects users who are members of the organization based solely on their
membership in the deleted group. These users will not be able to log in to the organization. When you delete
a group from an organization the group still exists in LDAP.
Procedure
1 Click Administration.
2 In the left pane, select Members > Groups.
3 Select a group, right-click, and select Delete.
VMware, Inc. 19
vCloud Director User's Guide
4 Click Yes.
Modify the Role of a Group
An organization administrator can review and modify the role assigned to a group in your organization.
Procedure
1 Click Administration.
2 In the left pane, select Members > Groups.
3 Select a group, right-click, and select Properties.
4 Select another role for this group.
5 Click OK.
The new role for this group appears in the Groups page.
20 VMware, Inc.
Managing Cloud Resources 3
A vCloud Director system administrator creates and assigns virtual datacenters and networks to an
organization. An organization administrator can view information about these resources and perform a limited
set of management tasks. Contact your system administrator if you need more organization virtual datacenters
or organization vDC networks..
This chapter includes the following topics:
n
“Managing Virtual Datacenters,” on page 21
n
“Managing Organization vDC Networks,” on page 22
n
“Managing Expired Items,” on page 34
Managing Virtual Datacenters
Virtual datacenters (vDCs) provide processor, memory, and storage resources to your organization. They are
assigned to your organization by your system administrator. An organization can have multiple vDCs.
Display Virtual Datacenters
When you display the vDCs in your organization, you can monitor the resources, users, and policy settings
that you manage.
You are an organization administrator.
Procedure
1 Click Administration.
2 In the left pane, select Cloud Resources > Virtual Datacenters.
A list of vDCs in your organization appears in the right pane.
3 For details about a vDC, right-click, and select Open.
The vApps, vApp templates, media, and networks attached to this vDC are displayed. When you click
through each tab, you can right click on an object to see the operations you can complete.
Review Virtual Datacenter Properties
You can review the properties of the vDCs that are assigned to your organization.
Procedure
1 Click Administration.
2 Select Cloud Resources > Virtual Datacenters.
VMware, Inc.
21
vCloud Director User's Guide
3 Select a vDC, right-click, and select Properties.
4 Review the properties and click OK.
What to do next
To modify your organizational vDCs, contact your system administrator.
Monitor Your Virtual Datacenter
You can monitor the vDC assigned to your organization and determine when to request additional capacity.
You are an organization administrator.
Procedure
1 Click Administration.
2 Select Cloud Resources > Virtual Datacenters.
3 Click the Monitor button.
Details about the processor, memory, storage, and allocation model appear.
What to do next
Contact your system administrator for more capacity.
Manage Your Virtual Datacenters
You can review information such as the status, allocation model, and the number of vApps in a vDC in your
organization.
You are an organization administrator
Procedure
1 Click Administration.
2 In the left pane, select Cloud Resources > Virtual Datacenters.
3 Click the Manage button.
4 Review the information.
What to do next
You can open the vDC to see the objects in it, notify users about issues or changes, or review the vDCs
properties. Contact your system administrator to make changes to your vDC.
Managing Organization vDC Networks
Organization vDC networks are created and assigned to your organization vDC by a system administrator.
An organization administrator can view information about networks, configure network services, and more.
You can use direct, routed, or internal organization vDC networks.
22 VMware, Inc.
Table 3-1. Types of Organization vDC Networks
Organization vDC Network Type Description
Chapter 3 Managing Cloud Resources
Direct Accessible by multiple organizations. Virtual machines belonging to different
Routed Accessible only by this organization. Only virtual machines in this organization
Internal Accessible only by this organization. Only virtual machines in this organization
organizations can connect to and see traffic on this network.
This network provides direct layer 2 connectivity to virtual machines outside of
the organization. Virtual machines outside of this organization can connect to
virtual machines in the organization directly.
can connect to this network.
This network also provides controlled access to an external network. System
administrators and organization administrators can configure network address
translation (NAT), firewall, and VPN settings to make specific virtual machines
accessible from the external network.
can connect to and see traffic on this network.
This network provides an organization with an isolated, private network that
multiple vApps can connect to. This network provides no connectivity to
machines outside this organization. Machines outside of this organization have
no connectivity to machines in the organization.
Configuring Oganization vDC Network Services
An organization administrator can configure services, such as DHCP, firewalls, network address translation
(NAT), VPN, and static routing for certain organization vDC networks.
The network services available depend on the type of organization vDC network.
Table 3-2. Network Services Available by Network Type
Organization vDC Network
Type DHCP Firewall NAT VPN Static Routing
Direct
Routed X X X X X
Internal X
Configure DHCP for an Organization vDC Network
Organization administrators can configure certain organization vDC networks to provide DHCP services to
virtual machines in the organization.
When you power on a virtual machine with the following configuration, vCloud Director assigns a DHCP IP
address to that virtual machine.
n
A NIC connected to an organization vDC network that has DHCP enabled.
n
The IP mode for the connected NIC set to DHCP.
Prerequisites
Verify that you have a routed organization vDC network or an internal organization vDC network.
Procedure
1 Click Administration and select the organization vDC.
2 Click the Org vDC Networks tab, right-click the organization vDC network name and select Configure
Services.
3 Select Enable DHCP.
VMware, Inc. 23
vCloud Director User's Guide
4 Type a range of IP addresses or use the default range.
vCloud Director uses these addresses to satisfy DHCP requests. The range of DHCP IP addresses cannot
overlap with the static IP pool for the organization vDC network.
5 Set the default lease time and maximum lease time or use the default values.
6 Click OK.
vCloud Director updates the network to provide DHCP services.
Configure the Firewall for an Organization vDC Network
An organization administrator can configure certain organization vDC networks to provide firewall services.
Enable the firewall on an organization vDC network to enforce firewall rules on incoming traffic, outgoing
traffic, or both.
When you enable the firewall, you can specify a default firewall action to deny all incoming and outgoing
traffic or to allow all incoming and outgoing traffic. You can also add specific firewall rules to allow or deny
traffic that matches the rules to pass through the firewall. These rules take precedence over the default firewall
action. See “Add a Firewall Rule to an Organization vDC Network,” on page 24.
If a system administrator specified syslog server settings and those settings were applied to the organization
vDC network, then you can log events related to the default firewall action. For information about applying
syslog server settings, see “Apply Syslog Server Settings to an Organization vDC Network,” on page 33. To
view the current syslog server settings see “View Syslog Server Settings for an Organization vDC Network,”
on page 33.
Prerequisites
Verify that a routed organization vDC network is in place.
Procedure
1 Click Administration and select the organization vDC.
2 Click the Org vDC Networks tab, right-click the organization vDC network name, and select Configure
Services.
3 Click the Firewall tab and select Enable firewall to enable firewall services, or deselect it to disable firewall
services.
4 Select the default firewall action.
Option Description
Deny
Allow
Blocks all traffic except when overridden by a firewall rule.
Allows all traffic except when overridden by a firewall rule.
5 (Optional) Select the Log check box to log events related to the default firewall action.
6 Click OK.
Add a Firewall Rule to an Organization vDC Network
An organization administrator can add firewall rules to an organization vDC network that supports a firewall.
You can create rules to allow or deny traffic that matches the rules to pass through the firewall.
When you add a new firewall rule to an organization vDC network, it appears at the bottom of the firewall
rule list. For information about how to set the order in which firewall rules are enforced, see “Reorder Firewall
Rules for an Organization vDC Network,” on page 26.
24 VMware, Inc.
Chapter 3 Managing Cloud Resources
If a system administrator specified syslog server settings and those settings have been applied to the
organization vDC network, then you can log firewall rule events. For information about applying syslog server
settings, see “Apply Syslog Server Settings to an Organization vDC Network,” on page 33. To view the current
syslog server settings see “View Syslog Server Settings for an Organization vDC Network,” on page 33.
Prerequisites
Verify that you have a routed organization vDC network and enable the firewall for the organization vDC
network. See “Configure the Firewall for an Organization vDC Network,” on page 24
Procedure
1 Click Administration and select the organization vDC.
2 On the Org vDC Networks tab, right-click the organization vDC network name and select Configure
Services.
3 Click the Firewall tab and click Add.
4 Type a name for the rule.
5 (Optional) Select Match rule on translated IP to have the rule check against translated IP addresses rather
than original IP addresses and choose a traffic direction to apply this rule on.
6 Type the traffic Source.
Option Description
IP address
Range of IP addresses
CIDR
internal
external
any
Type a source IP address to apply this rule on.
Type a range of source IP addresses to apply this rule on.
Type the CIDR notation of traffic to apply this rule on.
Apply this rule to all internal traffic.
Apply this rule to all external traffic.
Apply this rule to traffic from any source.
7 Select a Source port to apply this rule on from the drop-down menu.
8 Type the traffic Destination.
Option Description
IP address
Range of IP addresses
CIDR
internal
external
any
Type a destination IP address to apply this rule on.
Type a range of destination IP addresses to apply this rule on.
Type the CIDR notation of traffic to apply this rule on.
Apply this rule to all internal traffic.
Apply this rule to all external traffic.
Apply this rule to traffic with any destination.
9 Select the Destination port to apply this rule on from the drop-down menu.
10 Select the Protocol to apply this rule on from the drop-down menu.
11 Select the action.
A firewall rule can allow or deny traffic that matches the rule.
12 Select the Enabled check box.
13 (Optional) Select the Log network traffic for firewall rule check box.
If you enable this option, vCloud Director sends log events to the syslog server for connections affected
by this rule. Each syslog message includes logical network and organization UUIDs.
VMware, Inc. 25
vCloud Director User's Guide
14 Click OK and click OK again.
Reorder Firewall Rules for an Organization vDC Network
Firewall rules are enforced in the order in which they appear in the firewall list. An organization administrator
can change the order of the rules in the list.
When you add a firewall rule to an organization vDC network, the new rule appears at the bottom of the
firewall rule list. To enforce the new rule before an existing rule, reorder the rules.
Prerequisites
Verify that a routed organization vDC network with two or more firewall rules is in place.
Procedure
1 Click Administration and select the organization vDC.
2 Click the Org vDC Networks tab, right-click the organization vDC network name, and select Configure
Services.
3 Click the Firewall tab.
4 Drag the firewall rules to establish the order in which the rules are applied.
5 Click OK.
Enable VPN for an Organization vDC Network
An organization administrator can enable VPN for an organization vDC network, then create a secure tunnel
to another network.
vCloud Director supports VPN between organization vDC networks in the same organization and remote
networks.
Prerequisites
Verify that the following items are in place.
n
A routed organization vDC network.
n
vShield Manager 5.1.
Procedure
1 Click Administration and select the organization vDC.
2 Click the Org vDC Networks tab, right-click the organization vDC network name, and select Configure
Services.
3 Click the VPN tab and select Enable VPN.
4 (Optional) Type a public IP address.
5 Click OK.
What to do next
Create a VPN tunnel to another network.
26 VMware, Inc.
Chapter 3 Managing Cloud Resources
Create a VPN Tunnel In an Organization
An organization administrator can create a VPN tunnel between two organizations vDC networks in the same
organization.
If the tunnel endpoints have a firewall between them, configure the firewall to allow the following IP protocols
and UDP ports:
n
IP Protocol ID 50 (ESP)
n
IP Protocol ID 51 (AH)
n
UDP Port 500 (IKE)
n
UDP Port 4500
Prerequisites
Verify that the following items are in place.
n
At least two routed organization vDC networks with nonoverlapping IP subnets and VPN enabled on
both networks.
n
vShield Manager 5.1.
Procedure
1 Click Administration and select the organization vDC.
2 Click the Org vDC Networks tab, right-click the organization vDC network name, and select Configure
Services.
3 Click the VPN tab and click Add.
4 Type a name and optional description.
5 Select a network in this organization from the drop-down menu and select a peer network.
6 Review the tunnel settings and click OK.
vCloud Director configures both peer network endpoints.
Create a VPN Tunnel Between Organizations
An organization administrator can create a VPN tunnel between two organization vDC networks in different
organizations. The organizations can be part of the same vCloud Director installation or a different installation.
If the tunnel endpoints have a firewall between them, you must configure it to allow the following IP protocols
and UDP ports:
n
IP Protocol ID 50 (ESP)
n
IP Protocol ID 51 (AH)
n
UDP Port 500 (IKE)
n
UDP Port 4500
Prerequisites
n
A routed organization vDC network in each of the organizations. The organization vDC networks must
have nonoverlapping IP subnets and site-to-site VPN enabled.
n
vShield Manager 5.1.
VMware, Inc. 27
vCloud Director User's Guide
Procedure
1 Click Administration and select the organization vDC.
2 Click the Org vDC Networks tab, right-click the organization vDC network name, and select Configure
Services.
3 Click the VPN tab and click Add.
4 Type a name and optional description.
5 Select a network in another organization from the drop-down menu.
6 Click Connect to another organization, type the login information for the peer organization, and click
Continue.
Option Description
vCloud URL
Organization
Username
Password
7 Select a peer network.
Base URL of the vCloud instance that contains the peer organization. For
example, https://www.example.com. Do not include /cloud
or /cloud/org/
Organization name that is used as the unique identifier in the organization
URL. For example, if the organization URL is
https://www.example.com/cloud/org/myOrg, type myOrg.
User name of an organization administrator or system administrator that has
access to the organization.
Password associated with the user name.
orgname
in the URL.
8 Review the tunnel settings and click Connect.
vCloud Director configures both peer network endpoints.
Create a VPN Tunnel to a Remote Network
An organization administrator can create a VPN tunnel between an organization vDC network and a remote
network.
If the tunnel endpoints have a firewall between them, configure it to allow the following IP protocols and UDP
ports:
n
IP Protocol ID 50 (ESP)
n
IP Protocol ID 51 (AH)
n
UDP Port 500 (IKE)
n
UDP Port 4500
Prerequisites
Verify that the following items are in place.
n
A routed organization vDC network and a routed remote network that uses IPSec.
n
vShield Manager 5.1.
Procedure
1 Click Administration and select the organization vDC.
2 Select Cloud Resources > Networks.
3 Click the Organization vDC Network tab, right-click the organization vDC network name, and select
Configure Services.
28 VMware, Inc.
Chapter 3 Managing Cloud Resources
4 Click the VPN tab and click Add.
5 Type a name and optional description.
6 Select a remote network from the drop-down menu.
7 Type the peer settings.
8 Review the tunnel settings and click OK.
vCloud Director configures the organization peer network endpoint.
What to do next
Manually configure the remote peer network endpoint.
Enable Static Routing for an Organization vDC Network
An organization administrator can configure certain organization vDC networks to provide static routing
services. After you enable static routing on an organization vDC network, you can add static routes to allow
traffic between different vApp networks routed to the organization vDC network.
Prerequisites
Verify that a routed organization vDC network is in place.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization vDC network name and select Configure Services.
4 On the Static Routing tab, select Enable static routing and click OK.
What to do next
Create static routes.
Add Static Routes Between vApp Networks Routed to the Same Organization vDC Network
An organization administrator can add static routes between two vApp networks that are routed to the same
organization vDC network. Static routes allow traffic between the networks.
You cannot add static routes between overlapping networks or fenced vApps. After you add a static route to
an organization vDC network, configure the network firewall rules to allow traffic on the static route. For
vApps with static routes, select the Always use assigned IP addresses until this vApp or associated networks
are deleted check box.
Static routes only function when the vApps included in the routes are running. If you change the parent
network of a vApp, delete a vApp, or delete a vApp network, and the vApp includes static routes, those routes
cannot function and you must remove them manually.
Prerequisites
Verify that the following conditions are met.
n
vShield Manager 5.1 is installed.
n
A routed organization vDC network is in place.
n
Static routing is enabled on the organization vDC network.
n
Two vApp networks are routed to the organization vDC network.
VMware, Inc. 29
vCloud Director User's Guide
n
The vApp networks are in vApps that were started at least once.
Procedure
1 Click Administration.
2 Select Cloud Resources > Networks.
3 Right-click the organization vDC network name and select Configure Services.
4 Click the Static Routing tab and click Add.
5 Type a name, network address, and next hop IP address.
The network address is for the first vApp network to which you want to add a static route. The next hop
IP address is the external IP address of that vApp network's router.
6 Select Within this network, and click OK.
7 Click OK.
8 Repeat Step 4 through Step 7 to add a route to the second vApp network.
Example: Static Routing Example
vApp Network 1 and vApp Network 2 are both routed to Org Network Shared. You can create static routes
on the organization vDC network to allow traffic between the vApp networks. You can use information about
the vApp networks to create the static routes.
Table 3-3. Network Information
Network Name Network Specification Router External IP Address
vApp Network 1 192.168.1.0/24 192.168.0.100
vApp Network 2 192.168.2.0/24 192.168.0.101
Org Network Shared 192.168.0.0/24 NA
On Org Network Shared, create a static route to vApp Network 1 and another static route to vApp Network
2.
Table 3-4. Static Routing Settings
Static Route to
Network Route Name Network Next Hop IP Address Route
vApp Network 1 tovapp1 192.168.1.0/24 192.168.0.100 In this network
vApp Network 2 tovapp2 192.168.2.0/24 192.168.0.101 In this network
What to do next
Create firewall rules to allow traffic on the static routes.
Add Static Routes Between vApp Networks Routed to Different Organization vDC Networks
An organization administrator can add static routes between two vApp networks that are routed to different
organization vDC networks. Static routes allow traffic between the networks.
You cannot add static routes between overlapping networks or fenced vApps. After you add a static route to
an organization vDC network, configure the network firewall rules to allow traffic on the static route. For
vApps with static routes, select the Always use assigned IP addresses until this vApp or associated networks
are deleted check box.
30 VMware, Inc.
Loading...