博客

如何在本地和Draas之间启用工作量沟通

  • 2021年10月26日
  • 0答复
  • 358次观看
如何在本地和Draas之间启用工作量沟通
Ayushkapoor
秩

Nutanix客户可以从其本地数据中心到Nutanix Draas服务建立安全的虚拟专用网络(VPN)连接,以复制两者之间的工作负载和设置通信。VPN解决方案还可以使本地Prism之间的安全通信®Nutanix Draas服务中的中央实例和生产虚拟私有云(VPC)。

该博客将涵盖以下内容:

在以下情况下,如何在本地和您的nutanix draas之间启用工作量沟通:

  • Nutanix在Nutanix draas上托管了Nutanix VPN设备的本地VPN设备。
  • 第三方VPN在您的nutanix draas上向Nutanix VPN设备的本地VPN。

Nutanix VPN设备在Nutanix VPN nutanix draas的Nutanix VPN设备的本地

在连接两侧使用Nutanix托管VPN设备时,部署过程会自动创建具有EBGP的IPSEC隧道作为在其顶部运行的路由协议。双方之间的这些路线使用EBGP广告。

默认情况下,Nutanix Draas向本地VPN宣传了负载平衡器子网。这是A /29子网,它是Nutanix Draas目标的专用子网。为此,请登录到Draas Prism Central(PC)实例,然后转到“VPN“ 在下面网络安全然后单击“VPN连接”在VPN连接页面上的“已发送路由”部分下的“负载平衡器子网信息”。

从本地到Nutanix Draas服务网络,我们仅重新分配了连接的本地子网。例如,如果我们将VPN设备与Prism Central和Prism Element群集相同的子网部署,则该子网将通过EBGP从本地重新分配到Nutanix Draas实例。Nutanix将Nutanix与Prism中央和Prism元素集群在同一子网中部署Nutanix,应从其他本地基础设施中进行分割。在DRAA中,Prism Central和Prism Element之间的通信群簇与XI负载平衡器子网复制需要复制工作负载

当在XI上运行实时工作负载或在VM上失败到DRAA(计划的故障转移)时,工作负载子网之间还需要在本地和DRAAS基础结构之间进行通信以使您的应用程序工作。例如,如果我们运行实时工作负载或执行XI的完整子网故障转移,并且DRAA上的VMS在子网10.10.200.0/24上运行,并且我们的On-Prem具有在子网10.10.101.0/24上运行的VM,则是理想的。交通流量应如下所示。

  • 来自本地VM(10.10.101.10/24)的流量应首先转到其网关,该网关在核心开关上或本地侧面的防火墙上。
  • 在路由器上添加静态路由,将流量重定向到本地VPN设备。对于目标子网10.10.200.0/24,其下助线为10.10.100.10,即本地VPN Appliance的IP。笔记- In this case, if the same device hosts the gateway of both 10.10.101.0/24 and 10.10.100.0/24 subnet then it shouldn’t be a problem because 10.10.101.0/24 subnet would know how to route the traffic to the next hop 10.10.100.10. If the gateway of both the on-prem subnets are hosted on different devices then we would need to make sure to route the traffic to the on-prem VPN appliance by specifying the appropriate next hop in each router.
  • 一旦流量到达本地VPN设备,它将将流量发送到XI侧VPN的虚拟隧道界面(VTI)。
  • XI侧VPN将将流量发送到上游虚拟路由器,该路由器托有XI侧子网10.10.200.0/24的网关。
  • 现在,流量将发送到XI侧的VM,例如10.10.200.10/24。
  • 对于反向路径,在XI侧添加静态路线。XI需要此路线,以将目的地的流量路由到本地子网至VPN连接。在XI上添加静态路线。对于目标子网10.10.101.0/24,下一个XI侧VPN连接的跳跃(请参阅下一个有关如何配置此静态路由的部分)。
  • XI侧VM将将流量发送到虚拟路由器,然后根据先前配置的路由将其发送到XI侧的VPN设备。
  • XI侧VPN将将流量发送到本地VPN设备的VTI界面,该电源的默认路由将所有流量发送到其网关10.10.100.1/24
  • 现在,流量将路由到10.10.101.0/24子网的网关,从那里到本地VM。

从xi侧添加静态路线

  • 登录到XI PC,然后转到网络和安全性下的“虚拟私有云”
  • 点击生产
  • 现在,单击如下所示的路线
  • 点击创建静态路由
  • 输入本地工作负载子网信息。
  • 选择VPN连接“ VPN - 连接”作为下一个Hop链接。
  • 点击节省

将第三方防火墙n-Prem部署到Draas服务的Nutanix VPN设备

在使用第三方防火墙和DRAAS服务的Nutanix VPN设备之间使用隧道时,部署会创建具有EBGP或静态路由的IPSEC隧道。

默认情况下,DRAAS服务将XI负载平衡器子网宣传到本地站点,该网站是XI DC中的专用子网,用作工作负载复制的目标网络。从本地开始,最初,我们只将棱镜元素的子网和棱镜中心的子网重新分布回XI DC,并在双方之间的开放端口进行端到端的通信。

当在XI上运行实时工作负载或通过VM失败到DRAA(计划的故障转移)时,工作量子网之间还需要在本地和DRAAS基础架构之间进行通信,以使您的应用程序工作。例如,如果我们运行实时工作负载或执行XI的完整子网故障转移,并且DRAA上的VMS在子网10.10.200.0/24上运行,并且我们的On-Prem具有在子网10.10.101.0/24上运行的VM,则是理想的。交通流量应遵循如下所示的路径:

  • 来自本地VM(10.10.101.10/32)的流量应首先转到其网关,该网关要么位于Onprom侧的物理网络设备上。
  • 通过IPSEC运行BGP时,我们可以在物理网络设备的重新分布配置文件中添加我们的网络,并将本地网络宣传到XI。您还需要打开防火墙规则,以通过IP策略或区域之间的本地和XI侧子网之间的通信,具体取决于如何配置防火墙。在IPSEC上使用静态路由时,您需要在物理网络设备上添加静态路线。例如,要到达XI侧目标子网10.10.200.0/24下一个跳跃是第三方防火墙VPN隧道。此外,您需要使用IP策略或区域之间在双方之间打开防火墙规则。笔记- 如果重新分配,请确保您的防火墙具有有关本地子网的信息,并根据本地网络配置适当地重新分配路线,即静态,OSPF,Connected等。
  • 接下来,防火墙/VPN将将流量发送到XI侧VPN的VTI接口
  • 收到后,XI侧VPN将将流量发送到上游虚拟路由器,该路由器托管XI侧subnet的网关10.10.200.0.0/24
  • 现在,流量将发送到XI侧的VM,10.10.200.10/32
  • 如果我们在IPSEC上使用静态路由,那么对于反向路径,您需要在XI侧添加静态路由。XI需要此路线,以将原始子网的流量路由到VPN连接。在XI上添加一个静态路由,该路由将是目标子网10.10.101.0/24,并在下一个VPN连接的下跳(请参阅上一节中有关如何在XI中配置此静态路由的部分)。相反,如果我们在IPSEC上使用EBGP,则XI将通过EBGP接收子网信息,在这种情况下,我们无需从XI侧添加静态路由。
  • 在相反的方向上,XI侧VM将将流量发送到虚拟路由器,然后将其发送到XI侧的VPN设备。
  • XI侧VPN将将流量发送到本地第三方防火墙的VTI接口。
  • 现在,流量将发送到另一个子网的网关,并从那里发送到本地VM。

©席2021 Nutanix,Inc。保留所有权利。Nutanix,Nutanix徽标和所有Nutanix产品,此处提到的功能和服务名称是美国和其他国家的Nutanix,Inc。的注册商标或商标。本文提到的其他品牌名称仅用于识别目的,可能是其各自持有人的商标。这篇文章可能包含指向不属于Nutanix.com一部分的外部网站的链接。Nutanix不控制这些站点,并对任何外部站点的内容或准确性不承担所有责任。我们决定链接到外部站点的决定不应被视为对该站点上任何内容的认可。本文中包含的某些信息可能与从第三方来源以及我们自己的内部估计和研究获得的研究,出版物,调查和其他数据有关。尽管我们认为这些第三方研究,出版物,调查和其他数据是在本文之日起可靠的,但它们尚未独立验证,并且我们对任何信息的充分性,公平性,准确性或完整性都没有任何陈述从第三方来源获得。

这篇文章可能包含明确和暗示的前瞻性陈述,这些陈述不是历史事实,而是基于我们当前的期望,估计和信念。此类陈述的准确性涉及风险和不确定性,并取决于未来的事件,包括可能无法控制的事件,实际结果可能与此类陈述所预期的或暗示的事件可能存在重大差异。本文所包含的任何前瞻性陈述仅在此期开始,除了法律要求外,我们没有义务更新或修改任何此类前瞻性陈述,以反映后续事件或情况。

Nutanix customers can set up a secure Virtual Private Network (VPN) connection from their on-premises datacenter to the Nutanix DRaaS service to replicate their workloads and setup communication between the two. A VPN solution also enables secure communication between your on-premises Prism<\/span>\u00ae<\/span> Central instance and the production Virtual Private Cloud (VPC) in the Nutanix DRaaS service.<\/span><\/p>

This blog will cover the following:<\/span><\/p>

How to enable workload communication between on-premises and your Nutanix DRaaS in the following scenarios:<\/span><\/p>

  • Nutanix managed VPN appliance on-premises to Nutanix VPN appliance on your Nutanix DRaaS.<\/span><\/li>\t
  • Third party VPN on-premises to Nutanix VPN appliance on your Nutanix DRaaS.<\/span><\/li><\/ul>

    Nutanix VPN Appliance On-premises to Nutanix VPN Appliance on Nutanix DRaaS<\/h3>

    When using the Nutanix managed VPN appliance on both sides of the connection, the deployment process automatically creates an ipsec tunnel with EBGP as the routing protocol running on top of it. These routes between both sides are advertised using EBGP.<\/span><\/p>

    By default, the Nutanix DRaaS advertises a load balancer subnet to the on-premises VPN. This is a \/29 subnet which is a dedicated subnet for the Nutanix DRaaS target. To do this, login to the DRaaS Prism Central (PC) instance and go to \u201cVPN<\/strong>\u201d under Network & Security<\/strong> and click on \u201cVPN Connection<\/strong>\u201d to view the load balancer subnet information under the sent route section on the VPN connection page. <\/span><\/p>

    From on-premises to the Nutanix DRaaS Services network, we only redistribute the connected on-premises subnet. For example, if we deploy the VPN appliance in the same subnet as the Prism Central and Prism Element cluster, this subnet would be redistributed via EBGP from on-premises to the Nutanix DRaaS instance. Nutanix deploys Nutanix the VPN appliance in the same subnet as Prism Central and Prism Element clusters which should be segmented from other on-premises infrastructure. The communication between Prism Central and Prism Element clusters to the Xi load balancer subnet in the DRaaS is required for replicating the workload<\/span>.<\/p>

    When running live workloads on Xi or failing over the VMs to the DRaaS (planned failover), communication between the on-prem and DRaaS infrastructure is also required between the workload subnets for your applications to work. For instance, if we run the live workloads or do a full subnet failover to Xi and the VMs on DRaaS are running on subnet 10.10.200.0\/24 and our on-prem has VMs running on subnet 10.10.101.0\/24, then the ideal traffic flow should follow the path as shown below.<\/span><\/p>

    \"//www.jhbzcj.com/next/community-blog-154/\"<\/figure>
    • Traffic from the on-prem VM (10.10.101.10\/24) should first go to its gateway which is either on the core switch or the firewall on the on-prem side. <\/span><\/li>\t
    • Add a static route on the router to redirect traffic to the on-prem VPN appliance. for destination subnet 10.10.200.0\/24 with a next-hop of 10.10.100.10,\u00a0 the IP of on-prem VPN appliance.<\/span> Note<\/strong> - In this case, if the same device hosts the gateway of both 10.10.101.0\/24 and 10.10.100.0\/24 subnet then it shouldn\u2019t be a problem because 10.10.101.0\/24 subnet would know how to route the traffic to the next hop 10.10.100.10. If the gateway of both the on-prem subnets are hosted on different devices then we would need to make sure to route the traffic to the on-prem VPN appliance by specifying the appropriate next hop in each router. <\/span><\/li>\t
    • Once the traffic reaches the on-prem VPN appliance, it will send the traffic to the Virtual Tunnel Interface (VTI) of the Xi side VPN. <\/span><\/li>\t
    • Xi side VPN will send the traffic to the upstream virtual router which hosts the gateway for the Xi side subnet 10.10.200.0\/24.<\/span><\/li>\t
    • Traffic will now be sent to the VM on the Xi side, for example 10.10.200.10\/24.<\/span><\/li><\/ul>
      \"//www.jhbzcj.com/next/community-blog-154/\"<\/figure>
      • For the reverse path, add a static route on the Xi side. This route is needed for Xi to route the traffic destined to on-prem subnets to the VPN connection. Add a static route on Xi. For destination subnet 10.10.101.0\/24 with a next hop of the Xi side VPN connection (Refer to the next section on how to configure this static route).<\/span><\/li>\t
      • The Xi side VM will send the traffic to the virtual router which will then send it to the VPN appliance on the Xi side per the previously configured route.<\/span><\/li>\t
      • Xi side VPN will send the traffic to the VTI interface of the on-prem VPN appliance which has a default route to send all the traffic to its gateway 10.10.100.1\/24<\/span><\/li>\t
      • Now the traffic will be routed to the 10.10.101.0\/24 subnet\u2019s gateway and from there to the on-prem VM. <\/span><\/li><\/ul>

        Adding a static route from the Xi side<\/h3>
        • Login to Xi PC and go to \u201cVirtual Private Clouds\u201d under Network & Security<\/li>\t
        • Click on Production<\/li>\t
        • Now, click on Routes as shown below<\/li><\/ul>
          \"//www.jhbzcj.com/next/community-blog-154/\"<\/figure>
          • Click on Create Static Routes<\/strong><\/span><\/li><\/ul>
            \"//www.jhbzcj.com/next/community-blog-154/\"<\/figure>
            • Enter the on-premises workload subnet information. <\/span><\/li>\t
            • Select the VPN connection \u201cvpn-connection\u201d as the Next Hop Link.<\/span><\/li><\/ul>
              \"//www.jhbzcj.com/next/community-blog-154/\"<\/figure>
              • Click Save<\/strong><\/span><\/li><\/ul>

                Deploying Third-Party Firewalls n-prem to the Nutanix VPN Appliance on DRaaS Services<\/span><\/h3>

                When using a tunnel between a third-party firewall on-prem and a Nutanix VPN appliance on DRaaS Services, the deployment creates an IPSec tunnel with either EBGP or static routing.<\/span><\/p>

                By default, DRaaS Services advertise a Xi load balancer subnet to the on-prem site which is a dedicated subnet in Xi DC used as a target network for workload replication. From on-prem, initially we only redistribute the subnet of Prism Element and Prism Central back to the Xi DC and open ports between the two sides to have end-to-end communication. <\/span><\/p>

                When running live workloads on Xi or failing over VMs to the DRaaS (planned failover), communication between the on-prem and DRaaS infrastructure is also required between the workload subnets for your applications to work. For instance, if we run the live workloads or do a full subnet failover to Xi and the VMs on DRaaS are running on subnet 10.10.200.0\/24 and our on-prem has VMs running on subnet 10.10.101.0\/24, then the ideal traffic flow should follow the path as shown below:<\/span><\/p>

                \"//www.jhbzcj.com/next/community-blog-154/\"<\/figure>
                • Traffic from the on-prem VM (10.10.101.10\/32) should first go to its gateway which is either on the physical network equipment on the onprem side. <\/span><\/li>\t
                • When running BGP over IPSec we can add our networks in the redistribution profile of the physical network equipment and advertise the on-prem network to Xi. You would also need to open the firewall rules to allow the communication between the on-prem and the Xi side subnets through IP policies or Zones, depending on how the firewall is configured. When using static routing over IPSec you would need to add a static route to the physical network equipment. For example, to reach the Xi side Destination subnet 10.10.200.0\/24 the next hop is the 3rd party firewall VPN tunnel. In addition, you need to open the firewall rules between the two sides using IP policies or Zones. Note<\/strong> - In case of redistribution, make sure that your firewall has the information about your on-prem subnet and redistribute the routes appropriately i.e. static, ospf, connected etc depending on on-premises network configuration. <\/span><\/li>\t
                • Next the firewall\/VPN will send the traffic to the VTI interface of the Xi side VPN<\/span><\/li>\t
                • Once received, the Xi side VPN will send the traffic to the upstream virtual router which hosts the gateway for the Xi side subnet 10.10.200.0\/24 <\/span><\/li>\t
                • Traffic will now be sent to the VM on the Xi side,10.10.200.10\/32<\/span><\/li>\t
                • If we are using static routing over IPSec, then for the reverse path you need to add a static route on the Xi side. This route is needed for Xi to route the traffic destined to the on-prem subnet to theVPN connection. Add a static route on Xi which will be destination subnet 10.10.101.0\/24 with a next hop of the VPN connection (Refer to the previous section on how to configure this static route in Xi). If instead we use EBGP over IPSec, then Xi will receive the subnet information via EBGP and in this case we would not need to add the static route from the Xi side. <\/span><\/li>\t
                • In the reverse direction, the Xi side VM will send the traffic to the virtual router which will then send it to the VPN appliance on the Xi side. <\/span><\/li>\t
                • The Xi side VPN will send the traffic to the VTI interface of the on-prem third-party firewalls.<\/span><\/li>\t
                • Now the traffic will be sent to the other subnet\u2019s gateway and from there to the on-premises VM. <\/span><\/li><\/ul>

                  \"\u00a9\ufe0f\" 2021 Nutanix, Inc. All rights reserved. Nutanix, the Nutanix logo and all Nutanix product, feature and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. Other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s). This post may contain links to external websites that are not part of Nutanix.com. Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such a site. Certain information contained in this post may relate to or be based on studies, publications, surveys and other data obtained from third-party sources and our own internal estimates and research. While we believe these third-party studies, publications, surveys and other data are reliable as of the date of this post, they have not independently verified, and we make no representation as to the adequacy, fairness, accuracy, or completeness of any information obtained from third-party sources.<\/p>

                  This post may contain express and implied forward-looking statements, which are not historical facts and are instead based on our current expectations, estimates and beliefs. The accuracy of such statements involves risks and uncertainties and depends upon future events, including those that may be beyond our control, and actual results may differ materially and adversely from those anticipated or implied by such statements. Any forward-looking statements included herein speak only as of the date hereof and, except as required by law, we assume no obligation to update or otherwise revise any of such forward-looking statements to reflect subsequent events or circumstances.<\/p>","quoteUsername":"ayushkapoor","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

该主题已关闭以供评论
Learn more about our cookies.<\/a>","cookiepolicy.button":"Accept cookies","cookiepolicy.button.deny":"Deny all","cookiepolicy.link":"Cookie settings","cookiepolicy.modal.title":"Cookie settings","cookiepolicy.modal.content":"We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.<\/a>","cookiepolicy.modal.level1":"Basic
Functional","cookiepolicy.modal.level2":"Normal
Functional + analytics","cookiepolicy.modal.level3":"Complete
Functional + analytics + social media + embedded videos"}}}">
Baidu