I did some trial and error experiments in my lab until I reached some good results that I thought I’d share with you through this blog post. So, with all that being said, I’d highly recommend trying this in your lab thoroughly before applying in production. To the best of my knowledge, everything you will see here is supported, however, you have to use with caution.

A high level overview.

I won’t go into the detailed benefits of vShield Edge/App and how they are two solid networking and security solutions. I just want to give you a glimpse on what you can achieve/expect from integrating them with vCloud Director:

• By adding the Load Balancing functionality of Edge, you can have simple (yet very powerful) load balancing for web applications in your cloud. The LB is currently limited to http but you can expect more protocols to show up in future releases (Hey, don’t qoute me on that . I will show you in details how to configure this in vCD/vSE later in the post.
• By adding the VPN functionality of Edge, you can do things like site-to-site VPN tunneling using IPsec. I will have a detailed blog post on this interesting subject soon.
• Adding the vShield App functionalities will give you another great tools like traffic visibility that you won’t normally have in these sophisticated inter-VM-networking. Think of it like NetFlow but with new ways to reach very deep levels of Org/vApp networks. You can also do some application level firewalling or even apply them on the vCD External Networks level to enforce some global security policies across all of your tenants. (I will talk about that as well in details in future posts).

First thing first. Licensing.

Before you can test anything here, you must have the appropriate licenses for vShield Manager. Remember, I’m referring here explicitly to the Edge and App (Endpoint is out of my scope here). You will need to get your licenses and apply them first in vCenter Server. This can be done like any other vSphere licenses. You have to note though that these licenses can be applied only after you associate your vCenter Server with the vCloud Director.

Preparing vShield Manager.

After applying the required licenses, you need to go to your vSM web portal and login with your user/pass (admin/default). Once you are there, click on Setting & Reports on the left panel, and then press on the Register button on the right side to register your vSM as an extension in vCenter Server. (Screenshot below)

After registering the vSM extension in vCenter, you will find a new icon in the “Solutions and Applications” tab. In addition to that, and in fact what interest us here, you will find two new tabs called “vShield Edge” and “vShield App” as shown in the screenshot below.

Installing and configuring vShield App

Although you can see the “vShield App” tab present in vCenter, you won’t be able to use anything there until you install the vShield Zones component in vSM. You do that but returning back to the vSM web portal (or now in the vCenter Solutions and Applications section), and selecting your ESX hosts that are present in the “Datacenter” list. On the right side, you will find the link to install the vShield App on the designated host. The setup is pretty straight forward, you just need to enter the IP settings and choose the appropriate datastore and network for storing/managing the appliance. (screenshot below).

Now to the real fun!

Okay, so now that we’ve taken care of all these pre-requisites to license and install the Edge/App components, it’s time to put them in action. I’ve tried to continue using screenshots for the procedures, but I found that really hard. I compiled instead this video (kind of quick and dirty) to make it easier and better to follow.

You can right-click on the image to save the high-resolution video. You can also view the video on You Tube or Vimeo.

And this is a quick illustration showing the setup in the video. We have an Organization called “ITDev” with an organization network which we created under the name “OrgNet-ITDev-Routed_LB”. This OrgNet is routed to an external network with the subnet 172.30.0.0/23.

Important notes

These are some of the notes that I’ve taken throughout the process of testing this integration:

• It is very important to note that you should *NOT* mess with the Firewall and NAT tabs of the vSphere/vShield Edge panels. Anything you can do inside vCloud Director, keep it there. The moment you start to mix things with each others, you will end up with a huge mess, and probably a broken configuration. Remember, the only objective of this post is to empower your cloud with added features that are not currently there in the vCD GUI. We are not trying here to replace the vCD portal with the vSphere Client!
• Make sure you have Abobe Flash Player installed and configured properly with your IE browser. I used here a remote lab to test and configure all that, and while in my initial phase, i had a quite hard time working with the vShield Edge screens. Nothing seemed to work and things used to freeze. After a lot of looking here and there i figured that Adobe was not installed on IE (i use Firefox to access the vCD). Once the Flash Player was installed and configured with IE, everything worked just fine.
• I mentioned earlier that you need to associate you vCenter Server first with vCloud Director in order to be able to apply the vShield Licenses. Make sure also after that to apply the full licenses of Edge in vCenter as it might be still using the basic vSE licensed features.
• DNS, DNS, DNS and D.N.S.

That’s all folks. I will come back with more posts on this subject when I have the time to touch on the vShield App use cases, as well as the VPN features inside vCD.

Quick Highlights from Reflex’s technology section around vTrust:

• Dynamic Policy Enforcement and Management– the ability to specify government regulation, corporate compliance, data center policy, best practice or security rules that adapt and move with the virtual assets (virtual machines, virtual network, group of VMs, hosts, clusters, vLAN, etc.), thus policy is enforced regardless of location, type of network connection, or type of virtual switch
• Policy Extends into the Cloud – vTrust can facilitate and automate the use of cloud and SaaS services by providing a cloud security API that enables enterprises and hosting/cloud solution providers to secure individual virtualization resources in the cloud
• Virtual Segmentation – create virtual trust zones on shared resources by dynamically partitioning the virtual infrastructure into separate virtual resources with different network communication policies (firewall rules)
• Virtual Quarantine – enforce data center policy when VMs are provisioned (VMs must meet certain criteria to be allowed on the network). Easily detect rogue or unauthorized guests or virtual machines which do not meet regulatory or compliance requirements
• Virtual Networking Policies – create and enforce a DMZ, block specific kinds of network traffic between virtual machines (P2P, IM, FTP, etc.), ensure only specific protocols are used on specific ports or networks, etc.