Google Cloud Platform Virtual Edge Deployment Guide

VMware SD-WAN by VeloCloud 3.4


You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2020 VMware, Inc. All rights reserved. Copyright and trademark information.


Contents

1 Google Cloud Platform Virtual Edge Deployment Guide 4

Google Cloud Virtual Edge Deployment Overview 4

Topology A - Virtual Edge Deployment on Google Cloud VPC Topology 6

Topology B - Virtual Edge Deployment on Google Cloud Single-Arm Topology 7

Topology C - Virtual Edge Deployment on Google Cloud with Deployment Manager 9

Enable Deployment Manager 12

Create a VPC Network 14

Create Inbound Firewall Rules 16

Provision an Edge on SD-WAN Orchestrator 18

Create a Virtual Edge Instance on GCP 21

Create a LAN Client Instance 24

Add a Route in a VPC Network 26

Add a Branch-to-Branch Route in a VPC Network 28

SSH Login to Edge using External IP 29

Verify Edge Activation 29


1 Google Cloud Platform Virtual Edge Deployment Guide

This document provides instructions for deploying a Virtual VMware SD-WAN Edge on Google Cloud Platform (GCP).

This chapter includes the following topics:

- Google Cloud Virtual Edge Deployment Overview
- Topology A - Virtual Edge Deployment on Google Cloud VPC Topology
- Topology B - Virtual Edge Deployment on Google Cloud Single-Arm Topology
- Topology C - Virtual Edge Deployment on Google Cloud with Deployment Manager
- Create a VPC Network
- Create Inbound Firewall Rules
- Provision an Edge on SD-WAN Orchestrator
- Create a Virtual Edge Instance on GCP
- Create a LAN Client Instance
- Add a Route in a VPC Network
- SSH Login to Edge using External IP
- Verify Edge Activation

Google Cloud Virtual Edge Deployment Overview

More customers are moving workloads to public cloud infrastructure and expect to extend SD-WAN from remote sites to the public cloud to guarantee SLAs. VMware SD-WAN offers multiple options: leverage distributed VMware SD-WAN Gateways to establish IPSec tunnels to the public cloud private network, or deploy a virtual Edge directly on Google Cloud Platform (GCP).


For small branch deployments that demand less than 1 Gbps of throughput, a single virtual Edge can be deployed in the private GCP network. For larger data center deployments that demand multi-gigabit throughput, hub clustering can be deployed.

Note In the VMware SD-WAN Hub clustering design, a Layer 3 Instance is leveraged on the LAN side to run BGP between hubs in the cluster and the Layer 3 Instance for route distribution in LAN. Since the GCP router does not support dynamic routing protocol, a third-party virtual router is required in the GCP infrastructure.

This document illustrates the high-level workflow of the following topologies to deploy a virtual SD-WAN Edge (vVCE) on GCP:

- Topology A - Virtual Edge Deployment on Google Cloud VPC Topology
- Topology B - Virtual Edge Deployment on Google Cloud Single-Arm Topology
- Topology C - Virtual Edge Deployment on Google Cloud with Deployment Manager

Prerequisites

- GCP account and login information.
- Familiarity with GCP networking concepts. For more information, see https://cloud.google.com/vpc/docs/overview.
- RSA public key. For more information, see https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys.
- GCP template. For more information, see https://cloud.google.com/deployment-manager/docs/fundamentals.
- SD-WAN Orchestrator target and admin account to log in.

GCP Machine Types

Bandwidth throughput and the number of network interfaces need to be considered when sizing the VMware SD-WAN Virtual Edge.

Throughput   30 Mbps   50 Mbps   100 Mbps   200 Mbps   400 Mbps   1 Gbps
vCPU         2         2         2          2          4          4
Memory       4 GB      4 GB      4 GB       8 GB       8 GB       8 GB

Machine Type    vCPUs   Memory (GB)   Max NICs
n2-highcpu-4    4       4             4
n2-highcpu-8    8       8             8


Topology A - Virtual Edge Deployment on Google Cloud VPC Topology

Describes the Virtual Edge deployment on the Google Cloud Virtual Private Cloud (VPC) with three VPC networks, each for a subnet connected to the Edge as shown in the following topology diagram.

[Topology A diagram: Google Cloud Platform (GCP) VPC, Internet, and the VMware SD-WAN Orchestrator (address 4.5.6.7, alias demo:velocloud.net). vVCE external IP 11.12.13.14, machine type n1-standard-4 (4 vCPU, 15 GB memory). Edge interfaces: GE1 (eth0) 172.16.102.21 in the MGMT VPC subnet (GW 172.16.102.1; inbound rule SSH TCP port 22, source 0.0.0.0/0); GE2 (eth1) 172.16.100.21 in the Public VPC subnet (GW 172.16.100.1; inbound rules SSH TCP port 22, source 172.16.102.0/24, and VCMP UDP port 2426, source 0.0.0.0/0); GE3 (eth2) 172.16.101.21 in the Private VPC subnet (GW 172.16.101.1; inbound rule SSH TCP port 22, source 172.16.102.0/24). Private VPC subnet: add a new route for the specific branch-to-branch route and specify the next hop IP as the GE3 (eth2) interface of the edge. Edge cloud-config: vco 4.5.6.7, activation_code ABCD-PQRS-EFGH-WXYZ, vco_ignore_cert_errors true.]

High-Level Workflow

To deploy a VMware SD-WAN Virtual Edge on Google Cloud Platform, perform the following steps:

1 Create three Virtual Private Cloud (VPC) networks (MGMT VPC network, Public VPC network, and Private VPC network), each for a subnet connected to the Edge (n1-standard-4) as shown in the topology diagram.

- MGMT VPC subnet for console/management access to the Edge through Management Interface GE1.
- Public VPC subnet for Internet access from the Edge through WAN-side Interface GE2.
- Private VPC subnet for LAN-side device access through LAN-side Interface GE3.

For steps, see Create a VPC Network.

2 Create inbound firewall rules for VPC networks: Management, Private, and Public. For steps, see Create Inbound Firewall Rules.

3 Provision an SD-WAN Edge on the VMware SD-WAN Orchestrator as follows:

a Create an edge of type Virtual Edge.

b Change GE1 interface to Routed from Switched and disable WAN Overlay and NAT Direct Traffic.


c Change GE2 interface to Routed from Switched and enable WAN Overlay and NAT Direct Traffic.

d Disable WAN Overlay and NAT Direct Traffic for GE3 interface, which will be the next hop for devices connected to Private Subnets (LAN devices).

For more information, see Provision an Edge on SD-WAN Orchestrator.

4 Create and launch a virtual SD-WAN Edge (vVCE) instance of machine type n1-standard-4 (4 vCPU, 15 GB memory) on GCP, and add three interfaces in the VPC networks as follows:

- First interface in Management VPC network with IP forwarding enabled. You do not need to configure an external IP for this interface.
- Second interface in Public VPC network. You have to create a new static IP address and reserve the static IP address for this interface.
- Third interface in Private VPC network. You do not need to configure an external IP for this interface.

For steps, see Create a Virtual Edge Instance on GCP.

The Edge instance will be activated against the SD-WAN Orchestrator and the Edge will be able to establish the VCMP tunnel to the Gateway.

5 Create a LAN Client instance. For steps, see Create a LAN Client Instance.

6 Add a new default route (0.0.0.0/0) entry in route table of Private VPC network pointing to the edge, with the next hop IP address as the edge's GE3 interface IP.

For steps, see Add a Route in a VPC Network.

7 Verify if the virtual edge is up in the SD-WAN Orchestrator.

Topology B - Virtual Edge Deployment on Google Cloud Single-Arm Topology

Describes the Virtual Edge deployment on the Google Cloud Virtual Private Cloud (VPC) with three VPC networks, each for a subnet connected to the Edge as shown in the following Single-Arm topology diagram.


[Topology B diagram: Google Cloud Platform (GCP) VPC, Internet, and the VMware SD-WAN Orchestrator (address 4.5.6.7, alias demo:velocloud.net). vVCE external IP 11.12.13.14, machine type n1-standard-2 (2 vCPU, 7.5 GB memory). Edge interfaces: GE1 (eth0) 10.10.1.21 in the MGMT VPC subnet (GW 10.10.1.1; MGMT VPC network inbound rule SSH TCP port 22, source 0.0.0.0/0); GE2 (eth1) 10.10.2.21 in the Public VPC subnet (GW 10.10.2.1). Public VPC network inbound rules: SSH TCP port 22, source 10.10.1.0/24, and VCMP UDP port 2426, source 0.0.0.0/0. Private VPC subnet (GW 10.10.3.1): add a new route for the specific branch-to-branch route and specify the next hop IP as the GE2 (eth1) interface of the edge. Edge cloud-config: vco 4.5.6.7, activation_code ABCD-PQRS-EFGH-WXYZ, vco_ignore_cert_errors true.]

High-Level Workflow

To deploy a VMware SD-WAN Virtual Edge on Google Cloud Platform, perform the following steps:

1 Create two Virtual Private Cloud (VPC) networks with subnets connected to the Edge as shown in the topology diagram.

- MGMT VPC network with a MGMT VPC subnet for console/management access to the Edge through Management Interface GE1.
- Public VPC network with two subnets: Public VPC subnet for Internet access and Private VPC subnet for LAN-side devices.

For steps, see Create a VPC Network.

2 Create inbound firewall rules for VPC networks: Management and Public. For steps, see Create Inbound Firewall Rules.

3 Provision an SD-WAN Edge on the SD-WAN Orchestrator as follows:

a Create an edge of type Virtual Edge.

b Change GE1 interface to Routed from Switched and disable WAN Overlay and NAT Direct Traffic.

c Change GE2 interface to Routed from Switched and enable WAN Overlay and NAT Direct Traffic.

d Add a static route on the Edge that points to the Private VPC network with next hop as default gateway of the VPC network and interface as GE2.

For more information, see Provision an Edge on SD-WAN Orchestrator.


4 Create and launch a virtual SD-WAN Edge (vVCE) instance of machine type n1-standard-2 (2 vCPU, 7.5 GB memory) on GCP, and add two interfaces in the VPC networks as follows:

- First interface in Management VPC network. Select None for External IP and enable IP forwarding.
- Second interface in Public VPC network. Create a new External IP address by clicking Create IP address from the External IP drop-down menu, and reserve the new static IP address for this interface.

For steps, see Create a Virtual Edge Instance on GCP.

Note For Single-Arm topology, do not add a third interface in the Private VPC network.

The Edge instance will be activated against the SD-WAN Orchestrator and the Edge will be able to establish the VCMP tunnel to the Gateway.

5 Create a LAN Client instance. For steps, see Create a LAN Client Instance.

6 Add a branch-to-branch route entry in route table of Private VPC network pointing to the edge, with the next hop IP address as the edge's GE2 interface IP.

For steps, see Add a Branch-to-Branch Route in a VPC Network.

7 Verify if the virtual edge is up in the SD-WAN Orchestrator.

Topology C - Virtual Edge Deployment on Google Cloud with Deployment Manager

Describes the Virtual Edge deployment on the Google Cloud Virtual Private Cloud (VPC) using a Deployment Manager (DM), with three VPC networks: Management VPC (10.0.2.x/24), Public VPC (10.0.0.x/24), and Private VPC (10.0.1.x/24), each for a subnet connected to the Edge as shown in the following topology diagram.


[Topology C diagram: Google Cloud Platform (GCP), region us-west1 (Oregon). vVCE instance of machine type n1-standard-4 with GE1 (10.0.2.6) in the Mgmt Subnet (10.0.2.x/24), GE2 (10.0.0.4) in the Public Subnet (10.0.0.x/24), and GE3 (10.0.1.4) in the Private Subnet (10.0.1.x/24); external addresses 34.83.80.249 and 34.82.243.159. A Linux jump host (Linux-JH, eth0 10.0.2.4 in the Mgmt Subnet, external IP 35.19.184.51) and a workload (ubuntu-srv, eth0 10.0.1.5 in the Private Subnet). The Private Subnet gateway forwards RFC1918 traffic to the vVCE instance.]

The Virtual Edge routes between the two subnets. The Public VPC routes forward all off-net traffic to the Internet Gateway. The gateway router in the Private Subnet forwards all traffic to the LAN-facing interface on the Virtual Edge (GE3). In this example, a default route is used to forward all traffic from the workloads, but this is not required: RFC1918 summarization or specific branch/hub prefixes can be used to narrow what is sent to the Virtual Edge. For example, if the workloads in the Private Subnet still need to be reachable over SSH from publicly sourced IPs, the VPC router could be configured to point the default route (0.0.0.0/0) to the Internet Gateway and the RFC1918 summaries to the Virtual Edge.
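The two route designs just described, worked through as an added example that is not part of the guide: a longest-prefix-match lookup over constructed route tables for the Private Subnet, using the GE3 address 10.0.1.4 from the diagram. GCP selects the route with the longest matching destination range and, on a tie, the lowest priority value; `select_route` reproduces that. The route names, priorities and the "local-subnet" placeholder next hop are this example's own.

```python
import ipaddress

EDGE_GE3_IP = "10.0.1.4"              # LAN-facing edge interface (Topology C diagram)
INTERNET_GW = "default-internet-gateway"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def private_subnet_routes(all_to_edge):
    """Constructed route table for the Private Subnet as (destRange, nextHop, priority).

    all_to_edge=True is the guide's default-route design; False is the variant that
    sends only RFC1918 destinations to the edge and everything else to the Internet.
    """
    routes = [("10.0.1.0/24", "local-subnet", 0)]      # the subnet's own range is always local
    if all_to_edge:
        routes.append(("0.0.0.0/0", EDGE_GE3_IP, 1000))
    else:
        routes.append(("0.0.0.0/0", INTERNET_GW, 1000))
        routes += [(prefix, EDGE_GE3_IP, 1000) for prefix in RFC1918]
    return routes


def select_route(dst, routes):
    """Return (destRange, nextHop) the VPC would use: longest prefix, then lowest priority value."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest_range, next_hop, priority in routes:
        net = ipaddress.ip_network(dest_range)
        if addr in net:
            key = (net.prefixlen, -priority)      # longer prefix wins; then smaller priority number
            if best is None or key > best[0]:
                best = (key, dest_range, next_hop)
    return None if best is None else (best[1], best[2])


def classify(dst, all_to_edge):
    """Which next hop a workload packet to `dst` takes under the chosen design."""
    return select_route(dst, private_subnet_routes(all_to_edge))[1]


if __name__ == "__main__":
    for dst in ("10.20.30.40", "172.31.0.1", "8.8.8.8", "10.0.1.5"):
        print(f"{dst:>12}  all-to-edge -> {classify(dst, True):<24} rfc1918 -> {classify(dst, False)}")
```

With the RFC1918 variant, a reply to a public source address (the SSH case in the paragraph) matches only 0.0.0.0/0 and leaves through the Internet Gateway, while branch and hub prefixes still reach the edge.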

High-Level Workflow

To deploy a VMware SD-WAN Virtual Edge on Google Cloud Platform using a Deployment Manager, perform the following steps:

1 Enable the Cloud Deployment Manager API in GCP. For steps, see Enable Deployment Manager.

2 Provision an SD-WAN Edge on the SD-WAN Orchestrator as follows:

a Create an edge of type Virtual Edge and make a note of the activation key that is displayed at the top of the screen once the edge is provisioned.

b Configure a VLAN IP address (use 169.254.0.1/24) for the edge. Do not enable Advertise and DHCP.

c Configure the virtual edge interfaces as follows:

- Change GE2 interface capability to Routed from Switched and enable WAN Overlay and DHCP Addressing.
- For GE3 interface, disable WAN Overlay and NAT Direct Traffic, as this interface will be used as the LAN-side gateway.


For more information, see Provision an Edge on SD-WAN Orchestrator.

Note The SD-WAN Orchestrator needs the Device Settings configured first before edge activation. If this step is missed, the virtual edge activates but then goes offline a few minutes later.

3 Deploy the GCP image by creating the VPC networks first and then deploying the DM template with the relative reference for each interface. CLOUD-INIT is also used in the template to supply SD-WAN Orchestrator target and activation key for the vEdge.

a Create three Virtual Private Cloud (VPC) networks (MGMT VPC network, Public VPC network, and Private VPC network), each for a subnet connected to the Edge (n1-standard-4) as shown in the topology diagram.

- Mgmt Subnet for console/management access to the Edge through Management Interface GE1.
- Public Subnet for Internet access from the Edge through WAN-side Interface GE2.
- Private Subnet for LAN-side device access through LAN-side Interface GE3.

For steps on how to create VPC networks, see Create a VPC Network.

b Modify the Deployment Manager (DM) template. The following is a sample DM template. You can use this template, but be sure to make the necessary changes for your environment.

# "VMware SD-WAN by VeloCloud GCP Deployment Manager Template (34020191029)"
# gcloud deployment-manager deployments create velocloud-vce --config gcp_dm.yaml
# gcloud deployment-manager deployments delete velocloud-vce
resources:
- type: compute.v1.instance
  name: dm-gcp-vce-01
  properties:
    zone: us-west1-a
    machineType: https://www.googleapis.com/compute/v1/projects/gcp-nsx-sdwan/zones/us-west1-a/machineTypes/n1-standard-4
    canIpForward: true
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: https://www.googleapis.com/compute/v1/projects/gcp-nsx-sdwan/global/images/vce-340-62-r34-20190821-tt-image
    networkInterfaces:
    - network: https://www.googleapis.com/compute/v1/projects/gcp-nsx-sdwan/global/networks/velo-mgmt-vpc
      subnetwork: projects/gcp-nsx-sdwan/regions/us-west1/subnetworks/velo-mgmt-sn
    - network: https://www.googleapis.com/compute/v1/projects/gcp-nsx-sdwan/global/networks/velo-public-vpc
      subnetwork: projects/gcp-nsx-sdwan/regions/us-west1/subnetworks/public-sn
      accessConfigs:
      - name: External NAT
        type: ONE_TO_ONE_NAT
    - network: https://www.googleapis.com/compute/v1/projects/gcp-nsx-sdwan/global/networks/velo-private-vpc
      subnetwork: projects/gcp-nsx-sdwan/regions/us-west1/subnetworks/velo-private-sn
    metadata:
      items:
      - key: user-data
        value: |
          #cloud-config
          velocloud:
            vce:
              vco: 13.52.27.116
              activation_code: YPTF-PN33-THTX-28V5
              vco_ignore_cert_errors: false

For information about GCLOUD CLI, see https://cloud.google.com/sdk/gcloud/.
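One way to generate the whole Topology C deployment as a single Deployment Manager config, as an added example that is not the guide's sample template or VMware's code. It emits the three VPC networks and their subnets, the inbound rules shown in the guide's diagrams, the edge instance with its cloud-init user-data, and the Private VPC default route, and then checks the properties the guide's notes depend on: `canIpForward` on the instance, the route's next hop being the edge's own interface inside that VPC, and certificate validation toward the Orchestrator left on. Project, region, zone, image, VPC and subnet names, Orchestrator address and activation code are the ones in the guide's template; the resource names, the fixed interface addresses (`networkIP`, read from the diagram), and the `$(ref.NAME.selfLink)` references are this example's own choices.

```python
import json

PROJECT, REGION, ZONE = "gcp-nsx-sdwan", "us-west1", "us-west1-a"   # from the guide's template
API = f"https://www.googleapis.com/compute/v1/projects/{PROJECT}"
IMAGE = f"{API}/global/images/vce-340-62-r34-20190821-tt-image"
MACHINE = f"{API}/zones/{ZONE}/machineTypes/n1-standard-4"
ANY = "0.0.0.0/0"

# role -> (VPC name, subnet name, subnet CIDR, edge interface address)
# Names are the template's; the interface addresses are assumed from the diagram.
SUBNETS = {
    "mgmt":    ("velo-mgmt-vpc",    "velo-mgmt-sn",    "10.0.2.0/24", "10.0.2.6"),
    "public":  ("velo-public-vpc",  "public-sn",       "10.0.0.0/24", "10.0.0.4"),
    "private": ("velo-private-vpc", "velo-private-sn", "10.0.1.0/24", "10.0.1.4"),
}


def ref(name):
    # Deployment Manager reference: DM also creates the target before the resource using it
    return f"$(ref.{name}.selfLink)"


def cloud_init(vco, activation_code, ignore_cert_errors=False):
    # user-data in the format the guide shows; certificate checks stay on by default
    flag = "true" if ignore_cert_errors else "false"
    return ("#cloud-config\nvelocloud:\n  vce:\n"
            f"    vco: {vco}\n    activation_code: {activation_code}\n"
            f"    vco_ignore_cert_errors: {flag}\n")


def firewall(name, vpc, source, proto, port):
    return {"name": name, "type": "compute.v1.firewall", "properties": {
        "network": ref(vpc), "direction": "INGRESS", "sourceRanges": [source],
        "allowed": [{"IPProtocol": proto, "ports": [port]}]}}


def build_config(vco, activation_code, mgmt_ssh_source=ANY, ignore_cert_errors=False):
    mgmt_vpc, _, mgmt_cidr, _ = SUBNETS["mgmt"]
    public_vpc, private_vpc = SUBNETS["public"][0], SUBNETS["private"][0]
    res = []
    for vpc, sn, cidr, _ in SUBNETS.values():
        res.append({"name": vpc, "type": "compute.v1.network",
                    "properties": {"autoCreateSubnetworks": False}})
        res.append({"name": sn, "type": "compute.v1.subnetwork", "properties": {
            "network": ref(vpc), "region": REGION, "ipCidrRange": cidr}})
    # Inbound policy from the guide's diagrams: SSH into the management VPC (the guide
    # uses 0.0.0.0/0; pass your own admin range to narrow it), SSH into the other VPCs
    # only from the management subnet, and VCMP (UDP 2426) on the WAN side.
    res += [firewall("allow-mgmt-ssh", mgmt_vpc, mgmt_ssh_source, "tcp", "22"),
            firewall("allow-public-ssh", public_vpc, mgmt_cidr, "tcp", "22"),
            firewall("allow-public-vcmp", public_vpc, ANY, "udp", "2426"),
            firewall("allow-private-ssh", private_vpc, mgmt_cidr, "tcp", "22")]
    nics = []
    for role, (vpc, sn, _, ip) in SUBNETS.items():
        nic = {"network": ref(vpc), "subnetwork": ref(sn), "networkIP": ip}
        if role == "public":   # only the WAN interface (GE2) gets an external address
            nic["accessConfigs"] = [{"name": "External NAT", "type": "ONE_TO_ONE_NAT"}]
        nics.append(nic)
    res.append({"name": "dm-gcp-vce-01", "type": "compute.v1.instance", "properties": {
        "zone": ZONE, "machineType": MACHINE, "canIpForward": True,
        "disks": [{"deviceName": "boot", "type": "PERSISTENT", "boot": True,
                   "autoDelete": True, "initializeParams": {"sourceImage": IMAGE}}],
        "networkInterfaces": nics,
        "metadata": {"items": [{"key": "user-data",
                                "value": cloud_init(vco, activation_code, ignore_cert_errors)}]}}})
    # LAN-side default route of the Private VPC: the next hop is the edge's GE3 address
    res.append({"name": "private-default-to-edge", "type": "compute.v1.route", "properties": {
        "network": ref(private_vpc), "destRange": ANY,
        "nextHopIp": SUBNETS["private"][3], "priority": 1000}})
    return {"resources": res}


def check_config(cfg):
    """Return policy findings for a generated config; an empty list means it passes."""
    findings = []
    inst = next(r for r in cfg["resources"] if r["type"] == "compute.v1.instance")["properties"]
    if not inst.get("canIpForward"):
        findings.append("edge instance needs canIpForward to be a route next hop")
    nic_ip_by_net = {n["network"]: n.get("networkIP") for n in inst["networkInterfaces"]}
    for r in cfg["resources"]:
        if r["type"] == "compute.v1.route":
            p = r["properties"]
            if nic_ip_by_net.get(p["network"]) != p["nextHopIp"]:
                findings.append(f"route {r['name']}: next hop is not the edge interface in that VPC")
    if "vco_ignore_cert_errors: true" in inst["metadata"]["items"][0]["value"]:
        findings.append("cloud-init disables Orchestrator certificate validation")
    return findings


if __name__ == "__main__":
    cfg = build_config("13.52.27.116", "YPTF-PN33-THTX-28V5")
    print(json.dumps(cfg, indent=2))   # JSON is valid YAML; save as gcp_dm.yaml for --config
```

Running the script prints the config; saved as gcp_dm.yaml it can be passed to the `gcloud deployment-manager deployments create` command shown in the template's header comment. Fixing the interface addresses with `networkIP` is what keeps the route's `nextHopIp` valid across redeployments, which the guide's template leaves to DHCP assignment.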

4 Verify if the virtual edge is activated in the SD-WAN Orchestrator.

Once the instance is running in GCP and all information provided was correct, the virtual edge will reach out to the SD-WAN Orchestrator with the activation key, activate and perform software update if needed (and reboot if upgraded). Typical deployment time is between 3 to 4 minutes.

Enable Deployment Manager

Deployment Manager is an infrastructure deployment service that automates the creation and management of Google Cloud resources. Deployment Manager uses the underlying APIs of each Google Cloud service to deploy your resources.

The Google Cloud Deployment Manager V2 API provides services for configuring, deploying, and viewing Google Cloud services and APIs via templates which specify deployments of Cloud resources. To enable the Cloud Deployment Manager V2 API and create credentials, perform the following steps.

Prerequisites

- GCP account and login information.
- Familiarity with GCP Deployment Manager supported resource types. For more information, see https://cloud.google.com/deployment-manager/docs/configuration/supported-resource-types.

Procedure

1 Log on to the GCP Console.

2 Go to APIs & Services > Dashboard.

The APIs & Services page appears.

3 Click Enable APIS AND SERVICES.

4 Use the Search textbox to find the Deployment Manager API.


5 Click Cloud Deployment Manager V2 API and then click Enable.

The Cloud Deployment Manager API will be enabled. To use this API, you must create credentials.

6 Click Credentials > CREATE CREDENTIALS and select one of the following options to create credentials:

- API key
- OAuth client ID
- Service account
- Help me choose

7 Clicking API key will create an API key, which you can use in your application.

8 In the API key created pop-up window, click RESTRICT KEY, if you want to restrict your key to prevent unauthorized use in production, or else click CLOSE.


Results

The Deployment Manager and Compute Engine APIs are enabled and you can use the API to deploy your virtual edge resource.

What to do next

You can deploy virtual edge with the Deployment Manager. For complete steps, see Topology C - Virtual Edge Deployment on Google Cloud with Deployment Manager.

Create a VPC Network

You can choose to create an Automatic mode or Custom mode Virtual Private Cloud (VPC) network. Automatic mode networks create one subnet in each Google Cloud region automatically when you create the network. For Custom mode VPC networks, you have to create a network and then create the subnets that you want within a region. You can create subnets when you create the network or you can add subnets later, but you cannot create instances in a region that has no subnet defined.

Prerequisites

Ensure you have a Google account and access/login information to the Google Cloud Platform (GCP) Console.

Procedure

1 Log on to the GCP Console.

2 Click VPC Networks.

The VPC Networks page appears.


3 Click Create VPC network.

The Create a VPC network page appears.

4 In the Name textbox, enter a unique name for the VPC network.

5 Under Subnets, choose Custom or Automatic as the Subnet creation mode. If you choose Custom, then in the New subnet area, specify the following configuration parameters for a subnet:

a In the Name textbox, enter a unique name for the subnet.

b From the Region drop-down menu, select a region for the subnet.

c In the IP address range textbox, enter an IP address range.


d To define a secondary IP range for the subnet, click Create secondary IP range.

e Private Google access: Choose whether to enable Private Google Access for the subnet when you create it or later by editing it.

f Flow logs: Choose whether to enable VPC flow logs for the subnet when you create it or later by editing it.

g Click Done.

6 To add more subnets, click Add subnet and repeat the steps in Step 5. You can also add more subnets to the network after you have created the network.

7 Choose the Dynamic routing mode for the VPC network.

Dynamic (BGP) routing exchanges route information using TCP port 179.

8 Click Create.

Results

The VPC network and subnet are created.

What to do next

Create Inbound Firewall Rules

Create Inbound Firewall Rules

Firewall rules are defined at the network level, and only apply to the network where they are created. To create inbound firewall rules for a VPC network, perform the steps in this procedure.

Prerequisites

- Ensure you have a Google account and access/login information to the Google Cloud Platform (GCP) Console.
- Ensure you have created the VPC networks.
- Review the firewall rule components and become familiar with how firewall configuration components are used in Google Cloud.

Procedure

1 Log on to the GCP Console.

2 Click VPC Networks.

The VPC Networks page appears.

3 Click on the VPC network for which you want to add firewall rules.

The VPC network details page for the selected VPC network appears.


4 Go to the Firewall rules tab and click Add firewall rule.

The Create a firewall rule page appears.

5 In the Name textbox, enter a unique name for the firewall rule.

6 Optionally you can enable firewall logging by clicking On under Logs. By default, firewall logging is disabled.

7 For Direction of traffic, choose ingress.

8 For Action on match, choose Allow or Deny.

9 From the Targets drop-down menu, select the targets for the rule:

- If you want the rule to apply to all instances in the network, choose All instances in the network.


- If you want the rule to apply to select instances by network (target) tags, choose Specified target tags, then type the tags to which the rule should apply into the Target tags textbox.
- If you want the rule to apply to select instances by associated service account, choose Specified service account, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Target service account field.

10 From the Source filter drop-down menu, select IP ranges.

11 In the Source IP ranges textbox, enter the CIDR blocks to define the source for incoming traffic by IP address ranges. Use 0.0.0.0/0 for a source from any network.

12 Define the Protocols and ports to which the rule will apply:

- Select Allow all or Deny all, depending on the action, to have the rule apply to all protocols and ports.
- Define specific protocols and ports:
  - Select tcp to include the TCP protocol and ports. Enter all or a comma-delimited list of ports, such as 20-22, 80, 8080.
  - Select udp to include the UDP protocol and ports. Enter all or a comma-delimited list of ports, such as 67-69, 123.
  - Select Other protocols to include protocols such as ICMP, VCMP, SNMP, and so on, as required.

13 (Optional) You can create the firewall rule but not enforce it by setting its enforcement state to disabled. Click Disable rule, then select Disabled.

14 Click Create.

Results

The firewall rules are created for the selected VPC network.

What to do next

- Provision an Edge on SD-WAN Orchestrator
- Create a Virtual Edge Instance on GCP
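A check of the kind worth running once the rules above exist, as an added example that is not from the guide: it audits an exported list of inbound rules against the policy shown in the Topology A diagram (SSH open to the Internet only on the management VPC, SSH on the other VPCs only from the management subnet 172.16.102.0/24, VCMP UDP 2426 exposed only on the Public VPC) and reports rules whose logging is still at the default of off. The rule list is constructed for this example in the shape of the Compute API firewall resource, which is what `gcloud compute firewall-rules list --format=json` prints; the VPC names mgmt-vpc, public-vpc and private-vpc, the rule names, and the deliberately wide BAD_RULE are this example's own.

```python
import ipaddress

MGMT_SUBNET = ipaddress.ip_network("172.16.102.0/24")   # console access source (Topology A)
MGMT_NET, WAN_NET = "mgmt-vpc", "public-vpc"            # constructed VPC names for this example

# Constructed sample mirroring the Topology A diagram, shaped like the Compute API
# firewall resource (real output carries full selfLinks in "network"; bare names work too).
RULES = [
    {"name": "mgmt-allow-ssh", "network": MGMT_NET, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "logConfig": {"enable": True}},
    {"name": "public-allow-ssh", "network": WAN_NET, "direction": "INGRESS",
     "sourceRanges": ["172.16.102.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "logConfig": {"enable": True}},
    {"name": "public-allow-vcmp", "network": WAN_NET, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "udp", "ports": ["2426"]}],
     "logConfig": {"enable": True}},
    {"name": "private-allow-ssh", "network": "private-vpc", "direction": "INGRESS",
     "sourceRanges": ["172.16.102.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "logConfig": {"enable": False}},      # logging left at its default (off)
]
# A constructed misconfiguration: a port range on the LAN VPC that silently includes 22.
BAD_RULE = {"name": "private-allow-ftp", "network": "private-vpc", "direction": "INGRESS",
            "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-22"]}],
            "logConfig": {"enable": True}}


def port_open(ports, port):
    """True if a GCP port list ('22', '20-22', ...) covers `port`; an empty list means all ports."""
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def audit(rules):
    """Return (rule name, finding code) pairs for ingress allow rules that break the guide's policy."""
    findings = []
    for r in rules:
        if r.get("direction", "INGRESS") != "INGRESS" or r.get("disabled") or "allowed" not in r:
            continue
        net = r["network"].rsplit("/", 1)[-1]            # accept selfLinks or bare names
        srcs = [ipaddress.ip_network(s) for s in r.get("sourceRanges", [])]
        outside_mgmt = [s for s in srcs if not s.subnet_of(MGMT_SUBNET)]
        world = any(s.prefixlen == 0 for s in srcs)
        for a in r["allowed"]:
            proto, ports = a["IPProtocol"], a.get("ports", [])
            if proto == "all" and world:
                findings.append((r["name"], "ALL_PROTOCOLS_FROM_ANY"))
            if proto == "tcp" and port_open(ports, 22) and net != MGMT_NET and outside_mgmt:
                findings.append((r["name"], "SSH_NOT_LIMITED_TO_MGMT"))
            if proto == "udp" and port_open(ports, 2426) and net != WAN_NET:
                findings.append((r["name"], "VCMP_ON_NON_WAN_NETWORK"))
        if not r.get("logConfig", {}).get("enable"):
            findings.append((r["name"], "LOGGING_DISABLED"))
    return findings


if __name__ == "__main__":
    for name, code in audit(RULES + [BAD_RULE]):
        print(f"{name}: {code}")
```

The port-range parsing matters because the Console accepts entries such as 20-22, 80, 8080 (step 12), so a rule can open SSH without the string "22" ever appearing on its own.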

Provision an Edge on SD-WAN Orchestrator

To provision an SD-WAN Edge, perform the steps in this procedure.

Prerequisites

Ensure you have the SD-WAN Orchestrator host name and admin account to login.


Procedure

1 Log in to the SD-WAN Orchestrator application as Admin user, with your login credentials.

The SD-WAN Orchestrator screen appears.

2 Go to Configure > Edges.

3 Click New Edge.

The Provision New Edge dialog box appears.

4 In the Name text box, enter a unique name for the Edge.

5 From the Model drop-down menu, select Virtual Edge.

6 From the Profile drop-down menu, select Quick Start Profile and click Create.

The Edge is provisioned, and the activation key is displayed on the top of the page. Make a note of the activation key to use it for launching the Edge from the Google Cloud Platform (GCP) Console.


7 Configure Virtual Edge interfaces. The following steps are explained considering Topology A - Virtual Edge Deployment on Google Cloud VPC Topology.

a Click the Device tab and go to the Interface Settings area.

b Update the configurations of the Virtual Edge interfaces (GE1 Interface, GE2 Interface, and GE3 Interface) by clicking Edit next to the interface and then selecting the Override Interface checkbox, as follows:

- Change GE1 interface capability to Routed and disable WAN Overlay and NAT Direct Traffic.
- Change GE2 interface capability to Routed and ensure WAN Overlay and NAT Direct Traffic are enabled.
- For GE3 interface, disable WAN Overlay and NAT Direct Traffic; this interface will be the next hop for devices connected to Private VPC subnets (LAN devices).

Note If you are using an Edge instance with only two interfaces as illustrated in Topology B - Virtual Edge Deployment on Google Cloud Single-Arm Topology, then the Public interface (GE2) will be used for both WAN and LAN connectivity. For the LAN network to point to the GE2 interface, under Static Route Settings, configure a static route on the Edge that points to the Private VPC subnet as shown in the following sample screenshot.

Results

An edge is provisioned on SD-WAN Orchestrator.


What to do next

Create a Virtual Edge Instance on GCP.

Create a Virtual Edge Instance on GCP

In the Google Cloud Console, you can create a Virtual Machine (VM) instance using a boot disk image, a boot disk snapshot, or a container image. To create a virtual machine (VM) instance using a boot disk image, perform the steps in this procedure.

Prerequisites

Ensure you have a Google account and access/login information to the Google Cloud Platform (GCP) Console.

Procedure

1 Log on to the GCP Console.

2 Click Compute Engine > VM instances.

The VM instances page appears.


3 Click CREATE INSTANCE.

The Create an instance page appears.

4 In the Name textbox, enter a unique name for your instance.

5 From the Region drop-down menu, select the region where the VPC networks are created.

6 Select a machine configuration for your instance. From the Machine type drop-down menu, select an option based on the topology configured.

Google Cloud recommends using the n1-standard-4 (4 vCPU, 15 GB memory) machine type for Topology A - Virtual Edge Deployment on Google Cloud VPC Topology and the n1-standard-2 (2 vCPU, 7.5 GB memory) machine type for Topology B - Virtual Edge Deployment on Google Cloud Single-Arm Topology.

7 In the Boot disk area, click Change to configure your boot disk as the SD-WAN Edge image.

a Click the Custom images tab.

b From the Show images from drop-down menu, select a VMware SD-WAN project.

c Choose the image you want and click Select.

Note If you cannot choose a GCP boot image, contact your VMware SD-WAN by VeloCloud Support Provider. If your Support Provider is a Partner, contact their support desk. If your Support Provider is VMware, see https://kb.vmware.com/s/article/53907 for further instructions.

8 In the Identity and API access area, from the Service account drop-down menu, select your project name.

9 In the Firewall area, to permit HTTP or HTTPS traffic to the VM instance, select Allow HTTP traffic or Allow HTTPS traffic.

10 Expand Management, security, disks, networking, sole tenancy.

11 Click the Management tab and, in the Metadata area, provide the cloud-init user data (activation data) in the following sample format. Replace the SD-WAN Orchestrator address (vco) and the activation code with the values for your own SD-WAN Orchestrator setup.

Sample cloud-init user-data

#cloud-config
velocloud:
  vce:
    vco: 13.52.27.116
    activation_code: YPTF-PN33-THTX-28V5
    vco_ignore_cert_errors: false

12 Click the Security tab and, in the SSH Keys area, provide the SSH public key that will be used to SSH to the edge.

Sample SSH public key

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPM4LkRn+n8aF/C5fIsonktjfiwGuAlaB7buCz8xj8SMvKlPoOl+TG0IE8zyZ1ox/Y6+/2G799S+Euvn8gT5zAg6x0T9Y8Hor4o9MT6rWCbrf4W/FepNrCz9hEBK6LHRtglhqVB+q8cY6bYjmlfHttNFuWAO7VlUlfsfSczzIDtByOwuCNcLk59o/cwffUURfZvZS8b2f1pd4dq6GJonN6V81jjJ7emGieBcnZzEnCr9ix/p+6Dvu0eklNhAJXCXeaxmPyjiDlxe7+GzgumKB1vGEjpgklV/QU8BoCQM7uIApph0OXsSpJosZLAK2PqeQ6pkGpBXsq64bik98CvITT vcadmin

Note Add vcadmin as the comment at the end of the key, because only the vcadmin user is allowed to SSH to the edge by default.

13 Click the Networking tab and add interfaces for the configured VPC networks, as follows.

a Under Network interfaces, click the edit icon.

b From the Network drop-down menu, select the network to which you want to add an interface.

c Configure External IP and IP forwarding as follows:

- For the Management network, select None for External IP and enable IP forwarding.

- For the Public network, create a new External IP address by clicking Create IP address in the External IP drop-down menu, and reserve the new static IP address for this interface.

- For the Private network, select None for External IP.

d Click Done.

e To add another interface, click Add network interface and repeat steps b through d.

14 Click Create.
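The following script is an added example, not code from this guide, VMware or Google. It ties steps 11 through 13 together from the command line: it renders the #cloud-config activation data, checks that an OpenSSH public key is well formed and carries the vcadmin comment the edge requires, and assembles the gcloud equivalent of the console choices (no external address on the Management and Private interfaces, the reserved static address only on the Public interface, IP forwarding on). The activation-code pattern is inferred from the sample on the page, and the VPC and subnet names, the image names, the zone and every address and key are constructed placeholders.

```python
# Added example (not VMware's or Google's code): build the activation
# user-data from step 11, check the SSH public key from step 12, and
# assemble the gcloud equivalent of steps 4-14.  Every name, address and
# key below is a constructed placeholder.
import base64
import re
import struct

# Four groups of four characters, inferred from the page's sample (assumption).
ACTIVATION_CODE_RE = re.compile(r"^[A-Z0-9]{4}(-[A-Z0-9]{4}){3}$")


def render_user_data(vco, activation_code, ignore_cert_errors=False):
    """Return the #cloud-config user-data the edge reads at first boot.

    The edge must verify the Orchestrator's TLS certificate, so this
    refuses to emit vco_ignore_cert_errors: true; fix the certificate or
    the vco value instead of disabling the check.
    """
    if not ACTIVATION_CODE_RE.match(activation_code):
        raise ValueError(f"malformed activation code: {activation_code!r}")
    if ignore_cert_errors:
        raise ValueError("refusing to disable Orchestrator certificate checks")
    return (
        "#cloud-config\n"
        "velocloud:\n"
        "  vce:\n"
        f"    vco: {vco}\n"
        f"    activation_code: {activation_code}\n"
        "    vco_ignore_cert_errors: false\n"
    )


def _ssh_string(data):
    """One length-prefixed field of the OpenSSH public-key wire format."""
    return struct.pack(">I", len(data)) + data


def make_test_rsa_public_key(comment):
    """Constructed ssh-rsa line with a toy modulus: structurally valid,
    not a usable key."""
    blob = (_ssh_string(b"ssh-rsa")
            + _ssh_string(b"\x01\x00\x01")     # e = 65537
            + _ssh_string(b"\x00\xc3\x5b"))    # toy modulus, placeholder only
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def check_ssh_public_key(line, required_user="vcadmin"):
    """Validate a public-key line for the edge's SSH Keys field.

    The key type inside the base64 blob must match the leading type word,
    and the trailing comment must name the only login user the edge
    permits by default (the note under step 12).
    """
    parts = line.strip().split()
    if len(parts) != 3:
        return False
    key_type, b64, comment = parts
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] == key_type.encode() and comment == required_user


def build_create_command(name, zone, machine_type, image, image_project,
                         user_data_path, ssh_key_line, public_static_ip):
    """argv for `gcloud compute instances create` mirroring the console
    choices of step 13: Management and Private NICs get no external
    address, only the Public NIC gets the reserved static IP, and IP
    forwarding is enabled (gcloud sets it per instance, not per NIC).
    VPC and subnet names are assumptions."""
    return [
        "gcloud", "compute", "instances", "create", name,
        "--zone", zone,
        "--machine-type", machine_type,
        "--image", image,
        "--image-project", image_project,
        "--can-ip-forward",
        "--metadata-from-file", f"user-data={user_data_path}",
        "--metadata", f"ssh-keys=vcadmin:{ssh_key_line}",
        "--network-interface", "network=mgmt-vpc,subnet=mgmt-subnet,no-address",
        "--network-interface",
        f"network=public-vpc,subnet=public-subnet,address={public_static_ip}",
        "--network-interface", "network=private-vpc,subnet=private-subnet,no-address",
    ]


if __name__ == "__main__":
    key = make_test_rsa_public_key("vcadmin")
    print(render_user_data("13.52.27.116", "YPTF-PN33-THTX-28V5"))
    print(" ".join(build_create_command(
        "gcp-edge-1", "us-west1-a", "n1-standard-4", "velocloud-edge-image",
        "velocloud-project", "user-data.yaml", key, "203.0.113.10")))
```

Write the rendered user-data to the file named in the command before running it, and keep the activation code out of shell history and shared images: it is a one-time secret that anyone who can read the instance metadata can see.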

Results

A virtual edge instance is created, and Compute Engine automatically starts the edge instance after it is created.

What to do next

Create a LAN Client Instance

Create a LAN Client Instance

Describes how to create a LAN Client instance on the GCP console.

Prerequisites

Ensure you have a Google account and access/login information to the Google Cloud Platform (GCP) Console.

Procedure

1 Log on to the GCP Console.

2 Click Compute Engine > VM instances.

The VM instances page appears.

3 Click CREATE INSTANCE.

The Create an instance page appears.

4 In the Name textbox, enter a unique name for your LAN Client instance.

5 From the Region drop-down menu, select the region where the VPC networks are created.

6 Select a machine configuration for your instance. From the Machine type drop-down menu, select an option based on the topology configured.

7 In the Boot disk area, click Change.

a Click the OS images tab and choose a Linux-based image to create a boot disk.

b Click Select.

8 In the Identity and API access area, from the Service account drop-down menu, select your project name.

9 In the Firewall area, to permit HTTP or HTTPS traffic to the VM instance, select Allow HTTP traffic or Allow HTTPS traffic.

10 Expand Management, security, disks, networking, sole tenancy.

11 Click the Security tab and in the SSH Keys area, provide your SSH public key that will be used to ssh to the edge.

Note Add vcadmin as the comment at the end of the key, because only the vcadmin user is allowed to SSH by default.

12 Click the Networking tab and add an interface in the Private VPC network as follows:

a Under Network interfaces, click the edit icon.

b From the Network drop-down menu, select your Private network.

c From the External IP drop-down menu, select None.

d From the IP forwarding drop-down menu, select On if you want to enable IP forwarding.

e Click Done.

13 Click Create.

Results

A LAN Client instance is created.

What to do next

Based on the configured network topology, add a route in the Private or Public VPC network pointing to the edge. For steps, see Add a Route in a VPC Network.

Add a Route in a VPC Network

Describes how to add a new default route in a Private Virtual Private Cloud (VPC) network pointing to an Edge, as illustrated in General Topology.

Prerequisites

- Ensure you have a Google account and access/login information to the Google Cloud Platform (GCP) Console.

- Ensure you have created VPC networks.

Procedure

1 Log on to the GCP Console.

2 Click VPC Networks.

The VPC Networks page appears.

3 Click on the VPC network (Private VPC network) for which you want to add a new default route.

The VPC network details page appears.

4 Go to the Routes tab and then delete the default route that was created during the VPC network creation.

5 Click Add route. The Create a route page appears.

a In the Name textbox, enter a unique name for the route entry.

b In the Destination IP range textbox, specify the new default route (for example, 0.0.0.0/0).

c In the Priority textbox, specify a priority for the route. A priority is only used to determine routing order if routes have equivalent destinations.

d From the Next hop drop-down menu, select Specify IP address.

e In the Next hop IP address textbox, enter the IP address of the edge interface in the selected VPC network, for example the IP address of the GE3 interface as illustrated in Topology A - Virtual Edge Deployment on Google Cloud VPC Topology.

f Click Create.

Results

A route entry is added in the route table of the selected VPC network.

What to do next

SSH Login to Edge using External IP

Add a Branch-to-Branch Route in a VPC Network

Describes how to add a branch-to-branch route in a Public Virtual Private Cloud (VPC) network pointing to an Edge, as illustrated in Single-Arm Topology.

Prerequisites

- Ensure you have a Google account and access/login information to the Google Cloud Platform (GCP) Console.

- Ensure you have created VPC networks.

Procedure

1 Log on to the GCP Console.

2 Click VPC Networks.

The VPC Networks page appears.

3 Click on the VPC network (Public VPC network) for which you want to add a branch-to-branch route.

The VPC network details page appears.

4 Go to the Routes tab and click Add route. The Create a route page appears.

a In the Name textbox, enter a unique name for the route entry.

b In the Destination IP range textbox, specify the IP address of a branch in the enterprise network, for example 172.16.0.0/20.

c In the Priority textbox, specify a priority for the route. A priority is only used to determine routing order if routes have equivalent destinations.

d From the Next hop drop-down menu, select Specify IP address.

e In the Next hop IP address textbox, enter the IP address of the edge interface in the selected VPC network. For example, IP address of the GE2 interface as illustrated in Topology B - Virtual Edge Deployment on Google Cloud Single-Arm Topology.

f Click Create.

Results

A route entry is added in the route table of the selected VPC network.
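The following model is an added example, not code from this guide, VMware or Google. It shows how Compute Engine chooses among the routes created in Add a Route in a VPC Network and Add a Branch-to-Branch Route in a VPC Network: the longest matching prefix wins, and the priority value (lower number preferred) only breaks ties between routes with the same destination, as step c of both procedures states. It also carries a defender's check for the Private VPC: after the system default route is deleted in step 4, no route may still point at the internet gateway, so every LAN flow leaves through the edge. The subnet prefixes, the edge interface addresses and the route names are constructed placeholders.

```python
# Added example (not VMware's or Google's code): a model of how Compute
# Engine chooses among the routes created in "Add a Route in a VPC
# Network" and "Add a Branch-to-Branch Route in a VPC Network".  The
# longest matching prefix wins; priority (lower number preferred) only
# breaks ties between routes with the same destination.  All addresses
# and names are constructed placeholders.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    name: str
    dest: IPv4Network
    priority: int   # Compute Engine default 1000; lower value is preferred
    next_hop: str   # "edge:<ip>", "default-internet-gateway" or "subnet-local"


def select_route(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Return the route Compute Engine would apply to a packet for dst."""
    candidates = [r for r in table if dst in r.dest]
    if not candidates:
        return None
    # Longest prefix first, then lowest priority value, then name for determinism.
    return min(candidates, key=lambda r: (-r.dest.prefixlen, r.priority, r.name))


def next_hop_for(table: List[Route], dst: str) -> str:
    """Next hop chosen for a destination given as a dotted-quad string."""
    route = select_route(table, IPv4Address(dst))
    return route.next_hop if route else "no-route"


def no_internet_bypass(table: List[Route]) -> bool:
    """Check for the Private VPC: after step 4 deleted the system default
    route, nothing may still point at the internet gateway, so every LAN
    flow must leave through the edge."""
    return all(r.next_hop != "default-internet-gateway" for r in table)


# Private VPC (Topology A) after steps 4 and 5: the subnet route plus the
# new 0.0.0.0/0 route whose next hop is the edge's GE3 address (constructed).
PRIVATE_VPC_ROUTES = [
    Route("private-subnet", IPv4Network("10.20.0.0/24"), 0, "subnet-local"),
    Route("default-via-edge", IPv4Network("0.0.0.0/0"), 1000, "edge:10.20.0.2"),
]

# Public VPC (single-arm Topology B): the system default route stays and the
# branch prefix 172.16.0.0/20 is steered to the edge's GE2 address (constructed).
PUBLIC_VPC_ROUTES = [
    Route("public-subnet", IPv4Network("10.10.0.0/24"), 0, "subnet-local"),
    Route("default-route", IPv4Network("0.0.0.0/0"), 1000, "default-internet-gateway"),
    Route("branch-hq-via-edge", IPv4Network("172.16.0.0/20"), 1000, "edge:10.10.0.2"),
]


def priority_tie_break_winner() -> str:
    """Two 0.0.0.0/0 routes that differ only in priority: the lower number wins."""
    table = PRIVATE_VPC_ROUTES + [
        Route("preferred-default", IPv4Network("0.0.0.0/0"), 900, "edge:10.20.0.3")
    ]
    return select_route(table, IPv4Address("198.51.100.7")).name


if __name__ == "__main__":
    for table_name, table, probes in (
        ("private", PRIVATE_VPC_ROUTES, ["10.20.0.7", "8.8.8.8"]),
        ("public", PUBLIC_VPC_ROUTES, ["172.16.5.9", "172.16.16.1"]),
    ):
        for dst in probes:
            print(f"{table_name}: {dst} -> {next_hop_for(table, dst)}")
    print("private VPC bypass-free:", no_internet_bypass(PRIVATE_VPC_ROUTES))
    print("tie-break winner:", priority_tie_break_winner())
```

Run the check against the real route table exported with gcloud compute routes list after the procedure: a surviving default-internet-gateway route in the Private VPC would let LAN clients reach the internet without passing the edge, which is the failure the deletion in step 4 is meant to prevent.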

What to do next

SSH Login to Edge using External IP

SSH Login to Edge using External IP

To use SSH to log in to an edge using its External (static) IP and verify activation, enter the following command:

ssh -i <private key> vcadmin@<External IP of the edge>

Use the private key matching the public key you provided, and the External IP of the edge reserved, in Create a Virtual Edge Instance on GCP.

Verify Edge Activation

Describes how to verify the virtual edge activation.

1 Log in to the SD-WAN Orchestrator.

2 Go to Monitor > Edges.

3 In the VeloCloud Edges screen, verify whether your virtual edge has been activated successfully.
