Creating Services Using Fenced Networks

Creating a fenced service is the final step in configuring fenced networks. See Network Fencing for an overview of the entire process.

With the IP pool and deployment destinations configured for network fencing, you can now create services ready for isolation. Existing services may also be reconfigured to use fencing by choosing to edit them and following the same steps.

Access through:

Configuration > Self-Service

Available to:

Commander Role of Superuser, Enterprise Admin

To create services using fenced networks:

  1. Click the Catalog tab.
  2. Click Add Service.
  3. On the Service Description page, provide a name and description for the service. Including details to indicate that the service is fenced ensures Service Portal users have the information they need to make appropriate decisions. A custom icon provides a visual cue that the service is fenced, and a category for fenced services is also recommended.
  4. On the Components page, click Add and choose either VM Template, Image or AMI.
  5. Enable Allow VMs in the catalog if the source of the service you want to add isn't a template. Use the Applications view and/or the search to refine the list of VMs or virtual services displayed, select your choice from the list, and click Add to Service. Once you have added all required components, click Close.
  6. Enable Deploy components as part of fenced network to have the service deployed in an isolated network.
  7. A subpage is added to the Add Service wizard for each component you added to the service in the previous step. On each subpage, you see tabs allowing you to customize options for each component in the service. At minimum, you see Infrastructure, Resources, Attributes and Form tabs. If you have integrated with external systems such as Puppet or Chef, additional tabs allow further customization. Adding elements to the Form tab allows requesters to change the default settings you configure on the other tabs. For more information on component-specific settings, see Adding vCenter Services to the Catalog.
  8. On the Deployment page, choose to deploy the service as individual components or as a virtual service. If you choose to deploy the service as a virtual service, you must also choose whether to use the default naming format or override it with one you define.
  9. Use the arrow controls to choose the deployment order of the components.

    When deployed as a virtual service, this order will also be the startup order used when powering the service on. Powering the service off will use the reverse order.

  10. Select a completion workflow for the entire service, if required.
  11. When you select to deploy as a fenced network on the Components page, the Fencing Configuration page appears. On this page, you define how the networking for the components will be defined on the vRouter.
    • In the External Router Interface section, the IP Address Assignment setting controls how the public external addressing for components is assigned. Choose DHCP to dynamically allocate addresses from a DHCP server on the network to which you're deploying the fenced service, or choose From IP pool to have Commander allocate an address from the IP pool configured for the deployment destination.
    • In the Internal Router Interface section, use the IP Address field to enter the address to assign as the gateway for the components on the vRouter deployed with the service.
    • Use the Subnet Mask field to configure a subnet mask other than the default 255.255.255.0.

      For each component, the NICs are identified in the Component Interface Configuration list.

  12. Set the Access mode for each NIC:
    • In/Out: Communication to and from the external public network is allowed on all ports.
    • In Only: Inbound communications from the external public network are allowed on all ports, but no outbound communications are allowed on any port.
    • Out Only: Outbound connections to the external public network are allowed on all ports, but no inbound communications are allowed on any port. Click Add Ports to create port forwarding rules for specific exceptions. See below for more information.
    • None: No communications to or from the external public network is allowed on any port. Click Add Ports to create port forwarding rules for specific exceptions. See below for more information.
  13. Set the Address Mode for each NIC, which defines how fenced components obtain IP addresses.
    • DCHP: The IP address will be assigned by the router providing the fence.
    • Static: The address you provide in the Static IP Address field will be used. Commander assigns the specified IP address to that component if requested over DHCP. The base image can be configured either with this static IP address, or with DHCP.
    • Static Assign: The address you enter in the Static IP Address field will be used. Entering the address provides the router with information needed to create a route to the VM, and Commander with the information to use during customization. If a customization spec isn't assigned to component in the service catalog, Commander will automatically create one and apply the static IP address through it. You can optionally add a Host Name; otherwise, the VM name will be used in the guest OS.
  14. By default, the vRouter in a fenced network redirects traffic from all public ports on the vRouter to all private ports on the fenced VM. You may want to expose only specific ports; specific application services in the fence can then be contacted via the exposed ports. For example, if one of the fenced VMs is a web server, you might want to expose only ports 80 and 443 so that clients on the external public network can access the website, while still blocking all other inbound communications.

    To expose only specific ports, under Port Forwarding, click Add Ports.

    Note: To configure port forwarding for a component, its Access Mode must be Out Only or None.

    fence_svc_config_page

    If your service has multiple components, in the Component Name drop-down menu, select the component you want to configure.

    • In the Public Port field, enter a port number. The public port is the port on the vRouter that external traffic will connect through.
    • In the Private Port field, enter a port number. The private port is the port on the fenced VM that the vRouter will direct traffic to.

    Note: You can specify a public port only once, but multiple public ports can forward to the same private port. For example, you can forward public ports 80 and 443 to private port 443.

    See Viewing Fencing Information for VMs to learn how users can view the public IP address for accessing the VM when port forwarding is configured.

  15. On the Visibility page, specify who is able to request the service:
    • Do not publish: Allows you to complete the configuration of the service without making it available for anyone to request. You can also use this selection to render a service temporarily unavailable by editing it later.
    • Publish – Global: Makes the service available to all users allowed to request services.
    • Publish - Specific organizations, users and groups: Allows you to limit who can see the service to those users you define.
  16. On the Summary page, review your choices and click Finish.