For the farmers in the Frost poem, keeping good neighbors meant keeping the wall mended to control boundaries. But what does it mean for an admin managing a virtual environment? Pretty much the same thing. In place of pathways and stones, you have networks and routers. Instead of livestock, you have applications and VMs.
In a virtual environment, fenced VMs can communicate with other VMs inside the fence and, if you wish, outside the fence too. The network traffic in and out of the fence is controlled by the router, which acts as a gatekeeper. As the admin, you decide what network traffic is allowed, and the router does the work.
So what kind of things are you going to put in your fence? Well, that all depends on what you need. Maybe you’re a system admin in a school, tasked with setting up sandbox environments where students can do whatever they want with no internal or external access. Or maybe you work at a development shop and have lab environments using the same subnets that are frequently created and torn down. Maybe you want limited access, opening the routing for one VM, say a web server, while the other supporting VMs stay safely isolated. Fenced networks can provide both cattle (short-lived, high churn) and pet (longer living, maintained) services.
Okay, you’ve decided you need a fence. So who makes good fences?
If you want to stick with VMware products, VMware’s highly regarded LabManager has been retired, replaced by vCloud Automation Center… unless you’re a service provider, in which case you could use vCloud Director… but wait, its roadmap is somewhat “cloudy”, so you should probably use vCAC, which has been criticized for being overly complicated and has since been renamed vRealize Automation, so I guess you could use that… Or maybe you’re looking for something simpler, in which case you could try Embotics® vCommander™. In less than 30 minutes, you can have a fenced application configured and ready for automatic deployment. Let me show you how easy it is.
After installing vCommander and adding a vCenter so that vCommander can manage it:
- Set up an IP pool. Key consideration: What external network will you use?
- Set up a deployment destination for the fence.
- Create a fenced service.
- Request the service.
If you’ve already set up automatic approval and deployment, the fenced service will be deployed; otherwise, you can manually deploy the service. Once it’s deployed, you have a fully functioning fenced system. Go ahead and play around with it.
When you’re finished, delete the VMs in the fence and vCommander will take care of the cleanup — the virtual service, router and network created for the fenced service will be deleted. In cases where you know the lifespan of the fence, you can use an expiry policy to automatically delete the VMs, triggering the fence tear-down. Of course, this typically only applies if the fenced application is a short-lived cow.
The total time and effort from setup to tear-down is minimal. To learn how to set it up start-to-finish, see Network Fencing.