Configure the Client Network
The client network is the network on which the VCH endpoint VM makes the Docker API available to Docker clients. By designating a specific client network, you isolate the Docker endpoint, which controls every container that the VCH runs, from the public network. Virtual container hosts (VCHs) access vSphere Integrated Containers Management Portal and vSphere Integrated Containers Registry over the client network.
Options
The sections in this topic each correspond to an entry in the Configure Networks page of the Create Virtual Container Host wizard, and to the corresponding vic-machine create options.
Client Network
A port group on which the VCH makes the Docker API available to Docker clients. Docker clients use this network to issue Docker API requests to the VCH.
- The port group must exist before you create the VCH. For information about how to create a VMware vSphere Distributed Switch and a port group, see Create a vSphere Distributed Switch in the vSphere documentation.
- All hosts in a cluster should be attached to the port group. For information about how to add hosts to a vSphere Distributed Switch, see Add Hosts to a vSphere Distributed Switch in the vSphere documentation.
- You can use the same port group as the client network for multiple VCHs.
If you do not specify this option, the VCH uses the public network for client traffic.
Create VCH Wizard
- Expand the Advanced view.
- Select an existing port group from the Client network drop-down menu.
vic-machine Option
--client-network, --cln
You designate the client network by specifying the vic-machine create --client-network option.
--client-network port_group_name
If you specify an invalid port group name, vic-machine create fails and suggests valid port groups.
Static IP Address
By default, vSphere Integrated Containers Engine uses DHCP to obtain an IP address for the VCH endpoint VM on the client network. You can optionally configure a static IP address for the VCH endpoint VM on the client network.
- You can only specify one static IP address on a given port group. If the client network shares a port group with the public network, you can only specify a static IP address on the public network. All of the networks that share that port group use the IP address that you specify for the public network.
- If you set a static IP address for the VCH endpoint VM on the public network, you must specify the gateway address for the public network. If the client network is L2 adjacent to its gateway, you do not need to specify the corresponding gateway for the client network.
- If the client network shares a port group with the management network, and the public network does not use that port group, you can set a static IP address for the VCH endpoint VM on either of the client or management networks.
If you assign a static IP address to the VCH endpoint VM on the client network, and you do not specify one of the TLS options, vSphere Integrated Containers Engine uses this address as the Common Name with which to auto-generate trusted CA certificates. In that case, two-way TLS authentication with trusted certificates is implemented by default when you deploy the VCH with a static IP address on the client network, and vSphere Integrated Containers Engine creates the same certificate and environment variable files as described in the --tls-cname option. A Docker client that verifies the server certificate checks that the name in the certificate matches the address it connects to, which is why the address must be fixed: a certificate issued for an address that later changes under DHCP fails that check.
IMPORTANT: If the client network shares a port group with the public network, you cannot set a static IP address for the endpoint VM on the client network. To assign a static IP address to the VCH endpoint VM, you must set a static IP address on the public network. In this case, vSphere Integrated Containers Engine uses the public network IP address as the Common Name with which to auto-generate trusted CA certificates, in the same way as it would if you had set a static IP address on the client network.
You specify the address as an IPv4 address with a network mask.
Create VCH Wizard
- Select the Static radio button.
- Enter an IP address with a network mask in the IP Address text box, for example 192.168.3.10/24.
The Create Virtual Container Host wizard only accepts an IP address for the client network. You cannot specify an FQDN.
vic-machine Option
--client-network-ip, no short name
You specify addresses as IPv4 addresses with a network mask.
--client-network-ip 192.168.2.10/24
You can also specify the address as a resolvable FQDN.
--client-network-ip=vch27-team-a.internal.domain.com
Gateway
The gateway to use if you specify a static IP address for the VCH endpoint VM on the client network.
You specify gateway addresses as IP addresses without a network mask.
Create VCH Wizard
Enter the IP address of the gateway in the Gateway text box, for example 192.168.2.1.
The wizard requires a gateway address even if the client network is L2 adjacent to the gateway.
vic-machine Option
Specify a gateway address as an IP address without a network mask in the --client-network-gateway option. If the client network is L2 adjacent to its gateway, you do not need to specify the gateway.
--client-network-gateway 192.168.2.1
Routing Destination
The default route for the VCH endpoint VM is always on the public network. As a consequence, if you specify a static IP address on the client network and the Docker clients that use it are not L2 adjacent to the endpoint VM, so that their traffic must pass through the client network gateway, you must specify the routing destination for that network as a comma-separated list of CIDRs. For example, setting a routing destination of 192.168.2.0/24,192.168.128.0/24 informs the VCH that it can reach all of the Docker clients in the ranges 192.168.2.0-192.168.2.255 and 192.168.128.0-192.168.128.255 by sending packets to the specified gateway. Traffic to any destination that you do not list leaves the endpoint VM over the public network.
Ensure that the address ranges that you specify include all of the systems that will connect to this VCH instance, and no wider a range than they need: every destination that you list is routed over the client interface instead of the public default route.
Create VCH Wizard
If you set a static IP address on the client network, optionally enter the routing destination as a comma-separated list of CIDRs in the Routing destination text box. For example, enter 192.168.2.0/24,192.168.128.0/24.
vic-machine Option
You specify the routing destination or destinations in a comma-separated list in the --client-network-gateway option, with the address of the gateway separated from the routing destinations by a colon (:).
--client-network-gateway 192.168.2.0/24,192.168.128.0/24:192.168.2.1
This example informs the VCH that it can reach all of the client network endpoints in the ranges 192.168.2.0-192.168.2.255 and 192.168.128.0-192.168.128.255 by sending packets to the gateway at 192.168.2.1.
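The static IP address, gateway, and routing destination rules above, including the restriction that a client network sharing the public port group cannot carry its own static address, can be checked before you run vic-machine create rather than after it rejects the command. The following script is an added example written for this page; it is not part of vic-machine or of the product documentation. It uses only the Python standard library ipaddress module. The port group names vic-client and vic-public, the function names, and the client address ranges are constructed for the example; the rule that clients outside the client subnet need a gateway and routing destinations is this example's reading of the default-route behaviour described above.

```python
"""Pre-flight check for a VCH client network configuration.

Added example, not vic-machine code. It encodes the rules on this page:
  * static addresses carry a network mask, gateways do not;
  * when the client network shares the public port group, the static
    address must be set on the public network, not the client network;
  * the endpoint VM's default route is on the public network, so Docker
    clients outside the client subnet need a client gateway plus routing
    destinations that cover every one of them.
Port group names and client address ranges are constructed sample input.
"""
import ipaddress
from typing import List, Optional, Tuple


def parse_static(addr: str) -> ipaddress.IPv4Interface:
    """vic-machine wants static addresses as IPv4 with a mask, e.g. 192.168.2.10/24."""
    if "/" not in addr:
        raise ValueError(f"{addr}: static address needs a network mask")
    return ipaddress.IPv4Interface(addr)


def client_network_args(client_pg: str, public_pg: str, static_ip: Optional[str],
                        gateway: Optional[str],
                        client_sources: List[str]) -> Tuple[List[str], List[str]]:
    """Build the client-network part of a vic-machine create command line.

    Returns (args, problems). If problems is non-empty, do not run the command.
    client_sources lists the CIDRs from which Docker clients will connect.
    """
    args = ["--client-network", client_pg]
    problems: List[str] = []
    if static_ip is None:
        return args, problems          # DHCP: nothing further to validate here
    if client_pg == public_pg:
        problems.append("client network shares the public port group; set the static "
                        "address with --public-network-ip instead of --client-network-ip")
        return args, problems
    try:
        iface = parse_static(static_ip)
    except ValueError as exc:
        return args, [str(exc)]
    args += ["--client-network-ip", str(iface)]
    subnet = iface.network

    # Normalise the client ranges to networks; sorted() orders them numerically.
    dests = sorted({ipaddress.IPv4Network(s, strict=False) for s in client_sources})
    remote = [n for n in dests if not n.subnet_of(subnet)]
    if not remote:
        return args, problems          # every client is L2 adjacent; no gateway needed
    if gateway is None:
        problems.append(f"clients outside {subnet} ({', '.join(map(str, remote))}) need "
                        "--client-network-gateway with routing destinations")
        return args, problems
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        return args, [f"{gateway}: gateway must be a bare IPv4 address without a mask"]
    if gw not in subnet:
        problems.append(f"gateway {gw} is not on the client subnet {subnet}")
        return args, problems
    # Listed destinations are routed via the client NIC; everything else
    # still follows the default route on the public network.
    value = ",".join(str(n) for n in dests) + ":" + str(gw)
    args += ["--client-network-gateway", value]
    return args, problems


if __name__ == "__main__":
    # The configuration from this page's routing destination example.
    argv, issues = client_network_args("vic-client", "vic-public", "192.168.2.10/24",
                                       "192.168.2.1",
                                       ["192.168.2.0/24", "192.168.128.0/24"])
    print(" ".join(argv) if not issues else "\n".join("problem: " + p for p in issues))
```

Run with the page's own example values and it reproduces the --client-network-gateway 192.168.2.0/24,192.168.128.0/24:192.168.2.1 argument shown above; feed it a client range such as 10.0.0.0/8 without a gateway and it reports the missing route before vic-machine is ever invoked.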
What to Do Next
If you are using the Create Virtual Container Host wizard, the bridge network and the public network are the only networks that it is mandatory to configure.
- To configure further advanced network settings, remain on the Configure Networks page, and see the following topics:
- If you have finished configuring the network settings, click Next to configure VCH Security settings.
Example vic-machine Command
This example vic-machine create command deploys a VCH with the following networking configuration:
- Directs public traffic to vic-public and Docker API traffic to vic-client.
- Sets two DNS servers for use by the public, management, and client networks.
- Sets a static IP address for the VCH endpoint VM on each of the public and client networks.
- Specifies the gateway for the public network.
- Does not specify a gateway for the client network. It is not necessary to specify a gateway on either of the client or management networks if those networks are L2 adjacent to their gateways.
- Because this example specifies a static IP address for the VCH endpoint VM on the client network, vic-machine create uses this address as the Common Name with which to create auto-generated trusted certificates. Full TLS authentication is implemented by default, so no TLS options are specified.
vic-machine-operating_system create \
  --target 'Administrator@vsphere.local':password@vcenter_server_address/dc1 \
  --compute-resource cluster1 \
  --image-store datastore1 \
  --bridge-network vch1-bridge \
  --public-network vic-public \
  --public-network-ip 192.168.1.10/24 \
  --public-network-gateway 192.168.1.1 \
  --client-network vic-client \
  --client-network-ip 192.168.2.10/24 \
  --dns-server 192.168.10.10 \
  --dns-server 192.168.10.11 \
  --thumbprint certificate_thumbprint \
  --name vch1
Supplying the vCenter Server password inline in --target, as this example does, leaves it in your shell history and visible in the process list while the command runs.