Configure the Management Network
The management network is the network on which the VCH endpoint VM connects to vCenter Server and ESXi hosts. By designating a specific management network, you isolate connections to vSphere resources from the public network. The VCH uses this network to provide the
attach function of the Docker API.
- What to Do Next
The sections in this topic each correspond to an entry in the Configure Networks page of the Create Virtual Container Host wizard, and to the corresponding
vic-machine create options.
A port group that the VCH uses to communicate with vCenter Server and ESXi hosts. Container VMs use this network to communicate with the VCH.
- The port group must exist before you create the VCH. For information about how to create a VMware vSphere Distributed Switch and a port group, see Create a vSphere Distributed Switch in the vSphere documentation.
- All hosts in a cluster should be attached to the port group. For information about how to add hosts to a vSphere Distributed Switch, see Add Hosts to a vSphere Distributed Switch in the vSphere documentation.
- Because the management network provides access to your vSphere environment, and because container VMs use this network to communicate with the VCH, always use a secure network for the management network.
- Container VMs communicate with the VCH endpoint VM over the management network when an interactive shell is required. While the communication is encrypted, the public keys are not validated, which leaves scope for man-in-the-middle attacks. This connection is only used when the interactive console is enabled (
err), and not for any other purpose.
- Ideally, use separate networks for the management network and container networks.
- You can use the same port group as the management network for multiple VCHs.
- The most secure setup is to make sure that VCHs can access vCenter Server and ESXi hosts directly over the management network, and that the management network has route entries for the subnets that contain both the target vCenter Server and the corresponding ESXi hosts. If the management network does not have route entries for the vCenter Server and ESXi host subnets, you must configure asymmetric routing. For more information about asymmetric routing, see Asymmetric Routes.
When you create a VCH,
vic-machine create checks that the firewall on ESXi hosts allows connections to port 2377 from the management network of the VCH. If access to port 2377 on ESXi hosts is subject to IP address restrictions, and if those restrictions block access to the management network interface,
vic-machine create fails with a firewall configuration error:
Firewall configuration incorrect due to allowed IP restrictions on hosts: "/ha-datacenter/host/localhost.localdomain/localhost.localdomain" Firewall must permit dst 2377/tcp outbound to the VCH management interface
For information about how to open port 2377, see Open the Required Ports on ESXi Hosts.
NOTE: If the management network uses DHCP,
vic-machine checks the firewall status of the management network before the VCH receives an IP address. It is therefore not possible to fully assess whether the firewall permits the IP address of the VCH. In this case,
vic-machine create issues a warning.
Unable to fully verify firewall configuration due to DHCP use on management network VCH management interface IP assigned by DHCP must be permitted by allowed IP settings Firewall allowed IP configuration may prevent required connection on hosts: "/ha-datacenter/host/localhost.localdomain/localhost.localdomain" Firewall must permit dst 2377/tcp outbound to the VCH management interface
If you do not specify a management network, the VCH uses the public network for management traffic.
Create VCH Wizard
- Expand the Advanced view.
- Select an existing port group from the Management network drop-down menu.
You designate a specific network for traffic between the VCH and vSphere resources by specifying the
vic-machine create --management-network option when you deploy the VCH. If you specify an invalid port group name,
vic-machine create fails and suggests valid port groups.
By default, vSphere Integrated Containers Engine uses DHCP to obtain an IP address for the VCH endpoint VM on the management network. You can optionally configure a static IP address for the VCH endpoint VM on the management network.
- You can only specify one static IP address on a given port group. If the management network shares a port group with the public network, you can only specify a static IP address on the public network. All of the networks that share that port group use the IP address that you specify for the public network.
- If you set a static IP address for the VCH endpoint VM on the public network, you must specify the gateway address for the public network. If the management network is L2 adjacent to its gateway, you do not need to specify the corresponding gateway for the management network.
- If the client and management networks both use the same port group, and the public network does not use that port group, you can set a static IP address for the endpoint VM on either or both of the client and management networks.
You specify the address as an IPv4 address with a network mask.
Create VCH Wizard
- Select the Static radio button.
- Enter an IP address with a network mask in the IP Address text box, for example
The Create Virtual Container Host wizard only accepts an IP address for the management network. You cannot specify an FQDN.
--management-network-ip, no short name
You can specify addresses as IPv4 addresses with a network mask.
You can also specify addresses as resolvable FQDNs.
The default route for the VCH endpoint VM is always on the public network. As a consequence, if you specify a static IP address on the management network and that network is not L2 adjacent to its gateway, you must specify the routing destination for that network. You specify a routing destination as a comma-separated list of CIDRs.
For example, setting a routing destination of
192.168.3.0/24,192.168.128.0/24 informs the VCH that it can reach all of the vSphere management endoints that are in the ranges 192.168.3.0-255 and 192.168.128.0-192.168.128.255 by sending packets to the specified gateway.
Ensure that the address ranges that you specify include all of the systems that will connect to this VCH instance.
Specify the gateway to use if you specify a static IP address for the VCH endpoint VM on the management network. You specify gateway addresses as IP addresses without a network mask.
When you provide a gateway for the management network, it is mandatory to provide at least one routing destination.
Note: The Routing destination:Gateway layout of the text box applies to the 1.4.3 and later releases. Routing Destination and Gateway are separate text boxes in the previous 1.4.x releases.
Create VCH Wizard
If you set a static IP address and gateway on the management network, enter a comma-separated list of CIDRs and the IP address of the gateway in the Routing destination:Gateway text box.
For example, enter
192.168.3.0/24,192.168.128.0/24 for the Routing destination and
192.168.3.1 for Gateway.
--management-network-gateway, no short name
Specify a gateway address as an IP address without a network mask. If the client network is L2 adjacent to its gateway, you do not need to specify the gateway.
You specify the routing destination or destinations in a comma-separated list in the
--management-network-gateway option, with the address of the gateway separated from the routing destinations by a colon (
--management-network-gateway routing_destination_1, routing_destination_2:gateway_address
This example informs the VCH that it can reach all of the vSphere management endoints that are in the ranges 192.168.3.0-255 and 192.168.128.0-192.168.128.255 by sending packets to the gateway at 192.168.3.1.
You can route incoming connections from ESXi hosts to VCHs over the public network rather than over the management network by configuring asymmetric routes.
This option allows containers on bridge networks to indirectly access assets on the management or client networks via the public interface, if those assets are routable from the public network. If the management network does not have route entries for the vCenter Server and ESXi host subnets, and you do not set
--asymmetric-routes, containers that run without specifying
-d remain in the starting state.
In this scenario, use the
--asymmetric-routes option to allow management traffic from ESXi hosts to the VCH to pass over the public network. By setting the
--asymmetric-routes option, you set reverse path forwarding in the VCH endpoint VM to loose mode rather than the default strict mode. For information about reverse path forwarding and loose mode, see https://en.wikipedia.org/wiki/Reverse_path_forwarding.
Create VCH Wizard
You cannot configure asymmetric routes in the Create Virtual Container Host wizard.
--asymmetric-routes option takes no arguments. If you do not set
--asymmetric-routes, all management traffic is routed over the management network.
If you are using the Create Virtual Container Host wizard, the bridge network and the public network are the only networks that it is mandatory to configure.
- To configure further advanced network settings, remain on the Configure Networks page, and see the following topics:
- If you have finished configuring the network settings, click Next to configure VCH Security settings.
vic-machine create command deploys a VCH with the following configuration:
- Directs public, client, and management traffic to networks
- Sets two DNS servers for use by the public, management, and client networks.
- Sets a static IP address and subnet mask for the VCH endpoint VM on the public, client, and management networks.
- Specifies the gateway for the public network.
- Specifies a gateway and routing destinations for the client and management networks.
- Because this example specifies a static IP address for the VCH endpoint VM on the client network,
vic-machine createuses this address as the Common Name with which to create auto-generated trusted certificates. Full TLS authentication is implemented by default, so no TLS options are specified.
--asymmetric-routesto allow incoming connections from ESXi hosts to VCHs over the public network rather than over the management network.
vic-machine-operating_system create --target 'Administrator@vsphere.local':password@vcenter_server_address/dc1 --compute-resource cluster1 --image-store datastore1 --bridge-network vch1-bridge --public-network vic-public --public-network-ip 192.168.1.10/24 --public-network-gateway 192.168.1.1 --client-network vic-client --client-network-ip 192.168.2.10/24 --client-network-gateway 192.168.2.0/24,192.168.128.0/24:192.168.2.1 --management-network vic-management --management-network-ip 192.168.3.10/24 --management-network-gateway 192.168.3.0/24,192.168.128.0/24:192.168.3.1 --dns-server 192.168.10.10 --dns-server 192.168.10.11 --thumbprint certificate_thumbprint --name vch1 --asymmetric-routes