Connecting Oracle Ravello applications with VeeamPN and Elastic IPs


Background.

If you are not familiar with the concept of an application in Ravello, it is a grouping of virtual machines that run in a defined region (notice I avoided saying container there, could become even more confusing). A region is a geographic location where there are compute resources available. Pretty much every public cloud operates in this fashion. A region will be a location in a country, and within each region there are usually availability zones, which are groupings of datacentres close to each other in that region to help protect against datacentre failure.

Anyways, I have some applications running in different regions that I would like to connect with software-defined networking. The only tool I have any kind of familiarity with is the free tool, VeeamPN. Check out the webpage for further info and just ignore the fact it says it’s for Microsoft Azure; it’s available as an OVA download. VeeamPN is site-to-site and site-to-client VPN software based on OpenVPN. I am going to use it to create a site-to-site VPN between 2 Oracle Ravello regions to simulate a production and a disaster recovery location.

So let’s look at that other thing I put in the title, Elastic IPs. What is that then? It is a public IP address that persists across application power cycles, i.e. it is not ephemeral. If an Elastic IP is not used, a different public IP is assigned to a virtual machine following a power cycle. The Elastic IP is perfect for this use case as it means we can define a static IP for the VeeamPN hub server.

Getting started.

Now I mentioned there is an OVA available for VeeamPN but I could not get this to work correctly with Ravello. I followed Anthony Spiteri’s guide on deploying VeeamPN from a Linux repo here. As this uses Ubuntu server, I decided to save some build time and grabbed a pre-built copy of Ubuntu server from the Ravello Repo.

The desired connectivity will look like this, a typical hub and spoke arrangement for a site to site VPN.

[Figure: site layout]

Now we can start with the deployment. Open the Ravello Repo and search for Ubuntu. You should see something like below. Add it to your library.

Deploying the VM and assigning Elastic IP.

Now, either create a new application or add the Ubuntu VM to an existing application.

The first warning you will receive is that a key pair needs to be created to allow SSH access to the VM. This helps to lock down access to the VM.

Create a new key pair.

You will be given a PEM file to download once the key pair has been generated. If you are using PuTTY on a Windows machine for SSH access, the PEM file will need to be converted to PuTTY’s native PPK format before you can use it to connect using SSH. Check out this guide here on how to do that.

Click on the NICs tab and click on Open.

I found that setting a static IP here for the internal address did not work very well. I opted to reserve an IP in the Ravello DHCP scope instead.

Choose the Elastic IP option.

Create a new Elastic IP.

Select the desired region for the Elastic IP to be available in.

And the new public IP will be available for consumption.

Also, expose the required ports on the VM to external networks as detailed in the system requirements for VeeamPN.

These are:

TCP/UDP 1194
TCP/UDP 6197
HTTPS 443
SSH 22

This is achieved by adding supplied services as below.

Install VeeamPN binaries onto Ubuntu server.

Once the VM first powers on, open the Ravello console and log in with username: ubuntu / password: ravelloCloud. Alternatively, connect with PuTTY via the Elastic IP we assigned earlier.

Now run the following commands to install VeeamPN:

sudo -s
curl -k http://repository.veeam.com/keys/veeam.gpg | apt-key add -
echo "deb http://repository.veeam.com/VeeamPN/public testing VeeamPN" > /etc/apt/sources.list.d/veeampn.list
apt-get update
apt-get -y install veeam-vpn-ui veeam-vpn-svc
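
The commands above fetch the repository key over plain HTTP (where curl's -k has no effect) and apt-key add then trusts that key for every configured repository. The following added example, which is not part of the original post or of Veeam's documentation, checks the downloaded key against a pinned fingerprint and scopes it to the VeeamPN repository with signed-by. EXPECTED_FPR is a placeholder you must replace with a fingerprint confirmed out of band, and the keyring file name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): pin the repository key before apt trusts it.
EXPECTED_FPR="REPLACE_WITH_FINGERPRINT_CONFIRMED_OUT_OF_BAND"  # placeholder, not a real value
KEY_URL="http://repository.veeam.com/keys/veeam.gpg"           # URL used in the post
KEYRING="/usr/share/keyrings/veeampn-archive-keyring.gpg"      # assumed file name
LIST="/etc/apt/sources.list.d/veeampn.list"                    # path used in the post

# Read `gpg --with-colons` output on stdin and print the primary key fingerprint:
# the first "fpr" record after the "pub" record, fingerprint in field 10.
primary_fpr() {
  awk -F: '$1 == "pub" { seen = 1; next } seen && $1 == "fpr" { print $10; exit }'
}

# Strip spaces and upper-case, so differently formatted fingerprints compare cleanly.
norm_fpr() { printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'; }

# Succeed only when the first value is exactly 40 hex digits and equals the second.
fpr_matches() {
  got=$(norm_fpr "$1"); want=$(norm_fpr "$2")
  [ "${#got}" -eq 40 ] || return 1
  case $got in *[!0-9A-F]*) return 1 ;; esac
  [ "$got" = "$want" ]
}

# sources.list entry that trusts the key for this repository only (signed-by).
sources_line() {
  printf 'deb [signed-by=%s] http://repository.veeam.com/VeeamPN/public testing VeeamPN\n' "$1"
}

install_repo() {
  tmp=$(mktemp) && home=$(mktemp -d) || return 1
  curl -fsS "$KEY_URL" -o "$tmp" || { rm -rf "$tmp" "$home"; return 1; }
  fpr=$(gpg --homedir "$home" --show-keys --with-colons "$tmp" | primary_fpr)
  if fpr_matches "$fpr" "$EXPECTED_FPR"; then
    # Import then export so the keyring is binary whether or not the download was armored.
    gpg --homedir "$home" --quiet --import "$tmp" &&
      gpg --homedir "$home" --export > "$KEYRING" &&
      sources_line "$KEYRING" > "$LIST"
    rc=$?
  else
    echo "refusing key: fingerprint '$fpr' does not match the pinned value" >&2
    rc=1
  fi
  rm -rf "$tmp" "$home"
  return "$rc"
}

# Run as root with --install to perform the steps; without it only the functions are defined.
if [ "${1:-}" = "--install" ]; then install_repo && apt-get update; fi
```

With the placeholder left in place the check fails closed, so nothing is written to the keyring or sources list until a real fingerprint is supplied.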

Once this process has completed, it would be a good idea to save the VM to your Ravello library before any configuration takes place. You need one of these VMs for each site where you would like to deploy a site-to-site VPN.

Once the binaries have installed, open up a web browser and point it to https://YourElasticIP.

Configure VeeamPN Hub.

The steps for initial setup are detailed here on the Veeam website.

Log in with username: ubuntu / password: ravelloCloud. These are the default login credentials for the Ubuntu server deployed from the Ravello Repo. Change your password.

Choose Network Hub config

Wait for self-signed cert generation.

Enter a display name for the Hub, up the encryption level if you wish.

Enter the Elastic IP address for the hub appliance and enable or disable services as required.

Configure VeeamPN site settings.

The first step is to create a client on the hub. This will generate an XML config file that can be imported onto another VeeamPN server.

Create a client.

Select entire site for Site to Site VPN

Specify a display name and network subnet for remote site.

And you are done.

Clicking Finish generates the XML file for download.

Configure VeeamPN site server.

Remember I said save the VM to the Ravello library after the binaries have installed but before configuring the hub? You should have an unconfigured VeeamPN VM server that you can deploy again here. Deploy the VM and adjust the IP settings accordingly. The site servers do not need an Elastic IP address.

Log into the web interface and this time choose to configure a site rather than a hub.

Import the XML file.

And that’s it done. You should see in the hub site that the remote site has connected successfully.

Final thoughts.

There is no way in Ravello to add routing options to the software routers that are deployed as part of an application. You will need to add static routes to each VM you would like to talk over the VPN tunnel.

In Windows that is:

route add 192.168.0.0 mask 255.255.255.0 10.0.1.200 -p

That is: route add, then the destination network, the subnet mask of the destination and the gateway to use (in this case the site VPN server), with -p making it a persistent route.

I covered how to perform the same operation on Linux here.

Ian
