Bluemix VPN + SoftLayer Vyatta = Cloud Communication

Overview

One of the great things about being in a connected world is the ability to have private only systems talk to each other through gateway devices. Today you will look at using the Bluemix VPN Service connected to a SoftLayer Vyatta Network Gateway Device to enable communication between Private-Only Bluemix containers and SoftLayer instances.

Prerequisites

Installing and configuring the Bluemix command line

Besides the VPN service, an IBM container is required in order to test the connection between Bluemix and SoftLayer. To push the test container into the Bluemix account, the Cloud Foundry command line app and its associated IBM Container plugin need to be installed, following these instructions.

After the Cloud Foundry CLI and IBM container plugin have been installed, log in by issuing the following command: cf login. The following prompts will appear:

  • Bluemix username
  • Bluemix Password
  • Organization (if you have more than one on the account)
  • Space (if you have more than one on the account)

$ cf login
API endpoint: https://api.ng.bluemix.net

Email> genericuser@gmail.com

Password>
Authenticating...
OK

Select an org (or press enter to skip):
1. tinylab
2. tinylayer

Org> 1
Targeted org tinylab

Select a space (or press enter to skip):
1. dev
2. tunnel
3. demospace

Space> 2
Targeted space tunnel

API endpoint:   https://api.ng.bluemix.net (API version: 2.40.0)
User:           genericuser@gmail.com
Org:            tinylab
Space:          tunnel

To start working with the container service, run the command cf ic login. The command will download the associated certificates that allow communication with the Bluemix container registry service.

$ cf ic login
Deleting the old configuration file...
Retrieving client certificates from IBM Containers...
Storing client certificates in /Users/ryan/.ice/certs/...

Storing client certificates in /Users/ryan/.ice/certs/containers-api.ng.bluemix.net/cad48f71-c998-4ebd-8b12-65489188c91d...

OK
The client certificates were retrieved.
(yadda yadda yadda)

Creating a Bluemix Container

The Bluemix VPN Service requires at least one running container in order to expose the container group networking to the VPN service. The following Dockerfile is used to build and push a simple Apache container image to the Bluemix container registry. The container will include any files in the public-html folder in the current working directory. Create that directory if it does not exist and add a simple index.html page to it.

# Start from the official Apache httpd image
FROM httpd:2.4
# Copy the local public-html directory into the Apache document root
COPY ./public-html/ /usr/local/apache2/htdocs/

EXPOSE 80

# Expose the document root as a volume
VOLUME ["/usr/local/apache2/htdocs"]

Retrieve the container namespace. This is used when pushing the container image to Bluemix.

$ cf ic namespace get
tinybot

In the same directory as the Dockerfile use the build command to build the container and push the container image to the Bluemix account:

$ cf ic build -t registry.ng.bluemix.net/tinybot/apache:v1 .
Sending build context to Docker daemon 112.6 kB
Step 1 : FROM httpd:2.4
 ---> 8919e97cfbc2
Step 2 : COPY ./public-html/ /usr/local/apache2/htdocs/
 ---> Using cache
 ---> aca4ed2ca247
Step 3 : EXPOSE 80
 ---> Using cache
 ---> 7560e3d90f07
Step 4 : VOLUME /url/local/apache2/htdocs
 ---> Using cache
 ---> 08ac969c541b
Successfully built 08ac969c541b
The push refers to a repository [registry.ng.bluemix.net/tinybot/apache] (len: 1)
08ac969c541b: Image already exists
aca4ed2ca247: Image already exists
aed455149560: Image already exists
f36c3a629f42: Image already exists
cd658ce1233c: Image already exists
38d79807548c: Image already exists
73e8d4f6bf84: Image already exists
v1: digest: sha256:e3f08d67b4a08531821bfa171f7c89e368980f2a32f7a8e7fa33d1332ad88a17 size: 29830

Once the container image is pushed to the registry, access the Bluemix web dashboard and click Start Containers to create a new IBM container. Select the apache image and, on the subsequent page, provide a name for the container and choose the container size. Ensure that under Public Ports it shows 80/tcp. Click the CREATE button; after a few minutes the container will be active.

- Figure 1: List of available containers on your account
- Figure 2: Container creation page

With the container created, use the cf ic ps -a command to view the container details and status:

$ cf ic ps -a
CONTAINER ID        IMAGE                                            COMMAND             CREATED             STATUS                   PORTS               NAMES
f372d24b-94d        registry.ng.bluemix.net/tinybot/apache:latest    ""                  20 minutes ago      Running 20 minutes ago   80/tcp              myapachetest

To test the connectivity to the container from a SoftLayer instance, use the inspect command to get the container's private IP.

$ cf ic inspect f372d24b-94d | grep IPAddress
            "IPAddress": "172.31.0.3",

Let's get Bluemix and SoftLayer talking

Bluemix containers support requesting and binding public IPs, but for some use cases this is neither required nor ideal. This is where the VPN connection comes into play. Once the IPsec tunnel has been established, an endpoint on one side of the tunnel can communicate with any endpoint on the other side without requiring any special client software.

Step 1: Create VPN service in Bluemix

The Bluemix VPN Service uses the time-tested, mature Internet Protocol Security (IPsec) protocol suite to build a secure communication channel between a private on-premises data center and IBM Bluemix cloud resources. You can read over the official documentation here.

  1. Log in to the Bluemix interface here
  2. Click Services & APIs.
  3. Search for VPN and click on VPN.
  4. Choose the space for the VPN Service to reside in.

Step 2: Create the VPN Connection in Bluemix

After the VPN service has been created in Bluemix portal, click on CREATE GATEWAY to create the Gateway connection.

This will take a few moments. When it completes, grab the IP of the new Gateway, as well as the Container group IP ranges, to use in the next step. The default IKE and IPsec policies can be used for the VPN connection to the SoftLayer Vyatta.

Step 3: Use Gateway as a Service to configure the Vyatta

With the Gateway IP and Container group IPs in hand, the next step is to configure the Vyatta. Log in to the Gateway as a Service dashboard, find the Vyatta that will be used for the tunnel and click Manage Tunnels. On the next page click Add Tunnel. On the subsequent page you can leave all of the default options checked.

Scroll to the bottom of the page and click Next. On the 'Select VLAN(s)' page ensure that the public and private Associated VLANs are highlighted (1919 and 1710 in my example) and then click Next.

On the network configuration page, make the following changes:

  • Provide the IBM VPN Gateway IP as well as the Container Group IP ranges. These will likely be 172.31.0.0/16 and 172.30.0.0/16.
  • Delete the GRE Tunnel Subnet near the bottom of the page.
  • Select Advanced IPSec Configuration. Use the following configuration:
    • IPSec Encryption: aes-128
    • Diffie-Hellman group: 2
    • ESP - Perfect Forward Secrecy: Enable
    • Pre-shared Secret: Enter the preshared secret key that will be used for the IPsec tunnel.

Click Next to review the tunnel configuration and then select the check box to agree to the gateway configuration overwrite. Click Next and then Finish to start the Vyatta reconfiguration process that creates the tunnel to Bluemix. An email will be sent when the Vyatta has been reconfigured.
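Step 3 drives the Vyatta through the Gateway as a Service GUI. For reference, the following is the equivalent Vyatta configuration written by hand as an added example; it is not from the original post or from SoftLayer's tooling. The IKE/ESP group names, the IKE lifetime and the local subnet are assumptions; the peer IP, local IP, interface and ESP lifetime are the values that appear in the show vpn ipsec output later in the post, and the pre-shared secret is a placeholder.

```vyatta
# Added example: hand-written Vyatta equivalent of the GaaS tunnel settings.
# Assumed: group names, IKE lifetime, local subnet. Placeholder: the secret.

# IKE (phase 1): aes-128, SHA-1, Diffie-Hellman group 2, as set in the GUI.
# dh-group 2 is 1024-bit MODP; both ends must agree on it, so change it
# only if the Bluemix side is changed to match.
set vpn ipsec ike-group IKE-BLUEMIX proposal 1 encryption aes128
set vpn ipsec ike-group IKE-BLUEMIX proposal 1 hash sha1
set vpn ipsec ike-group IKE-BLUEMIX proposal 1 dh-group 2
set vpn ipsec ike-group IKE-BLUEMIX lifetime 28800

# ESP (phase 2): same ciphers, PFS enabled, 3600 s lifetime (L-Time above)
set vpn ipsec esp-group ESP-BLUEMIX proposal 1 encryption aes128
set vpn ipsec esp-group ESP-BLUEMIX proposal 1 hash sha1
set vpn ipsec esp-group ESP-BLUEMIX pfs enable
set vpn ipsec esp-group ESP-BLUEMIX lifetime 3600

# IPsec terminates on the public interface listed under "IPsec Interfaces"
set vpn ipsec ipsec-interfaces interface bond1v1

# Peer is the IBM VPN Gateway IP; local-address is the Vyatta public IP.
# The secret is stored in clear text in the running config, so limit who
# can run 'show configuration' on the gateway.
set vpn ipsec site-to-site peer 134.168.25.182 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 134.168.25.182 authentication pre-shared-secret <PRESHARED-SECRET>
set vpn ipsec site-to-site peer 134.168.25.182 ike-group IKE-BLUEMIX
set vpn ipsec site-to-site peer 134.168.25.182 local-address 50.23.106.238

# One tunnel stanza per (local subnet, container group range) pair; add a
# stanza for every additional local subnet or remote range that must talk.
set vpn ipsec site-to-site peer 134.168.25.182 tunnel 1 esp-group ESP-BLUEMIX
set vpn ipsec site-to-site peer 134.168.25.182 tunnel 1 local prefix 10.54.202.64/26
set vpn ipsec site-to-site peer 134.168.25.182 tunnel 1 remote prefix 172.31.0.0/16
set vpn ipsec site-to-site peer 134.168.25.182 tunnel 2 esp-group ESP-BLUEMIX
set vpn ipsec site-to-site peer 134.168.25.182 tunnel 2 local prefix 10.54.202.64/26
set vpn ipsec site-to-site peer 134.168.25.182 tunnel 2 remote prefix 172.30.0.0/16

commit
save
```

Each tunnel here maps to one row of the show vpn ipsec sa table; if a row shows down, compare its local and remote prefixes against the Customer Subnet and Container group ranges entered on the Bluemix side, since a prefix mismatch is the usual reason an otherwise authenticated peer never brings a child SA up.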

Step 4: Create a New VPN Site Connection in Bluemix

Back in the Bluemix dashboard, provide the following details to establish a connection between the SoftLayer Vyatta and the IBM VPN gateway.

  • Select ADD NEW in the VPN Site Connections section.
  • Use the following configuration:
    • Name: Tunnel_to_SL
    • Description: (Optional) Description of the connection
    • Preshared Key String: Enter the preshared secret key that you used while configuring the Vyatta
    • Admin State: Default value: UP
    • Customer Gateway IP: The Vyatta Gateway IP
    • Customer Subnet: The remote private subnets, in CIDR format, from the associated SoftLayer Vyatta VLANs. Select the plus sign to save the subnet details.

After a few minutes, the VPN Connection will be created. If the page does not update after a few moments, refresh your browser to check on the connection. If the tunnel is up the page will report the VPN Site Connection as Active.

Confirm the tunnel is up on the Vyatta device. Issue the following commands to check whether the IPsec connection to Bluemix has been established:

vyatta@tunnel:~$ show vpn ipsec status
IPSec Process Running PID: 19581

4 Active IPsec Tunnels

IPsec Interfaces :
        bond1v1 (no IP on interface statically configured as local-ip for any VPN peer)

vyatta@tunnel:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
134.168.25.182                          50.23.106.238

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     0.0/0.0        aes128   sha1  yes    1103    3600    all
    2       up     0.0/0.0        aes128   sha1  yes    1042    3600    all
    3       up     0.0/0.0        aes128   sha1  yes    1033    3600    all
    4       up     0.0/0.0        aes128   sha1  yes    823     3600    all

Connecting a SoftLayer VSI to a Bluemix Container

Provision a new VSI behind the Associated VLAN of the Vyatta Gateway device. To obtain the Associated VLAN, log in to the SoftLayer portal, navigate to Network > Gateway Appliances and click on the Vyatta being used for the tunnel. Once the VSI has been created, log in and set a static route so that traffic for the Bluemix container ranges is sent through the Vyatta. You will use the VSI's gateway IP when setting the route:

root@bmtest:~#  ip route|grep eth0
10.0.0.0/8 via 10.54.202.65 dev eth0
10.54.202.64/26 dev eth0  proto kernel  scope link  src 10.54.202.109

root@bmtest:~#  route add -net 172.31.0.0 netmask 255.255.0.0 gw 10.54.202.65 

Once the route has been added, test the connection by pinging the IBM container.

root@bmtest:~# ping -c 3 172.31.0.3
PING 172.31.0.3 (172.31.0.3) 56(84) bytes of data.
64 bytes from 172.31.0.3: icmp_seq=1 ttl=62 time=44.4 ms
64 bytes from 172.31.0.3: icmp_seq=2 ttl=62 time=44.1 ms
64 bytes from 172.31.0.3: icmp_seq=3 ttl=62 time=44.0 ms

--- 172.31.0.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 44.008/44.187/44.445/0.253 ms

Test the connection to the Apache service on the container.

root@bmtest:~# curl http://172.31.0.3
<html>
  <head>
    <title>Hello From Docker</title>
  </head>
<body>
          <h1>Hello from an IBM Container</h1>
    <p>This is the home page for the HelloWorld web application. </p>

  </body>
</html>