Score:2

VMware vSphere: Change the IP that vSphere sees/reports without changing the IP configured in the guest OS


I have an integration that attempts to use the IP that vSphere detects for a VM guest, but sometimes the IP that vSphere detects is not the IP that the integration should use. The most straightforward example is where the guest's network traffic passes through a 1:1 NAT (each guest has a unique IP after passing through the NAT, but it is a different IP than the one vSphere sees) prior to being seen by the app that is integrating with vSphere.

Creating an internal to external map of the NAT is easy enough, but the integration consumer won't use that map, only what it gets from vSphere. Thus, I'd like to simply push that mapping back into vSphere so that vSphere reports the NAT IP to the integration instead of the internal IP. Is this possible?

I've thought about putting the NAT IP in a tag, but the integration won't use a tag value for the IP either, only what it gets from vSphere as the guest IP.

I know people are going to say to get rid of the NAT, but it is necessary for application specific reasons. In addition, there are other scenarios where the IPs vSphere sees aren't what I want the integration to see.

Edit: As guessed, one of the big reasons for the NAT is load balancing, and ensuring correct routing through the load balancer. We're aware that there are non-NAT options to deal with the routing complexities around load balancers, but they all come with tradeoffs and the NAT is the one we feel is least-bad.

As I hinted, there are non-NAT reasons for wanting to do this as well, centered around VMware reporting too many IPs (where all are technically present, but most are service-specific destinations and only one is used to originate traffic; we'd like to only see the IP that originates traffic) or VMware not detecting any IPs at all (it's rare, but it does happen).

John Mahowald: At a high level, what are the application level reasons why these guests do not have the IP addresses of interest? Can you describe the path of a connection as it traverses routers and middleboxes?

John Mahowald: Are the load balancers VMware guests or something else? A tool that only knows guest IPs may have trouble finding hardware load balancers or service meshes.
Score:3

VMware guest IPs are from the guest's interfaces via tools integration. I don't know of a way for it to be otherwise. If some other IP is required, within those constraints this is not going to work.

I know people are going to say to get rid of the NAT, but it is necessary for application specific reasons.

Yes, consider designs without NAT. IPv6 provides unique IP addresses, either from global unicast, or LAN-only unique local addresses. Routing is possible anywhere, as address space does not overlap. Filter through firewalls to apply security policy as usual.

Without more detail on application design this is just a guess, but there are reasons even without NAT the guest IPs are not useful. Perhaps connections terminate on some load balancer or other proxy in front, and that is of interest.
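The answer's point is that vSphere only relays what VMware Tools reports from inside the guest, so any 1:1 NAT translation or "which of these addresses actually originates traffic" decision has to happen on the consuming side. The following is an added example (not code from the question, the answer, or VMware) of that normalisation step: it takes guest.net-style records, drops link-local and known service-only addresses, picks one originating address, and translates it through a 1:1 NAT table, returning None when vSphere detected nothing usable. The NIC records, NAT table, service-address set and network names are all constructed for the example; with pyVmomi the real records would come from vm.guest.net (vim.vm.GuestInfo.NicInfo), which is assumed here rather than connected to.

```python
"""Normalise the guest IPs vSphere reports (via VMware Tools) before an
integration consumes them: pick the single originating address and apply a
1:1 NAT map. Added example; the records below are constructed to resemble
vim.vm.GuestInfo.NicInfo (vm.guest.net in pyVmomi), not fetched from vCenter.
"""

import ipaddress

# Constructed stand-in for vm.guest.net: one entry per vNIC, each carrying the
# address list VMware Tools reported from inside the guest.
SAMPLE_GUEST_NET = [
    {"network": "VM Network", "connected": True,
     "ipAddress": ["fe80::20c:29ff:fe11:2233", "10.0.10.25", "10.0.10.200"]},
    {"network": "Backend", "connected": True,
     "ipAddress": ["172.16.5.25"]},
]

# Constructed 1:1 NAT table (internal -> external), the "internal to external
# map" the question describes building.
NAT_MAP = {
    "10.0.10.25": "203.0.113.25",
}

# Constructed set of service-specific destination addresses (VIPs and the like)
# that exist on the guest but never originate traffic.
SERVICE_ADDRESSES = {"10.0.10.200"}


def candidate_addresses(guest_net):
    """Yield usable unicast addresses from guest.net-style records, skipping
    disconnected vNICs, link-local/loopback/multicast and service-only IPs."""
    for nic in guest_net:
        if not nic.get("connected", True):
            continue
        for raw in nic.get("ipAddress", []):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue  # ignore anything that is not a parseable address
            if addr.is_link_local or addr.is_loopback or addr.is_multicast:
                continue
            if str(addr) in SERVICE_ADDRESSES:
                continue
            yield addr


def originating_address(guest_net, preferred_networks=("VM Network",)):
    """Return the one address to treat as the guest's IP, preferring vNICs on
    `preferred_networks`. Returns None when vSphere reported nothing usable
    (the 'no IP detected at all' case from the question)."""
    preferred = [n for n in guest_net if n.get("network") in preferred_networks]
    for group in (preferred, guest_net):
        for addr in candidate_addresses(group):
            return str(addr)
    return None


def integration_address(guest_net, nat_map=NAT_MAP):
    """Address as the integration should see it: the originating address
    translated through the 1:1 NAT map, or unchanged if the map has no entry."""
    inner = originating_address(guest_net)
    if inner is None:
        return None
    return nat_map.get(inner, inner)


if __name__ == "__main__":
    print("vSphere-side address:", originating_address(SAMPLE_GUEST_NET))
    print("integration address: ", integration_address(SAMPLE_GUEST_NET))
```

This only helps where the integration (or a shim in front of it) can be pointed at the normalised value; as the question notes, a consumer that reads the guest IP straight from vSphere will still see the Tools-reported address.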
