That's true. You can experiment with dedicating a host to the customer. I can't advise (off the top of my head) whether the customer's VR will also be created there (but you can do a one-time live migration to that host if needed) - all customer VMs will be created on this host while there are free resources there.
Andrija

On Tue, 3 Dec 2019 at 19:32, Alessandro Caviglione <c.alessan...@gmail.com> wrote:

> Yes, I thought about your idea, but I would not introduce too many hops...
> in addition I cannot manage Public IPs directly from Barracuda VA.
> Is there a kind of parameter I can configure to deploy all customer's
> instances on the same VR's host?
>
> On Tue, Dec 3, 2019 at 6:57 PM Andrija Panic <andrija.pa...@gmail.com> wrote:
>
> > Hi,
> >
> > it's not possible to completely replace (i.e. not without complete ACS code
> > base change....), but you might want to see if the following helps:
> > - Assign one or more (as required, one at minimum) additional Public IPs on
> > the VR, and then configure Static NAT from that Public IP to the internal
> > IP of the Barracuda appliance (which you would deploy from template - ACS
> > 4.13 supports appliances for VMware, so you should be able to answer all
> > the questions that are input to the appliance, so to speak...)
> > - Then attach this Barracuda to all the networks whose VMs you want to
> > "protect"
> >
> > Effectively traffic goes as follows: internet ---> VR (Public IP, Static
> > NAT to...) ---> Barracuda/internal appliance - and the VMs would use
> > Barracuda as the default gateway.
> > This does imply not being able to manage IPs via DHCP, since for any
> > DHCPDISCOVER, the dnsmasq inside VR will also offer an IP, besides Barracuda
> > doing that...
> > (configure ACLs to forbid ANY outgoing traffic from networks where you have
> > your user VMs - Barracuda appliance is on the dedicated private network
> > (which you can consider as "public" or "north-side" to the Barracuda
> > appliance) so here you allow all outgoing traffic from this network to
> > Internet)
> >
> > Then you would be able to use Barracuda as the endpoint for the VPN tunnels.
> > Far from perfect, but might work for you, if you can live with the
> > limitations.
> >
> > Best,
> > Andrija
> >
> > On Tue, 3 Dec 2019 at 17:20, Alessandro Caviglione <c.alessan...@gmail.com>
> > wrote:
> >
> > > Hi guys,
> > > I'm trying to understand if it's possible to replace a VR for a single
> > > customer.
> > > I've ACS 4.13 with vSphere 6.7 and Advanced Networking, one of my clients
> > > wants to use Barracuda Virtual Firewall because he wants to connect Cloud
> > > network to offices networks using TINA VPN (proprietary protocol) instead
> > > of IPSec.
> > > So, is it possible to replace VR with the Barracuda Virtual Appliance?
> > >
> > > Thank you
> > >
> >
> > --
> >
> > Andrija Panić
> >

--
Andrija Panić
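
The layout described in the quoted reply above, expressed as a small checker that flags the ways traffic could bypass the appliance. This is an added example, not part of the thread or of CloudStack; the data model, network names and addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Network:
    name: str
    role: str        # "north" (appliance uplink behind the VR) or "user" (protected VMs)
    vr_egress: str   # VR-side policy for outgoing traffic: "allow" or "deny"
    gateway: str     # default gateway the VMs on this network actually use
    dhcp_responders: list = field(default_factory=list)  # who answers DHCPDISCOVER

def audit(networks, appliance_ips, static_nat_target):
    """Return findings; an empty list means the layout matches the design in the thread."""
    findings = []
    north = [n for n in networks if n.role == "north"]
    if len(north) != 1:
        findings.append("expected exactly one north-side network for the appliance")
    for n in north:
        if n.vr_egress != "allow":
            findings.append(f"{n.name}: north-side egress must be allowed")
        if static_nat_target != appliance_ips.get(n.name):
            findings.append(f"{n.name}: static NAT does not point at the appliance")
    for n in (n for n in networks if n.role == "user"):
        if n.vr_egress != "deny":
            findings.append(f"{n.name}: VMs can leave via the VR, bypassing the appliance")
        if n.gateway != appliance_ips.get(n.name):
            findings.append(f"{n.name}: default gateway is not the appliance")
        if len(set(n.dhcp_responders)) > 1:
            findings.append(f"{n.name}: competing DHCP offers from {sorted(set(n.dhcp_responders))}")
    return findings

# Constructed sample data: appliance address on each network it is attached to.
APPLIANCE = {"north-net": "10.1.0.10", "tier-a": "10.1.1.254"}
GOOD = [Network("north-net", "north", "allow", "10.1.0.1", ["vr"]),
        Network("tier-a", "user", "deny", "10.1.1.254", ["vr"])]   # VMs statically addressed
BAD = [Network("north-net", "north", "allow", "10.1.0.1", ["vr"]),
       Network("tier-a", "user", "allow", "10.1.1.1", ["vr", "appliance"])]

if __name__ == "__main__":
    for label, layout in (("good", GOOD), ("bad", BAD)):
        print(label, audit(layout, APPLIANCE, "10.1.0.10") or "no findings")
```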