Adding IP groups

IP groups supply IP addresses when the deployment process requests them.

Before you begin

You must have administrative access to the range of valid IP addresses that you want to add to the IP group that you are creating. You must be assigned the Cloud group administration role with permission to Manage cloud resources (Full permission) to perform these steps.

For an overview of IP groups and how they are used with Cloud Pak System, see IP groups overview.

Important: Do not use host names in the .local domain, for example: machine1.mycompany.local. Ensure that the host names for your IP addresses are in a domain other than .local. The system does not support host names in the .local domain.
The computer name (also called NetBIOS name) of a Windows operating system is derived from its DNS host name. Since a DNS host name can be up to 63 characters in length, while a computer name is limited to 15 characters, the following rules apply:
  1. If the DNS host name of the Windows operating system consists of 15 characters or less, the DNS host name is used as the computer name.
  2. If the DNS host name of the Windows operating system consists of more than 15 characters, the computer name is set to the first 15 characters of the DNS host name. When this rule is used, duplicate computer names can occur because multiple DNS host names can share the same first 15 characters. For example, for the DNS host names ipas-lpar-184-027 and ipas-lpar-184-028, the resulting computer names would be the same: ipas-lpar-184-0. To ensure that every derived computer name is unique, it is good practice to limit DNS host names to 15 characters or less.
To deploy virtual system instances within an Active Directory (AD) domain environment, use the following guidelines:
  • DNS servers specified in the IP group must be domain-aware. Refer to Microsoft documentation for details.
  • If possible, align your DNS hierarchy with the AD domain hierarchy to avoid potentially confusing DNS names.
  • DNS host names should be 15 characters or less in length. This avoids potential unexpected results in joining a virtual system instance to the domain.
Important: These guidelines do not apply when using a Microsoft integrated AD/DNS solution.
For information about Windows domains in the environment profile, see the Related tasks section.
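
The 15-character rule above can be checked before host names are entered into an IP group. The following Python script is an added example and is not part of Cloud Pak System or its documentation. It derives each Windows computer name as the two rules describe, reports DNS host names that would collide on the same computer name, and flags names in the unsupported .local domain. The host names and the example.com suffix are constructed sample data; the two ipas-lpar names are the documentation's own example.

```python
"""Pre-flight check for DNS host names destined for an IP group.

Added example, not part of the Cloud Pak System product. It applies the rules
stated in the documentation: a Windows computer name is the DNS host name when
that is 15 characters or shorter, otherwise its first 15 characters, so names
that share a 15-character prefix collide. It also flags host names in the
unsupported .local domain. The sample names below are constructed.
"""
from collections import defaultdict

NETBIOS_MAX = 15  # computer-name limit stated in the documentation


def host_label(dns_host_name: str) -> str:
    """Return the host part of a (possibly fully qualified) DNS host name."""
    return dns_host_name.split(".", 1)[0]


def computer_name(dns_host_name: str) -> str:
    """Derive the Windows computer name from a DNS host name.

    Only the host label is considered, so host.example.com and host give the
    same result; labels longer than 15 characters are truncated.
    """
    return host_label(dns_host_name)[:NETBIOS_MAX]


def in_local_domain(dns_host_name: str) -> bool:
    """True when the name ends in the unsupported .local domain."""
    return dns_host_name.lower().rstrip(".").endswith(".local")


def check_host_names(dns_host_names):
    """Return (collisions, too_long, local_domain) for a list of host names.

    collisions:   {computer_name: [host names that map to it]} for every
                  computer name shared by two or more host names
    too_long:     host names whose host label exceeds 15 characters
    local_domain: host names in the .local domain
    """
    by_computer_name = defaultdict(list)
    too_long = []
    local_domain = []
    for name in dns_host_names:
        if len(host_label(name)) > NETBIOS_MAX:
            too_long.append(name)
        if in_local_domain(name):
            local_domain.append(name)
        # NetBIOS names are case-insensitive, so compare in lower case
        by_computer_name[computer_name(name).lower()].append(name)
    collisions = {cn: names for cn, names in by_computer_name.items() if len(names) > 1}
    return collisions, too_long, local_domain


# Constructed sample: the two names from the documentation's example, one
# short name, and one name in the unsupported .local domain.
SAMPLE_HOST_NAMES = [
    "ipas-lpar-184-027.example.com",
    "ipas-lpar-184-028.example.com",
    "web01.example.com",
    "machine1.mycompany.local",
]

if __name__ == "__main__":
    collisions, too_long, local_domain = check_host_names(SAMPLE_HOST_NAMES)
    for cn, names in collisions.items():
        print(f"computer name {cn!r} would be shared by: {', '.join(names)}")
    for name in too_long:
        print(f"{name}: host label is longer than {NETBIOS_MAX} characters")
    for name in local_domain:
        print(f"{name}: the .local domain is not supported")
```

Run the script against the list of host names you intend to add; any entry reported under collisions should be renamed before the virtual system instances are joined to the domain.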

About this task

IP addresses are only accessible to the system when they are included in IP groups. When you create an IP group, the group is given an address and a netmask that defines the IP group. Then, you define a pool of IP addresses within the IP group that are available to hypervisors. The system validates the information when you create the cloud group.

You can use the console, the command line interface, or the REST API to complete this task. For the command line and REST API information, see the Related information section.

IP Group for Compute Nodes

Most IP Groups are used to supply IP addresses for virtual machines. You can also create one IP Group that supplies IP addresses for compute nodes. This type of IP Group was formerly referred to as the MKS Console IP Group because of its original purpose in providing access to the MKS (mouse, keyboard, screen) service used to access the console of virtual machines. In addition to providing MKS console access, attaching IP addresses to compute nodes also makes them accessible to external users.

To set up an IP Group for compute nodes, create an IP Group using the following steps and select Compute Nodes as the Used For option. In Step 5, when you add IP addresses to the IP group, the number of IP addresses should equal the number of compute nodes on the system. These IP addresses are used to create a VMkernel Port to the compute node so that you can access the virtual machine console.
Avoid trouble: Make sure that ports 443, 902, and 903 are open for the IP addresses that you define in the IP Group for compute nodes. If the network firewall is configured to block these ports, issues with network connectivity to the VMware ESXi server occur, and the following error message is displayed when attempting to use the VMware Remote Console: An error occurred while transferring data.

Also note that these IP addresses should not be publicly accessible. If malicious users repeatedly attempt to log in to the ESXi hosts with incorrect credentials, the ESXi accounts can be locked. A locked account interferes both with your ability to access the compute node externally and with the ability of Cloud Pak System to manage the compute node.

Consider the following when a Virtual Manager external IP address is enabled and ICMP (ping) is enabled between the subnet of that address and the subnet of the IP Group for compute nodes. When an IP address from the IP Group for compute nodes is attached to a compute node, Cloud Pak System attempts to register the compute node with the Virtual Manager using that address, which requires ports 443 (TCP) and 902 (TCP/UDP) to be open between the two subnets. If ICMP is disabled between the subnets, IP addresses can still be attached to compute nodes to allow MKS (mouse, keyboard, screen) console access, but the compute nodes remain registered with the Virtual Manager using their internal IPv6 addresses.

Note: You cannot migrate virtual machines between compute nodes that have an IP address attached and those that do not. Therefore, you should ensure that all compute nodes in a given cloud group are assigned an IP address from the IP Group for compute nodes. If the cloud group uses system-level High Availability, the compute nodes used for High Availability and belonging to all other cloud groups that use system-level High Availability should also all have IP addresses applied. The best practice is to add enough IP addresses for all compute nodes to the IP Group and make sure every compute node has an IP address applied.

The IP addresses for the IP Group for compute nodes should be in the same subnet as deployed instances (workloads). If deployed instances are in a different subnet than the IP addresses, the two subnets must be able to communicate with each other. If there is a firewall between the subnets, ports 443, 902, and 903 must be open for the IP addresses that you defined in the IP Group.

After the IP Group for compute nodes is created, use the Attach all button to assign the IP addresses to the compute nodes. You can also select specific IP addresses for individual compute nodes by selecting a compute node from the drop-down list. Note that attaching or detaching IP addresses results in a brief disconnection of the compute node from the Virtual Manager. You may want to perform these operations while the system or the compute node is in maintenance mode; otherwise, management operations for virtual machines can fail during this period. These actions have no effect on running workloads. Once an IP address is in Applied status, you can access the compute node by that IP address and use the MKS console to access virtual machines on that compute node.
Note: After an IP address is attached to the compute node, the node connects to vCenter using the FQDN associated with the IP address.
Note: You might be prompted to download and install the VMware Remote Console plug-in on first use. Follow the link that is provided on the prompt and install the plug-in to continue.

Procedure

  1. Click Cloud > Architecture > IP Groups.
  2. Click the New icon in the toolbar.
  3. Complete the following fields on the Describe the IP group you want to add window:
    Name
    Enter a unique IP group name to represent and identify the IP group.
    Version
    Select IPv4 or IPv6 from the list to specify the version.
    Attention: Workloads that require IP caching must be deployed to cloud groups with only IPv4 IP groups.
    Used For
    Select the Compute nodes option to use this IP group for compute nodes.
    Select the Cloud Management option to use this IP group for system access to virtual machines. Select the Data option to use this IP group for user access to virtual machines.
    Note: A Cloud Management IP group normally requires one or more routes to be defined to allow proper routing of VM management traffic. For information about adding routes, see the Routes parameter in the Viewing and modifying IP groups topic of the Related tasks section.
    Network address
    Enter a valid network address. This address is associated with the IP group represented as a string in dotted decimal notation, for example: 192.168.98.0 for IPv4 or 2001:218:420::/64 for IPv6.
    Netmask
    Attention: This field applies only to IPv4.
    Enter a value for the netmask. This network mask is associated with the network address of the IP group that is represented as a string in dotted decimal notation, for example: 255.255.255.0.
    Gateway
    Enter the gateway for the IP group. This default gateway is associated with the IP group and is represented as a string in dotted decimal notation; for example, the gateway might be 192.168.98.1. The gateway information is required.
    Important: The gateway must be an IP address that can be resolved by the address resolution protocol (ARP), even if the network itself is not routed.
    Primary DNS
    Provide the primary Domain Name System (DNS) value for the IP group. This DNS server is used for the IP group represented as a string in dotted decimal notation, for example: 192.168.98.2.
    Important: If the IP addresses for the DNS servers are not set up correctly, the deployment can fail. The failure is due to the Secure Shell (SSH) connection with the virtual machine failing.
    Secondary DNS
    You can add an optional secondary DNS value for the IP group. This secondary DNS server is used for the IP group represented as a string in dotted decimal notation, for example: 192.168.98.2.
    VLAN
    Specifies the virtual local area network.
    In cloud group
    Specifies the cloud group for which you want to add this IP group.

    The system includes three default cloud groups. You can select one of these three cloud groups, or you can create your own. For more information on adding a cloud group, see the Related tasks section. If you want to add the IP group to a cloud group other than a default cloud group, leave this field blank, create a cloud group and edit this field with the new cloud group.

  4. Click OK.
    The name of the IP group is displayed in the left pane. The configuration information is displayed in the right pane.
  5. In the IP addresses section, add the range of IP addresses.
    1. Select IP Range in the Add by menu.
      This selection determines how your IP addresses are listed when they are added.
    2. Type the starting IP address in the start ip field.
    3. Type the ending IP address in the end ip field.
      Use the two entry fields to specify the first and last IP addresses in the range of IP addresses to include in the IP group.
    4. Click Add.
    If you want to add IP addresses as host names instead, select Host name in the Add by menu. Click Add to enter the space-delimited list of host names.

    When a host name is specified for an IP address, the host name resolves to the IP address. However, what is entered is what is stored. Therefore, if you enter the host name, the host name is stored and not the IP address to which it resolves. If any of the host names you enter cannot be resolved to an IP address, a warning message is displayed next to any entry that cannot be resolved. If a host name is resolved to an IP address, but the IP address is not valid for the specified subnet, an error message is displayed and the host name is not added to the IP group.

  6. Optional: Add more IP addresses or host names.
    You can add more IP address ranges or host names to the IP group by repeating the previous step.
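
The validation rules that steps 3 and 5 describe (a range that must fall inside the network address and netmask, host names stored as entered, a warning for names that do not resolve, and an error for names that resolve outside the subnet) can be reproduced in a small script for checking entries before they are typed into the console. The following Python code is an added example and is not Cloud Pak System's own code or API. The IPGroup class, the FAKE_DNS table and all host names and addresses in it are constructed; the table stands in for DNS so the example runs offline, and a real check would call socket.getaddrinfo() instead.

```python
"""Validate IP group entries the way step 5 of the procedure describes.

Added example; this is not code from Cloud Pak System. An IP group is modelled
by its network address plus netmask (IPv4) or its prefixed network address
(IPv6, for example 2001:218:420::/64). The checks follow the documentation:
a start/end range must lie inside the network, a host name is stored exactly
as entered, an unresolvable host name is kept with a warning, and a host name
that resolves to an address outside the subnet is rejected. DNS lookups are
replaced by a constructed in-memory table so the example runs offline.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for DNS. A real implementation would call
# socket.getaddrinfo() instead of consulting this table.
FAKE_DNS = {
    "app01.example.com": "192.168.98.10",
    "app02.example.com": "192.168.98.11",
    "db01.example.com": "10.0.0.5",  # resolves, but outside the subnet
    # "orphan.example.com" is deliberately absent: it does not resolve
}


def resolve(host_name: str) -> Optional[str]:
    """Return the address a host name resolves to, or None if it does not."""
    return FAKE_DNS.get(host_name.lower())


@dataclass
class IPGroup:
    name: str
    network_address: str           # "192.168.98.0" (IPv4) or "2001:218:420::/64" (IPv6)
    netmask: Optional[str] = None  # IPv4 only, for example "255.255.255.0"
    entries: List[str] = field(default_factory=list)   # stored exactly as entered
    warnings: List[str] = field(default_factory=list)

    @property
    def network(self):
        """The subnet that every entry must belong to."""
        if self.netmask is not None:
            return ipaddress.ip_network(f"{self.network_address}/{self.netmask}")
        return ipaddress.ip_network(self.network_address)

    def range_error(self, start_ip: str, end_ip: str) -> Optional[str]:
        """Return why a start/end range is invalid for this group, or None if valid."""
        net = self.network
        try:
            start, end = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)
        except ValueError as exc:
            return str(exc)
        if start.version != net.version or end.version != net.version:
            return "IP version of the range does not match the IP group"
        if start > end:
            return "start address is after end address"
        if start not in net or end not in net:
            return f"range {start}-{end} is not within {net}"
        return None

    def add_range(self, start_ip: str, end_ip: str) -> int:
        """Add every address from start_ip to end_ip; returns how many were added."""
        error = self.range_error(start_ip, end_ip)
        if error:
            raise ValueError(error)
        start, end = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)
        current, added = start, 0
        while current <= end:
            self.entries.append(str(current))
            added += 1
            current += 1
        return added

    def add_host_names(self, space_delimited: str) -> List[str]:
        """Add host names; returns those rejected because they resolve outside the subnet."""
        rejected = []
        net = self.network
        for host in space_delimited.split():
            addr = resolve(host)
            if addr is None:
                # Unresolvable: warn, but the name is still stored as entered
                self.warnings.append(f"{host}: cannot be resolved to an IP address")
                self.entries.append(host)
            elif ipaddress.ip_address(addr) not in net:
                rejected.append(host)  # error: not added to the IP group
            else:
                self.entries.append(host)  # the name is stored, not the address
        return rejected


if __name__ == "__main__":
    group = IPGroup("data-98", "192.168.98.0", netmask="255.255.255.0")
    print("added", group.add_range("192.168.98.10", "192.168.98.20"), "addresses")
    print("rejected:", group.add_host_names("app01.example.com db01.example.com orphan.example.com"))
    print("warnings:", group.warnings)
    print("range check:", group.range_error("192.168.99.1", "192.168.99.2"))
```

Because the console stores a host name rather than the address it resolves to, a later DNS change silently changes which address a deployment receives; keeping the entered names in a list such as entries makes it easy to re-run the resolution check after DNS maintenance.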