VMware Cloud Director provides direct access to tenants' VM consoles by proxying the vSphere console traffic from the ESXi hosts running the workload through the VCD cells and the load balancer to the end user's browser or console client. This is a fairly complex process that requires a dedicated TCP port (8443 by default), a dedicated certificate and a load balancer configuration without SSL termination (SSL pass-through).
The dedicated certificate requirement is especially annoying, as any change to this certificate cannot be done at the load balancer level but must be performed on every cell in the VCD server group, and those cells then need to be restarted.
However, VMware Cloud Director 10.3.3 showcases a newly improved console proxy for the first time. It is still an experimental feature and therefore not enabled by default, but it can be enabled in the Feature Flags section of the provider Administration.
- Console proxy traffic now goes over the default HTTPS port 443 together with the UI/API traffic, so no dedicated port, IP or certificate is needed.
- This traffic can be SSL terminated at the load balancer, so the specific load balancing configuration with SSL pass-through of port 8443 is no longer needed.
- The Public Addresses Console Proxy section is irrelevant and no longer used.
- Load balancer application rules based on the URL can be used to secure such traffic or direct it to specific cells. Console proxy requests can be identified by the following pattern:
GET https://vcloud.fojta.com/443;cst-ylR8ood/c2uM3TQGqw4GkwtDd7C8EtiJViZ3PzUBynysw1X3pDg1rt5QTpUDdE0gujaWGOniwcM9vNktCSJPHOUWpJqiLccY88wRJzvxWF9kIKvZzH+ZGPOTxE7Ul63BNa7FJbdZdQ6Bc/IjLRQ6MT/9yUF9U/5uF3wLQwzS+tmrr58v9x22nihCa0z/Eoteuatds6tBfKP9NyRPRvUbzyThNr7hJYO4uKo6p4xzkRoYCSoTk/d7iI2oA5T7qtUy/lToutkrxlYRQF3SEkMac7/tAYD9yfqcHtSCdiZ7E+E=-cpZbzXaCy74FCi2iF+f4vM+kEmkjvC7/iQJxwg==–tp-4A:3E:7C:11:28:AE:26:B0:54:E8:53:48:53:67:7D:FC:AC:6C:BA:A0– HTTP/1.1
Notice the /443 and the certificate thumbprint at the end.
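The following is an added example, not code from the post or from VMware: a small Python matcher that does what a load balancer URL rule for this traffic has to do, namely recognise a console proxy request line by the /443;cst- prefix and the trailing certificate thumbprint, extract the port and thumbprint, and pick a backend pool. The regular expression is modelled on the single request shown above; it assumes the separator before tp- is a double hyphen (the blog rendering shows it as an en dash, so both are accepted), and the pool names and the second sample request are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Regex modelled on the request pattern shown in the post. Assumption: the
# separator in front of "tp-" is a double hyphen, which the blog rendering
# shows as an en dash (U+2013), so both forms are accepted. The thumbprint
# in the sample is 20 colon-separated bytes, i.e. a SHA-1 fingerprint.
_CONSOLE_PROXY_PATH = re.compile(
    r"^/(?P<port>\d{1,5});cst-(?P<ticket>\S+?)(?:--|\u2013)tp-"
    r"(?P<thumbprint>(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})(?:--|\u2013)?$"
)

# Request line taken from the post (console proxy traffic).
SAMPLE_CONSOLE_REQUEST = (
    "GET https://vcloud.fojta.com/443;cst-ylR8ood/c2uM3TQGqw4GkwtDd7C8EtiJViZ3PzUBynysw1X3pDg1rt5QTpUDdE0gujaWGOniwcM9vNktCSJPHOUWpJqiLccY88wRJzvxWF9kIKvZzH+ZGPOTxE7Ul63BNa7FJbdZdQ6Bc/IjLRQ6MT/9yUF9U/5uF3wLQwzS+tmrr58v9x22nihCa0z/Eoteuatds6tBfKP9NyRPRvUbzyThNr7hJYO4uKo6p4xzkRoYCSoTk/d7iI2oA5T7qtUy/lToutkrxlYRQF3SEkMac7/tAYD9yfqcHtSCdiZ7E+E=-cpZbzXaCy74FCi2iF+f4vM+kEmkjvC7/iQJxwg==\u2013tp-4A:3E:7C:11:28:AE:26:B0:54:E8:53:48:53:67:7D:FC:AC:6C:BA:A0\u2013 HTTP/1.1"
)
# Constructed ordinary API request line for comparison.
SAMPLE_API_REQUEST = "GET https://vcloud.fojta.com/cloudapi/1.0.0/sessions HTTP/1.1"


def parse_console_proxy_request(request_line):
    """Return {"port", "ticket", "thumbprint"} when the HTTP request line
    (or a bare request path) is console proxy traffic, otherwise None."""
    parts = request_line.split()
    if not parts:
        return None
    # Accept "METHOD target HTTP/x.y", a bare absolute URL or a bare path.
    target = parts[1] if len(parts) >= 2 and parts[0].isalpha() else parts[0]
    path = urlsplit(target).path if "://" in target else target
    m = _CONSOLE_PROXY_PATH.match(path)
    if not m:
        return None
    return {
        "port": int(m.group("port")),
        "ticket": m.group("ticket"),
        "thumbprint": m.group("thumbprint").upper(),
    }


def choose_pool(request_line, console_pool="vcd-console-cells",
                default_pool="vcd-ui-api-cells"):
    """Mimic a load balancer URL rule: console proxy requests go to a
    dedicated pool of cells, everything else to the normal UI/API pool.
    Pool names are constructed for this example."""
    if parse_console_proxy_request(request_line) is not None:
        return console_pool
    return default_pool


if __name__ == "__main__":
    for line in (SAMPLE_CONSOLE_REQUEST, SAMPLE_API_REQUEST):
        print(choose_pool(line), parse_console_proxy_request(line))
```

On a real load balancer the same match is expressed in the product's own rule language (a path prefix match on /443;cst- is usually enough), but keeping a small reference matcher like this makes it easy to test the rule against captured request lines before rolling it out.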
The following diagram shows the high-level implementation (credit and shout-out go to Francois Misiak, the brain behind the new functionality).
As this feature has not yet been tested at scale it is marked as experimental, but it is expected to become the default console proxy mechanism starting with the next major VMware Cloud Director release. Note that you will still be able to revert to the legacy one if needed.