Move your VMware and KVM applications to the cloud without making any changes

  • August 21, 2015

How to configure SSH and RDP access for nested VMs running on top of ESXi hosts in Ravello Systems

In this document we describe how to enable ingress connectivity to the nested VMs running on top of VMware ESXi™/ vCenter in Ravello, also referred to as 2nd level VMs. Since Ravelo DHCP does not support nested virtual machines we will use static IP configuration.. For more information on using DHCP, and the additional configuration needed, see this post from Ohad, detailing the steps.

The Ravello DHCP servers do not give out IPs to the nested virtual machines, so we need to configure them with static IPs and create a virtual IP so they can be accessed from the Internet or remotely from outside of the Ravello Application Environment.

The steps included here:

Add an additional NIC to an ESXi node

  1. Add an additional NIC to a hosted ESXi node in the Ravello UI . This additional NIC will be used to create an uplink for a segregated vSwitch on ESXi. The nested VMs will use this switch as an external gateway

  2. Define a subnet for nested VMs by configuring the newly created NIC with IP/Subnet information.
    In this example, I am using subnet 10.20.30.x/24 to define my external network:


    1. IP address:
    2. Subnet:
    3. Gateway:
    4. DNS: (optional)

    The IP address can be used for the first nested guest VM or it can remain a placeholder.

    The optional DNS Server can be any IP. Ravello will create the DNS server as defined. You may also substitute your own DNS server running within the same Application Environment. his DNS server can then be assigned statically in your nested ESXi VMs.

  3. To reserve additional IPs for nested VMs select Advanced > Add and enter a different IP address from the same subnet and use the same gateway address as in step 2.
  4. To provide ingress connectivity to a specific TCP/UDP port go to the Services tab and click on Add Supplied Service. Then fill in a port number and select the designated address of the VM (i.e. – as in our example used in the previous step).

    Common ports to enable are:
    22 for SSH
    3389 for RDP
    443 for HTTPS
    80 for HTTP

    To configure 1:1 network address translation, select “IP” as the protocol in the services. This forwards all traffic from the public IP to the private IP and can be useful when running a nested virtual router or networking virtualization software such as VMware NSX.

    To use port forwarding without consuming a public IP for a service, configure “Port forwarding” on the virtual interface:

    When the virtual machine has been started, the port mapping shows in the summary of the virtual machine. In my case, port 22 on the virtual machine is reachable through

    It is also possible to provision more than one routed subnet on the same physical ESXi interface. This prevents you from having to create a new vSwitch and interface when you wish to configure virtual machines to use a separate subnet.

    As shown below, I’ve created an additional virtual IP in a separate subnet with a separate router:

    When we look at the network topology, a separate router is created and traffic can be routed between the virtual machines in different subnets.

  5. Using the vSphere Client (shown here) or the vSphere Web Client connect either directly to the hosted ESXi node or vCenter and create a new vSwitch of type “Virtual machine port group” (not VMkernel) on the ESXi node that will run the nested VMs. Bind it to the additional NIC created in step 1. VMs that need external connectivity must have their vNICs assigned to a port group on this vSwitch.

    Do not assign an IP address or VMkernel IP Stack to the new vSwitch.

  6. For each nested VM you want to access remotely, assign a static IP from the pool created in step 2. In the nested VMs assign a static IP configuration. Use an IP address and gateway from step 2:
    1. IP: 10.20.30.x
    2. Netmask:
    4. DNS:,
  7. Test external access by connecting to a known website or pinging a remote server from within a 2nd Level VM. After verifying external access, you can test accessing the VM from an external source.

    You can find the external IP/hostname on the summary tab of the ESXi node. There is a drop down list for the available NICs with IP information for each additional IP you defined.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.