The VMware SASE Orchestrator stores and exports, through APIs, sensitive information about customers and their networks. To protect the on-premises customer-sensitive information from external attack and to restrict access to their APIs, VMware SD-WAN supports configuration of a Bastion Orchestrator (Public Orchestrator) in an Internet-facing demilitarized zone (DMZ) for the purpose of staging and activation of a SD-WAN Edge. With the Bastion Orchestrator feature enabled, an Operator Super user can activate a provisioned Edge against the Bastion Orchestrator by using the activation key received from the Production (Private) Orchestrator. The activated Edge is then promoted from the Bastion Orchestrator to the Production Orchestrator through a secure communication.
Note: In this document, the term "Bastion Orchestrator" is used interchangeably with the term "Public Orchestrator", and the term "Production Orchestrator" is used interchangeably with the term "Private Orchestrator".
The following diagram illustrates the architecture and activation workflow of the Bastion Orchestrator.
The Bastion Orchestrator architecture consists of two Orchestrator instances in communication with one another. The public-facing instance of the Bastion pair is 'Bastion Orchestrator', and the private instance is 'Production Orchestrator. The Bastion Orchestrator - Edge activation workflow includes the following steps:
  1. Configuring Bastion Orchestrator
  2. Preparing Production Orchestrator
  3. Staging an SD-WAN Edge to the Bastion Orchestrator
  4. Activating an SD-WAN Edge against the Bastion Orchestrator
  5. Promoting an activated Edge from the Bastion Orchestrator to the Production Orchestrator

Limitations

  • During the Bastion configuration, you can stage only one Operator Super user account to the Bastion Orchestrator. Once the Bastion connection is established between the Bastion and Production Orchestrators, the Operator Super user account can be used for emergency purposes to gain access to the Bastion Orchestrator. The Operator Super user who is staged will have access to only the Bastion Orchestrator configuration page.
  • Unpairing of Bastion Orchestrator from the Production Orchestrator (Return to Standalone Mode operation) is not supported.
  • For activating an Edge, the Edge must be in "Certificate Acquire" mode. While promoting the Edge, for bringing the WAN links with the gateway as UP, the Gateway must be in "Certificate Acquire" or "Certificate Required" mode.
  • After the promotion of an Edge from Bastion Orchestrator to Production Orchestrator, if you want to upgrade the Edge Software image, ensure to configure the vco.trusted.uuids system property on the Production Orchestrator as follows:
    [
    {
        "uuid": "72292451-d34f-45df-ac47-2ff1fd274ba2",
        "sessionSecret": "a3c0930b-43c5-41a6-b50b-5095aee50598"
    }
]

    Where, uuid and sessionSecret are UUID and Session Secret values of the Bastion Orchestrator. You can get the UUID and Session Secret from the vco.uuid and session.secret system properties, respectively.

  • Once the Gateway and Edges are staged and activated in the Bastion Orchestrator, you cannot perform the Remote diagnostics tests using the Production Orchestrator for the staged Gateway and Edges in the Bastion Orchestrator; however, you can request and generate remote diagnostic bundle from the Production Orchestrator .
  • The Bastion-staged profile, which is created for the purpose of staging an Enterprise customer to Bastion Orchestrator, should have minimum configuration related to Global segments. When the profile entities are updated, only the Device settings, Business policy, and Firewall under Global segment will be synchronized with the Bastion Orchestrator. The following Profile configurations will not be synchronized with the Bastion Orchestrator:
    • Segments other than Global segment
    • Network segments configurations
    • Object groups

Disaster Recovery for Bastion Orchestrator

Essentially, Disaster Recovery (DR) functionality is supported for Production (Private) Orchestrator, but for Bastion (Public) Orchestrator as it is stateless and receives its instructions from Production Orchestrator, the DR functionality for Bastion Orchestrator is currently not supported.

Newly Supported features in the 5.4.0 Release

In the 5.4.0 release, the following new features are introduced for the Bastion Orchestrator:
  • Ability to view events of a Staged Edge from the Production Orchestrator through the Bastion Orchestrator.
  • Ability to request diagnostic bundle from the Production Orchestrator through the Bastion Orchestrator of a Staged Edge.
  • If an Edge promotion fails due to some reason, the Edge goes back to the last known good configuration i.e. connected back to Bastion.
  • Ability to configure and send the Edge upgrade (Software and Firmware upgrades) related information to the Bastion Orchestrator while staging the SD-WAN Edge to Bastion Orchestrator. This allows the Edge to get upgraded immediately after the Edge is activated against the Bastion Orchestrator. For more information, see Stage a SD-WAN Edge to Bastion Orchestrator.