VMware Cloud Director Availability 4.0

Today VMware has released VMware Cloud Director Availability 4.0. It’s a milestone release: not only do we have a new name for the product, but there are also several key new features that Service Providers have been asking for!

Release notes: https://docs.vmware.com/en/VMware-Cloud-Director-Availability/4.0/rn/VMware-Cloud-Director-Availability-40-Release-Notes.html

The change of name from VMware vCloud Availability to VMware Cloud Director Availability is the first change to note but having run the GA version in the last couple of days there are some far more interesting changes I wanted to share.


The upgrade took 3-4 mins per appliance. Probably the easiest upgrade yet. Upgrades are via Internet or ISO.

Remember the order of precedence for upgrades:

  1. Upgrade all VMware Cloud Director Availability appliances in the local cloud site.
  2. Upgrade all VMware Cloud Director Availability appliances in remote cloud sites.
  3. Upgrade all VMware Cloud Director Availability On-Premises Appliance nodes.

Note: The licence key for VCDA 4.0 is different from previous versions and any new replications may not be able to be configured. Service Providers should have an updated Licence Key from LicenceWeb prior to the upgrades being conducted on their Cloud sites.

Replication Data Information

Typically the number one question from a Service Provider is what RPO can they offer. This question is very difficult to answer due to the numerous variables (source/destination storage performance, network throughput capability, compressibility of the data, rate of change of data of the protected VM, etc).

In VCDA 4.0 we now have the information easily presented on how long each synchronization takes and the data transferred. This leads to more accurate RPOs that can be offered per Tenant based on quantitative data.


We also have the new capability of allowing Tenants to retain particular instances so they don’t disappear over time. This may be useful for times when customers are running upgrades of applications or other significant changes to their workloads and want another copy of their data available in the Cloud.

Other information that is now available is summated CPU, Memory and Storage requirements for being able to fail over the protected VMs successfully.

Graphs are also available to show the growth of data being retained over time. This includes the summated storage of all replicated Point In Time Instances retained and stored instances.

Policy Changes

Policies now have a big brother called SLA Profiles. With this the Service Provider can set standardised SLAs as offerings to Tenants. The defined SLAs assist Tenants in selecting easily defined protection policies which can drive consistency across their many protected VMs.

Other policy changes relate to per-Tenant throughput limiting to avoid any one tenant overwhelming the Service Provider Internet uplinks.

Other items to note

Within the VCDA Manager there is now a notification if the solution is not integrated with VMware Usage Meter. As of June 2020 Hotfix 4 for Usage Meter 3.6.1 is required for automated reporting of the replicated VMs.

Multiple NICs are now supported on the Tunnel Appliance which should open up better traffic flow options, especially for Internet vs cross-site replication traffic flows. Bear in mind this particular setting is global to a site and should be used carefully in concert with the Per-Tenant policies.

Finally, the OpenAPI framework has improved since the previous version, which allows Tenants to have an easier experience in building out their disaster recovery scripted workflows.

Credit to the Cloud Director Availability team for a great upgrade to the platform!


vCloud Director 9.7 MindMap

One of my primary roles within the VMware PSO Team in the METNA region has been to be the main Architect for vCloud Director based Service Providers. One of the tools I’ve come up with over that period has been a MindMap showing the areas that need to be covered in a design. It’s usually received positively and helps focus the workshops into knowing what we need to cover each day.

I am sharing this MindMap to help others.

Please feel free to DM me on Twitter @RossWynne for any edits or omissions that you spot!

vCloud Director MindMap for version 9.7

Joining the Mothership

Joining the Mothership!
After a really enjoyable year with Triangle I received an awesome (& unusual) chance to join VMware.

I’ve signed up to be a Senior Consultant (SDDC) covering the Middle East & North Africa (MENA), a pretty large region that will certainly help clock up the air miles! It’s a big life change in so many ways… After 10 years contracting this will be my first permanent role, my family will be moving nearly 6000km from Dublin to Dubai, and we will have new lifestyles, cultures & customs to embrace. I certainly wasn’t expecting to be packing up our home and becoming an expat when the year started!

I want to thank Triangle for giving me some great opportunities during the year. It was very much an enjoyable experience getting to work with their client base and getting to design & implement solutions around so much of the VMware product stack. Not once did I dread getting up & going to work which is a real sign of an enjoyable job!

Now to crack on with the rest of my first day as a VMware Employee!


NSX for vSphere 6.3 and NSX-T 1.1 Released

VMware NSX for vSphere 6.3 has been released today and with it comes a host of new bells and whistles:

  • vSphere 6.5 Support
  • VMware Integrated Containers Support
  • Centralised dashboard for Services and Operations
  • Faster Upgrades
    • Future NSX Manager upgrades will no longer require a reboot. VMware claim this will mean upgrades are 5 times quicker. How that claim is measured will be tested when NSX 6.3.1 drops!
  • Universal Security Tags
    • In previous releases when dealing with a multi-site, multi-vCenter deployment the only options for Dynamic Security Policies for DFW rules were to use either MAC address or IP lists. With this release the concept of universal security tags will allow for dynamic rulesets for the implementation of DFW rules across multiple vCenter/NSX deployments.
  • Branch Office
    • To bring NSX to highly dispersed environments beyond the datacenter VMware is introducing a special SKU based on Per VM licencing to fit that model. This is something I’ve been hoping for as a lot of customers don’t have the VM density per host to justify the per socket cost of NSX.
  • Increased vCloud Director support
    • As part of the NSX 6.3 release the foundations have been laid for vCloud NFV customers and Service Providers to provide advanced NSX functionality as part of a self-service platform. The list of capabilities to be exposed in vCloud Director has not been released but I’d be surprised if micro-segmentation wasn’t one of these capabilities (only speculation of course as I’m not privy to that information!)
  • Integration with vRA 7.2
    • There are now additional enhancements relating to the consumption of NSX load balancers and NAT functionality
  • Licencing
    • Announced as part of the press release is that customers who already own valid NSX licences are now entitled to use either NSX for vSphere or NSX-T in their environments (as long as they stay within their licensed limits of course!)
  • Customer Base Has Grown
    • VMware NSX finished 2016 with more than 2,400 customers!
  • Training and Certification
    • VMware has said that there have been over 11,000 professionals who have attended NSX training and there are now more than 7,000 NSX certified professionals worldwide.

NSX-T 1.1 has a few new features of note:

  • VMware Photon Support
  • Added support for vendor KVM platforms, namely Canonical and Red Hat
  • Added/Updated support for OpenStack Newton and Mitaka
  • New Beta Program for customers looking to network and secure containers
    • If a customer is looking to utilise container frameworks that are part of the Container Network Interface (CNI) project then VMware has a beta program for you! Contact your TAM for more information

Read more, and see some of the changes at the following link


How to Re-IP a vCloud Director Cell

There’s been a comment on the vExpert Slack asking about how to Re-IP a VCD (vCloud Director) cell. Here’s a rough method to carry out the task.

The basic method would be to:

  • Log into the VCD Cell in question that needs to be re-IP’d
  • Enter ‘service vmware-vcd stop’
  • On the Database Server for the vCloud Director cells log into the SQL Manager session with an account with edit rights on the vCloud database
  • Open up a new query window and select the vCloud Director database as the target of the script
  • Execute the following SQL statements:

select name from cells;

update cells set primary_ip='<new-cell-ip-address>' where name='<name-of-the-cell>';

  • Back on the vCloud Director Cells navigate into the $VCLOUD_HOME/etc directory and change the following values in the global.properties file:

‘vcloud.cell.ip.primary’ – Change it to the new primary IP address

‘consoleproxy.host.https’ – Change it to the new console proxy IP address

‘vcloud.cell.ips’ – Change both the IPs in the field appropriately

  • Change the IP address of the VM via whatever means the OS requires & update DNS records
  • When the VM has been successfully re-IP’d then start the VCD service on the cell with the command:

‘service vmware-vcd start’

PS: Be careful with any SSL certs that have IPs embedded as Subject Alternative Names (SAN). You may need to generate new SSL certs and replace the existing ones if needs be.
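
The global.properties edit from the steps above, plus a check for leftover references to the old addresses and for IP SANs in a certificate, as an added example that is not part of the original post. The function names are hypothetical, the comma-separated format of vcloud.cell.ips is an assumption, and cert_san_ips assumes the cell's certificate has been exported to a PEM file.

```shell
#!/usr/bin/env bash
# Added example, not from the original post; function names are hypothetical.
# Assumption: vcloud.cell.ips is "<primary>,<console proxy>" (comma-separated).

# set_prop FILE KEY VALUE: replace KEY's value, keeping the line's own
# "key = " spacing. Returns 3 and leaves FILE untouched if KEY is absent.
set_prop() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp) || return 1
    if awk -v k="$key" -v v="$value" '
        { eq = index($0, "=") }
        eq > 0 {
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name == k) {
                rest = substr($0, eq + 1); val = rest; sub(/^[ \t]+/, "", val)
                pad = substr(rest, 1, length(rest) - length(val))
                print substr($0, 1, eq) pad v; found = 1; next
            }
        }
        { print }
        END { exit(found ? 0 : 3) }' "$file" > "$tmp"
    then cat "$tmp" > "$file"; rm -f "$tmp"   # in-place write keeps owner/mode
    else rm -f "$tmp"; echo "key not found: $key" >&2; return 3
    fi
}

# reip_properties FILE NEW_PRIMARY NEW_CONSOLE: all-or-nothing rewrite of the
# three keys named in the post, with a backup written next to FILE first.
reip_properties() {
    local file=$1 primary=$2 console=$3 work rc=3
    work=$(mktemp) || return 1
    cat "$file" > "$work" || { rm -f "$work"; return 1; }
    if set_prop "$work" vcloud.cell.ip.primary "$primary" &&
       set_prop "$work" consoleproxy.host.https "$console" &&
       set_prop "$work" vcloud.cell.ips "$primary,$console"
    then cp -p "$file" "$file.pre-reip" && cat "$work" > "$file"; rc=$?
    fi
    rm -f "$work"; return "$rc"
}

# stale_refs FILE OLD_IP...: print "line:text" for every line that still
# contains an old address (-w stops 192.0.2.10 matching 192.0.2.100).
stale_refs() {
    local file=$1 ip; shift
    for ip in "$@"; do grep -nFw -- "$ip" "$file" || true; done
}

# cert_san_ips PEM_FILE: list IP addresses embedded as SANs (see the PS).
cert_san_ips() {
    openssl x509 -in "$1" -noout -text |
        grep -o 'IP Address:[0-9A-Fa-f.:]*' | cut -d: -f2-
}

demo() {
    local dir; dir=$(mktemp -d) || return 1
    cat > "$dir/global.properties" <<'EOF'
# constructed sample, not a real cell's file
vcloud.cell.ip.primary = 192.0.2.10
consoleproxy.host.https = 192.0.2.11
vcloud.cell.ips = 192.0.2.10,192.0.2.11
example.other.setting = 192.0.2.10
EOF
    reip_properties "$dir/global.properties" 198.51.100.20 198.51.100.21 &&
        cat "$dir/global.properties" &&
        echo "--- still referencing old addresses:" &&
        stale_refs "$dir/global.properties" 192.0.2.10 192.0.2.11
    rm -rf "$dir"
}
demo
```

Any line stale_refs prints still points at an old address and should be reviewed before the service is started; any address cert_san_ips prints that is an old one means the certificate needs reissuing.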


My VCAP6-NV Deploy Experience


The VCAP6-NV Deploy exam is very similar to the original VCIX-NV and from a casual review of the blueprint the only major item added has been multi-site NSX. The main ‘spoiler’ I can give for the exam is that of all the blueprint items there were roughly 3-4 small items that weren’t asked. In the older VCIX-NV there were a few items on that blueprint that you would look at and pretty much be certain that it couldn’t possibly be asked in an exam setting however this time everything was possible. Whoever came up with the exam environment should get a pat on the back, the layout is superbly thought out and, for the most part, no longer dependent on previous questions being completed successfully for latter questions to be attempted.

Of the 4 VCAPs I’ve taken so far this year the NV exam was the toughest. The quantity of questions and the tasks themselves required absolute concentration to the point I was mentally drained coming out of the exam.

  • As with all networking exams (CCNA or NSX) before I click start, I write down a netmask/cidr conversion table. I do this so I’m not having to do mental arithmetic whilst second guessing myself in the middle of a question.
  • Open the C# client and use it where practical. As much as the web-client is the future, there are still plenty of day-to-day tasks that are quicker to do in the fat client.
  • Open two web-client sessions to each vCenter. One for NSX tasks and the other for any vSphere tasks you can’t do in the fat client
  • Honestly don’t expect to pass just because you’re a vSphere god. You need a CCNA level of knowledge to troubleshoot some of the questions. Routing, subnets and a basic understanding of the OSI model is a must if you’re aiming to deploy NSX in real life so it logically stands that the deployment exam will require a basic understanding of the fundamentals.
  • In my exam I had repeating keystrokes which was mightily annoying for typing passwords. The staff at the test center reset my exam connection and while the issue wasn’t nearly as bad it did improve things to the point I could get the tasks done (with a dose of patience).
  • With all the will in the world it’s pretty difficult to replicate the exam environment in a home lab. Use the VMware Hands On Labs liberally.
  • Watch your SPELLING!!! As far as I’m aware the exams are corrected via script. You may build out a perfect solution to a question but if you screw up on the naming of a logical switch or edge router I wouldn’t be too confident of getting high marks at the end.

When I sat the VCIX-NV I had to wait nearly 2 weeks for the result. These days it’s only a few hours. Thankfully I passed!


My VCAP6-DCV Deploy Experience


I’ve managed to squeeze in a couple of VMware VCAP exams this month. The first of which was the VCAP6-DCV Deploy exam (the old DCA) in New Horizons in Dublin city center. A three hour experience that is only for those admins who enjoy pain and suffering the challenge of fixing very broken vSphere environments.

The lab itself was well laid out and the control center Windows desktop was very responsive. The overlay of the questions made the whole experience feel like a VMware Hands On Lab to the point that when I first looked at the screen my heart stopped as I thought that it was a HOL and not the exam! Check out Dave Davis’s blog post on how the deploy exam is laid out on screen.

There was also no screen refresh lag! For my DCA there were constant screen refresh issues and every click had to be thought through. This time the whole lab was responsive, tasks executed quickly and even the web-client didn’t crash once!

The questions themselves were a mix of real life BAU and also the rare one-off config changes you’d usually make when initially deploying an environment. The notes I took after the exam read as a list of pretty straightforward tasks but in the context of time pressure it’s not so easy.


  • Be well fed and rested prior to the exam. In the build up to a VCP or VCAP it can be all too easy to just keep looking through notes, Pluralsight videos or playing in a lab. While this is perfectly fine it’s also a 3hr exam that is mentally exhausting as you try to remember the sub-sub-sub-menu item in the web-client you need or the right esxcli command.
  • Use the C# client liberally. Don’t use the web-client unless the task requires it. I’ve heard of people sitting the VCAP5.5 exam and thinking they must only use the web-client, don’t, you’ll run out of time and risk failing the exam. I’ve said it in multiple forums, the vSphere web-client is not fit for purpose especially in situations where you have to fix something quickly.
  • Most of the blueprint was asked in some way. Know how to do it all and the exam will be just a battle against time.
  • If a question is outside your comfort zone then mark it down and move on. Get a first pass through the questions and then come back to the more challenging questions. Hopefully you’ll have plenty of time left to look up documentation and answer the tougher questions.

I received the result via email within an hour of finishing the exam and passed thankfully!


I’ll cover the VCAP6-NV Deploy in the next blog post…


VMware NSX vExpert 2016


On Friday I got the good news that I made it onto the VMware vExpert NSX program for 2016. This particular program is for current vExperts who have a passion for NSX to gain insight into what is coming down the pipeline and help provide feedback where possible on the product. Currently there are over 1300 VMware vExperts worldwide and given the many solutions VMware provides it’s a positive move to target information to particular groups and give more targeted information to share with the wider IT community. This is the first time the vExpert program has created a product specific sub-program and it will be interesting to see if there will be further vExpert programs for Cloud or Desktop.

With NSX Transformers having gone GA in May and NSX bringing extra functionality with every single point release I’m hoping myself and the 115 other NSX vExperts will be keeping busy this year!


My VCAP6-CMA Design (Beta) Experience


I recently sat the VCAP6-CMA Design beta and thought it might be worth writing up a few words on the experience. The beta is under NDA so please don’t expect a brain dump here, I enjoy sitting certification exams and I have no interest in getting barred from sitting others just to have a few extra page hits on my blog! (Sorry!) I have already sat the VCAP5 DCD & CID exams so the exam itself wasn’t as daunting as my first time taking them as I knew what to expect.
The difference this time around for me was:
1. There were no multiple choice questions. It was drag & drop style questions with plenty of Visio questions mixed in.
2. The exam was 4 hours long however the actual exam is likely to be 2-2.5 hours long when it goes GA.
3. I could go forward and back between questions which was very useful when I figured I might have screwed up an earlier question. It also was a way to validate that I’d joined all the elements in the Visio questions the way I wanted.
4. Some of the questions were slam dunks and others were mightily perplexing. Not from the point of view of not having studied enough but from either the odd misspelling or the instructions that begged for a little more context.
5. If you have sat the VCP6-Cloud/CMA exam you’re probably well aware of certain obsessions the question setters loved to ask about. More of the same I’m afraid!
6. The exam itself is one of the most ‘do-able’ design exams I’ve had yet and if you know your stuff you’ll breeze through it. There’s no nasty questions really, just some unclear ones but I’m hoping my comments that I left during the exam will be read and acted upon for the good of future test takers.
7. Was it a good test of design knowledge? Well it will validate your knowledge of how vRA is put together and how it interlinks with each component. I think the DCV Design exam validates actual design principles a lot more than the CMA version. It might be controversial but I also think the multiple choice questions had a place in the exam. They tended to be able to ask a lot more probing questions and allowed far more items in the blueprint to be questioned. [I fear that I’m going to regret that statement if they add them back into the VCAP7 Design exams!]
8. Is this exam actually worthwhile? It’s based on 6.x but 7.0 has already been released. The exam validates a general vRA knowledge but some questions would be answered somewhat differently if it was a vRA 7.0 exam. I’m not so sure this exam should have been released based on 6.x but it has and it’s unlikely to be changed in this calendar year so no point in whinging about it! 😉
9. I wish to mourn the lack of VCD questions. There are some vCloud Air and VCD references but if you’re a vCloud Air Partner then this exam won’t validate your staff or prospective employee’s knowledge which I think is a bit of a shame. VCD is making a quiet comeback after the Virtustream debacle and I think there’s still a place for it in a certification track.

Did I pass? I honestly don’t know! If I didn’t pass I’m pretty sure I’ll pass the second time as I’ve a sure fire knowledge of the types of questions asked. There have been exams I thought I barely scraped a pass on and ended up with high marks and then others I thought I nailed and had barely passed. There were nearly 40 design questions over the 4 hours but in some documents I saw online it stated about half that number of questions will be on the actual exam so I won’t know which questions will get pulled from the beta and carry on to the GA version.

To sum up, it’s not an exam to be feared if you’ve already worked on a real vRA 6.x deployment. If you haven’t then you really need to study all the reference documentation thoroughly and study every diagram meticulously!


NSX Guest Introspection & Data Security – Simple DLP

This week has been pretty heavy on demonstrating NSX and its various security capabilities. One of the capabilities that is slightly ignored is the inbuilt DLP capability for finding private data such as credit card numbers, SWIFT codes, VAT numbers, driving licence ID numbers etc. on deployed VMs. Usually most conversations around NSX are about Microsegmentation and the L7 deep packet inspection capabilities that will help with Data Leakage; however, I’d like to point out there is yet another side to the product, namely the Guest Introspection & Data Security services.

One of the usual threats customers can have is insider threats where an employee or contractor may copy sensitive data from a main server and leave it on their desktop to do with what they will at a later stage. If you are using NSX within a Horizon VDI deployment with NSX underneath then it’s only a matter of a few clicks and you’ll be able to keep track of where your sensitive data is on your infrastructure. From a real world experience I’ve seen text files of customer banking details being left on unsecured fileshares without the proper permissions structure (by accident) but in the wrong hands it would have been enough to trigger a trip to the Data Protection Commissioner and get scolded and fined for such a security breach. This one NSX service would have caught that file and potential data breach.

I certainly am not claiming the out of the box capabilities are as good as third party security tooling however when you have the capability to secure your data at no added cost to you as part of your NSX deployment you’d be foolish not to try it out and see the results!


You will find below a handful of screenshots showing the simple steps I took to deploy these capabilities and the results.

These services are native to the NSX platform and require no special licences. They are deployed on the next tab along from where you would configure vxlan. The deployment is simple and at most requires an IP Pool or DHCP scope to be available.


Once deployed you will hopefully see that the installation has succeeded and the services are ‘Up’.


So at this point you have simply deployed a couple of service VMs on each host that aren’t doing a hell of a lot. What you now need to do is decide on what VMs in your environment you want to monitor and create a Security Group in Service Composer to match those VMs. In my case I simply wanted to scan the Windows 7 VMs in my lab so my Security Group was dynamically created based on the VM OS being Windows 7!

Next was actually setting up a Security Policy which again was pretty straightforward.


As you can see from the screenshot I am looking to find some credit card data on the VMs. Once this security policy is created it needs to be applied to the security group you wish to scan. This is done just like if you were applying firewall policies to a security group.

The final step to set up the scanning for my credit card data is to configure the elements of the data security tab in the NSX manager.



As you can see I was scanning for certain types of credit card and financial details within a myriad of file types. There are plenty of other data types preconfigured within the system but at this point I haven’t spotted how to add other RegEx formats (probably just need to RTFM!).



So what were the results of setting the policy? Well other than a false positive within an Adobe Reader cab file it picked up my Visa, MasterCard and Swift banking codes in some text files I left on my W7 desktop.



