Utilizing Central Point of Management (CPoM) in VMware vCloud Director 9.7

One of the extremely exciting additions to VMware vCloud Director (vCD) is the ability to present vCenter instances securely to tenant organizations utilizing the vCD user interface – this is referred to as Central Point of Management, or what we abbreviate to as CPoM. Tom Fojta did a great job highlighting what’s new inside of vCD 9.7 here.

In this post, I am going to review the steps required to successfully deploy your first vCenter-SDDC to an organization inside of vCloud Director 9.7. You will need to utilize the CloudAPI, but do not be alarmed, I will walk you through these steps.

First off, what the heck is CPoM?

CPoM is the ability to present a dedicated vCenter instance to an organization, or tenant, via the vCloud Director user interface. In the past, we’ve had many providers providing hosted or dedicated private cloud services.

With the addition of this functionality, we can now utilize vCloud Director to manage both shared and dedicated cloud resources from a single portal.

In essence, the VMware Cloud Provider team is delivering on the promise of transforming vCloud Director into a services platform – and this additional functionality demonstrates that.

So, how do we get started?

High-Level Steps

  1. Add new vCenter instance to vCD Provider Management – UI
  2. Creating a new SDDC instance – API
  3. Publish to specific org/tenant – API
  4. Add Tenant permissions and CPoM Plugin -UI
  5. Proxy Configuration – UI
  6. Enjoy dedicated vCenter-SDDC access via vCD

Adding new vCenter Instance to vCD Provider Management

First up, we need to add this dedicated vCenter instance to the provider management.

My tenant is T1 and will be adding vcsa-01b.corp.local to their organization.

Before, we go into the steps, let’s review the documentation that talks about the high-level steps required.

Managing SDDCs and SDDC Proxies

One important note – you cannot attach an existing vCenter that’s utilized as a provider VDC (pVDC). This is pointed out in the documentation –

First, let’s navigate to vSphere Resources -> vCenters and click the Add button –

Let’s plug in our required connection data –

Next up is the configuration of the NSX-V Manager. I had a conversation with Engineering on this and the applicability for CPoM. While this is not mandatory for accessibility, a tenant can also proxy NSX commands via the proxy configuration. Therefore, depending on your use case, you may or may not want to set this up.

Once completed, we can now see the new vCenter (and what I called vCenter-T1 since it will be dedicated to organization T1) being added to the vCD Provider UI.

Once the operation is complete, we should see this as enabled, but not published to a SP or Tenant.

Creating a new SDDC instance

This has be done via the CloudAPI. First off, let’s explore the new API Explorer which provides some examples and how to parse this utilizing Postman, Curl, or whatever you choose. Navigate to https://vcd-fqdn/api-explorer/provider

Under the sddcs section, we have the following commands available –

Okay, let’s get our bearer-token first. If you are new on setting up Postman for connectivity, Fojta did a great blog post on utilizing the new bearer token with the CloudAPI functionality here.

Get our initial token and pass it through as a variable –

POST https://vcd-fqdn/api/sessions

Now, I want to view the current list of sddcs inside of this vCD instance. I realize we do not have any as of yet, but let’s see what it returns.

GET https://vcd-fdqn/cloudapi/1.0.0/sddcs

As expected, we do not have any SDDCs just yet. Let’s create our first one!

Our POST command will require a JSON body like the below. There are many more fields, but these are the required fields.

  "name":"<name of your new SDDC>",
  "description":"<description for your new SDDC>",
"vcId":"<ID of the VC recorded>"

But before we add it, we have a prerequisite – we need to get the vCenter ID of the newly added vCenter instance.

To do this, we need to run a GET command to vCenter ID. You will need to run the following:

GET https://vcd-fdqn/api/admin/extension/vimServerReferences

Okay, here’s my results –

And here is my “vCenter-T1” ID!

So for my vCenter-T1, my ID is the following:


We will add this to the body for when we add this as a new SDDC.

Creation of my JSON body –

"description":"T1 dedicated vCenter",

Alright, ready to hit the Send button…

And accepted…

I could use the Postman API to check the task, but I also see it running in the UI…


Let’s check and see what we have from the API now. Excellent, we now see vCenter-T1 as a new SDDC –

We also see the new ID for this SDDC:

This will be important as we will need this to publish it to the organization T1. First, let’s check and ensure it’s not published to anyone yet.

GET https://vcd-fdqdn/cloudapi/1.0.0/sddcs/urn:vcloud:sddc:29bf292b-07df-4d2f-9155-97dce2bad95d/tenants

As expected, no one has this from a tenant perspective –

Next pre-requisite – we need to get the orgID so we can create the body for the POST to publish this to T1. Our body will need to look like this:


Okay, let’s do a GET to /api/org –

Now, let’s crack open the T1 org further – /api/org/<org-ID> to get the URN –

So for my T1 organization, my ID is:


Assembling my body for the POST –


Let’s send it!

Got a 200 OK –

Now, if I do a GET to see what tenants/orgs have it..

GET https://vcd-fqdn/cloudapi/1.0.0/sddcs/urn:vcloud:sddc:29bf292b-07df-4d2f-9155-97dce2bad95d/tenants

We can see T1 has it published:

Behold, I can see the new vCenter-T1 from my T1 Org Admin! But why is it showing a red X?

Because by default, when you add the new SDDC, it defaults to false on “enabled”

So we have to enable it, here’s the body for my PUT – (changed it from false to true)

"name": "vCenter-T1",
"id": "urn:vcloud:sddc:29bf292b-07df-4d2f-9155-97dce2bad95d",
"enabled": true,
"vcId": "urn:vcloud:vimserver:419173a9-56bd-471f-929c-3f00c287d21b"


And green check mark in the T1 org admin view!

Add Tenant permissions and CPoM Plugin

By default, the rights bundles and the organization admin global role does not have SDDC access. Also, we need to publish the CPoM Plugin. Let’s do that first.

Under Provider UI, hit the hamburger menu -> Customize Portal, check the CPoM Extension and Publish –

Publish to selected tenants –

Let’s now provide the correct permissions.

On the Provider UI, toggle to Administration -> Tenant Access Control -> Rights Bundles – select the respective rights bundle you need to provide SDDC access and click Edit:

Under Infrastructure – SDDC, we can see the SDDC View and Manage option. Click View –

Ensure this rights bundle is published to your respective organizations –

Now, under Organization Administrator for the Global Role, add this new view permission –

Finally, publish –

Now, any organization admin can see the associated/published SDDC from their login. This can also apply to another role you might deem necessary.

Proxy Configuration and Logging In

There are three steps that need to take place for successful login:

  1. Checking out the default proxy to line up to the vCD VIP/cells
  2. Activating the proxy
  3. Downloading and configuring the proxy configuration file
  4. Importing the .PEM for certificate management

First, let’s GET the existing proxy configuration –


Now let’s get the explicit body for this default proxy –

GET https://vcd-fqdn/cloudapi/1.0.0/sddcProxies/urn:vcloud:sddcProxy:625ddc5a-66ee-4d1a-94a3-603a83604cd2

Now if I wanted to create a specific one, I can do a POST and do the following –

We can now see I have two proxies now. So, this is a great way to explicitly state what you’re trying to do.

Next, click on Manage Proxies –

Activate the default proxy –

Now activated, one can download the proxy configuration file, configure it to your browser and also download the proxy certificate (and upload it).

The proxy configuration file is pretty basic –

We can also see how it does the redirection from the cell to the T1-vCenter (check the bottom URL):

Again, before we can successfully login, ensure you’ve configured your browser for the PAC/proxy configuration. If you click the ? icon, there is a tutorial on configuring it for Chrome, Firefox, etc.

Once clicked, you are prompted for the org user along with the access token, and voila! Login.


I am extremely pleased with this new functionality inside of vCloud Director. While you need to know how to utilize the CloudAPI for initial configuration, it’s quite simple and elegant to utilize with Postman. The API-Explorer provides examples too. This is the first iteration of the CPoM service and will only get better as time progresses.

I believe this is a solid use case for dedicated private cloud alongside existing cloud organization VDCs – great way to provide distinct cloud services in a secure manner.

More to come, enjoy!


How does VMware vCloud Availability for Cloud-to-Cloud 1.5 interoperate with vCD Cross-VDC Networking?

I get this question quite a bit due to the new vCloud Director 9.5 Cross-VDC networking functionality – does vCloud Availability for Cloud-to-Cloud 1.5 (C2C) work with stretched networking inside of Cross-VDC networking?

The answer is: yes!

This is another great addition for recoverability considerations as one could fail over between vCloud Director instances without modifying the guest OS IP address. Furthermore, based on the application architecture, one could have active-active applications and ensure replication/failover in the event of a disaster.

Let’s go through my example high-level design I’ve worked up in my lab –

Example Cross-VDC setup with vCloud Availability for Cloud-to-Cloud 1.5

In the above diagram, we can see I have two active vCloud Director instances, Site-A and Site-B. I have two organizations, “Daniel” that resides in Site-A along with “Daniel-B” that resides in Site-B.

C2C is deployed on each site in the combined model and I have multi-site pairing completed so I can easily manage this between my two sites –

Within my Cross-VDC networking setup, I currently have my active egress setup to Site-A as depicted in the diagram above.

Last of all, I ran a protected workflow from Site-A to Site-B for my Stretched-vApp-VM –

From there, one can either migrate or failover the workload and without any guest OS IP changes. I am going to do a video shortly, but here’s a short GIF I created that shows the ease of use of failing over between my Site-A and Site-B –


After failover, I can then access Stretched-vApp-VM from the new NAT address on Site-B.

An Organization Administrator could also configure active/active or active/passive egress points for additional resiliency. This provides further capability inside of vCloud Director, especially with stretched networking and a complementary availability solution.



How is ECMP metered when configured in the Provider architecture within the VMware Cloud Provider Program?

Recently, I received a request from one of our aggregators regarding how Equal Cost Multipathing (ECMP) is metered within the VMware Cloud Provider Program (VCPP), specifically Tom Fojta’s recommendation on architecting Provider-managed NSX Edges and Distributed Logical Router (DLR) in ECMP mode, specifically this diagram from the Architecting a VMware vCloud Director Solution – 

As shown in the diagram above – How does Usage Meter handle bill these tenant virtual machines (VMs) when we have a provider NSX architecture that utilizes ECMP? 

For you TL;DR readers – any VM connected to a Tenant Edge / direct network that has ECMP enabled northbound, NSX Advanced will be charged for said VM. Read on if you want to learn how this is done. 

First off, let’s talk about why this matters. Per the Usage Meter Product Detection whitepaper (this can be found on VMware Partner Central), we can see how Usage Meter detects specific NSX features based on the pattern of usage. Regarding dynamic ECMP, it is metered by the “Edge gateway” which could be a little ambiguous. If one utilizes ECMP, they would be metered for NSX Advanced within VCPP. 

One of the scenarios from the whitepaper does show ECMP-enabled Edges but not an Edge that is abstracted away from the provider environment – 

My initial reaction was that Usage Meter would not look at the northbound provider configuration and the interconnectivity to vCloud Director. However, I was not confident and wanted to verify this explicit configuration and expected metering. Let’s review my findings. 

Lab Setup

In the above diagram, we can see I created a similar Provider managed NSX configuration with ECMP enabled from the DLR to the two Provider Edges with dynamic routing enabled (BGP). From there, I expose a LIF/Logical Switch named “ECMP-External-Network” to vCloud Director that is then exposed to my T2 organization as a new External Network.

From there, I created a dedicated Tenant Edge named “T2-ECMP-ESG” that will be attached to this newly created network along with a VM named “T2-ECMP-VM.” The goal is to verify how T2-ECMP-VM and T2-TestVM are metered by Usage Meter with this newly created Tenant Edge. 

Lab Configuration

My Edges are setup for BGP and reporting the correct routes from the southbound connected DLR (and tenant Edges) – 

From the DLR, we can see that I have two active paths to my Provider Edges (Provider-Edge-1 and 2) – 

Last of all, my T2-ECMP-ESG is operational and attached to the newly created ECMP External Network – 

Last of all, I have my VM’s created and powered on (remember, Usage Meter will only meter powered on VM’s). We can see T2-ECMP-VM is attached to a org routed network from T2-ECMP-ESG named “T2-ECMP-Network” – 


Let’s work from the north to south – start with the Provider Edges and show how Usage Meter detects and bills. 

Note – I have vROps Enterprise in my lab environment, so we will see Usage Meter picking up vROps registration and placing it in the appropriate bundle.

Provider Edges / DLR

As expected, the Provider Edges and DLR are detected along with registration to vROps. By design, NSX Edges are charged for the Advanced SP Bundle as they are metered as a management component (minimum Advanced bundle / 7-point). However, in my case, we see detection, and then registration to vROps Enterprise. Therefore, since it’s a bundle ID (BND) of 12, this is correlated to Advanced Bundle with Management (10-point) – 

Tenant Edge – T2-ECMP-ESG

Just like the Provider Edges and DLR, we see T2-ECMP-ESG register to UM along with vROps Enterprise registration. Same billing model as above. 

Tenant VM – T2-TestVM

I would not expect any change to this VM, but wanted to showcase that having a separate Edge with standard networking (i.e. no ECMP) will bill based off the NSX SP Base level. As expected, T2-TestVM was handled by Usage Meter just as anticipated – we can see registration, NSX SP Base usage, along with registration to vROps Enterprise – 

Tenant VM – T2-ECMP-VM

Finally, let’s take a look at my T2-ECMP-VM – as discussed before, this is wired to a Tenant Edge that is connected to the ECMP-enabled DLR via an External Network. 

We see initial registration, registration to vROps Enterprise, then NSX Advanced usage! This would be metered at Advanced Bundle with Networking and Management due to the NSX Advanced usage (12-point). 

Summary of Findings

Here’s what we learned:

  1. Edges/DLR Control VM’s are not charged for NSX usage since UM handles them as a management component. If you are using vROps, it will place it in the most cost effective bundle.
  2. Utilizing ECMP at the provider-level DOES impact any southbound connected VM from a billing perspective, even if an Edge sits in between the ECMP enabled configuration and the tenant VM. Per the findings, NSX Advanced will be metered. 
  3. Therefore, be aware of any NSX provider architecture and the use of NSX specific features. 

Again, this shows the logic inside of Usage Meter and how it relates to metering for tenant workloads. Cheers!


A New VMware Badge Appears: VMware Specialist – Cloud Provider 2019

Many of you may be aware of the new VMware Specialist – Cloud Provider badge. However, I am going to spend some time to highlight the effort and provide some guidance on this new badge/exam. Also, it’s officially announced with many of our other great announcements at VMware Europe!

What is it?

Well, the Specialist Cloud Provider badge is a renewed effort that the VMware Cloud Provider team is establishing a solid, fundamental certification/qualification platform for our Cloud Service Providers. This is the first step on setting a level of qualification to present solution knowledge around the VMware Cloud Provider Program (VCPP) stack and solution-set, especially VMware vCloud Director for Service Providers 9.x.

This is an online, un-proctored, exam that can be scheduled through Pearson Vue. The only prerequisite we’ve established is an active VCP certification. I was honored to be part of the team to develop this exam while Wade Holmes led the overall effort with many of my esteemed peers. It is 40 questions and you have 60 minutes for the exam.

What does it cover?

Just like with any other VMware certification – read, read, and read the blueprint: all of the answers are there. I believe the team did a great job of putting many links into this blueprint for material to prepare for. However, I’m going to highlight a few points that everyone should be aware of –

  1. This exam covers vCloud Director 9.1 functionality. Even though 9.5 is out as of this blog post, this was written when 9.1 was the current release.
  2. Sections 3, 5, and 6, are not present on this exam. Therefore, there are no troubleshooting questions. Be prepared to focus on core fundamentals and conceptual features of vCD.
  3. vCloud Availability for Cloud-to-Cloud 1.5 is present also on this exam, there is no vCloud Availability for DR questions. Moreover, vCD Extender is also present.

How can I prepare?

This answer is simple – work with vCD and the VCPP stack and you’re golden! 🙂

On a serious note, there’s a lot of great material on the blueprint, but we have two great VMware Education courses on vCloud Director:

VMware vCloud Director Fundamentals [V8.x] – this is an on-demand course that goes over core fundamentals of vCD. While it is dated for 8.x, it is very applicable. This is a self-paced course and can be done in about 3 hours.

VMware vCloud Director: Install, Configure, Manage [V9.x] – if you are very new to vCD, I recommend taking this course after the Fundamentals course. This provides a comprehensive experience (including lab time) of building out a vCD environment. This can be done online or in-person.

Read the documentation – we have a mess of many different docs we’ve referenced. Also, check out the many YouTube videos we have under our Cloud Provider page! 

Final thoughts

I believe this is a very fair exam for individuals that work with the VMware Cloud Provider solution set. The questions and concepts focus on the value and core fundamentals.

I’ve been receiving a lot of great and positive feedback, which is excellent. This was my first exam creation experience and I truly enjoyed the process, and look forward to the next step for our VMware Cloud Providers. If you’re at VMworld Europe, please don’t hesitate to contact me to meet up! Thank you.