vCloud Director Extender – Org Admin Permissions Script

On June 11th, there was a new release of vCloud Director (vCD) Extender that included a change in the organization administrator permissions. Big thanks to my peer Tomas Fojta for his collaboration and working with the Business Unit on further enhancing this permissions structure.

I have updated the PowerShell permissions script that will add these to the specified org. Note this is ONLY for version of vCD Extender, so I am leaving my previous revisions alone.

I am probably stating the obvious here, but this can also be added via the vCD API. Here are the right references to add if you so choose:

<RightReference href="{url}/right/105191de-9e29-3495-a917-05fcb5ec1ad0" name="Organization vDC Gateway: View L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/eeb2b2a0-33a1-36d4-a121-6547ad992d59" name="Organization vDC Gateway: Configure L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/66b32e08-1eeb-37ac-9266-ffbd19b39dd8" name="Right: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/4886663f-ae31-37fc-9a70-3dbe2f24a8c5" name="Catalog: Add vApp from My Cloud" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/438e45e9-9389-3e29-9073-638b36921a2a" name="Disk: Create" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/1e5ad20d-1023-34d1-b073-1ea30bce3854" name="Disk: Delete" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/7bbee458-b3c5-3252-ba5a-b1781b1c7b92" name="Disk: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/fd036ae5-b78b-3c9f-8f28-a7f6b33d0d92" name="Disk: View Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2cd03d47-38e1-337a-907c-8d5b6a5258f2" name="Organization vDC Distributed Firewall: Configure Rules" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/4e61b5b8-0964-36b6-b021-da39aea724fc" name="Organization vDC Distributed Firewall: View Rules" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801" name="Organization vDC Gateway: Convert to Advanced Networking" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae" name="Organization vDC Gateway: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2cd2d9d7-262c-34f8-8bee-fd92f422cc2c" name="General: Administrator Control" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/0b8c8cd2-5af9-32ad-a0bd-dc356503a552" name="General: Administrator View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/b0cfe989-521b-3d7f-9bc2-f23c74a99633" name="Organization vDC Network: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2c8d98ef-4acc-3be4-9214-fcb9682b7a19" name="Organization vDC Network: View Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/6cb3596a-15eb-3c2f-a657-5f14f2039719" name="Organization Network: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/194c71a1-3d68-3156-b789-6a6384028b78" name="Organization Network: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/60be4106-1f9f-325c-8ff4-8bf2c6d9bc0a" name="Organization Network: Create or Delete" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2dc8abec-2e0d-3789-a5f9-ce0453160b53" name="vApp: Create / Reconfigure" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/df05c07f-c537-3777-8d9b-a9cfe8d49014" name="vApp: Delete" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/c2a29357-1b2a-3f9d-9cd6-de3d525d49f3" name="vApp: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/580860cd-55bc-322d-ac39-4f9d8e3e1cd2" name="vApp: Power Operations" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/4965b0e7-9ed8-371d-8b08-fc716d20bf4b" name="vApp: Copy" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/8832800f-575f-3501-ad84-8e15f3898f11" name="vApp: Change Owner" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/5250ab79-8f50-33f9-8af5-015cb39c380b" name="vApp: Edit VM Properties" type="application/vnd.vmware.admin.right+xml"/>


Below is the updated PowerShell script. Again, another thanks to Jon Waite for letting me borrow his initial code!

# vCloud Director Extender Permissions Setup - initially created by KiwiCloud.Ninja - modified by Daniel Paluszek
# Creation Date: 2018-June-15
# Version 2.1 - for vCD Extender and vCloud Director 9.1
# Adds specific permissions required for vCD Extender Org Admin to connect successfully to cloud instance.
# NOTE: These are tested on version vCD and vCD Extender
# Note that Organization roles (e.g. Organizational Administrator) still need to be edited to add these rights once this script is executed
# NOTE: You must be connected to the vCloud API (Connect-CIServer) with a System administrative user prior to running the script for this to work.
# Add your Org name and vCD instance name below
$OrgToUpdate = '<INSERT-ORG-NAME>'
$APIendpoint = '<INSERT-IP-OR-FQDN-OF-VCD>'

# Thin wrapper around Invoke-RestMethod that reuses the PowerCLI session token for $APIendpoint
Function vCloud-REST(
    [Parameter(Mandatory=$true)][string]$URI,
    [string]$ContentType,
    [string]$Method = 'Get',
    [string]$ApiVersion = '27',
    [string]$Body,
    [int]$Timeout = 40
)
{
    $mysessionid = ($global:DefaultCIServers | Where { $_.Name -eq $APIendpoint }).SessionId
    $Headers = @{"x-vcloud-authorization" = $mysessionid; "Accept" = 'application/*+xml;version=' + $ApiVersion}
    # Drop the optional parameters that were not supplied so Invoke-RestMethod does not send blank values
    if (!$ContentType) { Remove-Variable ContentType }
    if (!$Body) { Remove-Variable Body }
    Try {
        [xml]$response = Invoke-RestMethod -Method $Method -Uri $URI -Headers $Headers -Body $Body -ContentType $ContentType -TimeoutSec $Timeout
    }
    Catch {
        Write-Host "Exception: " $_.Exception.Message
        if ( $_.Exception.ItemName ) { Write-Host "Failed Item: " $_.Exception.ItemName }
        Write-Host "Exiting."
        Exit
    }
    return $response
} # Function vCloud-REST End

# Adds required permissions for vCD Extender connectivity - still require to apply permissions in the UI once executed!
$newrights = @{}
$newrights.Add("Organization vDC Gateway: View L2 VPN", "105191de-9e29-3495-a917-05fcb5ec1ad0")
$newrights.Add("Organization vDC Gateway: Configure L2 VPN", "eeb2b2a0-33a1-36d4-a121-6547ad992d59")
$newrights.Add("Right: View", "66b32e08-1eeb-37ac-9266-ffbd19b39dd8")
$newrights.Add("Catalog: Add vApp from My Cloud", "4886663f-ae31-37fc-9a70-3dbe2f24a8c5")
$newrights.Add("Disk: Create", "438e45e9-9389-3e29-9073-638b36921a2a")
$newrights.Add("Disk: Delete", "1e5ad20d-1023-34d1-b073-1ea30bce3854")
$newrights.Add("Disk: Edit Properties", "7bbee458-b3c5-3252-ba5a-b1781b1c7b92")
$newrights.Add("Disk: View Properties", "fd036ae5-b78b-3c9f-8f28-a7f6b33d0d92")
$newrights.Add("Organization vDC Distributed Firewall: Configure Rules", "2cd03d47-38e1-337a-907c-8d5b6a5258f2")
$newrights.Add("Organization vDC Distributed Firewall: View Rules", "4e61b5b8-0964-36b6-b021-da39aea724fc")
$newrights.Add("Organization vDC Gateway: Convert to Advanced Networking", "9dc33fcb-346d-30e1-8ffa-cf25e05ba801")
$newrights.Add("Organization vDC Gateway: View", "d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae")
$newrights.Add("General: Administrator Control", "2cd2d9d7-262c-34f8-8bee-fd92f422cc2c")
$newrights.Add("General: Administrator View", "0b8c8cd2-5af9-32ad-a0bd-dc356503a552")
$newrights.Add("Organization vDC Network: Edit Properties", "b0cfe989-521b-3d7f-9bc2-f23c74a99633")
$newrights.Add("Organization vDC Network: View Properties", "2c8d98ef-4acc-3be4-9214-fcb9682b7a19")
$newrights.Add("Organization Network: Edit Properties", "6cb3596a-15eb-3c2f-a657-5f14f2039719")
$newrights.Add("Organization Network: View", "194c71a1-3d68-3156-b789-6a6384028b78")
$newrights.Add("Organization Network: Create or Delete", "60be4106-1f9f-325c-8ff4-8bf2c6d9bc0a")
$newrights.Add("vApp: Create / Reconfigure", "2dc8abec-2e0d-3789-a5f9-ce0453160b53")
$newrights.Add("vApp: Delete", "df05c07f-c537-3777-8d9b-a9cfe8d49014")
$newrights.Add("vApp: Edit Properties", "c2a29357-1b2a-3f9d-9cd6-de3d525d49f3")
$newrights.Add("vApp: Power Operations", "580860cd-55bc-322d-ac39-4f9d8e3e1cd2")
$newrights.Add("vApp: Copy", "4965b0e7-9ed8-371d-8b08-fc716d20bf4b")
$newrights.Add("vApp: Change Owner", "8832800f-575f-3501-ad84-8e15f3898f11")
$newrights.Add("vApp: Edit VM Properties", "5250ab79-8f50-33f9-8af5-015cb39c380b")

$myendpoint = $global:DefaultCIServers | Where { $_.Name -eq $APIendpoint }

if (!$myendpoint.IsConnected) {
    Write-Host "Not connected to this vCloud endpoint, use 'Connect-CIServer' before running this script."
    Exit
}

$org = Get-Org -Name $OrgToUpdate -Server $APIendpoint

if (!$org) {
    Write-Host "Couldn't match organization with name $OrgToUpdate, exiting."
    Exit
}

# The Org Id is a URN (urn:vcloud:org:<guid>); the admin API path needs only the GUID after the last ':'
$rightsuri = 'https://' + $APIendpoint + "/api/admin/org/" + $org.Id.Substring($org.Id.LastIndexOf(':')+1) + "/rights"

[xml]$rights = vCloud-REST -URI $rightsuri -Method 'Get' -ApiVersion '27.0'

# Add the new API v27 'RightReference' elements to the XML returned, in the same namespace as the returned document
# so the server accepts them on PUT:
$ns = $rights.DocumentElement.NamespaceURI
foreach($newrule in $newrights.Keys) {
    $newright = $rights.CreateElement("RightReference", $ns)
    $newright.SetAttribute("href", 'https://' + $APIendpoint + '/api/admin/right/' + $newrights[$newrule])
    $newright.SetAttribute("name", $newrule)
    $newright.SetAttribute("type", "application/vnd.vmware.admin.right+xml")
    [void]$rights.DocumentElement.AppendChild($newright)
}

# Update the Organization with the amended rights - PUT the document back using the media type
# the rights document reports for itself in its root 'type' attribute:
vCloud-REST -URI $rightsuri -ContentType $rights.DocumentElement.GetAttribute('type') -Body $rights.InnerXml -Method 'Put' -ApiVersion '27.0'
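The script appends every right in the list whether or not the org already holds it, so a second run sends each RightReference again. The following is an added example of mine (not from this post or from Jon Waite's script) that diffs the org's current rights document against the required set and appends only the missing ones, so the PUT can be skipped when nothing changed. The function names, the sample namespace and the endpoint name are assumptions; the sample XML is constructed for an offline dry run, and in a live run you would pass the $rights document and $newrights hashtable from the script above.

```powershell
# Added example (not part of the original post). Works on the [xml] OrgRights
# document returned by GET /api/admin/org/{id}/rights and a name -> GUID hashtable
# of required rights; the org's current rights are keyed by the GUID at the end
# of each RightReference href, so a re-run never appends an element twice.
Function Get-MissingOrgRights {
    param(
        [Parameter(Mandatory=$true)][xml]$OrgRightsXml,
        [Parameter(Mandatory=$true)][hashtable]$RequiredRights
    )
    $granted = @{}
    foreach ($ref in $OrgRightsXml.OrgRights.RightReference) {
        $guid = $ref.href.Substring($ref.href.LastIndexOf('/') + 1)
        $granted[$guid.ToLower()] = $ref.name
    }
    $missing = @{}
    foreach ($name in $RequiredRights.Keys) {
        $guid = $RequiredRights[$name].ToLower()
        if (-not $granted.ContainsKey($guid)) { $missing[$name] = $guid }
    }
    return $missing
}

Function Add-OrgRights {
    param(
        [Parameter(Mandatory=$true)][xml]$OrgRightsXml,
        [Parameter(Mandatory=$true)][hashtable]$RightsToAdd,
        [Parameter(Mandatory=$true)][string]$ApiEndpoint
    )
    # Reuse the namespace of the returned document for the new elements and
    # report how many were appended (0 means there is nothing to PUT back).
    $ns = $OrgRightsXml.DocumentElement.NamespaceURI
    foreach ($name in $RightsToAdd.Keys) {
        $el = $OrgRightsXml.CreateElement('RightReference', $ns)
        $el.SetAttribute('href', "https://$ApiEndpoint/api/admin/right/" + $RightsToAdd[$name])
        $el.SetAttribute('name', $name)
        $el.SetAttribute('type', 'application/vnd.vmware.admin.right+xml')
        [void]$OrgRightsXml.DocumentElement.AppendChild($el)
    }
    return $RightsToAdd.Count
}

# Constructed sample (placeholder namespace and host): an org that already holds
# "Disk: Create" but not "vApp: Copy". GUIDs are the ones listed in the post.
[xml]$sample = @"
<OrgRights xmlns="urn:example:constructed-namespace">
  <RightReference href="https://vcd.example.invalid/api/admin/right/438e45e9-9389-3e29-9073-638b36921a2a" name="Disk: Create" type="application/vnd.vmware.admin.right+xml"/>
</OrgRights>
"@
$required = @{
    'Disk: Create' = '438e45e9-9389-3e29-9073-638b36921a2a'
    'vApp: Copy'   = '4965b0e7-9ed8-371d-8b08-fc716d20bf4b'
}

$missing = Get-MissingOrgRights -OrgRightsXml $sample -RequiredRights $required
$missing.Keys | ForEach-Object { Write-Host "Missing right: $_" }   # only vApp: Copy
$added = Add-OrgRights -OrgRightsXml $sample -RightsToAdd $missing -ApiEndpoint 'vcd.example.invalid'
Write-Host "Appended $added RightReference element(s)"
# Running Get-MissingOrgRights again on $sample now returns an empty hashtable.
```

In the live script, call Get-MissingOrgRights on $rights with $newrights, and only issue the PUT when Add-OrgRights reports a count greater than zero.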

Happy migrating,


vCloud Director Extender Released!

I am happy to announce that vCloud Director Extender was released earlier this week as we can see below –

We can also see the release notes have been posted here:

So, what’s new with this release?

Updated Items

  1. Tested operational scale – a significant amount of testing and evaluation was put into this release to verify the number of deployments, cold or warm migrations, and L2VPN network extensions (or DC Extensions). This allows the Provider to plan accordingly based on these guidelines.
    1. Up to 20 connected on-prem Managers to a single Provider Extender Manager instance.
    2. Migrate up to 50 VMs simultaneously to a Provider via warm migration
    3. 300 to 1500 cold migrations from one or more on-prem instances to a Provider
    4. Up to 5 L2VPN extensions per on-prem instance, or up to 20 extensions from multiple tenant instances to a Provider.
  2. Support for older vCenter instances – this was a big ask from our Providers who were working with clients still running vCenter 5.5. This allows for a seamless migration to a vCloud environment.
  3. Offline seeding to a target cloud – minimizes the amount of initial sync time before cutover. Very nice addition.
  4. Co-existence with vCloud Availability for DR – another great value point for current Providers that are running vCAv DR2C for DR as a Service (DRaaS) simultaneously. Note that you can only migrate or protect a VM with one of the products, not both.
    1. Another note – I am currently running vCloud Availability for Cloud to Cloud (vCAv-C2C) in my test environment and this seems to co-exist with vCD Extender. However, this has not been certified as of yet!
  5. Testing a cutover in a warm migration that does consistency checks to verify functionality.

Last of all, there was a permissions update for the organization administrator role. Please review this blog post for my updated permissions script and the necessary org admin rights.

Thank you!


VMware vCloud Availability for Cloud-to-Cloud DR – Pairing and Usability (2 of 2)

Continuation of VMware vCloud Availability for Cloud-to-Cloud DR – Pairing and Usability (1 of 2)

This post covers pairing and usability of VMware vCloud Availability for Cloud-to-Cloud DR.

Previous blog posts:

Blog Post – what is vCloud Availability for Cloud-to-Cloud DR? 

Blog Post – vCloud Availability for Cloud-to-Cloud DR – Installation and Setup

  1. Part 2:
    1. Initial authentication between the two sites
    2. Migrating a workload in the same site
    3. Protecting a workload between two sites
    4. Testing the protected workload
    5. Edit Options
    6. Failing Over

Initial authentication between the two sites

  1. This is pretty simple and very similar to (if not exactly like) vCAv-DR2C. Go to Paired Clouds -> click the actions button to authenticate on the paired remote site. For me, this is SiteB. 
  2. We need to provide the organization name, the username of the org admin, and password. Note this must be an organization admin for pairing. 
  3. Complete! 
  4. Now, I can do the same on my second site, SiteB. 

Migrating a workload in the same site

  1. So let’s work through a use case where I want to migrate a vApp or VM between two different oVDCs in the SAME vCloud Director instance. This question came up on the vExpert Slack channel and I thought this was supported, but wanted to make 100% sure. The answer is yes – fully supported. So let’s go through how I made this happen.
  2. From the DR Workloads tab, let’s click on the Discovery button – 
  3. From here, our source is going to be our same site, which is SiteA/Org1, which should show host in parentheses. 
  4. Let’s select my test vApp, which is properly named “vApp_test” for this exercise. 
  5. Now our destination is the same vCD instance, or SiteA/Org1. Let’s select it –
  6. We can now see the other org VDC available, which is my Org1-Gold-oVDC. This is the only selection available as we cannot move it to the same oVDC and I do not have more than two oVDCs inside of this organization. From here, we can also select the Storage Profile, Target RPO, and whether we want to add in any Point-in-Time instances, along with the data connection type. 
  7. Once we click finish, we get our setup screen… 
  8. We can now see the vApp is being configured and in the “Protecting” status. 
  9. Complete! All green and in the “Protected” state so it’s ready for migration over to my destination oVDC. 
  10. Let’s go ahead and click Failover and get the confirmation window on what we want to do. I can select the DR Network (I didn’t set up networking for this test) and if I want to turn on the target VM. 
  11. We can now see the status has changed to “Failing Over” – 
  12. From my vCD instance, I can see the vApp being imported… 
  13. Source/Original vApp is being powered off… 
  14. Under Tasks on the vCAv portal, I can see the migration tasks underway – 
  15. Complete! We have successfully migrated over the vApp to the new orgVDC. We also see the original/source vApp was completely powered off, or in the Stopped state. 
  16. In conclusion, very simple and intuitive to migrate between the same vCD instance. Theoretically, you could deploy this at a single site and use this for local migration.

Protecting a workload between two sites

  1. So let’s cover migration between the two sites – SiteA and SiteB. In this exercise, we will take a workload in SiteB and protect it to SiteA. This is very similar to our exercise above (migrating within the same site), except that we select the paired site as the protection target.
  2. Let’s go ahead and click on Discovery and select our source site (SiteB) – 
  3. Now we can select our vApp that we will be protecting to SiteA – 
  4. Select our destination, which mine is SiteA/Org1 – 
  5. From our final screen, we can select the appropriate oVDC, storage profile, and my target RPO. For this exercise, I’ll be adding in some Point-in-Time instances too. Click OK and let’s get to protecting…
  6. I tried to grab the transition log, but it was too fast. But I do see the initial replication succeeded along with my protected vApp showing “Protected” – awesome! 
  7. I also like the event pop-up we get when something changes. We can see this in the above screenshot, which shows my newest protected vApp is good to go.

Testing the protected workload

  1. Testing is the ability to bring up the protected workload at the destination site in an isolated network of your choosing – this allows the application owner to verify everything is operational and could be used for regulatory purposes too.
  2. Testing is pretty easy – it can be orchestrated from either site (source or destination) and it’s with a click of a button –
  3. We get the confirmation screen and the choice of our test network we want to utilize. Once I hit the Start button, I can see the status changes to “Failover Testing Initializing.” 
  4. On my SiteA, I can see within the logs the failover testing is underway while we have a transition of a vApp inside of SiteA – 
  5. Alright, now it shows Failover Test Ready which is great. Now, my app owner can test their app on the destination and verify functionality. 
  6. One of the nice additions is the quick launch buttons on the test workload – we can hover over the two icons and see quick launch buttons to get to each site. Very nice addition. 
  7. Finally, when our testing is done, we can click the Cleanup button to remove the test VM and go back to our normal, Protected state. Pretty straightforward. 

Edit Options on protected workload

  1. Clicking the Edit button provides us with the ability to make changes to a current protected workload –
  2. From the options pane, we can see the following – 
  3. We get our standard RPO slider – from a 5-minute to a 24-hour RPO – while providing the ability to keep point-in-time instances for further retention.
  4. Moreover, all traffic is encrypted but we can also further optimize by compressing data. Very similar to vSphere Replication, the replicators will attempt to compress the data to minimize network traffic.
  5. Last of all, we have the ability to quiesce the operating system by using VMware Tools.

Failing Over

  1. In our last example, we will fail over my core-B vApp from SiteB to SiteA. Failover can be done from either site (especially important if I lost my source site) and is very straightforward.
  2. Let’s select Failover from the UI – 
  3. As discussed before, our standard options and what network we want to select. 
  4. We can see it transitioned to Failing Over… 
  5. Voila! Failed over. Now we can click the quick launch shortcut and start doing whatever we need to do. 
  6. Another thing to note – even with a failed over workload, we can reverse the replication and reprotect it back to our original site, assuming the site is still operational. This is done by selecting the Reverse button. Now, this will show as outgoing from my SiteA to SiteB.

That’s it, folks! My hope is this was informational for any providers that are considering utilizing Cloud to Cloud for migration and DR needs in their multi-site vCloud Director environments. It’s a great tool and is very intuitive for our tenants and providers.



VMware vCloud Availability for Cloud-to-Cloud DR – Pairing and Usability (1 of 2)

As a continuation of my vCloud Availability for Cloud-to-Cloud DR (vCAv-C2C) series, we will be covering the initial pairing and usage of C2C in this blog post.

Blog Post – what is vCloud Availability for Cloud-to-Cloud DR? 

Blog Post – vCloud Availability for Cloud-to-Cloud DR – Installation and Setup

I will break this post into the following sections and into two blog posts:

  1. Part 1:
    1. The pairing of the two vCD/vCAv sites
    2. Logging into the vCAv Portal and Portal Overview
    3. Provider view of the vCAv Portal
  2. Part 2:
    1. Initial authentication between the two sites
    2. Migrating a workload in the same site
    3. Protecting a workload between two sites
    4. Testing the protected workload
    5. Edit Options
    6. Failing Over

The pairing of the two vCD/vCAv Sites

  1. First, the Provider must set up an association between the two vCAv sites before the tenant can authenticate within the vCAv portal.
  2. This is done in the Replication Manager portal – point your browser to https://<vcav-rep-mgr>:8046, authenticate, and click on Sites -> New site
  3. We then assign a Site name, the full URL of the respective peer replication manager, and the appliance password. Within my setup, I did this on both sites, SiteA and SiteB. 
  4. Once we hit OK, you will receive a Task succeeded message – 
  5. Now, if we click on the Sites subsection, we can now see our local site along with our newly peered site. From SiteA and SiteB, I can see each respective site. 
  6. Complete! Now we are ready to log into the vCAv Portal.

Logging into the vCAv Portal and Portal Overview

  1. Point your browser to the fully qualified domain name along with port 8443 – this is the default port the portal runs on (it can be changed). 
  2. Logging in is very similar to vCAv-DR2C – you utilize the username@org-name parameter. For my SiteA, I have an “Org1” while my SiteB is “Org2” – for SiteA, I am logging in as org1admin@org1 with the appropriate password.
  3. Once authenticated, I get the very clean interface that shows the Cloud Topology. We haven’t started any replications/migrations yet, so I don’t have any ingress/egress traffic yet.  
  4. On the home page, you get a very clear view of the topology, workload statistics, and even the Organization VDC status. I thought this was a very efficient use of current oVDC utilization along with what’s being used within each oVDC. 
  5. Under the DR Workloads tab, we would be able to see incoming and outgoing protected workloads. Since we haven’t set up any yet, nothing to show yet. 
  6. Paired Clouds shows available vCD/vCAv instances and their authentication status. Since the Provider paired with SiteB, we have it available but it shows unauthenticated. We still need to authenticate with the appropriate credentials that reside on SiteB. 
  7. Last of all, Tasks will show any previous or current tasks and the event log. This will show logs for any connected site, so it is very easy to see exactly what is going on between the paired sites. 
  8. For those of you that have used vCAv-DR2C, this is very similar to that experience with a few minor enhancements. The learning curve is very minimal and we will go through a few test scenarios.

Provider view of the vCAv Portal

  1. The development team did a great job from a provider view on providing very useful information.
  2. First of all, we get to see a current status ticker that shows state of the vCAv environment. I thought this was extremely useful and intuitive to gain an operational understanding of the health of the current environment. 
  3. I didn’t mention this in the previous portal post, but this is also available there too. You can expand and see the details of the current replications/migrations between sites. This is done by clicking the caret icon in the top right corner. 
  4. If you also scroll down, you get to see the pVDC view of the current environment with a resource utilization rollup. Very similar experience to what we see now in vCD 9.1 Multi-Site. 
  5. Under the Orgs tab, we get to see the current organization and any registered vApps and current status. 
  6. One very nice item is that shield/checkmark icon. If we click that, we can actually impersonate the organization admin and assist with any tasks that the organization may be having trouble with. All done through this single interface! 
  7. I won’t cover DR Workloads as it’s the same as the tenant view, but just a macro-rollup of all protected workloads. However, under Administration, we get to see Configuration and Registration. From here, we can actually register other components to monitor from this dashboard along with resource threshold display. Very nice! 

Onto the next post, where we will review migrations and protection operations. Thanks!