VMworld 2018 Sessions for VMware Cloud Providers

This is a very exciting time for us at VMware, especially in the Cloud Provider Program. I am elated to say there are over 34 sessions that are tied to VMware Cloud Providers at VMworld 2018 – we are only publishing the sessions that are allowed currently…

I believe this is the most we’ve ever had at a VMworld. This signifies the importance of our Cloud Providers to VMware and our channel partners. As many of you have experienced, we are in a significant growth space and these sessions are very important for us to showcase what VMware is delivering around Cloud Providers. Moreover, this is a very important venue for us to present our current and future investments in VCPP.

I was honored when two of my sessions were accepted a few months ago. While it’s a little stressful ensuring we are creating valuable content for our Cloud Service Providers, I am looking forward to presenting this material at VMworld.

Why VMware vSAN Is the Best Solution for Cloud Provider Environments [HCI1145BU]

The first session I have is with Greg Kaffenberger who is one of my esteemed colleagues inside of the VMware Cloud Provider team. We’ve noticed there’s some confusion around how vSAN works inside of our subscription model. Our goal is to demystify and showcase how vSAN is a sustainable operating model for Cloud Service Providers.

A lot of great content has been created that will be reviewed in this hour. Unfortunately, I wish we had more time – we’ve had to cut a lot but we will make the best of it!

Case Study: Hybrid Cloud with vCloud Extender from Customer to Provider [HYP1142BU]

I am co-presenting with Raffaelo Poltronieri at CloudItalia and we are stoked about speaking about vCloud Director Extender. While many of you have seen my Extender posts over the past year, we will be talking about some of the best practices and lessons learned with one of our strategic partners. Moreover, I will be discussing the goals going forward for our extensibility solutions – significant investment is going in to ensure we make it easy for our Cloud Providers to provide hybridity between on-prem and vCloud environments.

A few callouts I want to make as these are sessions you should not miss –

  • Consuming Cloud Provider SD-WAN Services [BRE3038BU] – this reviews VeloCloud for VCPP and it is very top of mind for many providers. Providing seamless connectivity between sites in a secure, multi-tenant architecture is critical.
  • Delivering Custom Services Through vCloud Director Extensibility [HYP1803BU] – you will continue to see further development in UI Extensibility inside of vCloud Director. Milko and Martin will do a great job discussing what’s possible inside of the new vCD H5 UI.
  • Introducing VMware Cloud Provider Pod [HYP1499BU] – I can’t speak much about this right now, but check out what Wade Holmes and Yves Sandfort will be presenting. This is a new initiative and we’d love to get feedback from our Cloud Providers.

Honestly, they are all awesome. I was going to continue to list more, but there’s some valuable content being created by amazing leaders in this organization.

I will be at VMworld Saturday to Thursday – please reach out if you ever want to talk about any of our solutions!

See you there,

-Daniel

Automate retrieving the Horizon Usage Report for VMware Cloud Providers

For VMware Cloud Providers that are using Horizon, monthly usage collection is not automated or collected by Usage Meter currently. This is a manual process that requires the Provider to retrieve the highwater mark concurrent usage on a monthly basis.

This post will document the automation of reporting of Horizon statistics in a Cloud Provider environment. I have tested this in my environment with vSphere 6.5 with Horizon 7.x.

First off, I did not do this by myself. Winston Blake and Carahsoft provided the initial script and I built off of it from there. Moreover, I received guidance from Luis Ayuso, Ray Heffer, and Wouter Kursten – this is the power of the #vCommunity! This is the first time I’ve created PowerShell code and published it to a git repo.

What does this PowerShell script provide?

  1. Creation of secure string for storing service account password
  2. Collection of Horizon Concurrent Usage data
  3. Outputs this to a file
  4. Emails this to a specified recipient(s)

What does it not provide?

  1. Setup of Windows Scheduled Task
  2. Reset of Highest Count in Horizon – yes, this is a bummer, but I will explain why further on.

High-Level Steps:

  1. Create a service account for running the usage collection.
  2. Download scripts to a folder on your View Manager server.
  3. Modify scripts and input folder and SMTP parameters.
  4. Run Part 1 of 2 – the securestring/password PS script.
  5. Create a basic task in Task Scheduler
    1. Test Run
  6. Enjoy emailed reports on a monthly basis and a quick link on resetting the highest count.

Create a service account

  1. In my lab environment, I created an account called “horizonsvc” in my domain. This is just a non-privileged account that I will utilize for read-only access to the Horizon environment. While the PowerShell script does convert the password to a securestring, this is just another best practice rather than running it as the default administrator account.
  2. In AD, we can see my Horizon Service Account – 
  3. And we also see that I added this user that’s attached to the Administrators (Read Only) group that provides limited permissions (no modifications available). 

Download scripts to a folder on your View Manager server

My repo is located here – https://github.com/dpaluszek/horizon-vcpp

The first file is the password file that will store the service account password in a secure string.

https://github.com/dpaluszek/horizon-vcpp/blob/master/horizon-password.ps1

Next, the second file does the work on collection while creating the file and emailing it out –

https://github.com/dpaluszek/horizon-vcpp/blob/master/horizon-usage-script.ps1

While this does automate the collection of the highwater mark of concurrent users, it does NOT reset the usage after collection. This has to be manually done and there is a link inside of the received email to do this operation.

Here’s why –

  1. There’s not a direct API/PowerShell command today that can reset this.
  2. However, one can see this field under the ADSI structure under “OU=Properties, OU=Global, CN=Counters” – we can see pae-NumCCUCountHigh which is the variable we need. 
  3. After my testing of changing this variable (along with Wouter’s help), it seems to be delayed on propagation and I do not know the long term effects of this while View Manager is running. Last of all, I do not know if this would be a production-supported operation – but I am researching other options and what the BU can do in the future.

Modify scripts and input parameters

Let’s walk through each file and what needs to be modified before running this in your environment:

  1. horizon-password.ps1
    1. On line 8, we need to change the location directory of where you are going to save this file. I suggest putting it in the same location as the two PS scripts along with the two files that will be created
    2. #Replace "C:\directory\" with the target directory for your secure string text file.
      read-host -AsSecureString -prompt "Please enter the password" | ConvertFrom-SecureString | Out-File C:\horizon\$filename.txt
      
      
  2. horizon-usage-script.ps1
    1. Line 8/9 –  we need to utilize the same directory location as in 1B –
      1. ##Replace "C:\DIRECTORY\file.txt" with the path to your encrypted service account password
        
        $password = get-content C:\horizon\file.txt | ConvertTo-SecureString
    2. Line 10/11 – change it to your service account. As an example, I am utilizing “CORP\horizonsvc” as my account.
      1. ##Replace "DOMAIN\username" with service account name previously used in Part 1 of 2
        
        $credentials = new-object -TypeName System.Management.Automation.PSCredential -argumentlist "CORP\horizonsvc",$password
    3. Line 13/14 – Modify your FQDN of your View Instance. For example, I am using “view-01a.corp.local”
      1. ##Replace FQDN with hostname of your Horizon Manager server.
        
        $hznode ="view-01a.corp.local"
    4. Line 30 – Another directory change –
      1. $file = "c:\horizon\horizon-usage-$timestamp.txt"
    5. Lines 40 to 43 – this is your SMTP/email information. Update with your SMTP server, recipient, and sender.
      1. ##Change the three variables below for your environment: smtpserver, recipient, and sender. 
        
        $smtpserver = "mail.rainpole.com"
        
        $recipient = "administrator@rainpole.com"
        
        $sender = "administrator@rainpole.com"

Run Part 1 of 2 – securestring/password PS script

  1. This is pretty straightforward – we open up PowerShell and .\ the first script and input your service account password – 
  2. We can now see the service account password stored in the file. 
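
When ConvertFrom-SecureString is used without a key, as in horizon-password.ps1, the file is protected with Windows DPAPI and can only be decrypted by the same user on the same machine, so Part 1 has to be run as the account the scheduled task will use. A pre-flight check for that, plus a tightened ACL on the file, as an added example that is not part of the horizon-vcpp scripts (the function names are hypothetical; the path and account are the ones used in this post's examples):

```powershell
# Added example; not part of the horizon-vcpp repository.
# Run it as the account the scheduled task will use, on the server that holds the file.
param(
    [string]$SecretPath     = 'C:\horizon\file.txt',   # path from this post's examples
    [string]$ServiceAccount = 'CORP\horizonsvc'        # lab account from this post
)

function Test-SecureStringFile {
    # Reports whether the current user can decrypt the stored secure string.
    param([Parameter(Mandatory = $true)][string]$Path)

    $whoami = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $result = [pscustomobject]@{ Path = $Path; RunningAs = $whoami; Decryptable = $false; Detail = '' }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Detail = 'File not found'
        return $result
    }
    try {
        # Without -Key, ConvertTo-SecureString relies on DPAPI, so this throws for any
        # user or machine other than the one that ran ConvertFrom-SecureString.
        $line   = Get-Content -LiteralPath $Path -TotalCount 1 -ErrorAction Stop
        $secure = ConvertTo-SecureString -String $line -ErrorAction Stop
        $result.Decryptable = ($secure.Length -gt 0)
        $result.Detail = if ($result.Decryptable) { 'OK' } else { 'Empty secret' }
    }
    catch {
        $result.Detail = $_.Exception.Message
    }
    return $result
}

function Set-RestrictedAcl {
    # Replaces the file's DACL: read for the service account, full control for
    # SYSTEM and local Administrators, nothing inherited from the folder.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ReadAccount
    )
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)      # block inheritance, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $grants = @(
        @{ Id = $ReadAccount;             Rights = 'Read' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' }
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g.Id, $g.Rights, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$check = Test-SecureStringFile -Path $SecretPath
Write-Host ("{0}: decryptable={1} as {2} ({3})" -f $check.Path, $check.Decryptable, $check.RunningAs, $check.Detail)

if ($check.Decryptable) {
    Set-RestrictedAcl -Path $SecretPath -ReadAccount $ServiceAccount
    (Get-Acl -LiteralPath $SecretPath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}
```

If the check fails, re-create the file with horizon-password.ps1 while running as the task's account rather than copying the file from another user or server.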

Create a basic task in Task Scheduler

  1. This could be run locally on the View Manager server or some other Windows server that can traverse the network and hit the View instance.
  2. Right click -> Create a Basic Task, provide a name – I am using Horizon Usage Report 
  3. Select Monthly as we will want to run this on the last day of the month before the next calendar month – 
  4. We will have this start at the end of the month by selecting all calendar months and the last day of the month. I have 11:45 PM local time to give us a 15-minute buffer to run the operation (even though this takes a few seconds to run). 
  5. We want to select Start a Program since we will call on PowerShell – 
  6. I just typed in “powershell.exe” since it should be in your path already. Under Add Arguments, put the full path to your usage script. For example, I am using “C:\horizon\horizon-usage-script.ps1” 
  7. Summary page, but make sure you check the box for Open the Properties dialog for this task as we want to make sure this task runs even if there’s not a logged in user – 
  8. Change the radio button to “Run whether user is logged on or not” and press OK – 
  9. It will then prompt you for credentials to save this task – 
  10. Okay, now we are ready to run it!

Test Run and Expected Output

  1. Let’s try to test run our newly created task – 
  2. We can see the task completes pretty quickly, about 2 seconds – 
  3. Ah, we got the email! We can see the body with the URL to reset the highest count along with the attached usage. 
  4. In the file, we can see in my lab environment I had a count of 2 for the NumConnectionsHigh. This is what I’d report under BizPortal/iAsset for my monthly usage. 
  5. While the file was created in my directory – 

As for the reset highest count, I am still evaluating all options and will be discussing this internally. I am hoping this is valuable for our VMware Cloud Providers and alleviating some of the operational reporting burden.

Again, big thanks to the vCommunity for the help. I had quite a bit of fun and continue to learn more from an automation/programming perspective.

Enjoy!

-Daniel

vCloud Director Extender 1.1.0.1 – Org Admin Permissions Script

On June 11th, there was a new release of vCloud Director (vCD) Extender that included a change in the organization administrator permissions. Big thanks to my peer Tomas Fojta for his collaboration and working with the Business Unit on further enhancing this permissions structure.

I have updated the PowerShell permissions script that will add these to the specified org. Note this is ONLY for version 1.1.0.1 of vCD Extender, so I am leaving my previous revisions alone.

I am probably stating the obvious here, but this can also be added via the vCD API. Here are the right references to add if you so choose:

<RightReferences>
<RightReference href="{url}/right/105191de-9e29-3495-a917-05fcb5ec1ad0" name="Organization vDC Gateway: View L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/eeb2b2a0-33a1-36d4-a121-6547ad992d59" name="Organization vDC Gateway: Configure L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/66b32e08-1eeb-37ac-9266-ffbd19b39dd8" name="Right: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/4886663f-ae31-37fc-9a70-3dbe2f24a8c5" name="Catalog: Add vApp from My Cloud" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/438e45e9-9389-3e29-9073-638b36921a2a" name="Disk: Create" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/1e5ad20d-1023-34d1-b073-1ea30bce3854" name="Disk: Delete" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/7bbee458-b3c5-3252-ba5a-b1781b1c7b92" name="Disk: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/fd036ae5-b78b-3c9f-8f28-a7f6b33d0d92" name="Disk: View Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2cd03d47-38e1-337a-907c-8d5b6a5258f2" name="Organization vDC Distributed Firewall: Configure Rules" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/4e61b5b8-0964-36b6-b021-da39aea724fc" name="Organization vDC Distributed Firewall: View Rules" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801" name="Organization vDC Gateway: Convert to Advanced Networking" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae" name="Organization vDC Gateway: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2cd2d9d7-262c-34f8-8bee-fd92f422cc2c" name="General: Administrator Control" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/0b8c8cd2-5af9-32ad-a0bd-dc356503a552" name="General: Administrator View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/b0cfe989-521b-3d7f-9bc2-f23c74a99633" name="Organization vDC Network: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2c8d98ef-4acc-3be4-9214-fcb9682b7a19" name="Organization vDC Network: View Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/6cb3596a-15eb-3c2f-a657-5f14f2039719" name="Organization Network: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/194c71a1-3d68-3156-b789-6a6384028b78" name="Organization Network: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/60be4106-1f9f-325c-8ff4-8bf2c6d9bc0a" name="Organization Network: Create or Delete" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2dc8abec-2e0d-3789-a5f9-ce0453160b53" name="vApp: Create / Reconfigure" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/df05c07f-c537-3777-8d9b-a9cfe8d49014" name="vApp: Delete" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/c2a29357-1b2a-3f9d-9cd6-de3d525d49f3" name="vApp: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/580860cd-55bc-322d-ac39-4f9d8e3e1cd2" name="vApp: Power Operations" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/4965b0e7-9ed8-371d-8b08-fc716d20bf4b" name="vApp: Copy" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/8832800f-575f-3501-ad84-8e15f3898f11" name="vApp: Change Owner" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/5250ab79-8f50-33f9-8af5-015cb39c380b" name="vApp: Edit VM Properties" type="application/vnd.vmware.admin.right+xml"/>
</RightReferences>

 

Below is the updated PowerShell script. Again, another thanks to Jon Waite for letting me borrow his initial code!

# vCloud Director Extender Permissions Setup - initially created by KiwiCloud.Ninja - modified by Daniel Paluszek - paluszek.com
# Creation Date: 2018-June-15
# Version 2.1 - for vCD Extender 1.1.0.1 and vCloud Director 9.1
# Adds specific permissions required for vCD Extender Org Admin to connect successfully to cloud instance.
# NOTE: These are tested on version vCD 9.1.0.7905680 and vCD Extender 1.1.0.1
# Note that Organization roles (e.g. Organizational Administrator) still need to be edited to add these rights once this script is executed
# NOTE: You must be connected to the vCloud API (Connect-CIServer) with a System administrative user prior to running the script for this to work.
# Add your Org name and vCD instance name below
$OrgToUpdate = '<INSERT-ORG-NAME>'
$APIendpoint = '<INSERT-IP-OR-FQDN-OF-VCD>'

Function vCloud-REST(
    [Parameter(Mandatory=$true)][string]$URI,
    [string]$ContentType,
    [string]$Method = 'Get',
    [string]$ApiVersion = '27',
    [string]$Body,
    [int]$Timeout = 40
)
{
    $mysessionid = ($global:DefaultCIServers | Where { $_.Name -eq $APIendpoint }).SessionId
    $Headers = @{"x-vcloud-authorization" = $mysessionid; "Accept" = 'application/*+xml;version=' + $ApiVersion}
    if (!$ContentType) { Remove-Variable ContentType }
    if (!$Body) { Remove-Variable Body }
    Try
    {
        [xml]$response = Invoke-RestMethod -Method $Method -Uri $URI -Headers $headers -Body $Body -ContentType $ContentType -TimeoutSec $Timeout
    }
    Catch
    {
        Write-Host "Exception: " $_.Exception.Message
        if ( $_.Exception.ItemName ) { Write-Host "Failed Item: " $_.Exception.ItemName }
        Write-Host "Exiting."
        Return
    }
    return $response
} # Function vCloud-REST End

# Adds required permissions for vCD Extender connectivity - still require to apply permissions in the UI once executed!
$newrights = @{}
$newrights.Add("Organization vDC Gateway: View L2 VPN", "105191de-9e29-3495-a917-05fcb5ec1ad0")
$newrights.Add("Organization vDC Gateway: Configure L2 VPN", "eeb2b2a0-33a1-36d4-a121-6547ad992d59")
$newrights.Add("Right: View", "66b32e08-1eeb-37ac-9266-ffbd19b39dd8")
$newrights.Add("Catalog: Add vApp from My Cloud", "4886663f-ae31-37fc-9a70-3dbe2f24a8c5")
$newrights.Add("Disk: Create", "438e45e9-9389-3e29-9073-638b36921a2a")
$newrights.Add("Disk: Delete", "1e5ad20d-1023-34d1-b073-1ea30bce3854")
$newrights.Add("Disk: Edit Properties", "7bbee458-b3c5-3252-ba5a-b1781b1c7b92")
$newrights.Add("Disk: View Properties", "fd036ae5-b78b-3c9f-8f28-a7f6b33d0d92")
$newrights.Add("Organization vDC Distributed Firewall: Configure Rules", "2cd03d47-38e1-337a-907c-8d5b6a5258f2")
$newrights.Add("Organization vDC Distributed Firewall: View Rules", "4e61b5b8-0964-36b6-b021-da39aea724fc")
$newrights.Add("Organization vDC Gateway: Convert to Advanced Networking", "9dc33fcb-346d-30e1-8ffa-cf25e05ba801")
$newrights.Add("Organization vDC Gateway: View", "d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae")
$newrights.Add("General: Administrator Control", "2cd2d9d7-262c-34f8-8bee-fd92f422cc2c")
$newrights.Add("General: Administrator View", "0b8c8cd2-5af9-32ad-a0bd-dc356503a552")
$newrights.Add("Organization vDC Network: Edit Properties", "b0cfe989-521b-3d7f-9bc2-f23c74a99633")
$newrights.Add("Organization vDC Network: View Properties", "2c8d98ef-4acc-3be4-9214-fcb9682b7a19")
$newrights.Add("Organization Network: Edit Properties", "6cb3596a-15eb-3c2f-a657-5f14f2039719")
$newrights.Add("Organization Network: View", "194c71a1-3d68-3156-b789-6a6384028b78")
$newrights.Add("Organization Network: Create or Delete", "60be4106-1f9f-325c-8ff4-8bf2c6d9bc0a")
$newrights.Add("vApp: Create / Reconfigure", "2dc8abec-2e0d-3789-a5f9-ce0453160b53")
$newrights.Add("vApp: Delete", "df05c07f-c537-3777-8d9b-a9cfe8d49014")
$newrights.Add("vApp: Edit Properties", "c2a29357-1b2a-3f9d-9cd6-de3d525d49f3")
$newrights.Add("vApp: Power Operations", "580860cd-55bc-322d-ac39-4f9d8e3e1cd2")
$newrights.Add("vApp: Copy", "4965b0e7-9ed8-371d-8b08-fc716d20bf4b")
$newrights.Add("vApp: Change Owner", "8832800f-575f-3501-ad84-8e15f3898f11")
$newrights.Add("vApp: Edit VM Properties", "5250ab79-8f50-33f9-8af5-015cb39c380b")

$myendpoint = $global:DefaultCIServers | Where { $_.Name -eq $APIendpoint }

if (!$myendpoint.IsConnected) {
    Write-Host "Not connected to this vCloud endpoint, use 'Connect-CIServer' before running this script."
    Exit
}

$org = Get-Org -Name $OrgToUpdate -Server $APIendpoint

if (!$org) {
    Write-Host "Couldn't match organization with name $OrgToUpdate, exiting."
    Exit
}

$rightsuri = 'https://' + $APIendpoint + "/api/admin/org/" + $org.Id.Substring($org.Id.LastIndexOf(':')+1) + "/rights"

[xml]$rights = vCloud-REST -URI $rightsuri -ContentType 'application/vnd.vmware.admin.org.rights+xml' -Method 'Get' -ApiVersion '27.0'

# Add the new API v27 'RightsReference' elements to the XML returned:
foreach($newrule in $newrights.Keys) {
    $newright = $rights.CreateElement("RightReference", "http://www.vmware.com/vcloud/v1.5")
    $newright.SetAttribute("href","https://$APIEndpoint/api/admin/right/$($newrights.Item($newrule))")
    $newright.SetAttribute("name",$newrule)
    $newright.SetAttribute("type","application/vnd.vmware.admin.right+xml")
    $rights.OrgRights.AppendChild($newright)
}

# Update the Organization with the amended rights:
vCloud-REST -URI $rightsuri -ContentType 'application/vnd.vmware.admin.org.rights+xml' -Body $rights.InnerXml -Method 'Put' -ApiVersion '27.0'
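
The script above appends every right to the document it retrieved without checking what the organization already holds. As an added example (not part of the original script), the functions below compare the retrieved OrgRights XML against the required rights and append only the missing ones, which also gives a reviewable list of what the PUT will grant. The function names, the sample XML and the host `vcd.example.invalid` are constructed for illustration; the right names and IDs are taken from the list in this post.

```powershell
# Added example; not part of the original script. Runs offline against a constructed sample.

function Compare-OrgRights {
    # Splits the required rights into those already granted and those still missing.
    param(
        [Parameter(Mandatory = $true)][xml]$OrgRightsXml,
        [Parameter(Mandatory = $true)][hashtable]$RequiredRights   # right name -> right id
    )
    $granted = @{}
    foreach ($ref in $OrgRightsXml.OrgRights.RightReference) {
        # The right id is the last path segment of the href
        $granted[($ref.href -split '/')[-1].ToLower()] = $ref.name
    }
    $missing = @{}
    $already = @{}
    foreach ($name in $RequiredRights.Keys) {
        $id = $RequiredRights[$name].ToLower()
        if ($granted.ContainsKey($id)) { $already[$name] = $id } else { $missing[$name] = $id }
    }
    [pscustomobject]@{ Missing = $missing; AlreadyGranted = $already; GrantedCount = $granted.Count }
}

function Add-MissingRights {
    # Appends RightReference elements for the missing rights only; returns how many were added.
    param(
        [Parameter(Mandatory = $true)][xml]$OrgRightsXml,
        [Parameter(Mandatory = $true)][hashtable]$Missing,
        [Parameter(Mandatory = $true)][string]$ApiHost
    )
    foreach ($name in $Missing.Keys) {
        $el = $OrgRightsXml.CreateElement('RightReference', 'http://www.vmware.com/vcloud/v1.5')
        $el.SetAttribute('href', "https://$ApiHost/api/admin/right/$($Missing[$name])")
        $el.SetAttribute('name', $name)
        $el.SetAttribute('type', 'application/vnd.vmware.admin.right+xml')
        [void]$OrgRightsXml.OrgRights.AppendChild($el)
    }
    return $Missing.Count
}

# Constructed sample of what the GET on .../rights could return for an org
[xml]$sample = @'
<OrgRights xmlns="http://www.vmware.com/vcloud/v1.5">
  <RightReference href="https://vcd.example.invalid/api/admin/right/fd036ae5-b78b-3c9f-8f28-a7f6b33d0d92" name="Disk: View Properties" type="application/vnd.vmware.admin.right+xml"/>
  <RightReference href="https://vcd.example.invalid/api/admin/right/4965b0e7-9ed8-371d-8b08-fc716d20bf4b" name="vApp: Copy" type="application/vnd.vmware.admin.right+xml"/>
</OrgRights>
'@

# A subset of the rights from this post, enough to show both outcomes
$required = @{
    'Organization vDC Gateway: View L2 VPN'      = '105191de-9e29-3495-a917-05fcb5ec1ad0'
    'Organization vDC Gateway: Configure L2 VPN' = 'eeb2b2a0-33a1-36d4-a121-6547ad992d59'
    'Disk: View Properties'                      = 'fd036ae5-b78b-3c9f-8f28-a7f6b33d0d92'
}

$diff = Compare-OrgRights -OrgRightsXml $sample -RequiredRights $required
Write-Host ("Already granted: " + (($diff.AlreadyGranted.Keys | Sort-Object) -join '; '))
Write-Host ("To be added:     " + (($diff.Missing.Keys | Sort-Object) -join '; '))

$added = Add-MissingRights -OrgRightsXml $sample -Missing $diff.Missing -ApiHost 'vcd.example.invalid'
Write-Host ("Added $added element(s); document now holds " + @($sample.OrgRights.RightReference).Count + " rights")
```

In the real script, `$rights` and `$newrights` would take the place of `$sample` and `$required`, and the "To be added" list can be reviewed before the PUT is sent.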

Happy migrating,

-Daniel

vCloud Director Extender 1.1.0.1 Released!

I am happy to announce that vCloud Director Extender 1.1.0.1 was released earlier this week as we can see below –

We can also see the release notes have been posted here: https://docs.vmware.com/en/vCloud-Director-Extender/1.1/rn/vCloud-Director-Extender-11-Release-Notes.html

So, what’s new with this release?

Updated Items

  1. Tested operational scale – a significant amount of testing and evaluation was put into this release to verify the number of deployments, cold or warm migrations, and L2VPN network extensions (or DC Extensions). This allows the Provider to plan accordingly based on these guidelines.
    1. Up to 20 connected on-prem Managers to a single Provider Extender Manager instance.
    2. Migrate up to 50 VMs via warm migration simultaneously to a Provider
    3. 300 to 1500 cold migrations from a single to multiple on-prem instances to a Provider
    4. Up to 5 L2VPN extensions per on-prem instance, or up to 20 extensions from multiple tenant instances to a Provider.
  2. Support for older vCenter instances – this was a big ask from our Providers where they were working with clients that had 5.5 instances. This allows for a seamless migration to a vCloud environment.
  3. Offline seeding to a target cloud – minimizes the amount of initial sync time before cutover. Very nice addition.
  4. Co-existence with vCloud Availability for DR – another great value point for current Providers that are running vCAv DR2C for DR as a Service (DRaaS) simultaneously. Note that you can only migrate or protect a VM with one of the products, not both.
    1. Another note – I am currently running vCloud Availability for Cloud to Cloud (vCAv-C2C) in my test environment and this seems to co-exist with vCD Extender. However, this has not been certified as of yet!
  5. Testing a cutover in a warm migration that does consistency checks to verify functionality.

Last of all, there was a permissions update for the organization administrator role. Please review this blog post for my updated permissions script and the necessary org admin rights.

Thank you!

-Daniel