A New VMware Badge Appears: VMware Specialist – Cloud Provider 2019

Many of you may be aware of the new VMware Specialist – Cloud Provider badge. However, I am going to spend some time to highlight the effort and provide some guidance on this new badge/exam. Also, it’s officially announced with many of our other great announcements at VMware Europe!

What is it?

Well, the Specialist Cloud Provider badge is a renewed effort by the VMware Cloud Provider team to establish a solid, fundamental certification/qualification platform for our Cloud Service Providers. This is the first step in setting a level of qualification to present solution knowledge around the VMware Cloud Provider Program (VCPP) stack and solution-set, especially VMware vCloud Director for Service Providers 9.x.

This is an online, unproctored exam that can be scheduled through Pearson Vue. The only prerequisite we’ve established is an active VCP certification. I was honored to be part of the team to develop this exam while Wade Holmes led the overall effort with many of my esteemed peers. It is 40 questions and you have 60 minutes for the exam.

What does it cover?

Just like with any other VMware certification – read, read, and read the blueprint: all of the answers are there. I believe the team did a great job of putting many links into this blueprint for material to prepare with. However, I’m going to highlight a few points that everyone should be aware of –

  1. This exam covers vCloud Director 9.1 functionality. Even though 9.5 is out as of this blog post, this was written when 9.1 was the current release.
  2. Sections 3, 5, and 6 are not present on this exam. Therefore, there are no troubleshooting questions. Be prepared to focus on core fundamentals and conceptual features of vCD.
  3. vCloud Availability for Cloud-to-Cloud 1.5 is also present on this exam; there are no vCloud Availability for DR questions. Moreover, vCD Extender is also present.

How can I prepare?

This answer is simple – work with vCD and the VCPP stack and you’re golden! 🙂

On a serious note, there’s a lot of great material on the blueprint, but we have two great VMware Education courses on vCloud Director:

VMware vCloud Director Fundamentals [V8.x] – this is an on-demand course that goes over core fundamentals of vCD. While it is dated for 8.x, it is very applicable. This is a self-paced course and can be done in about 3 hours.

VMware vCloud Director: Install, Configure, Manage [V9.x] – if you are very new to vCD, I recommend taking this course after the Fundamentals course. This provides a comprehensive experience (including lab time) of building out a vCD environment. This can be done online or in-person.

Read the documentation – we have a mess of many different docs we’ve referenced. Also, check out the many YouTube videos we have under our Cloud Provider page! 

Final thoughts

I believe this is a very fair exam for individuals that work with the VMware Cloud Provider solution set. The questions and concepts focus on the value and core fundamentals.

I’ve been receiving a lot of great and positive feedback, which is excellent. This was my first exam creation experience and I truly enjoyed the process, and look forward to the next step for our VMware Cloud Providers. If you’re at VMworld Europe, please don’t hesitate to contact me to meet up! Thank you.

-Daniel

Managing access to the VMware vCloud Availability for Cloud-to-Cloud Plugin to vCloud Director 9.5

With C2C 1.5, a new plugin was introduced inside of the vCloud Director 9.x context switching menu. By default, all organizations and org admins receive this plugin once C2C is installed. Moreover, C2C will also upgrade any existing (older) plugins and register the new one inside of vCD (or if the plugin is missing for some reason, it will register and publish to all).

What if we wanted to restrict/control access and mask this from specific tenants? Well, I plan on walking through how this is done using the new /cloudapi inside of 9.5.

Recently, I was in my lab environment researching the ability to control access to the Availability plugin. 

So, this led me to investigate further and discover the full capacity of the plugin management from the new vCloud Director 9.5 API (with the help of Jeff Moroski).

With vCD 9.5, we introduced the use of bearer tokens for authentication. Tomas Fojta did a great job of writing up a how-to guide on using bearer tokens inside of Postman while embedding the token after login.

First off, how did I control accessibility to the Availability plugin? Let’s walk through the API and discuss how one can control access to the plugin.

Steps

First off, POST to your vCD instance to grab the access token –

https://vcd-fqdn/api/sessions


From there, I’m ready to run a GET to see what extensions are registered to this vCD instance (remember, uncheck the Accept/XML header since this is JSON) –

https://vcd-fqdn/cloudapi/extensions/ui

We can see my plugin has an associated identifier of –

"id": "urn:vcloud:uiPlugin:c450bdf8-764f-4631-a319-1c849873c176",

So, let’s see which tenants have access to this now. Here’s my GET API string –

https://vcd-fqdn/cloudapi/extensions/ui/urn:vcloud:uiPlugin:c450bdf8-764f-4631-a319-1c849873c176/tenants

As shown above, I can see all of my tenants have access to the Availability plugin. If I needed to force publish to all (for any other type of plugin), Jeff stated that I needed to append “publishAll” to propagate to all tenants.

Let’s go ahead and remove access to the “Daniel” organization for C2C. Right now, I see this in my UI –

This requires a POST command with the JSON body that has the “Daniel” organization inside of it –

https://vcd-fqdn/cloudapi/extensions/ui/urn:vcloud:uiPlugin:c450bdf8-764f-4631-a319-1c849873c176/tenants/unpublish

[
    {
        "name": "Daniel",
        "id": "urn:vcloud:org:aa663210-b11f-4c14-8dca-1efab8dec429"
    }
]

I received a 200 OK message, so it looks like it worked. Let’s go check.

A quick refresh, voila! Gone.

Again, this is a great way to verify and control the accessibility to the Availability plugin (or any vCD plugin) in vCloud Director 9.5. Cheers!

-Daniel
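
The unpublish step from the post above, written as a small allow-list check. This is an added example, not code from the original post or from VMware. It assumes the GET .../tenants response is a JSON array with the same name/id shape as the POST body shown in the post, and the Accept media type/version and the second organization are assumptions made for illustration.

```python
import json
import urllib.request

VCD = "https://vcd-fqdn"  # placeholder host, as used in the post
PLUGIN_ID = "urn:vcloud:uiPlugin:c450bdf8-764f-4631-a319-1c849873c176"  # from the post

def tenants_url(plugin_id, action=""):
    """URL of the plugin's tenant list, or of an action such as 'unpublish'."""
    url = f"{VCD}/cloudapi/extensions/ui/{plugin_id}/tenants"
    return f"{url}/{action}" if action else url

def unpublish_body(published, allowed_org_ids):
    """Orgs that currently see the plugin but are not on the allow-list."""
    return [{"name": t["name"], "id": t["id"]}
            for t in published if t["id"] not in allowed_org_ids]

def build_unpublish_request(token, plugin_id, body):
    """POST .../tenants/unpublish, authenticated with the bearer token from login."""
    return urllib.request.Request(
        tenants_url(plugin_id, "unpublish"),
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            # Assumed media type/version for vCD 9.5; not stated in the post.
            "Accept": "application/json;version=31.0",
            "Content-Type": "application/json",
        },
    )

# Constructed sample of a GET .../tenants response (shape is an assumption).
SAMPLE_TENANTS = [
    {"name": "Daniel", "id": "urn:vcloud:org:aa663210-b11f-4c14-8dca-1efab8dec429"},
    {"name": "ExampleOrg", "id": "urn:vcloud:org:00000000-0000-0000-0000-000000000001"},
]

if __name__ == "__main__":
    # Only ExampleOrg (hypothetical) should keep the plugin.
    allowed = {"urn:vcloud:org:00000000-0000-0000-0000-000000000001"}
    body = unpublish_body(SAMPLE_TENANTS, allowed)
    req = build_unpublish_request("<token-from-login>", PLUGIN_ID, body)
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=2))
    # urllib.request.urlopen(req) would send it; the post reports 200 OK on success.
```

Running unpublish_body again on a fresh GET .../tenants response after the POST gives an empty list once no organization outside the allow-list still has the plugin.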

Migrate VMs and Networking to vCloud Director – Video Walkthrough

I wanted to provide a quick walkthrough on how easy it is to import a VM (or adopt a VM) into a tenant organization for vCloud Director.

Tomas Fojta covers a lot of great detail on when this was introduced in vCD 8.20 here. 

In this video, I go through and show how I moved a tenant workload (DanielApp) along with a 172.16.102.0/24 network to vCloud Director and NSX.

While this does require a stepped process, it’s a pretty seamless process.

Migration Steps:

  1. Move the routing interface from the current physical underlay to the NSX Edge inside of the vCloud Director tenant organization (DCP-Edge-01)
  2. Switch over the VMNIC for the workloads to the logical switch presented by DCP-Edge-01
  3. Drag the VM to the orgVDC resource pool that’s provisioned by vCloud Director. Done!

Note that steps 1 and 2 do require some level of coordination with your network team with a brief maintenance window (route changes and validation). Moreover, the important distinction is we are allowing a tenant to utilize NSX functionality alongside vCloud Director.

Step 3 is the easiest. vCloud Director does all of the work and shows it in the UI without any further intervention. This is a great feature that demonstrates vCD can be utilized for existing tenant workloads that may be in a “naked” vCenter environment (or utilizing an existing CMP they are moving away from).

Anyway, here’s the video I created that shows me moving DanielApp to vCloud Director under my “Daniel” organization.

 

Last bit I’ll leave you with – while it’s great to migrate both the network and the VM to vCD, this may not be possible based on use case. Another migration method could be exposing the existing distributed virtual portgroup as a vCD External Network to the pVDC, then the oVDC. Then it’s as simple as just dragging in the VM(s) to the resource pool.

However, I do lose any self-service and NSX functionality, which could include overlapping networks when I scale out tenants.

Happy migrating!

-Daniel

vCloud Director 9.5 – Multi-Site and Cross-VDC Permissions Requirement

I was recently asked by a colleague of mine why the Organization Administrator role did not have access to multi-site or Datacenter Groups, which is a new feature inside of vCloud Director 9.5. As it turns out, my orgadmin did not have the permissions required either!

However, under my system administrator, I see it perfectly fine.

So, what gives? Well, this relates to the new Global Roles and Rights Bundles setup.

By default, organization administrators are NOT given the permissions required for multi-site or datacenter group (Cross-VDC) setup. Therefore, this is as expected but requires the new vCD 9.5 RBAC functionality to provide these permissions.

I will walk through setting this up so your organization administrator (or any specific role for that matter) can successfully access the Datacenter Groups menu.

Starting with Rights Bundles –

From Provider H5 UI, navigate to Administration -> Access Control -> Rights Bundles 

I will be utilizing the Default Rights Bundle as the place where I’ll establish the correct permissions for multi-site and Datacenter groups. For Providers that want to monetize this, we can either fall back to the existing legacy rights bundle (see above with the Org IDs) or create a new rights bundle. Click on the radio button and press Edit –

Now we are presented with a screen that shows the different rights categories –

For the multi-site, we need to just scroll down a little bit and we can see the section under Administration. Expand and check the applicable boxes.

Cross VDC is at the bottom, scroll down and expand.

Click Save when finished. Now, we need to Publish this to all tenants or select tenants. In my environment, I am going to publish this to all.

Rights Bundles are a way of assigning specific permissions to organizations while Global Roles are a way of assigning rights to users within those organizations. Therefore, if an org does not have permissions to the specific permissions inside of an assigned rights bundle, it will not show within that organization – nor will it show any permissions! Any org must have a rights bundle attached to it.

Publish the Global Role –

Now, we need to place these permissions inside of the Organization Administrator role. In this example, I will need to add these specific permissions inside of the Org Admin role, and then publish it to my tenants.

So, let’s go ahead and modify my Organization Administrator role and add these permissions.

Scroll down and add in Multisite capability…

While adding VDC Group permissions…

Now we are ready to publish this to all tenants –

Now, let’s test it – it works! I can log in with my specific org admin users and now see Datacenter Groups and Multi-site configuration.

Now, what if I attempt to re-modify the Org Admin role and publish it to a specific tenant (i.e. remove these permissions from Wissam)?

Ah ha! Does not work, because we already have a role applied. Good failsafe.

This definitely provides quite a bit of opportunity to Providers on granular permissions and managing them. I will also be asking our team to revise the documentation that shows the org admin as having these permissions by default (which they do not).

Thanks!

-Daniel