Recap from VMworld 2018 and VMware Cloud Provider Sessions

VMware VMworld is always an amazing experience, but taxing for VMware personnel – from meetings, sessions, and nightly events, it can wear one down. However, I truly enjoy seeing everyone and this was my first time speaking at a VMworld, which I’m very grateful for.

I wanted to provide a recap of my two sessions along with sessions all VMware Cloud Providers should watch.

Why vSAN is the Best Solution for Cloud Provider Environments

This was done with my colleague, Greg Kaffenberger, who is part of our Cloud Strategy team. Our intent was to provide a high-level summary of items we’ve learned when collaborating with Providers on vSAN designs and implementations.

One thing I learned from the process of creating a session is that it’s VERY difficult to cover everything you want. Moreover, you want to hit the high-level points. Some of the initial feedback we received was that our material was too complex, so Greg and I did quite a bit of summarizing and moved the detailed points into the speaker notes.

Anyway, I thought this session went pretty well. Here’s the YouTube video along with the link to the slides for anyone to utilize –


Slide Deck on Google Drive

Case Study: Hybrid Cloud with vCloud Extender from Customer to Provider

This was a very exciting session with Raff Poltronieri at CloudItalia on a solution I’ve spent a lot of time with, vCloud Director Extender. We partnered together to review vCD Extender in technical detail along with the architecture. Raff covered CloudItalia’s experience along with a demonstration of one of their customers migrating from their on-prem environment to CloudItalia’s vCD instance. Furthermore, CloudItalia’s business is now growing because of their utilization of vCloud Director Extender.

vCD Extender, vCloud Availability, and our new Data Protection solution for vCD are just the start of these value-added products for vCloud Director. I am very excited to see what comes in the next 9 to 12 months for vCloud Director, especially around our availability, migration, and data protection products for Cloud Providers.

Video and Google drive to the slide deck below –

Slide Deck on Google Drive

Other Sessions to Review

William Lam did a great job of summarizing and providing the ability to download all recorded sessions here.

These are the other ones I suggest reviewing if you did not catch them live:

  1. Introducing VMware Cloud Provider Pod
     • VCPP’s new solution for instantiating a vCD environment, inclusive of all Cloud Provider components. Presented by Yves Sandfort and Wade Holmes.
  2. Delivering Custom Services Through vCloud Director
     • There are endless possibilities for providing custom services and integration through vCD. This session reviews some of the use cases we have worked on so far.
  3. VMware Data Protection Simplicity Meets Power: Converged, Cloud and Beyond
     • This covers our new partnership with Dell/EMC on Data Protection capabilities built into vCD.
  4. Cloud Provider Transformation with vCloud Director, NSX, and vRealize Suite
     • John White at Expedient does a great job going through their environment and how they’ve utilized the VMware Cloud Provider architecture to provide services to their tenants.
  5. Multitenant Managed Service Provider Platform for VMware Cloud Services
     • This reviews our new MSP solution / Cloud Provider Hub and what’s possible with VMC in regards to Cloud Providers.

There are many more here – this link should be filtered to sessions that have been marked for the Cloud Provider Program.

I truly look forward to the next opportunity to speak and share what I’ve learned on this incredible journey at VMware.

-Daniel

VMware vCloud Availability for Cloud to Cloud 1.5 is announced! What’s New?

I am excited to announce that vCloud Availability for Cloud to Cloud 1.5 (vCAv-C2C) will be released for VMware Cloud Providers at the end of September. This has been a long and fruitful journey between strategic design partners and our internal teams.

In this post, I will review what’s new inside of vCloud Availability for Cloud to Cloud 1.5.

Don’t know what vCloud Availability for Cloud to Cloud is – don’t worry, check out this intro post!

To start, our lightboard video as an intro to C2C and what’s new with 1.5 –

A quick summary of what I’ll be discussing:

    1. Enterprise Scale
    2. Service Provider Policies for Offer Management
    3. Seamless and unified experience with integration to vCloud Director
    4. vRealize Orchestrator Integration (Compatible with C2C 1.0)
    5. vRealize Operations Day 2 Monitoring Pack (Compatible with C2C 1.0)
    6. Public API
    7. Enhanced Usage Reporting

Scale

Let’s talk about scalability for C2C for a moment. The BU has certified the following for C2C 1.5 –

  • 110 concurrent failover protections
  • Over 3,000 active protections across 100 tenants. This is a variable number, as it will depend on the number of active tenants along with protected operations. However, in discussing this with Engineering, we’ve seen 4,000 VMs protected by vCAv-C2C.
  • Scale up to 7 tested replication instances.

Again, this has been an important enhancement as we have received multiple requests regarding scale. I would also say this is the maximum configuration we’ve tested so far. This does not mean our technology is limited to these numbers. If there’s something specific you’d like to see, please talk to your VMware Cloud Provider field team.

Policies

With C2C 1.5, Cloud Service Providers (CSPs) can now manage access control for vCloud Availability – Cloud to Cloud DR on a per-tenant-organization basis. By default, all tenant organizations are disabled, and CSPs can choose to enable the C2C DR service for one or many organizations. This allows CSPs to deliver Cloud to Cloud DR as a value-added service to their tenants.

As we can see from above, I have the Default Policy along with the “Org1 Policy” that I created and applied to my Org1 organization.

So, what does an org that has not been whitelisted for Cloud to Cloud usage see? It would get an error when attempting outgoing or incoming replications, such as the one below:

In addition to whitelisting organizations, C2C DR also allows a CSP to create and assign new policies to select organizations, giving the CSP the opportunity for a tiered offering and better control over capacity management. The following new policies have been added:

  1. Limit the maximum number of outgoing and/or incoming replications per organization
  2. Limit the maximum number of replicated VMs per organization
  3. Limit the maximum number of snapshots created per VM
  4. Set a lower limit on RPO per organization

Again, this gives granular application to specific orgs: we can create multiple policies and associate a different policy with each org.

Last of all, we can see the compliance state on each org –
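To make the policy model above concrete, here is an added example (my own illustration, not C2C code or its API) of how the four limits plus the per-org enable flag can be evaluated into a compliance state. The class and field names (`OrgPolicy`, `max_outgoing`, `min_rpo_minutes`, and so on) are assumptions for the sake of the example, and the replication data is constructed. The `can_add_replication` admission check goes slightly beyond the post: it asks the same question before a new replication is accepted, rather than only reporting violations after the fact.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class OrgPolicy:
    """Per-organization limits a CSP can attach to a tenant org.

    Hypothetical model of the policy described in the post; field names are
    assumptions, not the product's API.  None means "no limit".
    """
    name: str
    enabled: bool = True                         # org whitelisted for C2C DR at all?
    max_outgoing: Optional[int] = None           # max outgoing replications
    max_incoming: Optional[int] = None           # max incoming replications
    max_replicated_vms: Optional[int] = None     # max distinct replicated VMs
    max_snapshots_per_vm: Optional[int] = None   # max retained instances per VM
    min_rpo_minutes: Optional[int] = None        # lowest RPO a tenant may configure


@dataclass
class Replication:
    """One configured replication (constructed sample data shape)."""
    vm: str
    direction: str          # "outgoing" or "incoming"
    rpo_minutes: int
    snapshots: int = 0      # retained point-in-time instances for this VM


# Default policy: every org is disabled until the CSP explicitly enables it.
DEFAULT_POLICY = OrgPolicy(name="Default Policy", enabled=False)


def evaluate_compliance(policy: OrgPolicy, replications: List[Replication]) -> List[str]:
    """Return the list of policy violations for an org; an empty list means compliant."""
    violations: List[str] = []
    if not policy.enabled:
        # A non-whitelisted org should have no replications at all.
        if replications:
            violations.append(
                f"org not enabled for C2C DR but has {len(replications)} replication(s)")
        return violations

    outgoing = [r for r in replications if r.direction == "outgoing"]
    incoming = [r for r in replications if r.direction == "incoming"]
    if policy.max_outgoing is not None and len(outgoing) > policy.max_outgoing:
        violations.append(f"outgoing replications {len(outgoing)} exceed limit {policy.max_outgoing}")
    if policy.max_incoming is not None and len(incoming) > policy.max_incoming:
        violations.append(f"incoming replications {len(incoming)} exceed limit {policy.max_incoming}")

    distinct_vms = {r.vm for r in replications}
    if policy.max_replicated_vms is not None and len(distinct_vms) > policy.max_replicated_vms:
        violations.append(f"replicated VMs {len(distinct_vms)} exceed limit {policy.max_replicated_vms}")

    for r in replications:
        if policy.max_snapshots_per_vm is not None and r.snapshots > policy.max_snapshots_per_vm:
            violations.append(f"{r.vm}: {r.snapshots} snapshots exceed limit {policy.max_snapshots_per_vm}")
        if policy.min_rpo_minutes is not None and r.rpo_minutes < policy.min_rpo_minutes:
            violations.append(f"{r.vm}: RPO {r.rpo_minutes} min is below policy minimum {policy.min_rpo_minutes} min")
    return violations


def can_add_replication(policy: OrgPolicy, existing: List[Replication], new: Replication) -> bool:
    """Admission check before a new replication is configured: allowed only if the org stays compliant."""
    return not evaluate_compliance(policy, existing + [new])


# Constructed sample: an "Org1 Policy" applied to Org1, plus Org1's current replications.
ORG1_POLICY = OrgPolicy(name="Org1 Policy", max_outgoing=5, max_incoming=2,
                        max_replicated_vms=5, max_snapshots_per_vm=3, min_rpo_minutes=15)
ORG1_REPLICATIONS = [
    Replication("web01", "outgoing", rpo_minutes=30, snapshots=2),
    Replication("db01", "outgoing", rpo_minutes=15, snapshots=3),
    Replication("app01", "outgoing", rpo_minutes=5, snapshots=4),   # breaks the RPO floor and the snapshot cap
]

if __name__ == "__main__":
    for v in evaluate_compliance(ORG1_POLICY, ORG1_REPLICATIONS):
        print("VIOLATION:", v)
```

Running it lists the two violations for `app01`; the same evaluator run against the default (disabled) policy flags any replication at all, which matches the error a non-whitelisted org receives.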

Integrated vCD UI

Using the vCloud Director portal extensibility capability, the team has now introduced an integrated C2C plugin for vCD!

Once C2C is deployed and registered with your vCD instance, we will see the Availability link in the context-switching menu (or what we like to call the hamburger menu).

From there, the tenant user can navigate to C2C from the vCD interface, providing a fully integrated and seamless experience and alleviating the need for any console hopping.

vRealize Orchestrator Integration

This is an awesome addition as now we can provide unique workflows on a per tenant/use-case basis in an automated fashion. Now, combine this with the power of the new vRO/vCD integration within the Content Library!

From vRO, we can see we have a new vCloud Availability section –

The first thing we would need to do is connect to each respective site –

From here, we have multiple options available that were built by our team, including IP address change after failover:

vRealize Operations Day 2 Monitoring Pack

We are now introducing a management pack for vRealize Operations. This will allow the Provider team to have a single monitoring and analytics tool for providing vCAv-C2C statistics and rollups of the environment.

There are a few out-of-the-box dashboards available –

From here, we can get a picture of what’s going on from an operational perspective, including any RPO violations set by vCAv policies. While my test environment is clean, this gives you an idea of what to expect.

As a last note – the vRealize Orchestrator and vRealize Operations plug-ins have their own release cycles and would typically lag a little behind the core Cloud to Cloud releases. The vRO and vROps plug-ins for Cloud to Cloud are currently supported only for the C2C 1.0 release. Please reach out to your VMware Cloud Provider field team if you’d like to discuss these further.

Public API

There is now a public API available for C2C operations. It is generated through Swagger, which is quickly becoming the de facto standard for describing APIs. This gives Providers additional extensibility for managing C2C operations, along with the opportunity to integrate their Cloud to Cloud DR use cases into their own cloud management portal if they wish to do so.

Start off by going to the API documentation here

The steps to set up the Swagger client are fairly easy. I was able to do this in a Windows environment using PowerShell commands.

Start with downloading the JSON file –

Then, download the swagger-codegen client and run the generate command to generate the Java client –

And now the build is ready for .java files with the C2C parameters. I hope to have time to play around with this further.

Enhanced Usage Reporting

While Usage Meter integration is underway, we can pull reports from the C2C appliances by logging into the application console – documentation is here.

We start by SSHing to the C2C appliance or opening its console. From there, we need to authenticate again in the h4 context so we can type in the ‘usage-report’ command –

Now, I am able to run ‘usage-report’ and find out my usage –

Again, a lot of great content and additions to C2C 1.5. Please check it out!

-Daniel

Security Compliance – Pre-configure your vApp firewall rules inside vCloud Director using NSX DFW (Part 1 of 2)

This is a joint blog series with Wissam Mahmassani 

Today, we will be discussing pre-configured firewall rules for vApps inside of vCloud Director (vCD).

Recently, I received a request from a new provider that wants to deploy a specific vApp when they onboard a new tenant (or organization). This specific vApp will need to have NSX Distributed Firewall rules in place – the vApp will be the same for every tenant and will need to be secured accordingly.

While this is a Provider managed approach, this is a very simple way of “stamping” out vApps or other required virtual machines that need specific policies applied to them. Moreover, we would like an automatic way to pick up the associated DFW rules so it’s one less step for the Provider.

Overall Steps:

  1. Creation of a Security Group with Dynamic Membership
  2. Creation of a Security Policy
  3. Activating Security Policy against Security Group
  4. Creating vApp that meets dynamic membership criteria

Creation of a Security Group with Dynamic Membership

  1. Navigate to Menu -> Networking and Security -> Service Composer
  2. The first thing we are going to do is create a Security Group that will associate the VMs based on criteria.
  3. The easiest way to do this is by using a dynamic membership policy. We want to apply this group to any VMs whose name meets a specific criterion. In my example, I’m going to be utilizing “mgmt-pod” as my criteria –
  4. Click Finish, and we are off to the next step.

Creation of a Security Policy

  1. Let’s click on the Security Policies tab inside of Service Composer and create a new Security Policy – 
  2. Let’s give it a name – I am using Standard vApp DFW Rules. 
  3. From here, we can click on Firewall Rules and create our rules. In my example, I am going to let HTTPS traffic in and block everything else. Typically, for micro-segmentation rules, we would create granular rules to secure all types of traffic. I am using these just as an example.
  4. Creating DFW policies is fairly straightforward in the Service Composer – 

Activating Security Policy against Security Group

  1. Now, we are ready to apply our newly created policy to our group. Click the Apply button while your newly created policy is selected – 
  2. From the pop-up window, we will select our Standard vApp Rule group as a Selected Object – 
  3. Success – now we can see it has been applied –
  4. From the DFW view, we can see a new section created with associated DFW rules – 
     • Solid note from Tom Fojta: “Do not forget the order of DFW sections is important. If the tenant’s DFW VDC section is above and he creates an any-any-allow rule, it will nullify the provider rules. Tenant sections are created by default on top unless forced with the API to be created at the bottom.”
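Tom’s warning is easy to verify on paper once you model the DFW as first-match evaluation across ordered sections. The block below is an added example of mine (not NSX or vCD code, and not a replacement for checking the real DFW view): it builds the dynamic-membership Security Group from the “mgmt-pod” name criterion used in step 3 above, encodes the provider section from the Security Policy (allow HTTPS, block everything else), and then evaluates the same flows with the tenant section above and below it. Rule, section, group and VM names are all constructed; the model also assumes the DFW default rule is allow, as on a fresh NSX-V install.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # "any" or a Security Group name
    dst: str       # "any" or a Security Group name
    service: str   # "any" or a service name such as "HTTPS", "ICMP"
    action: str    # "allow" or "block"


@dataclass
class Section:
    name: str
    owner: str           # "provider" or "tenant"
    rules: List[Rule]


def dynamic_members(vm_names: List[str], name_contains: str) -> Set[str]:
    """Security Group with dynamic membership: every VM whose name contains the criterion."""
    return {vm for vm in vm_names if name_contains in vm}


def _selector_matches(selector: str, vm: str, groups: Dict[str, Set[str]]) -> bool:
    return selector == "any" or vm in groups.get(selector, set())


def decide(sections: List[Section], groups: Dict[str, Set[str]],
           src_vm: str, dst_vm: str, service: str) -> Tuple[str, str, Optional[str]]:
    """First-match evaluation: sections top to bottom, rules in order within a section.

    Returns (action, owner of the deciding section, "section/rule").  If no rule matches,
    fall back to the default rule, assumed here to be allow.
    """
    for section in sections:
        for rule in section.rules:
            if (_selector_matches(rule.src, src_vm, groups)
                    and _selector_matches(rule.dst, dst_vm, groups)
                    and rule.service in ("any", service)):
                return rule.action, section.owner, f"{section.name}/{rule.name}"
    return "allow", "default", None


def shadowed_provider_decisions(sections: List[Section], groups: Dict[str, Set[str]],
                                src_vm: str, dst_vm: str, services: List[str]) -> Dict[str, str]:
    """Defender check: which flows to a provider-managed VM get decided by a tenant section
    before the provider section is ever reached?  Returns {service: "section/rule"}."""
    shadowed: Dict[str, str] = {}
    for service in services:
        _action, owner, path = decide(sections, groups, src_vm, dst_vm, service)
        if owner == "tenant" and path is not None:
            shadowed[service] = path
    return shadowed


# Constructed sample environment: one provider-managed management VM and one tenant VM.
VMS = ["tenantA-mgmt-pod-01", "tenantA-web-01"]
GROUPS = {"Standard vApp Rule group": dynamic_members(VMS, "mgmt-pod")}

PROVIDER_SECTION = Section("Standard vApp DFW Rules", "provider", [
    Rule("allow-https", "any", "Standard vApp Rule group", "HTTPS", "allow"),
    Rule("block-rest", "any", "Standard vApp Rule group", "any", "block"),
])
TENANT_SECTION = Section("tenantA VDC section", "tenant", [
    Rule("any-any-allow", "any", "any", "any", "allow"),
])

TENANT_ON_TOP = [TENANT_SECTION, PROVIDER_SECTION]     # default placement of a new tenant section
PROVIDER_ON_TOP = [PROVIDER_SECTION, TENANT_SECTION]   # tenant section forced to the bottom

if __name__ == "__main__":
    for order in (TENANT_ON_TOP, PROVIDER_ON_TOP):
        print([s.name for s in order],
              shadowed_provider_decisions(order, GROUPS, "tenantA-web-01",
                                          "tenantA-mgmt-pod-01", ["HTTPS", "ICMP"]))
```

With the tenant section on top, both HTTPS and ICMP to the mgmt-pod VM are decided by the tenant’s any-any-allow and the provider’s block never fires; with the provider section on top, ICMP is blocked and HTTPS allowed, which is the ping result shown in the last step of this post. The `shadowed_provider_decisions` output is the thing to look at after creating a new tenant: an empty dictionary means the provider rules still decide.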

Creating vApp that meets dynamic membership criteria

  1. Now from my Provider UI, I am going to go ahead and create my Management vApp for a new tenant. Again, the context is this would be managed by the Provider initially while we are inheriting the Security Group set forth above. 
  2. Once my vApp is up, I can verify that I am unable to access it via ICMP, which meets my criteria. We can see the Standard vApp Rule group was associated with the vApp and I am unable to ping it.

This is not the only path to securing Provider-managed VMs for a tenant – check out Wissam’s approach here, which utilizes Resource Pools!

-Daniel

vCloud Director Extender 1.1.0.1 – Org Admin Permissions Script

On June 11th, there was a new release of vCloud Director (vCD) Extender that included a change in the organization administrator permissions. Big thanks to my peer Tomas Fojta for his collaboration and working with the Business Unit on further enhancing this permissions structure.

I have updated the PowerShell permissions script that will add these to the specified org. Note this is ONLY for version 1.1.0.1 of vCD Extender, so I am leaving my previous revisions alone.

I am probably stating the obvious here, but this can also be added via the vCD API. Here are the right references to add if you so choose:

<RightReferences>
<RightReference href="{url}/right/105191de-9e29-3495-a917-05fcb5ec1ad0" name="Organization vDC Gateway: View L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/eeb2b2a0-33a1-36d4-a121-6547ad992d59" name="Organization vDC Gateway: Configure L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/66b32e08-1eeb-37ac-9266-ffbd19b39dd8" name="Right: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/4886663f-ae31-37fc-9a70-3dbe2f24a8c5" name="Catalog: Add vApp from My Cloud" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/438e45e9-9389-3e29-9073-638b36921a2a" name="Disk: Create" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/1e5ad20d-1023-34d1-b073-1ea30bce3854" name="Disk: Delete" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/7bbee458-b3c5-3252-ba5a-b1781b1c7b92" name="Disk: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/fd036ae5-b78b-3c9f-8f28-a7f6b33d0d92" name="Disk: View Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2cd03d47-38e1-337a-907c-8d5b6a5258f2" name="Organization vDC Distributed Firewall: Configure Rules" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/4e61b5b8-0964-36b6-b021-da39aea724fc" name="Organization vDC Distributed Firewall: View Rules" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801" name="Organization vDC Gateway: Convert to Advanced Networking" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae" name="Organization vDC Gateway: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2cd2d9d7-262c-34f8-8bee-fd92f422cc2c" name="General: Administrator Control" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/0b8c8cd2-5af9-32ad-a0bd-dc356503a552" name="General: Administrator View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/b0cfe989-521b-3d7f-9bc2-f23c74a99633" name="Organization vDC Network: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2c8d98ef-4acc-3be4-9214-fcb9682b7a19" name="Organization vDC Network: View Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/6cb3596a-15eb-3c2f-a657-5f14f2039719" name="Organization Network: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/194c71a1-3d68-3156-b789-6a6384028b78" name="Organization Network: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/60be4106-1f9f-325c-8ff4-8bf2c6d9bc0a" name="Organization Network: Create or Delete" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2dc8abec-2e0d-3789-a5f9-ce0453160b53" name="vApp: Create / Reconfigure" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/df05c07f-c537-3777-8d9b-a9cfe8d49014" name="vApp: Delete" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/c2a29357-1b2a-3f9d-9cd6-de3d525d49f3" name="vApp: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/580860cd-55bc-322d-ac39-4f9d8e3e1cd2" name="vApp: Power Operations" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/4965b0e7-9ed8-371d-8b08-fc716d20bf4b" name="vApp: Copy" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/8832800f-575f-3501-ad84-8e15f3898f11" name="vApp: Change Owner" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/5250ab79-8f50-33f9-8af5-015cb39c380b" name="vApp: Edit VM Properties" type="application/vnd.vmware.admin.right+xml"/>
</RightReferences>


Below is the updated PowerShell script. Again, another thanks to Jon Waite for letting me borrow his initial code!

# vCloud Director Extender Permissions Setup - initially created by KiwiCloud.Ninja - modified by Daniel Paluszek - paluszek.com
# Creation Date: 2018-June-15
# Version 2.1 - for vCD Extender 1.1.0.1 and vCloud Director 9.1
# Adds specific permissions required for vCD Extender Org Admin to connect successfully to cloud instance.
# NOTE: These are tested on version vCD 9.1.0.7905680 and vCD Extender 1.1.0.1
# Note that Organization roles (e.g. Organization Administrator) still need to be edited to add these rights once this script has been executed
# NOTE: You must be connected to the vCloud API (Connect-CIServer) with a System administrator user prior to running the script for this to work.
# Add your Org name and vCD instance name below
$OrgToUpdate = '<INSERT-ORG-NAME>'
$APIendpoint = '<INSERT-IP-OR-FQDN-OF-VCD>'

Function vCloud-REST(
[Parameter(Mandatory=$true)][string]$URI,
[string]$ContentType,
[string]$Method = 'Get',
[string]$ApiVersion = '27',
[string]$Body,
[int]$Timeout = 40
)
{
$mysessionid = ($global:DefaultCIServers | Where { $_.Name -eq $APIendpoint }).SessionId
$Headers = @{"x-vcloud-authorization" = $mysessionid; "Accept" = 'application/*+xml;version=' + $ApiVersion}
if (!$ContentType) { Remove-Variable ContentType }
if (!$Body) { Remove-Variable Body }
Try
{
[xml]$response = Invoke-RestMethod -Method $Method -Uri $URI -Headers $headers -Body $Body -ContentType $ContentType -TimeoutSec $Timeout
}
Catch
{
Write-Host "Exception: " $_.Exception.Message
if ( $_.Exception.ItemName ) { Write-Host "Failed Item: " $_.Exception.ItemName }
Write-Host "Exiting."
Return
}
return $response
} # Function vCloud-REST End

# Adds required permissions for vCD Extender connectivity - still require to apply permissions in the UI once executed!
$newrights = @{}
$newrights.Add("Organization vDC Gateway: View L2 VPN", "105191de-9e29-3495-a917-05fcb5ec1ad0")
$newrights.Add("Organization vDC Gateway: Configure L2 VPN", "eeb2b2a0-33a1-36d4-a121-6547ad992d59")
$newrights.Add("Right: View", "66b32e08-1eeb-37ac-9266-ffbd19b39dd8")
$newrights.Add("Catalog: Add vApp from My Cloud", "4886663f-ae31-37fc-9a70-3dbe2f24a8c5")
$newrights.Add("Disk: Create", "438e45e9-9389-3e29-9073-638b36921a2a")
$newrights.Add("Disk: Delete", "1e5ad20d-1023-34d1-b073-1ea30bce3854")
$newrights.Add("Disk: Edit Properties", "7bbee458-b3c5-3252-ba5a-b1781b1c7b92")
$newrights.Add("Disk: View Properties", "fd036ae5-b78b-3c9f-8f28-a7f6b33d0d92")
$newrights.Add("Organization vDC Distributed Firewall: Configure Rules", "2cd03d47-38e1-337a-907c-8d5b6a5258f2")
$newrights.Add("Organization vDC Distributed Firewall: View Rules", "4e61b5b8-0964-36b6-b021-da39aea724fc")
$newrights.Add("Organization vDC Gateway: Convert to Advanced Networking", "9dc33fcb-346d-30e1-8ffa-cf25e05ba801")
$newrights.Add("Organization vDC Gateway: View", "d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae")
$newrights.Add("General: Administrator Control", "2cd2d9d7-262c-34f8-8bee-fd92f422cc2c")
$newrights.Add("General: Administrator View", "0b8c8cd2-5af9-32ad-a0bd-dc356503a552")
$newrights.Add("Organization vDC Network: Edit Properties", "b0cfe989-521b-3d7f-9bc2-f23c74a99633")
$newrights.Add("Organization vDC Network: View Properties", "2c8d98ef-4acc-3be4-9214-fcb9682b7a19")
$newrights.Add("Organization Network: Edit Properties", "6cb3596a-15eb-3c2f-a657-5f14f2039719")
$newrights.Add("Organization Network: View", "194c71a1-3d68-3156-b789-6a6384028b78")
$newrights.Add("Organization Network: Create or Delete", "60be4106-1f9f-325c-8ff4-8bf2c6d9bc0a")
$newrights.Add("vApp: Create / Reconfigure", "2dc8abec-2e0d-3789-a5f9-ce0453160b53")
$newrights.Add("vApp: Delete", "df05c07f-c537-3777-8d9b-a9cfe8d49014")
$newrights.Add("vApp: Edit Properties", "c2a29357-1b2a-3f9d-9cd6-de3d525d49f3")
$newrights.Add("vApp: Power Operations", "580860cd-55bc-322d-ac39-4f9d8e3e1cd2")
$newrights.Add("vApp: Copy", "4965b0e7-9ed8-371d-8b08-fc716d20bf4b")
$newrights.Add("vApp: Change Owner", "8832800f-575f-3501-ad84-8e15f3898f11")
$newrights.Add("vApp: Edit VM Properties", "5250ab79-8f50-33f9-8af5-015cb39c380b")

$myendpoint = $global:DefaultCIServers | Where { $_.Name -eq $APIendpoint }

if (!$myendpoint.IsConnected) {
Write-Host "Not connected to this vCloud endpoint, use 'Connect-CIServer' before running this script."
Exit
}

$org = Get-Org -Name $OrgToUpdate -Server $APIendpoint

if (!$org) {
Write-Host "Couldn't match organization with name $OrgToUpdate, exiting."
Exit
}

$rightsuri = 'https://' + $APIendpoint + "/api/admin/org/" + $org.Id.Substring($org.Id.LastIndexOf(':')+1) + "/rights"

[xml]$rights = vCloud-REST -URI $rightsuri -ContentType 'application/vnd.vmware.admin.org.rights+xml' -Method 'Get' -ApiVersion '27.0'

# Add the new API v27 'RightsReference' elements to the XML returned:
foreach($newrule in $newrights.Keys) {
$newright = $rights.CreateElement("RightReference", "http://www.vmware.com/vcloud/v1.5")
$newright.SetAttribute("href","https://$APIEndpoint/api/admin/right/$($newrights.Item($newrule))")
$newright.SetAttribute("name",$newrule)
$newright.SetAttribute("type","application/vnd.vmware.admin.right+xml")
$rights.OrgRights.AppendChild($newright)
}

# Update the Organization with the amended rights:
vCloud-REST -URI $rightsuri -ContentType 'application/vnd.vmware.admin.org.rights+xml' -Body $rights.InnerXml -Method 'Put' -ApiVersion '27.0'
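One thing worth noticing in the script above is that it appends every RightReference unconditionally, so a second run against the same org sends the same rights twice in the PUT body. As an added example (mine, not the script above and not a VMware library), here is the same GET-modify-PUT merge step written in Python with the standard library’s xml.etree, skipping any right the org already holds so the operation is idempotent, and with a helper to list the rights back out so you can verify the org after the PUT. Only three of the post’s rights are included to keep the sample short (the ids are the ones listed in the post); the endpoint name and the OrgRights document are constructed, and the transport (the actual GET and PUT with the x-vcloud-authorization header) is left to whatever client you already use.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
RIGHT_TYPE = "application/vnd.vmware.admin.right+xml"
ORG_RIGHTS_TYPE = "application/vnd.vmware.admin.org.rights+xml"

# Three of the rights from the post (ids as listed there); extend with the rest as needed.
EXTENDER_RIGHTS: Dict[str, str] = {
    "Organization vDC Gateway: View L2 VPN": "105191de-9e29-3495-a917-05fcb5ec1ad0",
    "Organization vDC Gateway: Configure L2 VPN": "eeb2b2a0-33a1-36d4-a121-6547ad992d59",
    "vApp: Power Operations": "580860cd-55bc-322d-ac39-4f9d8e3e1cd2",
}

# Constructed sample of a GET /api/admin/org/{id}/rights response; the org already holds one right.
ENDPOINT = "vcd.example.invalid"   # placeholder endpoint, not a real system
SAMPLE_ORG_RIGHTS = (
    f'<OrgRights xmlns="{VCLOUD_NS}" type="{ORG_RIGHTS_TYPE}" '
    f'href="https://{ENDPOINT}/api/admin/org/00000000-0000-0000-0000-000000000000/rights">\n'
    f'  <RightReference href="https://{ENDPOINT}/api/admin/right/580860cd-55bc-322d-ac39-4f9d8e3e1cd2" '
    f'name="vApp: Power Operations" type="{RIGHT_TYPE}"/>\n'
    '</OrgRights>'
)


def _right_id(href: str) -> str:
    """The right id is the last path segment of its href."""
    return href.rsplit("/", 1)[-1]


def merge_rights(org_rights_xml: str, endpoint: str, wanted: Dict[str, str]) -> Tuple[str, List[str]]:
    """Append only the RightReference elements that are missing.

    Returns (body to PUT back to /api/admin/org/{id}/rights, names of rights added).
    """
    ET.register_namespace("", VCLOUD_NS)   # serialize with the default namespace, as vCD emits it
    root = ET.fromstring(org_rights_xml)
    tag = f"{{{VCLOUD_NS}}}RightReference"
    present = {_right_id(el.get("href", "")) for el in root.findall(tag)}
    added: List[str] = []
    for name, right_id in wanted.items():
        if right_id in present:
            continue   # idempotent: re-running never duplicates an element
        el = ET.SubElement(root, tag)
        el.set("href", f"https://{endpoint}/api/admin/right/{right_id}")
        el.set("name", name)
        el.set("type", RIGHT_TYPE)
        present.add(right_id)
        added.append(name)
    return ET.tostring(root, encoding="unicode"), added


def right_names(org_rights_xml: str) -> List[str]:
    """Names of all rights in an OrgRights document, in document order (for a post-PUT check)."""
    root = ET.fromstring(org_rights_xml)
    return [el.get("name", "") for el in root.findall(f"{{{VCLOUD_NS}}}RightReference")]


if __name__ == "__main__":
    body, added = merge_rights(SAMPLE_ORG_RIGHTS, ENDPOINT, EXTENDER_RIGHTS)
    print("added:", added)
    print(body)
```

The first merge adds the two L2 VPN rights and leaves “vApp: Power Operations” alone; feeding the resulting body straight back in adds nothing, which is the property you want from a script that gets re-run after every Extender upgrade. Comparing on the right id rather than the full href also keeps the check stable if the org was populated through a different base URL.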

Happy migrating,

-Daniel