Overview of VMware vCloud Availability 3.0 – Introduction, Roles, Deployment Process

In this series of blog posts, I will be discussing the new release of VMware vCloud Availability 3.0 (vCAv). This is a very exciting release for the VMware Cloud Provider team. vCAv 3.0 will be out shortly (by end of our fiscal quarter) and I want to provide my insight into this platform. I will be focusing on the following points –

  1. Introduction to vCAv 3.0
  2. High-Level Architecture
  3. vCAv 3.0 Service Roles
  4. Deployment Process
  5. Deployment Approach for Provider
  6. Deployment for Tenant (On-Premises)
  7. Protection Workflow
  8. Resources

Introduction to vCAv 3.0

First off, let’s discuss what vCAv provides from a functionality perspective. vCAv is what I like to call “functional convergence.” In the past, we had many different products that provided some level of availability or migration capability –

In my opinion, this was a duplication of appliances and could be confusing to customers. The team has done a great job of putting forth a significant investment into vCAv 3.0 to simplify the architecture. Therefore, here’s where we are today –

Therefore, no need for multiple tools for migration, DR from/to Cloud, or between Clouds. We now have a single solution that answers all of the above.

vCAv 3.0 Key Functionality

So what does vCAv 3.0 provide?

  1. Simple, Unified Architecture
    1. There is a single OVF for the Provider and the Tenant. On the Provider side, each role can be easily deployed using the vSphere Client or CLI.
    2. Deployment is very intuitive and scalable – each role can be quickly deployed in a matter of minutes.
    3. On-Premises Appliance is unified and provides vCenter UI integration for management.
  2. On-Premises Migration and Protection
    1. On-Premises appliance provides the same UI experience as when connected to the Cloud instance, but built into vCenter.
    2. Migration and/or protection of workloads can be done with a few clicks.
    3. Allows for protection/migration to and from vCloud instances.
  3. Cloud to Cloud Migration and Protection
    1. Very similar in behavior to C2C 1.5: we can protect workloads (vApps and VMs) between vCD instances.
  4. Network Mapping and Re-Addressing
    1. One of the new additions is the ability to re-address and map out protected workflows for faster recovery at the destination site.
    2. This maps to existing vCD oVDC Network constructs such as Static IP pools.
  5. Scale
    1. As discussed before, the team is aware of scalability requirements for Providers. For this version, here are the stated guidelines:
      1. 300 tenants with active protections paired to vCloud Director instance
      2. 20 vCAv Replicator instances per instance
      3. 500 active protections per vCAv Replicator instance
      4. 9,500 active protections across tenants to a Cloud
      5. 5TB protected VM size (contingent upon Cloud storage)

Business Value

Direct and native vCloud Director integration for providers and tenants – with the ability to provide self-service, this provides a unique experience that meets DRaaS requirements and migration functionality.


Ease of Operationalization – I’ve done several deployments during the development process and it’s one of the easiest VMware Cloud Provider solutions to deploy. Once we review the roles and concepts, anyone should be able to operationalize this with ease.

Cost-Effective Approach – vCAv 3.0 will be part of the VMware Cloud Provider Program (VCPP). This is based on the monthly consumption of points, which is a very cost-effective solution that can be modeled and productized for DRaaS and migration offerings.

High-Level Architecture

In the following diagram, we can see how this all comes together with a single, on-premises vCenter along with two vCD instances. One can pair this up with vCD multi-site federation capability.

Moreover, this pairs very well with existing vCD services such as CrossVDC Networking or L2VPN connectivity between on-premises and organization VDCs.

vCAv 3.0 Service Roles

Let’s review the distinct service roles of vCAv 3.0.

Provider

On the Provider side, we have the following –

  1. Cloud Replication Management
    1. This is a logical entity that consists of the core of vCAv 3.0.
    2. vCloud Availability Portal – User Interface for the tenant and provider. All UI configuration ingresses from this service and applies to all necessary connected components.
    3. vCloud Availability vApp Replication Manager – communicates directly to vCD and understands tenancy constructs such as organizations, vApps, etc. Also responsible for enabling protections or migrations.
    4. vCloud Availability Replication Manager – understands vCenter and ESXi concepts and will interoperate between the replicators and protected vCenters.
  2. vCloud Availability Replicator – lightweight node responsible for executing on the host-based replication from a specific host. Typically, you deploy a replicator per vCenter.
  3. vCloud Availability Tunnel – this is the tunneling service that is responsible for providing secure connectivity between on-premises vCenter(s) and connected vCD instances.

Each of these roles can be deployed separately or in a combined virtual appliance. For production deployments (which we will review later), the recommendation is standalone deployments for each role.

Tenant / On-Premises

On the tenant side, we have a single appliance that takes a combined approach –

  1. vCloud Availability Replicator – just like on the Provider side, the Replicator is responsible for executing the host-based replication (HBR) process
  2. vCloud Availability Tunnel – provides secure connectivity between on-premises and vCloud environment. All traffic securely ingresses and egresses through this service.
  3. vCloud Availability Plugin – this plugin provides local vCenter UI management that is the same experience as connecting to the vCAv Cloud environment.

Deployment Process

While this blog series will cover the Provider and On-Premises side in further detail, we will have the following steps to execute on for a successful deployment.

Provider:

  1. Deployment of Cloud Replication Management (CRM) Instance
  2. Deploy vCAv Replicator(s)
  3. Deploy vCAv Tunnel
  4. Configuration of CRM instance and start of site wizard
  5. Configuration of Replicator
  6. Configuration of Tunnel
  7. Validation

Tenant:

  1. Deploy vCAv On-Premises Appliance
  2. Start configuration wizard
  3. Connect to vCAv Cloud Tunnel
  4. Configuration of local placement
  5. Validation

Next up, I will review the Provider deployment process in further detail while providing the step-by-step procedures. Stay tuned!

-Daniel

How is ECMP metered when configured in the Provider architecture within the VMware Cloud Provider Program?

Recently, I received a request from one of our aggregators regarding how Equal Cost Multipathing (ECMP) is metered within the VMware Cloud Provider Program (VCPP), specifically Tom Fojta’s recommendation on architecting Provider-managed NSX Edges and Distributed Logical Router (DLR) in ECMP mode, specifically this diagram from the Architecting a VMware vCloud Director Solution – 

As shown in the diagram above – How does Usage Meter bill these tenant virtual machines (VMs) when we have a provider NSX architecture that utilizes ECMP? 

For you TL;DR readers – any VM connected to a Tenant Edge / direct network that has ECMP enabled northbound, NSX Advanced will be charged for said VM. Read on if you want to learn how this is done. 

First off, let’s talk about why this matters. Per the Usage Meter Product Detection whitepaper (this can be found on VMware Partner Central), we can see how Usage Meter detects specific NSX features based on the pattern of usage. Regarding dynamic ECMP, it is metered by the “Edge gateway” which could be a little ambiguous. If one utilizes ECMP, they would be metered for NSX Advanced within VCPP. 

One of the scenarios from the whitepaper does show ECMP-enabled Edges but not an Edge that is abstracted away from the provider environment – 

My initial reaction was that Usage Meter would not look at the northbound provider configuration and the interconnectivity to vCloud Director. However, I was not confident and wanted to verify this explicit configuration and expected metering. Let’s review my findings. 

Lab Setup

In the above diagram, we can see I created a similar Provider managed NSX configuration with ECMP enabled from the DLR to the two Provider Edges with dynamic routing enabled (BGP). From there, I expose a LIF/Logical Switch named “ECMP-External-Network” to vCloud Director that is then exposed to my T2 organization as a new External Network.

From there, I created a dedicated Tenant Edge named “T2-ECMP-ESG” that will be attached to this newly created network along with a VM named “T2-ECMP-VM.” The goal is to verify how T2-ECMP-VM and T2-TestVM are metered by Usage Meter with this newly created Tenant Edge. 

Lab Configuration

My Edges are set up for BGP and reporting the correct routes from the southbound connected DLR (and tenant Edges) – 

From the DLR, we can see that I have two active paths to my Provider Edges (Provider-Edge-1 and 2) – 

Last of all, my T2-ECMP-ESG is operational and attached to the newly created ECMP External Network – 

Last of all, I have my VMs created and powered on (remember, Usage Meter will only meter powered-on VMs). We can see T2-ECMP-VM is attached to an org routed network from T2-ECMP-ESG named “T2-ECMP-Network” – 

Findings

Let’s work from the north to south – start with the Provider Edges and show how Usage Meter detects and bills. 

Note – I have vROps Enterprise in my lab environment, so we will see Usage Meter picking up vROps registration and placing it in the appropriate bundle.

Provider Edges / DLR

As expected, the Provider Edges and DLR are detected along with registration to vROps. By design, NSX Edges are charged for the Advanced SP Bundle as they are metered as a management component (minimum Advanced bundle / 7-point). However, in my case, we see detection, and then registration to vROps Enterprise. Therefore, since it’s a bundle ID (BND) of 12, this is correlated to Advanced Bundle with Management (10-point) – 


Tenant Edge – T2-ECMP-ESG

Just like the Provider Edges and DLR, we see T2-ECMP-ESG register to UM along with vROps Enterprise registration. Same billing model as above. 

Tenant VM – T2-TestVM

I would not expect any change to this VM, but wanted to showcase that having a separate Edge with standard networking (i.e. no ECMP) will bill based off the NSX SP Base level. As expected, T2-TestVM was handled by Usage Meter just as anticipated – we can see registration, NSX SP Base usage, along with registration to vROps Enterprise – 

Tenant VM – T2-ECMP-VM

Finally, let’s take a look at my T2-ECMP-VM – as discussed before, this is wired to a Tenant Edge that is connected to the ECMP-enabled DLR via an External Network. 

We see initial registration, registration to vROps Enterprise, then NSX Advanced usage! This would be metered at Advanced Bundle with Networking and Management due to the NSX Advanced usage (12-point). 

Summary of Findings

Here’s what we learned:

  1. Edges/DLR Control VM’s are not charged for NSX usage since UM handles them as a management component. If you are using vROps, it will place it in the most cost effective bundle.
  2. Utilizing ECMP at the provider-level DOES impact any southbound connected VM from a billing perspective, even if an Edge sits in between the ECMP enabled configuration and the tenant VM. Per the findings, NSX Advanced will be metered. 
  3. Therefore, be aware of any NSX provider architecture and the use of NSX specific features. 

Again, this shows the logic inside of Usage Meter and how it relates to metering for tenant workloads. Cheers!

-Daniel

VMware vCloud Director Rights Correlation to VCPP NSX Bundles

I was recently asked by a colleague if we have any existing collateral on VMware vCloud Director (vCD) that maps to the VMware Cloud Provider Program (VCPP) NSX levels that are currently available to partners. Well, there wasn’t, until now. 🙂

First, let’s talk about the NSX bundles inside of VCPP –

There are three levels identified within VCPP:

  1. NSX-SP Base – this is your fundamental level of NSX. It does include your normal Edge services, Edge Firewall, NAT, Load Balancing, Dynamic/Static Routing, IPSEC/SSL VPN+, and Distributed Routing and Switching. This is typically referred to as “vCNS” mode (callout to the vCD old days) but does use NSX.
  2. NSX-SP Advanced – this includes Base, plus ECMP and Distributed Firewall functionality. Service Insertion, AD Integrated Firewall, etc. are all functions that the Provider can consume from the backend management.
  3. NSX-SP Enterprise – this includes Advanced along with HW VTEP integration, cross-vCenter NSX functionality, along with the L2VPN (Remote Gateway) solution. The new addition here is vCD 9.5 Multi-Site and Cross-VDC capability.

To state the obvious – vCloud Usage Meter will take care of automatic metering based on what NSX functionality is used; this has been available since version 3.6. Check out this post that discusses how Usage Meter detects NSX (and vROps) usage.

Last of all, the “Convert to Advanced Gateway” inside of vCloud Director for organization Edges DOES NOT mean you will be using NSX Advanced right away! This is just a change in how vCD presents the Edge UI (with Advanced, it’ll show the H5) along with the API rights available. I demonstrate this in the above post too.

So let’s talk about the NSX levels and how they can pertain to vCD rights and roles. I worked up the following roles in my vCD environment:

  1. NSX SP-Base Rights
  2. NSX SP-Advanced Rights
  3. NSX SP-Enterprise Rights

So what does one gain when using these rights? Well, they are now aligned to the VCPP NSX bundles and can be utilized as a starting point to monetize NSX inside of a vCD environment.

Now, in my experience, these specific vCD permissions will apply to the VCPP NSX levels as stated above. The big thing I found in my testing is ECMP can be toggled with Static Routing, so I set this as “View Only” for any routing capability for SP-Base.

If you are using vCD 9.5, one could also create a rights bundle that is published to an organization along with utilizing Global Roles to make this *much* easier.

The steps for this would be: Creation of Rights Bundle(s) -> Publish to org(s) -> Creation of Global Roles -> Publish to org(s) -> Apply role to user(s)

Alright, here are the three exports for these rights required. This is not comprehensive for all vCloud permissions required, but gives you an idea of what to append to your existing role (which could be easily done via REST API). Note that the exports below show my vCD instance (vcd-01a.corp.local) along with the org UUID, so replace this if you are doing a POST.

NSX SP-Base:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Role xmlns="http://www.vmware.com/vcloud/v1.5" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:common="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5" xmlns:ovfenv="http://schemas.dmtf.org/ovf/environment/1" xmlns:ns9="http://www.vmware.com/vcloud/versions" name="NSX SP-Base Rights" id="urn:vcloud:role:0fbafcf0-1cce-4457-9f1d-d7bbacc189fd" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/0fbafcf0-1cce-4457-9f1d-d7bbacc189fd" type="application/vnd.vmware.admin.role+xml">
<Link rel="edit" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/0fbafcf0-1cce-4457-9f1d-d7bbacc189fd" type="application/vnd.vmware.admin.role+xml"/>
<Link rel="remove" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/0fbafcf0-1cce-4457-9f1d-d7bbacc189fd"/>
<Description></Description>
<RightReferences>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801" name="Organization vDC Gateway: Convert to Advanced Networking" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2a097e48-f4c4-3714-8b24-552b2d573754" name="Organization vDC Gateway: View Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d9dabcab-579e-33c5-807b-dc9232bf7eff" name="Organization vDC Gateway: View BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/209cde55-55db-33f1-8357-b27bba6898ed" name="Organization vDC Gateway: Configure IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/c9e19573-3d54-3d4a-98f2-f56e446a8ef9" name="Organization vDC Gateway: Configure NAT" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/84ddb40f-a49a-35e1-918e-3f11507825d7" name="Organization vDC Gateway: Configure Syslog" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/92b7d500-6bb6-3176-b9eb-d1fda4ce444d" name="Organization vDC Gateway: Configure SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/72c5e652-c8d7-3f19-ab83-283d30cb679f" name="Organization vDC Gateway: Configure Remote Access" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/a5f5fc99-9afc-347b-9a31-f65f61f4416b" name="Organization vDC Gateway: Distributed Routing" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae" name="Organization vDC Gateway: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/65439584-6aad-3c2c-916f-794099ee85bf" name="Organization vDC Gateway: View Remote Access" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/cdb0edb0-9623-30a8-89de-b133db7cfeab" name="Organization vDC Gateway: View SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/27be9828-4ce4-353e-8f68-5cd69260d94c" name="Organization vDC Gateway: Configure Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/82beb471-ab7f-3e2b-a615-136ba6645525" name="Organization vDC Gateway: View IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/9740be24-4dd7-373c-9237-91896338c11e" name="Organization vDC Gateway: View Static Routing" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/fb860afe-2e15-3ca9-96d8-4435d1447732" name="Organization vDC Gateway: View NAT" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/ff3fc70f-fd25-3c0a-9d90-e7ff82456be5" name="Organization vDC Gateway: Configure System Logging" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/7fee6646-ec0c-34c9-9585-aff6f4d92473" name="Organization vDC Gateway: View Firewall" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/eb525145-08e5-3934-91ef-ec80837c9177" name="Organization vDC Gateway: View OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/8e16d30d-1ae3-3fff-8d4b-64c342b186a9" name="Organization vDC Gateway: View DHCP" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/b755b050-772e-3c9c-9197-111c286f563d" name="Organization vDC Gateway: Configure Firewall" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/be1abe9a-7ddc-38f6-bdf3-94affb01e46b" name="Organization vDC Gateway: Configure DHCP" type="application/vnd.vmware.admin.right+xml"/>
</RightReferences>
</Role>

NSX SP-Advanced:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Role xmlns="http://www.vmware.com/vcloud/v1.5" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:common="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5" xmlns:ovfenv="http://schemas.dmtf.org/ovf/environment/1" xmlns:ns9="http://www.vmware.com/vcloud/versions" name="NSX SP-Advanced Rights" id="urn:vcloud:role:1cde673c-3573-4e3a-a520-d03a83caef8d" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/1cde673c-3573-4e3a-a520-d03a83caef8d" type="application/vnd.vmware.admin.role+xml">
    <Link rel="edit" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/1cde673c-3573-4e3a-a520-d03a83caef8d" type="application/vnd.vmware.admin.role+xml"/>
    <Link rel="remove" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/1cde673c-3573-4e3a-a520-d03a83caef8d"/>
    <Description></Description>
    <RightReferences>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2cd03d47-38e1-337a-907c-8d5b6a5258f2" name="Organization vDC Distributed Firewall: Configure Rules" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/c9e19573-3d54-3d4a-98f2-f56e446a8ef9" name="Organization vDC Gateway: Configure NAT" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae" name="Organization vDC Gateway: View" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/b755b050-772e-3c9c-9197-111c286f563d" name="Organization vDC Gateway: Configure Firewall" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/fb860afe-2e15-3ca9-96d8-4435d1447732" name="Organization vDC Gateway: View NAT" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/4e61b5b8-0964-36b6-b021-da39aea724fc" name="Organization vDC Distributed Firewall: View Rules" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/209cde55-55db-33f1-8357-b27bba6898ed" name="Organization vDC Gateway: Configure IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/82beb471-ab7f-3e2b-a615-136ba6645525" name="Organization vDC Gateway: View IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801" name="Organization vDC Gateway: Convert to Advanced Networking" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/3b337aef-42a8-3ed1-8616-341152bc5790" name="Organization vDC Gateway: Configure OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/8e16d30d-1ae3-3fff-8d4b-64c342b186a9" name="Organization vDC Gateway: View DHCP" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2a097e48-f4c4-3714-8b24-552b2d573754" name="Organization vDC Gateway: View Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2c4eb5ac-15f5-33f0-8b4a-680b3a1d3707" name="Organization vDC Gateway: Configure BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/9740be24-4dd7-373c-9237-91896338c11e" name="Organization vDC Gateway: View Static Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/84ddb40f-a49a-35e1-918e-3f11507825d7" name="Organization vDC Gateway: Configure Syslog" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/65439584-6aad-3c2c-916f-794099ee85bf" name="Organization vDC Gateway: View Remote Access" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/cdb0edb0-9623-30a8-89de-b133db7cfeab" name="Organization vDC Gateway: View SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/a5f5fc99-9afc-347b-9a31-f65f61f4416b" name="Organization vDC Gateway: Distributed Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/72c5e652-c8d7-3f19-ab83-283d30cb679f" name="Organization vDC Gateway: Configure Remote Access" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/92b7d500-6bb6-3176-b9eb-d1fda4ce444d" name="Organization vDC Gateway: Configure SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d9dabcab-579e-33c5-807b-dc9232bf7eff" name="Organization vDC Gateway: View BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/be1abe9a-7ddc-38f6-bdf3-94affb01e46b" name="Organization vDC Gateway: Configure DHCP" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/ff3fc70f-fd25-3c0a-9d90-e7ff82456be5" name="Organization vDC Gateway: Configure System Logging" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/27be9828-4ce4-353e-8f68-5cd69260d94c" name="Organization vDC Gateway: Configure Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/eb525145-08e5-3934-91ef-ec80837c9177" name="Organization vDC Gateway: View OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/f72af304-97b0-379e-9d6d-68eb89bdc6cf" name="Organization vDC Gateway: Configure Static Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/7fee6646-ec0c-34c9-9585-aff6f4d92473" name="Organization vDC Gateway: View Firewall" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/a100f6a0-2c81-3b61-90c3-c4dbd721b3a8" name="Organization vDC Distributed Firewall: Enable/Disable" type="application/vnd.vmware.admin.right+xml"/>
    </RightReferences>
</Role>
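
Before POSTing one of these role exports to another vCD instance, it is worth checking that the rights it carries do not exceed the NSX tier the role is meant for. The script below is an added example, not part of the original exports or any VMware tooling: it parses a Role document and flags rights above the intended tier. The tier markers are assumptions drawn from the role design in this post (routing is "View Only" for SP-Base, Distributed Firewall rights start at SP-Advanced, L2 VPN and vDC Group rights appear only in the SP-Enterprise export), and the sample role with its placeholder hrefs is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vmware.com/vcloud/v1.5"}
TIERS = ["NSX-SP Base", "NSX-SP Advanced", "NSX-SP Enterprise"]

# Assumption: marker rights per tier, taken from the three role exports in this
# post. This is the author's role design, not an official VMware mapping.
ENTERPRISE_RIGHTS = {
    "Organization vDC Gateway: Configure L2 VPN",
    "Organization vDC Gateway: View L2 VPN",
    "vDC Group: Configure",
}
ADVANCED_RIGHTS = {
    # Routing is view-only in SP-Base because ECMP can be toggled from routing.
    "Organization vDC Gateway: Configure Static Routing",
    "Organization vDC Gateway: Configure BGP Routing",
    "Organization vDC Gateway: Configure OSPF Routing",
}
ADVANCED_PREFIX = "Organization vDC Distributed Firewall:"


def tier_index(right_name):
    """Return the lowest tier (index into TIERS) that a right belongs to."""
    if right_name in ENTERPRISE_RIGHTS:
        return 2
    if right_name in ADVANCED_RIGHTS or right_name.startswith(ADVANCED_PREFIX):
        return 1
    return 0


def parse_role(role_xml):
    """Extract the role name and the set of right names from a Role export.

    Only feed this exports taken from your own vCD instance; it is not
    hardened for hostile XML.
    """
    root = ET.fromstring(role_xml.strip())
    if root.tag != "{%s}Role" % NS["v"]:
        raise ValueError("not a vCloud Role document")
    refs = root.findall("v:RightReferences/v:RightReference", NS)
    names = {ref.get("name") for ref in refs if ref.get("name")}
    return root.get("name", ""), names


def audit_role(role_xml, intended_tier):
    """Report the tier a role's rights imply and any rights above the intended tier."""
    limit = TIERS.index(intended_tier)
    role_name, names = parse_role(role_xml)
    implied = max((tier_index(n) for n in names), default=0)
    violations = sorted(n for n in names if tier_index(n) > limit)
    return {
        "role": role_name,
        "implied_tier": TIERS[implied],
        "violations": violations,
    }


# Constructed sample: a role meant for SP-Base that has picked up two
# SP-Advanced rights. The hrefs are placeholders, not real right UUIDs.
SAMPLE_ROLE = """
<Role xmlns="http://www.vmware.com/vcloud/v1.5" name="Constructed SP-Base Role">
  <RightReferences>
    <RightReference href="https://vcd.example.invalid/api/admin/right/placeholder-1"
        name="Organization vDC Gateway: View Static Routing"/>
    <RightReference href="https://vcd.example.invalid/api/admin/right/placeholder-2"
        name="Organization vDC Gateway: Configure NAT"/>
    <RightReference href="https://vcd.example.invalid/api/admin/right/placeholder-3"
        name="Organization vDC Gateway: Configure Static Routing"/>
    <RightReference href="https://vcd.example.invalid/api/admin/right/placeholder-4"
        name="Organization vDC Distributed Firewall: Configure Rules"/>
  </RightReferences>
</Role>
"""

if __name__ == "__main__":
    report = audit_role(SAMPLE_ROLE, "NSX-SP Base")
    print("%s implies %s" % (report["role"], report["implied_tier"]))
    for right in report["violations"]:
        print("  above intended tier:", right)
```
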

Finally, NSX-SP Enterprise:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Role xmlns="http://www.vmware.com/vcloud/v1.5" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:common="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5" xmlns:ovfenv="http://schemas.dmtf.org/ovf/environment/1" xmlns:ns9="http://www.vmware.com/vcloud/versions" name="NSX SP-Enterprise Rights" id="urn:vcloud:role:61d589ab-27ca-4e7a-be3e-656e0dcaa587" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/61d589ab-27ca-4e7a-be3e-656e0dcaa587" type="application/vnd.vmware.admin.role+xml">
    <Link rel="edit" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/61d589ab-27ca-4e7a-be3e-656e0dcaa587" type="application/vnd.vmware.admin.role+xml"/>
    <Link rel="remove" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/61d589ab-27ca-4e7a-be3e-656e0dcaa587"/>
    <Description></Description>
    <RightReferences>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d6b35bfc-3309-3573-8e3d-6bdd1cb2b61f" name="vDC Group: Configure" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801" name="Organization vDC Gateway: Convert to Advanced Networking" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/72c5e652-c8d7-3f19-ab83-283d30cb679f" name="Organization vDC Gateway: Configure Remote Access" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/eeb2b2a0-33a1-36d4-a121-6547ad992d59" name="Organization vDC Gateway: Configure L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/f72af304-97b0-379e-9d6d-68eb89bdc6cf" name="Organization vDC Gateway: Configure Static Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/92b7d500-6bb6-3176-b9eb-d1fda4ce444d" name="Organization vDC Gateway: Configure SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2cd03d47-38e1-337a-907c-8d5b6a5258f2" name="Organization vDC Distributed Firewall: Configure Rules" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/65439584-6aad-3c2c-916f-794099ee85bf" name="Organization vDC Gateway: View Remote Access" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/c9e19573-3d54-3d4a-98f2-f56e446a8ef9" name="Organization vDC Gateway: Configure NAT" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/105191de-9e29-3495-a917-05fcb5ec1ad0" name="Organization vDC Gateway: View L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/be1abe9a-7ddc-38f6-bdf3-94affb01e46b" name="Organization vDC Gateway: Configure DHCP" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/63c53fdf-80e5-3e31-ab26-ec7cc36ea759" name="Multisite: System Operations" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/cdb0edb0-9623-30a8-89de-b133db7cfeab" name="Organization vDC Gateway: View SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/4e61b5b8-0964-36b6-b021-da39aea724fc" name="Organization vDC Distributed Firewall: View Rules" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/8e16d30d-1ae3-3fff-8d4b-64c342b186a9" name="Organization vDC Gateway: View DHCP" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/ff3fc70f-fd25-3c0a-9d90-e7ff82456be5" name="Organization vDC Gateway: Configure System Logging" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/a100f6a0-2c81-3b61-90c3-c4dbd721b3a8" name="Organization vDC Distributed Firewall: Enable/Disable" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2a097e48-f4c4-3714-8b24-552b2d573754" name="Organization vDC Gateway: View Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/b755b050-772e-3c9c-9197-111c286f563d" name="Organization vDC Gateway: Configure Firewall" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/eb525145-08e5-3934-91ef-ec80837c9177" name="Organization vDC Gateway: View OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/6ad5a05b-0d30-3bb5-acb1-02e7710a5ae6" name="vDC Group: View" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/209cde55-55db-33f1-8357-b27bba6898ed" name="Organization vDC Gateway: Configure IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/7fee6646-ec0c-34c9-9585-aff6f4d92473" name="Organization vDC Gateway: View Firewall" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/fb860afe-2e15-3ca9-96d8-4435d1447732" name="Organization vDC Gateway: View NAT" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/27be9828-4ce4-353e-8f68-5cd69260d94c" name="Organization vDC Gateway: Configure Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/84ddb40f-a49a-35e1-918e-3f11507825d7" name="Organization vDC Gateway: Configure Syslog" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/3b337aef-42a8-3ed1-8616-341152bc5790" name="Organization vDC Gateway: Configure OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/6edbfce1-4705-3cff-8dc7-8c03d36a6d45" name="Site: Edit" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/a5f5fc99-9afc-347b-9a31-f65f61f4416b" name="Organization vDC Gateway: Distributed Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/9740be24-4dd7-373c-9237-91896338c11e" name="Organization vDC Gateway: View Static Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/975d07ed-9c05-3277-a926-3c65933eb738" name="Site: View" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/82beb471-ab7f-3e2b-a615-136ba6645525" name="Organization vDC Gateway: View IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2c4eb5ac-15f5-33f0-8b4a-680b3a1d3707" name="Organization vDC Gateway: Configure BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d9dabcab-579e-33c5-807b-dc9232bf7eff" name="Organization vDC Gateway: View BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae" name="Organization vDC Gateway: View" type="application/vnd.vmware.admin.right+xml"/>
    </RightReferences>
</Role>
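
To review what a tier actually grants, the sketch below parses role documents like the one above and reports which rights a higher tier adds over a lower one, split into view-only and configuration-changing rights. It is an added example, not code from the original post or from VMware; the sample roles, the placeholder hrefs and the "action starts with View means read-only" heuristic are assumptions.

```python
import xml.etree.ElementTree as ET

VCD_NS = "http://www.vmware.com/vcloud/v1.5"
REF_PATH = f"{{{VCD_NS}}}RightReferences/{{{VCD_NS}}}RightReference"

def role_rights(xml_text):
    """Return (role name, set of right names) from a vCD Role document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{VCD_NS}}}Role":
        raise ValueError(f"expected a vCD Role element, got {root.tag}")
    return root.get("name"), {ref.get("name") for ref in root.findall(REF_PATH)}

def is_read_only(right):
    """Assumption: an action (the text after ': ') starting with 'View' is read-only."""
    return right.partition(": ")[2].startswith("View")

def tier_delta(lower_xml, higher_xml):
    """Rights the higher tier adds, split by impact, plus any it unexpectedly drops."""
    lower, higher = role_rights(lower_xml)[1], role_rights(higher_xml)[1]
    added = higher - lower
    return {
        "view": sorted(r for r in added if is_read_only(r)),
        "change": sorted(r for r in added if not is_read_only(r)),
        "missing_from_higher": sorted(lower - higher),
    }

def sample_role(name, rights):
    """Build a constructed Role document; the hrefs are placeholders, not real ids."""
    href = "https://vcd.example.invalid/api/admin/right/"
    refs = "".join(f'<RightReference href="{href}{i}" name="{r}"/>' for i, r in enumerate(rights))
    return f'<Role xmlns="{VCD_NS}" name="{name}"><RightReferences>{refs}</RightReferences></Role>'

# Constructed inputs: right names come from the role above; the tier contents are illustrative.
LOWER = sample_role("lower tier (constructed)", [
    "Organization vDC Gateway: View",
    "Organization vDC Gateway: Configure NAT",
    "Organization vDC Distributed Firewall: Enable/Disable",
])
HIGHER = sample_role("NSX SP-Enterprise Rights", [
    "Organization vDC Gateway: View",
    "Organization vDC Gateway: Configure NAT",
    "Organization vDC Gateway: Configure L2 VPN",
    "Organization vDC Gateway: View L2 VPN",
    "Multisite: System Operations",
    "Site: View",
])

if __name__ == "__main__":
    print(tier_delta(LOWER, HIGHER))
```

A non-empty `missing_from_higher` list means the higher tier is not a superset of the lower one, which is worth resolving before the role is assigned to tenants.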

I hope this helps others align to the VCPP NSX levels and shows how to establish NSX capabilities inside a vCD environment.

Thanks!

-Daniel

A New VMware Badge Appears: VMware Specialist – Cloud Provider 2019

Many of you may be aware of the new VMware Specialist – Cloud Provider badge. However, I am going to spend some time highlighting the effort and providing some guidance on this new badge/exam. Also, it’s officially announced along with many of our other great announcements at VMware Europe!

What is it?

Well, the Specialist Cloud Provider badge is part of a renewed effort by the VMware Cloud Provider team to establish a solid, fundamental certification/qualification platform for our Cloud Service Providers. This is the first step in setting a level of qualification to present solution knowledge around the VMware Cloud Provider Program (VCPP) stack and solution-set, especially VMware vCloud Director for Service Providers 9.x.

This is an online, un-proctored exam that can be scheduled through Pearson Vue. The only prerequisite we’ve established is an active VCP certification. I was honored to be part of the team that developed this exam, while Wade Holmes led the overall effort with many of my esteemed peers. It is 40 questions and you have 60 minutes for the exam.

What does it cover?

Just like with any other VMware certification – read, read, and read the blueprint: all of the answers are there. I believe the team did a great job of putting many links to preparation material into this blueprint. However, I’m going to highlight a few points that everyone should be aware of –

  1. This exam covers vCloud Director 9.1 functionality. Even though 9.5 is out as of this blog post, this was written when 9.1 was the current release.
  2. Sections 3, 5, and 6 are not present on this exam. Therefore, there are no troubleshooting questions. Be prepared to focus on core fundamentals and conceptual features of vCD.
  3. vCloud Availability for Cloud-to-Cloud 1.5 is also present on this exam; there are no vCloud Availability for DR questions. Moreover, vCD Extender is also present.

How can I prepare?

This answer is simple – work with vCD and the VCPP stack and you’re golden! 🙂

On a serious note, there’s a lot of great material on the blueprint, but we have two great VMware Education courses on vCloud Director:

VMware vCloud Director Fundamentals [V8.x] – this is an on-demand course that goes over core fundamentals of vCD. While it is dated for 8.x, it is very applicable. This is a self-paced course and can be done in about 3 hours.

VMware vCloud Director: Install, Configure, Manage [V9.x] – if you are very new to vCD, I recommend taking this course after the Fundamentals course. This provides a comprehensive experience (including lab time) of building out a vCD environment. This can be done online or in-person.

Read the documentation – we have a mess of many different docs we’ve referenced. Also, check out the many YouTube videos we have under our Cloud Provider page!

Final thoughts

I believe this is a very fair exam for individuals that work with the VMware Cloud Provider solution set. The questions and concepts focus on the value and core fundamentals.

I’ve been receiving a lot of great and positive feedback, which is excellent. This was my first exam creation experience and I truly enjoyed the process, and look forward to the next step for our VMware Cloud Providers. If you’re at VMworld Europe, please don’t hesitate to contact me to meet up! Thank you.

-Daniel