Xtravirt — Using VMware Automation to address a Virtual...

by Sam McGeown

VMware have put a lot of development into their latest release of vRealize Automation 7.3 and it certainly feels like a bigger release than a ‘.1’ version –  as is evident in the “What’s New” section of the  release notes.

 As part of a push to make it easier to manage and operate a vRA-based cloud platform, VMware have made some great improvements – the main features that stand out for me are:

•  Automated failover for the PostgreSQL database, and IaaS Manager Service – something that many customers have been asking for and now finally have, is a fully “HA” distributed platform.

• A new API for installation, upgrade and migration of the platform itself. This means scripted installs, upgrades and migrations are now simple and can be orchestrated.

• Parameterised blueprints – this allows out-of-the-box support for one of the most frequently asked for blueprint options – t-shirt sizes. In addition, the new Component Profiles will simplify the number of blueprints required and reduce catalogue management.

• Integration with vRealize Operations 6.6 (vROps); allowing intelligent placement of workloads based on analytics data and a Workload Placement Policy.

• Enhanced integration with IPAM – an extended IPAM framework allowing deeper integration with Infoblox initially, but expect other IPAM providers to start providing plugins.

• Enhanced integration with ServiceNow – a new plugin version will deepen the integration with ServiceNow as a CMDB and governance engine, with support for things like day 2 operations.

 There have been huge improvements and developments with the NSX integration, with all the native functionality now using the REST API rather than the vRealize Orchestrator (vRO) Plugin – this is great news and will simplify operations and troubleshooting. The plugin is still available for custom integrations if required.

 The main highlights for me are:

• Deeper integration with NSX Load Balancers – which allows customised load balancer configuration per-blueprint (algorithms, persistence, health monitors, port, etc.)  as well as day 2 reconfiguration of the load balancer. This is a fantastic improvement!

• NSX Security Group and Tag integration – much better integration with the UI and the ability to add and remove Security Groups and Tags as a day 2 operation

• NSX Edge Sizing and HA – Edge Gateways can be customised on a per blueprint basis to size correctly or in HA mode for resilient services like load balancing, NAT and firewall.

 vRA 7.3 should also have a greater appeal to those who have developer environments, with its deeper integration with Puppet, Docker, vSphere Integrated Containers and Docker volumes.

• Puppet as a “1^st class citizen” – this is part of a wider move to get configuration management tools integrated with the platform, but it’s starting with Puppet. This means drag and drop configuration management in the blueprint designer, and day 2 configuration management for deployed applications.

• Container management has been improved with support for vSphere Integrated Containers, alongside the traditional Docker hosts, and support for Docker volumes.

 And for those who are already running vRA, there are a couple of bug-bears that have been relieved, such as:

• A force destroy option to get rid of those “stuck” deployments. These would previously require a CloudClient command line clean up, or a database edit under the watchful eye of GSS.

• Improved integration with Storage Policies – anyone who has used the SPBM plugin will know that it’s been a little … clunky. A new plugin, shipped with the latest version of vRO, will make it easier to leverage vSAN and VVOL based storage.

• Role based access for vRO – given the huge power within the SDDC that vRO has, it’s great to see this finally being implemented.

 That’s a vast number of really significant improvements for a single point release and in this blog I’ve only drawn out the ones that I know customers will love. This release is without a doubt, a massive step forward in the maturity of VMware’s Cloud Management Platform.

 If you are considering a move to a Cloud Management platform and need assistance in deciding on the right solution for you and your organisation, please contact us and we’d be happy to use our wealth of knowledge and experience to assist you.

by Simon Eady

Having missed VMworld 2016, I was looking forward to attending this year, especially after the big announcements from the 2016 events and VMworld US 2017.

Hardly surprising, VMware on AWS featured heavily and the available sessions to attend were numerous. But, due to the current and future projects I’m engaged with, my primary focus this time was on vRealize Operations and vRealize Automation.

Of all the key note announcements made, the HCX one was the most impressive. Available in late 2017 via IBM and OVH, HCX will allow you to connect your private cloud to any VMware cloud vendor, allowing you to seamlessly move your apps easily into the cloud and back.

I’ve heard it said that whoever nails the flexibility of moving around in the cloud will be a huge success. So, I believe HCX will be a very attractive offering to those businesses looking for an option to easily “burst” into the cloud when required.

The first session I attended was “How to build a software defined DR practice with vSAN and SRM”. This was very useful as nearly every customer I have visited in the past 12 months was using either one or both products so it was good to understand how they can be used together with great effect.

Some key take-aways from the session were:

• vSphere Replication is free with Essentials Plus and higher
• vSphere Replication is not limited to just SRM you can get a little creative with it if you wish
• The SRM Roadmap finally as an appliance on it
• For SRM to work the products need to be the same version
• SRM supports vSAN stretched clusters, this is great to be able to move VMs to other DCs in separate vCenters (migration workflows)
• vSAN Stretched Cluster requires 5ms RTT 1-Gbe (works on L2 and L3 networks) a 3^rd site is needed for the witness server.

 Another area I am upskilling in is PowerShell/PowerCLI so it was beneficial to get along to the “Introduction to the PowerCLI Repository” session presented by Kyle Ruddy. If automation and daily operations is your thing, then you need to get your head into Powershell and PowerCLI ASAP.

So why Powershell/PowerCLI? Well, in this rapidly changing industry the cloud is king and it functions via automation and there are many products and languages that enable this. From a VMware point of view, PowerCLI is extremely powerful and fortunately relatively straight forward to learn (if you invest some time). The bonus here is that Powershell (which is what PowerCLI sits on) works very nicely with Azure, so if you can get competent with it you will effectively be killing 2 birds with one stone. If you are a sysadmin or consultant and have not yet made the jump to learning a language then now is the time. Staying relevant and valuable as an IT professional, and learning a language is key because automation has arrived and it is here to stay.

As someone who does not personally find coding easy, I have found a great deal of value from learning it, however, I have also found it to be a reasonable learning curve.

A key feature of VMworld events are the Design Workshops and this year I was fortunate to be invited to attend a vRealize Operations Design Workshop. While the content is under an NDA I can say that VMware have really got a good handle on getting feedback from experts and customers alike. I thoroughly enjoyed the workshop and am really looking forward to what comes next for the product. On a similar product theme, I was also invited to attend a TAM session focused on vROps.

Taking a break from the main sessions, I had my first experience of a hackathon. It was an excellent learning experience as well as a chance to meet new people from the wider vCommunity. The team I was a part of was called “one pod to rule them all” which focused on automating the deployment of various VMware products, to which we made some good progress but the 4 hours quickly disappeared. My key take-away from this, is that the Hackathon is a fun learning exercise along with being a great way to meet new people. So, if you have an opportunity to attend a hackathon near you, I would strongly encourage you to try it out.

The solutions exchange AKA the vendor hall provided another aspect to VMworld. I always enjoy wandering around the solutions exchange as I like to see what is new from the vendors and it helps get a feel for where the market place is right now. I made sure I visited a few vendors with whom I have worked with in the past and present, such as Blue Medora but also took time to check out anything new that caught my eye. This year I found a product and company called Morpheus. If you are looking at implementing your own in house and hybrid cloud solution they are very much worth a look.

For anyone that has attended before you will (I hope) be keenly aware of the fantastic networking opportunities at the conference and of course the evening activities.  If I was not in a session or in the Solutions Exchange, then I spent most of my time in the VMTN area (community’s area) catching up with and meeting new people from the wider vCommunity. I have no doubt in my mind that one of the huge strengths to the VMware eco-system is the community behind it. Having the VMTN lounge apart of the vBrownbag stage was a genius idea as you could blog, chat, network and learn all at the same time.

For me personally, aside from the sessions, the key strength to VMworld is the networking component. It is what you make of it, so getting involved and meeting people brings such great value to the event.

Rounding up, it was an excellent VMworld, good solid announcements and superb sessions to attend and as always, the networking and evening events were absolutely worth the trip.

To find out more about how your organisation can benefit from VMware products and solutions, please contact us and we’ll be happy to use our wealth of knowledge and experience to assist you.

**About the Author **

Simon Eady is an Xtravirt Senior Consultant with over 20 years’ experience in the IT industry. He has delivered a wide range of projects including solutions for server consolidation, data centre migration and upgrade, and deployment of Microsoft and VMware product sets.  His specialist areas include VMware virtualisation products and Microsoft Server Technologies and solutions. Simon is also a vExpert 2017 and leader of the South West UK VMUG (VMware User Group).

by Gregg Robertson

Recently I was fortunate enough to design and build an enterprise level distributed installation of the vRealize Automation suite of products and integrate it into an enterprise environment. I’ve done several vRA/vCAC deployments before but each time I do a new deployment I like to collate information, read all the latest articles and make sure what worked in the past for me hasn’t changed or more likely has been enhanced so I can provide an even better deployment.

For those unsure of what an enterprise distributed deployment comprises of I have added a logical diagram below

For my current deployment it was based on vRealize Automation 6.1 due to it being part of a Hybrid Cloud deployment but the architecture and layout are exactly the same for 6.2. (note this is defined after collecting customer requirements based on amount of workloads, NSX load balancing and the requirement of application services so make sure you have reasons for design decisions)

Resources

For the resources I used, some are ones I used in the past to learn how to do an enterprise deployment and some are ones I re-read prior to this deployment. I have listed them below to save me looking for them again but also to maybe help other people:

• The first place anyone should start is the vRA documentation centre which has a large portion of the vRA documentation you will need to have read and at some points follow along with to do your deployment.
• One of the most important documents to utilise is the Installation and Configuration document. As I mentioned, I was deploying vRA 6.1 so utilised the following document from page 43 onwards.

• One challenge when deploying an enterprise level deployment of vRA is that you should at a minimum use internally signed certificates. For vRA if you are changing one on the components then you need to change all of them or else you will have a plethora of problems (I have spent countless hours in the past helping companies who have tried their own PoC , have only changed a few certificates and then deployed workloads that they now want to keep). For this portion I like to follow Eiad Al-Aqqad’s resources as to me they seem really straight forward and have worked really well in the past

• http://www.virtualizationteam.com/cloud/vcloud-automation-center-6-certificates-a-to-z.html

• http://www.virtualizationteam.com/cloud/generating-certificates-for-vcac-6-iaas-web-server-manager-service.html
• http://www.virtualizationteam.com/cloud/generating-certificates-for-the-identity-appliancevcac-appliance.html

NB: Make sure when importing the certificate into the appliances remember to remove the bag attributes at the beginning of the PEM file and start from —BEGIN CERTIFICATE—– until ——–END CERTIFICATE————-

• Once you have the certificates prepared then you can start the deployments. I used the identity appliance rather than the vCenterSSO due to the identity appliance following the same upgrade schedule as all the other vRA components and in the past I have hit a few problems due to people using vCenter SSO. There are positives and negatives of using SSO so make sure you look at both options and select the correct option for your deployment. The official documentation is good but I also used Emad and Grants blogs for the deployment of the identity appliance

• Next portion is the configuration of the external vPostgres database and for this I used the vRA appliance and disabled the services that were not required. For this i used the official documentation. If you don’t know how to deploy the vRA appliances then go to the next step , follow that then come back to this step (Although I do worry if you don’t know how to deploy an appliance)

• http://emadyounis.com/vrealize-automation/vrealize-automation-6-1-formally-vcloud-automation-center-identity-appliance-deployment-configuration/

• http://pubs.vmware.com/vra-62/topic/com.vmware.vra.install.doc/GUID-A57BEE9C-BC0D-42D3-9ACD-E2F003E6B8F2.html

NOTE: VMware no longer recommend using an external postgres database. The 6.2 documentation has been updated to reflect this.

• Now you need to deploy the vRA appliances. This is fairly straight forward and really shouldn’t cause you any issues.

• Next are the IaaS components. This is SO MUCH easier than the vCAC 4.1 days now that there is the pre-req script. The script can be found here. Before installation of the IaaS components ensure you have ntrights.exe downloaded, a windows iso attached to the virtual machine (2012 requires this but 2008 never did) and java 7u75 downloaded in an easily searchable folder (java version is correct as of this posting). For these steps I was going to break it down into a few blog postings but fellow vBrownbag member, Jonathan Frappier has done such a cracking job I recommend you follow his:

•  Now that the components are installed it is time to grant permissions, create the required tenant/s for your cloud workloads apart from the default tenant and create all the business groups. Again Jonathan has broken this down brilliantly and this is what I re-read prior to my deployments

•  Now on to the application services, adding and preparing of vSphere templates and creating entitlements so that services can be requested. Again Jonathan has covered it perfectly ( as does the official documentation that you should be following alongside these)

• Now for the vRO deployment as well as including NSX into vRA and installing the NSX plug-in to the vRO server. For vRO I used the windows method rather than the appliance route due to us being unable to do multi-hop WinRM using the PowerShell plugin when we need to run PowerShell scripts locally on multiple servers rather than locally on the vRO server. For this I used Sid Smith’s articles as well as the standard VMware documentation:

• http://www.virtxpert.com/deploy-vrealize-automation-appliance-vrealize-automation-series-part-2/

• http://www.virtxpert.com/configure-vrealize-automation-appliance-vrealize-automation-series-part-3/

• http://www.virtxpert.com/install-vrealize-automation-iaas-components-vrealize-automation-series-part-4/

• http://www.virtxpert.com/install-vrealize-automation-iaas-sql-installation-vrealize-automation-series-part-5/

• http://www.virtxpert.com/install-vrealize-automation-iaas-installation-vrealize-automation-series-part-6/

• http://www.virtxpert.com/configure-vrealize-permissions-vrealize-automation-series-part-7/

• http://www.virtxpert.com/add-vcenter-endpoint-vrealize-automation-series-part-8/
• http://www.virtxpert.com/configure-fabric-groups-vrealize-automation-series-part-9/
• http://www.virtxpert.com/adding-business-groups-vrealize-automation-series-part-10/

• http://www.virtxpert.com/creating-reservations-vrealize-automation-series-part-11/

• http://www.virtxpert.com/deploying-application-services-vrealize-automation-series-part-12/

• http://www.virtxpert.com/preparing-vsphere-templates-vrealize-automation-series-part-13/
• http://www.virtxpert.com/adding-blueprints-vsphere-templates-vrealize-automation-series-part-14/

• http://www.virtxpert.com/creating-entitlements-vrealize-automation-series-part-15/

• http://pubs.vmware.com/vsphere-60/topic/com.vmware.vrealize.orchestrator-install-config.doc/GUID-64F03876-2EAB-4DB3-A95D-89842425FF7A.html

• http://dailyhypervisor.com/vrealize-automation-vcac-6-1-adding-a-vco-endpoint/
• http://dailyhypervisor.com/vmware-nsx-6-1-vcac-6-1-connecting-nsx-to-vcac/

Troubleshooting

Along the way I hit a few errors and spent a fair bit of time with VMware support also on a few of them. The main ones are listed below:

• Received a 401 error in the Infrastructure Tab of vRA

• Received a 404 error when opening thevRA portal

•  Received a “Failed to retrieve form from provider” when requesting an Application Service catalog item in vRA

• Received errors about trust relationships failing between the components

• Received a “Failed to retrieve form from provider” when requesting a  catalog item in vRA (this is using multi-machine rather than application services). This error is one I still have a ticket with engineering open for as what is happening is that when we do a quiesced backup of the vRO database this at times causes one of the vRO nodes to stop due to a timeout in connectivity to the database. Currently the only way fix is to start the stopped node. I will update this if/when VMware engineering give a realistic solution.

• http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2110207

• http://www.virtualizationteam.com/cloud/vcac-6-service-unreachable-reference-error-repo404.html

• http://kb.vmware.com/kb/2086649

• http://kb.vmware.com/kb/2110207

Gregg Robertson joined the Xtravirt consulting team in December 2011. As well contributing to the Xtravirt blog, Gregg blogs on his own site at www.thesaffageek.co.uk .

If you’d like any assistance with a virtualisation project or simply want to learn more about how Xtravirt can help your organisation, please _contact us, and we’d be more than happy to use our real world experiences to support you._

by Simon Eady

For the last few months and certainly very recently (at the London VMUG meeting) I have had the chance to talk to peers and vExperts and share “war stories” with regards to vRealize Operations Manager.

What has become a consistent theme in all the stories is just how much compute resources vROps requires when you “go big” and not just what is clearly defined in the sizing spreadsheet.

For example some of the large deployments I have either been involved in or heard about (to monitor upwards and beyond of 30000 VMs) required the deployment of Large vROps nodes.

A single large node collecting data for a large deployment as outlined above requires the following resources.

• 16x vCPU
• 48GB RAM
• 2TB Storage
• 1700 IOPS

About the Author

By Curtis Brown

The somewhat anticipated release of VMware vSphere 6.7 Update 1 is now with us.  So, the burning question now is “Can I upgrade?”.  The answer is not quite as simple as a yes or no as this is always a mine field, particularly where interoperability is concerned.  My intention with this article is to save you some of the leg work with respect to investigating product interoperability.

However please note, this article doesn’t dig into hardware compatibility, or compatibility with third party products, simply because of the vast array of possible scenarios.

Compatibility with Horizon View 7

The most common starting point is VMware Horizon 7 itself.   By checking the VMware product Interoperability Matrix, we can see that the minimum release of VMware Horizon that is validated with VMware vSphere 6.7 Update 1 is the latest release, 7.6.

VMware Horizon 7.6 - COMPATIBLE

VMware App Volumes

VMware App Volumes 2.14 and the more recent patch release are both listed as a valid configuration.  This would also be the recommended release for use with VMware Horizon 7.6, although it has quite a generous level of backward compatibility.

One observation of note is that the poorly adopted cul-de-sac release 3.0 product has not been validated against 6.7, but as this was explicitly incompatible with 6.5, so this is not particularly surprising.

VMware App Volumes 2.14.2 - COMPATIBLE

VMware vRealize Operations for Horizon

With respect to VMware vRealize Operations support in general, release 6.6.1 or later is required.  This is driven by vSphere rather than Horizon which can work with older vROps releases.

For a VMware Horizon environment running on VMware vSphere 6.7 Update 1, the VMware vRealize Operations for Horizon plugin needs to be on 6.6.0 to support VMware Horizon 7.6 to retain compatibility through to VMware vSphere.

However, care should be taken with the compatibility between the Horizon plugin and vRealize Operations itself.  As the Horizon component only supports Horizon 7.6 directly on release 6.6.0 of the plugin, the interoperability matrix dictates that VMware vRealize Operations should be running on release 6.7.

VMware vRealize Operations Manager 6.7 - COMPATIBLE
VMware vRealize Operations for Horizon 6.6 - COMPATIBLE

Of course, for features, guest operating system compatibility, the latest version is recommended.

VMware User Environment Manager 9.5 - COMPATIBLE

VMware NSX for vSphere

Although not every VMware Horizon deployment uses VMware NSX, it’s included to flag a possible concern. With respect to straight VMware vSphere interoperability, VMware NSX for vSphere 6.4.2 and 6.4.3 both support for vSphere 6.7 Update 1.  However, the supported Horizon release (7.6) has yet to be validated with NSX 6.4.2 or 6.4.3.  This is  unlikely to cause an issue, and validation is likely to be only a matter of time, though it may be enough to cause a pause for thought.

VMware NSX for vSphere 6.4.3 - SUBJECT TO CONFIRMATION BY VMware REGARDING HORIZON 7.6

Upgrading Desktop Templates

With respect to upgrading templates, the back-end components should be upgraded prior to the agents within the image.  As such, upgrading this rather depends on how many change windows are being used to upgrade the above components.  In all cases, VMware have limited support for backward compatibility for agents, so there is flexibility here.  The VM templates have the following components/dependencies:

• VMware App Volumes Agent – used for registering the VM and the logged in user to App Volumes manager.
  
• VMware UEM Agent – used for managing the user persona via UEM.
  
• VMware vRealize Operations for Horizon Agent – although a version is integrated as part of the VMware Horizon Agent, for full functionality in line with the release of vRealize Operations for Horizon, the dedicated agent is recommended.
  
• VMware Horizon Agent – this is used to provide components for managing deployment, assignment and the remote desktop protocol to the desktop.  It is recommended that this is installed after VMware Tools has been upgraded.
  
• VMware Tools – required for interaction with vSphere, as well as providing optimised device drivers for the guest OS.
  
• The VM virtual hardware version – this is defined by the VMware ESXi release. Upgrading should only be carried out once VMware Tools are upgraded but can be beneficial for performance reasons.
  

Where hardware GPUs are deployed, there are further considerations.  For example, if the templates are deployed using a vDGA (Dedicated Graphics) or Nvidia vGPU configuration, further investigation into supported Nvidia drivers should be carried out.

What to upgrade first?

Where to start upgrading will be driven from your starting point, so it’s well worth looking at compatibility of the release that you’re starting at with the relevant components.

Upgrading VMware vRealize Operations and the Horizon plugin is likely to be the best starting point as this supports all the monitored components backwards for a number of releases. In addition, it is the least disruptive activity for users.

After this, updating App Volumes Managers would be the next step.

Upgrading VMware Horizon follows the order it has always followed – VMware Composer, followed by Connection Servers and Security Servers.  The recommendation, however, would be to take the time to retire any Security Servers and replace them with VMware Unified Access Gateway appliances instead.

Where deployed, VMware NSX would be next on the list..

After this, the vCenter upgrade followed by the VMware ESXi hosts should take place.  In the case of the latter, as mentioned previously, pay close attention where hardware GPUs are deployed as this may need upgraded drivers and software in-line with the vSphere release.  If vSAN is deployed, this would take place as the closing step of upgrading all the ESXi hosts in the cluster, ensuring that there is enough space to carry out such an upgrade.

With respect to the desktop templates, upgrading of components can be staged, but the supporting services must be in place first.

Closing Thoughts

Although there are a fair few items to consider, so long as the components are upgraded with consideration to each other and in the proper order, it’s possible to uplift the entire stack to support VMware vSphere 6.7 Update 1.  The only caveat is the lack of interoperability testing  between releases of VMware Horizon 7.6 and NSX 6.4, though it should be remembered that there is no direct connection between the two products and VMware have yet to actually publish test results for this combination.

If you are looking to get the best from VMware infrastructure and understand your upgrade and compatibility options, please contact us, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He was awarded VMware vExpert 2018 and is a graduate of the VMware Advanced Architecture Course 2018.

About Xtravirt

Xtravirt are an experienced consulting firm dedicated to delivering outcomes to help customers solve their IT challenges. We design and build strategies to help customers unlock the full potential of cloud, datacentre and workspace technology.

We are the VMware Global and EMEA Professional Services partner of the year.

www.xtravirt.com

by Michal Grzeszczak

My name is Michal Grzeszczak and I am a senior consultant at Xtravirt (www.xtravirt.com), an independent cloud consulting business and VMware Master Services Competent Partner.  In this blog, I’d like to share with you my experience of L2 bridging with VMware® NSX-T Data Center and help you to understand some of the differences between NSX-T and NSX-V, as well as cover some NSX use cases.  

Customer background:

The customer is one of the leading organisations in the betting and gambling industry and have been using NSX-V for some time now. When it came to their new greenfield environment, they decided to deploy NSX-T 2.4 Data Center. This decision was largely based on the fact that NSX-T Data Center provides bridging firewalls natively for L2 software bridging, which was their main requirement. Also, given that NSX-T will be the de facto network and security virtualisation platform offered by VMware going forward, by specifying it for this environment the customer is able to future proof the deployment. 

Future upgrades are also accounted for as upgrading from NSX-T 2.4 to future NSX-T releases is simpler than performing upgrades from a previous version of V or T.

NSX-T 2.4 was a major update and brought many changes to the architecture of the product, the main ones being:

• The NSX Manager and NSX Controllers were merged into one appliance deployed in a Cluster of 3 Nodes therefore minimising the footprint of the solution and operational complexity. 
• The other major change was the introduction of the new Simplified UI which “requires just the bare minimum of user input, offering strong default values with prescriptive guidance for ease of use. This means fewer clicks and page hops are required to complete configuration tasks.”

NOTE: In NSX 2.4 two UIs are presented - one is the new Simplified UI, the other one is Advanced. The latter is taken from NSX-T 2.3. The future plan is to remove the Advanced UI and provide all of the functionality via the Simplified UI.

 What are the key benefits of choosing NSX-T over NSX-V?

 There are many benefits of NSX-T over NSX-V, to name a few:

• NSX-T doesn’t require vCenter, however it can be added to NSX-T as a Compute Manager and allows for up to 16 Compute Managers per NSX 2.4 solution . There is no longer a 1:1 requirement like there was with NSX-V. 
• KVM Hypervisor support
• Bare Metal Edges provide sub-second failover 
• Data Plane Development Kit (DPDK) Optimising Forwarding - DPDK is a set of data plane libraries and network interface controller drivers for fast packet processing
• New, more flexible Overlay technology - Geneve replaces     VXLAN  https://docs.vmware.com/en/VMware-Validated-Design/4.3/com.vmware.vvd.sddc-nsxt-design.doc/GUID-CF3C47CA-9BEB-4213-8F08-1494261BF3EC.html 
• Bi-directional Forwarding Detection support
• BGP (Border Gateway Protocol) expanded functionality with features like Route Maps
• Much clearer User Interface (UI)

What were the specific use cases for this case customer and the design considerations?

USE CASE 1 - NSX-T Edge L2 Bridging - Integration of physical, non-virtualised database servers that require L2 connectivity to the virtualised environment. 

Design considerations:

• In NSX-T 2.4 two options are possible to bridge L2 workloads - using ESXi Bridge Clusters or Edge Bridge Profiles. The latter is recommended to use as the former will be deprecated in future. 
• Ideally the use of dedicated Bare Metal Edges, however this is not a requirement. 
• The possibility to deploy Edge Bridges in collapsed vSphere Clusters >     Management + Edge or Compute + Edge
• Consider having active and standby Edge Nodes on different hosts to avoid throughput drop, because VLAN traffic needs to be forwarded to both Edge Nodes in promiscuous mode.
• Overlay traffic can be tagged on a Distributed Port Group or Uplink Profile, but please avoid double tagging. 
• VLAN traffic should not be tagged on the Uplink Profile.
• Distributed Port Group for VLAN traffic connecting to the Edge Node should be in a Trunk Mode. The reason for this is due to the fact that Edge doing Bridging adds 802.1Q tag when transposing Overlay traffic to VLAN. 
• Consider having the same MTU value across your environment - if you can, choose MTU of 9000 for better performance. 
• Several Bridge Profiles can be configured, and a given Edge can belong to several Bridge Profiles. By creating two separate Bridge Profiles, alternating active and backup Edge in the configuration, the user can easily make sure that two Edge nodes simultaneously bridge traffic between Overlay and VLAN

Constraints:

• Edge Cluster with minimum 2 Edge Nodes in Active/Standby mode is needed.
• Standby uplinks are not supported on the Edge Node.
• Source Based Load Based Teaming is not supported on the Edge Node.
• The port group on the VSS/VDS sending and receiving traffic on the VLAN side should be in promiscuous mode, allowing MAC Address changes and Forge Transmits.

Deployment:

• Follow the deployment guide here - https://youtu.be/IwpujflzJhY 
• Or here https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.3/com.vmware.nsxt.admin.doc/GUID-7B21DF3D-C9DB-4C10-A32F-B16642266538.html 

Validation:

• Log in to the Edge Node with your credentials.
• Type “nsxcli”.
• “Get l2bridge-ports-config” will show the Bridge Port State (Active Edge will have Forwarding, Standby will have Stopped), VLAN ID configured and Bridge UUID which can be copied and used to do a packet capture on the Edge Node.
• To do the packet capture type “start capture interface “copied Bridge UUID” and hit enter, ping from VM to Physical Server to see the flows. 

USE CASE 2 - NSX bridging firewall - Secure communication between physical database servers and Overlay workloads.

• The configuration of the bridging firewall can be done currently only on the Advanced UI.
• Security rules are configured per Logical Switch aka Segment in Simplified UI. 
• NSX-T grouping objects like NSGroups can be used to provide abstraction from the IP based approach.

USE CASE 3 - vRealize Network Insight - Monitoring tool that can provide visibility into both Physical and Virtual environments. 

• NSX-T 2.4 is fully supported with the latest vRealize Network Insight version 4.1.
• Make sure you are allowing ports for communication between vRNI and other devices after the deployment. For example, ESXi Hosts to vRNI Collector on UDP 2055. The full list of ports needed can be found here - https://docs.vmware.com/en/VMware-vRealize-Network-Insight/3.9/com.vmware.vrni.install.doc/GUID-FDDA5F2F-7C3B-472A-A17D-39582FBD5996.html 
• There is a new website that provides in-depth information about new features in vRNI, definitely worth visiting - https://vrealize.vmware.com/t/vmware-network-management/  

What were the outcomes?

Overall, this deployment was a complete success as we were able to satisfy all of the requirements that the customer had. All the production physical databases were able to communicate on the same L2 segments, virtualised and connected to NSX-T segments workloads. On top of that, communication between those workloads was secured by NSX-T Bridging Firewall. vRealize Network Insight was used to provide visibility into the environment. Its ability to quickly troubleshoot network and firewall related issues in both virtual and physical realms allows admins to take a breath in the never-ending battle of making the networks stable.

I hope you enjoyed my blog, if you’d like to talk to Xtravirt about your business’s networking and security requirements, then please send an email to info@xtravirt.com

Some Useful links:

You can read more about the NSX-T 2.4 release here: https://blogs.vmware.com/networkvirtualization/2019/02/introducing-nsx-t-2-4-a-landmark-release-in-the-history-of-nsx.html/ 

By Michal Grzeszczak, Senior Consultant, Xtravirt

As a Senior Consultant at Xtravirt, I recently spent time with a customer, a major European airline, to plan and oversee the deployment of VMware NSX^®.

In the aviation industry, a data breach could have catastrophic repercussions.  Concerned about data security, the customer chose VMware NSX for its security capabilities.  This is because NSX allows for micro-segmentation, a practice through which workloads are individually cordoned off to prevent any East-West movement in the event of a breach.  In contrast to most IT networks, where one firewall protects the entire perimeter, a breach in a micro-segmented network can only impact a small subset of data.

With the objective to increase environment security and control East-West traffic, the project was managed in five key phases:

Phase 1 – Discovery and Planning

Xtravirt kicked off the project with a 2-day planning workshop with key technical staff and subject matter experts.  In this phase we confirm and capture the full scope of requirements and ensure we fully understand the current environment.  This process reveals any prerequisites, potential roadblocks and validates the use case.

In this instance, the customer has two data centres, one vCenter Server (version 6.5) and uses vRealize Network Insight (vRNI) to monitor their environment.

During the initial discovery phase, it became apparent that vRealize Network Insight (vRNI) could be used to better understand East-West traffic and to map the customer’s applications to the security policy that could be provided by NSX Distributed Firewall (NSX DFW).

Both solutions, vRNI and NSX DFW, are quite unique in the market and help solve many typical problems associated with securing workloads in modern data centres. In this instance, they helped to:

- gain a better understanding of the flows of the applications, how they communicate with the outside world as well as within the application itself

- secure East-West traffic and avoid reliance on the perimeter firewall to segment those workloads.

Phase 2 – Installation and configuration of vRNI

The installation and configuration of vRNI onto the customer’s environment involved adding the “Data Sources” to the vRNI, where the data (flows) would be collected. There are many data sources supported by vRNI, including for example - vCenter, NSX-V, NSX-T, as well as third party devices like Cisco, AWS and Arista.   A list of supported solutions can be found here: https://docs.vmware.com/en/VMware-vRealize-Network-Insight/3.6/com.vmware.vrni.install.doc/GUID-4BA21C7A-18FD-4411-BFAC-CADEF0050D76.html

After adding the necessary sources, vRNI collected all the flows for a 30-day monitoring period.  Other VMware solutions such as Application Rule Manager, allow for a maximum of 7-days monitoring and provide a great option for small applications. However, vRNI’s 30-day monitoring period is especially useful when applications in the environment are particularly active during specific times, like a payroll application.

Phase 3 – Defining workloads

The next step was to define which workloads were part of which application.  In this particular case, we had 4 main requirements:

- micro-segmentation of Application “A” which consisted of 3 tiers. Each tier needed to talk to other tiers only on needed ports, thus securing flows within the application.

- micro-segmentation of Application “B” which consisted of 3 sub-applications.  The goal here was to secure traffic between sub-applications and not within each sub-application.

- mapping of the shared services (active directory, monitoring etc.) that are necessary for the applications to function properly.

- mapping of the users that need access to those applications.

As the users and shared services communicate with all applications in the environment, we started with the first two requirements.

It is very easy to create a logical application in vRNI. You simply add workloads to the tiers that make each application. In the case of Application “A”, the action was to create three tiers, each with corresponding workloads. In the case of application “B”, even when dealing with multiple applications, the process was the same as the requirement was to secure Inter-Application flows. We simply added workloads from each sub-application to the corresponding Tier in vRNI.

Phase 4 – Security planning

The next step was to go to the “Plan Security” section of vRNI and select our new logical application. That presented us with a “pizza” view of the tiers of the application, in both application cases. We then selected each tier of the pizza/application and extracted incoming and outgoing flows to a .csv file. This part of the application mapping can be done directly in vRNI.  However, due to the complexity of the applications, we needed to view these flows in an Excel sheet.

The most time-consuming part of the implementation at this point had been to map flows from vRNI to the design document section for security rules / security groups / IPSets in NSX DFW. Use of filtering options in Excel and colour coding the types of traffic allowed us to have a clear visual representation of the flows in the environment. We divided the flows into Shared Services, Inter-Application communication between applications that we were mapping, Intra-Application communication between workloads that we were mapping as well as user access.

Phase 5 – Application Mapping

Establishing communication between mapped applications and unmapped applications is the final stage. Under the scope of the engagement our role was to map 2 out of 70 applications. Our role as consultants was to ensure knowledge transfer and develop a repeatable process so the customer could complete their own application mapping.

Once the whole environment is mapped, then Security Groups / IPSets in DFW can be created for all applications.  Specific rules will be put in place to cover necessary flows between applications.

During the process of application mapping we were able to get necessary information about Shared Services and Users. The former was mapped into a separate NSX DFW section on top of all the other sections to be checked by DFW first (rules in NSX DFW are checked top to bottom). These sections will need to be constantly updated as more applications will be mapped and will require additional ports to be open to communicate with Shared Services. The latter was divided into floors, buildings and countries with corresponding IPSets to provide more controlled access. Those IPSets were added to two Security Groups - “Super Users” and “General Users” and were added to each application’s section to allow for management traffic.

Conclusion

By scoping out the project with the customer from the offset and having a clear and concise goal in place we were able to decide on the right tools for the job and move forward with minimal stumbling blocks. vRNI gave us a clearer picture of the road ahead and defined the East – West traffic that needed to be segmented and controlled to ensure that any potential data breaches could be stopped fast and with minimal leakage.

vRNI and NSX DFW created the perfect combination for a creating a market leading security solution and better still working to a planned and repeatable process made the whole operation smooth from beginning to end.

Find out more

If you would like to learn more about how Xtravirt can help you improve the security of your IT environment, contact us and we’d be happy to use our wealth of knowledge and experience to assist you.

Xtravirt (www.xtravirt.com) are the VMware Global Services Partner of the Year and have achieved the VMware Master Services Competency for Network Virtualization – a testament to our expertise in delivering NSX environments.  

About the author

Michal Grzeszczak joined the Xtravirt consulting team in September 2017. He has an in-depth understanding of NSX along with experience in software-defined networking, virtualization and data centre support.

by Curtis Brown

VMware NSX® network virtualisation platform has been around for a little while now delivering an operational model for networking that forms the foundation of the Software-Defined-Data-Centre.  It’s often associated more with server virtualisation or as a component within a Cloud Automation solution and with good reason; it’s readily able to deliver a scaled, secure environment, while providing several mechanisms to deliver advanced network functionality such as firewalling, load balancing and anti-malware protection.  However, one area where its application is frequently overlooked is in the world of End User Compute – more specifically virtual desktop infrastructure.

Wouldn’t it be nice if…

Consider a full-on Horizon deployment (though, to be fair, these components could be replaced in the most part for an element of your choice) –

•  Horizon View – This will publish Virtual Desktops in Pools, with these pools assigned to Active Directory based Groups/Users.
• App Volumes – This gives you a mechanism for delivering defined stacks of applications to the Virtual Desktops.Again, you can assign using Groups or users.
• User Environment Manager – You use this to manage environmental and application settings.

 So, you have the mechanisms in place to deliver Virtual Desktops, complete with some granular application and settings delivery.  This is all pretty good, but wouldn’t it be nice if you could provide some intelligent network capabilities too?

Finetuned Firewalling.

Now take VMware NSX - this has some nice features that you can leverage in a VDI estate.

One of the key areas of concern is hardening the estate.  There’s been a pretty big play in the NSX world around using NSX to provide segmentation – both at a macro level, separating workloads into different VXLANs on virtual switches – and at the micro level using the Distributed Firewall to provide firewall rules at the Vmnic. Both strategies can be used here.

You can also separate Pools at a macro level or a micro level if you wish to, with the latter being particularly interesting.

The Distributed Firewall can provide a great deal of flexibility when defining firewall rules and can leverage several different identifiers, including vSphere entities and Active Directory objects.  Using these, you can generate a rule bases to lock down traffic quite tightly, in conjunction with the VDI solution and application delivery mechanism.  Take this example:

You can set up a standard DFW ruleset that applies to your desktops that will prevent traffic between the virtual desktops, while still providing the core services and application support for anything required for the desktop. This means you can control LDAP traffic between the desktops and Domain Controllers or PCoIP between the desktops, the Connection Servers or direct to physical endpoints if you wish.

 With App Volumes, you can define an AppStack with several applications which may well have discrete client/server network traffic requirements.  The DFW can apply rules based upon the user logged into the desktop, so you can create and apply rules specific for these client server applications and tie them to the same Active Directory object that applies the AppStack.

 The net result is that you end up with a combined ruleset applied to a desktop that is not just tied to a broad pool, but also to discrete needs for users within the pool. This provides strict granular access based upon the needs of the desktop and the application set for the user.  And let’s remember that this is applied at the desktop’s connection to the network – not at any perimeter level.

Malware Protection

NSX also provides the ability to integrate a compatible antivirus/antimalware solution into the mix. This is not, however, limited to the more publicised Guest Introspection where virus scanning is offloaded at the hypervisor level.  NSX can also integrate with both virtual and physical appliances such as Fortigate for intrusion detection, perimeter firewalling and more.

At the Infrastructure Level

As with any VDI estate, you have the upstream infrastructure to consider, several services can be provided here too.  

Using VMware NSX Edge Gateway appliances, you can provide perimeter firewalling between networks.

For Horizon View, both Connection Servers as well as Access Gateways/Security Servers require Load Balancers, as do App Volumes Managers.  The NSX Edge appliances are capable of being configured to provide load balancing services.

Perimeter firewalling using NSX Edge can also be provided, so you can have a DMZ layer for the Security Servers/Access Gateways as well.

Generally speaking, you could deploy something like this for the Horizon View management environment:

Our external traffic accesses the estate via a pair of NSX Edge Gateways, serving as firewall and load balancer for a pair of VMware User Access Gateways.  These are configured as two-legged, tunnelling into the vSwitch beneath, where you have a dedicated NSX Edge appliance load balancing the Connection servers.  This internal load balancer is also used by internal users who connect in via an L2 bridge or NSX Edge as appropriate.

 You then deploy NSX for the Desktop blocks as well, in order to provide the previously mentioned firewalling and malware protection for a secure end-to-end solution.

Closing Thoughts…

With NSX, it’s possible to turbo-charge the security for a VDI desktop environment in a manner that can be applied regardless of the choice of broker solution – the above would work just as well in a third party VDI solution such as Citrix XenApp or, perhaps more importantly, XenDesktop, not just VMware Horizon.  The ability to dynamically set and operate firewalling on egress outside of the guest Operating System means that such firewalling cannot be tampered with from within the VDI desktop, which might be useful in environments where desktops are used with untrusted users (public kiosks for example).

If you’re interested in exploring the combination of VMware NSX network virtualisation in a VDI estate, please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He is a VMware vExpert 2017.

by Curtis Brown

Although VMware tends to put a focus on the more glamorous side of Enterprise computing – Cloud this, Containers that, Hypervisor here, Automation the other…. – there is a side that in the past has been almost a cottage industry in comparison, VMware’s Type 2 desktop hypervisor products. But at this year’s VMworld they weren’t forgotten and got a session all of their own.

Developing Products

VMware Workstation (for Windows and Linux) and VMware Fusion (for Mac) have been around for some time – the latter is celebrating its 10^th anniversary, while the former was released back in 1999.

The unified approach to the underlying VMware Platform means that the underlying Hypervisor service, VM hardware, VMware Tools and console, are common across the VMware product range. As a base, this then diverges to the different product teams for the Workstation/Fusion and ESXi vSphere layers.

This is significant, as this article will go on to discuss.

Welcome to the Next Generation

The big-ticket item for this session was the presentation of the new VMware Fusion release (version 10), and VMware Workstation release 14.  Both releases are important for several reasons, not least because it’s the first major version release since 2015.

So, what’s new?

The big one, common to both is VM version 14.  This is noteworthy for several reasons.  Firstly, there is support for VMs running the new Microsoft Windows 10 Fall Creators Update, Ubuntu 17.04 and Fedora 26.  In the case of the former, Virtual Machines can be configured to support Microsoft VBS (Virtualization Based Security), i.e. Credential Guard, which is a significant development. VBS requires UEFI bios on a VM configured for Secure Boot and enabled for in-guest (nested) Virtualisation – VBS uses Microsoft Hyper-V components.  We also have virtual NVMe disk support for improved storage performance on VMs too.

Further, with respect to VBS, it was mentioned that a future point release will support this on the host desktop PC, essentially allowing Hyper-V to run alongside Workstation.   Time will tell whether this comes to pass.

Remember the comment about the common underpinnings between the different VMware products being significant?  Ask yourself this – what does VM version 14 mean for the next vSphere release?

Both products gain full support for importing OVA packages. This allows, for example, the configuration of an appliance via the GUI, as would be the case in VMware vSphere. This means that the vCenter Appliance can be deployed in a fully supported manner in the GUI.

There are also improvements in Virtual Networking such as Workstation Pro and Fusion Pro Virtual Networking, which now includes a Latency emulator for network stress testing.  Both products also provide enhancements in their ability to control a VMware vSphere estate.

For VMware Fusion users, there’s an API framework with 20 VM controls for scripting.  Furthermore, the graphics engine now supports MacOS Metal rendering engine, which provides a marked improvement over OpenGL, though the latter is available as a fall-back mode.  For those MacBook users with the fancy new Touch Bar – this is now supported in VMware Fusion.

VMware Workstation Player has taken on a particularly key role in more recent times as a delivery mechanism for corporate desktop VM builds to BYOD or offsite locations, often using VMware Horizon FLEX.  To that end, VMware have put some effort in improving the User Interface design.   Workstation Pro continues to be the tool for developers using Windows/Linux desktops – the Network testing capabilities being a prime example of that.

Closing Thoughts…

Far from being a product left to whither on the vine, VMware have breathed new life into these popular products.  They remain at the leading edge with respect to local capabilities while continuing to serve a wide array of use cases from developers to business users to home users.

If you’re interested in exploring the latest virtualisation solutions but not sure where to start, please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He is a VMware vExpert 2017.