Xtravirt — Encryption: Data Protection in VMware...

By Curtis Brown

Introduction

This little post is a ‘how to guide’ for enabling encryption on VMware vSAN.  To do this, we’ll need a few ingredients:

• A VMware vSphere 6.5 cluster with VMware vSAN enabled
  
• A Key Management Server Solution (KMS)
  

The Key Management Server (not to be mistaken for Microsoft’s license key solution) provides encryption keys for vSAN encryption.  This should be a robust solution (ideally, multiple nodes) as without this, vSAN becomes inaccessible!  Also, a tip – don’t put your KMS solution in the vSAN you’re about to encrypt, that would be a really bad idea!

In the case of the estate stood up for this blog post, HyTrust KeyControl 4.1 was deployed.  It’s an easy to use product that does exactly what’s required.

Registering the KMS in VMware vSphere

VMware vCenter supports the KMIP standard (VMware have certified a number of products) for connected KMS servers.  In the case of our HyTrust KeyControl appliance, we have to enable the KMIP server service and set the protocol to version 1.1.

We also need to set up a service User account on here.  It’s important not to set a password for this account.  We’re using certificates to authenticate and setting a password prevents vSphere from using the account with the HyTrust solution.  We download the SSL certificate for the user (this is a ZIP file containing the CA certificate and user certificate as PEM files).

Logged on as an administrator in the VMware vCenter Web Client, we open up the configuration of the vCenter server and add our KMS:

We enter a name for the cluster and the details for the first node (we can add other nodes under this cluster later).  The port is 5696 for most solutions.  

We then have to trust the certificate for the Server:

At this point, we have the configuration, but it’s yet to establish a trusted connection.  We need to establish the trust using the menu option below:

There are a few ways of achieving this (see the screenshot below), but we’ll be uploading the certificates snagged earlier:

In our case, we upload the User PEM twice:

And, voila, we’re ready to go forth and enable vSAN encryption

Enabling VMware vSAN Encryption

Here’s the easy bit.  We’ll assume that you already have vSAN up and running and will be enabling vSAN encryption.  If this is a pre-existing cluster, remember to leave room in the cluster to accommodate the emptying and reformatting of a host.  This operation will temporarily remove a host from the cluster as the disk formatting is changed.

We open the Cluster Configuration and select vSAN>General.

Edit the settings to enable Encryption.  We can erase the disks before use if we wish, but the key item is selecting the KMS server and clicking OK.  Allowing reduced redundancy reduces the number of VM data moves while the process to encrypt is under way.

At this point the cluster will reconfigure, enabling de-duplication.  This can take a little while so be patient. And that’s it done.

Closing Thoughts

This is a relatively simple feature to enable, providing a measure of data security for little effort.

If you’re considering developing a VMware vSAN based estate and need assistance, please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with strengths in VDI, storage integration, backup and Disaster Recovery design/implementation. He is a VMware vExpert 2018.

by Curtis Brown

Introduction

VMware vSAN™ is the storage component for VMware®’s Hyper-Converged Infrastructure offering. It can be deployed (albeit with its own licensing), as a part of a VMware vSphere® cluster.  The release of vSAN is generally tied to a specific release of VMware vSphere, so the 6.5 Update 1 release includes 6.6.1.

Testing VMware vSphere in a lab can be desirable for many reasons, for example training or development. However, it can be quite hardware intensive, and adding in vSAN makes matters more complicated.  To properly test vSAN, we need multiple nodes and good networking (10Gb for all-flash). However, it’s possible to use VMware Workstation (or VMware Fusion® for you Apple fans) to test this in a nested environment, where a set of virtual machines running VMware vSphere are hosted on one physical system.

One of the key features in VMware Workstation 14 (and Fusion

is the addition of Virtual Machine Hardware version 14. This is significant for this exercise, as one the features of this version is the ability to add virtual NVMe drives to Virtual Machines. This is also useful as we don’t need to mess about with the host VM or guest vSphere configuration to spoof the software into thinking it has SSDs.

What’s the Shopping list?

Well, you’re going to need a machine with a decent CPU (an Intel i7 or similar) and 32GB RAM with some fast disk (SSD).  It’s worth remembering that you’re going to be standing up quite a bit if you squeeze this in one machine. From my experience, you will need:

• 6GB RAM
  
• 2 vCPU
  
• 15GB disk (for vSphere ESXi binaries)
  
• 2 NICs
  
• For vSAN, I added a 5GB NVMe as my Cache layer and a pair of 20GB NVMe as my data tier
  

Using this toolkit, I can build out my own vSphere cluster.  In addition to this, I also use a Distributed Switch with a Management port group and a VM port group (more for tidiness than anything else).  Each host needs a VMKernel for Management (adding vMotion to this also works for efficiency) and I added a separate one purely for vSAN.

Enabling vSAN

This is pretty simple – browse through the vSphere Web Client to the Cluster, go to the Configure tab, select vSAN>General and hit Configure. This will then launch a wizard that takes you through the process of enabling vSAN.  

Feature wise, to keep the load down I didn’t enable de-duplication & compression or encryption.  So long as vSAN is enabled on a VMKernel port on each host, the network validation should be fine.

The disk claiming is spot on.  As you can see, the NVMe disks are recognised correctly as flash disks and selected for the relevant tiers based on size.

This will complete the configuration and you’ll have a vSAN:

Fixing Some Warnings…

There will be a few amber warnings that require attention.

For the simpler warnings, you’ll want to enable the Performance Service as well as update the vSAN HCL Database. If you’re not connected to the internet you can download and apply this manually using ‘update from file’.  The file can be downloaded from https://partnerweb.vmware.com/service/vsan/all.json

The remaining Amber warnings are trickier.  The first warning that you will encounter will be that the hardware isn’t on the vSAN HCL. (This shouldn’t be much of a surprise given we’re running this in Workstation.)

The second will be the vSAN Build Recommendation Engine Health component. This requires an internet connection and that the service is logged into my.vmware.com with credentials.  For a disposable lab, this is unlikely to be desirable.

These warnings can be silenced via the Ruby vCenter Console (RVC. via either SSH or the console, log on as root and access the Shell. Then log onto RVC using vCenter credentials directed at the vCenter FQDN…)

Mark a shortcut to the vSphere cluster with vSAN:

mark (vcenter FQDN)/(datacenter object)/computers/(Cluster)

To silence the given service:

vsan.health.silent_health_check_configure -a (service) ~vsan

For example:

The following services will need attention:

• vumconfig - vSAN Build Recommendation Engine Health check
  
• controllerdiskmode – Controller Disk Group Mode
  
• controllerdriver - Controller Driver is VMware Certified
• controllerfirmware - Controller firmware is VMware certified
• controllerreleasesupport - Controller is VMware certified for ESXi release
• controlleronhcl - SCSI Controller is VMware certified
  

For example, the vSAN Build Recommendation Engine Health Check:

You can use the command vsan.health.silent_health_check_status ~vsan to check the status.  -a switch can be used for specific entries.

Expanding the Cluster

If you want more nodes, then you will need to add them as additional hosts. This will allow you to test RAID5 and RAID6 Erasure Coding (four and six hosts respectively) and add capacity and performance, but you need more tin for this.

Shutting Down

To shut down the lab, you should simply:

1. Check that all re-sync operations are complete:

1. Place the hosts in Maintenance Mode with ‘No Data Evacuation’ selected and don’t move powered off VMs
   
2. Power off the hosts
   

With respect to setting up a vSAN lab, it’s “job done” – go celebrate!

If you’re interested in exploring the ways in which you can modernise your datacentre but not sure where to start, please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He is a VMware vExpert 2017.

By Ian Cook

Introduction

VMware vSphere comprises one or more virtual centre servers and multiple ESXi hosts. Virtual networking using distributed switches and NSX, and virtual storage (VSAN) can all be managed through the virtual centre server. The VMware update manager is also integrated. vSphere 6.5 comes with many features that enable customers to easily manage their private, public and hybrid cloud environments.

 Customer Background and Issues

During a recent engagement for a renowned healthcare provider, a vSphere 6.5 Cluster issue was encountered with VCSA and external PSC.

The customer’s environment is built on Cisco UCS FlexPods with FCoE (Fibre Channel over Ethernet) - all flash storage. There are two tier 3 datacentres, two VMware Virtual Centre Server appliances (one at each site) running vSphere 6.5 in enhanced linked mode. The Platform Service Controllers are external, which is a requirement for linked mode. There are six clusters, with three blades in each cluster, three clusters in each site.  

The customer was seeing numerous issues with one of the six clusters including:

1)     No management of VM’s possible (power on/off, create or delete snapshots, edit settings was greyed out on every VM)

2)     vMotion failing

3)     DRS non-functional due to vMotion failure

4)     HA wasn’t enabling/disabling correctly (one of the three hosts in the cluster would function, two would not)

5)     Unable to disconnect/connect a host from the vCenter using the GUI

6)     Tasks showing as ‘running’ in tasks on the vCenter server, but not showing as running on the host when directly connected

During troubleshooting with VMware GSS, it was discovered that the database entries for the hosts/cluster were corrupt.

The Solution

After further investigation, we identified that the problem was linked to the vCenter and not the hosts, as all of the commands could be run when connected directly to the host console. VMware GSS were engaged, and they agreed with the initial findings, that the vCenter vPostgres entries were corrupt.  The decision was made to disconnect the hosts from the vCenter and then reconnect, with the aim to refresh the agents and force the database to update. Because we could not disconnect or reconnect from the web interface, the hosts from the vCenter were forced to disconnect, using the vPostGres database commands. This was completed during a pre-planned, out of hours change window, where the fix below was applied:

1)     SSH to VCSA

2)     /opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres press <Enter>

3)     Should give VCDB=# prompt

4)     Select id,dns_name,enabled from vpx_host;

5)     Will list all hosts and the id number of the host.

6)     Update vpx_host set enabled = 0 where id = <Host ID from table above>;

7)     Response should be UPDATE 1

8)     Select id,dns_name,enabled from vpx_host;

9)     Should show the host removed with a 0 under enabled

10)  Repeat for any other hosts

11)  \q

12)  Stop vpxd – service-control –stop vmware-vpxd press <Enter>

13)  Start vpxd - service-control –start vmware-vpxd press <Enter>

14)  Refresh/log in to vSphere web client and reconnect the disconnected hosts by right click on host, Connection > Connect

 The Results

Once the fix had been applied, the cluster within the customer’s environment returned to a manageable state, with zero downtime for the customers virtual machines. The fix was also applied with zero impact to the services, resulting in the functions that would not previously work now working without fault.

 Xtravirt is a leading VMware specialist and has the ultimate combination of deep experience and agility to design and deliver IT transformations. If you need assistance in getting the best from your VMware vSphere estate, please contact us, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the author

 Ian Cook joined the Xtravirt consulting team in December 2015 as a Technical Consultant. He has over 20 years’ experience in the IT industry, with an in-depth understanding of VMware Virtualisation product sets and NetApp, along with experience in data centre migration and delivery and upgrading of virtualisation solutions.

by Nick Goldman

VMware Cloud Foundation brings the best in breed virtualisation of network, storage and compute in a pre-validated and automated package. VMware cloud is used in VMware based public cloud solutions such as; VMware cloud on AWS and IBM cloud for VMware solutions. VMware Cloud Foundation lets you spin up a private cloud environment in a much-reduced time frame and deliver a reliable hybrid cloud environment.  

VMware Cloud Foundation 3.0 was announced only a few months ago at VMworld US 2018. Version 3.0 removed the requirement to use Cisco or Arista switches. Now any switch provider that is on the VMware Hardware Compatibility List (HCL) can be used which will allow for VCF fitting into existing environments.  VMware has now also added all vSAN ready nodes which opens up far more flexibility with hardware.  

A number of management of improvements were also made also assist with enterprise deployments. These included the ability to skip upgrades of vCenter and ESXi which helps with compatibility of 3rd party solutions). Cloud Foundation 3.0 also supports multiple clusters in a workload domain to allow for larger workload domains and reduced size of failure domain and specific use cases which require small clusters (such as licensing) and stretch clusters.

Now only a few months later the next release 3.5 is announced and brings a raft of new features including support for NSX-T and PKS (Pivotal Container Service), support for composable infrastructure (initially HPE Synergy) and support for external NFS (which allows the use of existing storage for workloads).

Including NSX-T in VMware Cloud Foundation shows the direction that VMware are heading towards with much larger use cases for NSX-T.

What is VMware Cloud Foundation?

VMware’s Cloud Foundation was born out of the VMware EVO SDDC (Software Defined Data Centre) platform and is designed to make private and public clouds easy to deploy, manage and secure. It also allows cloud providers such as IBM and VMware Cloud on AWS, as well as private data centres, to quickly deploy and scale out a cloud platform.  

“VMware’s Cloud Foundation allows cloud providers to quickly deploy and scale out a cloud platform” 

VMware Cloud Foundation is a Hyper Converged Infrastructure platform that that delivers software defined compute, storage and networking services (NSX) to allow agile delivery of virtual servers or containers. The solution is made up of vSphere, VSAN and NSX overlaid with a management solution (the SDDC manager) which is used for both setup and day 2 operations such as patching and monitoring. 

Cloud Foundation version 3.5 has just been released and includes the latest releases of all VMware products including vSphere 6.7U1, vSAN 6.7U1, NSX-V6.4.3, NSX-T 2.3 and optionally vRealize Automation 7.5. and vRealize Operation 7.0, vRealize Log Insight 4.7

Delivery Model

VMware Cloud Foundation is available in three delivery models: 

• Through a public cloud provider such as VMware Cloud on AWS or through one of the VMware Cloud Provider Program providers such as IBM or Rackspace   
  
• As an engineered solution such as Dell EMC’s VxRack solution which comes preconfigured and installed (however customers have informed me this at present introduces a delay while the configuration is certified 
  
• Deploying on any vSAN ready nodes from any vendors including Dell EMC, Cisco, Fujitsu, HPE, Hitachi and Quanta 
  

Cloud Foundation can speed up the delivery of an SDDC solution by having a pre-validated and tested solution using VMware best practices. This can reduce the complexities and lead times associated with traditional datacentre infrastructures. VMware on AWS will be the proving ground for many new features on VMware Cloud Foundation and as the suite is all based in software VMware will be able to rapidly add features.  

“Cloud Foundation can speed up the delivery of an SDDC solution” 

The management of Cloud Foundation is via the VMware SDDC Manager. From within here you can do the initial bring up which just requires a few details such as time, network settings and DNS and NTP servers. The SDDC manager will bring up the entire stack including switch configuration, host configuration and a management cluster (a four-node cluster containing a dedicated vCenter, NSX manager and vSAN). Once the bring up procedure has been completed, you are then able to deploy workload domains which are policy driven based on the performance and availability requirements. The workloads can either be virtual server infrastructure or virtual desktop infrastructure where the SDDC manager will automatically deploy a fully functional VMware view environment.

Is VMware Cloud foundation right for my company?

Whether Cloud Foundation is right for your organisation for not depends on what your commitment to other hardware solutions such as a SAN or blade enclosures are. In these cases, it may not be best to change your entire infrastructure to start using Cloud Foundation, but if you have end of life hardware or you are looking at putting in NSX to virtualise your organisation’s networking then it could help to reduce the time to get the new platform up and running. In addition, with the lifecycle management included it will reduce some of the burden associated with keeping your cloud platform up to date.

If your organisation has previously struggled with setting up new technology or it has taken an excessively long amount of time to deploy and expand, then VMware Cloud Foundation could be the right solution for your organisation. VMware will allow you to transfer existing unused licenses for individual components to Cloud Foundation.

VMware Cloud Foundation has similarities to other solutions such as Nutanix, which provide a simplified management for their hyper converged platform. However, the inclusion of technology such as NSX in the platform is more advanced than some of VMware’s competitors.

“Cloud Foundation takes VMware’s best of breed technology and wraps a management layer around them”.  

Version 3.5 also offers the latest versions of VMware products which was part of VMware’s commitment to reduce the time between when products were released individually and when they are available as part of VMware cloud foundation.

Closing thoughts

VMware Cloud Foundation has become a very comprehensive solution for organisations looking to deploy there SDDC in a reliable and standardised fashion whilst reducing timescales for design and deployment. It takes VMware’s best of breed technologies and wraps a management layer around them. As companies look to move towards a buy rather than build strategy with their infrastructure then VMware Cloud Foundation is on point to be a tried and tested solution. VMware are starting to open up options of hardware in this release which will make Cloud Foundation to suitable for many more organisations who are looking to upgrade or deploy a new SDDC or to put them on the path to the hybrid cloud journey via NSX hybrid connect. 

If you are interested in VMware cloud services and solutions and want to know how they can benefit your organisation Xtravirt can help. We provide advisory, design and implementation services to create the right solution for your organisation. Contact us and we’ll be happy to use our wealth of knowledge and experience to assist you. 

About the Author

Nick Goldman is a Senior Consultant within the Xtravirt consulting team. He is an experienced infrastructure consultant with experience in both technical architecture and hands-on implementation. His areas of expertise include virtualisation solutions based on the VMware stack and Microsoft based infrastructure solutions.

About Xtravirt

Xtravirt are an experienced consulting firm dedicated to delivering outcomes to help customers solve their IT challenges. We design and build strategies to help customers unlock the full potential of cloud, datacentre and workspace technology.

We are the VMware Global and EMEA Professional Services partner of the year.

www.xtravirt.com

By Curtis Brown

As an efficient and secure platform, VMware vSphere® provides a powerful and flexible foundation for business that accelerates the transformation to hybrid cloud. With vSphere you can support new workloads and use cases while keeping pace with the growing needs and complexity of the SDDC infrastructure.

One of the announcements that coincided with this years VMworld 2018 event in Las Vegas was VMware vSphere 6.7 Update 1 and a new variant of VMware vSphere – Platinum Edition. In this blog I look at the main highlights of this new release and the related new edition.

Platinum Edition

Platinum Edition sits above VMware vSphere Enterprise Plus, inheriting its feature set but adds the following:

VMware AppDefense
VMware AppDefense is an integrated component in Platinum Edition. It provides a powerful, yet interesting approach to security.  Rather than taking the approach of actively monitoring for expected threat vectors (such as monitoring TCP/UDP ports, looking for malware etc), AppDefense uses machine learning to establish knowledge of the ‘known good’ state of a VM – it is aware of what traffic comes from, or travels to, the VM and so picks up how the VM behaves in normal operation.

If the VM strays from this normal operation, AppDefense raises the alarm. Taking this approach is more resource efficient than active solutions seeking known vectors, while also providing greater coverage for new attack vectors by watching for changes in behaviour from ‘known good’ rather than trying to look for ‘known bad’.

Credits for VMWare Cloud on AWS
For those purchasing 5 vCPUs or more, VMware will include $10,000 worth of AWS credits as part of a promotion once Platinum Edition is released as General Availability.

vSphere 6.7 Update 1

In parallel to the release of Platinum edition, VMware vSphere reaches 6.7 Update 1.  This builds upon the previous 6.7 release by adding the following:

• VM Encryption meeting US Government FIPS 140-2 Validation requirements as well as encryption of cross-vCenter vMotion traffic.
  
• Support for Trusted Platform Module (TPM) 2.0:
  
• At the hardware level, providing security for the ESXi installation itself.
• At the VM level as a virtual TPM to allow features such as Microsoft Virtualization Based Security to be enabled fully.
• Improvements in Security Access Logging for audit purposes.
  
• Fully featured HTML5 vSphere Client covering all vSphere capabilities.
  
• Enhanced Content Library
  

Closing Thoughts

VMware vSphere, by VMware’s own admission, is now a mature product, however, it continues to evolve providing enhancements to manageability, performance and security. It probably doesn’t get the attention it deserves, but as the underpinning of most of VMware’s solutions, vSphere is as important as ever to VMware.

In light of the imminent end of support for VMware vSphere 5.5, the release of 6.7 Update 1 emphasises the importance of maintaining currency with the latest release, not merely for shiny new features, but to maintain and enhance security in an ever-dangerous world.

Xtravirt is a leading cloud and virtualisation consultancy and VMware specialist with the ultimate combination of deep experience and agility to design and deliver IT transformations. We are also the VMware Global Professional Services Partner of the Year.

If you need assistance in getting the best from VMware vSphere, please contact us, and we’d be happy to use our wealth of knowledge and experience to assist you.

Useful links

Under the Hood - VMware vSphere Platinum Edition

Under the Hood – vSphere 6.7 update 1

Xtravirt Upgrade Service for VMware vSphere

Virtualisation health check service for VMware vSphere

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He was awarded VMware vExpert 2018.

By Curtis Brown

The somewhat anticipated release of VMware vSphere 6.7 Update 1 is now with us.  So, the burning question now is “Can I upgrade?”.  The answer is not quite as simple as a yes or no as this is always a mine field, particularly where interoperability is concerned.  My intention with this article is to save you some of the leg work with respect to investigating product interoperability.

However please note, this article doesn’t dig into hardware compatibility, or compatibility with third party products, simply because of the vast array of possible scenarios.

Compatibility with Horizon View 7

The most common starting point is VMware Horizon 7 itself.   By checking the VMware product Interoperability Matrix, we can see that the minimum release of VMware Horizon that is validated with VMware vSphere 6.7 Update 1 is the latest release, 7.6.

VMware Horizon 7.6 - COMPATIBLE

VMware App Volumes

VMware App Volumes 2.14 and the more recent patch release are both listed as a valid configuration.  This would also be the recommended release for use with VMware Horizon 7.6, although it has quite a generous level of backward compatibility.

One observation of note is that the poorly adopted cul-de-sac release 3.0 product has not been validated against 6.7, but as this was explicitly incompatible with 6.5, so this is not particularly surprising.

VMware App Volumes 2.14.2 - COMPATIBLE

VMware vRealize Operations for Horizon

With respect to VMware vRealize Operations support in general, release 6.6.1 or later is required.  This is driven by vSphere rather than Horizon which can work with older vROps releases.

For a VMware Horizon environment running on VMware vSphere 6.7 Update 1, the VMware vRealize Operations for Horizon plugin needs to be on 6.6.0 to support VMware Horizon 7.6 to retain compatibility through to VMware vSphere.

However, care should be taken with the compatibility between the Horizon plugin and vRealize Operations itself.  As the Horizon component only supports Horizon 7.6 directly on release 6.6.0 of the plugin, the interoperability matrix dictates that VMware vRealize Operations should be running on release 6.7.

VMware vRealize Operations Manager 6.7 - COMPATIBLE
VMware vRealize Operations for Horizon 6.6 - COMPATIBLE

Of course, for features, guest operating system compatibility, the latest version is recommended.

VMware User Environment Manager 9.5 - COMPATIBLE

VMware NSX for vSphere

Although not every VMware Horizon deployment uses VMware NSX, it’s included to flag a possible concern. With respect to straight VMware vSphere interoperability, VMware NSX for vSphere 6.4.2 and 6.4.3 both support for vSphere 6.7 Update 1.  However, the supported Horizon release (7.6) has yet to be validated with NSX 6.4.2 or 6.4.3.  This is  unlikely to cause an issue, and validation is likely to be only a matter of time, though it may be enough to cause a pause for thought.

VMware NSX for vSphere 6.4.3 - SUBJECT TO CONFIRMATION BY VMware REGARDING HORIZON 7.6

Upgrading Desktop Templates

With respect to upgrading templates, the back-end components should be upgraded prior to the agents within the image.  As such, upgrading this rather depends on how many change windows are being used to upgrade the above components.  In all cases, VMware have limited support for backward compatibility for agents, so there is flexibility here.  The VM templates have the following components/dependencies:

• VMware App Volumes Agent – used for registering the VM and the logged in user to App Volumes manager.
  
• VMware UEM Agent – used for managing the user persona via UEM.
  
• VMware vRealize Operations for Horizon Agent – although a version is integrated as part of the VMware Horizon Agent, for full functionality in line with the release of vRealize Operations for Horizon, the dedicated agent is recommended.
  
• VMware Horizon Agent – this is used to provide components for managing deployment, assignment and the remote desktop protocol to the desktop.  It is recommended that this is installed after VMware Tools has been upgraded.
  
• VMware Tools – required for interaction with vSphere, as well as providing optimised device drivers for the guest OS.
  
• The VM virtual hardware version – this is defined by the VMware ESXi release. Upgrading should only be carried out once VMware Tools are upgraded but can be beneficial for performance reasons.
  

Where hardware GPUs are deployed, there are further considerations.  For example, if the templates are deployed using a vDGA (Dedicated Graphics) or Nvidia vGPU configuration, further investigation into supported Nvidia drivers should be carried out.

What to upgrade first?

Where to start upgrading will be driven from your starting point, so it’s well worth looking at compatibility of the release that you’re starting at with the relevant components.

Upgrading VMware vRealize Operations and the Horizon plugin is likely to be the best starting point as this supports all the monitored components backwards for a number of releases. In addition, it is the least disruptive activity for users.

After this, updating App Volumes Managers would be the next step.

Upgrading VMware Horizon follows the order it has always followed – VMware Composer, followed by Connection Servers and Security Servers.  The recommendation, however, would be to take the time to retire any Security Servers and replace them with VMware Unified Access Gateway appliances instead.

Where deployed, VMware NSX would be next on the list..

After this, the vCenter upgrade followed by the VMware ESXi hosts should take place.  In the case of the latter, as mentioned previously, pay close attention where hardware GPUs are deployed as this may need upgraded drivers and software in-line with the vSphere release.  If vSAN is deployed, this would take place as the closing step of upgrading all the ESXi hosts in the cluster, ensuring that there is enough space to carry out such an upgrade.

With respect to the desktop templates, upgrading of components can be staged, but the supporting services must be in place first.

Closing Thoughts

Although there are a fair few items to consider, so long as the components are upgraded with consideration to each other and in the proper order, it’s possible to uplift the entire stack to support VMware vSphere 6.7 Update 1.  The only caveat is the lack of interoperability testing  between releases of VMware Horizon 7.6 and NSX 6.4, though it should be remembered that there is no direct connection between the two products and VMware have yet to actually publish test results for this combination.

If you are looking to get the best from VMware infrastructure and understand your upgrade and compatibility options, please contact us, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He was awarded VMware vExpert 2018 and is a graduate of the VMware Advanced Architecture Course 2018.

About Xtravirt

Xtravirt are an experienced consulting firm dedicated to delivering outcomes to help customers solve their IT challenges. We design and build strategies to help customers unlock the full potential of cloud, datacentre and workspace technology.

We are the VMware Global and EMEA Professional Services partner of the year.

www.xtravirt.com

by Curtis Brown

In a time where security is top of mind, patch management for both the health and security of a VMware vSphere® estate has never been more important.

VMware vSphere® Update Manager™ is an essential, but often under-appreciated part of VMware vSphere. However, punching VMware vCenter® straight out to the internet may not be an attractive option for several reasons, most notably security, but also scaling. If you have a large estate with many vCenter servers and Update Managers, do you want all of them pulling down updates straight from VMware?

VMware Update Manager Download Service is a software solution that provides the means to place an intervening server between Update Manager (or multiple Update Manager installations) and the internet.  It can be used as a host for updates itself, or it can be configured to publish the updates on an upstream web server.

Previous releases only supported Windows, however, we can now deploy a Linux derivative, permitting a more solid appliance to be constructed.  The guidance in this article is a combination of VMware’s documentation, guidance from noted VMware blogger William Lam and my own testing.

 Installation of UMDS on Linux

The first step is to prepare a Linux server.  For this deployment, Ubuntu 14.04 was used.  Ideally, this should be provided with a static IP address for ease of use. I tested a multi-homed configuration with an external and internal connection which worked fine.

The next step is to prepare the VM for UMDS and then install it.

Install the following pre-requisite components for Linux:

• perl

• tar

• sed

• psmisc

• unixodbc

• postgresql

• postgresql-contrib

• odbc-postgresql

William Lam has a really elegant script that automates this: (http://www.virtuallyghetto.com/2016/11/automating-the-installation-of-vum-update-manager-download-service-umds-for-linux-in-vsphere-6-5.html)

Once these are in place, it creates a PostGreSQL database and sets up a local ODBC connection to it, including establishing authentication to allow UMDS to access the database.  The script creates an answer file to configure the UMDS installation prior to installing it. This is explained very well in William’s blog post referenced above.

At this point we have a UMDS server up and running, which can be confirmed by running:

/usr/local/vmware-umds/bin/vmware-umds -v

Configuration of UMDS

Once UMDS is in place, it needs to be configured.  The commands are identical to the Windows release of UMDS.

Existing configuration can be checked by running the following command:

/usr/local/vmware-umds/bin/vmware-umds -G

This will show the following:

·        Configured URLs – where UMDS is configured to pull patches down from.  We can add vendor URLs to this, but the default VMware depots are listed.

·        Patch Store location – where UMDS will download files to.  The default is /var/lib/vmware-umds.

·        Export Store Location – we can specify a remote location where UMDS can export patches to – we won’t be using this here, but vmware-umds -o [ –default-export-store] (path) can configure this.

·        Proxy Server – where needed, proxy server values can be configured using vmware-umds -p.

·        Patch Content – we can select whether to enable Host and Virtual Appliance patching and define which Host Releases we wish to support.

Let’s go through some of these, firstly deciding what content to download.

Selecting whether to enable Host or VA support is simple – we run vmware-umds with the -S option.  For example, the following will prevent download of VA patches but enable Host patches:

/usr/local/vmware-umds/bin/vmware-umds -S –enable-host –disable-va

For Host patches, we can refine which releases we wish to support.  Again, this uses the -S switch.  The example below disables ESX 5.0 patching.  To enable a release, substitute -d for a -e:

/usr/local/vmware-umds/bin/vmware-umds -S -e embeddedEsx5.0.0-INTL

Next, we might want to add third party download sources for vendor-specific patches.  Obviously, you’ll need the URL for their repository. Use –remove to remove a URL.  

/usr/local/vmware-umds/bin/vmware-umds -S –add-url https://host_URL/index.xml –url-type HOST

To select where to download to, we use:

/usr/local/vmware-umds/bin/vmware-umds -S –patch-store your_new_patchstore_folder

The default in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager while the default location in 64-bit Linux is /usr/local/vmware-umds.

Running the -G command again gives us the following:

In our example, we’ve left the default configuration for the URLs and patch store, but have restricted ourselves to just ESXi 6.5 host patches.

Once all this is set as required, we need to download the patches from VMware.  The command for this is straight forward:

/usr/local/vmware-umds/bin/vmware-umds -D

This can be set up as a scheduled task in Linux by configuring crontab.  If we need to, we can re-download patches using -R and specifying a date range as per the following example.

/vmware-umds -R –start-time 2010-11-01T00:00:00 –end-time 2010-11-30T23:59:59

At this point we have a populated UMDS server. A simple listing of our UMDS patch store shows our content:

We then need to either export the content to an upstream location or host it on our UMDS server for collection by the VMware Update Manager installation.  VMware Update Manager can only use a local path or a Web Server URL as a local repository - the latter option is preferred.  If we have an upstream repository set up, we can use the **-E **command to upload the content.

We’ll focus on setting up a web server on our UMDS server.

Setting up Nginx to serve UMDS content

VMware provide this guidance as part of their validated design – and it’s relatively simple to use to provide a persistent web server.

Firstly, we install Nginx. A simple one-liner will suffice (though you’ll need the root password!)

sudo apt-get -y install nginx

Once complete, we need to allow access to our UMDS Patch Store:

sudo chmod -R 755 /var/lib/vmware-umds

Next, we copy out the default Nginx configuration file to create one for UMDS.  We then edit this using a text editor such as vi or nano – I’ll use vi:

sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/umds

sudo vi /etc/nginx/sites-available/umds

The amendments we make are highlighted in green below.  We amend the root path to our UMDS patch store, add the DNS short name and Fully Qualified Domain Name, and turn on autoindexing.

**               server {**

**             listen 80 default_server;**

**             listen [::]:80 default_server ipv6only=on;**

**                       root /var/lib/vmware-umds** ;      

**             index index.html index.htm;**

**                       # Make site accessible from http://localhost/**

**             server_name localhost exampleumds exampleumds.domain.local;**

**                       location / {**

**                     # First attempt to serve request as file, then**

**                             # as directory, then fall back to displaying a 404.**

**                                            try_files $uri $uri/ =404;**

**                             # Uncomment to enable naxsi on this location**

**                             # include /etc/nginx/naxsi.rules**

**                               autoindex on;**

**             }**

We then delete the default configuration, enable our UMDS configuration and restart Nginx.

sudo rm /etc/nginx/sites-enabled/default

sudo ln -s /etc/nginx/sites-available/umds /etc/nginx/sites-enabled/

sudo service nginx restart

We should then be able to browse our UMDS patch store.

Configuring VMware Update Manager

Configuring VMware Update Manager to use a Shared Repository is a straight forward process.

From the Home Menu, select VMware Update Manager; then select the Update Manager from the Server list and go to the Settings Tab.

Pick Download Settings from the left-hand menu and select Edit Download Sources.  As per shown below, select Shared Repository and enter a URL.

VUM will validate this setting.  After that, we can download our patches into Update manager and then it’s business as usual. Set up Baselines, scan and remediate as you would do when Update Manager pulls directly from VMware.

Closing Thoughts….

With this approach, we can provide a secure gap between VMware vCenter and the internet and still retrieve updates.  One downside of the new VMware Update Manager integration with VMware vSAN in VMware vSphere 6.5 Update 1 is that vSAN requires a direct connection to VMware in order to establish vSAN Baselines.  Currently, proxying of this through UMDS is not possible, so if this functionality is required, then vCenter will still need some internet connectivity, though at least the patch downloads are segregated.

If you need assistance in getting the best from your VMware vSphere estate,  please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He is a VMware vExpert 2017.

By Michal Grzeszczak

OLD WORLD

The landscape of modern IT is constantly evolving and an aggressive shift towards the software defined data centre is arising. Nowadays, virtualisation of storage and networking is becoming as, or even more important than the virtualisation of compute. In this rapidly transforming realm, traditional networking and security can’t keep up with location-agnostic and application-centric workloads and even if they could, there are now simply better ways to solve the problems occurring in traditionally managed data centres. Security, agility, automation and visibility are the key areas where there is a need for new tooling. During a recent customer engagement, we faced all of these issues and to mitigate them, VMware NSX® and VMware vRealize® Network Insight™ (vRNI) were deployed in the environment.  

BACKGROUND

The customer’s main business objective is to provide IT services to a number of hospitals. Security regulations in the health care world (the likes of HIPPA) can be difficult to comply with, especially with traditional security methods such as using perimeter firewalls for east-west traffic control. The customer had an old data centre that contained both virtual and physical workloads, 200+ undocumented applications, Cisco 6500s core switches and Cisco ASA firewalls. As they were facing multiple challenges with this setup, the decision was made to engage Xtravirt to migrate to a new NSX based data centre.

CHALLENGES

The main challenge the customer had in their previous environment was application traffic visibility, namely the 200+ applications without proper documentation outlining necessary ports to be open in the firewall. The communication between the networking team and application team wasn’t as smooth as one could hope for either which created unnecessary holes in the overall security posture of the company’s IT department. Multiple DMZs from the Cisco ASA firewall did not scale well and the rule sprawl was becoming a problem. The security team was working reactively instead of pro-actively - a known issue with the traditional approach. All of these issues led to the environment becoming unmanageable.

To sum up the challenges:

• Lack of visibility of the East-West traffic - resulting in poor understanding of the application flows and complicating the security policy, therefore becoming difficult to manage.
  

• Communication breakdown between IT teams - back and forth email exchange proves time consuming and slows down the deployments or changes, identifying a need for a tool to provide a “source of truth” of what is actually happening in the environment. 
  

• Hair-Pinning to the perimeter firewalls and routers - sending traffic for inspection to the physical firewalls and routing to the core switches, even if the workloads reside on the same host. That is a waste of bandwidth. Also, latency sensitive applications might be affected. 
  

 GOALS

The customer decided to build a new data centre with NSX for micro-segmentation and vRNI for visibility and security planning. The next step was to migrate the applications from the old environment to a new one, then monitor traffic flows of the applications to create an adequate security policy.

 Goals communicated before the engagement:

• Use vRNI to monitor applications and services that are running in the current data centre to get a clear picture of the network flows before the migration of the applications to the new data centre. 
  
• Use vRNI to plan security policies for the environment based on the observed flows as opposed to the (lacking) documentation from the application team. 
  
• Design a security policy using NSX, based on the vRNI outcome. 
  
• Monitor the entire network, both virtual and physical workloads to get the full picture of what is happening in the environment. Then design an alert system using vRNI that will help with monitoring and troubleshooting. 

D-DAY

After adding Virtual Distributed Switches as Data Sources in the vRNI we watched traffic flows of the applications. With a few clicks, we were able to see all the traffic - ports, protocols, IP addresses - to and from any selected application. To define an application in the vRNI we simply specify the workloads that are relevant. Then the visual graph shows all necessary information as well as recommended firewall rules. We could export interesting data in the CSV file format readable in Excel and use that as a base for Security Rules creation. It is recommended to collect the flows of the application for some time, like a day or two, as not all the ports of the applications are used in the given moment. It could be a good idea to send a request to the DevOps team to sweep through all the functionality of the application, just to make sure all the traffic needed to be allowed in the firewall is actually there in the output graph of vRNI. By default, vRNI collects data every 5 minutes. 

Next steps involved creating a Security Policy using a distributed firewall - kernel based East-West firewall used for micro-segmentation. The decision was made to use Security Tags for all of the virtual workloads and IPsets for external ones. 

• The Security Tags allow for dynamic assignment of VMs. For example - you could create a Security Tag called “Web” and configure a Security Policy that will automatically add VMs with the name that contains “Web” to a specific Security Group. This is a useful feature as workloads quite often change IP addresses and location. We are simply shifting from network-based security to an object-based one that allows for agile and location-agnostic applications. 
  
• IPsets are sets of IP Addresses, subnets or a group of subnets that specify the scope of affected workloads for a given Security Group. In the customer’s environment, the zero-trust model was implemented which means that only necessary traffic is allowed on the Distributed Firewall and everything else is dropped. This type of design ensures maximum security. 

Next, the vRNI notification system was used for monitoring the new Data Centre. There are two types of notifications:

• System notifications, which are pre-defined. The list of notifications contains 100 of the most commonly appearing issues customers face during a deployment. For example, this could be a loss of network connection of the NSX Edge routers.  
  
• User notifications are defined by user and are very simple to set up. One can simply use a search bar to search for a specific query, for example, Change in the Application “App1” - and create a notification alert with the click of a mouse. Both System and User notifications are customisable. You can specify the severity of the alerts and tags to make searching for the problem easier and quicker, and contact recipients by email to notify a specific person or a team about an issue.  

RESULTS

Quite simply, they are spectacular. In my opinion, none of the solutions available on the market could solve the customer challenges like NSX and vRNI. All the goals were met and challenges mitigated. The customer now has a new health care compliant and scalable data centre with full visibility of both physical and virtual traffic. The customer also has a solution that is centrally managed and application-centric with an agile security policy, plus a customised notification system for monitoring and troubleshooting. 

ONE STEP AHEAD

VMware appears to be reading the future pretty well; by being flexible and adjusting to the market needs, this virtualisation pioneer managed to create a one stop shop for every IT requirement. With the acquisitions of Nicira and Arkin respectively, VMware expanded their catalogue with two extremely powerful and market changing solutions - NSX and vRNI. The first providing micro-segmentation, logical switching/routing and load balancing to name a few, and the second allowing for full visibility of physical/virtual networks and assisting in security planning. The fact that these two work together and give so many unique features is a game changer in the industry. Adding to the mix products like vSAN for storage virtualisation and vRA for automation, makes it even more interesting - all in software, all managed from your browser, location-agnostic and application-centric. This is a software defined revolution and it is happening right now. Join it and stay ahead of the game. 

Xtravirt is a leading VMware NSX specialist and has the ultimate combination of deep experience and agility to design and deliver your IT transformation. If software-defined networking is on your roadmap then contact us today.

To find out more visit: https://xtravirt.com/nsx/

About the author

Michal Grzeszczak joined the Xtravirt consulting team in September 2017. He has an in-depth understanding of NSX along with experience in software-defined networking, virtualization and data centre support.

by Curtis Brown

VMware NSX® network virtualisation platform has been around for a little while now delivering an operational model for networking that forms the foundation of the Software-Defined-Data-Centre.  It’s often associated more with server virtualisation or as a component within a Cloud Automation solution and with good reason; it’s readily able to deliver a scaled, secure environment, while providing several mechanisms to deliver advanced network functionality such as firewalling, load balancing and anti-malware protection.  However, one area where its application is frequently overlooked is in the world of End User Compute – more specifically virtual desktop infrastructure.

Wouldn’t it be nice if…

Consider a full-on Horizon deployment (though, to be fair, these components could be replaced in the most part for an element of your choice) –

•  Horizon View – This will publish Virtual Desktops in Pools, with these pools assigned to Active Directory based Groups/Users.
• App Volumes – This gives you a mechanism for delivering defined stacks of applications to the Virtual Desktops.Again, you can assign using Groups or users.
• User Environment Manager – You use this to manage environmental and application settings.

 So, you have the mechanisms in place to deliver Virtual Desktops, complete with some granular application and settings delivery.  This is all pretty good, but wouldn’t it be nice if you could provide some intelligent network capabilities too?

Finetuned Firewalling.

Now take VMware NSX - this has some nice features that you can leverage in a VDI estate.

One of the key areas of concern is hardening the estate.  There’s been a pretty big play in the NSX world around using NSX to provide segmentation – both at a macro level, separating workloads into different VXLANs on virtual switches – and at the micro level using the Distributed Firewall to provide firewall rules at the Vmnic. Both strategies can be used here.

You can also separate Pools at a macro level or a micro level if you wish to, with the latter being particularly interesting.

The Distributed Firewall can provide a great deal of flexibility when defining firewall rules and can leverage several different identifiers, including vSphere entities and Active Directory objects.  Using these, you can generate a rule bases to lock down traffic quite tightly, in conjunction with the VDI solution and application delivery mechanism.  Take this example:

You can set up a standard DFW ruleset that applies to your desktops that will prevent traffic between the virtual desktops, while still providing the core services and application support for anything required for the desktop. This means you can control LDAP traffic between the desktops and Domain Controllers or PCoIP between the desktops, the Connection Servers or direct to physical endpoints if you wish.

 With App Volumes, you can define an AppStack with several applications which may well have discrete client/server network traffic requirements.  The DFW can apply rules based upon the user logged into the desktop, so you can create and apply rules specific for these client server applications and tie them to the same Active Directory object that applies the AppStack.

 The net result is that you end up with a combined ruleset applied to a desktop that is not just tied to a broad pool, but also to discrete needs for users within the pool. This provides strict granular access based upon the needs of the desktop and the application set for the user.  And let’s remember that this is applied at the desktop’s connection to the network – not at any perimeter level.

Malware Protection

NSX also provides the ability to integrate a compatible antivirus/antimalware solution into the mix. This is not, however, limited to the more publicised Guest Introspection where virus scanning is offloaded at the hypervisor level.  NSX can also integrate with both virtual and physical appliances such as Fortigate for intrusion detection, perimeter firewalling and more.

At the Infrastructure Level

As with any VDI estate, you have the upstream infrastructure to consider, several services can be provided here too.  

Using VMware NSX Edge Gateway appliances, you can provide perimeter firewalling between networks.

For Horizon View, both Connection Servers as well as Access Gateways/Security Servers require Load Balancers, as do App Volumes Managers.  The NSX Edge appliances are capable of being configured to provide load balancing services.

Perimeter firewalling using NSX Edge can also be provided, so you can have a DMZ layer for the Security Servers/Access Gateways as well.

Generally speaking, you could deploy something like this for the Horizon View management environment:

Our external traffic accesses the estate via a pair of NSX Edge Gateways, serving as firewall and load balancer for a pair of VMware User Access Gateways.  These are configured as two-legged, tunnelling into the vSwitch beneath, where you have a dedicated NSX Edge appliance load balancing the Connection servers.  This internal load balancer is also used by internal users who connect in via an L2 bridge or NSX Edge as appropriate.

 You then deploy NSX for the Desktop blocks as well, in order to provide the previously mentioned firewalling and malware protection for a secure end-to-end solution.

Closing Thoughts…

With NSX, it’s possible to turbo-charge the security for a VDI desktop environment in a manner that can be applied regardless of the choice of broker solution – the above would work just as well in a third party VDI solution such as Citrix XenApp or, perhaps more importantly, XenDesktop, not just VMware Horizon.  The ability to dynamically set and operate firewalling on egress outside of the guest Operating System means that such firewalling cannot be tampered with from within the VDI desktop, which might be useful in environments where desktops are used with untrusted users (public kiosks for example).

If you’re interested in exploring the combination of VMware NSX network virtualisation in a VDI estate, please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He is a VMware vExpert 2017.

by Michal Grzeszczak

My name is Michal Grzeszczak and I am a senior consultant at Xtravirt (www.xtravirt.com), an independent cloud consulting business and VMware Master Services Competent Partner.  In this blog, I’d like to share with you my experience of L2 bridging with VMware® NSX-T Data Center and help you to understand some of the differences between NSX-T and NSX-V, as well as cover some NSX use cases.  

Customer background:

The customer is one of the leading organisations in the betting and gambling industry and have been using NSX-V for some time now. When it came to their new greenfield environment, they decided to deploy NSX-T 2.4 Data Center. This decision was largely based on the fact that NSX-T Data Center provides bridging firewalls natively for L2 software bridging, which was their main requirement. Also, given that NSX-T will be the de facto network and security virtualisation platform offered by VMware going forward, by specifying it for this environment the customer is able to future proof the deployment. 

Future upgrades are also accounted for as upgrading from NSX-T 2.4 to future NSX-T releases is simpler than performing upgrades from a previous version of V or T.

NSX-T 2.4 was a major update and brought many changes to the architecture of the product, the main ones being:

• The NSX Manager and NSX Controllers were merged into one appliance deployed in a Cluster of 3 Nodes therefore minimising the footprint of the solution and operational complexity. 
• The other major change was the introduction of the new Simplified UI which “requires just the bare minimum of user input, offering strong default values with prescriptive guidance for ease of use. This means fewer clicks and page hops are required to complete configuration tasks.”

NOTE: In NSX 2.4 two UIs are presented - one is the new Simplified UI, the other one is Advanced. The latter is taken from NSX-T 2.3. The future plan is to remove the Advanced UI and provide all of the functionality via the Simplified UI.

 What are the key benefits of choosing NSX-T over NSX-V?

 There are many benefits of NSX-T over NSX-V, to name a few:

• NSX-T doesn’t require vCenter, however it can be added to NSX-T as a Compute Manager and allows for up to 16 Compute Managers per NSX 2.4 solution . There is no longer a 1:1 requirement like there was with NSX-V. 
• KVM Hypervisor support
• Bare Metal Edges provide sub-second failover 
• Data Plane Development Kit (DPDK) Optimising Forwarding - DPDK is a set of data plane libraries and network interface controller drivers for fast packet processing
• New, more flexible Overlay technology - Geneve replaces     VXLAN  https://docs.vmware.com/en/VMware-Validated-Design/4.3/com.vmware.vvd.sddc-nsxt-design.doc/GUID-CF3C47CA-9BEB-4213-8F08-1494261BF3EC.html 
• Bi-directional Forwarding Detection support
• BGP (Border Gateway Protocol) expanded functionality with features like Route Maps
• Much clearer User Interface (UI)

What were the specific use cases for this case customer and the design considerations?

USE CASE 1 - NSX-T Edge L2 Bridging - Integration of physical, non-virtualised database servers that require L2 connectivity to the virtualised environment. 

Design considerations:

• In NSX-T 2.4 two options are possible to bridge L2 workloads - using ESXi Bridge Clusters or Edge Bridge Profiles. The latter is recommended to use as the former will be deprecated in future. 
• Ideally the use of dedicated Bare Metal Edges, however this is not a requirement. 
• The possibility to deploy Edge Bridges in collapsed vSphere Clusters >     Management + Edge or Compute + Edge
• Consider having active and standby Edge Nodes on different hosts to avoid throughput drop, because VLAN traffic needs to be forwarded to both Edge Nodes in promiscuous mode.
• Overlay traffic can be tagged on a Distributed Port Group or Uplink Profile, but please avoid double tagging. 
• VLAN traffic should not be tagged on the Uplink Profile.
• Distributed Port Group for VLAN traffic connecting to the Edge Node should be in a Trunk Mode. The reason for this is due to the fact that Edge doing Bridging adds 802.1Q tag when transposing Overlay traffic to VLAN. 
• Consider having the same MTU value across your environment - if you can, choose MTU of 9000 for better performance. 
• Several Bridge Profiles can be configured, and a given Edge can belong to several Bridge Profiles. By creating two separate Bridge Profiles, alternating active and backup Edge in the configuration, the user can easily make sure that two Edge nodes simultaneously bridge traffic between Overlay and VLAN

Constraints:

• Edge Cluster with minimum 2 Edge Nodes in Active/Standby mode is needed.
• Standby uplinks are not supported on the Edge Node.
• Source Based Load Based Teaming is not supported on the Edge Node.
• The port group on the VSS/VDS sending and receiving traffic on the VLAN side should be in promiscuous mode, allowing MAC Address changes and Forge Transmits.

Deployment:

• Follow the deployment guide here - https://youtu.be/IwpujflzJhY 
• Or here https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.3/com.vmware.nsxt.admin.doc/GUID-7B21DF3D-C9DB-4C10-A32F-B16642266538.html 

Validation:

• Log in to the Edge Node with your credentials.
• Type “nsxcli”.
• “Get l2bridge-ports-config” will show the Bridge Port State (Active Edge will have Forwarding, Standby will have Stopped), VLAN ID configured and Bridge UUID which can be copied and used to do a packet capture on the Edge Node.
• To do the packet capture type “start capture interface “copied Bridge UUID” and hit enter, ping from VM to Physical Server to see the flows. 

USE CASE 2 - NSX bridging firewall - Secure communication between physical database servers and Overlay workloads.

• The configuration of the bridging firewall can be done currently only on the Advanced UI.
• Security rules are configured per Logical Switch aka Segment in Simplified UI. 
• NSX-T grouping objects like NSGroups can be used to provide abstraction from the IP based approach.

USE CASE 3 - vRealize Network Insight - Monitoring tool that can provide visibility into both Physical and Virtual environments. 

• NSX-T 2.4 is fully supported with the latest vRealize Network Insight version 4.1.
• Make sure you are allowing ports for communication between vRNI and other devices after the deployment. For example, ESXi Hosts to vRNI Collector on UDP 2055. The full list of ports needed can be found here - https://docs.vmware.com/en/VMware-vRealize-Network-Insight/3.9/com.vmware.vrni.install.doc/GUID-FDDA5F2F-7C3B-472A-A17D-39582FBD5996.html 
• There is a new website that provides in-depth information about new features in vRNI, definitely worth visiting - https://vrealize.vmware.com/t/vmware-network-management/  

What were the outcomes?

Overall, this deployment was a complete success as we were able to satisfy all of the requirements that the customer had. All the production physical databases were able to communicate on the same L2 segments, virtualised and connected to NSX-T segments workloads. On top of that, communication between those workloads was secured by NSX-T Bridging Firewall. vRealize Network Insight was used to provide visibility into the environment. Its ability to quickly troubleshoot network and firewall related issues in both virtual and physical realms allows admins to take a breath in the never-ending battle of making the networks stable.

I hope you enjoyed my blog, if you’d like to talk to Xtravirt about your business’s networking and security requirements, then please send an email to info@xtravirt.com

Some Useful links:

You can read more about the NSX-T 2.4 release here: https://blogs.vmware.com/networkvirtualization/2019/02/introducing-nsx-t-2-4-a-landmark-release-in-the-history-of-nsx.html/