Author Archives: Anthony Spiteri

NSX Bytes: Updated – NSX Edge Feature and Performance Matrix

For a few years now I’ve been compiling features and throughput numbers for NSX Edge Services Gateways. This started off comparing features and performance metrics between vShield Edges and NSX Edges. As the product evolves, so do its capabilities, and given the last time I updated this was around the time of NSX-v 6.2, I thought it was time for an update.

A reminder that VMware announced the End of Availability (“EOA”) of VMware vCloud Networking and Security 5.5.x, which kicked in on September 19, 2016, and that from vCloud Director 8.10 and above vShield Edges are no longer supported…hence why I don’t have the VSE listed in the tables. For those still running VSEs for whatever reason, you can reference my original post here.

As a refresher…what is an Edge device?

The Edge Services Gateway (NSX-v) connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, dynamic routing, and Load Balancing. Common deployments of Edges include the DMZ, VPN Extranets, and multi-tenant Cloud environments where the Edge creates virtual boundaries for each tenant.

The following relates to ESG maximums per NSX and ESXi maximums.

| Item | Maximums |
| --- | --- |
| ESGs per NSX Manager | 2,000 |
| ESGs per ESXi Host | 250 |
| ESG Interfaces | 10 (Including Internal, Uplink and Trunk) |
| ESG Subinterfaces | 200 |

The function of an ESG is as follows:

The ESG gives you access to all NSX Edge services such as firewall, NAT, DHCP, VPN, load balancing, and high availability. You can install multiple ESG virtual appliances in a datacenter. Each ESG virtual appliance can have a total of ten uplink and internal network interfaces. With a trunk, an ESG can have up to 200 subinterfaces. The internal interfaces connect to secured port groups and act as the gateway for all protected virtual machines in the port group. The subnet assigned to the internal interface can be a publicly routed IP space or a NATed/routed RFC 1918 private space. Firewall rules and other NSX Edge services are enforced on traffic between network interfaces.

Below is a list of services provided by the NSX Edge.

| Service | Description |
| --- | --- |
| Firewall | Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for all protocols |
| NAT | Separate controls for Source and Destination IP addresses, as well as port translation |
| DHCP | Configuration of IP pools, gateways, DNS servers, and search domains |
| Site to Site VPN | Uses standardized IPsec protocol settings to interoperate with all major VPN vendors |
| SSL VPN | SSL VPN-Plus enables remote users to connect securely to private networks behind an NSX Edge gateway |
| Load Balancing | Simple and dynamically configurable virtual IP addresses and server groups |
| High Availability | High availability ensures an active NSX Edge on the network in case the primary NSX Edge virtual machine is unavailable |
| Syslog | Syslog export for all services to remote servers |
| L2 VPN | Provides the ability to stretch your L2 network. |
| Dynamic Routing | Provides the necessary forwarding information between layer 2 broadcast domains, thereby allowing you to decrease layer 2 broadcast domains and improve network efficiency and scale. Provides North-South connectivity, thereby enabling tenants to access public networks. |

Below is a table that shows the different sizes of each edge appliance and what (if any) impact that has on the performance of each service. As a disclaimer, the below numbers have been cherry picked from different sources and are subject to change.

| | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) |
| --- | --- | --- | --- | --- |
| vCPU | 1 | 2 | 4 | 6 |
| Memory | 512MB | 1GB | 1GB | 8GB |
| Disk | 512MB | 512MB | 512MB | 4.5GB + 4GB |
| Interfaces | 10 | 10 | 10 | 10 |
| Sub Interfaces (Trunk) | 200 | 200 | 200 | 200 |
| NAT Rules | 2,048 | 4,096 | 4,096 | 8,192 |
| ARP Entries Until Overwrite | 1,024 | 2,048 | 2,048 | 2,048 |
| FW Rules | 2000 | 2000 | 2000 | 2000 |
| FW Performance | 3Gbps | 9.7Gbps | 9.7Gbps | 9.7Gbps |
| DHCP Pools | 20,000 | 20,000 | 20,000 | 20,000 |
| ECMP Paths | 8 | 8 | 8 | 8 |
| Static Routes | 2,048 | 2,048 | 2,048 | 2,048 |
| LB Pools | 64 | 64 | 64 | 1,024 |
| LB Virtual Servers | 64 | 64 | 64 | 1,024 |
| LB Server / Pool | 32 | 32 | 32 | 32 |
| LB Health Checks | 320 | 320 | 320 | 3,072 |
| LB Application Rules | 4,096 | 4,096 | 4,096 | 4,096 |
| L2VPN Clients Hub to Spoke | 5 | 5 | 5 | 5 |
| L2VPN Networks per Client/Server | 200 | 200 | 200 | 200 |
| IPSec Tunnels | 512 | 1,600 | 4,096 | 6,000 |
| SSLVPN Tunnels | 50 | 100 | 100 | 1,000 |
| SSLVPN Private Networks | 16 | 16 | 16 | 16 |
| Concurrent Sessions | 64,000 | 1,000,000 | 1,000,000 | 1,000,000 |
| Sessions/Second | 8,000 | 50,000 | 50,000 | 50,000 |
| LB Throughput (L7 Proxy) | | 2.2Gbps | 2.2Gbps | 3Gbps |
| LB Throughput (L4 Mode) | | 6Gbps | 6Gbps | 6Gbps |
| LB Connections/s (L7 Proxy) | | 46,000 | 50,000 | 50,000 |
| LB Concurrent Connections (L7 Proxy) | | 8,000 | 60,000 | 60,000 |
| LB Connections/s (L4 Mode) | | 50,000 | 50,000 | 50,000 |
| LB Concurrent Connections (L4 Mode) | | 600,000 | 1,000,000 | 1,000,000 |
| BGP Routes | 20,000 | 50,000 | 250,000 | 250,000 |
| BGP Neighbors | 10 | 20 | 100 | 100 |
| BGP Routes Redistributed | No Limit | No Limit | No Limit | No Limit |
| OSPF Routes | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF LSA Entries Max 750 Type-1 | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF Adjacencies | 10 | 20 | 40 | 40 |
| OSPF Routes Redistributed | 2000 | 5000 | 20,000 | 20,000 |
| Total Routes | 20,000 | 50,000 | 250,000 | 250,000 |

Of interest: the above table doesn’t list any Load Balancing performance numbers for the NSX Compact Edge…take that to mean that if you want to do any sort of load balancing you will need NSX Large and above. To finish up, below is a table describing each NSX Edge size use case.

| | Use Case |
| --- | --- |
| NSX Edge (Compact) | Small Deployment, POCs and single service use |
| NSX Edge (Large) | Small/Medium DC or multi-tenant |
| NSX Edge (Quad-Large) | High Throughput ECMP or High Performance Firewall |
| NSX Edge (X-Large) | L7 Load Balancing, Dedicated Core |

The Quad Large model is suitable for high performance firewall abilities and the X-Large is suitable for both high performance load balancing and routing. You can convert between NSX Edge service gateway sizes upon demand using a non-disruptive upgrade process, so the recommendation is to begin with the Large model and scale up if necessary. A Large NSX Edge service gateway is suitable for medium firewall performance but as detailed later, the NSX Edge service gateway does not perform the majority of firewall functions.

References:

https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/NSX%20for%20vSphere%20Recommended%20Configuration%20Maximums_64.pdf

https://docs.vmware.com/en/VMware-Validated-Design/4.2/com.vmware.vvd.sddc-design.doc/GUID-FCEA948E-7F8B-4FF0-857B-12D6E045BF1D.html

Veeam Availability Console now available from Azure Marketplace

Last week the Veeam Availability Console Azure Marketplace appliance went live. This allows Veeam Cloud and Service Providers to easily deploy VAC into any Azure region. In its previous incarnation the Managed Backup Portal was only available as an Azure marketplace appliance and not available to install by a VCSP. Now that VAC 2.0 is out, VCSPs who don’t have the ability to host Cloud Connect or VAC on their infrastructure can deploy it in Azure and have the service up and running within fifteen minutes.

There are some limitations that come along with deploying VAC into Azure and it won’t be for everyone. The biggest caveat is that you can only have one Cloud Connect Server per VAC instance and, as part of the deployment, Cloud Connect services are installed on the same Virtual Machine. You can’t offer Replication services from the Azure instance, and if offering Cloud Connect backup you need to understand its own scalability and performance bottlenecks. That said, as a remote management, monitoring, reporting, billing and self service platform there is a lot to like about having VAC in Azure.

Marketplace Deployment Steps:

You can start the deployment by searching for Veeam Availability Console in the Azure Marketplace or you can go direct to the product page here.

Click on Create to start the configuration steps.

The Basics includes VM name, hard disks type, username and password as well as selecting the subscription, the ability to use a new or existing resource group and finally the Azure location you want to deploy into.

In Step 2 you need to choose the Size of the Azure instance. The template provides the recommended configurations. The sizes are relative to the number of agents and/or Backup & Replication instances you are going to be managing from this instance. You can find sizing guides here for larger environments.

I ended up going with an A2 standard for my instance which removes the load balancing functionality from the configuration and offers a little less IOPS. Step 3 contains some optional extras to ensure a higher level of availability for the VM instance and lets you configure the networking. Once that’s done you can review your configuration settings and start the deployment. It took just over 8 minutes for the deployment to succeed.

If you click on the Virtual Machine object in the Azure Portal you will see an overview of the VM and its configuration.

Additional Azure Configuration:

If you notice in the image above, a DNS name is listed in the overview. This was something that I had to set manually after the deployment. You set this by going into the Networking of the resource pool and clicking on IP Configuration. Here, you can enter a DNS name relative to the Azure zone you are in. You can then use this to connect to the VAC Console, Cloud Connect Service and to RDP to the VM, and it helps in the event of having a dynamic, rather than a static, Azure IP.

Speaking of networking and ports, below is a list of the default port rules created during the deployment. Note that WinRM is open as well.

Finalizing Deployment:

After deploying the Azure Marketplace appliance you can RDP into the VM and complete the setup that includes configuring Cloud Connect and VAC itself. A few things have been done for us as part of the deployment, however the first thing you need to do is get a license. This is a BYO license situation, so once you have deployed the Marketplace appliance you will need to source a VAC license from the Veeam Licensing Portal and apply it.

Head to the VAC Web Portal and Install the License.

Once done the last step is to configure Cloud Connect from the Backup & Replication Console. Again, you will need a valid Cloud Connect license as you are greeted with the Free Edition when you connect to the console for the first time. As per normal with Cloud Connect, you need to configure the SSL Certificate first and then configure a new Cloud Gateway. Configure the Networking as shown below using the DNS name that was created in the steps above.

Once this is completed you can go into the VAC Console and work through the normal Configuration steps. The only thing you don’t need to do is add the Cloud Connect Server to the VAC instance as this has already been done during the initial deployment process.

It’s worth noting that the versions of Backup & Replication (9.5.0.1536) and Availability Console (2.0.1.1343) are up to date and include the latest Hot-Fixes for VAC. The intent is to have the templates as up to date as possible, however once deployed you can upgrade as per usual.

Conclusion:

So there you have it…within fifteen minutes you can have a fully working Veeam Availability Console instance running in Azure and ready to be used to offer all the goodness that VAC offers our Cloud and Service Provider partners. For an overview as to what VAC offers, click here and have a read of my GA post on What’s in It for Service Providers.

Links:

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/veeam.veeam-availability-console?tab=Overview

Released: Runecast Analyzer 1.7 with vSAN Support

Runecast has released version 1.7 of their Analyzer today and it has added support for VMware vSAN. By using a number of resources within VMware’s knowledge base Runecast offers a platform that looks at best practices, log information and security hardening guides to monitor your vSphere infrastructure which in turn brings to your attention issues through a simple yet intuitive interface. This now extends to vSAN as well. Also in this release is an improved dashboard called the VMware Stack view and improved vSphere Web Plugin.

Version 1.7 focuses on VMware vSAN support and proactive issue detection with remediation. vSAN, having gained market lead in the HCI space, is deployed in vSphere environments more commonly these days as the storage component. It is critical to not only monitor performance but also keep the vSAN configuration in the best condition and prevent any future failures or outages.

Runecast Analyzer v1.7 scans vSAN clusters and looks at cluster configurations against a large database of VMware Knowledge Base and Best Practices rules. This results in the ability to list issues and then offer suggestions on how to fix those issues which may affect vSAN availability or functionality. This acts as a good way to stop issues before they become more serious problems that impact environments.

As mentioned version 1.7 also offers an upgrade to the vSphere Web Client and as you can see below the integration is tight with the HTML5 client.

Finally, I wanted to highlight the new VMware Stack dashboard. This new visual component aims to very quickly prioritize what problem to solve and where it exists. The VMware stack contains 5 layers, Management, VM, Compute, Network and Storage. Runecast prioritizes and sorts all detected problems into those five categories so an admin can easily see where the critical issues are and what is the risk they pose.

Overall for those that have vSAN in their environments I would recommend a look at this release. The guys at Runecast are taking a unique approach to monitoring and I’m looking forward to future releases as they expand even more beyond vSphere and vSAN.

The latest version is available for a free 14-day trial.

Office 365 Backups and the Opportunity that Exists for Service Providers

In recent weeks I’ve become reacquainted with an old friend…There was a time where eighty to ninety percent of my day job was working in and around Exchange Server. If I had started this blog in 2005 it would have been dominated with posts around the Hosting of Exchange Server and probably be named Exchange is Life!. I take pride in my Hosted Exchange Org and User creation scripts that I created before Hosting Control Panels were even a thing.

Over the last five or six years my interest in Exchange diminished due to moving roles and also due to some lingering ill feelings about the way in which Microsoft treated their initial Hosting partners as they started what would become Office 365 back in the late 2000’s. That said, I have remained aware of the Exchange landscape and while there are still a lot of on-premises Exchange instances and still a number of decent Hosted Exchange providers out there, there is no stopping Office 365’s growth.

I even jumped on the bandwagon by moving my personal SliemaLabs domain over to an Office 365 Exchange subscription late last year. That domain initially lived on an Exchange Server I ran from home, and then on a Hosted Exchange platform I built, and now it’s completed its own journey to Office 365.

Having spent a bit of time recently looking at the 1.5 version of our Backup for Microsoft Office 365 product…more specifically the new self service feature that came in Backup & Replication 9.5 Update 3, I’ve had a renewed sense of purpose around the Exchange ecosystem…and that purpose is to ensure that all service providers understand the opportunity that exists around creating offerings for the backing up and availability of Office365 services.

This post follows a post that was released on the Veeam.com blog by Paul Mattes (VP of Global Cloud Group at Veeam) talking about the success of our Backup for Microsoft Office 365 product.

In 2017, more than 25,000 organizations installed our Office 365 backup solution, representing 2.3 million Microsoft Office mailboxes. We saw a staggering 327% quarter-over-quarter growth in Q4 of last year.

And the reasons why all Office 365 users should consider an external backup solution for their data hosted in Microsoft’s SaaS cloud platform.

It’s important to remember that SaaS platform providers, like Microsoft Office 365, take on the responsibility of application uptime and the underlying infrastructure. But it is the customer’s responsibility to manage and protect their vital business data.

This is public cloud in a nutshell…Ultimately the customer has the responsibility to ensure all data is backed up correctly. I won’t go into the technical aspects as to why Office 365 requires additional backup solutions. There are plenty of good online resources: a Gartner report is available here, and Microsoft has an official page on High Availability and Business Continuity. Doing research into the nature of SaaS, you understand the need for third party backup solutions.

The Office 365 Opportunity:

From a service provider point of view there is an opportunity to tap into the 85 million user Exchange Online market and offer availability services for organisations using Office 365. This is a multi-billion dollar market that exists today and services based around backup and management of that data are central to tapping into that opportunity. Just breaking down the ANZ market alone, there are approximately 4.25 million Office 365 users, of which capturing only 5% would represent a combined 3.5 to 5 million dollar market.

For those VCSPs who have already deployed Cloud Connect and are offering Backup services, the ground work has been laid with regards to having the infrastructure in place to extend that service to offer Veeam Backup for Office 365 aaS.

The billable components of this service are licenses and then storage costs. Managed Service Providers can also build in management fees that offer an end to end solution for their clients. Where it should be seen to be extremely attractive for VCSPs is in the potential for the storage revenue to be significant early and then continue to grow as tenants back up and retain more and more mailboxes in addition to new tenants coming on board.

We have given our VCSPs the tools to be able to build a strong service around Office 365 backups with the 1.5 release of Backup for Office 365 focused on scalability and automation. Add to that the self service feature that came in Update 3 for Backup & Replication and there is no excuse to not start thinking about offering this as a service.

Looking beyond Exchange Online, version 2 of Backup for Office 365 will include the ability to back up SharePoint and OneDrive as well…have a think about what that represents in terms of revenue opportunities just on the potential for storage consumption alone.

Again, I want to emphasise that this market is huge and what’s on offer in terms of potential revenue can’t be ignored. I’m excited about the next 12-18 months in being able to see our VCSPs grab this opportunity…don’t let it slip!

References:

https://technet.microsoft.com/en-us/library/exchange-online-high-availability-and-business-continuity.aspx

The Limitations of Microsoft Office 365 Backup

Insider Protection: Tenant Storage Usage and Cost Calculator

Last month I published a blog that looked deeper into the Insider Protection feature that was added as a feature to Veeam Cloud Connect as part of Update 3 for Backup & Replication 9.5. As a refresher, deleted backup protection…or Insider Protection allows the VCSP to enable the deleted backups protection option for specific tenants and looks to add another level of data security for cloud based backups in the case of a malicious user gaining access to the Backup & Replication Console or in the case of accidental deletion by an administrator.

It’s a great feature that every VCSP offering Cloud Connect should be looking to productise. That said, there are a few things missing from this initial Update 3 release. One of those is that currently there is no way to pull metrics in relation to how much Recycle Bin storage tenants are consuming. This means the VCSP hasn’t got a way to account for or charge for storage usage. Ideally this would be retrieved via a PowerShell cmdlet or API call, however at the moment there is no such functionality.

As a workaround I’ve come up with a POC PowerShell script that lists all Cloud Connect tenant accounts with Backup Protection enabled and then works out the amount of storage in the tenant’s _RecycleBin folder and returns that value as well as storage costs as it pertains to the service provider and what a tenant will be charged. The configured retention period is also listed.

There are a few caveats with this release that I’m looking to improve on (or have people fork and improve the code) over the next few weeks. The service provider storage costs are hard coded by default, but I’ve left a section commented out that will prompt for the two values if desired.

Hopefully this works as an example so that VCSPs can begin to offer Insider Protection as part of their Cloud Connect service offering. Having a workaround for cost calculations and reporting is not ideal, however this feature will evolve in future releases of Backup & Replication. For the moment though, don’t let this stop you from looking at Insider Protection for your clients.
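
The calculation described in this post can be sketched as follows. This is an added example, not the author's script: it assumes each tenant's deleted backups sit under `<RepositoryPath>\<TenantName>\_RecycleBin` on a single repository, that the list of protected tenants and their retention periods is supplied by the caller, and that the two per-GB rates are placeholders.

```powershell
# Added example, not the author's POC script. Items marked ASSUMPTION are not from the post.
function Get-RecycleBinUsage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$RepositoryPath,
        # Tenants with deleted backups protection enabled: objects with Name and RetentionDays.
        [Parameter(Mandatory)][object[]]$Tenant,
        [double]$ProviderCostPerGB = 0.02,   # ASSUMPTION: placeholder service provider cost
        [double]$TenantChargePerGB = 0.10    # ASSUMPTION: placeholder tenant charge
    )
    foreach ($t in $Tenant) {
        # ASSUMPTION: folder layout <RepositoryPath>\<TenantName>\_RecycleBin
        $bin   = Join-Path (Join-Path $RepositoryPath $t.Name) '_RecycleBin'
        $bytes = 0
        $note  = ''
        if (Test-Path -LiteralPath $bin -PathType Container) {
            $sum = Get-ChildItem -LiteralPath $bin -Recurse -File -Force `
                       -ErrorAction SilentlyContinue -ErrorVariable gciErr |
                   Measure-Object -Property Length -Sum
            if ($sum.Sum) { $bytes = [double]$sum.Sum }
            # Unreadable files would silently shrink the bill, so surface them.
            if ($gciErr.Count) { $note = "$($gciErr.Count) item(s) unreadable; total is a lower bound" }
        } else {
            $note = 'no _RecycleBin folder found'
        }
        $gb = $bytes / 1GB
        [pscustomobject]@{
            Tenant        = $t.Name
            RetentionDays = $t.RetentionDays
            RecycleBinGB  = [math]::Round($gb, 3)
            ProviderCost  = [math]::Round($gb * $ProviderCostPerGB, 3)
            TenantCharge  = [math]::Round($gb * $TenantChargePerGB, 3)
            Note          = $note
        }
    }
}

# Constructed sample data: two made-up tenants in a temporary folder.
$repo = Join-Path ([IO.Path]::GetTempPath()) ('cc-repo-' + [guid]::NewGuid())
$binA = New-Item -ItemType Directory -Force -Path (Join-Path (Join-Path $repo 'TenantA') '_RecycleBin')
$fs   = [IO.File]::Create((Join-Path $binA.FullName 'deleted-job.vbk'))
$fs.SetLength(256MB)   # file with a 256 MB length, standing in for a deleted backup
$fs.Dispose()
New-Item -ItemType Directory -Force -Path (Join-Path $repo 'TenantB') | Out-Null   # no recycle bin yet

$tenants = @(
    [pscustomobject]@{ Name = 'TenantA'; RetentionDays = 7 },
    [pscustomobject]@{ Name = 'TenantB'; RetentionDays = 14 }
)
Get-RecycleBinUsage -RepositoryPath $repo -Tenant $tenants | Format-Table -AutoSize
Remove-Item -LiteralPath $repo -Recurse -Force
```

On a real Cloud Connect server the tenant list would be built from the tenants that have the protection option enabled, and tenants with quotas on several repositories need one call per repository path.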

vCloud Director Tenant UI: Dude…Where is my VM Web Console?

As most of you should know by now, vCloud Director 9.0 features a new HTML5 Tenant UI Portal which is not only very pretty, but also functional. As of the 9.0 release the HTML5 Tenant UI has a limited scope of functionality compared to the legacy Flex based web console but is still a great example of where vCD is going in terms of continuing to enhance vCD.

I was having a discussion on Slack with Mark Ukotic talking about future vCD releases when he commented that he was looking forward to the Web Console coming to the HTML5 UI. To which I said “It was already there!” He replied saying “Really?” to which I replied…

On the Virtual Machines page, you can click on the VMware graphic which will open a Web Console window.

You won’t see the mouse change to indicate that the area is hot, which is why most people assume that the option to launch the Web Console isn’t there. But if you click on it, the Web Console window will pop up and you will be able to interact with the VM.

It is a very limited console in terms of remote actions you can perform. There is a lot more functionality in the VMware Remote Console…hopefully we will see that available to launch through the new Tenant UI in upcoming versions.

If the VM is powered off you will get the following message if you try to click on the image.

So there you have it! The Web Console is there in the new HTML5 Tenant UI in vCloud Director 9.0…it’s not super obvious, but it is there!

#LongLivevCD

Configuring Service Provider Self Service Recovery with Veeam Backup for Microsoft Office 365

For a while now I’ve talked about the increasing functionality of the Cloud Connect Gateway and that it is central to a lot of features and services that exist within Veeam Backup & Replication. With the release of 9.5 Update 3 we added a feature that allows multi-tenant self service recoverability of a tenant’s Office365 mailbox backup hosted by Veeam Cloud and Service Providers utilising Veeam Backup for Microsoft Office 365 1.5 that was released late last year.

Overview:

Tenant admins communicate with the Service Provider via the Cloud Gateway component, which handles the flow of data. The Service Provider grants the ability to their tenants so that each tenant can perform self restore operations using Veeam Explorer for Microsoft Exchange. By default, tenants are not able to restore anything from the backup without Service Provider assistance.

The steps above show the self restore scenarios performed by the Tenant:

  • Tenants use Veeam Explorer for Microsoft Exchange to send restore requests via Veeam Cloud Gateway directly to the Service Provider.
  • On the Service Provider side, Veeam Backup for Microsoft Office 365 management server detects a proxy server responsible for processing tenant data.
  • Veeam Backup for Microsoft Office 365 management server locates an associated repository that contains a backup file that belongs to the Tenant.
  • Corresponding backup data is then transferred back to the tenant via Veeam Cloud Gateway.

IMPORTANT!

When planning solution components deployment, remember that Veeam Backup for Microsoft Office 365 v1.5 and Veeam Backup & Replication 9.5 Update 3 must be installed on the same server.

Example:

These days I don’t have access to a local Exchange Server or to a corporate Exchange Online instance but I did migrate my personal domain over to Office365 just before Christmas. That account has only one mailbox, but that’s enough to demonstrate the Office365 Service Provider backup and tenant self service recovery use case.

Service Provider Side:

For Service Providers to back up tenants’ on-premises or Office 365 Exchange mailboxes they need to first configure a new organization in Veeam Backup for Office 365. I’m not going to go through the steps for that as it’s been covered in other posts and is very simple to configure, however to prepare for the self service capability the service provider needs to ensure that the Cloud Connect Gateways are set up, configured and accessible externally.

In Backup for Office 365 you have to enable and configure the RestAPI and Authentication Settings under their respective tabs in the Options menu. This includes selecting an SSL certificate for both services…I’m just using a self signed certificate but obviously service providers will want a correctly signed public certificate to productise this feature.

With the organization configured I created a new job and backed up the Exchange Organization. Again, for this example I just have the one mailbox but the theory is the same whether it’s one, five, fifty or five thousand mailboxes.

From here, without any self service configured, the Service Provider can access the mailbox(es) to perform whole or granular item level recovery using the Veeam Explorer for Exchange. As shown below I can access any mailbox from the service provider’s end and perform recovery to a number of different locations.

For each tenant (not per Exchange User) there needs to be a Cloud Connect tenant account created on the Backup & Replication server. This will be used at the tenant end by the admin to configure a Service Provider in the Backup & Replication console, which will then be detected and used by the Veeam Explorer for Exchange to connect into the service provider and authenticate with an applicable Exchange account.

Tenant End:

For the tenant admin to use Veeam Explorer for Exchange to perform mailbox recovery you first have to configure a Service Provider using Cloud Connect tenant credentials as provided by the Service Provider. It’s worth mentioning here that you can have no license installed in Backup & Replication and are still able to add a Service Provider to the Backup Infrastructure menu. Once connected, firing up the Explorer for Exchange you will use the Service Provider option in the Add Store dropdown.

In the drop down list, select the Service Provider account configured in the Backup Infrastructure menu. If multiple exist you will see each one in the drop down. You also configure the username and password that connects to the Exchange Organization. This can be an admin account that is allowed impersonation, or you can enter in an individual account.

Once connected (which can take some time with the GUI of the Explorer for Exchange) any mailbox that the account has authorization over will be seen and mailbox recovery can begin.

An interesting thing to do is to check what is happening from a network connectivity point of view during this process. While performing a restore you can see open connections from the tenant side to Cloud Connect gateway on port 6180 and also you can see a connection to Office365 on port 443 completing the loop.

Back at the Service Provider end in the Backup for Office365 console you can see active Explorer for Exchange sessions as running jobs. Below you can see the local one, plus a remote session.

Automation:

For Service Providers with the capability to automate the setup and provisioning of these services through PowerShell or the RestAPIs here is a great example of what can be achieved with Backup for Office365 and the creation of a self service portal web interface. You can use the built in Swagger UI to evaluate the capabilities of RestAPIs.

The Swagger UI can be accessed via the following URL:

https://<Backup-Office365>:<Port>/swagger/ui/index

From there you can authenticate and work through the live examples.

Conclusion:

The market for Office365 backups is significant and we have built in some pretty cool technology into Backup & Replication that works with Backup for Office365 that allows easy, self service capabilities that can be productized by Service Providers out of the box. Not only can Service Providers offer services to backup client Exchange Organisations but they can also extend that to offer self service which increases overall operational efficiencies at the provider end while also offering enhanced services to clients.

References:

https://helpcenter.veeam.com/docs/vbo365/guide/vbo_mail_baas.html?ver=15

https://helpcenter.veeam.com/docs/vbo365/rest/swaggerui.html?ver=15

Creating a Custom Cloud Connect Maintenance Mode Message

Last week I wrote an article on Maintenance Modes in Cloud Connect and also Veeam Availability Console. For Cloud Connect there is a default error message that gets shown in the Job Status if any jobs are started while Cloud Connect Maintenance Mode is turned on.

We have the ability to customize that message via a registry key addition as documented in the online Veeam Help Centre.

To create a custom Maintenance mode notification, on the SP Veeam backup server, create the new registry value HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\CloudMaintenanceModeMessage = <message> (String), where <message> is a Maintenance mode notification that you want to display on the tenant side.

Adding the key via Registry Editor is simple enough and this is what you are left with from within the Registry Editor.

And the error message at the tenant end now reflects the custom message.

To make this easier for Service Providers, I’ve written a quick PowerShell script that does a couple of things. The first thing is report on the current registry value for the Maintenance Mode and then give you the option to delete the key and return the message to its default state. The second thing it does is prompt you to enter the desired custom message and set that in the registry.
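
A script with that report, delete and set flow could look like the following. It is an added example, not the author's script; the registry key and value name are the ones quoted from the Veeam Help Centre above, and the function names are made up for this sketch. Run it in an elevated session on the SP Veeam backup server.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's script. Key path and value name are taken from the
# documentation quoted above; the function names are hypothetical.
$KeyPath   = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$ValueName = 'CloudMaintenanceModeMessage'

function Get-MaintenanceMessage {
    # Returns the custom message, or $null when the value is absent (default message in use).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$ValueName } else { $null }
}

function Set-MaintenanceMessage {
    param([Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$Message)
    if (-not (Test-Path -Path $KeyPath)) {
        # Do not create the product key on a machine that is not the backup server.
        throw "Registry key not found: $KeyPath"
    }
    # -Force creates the String value or overwrites an existing one.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String `
        -Value $Message -Force | Out-Null
}

function Remove-MaintenanceMessage {
    # Deleting the value returns tenants to the default Maintenance Mode message.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
}

# 1. Report the current state and offer to revert to the default.
$current = Get-MaintenanceMessage
if ($null -eq $current) {
    Write-Host 'No custom message set; tenants see the default Maintenance Mode message.'
} else {
    Write-Host "Current custom message: $current"
    if ((Read-Host 'Delete it and return to the default message? (y/N)') -match '^[yY]') {
        Remove-MaintenanceMessage
        Write-Host 'Custom message removed.'
    }
}

# 2. Prompt for a new message and write it.
$new = Read-Host 'New custom message (leave blank to make no change)'
if (-not [string]::IsNullOrWhiteSpace($new)) {
    Set-MaintenanceMessage -Message $new.Trim()
    Write-Host "Custom message set to: $(Get-MaintenanceMessage)"
}
```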

References:

https://helpcenter.veeam.com/docs/backup/cloud/cc_maintenance_message.html?ver=95

NSX Bytes: NSX 6.4 UI Enhancements and Upgrade Coordinator

NSX-v 6.4 was released a couple of weeks ago and as I talked about in my launch post, there are a lot of new features and enhancements that make this release significant. A big focus for this release was around enhancing NSX’s ease of use and serviceability. There have been a number of additions to the UI with additional dashboards and menu items. Also importantly, a first port of the NSX Web Client functionality over to the HTML5 Web Client.

What’s interesting about the approach that the NSX product team has taken is that they have decided to have each new feature in the HTML5 Web Client accessible from the old Flash based Web Client as well. They have also continued to improve on the layout and usability of the flash based vSphere Web Client so what you have now is a combination of Flash and HTML5 inside the old Web Client as well as a limited pure HTML5 NSX experience in the new Web Client.

UI Enhancements:

Among the enhancements to the UI is the improvement in the navigation menu where some commonly used menu items that were clicks away have been brought into the main tree. As you can see below there is a lot more happening in the 6.4 menu tree on the right vs the previous releases on the left.

The HTML5 menu is a little shorter with only a couple of items added however it shows you what it will look like when the porting is complete. Also shown in the picture below is the new System Scale Dashboard that provides visibility into the current usage of various NSX components and system capacity relative to configuration maximums with warning thresholds configurable.

Highlighting the Flash+HTML cross over in the Flash Web Client, the System Scale Dashboard is also present in the old Web Client and shown below.

In terms of other UI additions there is now an EAM status monitor in the Host Preparation Tab and a direct way from the Web Client to generate Support Bundle…which again, is available from both Web Clients.

NSX Upgrade Coordinator:

Probably one of the coolest features in NSX-v 6.4 is the Upgrade Coordinator.

When you upgrade using Upgrade Coordinator, you can select to perform a One Click Upgrade, where everything is upgraded during one upgrade session. Or you can select to Plan Your Upgrade, and customize which components are upgraded, and organize component objects into upgrade groups.

Working your way through the wizard you can select which components to upgrade.

For me, having control of the NSX Edge upgrades is super important as this has historically been a monotonous task for Service Providers with lots of customers using vCloud Director Edge services. The Upgrade Coordinator streamlines this upgrade task and makes the process a lot more efficient.

Having the ability to group and order the upgrade process for Edges (and Service VMs) is also an excellent enhancement. Once the wizard has been completed you are shown a progress dashboard which you can click into to view the current state of upgrading components.

Once completed, you should have all components upgraded and you can go through the post upgrade tasks and once completed you can always get an overview of the NSX environment by clicking on the main dashboard.

Conclusion:

There is a lot to like about where the NSX team is taking the user interface and it’s good to see an initial move over to the HTML5 Web Client while also having that same functionality still accessible via the Flash Web Client. To have a look at what is currently supported and what is not in the HTML5 vs Flash Client head to this page and check out the support tables.

I’m looking forward to future updates that will look to push more functionality directly into the HTML5 Web Client.

References:

https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/rn/nsx-vsphere-client-65-functionality-support.html

https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/com.vmware.nsx.upgrade.doc/GUID-A539869B-9858-48B3-90ED-2336698EE386.html

Veeam Powered Network: Azure and Remote Site Configuration

This week we announced the official GA of Veeam Recovery to Microsoft Azure featuring Veeam Powered Network (Veeam PN). This new product also features Direct Restore to Microsoft Azure in combination with Veeam PN to create a solution that allows you to recover VMs into Azure and then have those VMs accessible on the original network by extending the on-premises network to the Azure networks. From there remote users can also connect into the Azure based Veeam PN Gateway and access services in all connected sites.

I’m going to step through the deployment of Veeam PN from the Azure Marketplace and then extend two remote sites into the Azure Virtual Network created during the initial configuration from the Azure Marketplace. Below is a logical drawing of the extended recovery network.

Components

  • Azure Subscription
  • Veeam PN Azure Marketplace Hub Appliance x 1
  • Veeam PN Site Gateway x 2
  • OpenVPN Client

The OVA is 1.5GB and when deployed the Virtual Machine has the base specifications of 1x vCPU, 1GB of vRAM and 16GB of storage, which if thin provisioned consumes a tick over 5GB initially.

Networking Requirements

  • Veeam PN Hub Appliance – Incoming Ports TCP/UDP 1194, 6180 and TCP 443
    • Azure Virtual Network Address Space 172.16.0.0/16
  • Veeam PN Site Gateway – Outgoing access to at least TCP/UDP 1194
    • Columbus Address Space 10.0.30.0/24
    • Home Office Address Space 192.168.1.0/24
  • OpenVPN Client – Outgoing access to at least TCP/UDP 6180

Veeam PN Azure Marketplace Deployment:

Once logged into the Azure portal, head to the Azure Marketplace and search for Veeam. You should see Veeam PN for Microsoft Azure.

Click on that and then click on the Create button at the bottom of the Marketplace description.

From here you are presented with a six step process that configures the Veeam PN Azure VM and allows you to configure networking, initial security and site-to-site and point-to-site settings.

For my deployment location I have chosen Southeast Asia which is in Singapore. The username and password you select here will be used to access the Veeam PN web console and the VM via SSH.

Step 2 includes choosing the VM size, which I have changed from Standard A1 to Basic A1. The biggest difference from Standard to Basic is the inclusion of a Load Balancer service. One thing to note here is that when considering sizing for any VPN technology, CPU and RAM are critical as they become the limiting factors in being able to process the encrypted connectivity. We will shortly have an official sizing guide for Veeam PN but for the purpose of connecting up two sites with some external users the Basic A1 instance will do.

In the image above I’ve also configured the 172.16.0.0/16 Virtual Network. The default that Azure gives you is 10.0.0.0/16 which overlaps with subnets in the Columbus lab which is why I chose another private network range.
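The overlap described above can be checked before deployment. The following PowerShell is an added example (not part of the original post or of Veeam PN) that compares the address spaces listed under Networking Requirements, plus the Azure default; the function names `ConvertTo-IPv4Range` and `Test-IPv4Overlap` are illustrative and only IPv4 CIDR notation is assumed.

```powershell
# Added example: find overlapping IPv4 address spaces before joining sites into one routed network.
function ConvertTo-IPv4Range {
    param([Parameter(Mandatory)][string]$Cidr)
    $address, $prefix = $Cidr -split '/'
    [long]$ip = 0
    # Fold the four octets (network byte order) into one integer.
    foreach ($octet in [System.Net.IPAddress]::Parse($address).GetAddressBytes()) {
        $ip = $ip * 256 + $octet
    }
    [long]$size  = [math]::Pow(2, 32 - [int]$prefix)
    [long]$start = $ip - ($ip % $size)      # align to the network boundary
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-IPv4Overlap {
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $ra = ConvertTo-IPv4Range -Cidr $A
    $rb = ConvertTo-IPv4Range -Cidr $B
    # Two ranges overlap when each one starts before the other one ends.
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

# Address spaces taken from this post; the first entry is the Azure default that was rejected.
$spaces = @(
    [pscustomobject]@{ Name = 'Azure default VNet';  Cidr = '10.0.0.0/16' }
    [pscustomobject]@{ Name = 'Azure VNet (chosen)'; Cidr = '172.16.0.0/16' }
    [pscustomobject]@{ Name = 'Columbus';            Cidr = '10.0.30.0/24' }
    [pscustomobject]@{ Name = 'Home Office';         Cidr = '192.168.1.0/24' }
)

# Compare every pair once and report the conflicts.
for ($i = 0; $i -lt $spaces.Count; $i++) {
    for ($j = $i + 1; $j -lt $spaces.Count; $j++) {
        $a = $spaces[$i]
        $b = $spaces[$j]
        if (Test-IPv4Overlap -A $a.Cidr -B $b.Cidr) {
            Write-Host "OVERLAP: $($a.Name) $($a.Cidr) <-> $($b.Name) $($b.Cidr)"
        }
    }
}
```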

The last step shown above is configuring the subnet where the Veeam PN VM will be deployed into. This network can also be used by Direct Restore to Azure to place recovered VMs into.

This next step has you choosing the encryption key size for your VPN connections. We have put in a couple of options and depending on your requirements you can select anything from relatively weak keys to very strong keys. As the note next to the 2048 key recommendation says, this does impact the deployment time because larger keys take longer to generate. This means that you will need to wait at least 10-15 minutes after deployment to access the Web Console to complete configuration.

Setting up the VPN information is straightforward. In my example I have changed the port for the Point-to-Site connections to 6180 as I know this is a commonly opened port in our corporate network.

The final steps show you a summary and final confirmation to purchase the Marketplace item. There is no cost involved with Veeam PN itself, but be aware that you will be charged for all Azure resource consumption.

Once the job is submitted the deployment creates the Veeam PN VM and injects all the settings specified during this process. Taking a look at the Azure Resources created during the process you can see a number of different components listed.

I’ll be putting together another post to dive into a few of those resources to show what is happening under the hood in terms of networking when other sites are added.

Finalising Veeam PN and Azure Configuration:

Once the Veeam PN appliance has been deployed successfully you need to complete a couple more steps to hook the Veeam PN service into Azure to allow the automatic injection of routes. To access the Veeam PN web console you enter in the DNS Name created during the initial setup. To view this after deployment is complete and also see the allocated Public IP click on the publicIP group in the Azure Portal.

If the Azure Marketplace deployment has been successful you will be greeted with an Azure Setup Wizard after logging into the Veeam PN web console.

NOTE: If you don’t get the Azure wizard and get the Out of Box Veeam PN setup prompt you haven’t waited long enough for the encryption keys to generate.

As explained this setup creates an Azure user to have access to the Virtual Network Routing Table. After hitting next you need to authenticate the Veeam PN appliance with Azure by clicking on the link provided and entering in the code to authenticate.

Once completed you can further confirm the setup was successful by clicking on Settings and then look at the Services tab. You should see all three options toggled to On.

Clicking on the Azure Tab will show details of the Azure network and deployment settings.

Veeam PN Site Gateway Deployment and Configuration:

I’ve covered in detail during the RC period of Veeam PN how to setup and deploy site gateways to connect back into the Hub. The Hub doesn’t have to live in Azure and there are use cases for Veeam PN to be used standalone, but let’s continue with this setup. I went and configured the two sites as shown below. You can now see their subnet addresses in the web console…another added feature in the GA release.

I’ve also configured the Standalone Client that will enable me to connect from my MBP into the Hub and then get access to the networking resources. One new GA feature that has been added here is the ability to enable all traffic to flow through the Hub server as the default gateway…meaning all traffic will pass through Hub.

At each site a Veeam PN Site Gateway appliance gets deployed and is configured with the generated configuration files done in the steps above. Once connected the Overview page will show all sites connected via the Site-to-Site VPN. As of now, Azure, Columbus and my Home Lab are all part of the one extended network.

Backing Up Veeam PN Config and Version Updates:

For the GA version, we have introduced a couple new UI features based on feedback and usability. The first thing to do once you have finished the initial configuration is to head to the System Tab under Settings and Backup the config. This will download a configuration file that can be imported into a clean Veeam PN appliance if anything happened to the production instance.

There is also a new Updates tab which will Check for Updates and, if available, Update to a newer build while retaining the current configuration.

Conclusion:

Once everything is connected and in place we can now restore a VM from anywhere and make it available to the extended networks configured in this example. There are a few more things to cover in regards to making the recovered application available from its origin network however I will cover that off in future posts.

Below is a summary of what I have shown in this post:

  • Deploy Veeam PN from Azure Marketplace
  • Finalise Azure setup from Veeam PN Web Console
  • Setup Site Configurations
  • Deploy Veeam PN OVA to each site and import site configuration
  • Backup Veeam PN Hub configuration

Those five steps took me less than 30 minutes, which also took into consideration the OVA deployments…that to me is an extremely streamlined, efficient process to achieve what, in the past, could have taken hours and certainly would have involved a more complex set of commands and configuration steps. The simplicity of the solution is what makes it very attractive…it just works!

Again, Veeam PN is free and is deployable from the Azure Marketplace or downloadable in OVA format directly from the veeam.com site.
