Category Archives: VMware

Quick Fix: vSAN Health Reports iSCSI Target Service Stopped

A few weeks ago I wrote about using iSCSI as a backup repository target. While still running that POC in my environment I came across an error in the vSAN Health Check stating that the vSAN iSCSI target service was in a Failed state. Drilling down into the vSAN Health check tree I could see a Service Runtime status of stopped against the host, as shown below.

This host had recently been marked as unreachable in vCenter and required a Management Agent reset to bring it back online. There is a chance that the agent reset stopped the iSCSI Target service but did not start it again. In any case, there is an easy way to see the status of the services and get them back online.
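For those who prefer to check from a script rather than the UI, below is a minimal pyVmomi sketch that lists the services on each host and their running state. The vCenter address, credentials and the service key are placeholders, and on some builds the vSAN iSCSI target daemon may only be controllable from the ESXi shell (commonly /etc/init.d/vitd), so treat the StartService call as an assumption to verify in your environment.

```python
# Hedged sketch: list ESXi host services and (optionally) start one with pyVmomi.
# vCenter address, credentials and the 'vitd' service key are placeholders/assumptions.
import ssl
from pyVim.connect import SmartConnect, Disconnect
from pyVmomi import vim

ctx = ssl._create_unverified_context()  # lab only; use valid certificates in production
si = SmartConnect(host="vcenter.lab.local", user="administrator@vsphere.local",
                  pwd="********", sslContext=ctx)
content = si.RetrieveContent()
view = content.viewManager.CreateContainerView(content.rootFolder, [vim.HostSystem], True)

for host in view.view:
    svc_sys = host.configManager.serviceSystem
    for svc in svc_sys.serviceInfo.service:
        print(f"{host.name:30} {svc.key:25} running={svc.running}")
    # Once the stopped service's key is confirmed, it can be started in place, e.g.:
    # svc_sys.StartService(id="vitd")   # assumption: key of the vSAN iSCSI target daemon

view.DestroyView()
Disconnect(si)
```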

Once that’s been done, a re-run of the vSAN Health check shows the issue as resolved, with the iSCSI Target Service on the host now running.

References:

https://kb.vmware.com/s/article/2147603

 

vSphere 6.7 – What’s in it for Service Providers Part 1

A few weeks ago, after much anticipation, VMware released vSphere 6.7. Like 6.5 before it, this is a lot more than a point release and represents a major upgrade from vSphere 6.5. There is so much packed into this new release that there is an official page with separate blog posts covering the features and enhancements. As usual, I will go through some of the key features and enhancements included in the latest versions of vCenter and ESXi, and how they relate back to the Service Providers that use vSphere as the foundation of their Infrastructure as a Service offerings.

There is a lot to get through and, like the vSphere 6.5 release, the what’s new will not fit into one post, so I’ll split the highlights between a couple of posts and cover ESXi specifically in a follow-up. I still feel it’s important to highlight the base hypervisor as well as the management platform. I’ll also talk about current interoperability with vCloud Director and NSX as well as Veeam supportability for vSphere 6.7.

The major features and enhancements as listed in the What’s New PDF are:

  • Scalability Enhancements
  • VMware vCenter Server Appliance Linked Mode
  • VMware vCenter Server Appliance Back Up Scheduler
  • Single Reboot
  • Quick Boot
  • Support for 4K Native Storage
  • Improved HTML 5 based vSphere Client
  • Security-at-Scale
  • Support for Trusted Platform Module (TPM) 2.0 and virtual TPM
  • Cross-vCenter Encrypted vMotion
  • Support for Microsoft’s Virtualization Based Security (VBS)
  • NVIDIA GRID vGPU Enhancements
  • vSphere Persistent Memory
  • Hybrid Linked Mode
  • Per-VM Enhanced vMotion Compatibility (EVC)
  • Cross-vCenter Mixed Version Provisioning – Simplify provisioning across hybrid cloud environments that have different vCenter versions

Below I’ve taken a few of these and fleshed them out in the context of Service Providers.

Enhanced vCenter Server Appliance:

The VCSA has been enhanced significantly in this release. Having used the VCSA exclusively for the past year in all my environments, I have a love/hate relationship with it. I still feel it’s nowhere near as stable as vCenter running on top of Windows and is prone to more issues than a Windows-based vCenter…however, 6.7 will be the last release supporting or offering a Windows-based vCenter. With that, VMware have had to work hard on making the VCSA more resilient.

Compared to the 6.5 VCSA, 6.7 offers twice the performance in vCenter operations per second, a three-times reduction in memory usage, and three-times faster DRS-related operations, meaning power-on and other VM operations complete quicker. This is great on a service provider platform with potentially lots of those operations happening during the course of a day. Hopefully this improves the overall responsiveness of the VCSA, which I have felt at times to be poor under load or after an extended period of appliance uptime.

There have also been a number of updates to the APIs offered in vSphere, the VCSA and ESXi. William Lam has a great post on what’s new for APIs here, but all Service Providers should have teams looking at the API Explorer, as it’s a great way to explore and learn what’s available.
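As a simple illustration of what sits behind the API Explorer, here is a minimal sketch against the vSphere Automation REST API that logs in and lists VMs; the vCenter address and credentials are placeholders.

```python
# Minimal sketch of the vSphere Automation REST API surfaced by the API Explorer.
# The vCenter address and credentials are placeholders.
import requests

VC = "https://vcenter.lab.local"

# Create an API session (basic auth) and grab the session token
session = requests.post(f"{VC}/rest/com/vmware/cis/session",
                        auth=("administrator@vsphere.local", "********"),
                        verify=False)  # lab only
token = session.json()["value"]

# List virtual machines using the session token
vms = requests.get(f"{VC}/rest/vcenter/vm",
                   headers={"vmware-api-session-id": token},
                   verify=False)
for vm in vms.json()["value"]:
    print(vm["name"], vm["power_state"])
```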

Single Reboot and Quick Boot:

For Service Providers who need to upgrade their platforms to maintain optimal compatibility, upgrading hosts can be time consuming at scale. vSphere 6.7 reduces ESXi host upgrade times by eliminating one of the two reboots normally required for major version upgrades; this is the Single Reboot feature. There is also vSphere Quick Boot, which restarts the ESXi hypervisor without rebooting the physical host, skipping time-consuming server hardware initialization and the associated boot wait times. Both of these significantly reduce maintenance times.

This blog post covers both features in more detail.

Improved HTML 5 based vSphere Client:

While minor in terms of actual under-the-hood improvements, the efficiencies gained from a decent user interface are significant. When managing Service Provider platforms at scale, having a reliable client is important, and with the retirement of the VI client and the often frustrating performance of the Flex client, a near complete and workable HTML5 vSphere Client is a big plus for those who work day to day in vCenter.

The vSphere 6.7 vSphere Client has support for vSAN as well as having Update Manager fully built in. As of the recent NSX 6.4 update there is also limited NSX management. There is also a new vROps plugin…this plugin is available out-of-the-box once vROps has been linked with vCenter, and offers overview, cluster view and alert dashboards for both vCenter and vSAN directly in the vSphere Client. This is extremely handy for Service Providers who use vROps dashboards, as they no longer need to go to two different locations to get the info.

vCD and NSX Supportability:

Shifting from new features and enhancements to an important subject when talking about service provider platforms…VMware product compatibility. For those VCPP Service Providers running a Hybrid Cloud, you are most likely running a combination of vCloud Director SP and/or NSX-v, and at the moment neither supports vSphere 6.7.

Looking at vCloud Director, it appears 9.1 is supported; however, given that you need to be running NSX-v with vCD these days and NSX is not yet supported, it doesn’t make much sense to claim total compatibility.

I suspect we will see NSX-v come out with a supported build shortly…though I’m only expecting vCloud Director SP to support 6.7 from version 9.1, which will mean upgrades.

Veeam Backup & Replication Supportability: 

Veeam commits to supporting major version releases within 90 days or sooner of GA. With that in mind, Service Providers that are also VCSPs using Veeam to back up their infrastructure should not upgrade to vSphere 6.7 until Backup & Replication Update 3a is released. For those on the bleeding edge who have already updated, your only option until Update 3a ships is our Agents for Windows and Linux.

Wrapping up Part 1:

Rounding off this post, there is a fair bit to be aware of in the Known Issues section for 6.7. It’s worth reading through all the known issues just in case there are any specific ones that might impact you. In upcoming posts in this vSphere 6.7 for Service Providers series I will cover more vCenter features as well as ESXi enhancements and what’s new in Core Storage.

Happy upgrading!

References:

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-vcenter-server-67-release-notes.html

Introducing Faster Lifecycle Management Operations in VMware vSphere 6.7

Released: vSAN 6.7 – HTML5 Goodness, Enhanced Health Checks and More!

VMware has announced the general availability of vSAN 6.7. As vSAN continues to grow, VMware are very buoyant about how it’s performing in the market: with some 10,000 customers and a run rate of over $600 million, they claim to lead the hyperconverged market with a 32% share. From my point of view it’s great to see vSAN being deployed across 250 cloud providers and to have it as the cornerstone storage of the VMware Cloud on AWS solution. vSAN 6.7 focuses on an intuitive operational experience, a consistent application experience and a holistic support experience.

New Features and Enhancements:

  • HTML5 User Interface
  • Embedded vROPs plugin for HTML5 User Interface
  • Support for Windows Failover Cluster using iSCSI
  • Adaptive Resync Performance Improvements
  • Destaging Performance Improvements
  • More Efficient data placement during Host Decommissioning
  • Improved Space Efficiency
  • Faster Failover with Redundant vSAN Networks
  • Optimized Witness Traffic Separation
  • Stretched Cluster Improvements
  • Host Affinity for Next-Gen Applications
  • Health Check Enhancements
  • Enhanced Diagnostics
  • vSAN Support Insight
  • 4Kn Device Support
  • Improved FIPS 140-2 Validation Security

There are a lot of enhancements in this release and, while not as ground-breaking as the 6.6 release last year, there is still a lot to like about how VMware is improving the platform. From the list above, I’ve taken the key ones from my point of view and expanded on them a little.

HTML5 User Interface:

As has been the trend with all VMware products of late, vSAN is getting the Clarity Framework overhaul and is being included in the HTML5 vSphere Client, with new vSAN tasks and workflows developed from the ground up to simplify the experience. There is also new vSAN functionality that can only be accessed via the HTML5 client.

The legacy Flex client will still be available for use, and it’s worth noting that this is not a direct port of the Flex interface but a rebuild from the ground up. This has resulted in a more efficient experience for the user, with fewer clicks and less time to action items. Any new features or enhancements will only appear in the new HTML5 UI.

Support for Windows Failover Cluster using iSCSI:

A few weeks back I posted about how you could use vSAN as a Veeam repository using the iSCSI feature. With vSAN 6.7 there is official support for Windows Failover Clustering using the vSAN iSCSI service. Lots of people still run MSCS and a lot still use traditional clustering. The support covers physical and virtual guest iSCSI initiators and includes transparent failover of clusters with vSAN iSCSI volumes.

I’m not sure if this now means that iSCSI volumes are supported as Veeam Cloud Repositories…but I will confirm either way.

Adaptive Resync Performance Improvements:

vSAN 6.7 introduces a new Adaptive Resync feature that makes sure resources are available for both VM IO and resync IO. This ensures that under IO stress certain traffic types are not starved of resources, and allows more bandwidth to be used during periods of less contention. Under contention, resync IO is guaranteed at least 20% of the bandwidth, and if no resync traffic exists, VM IO may consume 100%. This effectively regulates reads and writes to ensure an optimal balance between VM and resync IO.

Destaging Performance Improvements:

vSAN 6.7 also looks to deliver more consistent performance through optimizations in the data path. With faster destaging, data drains more quickly from the write buffer to the capacity tier, which makes the buffer tier available for new IO sooner. This is done via improved in-memory handling of IO during destaging, delivering higher throughput and more consistency, which in turn improves the overall performance of both VM and resync IO.

More Efficient data placement during Host Decommissioning:

When putting a host into maintenance mode or decommissioning a host, you need to select the evacuation type for the objects on that host, which can take time depending on the amount of data. vSAN 6.7 builds on improvements introduced in 6.6 that consolidate replicas living across multiple hosts while maintaining FTT compliance. It looks for the smallest component to move, which results in less data being rebuilt and less temporary space usage. vSAN now provides more intelligence behind the data movement to reduce the time and effort it takes to put a host into maintenance mode.
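For anyone scripting host decommissioning, the evacuation type can also be set programmatically. Below is a hedged pyVmomi sketch that enters maintenance mode with an explicit vSAN object evacuation mode; the vCenter and host names and credentials are placeholders.

```python
# Hedged sketch: enter maintenance mode with an explicit vSAN evacuation mode via pyVmomi.
# vCenter/host names and credentials are placeholders.
import ssl
from pyVim.connect import SmartConnect, Disconnect
from pyVmomi import vim

ctx = ssl._create_unverified_context()  # lab only
si = SmartConnect(host="vcenter.lab.local", user="administrator@vsphere.local",
                  pwd="********", sslContext=ctx)
content = si.RetrieveContent()
view = content.viewManager.CreateContainerView(content.rootFolder, [vim.HostSystem], True)
host = next(h for h in view.view if h.name == "esxi01.lab.local")

# vSAN object evacuation mode: "ensureObjectAccessibility", "evacuateAllData" or "noAction"
spec = vim.host.MaintenanceSpec(
    vsanMode=vim.vsan.host.DecommissionMode(objectAction="ensureObjectAccessibility")
)
task = host.EnterMaintenanceMode_Task(timeout=0, evacuatePoweredOffVms=True,
                                      maintenanceSpec=spec)
print("Maintenance mode task:", task.info.key)

view.DestroyView()
Disconnect(si)
```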

Improved Space Efficiency:

In previous vSAN versions the VM swap object was always thick provisioned, even if the VM itself was thin. In vSAN 6.7 it is thin by default and also inherits the policy from the VM, so that the FTT of the swap object is consistent with the VM, which results in more efficient storage. Previously, large environments would suffer from a large number of swap objects taking up a disproportionate amount of space.

 

Conclusion:

vSAN continues to be improved by VMware, and they have addressed some core usability and efficiency features in this 6.7 release. The move to the HTML5 client was expected but is still good to see, while the enhancements in resync and destaging all contribute to platform stability. The enhanced health checks add a new dimension to vSAN troubleshooting, and vSAN Support Insight gives users a better view of what’s happening on their instances.

References:

Pre release information and images sourced via VMware EABP

https://blogs.vmware.com/virtualblocks/2018/04/17/whats-new-vmware-vsan-6-7/

 

 

Released: NSX-v 6.3.6

Last week VMware released NSX-v 6.3.6 (Build 8085122), which doesn’t contain any new features but addresses a number of bugs from previous releases. This has been released independently of NSX-v 6.4.0, which went GA in January.

This is good to see, though it’s also interesting that people are clearly not upgrading to 6.4.0 in droves, meaning VMware needs to support both versions. Going through the release notes there are a lot of known issues worth being aware of, and more than a few apply to service providers.

Some key fixes are listed below:

Important Fixes :

  • Network outage of ~40-50 seconds seen on Edge Upgrade – During Edge upgrade, there is an outage of approximately 40-50 seconds
  • After upgrading to 6.3.5, the routing loop between DLR and ESG’s causes connectivity issues in certain BGP configurations –  A routing loop is causing a connectivity issue
  • NSX Manager CPU high due to edge in read-only file system mode – NSX Manager is slow to respond because it keeps 100% CPU and receives a lot of read-only file system events from edge.
  • After upgrade from vCNS Edge 5.5.4 to NSX 6.3.6, customers could not configure the Health-Check-Monitor port nor make any changes directly from vCD
  • Distributed Firewall stays in Publishing state with certain firewall configurations – Distributed Firewall stays in “Publishing” state if you have a security group that contains an IPSet with 0.0.0.0/0 as an EXCLUDE member, an INCLUDE member, or as a part of ‘dynamic membership containing Intersection (AND)’

Those with the correct entitlements can download NSX-v 6.3.6 here.

References:

https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.3/rn/releasenotes_nsx_vsphere_636.html

Setting up vSAN iSCSI and using it as a Veeam Repository

Probably one of the least talked about features of vSAN is its ability to serve out iSCSI volumes. The feature was released with vSAN 6.5, was primarily focused on physical workloads, and is easily configurable via the vSphere Web Client. iSCSI targets on vSAN are managed the same as any other vSAN objects using Storage Policy Based Management (SPBM). Deduplication, compression, mirroring, and erasure coding can be utilized with the iSCSI target service, as can CHAP and Mutual CHAP authentication.

Of late, I’ve been asked by service providers about using object storage platforms as Veeam Backup & Replication repositories. There are a lot of options out there, but someone asked specifically about using vSAN. In theory you could just use a VMDK on a vSAN datastore, but I thought it would be interesting to look at using iSCSI to mount a volume and use it as a repository.

Initial iSCSI Configuration for vSAN:

The first thing we need to do is enable the iSCSI Target service from the vSphere Web Client. Under the Cluster Configuration tab, in the iSCSI Target menu, you need to enable the iSCSI service. Select the default iSCSI network kernel interface, then modify the iSCSI port and add security if desired. Take note of the info message around using the Storage Policy for the home object.

From there we set up a new iSCSI Target. Here you will be given the IQN, and we give the target an alias. This window also lets us create the first LUN on the iSCSI Target. The LUN ID can be specified along with an alias and, finally, the size. Just like creating a new VMDK on a vSAN datastore, we are shown the storage consumption of the object depending on the Storage Policy chosen.

Once completed under the iSCSI Target pane we see the details of the Target and LUN just created. Take note of the I/O Owner Host as that is what we will be using later on as the iSCSI Target from the Veeam repository server.

Configuring Host access and setting iSCSI Access Permissions:

On the creation of a LUN there is a default policy that allows all initiator sources to connect to it. To create specific permissions for host access, and to also create access groups, you first need to enable the iSCSI initiator on the hosts. For that, I’ve got a Windows VM (note that only physical servers are officially supported) with Veeam Backup & Replication installed on it. To connect to the iSCSI network we have to add an additional vNIC that’s hooked into a PortGroup configured with the vSAN iSCSI VLAN.

Below we can see the VMkernel configuration and IP address of the I/O Owner host.

I’ve created a new PortGroup for the new vNIC to be attached to and added it to the VM.
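For anyone scripting that step, a rough pyVmomi equivalent is below; the VM name, port group name and credentials are placeholders, and the sketch assumes a standard vSwitch port group.

```python
# Hedged sketch: add a second vmxnet3 NIC on the iSCSI port group to the repository VM.
# VM name, port group name and credentials are placeholders.
import ssl
from pyVim.connect import SmartConnect, Disconnect
from pyVmomi import vim

ctx = ssl._create_unverified_context()  # lab only
si = SmartConnect(host="vcenter.lab.local", user="administrator@vsphere.local",
                  pwd="********", sslContext=ctx)
content = si.RetrieveContent()

def find_by_name(vimtype, name):
    view = content.viewManager.CreateContainerView(content.rootFolder, [vimtype], True)
    try:
        return next(obj for obj in view.view if obj.name == name)
    finally:
        view.DestroyView()

vm = find_by_name(vim.VirtualMachine, "veeam-repo-01")   # placeholder VM name
pg = find_by_name(vim.Network, "vSAN-iSCSI")             # placeholder port group name

nic = vim.vm.device.VirtualVmxnet3()
nic.backing = vim.vm.device.VirtualEthernetCard.NetworkBackingInfo(network=pg,
                                                                   deviceName=pg.name)
nic.connectable = vim.vm.device.VirtualDevice.ConnectInfo(startConnected=True,
                                                          allowGuestControl=True)

spec = vim.vm.ConfigSpec(deviceChange=[
    vim.vm.device.VirtualDeviceSpec(
        operation=vim.vm.device.VirtualDeviceSpec.Operation.add, device=nic)
])
task = vm.ReconfigVM_Task(spec=spec)
print("Reconfigure task:", task.info.key)
Disconnect(si)
```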

From there we need to start the Microsoft iSCSI Initiator service which will give us the Initiator name we need to configure host access in the vSphere Web Client. Note that we should also install and enable MPIO for iSCSI if not installed as a Windows Feature.

Under the iSCSI Initiator Groups menu in the Cluster Configuration tab you can add the initiator to a new group. This can contain one or many hosts as you would expect in any iSCSI initiator group configuration.

Once that’s been done we have to allow that new group access to the target where the LUN is contained. Under the iSCSI Target menu and under Target Details in the lower pane click on the + icon and add the group as an allowed initiator.

From here we can go back to the Windows VM and connect to the iSCSI Target. We are using the IP address of the host that was highlighted above in the initial configuration.

Once done we should have a connected disk that’s visible in the Devices configuration of the iSCSI Initiator.

Configuring new iSCSI Volume as Veeam Repository:

From here the process to set up a Veeam repository based on the vSAN iSCSI LUN is straightforward. First we need to bring the volume online and create a partition. As you can see below, the disk is of Bus Type iSCSI and its Name is VMware Virtual SAN.

As for the partition configuration, I’ve set it up as shown below, with ReFS used as the file system.

From here we can head into the Backup & Replication console and create a new Repository with the new volume selected.

Performance and Limitations:

Once configured I was interested in seeing how a vSAN iSCSI connected volume performed against a native vSAN disk. The results below show that there is a significant performance hit when going via iSCSI. This seems logical, as in addition to the iSCSI overheads, a native VMDK on vSAN is hooked into the ESXi kernel directly and should achieve close to line-speed data transfer rates.

Below are the configuration maximums for vSAN iSCSI:

  • Maximum 1024 LUNs per vSAN cluster
  • Maximum 128 targets per vSAN cluster
  • Maximum 256 LUNs per target
  • Maximum LUN size of 62TB
  • Maximum 128 iSCSI sessions per host
  • Maximum 4096 iSCSI IO queue depth per host
  • Maximum 128 outstanding writes per LUN
  • Maximum 256 outstanding IOs per LUN
  • Maximum 64 client initiators per LUN

So the max size of an iSCSI LUN matches the max size of a VMDK. Therefore, when considering iSCSI as a possible option for Veeam backups, Scale-Out Backup Repositories should be used to enable the adding of extents once that limit is reached.

There are also limitations on official support for virtual machines and other platforms:

  • Currently not supported for implementation for Microsoft clusters.
  • Currently not supported for use as a target for other vSphere hosts.
  • Currently not supported for use with third party hypervisors.
  • Currently not supported for use with virtual machines.

So if this becomes a consideration, physical servers will need to be used in order to gain support.

Conclusion:

So after all is said and done, we have a Veeam repository that is now sitting on vSAN via iSCSI. The question remains whether this is a good application of vSAN, or whether it’s worth looking at as an option, however the option is now there. Again, you may be able to look at the native VMDK option, but I like the flexibility of iSCSI for physical repositories at the moment.

Probably the biggest consideration for using vSAN iSCSI as a Veeam repository is the design of the vSAN Cluster. vSAN has not traditionally been considered for storage only purposes, however you could put together some low compute nodes with large disk groups that would present decent storage for repository purposes.

In using vSAN you have the benefit of knowing your data is redundant across multiple nodes as per the vSAN Storage Policies. This is the benefit of using object storage like vSAN as a Veeam Repository.

References:

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.virtualsan.doc/GUID-13ADF2FC-9664-448B-A9F3-31059E8FC80E.html 

https://kb.vmware.com/kb/2148216

 

vExpert 2018 – The Value Remains!

After a longer than expected deliberation period, the vExpert class of 2018 was announced late last Friday (US time). I’ve been a vExpert since 2012, with 2018 marking my seventh year in the program. I’ve written a lot about the program over the past three or four years, since its “perceived” value started to go downhill. I’ve criticised parts of the program around the relative ease with which some people were accepted, and also the apparent inability for numbers to be better managed.

However, make no mistake, I am still a believer in the value of the vExpert program, and more importantly I have come to realise over the past few years (solidified over the past couple of months) that, beyond the advocacy component that’s critical to the program’s existence, people continue to hold the program in extremely high regard.

There are a large number of vExperts who expect entry year after year, and rightly so; in truth there are a large number that legitimately deserve membership. But there are others who have struggled to be accepted year after year, and for whom acceptance into the program represents a significant achievement.

That is to say that while many established vExperts assume entry, there are a number of people that aspire to it. This is an important indicator of the strength of the program and of the continued high regard in which the vExpert program should be held. It’s easy to criticise from the inside, however that can’t be allowed to tarnish the reputation of the program externally.

This is a great program and one that is valued by the majority of those who actively participate. VMware still commands a loyal community base and the vExperts lead from the front in this regard. Remember, it’s all about the advocacy!

Well done again to the team behind the scenes…the new website is testament to the program moving forward. The vExpert team are critical to the success of the program, and having been part of the much smaller Veeam Vanguard program, I have a lot of respect for the effort that goes into sorting through two thousand odd applications and renewals.

And finally, well done to those first-time vExperts! Welcome aboard!

——-

For those wondering, here are the official benefits of the program:

  • Invite to our private #Slack channel
  • vExpert certificate signed by our CEO Pat Gelsinger.
  • Private forums on communities.vmware.com.
  • Permission to use the vExpert logo on cards, website, etc for one year
  • Access to a private directory for networking, etc.
  • Exclusive gifts from various VMware partners.
  • Private webinars with VMware partners as well as NFRs.
  • Access to private betas (subject to admission by beta teams).
  • 365-day eval licenses for most products for home lab / cloud providers.
  • Private pre-launch briefings via our blogger briefing pre-VMworld (subject to admission by product teams)
  • Blogger early access program for vSphere and some other products.
  • Featured in a public vExpert online directory.
  • Access to vetted VMware & Virtualization content for your social channels.
  • Yearly vExpert parties at both VMworld US and VMworld Europe events.
  • Identification as a vExpert at both VMworld US and VMworld EU.

Released: vCloud Director 9.1 – New HTML5 Features, vCD-CLI and more!

Overnight VMware released vCloud Director 9.1 (build 7905680), which builds on the 9.0 release that came out last September. This continues to deliver on VMware’s promise to release major vCD updates every six months or so. On the surface, this update contains fewer big-ticket items than the 9.0 release; however, the enhancements included are actually significant and continue to build on where 9.0 left off.

New Features and Enhancements:

  • Enhanced Tenant Portal
  • HTML Provider Portal
  • User Interface Extensibility
  • Service Integration
  • Standalone VMRC
  • Multi-Site Management View
  • SR-IOV
  • FIPS Mode
  • Python SDK
  • vCD-CLI
  • vRealize Orchestrator Integration

Enhanced Tenant Portal:

The new Tenant UI features include vApp and Catalog enhancements, while delivering on probably the biggest pain point with the Flex UI tenant portal…OVF/OVA management. We now have native upload and download integration without the need for the Client Integration Plugin.

You also now get an overview of resources consumed in your Virtual Datacenters, as well as a view of the multiple-organisation feature introduced in 9.0.

HTML Provider Portal:

A new Provider Portal has been seeded in this release and at the moment it can only be used for the new vRealize Orchestrator extensibility functionality. The administrator clicks the import workflow button, selects the vRO instance, and then chooses all the workflows they would like to import. On that note, there is an updated vRO plug-in that allows both providers and tenants to automate tasks from the portal, which is an excellent feature.

There is also a new workflow for the provision of standalone VMs and vApps.

Standalone VMRC:

If the management of OVAs/OVFs wasn’t the number one pain point with the Flex UI, then the next one would have to be the pain caused by the lack of functionality in the console window. An HTML5 VM console is supported in version 9.0, but 9.1 now adds support for the standalone VMware Remote Console. The VMRC provides more functionality for the tenant, significantly improves access to VM consoles and gives greater flexibility when accessing VMs.

vCD-CLI:

I’ve blogged about the old VCA-CLI on a number of occasions, and it’s great to see the project officially brought back into the vCD world. Development stopped for a while with the demise of vCloud Air, however I’m glad to see it picked up again as it’s a great tool for managing vCloud Director tenant organisations and objects from the command line without having to get stuck into the APIs directly. It’s also used by the new Container Service Extension that has been released alongside this release of vCD.

Compatibility with Veeam, vSphere 6.5 and NSX-v 6.4.x:

vCloud Director 9.1 is compatible with vSphere 6.5 Update 1 and NSX-v 6.4, and supports interoperability with other versions as shown in the VMware Product Interoperability Matrix. With regard to Veeam support, I am sure that our QA department will be testing the 9.1 release against our integration pieces at the first opportunity they get, but as of now there is no ETA on official support.

A list of known issues can be found in the release notes.

Conclusion:

Overall this is a very strong release with a lot of emphasis on extensibility behind the visual enhancements and functionality of the ever evolving HTML Tenant UI. As usual, I’ll look to write a few more blog posts on specific 9.1 features over the next couple of weeks.

There is a White Paper where you can find more details about what’s contained in the 9.1 release. Tom Fojta and Daniel Paluszek of VMware have what’s new blog posts as well.

#LongLivevCD

References:

https://blogs.vmware.com/vcloud/files/2018/03/vcd91newfeatureswp.pdf

VMware vCloud Director 9.1 is out!

VMware Cloud Briefing Roundup – VMware Cloud on AWS and other Updates

VMware held its first-ever VMware Cloud Briefing today. This is an online, global event with an agenda featuring a keynote from Pat Gelsinger, new announcements and demos relating to VMware Cloud, as well as discussions on cloud trends and market momentum. Key to the messaging is the fact that applications are driving cloud initiatives, whether that be by delivering new SaaS or cloud applications, extending networks beyond traditional barriers, or modernizing the datacenter.

The VMware Cloud is looking like a complete vision at this point and the graphic below highlights that fact. There are multiple partners offering VMware based Cloud Infrastructure along with the Public Cloud and SaaS providers. On top of that, VMware now talks about a complete cloud management layer underpinned by vSphere and NSX technologies.

VMware Cloud on AWS Updates:

The big news on the VMware Cloud on AWS front is that there is a new UK based service offering and continued expansion into Germany. This will extend into the APAC region later in the year.

VMware Cloud on AWS will also have support for stretch clusters using the same vSAN and NSX technologies used on-premises on top of the underlying AWS compute and networking platform. This looks to extend application uptime across AWS Availability Zones within AWS regions.

This will feature:

  • Zero RPO high Availability across AZs
  • Built into the infrastructure layer with synchronous replication
  • Stretched Cluster with common logical networks with vSphere HA/DRS
  • If an AZ goes down it’s treated as an HA event and impacted VMs are restarted in the other AZ

They are also adding vSAN Compression and Deduplication for VMware Cloud on AWS services which in theory will save 40% in storage.

VMware Cloud Services Updates:

Hybrid Cloud Extension (HCX), first announced at VMworld last year, has a new on-premises offering and is expanding availability through VMware Cloud Provider Partners. This includes VMware Cloud on AWS, IBM Cloud and OVH. The promise here is any-to-any vSphere migration that works across versions while remaining secure. We are talking about hybridity here!

Log Intelligence is an interesting one…it looks like Log Insight delivered as a SaaS application. It is a real-time big data log management platform for VMware Cloud on AWS, adding real-time visibility into infrastructure and application logs for faster troubleshooting. It supports any syslog source and will, in theory, ingest over the internet.

Cost Insight is an assessment tool for private cloud to VMware Cloud on AWS migration. It calculates the VMware Cloud on AWS capacity required to migrate from on-premises to VMC. It also integrates with Network Insight to calculate networking costs during migration.

Finally there is an update to Wavefront that expands inputs and integrations to enhance visibility and monitoring. There are 45 new integrations, monitoring of native AWS services and integration into vRealize Operations.

You can watch the whole event here.

NSX Bytes: Updated – NSX Edge Feature and Performance Matrix

For a few years now I’ve been compiling features and throughput numbers for NSX Edge Services Gateways. This started off comparing features and performance metrics between vShield Edges and NSX Edges. As the product evolves, so do its capabilities, and given that the last time I updated this was around the time of NSX-v 6.2, I thought it was time for an update.

A reminder that VMware announced the End of Availability (EOA) of VMware vCloud Networking and Security 5.5.x, which kicked in on September 19, 2016, and that from vCloud Director 8.10 and above vShield Edges are no longer supported…hence why I don’t have the VSE listed in the tables. For those still running VSEs for whatever reason, you can reference my original post here.

As a refresher…what is an Edge device?

The Edge Services Gateway (NSX-v) connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, dynamic routing, and Load Balancing. Common deployments of Edges include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the Edge creates virtual boundaries for each tenant.

The following are the ESG maximums per NSX Manager and per ESXi host.

  • ESGs per NSX Manager: 2,000
  • ESGs per ESXi host: 250
  • ESG interfaces: 10 (including internal, uplink and trunk)
  • ESG subinterfaces: 200
The function of an ESG is as follows:

The ESG gives you access to all NSX Edge services such as firewall, NAT, DHCP, VPN, load balancing, and high availability. You can install multiple ESG virtual appliances in a datacenter. Each ESG virtual appliance can have a total of ten uplink and internal network interfaces. With a trunk, an ESG can have up to 200 subinterfaces. The internal interfaces connect to secured port groups and act as the gateway for all protected virtual machines in the port group. The subnet assigned to the internal interface can be a publicly routed IP space or a NATed/routed RFC 1918 private space. Firewall rules and other NSX Edge services are enforced on traffic between network interfaces.

Below is a list of services provided by the NSX Edge.

  • Firewall: Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection of all protocols
  • NAT: Separate controls for source and destination IP addresses, as well as port translation
  • DHCP: Configuration of IP pools, gateways, DNS servers, and search domains
  • Site-to-Site VPN: Uses standardized IPsec protocol settings to interoperate with all major VPN vendors
  • SSL VPN: SSL VPN-Plus enables remote users to connect securely to private networks behind an NSX Edge gateway
  • Load Balancing: Simple and dynamically configurable virtual IP addresses and server groups
  • High Availability: Ensures an active NSX Edge on the network in case the primary NSX Edge virtual machine is unavailable
  • Syslog: Syslog export for all services to remote servers
  • L2 VPN: Provides the ability to stretch your L2 network
  • Dynamic Routing: Provides the necessary forwarding information between layer 2 broadcast domains, allowing you to decrease layer 2 broadcast domains and improve network efficiency and scale; also provides North-South connectivity, enabling tenants to access public networks

Below is a table that shows the different sizes of each Edge appliance and what (if any) impact size has on the performance of each service. As a disclaimer, the numbers below have been cherry-picked from different sources and are subject to change.

| Item | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) |
| vCPU | 1 | 2 | 4 | 6 |
| Memory | 512MB | 1GB | 1GB | 8GB |
| Disk | 512MB | 512MB | 512MB | 4.5GB + 4GB |
| Interfaces | 10 | 10 | 10 | 10 |
| Sub Interfaces (Trunk) | 200 | 200 | 200 | 200 |
| NAT Rules | 2,048 | 4,096 | 4,096 | 8,192 |
| ARP Entries (until overwrite) | 1,024 | 2,048 | 2,048 | 2,048 |
| FW Rules | 2,000 | 2,000 | 2,000 | 2,000 |
| FW Performance | 3Gbps | 9.7Gbps | 9.7Gbps | 9.7Gbps |
| DHCP Pools | 20,000 | 20,000 | 20,000 | 20,000 |
| ECMP Paths | 8 | 8 | 8 | 8 |
| Static Routes | 2,048 | 2,048 | 2,048 | 2,048 |
| LB Pools | 64 | 64 | 64 | 1,024 |
| LB Virtual Servers | 64 | 64 | 64 | 1,024 |
| LB Servers / Pool | 32 | 32 | 32 | 32 |
| LB Health Checks | 320 | 320 | 320 | 3,072 |
| LB Application Rules | 4,096 | 4,096 | 4,096 | 4,096 |
| L2VPN Clients (Hub to Spoke) | 5 | 5 | 5 | 5 |
| L2VPN Networks per Client/Server | 200 | 200 | 200 | 200 |
| IPSec Tunnels | 512 | 1,600 | 4,096 | 6,000 |
| SSLVPN Tunnels | 50 | 100 | 100 | 1,000 |
| SSLVPN Private Networks | 16 | 16 | 16 | 16 |
| Concurrent Sessions | 64,000 | 1,000,000 | 1,000,000 | 1,000,000 |
| Sessions/Second | 8,000 | 50,000 | 50,000 | 50,000 |
| LB Throughput (L7 Proxy) | – | 2.2Gbps | 2.2Gbps | 3Gbps |
| LB Throughput (L4 Mode) | – | 6Gbps | 6Gbps | 6Gbps |
| LB Connections/s (L7 Proxy) | – | 46,000 | 50,000 | 50,000 |
| LB Concurrent Connections (L7 Proxy) | – | 8,000 | 60,000 | 60,000 |
| LB Connections/s (L4 Mode) | – | 50,000 | 50,000 | 50,000 |
| LB Concurrent Connections (L4 Mode) | – | 600,000 | 1,000,000 | 1,000,000 |
| BGP Routes | 20,000 | 50,000 | 250,000 | 250,000 |
| BGP Neighbors | 10 | 20 | 100 | 100 |
| BGP Routes Redistributed | No Limit | No Limit | No Limit | No Limit |
| OSPF Routes | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF LSA Entries (Max 750 Type-1) | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF Adjacencies | 10 | 20 | 40 | 40 |
| OSPF Routes Redistributed | 2,000 | 5,000 | 20,000 | 20,000 |
| Total Routes | 20,000 | 50,000 | 250,000 | 250,000 |

Of interest from the above table: there are no load balancing performance numbers for the NSX Compact Edge…take that to mean that if you want to do any sort of load balancing you will need NSX Large and above. To finish up, below is a table describing the use case for each NSX Edge size.

  • NSX Edge (Compact): Small deployments, POCs and single-service use
  • NSX Edge (Large): Small/medium DC or multi-tenant
  • NSX Edge (Quad-Large): High-throughput ECMP or high-performance firewall
  • NSX Edge (X-Large): L7 load balancing, dedicated core

The Quad-Large model is suitable for high-performance firewall use and the X-Large is suitable for both high-performance load balancing and routing. You can convert between NSX Edge service gateway sizes on demand using a non-disruptive upgrade process, so the recommendation is to begin with the Large model and scale up if necessary. A Large NSX Edge service gateway is suitable for medium firewall performance, though keep in mind that in most NSX designs the ESG does not perform the majority of firewall functions, as east-west traffic is handled by the Distributed Firewall.
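For Service Providers wanting to audit what edges are deployed before planning any resize, the NSX-v REST API can list the configured edges. The sketch below is a rough example against the /api/4.0/edges endpoint; the NSX Manager address, credentials and the exact XML element names are assumptions to verify against the API guide for your NSX-v version.

```python
# Hedged sketch: list deployed NSX Edges via the NSX-v REST API before planning a resize.
# NSX Manager address and credentials are placeholders; XML element names are assumptions.
import requests
import xml.etree.ElementTree as ET

NSX = "https://nsxmanager.lab.local"
resp = requests.get(f"{NSX}/api/4.0/edges", auth=("admin", "********"), verify=False)  # lab only
resp.raise_for_status()

root = ET.fromstring(resp.text)
for edge in root.iter("edgeSummary"):
    print(edge.findtext("objectId"), edge.findtext("name"), edge.findtext("edgeType"))
```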

References:

https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/NSX%20for%20vSphere%20Recommended%20Configuration%20Maximums_64.pdf

https://docs.vmware.com/en/VMware-Validated-Design/4.2/com.vmware.vvd.sddc-design.doc/GUID-FCEA948E-7F8B-4FF0-857B-12D6E045BF1D.html

Released: Runecast Analyzer 1.7 with vSAN Support

Runecast has released version 1.7 of their Analyzer today, adding support for VMware vSAN. Using a number of resources from VMware’s knowledge base, Runecast offers a platform that checks best practices, log information and security hardening guides to monitor your vSphere infrastructure, bringing issues to your attention through a simple yet intuitive interface. This now extends to vSAN as well. Also in this release are an improved dashboard called the VMware Stack view and an improved vSphere client plugin.

Version 1.7 focuses on VMware vSAN support and proactive issue detection with remediation. vSAN, having gained the market lead in the HCI space, is more commonly deployed as the storage component in vSphere environments these days. It is critical to not only monitor performance but also keep the vSAN configuration in the best condition and prevent future failures or outages.

Runecast Analyzer v1.7 scans vSAN clusters and looks at cluster configurations against a large database of VMware Knowledge Base and Best Practices rules. This results in the ability to list issues and then offer suggestions on how to fix those issues which may affect vSAN availability or functionality. This acts as a good way to stop issues before they become more serious problems that impact environments.

As mentioned, version 1.7 also offers an upgraded vSphere Client plugin, and as you can see below the integration with the HTML5 client is tight.

Finally, I wanted to highlight the new VMware Stack dashboard. This new visual component aims to quickly prioritize which problem to solve and where it exists. The VMware stack contains five layers: Management, VM, Compute, Network and Storage. Runecast prioritizes and sorts all detected problems into those five categories so an admin can easily see where the critical issues are and what risk they pose.

Overall for those that have vSAN in their environments I would recommend a look at this release. The guys at Runecast are taking a unique approach to monitoring and I’m looking forward to future releases as they expand even more beyond vSphere and vSAN.

The latest version is available for a free 14-day trial.
