Tag Archives: vCD SP

Adding Let’s Encrypt SSL Certificate to vCloud Director Keystore

For the longest time the configuring of vCloud Director’s SSL certificate keystore has been the thing that makes vCD admins shudder. There are lots of posts on the process…some good…some not so good. I even have a post from way back in 2012 about fronting vCD with a Citrix NetScaler and if I am honest, I cheated in having HTTPS at the load balancer deal with the SSL certificate while leaving vCD configured with the self signed cert. With the changes to the way the HTML5 Tenant Portal deals with certs and DNS I’m not sure that method would even work today.

I wanted to try and update the self signed certs in both my lab environments to assist in resolving the No Datacenters are available issue that cropped up in vCD 9.1. Instead of generating and using self signed certs I decided to try use Let’s Encrypt signed certs. Most of the process below is curtesy of blog posts from Luca Dell’Oca and it’s worth looking at this blog post from Tom Fojta who has a PowerShell script to automate Let’s Encrypt SSL certs for us on NSX Edge load balancers.

In my case, I wanted to install the cert directly into the vCD Cell Keystore. The manual end to end the process is listed below. I intend to try and automate this process so as to overcome the one constraint with using Let’s Encrypt…that is the 90 day lifespan of the certs. I think that is acceptable and it ensures validity of the SSL cert and a fair caveat given the main use case for this is in lab environments.

Generating the Signed SSL Cert from Let’s Encrypt:

To complete this process you need the ACMESharp PowerShell module. There are a couple of steps to follow which include registering the domain you want to create the SSL cert against, triggering a verification challenge that can be done by creating a domain TXT record as shown in the output of the challenge command. Once submitted, you need to look out for a Valid Status response.

Once complete, there is a script that can be run as show on Luca’s Blog. I’ve added to the script to automatically import the newly created SSL cert into the Local Computer certificate store.

From here, I exported the certificate with the private key so that you are left with a PFX file. I also saved to Base-64 X.509 format the Root and Intermediate certs that form the whole chain. This is required to help resolve the No Datacenters are available error mentioned above. Upload the three files to the vCD cell and continue as shown below.

Importing Signed SSL from Let’s Encrypt into vCD Keystore:

Next, the steps to take on the vCD Cell can be the most complex steps to follow and this is where I have seen different posts do different things. Below shows the commands from start to finish that worked for me…see inline for comments on what each command is doing.

Once that has been done and the vCD services has restarted, the SSL cert has been applied and we are all green and the Let’s Encrypt SSL cert is in play.

Released: vCloud Director 9.1 – New HTML5 Features, vCD-CLI and more!

Overnight VMware released vCloud Director 9.1 (build 7905680) which builds on the 9.0 release that came out last September. This continues to deliver on VMware’s promise to release major vCD updates every six months or so. This update, on the surface contains fewer big ticket items than the 9.0 release however the enhancements included are actually significant and continue to build on where 9.0 left off.

New Features and Enhancements:
  • Enhanced Tenant Portal
  • HTML Provider Portal
  • User Interface Extensibility
  • Service Integration
  • Standalone VMRC
  • Multi-Site Management View
  • SR-IOV
  • FIPS Mode
  • Python SDK
  • vCD-CLI
  • vRealize Orchestrator Integration
Enhanced Tenant Portal:

The new Tenant UI features include vApp and Catalog enhancements while delivering on probably the biggest pain point with the Flex UI tenant portal…that is OFV/OVA management. We now have native upload and download integration without the need for the client integration plugin.

You now also get an overview of resources consumed in your Virtual Datacenters and also get a view of the multiple organisation feature introduced into 9.0.

A new Provider Portal has been seeded in this release and at the moment can only be used for the new vRealise Orchestrator extensibility functionality. The administrator can import workflows from vRO through the import option. An administrator clicks the import workflow button, selects the vRO instance, and then chooses all the workflows they would like to import. On that note, there is an updated vRO Plug-In that allows both providers and tenants to automate tasks from the portal which is an excellent feature.

There is also a new workflow for the provision of standalone VMs and vApps.

Standalone VMRC:

If the management of OVAs/OVFs wasn’t the number one pain point with the FlexUI then the next one would have had to be the pain caused by the lack of functionality in the Console window. A HTML VM console is supported in version 9.0, but 9.1 now adds support for standalone VMware Remote Console. The VMRC provides more functions such for the tenant and significantly improves access to the VM consoles and gives greater flexibility accessing the VMs.

vCD-CLI:

I’ve blogged about the old VCA-CLI on a number of occasions and it’s great to see the project officially brought back into the vCD world. Development on this stopped for a while with the demise of vCloud Air, however I’m glad to see it picked up on as it’s a great tool for managing vCloud Director tenant Organisations and objects from a command line without having to get stuck into the APIs directly. It’s also used for the new Container Services Extension that has also been released side by side with this release of vCD.

Compatibility with Veeam, vSphere 6.5 and NSX-v 6.4.x:

vCloud Director 9.1 is compatible with vSphere 6.5 Update 1 and NSX-v 6.4 and supports full interoperability with other versions as shown in the VMware Product Interoperability Matrix. With regards to Veeam support, I am sure that our QA department will be testing the 9.1 release against our integration pieces at the first opportunity they get, but as of now, there is no ETA on offical support.

A list of known issues can be found in the release notes.

Conclusion:

Overall this is a very strong release with a lot of emphasis on extensibility behind the visual enhancements and functionality of the ever evolving HTML Tenant UI. As usual, I’ll look to write a few more blog posts on specific 9.1 features over the next couple of weeks.

There is a White Paper where you can find more details about what’s contained in the 9.1 release. Tom Fojta and Daniel Paluszek VMware have a what’s new blog posts as well.

#LongLivevCD

References:

https://blogs.vmware.com/vcloud/files/2018/03/vcd91newfeatureswp.pdf

VMware vCloud Director 9.1 is out!

Released: vCloud Director 9.0.0.2 – Important Networking Fixes!

Last week VMware put out a new point release for vCloud Director 9.0 (Build 7553273) for Service Providers. While there is nothing new in this release there are a significant number of resolved issues as listed in the release notes. One thing to mention is that even though this was released during a similar timeframe to NSX-v 6.4 there is no offical compatibility just yet.

Reading through the list of resolved issues there where some pretty impactful errors that seem to be related mostly to NSX operations and networking in general.

  • Deleting a Provider VDC can corrupt VXLAN network pools that are in use After you delete a Provider VDC, its associated VXLAN network pool becomes unusable by organization VDCs backed by other Provider VDCs.
  • The Redeploy an Edge Gateway from vCloud Director task succeeds instantly but the Edge does not actually redeploy in NSX When you attempt to redeploy an Edge Gateway from vCloud Director, the API initiates a task in vCloud Director and in vCenter Server but does not send a redeploy request to the NSX server. As a consequence, the Edge Gateway does not redeploy.
  • Registration of an NSX Server fails when you supply the credentials of an SSO user vCloud Director SSO users are not authorized to access an NSX endpoint required for registration, so registration fails.
  • Changes on Edge Gateway Services are not synchronized between vCloud Director and NSX When you modify one of the Edge Gateway Services, for example by creating a Static Route, the change is saved on the vCloud Director side but cannot be saved on the NSX server.
  • Creating or updating a firewall rule for an Advanced Gateway Portal with enabling the Show only user-defined rules toggle causes the action of the default firewall rule to change. When you create a new firewall rule or update an existing rule for an Advanced Gateway Portal, if you enable the Show only user-defined rules toggle, the action of the default firewall rule changes incorrectly to match the last modified rule.
  • Deleting an external network that uses a distributed virtual port group with a Private VLAN does not work When you try to delete an external network that is liked to a private VLAN associated with a distributed virtual port group (dvPortgroup), the deletion fails with an InternalError: Only single VLAN or trunk VLAN is supported error message.
  • You cannot add a DNAT rule configuring an original or a translated port or port range through the tenant portal When you attempt to add a DNAT rule from the Edge Gateway screen in the tenant portal, you cannot enter either a port or a port range in the Original Port and the Translated Port text boxes.
  • Creating a SNAT or a DNAT network rule by using a public IP address that is not associated to a particular network interface fails When you try to create a SNAT or a DNAT network rule for either an internal or an external interface in vCloud Director, if the public IP address is not added to a particular network interface, you receive a the following error message:
  • Configuring a static route fails if you set the gateway of an external network as a next hop IP address When you configure a static route for an organization network, if you enter the address of an existing default gateway in the Next Hop IP text box, saving the static route configuration fails with the following error message:

Good to seem them fixing issues quickly but it also tells me that a lot of people participating in the beta for 9.0 didn’t test deep enough against real word scenarios…a lot of what is listed above isn’t what you would consider corner cases. These issues should have bene picked up before going to GA. Possibly also shows that a lot of VCPP Service Providers haven’t upgraded to 9.0 just yet. In any case the vCloud product development team has been hard at work resolving the bugs and Service Providers should be confident deploying or upgrading to 9.0 now.

#LongLivevCD

If you are a vCAN SP and have the right entitlements follow this link to download vCloud Director 9.0.0.2:

References:

https://docs.vmware.com/en/VMware-vCloud-Director-for-Service-Providers/9.0.0.2/rn/rel_notes_vcloud_director_9-0-0-2.html

 

 

Released: vCloud Director 8.10 and 8.20 Point Updates

Last week VMware snuck out two point releases for vCloud Director 8.10 and 8.20. For those still running those versions you now have 8.10.1.1 (Build 6878548) and for 8.20 there 8.20.0.2 (Build 6875354) available for download. These are both patch upgrades and resolve a number of bugs, some of which appear to be mirrored in both versions.

Scanning the Release Notes, below are some of the more notable fixes:

8.10

  • Resource limit change for a vCloud Edge Gateway Resolves an issue where the memory limit for a compact and full-4 Edge Gateway was insufficient. Memory was increased from 512MB to 2048MB
  • Performing hardware changes to a VM fails Resolves an issue where performing hardware changes to a VM in vCloud Director fails with an error message:
  • Degraded performance due to insufficient memory Resolves an issue that could lead to an insufficient memory reservation of the NSX Edge VMs, which might cause poor performance.
  • Catalog synchronization failure Resolves an issue where synchronization of a remote catalog item fails with an out of memory, causing the vCloud Director cell to crash.

8.20

  • Incorrect status update for VMs storage profile or disk-level storage Resolves an issue that could cause a VM storage profile or disk-level storage profile to be updated incorrectly when the VM is included in a recompose operation. This fix ensures that PvdcComputeGuaranteeValidator runs even when the deployment fails in Pay-As-You-Go allocation model. With this fix, the undeploy workflow ignores the VM deployment state if the undeploy operation is called with a force=true flag.
  • Failure to move virtual machines between shared datastores Resolves a storage issue where moving a virtual machine from one shared datastore to another fails.
  • Failure to revert VM snapshots Resolves an issue that could cause reverting to a virtual machine snapshot to fail
  • Failure to allocate an external IP address and a gateway IP address Resolves several issues in managing the allocation of external IP a gateway IP addresses during VM boot and runtime when the NAT service is enabled and IP Translation is set manually.
  • Failure to delete Organization VDC Resolves an issue that could cause various operations to fail.

So a small point release for good to see the team continuing to improve the platform for those not yet able to upgrade to the latest 9.0 release. If you have the entitlements, head to the MyVMware site to download the builds.

References:

http://pubs.vmware.com/Release_Notes/en/vcd/81011/rel_notes_vcloud_director_8-10-1-1.html

http://pubs.vmware.com/Release_Notes/en/vcd/82002/rel_notes_vcloud_director_8-20-0-2.html

vCloud Director 9.0: Digging into the new Standalone VM Feature

vCloud Director 9.0 was released late last month and brought with it a number of big new features and enhancements. If you are interested in a overview of what’s new, head here to my launch post. Getting back to this post I wanted to focus on what I think is a significant change to the way in which workloads are thought about in vCD…the Standalone VM.

Standalone Virtual machines can be instantiated and viewed along with virtual machines as part of a vApp container. A filter button creates a list based on Virtual machines, virtual applications or both.

The vApp container construct in vCloud Director carries divided opinion from both services providers and customers of vCD with one side liking the fact that VMs could be grouped into logical vApps and treated as a like group or VMs such as an Exchange Cluster. While others wanted the ability to deploy standalone VMs that where more like VM instances you find in public clouds. Historically from a programatic point of view the creation of a VM within a vApp had it’s challenges in a chicken and egg type of scenario where by the composition and recomposiontion of the VM within the vApp required a specific order. This was improved from 8.0 with enhancements to vApp functionality, including the ability to reconfigure virtual machines within a vApp, and network connectivity and virtual machine capability during vApp instantiation.

Standalone Virtual Machines:

In vCloud Director 9.0 you can now create and configure individual Virtual Machines form the new HTML5 Tenant UI. Under the compute menu you now have a Virtual Machines and vApps tab. From here you can view either standalone VMs, VMs in a vApp or both. This is also where you can create a new VM. Note that you can’t create new vApps from the new UI just yet…that still needs to be done in the Flash based UI.

You now have the ability to choose from three pre-canned instance sizes which come with default resources depending on the type of VM selected. However you can still customize the VM as shown below.

When provisioned the VM is available from the new tenant UI with all the normal operations possible. The biggest difference here is that you don’t need to worry about the vApp state and that it’s independent from any other VMs. As a side note as it’s not 100% obvious, to view the console of the VM click on the icon top right of the Virtual Machine box.

Standalone VMs in vCenter and Flash UI:

Taking a look under the covers of the HTML5 UI the standalone VMs are represented slightly differently in vCenter. in Previous versions each VM was created with the VM name plus a UUID…when a standalone VM is created the VM name is just that…the VM name.

However what is interesting is when you look in the Flash UI you will see that in fact the standalone VM is still contained within a vCD vAPP construct.

So in effect, that HTML5 UI is presenting the VM as standalone, but in actual fact there is still a one to one relationship with a vApp under the covers. Taking a look back in vCenter under the folder view it’s more representative of what you see in the Flash UI.

Standalone VMs via the API:

Querying the API shows that the Standalone VMs are indeed composed within a traditional vCD vApp.

References:

https://docs.vmware.com/en/vCloud-Director/9.0/rn/rel_notes_vcloud_director_90.html

Released: vCloud Director 9.0 – The Most Significant Update To Date!

Today is a good day! VMware have released to GA vCloud Director 9.0 (build 6681978) and with it come the most significant feature and enhancements of any previous vCD release. This is the 9th major release of vCloud Director, now spanning nearly six and half years since v1.0 was released in Feburary of 2011 and as mentioned from my point of view it’s the most significant update of vCloud Director to date.

Having been part of the BETA program I’ve been able to test some of the new features and enhancements over the past couple of months and even though from a Service Provider perspective there is a heap to like about what is functionally under the covers, but the biggest new feature is without doubt the HTML5 Tenant Portal however as you can see below there is a decent list of top enhancements.

Top Enhancements:

 

  • Multi-Site vCD – Single Access point URL for all vCD instances within same SP federated via SSO
  • On-premises to Cloud Migration – Plugin that enables L2 connectivity, warm and cold migration
  • Expanded NSX Integration – Security Groups, Logical Routing for east-west traffic and audit logging
  • HTML5 Tenant UI – Streamlined workflows for VM deployment, UI Extensibility for 3rd party services/functionality
  • HTML5 Metrics UI – Basic Metrics for VMs shown through tenant portal
  • Extensible Service Framework – Service enablement, SSO Ready
  • Application Extensibility – Plugin Framework
  • PostGres 9.5 Support – In addition to MSSQL and Oracle, Postgres is now supported.
  • …and more under the hood bits

I’m sure there will be a number of other blog posts focusing on the list above, and i’ll look to go through a few myself over the next few weeks but for this GA post I wanted to touch on the new HTML5 Tenant UI.

There is a What’s New in vCloud Director 9.0 PDF here.

New HTML5 Tenant UI:

The vCD team laid the foundation for this new Tenant UI in the last release of vCD in bringing the NSX Advanced HTML5 UI to version 8.20. While most things have been ported across there may still be a case for tenants to go back to the old Flex UI to do some tasks, however from what I have seen there is close to 100% full functionality.

To get to the new HTML5 Tenant UI you go to: https://<vcd>/tenant/orgname

Once logged in you are greeted with a now familiar looking VMware portal based on the Clarity UI. It’s pretty, it’s functional and it doesn’t need Flash…so haters of the existing flex based vCD portal will have to bite their tongues now 🙂

The Networking menu is inbuilt into this same Tenant portal and you you can access it directly from the new UI, or in the same way as was the case with vCD 8.20 from the flex UI. Below is a YouTube video posted by the vCD team that walks through the new UI.

There is also VM Metrics in the UI now, where previously they where only accessible after configuring the vCD Cells to route metric data to a Cassandra database. The metrics where only accessible via the API and some providers managed to tap into that and bring vCD Metrics into their own portals. With the 9.0 release this is now part of the new HTML5 Tenant UI and can be seen in the video below.

As per previous releases this only shows up to two weeks worth of basic metrics but it’s still a step in the right direction and gives vCD tenant’s enough info to do basic monitoring before hitting up a service desk for VM related help.

Conclusion:

vCloud Director 9.0 has delivered on the what most members of the VMware Cloud Provider Program had wanted for some time…that is, a continuation of the commitment to the the HTML5 UI as well as continuing to add features that help service providers extend their reach across multiple zones and over to hybrid cloud setups . As mentioned over the next few weeks, I am going to expand on the key new features and walk through how to configure elements through the UI and API.

Compatibility with Veeam, vSphere 6.5 and NSX-v 6.3.x:

vCloud Director 9.0 is compatible with vSphere 6.5 Update 1 and NSX 6.3.3 and supports full interoperability with other versions as shown in the VMware Product Interoperability Matrix. With regards to Veeam support, I am sure that our QA department will be testing the 9.0 release against our integration pieces at the first opportunity they get, but as of now, there is no ETA on offical support.

A list of known issues can be found in the release notes.

#LongLivevCD

References:

https://docs.vmware.com/en/vCloud-Director/9.0/rn/rel_notes_vcloud_director_90.html

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/vcloud/vmware-vcloud-director-whats-new-9-0-white-paper.pdf

https://blogs.vmware.com/vcloud/2017/08/vmware-announces-new-vcloud-director-9-0.html

CPU Overallocation and Poor Network Performance in vCD – Beware of Resource Pools

For the longest time all VMware administrators have been told that resource pools are not folders and that they should only be used under circumstances where the impact of applying the resource settings is fully understood. From my point of view I’ve been able to utilize resource pools for VM management without too much hassle since I first started working on VMware Managed Service platforms and from a managed services point of view they are a lot easier to use as organizational “folders” than vSphere folders themselves. For me, as long as the CPU and Memory Resources Unlimited checkbox was ticked nothing bad happened.

Working with vCloud Director however, resource pools are heavily utilized as the control mechanism for resource allocation, sharing and management. It’s still a topic that can cause confusion when trying to wrap ones head around the different allocation models vCD offers. I still reference blog posts from Duncan Epping and Frank Denneman written nearly seven years ago to refresh my memory every now and then.

Before moving onto an example of how overallocation or client undersizing in vCloud Director can cause serious performance issues it’s worth having a read of this post by Frank that goes through in typical Frank detail around what resource management looks like in vCloud Director.

Proper Resource management is very complicated in a Virtual Infrastructure or vCloud environment. Each allocation models uses a different combination of resource allocation settings on both Resource Pool and Virtual Machine level

Undersized vDCs Causing Network Throughput Issue:

The Allocation Pool model was the one that I worked with the most and it used to throw up a few client related issues when I worked at Zetttagrid. When using the Allocation Pool method which is the default model you are specifying the amount of resources for your Org vDC and also specifying how much of these resources are guaranteed. The guarantee means that a reservation will be set and that the amount of guaranteed resources is taken from the Provider vDC. The total amount of resources specified is the upper boundary, which is also the resource pool limit.

Because tenants where able to purchase Virtual Datacenters of any size there was a number of occasions where the tenants undersized their resources. Specifically, one tenant came to us complaining about poor network performance during a copy operation between VMs in their vDC. At first the operations team thought that is was the network causing issues…we where also running NSX and these VMs where also on a VXLAN segment so fingers where being pointed there as well.

Eventually, after a bit of troubleshooting we where able to replicate the problem…it was related to the resources that the tenant had purchased or lack thereof. In a nutshell because the allocation pool model allows the over provisioning or resources not enough vCPU was purchased. The vDC resource pool had 1000Mhz of vCPU with a 0% reservation but he had created 4 dual vCPU VMs. When the network copy job started it consumed CPU which in turn exhausted the vCD CPU allocation.

What happened next can be seen in the video below…

With the resource pool constrained ready time is introduced to throttle the CPU which in turn impacts the network throughput. As shown in the video when the resource pool has the the unlimited button checked the ready goes away and the network throughput returns to normal.

Conclusion:

Again, its worth checking out the impact on the network throughput in the video as it clearly shows what happens what tenants underprovision or overallocate their Virtual Datacenters in vCloud Director. Outside of vCloud Director it’s also handy to understand the impact of applying reservations on Resource Pools in terms of VM compute and networking performance.

It’s not always the network!

References:

http://www.vmware.com/resources/techresources/10325

http://frankdenneman.nl/2010/09/24/provider-vdc-cluster-or-resource-pool/

http://www.yellow-bricks.com/2012/02/28/resource-pool-shares-dont-make-sense-with-vcloud-director/

https://kb.vmware.com/kb/2006684

Allocation Pool Organization vDC Changes in vCloud Director 5.1

Worth a Repost: “VMware Doubles Down” vCloud Director 8.20

It seems that with the announcement last week that VMware was offloading vCloud Air to OVH people where again asking what is happening with vCloud Director….and the vCloud Air Network in general. While vCD is still not available for VMware’s enterprise customers, the vCloud Director platform has officially never been in a stronger position.

Those outside the vCAN inner circles probably are not aware of this and I still personally field a lot of questions about vCD and where it sits in regards to VMware’s plans. Apparently the vCloud Team has again sought to clear the air about vCloud Director’s future and posted this fairly emotive blog post overnight.

I’ve reposted part of the article below:

Blogger Blast: VMware vCloud Director 8.20

We are pleased to confirm that vCloud Director continues to be owned and developed by VMware’s Cloud Provider Software Business Unit and is the strategic cloud management platform for vCloud Air Network service providers. VMware has been and continues to be committed to its investment and innovation in vCloud Director.

With the recent release of vCloud Director 8.20 in February 2017 VMware has doubled down on its dedication to enhancing the product, and, in addition, is working to expand its training program to keep pace with the evolving needs of its users. In December 2016 we launched the Instructor Led Training for vCloud Director 8.10 (information and registration link) and in June 2017 we are pleased to be able to offer a Instructor Led Training program for vCloud Director 8.20.

Exciting progress is also occurring with vCloud Director’s expanding partner ecosystem. We are working to provide ISVs with streamlined access and certification to vCloud Director to provide service providers with access to more pre-certified capabilities with the ongoing new releases of vCloud Director. By extending our ecosystem service providers are able to more rapidly monetize services for their customers

Again, this is exciting times for those who are running vCloud Director SP and those looking to implement vCD into their IaaS offerings. It should be an interesting year and I look forward to VMware building on this renewed momentum for vCloud Director. There are many people blogging about vCD again which is awesome to see and it gives everyone in the vCloud Air Network an excellent content from which to leach from.

The vCloud Director Team also has a VMLive session that will provide a sneak peek at vCloud Director.Next roadmap. So if you are not a VMware Partner Central member and work for a vCloud Air Network provider wanting to know about where vCD is heading…sign up.

#LongLivevCD

vCloud Director SP 8.20 – NSX Advanced Networking Overview

Many, including myself thought that the day would never come where we would be talking about a new UI for vCloud Director…but a a month on from the 8.20 release of vCloud Director SP (which was the 8th major release of vCD) I’m happy to be writing about the new Advanced Networking features of 8.20 based on NSX-v. Full NSX compatibility and interoperability has been a long time coming, however the wait has been worthwhile as the vCloud Director team opted to fully integrate the network management into the vCD Cloud Cells over the initial approach that had a seperate appliance acting as a proxy between the NSX Manager and vCD Cells.

But before I dive into the new HTML5 goodness, I thought it would be good to recap the Advanced Networking Services of vCD and how we got to where we are today…

No More vShield…Sort Of:

As everyone should know by now, the vCloud Networking & Security was made end of life late last year and from the release of vCD SP 8.10 vShield Edges should have been upgraded to their NSX equivalents. These Edges will remain as basic Edges within vCloud Director and even though at the backend they would be on NSX-v versioning, no extra features or functionality beyond what was available in the existing vCD portal would be available to tenants.

  • DHCP
  • NAT
  • Firewall
  • Static Routing
  • IPSec VPN
  • Basic Load Balancer

The version of NSX-v deployed dictates the build number of the NSX Edge, however as can be seen below it’s still listed as a vShield Edge in vCenter.

As anyone who has worked closely would know, NSX-v has a lot of vShield DNA in it and in truth it’s more vShield than NSX when talking about the features that pertain to vCloud Director. However the power of NSX-v can be taken advantage of once an basic edge is upgraded to an Advanced Edge.

Advanced Edge Services:

Before the major UI additions that came with vCD SP 8.20 the previous 8.10 version did give us a taste of what was to come with the introduction of a new menu option when you right clicked on an Edge Gateway.

This option was greyed out unless you where running the initial beta of the Advanced Networking Services or ANS. The option can be executed by anyone with the rights to upgrade the edge gateway, but by default this can only be done by a System Administrator or the Org Admin. So it’s worthwhile double checking the roles you have allocated to your tenant’s to ensure that these upgrades can be controlled.

Once you click on the Convert to Advanced Gateway option you get a warning referring to a VMwareKB that warns you about an API change that may make previous calling methods obsolete. Something to take note of for anyone automating this process. On execution of this conversion there is no physical change to the Virtual Machine, however if you now click on the Edge Gateway Services option of the Edge Gateway you will be taken to the new HTML5 Web Interface for NSX Advanced Networking Services to access all the advanced features:

  • Firewall
  • DHCP
  • NAT
  • Routing (Dynamic)
  • Load Balancer (Advanced)
  • SSL VPN Plus
  • Certificates
  • Grouping Objects
  • Statistics
  • Edge Settings

All new Advanced Networking features are configured from the new HTML5 web interface which retains the base vCD URL but now adds:

/tenant/network-edges/{ID}?org=ORGNAME

Everything is self contained the tenant doesn’t have to authenticate again to get to the new user interface. However, if you just upgrade the Edge and go to configure the Advanced Network Services out of the box you will only see a couple of the items listed above.

In order to use the new features a System Administrator must use the vCloud API to grant the new rights that the organisation requires. This process has been explained very well by my good friend Giuliano Bertello here. This process uses the vCloud API to Grant Distributed Firewall and Advanced Networking Services Rights to roles in vCloud Director 8.20 using the new granular role based access control mechanisms that where introduced in 8.20. Once configured your tenant’s can now see all the services listed above to configure the Edge Gateway.

Organisational Distributed Firewall:

Something that is very much new in the 8.20 release is the ability to take advantage of mircosegmentation using the NSX-v Distributed Firewall service. The ability to configure organisation wide rules logically, without the need for a virtual Edge Gateway is a significant step forward for vCD tenants and I hope that this feature enhancement is exposed by service providers and it’s value sold to their tenants. To access the Distributed Firewall, in the Virtual Datacenters windows of the Administration tab, right click on the Virtual Datacenter name and select Manage Firewall.

Once again you will be taken to the new HTML5 user interface and once the correct permissions have been applied to the user you can enable the Distributed Firewall and start configuring your rules. The URL is slightly different to the Edge Gateway URL:

/tenant/dwf/{ID}?org=ORGNAME

But the look and feel is familiar.

Conclusion:

vCloud Director SP 8.20 has finally delivered on the what most members of the vCloud Air Network had wanted for some time…that is, full NSX interoperability and feature set access as well as a new user interface. Over the next few weeks, I am going to expand on all the features of the Advanced and Distributed Networking features of vCD and NSX and walk through how to configure elements through the UI and API as well as give a looks into what’s happening at the backend in terms of how NSX stores rules and policy items for vCD tenant use.

Compatibility with vSphere 6.5 and NSX-v 6.3.x:

vCloud Director SP 8.20 is compatible with vSphere 6.5 and NSX 6.3.0 and supports full interoperability with other versions as shown in the VMware Product Interoperability Matrix. As of vCD 8.20 GA, vCD 8.20 passed the functional interoperability test and limited scale testing for these versions:

  • vCD 8.20 with vSphere 6.0 and NSX 6.3.0
  • vCD 8.20 with vSphere 6.5 and NSX 6.3.0

References:

https://kb.vmware.com/kb/2149042
https://kb.vmware.com/kb/2147625

Quick Fix: vCloud Director SP None of the Cells have a vCenter Proxy Service Running. SSL Protocol Fix

vCloud Director SP 8.20 was released a few weeks ago and I wanted to highlight an issue I ran into while testing of the BETA. I hadn’t come across this issue in previous versions of vCD and even though it relates to the fact I had a vCenter 5.5 I thought it worth a post now that 8.20 has GA’ed.

After I upgraded my cells I got the fairly common error message under the Cloud Cells section of the Manage & Monitor menu telling me that I didn’t have a vCenter Proxy service running. It’s something all vCD administrators would have seen over the years, so I did the usual troubleshooting step of going of reconnecting the vCenter under vSphere Resources. This didn’t work, so I did what comes naturally and cleared the Quartz Tables in the vCD database without any success.

Failed to connect to the vCenter. Please check if this is a valid vCenter server and the credentials are correct.

The NestedESXi lab was running vCenter 5.5 U3b and after a bit of searching I came across a post in the vCloud BETA forums relating to this issue:

Starting with VDC 8.20, the SSL protocol ‘TLSv1’ is no longer supported by default in the product for security reasons (as a server to serve the REST API request, but also as a client when talking to vCenter).
The version of vCenter you are running (please confirm which version), is older and probably only supports TLSv1.

Which explains the errors I also had been observing. Note that from 5.5 Update 3e and 6.0 Update 3 and later TLS v1.0 has been disabled and should be disabled.

Due to security concerns in the TLSv1.0 protocol, both Payment Card Industry (PCI) and BSI organizations have suggested to implement and enable TLSv1.1 or TLSv1.2, and move away from the use of TLSv1.0 as soon as possible

Even though it’s not suggested I needed to enable TLS v1 so that vCD SP 8.20 could connect to the vCenter. The following steps where done to enable TLSv1 which was based off this VMwareKB outlining why cells no longer enable SSL v3 by default and talks about a cell management tool command that configures the allowed SSL Protocols vCD uses during the handshake process with vCenter.

The SSL V3 protocol has serious vulnerability, described in CVE-2014-3566. As of vCloud Director 5.5.3, cells no longer enable SSL V3 by default for internal and external HTTPS connections. The vCloud Director cell management tool has been updated with a new subcommand that enables the system administrator to configure the set of SSL protocols that the cell offers to use during the SSL handshake process. This new subcommand has been made available in vCloud Director 5.5.3

Run the following command on the vCD cell in /opt/vmware/vcloud/bin/

./cell-management-tool ssl-protocols -d SSLv3,SSLv2Hello

After that is done restart the cell and check to make sure you have a listener and that vCenter is connected. If you run the ssl-protocols command with a -l flag it will show you what ssl-protocols are allowed. By default you should now only have TLS v1.1 and 1.2 enabled, but in my case I also needed v1.

Finally, it’s worth repeating that TLS v1 shouldn’t be used in production, but if you are still running older versions of 5.5 and 6.0 in your labs then this will help.

References:

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2112282

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2145796

« Older Entries