tag:blogger.com,1999:blog-37258724270105986392024-03-08T11:34:35.874+00:00M80ARM - Virtualization WarriorThe tale of one man's journey through virtualization.Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.comBlogger165125tag:blogger.com,1999:blog-3725872427010598639.post-16439989864944457722023-08-31T09:59:00.003+01:002023-09-01T19:00:05.602+01:00VMware Cloud on AWS and native AWS route tables<p style="text-align: left;">During my time working with customers who use VMware Cloud on AWS and wish to integrate with native AWS services, I frequently see issues with network connectivity when multiple route tables are in use. Some customers have an automated way of deploying VPCs that use multiple route tables, perhaps for public and private subnet architectures. A prerequisite of deploying a VMware Cloud on AWS SDDC is to connect it to a customer-owned VPC, sometimes referred to as the connected VPC:</p><p style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSWjAs4usEU2vL1fm04c6Tlxsz3FfBUz4dVUil2-urs-pu5DmiOlCQrpLsK4vPJum-eBBfPmaPLLB3BaXBgxKLrYzGBsuA3CvFuuohaCBfIkk1I6xh8oYyNuKTlFgwPbv02MBTfq4NGaL5raqefduW4h77S2wOGFKrP2WUZYvg0LEccW4mX02TKQKewtA/s2364/Route_Tables_01.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="178" data-original-width="2364" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSWjAs4usEU2vL1fm04c6Tlxsz3FfBUz4dVUil2-urs-pu5DmiOlCQrpLsK4vPJum-eBBfPmaPLLB3BaXBgxKLrYzGBsuA3CvFuuohaCBfIkk1I6xh8oYyNuKTlFgwPbv02MBTfq4NGaL5raqefduW4h77S2wOGFKrP2WUZYvg0LEccW4mX02TKQKewtA/w640-h48/Route_Tables_01.png" width="640" /></a></p><p style="clear: both; text-align: left;"><a 
href="https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-operations/GUID-BC0EC6C5-9283-4679-91F8-87AADFB9E116.html">https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-operations/GUID-BC0EC6C5-9283-4679-91F8-87AADFB9E116.html</a></p><a name='more'></a><p style="text-align: left;">At deployment time the service reads the connected VPC's primary CIDR (the one the VPC was created with) and adds a static route to the NSX T0 router that sends all traffic destined for that CIDR across the Elastic Network Interface (ENI) connecting the SDDC to the connected VPC:</p><p style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw8KPMUgX6SXWvkZ9wputDWhQG4TodJE1sx6rjwTNleeornpblsZVpGus_Axj_g_Tg5lcO67-0MmdeLZo1nowU-KmseDzGMPLHkAZwBYdNXup9ndZqakq7lpYovGcH-WhKb1dI-ITaeW5QTielJy8_YkRE8dVAFp9s85Yg8_fme5IdstbAkO1B6d0J4kQ/s2200/Route_Tables_02.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="418" data-original-width="2200" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw8KPMUgX6SXWvkZ9wputDWhQG4TodJE1sx6rjwTNleeornpblsZVpGus_Axj_g_Tg5lcO67-0MmdeLZo1nowU-KmseDzGMPLHkAZwBYdNXup9ndZqakq7lpYovGcH-WhKb1dI-ITaeW5QTielJy8_YkRE8dVAFp9s85Yg8_fme5IdstbAkO1B6d0J4kQ/w640-h122/Route_Tables_02.png" width="640" /></a></p><p style="text-align: left;">It's worth noting at this point that if you add secondary CIDRs to the connected VPC, these will <b>NOT</b> be reachable across the ENI: there will be <b>NO</b> route to those CIDRs in the T0 route table, because only the primary CIDR is learned, and only at deployment time. </p><p style="text-align: left;">The issue I see with customers is that, after a host failure or routine SDDC maintenance, connectivity to or from certain workloads breaks. 
The first question I always ask is if the customer has multiple route tables in the connected VPC and the majority of times the response is yes.</p><p style="text-align: left;">You can have multiple route tables associated with a VPC but only one can be the main route table:</p><p style="text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhawAK29DBc0Itusos3XoPeFBedGmnwT-Fe7ql49WpFZCGvA82OHXYOWWUwoVYLEfFN3cL_adJlvYs3KIZFzbLMfYc8HcIEBSw2uxi1go8fZReJPv39Ern0qHfcZtNo-vyT12aHGw7gn94vOkbImhdMQ63m4jiXxSJe-TQ7KDZHjHQVrAnK7-4o9KxsYCQ/s1458/Route_Tables_03.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="229" data-original-width="1458" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhawAK29DBc0Itusos3XoPeFBedGmnwT-Fe7ql49WpFZCGvA82OHXYOWWUwoVYLEfFN3cL_adJlvYs3KIZFzbLMfYc8HcIEBSw2uxi1go8fZReJPv39Ern0qHfcZtNo-vyT12aHGw7gn94vOkbImhdMQ63m4jiXxSJe-TQ7KDZHjHQVrAnK7-4o9KxsYCQ/w640-h100/Route_Tables_03.png" width="640" /></a></p><p style="text-align: left;">When you create a new segment in the SDDC we update the main route table in the connected VPC with the next hop ENI adapter. 
This way any traffic destined to that CIDR will always be directed to the SDDC host that is running the active NSX edge VM, which is effectively the T0 router:</p><p style="text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLTPeS4__4t71Y4XuYtyARrJB3UEZThIv3MX2zWfztz_zNHW71_nErIBh3oVUTBFk-WUKW7A-RhAjNSm9eD06OEsmu9njWDdf9qfkXJZZfhQ7Us-I0I_p1-ApeUMQop0P8cXcExezmE7KD2qkAVSwMOPzJvO4QRWvy0VPjgEqKi7iM3__FHBFZEW91rkI/s1745/Route_Tables_04.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="334" data-original-width="1745" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLTPeS4__4t71Y4XuYtyARrJB3UEZThIv3MX2zWfztz_zNHW71_nErIBh3oVUTBFk-WUKW7A-RhAjNSm9eD06OEsmu9njWDdf9qfkXJZZfhQ7Us-I0I_p1-ApeUMQop0P8cXcExezmE7KD2qkAVSwMOPzJvO4QRWvy0VPjgEqKi7iM3__FHBFZEW91rkI/w640-h122/Route_Tables_04.png" width="640" /></a></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsQqGoDdgV6isEB5QEQ_wH-GGPCKzFvFjs8WLdoPYGLJTDVwuOX_3xmaDmloV1X6Ctxw08G_WodmBBvKmkRg2lawGhYXbTgVnozXxw3GdSlMNnXKkRWgCM19vauApAM6wlaKY_NbaR-o3Mn-YF8tY7KEYQDMvabukIQN5D68XMq_c0eDrcoPLHby-bYWg/s946/Route_Tables_05.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="420" data-original-width="946" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsQqGoDdgV6isEB5QEQ_wH-GGPCKzFvFjs8WLdoPYGLJTDVwuOX_3xmaDmloV1X6Ctxw08G_WodmBBvKmkRg2lawGhYXbTgVnozXxw3GdSlMNnXKkRWgCM19vauApAM6wlaKY_NbaR-o3Mn-YF8tY7KEYQDMvabukIQN5D68XMq_c0eDrcoPLHby-bYWg/w640-h284/Route_Tables_05.png" width="640" /></a></div><p style="text-align: left;">We don't update any additional route tables:</p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhroXgvqflVircVn0066HNa8mm4v5h05kBy8ZIria-P8xXdOoCPIkUbLA4aNzE4EIHdVVJOkw2xW6P3U5axdTt2v23ylaFHqYqugDNyHM9HzPTyOIzLtLrHc379scxyodWRNAo6lGjQmWCfFRk5tXpCwVyR447hjPKXvUwLVAuRZsTGV9nevs2IyG2XWFI/s1383/Route_Tables_06.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="259" data-original-width="1383" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhroXgvqflVircVn0066HNa8mm4v5h05kBy8ZIria-P8xXdOoCPIkUbLA4aNzE4EIHdVVJOkw2xW6P3U5axdTt2v23ylaFHqYqugDNyHM9HzPTyOIzLtLrHc379scxyodWRNAo6lGjQmWCfFRk5tXpCwVyR447hjPKXvUwLVAuRZsTGV9nevs2IyG2XWFI/w640-h120/Route_Tables_06.png" width="640" /></a></div><p style="text-align: left;">Traffic from a VM to a native EC2 instance travels through the NSX T1 and T0, across the ENI into the connected VPC, and is then routed by the VPC route table to the subnet and on to the EC2 instance. The return traffic follows the same path in reverse:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqK-cspwvbmXtCv-bFm_AiLdL83zY6AytCc_IBkcFLihIgyZlg28_v7-xy1Yw7o5iaks4g6wP-HHpcvl3Qj_OBykK9TiqH9HV8j6pAmurYmbdi_Hm6OB70J5rNsYC7Nk4Dd7rGjkqxFvxct7kc7RL7OXO9PQSijuQSbj7THXCqj7yh52h-UfiG3fILp1E/s1814/Untitled%20picture.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="348" data-original-width="1814" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqK-cspwvbmXtCv-bFm_AiLdL83zY6AytCc_IBkcFLihIgyZlg28_v7-xy1Yw7o5iaks4g6wP-HHpcvl3Qj_OBykK9TiqH9HV8j6pAmurYmbdi_Hm6OB70J5rNsYC7Nk4Dd7rGjkqxFvxct7kc7RL7OXO9PQSijuQSbj7THXCqj7yh52h-UfiG3fILp1E/w640-h122/Untitled%20picture.png" width="640" /></a></div><div style="text-align: left;"><p style="text-align: left;">What I have seen with customers who have VPCs with multiple route tables is that they typically add static routes manually to the additional route tables, pointing to the same ENI as the CIDRs in the main route table:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQB5F__qApH8SQ6KA_Rcg7PY5gSzOGgNuWy55kB6_nvUHlJpzH6Ec6BBNGxZQ0xSR6836aPzYZvRws6O9Li4-NvbYnC9uFyVZJBU8BlFj985SXWjrYWbJLtA71l-wxUKD8KFbX5vFahbBq-pIihLy0_UblwTV0XeS2YuPzJfAGerpLmCnaBXwur6d71WQ/s1386/Route_Tables_07.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="372" data-original-width="1386" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQB5F__qApH8SQ6KA_Rcg7PY5gSzOGgNuWy55kB6_nvUHlJpzH6Ec6BBNGxZQ0xSR6836aPzYZvRws6O9Li4-NvbYnC9uFyVZJBU8BlFj985SXWjrYWbJLtA71l-wxUKD8KFbX5vFahbBq-pIihLy0_UblwTV0XeS2YuPzJfAGerpLmCnaBXwur6d71WQ/w640-h172/Route_Tables_07.png" width="640" /></a></div></div><div class="separator" style="clear: both; text-align: left;"><p style="clear: both; text-align: left;">This works at first: the active NSX edge is on the host that owns the target ENI, so traffic (if the NSX gateway firewall and the VPC security groups permit it) flows between VMs in the SDDC and native AWS services in the connected VPC.</p><div class="separator" style="clear: both;">Problems start after SDDC maintenance, or sometimes when the customer experiences a host failure. During SDDC maintenance the active NSX Edge VM is migrated to a new host, which has a different ENI, while the original host is patched. If the host running the active NSX Edge VM fails and is removed, the Edge VM is either migrated or powered on on a different host, depending on the type of failure. In both scenarios the active NSX Edge VM now sits on a different host with a different ENI. Our backend service picks up this change and updates the main route table to point to the new ENI of the host the active Edge VM is now running on. We do NOT update additional route tables where the routes were added manually, so those subnets keep sending SDDC-bound traffic to the old ENI, which no longer carries the active edge, and the connectivity issues described above appear. 
</div><p style="clear: both; text-align: left;">To solve this problem we introduced Shared Prefix Lists in SDDC v1.20 which allows you to create a VMware managed prefix list in the customer AWS account:</p><p style="clear: both; text-align: left;"><a href="https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-networking-security/GUID-41C3259D-96D3-49DC-9661-96A03A8C0B40.html">https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-networking-security/GUID-41C3259D-96D3-49DC-9661-96A03A8C0B40.html</a></p><p style="clear: both; text-align: left;">This allows customers to use the prefix list in a route table instead of static entries. VMware learns which route tables are using the prefix list and anytime the active NSX edge VM moves to a different host the target ENI in all resources is updated. To enable managed prefix list mode simply log into the NSX Manager via the Cloud Service Portal or directly via the private IP address and browse to Connected VPC and then toggle the AWS Managed Prefix List Mode:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixFFeTK_1B0Pw-_NbuboT4jbST6PES7nFbF3fzmH-2_s8yxycq_XsHCP27A02qMRkwuIU-4OoL1PKzAhLpolai3EXAF7yQO6udmzJHee7tC7D0ezwetoBU901sIhn5pKJDDEHJb04Q0GVrlu3CUxJs746gIvEbCQEcSCP7kb_x-i2zXNAInrsMLuoir2s/s1700/Route_Tables_08.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="810" data-original-width="1700" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixFFeTK_1B0Pw-_NbuboT4jbST6PES7nFbF3fzmH-2_s8yxycq_XsHCP27A02qMRkwuIU-4OoL1PKzAhLpolai3EXAF7yQO6udmzJHee7tC7D0ezwetoBU901sIhn5pKJDDEHJb04Q0GVrlu3CUxJs746gIvEbCQEcSCP7kb_x-i2zXNAInrsMLuoir2s/w640-h304/Route_Tables_08.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Click 
Enable:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_Y7zx9EHLPHFGoxxH0zIeFG1H1DZVqQkTkVmaXFNKnMuxlVnKC4u83dL8Jrr_0aRlDEtlwQusxvnWaNVvEkiP2pE-cCXuzmvgn_Cx9QVk13Giu9IYx9i62hmFCPIrnbIaPfXCb9BEIcjlmRWVH3UTD-rFRO6uzVbuhMaDodnyzF3tdhA0DUlkm9UT9zw/s586/Route_Tables_09.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="191" data-original-width="586" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_Y7zx9EHLPHFGoxxH0zIeFG1H1DZVqQkTkVmaXFNKnMuxlVnKC4u83dL8Jrr_0aRlDEtlwQusxvnWaNVvEkiP2pE-cCXuzmvgn_Cx9QVk13Giu9IYx9i62hmFCPIrnbIaPfXCb9BEIcjlmRWVH3UTD-rFRO6uzVbuhMaDodnyzF3tdhA0DUlkm9UT9zw/w640-h208/Route_Tables_09.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Once the process starts you will need to log into the AWS account associated with your SDDC and access Resource Access Manager. 
There you will see a resource share invitation:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipTms2yRQ1PmXjD4nSAR7NMtCblca0xOs4tkaxxil7SgXPoXSbIa6KeIgAXRqaDmOrkxcxLXP5bfBcAGWePlKFS585IChvIGznR5Z2b-vD37yvNOM9rxhDLDTrWQYHagrhK9GQl0xqOBf2JllF6Zh4XF1GaS5tx-UEvZBJ1rF6GZn2QIsc7stvV26IMj8/s1703/Route_Tables_10.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="602" data-original-width="1703" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipTms2yRQ1PmXjD4nSAR7NMtCblca0xOs4tkaxxil7SgXPoXSbIa6KeIgAXRqaDmOrkxcxLXP5bfBcAGWePlKFS585IChvIGznR5Z2b-vD37yvNOM9rxhDLDTrWQYHagrhK9GQl0xqOBf2JllF6Zh4XF1GaS5tx-UEvZBJ1rF6GZn2QIsc7stvV26IMj8/w640-h226/Route_Tables_10.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Open the request and accept the resource share. As with any RAM invitation, confirm it is the share the SDDC has just created and not an unrelated one before accepting:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRqt2YDpqKo4epwCqAPqL4XTuCBJ3E3GRnv1YN0t1CthgoN2svIYutUzmHSVoKjmFDJliPt4oj3z9VGktNAvvfk9qDKV18TU8igZN-cSirPEI20o5vjlQ4vpVjxB7oeOr5vFS7g1cDoFfuaPj1albOZSnH2q88Aoay08PC0NyjSaCj0OvJXt8CQxZYTwM/s1386/Route_Tables_11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="516" data-original-width="1386" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRqt2YDpqKo4epwCqAPqL4XTuCBJ3E3GRnv1YN0t1CthgoN2svIYutUzmHSVoKjmFDJliPt4oj3z9VGktNAvvfk9qDKV18TU8igZN-cSirPEI20o5vjlQ4vpVjxB7oeOr5vFS7g1cDoFfuaPj1albOZSnH2q88Aoay08PC0NyjSaCj0OvJXt8CQxZYTwM/w640-h238/Route_Tables_11.png" width="640" /></a></div><p style="clear: both; text-align: left;">The process then continues and can take around 5 to 10 minutes to fully complete. 
You can keep checking in the NSX Manager UI for it to finish.</p><p style="clear: both; text-align: left;">Once finished you will see additional information about the prefix list including which route tables are currently using it. By default, this will just be the main route table:</p></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgnQbp0jhtkA160ouwABSjXvXL210VNMWOdf6ZHbI2EzGcgCYvOphP52364FUNQl_m0JKWp3bfT6UK2TK_ZLU27-zQ6Rkdrc6s6viQg917LhvhxSbfXpvLNZRN-qv3aEyvngKhYIK3svRkpmWNOlsCZZ3hl6xe1oFgyncFpmnuv73qIV8-69ColRPV1mdY" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="549" data-original-width="1437" height="244" src="https://blogger.googleusercontent.com/img/a/AVvXsEgnQbp0jhtkA160ouwABSjXvXL210VNMWOdf6ZHbI2EzGcgCYvOphP52364FUNQl_m0JKWp3bfT6UK2TK_ZLU27-zQ6Rkdrc6s6viQg917LhvhxSbfXpvLNZRN-qv3aEyvngKhYIK3svRkpmWNOlsCZZ3hl6xe1oFgyncFpmnuv73qIV8-69ColRPV1mdY=w640-h244" width="640" /></a></div><p style="clear: both; text-align: left;">If we check the main route table we will see the prefix list being used instead of the individual CIDRs with the target being the active ENI of the host running the active NSX edge VM:<br /></p></div><div class="separator" style="clear: both;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjl5PZ8FhuIcMR80lvRDyhFFVFW_PDKYQT4UVlMGItRnqXtCFucaRa5kb_qesThn8xHQUIwtlUxnruvNV5jWUxFTFcv_ZNUVxnAoApGuixMETS4wKDNmTOM9v2JmmZsCEohKSVzSr2rd7Eiy1PLGysqTSU6zbWvPAJ2QgxVhkKER2Wz14rm4D5x5Q_rrAY" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="320" data-original-width="1383" height="148" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEjl5PZ8FhuIcMR80lvRDyhFFVFW_PDKYQT4UVlMGItRnqXtCFucaRa5kb_qesThn8xHQUIwtlUxnruvNV5jWUxFTFcv_ZNUVxnAoApGuixMETS4wKDNmTOM9v2JmmZsCEohKSVzSr2rd7Eiy1PLGysqTSU6zbWvPAJ2QgxVhkKER2Wz14rm4D5x5Q_rrAY=w640-h148" width="640" /></a></div><p style="text-align: left;">We can also look at the prefix list and see all the CIDRs that are currently advertised from the SDDC. Anytime a new segment is added to the SDDC the prefix list will be updated with the new CIDR:</p><p style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgqHHtGhrEu-YpeCSxMGsNmt26NfMyvDvoSoFNhRaBLPjsxLA46-mjlK-__5V4XqsVImTgrd7MVyzoyXqNp_dMVUA3yqpkeE3VJw-vLm-KiVxsIxW9cVyh5SJbnyd74VLE2jbx2XtWdyXZZSLn9W6sFH6QKpll5xscdofJTFu3HC1xY1wfAl-Wm_daUxGo" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="723" data-original-width="1390" height="332" src="https://blogger.googleusercontent.com/img/a/AVvXsEgqHHtGhrEu-YpeCSxMGsNmt26NfMyvDvoSoFNhRaBLPjsxLA46-mjlK-__5V4XqsVImTgrd7MVyzoyXqNp_dMVUA3yqpkeE3VJw-vLm-KiVxsIxW9cVyh5SJbnyd74VLE2jbx2XtWdyXZZSLn9W6sFH6QKpll5xscdofJTFu3HC1xY1wfAl-Wm_daUxGo=w640-h332" width="640" /></a></p><p style="clear: both; text-align: left;">Now we can use the prefix list in the additional route table instead of the manual entries. Go to the additional route table within the AWS console and edit the routes. 
You should now be able to select the prefix list and point it to the ENI of the host running the active NSX edge VM:</p><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiIb4YlIgKGtY4wNOnaf0k68XA4WzpqTtTX-gy76Skj97p2mHSskPBOu4jF5yPx8xMQVhpnWcR7GhW83y94jeF9y4fjtPmhoEhScthekaNALmHikoFM9LhPpFD3WXIeSJNwl5jbiJVNvZ0IZohs5s4zWzmvCpirDPy2ZJXt6T0pyXYzE-9S6howrs8GCI8" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="408" data-original-width="1666" height="156" src="https://blogger.googleusercontent.com/img/a/AVvXsEiIb4YlIgKGtY4wNOnaf0k68XA4WzpqTtTX-gy76Skj97p2mHSskPBOu4jF5yPx8xMQVhpnWcR7GhW83y94jeF9y4fjtPmhoEhScthekaNALmHikoFM9LhPpFD3WXIeSJNwl5jbiJVNvZ0IZohs5s4zWzmvCpirDPy2ZJXt6T0pyXYzE-9S6howrs8GCI8=w640-h156" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhkUtACgbo1BXAn5mAt3ytlBZcEw3qHaablKctz5l3bWeF2t0T53tPLEe-TdAnaEThcuBQO_Pt3Mw3TJTO4vl4f5fv6oM94a2ComQiFruiDPgu3nyUnwc4WarCwsYjrRsI8SJUv4FE-C0oQrt4G2uUEkr1FE1UieEsy0YVrTnaWZG6RAGqra6cFoON7TM0" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="288" data-original-width="1380" height="134" src="https://blogger.googleusercontent.com/img/a/AVvXsEhkUtACgbo1BXAn5mAt3ytlBZcEw3qHaablKctz5l3bWeF2t0T53tPLEe-TdAnaEThcuBQO_Pt3Mw3TJTO4vl4f5fv6oM94a2ComQiFruiDPgu3nyUnwc4WarCwsYjrRsI8SJUv4FE-C0oQrt4G2uUEkr1FE1UieEsy0YVrTnaWZG6RAGqra6cFoON7TM0=w640-h134" width="640" /></a></div><p style="text-align: left;">If you go back to NSX Manager and refresh the Connected VPC page, you will see that two route tables are now programmed with the prefix list. Because the service discovers route tables through the prefix list, it now knows to rewrite both entries with the new ENI of the host running the active NSX edge VM after an SDDC upgrade or host failure. Replace the manual entries rather than leaving them alongside the prefix list, since static entries are still never rewritten. 
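</p><p style="text-align: left;">A check worth running before and after SDDC maintenance, added here as example code (it is not VMware's tooling and not from the original post): given the output of boto3's ec2.describe_route_tables() for the connected VPC, it takes the main route table as the reference for the active edge ENI and flags every additional table that either still carries hand-added static CIDR routes (never rewritten on failover) or points at a different ENI (already stale). The route-table, ENI, prefix-list, subnet and CIDR values in the embedded sample are constructed, and the sddc_cidrs filter is my own addition for VPCs that also route other destinations through ENIs.</p>

```python
"""Audit a VMware Cloud on AWS connected VPC for route-table drift.

Added example for this page, not VMware tooling. It consumes the list that
boto3's ec2.describe_route_tables(...)["RouteTables"] returns; a constructed
sample is embedded below so it runs offline. All identifiers in it are made up.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    route_table_id: str
    destination: str  # CIDR or prefix-list id of the offending route
    target_eni: str
    problem: str


def _main_table(route_tables: list[dict]) -> dict:
    """The VPC's main route table: the only one VMware keeps updated."""
    for rtb in route_tables:
        if any(a.get("Main") for a in rtb.get("Associations", [])):
            return rtb
    raise ValueError("no main route table in input")


def _eni_routes(rtb: dict) -> list[tuple[str, str, bool]]:
    """(destination, eni, uses_prefix_list) for each route targeting an ENI.

    Routes to local, an IGW, a NAT gateway or a TGW have no NetworkInterfaceId
    and are skipped; only an ENI target can be the SDDC edge.
    """
    out = []
    for route in rtb.get("Routes", []):
        eni = route.get("NetworkInterfaceId")
        if not eni:
            continue
        if "DestinationPrefixListId" in route:
            out.append((route["DestinationPrefixListId"], eni, True))
        else:
            out.append((route["DestinationCidrBlock"], eni, False))
    return out


def audit_connected_vpc(route_tables: list[dict],
                        sddc_cidrs: set[str] | None = None) -> list[Finding]:
    """Flag routes in additional tables that will not follow an NSX edge failover.

    The main table is the reference: VMware rewrites its ENI target whenever
    the active edge moves host. Every other table should reach the SDDC through
    the managed prefix list (a static CIDR route is never rewritten) and should
    point at the same ENI as the main table right now (otherwise it is stale).
    If the VPC also sends other destinations to ENIs (a NAT instance, an
    appliance), pass the SDDC segment CIDRs in sddc_cidrs to assess only those.
    """
    main = _main_table(route_tables)
    main_enis = {eni for _, eni, _ in _eni_routes(main)}
    if len(main_enis) != 1:
        # No ENI route, or several (mid-update or a foreign ENI route): do not guess.
        raise ValueError(f"main table ENI targets: {sorted(main_enis)}; expected exactly one")
    (active_eni,) = main_enis

    findings: list[Finding] = []
    for rtb in route_tables:
        if rtb["RouteTableId"] == main["RouteTableId"]:
            continue
        for dest, eni, uses_pl in _eni_routes(rtb):
            if not uses_pl and sddc_cidrs is not None and dest not in sddc_cidrs:
                continue  # static route to something other than the SDDC
            if eni != active_eni:
                findings.append(Finding(rtb["RouteTableId"], dest, eni,
                                        f"stale target, active edge ENI is {active_eni}"))
            if not uses_pl:
                findings.append(Finding(rtb["RouteTableId"], dest, eni,
                                        "static CIDR route, not rewritten on edge failover"))
    return findings


# Constructed sample in describe_route_tables() shape; identifiers are made up.
SAMPLE_ROUTE_TABLES = [
    {   # main table: kept current by VMware, already in prefix-list mode
        "RouteTableId": "rtb-main0001",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationPrefixListId": "pl-sddc0001", "NetworkInterfaceId": "eni-edge0002"},
        ],
    },
    {   # private subnets: hand-added static routes still aimed at the old edge host
        "RouteTableId": "rtb-private01",
        "Associations": [{"Main": False, "SubnetId": "subnet-priv01"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001"},
            {"DestinationCidrBlock": "192.168.10.0/24", "NetworkInterfaceId": "eni-edge0001"},
            {"DestinationCidrBlock": "192.168.20.0/24", "NetworkInterfaceId": "eni-edge0001"},
        ],
    },
    {   # public subnets: already converted to the prefix list and the current ENI
        "RouteTableId": "rtb-public01",
        "Associations": [{"Main": False, "SubnetId": "subnet-pub01"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationPrefixListId": "pl-sddc0001", "NetworkInterfaceId": "eni-edge0002"},
        ],
    },
]

if __name__ == "__main__":
    for f in audit_connected_vpc(SAMPLE_ROUTE_TABLES):
        print(f"{f.route_table_id}: {f.destination} -> {f.target_eni}: {f.problem}")
```

<p style="text-align: left;">Against a live account, replace SAMPLE_ROUTE_TABLES with ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["RouteTables"] for the connected VPC. An empty result after a failover is what you want to see; the sample above reports four findings, all against the hand-maintained private table, and nothing against the table that already uses the prefix list.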
</p></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhM0SCjXaJs9iEsXco73wPX3ljdIb9l-QRopoNYGJnl_kK5v4soz2vgeNATwPXXwBf37nX5_tfDsmZV7CpU15gG6UEELI7soy9qMSeatLZhJss_8818-T7zcaFdd4UA-eGt749kXeaC9YSmR2h6n_5oVaVTfm5zBncasXva1WjFN3iz9FDvll0TuTu0IO8" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="808" data-original-width="1698" height="304" src="https://blogger.googleusercontent.com/img/a/AVvXsEhM0SCjXaJs9iEsXco73wPX3ljdIb9l-QRopoNYGJnl_kK5v4soz2vgeNATwPXXwBf37nX5_tfDsmZV7CpU15gG6UEELI7soy9qMSeatLZhJss_8818-T7zcaFdd4UA-eGt749kXeaC9YSmR2h6n_5oVaVTfm5zBncasXva1WjFN3iz9FDvll0TuTu0IO8=w640-h304" width="640" /></a></div></div></div></div>Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-62859666165785043702023-05-03T16:06:00.001+01:002023-05-03T18:14:06.166+01:00VMware Cloud on AWS Cluster Rename<p>Just a quick blog to let you know that a new feature customers have been requesting for a long time, the ability to rename clusters, is now available with clusters that have two or more hosts.</p><p>If you navigate to the SDDC within the Cloud Services Portal you can see that I have an SDDC with a 2-node cluster with the default name of Cluster-1:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJs5wtrc8lfFOV-ZmhNxdh3UqSusYEJmc8qwrctNnq7gWDWi0OYNbBj_5Zs-DWxCQKBzPkvMOWWZsfV6iRPgpp2WYORbTuycKbPV8mleeTPJXJcsWpOceJ3YEmuj1GCio7TSrho3Rt9xaADfXZikLzQcxygW8SgL1G3WJkDQNluMlC2MAWy3pBHkEE/s2306/ClusterRename-01.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="887" data-original-width="2306" height="246" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJs5wtrc8lfFOV-ZmhNxdh3UqSusYEJmc8qwrctNnq7gWDWi0OYNbBj_5Zs-DWxCQKBzPkvMOWWZsfV6iRPgpp2WYORbTuycKbPV8mleeTPJXJcsWpOceJ3YEmuj1GCio7TSrho3Rt9xaADfXZikLzQcxygW8SgL1G3WJkDQNluMlC2MAWy3pBHkEE/w640-h246/ClusterRename-01.jpg" width="640" /></a></div><div><br /></div><div>Within vCenter you can also see the default <span><a name='more'></a></span>cluster name:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiegQKwV2FpKqQKbQ_YKvhjHK0_bUH5Hjd5yI3fi15DHY4vJ4pt5VkWKTcfXMzL33hLLQy-RR2bQllXIue5IWWAmxYCKL5cnnDuE8RtAaA9paN7bP9spQmsmv_f4Y8637kQHrg1cE2HKT_wuiG_Gje3UBsiOhHJ0E2zKGZ3TEKVvUvVvKGKGOm-pB55/s543/ClusterRename-02.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="543" data-original-width="383" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiegQKwV2FpKqQKbQ_YKvhjHK0_bUH5Hjd5yI3fi15DHY4vJ4pt5VkWKTcfXMzL33hLLQy-RR2bQllXIue5IWWAmxYCKL5cnnDuE8RtAaA9paN7bP9spQmsmv_f4Y8637kQHrg1cE2HKT_wuiG_Gje3UBsiOhHJ0E2zKGZ3TEKVvUvVvKGKGOm-pB55/w452-h640/ClusterRename-02.jpg" width="452" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">If you select Actions you now have the option to rename the cluster (or any additional clusters, if you have more than one):</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhroxzjDGtNG8cx1JoWGrZSslr_Xn5x4PTgC2mHF7Y2lTY6djBS5MEfgsroT2CUdqOspwx3Egzi3AoP6sb2ss0hO8gNf6Gd7p-BQLdEzFv0YYDQbOO2Yfqw7C1xU58sHiSFy1_hR9EZ7YXfUB89i7EzIeUXRPbPlFLdpPn2TUmn3cg9L4T0z2RgITMI/s2558/ClusterRename-03.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1123" data-original-width="2558" height="280" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhroxzjDGtNG8cx1JoWGrZSslr_Xn5x4PTgC2mHF7Y2lTY6djBS5MEfgsroT2CUdqOspwx3Egzi3AoP6sb2ss0hO8gNf6Gd7p-BQLdEzFv0YYDQbOO2Yfqw7C1xU58sHiSFy1_hR9EZ7YXfUB89i7EzIeUXRPbPlFLdpPn2TUmn3cg9L4T0z2RgITMI/w640-h280/ClusterRename-03.jpg" width="640" /></a></div><div><br /></div><div>Enter the new cluster name:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5c7MkpoS9POapJe_5EPIwK2LnusvNqzHAqV1C6_ZanMcn1bOkIzVGq2lZfNbzO5Kkp8ZbhjPNCqcxEHXThzo8WUVwIe4E1D4GHH2cQHQxbBSMyf7z8__2W8G6ACmihUHvzA4Y8tWAuHInqELd1Uawpzh2HLrRI_Dd2fCaqPJIj58G9lW8B6wdDMqV/s576/ClusterRename-04.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="357" data-original-width="576" height="396" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5c7MkpoS9POapJe_5EPIwK2LnusvNqzHAqV1C6_ZanMcn1bOkIzVGq2lZfNbzO5Kkp8ZbhjPNCqcxEHXThzo8WUVwIe4E1D4GHH2cQHQxbBSMyf7z8__2W8G6ACmihUHvzA4Y8tWAuHInqELd1Uawpzh2HLrRI_Dd2fCaqPJIj58G9lW8B6wdDMqV/w640-h396/ClusterRename-04.jpg" width="640" /></a></div><div><br /></div><div>You will now see the cluster rename process start which takes a few minutes:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD1e4w92CsYWkwOnx76SsblCG-0JCa1SSqACPjy8DquXUc5J1qq5muhQkZU40jawTOZJiPwTKNF6uw0m4H926MmPXZNjp1ndUNdQt-daTKkA8FTz5CaYBMkOnQyWVv5J6Wz2u1JoQU5tULncylspTPvOQKoYFuIQD8KpLMrd71Mife7Tc-ki6V14wR/s414/ClusterRename-05.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="128" data-original-width="414" height="198" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD1e4w92CsYWkwOnx76SsblCG-0JCa1SSqACPjy8DquXUc5J1qq5muhQkZU40jawTOZJiPwTKNF6uw0m4H926MmPXZNjp1ndUNdQt-daTKkA8FTz5CaYBMkOnQyWVv5J6Wz2u1JoQU5tULncylspTPvOQKoYFuIQD8KpLMrd71Mife7Tc-ki6V14wR/w640-h198/ClusterRename-05.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFdgA-VIttHeCNLfLZ5lBCY56OMc0MHjdNvNWky9zD1df0byWFj03R-gNaL0ZvAiapd32UQ_XUQyVK1StXJjcEbQWFhg-kdD4McZEu0tkp0N577LmiX00HZ7cLGphFRPHvS4N4Wfj06D9qKfjug07fXcCDK-UxZSe_KoWM4dX3GYUgyVcU4ri5l-pg/s1124/ClusterRename-06.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="418" data-original-width="1124" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFdgA-VIttHeCNLfLZ5lBCY56OMc0MHjdNvNWky9zD1df0byWFj03R-gNaL0ZvAiapd32UQ_XUQyVK1StXJjcEbQWFhg-kdD4McZEu0tkp0N577LmiX00HZ7cLGphFRPHvS4N4Wfj06D9qKfjug07fXcCDK-UxZSe_KoWM4dX3GYUgyVcU4ri5l-pg/w640-h238/ClusterRename-06.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">Once completed you can see the new name reflected in the Cloud Services Portal as well as vCenter.</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj43okdAoHx_wWdNuPis6S8Eilcn7MyffXYvt96uz5Kb7Zjpr3APNRqlSIsYZU5yGpHmZaMkhZ0z6ndLZ7NpNJoFQdxmQuz_kCZAEdGEgtoqrjqyT4ZtNDkWlZpZULvmIHXw12KyEJuNmzxfpOZr5tvt5jkqq-kh3GY4x6E2Y_HjwNhJUTEmFIIPY8v/s1124/ClusterRename-07.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="418" data-original-width="1124" height="238" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj43okdAoHx_wWdNuPis6S8Eilcn7MyffXYvt96uz5Kb7Zjpr3APNRqlSIsYZU5yGpHmZaMkhZ0z6ndLZ7NpNJoFQdxmQuz_kCZAEdGEgtoqrjqyT4ZtNDkWlZpZULvmIHXw12KyEJuNmzxfpOZr5tvt5jkqq-kh3GY4x6E2Y_HjwNhJUTEmFIIPY8v/w640-h238/ClusterRename-07.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmeeetY8fM40sKEnJaD3-4_7JyOUi6FxaEu9uOimqp12ITzrKUaWy0A7q6NeQuGQcUCSB9UeGgIlMHQo2gU0pYZTJwe8VE1EkU8v7DOzU3t19PclSlGrSEnhJDfzuFokrN3Al_fgYonkOxeUxP6wxJOY_iVDWh8P5mJXokpSBLNL_tcUHFP6hZ70P6/s535/ClusterRename-08.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="535" data-original-width="384" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmeeetY8fM40sKEnJaD3-4_7JyOUi6FxaEu9uOimqp12ITzrKUaWy0A7q6NeQuGQcUCSB9UeGgIlMHQo2gU0pYZTJwe8VE1EkU8v7DOzU3t19PclSlGrSEnhJDfzuFokrN3Al_fgYonkOxeUxP6wxJOY_iVDWh8P5mJXokpSBLNL_tcUHFP6hZ70P6/w460-h640/ClusterRename-08.jpg" width="460" /></a></div>Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-19785703807328512742022-10-05T15:34:00.003+01:002022-10-05T15:35:10.767+01:00VPN termination on a NAT'ed Tier-1 within VMware Cloud on AWS for DMZ traffic segregation<p>A colleague's customer recently had a requirement to host both DMZ and Production workloads in VMware Cloud on AWS while ensuring that traffic is segregated during transit. 
Currently, if the customer was to deploy DMZ and Production networks attached to the default Compute Gateway (CGW) Tier-1 then that traffic would be routed by the Tier-1 and thus violate the segregation required as per below:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB6bc15OcrhwPiycXKukQoGz9AOUYS9bx7yzDJsZXtSgl-czFGfAyWKhU1PgTW8XAuxEKTfqeq1IDNhRUuGr6Ow0KRCdlbFrmO915fEHwUi9sBdZ9FJywZvbNxM1k1R6DbRUhHqMV4xOdFaxaJaDsxmdTtf9NQ4gxXk0fniL-7JYNaBez7rkK8lCQ9/s1119/NATed%20VPN%2001.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="893" data-original-width="1119" height="510" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB6bc15OcrhwPiycXKukQoGz9AOUYS9bx7yzDJsZXtSgl-czFGfAyWKhU1PgTW8XAuxEKTfqeq1IDNhRUuGr6Ow0KRCdlbFrmO915fEHwUi9sBdZ9FJywZvbNxM1k1R6DbRUhHqMV4xOdFaxaJaDsxmdTtf9NQ4gxXk0fniL-7JYNaBez7rkK8lCQ9/w640-h510/NATed%20VPN%2001.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;">In SDDC version 1.18 we introduced the ability to deploy multiple compute gateways (Routed, NAT'ed or Isolated) More information <span><a name='more'></a></span>can be found in the <a href="https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/rn/vmware-cloud-on-aws-release-notes/index.html" target="_blank">release notes</a> and this <a href="https://blogs.vmware.com/cloud/2022/04/06/vmware-cloud-on-aws-advanced-networking-and-routing-features/" target="_blank">blog article</a>.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNzZViv7q1Cl76Nn1mbipWYKIhU4dg0QeHKJTSMqxR2VCuZciSHqZ_lttUCJS5_3HyRsho_uU8c5IUBCcBsCjaMvS3PaW9N1hGXkD8-hPyUZ7f8PWTe-PnjtWH2WDpV3594BjW08G7tVOn5HmojINXt5j388zGnqu2rO1xTNMFw29D4KyjSbQzzE5h/s1455/NATed%20VPN%2002.png" 
style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="524" data-original-width="1455" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNzZViv7q1Cl76Nn1mbipWYKIhU4dg0QeHKJTSMqxR2VCuZciSHqZ_lttUCJS5_3HyRsho_uU8c5IUBCcBsCjaMvS3PaW9N1hGXkD8-hPyUZ7f8PWTe-PnjtWH2WDpV3594BjW08G7tVOn5HmojINXt5j388zGnqu2rO1xTNMFw29D4KyjSbQzzE5h/w640-h230/NATed%20VPN%2002.png" width="640" /></a></div><div><br /></div>The architecture we came up with would be to create a dedicated NAT'ed Tier-1 and terminate a VPN from a security appliance, in this case, Palo Alto, running in a security VPC in AWS. Now we had to use a NAT'ed Tier-1 because an Isolated Tier-1 does not establish a peering link to the Tier-0 so there would be no easy way to establish the VPN to the isolated Tier-1. A NAT'ed Tier1 would work just like an isolated Tier-1 as long as we didn't configure any NAT rules on it. The plan was to establish a VPN from the Palo Alto appliance across the AWS backbone to a public IP endpoint created on the NAT'ed Tier-1. 
This would allow external traffic to hit the AWS Palo Alto Firewall from outside, route across the VPN to the required DMZ server running in VMC and then route back to the Palo Alto appliance for inter-zone inspection before finally routing across the network to the application servers running back inside the SDDC:<div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi_6gckIP9fXmYiD0S9eZMysnpynqjWQQVMVSKTwGf_7kxWdiI8Wr7I8BWwqHUFcAsPlY9pvYLunVQozcvr4UFpsPxTQZIt-uJ7H1qGlTPLt6WoH2NYzZuSmq4TzHtzMbAbEH6ZbdVYr6aIoqUzum-EyodLBO_14U5wlePq14PK2AKqx-ystr2V1kar" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="621" data-original-width="1608" height="248" src="https://blogger.googleusercontent.com/img/a/AVvXsEi_6gckIP9fXmYiD0S9eZMysnpynqjWQQVMVSKTwGf_7kxWdiI8Wr7I8BWwqHUFcAsPlY9pvYLunVQozcvr4UFpsPxTQZIt-uJ7H1qGlTPLt6WoH2NYzZuSmq4TzHtzMbAbEH6ZbdVYr6aIoqUzum-EyodLBO_14U5wlePq14PK2AKqx-ystr2V1kar=w640-h248" width="640" /></a></div><br /></div><div>We first needed to create the DMZ NAT'ed Tier-1, which is very straightforward. I would recommend using the NSX Manager UI via the Cloud Service Portal (CSP) as it is more feature rich than the current CSP UI. 
To access it, simply click the Open NSX Manager button:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh69XZSsDqy8ogjHeA0uCjB1mmSb8p8YMHYdwIS3WooLF4pkCdcwNcLlzaSXwfZu_xI44d2TjoigLb48u2S9ZEe6MRT_ZGTBT3f4IiXho6rT5NhH2DtWXAiP8rngTmzNcEt9V5Ce14j5dmDkWmE13uACcimd1uhKGz2mnYwXFxcFLOZsAGuIi1061U6" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="533" data-original-width="2297" height="148" src="https://blogger.googleusercontent.com/img/a/AVvXsEh69XZSsDqy8ogjHeA0uCjB1mmSb8p8YMHYdwIS3WooLF4pkCdcwNcLlzaSXwfZu_xI44d2TjoigLb48u2S9ZEe6MRT_ZGTBT3f4IiXho6rT5NhH2DtWXAiP8rngTmzNcEt9V5Ce14j5dmDkWmE13uACcimd1uhKGz2mnYwXFxcFLOZsAGuIi1061U6=w640-h148" width="640" /></a></div></div><div><br /></div><div>Once inside the NSX Manager UI navigate to Networking -> Tier-1 Gateways and click Add Tier-1 Gateway:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjAj-GHvduPWSKma4U37az1p-1UJVA4siDsMpcXj-46B46BUrD7NiKfaMdCBuF0V_czY-LvhcN53qk6RsRhRo-1b8LAbn7MgsfJMqUzgnSF721usuAJjaMuLN8imtldUtGOxNycarXZ6lBsOAg4EEIXxtfvFIZFdfEGBltu2ZX24xAQYyZt2pTKdHMP" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="513" data-original-width="1002" height="328" src="https://blogger.googleusercontent.com/img/a/AVvXsEjAj-GHvduPWSKma4U37az1p-1UJVA4siDsMpcXj-46B46BUrD7NiKfaMdCBuF0V_czY-LvhcN53qk6RsRhRo-1b8LAbn7MgsfJMqUzgnSF721usuAJjaMuLN8imtldUtGOxNycarXZ6lBsOAg4EEIXxtfvFIZFdfEGBltu2ZX24xAQYyZt2pTKdHMP=w640-h328" width="640" /></a></div><div><br /></div>Provide a name and ensure the type is NATed, then click Save:<br /><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEjQ-ZssA-deXhlvkAnVBID1NM3ZDZoZ8Ep8xlmVHourHmluNiKC497131l0uOL5GsD3ITNInF6SeLE0tzTc2xc6OQw1u8UtYvkvZ1-uSAe9KzB44wIY5qY95QOKgOAI5Yh9BfZy1JKzPho9W0Dk1PA8ScfC8ATbJBSmKa0KY3AFCKCoPu-xBoZxIQHS" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="544" data-original-width="1935" height="180" src="https://blogger.googleusercontent.com/img/a/AVvXsEjQ-ZssA-deXhlvkAnVBID1NM3ZDZoZ8Ep8xlmVHourHmluNiKC497131l0uOL5GsD3ITNInF6SeLE0tzTc2xc6OQw1u8UtYvkvZ1-uSAe9KzB44wIY5qY95QOKgOAI5Yh9BfZy1JKzPho9W0Dk1PA8ScfC8ATbJBSmKa0KY3AFCKCoPu-xBoZxIQHS=w640-h180" width="640" /></a></div><br />You can also create the required network segments that need to be attached to the DMZ NAT'ed Tier-1 but this is not required to establish the VPN so I won't be covering that. </div><div><br /></div><div>We now need to request a public IP address from AWS that can be used to create a VPN endpoint on the NAT'ed Tier-1. Navigate to Networking -> Public IPs and request a new IP ensuring you give it a suitable name. 
The IP address will be allocated by AWS automatically once you click save:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjkWKUpln2c8QrPkMkMJK4_-Lxe4YsbcPoHNcDoeytDH7gqpfAyWrDmbuBOxR8BicxjZ7I9TwFIBBjg_Tio6gQoYEtFIxXUEe8g8w7AjbjoNEMSoG1OU4jaT01COjZgJFU19mThpjKUkNDBu-BzMm9niCxMTAPmp_92IttdZDfF-48HblS8qk1qZcyL" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="613" data-original-width="852" height="460" src="https://blogger.googleusercontent.com/img/a/AVvXsEjkWKUpln2c8QrPkMkMJK4_-Lxe4YsbcPoHNcDoeytDH7gqpfAyWrDmbuBOxR8BicxjZ7I9TwFIBBjg_Tio6gQoYEtFIxXUEe8g8w7AjbjoNEMSoG1OU4jaT01COjZgJFU19mThpjKUkNDBu-BzMm9niCxMTAPmp_92IttdZDfF-48HblS8qk1qZcyL=w640-h460" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div style="text-align: left;">You should not be able to ping this address just yet because we need to ensure we allow traffic on the internet interface and create the required NAT rule and VPN Endpoint. 
Let's create the VPN Service and Endpoint first.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Navigate to Networking -> VPN -> Tier-1 -> VPN Service and add a new IPSec service:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgVUqUZCEEKXtxGMUuOCLLEaboVJ9KPTbKNkR3VOh__4-HzFv8oElsxvZw_Raq6VqrpzufWguN9_5IgH1T8X0WEWyF0cBqsO5a9DhD5elsOKLFZBBed7Sje2-5u4kW4M_iszNBSiQ5cXVTllyNwx5IpQd_W6eyLuMa-YTsGZNYzPjnTLtaDeyT-vszC" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="603" data-original-width="914" height="422" src="https://blogger.googleusercontent.com/img/a/AVvXsEgVUqUZCEEKXtxGMUuOCLLEaboVJ9KPTbKNkR3VOh__4-HzFv8oElsxvZw_Raq6VqrpzufWguN9_5IgH1T8X0WEWyF0cBqsO5a9DhD5elsOKLFZBBed7Sje2-5u4kW4M_iszNBSiQ5cXVTllyNwx5IpQd_W6eyLuMa-YTsGZNYzPjnTLtaDeyT-vszC=w640-h422" width="640" /></a></div><div style="text-align: left;"><br /></div>Give it a suitable name and ensure you attach it to the recently created Tier-1 Gateway and click save to proceed:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjJ_PpwPcl2QWX70BIA9FESM1mbjkrzMjeNrEi1xiq8IVS6RGq3NRjsjxWnk4F6T1BfoRRrQ9SWeN7o1JGXZxlvjE1Thwb-asEUrsiMTDqYjELNOyaDxwLc7kXQMeSvk8xmQsxT8DtKYwDmoX5JrHqJxmvuZA_rc5vrMdfq9L7u2H62fBbgw0rp4A3I" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="571" data-original-width="1456" height="250" src="https://blogger.googleusercontent.com/img/a/AVvXsEjJ_PpwPcl2QWX70BIA9FESM1mbjkrzMjeNrEi1xiq8IVS6RGq3NRjsjxWnk4F6T1BfoRRrQ9SWeN7o1JGXZxlvjE1Thwb-asEUrsiMTDqYjELNOyaDxwLc7kXQMeSvk8xmQsxT8DtKYwDmoX5JrHqJxmvuZA_rc5vrMdfq9L7u2H62fBbgw0rp4A3I=w640-h250" width="640" /></a></div><br />Now click Local Endpoints and Add Local 
Endpoint:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgiEssYHitTCvk1lJE_hv3uBb5K_VNMVlczh9WviqrUZAIf0aAcBwv6V8mXCUtO9yRn7HDM3W9pI2xN4su0qJPL6EsdEJ9urryGLqdAI_ky1AStrf65z7AC0irs_BamlwRlK3nYk_P7LYpAEQZ-uR2f73ii8up-SgJb8YoHpZfjE5T5_hdTu_SfQgo7" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="601" data-original-width="870" height="442" src="https://blogger.googleusercontent.com/img/a/AVvXsEgiEssYHitTCvk1lJE_hv3uBb5K_VNMVlczh9WviqrUZAIf0aAcBwv6V8mXCUtO9yRn7HDM3W9pI2xN4su0qJPL6EsdEJ9urryGLqdAI_ky1AStrf65z7AC0irs_BamlwRlK3nYk_P7LYpAEQZ-uR2f73ii8up-SgJb8YoHpZfjE5T5_hdTu_SfQgo7=w640-h442" width="640" /></a></div><br />Provide a suitable name and ensure you link it to the recently created VPN Service and provide the public IP address that was allocated by AWS:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEirLtWT19wRf_L-5O1oN30E7Fy8W585vFUHwmiFXv2OoJjQCVywCCuSWFSkQQrEhz0UHRI8BIMm6tQfIaX8FXqppRXMVrfhOZPj1DztsYcoHL8LxMbD1cMshlgODXiOfCo-BghtJxT6rdJp3ktjoM0GuuZsp2cYOOUG0mDLmN0wxGlLDRQqC7_kx7-t" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="472" data-original-width="1485" height="204" src="https://blogger.googleusercontent.com/img/a/AVvXsEirLtWT19wRf_L-5O1oN30E7Fy8W585vFUHwmiFXv2OoJjQCVywCCuSWFSkQQrEhz0UHRI8BIMm6tQfIaX8FXqppRXMVrfhOZPj1DztsYcoHL8LxMbD1cMshlgODXiOfCo-BghtJxT6rdJp3ktjoM0GuuZsp2cYOOUG0mDLmN0wxGlLDRQqC7_kx7-t=w640-h204" width="640" /></a></div><div style="text-align: left;"><br /></div>We now need to ensure we allow traffic via the internet interface on the Tier-0 router as well as the newly created NAT'ed Tier-1. By default, any additional Tier-1 routers have an ANY - ANY - ALLOW rule. 
I would advise you to lock this down but for demo purposes, I will leave it as is. You can verify this by going into Security -> Gateway Firewall -> Tier-1 Gateways -> Select the correct Tier-1 Gateway and verify the security policy:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjKBr6YiRD4FKVTGy84ts1NzUxHul2-OeAM4mleynY8hYLZpl6txY9CkBcN-gdkAEj2EIjd5NhExA8ve40UWWu6a3_RZIcp1tDy8_FFBXq44Fo2pyyf69UmnjL-4qj4s89ql-oER52cEtDtWWoLZ107jdxLr5Gl18hqKXxqsXkDUC9atxPLItXnZUMz" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="483" data-original-width="2547" height="122" src="https://blogger.googleusercontent.com/img/a/AVvXsEjKBr6YiRD4FKVTGy84ts1NzUxHul2-OeAM4mleynY8hYLZpl6txY9CkBcN-gdkAEj2EIjd5NhExA8ve40UWWu6a3_RZIcp1tDy8_FFBXq44Fo2pyyf69UmnjL-4qj4s89ql-oER52cEtDtWWoLZ107jdxLr5Gl18hqKXxqsXkDUC9atxPLItXnZUMz=w640-h122" width="640" /></a></div><br />We now need to allow the traffic in via the internet interface so the VPN can be established from outside the SDDC. 
Navigate to Security -> Gateway Firewall -> Compute Gateway and click Add Rule:</div><div style="text-align: left;"><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjU1QT5LcTczbfPfCoRtrGJqaJo-63S2VvFVjhmhtdJWGbgwMNBPbicufCVmoxVzcgYjJFN_LQ6Zri4rUHzzDvAS3J2VqxM2MlAK5oJjJJECRjF450EX6xE10oSf0oanvwVBUz_NhO6s_5maxbz7eFLNDnSiyi3AdL86sfy0SsmJMJTeOwbDOzkhYIK" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="504" data-original-width="2549" height="126" src="https://blogger.googleusercontent.com/img/a/AVvXsEjU1QT5LcTczbfPfCoRtrGJqaJo-63S2VvFVjhmhtdJWGbgwMNBPbicufCVmoxVzcgYjJFN_LQ6Zri4rUHzzDvAS3J2VqxM2MlAK5oJjJJECRjF450EX6xE10oSf0oanvwVBUz_NhO6s_5maxbz7eFLNDnSiyi3AdL86sfy0SsmJMJTeOwbDOzkhYIK=w640-h126" width="640" /></a></div><br /></div><div style="text-align: left;">Give the new rule a suitable name and, if needed, lock it down to only the public IP of the remote VPN endpoint. In my example I am just going to use a source of ANY with a destination of the VPN Endpoint public IP address on ANY service:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh88V2wfjr2_8FervFJ8Pi2ugy5DUGAHmhN_r6Uk6oPN2rr6OJNfvYcCpmuNk2GUdB5DP16avhxUBFJ_zJmP6GNZRKtZqLbtuxitAlPPZgCWsJVkRpj3eT8F86tno5FeL_Ynt8A7tWFH5PxluaXIYj426WyzSu9N9IdinueQUUN-S_WYCpia2bMut9T" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="453" data-original-width="2293" height="126" src="https://blogger.googleusercontent.com/img/a/AVvXsEh88V2wfjr2_8FervFJ8Pi2ugy5DUGAHmhN_r6Uk6oPN2rr6OJNfvYcCpmuNk2GUdB5DP16avhxUBFJ_zJmP6GNZRKtZqLbtuxitAlPPZgCWsJVkRpj3eT8F86tno5FeL_Ynt8A7tWFH5PxluaXIYj426WyzSu9N9IdinueQUUN-S_WYCpia2bMut9T=w640-h126" width="640" /></a></div><div style="text-align: left;"><br /></div>We now need to add a NAT rule so the public IP address assigned to 
the VPN Endpoint can actually be reached from outside the SDDC. Navigate to Networking -> NAT -> Internet and click Add NAT Rule:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg23_nxOaH3bGPiPeHIjkkwwAvywQGq6b_GpMz6VbqqKimajRAGqCLx3uH9cXuoeuFSDvgRXMKYp3mBHle_XvFkgSkemTab0web2RtvQiVc_KLEqbmpUkVlSz-SLGxEyhxTrC-7MTMi_Ct8HXzxLcRvlC3Sz9cNAQfrSv4Mt0xx_4r_GCbKBO7oJY4K" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="416" data-original-width="2541" height="104" src="https://blogger.googleusercontent.com/img/a/AVvXsEg23_nxOaH3bGPiPeHIjkkwwAvywQGq6b_GpMz6VbqqKimajRAGqCLx3uH9cXuoeuFSDvgRXMKYp3mBHle_XvFkgSkemTab0web2RtvQiVc_KLEqbmpUkVlSz-SLGxEyhxTrC-7MTMi_Ct8HXzxLcRvlC3Sz9cNAQfrSv4Mt0xx_4r_GCbKBO7oJY4K=w640-h104" width="640" /></a></div><div style="text-align: left;"><br /></div>Provide a suitable name and ensure the correct Public IP is selected. 
Specify the internal IP to also be the public IP and ensure Match External Address is selected from a firewall perspective:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj_5SQXneUMJfiGqK98_LZCQZ9UUYXf2tuqmZLaMis28LCpOU28OahvFNAvpTvG2lmSCfO5oq6GYqd5ykbWWuCZ08AsJ982XSmy3y6PD022C-IUe1knTWstUI3_J3HrwM_RDHh76HqnuvAEs5oT0e__dT5uvJFk1eXKDSUW7lDg8JldnGj2aYnOOxho" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="413" data-original-width="2287" height="116" src="https://blogger.googleusercontent.com/img/a/AVvXsEj_5SQXneUMJfiGqK98_LZCQZ9UUYXf2tuqmZLaMis28LCpOU28OahvFNAvpTvG2lmSCfO5oq6GYqd5ykbWWuCZ08AsJ982XSmy3y6PD022C-IUe1knTWstUI3_J3HrwM_RDHh76HqnuvAEs5oT0e__dT5uvJFk1eXKDSUW7lDg8JldnGj2aYnOOxho=w640-h116" width="640" /></a></div><br />Once you click save you should be able to ping the public IP address, provided you allowed ICMP. 
For this example, I just allowed all traffic:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhELwVdddYa5xb4eom0JYzGeIhUXBHcxFvyI6aSUUkx5S7lxOBIKCGPY2hD3GLSCgZ11fWxmBxo7ffy8bxDggVBn5udtauSRKFHzVsZpSs8Wcz-Z3_XjUjCeHLeN9W8jtQaXwnW80RPGi8LKsEQqrInePS4-ZH-0SfmlE03TCUeqj3sHN4CxFsPgHR6" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="486" data-original-width="825" height="378" src="https://blogger.googleusercontent.com/img/a/AVvXsEhELwVdddYa5xb4eom0JYzGeIhUXBHcxFvyI6aSUUkx5S7lxOBIKCGPY2hD3GLSCgZ11fWxmBxo7ffy8bxDggVBn5udtauSRKFHzVsZpSs8Wcz-Z3_XjUjCeHLeN9W8jtQaXwnW80RPGi8LKsEQqrInePS4-ZH-0SfmlE03TCUeqj3sHN4CxFsPgHR6=w640-h378" width="640" /></a></div><br />Now we should be able to create a new VPN session via Networking -> VPN -> Tier-1 -> IPSec Sessions and also at the remote side to establish an IPSec tunnel:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjKgOTFTq1ul0FFog1j39H-TiXM2k5a_cMPft3maPLb4DE4uvcxA6C9c6tBMpsavRGB8uJoFh5CwHDM9rX7Ytm4NXBc40rmuIVcYma2dCd5wG-psYgv2m1Qke-ryj47ER91zj_LCRFvRVCJdKShZFfljW0-T3byK8d0ZWbO1kCbdBEmmU8CbXqmCdUJ" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="825" data-original-width="2549" height="208" src="https://blogger.googleusercontent.com/img/a/AVvXsEjKgOTFTq1ul0FFog1j39H-TiXM2k5a_cMPft3maPLb4DE4uvcxA6C9c6tBMpsavRGB8uJoFh5CwHDM9rX7Ytm4NXBc40rmuIVcYma2dCd5wG-psYgv2m1Qke-ryj47ER91zj_LCRFvRVCJdKShZFfljW0-T3byK8d0ZWbO1kCbdBEmmU8CbXqmCdUJ=w640-h208" width="640" 
/></a></div></div></div></div><div><p></p></div><p><b>Registering VMware Cloud Disaster Recovery to vCenter with a restricted user account</b> (Michael, published 2022-02-11, updated 2022-02-20)</p><p>A customer who is currently looking to deploy <a href="https://www.vmware.com/uk/products/cloud-disaster-recovery.html" target="_blank">VMware Cloud Disaster Recovery</a> (VCDR) globally recently asked about using a single Active Directory account with the minimum required permissions within vCenter as the account used to register their VCDR connectors to vCenter. For those who are new to VCDR, this is VMware's Disaster Recovery as a Service solution that offers on-demand disaster recovery with a very compelling total cost of ownership in comparison to on-premises.</p><p>The customer in question wanted to use a single Active Directory account across all their vCenters globally and didn't want to add the Active Directory <span></span></p><a name='more'></a>account to the local Administrators group within vCenter. They like to operate using least privilege and only give the service account the permissions required to do its job. Luckily VCDR has the ability to create a role with the required permissions for you using the connector CLI.<p></p><p>I'm going to assume that your VCDR Orchestrator, Scale-out Cloud Filesystem, and connector(s) have been deployed on-premises already. Since all connectors are the same we only need access to one. 
You can obtain the username and password for the connector via the VCDR Orchestrator:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgrmty3fn8OtPx6wbzwjt4IVhoZgcmHYdGFxi6FlO9iGQ1PoMdmF16uw01AJ7Ah9VNtw-3H49okTQF_ygeVoKrCM9lQDW8ZZLK-Mx6NRARK5XRW4ai_MpZBx_AM9VQwOJSle16mkyiXkPEzvHbCc2CwByWe6dbfYRRqmVlDaMLdijylgLfPpPBfYQ8R=s728" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="312" data-original-width="728" height="274" src="https://blogger.googleusercontent.com/img/a/AVvXsEgrmty3fn8OtPx6wbzwjt4IVhoZgcmHYdGFxi6FlO9iGQ1PoMdmF16uw01AJ7Ah9VNtw-3H49okTQF_ygeVoKrCM9lQDW8ZZLK-Mx6NRARK5XRW4ai_MpZBx_AM9VQwOJSle16mkyiXkPEzvHbCc2CwByWe6dbfYRRqmVlDaMLdijylgLfPpPBfYQ8R=w640-h274" width="640" /></a></div><p>Once you have SSH'd into one of the connectors you can use the following command to create a new role called vcdr-failback-prvs:</p><p><b>drc create-vcenter-user --vcenter <IP or DNS NAME> --admin-username administrator@vsphere.local --admin-password <PASSWORD> --new-username vcdr-failback-prvs --new-password vcdr-failback-prvs --vcenter-role vcdr-failback-prvs --create-role-only --failback-privs</b></p><p>This command will create a new role called vcdr-failback-prvs which has all the required permissions to snapshot, failover, and failback workloads. In the command, you do need to specify a new username and password, but you can use --create-role-only to only create the role and not the new local username and password. You would do this if you plan on using an Active Directory account rather than a local account. 
If you would rather use a local vCenter account then you can remove --create-role-only.</p><p>Once you run the command you should see it complete and the new role visible within vCenter.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgvtUzvt67VbstXSpBN7lcFxNsJtCsaf96L3Uea0zhhXT-Bxv0SaKu4Da5PJ4huRkX5LK5dqlZd_24GyTYvw3OmHHnuL4hA_BU5tut18kmcFyzni2QTeTEsg01jOkyeO9Mmm6awBMcCpjOi5DS-a-RKtHM5HYUBcjfoFx5OHID-QelVLhtpW85CCJHS=s661" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="418" data-original-width="661" height="404" src="https://blogger.googleusercontent.com/img/a/AVvXsEgvtUzvt67VbstXSpBN7lcFxNsJtCsaf96L3Uea0zhhXT-Bxv0SaKu4Da5PJ4huRkX5LK5dqlZd_24GyTYvw3OmHHnuL4hA_BU5tut18kmcFyzni2QTeTEsg01jOkyeO9Mmm6awBMcCpjOi5DS-a-RKtHM5HYUBcjfoFx5OHID-QelVLhtpW85CCJHS=w640-h404" width="640" /></a></div><div>The command above has been truncated in the UI but it is the same command I've highlighted above.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgD7y00Ob6OuVqoazqBqjLHq2XTikWGp2Djf8Q-rW4x6Hm9wxjE0iZDkW7abfxzUXte4XwLHCSAp3XJIuQZae1Bo-n41KShYy5XukkqWVIbPvMTRhWC7NxRBvn0QJr2Xojt-2c3JXvo3uqN3gG1_vRKUMaYTjYxsIVW1OcRTIL6VeYj84uPRRiczcLm=s1138" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="869" data-original-width="1138" height="488" src="https://blogger.googleusercontent.com/img/a/AVvXsEgD7y00Ob6OuVqoazqBqjLHq2XTikWGp2Djf8Q-rW4x6Hm9wxjE0iZDkW7abfxzUXte4XwLHCSAp3XJIuQZae1Bo-n41KShYy5XukkqWVIbPvMTRhWC7NxRBvn0QJr2Xojt-2c3JXvo3uqN3gG1_vRKUMaYTjYxsIVW1OcRTIL6VeYj84uPRRiczcLm=w640-h488" width="640" /></a></div>We can now see that the new role has been created with the minimum required permissions. This can then be used within vCenter with the Active Directory user account. 
<p><b>Routing to a connected VPC when attached to VMware Transit Connect</b> (Michael, published 2022-02-09, updated 2022-02-09)</p><p>Recently there was an internal discussion around a customer request to access an Amazon FSx for Windows File Servers that was currently running in a connected VPC from another SDDC. The topology that the customer was looking at was as follows:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie6EhqW_q24VzOXGrl7Qy225JN6JdO4yj27dxRtxa3okNpHQFmwUvO8jGjA-cV-NR-lxekTJmmoTKubPw8jfT6MHEAdyMAfTvjmQ56nbJDgcKv7todbgcybCWT5DGOMA0nJ0VE7SIS6O0x5NnTJ9SE8ed5ojbRdX72FIEltOCYrzWRqAhmHIxrqlBA/s1723/Image_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="864" data-original-width="1723" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie6EhqW_q24VzOXGrl7Qy225JN6JdO4yj27dxRtxa3okNpHQFmwUvO8jGjA-cV-NR-lxekTJmmoTKubPw8jfT6MHEAdyMAfTvjmQ56nbJDgcKv7todbgcybCWT5DGOMA0nJ0VE7SIS6O0x5NnTJ9SE8ed5ojbRdX72FIEltOCYrzWRqAhmHIxrqlBA/w640-h320/Image_01.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;">The customer had two SDDCs with one of the SDDCs (SDDC 01) being connected to a VPC that was running Amazon FSx for Windows File Servers. They also wanted <span><a name='more'></a></span>the second SDDC (SDDC 02) to be able to access the Amazon FSx for Windows File Servers as well as workloads running in SDDC 01. The main question was what route the traffic would take from SDDC 01 to the Amazon FSx for Windows File Servers. </div><p>During the SDDC deployment, a static route will be added into SDDC 01 to send any traffic destined to the Connected VPC 01 main CIDR across the ENI. 
In the example above the route 172.16.0.0/16 would be added as a static route into the T0, and for every segment that is created, we would also update the Connected VPC 01 main route table to send the return traffic back across the ENI to avoid asymmetric routing. This takes care of traffic from SDDC 01 to Connected VPC 01.</p><p>When we add a VMware Transit Connect into the mix and add both SDDC 01 and SDDC 02 to the SDDC group this handles our requirement of being able to route between SDDC 01 and SDDC 02. If we added Connected VPC 01 as an external VPC to the SDDC Group then a static route would be added to the T0 on SDDC 02 to send all traffic destined to 172.16.0.0/16 across the vTGW (you would manually have to add a static route in the main route table of Connected VPC 01 for the return traffic to route across the TGW attachment). Since we already have a static route on the T0 in SDDC 01, the route is not added there as the /16 prefix already exists.</p><p>Traffic flow looks like this: </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj50dKVGpyYTm1hs5MRyXgRKxCL7-BnWkj1IBetitUZMnLlw3kVdif_GD1Z8voug_18smxZTEX_5-mpRxIQqtXOk1_Hf3aVYs12L4XQlETl9VHvOrIQAyLudZEBVikbVNovkKx38iNnpeXMMkfWyZHTD3YrZF6hqpQklXER5IhBnhP1gRDQKKYxVxQ3/s1689/Image_02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="846" data-original-width="1689" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj50dKVGpyYTm1hs5MRyXgRKxCL7-BnWkj1IBetitUZMnLlw3kVdif_GD1Z8voug_18smxZTEX_5-mpRxIQqtXOk1_Hf3aVYs12L4XQlETl9VHvOrIQAyLudZEBVikbVNovkKx38iNnpeXMMkfWyZHTD3YrZF6hqpQklXER5IhBnhP1gRDQKKYxVxQ3/w640-h320/Image_02.jpg" width="640" /></a></div><p>Things to watch out for:</p><p></p><ul style="text-align: left;"><li>If Connected VPC 02 has the same CIDR range as Connected VPC 01 then traffic would prefer to go across the ENI rather than the vTGW, which 
means it would NOT be able to access the Amazon FSx for Windows File Servers in Connected VPC 01. A way around this is to add a more specific route, i.e. a /32 address for the Amazon FSx for Windows File Server, but this would also inject this route into SDDC 01 so ALL traffic from SDDC 01 and 02 would route across the vTGW and you would also need more specific routes to send traffic back across the vTGW for both SDDC 01 and SDDC 02.</li><li>If you add a static route in the Connected VPC 01 main route table for a more specific route to go via the TGW attachment then you would end up with asymmetric routing, which will cause the traffic to be blocked. By default, VMware Cloud on AWS will always add a route into the Connected VPC main route table to send the return traffic to an NSX segment back across the ENI. If the segment is a /24 and you add a static route to a /32 to the vTGW then traffic would route across the vTGW and you would end up with asymmetric routing.</li></ul><p></p><p><b>VMware Transit Connect default route and the impact on VPN and HCX Connectivity</b> (Michael, published 2022-01-26, updated 2022-01-26)</p><div class="separator" style="clear: both; text-align: left;">I recently had a query from a customer who was implementing intra-region peering between a VMware Transit Gateway and a native AWS Transit Gateway which would then be attached to a security VPC. Their requirement was to ensure that all VM connectivity from the SDDC would traverse the security VPC before egressing out to the internet or back to on-premises. This would require them to add a static route into the vTGW to point all traffic (0.0.0.0/0) to the peering attachment which connected the vTGW to the TGW. 
From there they<span><a name='more'></a></span> would need to ensure the correct routing is in place on the TGW to send all traffic to the security VPC and also verify that the correct routes are in place for the reverse traffic:</div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjRdDjvcj2VN0yd8oYffwSdQ49Zt9GD4_MbI6F16wIzf6P1BvDhx50MtP7S6V1rxvGEitmDoYxLZKA25HnFDINSDFHn_ePKTXd_59Q74gEPgeVDbdHnWEyKs9V86BLz827Ek3PuRO_aeSDoiawFl0eaPxGAhJhrFtCTBJlN2PGv-XEBsa_TLnq07H9T=s1215" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="757" data-original-width="1215" height="398" src="https://blogger.googleusercontent.com/img/a/AVvXsEjRdDjvcj2VN0yd8oYffwSdQ49Zt9GD4_MbI6F16wIzf6P1BvDhx50MtP7S6V1rxvGEitmDoYxLZKA25HnFDINSDFHn_ePKTXd_59Q74gEPgeVDbdHnWEyKs9V86BLz827Ek3PuRO_aeSDoiawFl0eaPxGAhJhrFtCTBJlN2PGv-XEBsa_TLnq07H9T=w640-h398" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">This particular customer was looking to migrate out of an on-premises datacentre and was going to utilise HCX to perform the migration. They also had a requirement to maintain IP addresses, which required stretched layer 2 between on-premises and VMC on AWS. Since they were not licensed for the vSphere Distributed Switch we had to deploy the NSX Standalone Edge for stretched layer 2. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">The customer had a few questions, all based on what impact adding the default route into the vTGW to send all traffic to the TGW would have on the stretched layer 2 VPN tunnel as well as the HCX Interconnect tunnels. 
The short answer is nothing. The stretched layer 2 VPN and HCX will continue to function as long as they are configured to use the public IP addresses rather than the internal IP addresses. The reason this works is that when you create a VPN (Layer 2, policy-based or route-based) we add a static route into the T0 for the remote public IP address with the next-hop being the Internet Gateway. Since this is a more specific route, VPN traffic will continue to egress out of the Internet Gateway rather than take the default route to the vTGW. You can see below that I have created three VPNs with different remote public IPs:</div><div class="separator" style="clear: both; text-align: left;"><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEghyaOujESx3_DBuZOesbpkuAgAoZ3h1je5FYj5wzi7nAwcCh2HK_c9JL3nL66P6GcbegpAvU-1tWFNu2_A8BQXvY2F2S89zEBGr2EwfVcwYU6fEOAPJuqe9Vt91KwC5lTKbX0-toteTHWGA3G3re-q0iBACKOS09ZeUSPpw9hX8Y5cpTKt2msXpLwc=s1355" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="311" data-original-width="1355" height="146" src="https://blogger.googleusercontent.com/img/a/AVvXsEghyaOujESx3_DBuZOesbpkuAgAoZ3h1je5FYj5wzi7nAwcCh2HK_c9JL3nL66P6GcbegpAvU-1tWFNu2_A8BQXvY2F2S89zEBGr2EwfVcwYU6fEOAPJuqe9Vt91KwC5lTKbX0-toteTHWGA3G3re-q0iBACKOS09ZeUSPpw9hX8Y5cpTKt2msXpLwc=w640-h146" width="640" /></a></div></div></div><p></p><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj2JMWo4K4i2QwgUsebjE13Tuo6OrB89dFXgBiE3iQS5Wc8hshrOPQjbeT3LYUsBdxav-1dpd7t9uvkpkgj4wtukcet4ymcovWmedE0lnC1VqS-B8mHOHqXyWclt-UZqiadT6fWbV_W3WnjPvftWG4JmZ-YrbxjU0H5iLjtUgZneMXKKni9OZXCmnpD=s888" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="238" data-original-width="888" height="172" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEj2JMWo4K4i2QwgUsebjE13Tuo6OrB89dFXgBiE3iQS5Wc8hshrOPQjbeT3LYUsBdxav-1dpd7t9uvkpkgj4wtukcet4ymcovWmedE0lnC1VqS-B8mHOHqXyWclt-UZqiadT6fWbV_W3WnjPvftWG4JmZ-YrbxjU0H5iLjtUgZneMXKKni9OZXCmnpD=w640-h172" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiSztTMR3tzZ354Jk7W-pvOXm1KM4YPue6OFWGVt-V6P0T8ADkg-tmKTIH4I-zij26VlocfOLt2LioFymAtcJ7YmG8Ivj4g0MXit7wfdAGUg8NtueC3Atgdj_EcL0VtKnaK9zT5d8ngmSWYhUfVSLAqW-wywkraUZoJO97pIMUjf6jwSS6zgH2xo_JJ=s1015" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="233" data-original-width="1015" height="146" src="https://blogger.googleusercontent.com/img/a/AVvXsEiSztTMR3tzZ354Jk7W-pvOXm1KM4YPue6OFWGVt-V6P0T8ADkg-tmKTIH4I-zij26VlocfOLt2LioFymAtcJ7YmG8Ivj4g0MXit7wfdAGUg8NtueC3Atgdj_EcL0VtKnaK9zT5d8ngmSWYhUfVSLAqW-wywkraUZoJO97pIMUjf6jwSS6zgH2xo_JJ=w640-h146" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">If we then take a look at the T0 route table we can see three /32 routes for the remote public IPs we created above with the next-hop being the Internet Gateway: </div><div class="separator" style="clear: both; text-align: center;"><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhuRC0OjT-LNpXYn-OsIdsaXFo_QqS-C1O3L8A8sNK7k6dj31zFxyelmZAf-d50XTe86_WFcM-pse1oW6ggoHGVcYyyIxYbbbfTGUbWXF01SqqXq1_GPsR1vY24CI2ERmRz7zKJZz1E3uMA2TJ76ohqoCs4ZhvY8FIh5xl-UnKT7iIqBJUADpqBw3Cp=s1347" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="125" data-original-width="1347" height="60" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEhuRC0OjT-LNpXYn-OsIdsaXFo_QqS-C1O3L8A8sNK7k6dj31zFxyelmZAf-d50XTe86_WFcM-pse1oW6ggoHGVcYyyIxYbbbfTGUbWXF01SqqXq1_GPsR1vY24CI2ERmRz7zKJZz1E3uMA2TJ76ohqoCs4ZhvY8FIh5xl-UnKT7iIqBJUADpqBw3Cp=w640-h60" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">HCX works differently in that the public IP addresses actually reside on the virtual appliances, so we use a policy route to send traffic from the internet interface (if the external network profile was selected during the deployment of HCX) to the correct appliances, and likewise for the return traffic.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">The good news with all of this is that a vTGW can be safely integrated into your existing SDDC and can also potentially save on costs and latency since traffic does not have to traverse two Transit Gateways.</div></div><p></p>Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-19567132414081200042021-04-27T11:44:00.004+01:002021-04-28T13:31:49.116+01:00HCX Service Mesh and Route Based VPN with default route advertised<p>I've been asked a few times whether HCX can be used if the customer has a route-based VPN into VMware Cloud on AWS and is advertising the default route 0.0.0.0/0 into the SDDC. The short answer is yes, this is supported and works.</p><p>The long answer as to why this question comes up is that when we advertise the default route of 0.0.0.0/0 into the SDDC, all traffic from the SDDC flows via on-premises, including traffic destined for the internet. 
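As an added example (Python written for this page, not code from the blog or from VMware), the following models how the T0 resolves the routes described here and in the previous post: a default route learned over the route-based VPN, the connected-VPC CIDR via the ENI, and a /32 per VPN peer public IP pointing at the Internet Gateway. Longest prefix wins, so a VPN peer's public IP still leaves via the Internet Gateway while 8.8.8.8 follows the default into the tunnel. Every prefix and peer address is constructed: 203.0.113.0/24 is the RFC 5737 documentation range and the connected-VPC CIDR 10.20.0.0/16 is an assumption.

```python
"""Longest-prefix match over a simplified NSX T0 route table.

Added example, not code from the post or from VMware. It models the table the
posts describe: a default route learned over a route-based VPN from
on-premises, the connected-VPC CIDR via the ENI, and one /32 per VPN peer
public IP with the Internet Gateway as next hop. All prefixes and peer
addresses are constructed (203.0.113.0/24 is the RFC 5737 documentation range).
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, next hop)


def route(cidr: str, next_hop: str) -> Route:
    return (ipaddress.ip_network(cidr), next_hop)


# Constructed T0 route table.
T0_ROUTES: List[Route] = [
    route("0.0.0.0/0", "route-based-vpn"),         # default advertised from on-premises
    route("10.20.0.0/16", "connected-vpc-eni"),    # connected VPC CIDR (assumed value)
    route("203.0.113.10/32", "internet-gateway"),  # VPN peer public IPs (constructed)
    route("203.0.113.20/32", "internet-gateway"),
    route("203.0.113.30/32", "internet-gateway"),
]


def lookup(dst: str, routes: List[Route] = T0_ROUTES) -> Optional[str]:
    """Return the next hop for dst; among matching prefixes the longest wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, next_hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def without_peer_routes(routes: List[Route] = T0_ROUTES) -> List[Route]:
    """The same table minus the /32 peer routes, to show why they matter."""
    return [r for r in routes if r[1] != "internet-gateway"]


def forwarding_summary(dsts: Iterable[str], routes: List[Route] = T0_ROUTES) -> Dict[str, Optional[str]]:
    """Map each destination to the next hop the table selects for it."""
    return {d: lookup(d, routes) for d in dsts}


if __name__ == "__main__":
    for d, nh in forwarding_summary(("8.8.8.8", "10.20.1.5", "203.0.113.20")).items():
        print(f"{d:>15} -> {nh}")
    # Without the /32s the VPN peer itself would be sent into the tunnel it terminates.
    print("peer without /32:", lookup("203.0.113.20", without_peer_routes()))
```

The last line of the demo is the failure mode the static /32 prevents: with only the default route present, traffic to the VPN peer would be resolved to the tunnel itself.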
Some customers prefer to do this to ensure all outbound internet traffic routes via their perimeter firewall so they can ensure that all security and logging policies are applied. The confusion comes around HCX. Since HCX is unable to use an existing IPSEC VPN tunnel to send traffic from on-premises into the SDDC as per the <a href="https://kb.vmware.com/s/article/78021" target="_blank">KB article</a>, it needs to establish its own. The HCX-IX Interconnect and HCX Network Extension Appliances both establish an IPSEC VPN tunnel from on-premises to their peer appliances in the SDDC using UDP/4500. So the question is, if we are advertising 0.0.0.0/0 into the SDDC so all traffic traverses the IPSEC VPN tunnel back to on-premises, then how can the HCX-IX Interconnect and HCX Network Extension Appliances communicate?</p><span><a name='more'></a></span><p>In my test environment, I have a route-based VPN and I've advertised the default route into the SDDC from on-premises:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4YzV6Hn8KyvouFiBaukJ8-XY8S8y_HTDfUbCQgeNWTMs8LipXzo-OcgknL0ewmpUK6GVDBazdYg2CPV1b_cpWpQiM7mLlM0Qs7Lj9wRpEQpzr1CULG4y6ZairYUAzV3NnoXbOD3qeqXA/s864/1.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="424" data-original-width="864" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4YzV6Hn8KyvouFiBaukJ8-XY8S8y_HTDfUbCQgeNWTMs8LipXzo-OcgknL0ewmpUK6GVDBazdYg2CPV1b_cpWpQiM7mLlM0Qs7Lj9wRpEQpzr1CULG4y6ZairYUAzV3NnoXbOD3qeqXA/w640-h314/1.jpg" width="640" /></a></div>From within a test VM in the SDDC, if I ping 8.8.8.8 you see my latency is higher than expected; this is because traffic has to go across the VPN to on-premises, egress out that way and then return via the same path. 
When I also check what my public IP address is it returns my on-premises public IP:<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1gpKTLXT97PgAhBu4I6uPMgTfSAMFyHaW6y_ca-bXiny22WFFwbWyDQkAgPYhlnwMmcK_K6g4SVdKSfzNgslt6fBxRWktdsXbiOC8canF1DSh9-KMyYTts3AN6FmxJUiwRWnNUX8VZtk/s1546/2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="611" data-original-width="1546" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1gpKTLXT97PgAhBu4I6uPMgTfSAMFyHaW6y_ca-bXiny22WFFwbWyDQkAgPYhlnwMmcK_K6g4SVdKSfzNgslt6fBxRWktdsXbiOC8canF1DSh9-KMyYTts3AN6FmxJUiwRWnNUX8VZtk/w640-h252/2.jpg" width="640" /></a></div>Now if I deploy HCX we see that my HCX-IX Interconnect and HCX Network Extension Appliances successfully establish an IPSEC tunnel from the on-premises appliances to the public IP addresses assigned to the appliances in the SDDC:<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGK7cTKN2-3N-xLPNdVHWZrQ5tq2YytWvL9dgoV7ui_nMwdqnwJUDBkTO2x0f7oHdLEj9bztBwECM4dBpDbSqOdkjOyg0To0tFC9GDl5qy4FzHoHf20d5oUxKadDKf7PfRlikc1mShyphenhyphenlo/s1646/3.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="572" data-original-width="1646" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGK7cTKN2-3N-xLPNdVHWZrQ5tq2YytWvL9dgoV7ui_nMwdqnwJUDBkTO2x0f7oHdLEj9bztBwECM4dBpDbSqOdkjOyg0To0tFC9GDl5qy4FzHoHf20d5oUxKadDKf7PfRlikc1mShyphenhyphenlo/w640-h222/3.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMtgHebp8zCOBTsjBeVDzcMgRRsabsHUjYuvEYApgNBRh9FdzlI0t1KEmJze8EYHVHhaWK_I6DEin_7mH1axooIuwrgFadlpgnkBs0lZAP3adT7YbRMZH4t143MrvYWIvaUovOyH0Hkq4/s1644/4.jpg" style="margin-left: 1em; 
margin-right: 1em;"><img border="0" data-original-height="412" data-original-width="1644" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMtgHebp8zCOBTsjBeVDzcMgRRsabsHUjYuvEYApgNBRh9FdzlI0t1KEmJze8EYHVHhaWK_I6DEin_7mH1axooIuwrgFadlpgnkBs0lZAP3adT7YbRMZH4t143MrvYWIvaUovOyH0Hkq4/w640-h160/4.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><div style="text-align: left;">The reason this works is that we have a special provision for the HCX appliances within the SDDC to always egress out of the internet gateway when the externalNetwork profile is used as part of the service mesh, even when the customer is advertising the default route into the SDDC.</div></div><p></p>Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-66271570698366673602021-02-22T09:10:00.001+00:002021-02-22T16:15:48.062+00:00HCX Mobility Optimized Networking Policy Routes<p>With the R145 <a href="https://docs.vmware.com/en/VMware-HCX/services/rn/VMware-HCX-Release-Notes.html" target="_blank">release of HCX</a> on 30th October 2020, VMware Cloud on AWS customers were treated to some great new functionality at no additional cost. 
New features such as <a href="https://cloud.vmware.com/community/2019/08/08/hcx-enterprise-replication-assisted-vmotion/" target="_blank">Replication Assisted vMotion</a>, <a href="https://cloud.vmware.com/community/2020/01/16/traffic-engineering-hcx-enterprise/" target="_blank">Application Path Resiliency</a>, <a href="https://cloud.vmware.com/community/2020/01/16/traffic-engineering-hcx-enterprise/" target="_blank">TCP Flow Conditioning</a>, <a href="https://cloud.vmware.com/community/2020/01/10/vmware-hcx-adds-mobility-groups-simplify-workload-migration-easily-identify-group-plan-migrate-complex-applications/" target="_blank">Mobility Groups</a> and my personal favourite, <a href="http://www.patrickkremer.com/enabling-mobility-optimized-networking-in-vmware-cloud-on-aws/" target="_blank">Mobility Optimized Networking</a>. I'm not going to go into too much detail around Mobility Optimized Networking (MON) since Patrick Kremer (<a href="http://www.patrickkremer.com/" target="_blank">Blog</a> | <a href="https://twitter.com/KremerPatrick" target="_blank">Twitter</a>) has covered it extensively <a href="http://www.patrickkremer.com/enabling-mobility-optimized-networking-in-vmware-cloud-on-aws/" target="_blank">here</a>.</p><p>On an internal Slack channel the following question was asked:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6PrZcksB3NfxPJRCK9iokl-hGtQ08F9N-SooE_6lEM2THSovkkFOZpj6aRbTq2UTPRXc-MJ847TCy6Qz0ZJzlWNit5WRcejpGqbszxopoqG6rH7rQwTCsqX1V75oPOqugMuRNwVczbGU/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="122" data-original-width="674" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6PrZcksB3NfxPJRCK9iokl-hGtQ08F9N-SooE_6lEM2THSovkkFOZpj6aRbTq2UTPRXc-MJ847TCy6Qz0ZJzlWNit5WRcejpGqbszxopoqG6rH7rQwTCsqX1V75oPOqugMuRNwVczbGU/w640-h116/image.png" width="640" /></a></div><br />When we migrate a VM from 
on-premises into VMC that resides on a stretched layer 2 network without enabling MON, any traffic that needs to egress that network, whether destined for VMs on-premises, VMs within VMC or the internet,<span><a name='more'></a></span> will need to go via on-premises. In my lab I have two VMs currently on-premises in the same VLAN:<p></p><div>MigrateVM-12 - 172.30.41.12/24</div><div>MigrateVM-13 - 172.30.41.13/24</div><div><br /></div><div>If I SSH into 172.30.41.12 and ping 172.30.41.13 I see my latency is ~<1ms:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS3xU1PM-wrJWAoUzMARoaUg7MMSr5Ev2n9fSe2tNbdd3jfFpuX2YujCKxkqdPFYU1VDZm0L0_SULXLP_u8_ovERx0bbs0got5k-uTyhN1S6j3phbxuzp4n1YZ16d_qOpQUoewAoEILuQ/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="524" data-original-width="1674" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS3xU1PM-wrJWAoUzMARoaUg7MMSr5Ev2n9fSe2tNbdd3jfFpuX2YujCKxkqdPFYU1VDZm0L0_SULXLP_u8_ovERx0bbs0got5k-uTyhN1S6j3phbxuzp4n1YZ16d_qOpQUoewAoEILuQ/w640-h200/image.png" width="640" /></a></div></div></div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi13qnHbLrTowEHwjVHRAlbXRmZdLGIGP6B5nParYhravi5QUQQGKxFfv1aU7j6xEMjMbPrM_cm9I3NgoKufz_U5zdYn-k_9QRJHzbYooZjANJNvlgrMXcHS4-kP5aQOOCqZSyQrRmvakI/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="250" data-original-width="781" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi13qnHbLrTowEHwjVHRAlbXRmZdLGIGP6B5nParYhravi5QUQQGKxFfv1aU7j6xEMjMbPrM_cm9I3NgoKufz_U5zdYn-k_9QRJHzbYooZjANJNvlgrMXcHS4-kP5aQOOCqZSyQrRmvakI/w640-h204/image.png" width="640" 
/></a></div><br /></div></div><div>If I ping a workload currently running in VMC (172.30.119.129) you see that my latency is ~100ms as the traffic has to route from Chicago to Frankfurt via a Route Based VPN:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6FkkpJB_yg4VWW_RxvC8Riqk0Z9AA2njnArqO6EZAA7qzPxyP7flJggaVoZt-MNSD97v-j8n-0plZPayJeY3A3vgnDMLVCYMltPdXVemFRaD7quVYSo7INVLMxCagWij2gk7pLwxXAeY/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="516" data-original-width="1667" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6FkkpJB_yg4VWW_RxvC8Riqk0Z9AA2njnArqO6EZAA7qzPxyP7flJggaVoZt-MNSD97v-j8n-0plZPayJeY3A3vgnDMLVCYMltPdXVemFRaD7quVYSo7INVLMxCagWij2gk7pLwxXAeY/w640-h198/image.png" width="640" /></a></div></div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNKTK_fGuOVF82xNyBWth7y-b2GCl7On9SPas9GCCzZKDsxrcyj6jG34SAPyGfSn7yNhjuTT8KJ7gvlsva0wjkCbrFanXBaye54ts3dRnvi8s_5X3joDyc4qCM9CwlgRDCZd6TKrsMzUk/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="250" data-original-width="781" height="203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNKTK_fGuOVF82xNyBWth7y-b2GCl7On9SPas9GCCzZKDsxrcyj6jG34SAPyGfSn7yNhjuTT8KJ7gvlsva0wjkCbrFanXBaye54ts3dRnvi8s_5X3joDyc4qCM9CwlgRDCZd6TKrsMzUk/w640-h203/image.png" width="640" /></a></div><br /></div><div>If I ping an IP address out on the internet such as 8.8.8.8 you see that my latency is ~2ms:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9yLQvLVGJhUfSanNyO9Z4aDBqghG7FbGb3V4cdtZAFgTC1nj4okDrtfAnhvsIAA83OIt0dgyKNe-qMh3PpkccVecMMRuDk3O8w3NE99jR-pP9G_dl8WHZBs-koxn0aQH7SvkeH6komHQ/" style="margin-left: 
1em; margin-right: 1em;"><img alt="" data-original-height="521" data-original-width="1674" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9yLQvLVGJhUfSanNyO9Z4aDBqghG7FbGb3V4cdtZAFgTC1nj4okDrtfAnhvsIAA83OIt0dgyKNe-qMh3PpkccVecMMRuDk3O8w3NE99jR-pP9G_dl8WHZBs-koxn0aQH7SvkeH6komHQ/w640-h200/image.png" width="640" /></a></div></div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeEszzY-DgKFM46vxYjpq2XXricpVtJqRPIECji1xWw5Y_rVsHbYo46qHd4Q8B0DRq_SaHE-zbZgZe-4PRb9lQYdMQ7QV8Lojfs4VDoRXHXp2iTVryM4GtYyVA746ul1hG2p0lRhhC2L4/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="250" data-original-width="781" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeEszzY-DgKFM46vxYjpq2XXricpVtJqRPIECji1xWw5Y_rVsHbYo46qHd4Q8B0DRq_SaHE-zbZgZe-4PRb9lQYdMQ7QV8Lojfs4VDoRXHXp2iTVryM4GtYyVA746ul1hG2p0lRhhC2L4/w640-h204/image.png" width="640" /></a></div><br /></div><div>I'm now going to migrate 172.30.41.12 from on-premises into VMC:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM_5z0mBZmV2xkPg3b1kUYh2LUBVYpLUU7sWxf3b1w9qciWKJd3zclGRgLT12aVeUErbguN8vI3zx5dBjfRsG8YX6JNc42Qft9m39zxZ2N272tAbcLtMpOs0gwcvzF3c8LapMYyRfrq3o/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="401" data-original-width="1676" height="154" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM_5z0mBZmV2xkPg3b1kUYh2LUBVYpLUU7sWxf3b1w9qciWKJd3zclGRgLT12aVeUErbguN8vI3zx5dBjfRsG8YX6JNc42Qft9m39zxZ2N272tAbcLtMpOs0gwcvzF3c8LapMYyRfrq3o/w640-h154/image.png" width="640" /></a></div><br />With MON disabled we see that when I ping 172.30.41.13 my latency is now ~100ms since traffic has to traverse the L2 extension, which is as expected:</div><div><br /></div><div><div class="separator" 
style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZRh3GAiQj9yBzrsMNYwiyXjjMjsWjgQMRxtD-LiJIAR9wsi7dgKik21wdvUQJ74-QINLzh96YkLpt0lTedZgyA8Jx8DvLvfS0Kn3lOaD0qrvHNDPnL5GohdIE_FzRaj2KxRZLABO0YUY/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="521" data-original-width="1672" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZRh3GAiQj9yBzrsMNYwiyXjjMjsWjgQMRxtD-LiJIAR9wsi7dgKik21wdvUQJ74-QINLzh96YkLpt0lTedZgyA8Jx8DvLvfS0Kn3lOaD0qrvHNDPnL5GohdIE_FzRaj2KxRZLABO0YUY/w640-h200/image.png" width="640" /></a></div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg64sWR9MzsYvTZMvv_jzGmiKZRZ-iG-jNkUrnRD4vG26wMrjTkUa_ud04tEHUem68NAAIdASTEQeOnQn_S4cu_vurbGUfGEPri-BF8jWsfkc5edraEKmRIMmFmVpMfmum23o1XOYQlxv8/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="250" data-original-width="781" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg64sWR9MzsYvTZMvv_jzGmiKZRZ-iG-jNkUrnRD4vG26wMrjTkUa_ud04tEHUem68NAAIdASTEQeOnQn_S4cu_vurbGUfGEPri-BF8jWsfkc5edraEKmRIMmFmVpMfmum23o1XOYQlxv8/w640-h204/image.png" width="640" /></a></div></div><div><br /></div><div>If I ping 172.30.119.129 which is a VM also running in VMC my latency is ~200ms because in order to egress out of the network I have to do it via the on-premises gateway and then come back into VMC, which once again, with MON disabled is as expected:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgapS_b7A1IR_3mxi3eEFBUr1-ICD3kS1RZBCXiMzBInGkoFYUFEmL6eG2o32k2JENIoLUCnRtcxJVCdDeB9qBniMew2-U9muQW8zAhPF26gWVYbbmqThOictlvtEY_0s_GrBHPETF3bz8/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="519" data-original-width="1671" 
height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgapS_b7A1IR_3mxi3eEFBUr1-ICD3kS1RZBCXiMzBInGkoFYUFEmL6eG2o32k2JENIoLUCnRtcxJVCdDeB9qBniMew2-U9muQW8zAhPF26gWVYbbmqThOictlvtEY_0s_GrBHPETF3bz8/w640-h198/image.png" width="640" /></a></div></div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB0VmU6x9TOMXy3IeGKRhG4byLavHhuQpRS6JTWzNzWjUPSSjfFh3kl50k8wrNJE-DWalvy0SUGBYPC6ebCFf6fezK2O71vDRVJLgLmiPIm8r4S5ngVCBzQ8krWDrjE3sTKkaNPuBZq9A/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="250" data-original-width="781" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB0VmU6x9TOMXy3IeGKRhG4byLavHhuQpRS6JTWzNzWjUPSSjfFh3kl50k8wrNJE-DWalvy0SUGBYPC6ebCFf6fezK2O71vDRVJLgLmiPIm8r4S5ngVCBzQ8krWDrjE3sTKkaNPuBZq9A/w640-h204/image.png" width="640" /></a></div><div><br /></div>Now just for completeness if I ping 8.8.8.8 my latency is ~100ms because once again, I have to traverse the L2 extension in order to egress out of the network, which is as expected:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSwZtty9nAJRV0cbcDAXWWfrBcVR-Ms5VfI63h8skWQRUjYSE_OnBGnqouQw4nqIqcVMpZ1k2fAwHlu0PpDlWKcORGsg6VxEc5aNmhFnQ9hGJIJfWOa2iRpHodZ5cU_ukFCgXR5DWkE8k/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="520" data-original-width="1675" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSwZtty9nAJRV0cbcDAXWWfrBcVR-Ms5VfI63h8skWQRUjYSE_OnBGnqouQw4nqIqcVMpZ1k2fAwHlu0PpDlWKcORGsg6VxEc5aNmhFnQ9hGJIJfWOa2iRpHodZ5cU_ukFCgXR5DWkE8k/w640-h198/image.png" width="640" /></a></div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPFGVQebx8hgGdafxpsDShFEzz5jEGh9IbAD4V-m9zOlBahYtRCOxVstUuhBFLCuxaOzbvhPd6mhqJqa1JfS4lT8vUMCeA_aAwqF2G0ESBKXLIi0_YhsFgmGWsWX3V1nx73hV7lwPbBRI/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="250" data-original-width="781" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPFGVQebx8hgGdafxpsDShFEzz5jEGh9IbAD4V-m9zOlBahYtRCOxVstUuhBFLCuxaOzbvhPd6mhqJqa1JfS4lT8vUMCeA_aAwqF2G0ESBKXLIi0_YhsFgmGWsWX3V1nx73hV7lwPbBRI/w640-h204/image.png" width="640" /></a></div><div><br /></div>I'm now going to enable MON on MigrateVM-12 (172.30.41.12) and test the same scenarios as above:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjop4V5w7p5CWaBj1z5HIiI3mVz6GqaTJrHJeau9IwrrmX3d5J1fso_MqimFyteYvPkeQ6yq0fwk_OzeZ_sITJG2Scq3FAT7jMzDzeMD46vnKdqjGqeVkQBmViiQ2Ipx6i1c4EsDkA5A3o/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="336" data-original-width="1955" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjop4V5w7p5CWaBj1z5HIiI3mVz6GqaTJrHJeau9IwrrmX3d5J1fso_MqimFyteYvPkeQ6yq0fwk_OzeZ_sITJG2Scq3FAT7jMzDzeMD46vnKdqjGqeVkQBmViiQ2Ipx6i1c4EsDkA5A3o/w640-h110/image.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div style="text-align: left;">If I ping 172.30.41.13 my latency is still ~100ms as expected since I have to go back across the L2 extension to on-premises:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZRh3GAiQj9yBzrsMNYwiyXjjMjsWjgQMRxtD-LiJIAR9wsi7dgKik21wdvUQJ74-QINLzh96YkLpt0lTedZgyA8Jx8DvLvfS0Kn3lOaD0qrvHNDPnL5GohdIE_FzRaj2KxRZLABO0YUY/" style="margin-left: 1em; 
margin-right: 1em; text-align: center;"><img alt="" data-original-height="521" data-original-width="1672" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZRh3GAiQj9yBzrsMNYwiyXjjMjsWjgQMRxtD-LiJIAR9wsi7dgKik21wdvUQJ74-QINLzh96YkLpt0lTedZgyA8Jx8DvLvfS0Kn3lOaD0qrvHNDPnL5GohdIE_FzRaj2KxRZLABO0YUY/w640-h200/image.png" width="640" /></a></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhczihxNPGwnAcEo_TzHJNf13Diy5l1HUe9weGYu25vQDYHDVRk2senCQN1NhcXL2PqPD3LY7HQjuHzO4b-o-Yj2C5ILnCSgndb6XCqNMoxR423lwUVvw8CrHwjnJTWX8jSmGZshV3s7s0/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="250" data-original-width="781" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhczihxNPGwnAcEo_TzHJNf13Diy5l1HUe9weGYu25vQDYHDVRk2senCQN1NhcXL2PqPD3LY7HQjuHzO4b-o-Yj2C5ILnCSgndb6XCqNMoxR423lwUVvw8CrHwjnJTWX8jSmGZshV3s7s0/w640-h204/image.png" width="640" /></a></div></div><div style="text-align: left;"><br /></div>Now when I ping 172.30.119.129, which is running in VMC, my latency is ~<1ms. This is where the benefit of MON is realised because I now have optimised routing to workloads running in VMC on either native network segments i.e. 
network segments created directly in VMC or additional stretched networks that have been presented into VMC:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsfh9nj1fE_ty4UFIAlsjisOwWDN3wGTmo7r9FwgcHPUmD4M9wa3savrJ8TovcSbYHnUwRVytCIpB5eyr704H5CsZm-ECsLlRIER4Gst2edM4ce4RoKSJipBm2Aj5_iy47bxUe6S5znU0/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="516" data-original-width="1673" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsfh9nj1fE_ty4UFIAlsjisOwWDN3wGTmo7r9FwgcHPUmD4M9wa3savrJ8TovcSbYHnUwRVytCIpB5eyr704H5CsZm-ECsLlRIER4Gst2edM4ce4RoKSJipBm2Aj5_iy47bxUe6S5znU0/w640-h198/image.png" width="640" /></a></div><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIbbCUPLugz47NQht9t4PA1kmW5NRtfcDf7HmJsdJOpr1EoEAWplpefM_7fakRDx-LpZsaSanjXkF-nWItKwVqIpkBp18-lIBnEpqgZiJgSi9W_yAjciuGjxz0S-aCpFhUKgcH0yI-glY/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="250" data-original-width="781" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIbbCUPLugz47NQht9t4PA1kmW5NRtfcDf7HmJsdJOpr1EoEAWplpefM_7fakRDx-LpZsaSanjXkF-nWItKwVqIpkBp18-lIBnEpqgZiJgSi9W_yAjciuGjxz0S-aCpFhUKgcH0yI-glY/w640-h204/image.png" width="640" /></a></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Back to the original question around internet traffic, we see that traffic egresses directly out of the SDDC rather than going via on-premises. 
We can tell this because the latency is ~3ms when it should be over 100ms:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj18UNM5WJ5118r8IS-0RefIYg_ICd_eX8SYGnNapvwi8Nc_z1CGWtoYe2vIJGAQAkFvnl4Q6NmdB_uMK6ru2mwAkxw64BzVQTsiS19FjBaMBbofzbqnnofouEY6tJ5BPcqBtJj9bPYRg/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="519" data-original-width="1673" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj18UNM5WJ5118r8IS-0RefIYg_ICd_eX8SYGnNapvwi8Nc_z1CGWtoYe2vIJGAQAkFvnl4Q6NmdB_uMK6ru2mwAkxw64BzVQTsiS19FjBaMBbofzbqnnofouEY6tJ5BPcqBtJj9bPYRg/w640-h198/image.png" width="640" /></a></div></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzoG2d9YhBmWsfVbiQZcqqNBdQTgVEKQxvftOF5jPy6Jjc3OmhtUwaIaek3sHJI1QGqvglgUkCslXF0Ma1EgwzHamSBu_ZcZyMugZNrOV0hXEvVdPRqnsLDEAnx6_dcoUAHmEGWTM7iBU/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="250" data-original-width="781" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzoG2d9YhBmWsfVbiQZcqqNBdQTgVEKQxvftOF5jPy6Jjc3OmhtUwaIaek3sHJI1QGqvglgUkCslXF0Ma1EgwzHamSBu_ZcZyMugZNrOV0hXEvVdPRqnsLDEAnx6_dcoUAHmEGWTM7iBU/w640-h204/image.png" width="640" /></a></div><br />The reason internet traffic egresses via the SDDC even if the default route of 0.0.0.0/0 is being advertised into the SDDC is because we need to avoid asymmetric routing. 
For stretched networks, if we need internet traffic to always egress via on-premises, perhaps because we want to ensure the on-premises security posture is maintained whilst extending into the cloud, we need to configure <a href="https://docs.vmware.com/en/VMware-HCX/services/user-guide/GUID-14150BF0-A855-475B-95E3-F7C8B5C14F57.html" target="_blank">HCX policy routing</a>. By default, all RFC1918 addresses are configured automatically to route via the source gateway rather than the cloud gateway. In order to route internet traffic via the source gateway, we need to add the default route of 0.0.0.0/0 into the policy route. Within the HCX Network Extension Advanced menu item select <b>Policy Routes</b>:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZJo-zxJOoCmF1xvUpqE-1raBZ53caBmygCH0ihLccZTVNDgPJ59y5TPFv5oANZB68VU72cxodz6QWejGkh1bvXFmNOBRje85yipzzWBokHDVP-WXOXjIV_AIm6o8U5sCrnMI8QIoNABA/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="191" data-original-width="780" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZJo-zxJOoCmF1xvUpqE-1raBZ53caBmygCH0ihLccZTVNDgPJ59y5TPFv5oANZB68VU72cxodz6QWejGkh1bvXFmNOBRje85yipzzWBokHDVP-WXOXjIV_AIm6o8U5sCrnMI8QIoNABA/w640-h156/image.png" width="640" /></a></div><div style="text-align: left;"><br /></div>We see by default the source gateway is used for routing to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 networks. 
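As an added example (Python written for this page, not HCX code or configuration from the post), the following models the MON egress decision the ping tests above demonstrate, and goes one step further by showing the effect of adding 0.0.0.0/0 with Redirect to Peer set to Allow. The decision order is reconstructed from the observed behaviour: same-subnet traffic stays on the L2 extension, destinations on SDDC segments take the cloud gateway, destinations matching an Allow policy route take the on-premises source gateway, and everything else takes the cloud gateway. The stretched segment 172.30.41.0/24 and the SDDC segment 172.30.119.0/24 are assumed /24s around the post's addresses; treating the most specific matching policy entry as decisive is an assumption, since the post only shows non-overlapping Allow entries.

```python
"""HCX Mobility Optimized Networking (MON) egress decision, simplified model.

Added example, not HCX code. The order of checks is reconstructed from the
behaviour the post observes; the segment prefixes, the SDDC segment list and
the most-specific-match rule for overlapping policy entries are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class PolicyRoute:
    network: IPv4Network
    redirect_to_peer: bool  # True == "Redirect to Peer: Allow" in the HCX UI


def net(cidr: str) -> IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


# HCX's default policy as listed in the post: the three RFC1918 ranges.
DEFAULT_POLICY: List[PolicyRoute] = [
    PolicyRoute(net("10.0.0.0/8"), True),
    PolicyRoute(net("172.16.0.0/12"), True),
    PolicyRoute(net("192.168.0.0/16"), True),
]

# The post's change: a default route with Redirect to Peer = Allow.
INTERNET_VIA_ONPREM_POLICY: List[PolicyRoute] = DEFAULT_POLICY + [
    PolicyRoute(net("0.0.0.0/0"), True),
]

# Constructed: the stretched segment the migrated VM sits on, and a native
# SDDC segment holding the post's 172.30.119.129 (the /24 is assumed).
STRETCHED_SEGMENT = net("172.30.41.0/24")
SDDC_SEGMENTS: List[IPv4Network] = [net("172.30.119.0/24")]


def egress_path(src: str, dst: str, policy: List[PolicyRoute]) -> str:
    """Return the path a MON-enabled VM's packet takes towards dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in STRETCHED_SEGMENT and d in STRETCHED_SEGMENT:
        return "l2-extension"        # same subnet: bridged, not routed
    if any(d in seg for seg in SDDC_SEGMENTS):
        return "cloud-gateway"       # MON's optimisation: stays inside the SDDC
    matches = [p for p in policy if d in p.network]
    if matches:
        # Assumption: the most specific matching entry decides.
        best = max(matches, key=lambda p: p.network.prefixlen)
        if best.redirect_to_peer:
            return "source-gateway"  # back over the L2 extension to on-premises
    return "cloud-gateway"           # no Allow match: egress from the SDDC


def path_table(src: str, dsts: Iterable[str], policy: List[PolicyRoute]) -> Dict[str, str]:
    """Evaluate several destinations at once, e.g. to compare two policies."""
    return {d: egress_path(src, d, policy) for d in dsts}


if __name__ == "__main__":
    vm = "172.30.41.12"
    targets = ("172.30.41.13", "172.30.119.129", "10.5.5.5", "8.8.8.8")
    for name, pol in (("default", DEFAULT_POLICY), ("with 0.0.0.0/0", INTERNET_VIA_ONPREM_POLICY)):
        print(name)
        for d, path in path_table(vm, targets, pol).items():
            print(f"  {d:>15} -> {path}")
```

Running the demo shows the two properties the post relies on: adding 0.0.0.0/0 moves only the internet-bound flow to the source gateway, while traffic to the VMC workload on 172.30.119.0/24 keeps its optimised cloud-gateway path.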
We simply need to add 0.0.0.0/0 into the policy and ensure the option to <b>Redirect to Peer</b> is set to <b>Allow</b>:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm-eL9pUvUXx-rtu9MU5BCuOCMzSRW2xA9_kBPev23VYP2lGCgsncEQkqpVVmGTFk47KPPyAake_MFt6Kl1oEjZht2kPUyHZWa6_CrqMkmj6bdBOlHmLb2dgGjoQyOBuNYN96jVHqSrG0/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="305" data-original-width="1554" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm-eL9pUvUXx-rtu9MU5BCuOCMzSRW2xA9_kBPev23VYP2lGCgsncEQkqpVVmGTFk47KPPyAake_MFt6Kl1oEjZht2kPUyHZWa6_CrqMkmj6bdBOlHmLb2dgGjoQyOBuNYN96jVHqSrG0/w640-h126/image.png" width="640" /></a></div><br /></div><div style="text-align: left;">Once we add that route and click submit we now see that the latency from 172.30.41.12 to the internet is ~102ms since it has to traverse the L2 extension and then egress out via on-premises:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSwZtty9nAJRV0cbcDAXWWfrBcVR-Ms5VfI63h8skWQRUjYSE_OnBGnqouQw4nqIqcVMpZ1k2fAwHlu0PpDlWKcORGsg6VxEc5aNmhFnQ9hGJIJfWOa2iRpHodZ5cU_ukFCgXR5DWkE8k/" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img alt="" data-original-height="520" data-original-width="1675" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSwZtty9nAJRV0cbcDAXWWfrBcVR-Ms5VfI63h8skWQRUjYSE_OnBGnqouQw4nqIqcVMpZ1k2fAwHlu0PpDlWKcORGsg6VxEc5aNmhFnQ9hGJIJfWOa2iRpHodZ5cU_ukFCgXR5DWkE8k/w640-h198/image.png" width="640" /></a></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGBlhf_8H6WGu6RdBOBNK9KcbF5E3y4xhfwDp6493OCBjS-4RMjfbYV0pmB1-NUpFAVUnmt69U3IOmXkNS7tpei3tg_Gsrthd9VK68ZDBdNme0HhBLkmCB0oz4o3r2mC3wBFEa1oSm7gA/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="250" data-original-width="781" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGBlhf_8H6WGu6RdBOBNK9KcbF5E3y4xhfwDp6493OCBjS-4RMjfbYV0pmB1-NUpFAVUnmt69U3IOmXkNS7tpei3tg_Gsrthd9VK68ZDBdNme0HhBLkmCB0oz4o3r2mC3wBFEa1oSm7gA/w640-h204/image.png" width="640" /></a></div><br /></div><div style="text-align: left;">This ensures that any on-premises security policies will be applied to VMs running in VMC that need to access the internet but they will still benefit from optimised routing when they need to communicate with other workloads running in the SDDC.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf2_i4mM_O4wmUF6fWd9-lrIFU7NfKov6lrwvbi-xL_A-jeWwTxQfpdES8CYmrIr8sPsMuUY4LbJBVfCTs_ZOMk6_gLraFOXpdFVPXeN0le1k-Lgh-mjNhZ9o5-fEofNlKC6zEBEzzRAg/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="531" data-original-width="1706" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf2_i4mM_O4wmUF6fWd9-lrIFU7NfKov6lrwvbi-xL_A-jeWwTxQfpdES8CYmrIr8sPsMuUY4LbJBVfCTs_ZOMk6_gLraFOXpdFVPXeN0le1k-Lgh-mjNhZ9o5-fEofNlKC6zEBEzzRAg/w640-h200/image.png" width="640" /></a></div></div></div></div></div>Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-36173027397955769962021-01-19T15:38:00.003+00:002021-01-19T15:39:52.284+00:00Migrating back from Amazon FSx to on-premises file servers<p>In a <a href="https://www.m80arm.co.uk/2021/01/utilising-aws-datasync-and-aws-cloud.html" 
target="_blank">previous article</a>, I showed how AWS DataSync could be used to copy data from an on-premises file server (either physical or virtual) into an Amazon FSx Windows file server. Amazon FSx is fully managed, highly reliable, and scalable file storage that is accessible over the industry-standard Server Message Block (SMB) protocol. This is ideal for customers who are looking to migrate workloads to VMware Cloud on AWS and start taking advantage of native cloud services to improve resiliency and cost. When it comes to customers who want to utilise <a href="https://cloud.vmware.com/cloud-disaster-recovery" target="_blank">VMware Cloud Disaster Recovery</a> to failover their environment into VMware Cloud on AWS but then fail back to on-premises once the on-premises environment has been recovered, things start to get a little tricky. AWS DataSync does not support copying data back from AWS (FSx, EFS or S3) to on-premises, so this has to be performed manually. This post will showcase the steps required to copy the data back from Amazon FSx to on-premises, which can be incorporated into your failback process to ensure that there is no data loss.</p><p>We first need to ensure we change the existing AWS DataSync task to either run manually or delete it completely to avoid having old data copied (if available) back into FSx, which could potentially cause some inconsistencies. 
Navigate to the AWS DataSync service and either delete the task:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhYvbyEfb0R0U9u05Sb09B2vhztmkI2FrP-vYWnrZblQpaP9e-vTSU2Oh4aphcRMkzoEMBoZtaBFwRhopUXFRy0HZEshdnbuEqqjdym3eQnwsIellorTVzmef3s3bOI9OHcZ2FkEftOiE/s2229/FSx_FailBack_01.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="276" data-original-width="2229" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhYvbyEfb0R0U9u05Sb09B2vhztmkI2FrP-vYWnrZblQpaP9e-vTSU2Oh4aphcRMkzoEMBoZtaBFwRhopUXFRy0HZEshdnbuEqqjdym3eQnwsIellorTVzmef3s3bOI9OHcZ2FkEftOiE/w640-h80/FSx_FailBack_01.jpg" width="640" /></a></div><div><br /></div><div>Or change the task schedule to <b>Not Scheduled</b>, which means you have to start it manually:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHHvsNImv7GjgoX6jSkeAYrmXvvUz0AV8Twtm7CG022fLr758AOCi4MM1X0-yRZEGJILsqjp5kY6SEeL5nq6bzqfdljsAqJ_nka1F76xQ6uwuNq8eRhBJEyFCmJIea9FBKmNHMW2QutWQ/s410/FSx_FailBack_02.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="133" data-original-width="410" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHHvsNImv7GjgoX6jSkeAYrmXvvUz0AV8Twtm7CG022fLr758AOCi4MM1X0-yRZEGJILsqjp5kY6SEeL5nq6bzqfdljsAqJ_nka1F76xQ6uwuNq8eRhBJEyFCmJIea9FBKmNHMW2QutWQ/w640-h208/FSx_FailBack_02.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">Typically I would recommend stopping the share to 100% confirm<span><a name='more'></a></span> that there are no users accessing it during the data copy, but it looks like this is not supported within FSx. 
An alternative would be to modify the NTFS permissions to ensure that no one has write access to the folder prior to starting the data copy. There should be no issues stopping the share or modifying the NTFS permission on-premises but just ensure the account that you use to start the data copy has write access to the folder.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">In my example here I am assuming that I have lost the file servers on-premises prior to invoking DR so I will need to ensure I complete a full data copy back but this would also work if we were just copying back any modified data. Before starting we need to ensure we have access to a VM that has access to both the on-premises share and also the FSx share. I'm going to be using a VM running in VMware Cloud on AWS that can access FSx across the ENI and on-premises across a VPN. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Start by mapping both shares to the host VM:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiat342oYhWb-ygJ4g33oNNQq4KOFAXK3o1PdvSyeWjr59g53_2x3Dq7QC4zFzFqocJuAxuHo7Q_fOFO20ctTNscejQzwsRF3IlR8mgbzm3BR6eyQA7pQvieT3E8uPBBHwRSKM5f4GQm_Y/s1619/FSx_FailBack_03.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="622" data-original-width="1619" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiat342oYhWb-ygJ4g33oNNQq4KOFAXK3o1PdvSyeWjr59g53_2x3Dq7QC4zFzFqocJuAxuHo7Q_fOFO20ctTNscejQzwsRF3IlR8mgbzm3BR6eyQA7pQvieT3E8uPBBHwRSKM5f4GQm_Y/w640-h246/FSx_FailBack_03.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div 
class="separator" style="clear: both; text-align: left;">We then use <a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy" target="_blank">RoboCopy</a> to copy the files, including NTFS permissions and timestamps, from the source drive (Amazon FSx) to the target drive (on-premises):</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">robocopy Y:\ Z:\ /copy:DATSO /secfix /e /MT:8</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both;"><ul style="text-align: left;"><li>Y – Refers to the source share located in the on-premises Active Directory forest mydata.com.</li><li>Z – Refers to the target share \\amznfsxabcdef1.mydata.com\share on Amazon FSx.</li><li>/copy – Specifies the following file properties to be copied:<ul><li>D – data</li><li>A – attributes</li><li>T – timestamps</li><li>S – NTFS ACLs</li><li>O – owner information</li></ul></li><li>/secfix – Fixes file security on all files, even skipped ones</li><li>/e – Copies subdirectories, including empty ones</li><li>/MT:8 – Specifies how many threads to use for performing multithreaded copies</li></ul><div>AWS have this command documented <a href="https://docs.aws.amazon.com/fsx/latest/WindowsGuide/migrate-files-to-fsx.html" target="_blank">here</a>, but for the opposite direction (on-premises to Amazon FSx), which is why the drive-letter descriptions above are the reverse of our failback; the switches are the same either way. The only issues that I can currently see are that the /b and /copy:U switches do not seem to be supported, due to the permissions we have on the Amazon FSx server. 
I will see if I can speak to someone at AWS around the roadmap for this and any potential issues this will cause.</div><div><br /></div><div>Once we modify the RoboCopy command to reference the host VM mapped drives we can start the data copy:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdxmLFFBzUbA7xdIpESBoKxv0E0rj3xEZgLR95XhJGEmxlk6zKP_EHeYK_Jk0oinWdesacsvhunA7anAXgUIm-wchDHbDpqi61WHeY34m_o_64EuAMJGcL3mdsNgRnUMPZwvmn9QWLcX4/s1612/FSx_FailBack_04.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1172" data-original-width="1612" height="466" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdxmLFFBzUbA7xdIpESBoKxv0E0rj3xEZgLR95XhJGEmxlk6zKP_EHeYK_Jk0oinWdesacsvhunA7anAXgUIm-wchDHbDpqi61WHeY34m_o_64EuAMJGcL3mdsNgRnUMPZwvmn9QWLcX4/w640-h466/FSx_FailBack_04.jpg" width="640" /></a></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">Depending on bandwidth and the size of the files it may take some time to replicate the files back to on-premises. 
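To tie the steps above together, here is an added PowerShell example of my own (it is not code from the original post): it runs the same robocopy command with the switches listed above, interprets robocopy's bitmask exit code, and then walks the FSx share comparing each file's SHA-256 hash, last-write time, owner and explicit NTFS ACEs against the on-premises copy. It assumes the drive letters mapped on the host VM earlier, Y: for the Amazon FSx share (source) and Z: for the on-premises share (target); the log path, the retry limits and the 2-second timestamp tolerance are my own choices.

```powershell
# Added example, not from the original post: run the failback copy with the
# switches described above, then verify that content, timestamps, owners and
# NTFS ACLs on the on-premises copy match Amazon FSx before DataSync is re-enabled.
# Assumed drive letters (as mapped on the host VM): Y: = Amazon FSx share
# (source), Z: = on-premises share (target).

function Invoke-FailbackCopy {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Destination,
        [string] $LogPath = (Join-Path $env:TEMP 'failback-robocopy.log'),
        [int] $Threads = 8
    )
    # Same switches as the post (/copy:DATSO /secfix /e /MT). /R:2 /W:5 bound the
    # retries so one locked file cannot stall the run (robocopy's default is one
    # million retries); /NP keeps the percentage counter out of the log.
    & robocopy.exe $Source $Destination /copy:DATSO /secfix /e "/MT:$Threads" /R:2 /W:5 /NP "/LOG:$LogPath" | Out-Null
    $code = $LASTEXITCODE
    # Robocopy's exit code is a bitmask: 1 = files copied, 2 = extra files in the
    # target, 4 = mismatched files/dirs, 8 = some files could not be copied,
    # 16 = fatal error. Anything below 8 is a successful run.
    [pscustomobject]@{
        ExitCode   = $code
        Succeeded  = ($code -lt 8)
        Mismatches = [bool]($code -band 4)
        ExtraFiles = [bool]($code -band 2)
        Log        = $LogPath
    }
}

# Owner plus the explicit (non-inherited) ACEs of a path as one sorted string.
# Inherited ACEs are skipped because the share roots on FSx and on-premises
# legitimately differ in what they inherit from the folders above them.
function Get-SecurityText {
    param([Parameter(Mandatory)] [string] $Path)
    $acl  = Get-Acl -LiteralPath $Path
    $aces = $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.FileSystemRights,
            $_.AccessControlType, $_.InheritanceFlags, $_.PropagationFlags
    } | Sort-Object
    return "$($acl.Owner)`n" + ($aces -join "`n")
}

function Compare-FailbackTree {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Destination
    )
    $srcRoot = (Resolve-Path -LiteralPath $Source).Path
    $dstRoot = (Resolve-Path -LiteralPath $Destination).Path
    if (-not $srcRoot.EndsWith('\')) { $srcRoot += '\' }
    if (-not $dstRoot.EndsWith('\')) { $dstRoot += '\' }
    $problems = New-Object System.Collections.Generic.List[string]

    Get-ChildItem -LiteralPath $srcRoot -Recurse -Force | ForEach-Object {
        $rel = $_.FullName.Substring($srcRoot.Length)   # path relative to the share root
        $dst = Join-Path $dstRoot $rel
        if (-not (Test-Path -LiteralPath $dst)) { $problems.Add("missing: $rel"); return }

        if ((Get-SecurityText $_.FullName) -ne (Get-SecurityText $dst)) {
            $problems.Add("ACL/owner differs: $rel")
        }
        if (-not $_.PSIsContainer) {
            $dstItem = Get-Item -LiteralPath $dst -Force
            # /copy:T carries timestamps across; allow 2 s for filesystem rounding.
            $skew = [math]::Abs(($_.LastWriteTimeUtc - $dstItem.LastWriteTimeUtc).TotalSeconds)
            if ($skew -gt 2) { $problems.Add("timestamp differs: $rel") }
            $srcHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
            if ($srcHash -ne $dstHash) { $problems.Add("content differs: $rel") }
        }
    }
    [pscustomobject]@{ Identical = ($problems.Count -eq 0); Problems = $problems }
}

# Usage on the host VM once both shares are mapped:
$copy = Invoke-FailbackCopy -Source 'Y:\' -Destination 'Z:\'
if (-not $copy.Succeeded) { throw "robocopy reported failures (exit code $($copy.ExitCode)); see $($copy.Log)" }
$check = Compare-FailbackTree -Source 'Y:\' -Destination 'Z:\'
$check.Problems | ForEach-Object { Write-Warning $_ }
"Failback copy verified: $($check.Identical)"
```

Run it under the account that has write access to the on-premises folder, from a VM that can translate SIDs for both the on-premises domain and FSx: an identity that only resolves on one side shows up as a raw SID and is reported as an ACL difference even when the ACEs are identical. The /b and /copy:U switches are left out for the reason given above.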
Once it finishes you should have an exact copy of the files back on-premises, including NTFS permissions and correct timestamps:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhADaWw_NSggu5KTo-PeiJJiza02M4PoM2iF9pnhLAZvgMvgOLPOyVHJvNfXv95jExcXMGJDJAEWtZG69KuLFhL4QnYP-ngTfckjApcexeRO7scfuqomNclOhqdgGr_PgLAm5oV9Qgdv2A/s1613/FSx_FailBack_05.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1171" data-original-width="1613" height="464" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhADaWw_NSggu5KTo-PeiJJiza02M4PoM2iF9pnhLAZvgMvgOLPOyVHJvNfXv95jExcXMGJDJAEWtZG69KuLFhL4QnYP-ngTfckjApcexeRO7scfuqomNclOhqdgGr_PgLAm5oV9Qgdv2A/w640-h464/FSx_FailBack_05.jpg" width="640" /></a></div><br />We can then re-enable/re-create the AWS DataSync task once we have verified the data has copied successfully, to start the replication back into Amazon FSx in the event of having to invoke DR again in the future. </div></div>Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-15861164675378653562021-01-18T10:15:00.004+00:002021-01-18T10:16:29.728+00:00AWS DataSync via VPC Endpoints instead of Public Endpoints<p>In my previous <a href="https://www.m80arm.co.uk/2021/01/utilising-aws-datasync-and-aws-cloud.html" target="_blank">article</a>, I walked through the steps of replicating an on-premises file server into Amazon FSx using the AWS DataSync service. Since I didn't have a VPN between my on-premises environment and the VPC where the FSx service was deployed, I had to use the public endpoint, whereby all communication from the DataSync agent to AWS occurs over the public internet. Within this article, I'm just going to quickly show you the process of setting this up using VPC Endpoints so that communication goes over a VPN or Direct Connect directly into the VPC. 
This will allow for reverse replication, which will be a topic for a future article. </p><p>I currently have the AWS DataSync agent deployed with a routable static IP address on-premises and a VPN established into my VPC. I first need to create a VPC endpoint in my VPC for the AWS DataSync service. Ensure you are in the correct region and navigate to the VPC service. From within there, you will see the option to add Endpoints:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW8Z__3TOfR2MOYgsbrupsTubukNj_7qvSqc42o_NzW4WGFZtevQp4g4UcVOGWuDA6ihzPnR9WgrTgJIalUNM0kxfYfaNTuBL0vPgWqUo6FxnvCVRWSHXkTYSdJVZdbc-JLTGzv1a6tmo/s671/VPC_Endpoints_01.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="671" data-original-width="488" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW8Z__3TOfR2MOYgsbrupsTubukNj_7qvSqc42o_NzW4WGFZtevQp4g4UcVOGWuDA6ihzPnR9WgrTgJIalUNM0kxfYfaNTuBL0vPgWqUo6FxnvCVRWSHXkTYSdJVZdbc-JLTGzv1a6tmo/w466-h640/VPC_Endpoints_01.jpg" width="466" /></a></div><div><br /></div><div>Search for the AWS DataSync service and ensure you select the correct VPC it needs to be created in. 
I've left the default options to<span><a name='more'></a></span> ensure an interface is deployed into all subnets within that VPC:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitirutAbn3SUP6k6uT_NA3jmU9VSS_XVCc8vP5DqRb_K3D-NE2F_qeR__caH6bwuZnw7ZD_XDtx7nCZGmUyYzC7qKpFhPo8ezBtMrZhF0OlOmVb6SP8A2YFCt1CaV0lsUwAa21eSQZIDc/s1302/VPC_Endpoints_02.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="840" data-original-width="1302" height="412" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitirutAbn3SUP6k6uT_NA3jmU9VSS_XVCc8vP5DqRb_K3D-NE2F_qeR__caH6bwuZnw7ZD_XDtx7nCZGmUyYzC7qKpFhPo8ezBtMrZhF0OlOmVb6SP8A2YFCt1CaV0lsUwAa21eSQZIDc/w640-h412/VPC_Endpoints_02.jpg" width="640" /></a></div><div><br /></div><div>You also have the option to enable DNS and also specify a specific security group. You may want to lock down access to this endpoint so that it can only be accessed via the DataSync agent IP address on-premises:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAr1mV7xl_fnAxjLO5NUibIwUlRxrsrQJ7qwQDn6snZKBuUF-pEgXxElzZPCIL_pVPgD4hmnyR2d-i86SPS1mzmOI_BttsF2BlsiAnsJtQD_t1w1LoUgK0dgykpjdDEiIzubW9UNFqN9k/s1281/VPC_Endpoints_03.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="798" data-original-width="1281" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAr1mV7xl_fnAxjLO5NUibIwUlRxrsrQJ7qwQDn6snZKBuUF-pEgXxElzZPCIL_pVPgD4hmnyR2d-i86SPS1mzmOI_BttsF2BlsiAnsJtQD_t1w1LoUgK0dgykpjdDEiIzubW9UNFqN9k/w640-h398/VPC_Endpoints_03.jpg" width="640" /></a></div><div><br /></div><div>Once you create the endpoint it takes a few minutes to actually create it but it should eventually move from pending to available.</div><br /><div class="separator" style="clear: both; text-align: 
center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP36qruK2vK8X_AtaNClze6U97EsIUEO9eLB8fHJWRB7Bfk56P5GOPy27tjTOWirnfvfxi-2tWtCdWk6VVhEIk2dTLdw6EqMHv3uWcCtW8JeKCYqyMsq9tsf6IUdT8qYNkdyj5H7KpshE/s1602/VPC_Endpoints_04.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="227" data-original-width="1602" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP36qruK2vK8X_AtaNClze6U97EsIUEO9eLB8fHJWRB7Bfk56P5GOPy27tjTOWirnfvfxi-2tWtCdWk6VVhEIk2dTLdw6EqMHv3uWcCtW8JeKCYqyMsq9tsf6IUdT8qYNkdyj5H7KpshE/w640-h90/VPC_Endpoints_04.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifSYTSpmRSVMSIwvW-OW5Ox65IziUFTYzb1TeJFVLel_Vp_4P-gfeGDjn60ikuSIfHDzzZRZCBpNX9bHuQGVQpjqwi1M-D_uEQMHcRde6Eqi-oOK0Pw6RI70VrB3sw6ozlsm15KCHd9PQ/s1589/VPC_Endpoints_05.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="216" data-original-width="1589" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifSYTSpmRSVMSIwvW-OW5Ox65IziUFTYzb1TeJFVLel_Vp_4P-gfeGDjn60ikuSIfHDzzZRZCBpNX9bHuQGVQpjqwi1M-D_uEQMHcRde6Eqi-oOK0Pw6RI70VrB3sw6ozlsm15KCHd9PQ/w640-h86/VPC_Endpoints_05.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Once the VPC Endpoint has been created we can now activate the agent using VPC Endpoints rather than Public Endpoints. 
The VPC Endpoint that we just created should automatically be selected, if you have more than one ensure you select the correct one:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcU7xTJEkAXpuKXuqSSdjhY_TIl7EZrmfG-Z6tvKW-36i3IfgkwqnDreKJQ9Ka1GhuWAuP-WkbJ-x8KWOznbd7Pi1ali0XdUdwpagz3hi79r0YfW-myzbK0mAsMfvJ_rxoBKrBr2ENv8w/s841/VPC_Endpoints_06.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="841" data-original-width="814" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcU7xTJEkAXpuKXuqSSdjhY_TIl7EZrmfG-Z6tvKW-36i3IfgkwqnDreKJQ9Ka1GhuWAuP-WkbJ-x8KWOznbd7Pi1ali0XdUdwpagz3hi79r0YfW-myzbK0mAsMfvJ_rxoBKrBr2ENv8w/w620-h640/VPC_Endpoints_06.jpg" width="620" /></a></div><div><br /></div><div>Now that we are communicating over VPN or Direct Connect we can automatically retrieve the key from the agent (Provided your on-premises firewall and AWS security groups allow communication). 
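For those who script this rather than click through the console, the following is an added example written for this post (not the post's own procedure) using the AWS Tools for PowerShell modules AWS.Tools.EC2, AWS.Tools.SecurityToken and AWS.Tools.DataSync. It creates the interface endpoint, a dedicated security group that admits only the agent's /32 on the ports the DataSync network requirements page lists for VPC endpoints (rather than the whole on-premises range), waits for the endpoint to become available and activates the agent against it. Region, VPC, subnet, agent IP and activation key are placeholders; the cmdlet names, parameter names and return shapes are as I recall them from the current modules, so confirm them with Get-Help if your version differs.

```powershell
# Added example, not from the original post: the same steps done with the
# AWS Tools for PowerShell (AWS.Tools.EC2, AWS.Tools.SecurityToken,
# AWS.Tools.DataSync). Every id, CIDR, region and key below is a placeholder.

$Region        = 'eu-west-2'                      # placeholder
$VpcId         = 'vpc-0123456789abcdef0'          # placeholder: the connected VPC
$SubnetId      = 'subnet-0123456789abcdef0'       # placeholder: subnet for the endpoint interface
$AgentIp       = '192.168.10.25'                  # placeholder: static IP of the on-premises agent
$ActivationKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'  # placeholder: read from the agent VM console

Set-DefaultAWSRegion -Region $Region
$account = (Get-STSCallerIdentity).Account

# 1. Security group for the endpoint and for the task's data-transfer interfaces.
#    Only the agent's /32 is admitted. Ports are those AWS lists for VPC
#    endpoints in the DataSync network requirements page (TCP 443 control,
#    TCP 1024-1064 data); check them against the current version of that page.
$sgId = New-EC2SecurityGroup -VpcId $VpcId -GroupName 'datasync-endpoint-sg' `
    -Description 'DataSync VPC endpoint - on-premises agent only'
$permissions = foreach ($range in @(@(443, 443), @(1024, 1064))) {
    $agentRange = New-Object Amazon.EC2.Model.IpRange
    $agentRange.CidrIp      = "$AgentIp/32"
    $agentRange.Description = 'on-premises DataSync agent'
    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = 'tcp'
    $perm.FromPort   = $range[0]
    $perm.ToPort     = $range[1]
    $perm.Ipv4Ranges = New-Object 'System.Collections.Generic.List[Amazon.EC2.Model.IpRange]'
    $perm.Ipv4Ranges.Add($agentRange)
    $perm
}
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission $permissions

# 2. Interface endpoint for DataSync with private DNS, so the agent's requests
#    to the regional service name resolve to the endpoint's private addresses.
#    Assumption: the cmdlet returns the CreateVpcEndpoint response, whose
#    VpcEndpoint property holds the endpoint object.
$response   = New-EC2VpcEndpoint -VpcId $VpcId -VpcEndpointType Interface `
    -ServiceName "com.amazonaws.$Region.datasync" -SubnetId $SubnetId `
    -SecurityGroupId $sgId -PrivateDnsEnabled $true
$endpointId = $response.VpcEndpoint.VpcEndpointId

# 3. Wait for the endpoint to move from pending to available, as in the console.
do {
    Start-Sleep -Seconds 15
    $state = (Get-EC2VpcEndpoint -VpcEndpointId $endpointId).State
} while ($state -eq 'pending')
if ($state -ne 'available') { throw "VPC endpoint $endpointId ended in state '$state'" }

# 4. Activate the agent against the endpoint. The console fetches the key from
#    the agent itself over the private path; here it is passed in explicitly.
$agentArn = New-DSYNAgent -ActivationKey $ActivationKey -AgentName 'onprem-datasync-agent' `
    -VpcEndpointId $endpointId `
    -SubnetArn "arn:aws:ec2:${Region}:${account}:subnet/$SubnetId" `
    -SecurityGroupArn "arn:aws:ec2:${Region}:${account}:security-group/$sgId"

# 5. Confirm the agent is ONLINE. OFFLINE here usually means the security group
#    or the on-premises firewall is blocking the ports above.
$agent = Get-DSYNAgent -AgentArn $agentArn
"Agent $($agent.Name): $($agent.Status) via endpoint $($agent.PrivateLinkConfig.VpcEndpointId)"
```

The security group is attached both to the endpoint interfaces and to the network interfaces DataSync creates in the subnet for task executions, which is why the data ports are in the same rule set. If activation fails with the error shown further down this post, this group (not the VPC default group) is the one that needs the agent's address.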
The only information that we need to add is the DataSync agent private IP address: </div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWEjtXVQSerWr6ISaPhQYyQ8jM7JqNJ6UlZ1MFAex1Fth-9w2590JUo3joS2Xc9lxgCKhJHo69c8L6I2b6UB4HauSY3hU7oYFkLBYic4Ku2pcfovdoZJ2VghLeigPz9jvssw3oGy61TMs/s813/VPC_Endpoints_07.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="427" data-original-width="813" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWEjtXVQSerWr6ISaPhQYyQ8jM7JqNJ6UlZ1MFAex1Fth-9w2590JUo3joS2Xc9lxgCKhJHo69c8L6I2b6UB4HauSY3hU7oYFkLBYic4Ku2pcfovdoZJ2VghLeigPz9jvssw3oGy61TMs/w640-h336/VPC_Endpoints_07.jpg" width="640" /></a></div><div><br /></div><div>If all is well then the agent will successfully activate:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGOLUTb5YX5OB6U1ttiXvkmK21rZA4zJLZ4pKT_ivuOaB9cBWF6H47FQs5fOTNVl_5-i9QZg-s2E1p908xCV5T2EHVilzwY5RVWFzADF0nVRAxz8rSosHHyFEgNqWr8YX05Zh58xNUV2c/s819/VPC_Endpoints_08.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="698" data-original-width="819" height="546" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGOLUTb5YX5OB6U1ttiXvkmK21rZA4zJLZ4pKT_ivuOaB9cBWF6H47FQs5fOTNVl_5-i9QZg-s2E1p908xCV5T2EHVilzwY5RVWFzADF0nVRAxz8rSosHHyFEgNqWr8YX05Zh58xNUV2c/w640-h546/VPC_Endpoints_08.jpg" width="640" /></a></div><div><br /></div><div>We can now see that the agent can successfully communicate with the VPC Endpoint and we can continue to define our on-premises and FSx locations ready for replication:</div><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL3_XLj0Dvd5mVy37KpgK5QLphuKnGHoTC0OhLKs3nMlFkVJHWVyrx_SAP3iPLwy00vQklidxXyQBI5rNgpglfc51wyWzPHcv0bcaPrVcWK5eFM012VAP3CMG_RZZo0bynvCBexTqAlRA/s1621/VPC_Endpoints_09.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="179" data-original-width="1621" height="70" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL3_XLj0Dvd5mVy37KpgK5QLphuKnGHoTC0OhLKs3nMlFkVJHWVyrx_SAP3iPLwy00vQklidxXyQBI5rNgpglfc51wyWzPHcv0bcaPrVcWK5eFM012VAP3CMG_RZZo0bynvCBexTqAlRA/w640-h70/VPC_Endpoints_09.jpg" width="640" /></a></div><div><br /></div><div>If you receive the following error during activation ensure that your security groups allow traffic inbound from the on-premises agent IP address:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs-vsVJtmFaHHksmm7BMONH6miZ6wfsnmk7HNV9BVzCqI3z4R-CUxpiKyLsmA69zzE90hIHfnkzVjiXte_C1CdLW36MNmTSHJFom-bmnOBVjruCESR2ff7E0lhrlfz9MpYSDh3LwLBthI/s378/VPC_Endpoints_10.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="82" data-original-width="378" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs-vsVJtmFaHHksmm7BMONH6miZ6wfsnmk7HNV9BVzCqI3z4R-CUxpiKyLsmA69zzE90hIHfnkzVjiXte_C1CdLW36MNmTSHJFom-bmnOBVjruCESR2ff7E0lhrlfz9MpYSDh3LwLBthI/w640-h138/VPC_Endpoints_10.jpg" width="640" /></a></div><div><br /></div><div>In order to resolve this quickly, I simply ensured that my VPC default security group allowed traffic from the on-premises network CIDR range:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm3kWcxIAiECT5fDZQs1QJVxKjG9L1Xp62K3JTiJsnhckpAUSi89-deCVwaJ02e3ksvuAFEGwGBqMisb7EB33pxL3ijFkqwpc4JKc2Sc3GIzF-eTYFGRzxUxUbVo5R7JSgPdflJT30I_c/s1933/VPC_Endpoints_11.jpg" style="margin-left: 1em; 
margin-right: 1em;"><img border="0" data-original-height="599" data-original-width="1933" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm3kWcxIAiECT5fDZQs1QJVxKjG9L1Xp62K3JTiJsnhckpAUSi89-deCVwaJ02e3ksvuAFEGwGBqMisb7EB33pxL3ijFkqwpc4JKc2Sc3GIzF-eTYFGRzxUxUbVo5R7JSgPdflJT30I_c/w640-h198/VPC_Endpoints_11.jpg" width="640" /></a></div>Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-25883504082064617472021-01-15T15:44:00.000+00:002021-01-15T15:44:30.879+00:00Utilising AWS DataSync and AWS Cloud Native Storage to migrate file servers to support workloads running in VMware Cloud on AWS<p>Whilst working with customers on the technical aspects of migrating their applications from on-premises into VMware Cloud on AWS, the topic of file servers most often comes up. If the customer currently has their file servers running as virtual machines on top of ESXi then it's very straightforward: they can use HCX to migrate the workload. Depending on the size of the file server the customer may not want to do this, due to potentially increasing the host count of the cluster, and instead use native AWS storage services such as FSx, EFS or even S3. Another scenario I have come across is customers having physical file servers running on storage arrays such as NetApp etc. 
</p><p>During my investigation, I came across <a href="https://aws.amazon.com/datasync/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc" target="_blank">AWS DataSync</a>, which automates and accelerates moving data from on-premises into AWS storage services as well as between AWS storage services.</p><p></p><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0ygTqUAJ_xu8akRwylTFQyJIWNuUvYyUYSmldkPMV7GcOaNn8wgbKueEsDR5KykvXtvQZhCYM1O67znXi-Amrc0WMiCpj5WAG855FAh3Hyx5FPTI_cPCv8Nq5wvDmqs2Jse7RIxXKjeo/s1190/DataSync_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="437" data-original-width="1190" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0ygTqUAJ_xu8akRwylTFQyJIWNuUvYyUYSmldkPMV7GcOaNn8wgbKueEsDR5KykvXtvQZhCYM1O67znXi-Amrc0WMiCpj5WAG855FAh3Hyx5FPTI_cPCv8Nq5wvDmqs2Jse7RIxXKjeo/w640-h237/DataSync_01.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: left;">As of writing this article, the following services/protocols are supported:</div><div class="separator" style="clear: both; text-align: left;"><ul style="text-align: left;"><li>Amazon EFS file system (Source and Target)</li><li>Amazon FSx for Windows File Server (Source and Target)</li><li>Amazon S3 (Source and Target)</li><li>Network File System (NFS) (Source Only)</li><li>Object storage (Source Only)</li><li>Server Message Block (SMB) (Source Only)</li></ul><div>As an example, DataSync can be used to move data from an on-premises Windows file server into Amazon FSx for Windows or from Amazon EFS into <span><a name='more'></a></span>Amazon S3. It cannot be used to go from Amazon back to on-premises, i.e. Amazon FSx for Windows back to an on-premises Windows file server. 
In this article, I'm going to move data from an on-premises Windows file server running Windows Server 2019 into an Amazon FSx for Windows environment. The Amazon FSx service is already deployed and integrated with my on-premises Active Directory servers.</div><div><br /></div><div>My Amazon FSx service is already running and has been deployed into the connected VPC and in the same Availability Zone as the SDDC to avoid any cross AZ charges:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_QUA__GMVd0JCaoxvGbbqnzcB4-rRXbDN15ywvwekysCgZ3QYzJ1WNHQZkIiolaU_GD8_8Gre3cP5UvJfsPQs_RNx7_vFoyOqepQGEoKljkTPih7Xzw-WpFd5fZI2uO2NMXENEES0eRw/s2534/DataSync_02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="466" data-original-width="2534" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_QUA__GMVd0JCaoxvGbbqnzcB4-rRXbDN15ywvwekysCgZ3QYzJ1WNHQZkIiolaU_GD8_8Gre3cP5UvJfsPQs_RNx7_vFoyOqepQGEoKljkTPih7Xzw-WpFd5fZI2uO2NMXENEES0eRw/w640-h118/DataSync_02.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div>I've also created a new share within FSx using Windows Shared Folders (fsmgmt.msc) which matches the name of the share that I already have on-premises:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYoaPQVl9DgeMCAz-4r9ih0Fhiuqq4Mx9VmHxwzmvzQxjo6Vc8o6bmSHMuQUdkVDKxt9Mhbp19kgJehC71U36Bo9Y1Hx9aqoU6R6X53fevB_GDi2ouztogybDjNDeaOWY4BDWdNu9iOm0/s1579/DataSync_03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="244" data-original-width="1579" height="98" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYoaPQVl9DgeMCAz-4r9ih0Fhiuqq4Mx9VmHxwzmvzQxjo6Vc8o6bmSHMuQUdkVDKxt9Mhbp19kgJehC71U36Bo9Y1Hx9aqoU6R6X53fevB_GDi2ouztogybDjNDeaOWY4BDWdNu9iOm0/w640-h98/DataSync_03.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: left;">I now need to deploy the AWS DataSync agent on-premises and configure the replication task. Within the AWS console change to the region where your SDDC is deployed and find the AWS DataSync service:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgraLqeWuThK4o_WZhbqcKLLS-poBG5uJkUYHlLhRz8KNoZNS0KYrtGKe2SlM41NXWAZJHu67V7m2iMe946V1Zijg9qMktyB0ZDVdcUqwmxtQLXp2S0Jcy000ifGIi3fW6PV-We51s5nxY/s884/DataSync_04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="234" data-original-width="884" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgraLqeWuThK4o_WZhbqcKLLS-poBG5uJkUYHlLhRz8KNoZNS0KYrtGKe2SlM41NXWAZJHu67V7m2iMe946V1Zijg9qMktyB0ZDVdcUqwmxtQLXp2S0Jcy000ifGIi3fW6PV-We51s5nxY/w640-h170/DataSync_04.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">We want to create a transfer task between on-premises and AWS:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOq3DkvpVI6ou-BdBo9pR8KOxNv_17nId4Gj7v4vkPYg1q_ovypXQsliQUWaooxgfVmdTMtg60GmD0qwNvrqKvOMSN4sVdJkM7XE46vYc9kXSIUu5jB4-lvwo1IUCW6j9v_2bOh4WJyr0/s398/DataSync_05.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="200" data-original-width="398" height="322" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOq3DkvpVI6ou-BdBo9pR8KOxNv_17nId4Gj7v4vkPYg1q_ovypXQsliQUWaooxgfVmdTMtg60GmD0qwNvrqKvOMSN4sVdJkM7XE46vYc9kXSIUu5jB4-lvwo1IUCW6j9v_2bOh4WJyr0/w640-h322/DataSync_05.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: left;">Select the agent VM hypervisor image, then download and deploy it into your infrastructure. In my example, I will be using VMware ESXi as my hypervisor of choice, but KVM, Hyper-V and EC2 are also supported. Once the appliance has been downloaded and deployed, follow the <a href="https://docs.aws.amazon.com/datasync/latest/userguide/deploy-agents.html" target="_blank">AWS instructions</a> to configure the agent's network settings. Once the agent is deployed and configured we need to decide which route we want traffic to take when moving the data: we can either go via the internet and use an AWS Public Service Endpoint, or use a VPC Endpoint via AWS PrivateLink. Since I don't have a VPN or Direct Connect established to my VMC connected VPC, I will be using the Public Service Endpoint. 
</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">When configuring the agent I need to manually enter the agent's activation key, which can be found by logging into the agent VM console and specifying the AWS region and service endpoint type:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo4hgwrBowB1D6pbeLbamnn06dvO2YlHrDiFYp-_E6xMkKffuDKPuGNmu7_PSJPBzskBX6b-WksAWDP_Wr4rzr7Hl7T2QtTUDyLiNuKeEOYOhf3A63rR22bfN4dSPGPSj993nKV-tYFuY/s1634/DataSync_06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="776" data-original-width="1634" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo4hgwrBowB1D6pbeLbamnn06dvO2YlHrDiFYp-_E6xMkKffuDKPuGNmu7_PSJPBzskBX6b-WksAWDP_Wr4rzr7Hl7T2QtTUDyLiNuKeEOYOhf3A63rR22bfN4dSPGPSj993nKV-tYFuY/w640-h304/DataSync_06.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">You can now enter the agent VM activation key as well as an optional name and any tags you might care to use:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj75THT4k0GN53DOyR8f4GB6vcseBHrQhZg7bhI5z0TsGTTdVPTTXtVrgNf-r4wy4DPdu2T1D92Sp4-WtselZnwK5H9u0RLq7z6CB1T0NzAe74wwPXANqQXOxrzyLEAfErQyb9JeYv1O38/s1237/DataSync_07.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1237" data-original-width="820" height="640" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj75THT4k0GN53DOyR8f4GB6vcseBHrQhZg7bhI5z0TsGTTdVPTTXtVrgNf-r4wy4DPdu2T1D92Sp4-WtselZnwK5H9u0RLq7z6CB1T0NzAe74wwPXANqQXOxrzyLEAfErQyb9JeYv1O38/w424-h640/DataSync_07.jpg" width="424" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">The agent should then successfully communicate with the service and we should see the agent status as being online:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwINcgIHpatNPW-4O7-dZ7BGH-t6MgAcfdlg2ATRxk7EgKJkB-ZEQF6eVk0-f-kw0B7slL-o5Za8Ub3wvv3U1QxjuDppTxWggt-7oExWzQGNYA-cpO0gfHAO8uzSWCRS2sOFIsBe5KKuQ/s1682/DataSync_08.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="232" data-original-width="1682" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwINcgIHpatNPW-4O7-dZ7BGH-t6MgAcfdlg2ATRxk7EgKJkB-ZEQF6eVk0-f-kw0B7slL-o5Za8Ub3wvv3U1QxjuDppTxWggt-7oExWzQGNYA-cpO0gfHAO8uzSWCRS2sOFIsBe5KKuQ/w640-h88/DataSync_08.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: left;">If you are having connectivity issues using either the public endpoint or the VPC endpoint verify the <a href="https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html" target="_blank">network requirements</a>.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Now that we have our agent deployed and online as well as our Amazon FSx service deployed with a share created and connected to our on-premises Active Directory for authentication, we can create the scheduled task to sync the data on a regular basis. Within the AWS DataSync service create a new task and specify the location type. 
Since we are copying data from a Windows file server the location type will be Server Message Block (SMB). We then select the agent that we deployed and supply the SMB server name/IP and share mount:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiycpbZ9ac-Ah14OBYaAY65iWog-SgfnTsV3ZVJzotpNZWAOAbmHfo75f4DrhnMhe14tu-qd9B-8JDO_cIlT_LvPz_Tw8SaWaYJu7UDNULtGZXLnGoGkowNFZG1xlxzcZ0vEgL9hBKbJXE/s841/DataSync_09.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="841" data-original-width="820" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiycpbZ9ac-Ah14OBYaAY65iWog-SgfnTsV3ZVJzotpNZWAOAbmHfo75f4DrhnMhe14tu-qd9B-8JDO_cIlT_LvPz_Tw8SaWaYJu7UDNULtGZXLnGoGkowNFZG1xlxzcZ0vEgL9hBKbJXE/w624-h640/DataSync_09.jpg" width="624" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">We then need to specify the user credentials that have access to read from that share:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiinUD9ezyT2H0sPNGZrhDdd234YX7gvRW79NwhCsEb-wdnhMsbBQLoM7iEGfos1h9WEeAwyeBciNWycIwzdvwdHHJVVmTjvYKBAsoKWzv59ofcvwhJangkYIGYEJzbk9N6pwt-LyLg9I/s811/DataSync_10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="505" data-original-width="811" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiinUD9ezyT2H0sPNGZrhDdd234YX7gvRW79NwhCsEb-wdnhMsbBQLoM7iEGfos1h9WEeAwyeBciNWycIwzdvwdHHJVVmTjvYKBAsoKWzv59ofcvwhJangkYIGYEJzbk9N6pwt-LyLg9I/w640-h398/DataSync_10.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: left;">Once we have created the 
source location we need to create the target location. We are copying the data to Amazon FSx so select that as the location type and enter the FSx file system and share name:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAzWEiZJfJftPzvKA_B7fNizZkKbCr7R4fYl7UyBM_kKcHFrQ0fnYR4Mzq8OK3f8UVWW-N_z91OsynEOl5Arau6PfVzCS3kvZC_VhcMIrIVwQb0XOX_8vNE0ZOrcz0GnlkuzDoHzWtVWM/s813/DataSync_11.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="729" data-original-width="813" height="574" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAzWEiZJfJftPzvKA_B7fNizZkKbCr7R4fYl7UyBM_kKcHFrQ0fnYR4Mzq8OK3f8UVWW-N_z91OsynEOl5Arau6PfVzCS3kvZC_VhcMIrIVwQb0XOX_8vNE0ZOrcz0GnlkuzDoHzWtVWM/w640-h574/DataSync_11.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">Enter the user credentials that have access to the FSx server and click Next:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGjgyVoH8k96Nnn0qv1QRShgKTfOx_LM3OuLzDNKMLqMy7BJRSx2Jwgmbd8r2rVr7MBIygk4_1FjCC6s6UIvV_RvVjE15Pk82leXzZ02rfIGAwfjFm-pIz7e5RGel3q-ojmD4gJHjd1fo/s814/DataSync_12.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="504" data-original-width="814" height="396" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGjgyVoH8k96Nnn0qv1QRShgKTfOx_LM3OuLzDNKMLqMy7BJRSx2Jwgmbd8r2rVr7MBIygk4_1FjCC6s6UIvV_RvVjE15Pk82leXzZ02rfIGAwfjFm-pIz7e5RGel3q-ojmD4gJHjd1fo/w640-h396/DataSync_12.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div style="text-align: left;">Give the task a 
suitable name and you can then specify additional options such as data verification, bandwidth limits and whether or not you wish to enable queueing. The only change I have made from the default options is to not keep deleted files, as I want my FSx file server to be identical to my on-premises file server:</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjlP6r5Ea4I3Yw5zKqVcM-laa8DopfR0lb6mZdvBfd0t5REbIg7o1qm6PqB73NLDxw-PbOFxee5tkrpRwP6VE6jAcobkSSSqZa-NvpFjXyxsFpf4twVvFqzCRtNtyPCGIK8zGmhE3CVso/s819/DataSync_16.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="798" data-original-width="819" height="624" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjlP6r5Ea4I3Yw5zKqVcM-laa8DopfR0lb6mZdvBfd0t5REbIg7o1qm6PqB73NLDxw-PbOFxee5tkrpRwP6VE6jAcobkSSSqZa-NvpFjXyxsFpf4twVvFqzCRtNtyPCGIK8zGmhE3CVso/w640-h624/DataSync_16.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: left;">You can filter out specific files that you don't want replicated, such as temp files, using filter patterns (wildcard patterns separated by |, not regular expressions). I've set my sync to occur every hour at five minutes past the hour. 
You can specify hourly, daily, weekly, days of the week or a custom cron expression:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWS1X0UExal4WxlQ1VEMmgtSUC-y2dGbhEcrPcS_syG05eGbykq0LGLurITuCMNli76MebsbQE0uk-06tXBszYSwf1Brr5EoeBOaBFPjfOoP_PZ8Sjqz6XySPycnUL1kJni5MDyCseMVA/s820/DataSync_14.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="820" data-original-width="820" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWS1X0UExal4WxlQ1VEMmgtSUC-y2dGbhEcrPcS_syG05eGbykq0LGLurITuCMNli76MebsbQE0uk-06tXBszYSwf1Brr5EoeBOaBFPjfOoP_PZ8Sjqz6XySPycnUL1kJni5MDyCseMVA/w640-h640/DataSync_14.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">You can then specify whether you want task logging to CloudWatch enabled. This lets you set up alerts when a task fails, so that the issue is picked up and resolved straight away.</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZElYcV6StyglX-ZXbbVBX-CWciJEM8KLlXTlP7W2ZSu7R7lTg66dJr2ZLbQS-AZaBbtGdvai-U63y2NZH88i7ACcKfyJTtyXlh-zrSqbycRCFYFo3SamVPPV-o-77ZsxZaIT3tvA4yyA/s819/DataSync_15.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="637" data-original-width="819" height="498" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZElYcV6StyglX-ZXbbVBX-CWciJEM8KLlXTlP7W2ZSu7R7lTg66dJr2ZLbQS-AZaBbtGdvai-U63y2NZH88i7ACcKfyJTtyXlh-zrSqbycRCFYFo3SamVPPV-o-77ZsxZaIT3tvA4yyA/w640-h498/DataSync_15.jpg" width="640" /></a></div><br /><div style="text-align: left;">You get the chance to review your settings and, if you are happy, you can create the task. 
During the task creation process your settings are pushed down to the on-premises agent VM, and once that completes the task should show as Available. Rather than wait for the scheduled time, I will just start it manually:</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw3Rrs17bZwQFTnO62p-9KoUWp_XQaTYzYrY1fpP_0om9A00ckEXbxgPdSCXjMDDwY0yE0z_-5wC0iBURIyP_qlFP0cJ0lLuqiCyLuk2cRBHO1SibEckheuhw5tvfgGAQFBNgInM4dV1Q/s2222/DataSync_17.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="279" data-original-width="2222" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw3Rrs17bZwQFTnO62p-9KoUWp_XQaTYzYrY1fpP_0om9A00ckEXbxgPdSCXjMDDwY0yE0z_-5wC0iBURIyP_qlFP0cJ0lLuqiCyLuk2cRBHO1SibEckheuhw5tvfgGAQFBNgInM4dV1Q/w640-h80/DataSync_17.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">Before the job runs, we can see that my on-premises file server has some files but my Amazon FSx file system is currently empty:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm_iURT1jPIYS9kJJ9JzsIl6qt03GN8BiAwqmIYQAyOlS72OpCJ2Sw3DU9SLhGWJg_eccThfz-rx1gAxc8WAEA874vdSGw34xY3orcyrRyoGWNsse1NsR_A-ZJj4kbef3239TEw5Ujqxg/s1649/DataSync_18.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="364" data-original-width="1649" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm_iURT1jPIYS9kJJ9JzsIl6qt03GN8BiAwqmIYQAyOlS72OpCJ2Sw3DU9SLhGWJg_eccThfz-rx1gAxc8WAEA874vdSGw34xY3orcyrRyoGWNsse1NsR_A-ZJj4kbef3239TEw5Ujqxg/w640-h142/DataSync_18.jpg" width="640" /></a></div><br /><div style="text-align: left;">Once the task 
finishes we can see that our Amazon FSx file server now has an exact copy of the on-premises file server, including permissions and timestamps:</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWLNqOBsJEXNrRKosr9IUXGXP9af1q2kWTX2XsPFkVBkwA2Bc9MTVbvHfUGNgg5iyMcW9YFP-K4AiNaJyQ1VB-HTL3FrWu9r9VpAsWvRYO695-M6HAqWdP-gTBVfvMe84azfFJLzuV12A/s1649/DataSync_19.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="364" data-original-width="1649" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWLNqOBsJEXNrRKosr9IUXGXP9af1q2kWTX2XsPFkVBkwA2Bc9MTVbvHfUGNgg5iyMcW9YFP-K4AiNaJyQ1VB-HTL3FrWu9r9VpAsWvRYO695-M6HAqWdP-gTBVfvMe84azfFJLzuV12A/w640-h142/DataSync_19.jpg" width="640" /></a></div><div style="text-align: left;"><br /></div><div style="text-align: left;">The task will continue to run every hour and copy new or changed files across.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">If you are looking to use AWS DataSync and FSx (or any other supported destination) as part of a migration strategy then you could keep the task running until you agree downtime on the on-premises file server with the business. At that point you would change the share to read-only, run the task one final time so that nothing written since the last hourly run is missed, and use logon scripts/GPOs to map the drive to the new location running on FSx. 
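The location and task settings walked through above, created with boto3 instead of the console, as an added example that is not part of the original post. Every ARN, hostname and account name in it is a placeholder, the option values are the ones chosen above (deleted files removed, verification on, hourly at five past, CloudWatch logging) plus the security-descriptor flag that carries the NTFS permissions across, and the request builders are pure functions so only run_setup() talks to AWS.

```python
"""Create, schedule and start the DataSync task from the post, with boto3.

Added example, not the post's own code. All ARNs, hostnames and accounts are
constructed placeholders; the builders return plain request dicts that can be
inspected without credentials, and only run_setup() calls the DataSync API.
"""
from __future__ import annotations

import time
from typing import Any

# Constructed placeholders (assumptions): replace with your own resources.
AGENT_ARN = "arn:aws:datasync:eu-west-2:123456789012:agent/agent-0123456789abcdef0"
FSX_ARN = "arn:aws:fsx:eu-west-2:123456789012:file-system/fs-0123456789abcdef0"
FSX_SG_ARN = "arn:aws:ec2:eu-west-2:123456789012:security-group/sg-0123456789abcdef0"
LOG_GROUP_ARN = "arn:aws:logs:eu-west-2:123456789012:log-group:/aws/datasync:*"


def hourly_at(minute: int) -> str:
    """Six-field EventBridge-style cron that DataSync schedules expect ('?' for day-of-week)."""
    if not 0 <= minute <= 59:
        raise ValueError(f"minute out of range: {minute}")
    return f"cron({minute} * * * ? *)"


def exclude_filter(patterns: list[str]) -> dict[str, str]:
    """DataSync filters are '|'-separated wildcard patterns anchored at the share root, not regex."""
    return {"FilterType": "SIMPLE_PATTERN", "Value": "|".join("/" + p.lstrip("/") for p in patterns)}


def smb_source_request(server: str, share: str, user: str, domain: str, password: str) -> dict[str, Any]:
    """Source location: the on-premises file server, read through the agent.

    DataSync stores this credential, so use a dedicated account that only has
    read access to the share rather than a domain administrator.
    """
    return {
        "ServerHostname": server,
        "Subdirectory": "/" + share.strip("/"),
        "User": user,
        "Domain": domain,
        "Password": password,
        "AgentArns": [AGENT_ARN],
    }


def fsx_destination_request(share: str, user: str, domain: str, password: str) -> dict[str, Any]:
    """Destination location: the FSx for Windows file system. The account must be able
    to write files and their security descriptors, which is what 'including permissions' needs."""
    return {
        "FsxFilesystemArn": FSX_ARN,
        "SecurityGroupArns": [FSX_SG_ARN],
        "Subdirectory": "/" + share.strip("/"),
        "User": user,
        "Domain": domain,
        "Password": password,
    }


def task_request(name: str, source_arn: str, dest_arn: str) -> dict[str, Any]:
    """The console choices from the post: verify, log, drop deleted files, run hourly at :05."""
    return {
        "Name": name,
        "SourceLocationArn": source_arn,
        "DestinationLocationArn": dest_arn,
        "CloudWatchLogGroupArn": LOG_GROUP_ARN,
        "Options": {
            "VerifyMode": "ONLY_FILES_TRANSFERRED",
            "OverwriteMode": "ALWAYS",
            # REMOVE makes FSx an exact mirror, which also means a deletion or a
            # ransomware-encrypted file on-premises reaches the copy at the next run;
            # for DR keep FSx backups or shadow copies as the point-in-time safety net.
            "PreserveDeletedFiles": "REMOVE",
            # Copy the NTFS owner and DACL so permissions match the source share.
            "SecurityDescriptorCopyFlags": "OWNER_DACL",
            "TaskQueueing": "ENABLED",
            "LogLevel": "BASIC",
        },
        "Excludes": [exclude_filter(["*.tmp", "~$*"])],
        "Schedule": {"ScheduleExpression": hourly_at(5)},
    }


def is_finished(status: str) -> bool:
    """Task-execution states that mean the run is over."""
    return status in ("SUCCESS", "ERROR")


def run_setup(smb: dict[str, Any], fsx: dict[str, Any], name: str, poll: int = 15) -> dict[str, Any]:
    """Create both locations and the task, wait for AVAILABLE, start one run and return its result."""
    import boto3  # imported here so the builders above stay usable without the SDK

    ds = boto3.client("datasync")
    src = ds.create_location_smb(**smb)["LocationArn"]
    dst = ds.create_location_fsx_windows(**fsx)["LocationArn"]
    task = ds.create_task(**task_request(name, src, dst))["TaskArn"]
    while (status := ds.describe_task(TaskArn=task)["Status"]) != "AVAILABLE":
        if status == "UNAVAILABLE":
            raise RuntimeError("task unavailable: agent offline or settings not pushed")
        time.sleep(poll)  # settings are still being pushed to the agent
    execution = ds.start_task_execution(TaskArn=task)["TaskExecutionArn"]
    while not is_finished((result := ds.describe_task_execution(TaskExecutionArn=execution))["Status"]):
        time.sleep(poll)
    return result
```

Passing the share credentials as plain function arguments is only for illustration; in practice pull them from Secrets Manager or a vault at run time, and check `result["Result"]["ErrorCode"]` on an ERROR status before trusting the copy.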
If this is for a disaster recovery scenario then you could leave the task in place permanently and, if a 1hr RPO (worst case) is acceptable, your data will be ready and waiting for you when you fail over into VMware Cloud on AWS. Bear in mind that because the task removes deleted files from the destination, a deletion or corruption on-premises will also reach the FSx copy at the next run, so keep FSx backups alongside the sync rather than relying on it as your only copy.</div></div><p></p>Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-47092546784733436962021-01-07T12:20:00.001+00:002021-01-07T12:20:31.632+00:00VMware Cloud on AWS Online vExperience Days<p></p><div class="separator" style="clear: both; text-align: center;"><div style="text-align: left;">Are you interested in some free technical on-demand VMware Cloud on AWS training videos? If so, the EMEA Solution Architects team have produced nine videos to guide you, ranging from an introduction to the service all the way through to automation and cloud economics:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both;">1. Introduction to VMware Cloud on AWS and Use Cases</div><div class="separator" style="clear: both;">2. Deploy Your First VMware Cloud on AWS SDDC</div><div class="separator" style="clear: both;">3. Accelerate Your Cloud Application Migration with VMware HCX</div><div class="separator" style="clear: both;">4. Protect Your Data, Minimize Downtime and Reduce Costs with Optimized Disaster Recovery</div><div class="separator" style="clear: both;">5. Create Hybrid Applications with VMware Cloud on AWS and Native AWS Services</div><div class="separator" style="clear: both;">6. Day-2 Operations: Managing Your VMware Cloud on AWS Platform</div><div class="separator" style="clear: both;">7. Deploy and Configure Your Entire VMware Cloud on AWS with Automation</div><div class="separator" style="clear: both;">8. Application Modernization with VMware Cloud on AWS and Kubernetes</div><div class="separator" style="clear: both;">9. 
Cloud Economics: What is it and How it Can Help You to Accelerate Your Journey to the Cloud</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">Click on the link below to register and get started. </div></div><div class="separator" style="clear: both; text-align: center;"><a href="http://bit.ly/2JSAvlj" imageanchor="1" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" data-original-height="628" data-original-width="1200" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxvQHP7TdWiLaTSZolqxcp5o6iO0UePc8dphgKVuj8EQQpKZei6mF4UGS2nEtwnXyrWOMkVsBz5kwTOZwTMKPF5Cz9rvWruhHWpqDcD3-o4cUz7Qiwpc1fh5jZut03jyDFp0zTecRrqMQ/w640-h334/VMW_3854_21Q4_VMC_Experience_Days_Promotion_1200x628.png" width="640" /></a></div></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both;">Feel free to provide any feedback or if there is any additional content you would like to see.</div></div><p></p>Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-29699706546874379922020-10-27T11:29:00.002+00:002020-10-27T11:30:36.554+00:00HCX Central CLI Mind Map<p>In a previous <a href="https://www.m80arm.co.uk/2020/10/troubleshooting-hcx-connectivity-and.html" target="_blank">article</a> I introduced the HCX Central CLI (CCLI) as a tool to help troubleshoot HCX connectivity and performance issues. 
I've created a quick Mind Map of all the commands that are available through CCLI to ease the troubleshooting process.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUfubV_MJslsPQ7W7hYOpghly1ZlhgQBrkUHPAUtM7X9zU2sTtr88xq4Cf5nU50RKMaLT4k7Ld0bmiw96w3nQ9XaDTeRs1NS8tABhi8qLWQ5Zd19agGyc6MBUkVXpqOhEMECOWNNUdBYg/s2086/HCX-CCLI-01.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="757" data-original-width="2086" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUfubV_MJslsPQ7W7hYOpghly1ZlhgQBrkUHPAUtM7X9zU2sTtr88xq4Cf5nU50RKMaLT4k7Ld0bmiw96w3nQ9XaDTeRs1NS8tABhi8qLWQ5Zd19agGyc6MBUkVXpqOhEMECOWNNUdBYg/w640-h232/HCX-CCLI-01.jpg" width="640" /></a></div><p></p><p>You can download a .pdf version of the full Mind Map <a href="https://www.dropbox.com/s/mdlfvs49m2x85xr/hcx%20ccli%20mindmap.pdf?dl=0" target="_blank">here</a>.</p><p>This is correct as of HCX Version R144 (Build 16989452).</p>Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-13505069934361344582020-10-26T10:49:00.002+00:002020-10-26T11:19:05.650+00:00Troubleshooting HCX Connectivity and performance issue into VMware Cloud on AWS<p>When working with customers on VMware Cloud on AWS POCs or pilots, the success criteria typically include using Hybrid Cloud Extension (HCX) to migrate workloads from on-premises into VMware Cloud on AWS, either using bulk migration or live vMotion. 
This sometimes involves troubleshooting connectivity and performance issues, so I figured I would show the typical process I follow to narrow down and identify the issue.</p><p><b>HCX Service Mesh Appliances Tunnel Status</b></p><span><a name='more'></a></span><p>The first check I always perform is to ensure the Service Mesh tunnels are all UP for both the Interconnect appliance and the Network Extension appliance. This can be found in the HCX plugin under Interconnect -> Service Mesh -> Appliances:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH0zdKWlZEReAZSQfcPYI0UiA2XWLJzev7zPvcW99kigK8_yYjMsa68NGTQq35dDG-gO9_5pFb9TAYYuHsi94lmRPAA-Yq8sdM9BN-WMmVMCW_SgwD8_wf2WpiDLa6bFOqzQn6Sgoqbro/s2375/HCX_01.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1046" data-original-width="2375" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH0zdKWlZEReAZSQfcPYI0UiA2XWLJzev7zPvcW99kigK8_yYjMsa68NGTQq35dDG-gO9_5pFb9TAYYuHsi94lmRPAA-Yq8sdM9BN-WMmVMCW_SgwD8_wf2WpiDLa6bFOqzQn6Sgoqbro/w640-h282/HCX_01.jpg" width="640" /></a></div><div><br /></div>Expand the Interconnect and Network Extension appliances (if used) and verify that the tunnel status is UP.<div><br /></div><div><b>Diagnostics</b></div><div><br /></div><div>The next test I usually perform is to run Diagnostics. 
This usually takes about 3 minutes and will verify the required connectivity is in place between all of the components, including HCX Manager, Interconnect and Network Extension Appliances, vCenter, ESXi hosts etc.</div><div><br /></div><div>Simply click on the Run Diagnostics button and once completed you can click on the here link to view the results:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-KZ0d16J0DJcVuGYayCi4ACDvYuzmYAo4b_3DobZM65ZTKkGvM3Jy20KnoLrjp2ptGa3SRv-kpRR8V3PRrajLp-4MSR0l7xEf5bEdvkzA-wUFaHAgTeSZXiOP7hnaoOf1KsThO6cUskE/s1328/HCX_02.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="519" data-original-width="1328" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-KZ0d16J0DJcVuGYayCi4ACDvYuzmYAo4b_3DobZM65ZTKkGvM3Jy20KnoLrjp2ptGa3SRv-kpRR8V3PRrajLp-4MSR0l7xEf5bEdvkzA-wUFaHAgTeSZXiOP7hnaoOf1KsThO6cUskE/w640-h250/HCX_02.jpg" width="640" /></a></div><div><br /></div><div>From the results view you can see green tick icons around all the interfaces that have been tested. 
Please note that your view might be different depending on the number of interfaces per appliance you have:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8cODVEwp8td0VBzlXis40Fl1YW6g_CF1qmvMwCnajB9U0AQwiLgi3rrOPzVGrNnp29Cm3j4aQIZRGQeyh2-sLGNFcz57pvn0azNqFKtA9Doz77uMO-sMwqR0k9TQcklKCagB6CObx15M/s2530/HCX_03.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1144" data-original-width="2530" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8cODVEwp8td0VBzlXis40Fl1YW6g_CF1qmvMwCnajB9U0AQwiLgi3rrOPzVGrNnp29Cm3j4aQIZRGQeyh2-sLGNFcz57pvn0azNqFKtA9Doz77uMO-sMwqR0k9TQcklKCagB6CObx15M/w640-h290/HCX_03.jpg" width="640" /></a></div><div><br /></div><div>Verify that everything is green and, if needed, click into a green tick icon to see exactly which tests have been performed and their results:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifBxSwtY8WFRmTqznjvQ8_LAS-VjhAQBkSVCf8qLjXNGRDzb3kiw94dWhBLoB5B3uubZKAoERPEkqA10V0kATJWskwHrIoNUFNYgBh1fGlp1BZ0ddMmda1lYef0R3Xt5IipYKSqss-L8I/s1152/HCX_04.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="696" data-original-width="1152" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifBxSwtY8WFRmTqznjvQ8_LAS-VjhAQBkSVCf8qLjXNGRDzb3kiw94dWhBLoB5B3uubZKAoERPEkqA10V0kATJWskwHrIoNUFNYgBh1fGlp1BZ0ddMmda1lYef0R3Xt5IipYKSqss-L8I/w640-h386/HCX_04.jpg" width="640" /></a></div><div><br /></div><div><b>HCX Central CLI (CCLI)</b></div><div><b><br /></b></div><div>If I need to connect to the appliances themselves to run performance or troubleshooting tests such as ping, traceroute or iperf3, then I use the HCX Central CLI, or CCLI for short. 
In order to access the CCLI you need to SSH into HCX Manager and then run the CCLI command:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY0Y0ErqCZC1WjY_qdNzT8A3X1qgKVCQdoG2kB-R9MPu2N8DK19FcTFLkJtV0V0_R2RV_qPAXhW2KAzMKx4q4Lam98mL6Jwwn0bFGV5OkLW-Dkuo4Peq-jQkeUcm5Ju5i9zSil4zjaxCU/s799/HCX_05.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="318" data-original-width="799" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY0Y0ErqCZC1WjY_qdNzT8A3X1qgKVCQdoG2kB-R9MPu2N8DK19FcTFLkJtV0V0_R2RV_qPAXhW2KAzMKx4q4Lam98mL6Jwwn0bFGV5OkLW-Dkuo4Peq-jQkeUcm5Ju5i9zSil4zjaxCU/w640-h254/HCX_05.jpg" width="640" /></a></div><div><br /></div><div>Once you are in CCLI you can type list to view the various appliances and then type go with the ID of the appliance you wish to connect to:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1j86rmxWEqo5_AF2Fg2m9HwTRJkwUdtm2NJwF4N-rv74Is8eLOsrmt93f-Se6OpNXJj5SWYbpjx9N1tqLLcQJ-FyqKdNCWLl2H2t7E88fEeqKUtG0eXSKeqAqOw6FNJVMhj4RkC2hX5M/s896/HCX_06.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="497" data-original-width="896" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1j86rmxWEqo5_AF2Fg2m9HwTRJkwUdtm2NJwF4N-rv74Is8eLOsrmt93f-Se6OpNXJj5SWYbpjx9N1tqLLcQJ-FyqKdNCWLl2H2t7E88fEeqKUtG0eXSKeqAqOw6FNJVMhj4RkC2hX5M/w640-h356/HCX_06.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Once you have connected to an appliance if you press the TAB key you will get a list of all the commands that are available to you:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div 
class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiMG6EWRY0SWegFQPTTMo_tUhPjmf7Ygw-UM8jYaDruJArP37DtkWebdbtkZ3JS2QW3Pcg9O3nx3j-5GVdZMIa19IkM63JiKd3p7Tve9nPoSd_aeU8vMf1Sfp72B9vpJQe5e9zuPO3xi0/s1644/HCX_07.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="130" data-original-width="1644" height="50" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiMG6EWRY0SWegFQPTTMo_tUhPjmf7Ygw-UM8jYaDruJArP37DtkWebdbtkZ3JS2QW3Pcg9O3nx3j-5GVdZMIa19IkM63JiKd3p7Tve9nPoSd_aeU8vMf1Sfp72B9vpJQe5e9zuPO3xi0/w640-h50/HCX_07.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: left;">My go-to troubleshooting commands are:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><b>HC</b> - The HC command stands for Health Check and performs a quick health check to ensure the appliance is not resource constrained and that all of its services are working as expected:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8oMd_uUa8UEjW2_980DPNuzAPRteWgzVt9_ZYAXHt9N5UYsxERJxJfmkBLp0FZnBjMNo_nhkmXkOLuxj_Z19KUcWB2hgVMZZCzpLN0SoF4Siv22ooMjnsPeaQyzYZnhtwnMQIlmxhxMs/s1056/HCX_12.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="869" data-original-width="1056" height="526" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8oMd_uUa8UEjW2_980DPNuzAPRteWgzVt9_ZYAXHt9N5UYsxERJxJfmkBLp0FZnBjMNo_nhkmXkOLuxj_Z19KUcWB2hgVMZZCzpLN0SoF4Siv22ooMjnsPeaQyzYZnhtwnMQIlmxhxMs/w640-h526/HCX_12.jpg" width="640" /></a></div></div><div class="separator" style="clear: both; 
text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><b>SSH</b> - Opens a shell prompt on the appliance, where I can run ping and traceroute tests as well as iperf3 if I need to test performance between the various on-premises components. You can also view specific log files if needed:</div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;"></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi72EUaITPlnbNrXPMcqmavJZ6E0CPuk9oHcZP0SCQqIxOW1tjo_jljpJYITwSgT-Pa5cfNk-xwn1OfLNaW6xjI17AvJZIhtrt0MMqmAbRSl2LwVermQeB1L3CoRfkm8-inWETQZhvS68Y/s1268/HCX_08.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="258" data-original-width="1268" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi72EUaITPlnbNrXPMcqmavJZ6E0CPuk9oHcZP0SCQqIxOW1tjo_jljpJYITwSgT-Pa5cfNk-xwn1OfLNaW6xjI17AvJZIhtrt0MMqmAbRSl2LwVermQeB1L3CoRfkm8-inWETQZhvS68Y/w640-h130/HCX_08.jpg" width="640" /></a></div><b><br /></b></div><div class="separator" style="clear: both; text-align: left;"><b>Perftest All</b> - This command runs the full set of performance tests, covering uplink and tunnel connectivity and throughput. 
The command can take around 12 minutes to complete and once finished I would typically copy/paste into a text document to review it properly:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvl9IWxdXzj-hwHF1k3qTQhSbYfX8VejDTSqId6ru1x5sWN9aSoSS6wa6y1IAMsS3JU0O861Zfw2kn18Pjw2pduRXp7zMnyh0QugaMX5imTxgTH5-BzocpOjkpc2Myrbif3sMc-DQk9xU/s971/HCX_09.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="840" data-original-width="971" height="554" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvl9IWxdXzj-hwHF1k3qTQhSbYfX8VejDTSqId6ru1x5sWN9aSoSS6wa6y1IAMsS3JU0O861Zfw2kn18Pjw2pduRXp7zMnyh0QugaMX5imTxgTH5-BzocpOjkpc2Myrbif3sMc-DQk9xU/w640-h554/HCX_09.jpg" width="640" /></a></div><div><br /></div><div>Once it completes you will get a summary of the results which can be quickly used to ensure the appliance has suitable throughput into VMC:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHZKk_XM167hDC1aY4w99z0ShVJgaQv3qQqaq0TSV1kCgQ6cA5iLnsZOyoDreBC3bWqkkQYihSANgxOTneFRcOEZEa79_Unz1LRCJLFv5NFKV4dEvY2lkSOUKAtaLiaqFmWVFE4mIYmuk/s748/HCX_10.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="556" data-original-width="748" height="476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHZKk_XM167hDC1aY4w99z0ShVJgaQv3qQqaq0TSV1kCgQ6cA5iLnsZOyoDreBC3bWqkkQYihSANgxOTneFRcOEZEa79_Unz1LRCJLFv5NFKV4dEvY2lkSOUKAtaLiaqFmWVFE4mIYmuk/w640-h476/HCX_10.jpg" width="640" /></a></div><div><br /></div><div>You can also run the various performance tests separately if you want to focus on a specific test rather than waiting for them all to complete. 
Just type perftest and then press TAB to view all the options:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJvs9dEcglVp9BvToN1-iT1cy_P0ztxwKwFiWM6nAsLQp9EW-va8uCZpqJQRimrHt3QWxdLEV4txCYL8Twp7yK6J8fBexPtIpLcqYeq-TxQtZkYZh9j3Fn1zBdkuJhjeqG_T9fOb5j6FM/s1378/HCX_11.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="121" data-original-width="1378" height="56" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJvs9dEcglVp9BvToN1-iT1cy_P0ztxwKwFiWM6nAsLQp9EW-va8uCZpqJQRimrHt3QWxdLEV4txCYL8Twp7yK6J8fBexPtIpLcqYeq-TxQtZkYZh9j3Fn1zBdkuJhjeqG_T9fOb5j6FM/w640-h56/HCX_11.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div>All of the commands above can be run on both the Interconnect and Network Extension appliances, so depending on the issue you are facing you might want to run them on both.</div><div><br /></div><div>Please review the official <a href="https://docs.vmware.com/en/VMware-HCX/services/user-guide/GUID-B6CF4054-9C8C-43DE-AC67-01AE0679B190.html" target="_blank">HCX Troubleshooting</a> pages for more information.</div>Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-65862285723119055882020-09-16T19:36:00.001+01:002020-09-16T19:42:15.022+01:00VMC Sizer now accepts RVTools and LiveOptics Inputs<p>When sizing the environments of customers who are looking to migrate from on-premises into VMware Cloud on AWS, we always use the <a href="https://vmc.vmware.com/sizer" target="_blank">VMC Sizer website</a>. The tool allows us to input and modify various parameters to correctly size the environment. 
Basic values that we need to gather from customers to size the environment are:</p><p>Number of VMs</p><p>Storage per VM</p><p>vCPU per VM</p><p>vRAM per VM</p><span><a name='more'></a></span><p><br /></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie5AMFT0pD28d2IWvB_TAtIvNs0G74iQiDfrV-k1pmcMh-LylpHaLCo7L7xsoHhOy1miRp_rXM-h3wEK4cliVD2oJLQxNwHxD-wHXp3UeT6YJKBKcWzhaS2EIdIX6V2Rms3uVsK9BWAIM/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="909" data-original-width="654" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie5AMFT0pD28d2IWvB_TAtIvNs0G74iQiDfrV-k1pmcMh-LylpHaLCo7L7xsoHhOy1miRp_rXM-h3wEK4cliVD2oJLQxNwHxD-wHXp3UeT6YJKBKcWzhaS2EIdIX6V2Rms3uVsK9BWAIM/w462-h640/image.png" width="462" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">In order to gather the VM profile information we typically use either <a href="https://www.robware.net/rvtools/" target="_blank">RVTools</a> or <a href="https://www.liveoptics.com/" target="_blank">LiveOptics</a> to gather the data. We then export the data to an Excel spreadsheet and then manipulate the data to get the average size VM based on the environment(s) that we are sizing. Once we have the average VM sizes we can then input these values into VMC Sizer to identify the number of hosts required.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">A recent update the VMC sizer team introduced is the ability to import the exported Excel spreadsheet directly into the sizer tool to populate the required fields. 
We have the ability to import both RVTools and LiveOptics data:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKJC_k30Xpo3PGPe_rJCkHnlPyWh8Ev348b0hhKNE7dUPna8sBvmDlsplJIkRe2ZI6q22gKd65wxhZGqEP6OxQi6TEMwNWeBjAMunRJef4s4oa7kCWkaQsahSnyDf09zE1XlnELruQk-M/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="194" data-original-width="605" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKJC_k30Xpo3PGPe_rJCkHnlPyWh8Ev348b0hhKNE7dUPna8sBvmDlsplJIkRe2ZI6q22gKd65wxhZGqEP6OxQi6TEMwNWeBjAMunRJef4s4oa7kCWkaQsahSnyDf09zE1XlnELruQk-M/w640-h206/image.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">Once you select the .xlsx file you can choose to include Powered Off and Suspended VMs if you wish. 
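The aggregation that the sizer now performs on import, and which the post describes doing by hand in Excel, as an added example in Python that is not the post's or the sizer's own code. It reads the RVTools vInfo sheet (the column names are an assumption; they differ between RVTools versions, with older exports saying MB rather than MiB), applies the same powered-off, suspended and per-cluster choices as the import dialog, and returns the per-VM averages the sizer asks for. The sample rows are constructed, so it runs without a spreadsheet.

```python
"""Turn an RVTools vInfo export into VMC Sizer inputs: VM count and average
vCPU, vRAM and storage per VM, with the same filters as the sizer's import dialog.

Added example, not the post's or the sizer's own code. Column names follow
RVTools' vInfo sheet as an assumption, and SAMPLE_VINFO is constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean

# Constructed sample rows in the shape of RVTools' vInfo sheet (assumed column names).
SAMPLE_VINFO = [
    {"VM": "web01", "Powerstate": "poweredOn", "Template": "False", "CPUs": 2, "Memory": 4096,
     "Provisioned MiB": 61440, "In Use MiB": 20480, "Cluster": "Prod"},
    {"VM": "db01", "Powerstate": "poweredOn", "Template": "False", "CPUs": 8, "Memory": 32768,
     "Provisioned MiB": 512000, "In Use MiB": 307200, "Cluster": "Prod"},
    {"VM": "old01", "Powerstate": "poweredOff", "Template": "False", "CPUs": 4, "Memory": 8192,
     "Provisioned MiB": 102400, "In Use MiB": 40960, "Cluster": "Prod"},
    {"VM": "susp01", "Powerstate": "suspended", "Template": "False", "CPUs": 2, "Memory": 2048,
     "Provisioned MiB": 40960, "In Use MiB": 10240, "Cluster": "Dev"},
    {"VM": "tmpl", "Powerstate": "poweredOff", "Template": "True", "CPUs": 1, "Memory": 1024,
     "Provisioned MiB": 20480, "In Use MiB": 8192, "Cluster": "Dev"},
]

# Storage basis, as in the post's diagram: Total Disk Size is provisioned,
# Total Used Space is utilized.
STORAGE_COLUMN = {"provisioned": "Provisioned MiB", "utilized": "In Use MiB"}


@dataclass(frozen=True)
class SizerInput:
    vm_count: int
    avg_vcpu: float
    avg_vram_gib: float
    avg_storage_gib: float


def load_vinfo(path: str) -> list[dict]:
    """Read the vInfo sheet of an RVTools .xlsx into dicts keyed by header (needs openpyxl)."""
    import openpyxl  # imported here so the aggregation below works on sample data without it

    ws = openpyxl.load_workbook(path, read_only=True, data_only=True)["vInfo"]
    rows = ws.iter_rows(values_only=True)
    header = [str(h) for h in next(rows)]
    return [dict(zip(header, r)) for r in rows if r[0] is not None]


def select_vms(rows, include_powered_off=False, include_suspended=False, cluster=None) -> list[dict]:
    """Filter like the import dialog: templates never count, powered-off and suspended
    VMs only when asked for, and optionally one cluster (the post's copy-a-cluster-
    to-a-new-sheet trick without the copying)."""
    keep = []
    for r in rows:
        if str(r.get("Template", "")).lower() == "true":
            continue
        state = r["Powerstate"]
        if state == "poweredOff" and not include_powered_off:
            continue
        if state == "suspended" and not include_suspended:
            continue
        if cluster is not None and r["Cluster"] != cluster:
            continue
        keep.append(r)
    return keep


def sizer_input(rows, storage="utilized", **filters) -> SizerInput:
    """Average the per-VM profile the sizer asks for; memory is always the provisioned
    vRAM because vInfo carries no guest memory utilisation figure."""
    col = STORAGE_COLUMN[storage]
    vms = select_vms(rows, **filters)
    if not vms:
        raise ValueError("no VMs left after filtering; check the cluster name and power-state options")
    return SizerInput(
        vm_count=len(vms),
        avg_vcpu=float(mean(int(v["CPUs"]) for v in vms)),
        avg_vram_gib=mean(int(v["Memory"]) for v in vms) / 1024,
        avg_storage_gib=mean(int(v[col]) for v in vms) / 1024,
    )


if __name__ == "__main__":
    print(sizer_input(SAMPLE_VINFO))
    print(sizer_input(SAMPLE_VINFO, storage="provisioned", include_powered_off=True, include_suspended=True))
```

Comparing the utilized and provisioned results side by side is the quickest way to see how much of the host count comes from thin-provisioned headroom rather than data actually on disk, which is usually the first question a customer asks about the sizer's output.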
You can also choose to size based off Utilized or Provisioned from a storage and memory perspective:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrDZDr7Pfu6zjBjUe8EnC06BCY1Vl8-YUS1vbh6GMeoqx_MsiKoDXNf6AC_ZQeinTJTW9zoiwnhIWPVWD6saVkvv5ZVSS-c1mSAMEqoU4YjnSbQ0bs7KcmU9b2kzMTFnRnSd61Zg4uZqc/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="479" data-original-width="576" height="531" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrDZDr7Pfu6zjBjUe8EnC06BCY1Vl8-YUS1vbh6GMeoqx_MsiKoDXNf6AC_ZQeinTJTW9zoiwnhIWPVWD6saVkvv5ZVSS-c1mSAMEqoU4YjnSbQ0bs7KcmU9b2kzMTFnRnSd61Zg4uZqc/w640-h531/image.png" width="640" /></a></div><br /></div>The following diagram explains the options that you have to size based on storage. Total Disk Size is Provisioned, Total Used Space is Utilized and LiveOptics also gives you the storage usage from within the Guest OS utilising VMtools: </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaTi8uYjuIfmC9EIWkonaGX6uLh12lTaXKCmaiVahyMXR1OAqi4z1WUQXZu3ZEkZzjYuwjcQDPpCUh9NfT39CRq4jEClCg8Xbz641_X-rrFm39Nrm5p99TRlqjNMnukbCQqxVdxKOSHGY/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="687" data-original-width="733" height="600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaTi8uYjuIfmC9EIWkonaGX6uLh12lTaXKCmaiVahyMXR1OAqi4z1WUQXZu3ZEkZzjYuwjcQDPpCUh9NfT39CRq4jEClCg8Xbz641_X-rrFm39Nrm5p99TRlqjNMnukbCQqxVdxKOSHGY/w640-h600/image.png" width="640" /></a></div><br />Once you click Upload the tool will analyse the spreadsheet 
and fill in the correct values based on the extract:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgh1AzgiqG3qG0HRgMLP8VpYqE_n7MqpIsvy_B_41gNBL3oV96lA4BtdS8nMWvjwSpTJTZu_c7h5U__Z2ilTaJjG6g6wLkIOaJ9X9jrEpZPiNjpmhC6tAPibN-Q9LHnclpeMBnf-Stv6g/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1004" data-original-width="1100" height="584" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgh1AzgiqG3qG0HRgMLP8VpYqE_n7MqpIsvy_B_41gNBL3oV96lA4BtdS8nMWvjwSpTJTZu_c7h5U__Z2ilTaJjG6g6wLkIOaJ9X9jrEpZPiNjpmhC6tAPibN-Q9LHnclpeMBnf-Stv6g/w640-h584/image.png" width="640" /></a></div><br />No need to manipulate the data to find the average VM size anymore. If you want to perform multiple sizings based on different clusters, simply filter the data, copy/paste it into a new .xlsx file and upload each file individually.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">This dramatically simplifies the sizing process for end customers and allows them to size based on multiple scenarios, such as specific clusters for licensing purposes.</div><p></p>Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-7520862918252959222020-01-23T07:33:00.000+00:002020-01-23T07:33:52.870+00:00North East VMUG - Thursday 6th February 2020The first North East VMUG of 2020 is ready for <a href="https://community.vmug.com/events/event-description?CalendarEventKey=04b1a5ef-b21a-438f-901a-78421715f7ce&CommunityKey=2019c52c-3ed6-4008-87ce-922ef5c5763d&Home=%2fcommunities%2flocalcommunityhome" target="_blank">registration</a> and boy is it going to be a good one. 
The event will take place on Thursday 6th February at the <a href="https://www.google.co.uk/maps/place/Royal+Station+Hotel/@54.9691961,-1.6175727,17z/data=!4m18!1m9!3m8!1s0x487e70b44eee6491:0xf087e6613ee3d2af!2sRoyal+Station+Hotel!5m2!4m1!1i2!8m2!3d54.969193!4d-1.615384!3m7!1s0x487e70b44eee6491:0xf087e6613ee3d2af!5m2!4m1!1i2!8m2!3d54.969193!4d-1.615384" target="_blank">Royal Station Hotel</a>, which is situated right next to Newcastle Central Station. Once again, the team have put on a spectacular agenda with some great VMware speakers as well as community sessions. Special thanks to all the sponsors who fund these events; without them these events would not happen, so during the breaks go and spend some time with them and see what they have to offer:<br />
<br />
<a href="https://www.datrium.com/" target="_blank">Datrium</a><br />
<a href="https://trustack.co.uk/" target="_blank">TruStack</a><br />
<a href="https://www.10zig.com/" target="_blank">10Zig</a><br />
<a href="https://www.zerto.com/" target="_blank">Zerto</a><br />
<a href="https://www.runecast.com/" target="_blank">Runecast</a><br />
<br />
The current agenda is as follows:<br />
<br />
<b>VMware Keynote - Frank Denneman (<a href="http://frankdenneman.nl/" target="_blank">Blog</a> | <a href="https://twitter.com/FrankDenneman" target="_blank">Twitter</a>) - Chief Technologist at VMware</b><br />
<b>Title - VMware’s Hybrid Cloud Vision and Strategy</b><br />
<br />
In this session, Frank will discuss VMware’s 3-year Hybrid Cloud Vision and Strategy. He’ll discuss the industry trends driving our thinking and then lay out our vision for how we can evolve our core platform to support where customers and the industry are going.<br />
<br />
<b>VMware Keynote - Duncan Epping (<a href="http://www.yellow-bricks.com/" target="_blank">Blog</a> | <a href="https://twitter.com/DuncanYB" target="_blank">Twitter</a>) - Chief Technologist at VMware </b><br />
<b>Title - How HCI is revolutionizing the datacenter today and tomorrow! </b><br />
<br />
A year has passed and a lot has changed since then. Not just for you, but also for HCI and vSAN in particular. In this session, Duncan will discuss where we are coming from, but more importantly where we are going. Be warned, this session will include forward-looking statements and demos of to be released features.<br />
<br />
<b>Community Session - Kyle Jenner (<a href="http://www.vjenner.com/" target="_blank">Blog</a> | <a href="https://twitter.com/kylejenneruk" target="_blank">Twitter</a>) - AWS Architect at Rackspace</b><br />
<b>Title - VI admin to Cloud Architect</b><br />
<br />
A little northerners journey to the cloud - tips and tricks learned along the way and thoughts on the future.<br />
<br />
<b>Community Session - Craig Dalrymple (<a href="https://www.cragdoo.co.uk/" target="_blank">Blog</a> | <a href="https://twitter.com/cragdoo" target="_blank">Twitter</a>) - Senior Systems Engineer at Brightsolid</b><br />
<b>Title - ...And now for something completely different</b><br />
<br />
A frank and open presentation about mental health in IT, it is real and it really can happen to anyone ...did I mention there will be Irn Bru?<br />
<br />
<b>Community Session - Michael Sweeney (<a href="https://twitter.com/msweeneyuk" target="_blank">Twitter</a>) - Virtualisation Specialist at DXC.Technology</b><br />
<b>Title - Modern Day Infrastructure Management using vRealize Ops</b><br />
<br />
Overview and lessons learnt from a vROps deployment and what advantages this brought to make more informed business decisions.<br />
<br />
<b>VMware Session - Andy Watson (<a href="https://twitter.com/adwatson1984" target="_blank">Twitter</a>) - Systems Engineer at VMware</b><br />
<b>Title - Virtual Cloud Networking</b><br />
<br />
Andy Watson, a Solution Engineer in VMware’s Network and Security Business Unit, gives an update on the Virtual Cloud Network. In the last 3 years, VMware has gone from a single networking product to providing complete consistent networking and security from the Datacentre to the Edge and the Cloud.<br />
<br />
This is a great event to network with peers and experts from VMware as well as have a few sneaky beers since it's no longer dry January :)<br />
<br />
See you there<br />
<br />
MichaelMichaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-32178432613816156662020-01-21T11:17:00.001+00:002020-01-24T11:47:42.394+00:00Protecting a 3-Tier App in VMC with the NSX Distributed FirewallVMware Cloud on AWS SDDC v1.9 was officially released on the 16th January 2020 and includes a wealth of enhancements with regards to the NSX Distributed Firewall and Inventory Groups. The release notes for SDDC v1.9 can be found below if you want to check out all the new features that are available with this release:<br />
<br />
<a href="https://docs.vmware.com/en/VMware-Cloud-on-AWS/0/rn/vmc-on-aws-relnotes.html">https://docs.vmware.com/en/VMware-Cloud-on-AWS/0/rn/vmc-on-aws-relnotes.html</a><br />
<br />
In this article, I am going to show you how to protect a simple 3-Tier Application using the NSX Distributed Firewall and some of the enhancements around Inventory Groups. A policy-based VPN has already been established from on-premises into VMC and the application has already been deployed into a single network segment as per the diagram below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC9ZIw8qp0MrBveeue9Og5tTgYpfqKVOtoFfqEShP0hgyYEeNHTq87O406DhaQynxuR8X7SvDG0SMOA8K7bH-MR_ImiuR04VjdbqvjaBDnT4K2t4Vig82XhWhygUm8IeIyuDFwg0iiKrI/s1600/SDDC1.8_DFW_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="638" data-original-width="1418" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC9ZIw8qp0MrBveeue9Og5tTgYpfqKVOtoFfqEShP0hgyYEeNHTq87O406DhaQynxuR8X7SvDG0SMOA8K7bH-MR_ImiuR04VjdbqvjaBDnT4K2t4Vig82XhWhygUm8IeIyuDFwg0iiKrI/s640/SDDC1.8_DFW_01.jpg" width="640" /></a></div>
A policy-based VPN has been configured to allow the following traffic:<br />
<br />
On-Premises to VMC<br />
10.1.9.0/24 - 10.101.1.0/24<br />
10.1.9.0/24 - 10.2.0.0/16<br />
<br />
VMC to On-Premises<br />
10.101.1.0/24 - 10.1.9.0/24<br />
10.2.0.0/16 - 10.1.9.0/24<br />
<br />
The on-premises firewall has been configured to allow all traffic between the network segments, and an ANY - ANY - Allow rule has been configured on the Compute Gateway Firewall to allow all traffic into the 3-Tier App segment. I could lock this down, but I want to focus on the Distributed Firewall security aspects for this particular blog post:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMYCyGUP_LC41rN_LMAzYhJnSs3C0fwd7GfLuZU_0n4GiBEyw7bU_5peAoVy0EPzUnHruYlsciX7GmrYiEk84uaRfMmjtqzLKRLoAXOcrCpU_rFMN2rJteNEXX5XMoabaTPdJ3ilcmemI/s1600/SDDC1.8_DFW_02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="284" data-original-width="1600" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMYCyGUP_LC41rN_LMAzYhJnSs3C0fwd7GfLuZU_0n4GiBEyw7bU_5peAoVy0EPzUnHruYlsciX7GmrYiEk84uaRfMmjtqzLKRLoAXOcrCpU_rFMN2rJteNEXX5XMoabaTPdJ3ilcmemI/s640/SDDC1.8_DFW_02.jpg" width="640" /></a></div>
<br />
Prior to configuring the distributed firewall, I check the application is working as expected by accessing the webserver from the on-premises management segment (10.1.9.0/24) to verify connectivity:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidoB3I1_wvJjSDa6wvbWgfuq0ziNp89dL_pPzdd6x0WKyARAMWYt8m1ZF_h-2O-EV8KT380MgqRucxAbF6JeJPe7l5dB5SbKwtWYuOMX7BX7HDjBqUFv1VK20Umlo3mDFGH3LH_QDO4c8/s1600/SDDC1.8_DFW_03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="420" data-original-width="713" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidoB3I1_wvJjSDa6wvbWgfuq0ziNp89dL_pPzdd6x0WKyARAMWYt8m1ZF_h-2O-EV8KT380MgqRucxAbF6JeJPe7l5dB5SbKwtWYuOMX7BX7HDjBqUFv1VK20Umlo3mDFGH3LH_QDO4c8/s640/SDDC1.8_DFW_03.jpg" width="640" /></a></div>
<br />
Since this is the only application that will currently be running in VMC and I want to ensure maximum security, I switch from a Blacklist security approach to Whitelist with logging. This is a new feature of VMC and sets the default ANY - ANY rule to deny with logging rather than allow. When setting the security approach you have the following options:<br />
<br />
<b>Blacklist</b> - This option creates a default ANY-ANY rule to allow all traffic. This is the default option for the distributed firewall.<br />
<b>Blacklist with logging</b> - This option creates a default ANY-ANY rule to allow all traffic with logging enabled.<br />
<b>Whitelist</b> - This option creates a default ANY-ANY rule to block all traffic. All communication is denied access including DHCP traffic.<br />
<b>Whitelist with logging</b> - This option creates a default ANY-ANY rule to block all traffic with logging enabled. All communication is denied access including DHCP traffic.<br />
<br />
The option can be changed in the Cloud Services Portal (CSP) under Networking & Security then Distributed Firewall:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAeOjejZWtjccEbSepxd0HbDI4Sk6HitZ1_gmZV4OvngZqd6ewioD-l1Kc-kb7LSsUCGA6xiJugo1sEHMxyic2TeqP7RY5voKRmPy-9v5QQAzYyIJ_mlsp_gmmmiVd4tu3QnLQugDtkeY/s1600/SDDC1.8_DFW_04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="742" data-original-width="1229" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAeOjejZWtjccEbSepxd0HbDI4Sk6HitZ1_gmZV4OvngZqd6ewioD-l1Kc-kb7LSsUCGA6xiJugo1sEHMxyic2TeqP7RY5voKRmPy-9v5QQAzYyIJ_mlsp_gmmmiVd4tu3QnLQugDtkeY/s640/SDDC1.8_DFW_04.jpg" width="640" /></a></div>
<br />
I verify connectivity has been dropped by pinging my WEB, APP and DB servers and by trying to access the application via http://10.101.1.11<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcHZ8YQh3uvP5RSPv9MfSE9pMeWc1ot6EmxOFWS3XdwxaHy2l8GgJ1rM4znQNzwNC8vvo2aaX6E_wa8K-FXDeXQ3fHpNyXZjcybo6Et4RKMx81p4jznn2hsEY2RC6xskzivwQITIlJb9Q/s1600/SDDC1.8_DFW_05.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="402" data-original-width="474" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcHZ8YQh3uvP5RSPv9MfSE9pMeWc1ot6EmxOFWS3XdwxaHy2l8GgJ1rM4znQNzwNC8vvo2aaX6E_wa8K-FXDeXQ3fHpNyXZjcybo6Et4RKMx81p4jznn2hsEY2RC6xskzivwQITIlJb9Q/s400/SDDC1.8_DFW_05.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5mbHTPKXEouGw6tW1LfyJPv5kLS9b1KNzq2yQ9XBL3sknpYB9YAHh_3KBsNZRLE04dCLek7xZ4flbbfagRDh8cz3E3Bu0M3egzFJd6f02X7YyA8qfMjR7Bz2PKMo_GQYewGniDCJPw60/s1600/SDDC1.8_DFW_06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="420" data-original-width="386" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5mbHTPKXEouGw6tW1LfyJPv5kLS9b1KNzq2yQ9XBL3sknpYB9YAHh_3KBsNZRLE04dCLek7xZ4flbbfagRDh8cz3E3Bu0M3egzFJd6f02X7YyA8qfMjR7Bz2PKMo_GQYewGniDCJPw60/s400/SDDC1.8_DFW_06.jpg" width="367" /></a><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
The Distributed Firewall rules that I want to implement are as follows:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfGzlBpEu_IpE3dAysPHZx1uqFaFPblJcojlYNgVdsaky3-MKxpZs0Chugnbn9SxlR9R187b6acS75ATVLdhpJA1Wh3LWhnumuSDgBj8o5ud-tWsaBJbOhKE0GLp9uDDqhoORTY1I_Qgo/s1600/SDDC1.8_DFW_07.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="136" data-original-width="757" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfGzlBpEu_IpE3dAysPHZx1uqFaFPblJcojlYNgVdsaky3-MKxpZs0Chugnbn9SxlR9R187b6acS75ATVLdhpJA1Wh3LWhnumuSDgBj8o5ud-tWsaBJbOhKE0GLp9uDDqhoORTY1I_Qgo/s640/SDDC1.8_DFW_07.jpg" width="640" /></a></div>
<br />
I only want to allow SSH and ICMP from my on-premises management segment to the 3-Tier App for support/troubleshooting purposes. I then want to allow anything to talk to my web server, but only over HTTP (TCP port 80). My web server needs to talk to my app server, also over HTTP, and finally the application server communicates with the database server using the MySQL service (TCP port 3306). Since we have a whitelist security approach all other communication will be blocked, which prevents lateral movement by an attacker. An example would be an attacker compromising my web server and then trying to move laterally, say over a known MySQL exploit, into the database server to extract data: with these rules the web server has no permitted path to TCP port 3306 on the database server, so that attempt is dropped and logged by the default rule.<br />
<br />
I’m going to use NSX Inventory Groups as the basis for my DFW ruleset and dynamically add members to the groups based on tags, which is new with v1.9 of the SDDC. Using tags has the added benefit that if I need to scale out any portion of my application, i.e. add more web servers, I can simply deploy the server, assign the tag to it and automatically get the correct security posture applied to the workload without modifying any firewall rules. I’m going to start by creating the following Inventory Groups with the following membership criteria:<br />
<br />
<b>Web Servers</b> - Dynamically add workloads to the group when a <b>Web</b> tag is applied to the VM<br />
<b>App Servers</b> - Dynamically add workloads to the group when an <b>App</b> tag is applied to the VM<br />
<b>DB Servers</b> - Dynamically add workloads to the group when a <b>DB</b> tag is applied to the VM<br />
<b>3-Tier App</b> - This group will have static membership and I will add the Web Servers, App Servers and DB Servers group into it. Nested groups are also a new feature released as part of SDDC v1.9.<br />
<b>On-Premises Management</b> - This group will have static membership which will include the CIDR range of the on-premises management segment (10.1.9.0/24)<br />
<br />
To create an Inventory Group simply log into the Cloud Services Portal (CSP) and navigate to your SDDC. From here click on the Networking & Security, Groups and then Add Group:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Q-IMhf_BRvF-qkx13HUwd0bLJCv3fK2kzubd-t51rv4GP-S-n3BttaeGz9oC3Vub9zVZFwutR8HD1nMmRZspsCNC_eWDz9i0CGOoHUI9hnow54pJf9Spell6o8ByrCMA5R7yuKhdcqI/s1600/SDDC1.8_DFW_08.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="678" data-original-width="778" height="556" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Q-IMhf_BRvF-qkx13HUwd0bLJCv3fK2kzubd-t51rv4GP-S-n3BttaeGz9oC3Vub9zVZFwutR8HD1nMmRZspsCNC_eWDz9i0CGOoHUI9hnow54pJf9Spell6o8ByrCMA5R7yuKhdcqI/s640/SDDC1.8_DFW_08.jpg" width="640" /></a></div>
<br />
I'm going to call this group Web Servers and give it a suitable description. Click on the Set<b> </b>Members link to set the membership criteria:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQl4o3ySPQgIp8vNEPzuJQcCavvWghFOytDodjfk0RBNoXAppyzyWn3ciuzN8LQoqzpcxBMWI3yg9Mh1l-5pK1-DH6HIt9O3tG3Df0q1BX0HHm2XdDId5KA2YWNiEtlCQr8wZ9m_S4YZk/s1600/SDDC1.8_DFW_09.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="360" data-original-width="1600" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQl4o3ySPQgIp8vNEPzuJQcCavvWghFOytDodjfk0RBNoXAppyzyWn3ciuzN8LQoqzpcxBMWI3yg9Mh1l-5pK1-DH6HIt9O3tG3Df0q1BX0HHm2XdDId5KA2YWNiEtlCQr8wZ9m_S4YZk/s640/SDDC1.8_DFW_09.jpg" width="640" /></a></div>
<br />
I now want to click on Add Criteria and specify Virtual Machine Tag Equals Web and click Apply:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_2Fp3CHuiiyU6Bl-IMeXTOSif_4YrAnC9JlqFNXMh4MXlq6y0brob2PhT40F95OkoyvC8P6eZMHAIQjM43C6z1Ee3HscGcb5KocXONAqRS-MPxaDS_pHWgPWbFS5TcAEEjWdcZUkHcms/s1600/SDDC1.8_DFW_10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="693" data-original-width="1144" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_2Fp3CHuiiyU6Bl-IMeXTOSif_4YrAnC9JlqFNXMh4MXlq6y0brob2PhT40F95OkoyvC8P6eZMHAIQjM43C6z1Ee3HscGcb5KocXONAqRS-MPxaDS_pHWgPWbFS5TcAEEjWdcZUkHcms/s640/SDDC1.8_DFW_10.jpg" width="640" /></a></div>
<br />
Finally, I can click Save to commit the changes:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjugW_fOYm7U2nurP22Zhdo8aWSn8Ax4mE3GpK_4uVleGowFJIEQHCCqGUurT7beeuLZ359BqiV478dCT6Xmgh95Bx9-S4vmcyBQZ9o5cct1VSmz3OkasR24aFU65xSmPFmFwtbAkxqAZk/s1600/SDDC1.8_DFW_11.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="352" data-original-width="1600" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjugW_fOYm7U2nurP22Zhdo8aWSn8Ax4mE3GpK_4uVleGowFJIEQHCCqGUurT7beeuLZ359BqiV478dCT6Xmgh95Bx9-S4vmcyBQZ9o5cct1VSmz3OkasR24aFU65xSmPFmFwtbAkxqAZk/s640/SDDC1.8_DFW_11.jpg" width="640" /></a></div>
<br />
I now have my first Inventory Group which will dynamically add VMs whenever a Web tag is applied to them. I will now continue and create the App Servers and DB Servers groups based on the App and DB tags.<br />
<br />
I'm now going to create my 3-Tier App group with the membership being the Web Servers, App Servers and DB Servers groups:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghyYuIyKXrnjrPUNg1jG7HMTeM6fG7hbTgbo_KIxLO5_QDwgtbxhQC4_FMeVRdYgfkQPGDB3eUGt1z1An1xURp8Vo0cZBuK9C2NWntC5D7YKAgERzlMABeC75xuie1vPp1mJAvAc9q4Ws/s1600/SDDC1.8_DFW_13.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="465" data-original-width="1600" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghyYuIyKXrnjrPUNg1jG7HMTeM6fG7hbTgbo_KIxLO5_QDwgtbxhQC4_FMeVRdYgfkQPGDB3eUGt1z1An1xURp8Vo0cZBuK9C2NWntC5D7YKAgERzlMABeC75xuie1vPp1mJAvAc9q4Ws/s640/SDDC1.8_DFW_13.jpg" width="640" /></a></div>
<br />
To nest groups select Members and check the groups that you want to be nested:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRL_caN3YMO2kyXqgU7VI77T-HTCh5v3f63spvieGmeMMH4lSxXY5okX2k-igVcXXTUR463Drex7IEX4Vhx0usgQJXC9ESJzOqVru0k1BP6uRsf-joPr-XOlQmSEpzUCYQ6v2zjHq5p6s/s1600/SDDC1.8_DFW_14.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="691" data-original-width="1143" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRL_caN3YMO2kyXqgU7VI77T-HTCh5v3f63spvieGmeMMH4lSxXY5okX2k-igVcXXTUR463Drex7IEX4Vhx0usgQJXC9ESJzOqVru0k1BP6uRsf-joPr-XOlQmSEpzUCYQ6v2zjHq5p6s/s640/SDDC1.8_DFW_14.jpg" width="640" /></a></div>
<br />
Finally, the last group that I need to create is my On-Premises Management group:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid1lzpWyCMiT0fEpp0zgyiyuFXTEw0h1Prf2QGJSF59l1Ul6at77Tktc5a4bVwlqwXCxmqGyXfscWYvl5r2IS5ISqxmuoePxrWwGNBeR7ieaxh6wtxB7kCByvipxFa1z2dqq_8wq9RhNo/s1600/SDDC1.8_DFW_15.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="510" data-original-width="1600" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid1lzpWyCMiT0fEpp0zgyiyuFXTEw0h1Prf2QGJSF59l1Ul6at77Tktc5a4bVwlqwXCxmqGyXfscWYvl5r2IS5ISqxmuoePxrWwGNBeR7ieaxh6wtxB7kCByvipxFa1z2dqq_8wq9RhNo/s640/SDDC1.8_DFW_15.jpg" width="640" /></a></div>
<br />
This group is going to be based off the CIDR range 10.1.9.0/24 so select the IP/MAC Addresses option and enter the range:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh74QtxyllYx8FNiD-2osCEoibu_k_ScmFQbDVg5lJw9DFkO52w2gCubOKnE53EumGrnnldz7u7DDm9BZsKtZ2U3XSvQSuDZ4cu3vx_dhaLG09lodzHnjUedg1SxldaKyX0g32n4nxXRzc/s1600/SDDC1.8_DFW_16.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="688" data-original-width="1139" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh74QtxyllYx8FNiD-2osCEoibu_k_ScmFQbDVg5lJw9DFkO52w2gCubOKnE53EumGrnnldz7u7DDm9BZsKtZ2U3XSvQSuDZ4cu3vx_dhaLG09lodzHnjUedg1SxldaKyX0g32n4nxXRzc/s640/SDDC1.8_DFW_16.jpg" width="640" /></a></div>
<br />
I now have all the required Inventory Groups created and can start building out my Distributed Firewall ruleset:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcv004iKO_wnmm8APS2kQneBLKAOtOr3qbh49iesZsok1tuctd5IleKwkb7ZXKBB0e70pC5M4WeMldAnt1ttg6bqpHC0sNwpunkmZjhQ9fLKrITR6uKQTTiDiVweA6rOY2Uv4phSEfPAU/s1600/SDDC1.8_DFW_17.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="380" data-original-width="1600" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcv004iKO_wnmm8APS2kQneBLKAOtOr3qbh49iesZsok1tuctd5IleKwkb7ZXKBB0e70pC5M4WeMldAnt1ttg6bqpHC0sNwpunkmZjhQ9fLKrITR6uKQTTiDiVweA6rOY2Uv4phSEfPAU/s640/SDDC1.8_DFW_17.jpg" width="640" /></a></div>
<br />
The Distributed Firewall has been completely overhauled as part of SDDC v1.9 with a ton of great new features. The interface has been updated and now includes rule categories which are evaluated in order of precedence, i.e. Emergency rules will be evaluated before Environment rules:<br />
<br />
1 - Ethernet - Applied to all SDDC network traffic<br />
2 - Emergency - Used for quarantine and allow rules<br />
3 - Infrastructure - Define access to shared services. Global rules - AD, DNS, NTP, DHCP, Backup, Management Servers<br />
4 - Environment - Rules between zones - production vs development, inter-business unit rules<br />
5 - Application - Rules between applications, application tiers, or the rules between microservices<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFIJd3bbxvuPbu8BefRO7hJagefp7hWSTBAgt21ZQbH0V5BgAmpgXZvAk08YDcmUozAa1hYxKNmZau_uGPJAKhzRpfoqjSCvXO8DOR7FrBxTtVhhDC5gPeKccvosF6PJAhzi1AQcfG2cA/s1600/SDDC1.8_DFW_18.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="651" data-original-width="1600" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFIJd3bbxvuPbu8BefRO7hJagefp7hWSTBAgt21ZQbH0V5BgAmpgXZvAk08YDcmUozAa1hYxKNmZau_uGPJAKhzRpfoqjSCvXO8DOR7FrBxTtVhhDC5gPeKccvosF6PJAhzi1AQcfG2cA/s640/SDDC1.8_DFW_18.jpg" width="640" /></a></div>
<br />
Configurations can now be saved and published at a later date/time (Maybe within a change window) and we can also fully exclude VMs from having DFW policies applied. These are just a few of the improvements, remember to check the release notes for more.<br />
<br />
One of the huge usability improvements in SDDC v1.9 is the ability to dynamically re-prioritize rules by dragging and dropping them into place. You can also filter rules by name, source, destination or service and can edit rules inline on the UI. This makes creating and modifying DFW rules much more efficient.<br />
<br />
We are going to create the required rules for our 3-Tier App, and the first thing we need to do is create a new policy within the Application category. The name of the policy can be modified inline:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNTtHVE98cMob7-oIEM78LPZmJJSdh5ZwyCO8oC9kgJ9P0dBn0yK7dnqy-YPqwzsDvTGWg1dmiEa1mKfOMISn-_2SUtQ7qDpNO6eb3fLm9FKNpwHhrI7Dk29jtpA8vd7SusCYn9clvnYg/s1600/SDDC1.8_DFW_19.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="345" data-original-width="1452" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNTtHVE98cMob7-oIEM78LPZmJJSdh5ZwyCO8oC9kgJ9P0dBn0yK7dnqy-YPqwzsDvTGWg1dmiEa1mKfOMISn-_2SUtQ7qDpNO6eb3fLm9FKNpwHhrI7Dk29jtpA8vd7SusCYn9clvnYg/s640/SDDC1.8_DFW_19.jpg" width="640" /></a></div>
<br />
Click on the three dots to the right of the policy and click Add Rule:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4odR1fd8spEj5CONCUGzQVQOSp5CKLpGDxcNMPt2Upg50bGeaMoADBZKbpsSpjfwmoucdJMY-l7HZIQ-PfARB-SdhR_Z-KXzPWQ1pMoLaZrU4amQiL-NkSNoOCwjzrmI4IOM4Jdu1_TI/s1600/SDDC1.8_DFW_20.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="338" data-original-width="277" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4odR1fd8spEj5CONCUGzQVQOSp5CKLpGDxcNMPt2Upg50bGeaMoADBZKbpsSpjfwmoucdJMY-l7HZIQ-PfARB-SdhR_Z-KXzPWQ1pMoLaZrU4amQiL-NkSNoOCwjzrmI4IOM4Jdu1_TI/s320/SDDC1.8_DFW_20.jpg" width="262" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Give the rule a suitable name, in our example, we want this rule to allow Admin access to the 3-Tier App from the On-Premises Management Network for troubleshooting and support purposes:</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBbjStu6vnrU4URyfsvJeZbep3UtL_4pDU_bN4Vgu-oFCEd8idiSOgZ1ydJ3oylVDSQSmc7F2TzKCRxkcs9W8WhUC6exyjtPYSKtl37apk9m0REy-Dpy99swP_yNimpR1SLZviFYB1T80/s1600/SDDC1.8_DFW_21.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="373" data-original-width="1450" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBbjStu6vnrU4URyfsvJeZbep3UtL_4pDU_bN4Vgu-oFCEd8idiSOgZ1ydJ3oylVDSQSmc7F2TzKCRxkcs9W8WhUC6exyjtPYSKtl37apk9m0REy-Dpy99swP_yNimpR1SLZviFYB1T80/s640/SDDC1.8_DFW_21.jpg" width="640" /></a></div>
<br />
Within the Source set it to the On-Premises Management Inventory Group:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0cmad11m04m-9LNymBEQGvF51A2VM1N8YPsOuv_cBVcFUnMPXmMyTcsM98j4_veUgfkL0fpgrHVvcmTE3yMCtG1lsmyWId5sQ0mxbJrluT7gvpp9IMtgGUWlrgl-JaYQjzPgvCyMEyiY/s1600/SDDC1.8_DFW_22.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="695" data-original-width="1145" height="388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0cmad11m04m-9LNymBEQGvF51A2VM1N8YPsOuv_cBVcFUnMPXmMyTcsM98j4_veUgfkL0fpgrHVvcmTE3yMCtG1lsmyWId5sQ0mxbJrluT7gvpp9IMtgGUWlrgl-JaYQjzPgvCyMEyiY/s640/SDDC1.8_DFW_22.jpg" width="640" /></a></div>
<br />
Set the Destination to be the 3-Tier App group:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDm4M4jPQAPYCGCuD0cpgH8_W9MV2QS95WMEWnz5huYYcL43D7SqE0hUcSx9aYMtTOcxtRmpR73tQ5isy3VV4yN1nAVqG8BlvDPjo6AvVpF_dyloitkkbqP6cyDKDOaJgswWrvGd_YXMg/s1600/SDDC1.8_DFW_23.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="691" data-original-width="1144" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDm4M4jPQAPYCGCuD0cpgH8_W9MV2QS95WMEWnz5huYYcL43D7SqE0hUcSx9aYMtTOcxtRmpR73tQ5isy3VV4yN1nAVqG8BlvDPjo6AvVpF_dyloitkkbqP6cyDKDOaJgswWrvGd_YXMg/s640/SDDC1.8_DFW_23.jpg" width="640" /></a></div>
<br />
Now the services we want to allow are SSH and ICMP (If the service you require is not available you can add custom services):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizX5mxGrTHlQS74596jHo7P4qdy9nqd2X4NPwMuOuupXrvaXXnFP0biXGvY9BejMaPZjJQC4KmkWtp4MnvTixtC6DxF34ifRofB4Z5ipXyo31fmQ4BJhe2WBvdDaLAvrOdCEKlsiynGxE/s1600/SDDC1.8_DFW_24.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="691" data-original-width="1141" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizX5mxGrTHlQS74596jHo7P4qdy9nqd2X4NPwMuOuupXrvaXXnFP0biXGvY9BejMaPZjJQC4KmkWtp4MnvTixtC6DxF34ifRofB4Z5ipXyo31fmQ4BJhe2WBvdDaLAvrOdCEKlsiynGxE/s640/SDDC1.8_DFW_24.jpg" width="640" /></a></div>
<br />
We can see that our admin access rule is in place but since we have not published the ruleset this is currently not live:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP963RyR3EC2af3d01hwQ5C0xSH6oi4VU6jUFM0tWUlE3dUXDtQmiJEsFxamHHL3kTCxoPKoXNR9B_7XFMptGsot5bgmogHKxxMFgoIXG5dzYAFPyCCkgH4ujlhERNj-u_tEyaMMgpkmY/s1600/SDDC1.8_DFW_25.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="401" data-original-width="1453" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP963RyR3EC2af3d01hwQ5C0xSH6oi4VU6jUFM0tWUlE3dUXDtQmiJEsFxamHHL3kTCxoPKoXNR9B_7XFMptGsot5bgmogHKxxMFgoIXG5dzYAFPyCCkgH4ujlhERNj-u_tEyaMMgpkmY/s640/SDDC1.8_DFW_25.jpg" width="640" /></a></div>
<br />
I'm now going to create the complete ruleset for the application based on the following requirements:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8LJGMZ3_6rJtBK5L763tPITXQSN4iPgIFDNOT1UeStM2lO4I5x7Me4Z-V_dNV6COi1OrENXyL0YQgV_iMt6yqPHT__EfrG1NlGIfex6-rBYNWdtaXKHso0N-uDmYmskS5XdEuhl7evlc/s1600/SDDC1.8_DFW_07.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="136" data-original-width="757" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8LJGMZ3_6rJtBK5L763tPITXQSN4iPgIFDNOT1UeStM2lO4I5x7Me4Z-V_dNV6COi1OrENXyL0YQgV_iMt6yqPHT__EfrG1NlGIfex6-rBYNWdtaXKHso0N-uDmYmskS5XdEuhl7evlc/s640/SDDC1.8_DFW_07.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizMEesIXjh1QdgXmyL5FYqSM3E2In-qyH0u-lMUtwi1paRSNI80sgIuiZj8WzzjT8kSbYBRaYk7TnuKZiK_4KY4qdmuo4H3WZ2OM2vUQ6-YH7w9dAC68_Wr1XK_EFNb_o4Hu7uNYKPWA8/s1600/SDDC1.8_DFW_26.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="527" data-original-width="1448" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizMEesIXjh1QdgXmyL5FYqSM3E2In-qyH0u-lMUtwi1paRSNI80sgIuiZj8WzzjT8kSbYBRaYk7TnuKZiK_4KY4qdmuo4H3WZ2OM2vUQ6-YH7w9dAC68_Wr1XK_EFNb_o4Hu7uNYKPWA8/s640/SDDC1.8_DFW_26.jpg" width="640" /></a></div>
<br />
<br />
Once the ruleset has been created remember to publish it otherwise it will not be realised within NSX.<br />
<br />
The final task is to tag our VMs with the correct tags, so that they are added to the corresponding groups and the correct security policy is applied. Navigate to the Virtual Machines section and edit one of the VMs:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVgmOVYIizLl6uSVOUWg-ljwdBupjh5nbQ5Hm2Ys-F4C_aBpKbc-xt3ARMYD0ckM1QOrad6RbqGtWVRcT_idkIiLvz2-PBAYptvrbxdIj4bmOD139iX3KLUxBmgiI3uixzW-ONpEo7KfU/s1600/SDDC1.8_DFW_32.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="644" data-original-width="1054" height="390" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVgmOVYIizLl6uSVOUWg-ljwdBupjh5nbQ5Hm2Ys-F4C_aBpKbc-xt3ARMYD0ckM1QOrad6RbqGtWVRcT_idkIiLvz2-PBAYptvrbxdIj4bmOD139iX3KLUxBmgiI3uixzW-ONpEo7KfU/s640/SDDC1.8_DFW_32.jpg" width="640" /></a></div>
<br />
Tag the VM with the required tag. In our example, this would be either Web, App or DB:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX20Ej4_hcOopm6jsjqgjNLDtKQGBxoiF0pQr2QaPXm6oR0dxdvWxPLMEIo9HaNZzqeKHulRlOz5mXrj-pHchGuX-qpKJ6FrvfZmX7q4asj3H0KGfAf4X9OhC9-8jFADsJZSyEzULoI90/s1600/SDDC1.8_DFW_33.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="421" data-original-width="1204" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX20Ej4_hcOopm6jsjqgjNLDtKQGBxoiF0pQr2QaPXm6oR0dxdvWxPLMEIo9HaNZzqeKHulRlOz5mXrj-pHchGuX-qpKJ6FrvfZmX7q4asj3H0KGfAf4X9OhC9-8jFADsJZSyEzULoI90/s640/SDDC1.8_DFW_33.jpg" width="640" /></a></div>
<br />
Ensure all VMs in scope are tagged accordingly:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxjAry_cHx9dKPvVKBBl0qqS-Byt3PEhSgcnZ1BvlMitccjBWguoHdYEBfPXU5mXm7ce1wTAUjWWrZTsAtp70Z2Kgi4G4jNAaiuTcFlEPci2Rfwv7buazW5N3P40pJRNbZIgf6fitvuhI/s1600/SDDC1.8_DFW_34.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="302" data-original-width="860" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxjAry_cHx9dKPvVKBBl0qqS-Byt3PEhSgcnZ1BvlMitccjBWguoHdYEBfPXU5mXm7ce1wTAUjWWrZTsAtp70Z2Kgi4G4jNAaiuTcFlEPci2Rfwv7buazW5N3P40pJRNbZIgf6fitvuhI/s640/SDDC1.8_DFW_34.jpg" width="640" /></a></div>
<br />
You can check that the VMs have been tagged correctly and that they appear in the security group by viewing the group members:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8ztPxe4cdbBwo3HVz_XtxHn2oNkVt48uZFtD2SUdZmlvUNz8uAWKTXP0aU45thEZxn5KL9muBfR-Gp3fo1RPPXvPyufLZUrMZEoyCuBxIrsGcqfsCPCtEwrtY4_9GG7ZUTvKLalZljdM/s1600/SDDC1.8_DFW_35.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="641" data-original-width="1425" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8ztPxe4cdbBwo3HVz_XtxHn2oNkVt48uZFtD2SUdZmlvUNz8uAWKTXP0aU45thEZxn5KL9muBfR-Gp3fo1RPPXvPyufLZUrMZEoyCuBxIrsGcqfsCPCtEwrtY4_9GG7ZUTvKLalZljdM/s640/SDDC1.8_DFW_35.jpg" width="640" /></a></div>
<br />
My Web Servers group now has WEB01 as a member:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil_p4me-Dhq7lHkT-58o65GG8YWy0X7BJXArlloAU-vTwTnsnGlJ2pgwQpP3PzYP91-w-I7CMCiQsAQQfimwTRVBEx98Hhu01Ybq0aexaiLctLQJJl5ZisHvjig5hFHv5pxXyWCO3v4Ns/s1600/SDDC1.8_DFW_36.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="690" data-original-width="1143" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil_p4me-Dhq7lHkT-58o65GG8YWy0X7BJXArlloAU-vTwTnsnGlJ2pgwQpP3PzYP91-w-I7CMCiQsAQQfimwTRVBEx98Hhu01Ybq0aexaiLctLQJJl5ZisHvjig5hFHv5pxXyWCO3v4Ns/s640/SDDC1.8_DFW_36.jpg" width="640" /></a></div>
<br />
Using groups and tags has the operational benefit of not having to make any changes to rules if I scale up the application. If I add a new Web Server, all I have to do is tag it with the Web tag (ideally through automation) and the correct security policies will be applied to the workload from day one.<br />
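As an added illustration (not code from the post), the Python model below shows how tag-derived group membership and first-match rule evaluation combine so that a newly tagged VM inherits policy without any rule change, and what happens to a VM that is left untagged. The VM names, IPs, management CIDR and the tier-to-tier ports are constructed assumptions, since the post's requirement table is only shown as an image.<br />

```python
"""Tag-driven Distributed Firewall model (added example, not the post's own
code). VMs, IPs, tags and tier-to-tier rules are constructed to mirror the
post's 3-Tier App; the app-tier ports are assumptions because the post's
requirement table is an image."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set


@dataclass
class VM:
    name: str
    ip: str
    tags: Set[str]


@dataclass
class Rule:
    name: str
    src: str          # group name, CIDR or "any"
    dst: str          # group name, CIDR or "any"
    services: Set[str]
    action: str       # "allow" or "drop"


# Constructed inventory. Group membership is derived purely from tags.
INVENTORY: Dict[str, VM] = {
    "WEB01": VM("WEB01", "10.10.1.11", {"Web"}),
    "APP01": VM("APP01", "10.10.2.11", {"App"}),
    "DB01": VM("DB01", "10.10.3.11", {"DB"}),
}
GROUP_TAGS: Dict[str, Set[str]] = {
    "Web Servers": {"Web"},
    "App Servers": {"App"},
    "DB Servers": {"DB"},
    "3-Tier App": {"Web", "App", "DB"},   # any one of the three tags
}
MGMT_CIDR = "192.168.10.0/24"             # constructed on-prem management range

# Ordered ruleset: first match wins, then the implicit default drop.
RULES: List[Rule] = [
    Rule("Admin access", MGMT_CIDR, "3-Tier App", {"SSH", "ICMP"}, "allow"),
    Rule("Web inbound", "any", "Web Servers", {"HTTP", "HTTPS"}, "allow"),
    Rule("Web to App", "Web Servers", "App Servers", {"TCP/8080"}, "allow"),  # assumed port
    Rule("App to DB", "App Servers", "DB Servers", {"MySQL"}, "allow"),       # assumed service
]


def members(group: str) -> Set[str]:
    """Names of VMs whose tags satisfy the group's tag criteria."""
    return {v.name for v in INVENTORY.values() if v.tags & GROUP_TAGS[group]}


def _matches(selector: str, endpoint: str) -> bool:
    """Does a VM name or bare IP match a rule's src/dst selector?"""
    if selector == "any":
        return True
    if selector in GROUP_TAGS:
        return endpoint in members(selector)
    # Otherwise the selector is a CIDR; resolve VM names to their IP first.
    ip = INVENTORY[endpoint].ip if endpoint in INVENTORY else endpoint
    return ip_address(ip) in ip_network(selector)


def decide(src: str, dst: str, service: str) -> str:
    """Walk the ruleset top-down and return the first matching rule's name,
    or 'default drop' when nothing matches."""
    for rule in RULES:
        if service in rule.services and _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.name
    return "default drop"


def is_allowed(src: str, dst: str, service: str) -> bool:
    hit = decide(src, dst, service)
    if hit == "default drop":
        return False
    return next(r for r in RULES if r.name == hit).action == "allow"


def add_vm(name: str, ip: str, tags: Set[str]) -> None:
    """Scaling out: a new VM only needs the right tag to inherit policy."""
    INVENTORY[name] = VM(name, ip, set(tags))


if __name__ == "__main__":
    desktop = "192.168.10.5"   # constructed admin desktop inside the mgmt CIDR
    print("desktop -> WEB01 SSH :", decide(desktop, "WEB01", "SSH"))
    print("WEB01   -> DB01  SSH :", decide("WEB01", "DB01", "SSH"))
    add_vm("WEB02", "10.10.1.12", {"Web"})          # no rule edits needed
    print("desktop -> WEB02 SSH :", decide(desktop, "WEB02", "SSH"))
    add_vm("TEMP01", "10.10.9.9", set())            # forgot the tag
    print("desktop -> TEMP01 SSH:", decide(desktop, "TEMP01", "SSH"))
```

The untagged TEMP01 case is the one to watch operationally: with a default drop, a VM that misses its tag is isolated from the management range as well as from its tier.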
<br />
Now that the Distributed Firewall policies have been created and the VMs tagged, let's check that my application is working as expected. If I browse to the Web Server I can see that I can successfully connect to the 3-Tier Application:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkU0tgX8iTQtH8wtju9biNLLVnUGwJot2MZMd_OR7w_5b6eBlx64Q9FiNlhV_FcBeGy7zhhv90cFMK5GtAy1-8-0ky-iyCGBsWGvlWcwVux7YC0yyrZ4xqexVWU4ojeNxdHh4OuKWGFHc/s1600/SDDC1.8_DFW_42.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="407" data-original-width="711" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkU0tgX8iTQtH8wtju9biNLLVnUGwJot2MZMd_OR7w_5b6eBlx64Q9FiNlhV_FcBeGy7zhhv90cFMK5GtAy1-8-0ky-iyCGBsWGvlWcwVux7YC0yyrZ4xqexVWU4ojeNxdHh4OuKWGFHc/s640/SDDC1.8_DFW_42.jpg" width="640" /></a></div>
<br />
From my desktop which is in the On-Premises Management CIDR range, I can successfully ping all workloads:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB-iIgGXpRnFQH2qrheUU58-SEuIfKyONZ9jcuZ0w5Ihu0Q119jPTd4pBwl9DqOQ4Hx-r8IZwgMKbxVBo2ltqFKFrZbUbYrYl22hml8k6vzM97vVlmmWO6OD5-50ufbihIdP_A1IR_js0/s1600/SDDC1.8_DFW_41.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="816" data-original-width="558" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB-iIgGXpRnFQH2qrheUU58-SEuIfKyONZ9jcuZ0w5Ihu0Q119jPTd4pBwl9DqOQ4Hx-r8IZwgMKbxVBo2ltqFKFrZbUbYrYl22hml8k6vzM97vVlmmWO6OD5-50ufbihIdP_A1IR_js0/s640/SDDC1.8_DFW_41.jpg" width="436" /></a></div>
<br />
I can also successfully SSH into the Web Server but notice that I cannot SSH or ping from the Web Server to the Database Server:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS732RTO7_jcxsg7guFby0C3X9LreLvoA4GZ1VLkv9SNgrJfUbls3IvJoNJUKJR0UgYrc6E_YzjvYhYIfiJ8tO7rpcJVFcsE4zucvu8tV_ANHo4xjgwlKyhKV24v9_b9HFSvN6hp6LUjM/s1600/SDDC1.8_DFW_43.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="511" data-original-width="621" height="524" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS732RTO7_jcxsg7guFby0C3X9LreLvoA4GZ1VLkv9SNgrJfUbls3IvJoNJUKJR0UgYrc6E_YzjvYhYIfiJ8tO7rpcJVFcsE4zucvu8tV_ANHo4xjgwlKyhKV24v9_b9HFSvN6hp6LUjM/s640/SDDC1.8_DFW_43.jpg" width="640" /></a></div>
<br />
VMware Cloud on AWS SDDC v1.9 is an update packed with new features and functionality and just shows the power of the platform in helping customers migrate and secure their workloads with familiar tooling.Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-34202030988041279822019-12-04T09:30:00.000+00:002019-12-04T09:30:00.211+00:00Monitoring VMware Cloud on AWS vCenter alarms within vRealize Log Insight Cloud<a href="https://cloud.vmware.com/log-insight-cloud" target="_blank">vRealize Log Insight Cloud</a> (vRLIC) gives us unified visibility across public and private clouds through robust log aggregation, analytics and faster root cause determination. The great news is that it is also included as part of your subscriptions to VMware Cloud on AWS (VMC) and as of VMworld Europe 2019 also now includes additional features and functionality:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglA7Apmz2V8MzZ3N_qg_q9QhaGlXneAuq_d3Bez1GYrF8ib7p2H21scXujOH0PjVcEW_E69zsC0rGpwnVOiiLos8qeRHNgZ-8_0GM9RJeXs4twJmMYUegD7ArfJbR5SOnal6_wmy-n3Gw/s1600/vRLIC_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="543" data-original-width="997" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglA7Apmz2V8MzZ3N_qg_q9QhaGlXneAuq_d3Bez1GYrF8ib7p2H21scXujOH0PjVcEW_E69zsC0rGpwnVOiiLos8qeRHNgZ-8_0GM9RJeXs4twJmMYUegD7ArfJbR5SOnal6_wmy-n3Gw/s400/vRLIC_01.jpg" width="400" /></a></div>
<br />
Check out the official blog article <a href="https://cloud.vmware.com/community/2019/11/05/vrealize-log-insight-cloud-new-name-packaging-features/" target="_blank">here</a>.<br />
<br />
With the core version, VMC customers now get access to real-time reporting, which is what we are going to look at today. In a previous <a href="https://www.m80arm.co.uk/2019/12/vmware-cloud-on-aws-vcenter-alarms.html" target="_blank">post</a>, I talked about creating VMC vCenter alarms and setting notifications for specific events. The event we were particularly interested in was the VSAN datastore reaching 70% utilisation, because at 75% a new host will be added to ensure we stay within <a href="https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/vmw-cloud-aws-service-level-agreement.pdf" target="_blank">SLA</a>. In the example, we used an alert that would trigger if the datastore was less than 100% utilised, as this would ensure the alert always triggers. We are now going to use vRLIC to query for the alert and then send us a notification once it has been triggered.<br />
<br />
vRLIC is automatically configured to ingest logs for VMC and can be accessed via the Cloud Services Portal so there is nothing that you need to do to start using it, simply launch the application:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe-oXfK5Ei5EwJLtztNsJiYGVwyfE85RONzodYHao3Cm2qBLQ5iBBWHs3fd6p6g8EIdhlmIFU5JYrC1kMopjiwo_PsqSP8WC2JM7RgDmiwU11sOKdJdHj59A9149JAULNCLHkusU1BSII/s1600/vRLIC_02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="303" data-original-width="1392" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe-oXfK5Ei5EwJLtztNsJiYGVwyfE85RONzodYHao3Cm2qBLQ5iBBWHs3fd6p6g8EIdhlmIFU5JYrC1kMopjiwo_PsqSP8WC2JM7RgDmiwU11sOKdJdHj59A9149JAULNCLHkusU1BSII/s400/vRLIC_02.jpg" width="400" /></a></div>
<br />
The initial landing page gives us a great overview of recent alerts and event observations over the last hour. It is definitely worth spending some time with vRLIC to see the level of information and default alerts that are available to VMC customers:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM5Igq7ig79efI71r9m7vJ9KHGCx-ns8Zkgy6CsmuiGwTb5DUOF40xfYOgo7LPVi8Elk_q_u_lgt28MgeHTVhaVISgwqYgwb4eO2DJNMstm67cXd188pThGHK5fz-M5FVjoiAm0yUyqQI/s1600/vRLIC_03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="720" data-original-width="1600" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM5Igq7ig79efI71r9m7vJ9KHGCx-ns8Zkgy6CsmuiGwTb5DUOF40xfYOgo7LPVi8Elk_q_u_lgt28MgeHTVhaVISgwqYgwb4eO2DJNMstm67cXd188pThGHK5fz-M5FVjoiAm0yUyqQI/s400/vRLIC_03.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I've re-created the vCenter alert that triggers when VSAN Datastore Usage is below 100 percent just to ensure the log is sent instantly to vRLIC:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXFpDtPK2YZoLTowK3fZzGj5TCOwXzM251BJ1opz1W1JjAZkIeHQ4Z1S0Upn8F-J2o4K25qr0kt-UZKOmKaPDYqLTghUBHXc4w05yayZhOBcDCqhGM74gn-l-iStDi9K8JzsSS6Bw3WDc/s1600/vRLIC_20.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="963" data-original-width="1143" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXFpDtPK2YZoLTowK3fZzGj5TCOwXzM251BJ1opz1W1JjAZkIeHQ4Z1S0Upn8F-J2o4K25qr0kt-UZKOmKaPDYqLTghUBHXc4w05yayZhOBcDCqhGM74gn-l-iStDi9K8JzsSS6Bw3WDc/s400/vRLIC_20.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
If we explore the logs and query for the alert name <b>VSAN Datastore Usage is below 100 percent</b> with a timeframe of the last ten minutes then we can see the triggered alert. We know this is the alert because we can see it change its state from Gray to Red:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxGKZ_lAxOOJ3lrF1AmsoXpZjedTwq8clcun2WB5OunLHSKIgLOCHGHkMjv7l0Cc953IQCsuKmxDJ97WL_o4T-2v7Vwk02bcxOnNbIFICL28_eLbdLRK8IuqMhxhNCWNErxoHRjFrVZ8E/s1600/vRLIC_21.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="516" data-original-width="1600" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxGKZ_lAxOOJ3lrF1AmsoXpZjedTwq8clcun2WB5OunLHSKIgLOCHGHkMjv7l0Cc953IQCsuKmxDJ97WL_o4T-2v7Vwk02bcxOnNbIFICL28_eLbdLRK8IuqMhxhNCWNErxoHRjFrVZ8E/s400/vRLIC_21.jpg" width="400" /></a></div>
<br />
Now that we have the query needed we can click on the save icon:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNRkyrSwXjXgaj4IrjTdVrbZyR7bfz55G22gOGReCnuwiOlwPqRxwydyDjQaUIXX5OnDvGergkS4BZxssa-dVErbvHPv1v4jhIu2LbFT5J35kUTcFWf8-DT-k5yfoKZ2QMWXyDPYomA6Q/s1600/vRLIC_08.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="49" data-original-width="287" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNRkyrSwXjXgaj4IrjTdVrbZyR7bfz55G22gOGReCnuwiOlwPqRxwydyDjQaUIXX5OnDvGergkS4BZxssa-dVErbvHPv1v4jhIu2LbFT5J35kUTcFWf8-DT-k5yfoKZ2QMWXyDPYomA6Q/s400/vRLIC_08.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Give the query a suitable name and description and click <b>Save:</b></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmP0AWDKfsNKw8KxgCW4yNKoHhAk9NlSLgK1xyhy9KtDxpYBYvi716ZzNKNy0TdwKtW7qQjdeDoV7EpNlV966nzXoguyPG1bWFGeb61uKrC6cY_KxC6U7l2ECEAqZeVsdXL9jWEnB6z8o/s1600/vRLIC_22.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="475" data-original-width="570" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmP0AWDKfsNKw8KxgCW4yNKoHhAk9NlSLgK1xyhy9KtDxpYBYvi716ZzNKNy0TdwKtW7qQjdeDoV7EpNlV966nzXoguyPG1bWFGeb61uKrC6cY_KxC6U7l2ECEAqZeVsdXL9jWEnB6z8o/s400/vRLIC_22.jpg" width="400" /></a></div>
<br />
Once we save the query we can click on the alert icon to create an alert based on the query:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKi0yMM-qY_BwY3e0FTgdaQlkbBdVoKBIviUfMTL1opYHK2VdFjjsSFfModo7Zp_muPRxHoVCBpl1tPj-5Mf0cBN6J83BXAu0Xzy-kqpmFNgLPiUcMbtLEe_4PLSi8XFJ12dVXb_DDYWA/s1600/vRLIC_10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="59" data-original-width="301" height="77" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKi0yMM-qY_BwY3e0FTgdaQlkbBdVoKBIviUfMTL1opYHK2VdFjjsSFfModo7Zp_muPRxHoVCBpl1tPj-5Mf0cBN6J83BXAu0Xzy-kqpmFNgLPiUcMbtLEe_4PLSi8XFJ12dVXb_DDYWA/s400/vRLIC_10.jpg" width="400" /></a></div>
<br />
Give the alert a suitable name and description and click <b>Save</b>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXkG_OGX183doN-rWHDwvZFaB0rXfoZHXHlcwuFOrip0K-VyA0t13Zb-2G9grbJ4Ny-4bUkkKajSe9_OnQNApxrHiQ8GBJENrRrOYQ31srdAva8mkHKTYtfjhAGfnmxdza2tgU5ObFhjY/s1600/vRLIC_23.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="523" data-original-width="571" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXkG_OGX183doN-rWHDwvZFaB0rXfoZHXHlcwuFOrip0K-VyA0t13Zb-2G9grbJ4Ny-4bUkkKajSe9_OnQNApxrHiQ8GBJENrRrOYQ31srdAva8mkHKTYtfjhAGfnmxdza2tgU5ObFhjY/s400/vRLIC_23.jpg" width="400" /></a></div>
<br />
The Alert Definition screen will appear which will allow you to customise the alert. Remember to add the Email address where you would like the alert to be sent, set the trigger to evaluate on every match and enable it before clicking on the save icon:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuysG4QyJyghNg2HMtSsPwYdb2yZopPpAvYnBXhC4F6fbPs9RvONFfYMoDY06Hd959cyjVp-CUAndNVGC66YOTz9DJqfvRRHWy3zcgArEHCDEOsaxSy6vxnf2J9m9uado-OMhrXVgWq0A/s1600/vRLIC_24.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="525" data-original-width="1600" height="131" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuysG4QyJyghNg2HMtSsPwYdb2yZopPpAvYnBXhC4F6fbPs9RvONFfYMoDY06Hd959cyjVp-CUAndNVGC66YOTz9DJqfvRRHWy3zcgArEHCDEOsaxSy6vxnf2J9m9uado-OMhrXVgWq0A/s400/vRLIC_24.jpg" width="400" /></a></div>
<br />
It's also worth sending a test alert to ensure you receive the notification:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUetBkoOXjh7H9Xf840gUhZbr2i0FLK_THno9OzGD9I3UToH0d9kyqsI8T67QvzXghf_Qw4_YPFOjHS3LsOEehO5DpUulPjRmY0GPdSjXyb5HF-qWcMxsBJyAf-EEs16JP_ft3BFPQ93k/s1600/vRLIC_25.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="156" data-original-width="539" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUetBkoOXjh7H9Xf840gUhZbr2i0FLK_THno9OzGD9I3UToH0d9kyqsI8T67QvzXghf_Qw4_YPFOjHS3LsOEehO5DpUulPjRmY0GPdSjXyb5HF-qWcMxsBJyAf-EEs16JP_ft3BFPQ93k/s400/vRLIC_25.jpg" width="400" /></a></div>
<br />
If everything is set up correctly, the next time the alert is triggered you should receive a notification via email and also see it under Recent Alerts:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzGxWrNe3r4lIu2RZExgyLIDMcqN3C35Gknj0jJ4KoA2ilkWjab3Batbar2Y7J__4S4GzCpsl8LGzz80zjlDaeE0Cgznx16uUqZsQEE9yUKvv60f1mTRNGhf8zJPMLjj9BmTwSacxo6YY/s1600/vRLIC_26.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="583" data-original-width="1261" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzGxWrNe3r4lIu2RZExgyLIDMcqN3C35Gknj0jJ4KoA2ilkWjab3Batbar2Y7J__4S4GzCpsl8LGzz80zjlDaeE0Cgznx16uUqZsQEE9yUKvv60f1mTRNGhf8zJPMLjj9BmTwSacxo6YY/s400/vRLIC_26.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU_Ojs1hP-zUajFZdcyQo2_5NPRAEc_DiNz58c6YUc67iAKf50QlD0jR7EOepns7M8Ut07xohNhry_8Oech-KVpoRIRxDvXXMd4I_HWTI1cCLBVhxzXl-m6Jx9ALU7FPsm6-C2Bh1OQOk/s1600/vRLIC_27.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="522" data-original-width="1098" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU_Ojs1hP-zUajFZdcyQo2_5NPRAEc_DiNz58c6YUc67iAKf50QlD0jR7EOepns7M8Ut07xohNhry_8Oech-KVpoRIRxDvXXMd4I_HWTI1cCLBVhxzXl-m6Jx9ALU7FPsm6-C2Bh1OQOk/s400/vRLIC_27.jpg" width="400" /></a></div>
<br />
With the example above we are triggering an email notification whenever we see any ingested log that contains the text <b>VSAN Datastore Usage is below 100 percent</b>. This is not ideal because it will also trigger the notification when any changes to the alarm are made, i.e. a reset to green or disabling and re-enabling. I tried testing this on the alarm name as well as the text <b>gray to red</b>, which is sent when the state of the alarm changes, but during testing I noticed that this was not always sent on certain alarm configuration changes, which I have fed back to the BU and will be addressed in the future. I don't envisage these changes being made regularly in customer environments so it should not cause an influx of emails.<br />
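An added example (not the post's own code) of the filtering a notification rule needs here: it parses constructed vCenter alarm event lines shaped like the AlarmStatusChangedEvent message and keeps only transitions of the named alarm into a worse state, so resets to Green, alarm edits and unrelated alarms do not notify. The timestamps and the non-status lines are constructed; the comparison against a plain text match shows how much noise the name-only query lets through.<br />

```python
"""Filter vCenter alarm events down to real trigger transitions (added
example, not the post's own code). SAMPLE_LOG is constructed in the shape of
vCenter's alarm status-change messages; timestamps are invented."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

ALARM_NAME = "VSAN Datastore Usage is below 100 percent"

# Matches e.g. "Alarm 'X' on WorkloadDatastore changed from Gray to Red"
STATUS_RE = re.compile(
    r"Alarm '(?P<alarm>[^']+)' on (?P<entity>\S+) changed from "
    r"(?P<old>Gray|Green|Yellow|Red) to (?P<new>Gray|Green|Yellow|Red)"
)
SEVERITY = {"Gray": 0, "Green": 1, "Yellow": 2, "Red": 3}


@dataclass
class Transition:
    timestamp: str
    alarm: str
    entity: str
    old: str
    new: str

    @property
    def is_escalation(self) -> bool:
        """True only when the alarm moved to a worse state (e.g. Gray->Red,
        Green->Red); Red->Green resets are not escalations."""
        return SEVERITY[self.new] > SEVERITY[self.old]


def parse_line(line: str) -> Optional[Transition]:
    """Return a Transition for a status-change line, None for anything else
    (created/reconfigured/acknowledged lines carry no state change)."""
    ts, _, msg = line.partition(" ")
    m = STATUS_RE.search(msg)
    if not m:
        return None
    return Transition(ts, m["alarm"], m["entity"], m["old"], m["new"])


def naive_matches(lines: Iterable[str], alarm_name: str = ALARM_NAME) -> List[str]:
    """What a plain text query on the alarm name returns: every line that
    mentions the alarm, including edits and clears."""
    return [line for line in lines if alarm_name in line]


def notify_worthy(lines: Iterable[str], alarm_name: str = ALARM_NAME) -> List[Transition]:
    """Only escalations of the named alarm are worth an email."""
    hits = []
    for line in lines:
        t = parse_line(line)
        if t and t.alarm == alarm_name and t.is_escalation:
            hits.append(t)
    return hits


SAMPLE_LOG = [  # constructed sample, not captured from a real SDDC
    "2019-12-04T09:31:02Z Created alarm 'VSAN Datastore Usage is below 100 percent' on WorkloadDatastore",
    "2019-12-04T09:31:05Z Alarm 'VSAN Datastore Usage is below 100 percent' on WorkloadDatastore changed from Gray to Red",
    "2019-12-04T09:40:11Z Alarm 'VSAN Datastore Usage is below 100 percent' on WorkloadDatastore changed from Red to Green",
    "2019-12-04T09:41:00Z Reconfigured alarm 'VSAN Datastore Usage is below 100 percent' on WorkloadDatastore",
    "2019-12-04T09:41:03Z Alarm 'VSAN Datastore Usage is below 100 percent' on WorkloadDatastore changed from Green to Red",
    "2019-12-04T09:42:00Z Alarm 'Host connection state' on esx-01 changed from Green to Red",
]

if __name__ == "__main__":
    print("name-only query matches:", len(naive_matches(SAMPLE_LOG)))
    for t in notify_worthy(SAMPLE_LOG):
        print(f"notify: {t.timestamp} {t.entity} {t.old} -> {t.new}")
```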
<br />
A point that I would like to highlight is that vRLIC currently runs out of one of the US AWS regions, so if there are issues with logs residing outside of the UK/EU then please get in touch and I will continue to raise this internally.Michaelhttp://www.blogger.com/profile/10740016259613298383noreply@blogger.com0tag:blogger.com,1999:blog-3725872427010598639.post-84479911867226656212019-12-02T08:19:00.002+00:002019-12-04T09:37:34.304+00:00VMware Cloud on AWS vCenter AlarmsA lot of VMware customers use vCenter alarms and notifications for monitoring their on-premises environment, and the same goes for when they move to VMware Cloud on AWS. I was recently asked by a customer how they can receive a notification when the VSAN storage capacity is getting close to 75% full. For those who are not aware, we need 25% slack space for VSAN and will automatically add a host once storage utilisation reaches 25%, which is documented in the <a href="https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/vmw-cloud-aws-service-level-agreement.pdf" target="_blank">Service Level Agreement</a> for VMware Cloud on AWS.<br />
<div>
<br /></div>
<div>
Creating an alarm can either be completed directly in the vCenter client or via the Cloud Gateway Appliance. Simply browse to the <b>WorkloadDatastore</b>, select <b>Configure</b> and then <b>Alarm Definitions</b>. From here you need to <b>Add</b> a new alarm:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBKRA7ZYdY1NxNbh2LffAjZM3qOBa1s5ZSBTmJT8wLbDZK1zMfASqlR2MYYLhx1ywQau8GA4w6UXAnhiHIvmv41aVmGFIM7vccb3rNy2MZOW5jSNNf92zBltKPvxXgPr9w8RKfcxwwX4c/s1600/alarms_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="598" data-original-width="1237" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBKRA7ZYdY1NxNbh2LffAjZM3qOBa1s5ZSBTmJT8wLbDZK1zMfASqlR2MYYLhx1ywQau8GA4w6UXAnhiHIvmv41aVmGFIM7vccb3rNy2MZOW5jSNNf92zBltKPvxXgPr9w8RKfcxwwX4c/s400/alarms_01.jpg" width="400" /></a></div>
<div>
<br /></div>
<div>
Give the alarm a suitable Name and Description and click <b>Next</b>:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB5IS6qw6UnEb2jyivxA5FEjPzCWqreg3LiUJ9uWahmss05izrj6sNo3KeaNPqtNFfsX9v3m0udBchGrt3-C_YH9YITuF1mQKlmvOaJiQ-0EWdomowdN_jtoBNca0HGm7Ww40iIgngNMc/s1600/alarms_02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="966" data-original-width="1143" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB5IS6qw6UnEb2jyivxA5FEjPzCWqreg3LiUJ9uWahmss05izrj6sNo3KeaNPqtNFfsX9v3m0udBchGrt3-C_YH9YITuF1mQKlmvOaJiQ-0EWdomowdN_jtoBNca0HGm7Ww40iIgngNMc/s400/alarms_02.jpg" width="400" /></a></div>
<div>
<br /></div>
<div>
In the example, I am setting the alarm to be triggered if the utilization is less than 100% (which will always be the case) to ensure that I receive a notification. Typically you would set this to <b>is above 70%</b> or whatever threshold you feel comfortable with. Once you have the correct parameters, enter the email address to which you would like the notification sent and click <b>Next</b>:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0FhCP-5gBqiwHjWfZCFKK7HGKiecx1t0gtjDbOo486GnXeHw8AhHY1JM2fVSbZWYO65Iozd266SsJC5007TXAq1jWEP3ngX8vnbnEQTwkfmhul1fWvta2LDlk7dpunoTUrrn48XZS-SY/s1600/alarms_03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="961" data-original-width="1143" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0FhCP-5gBqiwHjWfZCFKK7HGKiecx1t0gtjDbOo486GnXeHw8AhHY1JM2fVSbZWYO65Iozd266SsJC5007TXAq1jWEP3ngX8vnbnEQTwkfmhul1fWvta2LDlk7dpunoTUrrn48XZS-SY/s400/alarms_03.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Set the email notification if you want to be notified once the condition clears; otherwise click <b>Next</b>:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYVdoopnUZzW6h8mHbfU1979_VDhyz5qex1tdj8HJlZibX6suXzDVAJaVPR-Ft2Jhq4Pf2BPrXQhJ4-Il3XSw0Y5IXr3ITXmJp-cTgJ3x0HZ8NITPBEu9u0kGWdSTADe6Nybp1DaHOI1s/s1600/alarms_04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="965" data-original-width="1140" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYVdoopnUZzW6h8mHbfU1979_VDhyz5qex1tdj8HJlZibX6suXzDVAJaVPR-Ft2Jhq4Pf2BPrXQhJ4-Il3XSw0Y5IXr3ITXmJp-cTgJ3x0HZ8NITPBEu9u0kGWdSTADe6Nybp1DaHOI1s/s400/alarms_04.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Review your settings and click <b>Next</b> when ready:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfF1sVyOriE2oCQ_kNHZnCwsQFrFadI9zDVdlR0UlDjrs1gj1Zm25zBqK07WqLbJ8F2VF_AgpWUH06M75A8cOBKVaBr3EyjzTkAxI-MjjtfJ0_fzh9pDmJ-lj7_7Sk_E7QQUmWYaAOF5k/s1600/alarms_05.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="964" data-original-width="1143" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfF1sVyOriE2oCQ_kNHZnCwsQFrFadI9zDVdlR0UlDjrs1gj1Zm25zBqK07WqLbJ8F2VF_AgpWUH06M75A8cOBKVaBr3EyjzTkAxI-MjjtfJ0_fzh9pDmJ-lj7_7Sk_E7QQUmWYaAOF5k/s400/alarms_05.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Since our alarm was set to trigger if storage utilisation was less than 100% we can see that it triggered straight away within vCenter:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfdQ3idaBwc_8pZ3jloq54XhktYK5ZHMAClcHtluUoGJweOBdBgM7fiQtbqVq_G7mqrhE5vwxWxNeouoB4up9HvzRlfrMhWTg1lrwEFcbuRVCS4nc2Y7VIZnSd3gPjg3bOce6joHrZhTY/s1600/alarms_06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="364" data-original-width="1409" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfdQ3idaBwc_8pZ3jloq54XhktYK5ZHMAClcHtluUoGJweOBdBgM7fiQtbqVq_G7mqrhE5vwxWxNeouoB4up9HvzRlfrMhWTg1lrwEFcbuRVCS4nc2Y7VIZnSd3gPjg3bOce6joHrZhTY/s400/alarms_06.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We also received an email notification:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrxC_NXw8_azyrUMJnP-Ge5C5aIaM_Q3Zs5BO6c7OQoVsnb64BzdbxqXhAnpVmuo-q9UcFZTRIrHnpB6A5NQb3M3_37HglkPj4943FasALv5Yg1CreQ_2mHZJVKqorPTHJmw1hOSqHbAo/s1600/alarms_07.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="312" data-original-width="876" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrxC_NXw8_azyrUMJnP-Ge5C5aIaM_Q3Zs5BO6c7OQoVsnb64BzdbxqXhAnpVmuo-q9UcFZTRIrHnpB6A5NQb3M3_37HglkPj4943FasALv5Yg1CreQ_2mHZJVKqorPTHJmw1hOSqHbAo/s400/alarms_07.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Since there is currently no sender address, there is a chance this might get picked up by your email spam filtering software, so you might have to create a rule to allow it through. Due to this annoyance, in the <a href="https://www.m80arm.co.uk/2019/12/monitoring-vmware-cloud-on-aws-vcenter.html" target="_blank">next article</a> I will show you how to trigger an alert from <a href="https://cloud.vmware.com/log-intelligence" target="_blank">vRealize Log Intelligence Cloud</a>.</div>
Michael, 2019-10-16<br />
<br />
<b>Adding vCenter Cloud Gateway Proxy Exceptions</b><br />
<br />
I was recently asked whether we could add proxy exceptions to the vCenter Cloud Gateway appliance to ensure that all local traffic, i.e. traffic to the on-premises vCenter, does not go through the corporate proxy. For those who are not aware, the vCenter Cloud Gateway allows Hybrid Linked Mode between an on-premises vCenter and a vCenter residing in VMC without the requirement to open specific ports from VMC back to on-premises. The only ports that are required are TCP/443 and TCP/902 as per the <a href="https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vsphere.vmc-aws-manage-data-center.doc/GUID-BE75F0F1-2864-4926-97FE-37E635471C43.html" target="_blank">pre-requisites</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE_vmttLneuMPAceIVhfpgQEIAVAd0foadA-VH9voOK-TWvLYXZ6556fADNtmjaeV6ohyKnWSZq31_FhNHMftwK93MbuJyzTKkNqK5SYvc4v1gvX-1RoEJzqkmm5j-NEVwRVeqKvvT7hI/s1600/CGA-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="450" data-original-width="800" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE_vmttLneuMPAceIVhfpgQEIAVAd0foadA-VH9voOK-TWvLYXZ6556fADNtmjaeV6ohyKnWSZq31_FhNHMftwK93MbuJyzTKkNqK5SYvc4v1gvX-1RoEJzqkmm5j-NEVwRVeqKvvT7hI/s400/CGA-01.png" width="400" /></a></div>
<br />
When checking the VAMI interface on the vCenter Cloud Gateway appliance, the only proxy options are enabling or disabling the proxy for HTTP, HTTPS and FTP; there is no option to add exceptions:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs0HAlzwEn20xPcrNaeK70fuhzPFPkloMVklXYSEEc-hNWNRW8_hrliu2mXn4AzBegvgy9hVDkA06q5XgyvSWERewoDmNJtVc29A5IuAMNteoCELIzTOIA7hLXz-o1FIKpRZuBgBV_fDU/s1600/CGA-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="475" data-original-width="557" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs0HAlzwEn20xPcrNaeK70fuhzPFPkloMVklXYSEEc-hNWNRW8_hrliu2mXn4AzBegvgy9hVDkA06q5XgyvSWERewoDmNJtVc29A5IuAMNteoCELIzTOIA7hLXz-o1FIKpRZuBgBV_fDU/s400/CGA-02.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
To add exceptions you need to use the API. To get the list of current proxy exceptions you can use:<br />
<br />
<b>GET</b> https://&lt;Cloud Gateway IP&gt;:5480/rest/appliance/networking/noproxy<br />
<br />
If you want to add entries you can do a PUT against the following URL:<br />
<br />
<b>PUT</b> https://&lt;Cloud Gateway IP&gt;:5480/rest/appliance/networking/noproxy<br />
<br />
with the following JSON:<br />
<br />
{<br />
&nbsp;&nbsp;"servers": [<br />
&nbsp;&nbsp;&nbsp;&nbsp;"localhost",<br />
&nbsp;&nbsp;&nbsp;&nbsp;"127.0.0.1",<br />
&nbsp;&nbsp;&nbsp;&nbsp;"10.0.0.0"<br />
&nbsp;&nbsp;]<br />
}<br />
<br />
Replace "10.0.0.0" with, or add, the networks that require an exception. localhost and 127.0.0.1 are always added.<br />
<br />
In the below example I GET the current list of proxy exceptions:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimTArON2swdt4_fKkE1QmzugXCXcrjEpJqlHgoCl5NJAf8r2IJ2qvMGrT6dWwSZHdmoV007DchalLACBBTc7h2st7DVTvUo9xH7MWj7H6HDmXkopHdvNK1mSkLnIMpRN9DSFsAdqgwtv8/s1600/CGA-03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="399" data-original-width="671" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimTArON2swdt4_fKkE1QmzugXCXcrjEpJqlHgoCl5NJAf8r2IJ2qvMGrT6dWwSZHdmoV007DchalLACBBTc7h2st7DVTvUo9xH7MWj7H6HDmXkopHdvNK1mSkLnIMpRN9DSFsAdqgwtv8/s400/CGA-03.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I then PUT two new exceptions into the list (10.0.0.0 and 192.168.1.0):</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghOq0t8kcSS274TmyT-bbTgY4HyDsJ6zbzoD4K7MRXcXEB3AGS3SSTZsosLb-otMPTtba7Bhxu5VEjsSXi7zgFa9x6RqjMSmJjvIuA6B5N8AOaFn0T1tQPzxWp6na87WlfkltF5aapGjI/s1600/CGA-04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="641" data-original-width="670" height="382" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghOq0t8kcSS274TmyT-bbTgY4HyDsJ6zbzoD4K7MRXcXEB3AGS3SSTZsosLb-otMPTtba7Bhxu5VEjsSXi7zgFa9x6RqjMSmJjvIuA6B5N8AOaFn0T1tQPzxWp6na87WlfkltF5aapGjI/s400/CGA-04.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Then finally do another GET to show the full list:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgyl1z6tOeF8xdSRgl54nMWYROTy1JF9lL_Tx9Qwqc0ZrY26hht5WP_TvgAJCGzl4pZVy0kH-T-p3LUBImZ6XdM2_LZRdDL8pEkCFAaq3BjOh5OKhplmn51yZ0l61PivvDTkkla_vCpcw/s1600/CGA-05.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="402" data-original-width="604" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgyl1z6tOeF8xdSRgl54nMWYROTy1JF9lL_Tx9Qwqc0ZrY26hht5WP_TvgAJCGzl4pZVy0kH-T-p3LUBImZ6XdM2_LZRdDL8pEkCFAaq3BjOh5OKhplmn51yZ0l61PivvDTkkla_vCpcw/s400/CGA-05.jpg" width="400" /></a></div>
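The GET, merge and PUT sequence shown in the screenshots above, scripted against the VAMI REST API, as an added example that is not part of the original post and not a VMware-provided tool. It assumes the Cloud Gateway accepts the same session endpoint as the vCenter Server Appliance (POST /rest/com/vmware/cis/session with HTTP basic authentication, returning a token for the vmware-api-session-id header) and wraps responses in a "value" field; the CGW_HOST, CGW_USER, CGW_PASS and CGW_CA_BUNDLE environment variable names and the merge_exceptions and is_valid_entry helpers are the example's own. Because the PUT body carries the complete list, the script reads the current list first and merges the new entries into it rather than overwriting what is already configured.

```python
"""Add proxy exceptions on a vCenter Cloud Gateway through its VAMI REST API.

Example code written for this article, not a VMware tool. Assumptions:
  * POST /rest/com/vmware/cis/session with HTTP basic auth returns
    {"value": "<session id>"} (as on the vCenter Server Appliance).
  * GET /rest/appliance/networking/noproxy returns {"value": [...]} and
    PUT accepts {"servers": [...]} as the complete replacement list.
"""
import base64
import ipaddress
import json
import os
import re
import ssl
import sys
import urllib.request

# Entries the appliance always keeps in the list (from the article).
ALWAYS_PRESENT = ("localhost", "127.0.0.1")

# Hostname: labels of letters, digits and hyphens joined by dots.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def is_valid_entry(entry: str) -> bool:
    """Accept an IP address, an IP network (e.g. 10.0.0.0/8) or a hostname.

    Whether the API honours CIDR notation is an assumption; the article only
    shows bare addresses such as 10.0.0.0. Anything else is rejected so a
    typo cannot silently land in the appliance configuration.
    """
    for parser in (ipaddress.ip_address, lambda v: ipaddress.ip_network(v, strict=False)):
        try:
            parser(entry)
            return True
        except ValueError:
            pass
    return bool(_HOSTNAME_RE.match(entry))


def merge_exceptions(current, new):
    """Build the complete list to PUT.

    Keeps localhost/127.0.0.1, then everything already configured, then the
    new entries, dropping duplicates but preserving order. Raises ValueError
    on malformed new entries before anything is sent to the appliance.
    """
    bad = [e for e in new if not is_valid_entry(e)]
    if bad:
        raise ValueError(f"invalid proxy exception entries: {bad}")
    merged = []
    for entry in (*ALWAYS_PRESENT, *current, *new):
        if entry not in merged:
            merged.append(entry)
    return merged


def _call(method, url, headers=None, body=None, context=None):
    """Minimal JSON-over-HTTPS helper on the standard library (no requests dependency)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=dict(headers or {}))
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=context) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def open_session(base_url, username, password, context=None):
    """Log in once and return the header dict to reuse on later calls."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    result = _call("POST", f"{base_url}/rest/com/vmware/cis/session",
                   headers={"Authorization": f"Basic {token}"}, context=context)
    return {"vmware-api-session-id": result["value"]}


def get_noproxy(base_url, headers, context=None):
    return _call("GET", f"{base_url}/rest/appliance/networking/noproxy",
                 headers=headers, context=context)["value"]


def put_noproxy(base_url, headers, servers, context=None):
    _call("PUT", f"{base_url}/rest/appliance/networking/noproxy",
          headers=headers, body={"servers": servers}, context=context)


if __name__ == "__main__":
    # Usage: CGW_HOST=... CGW_USER=... CGW_PASS=... python cgw_noproxy.py 10.0.0.0 192.168.1.0
    base = f"https://{os.environ['CGW_HOST']}:5480"
    # Verify the appliance certificate; point CGW_CA_BUNDLE at the CA that signed it.
    ctx = ssl.create_default_context(cafile=os.environ.get("CGW_CA_BUNDLE"))
    hdrs = open_session(base, os.environ["CGW_USER"], os.environ["CGW_PASS"], ctx)
    before = get_noproxy(base, hdrs, ctx)
    wanted = merge_exceptions(before, sys.argv[1:])
    if wanted != before:
        put_noproxy(base, hdrs, wanted, ctx)
    print(json.dumps(get_noproxy(base, hdrs, ctx), indent=2))
```

The script only issues the PUT when the merged list differs from what the GET returned, so re-running it with the same arguments is a no-op, and it validates every new entry before contacting the appliance so a mistyped network never reaches the configuration. Certificate verification is left on; supply the CA bundle for the appliance certificate rather than disabling it, since the session call carries the appliance credentials.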
Michael, 2019-08-24<br />
<br />
<b>North East VMUG - Thursday 26th September</b><br />
<br />
The next North East VMUG event has officially been announced and <a href="https://community.vmug.com/events/event-description?CalendarEventKey=e42621ab-791e-4e8d-8c6b-99d23bdb2251&CommunityKey=2019c52c-3ed6-4008-87ce-922ef5c5763d&Home=%2fcommunities%2flocalcommunityhome" target="_blank">registration is open</a>. The event will take place on Thursday 26th September at the Royal Station Hotel. It's conveniently located right next to Newcastle Central station and directions can be found <a href="https://www.google.co.uk/maps/place/Royal+Station+Hotel/@54.9691961,-1.6175727,17z/data=!3m1!4b1!4m8!3m7!1s0x487e70b44eee6491:0xf087e6613ee3d2af!5m2!4m1!1i2!8m2!3d54.969193!4d-1.615384" target="_blank">here</a>. The guys have pulled out all the stops and arranged a great selection of sponsor and community sessions. Just check out the list of rockstars who will be at the event:<br />
<br />
<b>Keynote Sessions</b><br />
<br />
Matt Steiner (<a href="https://cloudytechnologist.com/" target="_blank">Blog</a> | <a href="https://twitter.com/Steiner_Matthew" target="_blank">Twitter</a>) - Cloud Management Evangelist/Strategist, VMware<br />
Session - Are you the Platform Engineer of the Future who will #ManageAllTheThings?<br />
<br />
As we enter the Multi-Cloud era, the traditional roles in IT are changing. In this talk, we look at how the landscape is changing, and at the Cloud Management technology that is supporting this change. We will talk APIs, Infrastructure as Code, Platforms as Code, Everything as a Service, how you truly can #ManageAllTheThings, and become the Platform Engineer of the Future.<br />
<br />
Lee Dilworth (<a href="https://twitter.com/leedilworth" target="_blank">Twitter</a>) - Chief Technologist Storage & Availability, VMware<br />
Session - To be confirmed<br />
<br />
<br />
<b>Community Sessions</b><br />
<br />
Ricky El-Qasem (<a href="http://read.virtualizeplanet.com/" target="_blank">Blog</a> | <a href="https://twitter.com/rickyelqasem" target="_blank">Twitter</a>)<br />
Session - Automation: you're the first, the last, my everything<br />
<br />
A talk about how everything in your IT could and should be automated. Discussing how different facets of automation can help you nail down everything that can be automated, some next gen automation with AI and showing off a new tool in prototype he has been working on to help automate cloud templates.<br />
<br />
Gareth Lewis (<a href="https://www.vgarethlewis.com/" target="_blank">Blog</a> | <a href="https://twitter.com/vGarethLewis" target="_blank">Twitter</a>)<br />
Session - VMware NSX Data Centre for vSphere (NSX-V): Micro-Segmentation from the Field<br />
<br />
A real-world look at the micro-segmentation of applications with the aid of VMware NSX-V and the NSX Application Rule Manager. By visualising application dependencies, endpoints and services, we can implement a zero-trust environment and prevent lateral network exploits thanks to the Application Rule Manager and NSX Distributed Firewall.<br />
<br />
Sam McGeown (<a href="https://www.definit.co.uk/" target="_blank">Blog</a> | <a href="https://twitter.com/sammcgeown" target="_blank">Twitter</a>)<br />
Session - Getting Started with Kubernetes and the NSX-T container network plugin<br />
<br />
A hands-on demonstration configuring the NSX-T container plugin with Kubernetes. Minimal slides and maximum command line.<br />
<br />
These events would not be possible if it wasn't for the sponsors, so a big shout out to them all:<br />
<br />
<b>Gold Sponsors</b><br />
<br />
<a href="https://www.delltechnologies.com/en-gb/index.htm" target="_blank">Dell Technologies</a><br />
<a href="https://www.arcserve.com/uk/" target="_blank">Arcserve</a><br />
<a href="https://www.htguk.com/" target="_blank">HTG</a><br />
<br />
<b>Silver Sponsors</b><br />
<br />
<a href="https://exagrid.com/" target="_blank">ExaGrid</a><br />
<a href="https://www.exponential-e.com/" target="_blank">Exponential-e</a><br />
<br />
Remember to secure a pass out from the other half because the event is only half the fun. vBeers will be held at <a href="https://www.google.co.uk/maps/place/The+Town+Wall/@54.969422,-1.6206289,17z/data=!3m1!4b1!4m5!3m4!1s0x487e70b528df3e97:0xbafd540ba3db475a!8m2!3d54.9694189!4d-1.6184402" target="_blank">The Town Wall</a> straight after the event and continue into the night. Be sure to be first in line for the legendary scotch eggs before they disappear.<br />
<br />
Michael, 2019-05-29<br />
<br />
<b>Docker Desktop for Windows running in VMware Cloud on AWS</b><br />
<br />
I had an interesting request from a customer who is potentially looking to move some developers' desktops from on-premises into VMC, accessible via Horizon 7, but had a requirement to run Docker on the Windows 10 desktops and asked if it was possible.<br />
<br />
Since Docker uses some functionality of Hyper-V on Windows 10 I had my doubts, but figured I would try it out. In order for this to work you need to enable <b>Virtualization Based Security</b> within the guest VM's settings:<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht23xmnG9d85ficblM-tcrgBUoU8vqnRtkPjEG4hIhZIw3SJ0tB_FPwgxSIclxSILIp-zKUiAabEFV_0cNrf4OJS5Wifw1q-spCAHkPeiJfB-6imyLw8RaYKE-N60piwN-UkiZAN0mxr8/s1600/Docker_02.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="480" data-original-width="835" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht23xmnG9d85ficblM-tcrgBUoU8vqnRtkPjEG4hIhZIw3SJ0tB_FPwgxSIclxSILIp-zKUiAabEFV_0cNrf4OJS5Wifw1q-spCAHkPeiJfB-6imyLw8RaYKE-N60piwN-UkiZAN0mxr8/s640/Docker_02.jpg" width="640" /></a><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once you have enabled this, Docker Desktop for Windows should start successfully and you should be able to run Docker images:</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQSaJtT3Za3v9CeToDW8QmWgPP12jsSBjib3GHAEQ5L0Sy5WOBHPvOzjAFJfk4MJd6EUSeCM3JEIK3Y7Imba4NPCSs9rgVHwwH2BwfriCOLqY6SlJ7_CKce-nbo_vkuADiqOJSdThImMo/s1600/Docker_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1009" data-original-width="1600" height="403" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQSaJtT3Za3v9CeToDW8QmWgPP12jsSBjib3GHAEQ5L0Sy5WOBHPvOzjAFJfk4MJd6EUSeCM3JEIK3Y7Imba4NPCSs9rgVHwwH2BwfriCOLqY6SlJ7_CKce-nbo_vkuADiqOJSdThImMo/s640/Docker_01.jpg" width="640" /></a></div>
Michael, 2019-05-13<br />
<br />
<b>Scaling up your single node VMC SDDC</b><br />
<br />
For those of you who don't know, VMware Cloud on AWS offers you the ability to deploy a one node SDDC for testing purposes. These are ideal for POCs or pilots and can very easily be scaled up to a production grade SDDC with the click of a button. So, what exactly is the Single Host offering? Our <a href="https://cloud.vmware.com/vmc-aws/faq#general" target="_blank">VMware Cloud on AWS FAQ</a> tells us the following:<br />
<br />
<b>What is the Single Host SDDC offering?</b><br />
<i>With the new time-bound Single Host SDDC starter configuration, you can now purchase a single host VMware Cloud on AWS environment with the ability to seamlessly scale the number of hosts up within that time period, while retaining your data. The service life of the Single Host SDDC starter configuration is limited to 30-day intervals. This single host offering applies to customers who want a lower-cost entry point for proving the value of VMware Cloud on AWS in their environments.</i><br />
<br />
When helping customers with POCs/pilots who want to validate the solution and use cases before purchasing, they often want to move the SDDC from a POC/pilot stage into a fully fledged production grade SDDC. A lot of work goes into setting up the pilot, which might include:<br />
<ul>
<li>Connectivity to on-premises either via VPNs or Direct Connect.</li>
<li>Setting up and configuring various add-on services such as Hybrid Cloud Extension (HCX) and Disaster Recovery as a Service.</li>
<li>Various infrastructure workloads might have already been deployed such as Authentication Services, DNS, NTP, Backups, Native AWS integration etc.</li>
</ul>
<div>
<span style="color: red;">It's at this point that I feel I should mention that you should absolutely avoid running production workloads on a single node SDDC due to the lack of redundancy in both the compute and storage layers. If the host fails you could potentially lose data since it's a single host and VSAN doesn't have the ability to ensure your data is stored on multiple hosts.</span></div>
<div>
<br /></div>
<div>
One of the main reasons for scaling up a POC/pilot is that when you destroy the SDDC the various public IPs are also handed back to AWS, which means any VPNs (policy- or route-based) configured would need modifying; if the customer has strict change control processes or the firewalls are managed by a third party there might be additional delays and costs associated with the changes. </div>
<div>
<br /></div>
<div>
For this article I used a single node SDDC running version 1.6 Patch 01. For future SDDC versions we may change the way the scale up process works.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR-fD4c-7DqwAQCrPgSZ_f4QBeWr3LwqhWXpydl_VFy3dhOph9VImFcHiMPkVFuipQadonU1JwbeLxkuM33wWmsKZIBIZjoMBdvDOWIrtjTlDDqfq-b5kGO8OGc_h7czl3dHIjRCMKy7Q/s1600/sddc_version_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="542" data-original-width="745" height="464" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR-fD4c-7DqwAQCrPgSZ_f4QBeWr3LwqhWXpydl_VFy3dhOph9VImFcHiMPkVFuipQadonU1JwbeLxkuM33wWmsKZIBIZjoMBdvDOWIrtjTlDDqfq-b5kGO8OGc_h7czl3dHIjRCMKy7Q/s640/sddc_version_01.jpg" width="640" /></a></div>
<br />
When you have a single node SDDC that you want to scale up to a production grade three node SDDC there are a few things that you need to take into consideration:<br />
<br />
<b>AWS Account</b><br />
You need to ensure that you have linked your SDDC to your AWS account if you didn't already do this when you deployed your SDDC. Single node SDDCs have a grace period of 14 days before you need to connect them to your AWS account, but if you want to scale up you need to ensure that it's linked before you initiate the process. To check whether your SDDC is linked to an AWS account go to your SDDC, select <b>Networking & Security</b> and select <b>Connected VPC</b>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUCcAhaqgoimU1TeNsJPCglaIwZ7yv4YeltaAlbgjPirIwJanuZgNbaRRPQ52TV0VYFqzn1AJMLYjdKePTCE8v3rfxdk0JmSfXlJSAVKIZTo8mxC7QXDEkzLbjLz_68w9tlX8OhEpM6Zk/s1600/connected_vpcs_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="593" data-original-width="1600" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUCcAhaqgoimU1TeNsJPCglaIwZ7yv4YeltaAlbgjPirIwJanuZgNbaRRPQ52TV0VYFqzn1AJMLYjdKePTCE8v3rfxdk0JmSfXlJSAVKIZTo8mxC7QXDEkzLbjLz_68w9tlX8OhEpM6Zk/s640/connected_vpcs_01.jpg" width="640" /></a></div>
<br />
If your SDDC isn't connected then go through the process to complete this.<br />
<br />
<b>VSAN Storage Policies</b><br />
When you deploy a single node the default VSAN VM policy is set to <b>No Data Redundancy</b>, since with only a single node we are unable to store data on multiple nodes:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5wSl5mTFTQqNNUrIa8raHB-r7onbf5mBIjomr9lDwJrhozOWnRJ43j0v6H7KcOPzyHyoFga_D4Ur05nbjf6I5Ee4WRSDR9thMHy4PIy2FsRuYvQNks3IxLelvsR1y8fHLLqL3bQLyZ8c/s1600/ScaleUp_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="958" data-original-width="1195" height="512" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5wSl5mTFTQqNNUrIa8raHB-r7onbf5mBIjomr9lDwJrhozOWnRJ43j0v6H7KcOPzyHyoFga_D4Ur05nbjf6I5Ee4WRSDR9thMHy4PIy2FsRuYvQNks3IxLelvsR1y8fHLLqL3bQLyZ8c/s640/ScaleUp_01.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We can see that all our workload and management VMs are using the default policy and are currently compliant with the policy:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghH-HSeWzxCpMy-ihio6DWyJGjEtKz4Ht_Kp7SHz-wFmV_gu91ENmH6oaZDSA2vOaci3WHRcGGe6286BEWnPw8vyqoVK3_bthtWtSrWBsVXrexShjV9zSu1fqDRZBENK6gWkZ8to4WN-0/s1600/compliance_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="699" data-original-width="1600" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghH-HSeWzxCpMy-ihio6DWyJGjEtKz4Ht_Kp7SHz-wFmV_gu91ENmH6oaZDSA2vOaci3WHRcGGe6286BEWnPw8vyqoVK3_bthtWtSrWBsVXrexShjV9zSu1fqDRZBENK6gWkZ8to4WN-0/s640/compliance_01.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Subscriptions</b></div>
Either before or after scaling up your SDDC, you need to create a subscription to get the best discount. Subscriptions allow you to save money by committing to buy a certain amount of capacity in a specific region for a defined period, either 1 or 3 years; a subscription is not required to use VMware Cloud on AWS. Any usage of the service not covered by a subscription is charged at the on-demand rate:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioVggZKO_25M67a1jBXb2dslB1w_yFPAh9XOJdL41JbGuOBGhPaHzx3Msd9t6xADpz_zI5pgGXsxYEKHRsJf8qRELR5_93mOhvy3eYBCiuv-j4nXbgijpoAdgwR4tjzxPxh4gjVlGlPAI/s1600/subscriptions_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="443" data-original-width="1600" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioVggZKO_25M67a1jBXb2dslB1w_yFPAh9XOJdL41JbGuOBGhPaHzx3Msd9t6xADpz_zI5pgGXsxYEKHRsJf8qRELR5_93mOhvy3eYBCiuv-j4nXbgijpoAdgwR4tjzxPxh4gjVlGlPAI/s640/subscriptions_01.jpg" width="640" /></a></div>
<br />
Page 10 in the <b><a href="https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/vmc-on-aws-getting-started.pdf" target="_blank">VMware Cloud on AWS Getting Started</a></b> guide shows you the process of creating a subscription, and you can find more information about our pricing on our public-facing site <a href="https://cloud.vmware.com/vmc-aws/pricing" target="_blank">here</a>.<br />
<br />
<b>Scaling Up</b><br />
In order to scale up your one node SDDC simply click on the <b>Scale Up</b> button:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCHE4sB2CaMKrYD6wFuJMYBVPT-JziHugZzblxs3U6O6g6c1aah-y7CzuvK8Ft72YKG-kNLckze0w6Kp8hugkt3wX5q28lGvpK3saZW2l3yK2vlR6sNCT5czyjdBOsAXM8Mwt8M0Ar1iw/s1600/scale_up_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="528" data-original-width="1600" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCHE4sB2CaMKrYD6wFuJMYBVPT-JziHugZzblxs3U6O6g6c1aah-y7CzuvK8Ft72YKG-kNLckze0w6Kp8hugkt3wX5q28lGvpK3saZW2l3yK2vlR6sNCT5czyjdBOsAXM8Mwt8M0Ar1iw/s640/scale_up_01.jpg" width="640" /></a></div>
<br />
A confirmation screen is displayed showing what your current environment looks like and what the new environment will look like once completed. If you are happy to proceed then click on the <b>Scale Up Now</b> button:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnqwE8PSFnCXD9DlxO6_jEQrTzs7Di1Qs0Gw0hDz6F5aEM7JPjOhmQfKmW0h5t9dWnyaIjIaAnRZ9n4mrpLP6kEItajLQRYwZPzysJqWkKpZYAx6_P89uivtdaUY58MBt9Nkn5DA05tC8/s1600/scale_up_02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="652" data-original-width="1595" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnqwE8PSFnCXD9DlxO6_jEQrTzs7Di1Qs0Gw0hDz6F5aEM7JPjOhmQfKmW0h5t9dWnyaIjIaAnRZ9n4mrpLP6kEItajLQRYwZPzysJqWkKpZYAx6_P89uivtdaUY58MBt9Nkn5DA05tC8/s640/scale_up_02.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The scale up process will start and typically takes about 20 minutes (~10 minutes per host).</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqXtnbF2YDvYIZyIzpOLAI1Q9LjuUc27_QsIT5iiDeljlAqclOBWKAnLqzA5AGV-rDXt7cVsK7AaSaQApn4q7T4hTsl2u7NCOZFehi5uYuMjFVnpIAo5nBFX2viSLRxF81CU4ux46w9dM/s1600/scale_up_03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="177" data-original-width="389" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqXtnbF2YDvYIZyIzpOLAI1Q9LjuUc27_QsIT5iiDeljlAqclOBWKAnLqzA5AGV-rDXt7cVsK7AaSaQApn4q7T4hTsl2u7NCOZFehi5uYuMjFVnpIAo5nBFX2viSLRxF81CU4ux46w9dM/s640/scale_up_03.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpDr1fayRA-UtGss522eBmKipgchymfKkHBYmxjs0xWGk1PX4U_WlLQLd9QCkc-fir0Lvh3HFOloZhm-XFYtzmPhEvd59e8aLNO1lcXBCFgBOh-7W35YeVK_t5gBweZ1sbdP9G8kuNBYo/s1600/scale_up_04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="300" data-original-width="944" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpDr1fayRA-UtGss522eBmKipgchymfKkHBYmxjs0xWGk1PX4U_WlLQLd9QCkc-fir0Lvh3HFOloZhm-XFYtzmPhEvd59e8aLNO1lcXBCFgBOh-7W35YeVK_t5gBweZ1sbdP9G8kuNBYo/s640/scale_up_04.jpg" width="640" /></a></div>
<br />
You can continue to use the environment and you will notice that within vCenter new hosts are automatically added in maintenance mode and then taken out of maintenance mode:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiamGRjVNUTIXO2gnpVkiN-88TwD_feseWBigWyoQW2IpVeiFs6OBD6gewJFZTDpzHCjFqyO0qdIzW56DTwDnYjaCQHc6Okx1I05lIKWrEIqOyKnK9eZyrfOrCvaiDNHteOzL5GOARnZjE/s1600/scale_up_05.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="444" data-original-width="1600" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiamGRjVNUTIXO2gnpVkiN-88TwD_feseWBigWyoQW2IpVeiFs6OBD6gewJFZTDpzHCjFqyO0qdIzW56DTwDnYjaCQHc6Okx1I05lIKWrEIqOyKnK9eZyrfOrCvaiDNHteOzL5GOARnZjE/s640/scale_up_05.jpg" width="640" /></a></div>
<br />
Eventually the two additional hosts will be added and available to use. The scale up process is complete and you will have a fully supported three node SDDC:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkblQ_VvrXemUESGVPHT_RdPZUQu4g0NpbvfWRQdaO910ISju32yJSIwfJBveFeYDF-LhaTkN4H_IbEFH47wcccmtND8dcBMNEuPQZ2NtatH6JSWHVsgn5Gex8rIY-C1eXuWaz0M667Ps/s1600/scale_up_06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="512" data-original-width="1600" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkblQ_VvrXemUESGVPHT_RdPZUQu4g0NpbvfWRQdaO910ISju32yJSIwfJBveFeYDF-LhaTkN4H_IbEFH47wcccmtND8dcBMNEuPQZ2NtatH6JSWHVsgn5Gex8rIY-C1eXuWaz0M667Ps/s640/scale_up_06.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8ERmKMfyNVV7NuHqs7TMG4q5-V223lhRjRySfLyJo-lDPEszhLoWBADPyAtIPEFFNO6O1nrNmmdgjZ02yho-KiaJHYYb8vWQAwSO6o68RhrRHG45KSKTS2ZTQuIRC0TfpdRW5x-qSHfQ/s1600/scale_up_07.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="318" data-original-width="934" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8ERmKMfyNVV7NuHqs7TMG4q5-V223lhRjRySfLyJo-lDPEszhLoWBADPyAtIPEFFNO6O1nrNmmdgjZ02yho-KiaJHYYb8vWQAwSO6o68RhrRHG45KSKTS2ZTQuIRC0TfpdRW5x-qSHfQ/s640/scale_up_07.jpg" width="640" /></a></div>
<br />
As part of the scale up process we change the VSAN storage policy for the management workloads from being in the <b>VSAN Default Storage Policy</b> to being in the <b>Management Storage Policy - Regular</b> which supports FTT=1 (RAID1):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBQYDnOS0yU_EWFAvhOl_DROS7buJOEQzMxDIqz0YFbLxDzKU606MHsanadwgV3dI-ECnCdEt7IsfkrwLDxFiNQxFtVzedunugTyBGfcmL-lfDpock8M0oWrtwl628eYT1Vr6XH6XsuuI/s1600/scale_up_09.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="791" data-original-width="1600" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBQYDnOS0yU_EWFAvhOl_DROS7buJOEQzMxDIqz0YFbLxDzKU606MHsanadwgV3dI-ECnCdEt7IsfkrwLDxFiNQxFtVzedunugTyBGfcmL-lfDpock8M0oWrtwl628eYT1Vr6XH6XsuuI/s640/scale_up_09.jpg" width="640" /></a></div>
<br />
Within about 20 minutes VSAN will bring the VMs into compliance and ensure data is stored on two different hosts:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiesVENF_0idP0HUmb9NFIRpSVeTd1EZq-1u6LXfi4of0WaDkbO9Y2mCBfBjbaLFB1vFpOLmuhUDDoeg3dsqO6T4Ob0xh-Uqba6OOYDgdNfKWW2SfUMnA1QrrRyCAHwUN8ebAa-pNVRBZ4/s1600/scale_up_08.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="734" data-original-width="1600" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiesVENF_0idP0HUmb9NFIRpSVeTd1EZq-1u6LXfi4of0WaDkbO9Y2mCBfBjbaLFB1vFpOLmuhUDDoeg3dsqO6T4Ob0xh-Uqba6OOYDgdNfKWW2SfUMnA1QrrRyCAHwUN8ebAa-pNVRBZ4/s640/scale_up_08.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
We also modify the <b>VSAN Default Storage Policy</b> to ensure we use FTT=1 (RAID1):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji9KkbCkBKaMbQGGvKvdlC0Sbmcbs2eh7m5of08wZwyxj7nsC-OKoFwHS74xOu5RMhHyjEnZqHhzCAJVQKw6OexPuKewS60Y2NXb-geZy5YM6-UVwyuw2UgIllM4pNFI0lfgAJj-uyj-4/s1600/scale_up_10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="795" data-original-width="1600" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji9KkbCkBKaMbQGGvKvdlC0Sbmcbs2eh7m5of08wZwyxj7nsC-OKoFwHS74xOu5RMhHyjEnZqHhzCAJVQKw6OexPuKewS60Y2NXb-geZy5YM6-UVwyuw2UgIllM4pNFI0lfgAJj-uyj-4/s640/scale_up_10.jpg" width="640" /></a></div>
<br />
This will bring all workloads that currently use this policy into compliance within about 20 minutes (depending on the number of workloads you have running within the environment).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguRtr016Za018ZNEHYqSpQ3QAFfZPEdeN4FYZ__cFyx6VRG-sao3mSwH2zJIvchISBrvOoFVIkCCRBz7A0LEw3skqw4q5YgTAPA_TKAY2fPOSqeNb8aepx4bFEWDnzi5uvSqgX7zId9P4/s1600/scale_up_11.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="623" data-original-width="1600" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguRtr016Za018ZNEHYqSpQ3QAFfZPEdeN4FYZ__cFyx6VRG-sao3mSwH2zJIvchISBrvOoFVIkCCRBz7A0LEw3skqw4q5YgTAPA_TKAY2fPOSqeNb8aepx4bFEWDnzi5uvSqgX7zId9P4/s640/scale_up_11.jpg" width="640" /></a></div>
<br />
Once this process has completed you are fully supported and running a production grade three node cluster.<br />
<br />
One thing I have noticed is that you will see a warning about management network redundancy on the original one node. This alert was present before we scaled up but we currently don't have the ability to suppress it so you will have to initiate a support request via chat to have this suppressed. I will log this internally to suppress the warning as part of the scale up process:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeLwdl1Sf7UKA0LospiDlrhqrQLoQ7WbM8PNu7QOG6nqV78S-R3Nt3DGbKgKORyAbgIOAddngtjltItwxUAdL112c8R3nX1jjqp87_VfUwCaRViDCZsSEGkMzmGHJm7Gs690XJCgEYAwo/s1600/scale_up_12.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="512" data-original-width="1600" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeLwdl1Sf7UKA0LospiDlrhqrQLoQ7WbM8PNu7QOG6nqV78S-R3Nt3DGbKgKORyAbgIOAddngtjltItwxUAdL112c8R3nX1jjqp87_VfUwCaRViDCZsSEGkMzmGHJm7Gs690XJCgEYAwo/s640/scale_up_12.jpg" width="640" /></a></div>
<b>Time for a new role... (2018-12-03)</b><br />
As I start writing this I've realised that I have been at VMware for over 5 years, having started in October 2013 with absolutely no pre-sales experience as a core Systems Engineer supporting partners based out of the North of England. Working for VMware has always been a dream since being introduced to the technology back in the Virtual Infrastructure 3.x days, and having the opportunity to join this company has certainly been life changing. My role initially involved supporting partners with core vSphere technology, introducing them to new technologies (at the time) such as VSAN and NSX, and getting existing technologies adopted by customers. This gave me great exposure to working with both partners and customers and getting to grips with what the Systems Engineer role actually involved.<br />
<br />
Just over a year later I had the opportunity to join some internal training on NSX and knew from the outset that this was game-changing technology. Prior to joining VMware I was very much exposed to networking and security and understood the value proposition and how this technology could change the way we consume networking and security services within the datacenter. A few months later I had the opportunity to join the Networking and Security Business Unit (NSBU) as a specialist NSX Systems Engineer. This was in the very early days, and I remember attending the first internal technical enablement session when there were only around 30 SEs globally and we all fit in a small training room in Palo Alto. I've now been in post for almost four years and have seen the NSBU grow from a single-product business unit with NSX to a true multi-product BU with our Virtual Cloud Network proposition, which is resonating extremely well with customers across all verticals. I've covered a mixture of public sector and commercial customers and helped train, design and deploy various solutions for customers to solve a variety of challenges.<br />
<br />
I've been looking for a change over the last few months and investigated both internal and external opportunities looking for my next move. I'm glad to say that as of today I'm now a Lead VMware Cloud on AWS Solutions Engineer within the Cloud Platform Business Unit. My role going forward will be to help customers understand the value proposition of VMware Cloud on AWS and the possibilities of extending their on-premises environments into VMware on AWS. With the recent announcements of AWS Outposts and <a href="https://cloud.vmware.com/community/2018/11/28/vmware-cloud-aws-outposts-cloud-managed-sddc-data-center/" target="_blank">VMware on AWS Outposts</a> I'm truly excited to join the team and see the level of innovation and the relationship we have with AWS continue to grow and benefit customers. Expect more content in the near future.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCSIGRQKvyaom5s6_i4yk7vdHm86OTQAQu5a6_nLXZUiPx7FH5omHjMFIYofKbykXRGPX9RFcprY5zjKjwaqfXGqa7Z-8dUPI2kt5FIpjEJJfQ7Ll2mpRaWTBs2VmXXnKNil1UBmY_9Nk/s1600/VMConAWS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="217" data-original-width="300" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCSIGRQKvyaom5s6_i4yk7vdHm86OTQAQu5a6_nLXZUiPx7FH5omHjMFIYofKbykXRGPX9RFcprY5zjKjwaqfXGqa7Z-8dUPI2kt5FIpjEJJfQ7Ll2mpRaWTBs2VmXXnKNil1UBmY_9Nk/s320/VMConAWS.png" width="320" /></a></div>
<br /><b>North East VMUG - Thursday 20th September 2018 (2018-08-25)</b><br />
The next North East VMUG is locked in and final arrangements are being made. The event will take place on Thursday 20th September 2018 at the following address:<br />
<br />
Royal Station Hotel<br />
Neville Street<br />
Newcastle upon Tyne<br />
NE1 5DH<br />
<br />
You can register for the event <a href="https://community.vmug.com/events/event-description?CalendarEventKey=101d7f3e-35f3-4ff8-b978-4639251840db&CommunityKey=2019c52c-3ed6-4008-87ce-922ef5c5763d&Home=%2fcommunities%2flocalcommunityhome" target="_blank">here</a>.<br />
<br />
The agenda is currently as follows:<br />
<br />
08:40 - Registration & Networking<br />
09:00 - NEVMUG Introduction<br />
09:10 - Cormac Hogan (<a href="https://cormachogan.com/" target="_blank">Blog</a> | <a href="https://twitter.com/CormacJHogan" target="_blank">Twitter</a>) - VMware Keynote<br />
<br />
<b>What’s happening in the world of VMware Storage</b><br />
<br />
A closer look at some of the more recent announcements around VMware storage-related products and features. There will be lots to talk about, as this will be so soon after the US VMworld 2018 event. We will look at new enhancements to VMware, VVols, IO Filters, Core Storage and even projects that are happening around persistent storage in the container space. There should be something for everyone in this space.<br />
<br />
10:00 - Networking<br />
10:15 - Rubrik<br />
<br />
Details to follow<br />
<br />
11:00 - Networking<br />
11:15 - Community Session – Bryan O’Connor (<a href="http://www.bryanoconnor21.co.uk/" target="_blank">Blog</a> | <a href="https://twitter.com/BryanOConnor21" target="_blank">Twitter</a>)<br />
<br />
<b>What's new in vSphere 6.7</b><br />
<br />
<ul>
<li>Management Enhancements</li>
<li>ESXi Enhancements</li>
<li>Virtual Center Enhancements</li>
<li>VM Enhancements</li>
<li>Storage Enhancements</li>
<li>Security Enhancements</li>
<li>Network Enhancements</li>
<li>Availability Enhancements</li>
</ul>
<br />
12:00 - Lunch<br />
12:30 - Adam Bohle - VMware on AWS (<a href="https://twitter.com/adambohle" target="_blank">Twitter</a>)<br />
<br />
<b>VMware Cloud on AWS - What's New</b><br />
<br />
VMware Cloud on AWS is a fast-moving technology in the VMware portfolio. This session will consist of a short introduction to the service, as well as an update on all the new features and AWS regions that have become available this year.<br />
<br />
13:15 - Networking<br />
13:25 - NAKIVO - Nick Luchkov, Senior Technical Pre-Sales Manager<br />
<br />
<b>Protecting VMware/Hyper-V environments with NAKIVO Backup & Replication</b><br />
<br />
NAKIVO develops a fast, reliable, and affordable backup and replication solution for virtual and cloud environments. Over 10,000 companies are using NAKIVO Backup & Replication to protect and recover their data more efficiently and cost-effectively. Join this session to learn:<br />
<br />
<ul>
<li>How to ensure business continuity and reduce downtime of your critical virtualized data.</li>
<li>How to speed up the backup and replication data transfer, reduce backup size and shrink backup window.</li>
<li>How to turn your NAS into a backup appliance and use deduplication hardware appliances to get super-fast backup speed.</li>
</ul>
<br />
14:10 - Networking<br />
14:20 - IGEL - Tom Illingworth<br />
<br />
<b>Thin client? It’s all about the software</b><br />
<br />
Hear IGEL discuss its endpoint management solutions: simple, smart and secure. We believe it should be as easy to remotely manage 10,000 devices as 10, and to add the functionality that's most important to the enterprise, making the life of the IT department easier.<br />
<br />
15:05 - Networking<br />
15:15 - Community Session – Dale Handley (<a href="https://twitter.com/dalemhandley" target="_blank">Twitter</a>)<br />
<br />
A detailed session on the new Custom Forms feature in vRealize Automation 7.4.<br />
<br />
16:00 - Networking<br />
16:10 - Darren Hirons (<a href="https://twitter.com/dazhirons" target="_blank">Twitter</a>) & Matt Evans from VMware<br />
<br />
<b>‘To Re, or not to Re (purpose)’</b><br />
<br />
The desktop market offers many desktop re-purposing solutions based on Windows, Linux and Chrome. In this session we will take a deep dive into those technologies, share our test results and present a comparison of the different vendor offerings to help you make an informed choice. Examples of our findings will cover costs, system requirements, performance, device management and limitations.<br />
<br />
16:55 - NEVMUG Close – Q&A and prize giveaway<br />
17:00 - vBeers – Cinema room, The Town Wall<br />
<br />
Big thanks to all of our sponsors, without you these events would not be possible.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://www.rubrik.com/" target="_blank"><img border="0" data-original-height="180" data-original-width="373" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjZgPn3gczGUGDODyQ1hswZBOtyYkF4RkBjBtHMppaGixKziZ8BJiPhPn-xhumbxFGGSsMupovMR5jtlGviZhfcyw3VTra1Vtco1BsD2D39BsJxHD9xxCTQFahLFbk-3STM6S_oupO7lw/s200/Rubrik.png" width="200" /></a></div>
<a href="https://www.igel.com/" target="_blank"><img border="0" data-original-height="152" data-original-width="331" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjznkmGfDwDYgCnUVbIDI6nlm32N857CncKKgmRd8oIzvU3vA725Z4j3ZOLf9JFeQu4UvocJdWnhenDcQCDCSBIjOTmwFcVmVp3cxwEjJj9Bppr9umGJBUCT3yKjPuTFbgKTBcRbKlOga0/s200/iGel.jpeg" width="200" /></a><br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://www.nakivo.com/" target="_blank"><img border="0" data-original-height="511" data-original-width="767" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-3PZwQQhXi4RB7B9ER-r_9tum6l-2G6EhKAQbW-dqiX9OKGkM9R2AtRHIBJNoxEghHECJ10420GAgjfOrMSpZu-y1PoAF7303RH88PmXd3HqyArhdJKo7BuMhPwycBfTQRJn3pqIZGaU/s200/Nakivo.jpg" width="200" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://www.nfon.com/en_de/" target="_blank"><img border="0" data-original-height="298" data-original-width="220" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlEvG32zhqxJqlA37ohyphenhyphenQS6GK0tX0-s9lzTK4uQTYqdnVj3PgU78XFmLTWGC1bnVSxeSN3o9wfntVmfHVdgMLqGdw-by8fFwL-kEHkzoQcRQgP5JVl10i2W3EGl1DbRlYtRHmi0ODoHi4/s200/NFON.png" width="147" /></a></div>
<a href="https://www.zerto.com/" target="_blank"><img border="0" data-original-height="187" data-original-width="333" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjIpwwOaYQXiyq8uWfcoF8m0aT865AuywEZ8HTuaDMIm5ecyqO7IvTa11usUssNImfKdR2fMR7YbUuZdhIjKRZcuGs_M0sn6oFf2Ls9-wV3Ixm7rnALMPs9ihMDS3l62nWf-A9HYfQ91w/s200/415229-zerto-logo.jpg" width="200" /></a><br />
<br />