Category: Cloud

VMware Cloud Director – Failed to Start

by Tommy Grot September 23, 2024

Welcome, tech enthusiasts, to another thrilling dive into the depths of VMware’s cloud management platform, Cloud Director. Today, we find ourselves confronted by an issue that has left many a cloud administrator scratching their heads: the mysterious failure of Cloud Director to initiate its services due to a missing public address in the AllowedOrigins configuration. This blog is your lifeline, offering a comprehensive roadmap to navigate through this technical maze and restore the harmony of your Cloud Director environment!

“Failed to Start: An error occurred during the initialization” error when trying to access vCloud Director after updating public addresses

Additional information is available from VMware’s Support Site – Failed to Start: An error occurred during the initialization

Procedure:

  • Take a powered-off snapshot of your VMware Cloud Director cells (ensure you shut them down properly).
  • Power on the VCD Appliances

Log in to the VCD Administration Provider Portal

Go to Swagger API

Expand the GET /1.0.0/site/settings/cors

Click "Try it out"

When you click "Execute", you should see output similar to the screenshot below. If the output is missing entries for any additional VCD cells, you will need to add them in the order shown in the sample below.

Once you have staged and prepared your JSON for the AllowedOrigins using Notepad++ or VS Code, go to the PUT section of the Swagger API Explorer, as in the screenshot below.

An example of the JSON: replicate the missing FQDN or IP in each section, as in the sample JSON below.
{
  "resultTotal": 18,
  "pageCount": 1,
  "page": 1,
  "pageSize": 25,
  "associations": null,
  "values": [
    {
      "origin": "172.31.181.200"
    },
    {
      "origin": "172.31.200.10"
    },
    {
      "origin": "172.31.200.11"
    },
    {
      "origin": "IP ADDRESS For Missing Node"
    },
    {
      "origin": "cloud.virtualbytes.io"
    },
    {
      "origin": "cloud01.virtualbytes.io"
    },
    {
      "origin": "cloud02.virtualbytes.io"
    },
    {
      "origin": "FQDN for Missing Node"
    },
    {
      "origin": "http://172.31.181.200"
    },
    {
      "origin": "http://172.31.200.10"
    },
    {
      "origin": "http://172.31.200.11"
    },
    {
      "origin": "IP ADDRESS For Missing Node"
    },
    {
      "origin": "http://cloud.virtualbytes.io"
    },
    {
      "origin": "http://cloud01.virtualbytes.io"
    },
    {
      "origin": "http://cloud02.virtualbytes.io"
    },
    {
      "origin": "FQDN for Missing Node"
    },
    {
      "origin": "https://172.31.181.200"
    },
    {
      "origin": "https://172.31.200.10"
    },
    {
      "origin": "https://172.31.200.11"
    },
    {
      "origin": "FQDN for Missing Node"
    },
    {
      "origin": "https://cloud.virtualbytes.io"
    },
    {
      "origin": "https://cloud01.virtualbytes.io"
    },
    {
      "origin": "https://cloud02.virtualbytes.io"
    },
    {
      "origin": "FQDN for Missing Node"
    }
  ]
}

After your JSON is ready, paste it into the white body field of the PUT request and hit Execute.

Toward the bottom of the CORS PUT section you should see a 200 OK status. After that, the VCD cells that were missing should start up, and if you re-run the GET command you should see your missing nodes.
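The staging step above, as an added example (not the author's or VMware's code): a Python helper that compares the GET /1.0.0/site/settings/cors output with the hosts every cell should have, builds the PUT body in the order of the sample, and lists allowed origins that belong to no known cell so they can be reviewed. The function names, the constructed GET response and its stale entry are assumptions, as is the PUT body having the same shape as the sample JSON.

```python
import json

# The three forms the sample JSON lists for every IP and FQDN.
SCHEMES = ("", "http://", "https://")

# Hosts taken from the sample above: public address plus each cell (IPs, then FQDNs).
CELL_HOSTS = [
    "172.31.181.200", "172.31.200.10", "172.31.200.11",
    "cloud.virtualbytes.io", "cloud01.virtualbytes.io", "cloud02.virtualbytes.io",
]


def expected_origins(hosts):
    """All origins for the given hosts, in the sample's order: bare, http://, https://."""
    return [scheme + host for scheme in SCHEMES for host in hosts]


def _present(get_response):
    """Origins currently configured, as returned by the GET call."""
    return [v["origin"].strip() for v in get_response.get("values", [])]


def missing_origins(get_response, hosts):
    """Expected origins that the GET output does not contain (case-insensitive)."""
    have = {o.lower() for o in _present(get_response)}
    return [o for o in expected_origins(hosts) if o.lower() not in have]


def unexpected_origins(get_response, hosts):
    """Configured origins that map to no known host; review these before re-submitting."""
    want = {o.lower() for o in expected_origins(hosts)}
    return [o for o in _present(get_response) if o.lower() not in want]


def build_put_body(get_response, hosts):
    """Body for the PUT call: expected origins in order, then any unreviewed extras.

    Assumption: the PUT body uses the same fields as the sample JSON on this page.
    """
    ordered = expected_origins(hosts) + unexpected_origins(get_response, hosts)
    body = dict(get_response)
    body["values"] = [{"origin": o} for o in ordered]
    body["resultTotal"] = len(ordered)
    return body


# Constructed GET output: the second cell (172.31.200.11 / cloud02) is missing,
# and one stale origin that belongs to no cell is still allowed.
_CONFIGURED = ["172.31.181.200", "172.31.200.10",
               "cloud.virtualbytes.io", "cloud01.virtualbytes.io"]
SAMPLE_GET = {
    "resultTotal": 13, "pageCount": 1, "page": 1, "pageSize": 25, "associations": None,
    "values": [{"origin": s + h} for s in SCHEMES for h in _CONFIGURED]
              + [{"origin": "https://old-portal.example.test"}],
}

if __name__ == "__main__":
    print("missing:", missing_origins(SAMPLE_GET, CELL_HOSTS))
    print("review :", unexpected_origins(SAMPLE_GET, CELL_HOSTS))
    print(json.dumps(build_put_body(SAMPLE_GET, CELL_HOSTS), indent=2))
```
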


How To Upgrade VMware Cloud Foundation 5.1.x

by Tommy Grot March 26, 2024

Have you heard the exciting news about the latest release of VMware Cloud Foundation 5.1.1? This update is packed with tons of new features that are sure to get you pumped up. From AI technologies and Private AI implementations to a slew of other enhancements, there’s something for everyone in this release. Whether you’re a seasoned pro or just dipping your toes into the world of cloud computing, this update has something to offer. So grab your favorite beverage, settle in, and let’s dive into all the new and exciting features that VMware Cloud Foundation 5.1.1 has to offer!

Highlighted Features

As announced at the 2024 GTC AI Conference, Broadcom has announced initial availability of  VMware Private AI Foundation with NVIDIA as an advanced add-on to VMware Cloud Foundation. VMware Private AI Foundation marks the beginning of a new era for infrastructure solutions, powered by VMware Cloud Foundation to support a wide range of Generative AI use cases. Read more about VMware Cloud Foundation AI/ML Solutions here.   

VMware Private AI Foundation with NVIDIA

VMware Cloud Foundation is the core infrastructure platform for VMware Private AI Foundation with NVIDIA, delivering modern private cloud that enables organizations to dynamically scale GenAI workloads on demand.  VMware Cloud Foundation provides an automated, self-service cloud experience that accelerates productivity for developers and data scientists, while delivering comprehensive security and resilience to protect and recover an organization’s most sensitive intellectual property.  

VMware Cloud Foundation 5.1.1 Bill of Materials: 

VMware Cloud Foundation 5.1.1 – Release Notes


Let's start the upgrade!

Take a snapshot of your SDDC Manager and your vCenter Server, ensure they are offline snapshots.

Log in to your SDDC Manager, and you will see new bundles appear; this is only true if you have an internet-connected VCF stack. If you are in an offline deployment, follow this other walkthrough I made on how to download bundles for VCF and other products.

Example of what you shall see when bundles are automatically downloaded into your SDDC Manager

Next, before we upgrade, ensure you run a Pre-Check under the Workload Domains you want to upgrade

The Pre-check will verify connectivity and password authentication with service accounts to all different appliances. Once the pre-check is done we will proceed to the next step which is to plan the upgrade!

My Pre-check had a few errors; one of the major errors was related to VM/Host Affinity rules for certain VMs like the domain controller, Aria Logs, and Aria Operations, so I had to disable the rules for the upgrade to ensure that there is no error during deployment.

Disabled VM/Host Rules

Here you will see the Pre-Check results. I had 5 errors, one of which was the storage capacity of the vCenter Server, and then VM/Host Rules that were enabled and needed to be disabled to continue the upgrade.

Once Pre-Check has been completed, you will see that your workload domain will have Updates Available in the right side of the window as shown below.

Now we plan the upgrade. This is a new addition that helps with the upgrade path: it shows the source and target versions, along with which bundles or products have already been upgraded if you have utilized the Async Patch tool, like in this blog post here.

Now, you will see that my vCenter Server and NSX have already been upgraded; that is due to the Async Patch tool. I upgraded my VCF out of cycle of the main release to fix a few issues and security vulnerabilities, hence the green check marks for NSX-T Manager, vCenter and ESXi.

Now we wait. This task runs in the background, and in a moment you will see the Download Bundles task(s) running.

After the binaries have been downloaded, staged and prepared, you will see that your workload domain, which previously showed updates available, is now ready for upgrade.

Let's start the upgrade! Ensure you have GOOD BACKUPS and/or SNAPSHOTS of the SDDC Manager and vCenter Server. If you do, let's continue!

SDDC Manager is now upgrading itself, it will upgrade the core components as well as the drift update if it is needed.

  • Setup Common Appliance Platform
  • Validate Services Before Upgrade
  • Remove Packages Pre Upgrade
  • Update Necessary RPMs For Photon4 Upgrade
  • VMware Cloud Foundation Services and Platform Upgrades
  • Authenticate Common Appliance Platform
  • Update VCF Service and Platform rpms
  • Reboot SDDC Manager
  • Refresh Custom Certificates
  • Update SDDC Manager Appliance Version
  • SDDC Manager Deployment Drift
  • Run VCF Services and Platform upgrades Post Validation
  • Validate Services
  • Cleanup
  • Stop Common Appliance platform Service

After 16 minutes and 29 seconds, we have an upgraded SDDC Manager! Since my vCenter and NSX had already been upgraded, the upgrade would have continued and all the hosts would have upgraded automatically, minus a few questions being asked during the deployment.

Successfully deployed VMware Cloud Foundation 5.1.1!


VMware Cloud Foundation 5.x – SDDC Manager Password Operations Not Allowed

by Tommy Grot March 21, 2024

Tonight’s topic – I want to share with you a recent headache I encountered while working with my VMware Cloud Foundation SDDC Manager 5.x and NSX Password Rotation for Audit account! I was in the middle of a routine password rotation service when suddenly, my task got stuck, leaving me scratching my head in frustration. I couldn’t believe how one little hiccup could bring my whole operation to a screeching halt. In this blog post, I will walk you through the issue I faced, how I troubleshooted it, and ultimately resolved it. So grab a cup of your favorite drink, sit back, and let’s dive into this tech challenge together!

Let's Begin!

  • Take Snapshot (Uncheck Memory) of SDDC Manager
  • SSH into SDDC Manager Appliance
  • Elevate to Root ( su - )

Now we will start digging in the Postgres Database, we will try to find the culprit of what is holding up the lifecycle management of VCF.

The command below will display any locked tasks that are running or are stuck

psql --host=localhost -U postgres -d platform -c "select * from lock"

My Issue – NSX Audit Password got stuck rotating and caused a halt in all operations, example below

{"serviceIdentifier":"LCM","operationIdentifier":"NSX_AUDIT","description":"Resource of type NSX locked by service (ID: LCM) and operation (ID: NSX_AUDIT)","pollingInterval":0,"expirationTime":0}

Now that we have our locks displayed: in my case there were 2 locks I had to delete – example below

psql --host=localhost -U postgres -d platform -c "delete from lock where id='ba4e6ff4-689a-4905-92ff-635cb7403698'";
psql --host=localhost -U postgres -d platform -c "delete from lock where id='ID_FROM_RESOURCE_NAME'";

Next, we will remove the second lock from the database:

psql --host=localhost -U postgres -d platform -c "delete from lock where id='6bd393ba-ad8f-4e1a-a6c3-0695c4556c29'";
psql --host=localhost -U postgres -d platform -c "delete from lock where id='ID_FROM_RESOURCE_NAME'";

Now we have a healthy and happy SDDC Manager!

As well, our password options are no longer blocked out!

Reboot and remove the snapshot after you are done. Ensure all services are working, or that you have a good backup, before the snapshot is removed!


VMware Cloud Director 10.5.x Certificate Replacement

by Tommy Grot March 15, 2024

Today’s topic is about managing certificates for VMware Cloud Director. Well, you’ve come to the right place! In this blog post, we’ll walk you through the step-by-step process of changing certificates for VMware Cloud Director 10.5.x. Whether you’re a seasoned pro or a newbie in the world of virtualization, we’ve got you covered. Say goodbye to the headaches of dealing with expired or invalid certificates, and say hello to a smoother, more secure experience with VMware Cloud Director. Let’s get started!

This process is much easier than in the days of Postman and API calls, trying to get the certificate loaded into the web store, and many other noticeable pain points. Not anymore: this process is super easy!

Login to your provider portal of VCD with your administrator account or a system admin account.

Go to – Administration

Click on Certificates Library ->

Click on Import -> Then fill out a friendly name and upload the .pem format of your cert, as well as the private.key with the passphrase.

Once your certificate has been imported, also ensure your CA-signed certs (Root and Subordinate) are trusted in your trusted certs library.

Then go back to Resources -> Cloud Cells -> Click on the cell whose certificate you want to change first.

Then click on Edit

The pop up will come up to select the certificate we just imported earlier in the walk through, select that one.

Now you will click “Use Certificate” and it will run the API calls and certificate tasks behind the scenes.

Select your certificate, then click Edit and Use Certificate; a few seconds later you should see a success message in the recent tasks!


New VMware Cloud Foundation & vSphere Foundation Offerings and Licensing model

by Tommy Grot January 8, 2024

Official Announcement about the new offerings from VMware

VMware is here to shake things up with their latest offerings, VMware Cloud Foundation and VMware vSphere Foundation!

With VMware Cloud Foundation, managing your cloud infrastructure has never been easier, providing a unified platform for seamless deployment and management of applications across private, public, and hybrid clouds. And that’s not all! VMware vSphere Foundation takes virtualization to the next level for smaller businesses and their needs, delivering enhanced scalability, reliability, and security for your business-critical applications.

Announcement of VMware Cloud Foundation and vSphere Foundation Products and Support Services offerings; this is the same information that William Lam has shared on his blog.

VMware Cloud Foundation (VCF)

Products & Support Services includes:

  • SDDC Manager
  • vSphere Enterprise Plus
    • vCenter Server Standard
    • vSphere with Tanzu (includes TKG Runtime)
    • vSphere ESXi
  • vSAN Enterprise (includes 1TiB per CPU Core)
  • NSX Enterprise Plus
  • Aria Suite Enterprise
    • Aria Automation
    • Aria Operations
    • Aria Operations for Logs
  • Aria Operations for Networks Enterprise
  • HCX Enterprise
  • VMware Data Service Manager (COMING SOON)
  • Activation & Upgrade Support Service
  • Select Support Service (recommended)

Available Add-Ons for purchase for VCF:

  • VMware Cloud Disaster Recovery (VCDR)
    • Sold as protected TiB and Per Protected VM
  • VMware Ransomware Recovery (RWR)
    • Sold as Per Protected VM
  • VMware Site Recovery (SRM)
    • Sold as pack of 25 VMs
  • vSAN Enterprise
    • Sold as 8TiB per CPU socket
  • VMware Load Balancer (NSX Advanced Load Balancer)
    • Sold as per service unit
  • VMware Firewall
    • Sold as per CPU Core
    • Distributed Firewall
    • Gateway Firewall
    • Security Intelligence
    • Container Security with Antrea
  • VMware Firewall + Advanced Threat Protection (ATP)
    • Sold as per CPU Core
    • Distributed Firewall
    • Gateway Firewall
    • Security Intelligence
    • Container Security with Antrea
    • Distributed and Gateway Intrusion Detection and Prevention Service (IDS/IPS)
    • Malware Prevention
    • Network Traffic Analysis (NTA) and Network Detection and Response (NDR)
  • Tanzu Mission Control (TMC)
    • Sold as per CPU Core
    • TMC SaaS
    • TMC (Self-Managed)
  • Tanzu Application Platform (TAP)
    • TAP
      • Sold as per vCPU
    • Tanzu Spring Runtime
      • Sold as per CPU Core
  • Tanzu Spring Runtime (TSR)
    • Sold as per CPU Core
  • Tanzu Guardrails Enterprise (TGE)
    • Sold as per resource
    • Tanzu Hub
    • Tanzu Guardrails
    • Aria Automation Config (formerly Saltstack)
    • Automation for Secure Clouds
    • Automation for Secure Host
  • Tanzu Guardrails Advanced (TGA)
    • Sold as per resource
    • Tanzu Hub
    • Tanzu Guardrails
    • Automation for Secure Clouds
  • Tanzu Cloudhealth Enterprise (TCE)
    • Sold as percentage of monthly cloud spend
  • Tanzu Application Catalog (TAC)
    • Sold as active artifact
  • Tanzu Ops for Apps (formerly Wavefront)
    • Sold as packets per second (PPS)
  • Tanzu Insights (TI)
    • Sold as event per month
  • CSP Entitlement
    • Partner must be signed up to Broadcom Expert Advantage program
    • Cloud Director
    • Cloud Director Availability
    • Cloud Director Plugins and Extension
    • Chargeback
    • Usage Meter
  • VMware Private AI Foundation  (COMING SOON)
  • Support Account Manager (SAM) Support Services
  • Dedicated Technical Support Engineer (DTSE) Support Services

VMware vSphere Foundation (VVF)

Products & Support Services includes:

  • vSphere Enterprise Plus
    • vCenter Server Standard
    • vSphere with Tanzu (includes TKG Runtime)
    • vSphere ESXi
  • vSAN Enterprise (*includes 100GiB per CPU Core per host)
  • Aria Suite Standard
    • Aria Suite Lifecycle
    • Aria Operations
    • Aria Operations for Logs
  • Production Support Service

Available Add-Ons for purchase for VVF:

  • VMware Cloud Disaster Recovery (VCDR)
    • Sold as protected TiB and Per Protected VM
  • VMware Ransomware Recovery (RWR)
    • Sold as Per Protected VM
  • VMware Site Recovery (SRM)
    • Sold as pack of 25 VMs
  • vSAN Enterprise
    • Sold as 8TiB per CPU socket
  • VMware Load Balancer (NSX Advanced Load Balancer)
    • Sold as per service unit
  • Tanzu Mission Control (TMC)
    • Sold as per CPU Core
    • TMC SaaS
    • TMC (Self-Managed)
  • Tanzu Application Platform (TAP)
    • TAP
      • Sold as per vCPU
    • Tanzu Spring Runtime
      • Sold as per CPU Core
  • Tanzu Spring Runtime (TSR)
    • Sold as per CPU Core
  • Tanzu Guardrails Enterprise (TGE)
    • Sold as per resource
    • Tanzu Hub
    • Tanzu Guardrails
    • Aria Automation Config (formerly Saltstack)
    • Automation for Secure Clouds
    • Automation for Secure Host
  • Tanzu Guardrails Advanced (TGA)
    • Sold as per resource
    • Tanzu Hub
    • Tanzu Guardrails
    • Automation for Secure Clouds
  • Tanzu Cloudhealth Enterprise (TCE)
    • Sold as percentage of monthly cloud spend
  • Tanzu Application Catalog (TAC)
    • Sold as active artifact
  • Tanzu Ops for Apps (formerly Wavefront)
    • Sold as packets per second (PPS)
  • Tanzu Insights (TI)
    • Sold as event per month
  • Note: The included 100GiB of vSAN Storage per CPU core will be available in a future vSphere patch update.

Also additional offers for customers:

  • VMware vSphere Standard (VVS)
  • VMware vSphere Essentials Plus Kit (VVEP)

Products & Support Services includes:

  • vSphere Standard
    • vCenter Server Standard
    • vSphere ESXi
  • Production Support Service

Available Add-Ons for purchase for VVS:

  • VMware Cloud Disaster Recovery (VCDR)
    • Sold as protected TiB and Per Protected VM
  • VMware Ransomware Recovery (RWR)
    • Sold as Per Protected VM
  • VMware Site Recovery (SRM)
    • Sold as pack of 25 VMs

VMware vSphere Essentials Plus Kit (VVEP)

Products & Support Services includes:

  • vSphere Essentials Plus (Maximum of 3 host w/up to 96 Cores)
    • vCenter Server Essentials
    • vSphere ESXi
  • Production Support Service

Available Add-Ons for purchase for VVEP:

  • VMware Cloud Disaster Recovery (VCDR)
    • Sold as protected TiB and Per Protected VM
  • VMware Ransomware Recovery (RWR)
    • Sold as Per Protected VM
  • VMware Site Recovery (SRM)
    • Sold as pack of 25 VMs

VMware Validated Solutions (VVS) for VCF

Available VVS for VCF:

  • Private Cloud Automation for VCF
  • Intelligent Operations Management for VCF
  • Intelligent Logging and Analytics for VCF
  • Cloud-Based Network Visibility for VCF
  • Developer Ready Infrastructure for VCF
  • Cross Cloud Mobility for VCF
  • Cloud-Based Workload Protection for VCF
  • Cloud-Based Ransomware Recovery for VCF
  • Site Protection and Disaster Recovery for VCF
  • Advanced Load Balancing for VCF

The New Frontier of Generative AI & VMware Multi-Cloud!

by Tommy Grot July 10, 2023

Generative AI and VMware solutions: with the excitement and potential of new language learning models, businesses will adopt them, but because each business has its own domain to run its data through, there are many concerns about security, privacy, and legal issues.

Large language models and multi-cloud infrastructure can complement each other by distributing the computational workload across multiple cloud providers. This allows for increased performance and scalability, as well as reducing the risk of service disruption or downtime.

Multi-cloud deployment of large language models enables organizations to leverage the strengths and capabilities of different cloud providers. By strategically distributing the workload, businesses can optimize cost-efficiency, enhance data privacy and security, and avoid vendor lock-in.

In this Briefing, you’ll hear insights from VMware business and technical leaders on topics including:

  • The opportunities and challenges CIOs see in transforming their businesses with AI.
  • Why multi-cloud environments will be the foundation for enterprise AI.
  • The importance of a responsible and ethical approach to AI.
  • The role of an AI-enabling ecosystem for customer choice and flexibility.
  • AI research priorities for VMware.
  • A glimpse into VMware’s focus on accelerating and simplifying customer adoption of AI.

Speakers include VMware President Sumit Dhawan, VP of Research Sujata Banerjee, and VP of Cross-Cloud Services Vittorio Viarengo. Don’t miss this important conversation!


Cannot establish a remote console connection in VMware Aria Automation 8.12.x

by Tommy Grot June 1, 2023

Tonight’s troubleshooting tidbit – I deployed VMware Aria Automation, started doing some automation, and ran into an issue where the Remote Console did not want to open; it came up with an error – “Cannot establish a remote console connection. Verify that the machine is powered on. If the server has a self-signed certificate, you might need to accept the certificate, then close and retry the connection.”

  1. SSH into one vRA virtual appliance in the cluster
  2. Edit the provisioning service deployment by running the following command: kubectl -n prelude edit deployment provisioning-service-app
  3. In the JAVA_OPTS list, set the following property to false: -Denable.remote-console-proxy=false

Here you will see the original screenshot with -Denable.remote-console-proxy=true; in the next screenshot we switch it to false

-Denable.remote-console-proxy=false

After you save with wq!, go back to the main SSH session. What I did was execute the command watch kubectl get pods -n prelude, which allowed me to verify and watch that there were no errors during startup.


Deploying VMware NSX Advanced Load Balancer

by Tommy Grot May 3, 2023

Today’s topic is VMware NSX Advanced Load Balancer (AVI). We will walk through the steps of deploying an NSX ALB overlaid on top of your NSX environment.

Features

  • Multi-Cloud Consistency – Simplify administration with centralized policies and operational consistency
  • Pervasive Analytics – Gain unprecedented insights with application performance monitoring and security
  • Full Lifecycle Automation – Free teams from manual tasks with application delivery automation
  • Future Proof – Extend application services seamlessly to cloud-native and containerized applications

More information at VMware’s site here

What You Will Need:

  • A Configured and running NSX Environment
  • NSX ALB Controller OVA (controller-22.1.3-9096.ova)
  • Supported Avi controller versions: 20.1.7, 21.1.2 or later versions
  • Obtain IP addresses needed to install an appliance:
    • Virtual IP of NSX Advanced Load Balancer appliance cluster
    • Management IP address
    • Management gateway IP address
    • DNS server IP address
  • Cluster VIP and all controllers management network must be in same subnet.

Let's start with deploying the controller OVF

I like to keep names neat and consistent; I utilized the following names:

Virtual Machine Names:
  • nsx-alb-01
  • nsx-alb-02
  • nsx-alb-03

You need a total of 3 Controllers deployed to create a highly available NSX ALB.

Click Ignore All, or you will get the error shown below

Select your datastore ->

Click Next ->

My DNS Records:

  • nsx-alb-01.virtualbytes.io
  • nsx-alb-02.virtualbytes.io
  • nsx-alb-03.virtualbytes.io

We are deploying!

Access your first appliance via its FQDN that you have set in the steps above.

Create your password for local admin account

Create your passphrase, and your DNS resolvers, and DNS Search Domains.

Skip SMTP if not needed, but if you need a mail server please fill out your required SMTP IP and Port

  • Service Engines are managed within the tenant context, not shared across tenants to enable the Tenant Context Mode.
  • Service Engines are managed within the provider context, shared across tenants to enable the Provider Context Mode.

That is it for the initial deployment, next we will add our other 2 additional NSX ALB nodes for HA setup.

Go to Administration -> Controller -> Nodes

Click Edit ->

For your 2 additional NSX ALB nodes you will need to provide an IP Address and hostname and password.

Sample of what it should look like for all 3 ALB appliances

A simple topology of what we have deployed.

That is it! From now on you can configure NSX-ALB for whatever use case you will use it for. A future blog post will go through how to set up an NSX-T Cloud.

Licensing Flavors – If you click on the little cog icon next to Licensing, you will see the different tiers.

Different license tiers that are a part of the NSX-ALB licensing model.


VMware Cloud Director 10.4.X & Terraform Automation Part 2

by Tommy Grot April 13, 2023

Tonight’s multi-post is about VMware Cloud Director 10.4.x and Terraform!

With Terraform there are endless possibilities, creating a virtual data center and being able to tailor to your liking and keeping it in an automated deployment. In this multi-part blog post we will get into VCD and Terraform Infrastructure as Code automation. If you would like to see what we did in Part 1, here is the previous post – VMware Cloud Director 10.4.X & Terraform Automation Part 1

What You will Need:

  • A Linux VM to execute Terraform from
  • Latest Terraform Provider (I am using beta 3.9.0-beta.2 )
  • Gitlab / Code Repo (Optional to store your code)
  • VMware Cloud Director with NSX-T Integrated already
  • Local Account with Provider Permissions on VCD (mine is terraform)

Let's Begin!

First, we will add on to the existing Terraform automation that we started in Part 1 of this multi-part blog. Below is the provider information for reference.

terraform {
  required_providers {
    vcd = {
      source  = "vmware/vcd"
      version = "3.9.0-beta.2"
    }
  }
}

provider "vcd" {
  url                  = "https://cloud.virtualbytes.io/api"
  org                  = "system"
  user                 = "terraform"
  password             = "VMware1!"
  auth_type            = "integrated"
  max_retry_timeout    = 60
  allow_unverified_ssl = true
}

Next, we will add Data Center Groups to our Terraform template. Here we create a virtual data center group that can span multiple organizations if need be; for this demonstration, I am using a DCG for Distributed Firewall purposes.

#### Create VDC Org Group 

resource "vcd_vdc_group" "demo-vdc-group" {
  depends_on = [vcd_org_vdc.demo-org-10]
  org                   = "demo-org-10"
  name                  = "demo-vdc-group"
  description           = "Demo Data Center Group"
  starting_vdc_id       = vcd_org_vdc.demo-org-10.id
  participating_vdc_ids = [vcd_org_vdc.demo-org-10.id]
  dfw_enabled           = true
  default_policy_status = true
}

The next code snippet configures the Data Center Group firewall, changing it from Internal-to-Internal with Drop to Any-to-Any with Allow; by default, the configuration keeps the Internal DFW rule.

##### DFW VDC Group to Any-Any-Allow
resource "vcd_nsxt_distributed_firewall" "lab-03-pro-dfw" {
  depends_on = [vcd_org_vdc.demo-org-10]
  org = "demo-org-10"
  vdc_group_id = vcd_vdc_group.demo-vdc-group.id
  rule {
    name        = "Default_VdcGroup_demo-vdc-group"
    direction   = "IN_OUT"
    ip_protocol = "IPV4"
    source_ids = [vcd_nsxt_security_group.static_group_1.id]
    destination_ids = []
    action      = "ALLOW"
  }
}

If you want to create multiple rules within a Distributed Firewall, here are some examples. They will not be part of the code implementation.

##### Sample DFW Rule Creation
resource "vcd_nsxt_distributed_firewall" "lab-03-pro-dfw-1" {
  depends_on = [vcd_org_vdc.demo-org-10]
  org = "demo-org-10"
  vdc_group_id = vcd_vdc_group.demo-vdc-group.id
  rule {
    name        = "rule-1" # Here you will create your name for the specific firewall rule
    direction   = "IN_OUT" # One of IN, OUT, or IN_OUT. (default IN_OUT)
    ip_protocol = "IPV4"
    source_ids = []
    destination_ids = []
    action      = "ALLOW"
  }
}

Some more detailed information from the Terraform site:

Each Firewall Rule contains following attributes:

  • name – (Required) Explanatory name for firewall rule (uniqueness not enforced)
  • comment – (Optional; VCD 10.3.2+) Comment field shown in UI
  • description – (Optional) Description of firewall rule (not shown in UI)
  • direction – (Optional) One of IN, OUT, or IN_OUT. (default IN_OUT)
  • ip_protocol – (Optional) One of IPV4, IPV6, or IPV4_IPV6 (default IPV4_IPV6)
  • action – (Required) Defines if it should ALLOW, DROP, REJECT traffic. REJECT is only supported in VCD 10.2.2+
  • enabled – (Optional) Defines if the rule is enabled (default true)
  • logging – (Optional) Defines if logging for this rule is enabled (default false)
  • source_ids – (Optional) A set of source object Firewall Groups (IP Sets or Security groups). Leaving it empty matches Any (all)
  • destination_ids – (Optional) A set of destination object Firewall Groups (IP Sets or Security groups). Leaving it empty matches Any (all)
  • app_port_profile_ids – (Optional) An optional set of Application Port Profiles.
  • network_context_profile_ids – (Optional) An optional set of Network Context Profiles. Can be looked up using vcd_nsxt_network_context_profile data source.
  • source_groups_excluded – (Optional; VCD 10.3.2+) – reverses value of source_ids for the rule to match everything except specified IDs.
  • destination_groups_excluded – (Optional; VCD 10.3.2+) – reverses value of destination_ids for the rule to match everything except specified IDs.

Now that we have established firewall rules within our template, next you can create IP Sets, which are a kind of group that you can use for ACLs and integrate into firewall rules, static groups, etc!

#### Demo Org 10 IP sets
resource "vcd_nsxt_ip_set" "ipset-server-1" {
  org = "demo-org-10" # Optional

  edge_gateway_id = vcd_nsxt_edgegateway.lab-03-pro-gw-01.id

  name        = "first-ip-set"
  description = "IP Set containing IPv4 address for a server"

  ip_addresses = [
    "10.10.10.50",
  ]
}

Static Groups are another great way to assign networks and members. For this example, my Static Group consists of my domain network segment, and with this I can use the group in firewall rules.

#### Create Static Group
resource "vcd_nsxt_security_group" "static_group_1" {
  org = "demo-org-10"
  edge_gateway_id = vcd_nsxt_edgegateway.lab-03-pro-gw-01.id

  name        = "domain-network"
  description = "Security Group containing domain network"

  member_org_network_ids = [vcd_network_routed_v2.nsxt-backed-2.id]
}

###########################################################
An example of how to use a Static Group within a firewall rule.
  rule {
    name        = "domain-network" ## firewall rule name
    action      = "ALLOW"
    direction   = "IN_OUT"
    ip_protocol = "IPV4"
    # References the Static Group created above (resource label static_group_1)
    source_ids = [vcd_nsxt_security_group.static_group_1.id]
    destination_ids = [vcd_nsxt_security_group.static_group_1.id]
    logging   = true
  }
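
The sample rule with empty source_ids and destination_ids and action ALLOW permits any-to-any traffic. The block below is an added example, not part of the original post, showing a multi-rule set that scopes the allows to the Static Group and IP Set from this page and ends with a logged catch-all DROP. The resource label and rule names are hypothetical, and it assumes this one resource replaces the earlier distributed firewall resource for the same VDC group rather than sitting beside it.

```hcl
# Added example, not the author's code. The label "demo-dfw-ordered" and the
# rule names are hypothetical; every referenced object is defined on this page.
resource "vcd_nsxt_distributed_firewall" "demo-dfw-ordered" {
  depends_on   = [vcd_org_vdc.demo-org-10]
  org          = "demo-org-10"
  vdc_group_id = vcd_vdc_group.demo-vdc-group.id

  # Rule blocks are listed from most specific to least specific; the order
  # of the blocks sets rule precedence.

  # 1. Domain network members may reach the server in the IP Set.
  rule {
    name            = "allow-domain-to-server"
    direction       = "IN_OUT"
    ip_protocol     = "IPV4"
    action          = "ALLOW"
    source_ids      = [vcd_nsxt_security_group.static_group_1.id]
    destination_ids = [vcd_nsxt_ip_set.ipset-server-1.id]
  }

  # 2. Domain network members may talk to each other; logged for auditing.
  rule {
    name            = "allow-domain-internal"
    direction       = "IN_OUT"
    ip_protocol     = "IPV4"
    action          = "ALLOW"
    logging         = true
    source_ids      = [vcd_nsxt_security_group.static_group_1.id]
    destination_ids = [vcd_nsxt_security_group.static_group_1.id]
  }

  # 3. Catch-all. Empty source_ids/destination_ids match Any (all), so this
  #    drops whatever rules 1 and 2 did not allow. Logging makes the drops
  #    visible when troubleshooting or reviewing denied traffic.
  rule {
    name            = "default-drop"
    direction       = "IN_OUT"
    ip_protocol     = "IPV4_IPV6"
    action          = "DROP"
    logging         = true
    source_ids      = []
    destination_ids = []
  }
}
```

Review the result with terraform plan before applying, since a catch-all DROP affects every workload in the VDC group that the earlier rules do not cover.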

That is it for the automation for Part 2 of VMware Cloud Director! Stay Tuned for more automation!

April 13, 2023

Load Balancing VMware Cloud Director 10.4.x Cells with NSX ALB (AVI)

by Tommy Grot April 11, 2023

Topic of the Day – Load Balancing a VMware Cloud Director 10.4.x multi-cell deployment. For this deployment I am using 3 VCD Cells of the Small size (2 vCPU and 12GB; per VMware, these are not recommended specifications for a production appliance).

This walkthrough will show you how to load balance the appliances only; we are not integrating NSX ALB into VMware Cloud Director for Tenants to consume. Stay tuned for a future walkthrough for VCD and NSX ALB Integration!

What you will need:

  • Multiple VCD Appliances
  • Certificate with multiple SANs (I used my wildcard cert)
  • Certificates and Public Addresses configured already on all VCD Appliances
  • 4 DNS A Records, 1 A Record Pointing to VIP IP address of ALB VS Pool, 3 A Records for individual appliances

More information on VMware Cloud Director 10.4.1 Certificate Implementation here

Let's log in to NSX ALB, go to Virtual Services, and at the top right click “Create Virtual Service”

-> Advanced Setup

Select the NSX Cloud in which we will deploy the VIP pool

Select the VRF Context. For my deployment I used my t1-edge-01-m01-gw, which is my Tier 1 Router attached to my primary Tier-0.

Next we will configure the Virtual Service VIP for our Service Engine for ALB.

Attach the VsVIP to your Tier 1 Logical Router

Add a free Virtual IP from within your VIP Pool; it can be pre-allocated manually or assigned dynamically via IPAM. For my implementation I am setting the IP address statically.

Click Save -> Then it will take us back to the main page where we are deploying the Virtual Service

Next step we will set the Profile of our Virtual Service to the following

  • System-TCP-Proxy
  • System-L4-Application


(Side topic: VMware Cloud Director works better with a Layer 4 Load Balancer; there are issues that occur if a Layer 7 HTTP load balancer is utilized.)

Now that our Profile is set, next we will create our Pool. I named mine “VMware-Cloud-Director-Appliances-Pool”

The following settings should be set:

  • Default Server Port: 443
  • Least Connections (can use other Algorithms based on your needs)
  • Tier1 Logical Router – t1-edge01-m01-gw (this is my Tier1)
  • Servers – Created IP Address Group
  • Health Monitor
  • SSL – System-Standard, (Service Edge Client Certificate)

Any other settings will depend on your implementation.

Once all settings have been configured, hit Save and proceed to the last page, “Advanced”.

Be sure to select your Service Engine Group, or ALB will deploy it on the default group, which might cause issues.

Once the AVI Service Engine is deploying, you can go to VCD and set up Public Addresses. The prerequisites are that the VCD SSL certificates (CA-signed or self-signed) are already configured; you then just need to enable Public Addresses for the Web Portal and API.

That’s it! Very simple implementation to utilize VMware NSX Advanced Load Balancer and Load Balance VMware Cloud Director Appliances!
