Category Archives: cloud

Native AWS VPC Connecting to VMware Cloud on AWS (Part 1) – Native VPC Connectivity via VPN

With the release of VMware Cloud on AWS 1.12, we delivered additional connectivity options with the addition of Transit Connect (VMware-managed AWS Transit Gateway). Over the past few weeks, I have been working on a project that has specific success criteria as well as challenges that prevent certain connectivity options, so I thought the best way to show how we got around the issue was to walk through what we did, as Transit Connect and AWS Direct Connect were out of scope. The plan is to have this be a multiple-part blog series that details how to set up and test a route-based VPN, attach to native AWS EC2 workloads via ENI in the VMC VPC, and leverage a Transit Connect that makes connectivity easier to configure, manage and maintain. The diagram below is the overall architecture for those already leveraging AWS native services via a Direct Connect and Transit Gateway but who can only connect to VMC via IPsec VPN for certain reasons (shout out to fellow VMC Architect Will Lin for the assist!). While Direct Connect provides much better speeds and feeds, you may still be able to accomplish what you need depending on your application requirements.

STEP 1: To get things started, we need to either identify or create a VPC that we want to communicate with the VMware Cloud on AWS SDDC. If you already have a VPC configured you can skip to Step 2. To create a new VPC, log into your AWS account and go to Services > VPC > Create VPC. Similar to creating your VMC SDDC, it is paramount that you plan your CIDR range appropriately so you can assign subnetting correctly based on what you are trying to accomplish. ** Make sure you are selecting the correct AWS Region based on your requirements! **

Next, create a subnet that you will assign to the VPC. This is why understanding the CIDR ranges is important as you cannot have any overlap between your VPC CIDR and VPC subnets so keep that in mind as you build things out.

Creating a subnet assigned to the AWS VPC

Step 2: Deploy an AWS Transit Gateway (TGW). For reference, an AWS Transit Gateway connects VPCs and on-premises networks through a central hub. Keep in mind the default ASN number for the AWS TGW is 64512. If you are going to use an existing TGW, get the correct number from your team. For the sake of this blog, I set up the TGW with all the default settings.

Step 3: Create a Customer Gateway (CGW). A CGW is a resource that you create in AWS that represents the customer gateway device in your on-premises network, or VMC in this situation.

In order to configure the CGW, you need to enter the VPN Public IP listed in the Networking & Security section of the SDDC console.

Step 4: With your transit and customer gateways configured, it’s time to create the VPN connection from the AWS side. Go to Services > VPC > Site-to-Site VPN Connections > Create VPN Connection. Name the VPN connection, select “Transit Gateway” as the gateway type and add your CGW. Take note that you can also create a new CGW here if you didn’t as a part of the previous steps. We want to set the routing options to dynamic so we can take advantage of BGP. My personal preference is to define the CIDR myself; per AWS documentation, this needs to be a /30 within a certain range. I also created a basic preshared key rather than have AWS create the key randomly.

AWS VPN Configuration

Step 5: Download the VPN configuration as a generic file. This is where you can validate the configuration and use it for configuring the VPN from the VMware Cloud SDDC Console.

Step 6: Configure the VPN on the SDDC. Go to the VMC SDDC Console > Networking & Security > VPN > Route Based > Add VPN. Here you want to take the Virtual Private Gateway Outside IP and enter that into the Remote Public IP field. Take the Customer Gateway Inside IP Address and enter that number as the BGP Local IP. Next, take the Virtual Private Gateway Inside IP and enter that into the BGP Remote IP field. All that’s left is to enter the BGP ASN number that you configured earlier as a part of the TGW creation. It should also be listed in the config file you downloaded. If all numbers are correct, you should see the VPN Tunnel and BGP come up in a matter of minutes! If the VPN comes up and BGP does not, check your IPs and ASN numbers. Additional help can also be found here!!!!
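The configuration file from Step 5 feeds the form in Step 6, and most “tunnel up, BGP down” cases come down to a mis-copied address or ASN. As an added example that is not part of this post, here is a small Python helper that parses a generic configuration download (the sample file and its field labels are constructed from my recollection of the AWS generic format; adjust the regexes if yours differs), maps the values onto the SDDC fields named above, and checks the inside /30s, the ASN, the pre-shared key and the Step 1 CIDR plan against an assumed SDDC management CIDR.

```python
# Added example, not code from the original post: read the generic VPN configuration
# that Step 5 downloads from AWS, derive the values Step 6 enters in the SDDC console,
# and run the checks worth doing before BGP stays down and you start guessing.
# Assumptions (mine): field labels follow the AWS "Generic" vendor download as I know
# it (adjust the regexes if yours differs); the sample file, VPC CIDRs and SDDC
# management CIDR are constructed; AWS's inside-CIDR and PSK rules are from its docs.
import ipaddress
import re

# Constructed excerpt of a generic VPN configuration download (tunnel 1 only).
SAMPLE_CONFIG = """\
#1: Internet Key Exchange Configuration
  - Pre-Shared Key              : example_psk_CHANGE_ME
Outside IP Addresses:
  - Customer Gateway            : 203.0.113.10
  - Virtual Private Gateway     : 198.51.100.25
Inside IP Addresses
  - Customer Gateway            : 169.254.21.2/30
  - Virtual Private Gateway     : 169.254.21.1/30
#4: Border Gateway Protocol (BGP) Configuration
  - Customer Gateway ASN        : 65010
  - Virtual Private Gateway ASN : 64512
"""
# /30s in 169.254.0.0/16 that AWS reserves and rejects as tunnel inside CIDRs.
RESERVED_INSIDE = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}

def _field(text, label):
    """Value after '- <label> : ' on the first matching line, or None."""
    m = re.search(r"^\s*-\s*" + re.escape(label) + r"\s*:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def parse_generic_config(config):
    """Pull the tunnel-1 addresses, ASNs and PSK out of the generic download."""
    outside, inside = config.split("Outside IP Addresses")[1].split("Inside IP Addresses")
    return {
        "psk": _field(config, "Pre-Shared Key"),
        "vgw_outside": _field(outside, "Virtual Private Gateway"),
        "cgw_inside": _field(inside, "Customer Gateway"),
        "vgw_inside": _field(inside, "Virtual Private Gateway"),
        "cgw_asn": int(_field(config, "Customer Gateway ASN")),
        "vgw_asn": int(_field(config, "Virtual Private Gateway ASN")),
    }

def sddc_vpn_fields(parsed):
    """Map AWS names onto the SDDC console's route-based 'Add VPN' form (Step 6).
    The local IP keeps its /30: the console field takes address plus prefix length."""
    return {
        "Remote Public IP": parsed["vgw_outside"],
        "BGP Local IP": parsed["cgw_inside"],
        "BGP Remote IP": parsed["vgw_inside"].split("/")[0],
        "Remote BGP ASN": parsed["vgw_asn"],
        "Preshared Key": parsed["psk"],
    }

def check_plan(parsed, vpc_cidr, vpc_subnets, sddc_mgmt_cidr, tgw_asn=64512):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    link_local = ipaddress.ip_network("169.254.0.0/16")
    cgw, vgw = (ipaddress.ip_interface(parsed[k]) for k in ("cgw_inside", "vgw_inside"))
    for iface in (cgw, vgw):
        if iface.network.prefixlen != 30 or not iface.network.subnet_of(link_local):
            problems.append(f"inside address {iface} is not a /30 inside 169.254.0.0/16")
        elif iface.network in RESERVED_INSIDE:
            problems.append(f"inside address {iface} uses an AWS-reserved inside CIDR")
    if cgw.network != vgw.network:
        problems.append("BGP local and remote IPs are not on the same /30")
    if parsed["vgw_asn"] != tgw_asn:
        problems.append(f"config ASN {parsed['vgw_asn']} differs from TGW ASN {tgw_asn}")
    # PSK rule: 8-64 characters, alphanumerics '.' and '_' only, may not start with 0.
    if not re.fullmatch(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}", parsed["psk"] or ""):
        problems.append("pre-shared key violates the AWS length/character rules")
    # Step 1 planning: subnets sit inside the VPC CIDR and nothing overlaps the SDDC.
    vpc, mgmt = ipaddress.ip_network(vpc_cidr), ipaddress.ip_network(sddc_mgmt_cidr)
    if vpc.overlaps(mgmt):
        problems.append(f"VPC CIDR {vpc} overlaps the SDDC management CIDR {mgmt}")
    for cidr in vpc_subnets:
        subnet = ipaddress.ip_network(cidr)
        if not subnet.subnet_of(vpc):
            problems.append(f"subnet {subnet} lies outside VPC CIDR {vpc}")
        if subnet.overlaps(mgmt):
            problems.append(f"subnet {subnet} overlaps the SDDC management CIDR {mgmt}")
    return problems
```

Run `check_plan(parse_generic_config(open("vpn.txt").read()), vpc_cidr, subnets, sddc_cidr)` against your own download; an empty list means the values you are about to type into the console are at least internally consistent.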

You now have a working VPN from AWS to VMC!!! While the tunnel is up, there is more work to do before you can fully test traffic. In Part 2 I will cover routing tables and SDDC Gateway rules to enable two-way communication. Stay tuned!!!!

Same Place, New Beginnings!


A few months ago, I decided to take a calculated risk and explore other roles within VMware. Up to this point in my career, a new role meant moving on from the organization as well. The experience of moving within a company the size of VMware is a bit different and while I will miss the customers and team interactions, I am excited for my new role as a Cloud Solutions Architect!

I have dedicated much of my free time over the past four years to all things “cloud” and it has opened several doors of opportunity, which has ultimately led to me filling this role. In working with enterprise customers, there is an appetite to get out of managing datacenters and shift focus to creating applications that differentiate themselves from the competition. Enterprises no longer want to maintain their monitoring, alerting, and backup tools, and are thus shifting to a Software as a Service (SaaS) model. I’m passionate about helping others succeed. This role allows me to work with customers who want to better understand what “cloud” means to them and how VMware can help them realize (see what I did there?…sorry Dad joke) their business and IT outcomes.

On a personal note, I have worked with a few mentors over the past 18 months who have challenged me to push even further outside of my comfort zone, which has been unsettling at times, but I have found that doing so helps me to stay sharp and push myself to do things differently. For those looking to change it up as well, I recommend the following:

  • Follow Your Passion. No use in doing things you don’t enjoy.
  • Take time to assess where you are and where you want to be.
  • It’s ok to say “No”. I was fortunate enough to receive a few offers on this journey but I had to follow my passion even though some of the offers were fantastic opportunities.
  • Be open with your management. Management should be there to help you achieve your goals, if they are not supporting you…..it’s time to move on anyway!!
  • You are going to need to put in some effort after hours if you want to change directions.
  • Ask for help

I’m looking forward to the next chapter and even more opportunities to talk cloud with you all!

Embrace the “New Normal”

“The only constant in life is change” -Heraclitus

Being in IT for 15+ years I have seen many things change, from 3.5″ floppy discs to 64 GB microSD cards and from the Intel i486 processor to ARM Cortex-A72 processors found in Raspberry Pis. To take it a step further, my foray into IT was more of a trial by fire than a chosen profession. Back in my college days I worked for a small startup as a project manager for a call center that provided customer support and telesales. Due to our size, we all filled many roles and as we on-boarded handfuls of new reps every few weeks, yours truly was responsible for setting up PCs. That means physically setting them up to use….not configuring roaming profiles or any type of OS configuration. I mean plugging in keyboards, mice, and monitors via PS/2 and VGA connectors. I still to this day don’t know why I chose the path that I did but there was something about tearing things down and rebuilding them that piqued my interest. Due to our size and budget, there were several occasions where we cannibalized two mediocre PCs to create one that was one step above mediocre. Fast forward a few years and I’m CompTIA A+ and Network+ certified working my way towards a Microsoft Certified Systems Engineer (MCSE).

Why do I bring this all up? First, the best way to further your IT career is to be curious. Second, as I have been working with several enterprise and commercial customers over the past six years, I see the need for VI administrators and system administrators to rapidly expand their skill sets to remain relevant and valued within the organization.

Scripting

I will be the first to admit that I am not a developer. With a heavy Windows background, I have always preferred a GUI since reading lines of code was very foreign to me. That being said, as I grew more comfortable with system administration via Windows, I became more curious about how I could automate more of my daily tasks via scripts…enter the login.bat file for Windows user profiles! While it wasn’t exactly complex, it still gave me an entry point to learn how to automate small processes that saved me a lot of time. Hopefully most of us rely heavily on scripts and are using tools such as PowerShell. If you aren’t, you should!

With my Windows background, CLI-based operating systems such as Linux and IOS scared me to death! I had no idea how to start and the closest thing I could compare it to was MS-DOS back in my early gaming days when the original King’s Quest was released. It wasn’t until working with ESX, Cisco, and OpenBSD for customer projects that I started facing my insecurities around the CLI and discovered it wasn’t as intimidating as I once thought. While I don’t think I will ever be a developer or coder, I can unequivocally state that getting comfortable with the CLIs within ESXi and NSX is a MUST for any VI admin. My first recommendation is to head over to VMware {code} and get started with PowerCLI! Once you become more familiar with PowerCLI, don’t spend all of your time writing your own scripts. PowerCLI guru Alan Renouf has a litany of scripts that may be of benefit. He has created scripts for VMs, Storage, Hosts, reporting and more!

APIs

Working with an Application Programming Interface (API) is quickly becoming a necessary skill set for any administrator or engineer. Being able to make API calls (requests) to applications and services takes the ability to programmatically administer environments to another level. Over the past several years, VMware has worked hard to create REST (REpresentational State Transfer) APIs to allow developers and VI admins alike to better automate on several levels. In addition, there are some features of VMware services that can only be done via API or are released in the API first with the GUI following later. A full list of VMware APIs can be found here. If you come from an operations background like me, you may prefer a GUI tool to assist when getting started with APIs. I have found Postman to be beneficial. To help you get started, I have included two videos. The first is a vBrownBag session from Kyle Ruddy who walks through vSphere APIs with Postman.

The second is an introduction to VMware Cloud on AWS.

Leveraging APIs is the new normal. If you are a VMware Cloud on AWS customer, take time to dig into the Developer Center and start playing with the API explorer and Code Samples! Two more great resources for leveraging VMware APIs are Patrick Kremer and William Lam. Truth be told, if there is an API question that I can’t answer, William always seems to have it!

VMware Cloud on AWS Developer Center

I am new-ish to this way of life but really enjoy learning new skills! If you are in tech, it’s a lifetime of learning so we all should embrace it with excitement. I hope to post more about my learnings and possibly even share some code samples but until then….click through all the links above and get started!!!

Effectively Planning VMware Cloud on AWS SDDC Upgrades

One of the questions I am often asked is: now that I am using VMware Cloud on AWS, how do I go about managing my SDDC life cycle? The answer…..VMware has you covered! As of March 2020, we have made some significant enhancements to the Notification Gateway (NGW) that give you several options to receive updates from VMware Cloud Services regarding maintenance activities such as certificate replacements and SDDC upgrades to new releases. While the NGW can be leveraged in several different areas, my preferred integrations are with Slack and Microsoft Teams. Setting up these integrations is fairly straightforward. Look no further than William Lam’s blog for details.

Even if you have Webhook integrations setup, you will still get a notification email similar to the image below letting you know when your SDDC is scheduled for an upgrade.

Notification email from Notification Gateway detailing each phase of the SDDC upgrade.

It is imperative that you take note of the dates and times your SDDC is scheduled for each phase, as the times will all be in the UTC timezone, so do your time conversions accordingly. When you log in to your SDDC console and go to the Maintenance tab, you will see each phase listed along with recommendations for each phase.

Each phase of the SDDC is highlighted below as well as details around SDDC accessibility during the upgrade. For detailed information, read my associate Tom Twyman’s blog and the SDDC upgrade notes found here. We continue to improve upgrade processes in the background so check back often!! There are additional considerations to make when integrating with HCX, Site Recovery and Horizon so be sure to understand the impacts listed in the read me!! Keep in mind that during Phase 1 your vCenter certificate will be updated and the NSX certificate will be updated during Phase 3. If you have other products and services that depend on vCenter, you will need to take the proper steps to accept the new certs.

While there are time estimates for each phase, mileage may vary during the upgrade. To make things a bit easier for you, I have included a simple Excel spreadsheet to help you plan your SDDC upgrade.

After going through several customer upgrades over the past two years, my top 5 things to do are:

  1. Don’t forget about certificate validation afterwards!
  2. Plan your outages around each phase and best to be conservative. Allot for the full estimated time.
  3. Setup integrations with the NGW. While emails are nice, it has been my observation that people get too many emails these days and these notifications are often ignored. Pick a delivery method that will get your attention!
  4. Read the release notes as well as upgrade notes before your scheduled upgrade.
  5. Don’t panic! For some, giving VMware the keys to the car (SDDC) is unnerving, and they want to watch and be involved. Remember this is a service, we have you covered. Sit back and relax!

SDDC to SDDC HCX Migrations (C2C Migrations) Demo

VMware has had some disruptive innovations over the past twenty years such as vMotion, Distributed Resource Scheduler (DRS), and Instant Clones to name a few. More recently, VMware released one of its innovation crown jewels in Hybrid Cloud Extension, aka HCX. HCX is an application mobility platform designed for simplifying application migration, workload rebalancing and business continuity across datacenters and clouds. I have been using VMware Cloud on AWS for quite some time and one of my biggest frustrations was not being able to seamlessly move workloads from one Software Defined Datacenter (SDDC) to another. In August of 2019, HCX released the preview for “SDDC to SDDC mobility”. I mention VMware Cloud on AWS because HCX is included with the VMWonAWS subscription and should be deployed and leveraged! For example, many VMWonAWS customers are using HCX for Cloud to Cloud (C2C) migrations as well as migrations from on-prem to cloud. HCX has many use cases as pictured below.

Last month, I demonstrated how to:

  • Deploy HCX in two SDDCs in two Availability Zones
  • Create a Site Pair
  • Create a Service Mesh
  • Deploy HCX IX, WAN Optimization and Network Extension
  • Configure Layer 2 Network Extension
  • Live vMotion (continuous ping across Network Extension to target SDDC)
  • Bulk vMotion
  • Protect VMs via HCX
  • Troubleshoot Service Mesh deployments including redeploy of appliances

For more info regarding HCX you can go to the product page here and refer to my previous post. Enjoy!!!!

Deploying a VMware Cloud on AWS SDDC End to End

For those of you who are ready to deploy your first Software Defined Data Center (SDDC) on VMware Cloud on AWS, there is a little bit more than meets the eye when it comes to the initial deployment. As a part of the VMware TAM Lab series, I demonstrate how to deploy an SDDC from start to finish, including the configuration of the VPC in AWS.

**SHAMELESS PLUG** – Subscribe to the TAM Lab YouTube channel. We are covering all VMware Technologies and use cases….including how to go about building your own home lab. Check it out!!!

Dive in!!!!! Learning all about VMware Cloud on AWS and HCX

Lately, I’ve been asked by peers and customers alike “How can I learn more about VMware Cloud on AWS?!” Many of us are finding ourselves in front of screens much more than normal these days so what better way to fill in some time gaps than by learning more about VMware Cloud on AWS and HCX?! While search engines are helpful, I hope my “definitive list” helps!!! If you need more, feel free to reach out!!! Happy Learning!!!

VMware Cloud on AWS

YouTube

VMware Cloud on AWS Customer Success YouTube Channel

VMware Cloud YouTube Channel

VMware Cloud on AWS Blogs

Nico Vibert – https://nicovibert.com/

Gilles Chekroun – http://www.gilles.cloud/

Ryan Kelly – http://www.vmtocloud.com/

William Lam – https://www.virtuallyghetto.com/

Tom Twyman – https://occasional-it.com/

Dustin Spinhirne – https://dspinhirne.github.io/vmcbook/

VMware Cloud Blog – https://cloud.vmware.com/community/blog/

Community Sites

VMware Cloud on AWS Blog Community – https://cloud.vmware.com/community/vmware-cloud-on-aws/

VMTN Forum – https://communities.vmware.com/community/vmtn/vmc-on-aws/overview

VMware Cloud on AWS VMUG – https://community.vmug.com/communities/community-home169?CommunityKey=df5b4c52-4f7b-48dc-b5ad-ea0be799e128

Documentation

VMware Cloud on AWS Sizer and Workload Profiles – https://vmc.vmware.com/sizer/workload-profiles

VMware Cloud on AWS Documentation – https://docs.vmware.com/en/VMware-Cloud-on-AWS/index.html

Configuration Maximums – https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-operations/GUID-10A0804B-04F4-4B8A-9EBA-85169F533223.html

Getting Started – https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/vmc-on-aws-getting-started.pdf

Operations Guide – https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/vmc-aws-operations.pdf

Feature Walkthrough – https://featurewalkthrough.vmware.com/t/vmware-cloud-on-aws/

Hands on Labs

HOL-2052-01-ISM – VMware Horizon on VMware Cloud on AWS – https://labs.hol.vmware.com/HOL/catalogs/lab/6542

HOL-2087-01-HBD – VMware Cloud on AWS – Getting Started – https://labs.hol.vmware.com/HOL/catalogs/lab/6593

HOL-2087-91-HBD – VMware Cloud on AWS – Lightning Lab – https://labs.hol.vmware.com/HOL/catalogs/lab/6053

Hybrid Cloud Extension (HCX)

Blogs

Gabe Rosas – https://hcx.design/ THIS IS A ONE STOP SHOP FOR HCX!!!!!

Emad Younis – https://emadyounis.com/

Communities

https://cloud.vmware.com/community/vmware-hcx/

Documentation

HCX Overview – https://docs.vmware.com/en/VMware-HCX/services/user-guide/GUID-A7E39202-11FA-476A-A795-AB70BA821BD3.html

Hands on Labs

HOL-2081-01-HBD – VMware HCX – Getting Started with Cross-Cloud Mobility – https://labs.hol.vmware.com/HOL/catalogs/lab/6352

My Guide for Passing the AWS Solution Architect Associate Exam

If you are reading this then you probably already have an understanding how fast Amazon Web Services rolls out new features and services. It’s impossible to know everything about AWS and I definitely struggled in my preparation for this exam. I set out to get certified almost two years ago but simply never could find the best time to take it. Truth be told, after rescheduling three times in 2018, I let my test expiration lapse because I literally didn’t have time to sit for it. In 2019 I was determined to pass the Solution Architect Associate exam as my 2018 failure was hovering over me like a black cloud. I am excited and relieved that I recently passed and I want to pass along some tips for those of you who want to be a certified AWS Solutions Architect. **Once I set a test date, I prepped for about six weeks.**

  1. Leverage AWS Free Tier – This exam was not easy for me as I spend over 90% of my time with VMware solutions and all my AWS exposure was after hours. That being said, leveraging the AWS Free Tier proved to be a lifesaver when preparing for the exam. There are some things that you will use in practice labs that may cost a few dollars but every cent is worth it. You will need hands-on experience setting up S3, EC2, and VPC from scratch. The free tier makes it all possible with next to zero dollars in cost. My advice….look at it as an investment.
  2. A Cloud Guru – Ryan Kroonenburg and team have done all of us a great service in making several AWS constructs easy to understand. The cost was well worth it. I didn’t get a membership but did purchase the AWS Certified Architect Associate course. I reviewed each session twice and went through the VPC, S3, Databases, and HA Architecture content several times. Make sure you understand all the labs!! I went through the practice tests as well but I didn’t quite find them deep enough to help me prepare. I had to find another test prep course…Whizlabs!
  3. Whizlabs! – I can confidently say that without Whizlabs AWS Practice Tests, I would not have passed the exam. Whizlabs provides great content that is similar to the exam and detailed explanations for each test question. I purchased the practice exam questions for under $10 at Udemy. As a matter of fact, they are having their Black Friday sale right now! DON’T TEST PREP WITHOUT IT!!!
  4. AWS.com FAQs – For S3, EC2 also read all about Database Services. There will be some questions that come straight out of the FAQs.
  5. AWS Certified SA Official Study Guide – I wouldn’t say this is a must have but for those of you who like having something physical in your hand to study, this will do the trick. I found some of the diagrams and summaries helpful.
  6. Architecting on AWS – This three day course helped me with better understanding AWS concepts and best practices. I don’t view this as a must but it was well worth my time.
  7. Practice, Practice, Practice – Understanding the exam format helped me prepare. You will have plenty of time to answer all 65 questions if you practice beforehand. Understanding the concepts around VPCs and networking is a must. Also know RDS and DynamoDB inside out!!

As the VMware-AWS partnership continues to grow, it’s important for both companies to understand each other’s services. This exam was on the tough side but I felt well prepared by the time I sat for it. Preparing for this exam has definitely helped me in conversations with customers as they not only move vSphere workloads to VMware Cloud on AWS but also look for ways to innovate with AWS native services such as S3, RDS, Lambda and more. I highly recommend getting this certification. It’s well worth it!! Good luck in your studies and feel free to reach out to me if you have questions via Twitter @vSeanLambert or reply to this blog!

Bye Bye Spreadsheets! Hello (New) VMCSizer!!!! Part 2

In a previous blog, I highlighted Workload Profiles and how they should be used in right-sizing your VMWonAWS environment. Since my last blog, the sizer has been updated not only with a new URL but with several new features. One of these is that you can now choose either i3 or R5 instances depending on your workload needs. You will notice that when you select an r5 instance, you are automatically assigned 15 TB of AWS Elastic Block Storage (EBS), aka Elastic vSAN. For more information regarding Elastic vSAN, click here.

r5 instance type

Similar to the previous version, you will be able to see the results of your workload inputs. Another new feature is a ribbon across the top that allows you to get into the data!! Information is key when sizing your environment and this section of the sizer gives you everything you need.

Recommendation buttons that allow you to go deep into your data inputs and results

As a part of the recommendation, you can see below that the sizer has identified my SDDC to be storage bound due to my storage requirements. This gives me a good idea where I will need to grow going forward.

SDDC Recommendation Dashboard

With the continued interest and adoption of VMware Cloud on AWS come two topics that always come to the forefront once you get past how cool it is…..HOW MUCH DO I NEED? and HOW MUCH IS IT GOING TO COST?! To get the full picture, you will need to capture the details of your environment. There are several tools available and luckily enough, Bill Roth from VMware highlighted these tools in a blog a few weeks ago. In addition to his mention of RVTools, which is very popular, I would also encourage you to reach out to your….shameless plug…VMware Technical Account Manager. They have an additional toolset that can help you right-size the environment. Take a test drive and size today!!

VMware Cloud on AWS – Identity Access with Microsoft AD

For years I have been Window (see what I did there) shopping Intel NUC, HP Microservers, Mac minis, and others to set up my home lab v2.0. However, with the onslaught of Cloud Services, I continue to balk at the thought of dropping thousands of dollars every few years for new hardware, as well as the electric bill and management overhead that comes with it. With VMware Cloud on AWS, I wanted to see how I could create a lab environment and continue to use Active Directory for vCenter authentication. Due to not having a vCenter on-prem, Hybrid Linked Mode (HLM) wasn’t an option for an identity source. VMware has existing documentation where you can see the options for Identity Sources. This blog will walk you through the setup and configuration steps I took to get AD working within the VMWonAWS vCenter. Like with all things in Public Cloud, it’s critical to have your networking straight before you begin adding subnets, etc.

  • Create your subnet via SDDC > Networking & Security > Network > Segments > Add Segment
  • Login to vCenter with the cloudadmin account. We can see the network segment is added in vCenter. Note that we cannot add networks from vCenter. We must use the SDDC Console to add logical networks

Networking View from vCenter

One of the great things about vSphere 6.7 and later is the additional functionality built into the Content Library. I have already loaded several OVF Templates and will deploy my Domain Controller from a Win2016 Std OVF template. For more content library goodness, check out William Lam’s blog here. I’m a huge fan and I recommend you use Content Libraries!!

During OVF deployment, place the VM on the correct network

With the Network Segment selected and IP assigned, the new Domain Controller will be able to communicate with the SDDC vCenter after a few more configurations.

Now that we have the DC on the proper network segment, we need to allow traffic to flow between the SDDC Management Gateway and the DC. To do this we need to create a Management Group. This is done by going to the SDDC Console > Networking & Security > Inventory > Groups > Management Group > Add Group. Add your domain controller to the Management Group with its assigned IP.

Once the Management Group assignment has been configured, we can now add a Gateway firewall rule to allow the domain controller to talk to the SDDC vCenter. To enable communication, go to SDDC Console > Networking & Security > Gateway Firewall > Management Gateway > Add New Rule. This is where adding the user defined group comes into play as we need to be able to select the group to add as the destination for the firewall rule.

We now need to allow communication via the DNS settings on the management gateway. We must remove the default DNS settings and add the domain controller(s) IPs so LDAP/AD can communicate with the SDDC vCenter. If we don’t change the IPs from default, we will get an LDAP error that the URL cannot be reached. Here’s a video that ties together the final piece of adding the DNS server and assigning the GlobalCloudAdmin role to the user I want to login to vCenter with the s2c.local domain credentials. In addition, you can read Nico Vibert’s blog that shows how to use AWS Directory Services as an identity source. Enjoy!!