VMware has had some disruptive innovations over the past twenty years such as vMotion, Distributed Resource Scheduler (DRS), and Instant Clones to name a few. More recently, VMware released one of their innovation crowned jewels in Hybrid Cloud Extension aka HCX. HCX is an application mobility platform designed for simplifying application migration, workload rebalancing and business continuity across datacenters and clouds. I have been using VMware Cloud on AWS for quite some time and one of my biggest frustrations was not being able to seamlessly move workloads from one Software Defined Datacenter (SDDC) to another. In August of 2019, HCX released the preview for “SDDC to SDDC mobility”. I mention VMware Cloud on AWS because HCX is included with the VMWonAWS subscription and should be deployed and leveraged! For example, many VMWonAWS customers are using HCX for Cloud to Cloud (C2C) migrations as well as migrations from on-prem to cloud. HCX has many use cases as pictured below.
Last month, I demonstrated how to:
Deploy HCX in two SDDCs in two Availability Zones
Create a Site Pair
Create a Service Mesh
Deploy HCX IX, WAN Optimization and Network Extension
Configure Layer 2 Network Extension
Live vMotion (continuous ping across Network Extension to target SDDC)
Protect VMs via HCX
Troubleshoot Service Mesh deployments including redeploy of appliances
For more info regarding HCX you can go to the product page here and refer to my previous post. Enjoy!!!!
For those of you who are ready to deploy your first Software Defined Data Center (SDDC) on VMware Cloud on AWS, there is a little bit more than meets the eye when it comes to the initial deployment. As a part of the VMware TAM Lab series, I demonstrate how to deploy an SDDC from start to finish, including the configuration of the VPC in AWS.
**SHAMELESS PLUG** – Subscribe to the TAM Lab YouTube channel. We are covering all VMware Technologies and use cases….including how to go about building your own home lab. Check it out!!!
Lately, I’ve been asked by peers and customers alike “How can I learn more about VMware Cloud on AWS?!” Many of us are finding ourselves in front of screens much more than normal these days so what better way to fill in some time gaps than by learning more about VMware Cloud on AWS and HCX?! While search engines are helpful, I hope my “definitive list” helps!!! If you need more, feel free to reach out!!! Happy Learning!!!
I have been using this feature of NSX heavily as of late so I wanted to highlight the power and flexibility of inventory groups that allow you to configure firewall rules that best fit your organization. The grouping of VMs and network services within VMware Cloud on AWS allows you put VMs that have common characteristics such as databases, web servers, operating systems, IP addresses and tags together to more easily publish firewall rules. By default, VMware Cloud on AWS creates two primary management groups and a service inventory when the SDDC is created. The two “parent groups” as I will call them are the Management Group and Workload Group respectively. The Management groups are system defined groups of infrastructure components such as ESX hosts, vCenter, NSX Manager or any other management appliances such as HCX. Workload groups are user defined groups of Virtual Machines or IP addresses.
As you can see above, I added sub groups to the Workload Group based on function (Web, SQL, etc.). Recently, I have been testing the Membership Criteria option as this feature leverages tags and can also group based on Virtual Machine names that contain or start with a defined string. To add a new group, select Add Group, name your group, and then choose one of three membership types, Virtual Machine, IP Address or Membership Criteria. For this example, I used Membership Criteria. Once Membership Criteria is selected, pick the member VMs based on one of the two criteria (VM Name or Tag). For VM name you can choose contains or equals to categorize your VM grouping. The tag criteria can only be leveraged by having the tag name be equal to the VM(s) that is defined. In order to leverage the tag membership criteria, the the VM must be already tagged.
**Public Service Announcement** vCenter Tags and Attributes are NOT manifest in Networking & Security in the SDDC. These tags can only be added via Virtual Machines under Networking & Security > Inventory > Groups > Virtual Machines. Right click on the VM, select Edit and add your tag.
For the sake of this blog, I have created several VMs with different names but the same tag to show how tagging is leveraged.
Once VMs are tagged correctly, verify tagging is working by going to the Workload Groups by selecting the group > View Members.
Now that VMs are properly grouped and tagged, Compute Gateway rules can now be configured and published. Go to Networking & Security > Compute Gateway > Add New Rule > Name the rule and select your source and destination. You should see your newly created group in the selection.
To verify that the rule is applied correctly, go to Networking & Security > Inventory > Groups > Workload Groups > Select the group that was added to the edge firewall rule > Select View Reference.
Below is a demo showing how VMs (tagged “Web”) on different Network segments can all access the internet with one rule.
If you are reading this then you probably already have an understanding how fast Amazon Web Services rolls out new features and services. It’s impossible to know everything about AWS and I definitely struggled in my preparation for this exam. I set out to get certified almost two years ago but simply never could find the best time to take it. Truth be told, after rescheduling three times in 2018, I let my test expiration lapse because I literally didn’t have time to sit for it. In 2019 I was determined to pass the Solution Architect Associate exam as my 2018 failure was hovering over me like a black cloud. I am excited and relieved that I recently passed and I want to pass along some tips for those of you who want to be a certified AWS Solutions Architect. **Once I set a test date, I prepped for about six weeks.**
Leverage AWS Free Tier – This exam was not easy for me as I spend over 90% of my time with VMware solutions and all my AWS exposure was after hours. That being said, leveraging the AWS Free Tier proved to be a lifesaver when preparing for the exam. There are some things that you will use in practice labs that may cost a few dollars but every cent is worth it. You will need hands on experience setting up S3, EC2, and VPC from scratch. The free tier makes it all possible with next to zero dollars in cost. My advice….look at as an investment.
A Cloud Guru – Ryan Kroonenburg and team have done all of us a great service in making several AWS constructs easy to understand. The cost was well worth it. I didn’t get a membership but did purchase the AWS Certified Architect Associate course. I reviewed each session twice and went through the VPC, S3, Databases, and HA Architecture content several times. Make sure you understand all the labs!! I went through the practice tests as well but I didn’t quite find them deep enough to help me prepare. I had to find another test prep course…Whizlabs!
Whizlabs! – I can confidently say that without Whizlabs AWS Practice Tests , I would not have passed the exam. Whizlabs provides great content that is similar to the exam and detailed explanations to each test question. I purchased the practice exam questions for under $10 at Udemy. As a matter of fact, they are having their Black Friday sale right now! DON’T TEST PREP WITHOUT IT!!!
AWS.com FAQs – For S3, EC2 also read all about Database Services. There will be some questions that come straight out of the FAQs.
AWS Certified SA Official Study Guide– I wouldn’t say this is a must have but for those of you who like having something physical in your hand to study, this will do the trick. I found some of the diagrams and summaries helpful.
Architecting on AWS – This three day course helped me with better understanding AWS concepts and best practices. I don’t view this as a must but it was well worth my time.
Practice, Practice, Practice – Understand the exam format helped me prepare. You will have plenty of time to answer all 65 questions if you practice beforehand. Understanding the concepts around VPCs and networking is a must. Also know RDS and DynamoDB inside out!!
As the VMware-AWS partnership continues to grow, it’s important for both companies to understand each others’ services. This exam was on the tough side but I felt well prepared by the time I sat for it. Preparing for this exam has definitely helped me in conversations with customers as they not only move vSphere workloads to VMware Cloud on AWS but also look for ways to innovate with AWS native services such as S3, RDS, Lambda and more. I highly recommended getting this certification. It’s well worth it!! Good luck in your studies and feel free to reach out to me if you have questions via Twitter @vSeanLambert or reply to this blog!
This is part two of my blog on how to leverage Microsoft Active Directory as an Identity Source and have AD replicate between two VMware Cloud on AWS SDDCs. Now that I have Active Directory running in US East, I will setup a route based VPN between my US East SDDC and US West SDDC. For my lab, I am using a Route Based VPN to replicate Active Directory Traffic. To add Route Based VPNs to both SDDCs, take note of your SDDC Public IPs on your Management Networks, determine what you want your Autonomous System Numbers (ASN) to be, and determine your IPs for both BGP local IPs. To keep the BGP IP scheme simple, I chose 169.254.x.x/30 to only allow for two available IP addresses. FYI, There are two different number ranges for Public and Private ASN numbers. Public is 1-64,511 and Private is 64,512-65,535. Route based VPN makes things simple in this scenario since we are leveraging Border Gateway Protocol (BGP) where both SDDCs are able to exchange routes and leverage BGP peering. For a deeper dive into BGP peering specifically around AWS Direct Connect and VMware Cloud on AWS, check out Nico Vibert’s Blog. It will not disappoint!
Once you have the ASN and SDDC Public IP information, you can add your route based VPN by going to Networking & Security tab -> Network -> VPN -> Route Based -> “Add VPN”. For my lab, I have kept all the defaults for the tunnel and IKE settings. You may need to make changes here based on your security requirements. You must, however, select a pre shared key that will be used for both VPN connections to establish a secure connection. I have also left the Remote Private IP field blank. Once you click “Save”, you will see the status of the VPN and BGP Remote IP go to a yellow status as the negotiations take place. If successful, you should see both Remote BGP IP and VPN status turn green.
The next step in the process is to deploy a second Domain controller inside the second SDDC. Before you can promote the second DC, you need to first deploy a Windows Server VM in SDDC #2. Once the VM is deployed, you will then need to establish two-way communication across the VPN tunnel to be able to add the Windows Server to the domain and promote it. Although the VPN is up, you still need to configure additional Gateway Firewall rules in order for Domain Controllers to talk to each other across networks. Go back to Networking & Security -> Security -> Gateway Firewall -> Compute Gateway -> Add New Rule. For two-way communication, add two rules that allow traffic to and from the Domain Controller. Make sure that you have this traffic go over the VPN Tunnel Interface and NOT the Internet Interface. Make these rules for both SDDCs.
Before promoting your soon-to-be Domain Controller, make sure you can ping across the VPN via IP and DNS FQDN. The next step in the process is to deploy a second Domain Controller inside SDDC #2. I will not go through the process in this blog but the steps are similar to setting up the first DC in that you need to promote the server to a Domain Controller. There are several blogs out there on how to do this but here’s one just in case. Once added, you can verify Active Directory is syncing across SDDCs and Domain Controllers by running “repadmin /replsummary” via the Command Prompt. You can now add users, GPOs, etc to either side and both SDDCs will have the same info. To take things even further, add your new Domain Controller as an identity source to the new SDDC. This will allow users to login to either vCenter as long as they have an account on the domain. If you missed my blog on setting up AD as an identity source with VMWonAWS, click here.
In a previous blog, I highlighted Workload profiles and how they should be used in right sizing your VMWonAWS environment. Since my last blog, the sizer has been updated not only with a new URL but with several new features. One of which is that you can now choose either i3 or R5 instances depending on your workload needs. You will notice that when you select an r5 instance, you are automatically assigned 15 TB of AWS Elastic Block Storage (EBS) aka Elastic VSAN. For more information regarding Elastic VSAN, click here.
Similar to the previous version, you will be able to see the results of your workload inputs. Another new feature is ribbon across the top that allows you get into the data!! Information is key when sizing your environment and this section of the sizer gives you everything you need.
As a part of the recommendation, you can see below that the sizer has identified my SDDC to be storage bound due to my storage requirements. This gives me a good idea where I will need to grow going forward.
With the continued interest and adoption of VMware Cloud on AWS come two topics that always come to the forefront once you get passed how cool it is…..HOW MUCH DO I NEED? and HOW MUCH IS IT GOING TO COST?! To get the full picture, you will need to capture the details of your environment. There are several tools available and luckily enough, Bill Roth from VMware highlighted these tools in a blog a few weeks ago. In addition to his mention of RVTools, which is very popular, I would also encourage you to reach out to your….shameless plug…VMware Technical Account Manager. They have an additional toolset that can help you right-size the environment. Take a test drive and size today!!
This blog entry is a bit on the personal side but I hope it will help those who are feeling overwhelmed with life whether it be personally or professionally. Like most, I have been dealt some pretty bad hands throughout the years. Actually, the entire deck of cards has been filled with Jokers at times. Several years ago a mentor of mine reminded me to always have an “eternal perspective” and that most things don’t lasts forever. While this is true, I’ve found it difficult to keep that perspective when I’m in the thick of it. Life happens. Things break, relationships fail, you get passed up for a promotion, you don’t get the job you want, on and on it goes until you question your circumstances and how can you escape?!
A month ago, one of my children reminded me of a core life principal I was taught long ago. Just make it to the next cone……aka “win the day”. To provide a bit more context, every July 4th, Provo, UT has the Freedom Run where individuals and families enter in a 1 mile, 5K or 10K race followed by a parade down University Ave. This year, my youngest son wanted to run a race so we signed him up for the mile. At packet pickup, he was stoked to get his bib and SWAG bag and couldn’t wait to get on the course the next morning (EARLY the next morning)! Once the gun sounded to start the race, he took off like a shot even though I recommended he slow down and pace himself. No more than 2/10 of a mile had passed when it began…”I so tired”, “I can’t do this”, “this is too hard”, “can we stop?!” One of the guiding principles at the Lambert House is “if you start something, you finish…don’t quit”. As I was trying to not push my five year to the point of tears, I looked up and saw a bright orange traffic cone in the distance and it hit me! “Hey see that cone up there?! Run to that cone and touch it!” He ran and touched it. “Ok, you see that other cone ahead? Go touch it!”. Once again he ran and touched it. Whether it was a cone or a tree along the rest of the course, he worked on just getting to the next stop.
After 14 minutes and several seconds, my son had finished something he said he couldn’t do. FINISH!!
Life is tough. Social media is great for many things but I personally think Facebook, Twitter, Instagram, make it way too easy for us to compare ourselves to others and we are left feeling inadequate in some ways. For me, I’ve been in IT for 15 years and some days I feel like I’m being passed by like I’m standing still. There are so many smart and talented people at VMware and our partners that I find it hard to keep up. I’ve failed at becoming a vExpert (finally made it this past year though!), failed certifications, failed at maintaining customer relationships, etc. However, I’ve had my share of successes to! To those who are struggling to keep up and/or find their place in the ever changing world of IT….or just life in general…take a step back! Take time to reflect and see what you HAVE accomplished…then ask yourself what you want to do next. Decide what you want that next cone to be and got for it! Then repeat over and over. Before you know it, like my son, you will have reached your BHAG (Big Hairy Audacious Goal)!!!
For years I have been Window (see what I did there) shopping Intel NUC, HP Microservers, Mac minis, and others to setup my home lab v 2.0. However, with the onslaught of Cloud Services, I continue to balk at the thought of dropping thousands of dollars every few years for new hardware, as well as the electric bill and management overhead that comes with it. With VMware Cloud on AWS, I wanted to see how I could create a lab environment and continue to use Active Directory for vCenter authentication. Due to not having an vCenter on prem, Hybrid Linked Mode (HLM) wasn’t an option for an identity source. VMware has existing documentation where you can see the options for Identity Sources. This blog will walk you through the setup and configuration steps I took to get AD working within VMWonAWS vCenter. Like with all things in Public Cloud, it’s critical to have your networking straight before you begin adding subnets, etc.
Create your subnet via SDDC > Networking & Security > Network > Segments > Add Segment
Login to vCenter with the cloudadmin account. We can see the network segment is added in vCenter. Note that we cannot add networks from vCenter. We must use the SDDC Console to add logical networks
One of the great things about vSphere 6.7 and later is the additional functionality built into the Content Library. I have already loaded several OVF Templates and will deploy my Domain Controller from a Win2016 Std OVF template. For more content library goodness, check out William Lam’s blog here. I’m a huge fan and I recommend you use Content Libraries!!
During OVF deployment, place the VM on the correct network
With the Network Segment selected and IP assigned, the new Domain Controller will be able to communicate with the SDDC vCenter after a few more configurations.
Now that we have the DC on the proper network segment, we need to allow traffic to flow between the SDDC Management Gateway and the DC. To do this we need to create a Management Group. This is done by going to the SDDC Console > Networking & Security > Inventory > Groups > Management Group > Add Group. Add your domain controller to the Management Group with its assigned IP.
Once the Management Group assignment has been configured, we can now add a Gateway firewall rule to allow the domain controller to talk to the SDDC vCenter. To enable communication, go to SDDC Console > Networking & Security > Gateway Firewall > Management Gateway > Add New Rule. This is where adding the user defined group comes into play as we need to be able to select the group to add as the destination for the firewall rule.
We now need to allow communication via the DNS settings on the management gateway. We must remove the default DNS settings and add the domain controller(s) IPs so LDAP/AD can communicate with the SDDC vCenter. If we don’t change the IPs from default, we will get an LDAP error that the URL cannot be reached. Here’s a video that ties together the final piece of adding the DNS server and assigning the GlobalCloudAdmin role to the user I want to login to vCenter with the s2c.local domain credentials. In addition, you can read Nico Vibert’s blog that shows how to use AWS Directory Services as an identity source. Enjoy!!
re:Invent 2018 was a week full of exciting announcements that kept me running from one session to another as well as took me out of my comfort zone as a technologist. There was so much going on that it was difficult to digest every session let alone keep up with all of the services and industries that AWS is in. However, these are my takeaways…..
The AWS-VMware partnership runs deep! As previously mentioned, VMware CEO Pat Gelsinger was the only other CEO to join Andy Jassey on stage during his keynote where they announced AWS Outposts. I’m excited to see how customers use the service and the use cases behind them. In addition to the keynote, the VMware Code booth was busy from opening to close as we covered IoT (Raspberry Pi with sensors), Wavefront, VMware Cloud on AWS, and more. It was great to see so much activity and help customers realize that VMware is heavily invested in the cloud and can bring immediate value as customers continue to develop their cloud strategy.
If you haven’t heard the words, Artificial Intelligence, Machine Learning, Deep Learning, Reinforced Learning, or Neural Networks….you WILL!! With services like SageMaker, RoboMaker, DeepRacer, DeepLens, Polly and more, intelligent software is here. From a VMware standpoint, we changed the SDDC acronym at VMworld 2018 from Software Driven Data Center to the Self Driving Data Center as we are working to build intelligent software in products such as vRealize Operations, NSX Data Center, and AppDefense as well as services like NSX Cloud and VMware Cloud on AWS. I would advise everyone to get a base understanding of AI and ML. It will benefit you greatly as skills will need to shift due to learning being built into software. I personally believe that things such as host and server configurations will be a thing of the past. Infrastructure as code is here and we all must learn to adapt. I recommend picking up Prediction Machines: The Simple Economics of Artifical Intelligence by Ajay Argwal, Joshua Gans, and Avi Goldfarb.
Get outside your comfort zone! re:Invent hosts some of the smartest people I have ever been around. re:Invent is not the time to keep to yourself and only bounce from session to session. Go see the exhibit halls, demo booths and more. Although you may get your badge scanned countless times and receive pointless swag, you may come away with some valuable connections and insight. Take this amazing opportunity to grow your professional network!
There is too much to learn in one week! Consider re:Invent a conference that you will never be able to attend every session you want. The sheer scale of this event makes getting to everything impossible. However, with YouTube at your fingertips, you have an opportunity to review sessions you attended as well as see some you may have missed.
I know this post is a little late. I have been wanting to post this for some time. re:Invent was awesome and I can’t wait to attend next year!