For the last several months, I have been working with customers as they upgrade their SDDCs. One of the more impactful Day 2 activities that occurs during these upgrades is the updating of vCenter and NSX certificates during Phase 1. During my time as an Engineer, we would keep certificates for 3-5 years as a part of our lifecycle management as we were 100% on premises. In contrast, many cloud providers are beginning to set certificate expiration to one year. This is a faster rate of change than many who manage on-premises datacenters are accustomed to. While VMC manages these SDDC certs for you, many customers have asked me how they can continue to pull the cert expiration info so it can still be documented internally. Here is a simple OpenSSL command that can be run via GitHub. Trying something new!! FYI, this command needs to be run via a Linux VM that can access vCenter via IP or FQDN. Hope this helps some of you!!
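One way to pull and record certificate expiry from a Linux VM that can reach vCenter, as an added example (not the author's command or VMware tooling). It assumes the `openssl` CLI and GNU `date`; the function names, the 30-day warning threshold and the hostnames in the usage comment are placeholders chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: report certificate expiry for SDDC endpoints.
# Assumes the openssl CLI and GNU date (standard on a Linux VM).

# Fetch the leaf certificate an endpoint presents, as PEM on stdout.
fetch_cert() {
  local host=$1 port=${2:-443}
  openssl s_client -connect "${host}:${port}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM 2>/dev/null
}

# PEM on stdin -> whole days until notAfter.
cert_days_left() {
  local end end_epoch now
  end=$(openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
  [ -n "$end" ] || return 1   # empty: no parsable certificate (date -d "" would not fail)
  end_epoch=$(date -u -d "$end" +%s) || return 1
  now=$(date -u +%s)
  echo $(( (end_epoch - now) / 86400 ))
}

# PEM on stdin -> one record line: "<label> <STATUS> <days>d <notAfter>"
cert_report() {
  local label=$1 warn_days=${2:-30} pem days end status=OK
  pem=$(cat)
  days=$(printf '%s\n' "$pem" | cert_days_left) \
    || { echo "$label ERROR no-certificate"; return 2; }
  end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | cut -d= -f2)
  if [ "$days" -lt "$warn_days" ]; then status=WARN; fi
  # -checkend 0 exits non-zero when the certificate has already expired.
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
    status=EXPIRED
  fi
  echo "$label $status ${days}d $end"
}

# Usage (placeholder hostnames): ./cert-expiry.sh vcenter.sddc.example nsx.sddc.example
if [ "$#" -gt 0 ]; then
  for host in "$@"; do
    fetch_cert "$host" | cert_report "$host" 30
  done
fi
```

Running it on a schedule before and after a maintenance window gives a dated record of each certificate's `notAfter` value for internal documentation.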
One of the questions I am often asked is: now that I am using VMware Cloud on AWS, how do I go about managing my SDDC life cycle? The answer... VMware has you covered! As of March 2020, we have made some significant enhancements to the Notification Gateway (NGW) that give you several options to receive updates from VMware Cloud Services regarding maintenance activities such as certificate replacements and SDDC upgrades to new releases. While the NGW can be leveraged in several different areas, my preferred integrations are with Slack and Microsoft Teams. Setting up these integrations is fairly straightforward. Look no further than William Lam’s blog for details.
Even if you have Webhook integrations set up, you will still get a notification email similar to the image below letting you know when your SDDC is scheduled for an upgrade.
It is imperative that you take note of the dates and times your SDDC is scheduled for each phase. Your times will all be in the UTC timezone, so do your time conversions accordingly. When you log in to your SDDC console and go to the maintenance tab, you will see each phase listed along with recommendations for each phase.
Each phase of the SDDC is highlighted below as well as details around SDDC accessibility during the upgrade. For detailed information, read my associate Tom Twyman’s blog and the SDDC upgrade notes found here. We continue to improve upgrade processes in the background, so check back often!! There are additional considerations to make when integrating with HCX, Site Recovery and Horizon, so be sure to understand the impacts listed in the readme!! Keep in mind that during Phase 1 your vCenter certificate will be updated and the NSX certificate will be updated during Phase 3. If you have other products and services that depend on vCenter, you will need to take the proper steps to accept the new certs.
While there are time estimates for each phase, mileage may vary during the upgrade. To make things a bit easier for you, I have included a simple Excel spreadsheet to help you plan your SDDC upgrade.
After going through several customer upgrades over the past two years, my top 5 things to do are:
- Don’t forget about certificate validation afterwards!
- Plan your outages around each phase, and it is best to be conservative. Allot the full estimated time.
- Set up integrations with the NGW. While emails are nice, it has been my observation that people get too many emails these days and these notifications are often ignored. Pick a delivery method that will get your attention!
- Read the release notes as well as upgrade notes before your scheduled upgrade.
- Don’t panic! For some, giving VMware the keys to the car (SDDC) is unnerving, and they want to watch and be involved. Remember this is a service, we have you covered. Sit back and relax!