Tag Archives: VMware Cloud on AWS

VMware Cloud on AWS – SDDC to SDDC VPN and MS AD Replication

This is part two of my blog on how to leverage Microsoft Active Directory as an Identity Source and have AD replicate between two VMware Cloud on AWS SDDCs. Now that I have Active Directory running in US East, I will setup a route based VPN between my US East SDDC and US West SDDC. For my lab, I am using a Route Based VPN to replicate Active Directory Traffic. To add Route Based VPNs to both SDDCs, take note of your SDDC Public IPs on your Management Networks, determine what you want your Autonomous System Numbers (ASN) to be, and determine your IPs for both BGP local IPs. To keep the BGP IP scheme simple, I chose 169.254.x.x/30 to only allow for two available IP addresses. FYI, There are two different number ranges for Public and Private ASN numbers. Public is 1-64,511 and Private is 64,512-65,535. Route based VPN makes things simple in this scenario since we are leveraging Border Gateway Protocol (BGP) where both SDDCs are able to exchange routes and leverage BGP peering. For a deeper dive into BGP peering specifically around AWS Direct Connect and VMware Cloud on AWS, check out Nico Vibert’s Blog. It will not disappoint!

SDDC Public IP Info

Once you have the ASN and SDDC Public IP information, you can add your route based VPN by going to Networking & Security tab -> Network -> VPN -> Route Based -> “Add VPN”. For my lab, I have kept all the defaults for the tunnel and IKE settings. You may need to make changes here based on your security requirements. You must, however, select a pre shared key that will be used for both VPN connections to establish a secure connection. I have also left the Remote Private IP field blank. Once you click “Save”, you will see the status of the VPN and BGP Remote IP go to a yellow status as the negotiations take place. If successful, you should see both Remote BGP IP and VPN status turn green.

SDDC to SDDC VPN once completed

The next step in the process is to deploy a second Domain controller inside the second SDDC. Before you can promote the second DC, you need to first deploy a Windows Server VM in SDDC #2. Once the VM is deployed, you will then need to establish two-way communication across the VPN tunnel to be able to add the Windows Server to the domain and promote it. Although the VPN is up, you still need to configure additional Gateway Firewall rules in order for Domain Controllers to talk to each other across networks. Go back to Networking & Security -> Security -> Gateway Firewall -> Compute Gateway -> Add New Rule. For two-way communication, add two rules that allow traffic to and from the Domain Controller. Make sure that you have this traffic go over the VPN Tunnel Interface and NOT the Internet Interface. Make these rules for both SDDCs.

Gateway Firewall Rules for VPN Tunnel Interface

Before promoting your soon-to-be Domain Controller, make sure you can ping across the VPN via IP and DNS FQDN. The next step in the process is to deploy a second Domain Controller inside SDDC #2. I will not go through the process in this blog but the steps are similar to setting up the first DC in that you need to promote the server to a Domain Controller. There are several blogs out there on how to do this but here’s one just in case. Once added, you can verify Active Directory is syncing across SDDCs and Domain Controllers by running “repadmin /replsummary” via the Command Prompt. You can now add users, GPOs, etc to either side and both SDDCs will have the same info. To take things even further, add your new Domain Controller as an identity source to the new SDDC. This will allow users to login to either vCenter as long as they have an account on the domain. If you missed my blog on setting up AD as an identity source with VMWonAWS, click here.

VMware Cloud on AWS – Identity Access with Microsoft AD

For years I have been Window (see what I did there) shopping Intel NUC, HP Microservers, Mac minis, and others to setup my home lab v 2.0. However, with the onslaught of Cloud Services, I continue to balk at the thought of dropping thousands of dollars every few years for new hardware, as well as the electric bill and management overhead that comes with it. With VMware Cloud on AWS, I wanted to see how I could create a lab environment and continue to use Active Directory for vCenter authentication. Due to not having an vCenter on prem, Hybrid Linked Mode (HLM) wasn’t an option for an identity source. VMware has existing documentation where you can see the options for Identity Sources. This blog will walk you through the setup and configuration steps I took to get AD working within VMWonAWS vCenter. Like with all things in Public Cloud, it’s critical to have your networking straight before you begin adding subnets, etc.

  • Create your subnet via SDDC > Networking & Security > Network > Segments > Add Segment
  • Login to vCenter with the cloudadmin account.  We can see the network segment is added in vCenter. Note that we cannot add networks from vCenter. We must use the SDDC Console to add logical networks
Networking View from vCenter

One of the great things about vSphere 6.7 and later is the additional functionality built into the Content Library. I have already loaded several OVF Templates and will deploy my Domain Controller from a Win2016 Std OVF template. For more content library goodness, check out William Lam’s blog here. I’m a huge fan and I recommend you use Content Libraries!!

During OVF deployment, place the VM on the correct network

With the Network Segment selected and IP assigned, the new Domain Controller will be able to communicate with the SDDC vCenter after a few more configurations.

Now that we have the DC on the proper network segment, we need to allow traffic to flow between the SDDC Management Gateway and the DC. To do this we need to create a Management Group. This is done by going to the SDDC Console > Networking & Security > Inventory > Groups > Management Group > Add Group. Add your domain controller to the Management Group with its assigned IP.

Once the Management Group assignment has been configured, we can now add a Gateway firewall rule to allow the domain controller to talk to the SDDC vCenter. To enable communication, go to SDDC Console > Networking & Security > Gateway Firewall > Management Gateway > Add New Rule. This is where adding the user defined group comes into play as we need to be able to select the group to add as the destination for the firewall rule.

We now need to allow communication via the DNS settings on the management gateway. We must remove the default DNS settings and add the domain controller(s) IPs so LDAP/AD can communicate with the SDDC vCenter. If we don’t change the IPs from default, we will get an LDAP error that the URL cannot be reached. Here’s a video that ties together the final piece of adding the DNS server and assigning the GlobalCloudAdmin role to the user I want to login to vCenter with the s2c.local domain credentials. In addition, you can read Nico Vibert’s blog that shows how to use AWS Directory Services as an identity source. Enjoy!!

AWS re:Invent 2018 – Takeaways

re:Invent 2018 was a week full of exciting announcements that kept me running from one session to another as well as took me out of my comfort zone as a technologist. There was so much going on that it was difficult to digest every session let alone keep up with all of the services and industries that AWS is in. However, these are my takeaways…..

  1. The AWS-VMware partnership runs deep! As previously mentioned, VMware CEO Pat Gelsinger was the only other CEO to join Andy Jassey on stage during his keynote where they announced AWS Outposts. I’m excited to see how customers use the service and the use cases behind them. In addition to the keynote, the VMware Code booth was busy from opening to close as we covered IoT (Raspberry Pi with sensors), Wavefront, VMware Cloud on AWS, and more. It was great to see so much activity and help customers realize that VMware is heavily invested in the cloud and can bring immediate value as customers continue to develop their cloud strategy.
  2. If you haven’t heard the words, Artificial Intelligence, Machine Learning, Deep Learning, Reinforced Learning, or Neural Networks….you WILL!! With services like SageMaker, RoboMaker, DeepRacer, DeepLens, Polly and more, intelligent software is here. From a VMware standpoint, we changed the SDDC acronym at VMworld 2018  from Software Driven Data Center to the Self Driving Data Center as we are working to build intelligent software in products such as vRealize Operations, NSX Data Center, and AppDefense as well as services like NSX Cloud and VMware Cloud on AWS. I would advise everyone to get a base understanding of AI and ML. It will benefit you greatly as skills will need to shift due to learning being built into software. I personally believe that things such as host and server configurations will be a thing of the past. Infrastructure as code is here and we all must learn to adapt. I recommend picking up Prediction Machines: The Simple Economics of Artifical Intelligence by Ajay Argwal, Joshua Gans,  and Avi Goldfarb.
  3. Get outside your comfort zone! re:Invent hosts some of the smartest people I have ever been around. re:Invent is not the time to keep to yourself and only bounce from session to session. Go see the exhibit halls, demo booths and more. Although you may get your badge scanned countless times and receive pointless swag, you may come away with some valuable connections and insight. Take this amazing opportunity to grow your professional network!
  4. There is too much to learn in one week! Consider re:Invent a conference that you will never be able to attend every session you want. The sheer scale of this event makes getting to everything impossible. However, with YouTube at your fingertips, you have an opportunity to review sessions you attended as well as see some you may have missed.

I know this post is a little late. I have been wanting to post this for some time. re:Invent was awesome and I can’t wait to attend next year!

AWS re:Invent 2018 – Day 3

Day 3 I attended a breakfast to celebrate the great things that VMware and CloudHealth are doing with our partners and customers. I’m excited about the multi-cloud functions the service has and how it will help customers get their arms around better managing their public cloud instances from security to costs. Here’s a link to VMware CEO Pat Gelsinger and CloudHealth CEO Tom Axbey discussing the acquisition and strategy going forward. During breakfast, we watched the live steam of Andy Jassy’s keynote. The next 2.5 hours of announcements were announced at an insane pace as I struggled to keep track. Once Andy started telling the story of Hybrid Cloud, I knew something cool was coming. Low and behold, Pat Gelsinger (VMware CEO) joins him on stage to announce AWS Outposts!!! There are so many exciting things about this announcement. In a nutshell, we are letting users choose between on-premises servers and storage, which can be ordered in quarter, half, and full rack units. AWS Outposts can be upgraded with the latest hardware and next-generation instances to run all native AWS and VMware applications. A second version, VMware Cloud on AWS Outposts, will let customers use the VMware control plane and APIs to run the hybrid environment. Andy Jassy Keynote at AWS at The Venetian, Las Vegas, NV on Wednesday, Nov. 28, 2018.After the keynote, I headed back to the Expo Hall to see what kind of attention the AWS Outposts message was getting and it was fairly packed! There’s a lot of interest around this technology. Very exciting! I spend a few hours there talking to several other VMware attendees at our booth and on the floor. It was awesome to see all the customer meetings. VMware and AWS are going to continue to innovate together, that much is clear.

My last session of the day was ENT313-S Running Production Workloads in VMware Cloud on AWS. VCSA and Hybrid Cloud Extension (HCX) all-pro Emad Younis and VMWonAWS Director Alex Jauch presented. Alex and Emad focused on the deep partnership between VMware and AWS that makes this service possible. If you want to know more about use cases, how the service is built, and how to quickly migrate workloads between on-prem and VMWonAWS, look no further than this session.

Day 3 = 14,509 steps (7.18 miles)

 

AWS re:Invent 2018 – Day 2

After seeing the VMware Code Facebook and Twitter accounts blow up on Day 1, I decided to check it out for myself. I’ll admit that we have a sweet set up with a barista and tons of tech toys to play with; in the form of Raspberry Pi and various sets of sensors.  I didn’t have time to do the hands-on activities but I plan on coming back on Day 4. I spent pretty much all morning at the Code booth watching Brian Graf deliver various demos highlighting how to build hybrid applications with VMWonAWS and AWS. The coolest demo that set what hair I have left on fire was showing how to leverage various APIs with VMWonAWS with Lex and other services to use Slack to deploy a Photon VM.

Another fantastic session was an Eric Nielsen deep dive on Raspberry Pi sensors. It was packed! If you’re up for it, you can run through the lab here if you feel like going nuts.  It only takes a few dollars of capital to get started.

IMG_5148

After spending considerable time at the VMware Code booth, it was off to go really deep on AWS Direct Connect. This was great to gain a detailed understanding of what makes up Direct Connect (DX). Click on the link above to see the full session on YouTube!

Next, it was off to spend some time in the Expo Hall to do some SWAG shopping.  I was on the hunt for socks but came away with plenty of other stuff. Hopefully, our spam filters are work will block most of the email that is going to come through. I really wanted the LEGO Millennium Falcon but that will have to wait….

To end the day I went to a session on Machine Learning on AWS Storage.  There was a lot of content in this one. It’s fascinating to see how customers are leveraging data to make critical business decisions. The first half it a bit dry but there’s some good content if you want to dive in. Day 2 was a good one….14,253 steps (7.05 mi)…..using the shuttle and staying in one casino has its benefits.

IMG_5153

AWS re:Invent 2018 – Day 1

This is where things really get moving. I’m happy to say I didn’t regret gorging myself with wings the night before and was ready to hit the ground running to see re:Invent in full swing. Day 1 step count…15,308 (7.57 mi). I started off the morning by attending everyone’s favorite topic….SECURITY!!! This session was spent debunking 13 Cloud Security Myths. A few things that I already knew were reinforced. One, public clouds are more secure that on-prem data centers. Two, security should be the first thing you think about when deploying everything from applications to infrastructure. Three, if you continue to follow older security models that have been around for years, you are missing the entire point of the cloud!

 

IMG_5143IMG_5144

Next up was a two-hour workshop getting some hands-on experience with the AWS Virtual Private Cloud (VPC). VPCs are the backbone to everything AWS including VMware Cloud on AWS. Although I have taken some online classes via AWS and A Cloud Guru, it was great to spend more time setting up VPCs as it is core to understanding how AWS works. We worked in groups of six where we set up VPC peering with each other. My main takeaway….have a concrete plan for the CIDR blocks you choose for your VPCs. If you don’t plan correctly, you will have to start over. A tool given out by the architects running the session was http://subnet-calculator.org/cidr.php . Bookmark it! An added benefit to the workshop was $25 in AWS credits!

Next stop was the Expo Hall and welcome reception. Of course, the hall was massive with hundreds of booths and all the SWAG you can handle. I decided to take a look around beforehand so I knew where to get “the good stuff.” Since I’m a VMware guy, it was awesome to see us well represented we even have our newest members of the family in Heptio (met Joe Beda at the booth) and Cloud Health with booths of their own.

The last session of the day was a VMware Cloud on AWS Deep Dive with Andy Reedy and Jin Zhang. If you ever get a chance to spend time with Andy, I would recommend it. I met him two years ago at some customer meetings and he is a fantastic architect. He got into the weeds with VMWonAWS regarding the host hardware and the interconnectivity between the vSphere hosts and AWS native services. We even went into the i3 and r5 models for EBS backed VSAN. It was a great session. As I have said before, AWS and VMware have a deep partnership to make this service available. The pace of innovation is blinding! Day 2 is next!!

This slideshow requires JavaScript.

VMware Cloud on AWS Connection Options

Happy New Year!!! This is going to be an exciting year for VMware Cloud on AWS and I wanted to kick off 2018 by highlighting the way in which you are going to connect into and out of VMware Cloud on AWS.

First of all, VMware Cloud on AWS is optimized (VMware Cloud Foundation) to run on dedicated, elastic bare metal infrastructure at a very high level inside Amazon’s data centers. For security purposes, the VMware Cloud on AWS SDCC is bifurcated to the components that manage the SDDC itself such as ESXi, VSAN, NSX, and vCenter.

Here’s a simple explanation of how you can setup the connectivity framework.

The first thing you need to setup is a connection to the management components of the SDDC.  You will first need to create a Management VPN and choose a set range of IP addresses that will be used by management components such as the ESXi hosts and vCenter. This range will be in the form of a simple CIDR block. We recommend using a /20 CIDR block for management purposes. After you connect the management portion of the SDDC, you will then need to setup an IPSec VPN between your on-prem data center and management components. This VPN can be setup over the Internet or AWS Direct Connect (DirectX). After this connection is established, you can then build firewall rules on the VMware Cloud on AWS Console. With these rules you can control access to the  vCenter from your on-prem data center.

VMCMgtVPN

There is an optional connection you can setup if you need access to your vCenter Server directly from the Internet. A public IP is automatically provided during the provisioning process. It is important to note that all access to this IP is restricted. To provide access, you will need to configure firewall rules in the VMware Cloud on AWS console to allow this direct type of Internet access.

PublicAccess

The second VPN you will need to setup is between your compute workloads and your on-premise data center. Several logical networks are required to provide the IP addresses for the workloads you plan on migrating or build in VMware Cloud on AWS. This VPN secures these workloads and allows them to connect back to your on-prem data center. This can be an IPSec VPN or L2VPN. The L2VPN advantage is that you can stretch a single L3 IP space from on-prem to the cloud and is also required for live migrations. This VPN can go over the Internet or AWS DirectX. You can again create firewall rules as needed to access on-prem workloads.

ComputeVPN

The next connection is between your SDDC workloads and your Amazon VPC. This is automatically configured and built during the SDDC provisioning process. Once you select the Amazon VPC subnet that will be associated with your VMware Cloud on AWS SDDC an elastic network interface (ENI) will be created allowing traffic to flow between both environments.  In order to control security, you will need to configure AWS IAM policies as well as firewall rules on the VMware Cloud on AWS side to allow access between both. Lastly, you will likely need to give direct public internet access to some of your SDDC workloads. To make these accessible to the Internet, you will need to leverage AWS elastic IPs along with NAT and firewall configurations to allow this type of access.

ENI

That’s it! Now you are ready to leverage your SDDC on VMware Cloud on AWS!

Also, here’s a video that covers the content discussed above.

-SL