30-07-15

VCP6-CMA Study Guide : Section 5: Allocate and Manage vRealize Automation Resources

VCP6-CMA-sm-logo_120_108

As I predicted in my last blog post, VMware have announced that starting at VMworld 2015 in August, it will be possible to schedule VCP6 exams such as VCP-DCV, VCP-DTM and VCP-CMA. Hopefully this will mean that my beta score for my CMA exam is not too far away now, it would be nice to get a full house of VCPs!

Anyway, also as per my last blog post, I’m publishing section 5 of the study guide, which is as far as I got. Unless I fail the beta and have to resit, I don’t envisage me having the time to go back and complete the remaining sections. Hopefully it will be of some use to people planning on having a go at the CMA, any feedback is welcome via Twitter as always.

Objective 5.1: Create and Manage Fabric Groups

Adding and configuring vSphere Endpoints

  • Creating an endpoint creates access to compute resources on a virtualised platform
  • The process involves creating a credential set, defining a cloud endpoint and mapping resources for consumption
  • Log in to the vRealize Automation console as an IaaS administrator.
  • Select Infrastructure > Endpoints > Credentials.
  • Click New Credentials.
  • Enter a name in the Name text box. (Optional) Enter a description in the Description text box.
  • Type the username in the User name text box.
    • Must be in domain\username format, for example mycompany\admin. The credentials must have permission to modify custom attributes
  • Type the password in the Password text boxes.
  • Click the Save icon (green tick)
  • Select Infrastructure > Endpoints > Endpoints.
  • Select New Endpoint > Virtual > vSphere.
  • Enter a name in the Name text box.
    • This must match the endpoint name provided to the vSphere proxy agent during installation or data collection fails.
  • (Optional) Enter a description in the Description text box.
  • Enter the URL for the vCenter Server instance in the Address text box.
  • Select the previously defined Credentials for the endpoint.
    • If your system administrator configured the vSphere proxy agent to use integrated credentials, you can select the Integrated credentials.
  • Only select Specify manager for network and security platform if you plan to integrate with an existing NSX or vCNS instance

Adding and configuring vRealize Automation endpoints

  • I’m assuming here that this refers to Orchestrator!
  • Same process as for vSphere endpoint, except you choose to create a vCO credential using administrator@vsphere.local (assuming using the vCO engine as part of the vRO appliance)
  • Create a new Orchestration endpoint for vCenter Orchestrator
  • Give it a meaningful, type in the address (typically https://vcoserver:8281/vco)
  • Select the appropriate vCO credential you just created
  • Add a custom property VMware.VCenterOrchestrator.Priority and set it to 1. This is mandatory.

Map compute resources to endpoints

  • A compute resource is an object that represents a host, host cluster, or pool in a virtualization platform, a virtual datacenter, or an Amazon region on which machines can be provisioned.
  • An IaaS administrator can add compute resources to or remove compute resources from a fabric group.
  • A compute resource can belong to more than one fabric group, including groups that different fabric administrators manage.
  • After a compute resource is added to a fabric group, a fabric administrator can create reservations on it for specific business groups. Users in those business groups can then be entitled to provision machines on that compute resource
  • Compute resources such as storage and networking can be assigned from endpoints to Business Groups
  • Reservations are used to carve up resource from compute resources to apply to a Business Group

Assign correct permissions to manage Fabric Groups

  • An IaaS administrator can organize virtualization compute resources and cloud endpoints into fabric groups by type and intent. One or more fabric administrators manage the resources in each fabric group.
  • Fabric administrators are responsible for creating reservations on the compute resources in their groups to allocate fabric to specific business groups. Fabric groups are created in a specific tenant, but their resources can be made available to users who belong to business groups in all tenants.
  • Fabric administrators are created and assigned when creating the Fabric Group
  • A Fabric Administrator can do the following:-
    • Manage build profiles
    • Manage compute resources
    • Manage cost profiles
    • Manage network profiles
    • Manage Amazon EBS volumes and key pairs
    • Manage machine prefixes
    • Manage property dictionary
    • Manage reservations and reservation policies

Perform compute resource data collection

  • vRealize Automation collects data from both infrastructure source endpoints and their compute resources.
  • Data collection occurs at regular intervals. Each type of data collection has a default interval that you can override or modify.
  • IaaS administrators can manually initiate data collection for infrastructure source endpoints and fabric administrators can manually initiate data collection for compute resources.
  • To perform a manual data collection, Log in to the vRealize Automation console as an IaaS administrator.
  • Select Infrastructure > Endpoints > Endpoints
  • Point to the endpoint for which you want to run data collection and click Data Collection.
  • Click Start.
  • (Optional) Click Refresh to receive an updated message about the status of the data collection you initiated.
  • Click Cancel to return to the Endpoints page
  • There are seven different types of data collection:-
    • Infrastructure Source Endpoint Data Collection (Updates information about virtualization hosts, templates, and ISO images for virtualization environments. Updates virtual datacenters and templates for vCloud Director. Updates regions and machines provisioned on them for Amazon. Updates installed memory and CPU count for physical management interfaces.)
    • Inventory Data Collection (Updates the record of the virtual machines whose resource use is tied to a specific compute resource, including detailed information about the networks, storage, and virtual machines. This record also includes information about unmanaged virtual machines, which are machines provisioned outside of vRealize Automation.)
    • State Data Collection (Updates the record of the power state of each machine discovered through inventory data collection. State data collection also records missing machines that vRealize Automation manages but cannot be detected on the virtualization compute resource or cloud endpoint.)
    • Performance Data Collection (vSphere compute resources only) (Updates the record of the average CPU, storage, memory, and network usage for each virtual machine discovered through inventory data collection)
    • vCNS inventory data collection (vSphere compute resources only) (Updates the record of network and security data related to vCloud Networking and Security and NSX, particularly information about security groups and load balancing, for each machine following inventory data collection)
    • WMI data collection (Windows compute resources only) (Updates the record of the management data for each Windows machine. A WMI agent must be installed, typically on the Manager Service host, and enabled to collect data from Windows machines.)
    • Cost data collection (compute resources managed by vRealize Business Standard Edition only) (Updates the CPU, memory, and storage costs for each compute resource managed by vRealize Business Standard Edition. The costs of catalog items that can be provisioned by using the compute resources are updated.)

Perform resource monitoring tasks

Resource Monitoring Scenario Privileges Required Location
Monitor the amount of physical storage and memory on your compute resources that is currently being consumed and determine what amount remains free. You can also monitor the number of reserved and allocated machines provisioned on each compute resource Fabric Administrator (monitor resource usage on compute resources in your fabric group) Infrastructure > Compute Resources > Compute Resources
Monitor physical machines that are reserved for use but not yet provisioned. Fabric Administrator Infrastructure > Machines > Reserved Machines
Monitor machines that are currently provisioned and under vRealize Automation management Fabric Administrator Infrastructure > Machines > Managed Machines
Monitor the amount of storage, memory, and machine quota of your reservation that is currently allocated and determine the capacity that remains available to the reservation Fabric Administrator (monitor resource usage for reservations on your compute resources and physical machines) Infrastructure > Reservations > Reservations
Monitor the amount of storage, memory, and the machine quota that your business groups are currently consuming and determine the capacity that remains on reserve for them. Tenant Administrator (monitor resource usage for all groups in your tenant)Business Group Manager (monitor resource usage for groups that you manage) Infrastructure > Groups > Business Groups

Objective 5.2: Create and Manage Reservations

Create and Manage Reservations

  • Before members of a business group can request machines, fabric administrators must allocate resources to them by creating a reservation.
  • Each business group must have at least one reservation for its members to provision machines of that type.
  • Log in to the vRealize Automation console as a fabric administrator
  • A tenant administrator must create at least one business group
  • Select Infrastructure > Reservations > Reservations
  • Select New Reservation > Virtual and select the type of reservation you are creating
  • (Optional) Select an existing reservation from the Copy from existing reservation drop-down menu.
  • Data from the reservation you chose appears, and you can make changes as required for your new reservation
  • Select a compute resource on which to provision machines from the Compute resource drop-down menu.
  • Only templates located on the cluster you select are available for cloning with this reservation.
  • The reservation name appears in the Name text box.
  • Enter a name in the Name text box
  • Select a tenant from the Tenant drop-down menu.
  • Select a business group from the Business group drop-down menu.
    • Only users in this business group can provision machines by using this reservation
  • (Optional) Select a reservation policy from the Reservation policy drop-down menu.
    • This option requires additional configuration. You must create a reservation policy
  • (Optional) Type a number in the Machine quota text box to set the maximum number of machines that can be provisioned on this reservation.
    • Only machines that are powered on are counted towards the quota. Leave blank to make the reservation unlimited.
  • Type a number in the Priority text box to set the priority for the reservation.
    • The priority is used when a business group has more than one reservation. A reservation with priority 1 is used for provisioning over a reservation with priority 2.
  • (Optional) Deselect the Enable this reservation check box if you do not want this reservation active.
  • (Optional) Add any custom properties

Specify Reservation Information

  • A reservation is a share of provisioning resources allocated by the fabric administrator from a fabric group and reserved for use by a particular business group
  • A virtual reservation is a share of the memory, CPU, networking, and storage resources of one compute resource allocated to a particular business group.
  • Each reservation is for one business group. A business group can have multiple reservations on a single compute resource. A business group can also have multiple reservations on compute resources of different types.
  • A physical reservation is a set of physical machines reserved for and available to a particular business group for provisioning.

Create and Manage a Cloud Reservation

  • A cloud reservation provides access to the provisioning services of a cloud service account for a particular business group.
  • A group can have multiple reservations on one endpoint or reservations on multiple endpoints.
  • A reservation may also define policies, priorities, and quotas that determine machine placement.
  • The reservation must be of the same platform type as the blueprint from which the machine was requested
  • The reservation must be enabled
  • The reservation must have capacity remaining in its machine quota or have an unlimited quota.
    • The allocated machine quota includes only machines that are powered on. For example, if a reservation has a quota of 50, and 40 machines have been provisioned but only 20 of them are powered on, the reservation’s quota is 40 percent allocated, not 80 percent
  • The reservation must have the security groups specified in the machine request.
  • The reservation must be associated with a region that has the machine image specified in the blueprint.
  • For Amazon machines, the request specifies an availability zone and whether the machine is to be provisioned a subnet in a Virtual Private Cloud (VPC) or a in a non-VPC location. The reservation must match the network type (VPC or non-VPC).
  • If the cloud provider supports network selection and the blueprint has specific network settings, the reservation must have the same networks.
    • If the blueprint or reservation specifies a network profile for static IP address assignment, an IP address must be available to assign to the new machine.
  • If the blueprint specifies a reservation policy, the reservation must belong to that reservation policy.
    • Reservation policies are a way to guarantee that the selected reservation satisfies any additional requirements for provisioning machines from a specific blueprint. For example, if a blueprint uses a specific machine image, you can use reservation policies to limit provisioning to reservations associated with the regions that have the required image.
  • If no reservation is available that meets all of the selection criteria, provisioning fails.

22-07-15

VCP6-CMA Study Guide – Section 4: Configure and Administer Tenants and Business Groups

VCP6-CMA-sm-logo_120_108

I started to publish a draft study guide a while back for the VCP-CMA beta exam, and never really finished it before I sat the exam itself. I have two more sections completed (out of ten, poor!) so I’m putting them out there for folks to reference. The exam itself is still in the beta process and has not been released to schedule, but I’m guessing they’ll be trying to get it ready for VMworld next month.

I wrote a previous post about my beta exam experience, which you can read here but it may well not reflect the finished article (i.e the released exam). Anyway, on with Section 4 of the study guide.

Objective 4.1: Create and Manage Business Groups

Identify Business Group roles and their specific privilege levels

  • A business group associates a set of services and resources to a set of users, often corresponding to a line of business, department, or other organizational unit.
  • Business groups are managed on the Infrastructure tab but are used throughout the service catalog. Entitlements in the catalog are based on business groups. To request catalog items, a user must belong to at least one business group.
  • A business group can have access to catalog items specific to that group and to catalog items that are shared between business groups in the same tenant. In IaaS, each business group has one or more reservations that determine on which compute resources the machines that this group requested can be provisioned.
  • A business group must have at least one business group manager, who monitors the resource use for the group and often is an approver for catalog requests. In IaaS, group managers also create and manage machine blueprints for the groups they manage. Business groups can also contain support users, who can request and manage machines on behalf of other group members.
  • Business group managers can also submit requests on behalf of their users. A user can be a member of more than one business group, and can have different roles in different groups.

Identify and Manage Business Group Manager role

  • Manages one or more business groups.
  • Typically a line manager or project manager.
  • Business group managers manage catalog items and entitlements for their groups in the service catalog.
  • They can request and manage items on behalf of users in their groups. They are also service architects in Infrastructure as a Service.
  • Responsibilities include:-
    • Create and publish business group–specific machine blueprints from IaaS.
    • Manage business group–specific catalog items and entitlements.
    • Monitor resource usage in a business group

Identify and Manage Support User role

  • A role in a business group.
  • Support users can request and manage catalog items on behalf of other members of their groups.
  • This role is typically an executive administrator or department administrator
  • Responsibilities:-
    • Request and manage items on behalf of other users within their business groups.

Identify and Manage User role

  • Presumably this means the “Business User” role, which is an end user, or consumer of catalog items from the self service portal
  • Responsibilities:-
    • Request and manage services.

Assign Active Directory Users and Groups to Business Group Roles

  • Done in the Infrastructure -> Groups -> Business Groups tab
  • Under the User Role field, enter search string and click the search icon
  • Select AD user or group you want to add and then click OK

Create and manage Machine Prefixes

  • Machine prefixes are added to VMs provisioned from within vRA but can be overridden if need be by Business Group managers
  • Managed within the Business Group by clicking the ellipsis to the right of the field for default machine prefix
  • Either select existing machine prefix or create a new one by entering the machine prefix, number of digits and next number (eg. vm-001)
  • Machine prefixes are shared across all tenants and must be created by a fabric administrator
  • Can also be created and managed under Infrastructure -> Blueprints -> Machine Prefixes

Identify and Configure Custom Properties

  • You can add custom properties to a blueprint to specify attributes of a machine or to override default specifications.
  • You can also add build profiles to a blueprint as a convenience for specifying multiple custom properties
  • A machine owner, business group manager or fabric administrator can add, change, or delete custom properties for a provisioned machine.
  • Custom properties can be added to Business Groups by editing the Business Group, scrolling to the bottom and clicking “New Property”. Add a name, value and whether or not you want to encrypt it (usually only used for passwords) and whether or not to prompt the user for a value (machine name, for example).
  • Custom properties can be used for various tasks including for example placing all VMs from a certain Business Group into a vCenter folder for management
  • Custom properties can also be added to Blueprints
  • Custom properties can be marked as required values when creating a blueprint
  • The Windows guest agent records property values on the provisioned machine in the %SystemDrive %\VRMGuestAgent\site\workitem.xml file.
  • The Linux guest agent records property values on the provisioned machine in the /usr/share/gugent/site/workitem.xml file

Objective 4.2: Create and Manage Tenants

Configure branding for the vRealize Automation console

  • System administrators control the default branding for tenants. Tenant administrators can use the default or reconfigure branding for each tenant
  • Log in to the vRealize Automation console as a system administrator or tenant administrator
  • Select Administration > Branding.
  • Clear the Use default check box.
  • Create a banner.
  • Click Choose File to upload a logo image. Follow the prompts to finish creating the banner.
  • Click Next.
  • Type the copyright information in the Copyright notice text box and press Enter to preview your selection.
  • (Optional) Type the URL to your privacy policy in the Privacy policy link text box and press Enter to preview your selection.
  • (Optional) Type the URL to your contact page in the Contact link text box and press Enter to preview your selection.
  • Click Update. The console is updated with your changes.

Add and configure Tenant-specific inbound and outbound email notifications

  • Tenant administrators can add an outbound email server to send notifications for completing work items, such as approvals.
  • Each tenant can have only one outbound email server. If your system administrator has already configured a global outbound email server, you can override this at tenant level
  • Select Administration > Notifications > Email Servers
  • Click the Add icon
  • Select Email – Outbound. Fill out the form as needed, choose to Test Connection if required
  • Select Administration > Notifications > Email Servers
  • Click the Add icon
  • Select Email – Inbound, fill out the form as needed.
  • Click OK.

Override and Revert to system default email servers

  • To override these settings at tenant level, Select Administration > Notifications > Email Servers.
  • Select the Outbound/Inbound email server.
  • Click Override Global, fill out the form as needed
  • If the system administrator has configured a system default outbound/inbound email server, tenant administrators can override this global setting.

Identify and add Identity Stores in vRealize Automation

  • vRA uses the concept of Identity Stores to perform authentication of users and leverage existing users and groups to assign to roles.
  • If the Identity Appliance is AD joined, the default tenant can use native AD mode (i.e not LDAP lookup)
  • Any subsequent tenants must use LDAP
  • Click Administration -> Identity Stores
  • Click Add Identity Store to add a new identity store
    • Choose a Name
    • Select the type (OpenLDAP or Active Directory)
    • Enter the URL for the identity store. For example, ldap://10.141.64.166:389 (636 for LDAPS).
    • Enter the domain name of the identity store
    • Enter an optional domain alias (shortens the login from the vRA appliance page)
    • Enter the login user Distinguished Name. For example, cn=demoadmin,ou=demo,dc=dev,dc=mycompany,dc=com
    • Enter the password for the identity store login user.
    • Enter the group search base Distinguished Name. For example, ou=demo,dc=dev,dc=mycompany,dc=com.
    • Enter the user search base Distinguished Name.
  • Click Test Connection.
  • Click Add.

Create and assign user roles to an Identity Store Group

  • Log in to the vRealize Automation console as a tenant administrator
  • Select Administration > Users & Groups > Identity Store Users & Groups.
  • Enter a user or group name in the Search box and press Enter. (Do not use an at sign (@), backslash (\), or slash (/) in a name).
    • You can optimize your search by typing the entire user or group name in the form user@domain.
  • Click the name of the user or group to whom you want to assign roles.
  • Select one or more roles from the Add Roles to this User list.
    • The Authorities Granted by Selected Roles list indicates the specific authorities you are granting.
  • (Optional) Click Next to view more information about the user or group.
  • Click Update.
  • Users who are currently logged in to the vRealize Automation console must log out and log back into the vRealize Automation console before they can navigate to the pages to which they have been granted access.

07-07-15

Why Cloud Computing Is Like Gas And Electricity

Storm_clouds

(cjohnson7 – Flickr)

I happened to tweet a link to an article from The Register the other day regarding the price of cloud based resources in Microsoft Azure going up, which detailed price rises of 11% in the Eurozone countries and worse than that, 26% in Australia. As a result, I ended up having a brief but interesting Twitter conversation with a follower about pricing and “locked in” charges like energy companies offer here in the UK.

The over-reaching point being that cloud computing has an awful lot of variables that dictate the overall pricing. Perhaps we were all a little naive at first in the industry, thinking that Moore’s Law and such would mean a doubling of compute power at half the price at regular intervals and the pricing to continuously fall. Hell, Amazon even tell you (or they did) that the more cloud resources people buy (storage, compute, networking) then the cheaper it will get because of the economies of scale and their bulk purchasing power.

What we never really seemed to factor in back in those days was the volatility of global currencies. I think it’s a reasonable statement to say that most IT pricing is inextricably linked to the value of the US Dollar, and when this goes up and down, pricing around the world for licencing and components tends to change too. As I write this post, Greece’s economy is in the toilet with no sure way to know what will happen next. It may even be possible that other Eurozone countries are close behind, and although I have strong opinions on the Euro, let’s park those for now and concentrate on the topic in hand.

Back to the original point, gas and electricity prices are governed by the free market principles of supply and demand. As the market gets saturated, prices fall. As the market resources becomes more scarce, prices rise. Prices also rise depending on the volatility of exchange rates. Stick with me here, I will get to the point.

When cloud computing is pitched, it’s pitched as being “OK” because it’s now operational expense (OpEx) rather than a large up front capital expense (CapEx), the implication being that this will result in smaller, more predictable bite sized chunks of expenditure over a period of time. This news about Azure pricing going up 26% in the worst case means that any forward budgeting you made on prices remaining stable just got blown out of the water. 26% of anything is a lot of unbudgeted costs to find.

Where does that leave you then? Well it all depends on your business needs, but spreading the risk by using hybrid cloud solutions is one answer. Keep the “Crown Jewels” in your own DC if you can, farming off the less needy systems to cloud provider bit barns. What else can you do? Well if you’re going all in with a cloud provider, whether that’s VMware, Microsoft, Google, Amazon or anyone else, check what your escape route is. What does it cost to move your workloads? How long will it take to get out of the contract? How much time will I need to replicate workloads into the “new” cloud? Do I even have an escape clause?

I don’t profess to have the answers, and in many ways, I’m just thinking out loud. However, seeing this news has made me realise that there was a bigger picture about cloud computing I hadn’t seen before. Had you?

 

02-07-15

Networking for VMware Administrators – Book Review

download

Much to my surprise, I bought “Networking for VMware Administrators” back in April 2014 and it has been on my “to do” list to read it since then. Regular readers will know of my recent scrapes and japes with NSX, including passing the VCP-NV exam so there was a nice dovetail with what I’ve been learning in this area and this book.

For those familiar with the VMware curcuit, Chris Wahl is a well known presenter and author and amongst other things regularly appears at VMworld and records Pluralsight videos, which I always like to use as a jump start to anything new I learn. As I’m not a networking guy, I thought I would try and start at the bottom, get a refresher on basic concepts and then move it forward to how that applies in the vSphere world. Steve Pantol is a new name to me, but the two seem to have a nice flow to how they write.

This book certainly hits the mark where that is concerned. Starting off very simply, the basic concepts of how networking evolved from the simplest idea to be where it is now takes you from the first rung on the ladder and conceptualises each new addition to networking designs, such as hubs, repeaters and switches. This then moves along to things such as VLANs and broadcast domains.

Physical networking is covered at a decent level of detail, taking into account the OSI model, and subtle but important differences between layers 2, 3 and above. I found the authors’ easy and humorous style of delivery very easy to follow and not feeling like a dry subject being rammed down your throat. Networking isn’t necessarily the most intriguing subject you’ll ever cover, but we’d be nothing without it’s essential plumbing to get us connected.   I read the book in three sittings, which is pretty good for me, as I’ve got the attention span of a gnat.

Part II of the book concentrates on virtual networking and switching, moving the focus towards vSphere and it’s networking options. Obviously this falls into two camps – standard and distributed vSwitches. There is also some content on Nexus V1000 switches, but I pretty much skipped that as I’ve never seen it and currently don’t really care about it. That being said, it’s good to know the section is there for me to refer back to if need be.

One aspect I really liked about the book overall was how choices and requirements fed into the design of the networking infrastructure, both from a physical and virtual viewpoint. Chris is a dual VCDX and it’s useful to get inside of his head and understand how to translate these sorts of issues and choices into an overall design. Especially useful if I ever get my finger out and actually submit a VCDX design!

Part III covers storage traffic on the network, namely iSCSI and NFS. I was a little surprised to see this type of content in the book, but enjoyed reading about it none the less. I suppose storage traffic falls into the cracks a little bit as it’s not “pure” VM networking, but it’s just as essential to get this part right when designing an overall solution. Bad storage == bad performance!

Again, a good emphasis on design constraints, assumptions and choices is put into this section, giving you a good steer on what should be considered when using storage protocols over the physical network (items such as dedicated, non routed VLANs, for example). One good tip I picked up was how to configure NFS to give you more NICs by using multiple exports on the NFS server and establishing separate links. As with all other sections, single points of failure are discussed and mitigated with different design choices.

Another good titbit I picked up was using traffic shaping to throttle vMotion traffic on 10Gbps Ethernet – I’d never before actually come across a good use case for traffic shaping, I’d assumed NIOC was always the way to go.

Finally section IV covers off all other “miscellaneous” networking concerns for your design and/or environment, this includes vMotion as discussed above and how to design around multiple NICs and/or connections, exploding a few myths along the way.

At 368 pages, it’s not War and Peace but also it’s not a 100 page pamphlet that skims over the important details. Like I said, I read it in around three chunks over a couple of days without it feeling like a chore. I think for anyone pursuing the VCDX route, this book is an absolute must. Not only does it help crystallise some concepts around physical and virtual networking, but there is excellent detail on how to consider your networking design and how to justify particular design decisions.

NSX is out of the scope of this book, but is such a huge topic in and of itself that I’m sure we’ll see a release on this in the not too distant future. This is a book that helps you understand networking from the ground up and how this relates to a virtual world.

That being said, it’s a highly recommended addition to your library of resources as it helps you have a meaningful conversation with networking teams, which as we all know is not the easiest thing in the world ;-)

Remember if you have a VCP certification, you can buy this book from VMware Press with a 30% discount using the code you can obtain from the VCP portal. I also believe Chris donates all book profits to charity, so yet another excellent reason to add this to your collection. Other good stockists are also available!

01-07-15

Achievement Unlocked – VCP-NV

VMW-LGO-CERT-PRO-6-NETWK-VIRT

A little bit after the fact, but last Friday I sat and passed the VCP-NV exam to leave me the VCP-CMA short of a full house of VCPs (and that beta result is pending). Even though I have only had a few weeks getting hands on with NSX in the hands on labs, I think it’s a tribute to how simple the product is to pick up and run with that I found most aspects of it pretty straight forward to pick up and understand.

I went over the ICM course notes which I had and also watched Jason Nash’s excellent Pluralsight videos. Although not everything about the product is covered in these videos, it’s an excellent primer on some networking fundamental refreshers and also the building blocks to NSX and how to deploy them. There are still a couple of areas that I’m not totally sure about (SNAT and DNAT for example, and where to apply these rules) and I also seem to have a bit of a mental block around when MAC addresses change in transit, but I’m sure I’ll get there in the end.

As NSX is still fresh in my mind and we’re hoping to join a VMware Lighthouse program in the UK, I’ve already booked my VCIX-NV exam for early August, which should give me plenty of time to crystallise the problems I’ve had as listed above. I actually enjoy the Advanced exams more than the VCP type exams as it appeals to the way I work and I prefer being hands on with products, rather than answering conceptual questions about the product.

The exam itself is 125 questions over 125 minutes and as usual is very faithful to the blueprint. Even before I’d got to the end I felt confident that I’d done enough to pass even though I’d been probed on some of my problem areas. In the end I passed reasonably comfortably and I look forward to sitting the VCIX in August!

 

12-06-15

VCP6-CMA Beta Exam Experience

VCP6-CMA-sm-logo_120_108

I just got back from sitting the beta VCP6-CMA exam so I thought I would jot down a few thoughts in case it helps others out. Firstly, it was my first VCP exam for around 2.5 years, so I’d actually forgotten what kind of level the questions were pitched at! I’m used to VCAP level now, which usually means labbing the shit out of the blueprint so you can get to the exam and be able to hit the ground running with the practical and/or design canvas questions.

Although I’ve only really had dirty hands on vRealize Automation (I’m going to pronounce it as “Vera” I think in the future!) for about 6 weeks. You’d think that not really long enough to go ahead and sit a VCP, but even though the product scope is large, I’ve found it relatively easy to get up to speed with how it works. Enough to sit the exam anyway, and as it was at a special price until the end of the beta today (£36), I thought why not? As a partner we have big plans around the cloud space, so having the VCP can only help.

As for the exam itself, as usual it’s pretty faithful to the exam blueprint. There are 110 questions to be completed in 120 minutes, I believe non-native English speakers get a bit longer. I completed all the questions within about an hour. The exam itself was form based, multiple choice and exhibit based questions, as per most VCP exams I’ve ever sat. With 110 questions, VMware are able to very broadly go across all features of the product (including vRealize Business and App Director) and test you to a reasonable degree. Obviously not as testing as VCAP, but it’s not the same level.

I found myself falling back on my old exam technique of going with my gut response and when I wasn’t sure of an answer, I’d rule out the ones I knew were incorrect and then play the odds with the ones that were left.

There were only a couple of spelling mistakes and a couple of questions I didn’t think were worded too well, but the exam room was quite noisy which didn’t help my concentration, so it may be I was a bit distracted. I didn’t flag any answers for review and I didn’t add comments to any questions. It seems a pretty fair test of product knowledge and a good exam to pass.

Apparently I won’t know if I’ve passed for about 8-10 weeks as the beta exam process runs it’s course (hopefully it may be shorter as today is the last day), so I’ll have to forget about it for now and move on to the VCP-NV which I sit on the 30th. My gut feeling was I’d done enough to pass (around 3/4 correct by my estimation), so we’ll see when the time comes.

A totally different experience to a VCAP and not as intense, but I enjoyed it none the less. Fingers crossed now and onto VCP-NV!

 

11-06-15

VCP6-CMA Study Guide – Section 3: Create and Administer Cloud Networking

VCP6-CMA-sm-logo_120_108

Objective 3.1: Explain NSX Integration with vRealize Automation

Manage network services from within vRealize Automation

  • Network profiles are used to map networks in vRA to port groups in vSphere (for example)
  • Create a network profile from the vRealize Appliance, logged in as a fabric administrator
  • Go to Infrastructure -> Reservations -> Network profiles
  • Click New Network Profile and select the appropriate type (External, NAT, private, routed – all are created at time of provisioning except External which is a pre-existing vSphere port group)
  • Give the profile a name and configure the subnet mask (and optionally, DNS details and gateway)
  • Click IP Ranges tab and add a range of IP addresses for that profile to consume by using New Network Range button
  • Fill out a name and a start and end IP address for the range, click OK
  • A CSV file may also be used to define a large range of IP addresses

Configure NSX Integration

  • Prerequisites include an existing NSX Manager instance associated to a vCenter Server and a vSphere endpoint instance
  • Also credentials for the NSX Manager (Infrastructure -> Credentials -> New Credentials) and NSX plug-in into Orchestrator
  • Login to the vRealize Appliance as an IaaS administrator
  • Edit the vSphere endpoint in Infrastructure -> Endpoints
  • Select “Specify manager for network and security platform”
  • Add the IP address or DNS name of the NSX Manager appliance
  • Select the NSX Manager credential set previously added
  • Run a data collection from the Infrastructure -> Compute Resources section in vRealize Appliance (ensuring the network discovery is enabled)
  • Before you consume NSX services, you must run the Enable Security Policy Support for Overlapping Subnets Workflow in vRealize Orchestrator, using the NSX Manager endpoint previously used as the input parameter for the workflow.
  • After you run this workflow, the Distributed Firewall rules defined in the security policy are applied only on the vNICs of the security group members to which this security policy is applied

Configure IaaS for Network Integration

  • Configuration requires steps in this order:-
    • Configure the Orchestrator endpoint in IaaS
    • Create a vSphere instance integrated with NSX (see above)
    • Run the Enable Security Policy Support for Overlapping Subnets Workflow (see above)
    • Create a network profile (see above)
    • Add or amend an existing reservation, click on the Network tab
    • Select an external network in the Network Paths list
    • Select the transport zone, security group and routed gateway

Objective 3.2: Configure and Manage vRealize Automation Networking

Identify the available NSX for vSphere Edge network services

    • NSX Edge Services include:-
      • Dynamic Routing (Provides the necessary forwarding information between layer 2 broadcast domains, thereby allowing you to decrease layer 2 broadcast domains and improve network efficiency and scale. NSX extends this intelligence to where the workloads reside for doing East-West routing. This allows more direct virtual machine to virtual machine communication without the costly or timely need to extend hops. At the same time, NSX also provides North-South connectivity, thereby enabling tenants to access public networks.)
      • Firewall (Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for all protocols)
      • Network Address Translation (Separate controls for Source and Destination IP addresses, as well as port translation)
      • DHCP (Configuration of IP pools, gateways, DNS servers, and search domains)
      • Site-to-Site Virtual Private Network (VPN) (Uses standardized IPsec protocol settings to interoperate with all major VPN vendors)
      • L2 VPN (Provides the ability to stretch your L2 network)
      • SSL VPN-Plus (SSL VPN-Plus enables remote users to connect securely to private networks behind a NSX Edge gateway)
      • Load Balancing (Simple and dynamically configurable virtual IP addresses and server groups)
      • High Availability (High availability ensures an active NSX Edge on the network in case the primary NSX Edge virtual machine is unavailable)
      • Multi-Interface Edge

Configure DHCP/NAT/VPN/Load Balancer

  • Configuration of NSX is done from the vSphere Web Client
  • Uses a plugin under the Networking & Security button
  • Go to NSX Edges and create an Edge Gateway for the services
  • Provide CLI username and password for appliance
  • Enable SSH and HA if required
  • Pick datacenter, appliance size (compact, large, X-Large, Quad-large)
  • Choose cluster and datastore for Edge appliance deployment
  • Configure NIC and which VDS you want to attach the appliance to
  • Configure IP addresses and subnet, MTU size (1600 for VXLAN, remember)
  • Services are configured by double clicking on the Edge appliance and going to the Manage tab

Sub-allocate IP Pools

  • IP Pools are created and edited under the NSX Edge Gateway object in the vSphere Web Client. Look under the Manage tab, then click Pools and the add button. Configure the pool as appropriate

Add static IP addresses

  • Static IP addresses are created under the Edge Gateway Manage tab, the DHCP and bindings. Click the add button and add VM or MAC binding as needed.
  • Interface, VM Name, VM vNIC interface, Host name and IP address are required fields.

Configure syslog

  • The syslog server is configured by logging into the NSX Manager appliance management interface, Manage Appliance Settings button and fill out the Syslog server under General settings.
  • IP address, port number and protocol (TCP/UDP) are required