Course Introduction
Slide 1-1
Module 1
Importance
Slide 1-2
Learner Objectives
Slide 1-3
By the end of this course, you should be able to meet the following
objectives:
Typographical Conventions
Slide 1-5
Monospace
Monospace bold
Boldface
Italic
<filename>
Placeholders:
<ESXi_host_name>
vCloud Resources
Slide 1-11
Documentation Resources
Slide 1-12
MODULE 2
Slide 2-1
Module 2: Architecture and Components
Importance
Slide 2-3
Learner Objectives
Slide 2-4
By the end of this module, you should be able to meet the following
objectives:
Describe how VMware products use the cloud computing approach
Locate vCloud Director components and explain their functions
Determine licensing needs
VMware vCloud is a VMware cloud solution built on VMware technologies and solutions to
deliver cloud computing. Cloud computing is a new approach to computing that leverages the
efficient pooling of on-demand, self-managed virtual infrastructure to provide resources consumable
as a service.
A simple cloud architecture might contain a VMware vCloud Director server group comprising
multiple servers. Each server can run a collection of services called a vCloud Director cell.
Each vCloud Director server group requires at least one VMware vCenter Server system, a
VMware vCloud Networking and Security server, and one or more VMware ESX or
VMware ESXi hosts.
All vCloud Director servers in the group share a single vCloud Director database. The group
connects to one or more vCenter Server systems and the ESX or ESXi hosts that they manage. One
vCloud Networking and Security server is needed for each vCenter Server system managed by
vCloud Director. vCloud Networking and Security servers provide network security services and
automatically deploy VMware vShield Edge virtual appliances on demand from vCloud Director.
(Diagram: vCloud architecture showing the load balancer, vCloud Director Web console and VMware vCloud API, vCloud Director cells, NFS server, VMware vSphere with vCenter Server, its database, ESX/ESXi hosts (vCloud Agent) and datastores, the vSphere Web Client, vCNS, LDAP, the vCloud Connector virtual appliance with the vCC plug-in, and vCenter Chargeback with its server, database, web interface and data collectors.)
The VMware vCloud Director Web console allows administrators and operators management
control of vCloud Director. The Web console and communications from the vCloud API system
should connect first to a load balancer. The load balancer routes the communication to one of
several vCloud Director cells.
All vCloud Director cells in the cloud share a common vCloud Director database. The vCloud
Director cells should also connect to a common NFS server. The NFS server is used as a temporary
storage facility for images and files that are uploaded into the vCloud Director catalog.
(Diagram: the vCloud architecture with core components (load balancer, vCloud API, vCloud Director Web console and cells, NFS server, VMware vCenter database, vSphere with vCenter Server, ESX/ESXi hosts, vCloud Agents and datastores, LDAP) and optional components (vCloud Connector virtual appliance with the vCC plug-in, vSphere Web Client, and vCenter Chargeback server, database, Web interface and data collectors).)
The vCloud architecture graphic shows the core and the optional components of vCloud.
Other VMware components can be added to increase capabilities or control. One example is
VMware vCenter Chargeback. vCenter Chargeback provides resource metering and reporting
to facilitate resource showback and chargeback. vCenter Chargeback is composed of a vCenter
Chargeback server and vCenter Chargeback data collectors.
VMware vCloud Connector is an optional component that facilitates the transfer of a
powered-off VMware vSphere vApp in Open Virtualization Format (OVF) from a local
cloud or vSphere instance to a remote cloud or vSphere instance. vCloud Connector is a virtual
appliance that installs in vSphere and handles all the logic of working with other clouds. Its GUI is
displayed in the VMware vSphere Web Client through the vCloud Connector browser plug-in.
(Diagram: UI, API, VMRC and image-transfer requests pass through a firewall to a load balancer, which distributes them to vCloud Director cells in three roles: core (UI/API), console proxy, and image transfer.)
Each vCloud Director cell is automatically assigned a role. Requests that come into the load
balancer fall into one of four major categories:
User Interface (UI). This is the main Web console that administrators and operators use to
manage vCloud Director.
API. The API consists of commands that can be issued to vCloud Director from other systems
and scripts. Some commands and functions can only be issued through the API.
Virtual Machine Remote Console (VMRC). This is the pop-out console that an operator can
open on any virtual machine running in vCloud Director.
Image Transfer. This is the system that allows files and images, such as .ISO files, to be uploaded
into vCloud Director.
A master cell (selected by vCloud Director) coordinates the role assignment to vCloud Director
cells.
(Diagram: vSphere resources used by vCloud Director: vCenter Server, its database, LDAP, ESX/ESXi hosts and datastores.)
vCloud infrastructures rely on vSphere resources to provide CPU and memory to run virtual
machines. vCloud Director also uses vSphere distributed switches and vSphere port groups to
support virtual machine networking. vSphere datastores provide storage for virtual machine files
and other files necessary for virtual machine operations. These underlying vSphere resources are
used by vCloud Director to create cloud resources.
vCloud Director requires all workloads to be virtualized. Clusters enabled by VMware vSphere
Distributed Resource Scheduler (DRS) should be set to automatically balance the vCloud Director
deployed workloads across the physical compute resources of the DRS cluster.
NOTE
vCloud Director can be used with a VMware vSphere Enterprise Edition license. To use
vSphere distributed switches, you must have a VMware vSphere Enterprise Plus Edition
license.
21
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
22
(Diagram: vCloud API clients reach the load balancer in front of vCloud Director, which connects to LDAP, vCenter Server, an SMTP server, and the vCloud Agent on each ESX/ESXi host.)
A vCloud Director server group consists of one or more vCloud Director servers. Each server can
run a collection of services called a vCloud Director cell. All servers in the group share a single
database and are linked to an arbitrary number of vCenter Server systems and the ESXi hosts that
they manage. Each vCenter Server system connects to one vCloud Networking and Security server,
which provides network services to vCenter Server and vCloud Director.
A Web-based portal for vCloud administrators provides the means to allocate and separate resources
into organizations. Administrators can set lease times to control how long vApps can run and be
stored. Administrators can also set quotas, which limit the number of virtual machines that an
organization can have.
A Web-based portal for each organization provides consumers with the means to create and manage
their own virtual machines. Access is controlled through a role-based model set up by the
organization administrator.
23
ail
.co
m
load
balancer
vCloud Director
database
NFS
server
ad
er
ho
tm
go
th
ic_
re
Scaling vCloud Director to large environments is supported by installing multiple vCloud Director
cells. Cell activities are coordinated through a shared database. One cell is designated as the
coordinator cell. All other cells are designated as subordinate cells. The coordinator cell designates
which services run on the subordinate cells. These designations are all done automatically by
vCloud Director.
Multiple cells require load balancing to manage heavy use of Web and remote consoles. Options
include configuring round-robin DNS or using a third-party load-balancing product.
A single cell can support many vCenter Server instances. These instances should all be in the same
site to avoid potential latency. You must also scale your vSphere deployment to provide the
resources necessary for the multiple vCloud Director cells.
vCloud Director cells are stateless front-end processors for vCloud. All cells connect to a central
database. Each cell serves a variety of purposes, and the cells self-manage the distribution of
functions among themselves. A cell manages connectivity to the cloud and provides the API and UI
endpoints for clients.
Multiple cells (a load-balanced group) should be used to address availability and scale. This is
typically achieved by load balancing or content switching at the front-end layer. Load balancers
present a consistent address for services, regardless of the underlying node responding. Load
balancers can spread session load across cells, monitor cell health, and add or remove cells from the
active service pool.
Module 2 Architecture and Components
In general, any load balancer that supports SSL session persistence and has network connectivity to
the public-facing Internet or internal service network can perform load balancing of vCloud Director
cells. General concerns around performance, security, manageability, and so on should be taken into
account when deciding whether to share or dedicate load-balancing resources.
If your vCloud Director installation includes multiple cloud cells running behind a load balancer or
a network address translation (NAT) device, or if the cloud cells do not have publicly routable IP
addresses, you can set a public console proxy address. During the initial configuration of each cloud
cell, a remote console proxy IP address is specified. By default, vCloud Director uses that address
when a user attempts to view a virtual machine console. To use a different address, specify a public
console proxy address.
The Remote Framebuffer (RFB) protocol is used by the vCloud Director Web console. VMware
encrypts RFB for security. Virtual Network Computing (VNC) is a common implementation of
RFB, but VMware does not use VNC code.
(Diagram: a client uses the vCloud API (submitted to DMTF; RESTful, with GET, PUT, POST and DELETE, where DELETE destroys a resource) at the cloud layer; the cloud layer uses the VIM API at the virtualization layer, which sits on the physical layer.)
The vCloud API is an interface for providing and consuming virtual resources in the cloud. It
enables deploying and managing virtualized workloads in private, public, and hybrid clouds. The
vCloud API enables the upload and download of vApps and their instantiation, deployment, and
operation. In 2009, VMware submitted the vCloud API to the Distributed Management Task Force
to promote consistent mobility, provisioning, management, and service assurance of applications
running in internal and external clouds.
The vCloud API uses a Representational State Transfer (REST) application development style.
vCloud API clients and servers communicate over HTTP, exchanging representations of vCloud
objects. These representations take the form of XML elements. HTTP GET requests are used to
retrieve the current representation of an object. HTTP POST and PUT requests are used to create or
modify an object. HTTP DELETE requests are typically used to delete an object.
User API:
The vCloud Director implementation of the vCloud API open standard
Used to perform tasks in and control what can be done through the vCloud
Director consumer portal.
Administrative API:
Specific to vCloud Director
Used to perform tasks in and control what can be done through the vCloud
Director administrator portal.
Extensions:
POST http://vcloud.example.com/api/v1.0/vApp/vapp-7/action/undeploy
Content-type: application/vnd.vmware.vcloud.undeployVAppParams+xml
...
<UndeployVAppParams saveState="true" xmlns="http://www.vmware.com/vcloud/v1"/>

202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...
<Task href="http://vcloud.example.com/task/201"...>
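The exchange above, carried through as an added example that is not part of the course material or of VMware's code: a small Python client logs in, submits the undeploy request with the undeployVAppParams media type, and then polls the Task returned with 202 Accepted until it reaches a terminal state, which is the pattern every long-running vCloud API call follows. The session endpoint (a POST to /api/sessions with Basic credentials of the form user@org:password, token returned in the x-vcloud-authorization header), the Task status values, and the canned responses in FakeTransport are assumptions constructed for the example so that it runs offline.

```python
# Added example, not from the course or VMware: client side of the undeploy
# exchange, including the session login and Task polling. Endpoints, header
# names, status values and all responses are assumptions (see FakeTransport).
import base64
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1"
UNDEPLOY_TYPE = "application/vnd.vmware.vcloud.undeployVAppParams+xml"
TASK_TYPE = "application/vnd.vmware.vcloud.task+xml"
FINISHED = {"success", "error", "canceled", "aborted"}   # assumed terminal states


def build_undeploy_body(save_state):
    """Serialize UndeployVAppParams in the vCloud namespace."""
    el = ET.Element("{%s}UndeployVAppParams" % VCLOUD_NS,
                    {"saveState": "true" if save_state else "false"})
    return ET.tostring(el, encoding="utf-8")


def parse_task(body):
    """Return href and status of a Task; refuse DOCTYPE so a hostile or
    compromised endpoint cannot feed the client external entities."""
    if b"<!DOCTYPE" in body:
        raise ValueError("DOCTYPE in Task response refused")
    root = ET.fromstring(body)
    if root.tag != "{%s}Task" % VCLOUD_NS:
        raise ValueError("expected Task, got %s" % root.tag)
    return {"href": root.get("href"), "status": root.get("status")}


class FakeTransport:
    """Constructed stand-in for HTTPS: canned responses, no network."""

    def __init__(self):
        self.requests = []      # (method, url, headers, body) as sent
        self.poll_count = 0

    def request(self, method, url, headers=None, body=None):
        self.requests.append((method, url, headers or {}, body))
        if method == "POST" and url.endswith("/api/sessions"):
            return 200, {"x-vcloud-authorization": "constructed-token"}, b""
        if method == "POST" and url.endswith("/action/undeploy"):
            task = ('<Task xmlns="%s" status="running" '
                    'href="https://vcloud.example.com/api/task/201"/>' % VCLOUD_NS)
            return 202, {"Content-Type": TASK_TYPE}, task.encode()
        if method == "GET" and url.endswith("/api/task/201"):
            self.poll_count += 1    # the second poll reports completion
            status = "success" if self.poll_count >= 2 else "running"
            task = '<Task xmlns="%s" status="%s" href="%s"/>' % (VCLOUD_NS, status, url)
            return 200, {"Content-Type": TASK_TYPE}, task.encode()
        return 404, {}, b""


class VCloudClient:
    def __init__(self, base_url, transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def login(self, user, org, password):
        # Assumed: Basic credentials "user@org:password", token in a response header.
        cred = base64.b64encode(("%s@%s:%s" % (user, org, password)).encode()).decode()
        status, headers, _ = self.transport.request(
            "POST", self.base_url + "/api/sessions",
            headers={"Authorization": "Basic " + cred})
        if status != 200 or "x-vcloud-authorization" not in headers:
            raise RuntimeError("login failed: HTTP %d" % status)
        self.token = headers["x-vcloud-authorization"]

    def _headers(self, content_type=None):
        h = {"x-vcloud-authorization": self.token}
        if content_type:
            h["Content-Type"] = content_type
        return h

    def undeploy_vapp(self, vapp_href, save_state=True, max_polls=10):
        """POST the action, then follow the Task until it reaches a terminal state."""
        status, _, body = self.transport.request(
            "POST", vapp_href + "/action/undeploy",
            headers=self._headers(UNDEPLOY_TYPE),
            body=build_undeploy_body(save_state))
        if status != 202:
            raise RuntimeError("undeploy rejected: HTTP %d" % status)
        task = parse_task(body)
        for _ in range(max_polls):
            if task["status"] in FINISHED:
                return task
            _, _, body = self.transport.request("GET", task["href"], headers=self._headers())
            task = parse_task(body)
        raise TimeoutError("task still running after %d polls" % max_polls)


def demo():
    transport = FakeTransport()
    client = VCloudClient("https://vcloud.example.com", transport)
    client.login("alice", "OrgA", "constructed-password")
    return client.undeploy_vapp("https://vcloud.example.com/api/vApp/vapp-7")


if __name__ == "__main__":
    print(demo())   # {'href': 'https://vcloud.example.com/api/task/201', 'status': 'success'}
```

Against a real cell the FakeTransport would be replaced by an HTTPS client that verifies the cell's certificate; the Task-polling loop and the DOCTYPE refusal stay the same, and the token is sent on every call after login instead of the Basic credentials.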
The vCloud API allows for interacting with a cloud and can be used to facilitate communication
with vCloud Director using a UI other than the portal that is included with vCloud Director. The
vCloud API is the cornerstone of federation and ecosystem support in a vCloud environment. All the
current federation tools communicate with the vCloud environment through the vCloud API. The
ISV ecosystem also uses the vCloud API to enable its software to communicate with vCloud
environments. Having a vCloud environment expose the vCloud API to the cloud consumer is
important.
Currently, vCloud Director is the only software package that exposes the vCloud API. In some
environments, vCloud Director is deployed behind a portal or in another location not readily
accessible to the cloud consumer. In this case, an API proxy or relay must be present to have the
vCloud API exposed to the end consumer.
Because of the value of the vCloud API, some environments might want to meter API usage and
charge extra for it to customers. Protecting the vCloud API through audit trails as well as API
inspection is a good idea. Cloud providers can extend the vCloud API with new features.
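One way to build the API proxy or relay the text mentions so that it also provides the audit trail and API inspection, as an added example that is not from the course or from VMware: each request is checked against a policy before it would be relayed, and an audit record is kept with a hashed (never raw) session token. The policy itself (tenants may reach /api/ but not /api/admin/, the application/vnd.vmware.vcloud.*+xml media type convention, the x-vcloud-authorization header, a body size cap, and refusal of DOCTYPE in XML bodies) and the sample traffic are assumptions made for the example.

```python
# Added example, not from the course or VMware: an inspecting relay in front of
# the vCloud API. The policy, header and media-type conventions, and the sample
# requests are assumptions for the example.
import hashlib
import re
import xml.etree.ElementTree as ET

MAX_BODY = 1 << 20                      # 1 MiB: API bodies are descriptors, not images
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
MEDIA_RE = re.compile(r"^application/vnd\.vmware\.vcloud\.[\w.]+\+xml(;.*)?$")
UNAUTHENTICATED = {"/api/sessions", "/api/versions"}   # assumed login/discovery paths


def token_fingerprint(token):
    """Audit a short hash of the session token, never the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:12] if token else "-"


def inspect_request(method, path, headers, body, is_admin_relay=False):
    """Return (allowed, reason). Header keys are expected lower-cased."""
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if not path.startswith("/api/") or "/../" in path:
        return False, "path outside API"
    if path.startswith("/api/admin") and not is_admin_relay:
        return False, "administrative API not exposed to consumers"
    if path not in UNAUTHENTICATED and "x-vcloud-authorization" not in headers:
        return False, "missing session token"
    if method in ("POST", "PUT") and body:
        if len(body) > MAX_BODY:
            return False, "body too large"
        if not MEDIA_RE.match(headers.get("content-type", "")):
            return False, "unexpected content type"
        if b"<!DOCTYPE" in body:            # no DTDs: blocks XXE before any parser sees it
            return False, "DOCTYPE refused (XXE)"
        try:
            ET.fromstring(body)
        except ET.ParseError:
            return False, "malformed XML"
    return True, "ok"


def audit_record(client_ip, method, path, headers, allowed, reason):
    return {"client": client_ip, "method": method, "path": path,
            "token": token_fingerprint(headers.get("x-vcloud-authorization")),
            "allowed": allowed, "reason": reason}


def relay(requests, is_admin_relay=False):
    """Inspect each constructed request and return the audit trail."""
    trail = []
    for ip, method, path, headers, body in requests:
        hdrs = {k.lower(): v for k, v in headers.items()}
        allowed, reason = inspect_request(method, path, hdrs, body, is_admin_relay)
        trail.append(audit_record(ip, method, path, hdrs, allowed, reason))
    return trail


TOKEN = "constructed-session-token"
SAMPLE_REQUESTS = [  # constructed traffic: (client, method, path, headers, body)
    ("10.0.0.5", "POST", "/api/sessions", {"Authorization": "Basic Zm9v"}, b""),
    ("10.0.0.5", "POST", "/api/vApp/vapp-7/action/undeploy",
     {"x-vcloud-authorization": TOKEN,
      "Content-Type": "application/vnd.vmware.vcloud.undeployVAppParams+xml"},
     b'<UndeployVAppParams saveState="true" xmlns="http://www.vmware.com/vcloud/v1"/>'),
    ("10.0.0.9", "DELETE", "/api/admin/org/org-1", {"x-vcloud-authorization": TOKEN}, b""),
    ("10.0.0.9", "POST", "/api/vApp/vapp-7/action/undeploy",
     {"x-vcloud-authorization": TOKEN,
      "Content-Type": "application/vnd.vmware.vcloud.undeployVAppParams+xml"},
     b'<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]><UndeployVAppParams/>'),
    ("10.0.0.9", "GET", "/api/vApp/vapp-7", {}, b""),
]

if __name__ == "__main__":
    for rec in relay(SAMPLE_REQUESTS):
        print(rec)
```

The same inspect_request function run with is_admin_relay=True is what an internal, administrator-facing relay would use; keeping the two relays as separate deployments with separate policies is what keeps the administrative API off the consumer path.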
The vCloud API, included with vCloud Director, consists of a user API, an administrative API, and
extensions:
The user API is the vCloud Director implementation of vCloud API open standard. An
administrator can use this API to perform and control activities done through the vCloud
Director organization Web consoles.
The administrative API is specific to vCloud Director. An administrator can use this API to
perform and control activities done through the vCloud Director administrator portal.
(Diagram: a vCloud Networking and Security (vCNS) system with its manager UI deploying vShield Edge appliances.)
vCloud Networking and Security:
Virtual appliance
Runs management interface
Aggregates usage data for chargeback
One vCloud Networking and Security server per attached vCenter Server system
vCloud Director uses vShield Edge appliances to secure multitenancy. vShield Edge also provides
NAT, DHCP, firewall, port forwarding, and IP masquerading services. vCloud Director works with
vCloud Networking and Security to deploy a vShield Edge device as part of the network creation
process. These appliances run on vSphere hosts.
Each vCenter Server system is connected to a vCloud Networking and Security host. vCloud
Networking and Security is a Linux-based virtual appliance that deploys and manages vShield Edge
devices as requested by vCloud Director. vCloud Networking and Security also aggregates usage
data for vCenter Chargeback.
vShield Edge appliances are deployed automatically by vCloud Director through vCloud
Networking and Security as needed. vShield Edge appliances reside in the vCloud consumer
resource clusters, not in the management cluster. vShield Edge appliances are placed in a system
resource pool by vCloud Director and vCenter Server. For more information about the vShield Edge
appliance and its functions, see vCloud Suite Documentation at https://www.vmware.com/support/pubs/.
(Diagram: the vCenter Chargeback server, with its built-in load balancer and data collectors, connected to the vCenter Chargeback database, the vCenter Server and its database, vShield Manager, a vCloud Director cell, LDAP and an SMTP server; users reach it through the vCenter Chargeback Web interface or the VMware vSphere Client plug-in.)
Interface access:
vCenter Chargeback Web interface
VMware vSphere Client plug-in
vCenter Chargeback server:
Runs Web portal (Apache Tomcat server) for users and administrative interface
Abstracts vCenter Server and vCloud Director objects into the vCenter Chargeback hierarchy
Allows resource cost assignment aligned to vCloud Director resource allocation models
Generates cost and usage reports
Built-in load balancer for scaling vCenter Chargeback servers
Data collectors:
vCenter Server
vCloud Director
vShield Manager
vCenter Chargeback helps to accurately assign, measure, and analyze the cost of workloads in a
vCloud environment. The diagram illustrates how the architectural components of vCenter
Chargeback integrate with other vCloud components.
When you install vCenter Chargeback, the vCenter Chargeback application, the load balancer,
and the data collectors are installed and run on the same machine. Although the vCenter
Chargeback database can also be installed on the same machine, in a real-world scenario you
install the application and the database on separate machines.
A single data collector instance replicates the information to the vCenter Chargeback database
from multiple vCenter Server instances and vCloud Director databases. You can also create a
cluster of vCenter Chargeback instances that share a single load balancer. Each user request is
routed through the load balancer. The load balancer forwards the request to a vCenter
Chargeback instance in the cluster based on the number of requests currently being serviced by
each instance in the cluster. All the vCenter Chargeback instances in a cluster are connected to
the same vCenter Chargeback database.
The vCenter Chargeback database stores the following chargeback-specific information:
Configuration settings
Data collectors:
vCloud Networking and Security data collector (polls vCloud Networking and Security)
These data collectors collect vCenter Server inventory and vCloud Director organizational
information, poll usage information, and populate vCenter Chargeback database through
synchronization jobs. The first instance is installed on the vCenter Chargeback server when you
install vCenter Chargeback.
The vCenter Chargeback Web interface is a Web browser-based interface for users and administrators.
The vCenter Chargeback plug-in for the VMware vSphere Client provides limited vCenter
Chargeback administration. Only a subset of the Web interface capabilities is available, and the
vCenter Chargeback hierarchy is replicated from the vCenter Server hierarchy.
The load balancer spreads load from requests across multiple vCenter
Chargeback servers.
(Diagram: requests from the Web interface pass through the built-in vCenter Chargeback load balancer to vCenter Chargeback server 1, server 2 and server 3; the data collectors are also shown.)
vCloud Director includes an AMQP service that you can configure to work with an AMQP broker
such as RabbitMQ.
If you want to use this service, you must install and configure an AMQP broker.
vCloud Connector is an optional component that can facilitate transfer of a powered-off vApp in
OVF format from a local cloud or vSphere environment to a remote cloud or vSphere environment.
go
th
As more clouds are created, several clouds from different sites in a private enterprise can form a
larger cloud. Or a private cloud and a public cloud can form a hybrid cloud. Cloud consumers need a
way to migrate workloads in a federated cloud.
vCloud Connector solves this problem by enabling you to perform migrations from all of your
public clouds and private clouds and to obtain a consistent view of them from a single interface.
vCloud Connector must be installed by cloud administrators, but it can be used by other
administrators and end users to view and manage workloads.
After vCloud Connector has been deployed to a vSphere host and registered with a vCenter Server
system, end users can access vCloud Connector under Solutions and Applications in the vSphere
Web Client from which the OVF file was deployed.
Even in environments not running vCloud Director, vCloud Connector can still be used to copy and
move vApps.
If two vCenter Server instances are both added as clouds in vCloud Connector, you can freely move
workloads between them.
(Diagram: the vSphere Client with the vCloud Connector plug-in; the vCloud Connector virtual appliance in vSphere, with attached storage at /opt/vmware/vccp/staging (initial configuration = 40GB), moving a vApp between the private cloud (vCenter Server, vCloud Director) and a remote public cloud (vCloud Director).)
vCloud Connector is a virtual appliance. vCloud Connector installs in vSphere and handles all the
business logic of dealing with other clouds. The vCloud Connector UI is displayed in the vSphere
Web Client through a browser plug-in.
You have two considerations about where to place your vCloud Connector appliance:
The virtual appliance must be deployed to a vCenter Server system. The only user access is
through the vSphere Web Client, so users of vCloud Connector must have the right to log in to
this vCenter Server system.
Workload copy operations use the vCloud Connector appliance as a middleman, so network
latency and bandwidth between clouds must be considered. In some cases, you might prefer to
run multiple instances of vCloud Connector across multiple vCenter Server instances to avoid
network latency or consuming excessive bandwidth.
Cloud Resources
Provider Virtual Data Center
A management cluster is a VMware vSphere High Availability or DRS cluster that is created to
manage a vCloud architecture. A management cluster contains the standard components of ESXi
hosts and a vCenter Server system. A management cluster has its own storage. The storage must be
shared storage that is used to store the virtual machines running the management cluster.
The resources of vCenter Server clusters host cloud workloads. These resources will be allocated by
vCloud Director as provider datacenters.
The management cluster and vCloud consumer resources must reside on the same physical site. The
use of a single site ensures a consistent level of service. Otherwise, latency issues might arise if
workloads must be moved from one site to another.
Do not use the vSphere Web Client to make changes to resource group objects. Changing the state
of objects created by vCloud Director can cause unpredictable side effects because these objects are
owned and managed by vCloud Director.
When building a vCloud Director cloud, assume that all management components, such as vCenter
Server and vCenter Chargeback, will run in virtual machines.
The best practice is to separate resources allocated for management functions from pure
user-requested workloads. The underlying vSphere clusters should also be split into two logical groups:
A single management cluster running all core components and services needed to run the cloud.
The remaining available vCenter Server clusters should be aggregated into a pool called cloud
consumer resources. These clusters are under the control of vCloud Director. Multiple clusters
can be managed by the same vCenter Server system or different vCenter Server systems, but
vCloud Director manages the clusters through the vCenter Server systems.
Why should the vSphere resources be organized and separated? Reasons include the following:
To ensure that management components are separate from the resources that they are managing.
To minimize overhead for cloud consumer resources. Resources allocated for cloud use have
little overhead reserved.
To dedicate resources to the cloud. Resources can be consistently and transparently managed
and divided. Resources can also be scaled horizontally.
To more easily accommodate different service levels for distinct workload types.
Licensing Considerations
Slide 2-24
Without distributed switches, vCloud Director cannot dynamically create networks or effectively use
network pools.
Key Points
Slide 2-26
Questions?
MODULE 3
Slide 3-1
Importance
Slide 3-3
In this module, you learn about the types of vCloud Director networks
and services.
Module Lessons
Slide 3-4
Lesson 1:
Lesson 2:
Lesson 3:
Lesson 4:
Lesson 1:
Types of Networking Used in vCloud
Director
Learner Objectives
Slide 3-6
By the end of this lesson, you should be able to meet the following
objective:
Describe the types of networking found in vCloud Director
External networks
Organization virtual data center (VDC) networks
vApp networks
Cloud networking addresses a fundamental paradox. Corporate networks can be complex systems.
These networks can be composed of hundreds or even thousands of physical network switches,
routers, bridges, firewalls, and other devices. Each individual physical network device can have
hundreds to thousands of programmable components. This large number of complex programmable
components means that networks are extremely complex interconnected systems.
Teams of network engineers work hard to keep these complex interconnected systems stable and
performing well. This means that network engineers are going to resist change. The best network
engineers insist upon using structured change management systems to make sure that all changes are
carefully planned, tested, and coordinated before being implemented.
Network engineers like stable networks that do not change much. Stable systems result in a higher
quality of service for customers. Stable systems are also easier to manage and maintain.
In contrast, network customers like dynamic networks. They have constantly changing network
needs and requirements. These needs usually require the rapid deployment of new network systems.
The configuration requirements of these networks are diverse depending on what the customer is
using the network to support.
From the viewpoint of the customers, the best solution is for customers to have the power to
instantly deploy their own networks. But customers do not have the knowledge or the expertise to
deploy and manage these networks.
From the viewpoint of the network engineers, the best solution is to have networks that never
change. But such networks do not meet the needs of the customers.
VMware vCloud can provide dynamic network creation and deployment on a rapid basis to
customers without damaging the stability of corporate IT network systems.
(Diagram: the network layers, from the Internet down through vCloud Director to VMware ESXi hosts.)
Cloud networks are built on a layered structure that distributes responsibility and capability.
At the bottom of the structure is the physical network layer. The physical layer is managed by the
corporate IT network engineers. The physical layer includes physical switch and firewall
configuration, design and management of IP address ranges, WANs, LANs, VLANs, and so on. All
are carefully controlled and managed by network engineers. The physical network environment is as
static and stable as the network engineers can possibly make it.
The next layer is the VMware vSphere network layer. The vSphere network layer is managed by
vSphere administrators using VMware vCenter Server systems and VMware ESXi hosts.
The vSphere network layer is composed of standard switches and distributed switches. These
switches connect through the physical network interface cards (NICs) of the ESXi hosts to the
physical network layer. These network configurations should be carefully coordinated between the
vSphere administrators and the network engineers. The vSphere network layer is more dynamic and
flexible than the physical network layer.
The next layer is the cloud network layer. Here the vCloud Director system administrators create
external networks that connect to vSphere network systems (port groups on distributed switches).
The administrator of VMware vCloud can then design organization VDC networks and network
pools to provide cloud tenants with flexible means to create and deploy networks in vCloud.
The final layer is where the vCloud customers (organizations) operate. Customers can use the
organization VDC networks and network pools to create vApp networks and interconnect them.
They create and interconnect vApp networks rapidly and easily, without disrupting the physical
networks that all of these networking layers are built on. With vCloud Director version 5.1,
organization administrators can create and manage routed and isolated organization VDC networks.
With the advent of edge gateways, a system administrator can establish a wider boundary of
delegation to organization administrators without sacrificing critical communication boundaries.
External Networks
Slide 3-10
(Diagram: an external network connected to the Internet; organization A and organization B each attach to it through their own edge gateway.)
External networks are logical, differentiated networks based on vSphere port groups. These port
groups include distributed switch port groups, standard switch port groups, and Cisco Nexus 1000V
port groups. Each port group can become a single external network. The best practice is to use port
groups on distributed switches. A single distributed switch can have several port groups in it. Each
port group can provide a connection point for a different external network. If you plan to create
multiple external networks, the port groups should be separated by VLANs. The port groups must
be created in vCenter Server and must already exist before vCloud Director can use them for
external networks.
Even though this network is called an external network, a connection to the Internet is not required.
An external network is external to vCloud organizations. You can create an external network that is
used to connect multiple ESXi hosts to other internal corporate resources without a route to the
Internet.
If you must provide vApps in the cloud with access to the Internet, create an external network that is
connected through a gateway router to the Internet.
Port groups in a VMware vSphere Distributed Resource Scheduler or VMware vSphere High
Availability cluster that is managed by vCloud Director do not have to be used for external
networks. Many of those networks are for purposes outside of vCloud Director. One example of a
network that is not used directly by vCloud Director would be a network that provides IP storage to
ESXi hosts. Another example would be a management network used for the internal administration
of ESXi hosts and vCenter Server systems.
External networks can also be used to connect organizations together, either by use of a common
network that both organization edge gateways connect to, or an upstream router.
[Diagram: ESXi01 (vmnic1, 172.20.11.51) and ESXi02 (vmnic1, 172.20.11.52) attached to an external network that leads to the Internet]
Visualizing how external networks at the provider level are built off vSphere networks is important.
Here the external network shown, a provider-level external network, is built off a port group named
External. The External port group is located in the vDS-External distributed switch. The ESXi01 and
ESXi02 hosts are connected to the VDC production distributed switch.
The physical NICs on ESXi01 and ESXi02 are both labeled vmnic1. The vmnic1 NIC on ESXi01 has been
assigned the IP address 172.20.11.51, and the vmnic1 NIC on ESXi02 has been assigned the IP address
172.20.11.52. Both of these physical NICs are connected to a physical network known as the production
network. The production network has been assigned the Classless Inter-Domain Routing (CIDR) range
172.20.11.0/24.
External networks connect to port groups that have been defined on vSphere virtual switches. If you
plan to use a vSphere port group for a vCloud external network, increase the number of ports from
the default value of 128 to 4096.
The best practice is to use only distributed switches. Distributed switches are automatically
consistent in names and port groups on all ESXi hosts in a cluster. vCloud Director can use them
with dynamic provisioning.
vCloud Director supports the Cisco Nexus v1000. However, the v1000 does not work with VLAN-backed or
vCloud Director isolated network-backed network pools. The v1000 requires network pools that are
backed by port groups, and those port groups must be preprovisioned. The best practice is to use
distributed switches with all network pools, including network pools that are backed by port groups
and used to support Cisco Nexus v1000 switches.
A standard switch can be used with vCloud Director external networks. Standard switches are
supported, but not recommended. If you are using standard switches, then all the port groups have to
be created accordingly on all the ESXi hosts in advance.
You can use standard switches with network pools that are backed by port groups, but doing so is
also not recommended.
[Diagram: organization VDC network types. Direct-connect network: attached straight to an external network. Routed networks: network A, network B and network C behind an edge gateway on an external network. Isolated networks: a network served by a vShield Edge with no external connection]
[Diagram: direct-connect organization VDC network on an external network, static IP pool only]
DHCP and firewall services are not available, only static IP pool.
Direct-connect organization VDC networks can be created and managed only by a vCloud Director
system administrator. An organization administrator has no control over the network characteristics
and network services for direct-connect organization VDC networks. Because a direct-connect
organization VDC network is a literal extension of an external network, many services are not
available, such as DHCP and firewall.
Direct-connect organization VDC networks use an external network to connect directly to the
Internet or to systems external to the cloud. For some single servers (such as small Web servers),
using an external type of network is the best solution because the server does not need internal
communication. For administrative purposes, a customer can connect through SSH or remote
desktop directly to servers on this type of network.
If a vApp is direct-connected, either the vApp IP addresses must be statically configured or a DHCP
server with IP addresses must be connected to the external network. If vApp addresses are statically
configured, they should use the same subnet that the external network is using. Direct-connected
vApps should be fenced when connecting to external networks to prevent MAC or IP address
conflicts.
When the vCloud administrator creates a direct-connect organization VDC network, no visible
changes in the vSphere environment occur. External networks have already been created by the
vCloud administrator. Networks that are direct-connected have no VMware vShield Edge
devices deployed to provide network address translation (NAT) or firewall services.
Module 3 VMware vCloud Director Networking
A direct-connect network is a literal extension of an external network.
Direct-connect organization VDC networks depend on systems that are external to vCloud to
provide network support, such as DHCP and DNS servers. vApp administrators can also manually
configure the TCP/IP settings of virtual machines that are connected (through vApp networks) to
direct-connected organization VDC networks. The vApp network might also be direct-connected. The
vApp administrator must configure the virtual machine network settings carefully to match the
network configuration in use on the external network.
Directly connecting systems to the Internet without firewall protection is not recommended. You can
fence the vApp, which does provide firewall services.
vCloud administrators should also be aware that when multiple organization VDC networks are
direct-connected to the same external network, all network traffic on all of these networks is visible.
That visibility can violate the cloud principle of multitenancy.
Direct-connection networks must be used with extreme caution.
NOTE
The vCloud Director GUI refers to external networks at both the provider and organization level. To
prevent confusion, refer to an external network that is outside organizations as a provider external
network. External networks that are inside organizations are either organization direct-connected
networks or organization external networks.
[Diagram: isolated organization VDC network: a vShield Edge provides DHCP and a static IP pool to the consumers on the network; the crossed-out link shows there is no connection to an external network]
An organization administrator can create any number of isolated organization VDC networks. An
isolated organization VDC network is defined as a single subnet with an Edge device providing
services. The isolated network Edge device cannot be connected to an external network or to any
other organization VDC network.
If a customer does not want certain vApps to have a connection to the Internet, external networks, or
other organization VDC networks, using an isolated network is the best practice. The use of isolated
internal vApp networks is possible if the virtual machines require only internal communication with
each other. Examples of internal networks include networks for test systems and vApps that are used
only for high numbers of computations. Administration of virtual machines connected exclusively to
internal networks is possible only through a local console connection. Virtual machines can still
have multiple network interfaces. Having multiple interfaces enables a virtual machine to
communicate privately over a local-only internal network while also accessing the Internet or other
organization VDC network through a second interface.
An isolated network Edge device does not provide firewall or routing services. If virtual machines in
different vApps must communicate with each other, you must configure NAT features on each vApp
network Edge device to do the following:
When direct-connecting vApps, consider fencing the vApps to avoid MAC and IP address conflicts.
[Diagram: routed organization VDC networks behind an edge gateway on an external network; DHCP and static IP pools are provided]
Routed organization VDC networks connect to an edge gateway. An organization might be provided
with one or more edge gateways. Each edge gateway supports up to 10 network interfaces that are
shared among the external and internal networks connected to the gateway. The organization
administrator can create routed networks, configure NAT features for each network (on the edge
gateway device), manage IP allocation pools and DHCP ranges, and configure firewall rules.
Each routed organization VDC network represents a managed interface on an edge gateway.
Services available to the routed networks attached to the same edge gateway are shared. If you
enable or disable a service, such as the DHCP service, that service is enabled or disabled for all
attached organization VDC networks. You can manage service state and configurations on a per-routed
network basis, but you are still managing the edge gateway itself.
Users can attach routed vApp networks or direct-connect vApps to a routed organization VDC
network.
[Diagram: organization VDC networks A, B and C attached to an edge gateway]
Edge gateways provide DHCP, static IP pool, firewall, NAT, rate limit, and load-balancing services.
Each organization typically has at least one edge gateway that connects to a single external network
and a single organization VDC network.
Multiple edge gateways can be used to provide separate service and management points.
An edge gateway is a virtual router for organization VDC networks. You can configure an edge
gateway to provide network services such as DHCP, firewall, NAT, static routing, virtual private
network, and load balancing.
You can create an edge gateway in either a compact or a full configuration. The full configuration
provides increased capacity and performance. The compact configuration requires less memory and
fewer compute resources. All services are available in either configuration. You can enable either
configuration for high availability. A high availability edge gateway provides automatic failover of
the edge gateway to a backup instance that is running on a separate virtual machine.
An edge gateway can support up to 10 interfaces. These interfaces are categorized as uplinks when
they connect to an external network and categorized as internal interfaces when they connect to an
organization VDC network. You must specify at least one uplink interface when you create an edge
gateway. All uplink interfaces on an edge gateway must connect to an external network available in
the provider VDC that backs the organization VDC in which you are creating the edge gateway.
Internal interfaces are created automatically when you create a routed organization VDC network
that connects to an edge gateway.
vApp Networks
Slide 3-17
[Diagram: the three vApp network types: a direct-connect vApp network, a routed vApp network behind a vShield Edge, and an isolated vApp network behind a vShield Edge]
A vApp network can be configured to provide many of the same kinds of services available to an
organization VDC network.
Direct-Connect vApps
Slide 3-18
[Diagram: direct-connect vApp: virtual machines attached directly to organization VDC network A, B or C behind the edge gateway and external network; DHCP and static IP pool come from the organization VDC network]
A vApp that you direct-connect does not have a network Edge device. The virtual machines are
directly connected to and consume the resources of an organization VDC network. When creating a
network that is direct-connected, you add one of the organization VDC networks as a vApp network.
Care must be taken when using direct-connect vApps. The virtual machines consume the
organization VDC network resources (such as static IP pool addresses). All network traffic for each
virtual machine is sent over the organization VDC network.
When direct-connecting vApps, consider fencing the vApp to avoid potential MAC and IP address
conflicts on the organization VDC network.
Routed vApps
Slide 3-19
[Diagram: routed vApp: a vApp network behind a vShield Edge attached to organization VDC network A, B or C, which sit behind the edge gateway and external network]
The vShield Edge Gateway device provides firewall, NAT, DHCP, static IP pool, and other services to
the internal network.
Default settings: IP translation NAT is enabled. Traffic not matching a NAT rule is routed. Empty
translation rule set.
A routed vApp includes at least one local network and connects to an organization VDC network.
By default, the vApp network Edge device behaves as a typical IP router when connected to an
organization VDC network. A vApp network Edge device appears to have NAT enabled when it is
created: NAT is enabled by default and the NAT type is set to IP translation. When IP translation is
enabled, the Edge device still acts as a typical IP router. This default configuration means the Edge
device routes traffic between the attached subnets, transforming only traffic that matches IP
translation rules. To configure a many-to-one NAT connection, you must change the NAT type to
port forwarding and enable IP masquerading.
A vApp network Edge device has only two interfaces: one interface is connected to an organization
VDC network and the other is connected to the virtual machines in the vApp. Virtual
machines in a vApp can be created with multiple network interfaces. You can add many local
networks to a vApp, each of which can connect to the same or a different organization VDC
network.
The vApp network Edge device provides static IP pool, NAT, firewall, and DHCP services.
Multiconnection vApps
Slide 3-20
[Diagram: one vApp whose virtual machines are connected to network A, network B and network C]
Answer: 4
The vApp networking examples shown so far assume the same type of connection for each virtual
machine in the vApp. A vApp can be configured to have many local networks and connect to one or
more organization VDC networks simultaneously, with the vApp author deciding how each virtual
machine is connected.
The diagram shows how a single vApp can be configured with multiple networks. The vApp author
can configure the virtual machines with multiple network interfaces, then connect each virtual
machine network interface to any network added to the vApp.
Each vApp can have one or more vApp networks that connect to a common organization VDC
network.
You cannot use IP translation for one virtual machine and port forwarding for another virtual
machine.
Network Naming
Slide 3-22
The 33-character network name limit is required by the underlying vSphere support system.
Networks that have names longer than 33 characters can fail to deploy. A network with a name
longer than 33 characters can work initially, but it fails if the Reset Network command is ever
issued to it.
When VMware vShield Manager deploys a network, it prefixes the name of the edge device
with vse-. It also appends a 28-character hexadecimal identifier enclosed in parentheses. For
example, a network name like Marketing-webserver-routed-external-network (43 characters) could be
changed to something like
vse-Marketing-webserver-routed-external-network(032c2c2505b424ac3b8926f73d2aa704).
The new name of the edge device has 77 characters, which works fine. But if the vCloud Director
administrator (or some other user who has the proper privileges) issues the Reset Network
command, vCloud Director redeploys the edge device, and the new edge device has .updated
appended to its name. The edge device name is now
vse-Marketing-webserver-routed-external-network(032c2c2505b424ac3b8926f73d2aa704).updated.
This name has 85 characters. The name length limit in vSphere is 80 characters. The outcome is that
the Reset Network command fails and the network stops working.
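A check an administrator can run before creating a network, added here as an example (not the course's own code): it reproduces the length arithmetic above using the 28-character identifier and the 80-character vSphere limit the page states, and flags names that the Reset Network command would break. The constant and function names are this example's own.

```python
"""Added example, not part of the course material: a pre-flight check that
applies the naming rule this page describes. vShield Manager deploys the edge
device as "vse-<network name>(<identifier>)", a Reset Network redeploy appends
".updated", and vSphere caps object names at 80 characters, which is why vCloud
Director limits network names to 33 characters. The identifier length (28, as
the page states) and the limits come from the page; the names below are this
example's own.
"""
from typing import Dict, List

VCD_NAME_LIMIT = 33       # vCloud Director network name limit (from the page)
VSPHERE_NAME_LIMIT = 80   # vSphere name length limit (from the page)
EDGE_PREFIX = "vse-"
RESET_SUFFIX = ".updated"
IDENTIFIER_LENGTH = 28    # hexadecimal identifier length as stated on the page


def deployed_name_length(network_name: str) -> int:
    """Edge device name length right after vShield Manager deploys it."""
    # vse- + name + "(" + identifier + ")"
    return len(EDGE_PREFIX) + len(network_name) + 1 + IDENTIFIER_LENGTH + 1


def reset_name_length(network_name: str) -> int:
    """Edge device name length after Reset Network redeploys it with .updated."""
    return deployed_name_length(network_name) + len(RESET_SUFFIX)


def check_network_name(network_name: str) -> Dict[str, object]:
    """Report the name length at each stage and why the name would fail, if it would."""
    problems: List[str] = []
    if len(network_name) > VCD_NAME_LIMIT:
        problems.append(
            f"name is {len(network_name)} characters, limit is {VCD_NAME_LIMIT}")
    after_reset = reset_name_length(network_name)
    if after_reset > VSPHERE_NAME_LIMIT:
        problems.append(
            f"edge name after Reset Network would be {after_reset} characters, "
            f"vSphere limit is {VSPHERE_NAME_LIMIT}")
    return {
        "name_length": len(network_name),
        "deployed": deployed_name_length(network_name),
        "after_reset": after_reset,
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # The page's 43-character example fails; a 19-character name survives a reset.
    for name in ("Marketing-webserver-routed-external-network", "Mktg-web-routed-ext"):
        print(name, check_network_name(name))
```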
Lesson 2:
Network Address Translation and Fencing
Learner Objectives
Slide 3-26
By the end of this lesson, you should be able to meet the following
objectives:
Suballocated IP Pools
Slide 3-27
[Diagram: external network 172.20.10.0/24 with static IP pool 172.20.10.100-199; the ranges 172.20.10.110-119 and 172.20.10.120-129 are suballocated to Organization A and Organization B]
For each external network, the vCloud Director system administrator may configure one or more
static IP pool ranges. The static IP pools are used by the edge gateways and virtual machines that
connect to that network.
The system administrator can suballocate a portion of the static IP pool on an external network to a
specific edge gateway for use in NAT operations. Suballocated ranges must be available in order to
configure destination NAT and source NAT rules on an edge gateway. Each suballocated pool is
reserved and is not used for normal IP allocations on the external network.
[Diagram: DNAT on an edge gateway. The gateway uplink (172.20.10.100, MAC 00:50:56:01:00:2b) answers ARP for 172.20.10.204 on the external network; a packet for 172.20.10.204 has its destination translated to 192.168.100.170, the vApp address on the organization VDC network]
Destination network address translation (DNAT) rules translate a packet's destination address and,
optionally, destination IP port to the values you specify.
In the most common case, you associate a NAT service with an uplink interface on an edge gateway
so that addresses on organization VDC networks are not exposed on the external network. You can
also define NAT translations to associate IP addresses on separate organization VDC networks.
The internal address or addresses of the DNAT rules must be on directly attached networks, or be
identifiable through static routes.
A DNAT mapping defined on an edge gateway is unidirectional with state. Connections matching
the mapping specification are allowed through and the resulting solicited responses return using the
correct IP addresses and ports. Unsolicited outbound traffic is disallowed.
Inbound packets destined for the external addresses of DNAT rules are delivered to the external
interface of the edge gateway. The gateway responds to Address Resolution Protocol (ARP) requests
for each DNAT-defined external address. After the packets are received, the edge gateway transforms
the destination IP address, updates the checksum, and translates the destination port if needed.
A DNAT mapping may be a single-IP-to-single-IP rule or an IP-range-to-IP-range rule. In the case
of an IP range, a 1:1 correlation exists between each IP pair from first to last. Protocol filtering can
be defined for each DNAT rule.
[Diagram: SNAT on an edge gateway. A packet from the vApp at 192.168.100.170 on the organization VDC network leaves with its source translated to 172.20.10.204; the gateway uplink (172.20.10.100, MAC 00:50:56:01:00:2b) answers ARP for 172.20.10.204 on the external network]
Source network address translation (SNAT) translates the packet's source address and, optionally,
the source port to the values you specify.
Source NAT is the reverse of destination NAT. Traffic leaving a specific IP address or IP range is
transformed as originating from a different IP address or IP range on an external network connected
to the edge gateway. In the case of IP ranges, a 1:1 correlation exists between each sequential IP
pair.
An SNAT mapping is unidirectional with state. Connections matching the mapping specification are
allowed through and the resulting solicited responses return using the correct IP addresses and ports.
Unsolicited inbound traffic is disallowed.
As with DNAT, the gateway responds to ARP requests for each SNAT-defined external address.
After the packets are received, the edge gateway transforms the destination IP address, updates
checksums, and translates the destination port if needed.
Source NAT rules may be defined to target IP addresses on any network connected to the edge
gateway. The external addresses of SNAT rules must be in the range of a directly attached subnet.
The source address can be from a directly attached subnet or from a source that is routed to the
gateway. If the source addresses are routed, the gateway must have the appropriate static routes
defined for handling the response traffic.
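An added example (not the course's own code) that ties the suballocated pool lesson above to the DNAT and SNAT behaviour just described: NAT external addresses must come from the gateway's suballocation, range rules map 1:1, and each mapping is unidirectional with state, so unsolicited traffic in the other direction is dropped. The `ExternalNetwork` and `EdgeGateway` classes and their methods are this example's own; the demo uses 172.20.10.112 and 172.20.10.118 from the suballocated range because the diagram's 172.20.10.204 lies outside the slide's sample pool.

```python
"""Added example, not the course's own code. Models an edge gateway's NAT as this
page describes it: NAT external addresses must come from the static pool range the
system administrator suballocated to the gateway, range rules map 1:1 from first to
last address, and DNAT/SNAT mappings are unidirectional with state, so only solicited
replies cross in the other direction. Class and method names are this example's own."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

def addr_range(first: str, last: str) -> List[IPv4Address]:
    """Expand an inclusive first-last range into its addresses, in order."""
    lo, hi = IPv4Address(first), IPv4Address(last)
    return [IPv4Address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]

@dataclass
class ExternalNetwork:
    static_pool: List[IPv4Address]
    suballocations: Dict[str, List[IPv4Address]] = field(default_factory=dict)

    def suballocate(self, gateway: str, first: str, last: str) -> None:
        """Reserve part of the static pool for one edge gateway's NAT rules."""
        rng = addr_range(first, last)
        if not set(rng) <= set(self.static_pool):
            raise ValueError(f"{first}-{last} is outside the static IP pool")
        for other, used in self.suballocations.items():
            if set(rng) & set(used):
                raise ValueError(f"{first}-{last} overlaps the suballocation of {other}")
        self.suballocations[gateway] = rng

    def allocatable(self) -> List[IPv4Address]:
        """Suballocated addresses are reserved, not used for normal allocation."""
        reserved = {ip for rng in self.suballocations.values() for ip in rng}
        return [ip for ip in self.static_pool if ip not in reserved]

@dataclass
class EdgeGateway:
    name: str
    external: ExternalNetwork
    dnat: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)  # external -> internal
    snat: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)  # internal -> external
    # (internal address, external peer) of every connection a rule has admitted
    flows: Set[Tuple[IPv4Address, IPv4Address]] = field(default_factory=set)

    def add_rule(self, kind: str, ext_first: str, ext_last: str, int_first: str, int_last: str) -> None:
        """Add a DNAT (external -> internal) or SNAT (internal -> external) range rule."""
        if kind not in ("DNAT", "SNAT"):
            raise ValueError(f"unknown rule kind {kind!r}")
        ext, internal = addr_range(ext_first, ext_last), addr_range(int_first, int_last)
        if len(ext) != len(internal):
            raise ValueError("a range rule maps 1:1, so both ranges must be the same size")
        if not set(ext) <= set(self.external.suballocations.get(self.name, [])):
            raise ValueError(f"{kind} external addresses must be suballocated to {self.name}")
        if kind == "DNAT":
            self.dnat.update(zip(ext, internal))
        else:
            self.snat.update(zip(internal, ext))

    def inbound(self, src: str, dst: str) -> Optional[str]:
        """Packet arriving on the uplink: translated destination, or None if dropped."""
        s, d = IPv4Address(src), IPv4Address(dst)
        if d in self.dnat:                        # DNAT admits new inbound connections
            self.flows.add((self.dnat[d], s))
            return str(self.dnat[d])
        for internal, ext in self.snat.items():   # reply to a connection SNAT let out
            if ext == d and (internal, s) in self.flows:
                return str(internal)
        return None                               # unsolicited inbound traffic is disallowed

    def outbound(self, src: str, dst: str) -> Optional[str]:
        """Packet leaving toward the uplink: translated source, or None if dropped."""
        s, d = IPv4Address(src), IPv4Address(dst)
        if s in self.snat:                        # SNAT admits new outbound connections
            self.flows.add((s, d))
            return str(self.snat[s])
        for ext, internal in self.dnat.items():   # reply to a connection DNAT let in
            if internal == s and (s, d) in self.flows:
                return str(ext)
        return None                               # unsolicited outbound traffic is disallowed

def demo() -> Dict[str, Optional[str]]:
    """The page's pool and suballocations, then a few packets through gw-A."""
    net = ExternalNetwork(addr_range("172.20.10.100", "172.20.10.199"))
    net.suballocate("gw-A", "172.20.10.110", "172.20.10.119")
    net.suballocate("gw-B", "172.20.10.120", "172.20.10.129")
    gw = EdgeGateway("gw-A", net)
    gw.add_rule("DNAT", "172.20.10.112", "172.20.10.112", "192.168.100.170", "192.168.100.170")
    gw.add_rule("SNAT", "172.20.10.118", "172.20.10.118", "192.168.100.50", "192.168.100.50")
    return {
        "dnat_in": gw.inbound("203.0.113.9", "172.20.10.112"),             # 192.168.100.170
        "dnat_reply": gw.outbound("192.168.100.170", "203.0.113.9"),        # 172.20.10.112
        "unsolicited_out": gw.outbound("192.168.100.170", "203.0.113.77"),  # None
        "snat_out": gw.outbound("192.168.100.50", "198.51.100.5"),         # 172.20.10.118
        "snat_reply": gw.inbound("198.51.100.5", "172.20.10.118"),         # 192.168.100.50
        "unsolicited_in": gw.inbound("198.51.100.6", "172.20.10.118"),     # None
    }

if __name__ == "__main__":
    print(demo())
```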
[Diagram: IP translation on a vApp network Edge: vApp network 192.168.100.0/24 with virtual machines 192.168.100.170 and 192.168.100.104; 192.168.100.170 is mapped bidirectionally to the external address 172.30.15.205]
IP translation associates an external IP address with a virtual machine IP address on a 1:1 basis.
Unlike an edge gateway that implements DNAT and SNAT rules, a vApp network Edge device can
implement 1:1 IP translation, port forwarding, and IP masquerading.
IP translation is a true 1:1 bidirectional mapping of a virtual machine network interface with an
external address. IP translation is similar to edge gateway destination NAT, except that IP translation
is a full bidirectional mapping without protocol filtering. In terms of traffic, the specified virtual
machine interface and the external IP address are synonymous.
When IP translation is enabled, all traffic not matching a rule is still routed through the Edge device,
exposing vApp IP addresses to upstream networks. Configure firewall rules to block this behavior.
You can use IP masquerading to isolate the vApp network behind a many-to-one NAT configuration.
But because IP masquerading and IP translation features are mutually exclusive, you cannot use
both in the same service configuration.
As with most NAT operations, the Edge device responds to ARP requests for all IP translation
external addresses.
[Diagram: port forwarding on a vApp network Edge: a packet to 172.30.15.5 (the vShield Edge external address) on TCP:8080 is forwarded to 192.168.100.170:80 on the vApp network 192.168.100.0/24]
Port forwarding provides external access to services running on virtual machines on the vApp
network. Traffic matching a specified transport protocol that has been directed to the external
interface of the Edge device is forwarded to the rule-specified virtual machine interface. The
inbound port can be changed based on the forwarding rule configuration.
Response traffic from the virtual machine is transformed on the outbound to appear as originating
from the external interface of the edge.
After port forwarding has been enabled, IP masquerading can be selected. If IP masquerading is not
enabled, the edge device routes subnet traffic, exposing vApp virtual machine addresses to upstream
networks.
Port forwarding NAT is mutually exclusive with IP translation. You cannot have both NAT services
configured at the same time. Switching between the two types of NAT erases all existing rules.
Many-to-one NAT
[Diagram: vApp network 192.168.100.0/24 with virtual machines 192.168.100.170 and 192.168.100.104 masqueraded behind the external interface of the vApp network Edge]
IP masquerading enables a typical port address translation configuration on the vApp network Edge.
All outbound traffic is transformed as originating from the external interface of the vApp network
Edge.
To enable IP masquerading, you must first enable NAT and set the NAT type to port forwarding.
Because IP masquerading depends on a NAT type of port forwarding, IP masquerading cannot be
used with IP translation.
For many vApp configurations, the use of IP masquerading might be preferred as it isolates the
vApp network for duplication.
You can choose to fence a vApp when the vApp has been configured with one or more direct
connections to organization VDC networks. A direct-connect network is a literal reference to an
organization VDC network. Directly connecting virtual machines can lead to MAC and IP address
conflicts when other direct-connect vApps are deployed in the same manner. For direct-connect
cases, fencing of the vApp should be considered. Only vApps that direct-connect to an organization
VDC network can be fenced. A network Edge device is not deployed for direct-connect vApp
networks unless the vApp is fenced.
Fencing the vApp causes a network Edge device to be deployed that separates the vApp virtual
machines from the organization network. The Edge device has two interfaces: One interface is
attached to the organization network and the other connects to the vApp. The vApp network has the
same subnet address as the organization network with the fencing Edge device separating the
broadcast domains. The fencing Edge device is deployed with IP translation rules associating vApp
virtual machine addresses with addresses allocated from the organization VDC network.
[Diagram: fencing: two vApps, each containing virtual machines 172.30.15.104 and 172.30.15.105, direct-connected to organization VDC network 172.30.15.0/24 through separate vShield Edge devices (addresses 172.30.15.207 and 172.30.15.210 shown); the edge gateway is at 172.30.15.208]
The diagram illustrates how fencing works. Each of the two vApps contains two virtual machines
configured to direct-connect to a common organization VDC network. Because the vApp virtual
machines have the same set of IP addresses, IP conflicts occur on the organization VDC network
broadcast domain unless fencing is configured.
For each vApp, an edge device is deployed that isolates the virtual machines into a separate layer-2
broadcast domain. The edge devices are deployed with preconfigured IP translation rules based on
which virtual machines in the vApp are connecting to the attached organization VDC network.
[Diagram: a fenced vApp with two virtual machines attached to two organization VDC networks, 172.30.15.0/24 and 172.30.27.0/24, with a separate edge device fronting each network (addresses shown: 172.30.15.104, 172.30.27.52, 172.30.27.204)]
The diagram shows a vApp of two virtual machines configured to connect to two different
organization VDC networks. When fencing is enabled, a separate edge device is deployed for each
direct-connect organization VDC network. The edge devices each have a unique set of IP translation
rules based on how the virtual machines in the vApp connect to the organization VDC networks.
[Diagram: review question on fencing (network 172.30.27.0/24 and address 172.30.15.207 shown)]
Answer:
2 subnets
4 layer 2 broadcast domains
Lesson 3:
vCloud Director Network Pools
Learner Objectives
Slide 3-38
By the end of this lesson, you should be able to meet the following
objectives:
Define a network pool
Describe the types of network pools
What is a network pool? A network pool is a predefined collection of vSphere network resources
that can be used by vCloud Director to dynamically create a limited number of organization and
vApp networks. Think of a network pool as a set of templates to help you create networks. The
resources include things like VLAN IDs, port groups, virtual network switches, and vCloud Director
isolated networks.
Network pools are used as a template to create networks at the organization and vApp levels.
Two types of organization VDC networks require network pools: routed organization VDC networks,
which connect to an external network through an edge gateway, and isolated organization VDC
networks.
All vApp networks are built off network pools. Although a direct-connect vApp does not consume
network pool resources, fencing the vApp requires a network from a pool.
When you create a network pool, you must specify a maximum number of networks. This value limits
how many networks can be created from the pool.
Network Pools
Slide 3-40
A provider VDC gets its resources from vSphere. CPU and memory are combined into a resource
pool. Storage is configured into datastores. All of these resources are used by vCloud Director to
create a provider VDC. Networks are not included in resource pools or datastores. When you create
a provider VDC, vCloud Director analyzes the underlying ESXi hosts and clusters that the resources
come from. Based on that analysis, vCloud Director reports to you which external networks are
available to organizations and vApps that are built on a provider VDC.
Organizations and vApps get their resources from an organization VDC, which is built on the
provider VDC. When you create an organization VDC, vCloud Director enables you to associate the
organization VDC directly with a network pool. The network pools are built on vSphere port groups,
virtual switches, VLANs, and vCloud Director isolated networks.
(Provider) external networks are defined as being available to a provider VDC. Network pools are
directly associated with specific organization VDCs.
[Diagram: an organization with several organization VDCs; each VDC is associated with one network pool, and one network pool can serve several VDCs]
Each cloud can have multiple organizations. Each organization can have its own organization
VDCs. A single organization can have multiple VDCs. Multiple VDCs can connect to the same
network pool. A single organization VDC cannot connect to multiple network pools.
Each network pool must be backed by a network resource in vSphere. The network resource has to
be in the vSphere cluster that the cloud is built on. Network resources include VLANs, preexisting
port groups, and vCloud Director isolated networks.
[Diagram: organization VDCs of organization Alpha and organization Beta sharing the same network pools]
Organization VDCs from different organizations can connect to the same network pool, which
enables private enterprise clouds to create one or two network pools that serve an entire company.
Using network pools between multiple organizations enables public clouds to create fewer network
pools because each cloud tenant does not need their own pool. However, you can overcommit your
network pools. vCloud administrators should carefully monitor network pool use.
[Diagram: network pool list entry: NetworkPool, VCD-NI, 10]
The most common type of network pool is a network pool that is built on VLANs. For a VLAN
type of network pool, you must specify a VLAN ID range or a group of VLAN ID ranges. When
you specify VLAN ID ranges, do not overlap existing VLANs either in vCenter Server or in
attached physical switches.
Exercise care when you configure your physical switches. When you put a port into trunk mode,
verify that the VLANs you have configured on your ESXi host are defined and allowed by the
switch trunk port. The default behavior varies among different types of switches and between
vendors. You might need to define all the VLANs used with ESXi explicitly on the physical switch.
For each VLAN definition, you can specify the VLAN ID, name, type, maximum transmission unit
(MTU), security association identifier (SAID), state, ring number, bridge identification number, and
so on.
For switches that allow all ports by default, you might not need to do anything. The VMware best
practice is to restrict the VLAN ranges to only those VLAN IDs that you need.
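An added example (not the course's own code) for the VLAN pool checks described above: it parses a VLAN ID range list, flags pool IDs that overlap VLANs already in use in vCenter Server or on the physical switches, flags pool IDs the trunk port does not allow, and builds the restricted trunk allow list the best practice calls for. The inventory sets and function names are constructed for this example.

```python
"""Added example, not from the course: a pre-check for a VLAN-backed network
pool. It parses a VLAN ID range list in the "100-199,250-299" form, then
applies the two rules on this page: the pool must not overlap VLANs already
in use in vCenter Server or on the attached physical switches, and every
VLAN in the pool must be allowed on the switch trunk ports carrying ESXi
traffic. The inventory values below are constructed for the example.
"""
from typing import Dict, Iterable, List, Set


def parse_vlan_ranges(spec: str) -> Set[int]:
    """Expand "10,20,100-199" into the set of VLAN IDs it names (1-4094 only)."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_id, hi_id = int(lo), int(hi) if hi else int(lo)
        if not 1 <= lo_id <= hi_id <= 4094:
            raise ValueError(f"invalid VLAN range {part!r}")
        vlans.update(range(lo_id, hi_id + 1))
    return vlans


def format_vlan_ranges(vlans: Iterable[int]) -> str:
    """Compress a set of VLAN IDs back into the range-list form."""
    ids = sorted(set(vlans))
    parts: List[str] = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def check_vlan_pool(pool_spec: str, in_use: Iterable[int],
                    trunk_allowed: Iterable[int]) -> Dict[str, object]:
    """Flag pool VLANs that collide with existing VLANs or are not trunked."""
    pool = parse_vlan_ranges(pool_spec)
    overlap = sorted(pool & set(in_use))
    not_trunked = sorted(pool - set(trunk_allowed))
    return {"size": len(pool), "overlap": overlap, "not_trunked": not_trunked,
            "ok": not overlap and not not_trunked}


def trunk_allow_list(pool_spec: str, in_use: Iterable[int]) -> str:
    """Restricted trunk allow list per the best practice: only VLANs in use plus the pool."""
    return format_vlan_ranges(parse_vlan_ranges(pool_spec) | set(in_use))


# Constructed inventory: VLANs already defined in vCenter Server and on the physical
# switches, and the VLANs a switch trunk port currently allows.
IN_USE_VLANS = {1, 10, 20, 30, 105}
TRUNK_ALLOWED = parse_vlan_ranges("10,20,30,100-199")

if __name__ == "__main__":
    print(check_vlan_pool("100-199,250-299", IN_USE_VLANS, TRUNK_ALLOWED))  # 105 collides, 250-299 not trunked
    print(check_vlan_pool("110-119", IN_USE_VLANS, TRUNK_ALLOWED))          # ok
    print(trunk_allow_list("110-119", IN_USE_VLANS))                        # 1,10,20,30,105,110-119
```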
vSphere VXLAN networks are based on the IETF draft VXLAN standard. These networks support
local-domain isolation equivalent to what is supported by vSphere isolation-backed networks.
[Diagram: vCloud Director isolated network: two ESXi hosts with the isolated network traffic tunneled between their VMkernel modules]
The second type of network pool is one backed by a vCloud Director isolated network. The vCloud
Director isolated network is driven by the VSLAD agent that runs on ESXi hosts in the vSphere
DRS/vSphere HA cluster. The VSLAD agent is part of the software in the VSLA kernel module.
vCloud Director isolated networks isolate network traffic. If a packet needs to leave the port group
on one ESXi host to move to a different ESXi host, it is tunneled through the VMkernel module.
This tunneling uses MAC-in-MAC encapsulation, which puts a vCloud Director isolated network
header in place and sends the packet out to the physical layer. A vCloud Director isolated network
adds 24 bytes to the length of the packet.
Think of the vCloud Director isolated network as a software-based isolated network between two or
more ESXi hosts that uses special packets at layer 2 of the network model (the Ethernet layer).
The packets are decoded in the VMkernel. Network traffic is isolated at layer 2. vCloud Director
isolated networks can be used to connect traffic on multiple ESXi hosts.
Creating a network pool that is backed by the vCloud Director isolated network does not change
anything on the vSphere layer. You will not see a vShield Edge device deployed. No new port
groups appear. When a vApp that connects to a network is powered on, the vShield Edge device is
deployed and the port group is created.
The final type of network pool backing is a network pool backed by vSphere port groups. The port
groups on virtual switches must be created in advance by the VMware vCenter administrator.
These port groups must already have VLAN IDs configured to meet vCloud security requirements.
The network pool based on port groups is the least flexible type of network pool. However, this type
of network pool backing does give the vCloud administrator total control over the configuration.
You can override the VLAN configuration requirement. VMware recommends against overriding
the VLAN configuration requirement.
96
VXLAN is a new type of LAN connection that is designed to replace vCloud Director isolated
networks.
97
[Figure: DRS Cluster A (VLAN ID = 01) and DRS Cluster B (VLAN ID = 02) connected through a router.]
No VXLAN is configured.
A router is required for virtual machines in both clusters to
communicate with each other.
If you have virtual machines running on two different clusters that have different VLAN IDs, these
virtual machines cannot communicate with each other unless you set up a router between the
clusters.
98
[Figure: DRS Cluster A and DRS Cluster B joined by a VXLAN wire across a router, with a VTEP at each end.]
VXLAN Virtual Tunnel End Point (VTEP) is on both ends of the VXLAN wire.
VXLANs enable you to connect two clusters with a VXLAN wire. The VXLAN wire is a logical
connection between the two clusters. Each end of the wire must be anchored with a VXLAN Virtual
Tunnel End Point (VTEP).
VXLAN is a routable protocol that does not require special configuration within a router. Because
VXLAN is an encapsulation protocol, VLANs are not needed to isolate traffic. Each VXLAN wire
is isolated.
VXLAN is not an encrypted protocol. Traffic is isolated, but it is not secured by encryption.
99
The VXLAN pool is given a name derived from the name of the
containing provider VDC and attached to it at creation.
You cannot delete or modify the VXLAN network pool.
You cannot create a VXLAN network pool by another method.
If you rename a provider VDC, the associated VXLAN network pool is
renamed.
vCloud Director automatically sets up a network pool backed by a VXLAN. The pool is named after
the provider VDC. Each provider VDC gets a unique VXLAN pool.
Even though a VXLAN pool is available, you are not required to use it. Other types of network pools
can still be used with each provider VDC.
100
VXLAN Frame
Slide 3-51
The original L2 header becomes the payload plus VXLAN, UDP, and IP
headers.
[Figure: VXLAN frame layout. Outer L2 header (Destination Address, Source Address, VLAN ID Tag); Outer IP Header (Misc Data, Protocol 0x11, Header Checksum, Source IP, Destination IP); UDP header (Source Port, VXLAN Port, UDP Length, Checksum 0x0000); VXLAN Header (VXLAN Flags, Reserved, VNI, Reserved); Inner L2 header (Destination Address, Source Address, VLAN ID Tag); Payload 1500; FCS. The VXLAN overhead is annotated as 14+ (outer L2), 20 (outer IP header) and 14+ (inner L2).]
101
[Table, partially recovered from figure residue: VXLAN frame size in bytes, columns IPv4 and IPv6.]
Payload: 1500 / 1500
Inner L2 header: 14 / 14
VXLAN header: 8 / 8
UDP header: 8 / 8
IP header: 20 / 40
Outer L2 header: 14 / 14
Frame size: 1572 / 1600
102
103
Physical network MTUs must be set to 50 bytes larger than the MTU
used by virtual machine vNICs.
The extra configuration that is required in vSphere is a change of the MTU on distributed switches
that will be used by vCloud Director.
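As an added example that is not part of the course material, the following Python code encapsulates and parses a VXLAN-over-IPv4 frame with the fields shown on the slides above (Protocol 0x11, UDP checksum 0x0000, VXLAN flags and VNI) and carries out the overhead arithmetic behind the 50-byte MTU rule. It assumes the IANA-assigned UDP port 4789 for the "VXLAN Port" field, uses constructed MAC addresses and 192.0.2.0/24 documentation addresses, and derives the IPv6 figure from the 40-byte IPv6 header rather than from the slide. The parser hands back the inner frame byte for byte, which is the practical meaning of VXLAN traffic being isolated but not encrypted: anything that can read the transport network can read tenant frames.

```python
import socket
import struct

# Sizes of the headers VXLAN puts in front of the original L2 frame (as in the
# slide's frame-size table). Outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8 = 50.
OUTER_ETH_LEN = 14
IPV4_HDR_LEN = 20
IPV6_HDR_LEN = 40
UDP_HDR_LEN = 8
VXLAN_HDR_LEN = 8

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 0x11           # "Protocol 0x11" in the slide's outer IP header
VXLAN_UDP_PORT = 4789        # assumption: IANA-assigned port; the slide only says "VXLAN Port"
VXLAN_FLAG_VNI_VALID = 0x08  # the I flag: the VNI field carries a valid network identifier


def vxlan_overhead(ipv6=False):
    """Bytes added to each frame by the outer Ethernet, IP, UDP and VXLAN headers."""
    ip_len = IPV6_HDR_LEN if ipv6 else IPV4_HDR_LEN
    return OUTER_ETH_LEN + ip_len + UDP_HDR_LEN + VXLAN_HDR_LEN


def required_physical_mtu(vm_mtu, ipv6=False):
    """Smallest physical MTU that carries a full-size vNIC frame without fragmentation."""
    return vm_mtu + vxlan_overhead(ipv6)   # 1500 -> 1550 over IPv4, 1570 over IPv6


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ipv4_checksum(header):
    """One's-complement sum over the IPv4 header; returns 0 for a header whose checksum is valid."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vxlan_frame(vni, inner_frame, src_mac, dst_mac, src_ip, dst_ip, src_port=49152):
    """Encapsulate an inner Ethernet frame the way a VTEP does (outer IPv4 transport)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # VXLAN header: flags, 3 reserved bytes, VNI in the top 24 bits of the last word.
    vxlan_hdr = struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8)
    udp_len = UDP_HDR_LEN + VXLAN_HDR_LEN + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # checksum 0x0000
    total_len = IPV4_HDR_LEN + udp_len
    ip_fields = [0x45, 0, total_len, 0, 0x4000, 64, IPPROTO_UDP, 0,
                 socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    ip_fields[7] = _ipv4_checksum(ip_hdr)   # fill in the header checksum
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    outer_eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return outer_eth + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def parse_vxlan_frame(frame):
    """Decode a VXLAN-over-IPv4 frame: outer addressing, VNI and the inner frame exactly
    as anyone on the transport network can see it (nothing here is encrypted)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if _ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if ip_hdr[9] != IPPROTO_UDP:
        raise ValueError("outer IP protocol is not UDP")
    udp_off = 14 + ihl
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not the VXLAN port")
    vx_off = udp_off + UDP_HDR_LEN
    flags, _, word = struct.unpack("!B3sI", frame[vx_off:vx_off + VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return {
        "outer_src_ip": socket.inet_ntoa(ip_hdr[12:16]),
        "outer_dst_ip": socket.inet_ntoa(ip_hdr[16:20]),
        "udp_src_port": src_port,
        "vni": word >> 8,
        "inner_frame": frame[vx_off + VXLAN_HDR_LEN:udp_off + udp_len],
    }


# Constructed sample: a 1500-byte inner frame (14-byte Ethernet header plus payload) on VNI 5001,
# tunnelled between two VTEPs with constructed MACs and documentation-range IP addresses.
INNER_FRAME = (_mac("00:50:56:aa:00:02") + _mac("00:50:56:aa:00:01")
               + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * (1500 - 14))
SAMPLE_FRAME = build_vxlan_frame(5001, INNER_FRAME, "00:1b:21:00:00:0a",
                                 "00:1b:21:00:00:0b", "192.0.2.10", "192.0.2.11")

if __name__ == "__main__":
    decoded = parse_vxlan_frame(SAMPLE_FRAME)
    print("VNI", decoded["vni"], "inner bytes", len(decoded["inner_frame"]),
          "on-wire bytes", len(SAMPLE_FRAME), "physical MTU needed", required_physical_mtu(1500))
```

The on-wire length of the sample is 1550 bytes for a 1500-byte inner frame, which is the 1550 MTU requirement listed later in this module for VXLAN-backed pools.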
104
105
VLAN backed:
Different types of network pools have different advantages and disadvantages. A solid
understanding of these advantages and disadvantages can help vCloud administrators decide when
to use which type of network pool.
106
VXLAN backed:
Routable
Disadvantages:
Requires more vSphere configuration than other pools
Requires 1550 MTU and other special configuration in physical networks
The VXLAN backed network pools have more advantages and potential disadvantages than other
types of network pools.
107
Advantages:
Organization networks that are routed or isolated use network pools. Organization networks that
direct-connect do not use network pools. All vApp networks use network pools. Fenced vApps use
network pools.
External networks do not use network pools because external networks are created by the provider
(cloud administrator). The networks are managed by the provider. They are not a resource of the
organization.
Every organization is limited in its resources. Organization networks and vApp networks can be
deployed only if enough resources are available in an assigned network pool.
Multiple organization VDCs can exist in an organization and can connect to a single network pool.
108
VLAN
vCloud Director isolated networks
Port groups
VXLAN
109
110
111
Lesson 4:
vCloud Director Networking Objects in
vSphere
112
Learner Objectives
Slide 3-63
By the end of this lesson, you should be able to meet the following
objective:
113
114
115
116
117
Key Points
Slide 3-68
External
Organization
vApp
Port based
VLAN based
vCloud Director isolated network-based
VXLAN based
Questions?
118
MODULE 4
Slide 4-1
Module 4
119
120
Importance
Slide 4-3
You learn how to create provider virtual data centers (VDCs) that act
as the source for organization VDCs.
121
Learner Objectives
Slide 4-4
By the end of this module, you should be able to meet the following
objectives:
122
VMware vCloud Director has two types of virtual data centers (VDCs):
A provider virtual data center is a collection and an abstraction of VMware vSphere resources:
Storage
CPU
Memory
123
Resource Groups
Slide 4-6
[Figure: several DRS/vSphere HA clusters, each forming a resource group.]
If you have separated vCloud Director management functions into a separate VMware vSphere
Distributed Resource Scheduler (DRS) management cluster, then vCloud Director resources are
provided by other vSphere DRS clusters. Each VMware vCenter Server system can support multiple
vSphere DRS clusters. But for management purposes, you might find it simpler to have one vCenter
Server system manage only one vSphere DRS cluster. If you decide to manage multiple DRS clusters
under a single vCenter Server system, you should group related clusters together. As you plan your
architecture, remember that providers are based on the resources managed by vCenter Server. A
single provider virtual data center can encompass more than a single vCenter Server system.
124
Types of Resources
Slide 4-7
[Figure: the three resource types, CPU, memory and storage.]
Resource pools are usually configured with each vSphere DRS cluster being organized into a single
resource pool. However, you can subdivide a vSphere DRS cluster into smaller resource pools.
In vSphere 5.5, storage should be organized into a storage policy. The use of a vSphere storage
policy is not required. You can configure provider virtual data centers with direct access to vSphere
datastores. But the use of a vSphere storage policy makes the management of storage easier.
125
Provider VDCs
Slide 4-8
[Figure: CPU, memory and storage are collected into resource pools and datastores, which back provider VDCs.]
Virtual data centers are built on vSphere resources. CPU capacity, memory, and storage are at the
hardware level. vSphere collects those resources into resource pools and datastores. Provider virtual
data centers are built directly on top of vSphere resource pools and datastores. Organization virtual
data centers get their resources from provider virtual data centers.
126
[Figure: an organization VDC and its associated provider VDC, showing the available external networks, storage, memory and CPU.]
Organization virtual data centers are collections of resources (CPU, disk, memory, and networks)
that provide resources to organizations.
Relationships exist between organizations, network pools, and organization virtual data centers,
including the following:
Each organization virtual data center can be assigned only one network pool.
A single network pool can be used by multiple organization virtual data centers.
A single organization can connect to multiple network pools by leveraging multiple organization
virtual data centers.
Organization networks are built on network pools. Organization networks can be created before
creating an organization virtual data center.
127
vCloud Resources
Slide 4-10
[Figure: layered mapping of vCloud Director resources onto vSphere and physical resources. vCloud layer: Organization VDC, Organization Network, Network Pool, Provider VDC, External Network. vSphere layer: vSphere Distributed Switch, Distributed Port Group, Resource Pool, Datastores, Storage Policy, DRS Cluster. Physical layer: Physical Network, VLAN, Physical Host, CPU, FC-SCSI Storage, NFS/iSCSI Storage.]
vSphere datastores are offered to vCloud Director as available storage through vSphere storage
policies. This storage is divided into provider virtual data centers. Organization virtual data centers
can use storage from a single provider. A single organization can have multiple organization virtual
data centers, each with a different type of storage.
go
The allocation of storage to resource clusters can vary depending upon how provider virtual data
centers are being allocated. If you are following the best practice recommendation of using a 1:1
mapping between provider virtual data centers and DRS clusters, then the recommendation for
storage is no different between a cloud resource cluster and a standard vSphere DRS cluster. The
exception is that if vSphere DRS clusters are being used as cloud resource clusters, they might
require larger datastores.
If resource pools are used for backing provider virtual data centers instead of DRS clusters, consider
using different types of datastores to offer multiple tiers of storage that can be grouped during the
provider virtual data center creation phase.
128
When you create a provider virtual data center, networks are not considered to be a part of the
virtual data center. But the vCloud Director UI indicates which external networks are available,
based on the resources (DRS clusters and resource pools) that you have selected as resources for the
virtual data center.
129
vCloud Director requires shared storage. All of the storage that is supported is based on the vSphere
hardware compatibility list. This storage includes:
Fibre Channel
NFS
iSCSI
All VMware ESXi hosts that provide storage to vCloud Director must be members of DRS
clusters. vCloud Director is aware only of storage that is presented to it as datastores from vSphere.
130
Some storage arrays can communicate with VMware vSphere API for
Storage Awareness.
A storage device can be assigned user-defined tags in vSphere.
vSphere API for Storage Awareness capabilities and user-defined tags
are used to organize storage with a storage policy.
Storage that is identified by a storage policy can be assigned to
provider VDCs.
A vSphere storage policy is based on either VMware vSphere API for Storage Awareness
capabilities or user-defined storage capabilities.
When you create a provider virtual data center, you must assign at least one vSphere storage policy
to the provider virtual data center. You can also assign storage from more than one vSphere storage
policy to a single provider virtual data center.
Organization virtual data centers get their storage from a single provider virtual data center. If the
provider virtual data center has access to storage from more than one vSphere storage policy, storage
from those same multiple instances of a vSphere storage policy is available to the organization
virtual data center.
NOTE
The use of a vSphere storage policy is not required. A vSphere storage policy must still be defined
on the resource cluster. But when a provider virtual data center is created, you can select one
vSphere storage policy and then have all of the shared storage covered by any vSphere storage
policy available to the provider virtual data center. The VMware best practice is to use a vSphere
storage policy.
131
Organization VDCs can use storage identified in more than one storage
policy.
Each provider VDC can use storage identified in more than one storage
policy.
Storage Considerations
Slide 4-14
Other considerations:
The use of raw device mappings is not supported.
NFS share is required for multiple cells.
You can use storage policies to distribute virtual machine disks to
different storage tiers.
vSphere DRS clusters used with vCloud Director must be configured to use automated vSphere DRS.
Automated vSphere DRS requires shared storage attached to all hosts in a vSphere DRS cluster.
Raw device mappings cannot be used. They are not supported. Using an RDM breaks the mobility
of VMware vSphere vApps.
The upload NFS share is mandatory only in multicell deployments. VMware recommends the
creation of an upload NFS share for all vCloud Director deployments. The configuration of an upload
NFS share makes it easier to add cells later, even if you originally planned to have only one cell.
The NFS share must be as large as the biggest potential vApp or media item that will be uploaded
into the catalog. You also must have enough storage space in the NFS share to take into account
concurrent uploads. The best practice is to start with at least 500GB in the NFS upload share.
Storage should be common in the cluster. No mixed RAID or disk types are allowed in the same
cluster.
Storage should be organized into tiers based on cost and performance. These tiers are usually
managed by vSphere storage policies. Virtual machines can have different disks assigned to different
storage tiers based on vSphere storage policies. For example, a customer might have an application
that was a high-speed search engine attached to a read-only database. The data for the database
might be stored on a very fast solid-state drive (SSD), and the virtual machine base disk with the
operating system might be assigned to less expensive storage.
132
Datastore Sizing
Slide 4-15
133
Storage Tiering
Slide 4-16
A single resource pool provides all CPU and memory in the cluster to the
provider VDC.
All shared storage in the vSphere DRS cluster is assigned to the provider
VDC.
134
4
VMware vCloud Director Providers
135
You can use the VMware vSphere Web Client or VMware vCloud
API to manually relocate virtual machine disk files under the following
conditions:
The target datastore is part of the same organization VDC as the vApp.
All virtual disks for a virtual machine are migrated to the same datastore.
The best practice for using VMware vSphere Storage DRS is to configure vSphere storage
policies and vSphere datastore clusters. VMware vSphere Storage vMotion migration of virtual
machines is then handled automatically by vSphere based on the configuration of the vSphere
storage policies, datastore clusters, and vSphere Storage DRS rules. This type of configuration
provides optimal performance as some datastores become too full or too busy.
You can use either VMware vSphere Client or VMware vCloud API to manually migrate a
single virtual machine, but such migration should be done carefully.
CAUTION
Use of the vSphere Client to manually migrate a virtual machine when that virtual machine is part of
a vCloud Director vApp can cause vCloud Director problems. This statement is true for both storage
location migrations and host migrations. The vSphere Client displays a warning message if you try
to directly manage an item that is managed by vCloud Director.
136
[Figure: a provider VDC combining memory, CPU, storage and external networks.]
A provider virtual data center (VDC) combines the compute and memory resources of a single
vCenter Server resource pool with the storage resources of one or more datastores connected to that
resource pool. A provider VDC is the source for organization VDCs.
137
[Figure: two provider VDCs, Silver and Gold, each with its own memory, CPU and storage.]
who use resources from a Silver or Bronze provider VDC. Likewise, you can create clusters of hosts
running similar hardware and create provider VDCs based on the type of hardware providing the
compute resources.
When you create a provider VDC, vCloud Director prepares each host in the cluster associated with
the resource pool by installing an agent on each host. This process does not require a restart of the
host system.
138
Service-Level Examples
Slide 4-20
No vSphere HA failover
139
Multiple provider VDCs can use the same datastore for storage.
Best practice: Divide storage into different tiers of cost, based on
storage device speed and expense.
You can connect multiple datastores to a single provider VDC.
You can add datastores to a provider VDC.
[Figure: storage tiering, "best practice" versus "possible" layouts, with datastores labelled datastore (SSD), datastore (unobtainium) and datastore (SCSI) and cost indicators from $ to $$$.]
You can connect multiple provider VDCs to the same datastore. The best practice is to create storage
tiers where datastores are separated according to speed and cost of storage. Then connect specific
provider VDCs to those datastores to give users different cost options for their storage.
You can connect multiple datastores to a single provider VDC. You can also add datastores to a
provider VDC.
VMware recommends not creating multiple provider VDCs from the same datastore. Avoid
creating a datastore built on storage of multiple device types that operate at different costs or speeds.
140
You can map provider VDCs to vSphere DRS clusters or resource pools. The best practice is to map
each provider VDC to a single cluster.
Mapping a provider VDC to an entire cluster makes it easy to expand the resources in the provider
VDC by adding hosts or datastores to the cluster. If hosts are added later, the provider VDC can
automatically expand by the corresponding amount.
vCloud Director manages vSphere resources by proxy through a vCenter Server and automatically
creates resource pools in vCenter Server as needed to instantiate organization VDCs. If the vSphere
administrator uses vCenter Server to create nested resource pools, such use can negate the efficient
allocation of resources by vCloud Director. Multiple parent-level resource pools can also add
unnecessary complexity and lead to unpredictable results or inefficient use of resources if the
reservations are not set appropriately.
A provider VDC can map to one cluster. After a cluster is attached to a provider VDC, it is no
longer available for attachment to another provider VDC. It is possible to attach a second cluster to a
provider VDC if you are using an elastic VDC.
One or more datastores can be attached to a provider VDC. But as a best practice for segmenting
storage, VMware recommends that datastores should not be shared by multiple provider VDCs.
141
It is possible to attach multiple provider VDCs to the same vSphere storage policy. The attachment
of multiple provider VDCs to the same vSphere storage policy is not a best practice, unless these
multiple provider VDCs are designed to provide the same level of service.
Create multiple provider VDCs to differentiate computing levels or performance characteristics of a
service offering. Segment by capacity, availability, or performance type. An example of
differentiating by availability is n+1 for a Bronze provider VDC versus n+2 for a Silver provider
VDC. As the level of expected consumption increases for a given provider VDC, add hosts to the
cluster from vCenter Server and attach more datastores.
Create different provider VDCs to differentiate between:
Performance levels (different hardware, CPU, RAM, disk, and so on)
Different availability levels (no HA, HA n+1, HA n+2,... HA n+4)
Special licensing requirements, where software must be licensed for all cores. A
dedicated Oracle cluster is one example.
As the number of hosts in the cluster backing a provider VDC approaches the halfway mark of
vSphere limits, consider implementing controls to preserve room. Implement these controls well
ahead of reaching the cluster limits. For example, do not add more tenants to this particular VDC,
and use any hosts that are added to address increased resource demand from the existing tenants. If
the cluster backing a provider VDC has reached the maximum number of hosts per vSphere design
guidelines, create a provider VDC associated with a new cluster.
142
When you create a provider, you must specify the planned hardware
level for the virtual machines that the provider will support.
143
Elastic VDCs
Slide 4-24
All vSphere DRS clusters must be managed by the same vCenter Server
system.
Virtual Extensible LAN (VXLAN) fabric is required.
Organization VDCs must be configured as pay-as-you-go or allocation pool
models when provider VDCs span multiple vSphere DRS clusters.
144
Fast provisioning:
[Figure: a template whose base disk is shared by linked clones.]
Fast provisioning enables rapid provisioning of vApps with vSphere linked clones. A linked clone
uses the same base disk as the original, with a chain of delta disks to track the differences between
the original and the clone. Fast provisioning is enabled by default when allocating storage to an
organization VDC. If an organization administrator disables fast provisioning, all provisioning
operations result in full clones.
Increased elasticity: The ability to quickly provision vApps enables cloud applications to scale
up as needed through the ability to deploy a vApp from a catalog using linked-clone technology.
Increased operational efficiency: Use of linked clones typically results in significant
improvement in storage utilization.
145
Benefits:
Increased elasticity
[Figure: a base vmdk shared by several linked-clone vmdks. A shadow virtual machine enables cross-datastore provisioning and is invisible to end users.]
[Figure: vCenter Server 1 and vCenter Server 2 with datastore-1, datastore-2 and datastore-3; each datastore holds a shadow virtual machine, VM (S), and linked clones VM-2 through VM-6 (L).]
vSphere limits the use of linked clones. Linked clones can be created only in a single datastore.
vCloud Director uses shadow virtual machines to allow linked clones to be deployed across multiple
datastores.
When vCloud Director deploys a virtual machine from a catalog, the standard procedure is to deploy
only a linked clone. But if a user requests the deployment of a virtual machine into an organization
VDC that is different from the organization VDC that the catalog is hosted in, vCloud Director
creates a shadow virtual machine.
After the shadow virtual machine is created, subsequent linked clones are deployed fast because you
are deploying linked clones to the same datastore.
For a linked clone in a single datastore, the linked clone is created almost instantaneously.
If a linked clone is requested on a different datastore, vCloud Director makes a full copy of the
source virtual machine on the destination datastore and then creates a linked clone. This full copy
operation takes more time than a standard linked clone creation. Subsequent linked clones are
almost instantaneous.
Because vCloud Director supports multiple vCenter Server systems, a user can request a linked
clone on a datastore that is on a different vCenter Server system. In this case, vCloud Director
creates a shadow virtual machine on the destination datastore before it creates the linked clone.
146
Fast provisioning requires vSphere 5.x (vCenter Server 5.x and ESXi
5.x).
The best practice is to base each provider VDC on a dedicated cluster.
Tree-depth is limited to 31. After 32, a new base disk is deployed.
The use of linked clones is limited to a single datastore. For cross-datastore deployment, a new shadow virtual machine is deployed.
Some in-guest operations cause many writes (increasing delta disk
size):
Defragmentation
Memory dumps
Application logs
Fast provisioning requires vCenter Server 5.x and ESXi 5.x hosts. If the provider VDC on which the
organization VDC is based contains VMware ESX 4.x hosts, fast provisioning is not supported.
In the presence of both ESX 4.x and ESXi 5.x hosts in a given cluster backing the provider VDC,
the fast provisioning option is not available during organization VDC creation.
Fast provisioning in vSphere 5.1 has different limits than fast provisioning under vSphere 5.0. Under
vSphere 5.0, if fast provisioning is used, the cluster size is limited to eight hosts. Under vSphere 5.1,
the cluster size can be a maximum of 32 hosts, even if fast provisioning is used.
If the provider VDC on which the organization VDC is based contains any VMware vSphere
VMFS datastores connected to more than eight hosts under vSphere 5.0, a power-on operation for a
virtual machine might fail. vSphere 5.0 datastores should be connected to a maximum of eight hosts.
VMware recommends separating datastores reserved for fast provisioning from datastores reserved
for full-clone vApp workloads for manageability and chargeback purposes. Additionally, if vCloud
Director is deployed on block-based storage, VMware recommends using the vSphere DRS cluster
to back a dedicated provider VDC for fast provisioning. All organization VDCs are created from
the dedicated provider VDC and should have Enable Fast Provisioning selected.
When you select Enable Fast Provisioning on all organization VDCs based on a dedicated provider
VDC, vCloud Director allows the implementation of linked clones across the cluster. The use of fast
provisioning on all organization VDCs attached to a single provider VDC makes it easier for the
administrator to ensure that this dedicated cluster remains under the eight-host limit. The
administrator can configure other provider VDCs not to use linked clones. These clusters where fast
provisioning is disabled can be larger than eight hosts. Applications that are write-intensive perform
better when hosted on provider VDCs that do not have fast provisioning enabled.
NOTE
Although vSphere 5.1 has an expanded limit of 32 hosts per cluster if fast provisioning is used,
administrators should still plan to start their resource clusters at less than full size to leave space for
future expansion.
Provisioning Times
Provisioning should be near instantaneous when provisioning to the same datastore. Provisioning a
virtual machine to a different datastore triggers creation of shadow virtual machines if they do not
already exist on the target datastore. The shadow virtual machine is a full copy of the virtual
machine on the target datastore. After a shadow virtual machine exists in the target datastore,
subsequent provisioning of the virtual machine occurs instantaneously, as in the same datastore case.
VMware recommends that the most frequently provisioned vApp templates be preprovisioned
across the datastores for the organization to achieve consistent instantaneous provisioning
experience.
Performance Implications
Linked-clone performance varies. Sometimes linked clones can perform better than full clones,
depending on the I/O policy of the application workload. One reason for potentially greater
performance is metadata caching. On virtual machine startup, metadata dictating which file to
access to get data is written to the ESXi copy-on-write heap. When a virtual machine does a virtual
SCSI read and hits the metadata cache, each virtual read results in a single physical read. However,
if an ESXi cache miss occurs, there will be a virtual read in addition to multiple physical reads for a
virtual machine reading across many disk sectors, causing additional overhead. Linked clone
performance can be further boosted through storage array caching. The use of storage array caching
can cause commonly used base disks to be read from storage array memory cache instead of disk.
Ample storage array cache will greatly benefit an environment utilizing linked clones.
Scalability Limitations
Tree width. Although there is no limit to the width of a tree, a datastore can fill up if a tree gets
too wide. If the datastore fills up, no clones can be created. The problem of having a full
datastore can be mitigated by using shadow virtual machines to allow cross-datastore
provisioning.
Tree depth. Linked-clone tree depth is kept at a maximum of 31. A thirty-second leaf node
automatically creates a base disk.
Eight-host limit. There is an eight-host limit imposed by vSphere 5.0 when using SAN storage.
This in turn limits max cluster size to eight hosts.
Fast provisioning technology is based on snapshot hierarchies. Snapshot hierarchies are
composed of several VMDKs organized as a chain with one or more common base disks, each
of which are opened in read-only mode. The top-level disk (called a delta disk) is opened in
exclusive mode. Files opened in read-only locking mode cannot be opened by more than 8
hosts, so the same limitation applies to VMFS based linked clones. This limitation does not
apply when vSphere uses NFS storage.
Single-datastore. Linked clones can be used only in a single datastore. The use of shadow
virtual machines allows for cross-datastore provisioning. As shadow virtual machines are full
copies of the source virtual machines, sizing considerations for preprovisioning shadow virtual
machines across datastores should be made.
Some in-guest operations can increase delta disk sizes and fill up datastores. An example of this is a
defragmenter running in the guest operating system. The virtual machine might start with very small
VMDK files built off of linked clones. But as the defragmenter runs most of the disk is rewritten.
The modification of all disk sectors causes the VMDK of the linked clone delta disk to inflate back
to full size.
149
VMware does not recommend or support VMware vSphere vMotion migration of linked clones
in the vSphere layer. Even if the datastores are part of a datastore cluster enabled with vSphere
Storage DRS, vCloud Director provisioned linked clones are ignored by vSphere Storage DRS in
vSphere 5.0. Under vSphere 5.1, vSphere Storage DRS can be used to automatically balance linked
clones between datastores.
vSphere Storage vMotion. vSphere Storage vMotion in ESXi 5.0 has been improved to support
migration of linked clones. However, the migration of linked clones should be invoked only in
the vCloud Director layer, through the REST API Relocate_VM. When invoking the
Relocate_VM API to migrate linked clones, ensure that the target organization VDC is part of
the same provider VDC as the source organization VDC. Or ensure that the target organization
VDC is backed by a provider VDC that has the same datastore where the source vApp resides.
If the condition is not met, the API call fails.
Use the vCloud API to initiate vSphere Storage vMotion migration for
linked clones to preserve the linked-clone state.
Manual migration of a virtual machine that is built on linked clones can
cause undesirable effects. These effects include problems like the
inflation of delta disks.
vCloud Director does not support linked-clone configurations that span
across datastores.
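As an added example (not part of the course material or VMware's own code), the following Python applies the two Relocate_VM preconditions above before building the request. The provider VDC, organization VDC and VM objects are constructed sample data, and the request path, XML namespace and media types are assumptions to verify against the vCloud API reference for the vCloud Director version in use.

```python
"""Pre-flight check for relocating a linked-clone VM through the vCloud API.

Inventory objects are constructed sample data, not exported from a real
vCloud Director instance. The request builder encodes assumptions about
the API (path, namespace, media types) that are flagged inline.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple
import xml.etree.ElementTree as ET

# Assumption: vCloud API 5.1 XML namespace.
VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
ET.register_namespace("", VCLOUD_NS)


@dataclass(frozen=True)
class ProviderVdc:
    name: str
    datastores: FrozenSet[str]      # datastores the provider VDC can place VMs on


@dataclass(frozen=True)
class OrgVdc:
    name: str
    provider_vdc: ProviderVdc       # each org VDC is backed by exactly one provider VDC


@dataclass(frozen=True)
class Vm:
    href: str
    org_vdc: OrgVdc
    datastore: str                  # datastore holding the VM's delta disk and its base disk
    linked_clone: bool


def relocate_allowed(vm: Vm, target: OrgVdc) -> Tuple[bool, str]:
    """Apply the two conditions the course states for Relocate_VM on linked clones.

    Either the target org VDC is backed by the same provider VDC as the source,
    or the target's provider VDC also contains the datastore the VM lives on.
    The constraint in the course text concerns linked clones only, so full
    clones pass the check unconditionally here.
    """
    if not vm.linked_clone:
        return True, "full clone: no linked-clone datastore constraint"
    if target.provider_vdc.name == vm.org_vdc.provider_vdc.name:
        return True, "target org VDC is backed by the same provider VDC"
    if vm.datastore in target.provider_vdc.datastores:
        return True, f"target provider VDC also contains datastore {vm.datastore}"
    return False, (f"provider VDC {target.provider_vdc.name} cannot reach datastore "
                   f"{vm.datastore}; the relocate call would fail")


def build_relocate_request(vm: Vm, target: OrgVdc, datastore_href: str):
    """Return (method, url, headers, body) for the relocate action, or raise.

    Assumption: the action is POST <vm href>/action/relocate with a
    RelocateParams body that references the destination datastore.
    """
    ok, reason = relocate_allowed(vm, target)
    if not ok:
        raise ValueError(reason)
    params = ET.Element(f"{{{VCLOUD_NS}}}RelocateParams")
    ET.SubElement(params, f"{{{VCLOUD_NS}}}Datastore", href=datastore_href,
                  type="application/vnd.vmware.admin.datastore+xml")
    headers = {
        "Accept": "application/*+xml;version=5.1",
        "Content-Type": "application/vnd.vmware.vcloud.relocateVmParams+xml",
    }
    return "POST", f"{vm.href}/action/relocate", headers, ET.tostring(params, encoding="unicode")


if __name__ == "__main__":
    gold = ProviderVdc("pvdc-gold", frozenset({"ds01", "ds02"}))
    silver = ProviderVdc("pvdc-silver", frozenset({"ds02", "ds03"}))
    vm = Vm("https://vcd.example.com/api/vApp/vm-1", OrgVdc("fin-gold", gold), "ds02", True)
    print(relocate_allowed(vm, OrgVdc("fin-silver", silver)))
```

Run the check before every relocate call rather than relying on the API error: a failed call is cheap, but performing the move in vSphere instead (a manual Storage vMotion) is what the slide warns against, because it can inflate the delta disks.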
vSphere Storage DRS supports linked clones only with vCloud Director
5.x.
In a cross-datastore linked clone configuration, vSphere Storage DRS does not recommend placing
linked clones on a datastore that contains neither the base disk nor a shadow virtual machine copy
of the base disk. A cross-datastore linked clone configuration can occur when vCloud Director APIs
create it.
Linked clones can be migrated between VMFS3 and VMFS5 file systems. Several factors enter into
the decision when vSphere Storage DRS determines where to migrate a linked clone: the amount of
data being moved, the amount of space freed on the source, and the additional space required on the
destination. The major factor is whether a shadow virtual machine of the base disk already exists on
the destination.
Preparing Hosts
Slide 4-29
To prepare the ESXi host, vCloud Director installs the vCloud Director
agent on the ESXi host.
When the Preparing Hosts dialog box appears, you must provide the
root user ID and password of the ESXi hosts.
When you create the first provider VDC, vCloud Director prepares the
ESXi hosts in the DRS cluster.
Key Points
Slide 4-32
Questions?
MODULE 5
Slide 5-1
Module 5
Importance
Slide 5-3
But you must first understand the technical constructs that VMware
vCloud Director provides.
Module Lessons
Slide 5-4
Lesson 1: Organizations
Lesson 2: Organization Virtual Data Centers
Lesson 3: vApp Templates
Lesson 4: Building and Publishing vApps
Lesson 5: Deploying and Running vApps
Lesson 6: Additional Organization VDC Networking
Lesson 1: Organizations
Slide 5-5
Learner Objectives
Slide 5-6
By the end of this lesson, you should be able to meet the following
objectives:
Create a vCloud Director organization
Add a catalog to an organization
About Organizations
Slide 5-7
[Figure: the Finance organization with its users, access control, provisioning policies, organization VDCs, vApps, and catalogs]
Each organization has a unique login URL. Users, whether created locally or imported from a
Lightweight Directory Access Protocol (LDAP) server, exist and operate only in that organization.
The settings of each organization are independent of the settings of other organizations. (The
exception is Simple Mail Transfer Protocol (SMTP) settings, which can be set per organization or
inherited from the VMware vCloud Director default SMTP server.)
Organizations are isolated tenants in the cloud. Each organization has its own users, access control,
catalogs, provisioning policies, resources, and networks. Resources come from organization virtual
data centers (VDCs). Each organization VDC gets its resources from a single provider VDC, and each
organization can have multiple organization VDCs.
Organization Portals
Slide 5-8
The vCloud Director system administrator creates the organization and provisions resources. After
the organization is created, the system administrator distributes the organization URL to the
administrator assigned to the organization (called the organization administrator). Using the URL,
the organization administrator logs in to the organization portal and sets it up, configures resource
use, adds users, and selects organization-specific policies and settings. Organization member users
(consumers) can then create, use, and manage IT services packaged as VMware vSphere vApps.
When you choose the organization name, do not worry about it being visible to other organizations.
Multitenancy means that users must know the name of their own organization before they can
provision resources or services, and a user in one organization cannot learn the names of other
organizations through the vCloud Director user interface. Plan to create one organization for each
tenant of the cloud. Only the vCloud Director system administrator can create an organization.
The organization name is used in the URL whenever a user browses to the organization portal, so it
must be suitable as part of a URL. Do not use spaces or special characters in an organization name;
underscores and hyphens are permitted. Because the name is part of the URL, keep it as short as
possible.
Organization Users
Slide 5-9
Predefined roles, from most to least privileged:
System Administrator
Organization Administrator
Catalog Author
vApp Author
vApp User
vCloud Director uses roles, and their associated rights, to determine which users and groups can
perform which operations. System administrators can create and modify roles. System
administrators and organization administrators can assign roles to users and groups in an
organization.
Organization Policies
Slide 5-10
Policy type    Settings
Leases         vApp runtime
               vApp and vApp template storage
               Storage cleanup location
Quotas         Running virtual machines per user
Leases, quotas, and limits constrain the ability of organization users to consume storage and
processing resources. These settings prevent users from depleting or monopolizing an organization's
resources.
Leases provide a level of control over an organization's storage and compute resources by
specifying the maximum amount of time that vApps can run and that vApps and vApp templates can
be stored.
The goal of a runtime lease is to prevent inactive vApps from consuming compute resources. For
example, if a user starts a vApp and goes on vacation without stopping it, the vApp continues to
consume resources. A runtime lease begins when a user starts a vApp. When a runtime lease
expires, vCloud Director stops the vApp.
The goal of a storage lease is to prevent unused vApps and vApp templates from consuming storage
resources. A vApp storage lease begins when a user stops the vApp; storage leases do not affect
running vApps. A vApp template storage lease begins when a user adds the vApp template to a
vApp, adds the vApp template to a workspace, or downloads, copies, or moves the vApp template.
When a storage lease expires, vCloud Director either marks the vApp or vApp template as expired or
deletes it, depending on the organization policy that you set.
Quotas determine how many virtual machines each user in the organization can store and power on
in the organization's VDCs. The quotas that administrators specify act as the default for all new
users added to the organization.
Limits prevent resource-intensive operations from affecting all the users in an organization and also
provide a defense against denial-of-service (DoS) attacks. Certain vCloud Director operations, such
as copying or moving a vApp, are more resource intensive than others. For performance or security
reasons, you can also limit the number of simultaneous connections to a virtual machine from the
vCloud Director remote console. This limit does not apply to Virtual Network Computing (VNC) or
Remote Desktop Protocol (RDP) connections made directly to the guest. Unlike the other usage
policies, limits can be set only by system administrators; organization administrators cannot set or
modify them.
vApps and vApp templates whose storage leases expire are handled as
configured under Leases.
Leases, combined with management of expired items, enable vCloud Director administrators and
organization administrators to prevent individual users from consuming too much of a cloud's
resources.
After a vApp stops running, the clock starts on how long it remains in the user's My Cloud.
After a vApp or vApp template has been moved into Expired Items,
either the cloud system administrator or the organization administrator
can renew it.
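The lease rules from the Organization Policies notes above and the expired-item handling on the last three slides fit together as one lifecycle. The following Python is an added example (not course material or vCloud Director code) that models that lifecycle: the runtime clock starts at power-on, the storage clock starts when the vApp stops, expiry either moves the item to Expired Items or deletes it according to policy, requested leases are capped by the organization policy, and only administrators can renew. Times are integer seconds and the policy, vApp and role names are constructed sample data.

```python
"""Lease lifecycle as the course describes it, as a small state machine.

This is a constructed model for illustration: times are integer seconds and
the policy, vApp and roles are sample data, not objects read from vCloud Director.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Cleanup(Enum):
    """Organization policy for a vApp whose storage lease has expired."""
    MOVE_TO_EXPIRED_ITEMS = "expired"   # kept, and renewable by an administrator
    DELETE = "deleted"                  # permanently removed


@dataclass(frozen=True)
class OrgLeasePolicy:
    max_runtime: int      # longest runtime lease a user may request, in seconds
    max_storage: int      # longest vApp storage lease a user may request, in seconds
    cleanup: Cleanup


@dataclass
class VApp:
    name: str
    runtime_lease: int
    storage_lease: int
    state: str = "stopped"                     # stopped | running | expired | deleted
    runtime_expires_at: Optional[int] = None
    storage_expires_at: Optional[int] = None


# Only these roles may renew an item that sits in Expired Items.
RENEW_ROLES = frozenset({"System Administrator", "Organization Administrator"})


def deploy(name: str, policy: OrgLeasePolicy, runtime_lease: int, storage_lease: int) -> VApp:
    """Instantiate a vApp; the per-instance leases may not exceed the org policy."""
    if runtime_lease > policy.max_runtime or storage_lease > policy.max_storage:
        raise ValueError("requested lease exceeds the organization lease policy")
    return VApp(name, runtime_lease, storage_lease)


def power_on(vapp: VApp, now: int) -> None:
    if vapp.state != "stopped":
        raise RuntimeError(f"{vapp.name}: cannot power on from state {vapp.state}")
    vapp.state = "running"
    vapp.runtime_expires_at = now + vapp.runtime_lease   # runtime clock starts at power-on
    vapp.storage_expires_at = None                       # storage leases do not affect running vApps


def power_off(vapp: VApp, now: int) -> None:
    if vapp.state != "running":
        raise RuntimeError(f"{vapp.name}: cannot power off from state {vapp.state}")
    vapp.state = "stopped"
    vapp.runtime_expires_at = None
    vapp.storage_expires_at = now + vapp.storage_lease   # storage clock starts when the vApp stops


def tick(vapp: VApp, policy: OrgLeasePolicy, now: int) -> str:
    """Apply lease expiry at time `now` and return the resulting state."""
    if vapp.state == "running" and now >= vapp.runtime_expires_at:
        power_off(vapp, now)                 # expired runtime lease: vCloud Director stops the vApp
    if (vapp.state == "stopped" and vapp.storage_expires_at is not None
            and now >= vapp.storage_expires_at):
        vapp.state = policy.cleanup.value    # "expired" or "deleted", per organization policy
        vapp.storage_expires_at = None
    return vapp.state


def renew(vapp: VApp, policy: OrgLeasePolicy, role: str, now: int) -> None:
    """Bring an item back from Expired Items; only administrators may do this."""
    if role not in RENEW_ROLES:
        raise PermissionError(f"role {role!r} may not renew expired items")
    if vapp.state != "expired":
        raise RuntimeError(f"{vapp.name}: nothing to renew in state {vapp.state}")
    vapp.state = "stopped"
    vapp.storage_expires_at = now + min(vapp.storage_lease, policy.max_storage)


if __name__ == "__main__":
    policy = OrgLeasePolicy(max_runtime=3600, max_storage=7200, cleanup=Cleanup.MOVE_TO_EXPIRED_ITEMS)
    web = deploy("web", policy, runtime_lease=1800, storage_lease=600)
    power_on(web, now=0)
    for t in (1000, 1800, 2400):
        print(t, tick(web, policy, t))
```

The model leaves out a vApp that is deployed but never started, because the course text only starts the storage clock when a vApp stops; note also that with the DELETE policy there is nothing left to renew, which is why the renewal check looks at the state and not only at the caller's role.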
Catalogs
Slide 5-14
[Figure: catalog objects: vApp templates (Database vApps, Windows Template) and Media]
vCloud Director includes a content repository. The content repository is a component in the vCloud
Director storage subsystem. The content repository provides an abstraction to the underlying
datastores and offers features to store, search, retrieve, and remove content.
Content is delivered to consumers in the form of catalogs. A catalog is a container for vApp
templates and media files in an organization.
Catalogs can be shared, so the vApp templates in them are available to other users in the
organization. Catalogs can also be published, so members of other organizations can have read
access to the vApps, provided the organization is configured to allow publishing.
Catalog Availability
Slide 5-15
Share public catalogs that offer official build templates to the organization
administrators of all organizations
Lesson 2:
Organization Virtual Data Centers
Learner Objectives
Slide 5-21
By the end of this lesson, you should be able to meet the following
objectives:
Create an organization virtual data center (VDC)
Configure organization VDC networking
Organization VDCs
Slide 5-22
An organization VDC provides resources to an organization and is partitioned from a provider VDC.
Organization VDCs provide an environment where virtual systems can be stored, deployed, and
operated. They also provide storage for virtual media, such as floppy disks and CDs.
A single organization can have multiple organization VDCs associated with it, but each organization
VDC belongs to only one organization.
vCloud Director uses organization VDCs to partition provider VDCs and allocate resources to an
organization. VMware vSphere resource pools are the basic construct used to partition these
resources.
You must create the organization before you can create an organization VDC. When creating an
organization VDC, you first select the provider VDC that will supply its resources. From a vSphere
perspective, both provider and organization VDCs are resource pools, with a parent-child
relationship.
[Figure: organization A with organization VDCs VDC1 (Tier1) and VDC2 (Tier2), each running vApps; the organization VDC gives the provider predefined allocations and control of the tenant's performance and capacity requirements]
The organization VDC enables the cloud provider to share provider VDC resources among multiple
tenants. Organization VDCs maintain isolation between tenants, let the provider set predefined
allocations, and ensure that each tenant's performance and capacity requirements can be controlled.
Tenants do not have the ability to see the actual resources in the provider VDC. Their visibility is
only into which resources are available in the organization VDC.
Like a provider VDC, the organization VDC is a container for resources, but the way that resources
are allocated can be specified. A network pool can be added to an organization VDC with limits on
the number of networks that can be created. You can also specify the maximum amount of storage
that the organization VDC can consume.
[Figure: provider VDCs serving organization VDCs VDCA-1 and VDCA-2 (organization A), VDCB-1 and VDCB-2 (organization B), and VDCC-1 (organization C)]
You must create your provider VDCs before you can create your organization VDCs. Each
organization can have multiple organization VDCs. Each organization VDC can be connected to
only one provider VDC. But each provider VDC can serve resources to multiple organization
VDCs.
Like a provider VDC, the organization VDC is a container for resources. But the way that resources
are allocated from an organization VDC can be specified. A network pool can be added to an
organization VDC with limits on the number of networks that can be created. You can also specify
the maximum amount of storage that the organization VDC can consume.
The organization VDC inherits availability characteristics from the provider VDC to which it
belongs.
Allocation Models
Slide 5-25
Pay-as-you-go
Allocation pool
Reservation pool
When creating an organization VDC, choosing an appropriate allocation model is important. The
allocation model not only determines how the provider VDC resources are committed to the
organization VDCs, but also how the provider bills the customer for those resources.
Pay-As-You-Go Model
Slide 5-26
The pay-as-you-go model is the easiest model to understand and administer. The easiest way to
think of pay-as-you-go is that customers pay for what they get. When a vApp powers on, the
resources are committed. If a vApp is not powered on, then the customer is not billed for resources.
go
Even though the customer is billed as soon as a vApp is powered on, only a percentage of the
resources are guaranteed. If you want to create a high-tier service offering, the pay-as-you-go model
is where the provider can increase the guaranteed resources.
The pay-as-you-go model is the only model where you can specify the speed of virtual CPUs in the
vApp.
The pay-as-you-go model has these characteristics:
Requires no up-front resource allocation.
Resources are committed only when users create vApps in the organization VDC.
You can set limits to cap usage.
You can also specify a percentage of resources to guarantee, which allows you to overcommit
resources.
Allocation Pool Model
Slide 5-27
The allocation pool model allocates a subset of resources, but it guarantees to a tenant only a
percentage of what has been allocated. Thus, the provider has the ability to overcommit resources
when using the allocation pool model.
The allocation pool model has these characteristics:
Only a percentage of the allocated resources are committed to the organization VDC.
You can specify the percentage, which allows you to overcommit resources.
Advanced resource management controls, such as shares and reservations, are managed by the
cloud operator. These types of control allow for more coherent resource management across
organizations.
Reservation Pool Model
Slide 5-28
The reservation pool model configures a physical container of resources. Think of it as the
customer renting hardware for their exclusive use.
The reservation pool model should be the most expensive allocation model offered to customers.
The customer is in complete control of the resources that they use, and all resources are guaranteed.
The reservation pool model also offers customers the greatest amount of control. They have the
same controls over resource pool settings that a vSphere administrator would have. Overcommitment
is therefore possible, but it is controlled by the customer.
The reservation pool model has these characteristics:
All allocated resources are immediately committed to the organization VDC.
One-hundred percent of all resources specified are guaranteed.
No other organization can share these resources.
Organization administrators can use advanced vSphere resource management controls, such as
shares and reservations, to manage overcommitment of resources between their workloads.
[Figure: pay-as-you-go compared with allocation pool. Pay-as-you-go: each vApp has its own guarantee and actual usage. Allocation pool: capacity is reserved for the organization VDC, with the ability for provider-controlled overcommitment for the entire organization VDC (labels: Guarantee, Actual, Overcommit Range).]
[Figure: admission control under each allocation model: pay-as-you-go, allocation pool, reservation pool, and no admission control]
When choosing an allocation model, consider virtual machine admission control. Admission control
is the check by which a VMware vSphere Distributed Resource Scheduler (DRS) cluster decides,
based on available resources, whether a virtual machine is allowed to power on. The allocation model
directly affects how admission control is applied in the vSphere DRS cluster.
An organization VDC requires storage space for vApps and vApp templates. You can allocate
storage from the space available on provider VDC datastores.
Thin provisioning lets you avoid allocating storage up front and saves storage space. For a virtual
machine with a thin virtual disk, VMware ESXi presents the full provisioned size to the guest but
commits only as much physical storage as the disk needs for its initial operations; the rest is
committed as the disk grows. Because thin disks grow when the guest writes to new sectors (for
example, when a defragmenter rewrites the whole disk), a datastore can become oversubscribed, so
monitor datastore free space.
Fast provisioning saves time by using vSphere linked clones for certain operations.
Fast provisioning requires VMware vCenter Server 5.0 or later and ESXi 5.0 or later hosts. If
the provider VDC on which the organization VDC is based contains any ESX/ESXi 4.x hosts, you
must disable fast provisioning. If the provider VDC on which the organization VDC is based
contains any VMware vSphere VMFS datastores connected to more than 32 hosts, powering on
virtual machines might fail. Make sure that datastores are connected to a maximum of 32 hosts.
The networking module discussed organization VDC networks in detail. Most organizations have
these requirements:
Example: <organization_name>-<network_name_or_purpose>
Lesson 3:
vApp Templates
Learner Objectives
Slide 5-37
By the end of this lesson, you should be able to meet the following
objectives:
Install the Client Integration Plug-In into the VMware vSphere Client
Upload a virtual machine into vSphere from a local OVF template
Import a virtual machine from vSphere as a vApp template
Upload a virtual machine into vCloud Director from a local OVF
template
vApp Templates
Slide 5-38
A vApp template is a virtual machine image that is loaded with an operating system, applications,
and data. These templates ensure that virtual machines are consistently configured across an entire
organization.
You can create a vApp template by importing a virtual machine from the vSphere DRS cluster, from
a vApp in the data center, or by uploading a file through the Image Transfer Service. vApp templates
that are not in Open Virtualization Format (OVF) are converted to OVF immediately. You can use the
vCloud Director import functions to import a vSphere virtual machine into vCloud Director as either
a vApp or a vApp template. To import a VMware vSphere vApp into vCloud Director, however, you
must export it from vSphere in OVF format and then upload the exported OVF to vCloud Director.
Only system administrators can import a virtual machine from vCenter Server into vCloud Director.
A vApp template is an immutable vApp: it cannot be deployed and therefore cannot be powered on.
You create a vApp instance from the vApp template, and that instance can be deployed and powered
on.
Populating Catalogs
Slide 5-39
vCloud Director offers several ways to populate catalogs with vApp templates and media. These
options are available based on user roles and their associated rights. For example, only system
administrators can import a virtual machine or media file from vSphere.
You can deploy an OVF template in vSphere and then import the resulting virtual machine as a
vApp (in My Cloud) or vApp template in an organization catalog. Only the system administrator can
interact with vSphere to deploy the OVF template and then import the virtual machine.
Not all vSphere OVF templates can be imported directly into vCloud Director. vSphere supports
some items in the template that vCloud Director does not support. A workaround is to open the file
with a text editor and remove the items that vCloud Director does not support. Most of these items
are related to custom settings.
A user with sufficient privilege can upload an OVF template that is stored on their desktop computer
to an organization catalog as a vApp template.
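The text-editor workaround above is easy to get wrong by hand, and an OVF package that ships a manifest (.mf) no longer matches its descriptor once the descriptor is edited. The following Python is an added example (not course material or VMware tooling) that strips the unsupported elements programmatically and regenerates the manifest. The sample descriptor is a hand-written fragment, not a real vSphere export, and because the course text does not list which items vCloud Director rejects, the vmw:ExtraConfig and vmw:Config elements removed here are an assumption; replace them with whatever the import error names.

```python
"""Remove vSphere-only elements from an OVF descriptor and rebuild the manifest.

Constructed example for the workaround described above; SAMPLE_OVF is a
hand-written fragment, not a real vSphere export. Which elements vCloud
Director rejects is not listed in the course text: vmw:ExtraConfig (raw .vmx
key/value pairs) and vmw:Config are used here as illustrative assumptions.
"""
import hashlib
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
VMW_NS = "http://www.vmware.com/schema/ovf"
RASD_NS = ("http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/"
           "CIM_ResourceAllocationSettingData")
for _prefix, _uri in (("ovf", OVF_NS), ("vmw", VMW_NS), ("rasd", RASD_NS)):
    ET.register_namespace(_prefix, _uri)    # keep readable prefixes on output

# Assumption: the vSphere-only elements to drop (see module docstring).
DEFAULT_STRIP = (f"{{{VMW_NS}}}ExtraConfig", f"{{{VMW_NS}}}Config")

SAMPLE_OVF = f"""<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}" xmlns:vmw="{VMW_NS}" xmlns:rasd="{RASD_NS}">
  <VirtualSystem ovf:id="web01">
    <VirtualHardwareSection>
      <Item>
        <rasd:ElementName>2 virtual CPU(s)</rasd:ElementName>
        <rasd:ResourceType>3</rasd:ResourceType>
      </Item>
      <vmw:Config ovf:required="false" vmw:key="cpuHotAddEnabled" vmw:value="false"/>
      <vmw:ExtraConfig ovf:required="false" vmw:key="isolation.tools.copy.disable" vmw:value="false"/>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>
"""


def strip_elements(descriptor: str, tags=DEFAULT_STRIP):
    """Return (cleaned descriptor, list of removed vmw:key values or tag names)."""
    root = ET.fromstring(descriptor)
    parents = {child: parent for parent in root.iter() for child in parent}
    removed = []
    for elem in list(root.iter()):              # copy: the tree is modified below
        if elem.tag in tags:
            removed.append(elem.get(f"{{{VMW_NS}}}key", elem.tag))
            parents[elem].remove(elem)
    # ElementTree re-serialises with the registered prefixes (ovf:Envelope
    # instead of a default namespace); the result is namespace-equivalent XML.
    return ET.tostring(root, encoding="unicode"), removed


def manifest(files: dict) -> str:
    """OVF 1.x manifest: one 'SHA1(<file>)= <hex digest>' line per package member."""
    return "".join(f"SHA1({name})= {hashlib.sha1(data).hexdigest()}\n"
                   for name, data in files.items())


def manifest_matches(mf: str, files: dict) -> bool:
    """True if the manifest is non-empty and every digest matches the given content."""
    expected = {}
    for line in mf.splitlines():
        if line.startswith("SHA1(") and ")= " in line:
            name, digest = line[len("SHA1("):].split(")= ", 1)
            expected[name] = digest.strip()
    return bool(expected) and all(
        name in files and hashlib.sha1(files[name]).hexdigest() == digest
        for name, digest in expected.items())


if __name__ == "__main__":
    cleaned, removed = strip_elements(SAMPLE_OVF)
    print("removed:", removed)
    print(manifest({"web01.ovf": cleaned.encode()}), end="")
```

Keep the disk images' manifest lines as they were (the disks are untouched) and replace only the descriptor's line, or drop the .mf entirely if you would rather upload without integrity checking; a stale manifest is the usual reason an edited package is rejected after the descriptor itself has been fixed.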
Only the vCloud Director system administrator role has the right to upload a
vSphere virtual machine into vCloud Director.
Virtual machines can be uploaded into a catalog as vApp templates or into
My Cloud as vApps.
You can see the chain length on the properties of a virtual machine in
a template that is stored in a catalog.
Lesson 4:
Building and Publishing vApps
Learner Objectives
Slide 5-47
By the end of this lesson, you should be able to meet the following
objectives:
Build a vApp
Publish a vApp to a local organization catalog
vApps (1)
Slide 5-48
[Figure: a vApp containing two app server virtual machines and a database virtual machine]
vCloud Director delivers IT services in packages that are called vApps. vApps are composed of one
or more virtual machines. These virtual machines communicate over networks included in the
package and use resources and services in the deployed environment. The package also includes an
OVF descriptor, which provides general application information, hardware requirements,
deployment instructions, and policies that are enforced during runtime.
A vCloud vApp is instantiated and consumed in vCloud differently than in a vSphere environment.
As discussed earlier, a vApp is a container for a distributed software solution and is the standard unit
of deployment in vCloud Director. It has power-on operations, consists of one or more virtual
machines, and can be imported or exported as an OVF package. A vCloud vApp might have
additional vCloud specific constructs, such as vApp networks.
vApps are the lowest unit of work in vCloud Director. If a service requires only one virtual machine,
you must create a vApp for that virtual machine.
In vCloud Director, you can create a vApp by cloning a template in a catalog or by creating a new
one. After you have created the vApp, you can add, remove, or modify the virtual machines in it.
vApp property settings enable you to control the behavior of virtual machines when you start and
stop the vApp. For example, you can set the order in which the virtual machines power on and off.
vApps (2)
Slide 5-49
You can create a vApp based on a vApp template stored in a catalog to which you have access. A
vApp in vCloud Director is a logical construct used to describe a set of virtual machines.
vApps simplify the requirement for the deployment and ongoing management of an n-tier
application in multiple virtual machines by encapsulating them in a single virtual service entity. A
vApp has the same basic operations as a virtual machine and can contain one or more virtual
machines.
vApps encapsulate not only virtual machines but also their interdependencies and resource
allocations, which enables single-step power operations, cloning, deployment, and monitoring of the
entire application. If a virtual machine is based on an OVF file that includes OVF properties for
customization, those properties are retained in the vApp. If any of those properties are
user-configurable, you can specify their values in the virtual machine's properties pane after you
add it to the vApp.
The distribution format for vApps is OVF, implying that they can be imported and exported like
OVF virtual machines.
[Figure: a vApp as an OVF package plus its deployment configuration; the slide lists the benefits of deploying vApps as OVF packages]
The vApp custom guest properties feature allows users to pass custom data into the guest operating
system of vApps that are deployed in vCloud Director. The custom guest properties feature is useful
for an application developer and application owner because the application can be customized by
users in ways beyond guest customization that is available in earlier versions of vCloud Director.
Default to one virtual CPU unless requirements call for more virtual CPUs. An example of a
need for multiple virtual CPUs would be a multithreaded application virtual machine.
Lesson 5:
Deploying and Running vApps
Learner Objectives
Slide 5-55
By the end of this lesson, you should be able to meet the following
objectives:
Copy a vApp from a public catalog to the local organization catalog
Deploy a vApp from the local organization catalog
Configure and start vApps
Deploying vApps
Slide 5-56
You can specify the organization VDC, the associated storage policy, and the leases for each
instance of a vApp template deployed from a catalog. The selected VDC provides the compute and
memory resources necessary for running the vApp and for running any network edge devices
deployed by VMware vCloud Networking and Security. The lease cannot exceed the limit set in
the organization policy.
Change the VDC used to run the vApp to any VDC in your organization
Change the storage profile used to run the virtual machines and optional
vShield Edge instances.
Change the vApp lease values
The vApp networking might be configured for the unique topology of the
source organization, including DNS resolution options, static or manual IP
allocations, and host names.
vApps can be copied between catalogs. When copying a vApp from a public catalog published by
another organization, keep these points in mind:
The copied vApp's networking might have been configured for an entirely different topology. How
the virtual machines in the vApp resolve DNS, which IP addresses are assigned to them, and other
network-related settings might be inappropriate for running the vApp in the new organization.
The guest customizations applied to the vApp might not meet organization standards. After
copying a vApp from a public catalog, you might deploy a copy of the vApp to your My Cloud,
then review and update the vApp configuration.
After updating the configuration based on the organization topology and policies, you can
republish the vApp to the catalog.
Guest Customization
Slide 5-58
To ensure that the virtual machines in vApp templates are unique upon deployment, vCloud Director
includes the ability to customize guests directly from the organization Web console. Customization
occurs when powering on the virtual machine.
go
vCloud Director can customize the network settings of the guest operating system of a virtual
machine created from a vApp template. When you customize your guest operating system, you can
create and deploy multiple unique virtual machines based on the same vApp template without
machine name or network conflicts.
When you configure a vApp template with the prerequisites for guest customization and add a
virtual machine to a vApp based on that template, vCloud Director creates a package with guest
customization tools. When you deploy and power on the virtual machine for the first time, vCloud
Director copies the package, runs the tools, and deletes the package from the virtual machine.
Before vCloud Director can perform guest customization on virtual machines with Windows 2000,
XP, or 2003 guest operating systems, a vCloud Director system administrator must create a
corresponding Microsoft Sysprep deployment package in the vCloud Director deployment
environment. For more information about creating Sysprep deployment packages, see the vCloud
Director Administrator's Guide at www.vmware.com/support/pubs/vcd_pubs.html.
You can configure guest customization settings for any stopped virtual
machine.
For each virtual machine in a vApp, you can change the hardware settings. You must have vApp
author privileges and above to update or change the vApp hardware configuration.
When creating a vApp, preparing a vApp for publication to a catalog, or when customizing a vApp
for startup, you can change how the vApp connects to the organization infrastructure. vApps
typically connect to an organization VDC network, either through a routed vApp network edge or
directly. To direct-connect a vApp to an organization VDC network, you must select the Add
network option in the network drop-down menu, and then select one or more existing organization
VDC networks to be added to the vApp. After you have created or selected the vApp network
configuration, you can configure IP parameters.
You can change the vApp network, create a new vApp network, or
connect the vApp directly to an organization VDC network.
[Figure: a routed vApp (vApp network 192.168.210.x behind an edge gateway providing DHCP / static pool, with virtual machines using static, manual, and DHCP addresses) and a direct-connect vApp on the organization VDC network 192.168.11.x (virtual machines using static, manual, and DHCP addresses)]
vCloud Director uses guest customization when it deploys virtual machines inside vApps to control
IP addressing. Three types of IP addressing exist: static, manual, and DHCP.
DHCP addressing is standard DHCP: the guest operating system must be configured as a DHCP
client, and vCloud Director does not use guest customization to enforce that configuration. If a
virtual machine is set to use DHCP, the VMware vShield Edge device of the vApp network must be
configured to provide DHCP, or the vApp network must be attached directly to a higher-level
network that has an external DHCP server.
If a virtual machine has a DHCP-assigned address, you cannot configure an external network address
translation (NAT) IP address for it on the organization VDC network.
Static addressing is similar in operation to DHCP. When you create the network, you set a static
range of IP addresses. vCloud Director pulls IP addresses out of the static range in sequential order.
Then vCloud Director uses guest customization to manually set the IP address in the virtual machine
to the selected static address.
Static addresses have a major advantage over DHCP. If you set a virtual machine to a static IP
address, then vCloud Director assigns an external NAT IP address on the organization VDC network
that the vApp is attached to. This automatic assignment of external NAT IP addresses greatly
simplifies NAT operations.
Manual IP addresses are where vCloud Director uses the address that the administrator manually
specifies for a virtual machine. vCloud Director uses guest customization to configure the IP address
in the virtual machine. If a virtual machine has a manual IP address assigned, it does not
automatically receive an external NAT IP address on the organization VDC network. However, the
vCloud Director administrator can manually set the external NAT IP address for a virtual machine
with a manual IP address configuration.
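The three addressing modes and their effect on external NAT assignment, as an added worked example (this is not vCloud Director code; the static range, the suballocated NAT pool and the VM names are constructed sample values):

```python
"""Model of DHCP, static and manual vApp addressing and the NAT rules that follow from each.

Added example, not vCloud Director code. Pool ranges and VM names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


class PoolExhausted(Exception):
    """Raised when a range has no free address left."""


class AddressPool:
    """Hands out addresses from a range in sequential order, lowest free address first."""

    def __init__(self, first: str, last: str) -> None:
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self._addrs = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]
        self._in_use = set()

    def allocate(self) -> str:
        for addr in self._addrs:            # sequential: first free address wins
            if addr not in self._in_use:
                self._in_use.add(addr)
                return addr
        raise PoolExhausted("range exhausted")

    def release(self, addr: str) -> None:
        self._in_use.discard(addr)

    def in_use(self, addr: str) -> bool:
        return addr in self._in_use


@dataclass
class VmNetworkConfig:
    name: str
    mode: str                          # "dhcp", "static" or "manual"
    ip: Optional[str] = None           # address pushed by guest customization (static/manual)
    external_nat_ip: Optional[str] = None


class VappNetwork:
    """vApp network attached to an org VDC network that has a suballocated NAT pool."""

    def __init__(self, static_pool: AddressPool, external_nat_pool: AddressPool) -> None:
        self.static_pool = static_pool
        self.external_nat_pool = external_nat_pool
        self.vms: Dict[str, VmNetworkConfig] = {}

    def deploy(self, name: str, mode: str, manual_ip: Optional[str] = None) -> VmNetworkConfig:
        if mode == "dhcp":
            # Guest OS must be a DHCP client; nothing is pushed and no NAT address is assigned.
            cfg = VmNetworkConfig(name, mode)
        elif mode == "static":
            # Address comes from the static range; an external NAT address is assigned as well.
            ip = self.static_pool.allocate()
            try:
                nat = self.external_nat_pool.allocate()
            except PoolExhausted:
                self.static_pool.release(ip)   # roll back so the static address is not leaked
                raise
            cfg = VmNetworkConfig(name, mode, ip=ip, external_nat_ip=nat)
        elif mode == "manual":
            if manual_ip is None:
                raise ValueError("manual mode needs an administrator-specified address")
            ipaddress.IPv4Address(manual_ip)   # validate; raises on malformed input
            cfg = VmNetworkConfig(name, mode, ip=manual_ip)   # no automatic NAT address
        else:
            raise ValueError(f"unknown addressing mode {mode!r}")
        self.vms[name] = cfg
        return cfg

    def set_external_nat(self, name: str, external_ip: str) -> VmNetworkConfig:
        """Administrator sets a NAT address by hand; allowed for manual, refused for DHCP."""
        cfg = self.vms[name]
        if cfg.mode == "dhcp":
            raise ValueError("a DHCP-addressed VM cannot have an external NAT address")
        ipaddress.IPv4Address(external_ip)
        cfg.external_nat_ip = external_ip
        return cfg
```

The rollback in the static branch matters operationally: if the suballocated NAT pool is smaller than the static range, a deployment that fails half-way must not leave a static address marked in use.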
Lesson 6:
Additional Organization VDC Networking
Learner Objectives
Slide 5-66
By the end of this lesson, you should be able to meet the following
objectives:
Create a direct-connect organization VDC network
Create a routed organization VDC network
Create a suballocated IP pool for an organization VDC network
Create a fenced vApp
Create a destination network address translation (DNAT) mapping
[Diagram: direct-connect organization VDC network. Labels as shown: External Public 172.20.11.0/24; RD Gateway 172.20.11.201; RD Services Network (Direct Connect); RD-vApp1 (NAT); RD-vApp2; RD External 172.30.1.0/24; NAT; RD-Services 172.20.10.0/24; 172.30.120.0/24; 172.30.110.0/24; Fenced]
A direct-connect organization VDC network shares the same layer-2 broadcast domain as the
external network it connects to. Care should be taken when using direct-connect organization VDC
networks. Although an organization administrator cannot directly manage the network, the
organization administrator can direct-connect a vApp to the network, essentially exposing virtual
machines to the external network broadcast domain and consuming external network resources.
Direct-connect vApps should be fenced, so that the MAC and IP addresses of the contained virtual
machines are isolated from the broadcast domain to avoid conflicts.
[Diagram: routed organization VDC networks. Labels as shown: 172.20.11.0/24; QA Gateway 172.20.11.200; QA Services Network 172.30.100.0/24; NAT; 172.30.220.0/24; QA-vApp2 172.30.100.0/24; 172.30.210.0/24; QA-Services]
Organization administrators can create and manage any number of routed organization VDC
networks that attach to the organization edge gateway, up to the network interface limitation of the
edge gateway. Currently, edge gateways can support up to 10 network interfaces, with one interface
being typically reserved for connection to an external network.
[Diagram labels, continued: NAT; QA-vApp1; QA External 172.30.11.0/24]
The edge gateway receives packets for the external IP of the DNAT
mapping by associating its external interface MAC address with that IP
address through an Address Resolution Protocol response.
The edge gateway modifies the IP headers so that the packets are targeted
to some address on an interior network.
The edge gateway forwards those packets to the target host or to the next
hop.
Protocol filtering can be applied.
As the system administrator, you can configure suballocation IP pools when the organization VDC
is created. The system administrator can also configure suballocation IP pools for an organization
VDC later. If an organization must host externally accessible services by using a destination network
address translation (DNAT) mapping through the edge gateway firewall, the system administrator
must suballocate one or more IP addresses for use by the organization for NAT mapping operations.
To facilitate the hosting of inbound connections, an organization administrator can create DNAT
rules that map external IP addresses or IP address ranges to internal addresses. Allocation of
external addresses must be explicitly configured by a system administrator. After a suballocation IP
pool has been created by a system administrator, the organization administrator can create whatever
mappings are necessary.
When DNAT rules are defined, the edge gateway issues Address Resolution Protocol (ARP)
responses on the external interface for each destination address. Through the ARP advertisement, all
packets destined for any DNAT-defined external address are delivered to the edge gateway.
Upon receiving a packet with a destination address matching a DNAT rule, the edge gateway
transforms the destination address based on the DNAT rule configuration, updates the IP header
checksum, and then forwards the packet to the interior host or the next interior hop.
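The four steps above, carried out on a single IPv4 packet, as an added worked example in Python. This is not vShield Edge code: it takes the DNAT pair from the lesson diagram (external 172.20.11.240 to internal 172.30.100.140), a constructed 20-byte header, and an optional per-rule protocol filter to show the "protocol filtering can be applied" step.

```python
"""Edge-gateway DNAT processing for one IPv4 packet: ARP claim, rewrite, checksum, forward.

Added example, not vShield Edge code. Addresses are the lesson diagram's DNAT pair;
the packet is constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP = 6, 17
_HDR = "!BBHHHBBH4s4s"          # minimal IPv4 header without options


@dataclass(frozen=True)
class DnatRule:
    external_ip: str             # address the edge answers ARP for
    internal_ip: str             # interior host the destination is rewritten to
    protocol: Optional[int] = None   # None = any IP protocol; else only this one


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; 0 for a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int = 0, ttl: int = 64) -> bytes:
    """20-byte IPv4 header with a correct checksum (no options)."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, protocol, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(_HDR, *fields))
    return struct.pack(_HDR, *fields)


def parse_header(packet: bytes) -> Tuple[int, int, str, str]:
    """Return (protocol, checksum, src, dst) from the first 20 bytes."""
    ver_ihl, _, _, _, _, _, proto, chk, src, dst = struct.unpack(_HDR, packet[:20])
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 headers without options are handled here")
    return proto, chk, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def claims_address(rules: List[DnatRule], ip: str) -> bool:
    """Step 1: the edge answers ARP for every DNAT external address, so those frames reach it."""
    return any(r.external_ip == ip for r in rules)


def apply_dnat(packet: bytes, rules: List[DnatRule]) -> Optional[bytes]:
    """Steps 2-4: rewrite the destination, recompute the checksum, return the packet to forward.

    Returns None when the packet is not forwarded: no rule matches the destination, the
    matching rule filters a different protocol, or the header checksum is already bad.
    """
    proto, _, _, dst = parse_header(packet)
    if ipv4_checksum(packet[:20]) != 0:
        return None                              # corrupted header: drop, never forward
    for rule in rules:
        if rule.external_ip == dst and (rule.protocol is None or rule.protocol == proto):
            hdr = bytearray(packet[:20])
            hdr[16:20] = ipaddress.IPv4Address(rule.internal_ip).packed   # new destination
            hdr[10:12] = b"\x00\x00"                                        # zero before summing
            struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
            return bytes(hdr) + packet[20:]
    return None
```

Only the IP header is touched here; a rule that also changes the port would additionally have to rewrite the TCP/UDP header and its own checksum.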
[Diagram: DNAT mapping through the edge gateway. Labels as shown: External Public 172.20.11.0/24; 172.20.11.240; QA Gateway 172.20.11.200; QA Services Network 172.30.100.0/24; QA External 172.30.11.0/24; NAT; QA-vApp2; QA-vApp1; DNAT; QA-Services 172.30.100.0/24; 172.30.220.0/24; 172.30.210.0/24; 172.30.100.140]
Key Points
Slide 5-74
vApps are based on vApp templates that are stored in the catalog.
Questions?
MODULE 6
Slide 6-1
Module 6
Importance
Slide 6-3
Module Lessons
Slide 6-4
Lesson 1: Security Roles
Lesson 2: LDAP Integration
Lesson 1:
Security Roles
Learner Objectives
Slide 6-6
By the end of this lesson, you should be able to meet the following
objective:
[Diagram: where vCloud Director users come from. Labels as shown: vCloud Director; system administrators; vSphere users; organization; local users (at system level and at organization level); imported users (from an LDAP server at system level and at organization level); VMware vSphere identity provider]
VMware vCloud Director security architecture identifies users from five possible locations:
Imported users from a Lightweight Directory Access Protocol (LDAP) server into vCloud
Director
Locally defined users within each organization
Imported users from an LDAP server into a specific organization
Imported users from the VMware vSphere identity provider
All users defined at the system level are system administrators. System administrators have full
rights in all organizations in the cloud.
vCloud Director uses roles and rights to determine what actions a user can perform in an
organization. vCloud Director includes a number of predefined roles with specific rights. System
administrators and organization administrators must assign each user or group a role. The same user
can have a different role in different organizations. System administrators can also create roles and
modify existing ones.
System Administrator
Organization Administrator
Catalog Author
vApp Author
vApp User
Console Access Only
The six predefined roles in vCloud Director are system administrator, organization administrator,
catalog author, vApp author, vApp user, and console access only.
All roles can be modified by system administrators except for the system administrator role. System
administrators can also create new custom roles.
Windows administrators
Linux root administrators
Application administrators and developers, such as Web site administrators,
database administrators, and email administrators.
The Console Access Only role is an extremely limited role. It should be assigned only to end users
who have some kind of system administration responsibility on the virtual machines within a
specific VMware vSphere vApp. The Console Access Only role should not be assigned to
individuals who have cloud-related administration responsibilities.
The major difference between the Console Access Only role and the vApp user role is that console
access only users do not have the ability to do things at the vSphere level of the architecture. These
include actions such as being able to modify the properties of a virtual machine or to copy a virtual
machine.
vApp Users
Slide 6-11
Operate a vApp:
Share a vApp
Copy and move a vApp
Edit virtual machine properties:
Does not include resource items such as CPU, memory, network, or disk
The vApp user role is designed to allow someone to use a vApp. The vApp user role includes the
ability to change (nonresource) properties, to access the console, to share a vApp, to copy or move a
vApp, and to manage the passwords of virtual machines within the vApp. A vApp User can delete a
vApp but cannot create one.
The vApp user role is designed mainly for individuals who are system administrators of the virtual
machines that a vApp is made of. An end user or customer does not need the vApp user role to use a
vApp over a network connection.
Examples:
If your vApp is a Web application designed to allow customers to place orders, those
customers do not need the vApp user role to place an order on the Web site.
If your vApp is a Web application designed to allow help desk personnel to enter and update
trouble tickets, those users do not need the vApp user role to enter or manage tickets.
If an individual is the system administrator (root user) of a Web application, that person
might need the vApp user role to manage the systems in the vApp.
vApp Authors
Slide 6-12
Memory
CPU
Disks
Passwords
The vApp Author role is more limited than most other roles. It allows a user to create and manage
vApps. The vApp Author role includes the ability to modify settings on virtual machines within
their vApps. This role can also create vApps from catalogs.
Catalog Authors
Slide 6-13
Module 6 VMware vCloud Director Basic Security
The catalog author role has the ability to create and publish catalogs. Whether a catalog author can
publish a catalog beyond organizational boundaries is controlled by the vCloud Director system
administrator.
Organization Administrators
Slide 6-14
The organization administrator has broad powers within an existing organization. The organization
administrator role does not have the ability to add resources from the underlying vSphere
infrastructure to the cloud. But after organization VDCs and organization networks have been
created for an organization by the system administrator of VMware vCloud, the organization
administrator can manage them.
All system administrators of vCloud have the organization administrator role in all organizations. It
is not possible for an organization administrator to modify a system administrator's rights within
their organization.
The organization administrator role has a special relationship to organization virtual data center
(VDC) networks. In contrast to vCloud Director 1.5, organization administrators can now create
organization networks. However, these organization networks are limited to routed and isolated
networks. Only system administrators can create direct-connected organization networks.
Another change between vCloud Director 1.5 and vCloud Director 5.1 is the edge gateway.
Organization administrators cannot create edge gateways. But they can modify some of their
properties and configuration.
All users defined at the vCloud Director system level are system
administrators.
You can create individual users or import groups of users at the system
level.
System Administrator is the only type of user account with cloud-wide
rights in vCloud Director.
System administrators create and manage everything in the cloud.
Only system administrators can create and modify roles.
The vCloud Director System Administrator role is the root or Administrator account for the
entire cloud. The only users who exist outside of the organizations are system administrators. All
system administrators within vCloud Director have full rights to all organizations. Individuals who
operate in the vCloud Director System Administrator role are often the same as VMware vCenter
Server administrators.
All users who are defined at the vCloud Director system level are system administrators. These
include users created in vCloud Director and users imported from external LDAP systems into
vCloud Director. If a user must have less than System Administrator rights, the user should be
created at an Organization level. It is possible to have the same user imported into different
organizations from one LDAP system. That user can then be assigned different rights in each
organization if desired.
Users do not have to be imported from LDAP or created at organization level. You can create users
or import users from LDAP at the system level. It is also possible to import groups of users from
external LDAP servers at the system level.
Custom Roles
Slide 6-17
Create a role from the beginning by manually selecting the desired rights
Copy a role to a new role and modify the rights
System administrators can create custom roles by either creating a role from the beginning or by
copying and modifying an existing role. System administrators also can delete roles. The best
practice is not to delete or modify the standard roles. Instead, either create a role from the beginning
or copy an existing role and modify it.
A single individual might have access to multiple user IDs with different
roles.
Web browsers have the ability to use tabs to open multiple sessions in
the same browser.
To switch between user IDs with different roles, users should use the
following procedure:
If an individual must switch between two different roles in vCloud Director, that individual must
carefully manage the browser tabs that give them access to the vCloud Director console. Use the
procedure outlined here to switch between vCloud Director security roles.
Lesson 2:
LDAP Integration
Learner Objectives
Slide 6-22
By the end of this lesson, you should be able to meet the following
objectives:
Create custom vCloud Director security roles
Integrate LDAP servers with vCloud Director
LDAP Integration
Slide 6-23
Authentication methods:
You can use an LDAP service to provide a directory of users and groups to import into an
organization. If you do not specify an LDAP service, you must create a user account for each user in
the organization. LDAP options can only be set by a system administrator and cannot be modified
by an organization administrator.
Multiple methods of authentication are supported, depending on which type of LDAP server you
have connected to.
Each organization can have its own LDAP configuration. Users and groups must be imported into
the organization and assigned roles before they can be used. It is possible to modify how often
vCloud Director will connect to the LDAP server to synchronize accounts.
vCloud Director 5.1 has the capability to import users from VMware vCenter Single Sign-On. These
users are treated in a manner similar to users imported from LDAP sources. Users can be imported
from any system configured in vCenter Single Sign-On as an identity provider.
The use of vCenter Single Sign-On and other vCloud Director security integration features such as
Security Assertion Markup Language (SAML) are covered in more detail in the advanced vCloud
Director courses.
vCloud Director provides for single sign-on capability. A single sign-on capability enables a user to
have a single user ID and password that works throughout the system. vCloud Director provides
single sign-on by integrating LDAP. vCloud Director imports user IDs from external LDAP
systems. vCloud Director can also import other key information such as email addresses, group
membership, and contact information.
vCloud Director does not import user passwords from external LDAP systems. Instead, vCloud
Director confirms that a password is correct when a user logs in by checking the supplied password
hash against the password hash currently stored in the LDAP directory.
In this discussion, the term single sign-on should be considered a generic security term.
LDAP Synchronization
Slide 6-25
The vCloud Director user account is not created until first login.
vCloud Director does not support recursive OU import.
LDAP users cannot log in to vCloud Director until their user ID has
been imported.
vCloud Director does not automatically import users and groups from LDAP systems. Instead, you
must manually select which users and groups to import. vCloud Director checks the user's
credentials for all imported users at login time. It is not possible for a user in an external LDAP
directory to log in to vCloud Director unless their user ID has been imported by vCloud Director.
LDAP Network
Slide 6-26
[Diagram: LDAP network topology. Components shown: vCloud Director; database server; vShield Manager; vCenter Server system; vCloud LDAP server; organization Alpha LDAP server; organization Beta LDAP server]
vCloud Director can use LDAP at both the system level and the organization level. At the system
level you can either connect to an external LDAP system or you can create and use users who are
internal to vCloud Director. Even if you use an external LDAP system, VMware recommends that
you create at least one system user that is internal-only. The existence of at least one internally
defined system administrator allows you to log in to your vCloud Director console even if the LDAP
system is offline.
Simple:
If the user name is blank, vCloud Director attempts to access the LDAP
server with an anonymous (read-only) login. Some LDAP systems are
configured to support anonymous login.
Kerberos:
There are two ways to log in to the LDAP server: simple and with Kerberos authentication. Simple
authentication is simple. You send a user's distinguished name (DN) and a password to the LDAP
server. The DN must be in LDAP format with common name (CN) and domain components (DC).
The LDAP server will then allow you to execute searches on information in the LDAP directory.
Kerberos is a ticket-based system of client and server authentication. Both parties must prove their
identity to each other. Kerberos uses symmetric key cryptography and can also leverage public key
cryptography.
Windows Active Directory is an LDAP directory service that uses a custom implementation of
Kerberos.
In order to use Kerberos, you must first configure a Kerberos realm in vCloud Director.
Some LDAP servers are configured to allow anonymous login. They will allow any system to search
the LDAP directory for information. Anonymous login is always read-only. If the vCloud Director
server is configured with a blank user name (in DN format), then vCloud Director will attempt an
anonymous login.
Kerberos Integration
Slide 6-28
Realm names are all uppercase unless Allow lower-case realms has been
selected in the LDAP configuration panel.
For Active Directory, the realm is the domain name in uppercase. Example:
ENGINEERING.ACME.COM
To use Kerberos, you must use only the fully qualified domain name when
you configure the host name or IP of the LDAP server in vCloud Director.
The vCloud Director server must be able to access the LDAP servers and
the KDCs.
DC1.ENGINEERING.ACME.COM
If you are using Kerberos authentication, you must add a Kerberos realm to the vCloud Director
server first. To use an LDAP server, the vCloud Director server must be able to connect to it over
the network. This connection requires a proper DNS configuration. Some LDAP systems use a Key
Distribution Center that is a separate server from the LDAP server. If you are using Kerberos
authentication, the vCloud Director server must be able to connect to the KDC if it is separate from
the LDAP server.
It is possible to serve the entire vCloud with a single LDAP server. Or individual organizations can
have their own LDAP servers.
vCloud Director can use either Kerberos or Kerberos + SSL to authenticate to LDAP servers if the
LDAP server is either a Windows 2003 or a Windows 7 domain controller.
Kerberos is not supported when vCloud Director authenticates to Linux OpenLDAP servers.
However, to increase security it is possible to use SSL when authenticating to Linux OpenLDAP
servers.
Before vCloud Director can use Kerberos, you must configure the Kerberos realm in vCloud
Director.
Windows Active Directory is an LDAP directory that also uses a modified implementation of
Kerberos. If you are trying to connect to a Windows LDAP, then the realm name is the same as
the Windows domain name in uppercase.
To use Kerberos to log in to a Windows LDAP, the Key Distribution Center (KDC) is the domain
controller. You can use any domain controller in the domain as the KDC.
Kerberos is one of the most secure and reliable systems ever created for secure authentication. But it
can have problems. Most problems with Kerberos authentication can be traced to one of two issues:
DNS issues. If there are minor differences in the way a node name is stored in DNS, they can
prevent Kerberos authentication. These differences might not cause problems for other types of
network connections. Kerberos requires the DNS name to be exactly what you are trying to
authenticate to in Kerberos. The same name must be used in the Kerberos tickets. The best
practice is to use the FQDN in all places.
Lack of time synchronization. Kerberos tickets are time stamped to prevent an intruder from
stealing and reusing tickets. The standard limit for time drift is 5 minutes. If a difference of more
than 5 minutes exists between the time of the client trying to connect (in this case, the vCloud
Director server) and the Kerberos KDC, the ticket is considered invalid. Prevent time
synchronization problems by synchronizing the vCloud Director server and the Kerberos KDC
to the same time source. Using NTP servers on all systems solves this problem.
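A pre-flight check that encodes the realm, FQDN and time-drift rules from this slide and the two troubleshooting issues above, as an added example (not part of the course and not vCloud Director code). It reuses the slide's ENGINEERING.ACME.COM example and the 5-minute drift limit stated in the text; the timestamps are constructed.

```python
"""Pre-flight checks for the Kerberos/LDAP settings discussed above.

Added example, not vCloud Director code. Host and realm values reuse the slide's
ENGINEERING.ACME.COM example; the 5-minute skew limit is the one stated in the text.
"""
from datetime import datetime, timedelta, timezone
from typing import List

MAX_SKEW = timedelta(minutes=5)   # standard Kerberos tolerance quoted in the lesson


def realm_for_domain(domain: str, allow_lowercase: bool = False) -> str:
    """Active Directory realm = DNS domain name, uppercase unless lower-case realms are allowed."""
    domain = domain.strip().rstrip(".")
    return domain if allow_lowercase else domain.upper()


def is_fqdn(host: str) -> bool:
    """A usable LDAP/KDC name must be fully qualified: not a short name, not an IP literal."""
    labels = host.strip().rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return False
    return not all(label.isdigit() for label in labels)


def skew_ok(client_time: datetime, kdc_time: datetime) -> bool:
    """Ticket timestamps are only accepted while client and KDC clocks agree within MAX_SKEW."""
    return abs(client_time - kdc_time) <= MAX_SKEW


def check_kerberos_settings(ldap_host: str, realm: str, client_time: datetime,
                            kdc_time: datetime, allow_lowercase: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the settings pass these checks."""
    findings = []
    if not is_fqdn(ldap_host):
        findings.append(f"LDAP host {ldap_host!r} is not a fully qualified domain name")
    if not allow_lowercase and realm != realm.upper():
        findings.append(f"realm {realm!r} must be uppercase unless lower-case realms are allowed")
    # For Active Directory the realm is the host's DNS domain, so the two should agree.
    host_domain = ".".join(ldap_host.strip().rstrip(".").split(".")[1:])
    if is_fqdn(ldap_host) and host_domain.lower() != realm.lower():
        findings.append(f"host domain {host_domain!r} does not match realm {realm!r}")
    if not skew_ok(client_time, kdc_time):
        skew = int(abs(client_time - kdc_time).total_seconds())
        findings.append(f"clock skew of {skew}s exceeds {int(MAX_SKEW.total_seconds())}s")
    return findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for finding in check_kerberos_settings("DC1.ENGINEERING.ACME.COM", "ENGINEERING.ACME.COM",
                                           now, now + timedelta(seconds=30)):
        print("finding:", finding)
```

The domain-versus-realm comparison is an Active Directory assumption; a standalone KDC serving a realm named differently from its DNS domain would trip it, which is why each finding is reported rather than treated as fatal.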
CAUTION
If you are using a Microsoft Active Directory LDAP server, must you use Kerberos authentication?
No. You can connect a vCloud Director server to a Microsoft Active Directory LDAP server with
simple authentication. Microsoft Active Directory does not support anonymous authentication by
default, but it is possible to configure Active Directory to support anonymous authentication.
If you use simple authentication without at least combining it with SSL, then the user ID (DN) and
password are sent in clear text on the network.
SSL Integration
Slide 6-30
To use SSL, you must select it. You must then determine whether you will automatically accept all
certificates or insist on browsing to a specific certificate. Accepting all certificates is much easier
to configure: if your LDAP server has a certificate, it is accepted automatically. The use of SSL also
provides an encrypted password exchange with the LDAP server.
If you require a specific SSL certificate, the certificate increases security, because accepting any
certificate encrypts the exchange but does not verify which server you are talking to. But the
certificate from the LDAP server must be located on your system (the one the vCloud Director
browser console is running from), and you must know the location of your SSL Key Store file and
have its password.
DN = distinguished name
CN = common name
OU = organizational unit
DC = domain component
Think of the DN as the full file path and the RDN as a relative filename in its
parent folder.
Sample syntax for two employees named Jane Smith who work for the
same company and are in the same LDAP directory:
dn: cn=Jane Smith, ou=Sales, dc=Newtech, dc=acme, dc=com
LDAP directories use unique terminology and syntax. This slide shows some of the common
examples.
These LDAP schema attributes can be used to uniquely identify two different users with the same
name in different parts of the directory. The Distinguished Name (DN) and Relative Distinguished
Name (RDN) are both frequently used in LDAP systems. You have to use the DN for LDAP
queries in vCloud Director. You also have to supply Domain Components (DC) as part of the
connection string.
[Diagram: LDAP tree rooted at dc=acme, dc=com, with branches dc=newtech and dc=oldtech containing ou=sales and ou=engineering, each holding an entry cn=Jane Smith]
Here is a graphical representation of two individuals with the same name in different locations
within an LDAP directory.
Check with your LDAP administrator to confirm that you are using
the correct schema. Different LDAP systems use different attributes.
The schema used by different LDAP systems might vary. Check with your LDAP administrator to
confirm that you are using the correct schema for your vCloud Director configuration. If your
schema is configured incorrectly, then you will not be able to execute searches on the LDAP
directory.
This slide shows two different possible configurations that are used in OpenLDAP. Both of these
have minor differences with Active Directory.
Missing data might simply indicate that the LDAP database did not
have values in all of the fields that you queried. Mismatches on
attributes might cause searches to fail.
Even if the LDAP attributes in vCloud Director are configured correctly, you might have errors
returned on a search. Errors can occur if data is not present in the LDAP directory. An example
would be a user who does not have an email address or telephone number listed in the directory.
You can specify a custom LDAP at the organization level, which allows each
organization to have a different (private) LDAP system.
If you bind all of your organizations to the same LDAP server (for example, in a
private cloud), VMware recommends that each organization have a unique
OU.
Only vCloud Director system administrators can configure LDAP for
organizations.
After LDAP is configured, organization administrators can import LDAP users
and groups.
1. Do not use LDAP. All of the users in this organization will be internally defined within the
2. Use the vCloud Director system LDAP service. The organization uses the LDAP service that
has been configured at the system level. To leverage the system-defined LDAP, all organization
users must be defined in the same Organization Unit (OU) in the LDAP database. You must
configure that OU here. VMware recommends that different organizations have unique OUs
within LDAP. The use of unique OUs preserves multitenancy. Using one system-wide LDAP
service with unique OUs for each organization is a VMware best practice for a private cloud
configuration.
3. Use a custom LDAP server. A custom LDAP server enables an organization to use its own
LDAP service. VMware recommends the use of custom LDAP servers in public cloud
implementations.
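Distinguished-name handling for two passages of this lesson: the DN/RDN terminology slide (two Jane Smith entries told apart by their parents, and the DC part you supply as the search base) and the unique-OU-per-organization recommendation just above (OUs that coincide or nest break tenant isolation). This is an added example, not vCloud Director code; the Jane Smith DN is the slide's sample, the organization OUs are constructed.

```python
"""Distinguished-name parsing and per-organization OU checks.

Added example, not vCloud Director code. The Jane Smith DN is the slide's sample; the
organization OUs are constructed.
"""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) pairs, leftmost RDN first.

    A backslash escapes the next character, so 'cn=Smith\\, Jane' stays one RDN.
    Whitespace around commas and around '=' is ignored (the slide writes 'dc = com').
    Attribute types are case-insensitive and are lower-cased here.
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def rdn(dn: str) -> RDN:
    """The relative name: the leftmost component, like a file name without its folder."""
    return parse_dn(dn)[0]


def _key(rdns: List[RDN]) -> List[RDN]:
    # cn, ou and dc values are matched case-insensitively by directory servers
    return [(attr, value.lower()) for attr, value in rdns]


def same_entry(dn_a: str, dn_b: str) -> bool:
    return _key(parse_dn(dn_a)) == _key(parse_dn(dn_b))


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is a strict descendant of base_dn (its DN ends with the base)."""
    entry, base = _key(parse_dn(entry_dn)), _key(parse_dn(base_dn))
    return len(entry) > len(base) and entry[-len(base):] == base


def domain_components(dn: str) -> str:
    """The dc= part of a DN, the search base you supply in the connection settings."""
    return ",".join(f"dc={value}" for attr, value in parse_dn(dn) if attr == "dc")


def check_org_ous(org_ous: Dict[str, str]) -> List[str]:
    """Flag organizations whose OUs coincide or nest; either one breaks per-tenant isolation."""
    findings, names = [], list(org_ous)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if same_entry(org_ous[a], org_ous[b]):
                findings.append(f"{a} and {b} use the same OU")
            elif is_under(org_ous[a], org_ous[b]) or is_under(org_ous[b], org_ous[a]):
                findings.append(f"the OUs of {a} and {b} are nested")
    return findings
```

Case-insensitive value matching is right for cn, ou and dc but not for every attribute syntax, so keep that shortcut to the naming attributes used here.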
Password Protection
Slide 6-36
These passwords are encrypted using a unique key per vCloud Director
installation.
These passwords are stored in
$VCLOUD_HOME/etc/global.properties.
LDAP users will never have their passwords stored in the vCloud Director database. Any users that
are defined internally to vCloud Director will have their passwords stored in the vCloud Director
database in an encrypted and salted form.
vCloud Director also stores some passwords. These include passwords for accessing certificates,
databases, VMware vCenter servers, and VMware vShield Manager servers. All of these
passwords are stored in encrypted form in the file $VCLOUD_HOME/etc/global.properties on
the vCloud Director server. Carefully protect any backups that contain that file.
[Slide graphic: third-party applications shown: Google Apps, Salesforce.com, WebEx, AmericanAirlines, Facebook, ADP, Mozy]
vCloud Director user IDs and passwords are for users who have administrative responsibilities
within the vCloud Director system. Cloud administrative users include catalog authors, vApp
authors, and organization administrators. LDAP and vCloud Director user accounts are not required
for end users.
You can configure a single sign-on service for end users with VMware Horizon Application
Manager. VMware Horizon Application Manager enables you to integrate end-user cloud
security with numerous third-party applications.
https://www.vmware.com/support/support-resources/hardening-guides.html
http://www.vmware.com/cloud-computing/cloud-architecture/vcattoolkit3.html
Key Points
Slide 6-42
Questions?
MODULE 7
Slide 7-1
Module 7
Importance
Slide 7-3
Module Lessons
Slide 7-4
Lesson 1: Managing Cloud Resources as a System Administrator
Lesson 2:
Slide 7-5
Lesson 1:
Managing Cloud Resources as a System
Administrator
Learner Objectives
Slide 7-6
By the end of this lesson, you should be able to meet the following
objectives:
Use the cell management tool to perform basic cell maintenance tasks
Manage provider and organization virtual data centers
Manage external networks and edge gateways
Prepare and unprepare VMware ESXi hosts
Configure and send email notifications
Most of the activities to manage a cloud cell are done at the command line on the VMware vCloud
Director server on which the cell resides. The only operation that you can perform using the
vCloud Director Web console is deleting the cloud cell.
To add cloud cells to a vCloud Director installation, install the vCloud Director software on
additional vCloud Director servers in the same vCloud Director cluster.
The cell management tool is a command-line utility that you can use to manage a cell and its SSL
certificates and to export tables from the vCloud Director database. Superuser or system
administrator credentials are required for some operations.
You can use the cell management tool to gracefully shut down a vCloud Director cell, which is
especially useful when you need to upgrade the version of vCloud Director. Before you upgrade a
vCloud Director server, use the cell management tool to quiesce and shut down vCloud Director
services on the server's cell.
vCloud Director creates a task object to track and manage each asynchronous operation that a user
requests. Information about all running and recently completed tasks is stored in the vCloud
Director database. Because a database upgrade invalidates this task information, you must be sure
that no tasks are running when you begin the upgrade process.
With the cell management tool, you can suspend the task scheduler so that new tasks cannot be
started, then check the status of all active tasks. You can wait for running tasks to finish or log in to
vCloud Director as a system administrator and cancel them. When no tasks are running, you can use
the cell management tool to stop vCloud Director services.
Prerequisites
Verify that you have superuser credentials for the target server.
Verify that you have vCloud Director system administrator credentials.
If you are stopping vCloud Director services as part of a vCloud Director software upgrade, you
must use the cell management tool, which allows you to quiesce the cell before stopping
services.
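The quiesce, check, then shut down sequence described above, scripted as an added example. This is not VMware's code. It assumes the cell management tool lives at /opt/vmware/vcloud-director/bin/cell-management-tool, takes -u/-p credentials, and offers the cell subcommand options --status, --quiesce true and --shutdown, with the status output containing "Job count = N" and "Is Active = true|false" lines; confirm all of these against the documentation for your release. The sample status text is constructed.

```python
"""Quiesce a vCloud Director cell, wait until no task is running, then shut it down.

Added example, not VMware code. Tool path, subcommand options and the status output
format are assumptions to verify against your release's documentation.
"""
import re
import subprocess
import time
from typing import Callable, List, Tuple

CELL_TOOL = "/opt/vmware/vcloud-director/bin/cell-management-tool"   # assumed path

# Constructed samples of the status lines this script expects.
SAMPLE_STATUS_BUSY = "Job count = 2\nIs Active = true\nIn Maintenance Mode = false\n"
SAMPLE_STATUS_IDLE = "Job count = 0\nIs Active = false\nIn Maintenance Mode = false\n"


def parse_cell_status(text: str) -> Tuple[int, bool]:
    """Extract the running job count and whether the cell still reports itself active."""
    jobs = re.search(r"Job count\s*=\s*(\d+)", text)
    active = re.search(r"Is Active\s*=\s*(true|false)", text, re.IGNORECASE)
    if not jobs or not active:
        raise ValueError("unrecognised status output; the tool version may differ")
    return int(jobs.group(1)), active.group(1).lower() == "true"


def safe_to_stop(text: str) -> bool:
    """Stopping is safe only when no task is running and the cell is no longer active."""
    jobs, active = parse_cell_status(text)
    return jobs == 0 and not active


def cell_command(user: str, password: str, *args: str) -> List[str]:
    return [CELL_TOOL, "-u", user, "-p", password, "cell", *args]


def graceful_stop(user: str, password: str, poll_seconds: float = 10, max_wait: float = 600,
                  runner: Callable = subprocess.run) -> bool:
    """Quiesce, poll the status until idle, then shut down; False if tasks never drained.

    `runner` is subprocess.run in real use; a fake runner lets the flow be tested offline.
    """
    runner(cell_command(user, password, "--quiesce", "true"), check=True)   # no new tasks
    deadline = time.monotonic() + max_wait
    while time.monotonic() < deadline:
        out = runner(cell_command(user, password, "--status"),
                     check=True, capture_output=True, text=True).stdout
        if safe_to_stop(out):
            runner(cell_command(user, password, "--shutdown"), check=True)
            return True
        time.sleep(poll_seconds)
    # Still busy: cancel the remaining tasks as a system administrator and run this again.
    return False


if __name__ == "__main__":
    print("busy sample safe to stop:", safe_to_stop(SAMPLE_STATUS_BUSY))
    print("idle sample safe to stop:", safe_to_stop(SAMPLE_STATUS_IDLE))
```

Because the credentials are passed with -p, they are visible to other local users in the process list for as long as each command runs; keep this to interactive superuser sessions rather than cron jobs, and do not log the assembled command line.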
ad
er
ho
tm
ail
.co
m
# /opt/vmware/vcloud-director/bin/vmware-vcd-cell stop
# service vmware-vcd start
ic_
re
If you want to stop a cell and let users know that you are performing maintenance, you can turn on
the maintenance message.
go
th
When the maintenance message is turned on, users who attempt to log in to the cell from a browser
see a message stating that the cell is down for maintenance. Users who attempt to reach the cell
using the VMware vCloud API receive a similar message.
cell
dbextract
certificates
Commands:
generate-certs
recover-password
When disabled:
After you create a provider virtual data center (VDC), you can modify its properties, disable or
delete it, and manage its VMware ESXi hosts and datastores.
Disabling a provider VDC prevents the creation of organization VDCs that use the provider VDC
resources. When a provider VDC is disabled, vCloud Director also disables the organization VDCs
that use its resources. If VMware vSphere vApps are running and you have powered-on virtual
machines, these virtual machines continue to run, but you cannot create or start additional vApps or
virtual machines on this disabled provider VDC.
Deleting a provider VDC removes its compute, memory, and storage resources from vCloud
Director, although the resources remain unaffected in VMware vSphere. As with every
hierarchy-dependent object in vCloud Director, a provider VDC cannot be deleted until the
administrator manually resolves its dependencies. To delete a provider VDC, you must first resolve
the dependencies by disabling and deleting the dependent objects.
You can upgrade the hardware version based on the capabilities of the ESXi hosts in use.
Downgrading the highest supported hardware version is not supported.
In earlier releases of vCloud Director, a Provider VDC could be backed by no more than one
resource pool. vCloud Director 5.1 removes that limitation and allows you to merge existing
Provider VDCs to create a single Provider VDC that is backed by multiple resource pools. When
you merge Provider VDCs, you select one or more Provider VDCs as contributors and one Provider
VDC as the target of the merge. When the merge is complete, these changes are effective:
The target Provider VDC includes the networks, network pools, storage policies, resource
pools, and datastores from all of the contributors.
Organization VDCs that were backed by the contributors are now backed by the target.
You can merge one or more Provider VDCs with an existing Provider VDC. The merged Provider
VDC contains the union of all resources from the contributing Provider VDCs. Only the merged
provider remains; all other provider objects are deleted. All dependent objects are automatically
updated. Organization VDCs are now shown as backed by the merged provider.
When disabled:
You can enable and disable external networks in the network properties page, under the Network
Specification tab. When you disable an external network, you are disabling the pool resources
available for the network, including any static IP pool ranges. Because the static IP pool is disabled,
you cannot create edge gateways or run vApps or virtual machines that require static IP pool
allocation from the external network.
When an external network is disabled, the network continues to pass traffic. Already-deployed edge
gateways and running direct-connect organization VDC networks continue to operate and keep
whatever connectivity has been configured.
You can change certain aspects of the network specification of an external network, but you cannot
change the Gateway IP address or the subnet mask. You can change the DNS parameters and the
DNS relay setting. You can manage the static IP pool by adding, removing, and modifying IP
address ranges.
When managing the static IP pool for an external network, remember to check the current IP
allocations table. You cannot delete a static IP range that contains an already-allocated IP
address. Likewise, you cannot modify an existing IP range in a manner that would exclude an
already-allocated IP address.
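As an added example that is not part of the course material, the following Python checker applies those two rules to a static IP pool before a range is deleted or modified. The range notation, the allocations table, and the addresses are constructed for the illustration.

```python
"""Check static IP pool changes against the current IP allocations table.

Added example, not course or VMware code. It models the two rules stated
above: a range containing an allocated address cannot be deleted, and a range
cannot be modified so that an allocated address falls outside it.
"""
from ipaddress import IPv4Address
from typing import Iterable, List, Optional, Tuple

IPRange = Tuple[IPv4Address, IPv4Address]  # inclusive start and end

# Constructed sample of the "current IP allocations" table for one network.
SAMPLE_ALLOCATIONS = ["192.0.2.10", "192.0.2.20", "192.0.2.250"]


def parse_range(text: str) -> IPRange:
    """Parse 'a.b.c.d-w.x.y.z' (or a single address) into an inclusive range."""
    start, sep, end = text.partition("-")
    lo = IPv4Address(start.strip())
    hi = IPv4Address(end.strip()) if sep else lo
    if hi < lo:
        raise ValueError(f"range end precedes start: {text}")
    return lo, hi


def in_range(addr: IPv4Address, rng: IPRange) -> bool:
    return rng[0] <= addr <= rng[1]


def allocated_in(rng: IPRange, allocations: Iterable[str]) -> List[IPv4Address]:
    """Allocated addresses that fall inside rng, sorted."""
    return sorted(a for a in map(IPv4Address, allocations) if in_range(a, rng))


def check_delete(rng: str, allocations: Iterable[str]) -> Optional[str]:
    """Return None if the range may be deleted, otherwise the reason it cannot."""
    hits = allocated_in(parse_range(rng), allocations)
    if hits:
        return f"cannot delete {rng}: allocated addresses " + ", ".join(map(str, hits))
    return None


def check_modify(old: str, new: str, allocations: Iterable[str]) -> Optional[str]:
    """Return None if old may be replaced by new, otherwise the excluded allocations."""
    new_r = parse_range(new)
    excluded = [a for a in allocated_in(parse_range(old), allocations)
                if not in_range(a, new_r)]
    if excluded:
        return (f"cannot change {old} to {new}: would exclude "
                + ", ".join(map(str, excluded)))
    return None


if __name__ == "__main__":
    print(check_delete("192.0.2.1-192.0.2.50", SAMPLE_ALLOCATIONS))
    print(check_modify("192.0.2.1-192.0.2.50", "192.0.2.1-192.0.2.30",
                       SAMPLE_ALLOCATIONS))
```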
If you need to change the subnet characteristics of an external network, create a new external
network with those characteristics.
Module 7 Managing VMware vCloud Director Resources
You can delete an external network once all dependencies on that network have been removed.
Dependencies include edge gateways and other direct-connect organization VDC networks. Resolve
dependencies by shutting down, disabling, and deleting the dependent objects or by changing the
dependent relationship.
After you create a network pool, you can modify its name and description or delete it. Depending on
the type of network pool, you can also add port groups, Cloud isolated networks, and VLAN IDs.
You can add Cloud isolated networks to a vCloud Director network isolation-backed network pool.
Verify that you have a network pool that is backed by a port group and verify that you have an
available port group in vSphere.
You can delete a network pool to remove it from vCloud Director provided that it satisfies the
following prerequisites:
No organization VDC is associated with the network pool.
No vApps use the network pool.
No NAT-routed or internal organization VDC networks use the network pool.
When disabled:
Slide 7-14
As a system administrator, you have complete configuration control over each organization VDC
with few limitations. The system administrator cannot change the fundamental allocation model of
an organization VDC. The system administrator can, at any time, change the characteristics and
settings associated with the selected allocation model, including reservations, guarantees, policy
limits, and maximum leases. These settings affect only vApps that you start from this point on.
Existing vApps must be stopped and then restarted for new policy and allocation model changes to
take effect.
The system administrator is the only role that can create organization VDC networks that directly
connect to an external network entity and manage external network suballocation IP pools.
Organization administrators must rely on a system administrator for these tasks.
Additionally, a system administrator controls:
Network pool properties used by the organization VDC
The network pool used by the organization VDC can be changed to some other pool and
the number of networks updated.
Deleting an organization VDC removes its compute, memory, and storage resources from
the organization. The resources remain unaffected in the source provider VDC. Dependencies must
be resolved before an organization VDC can be deleted.
Email Notifications
Slide 7-15
vCloud Director requires a Simple Mail Transport Protocol (SMTP) server to send user notification
and system alert emails. You can modify the settings that you specified when you created the
organization.
You can send an email notification to all users in the entire installation, all system administrators, or
all organization administrators. For example, you can send an email notification to notify users about
upcoming system maintenance.
vCloud Director sends system alert emails when it has important information to report. For example,
vCloud Director sends an alert when a datastore is running out of space. You can configure vCloud
Director to send email alerts to all system administrators or to a specified list of email addresses.
For both the SMTP settings and the email notification settings, an organization administrator may
choose to keep the system administrator-defined settings or define new settings. At a minimum, an
organization administrator may want to change the email notification settings so that all emails are
branded appropriately. An organization administrator can also override the SMTP settings if an SMTP
server is available for organization use.
Use the cell management tool to perform basic cell maintenance tasks
Manage provider and organization virtual data centers
Manage external networks and edge gateways
Prepare and unprepare VMware ESXi hosts
Configure and send email notifications
Lesson 2:
Managing Organization Resources
Learner Objectives
Slide 7-19
By the end of this lesson, you should be able to meet the following
objectives:
Leases:
Account lockout:
An organization administrator has full control over the organization policy except for the policy
limits imposed by a system administrator. Limits relating to resource-intensive operations and
network consumption per virtual machine are locked. An organization administrator can reconfigure
lease and quota settings and configure account lockout parameters.
Deploy a new instance of the edge gateway with the same service
configuration.
Inbound and outbound limits for each external network that the edge
gateway connects to.
Organization administrators can redeploy edge gateways and reapply edge gateway service
configurations. Organization administrators also have full control over rate limits set on each edge
gateway for inbound and outbound network throughput.
Organization administrators can create routed and isolated organization VDC networks. This is a
new feature as of vCloud Director version 5.1. An organization administrator has full control over
each organization VDC network that does not directly connect to an external network. For each
organization VDC network, an organization administrator can change DNS resolution settings and
manage static IP pools.
Neither a system administrator nor an organization administrator can change the subnet defined by
an organization VDC network. If you must have an organization VDC network that defines a
different subnet, create a new organization VDC network.
Organization administrators have full control over the organization VDC network configurations
applicable to the attached edge gateway, with the only exception being an organization VDC
network that direct-connects to an external network.
If the network services associated with an organization VDC network, such as DHCP settings and
firewall settings, are not working as expected, you can reset the network. Resetting a network
reinitializes VMware vShield Edge so that DHCP, VPN, firewalls, and routing work properly
again.
Managing vApps
Slide 7-24
A system administrator can place a vApp in maintenance mode to prevent nonadministrator users
from changing the state of the vApp. This prevention is useful, for example, when you want to back
up a vApp using a third-party backup solution.
When a vApp is in maintenance mode, nonadministrator users cannot perform any actions that
modify the state of the vApp or its virtual machine. They can view information about the vApp and
its virtual machines and access the virtual machine consoles. Placing a vApp in maintenance mode
does not affect any currently running tasks that involve the vApp.
A system administrator can force stop a running vApp when an organization user is unable to do
so. If traditional methods for stopping the vApp fail, you can force stop the vApp to prevent the
user from being billed for it. Force stopping a vApp does not prevent the vApp from consuming
resources in vSphere. After you force stop a vApp in vCloud Director, use the VMware vSphere
Client to check the status of the vApp in vSphere and take the necessary action.
Key Points
Slide 7-27
Questions?
MODULE 8
Module 8
Importance
Slide 8-3
In this module, you will learn how to manage vSphere resources from
the vCloud Director console.
Learner Objectives
Slide 8-4
By the end of this module, you should be able to meet the following
objectives:
Manage the following vSphere resources:
VMware vCenter Server systems
Resource pools
VMware ESXi hosts
vSphere datastores and datastore clusters
vSphere storage policies
Switches and port groups
Stranded items
You can see that VMware vCloud Director has been connected to VMware vCenter Server
in the VMware vSphere Web Client. Go to Home > vCenter Server Extensions. vCloud
Director 5.1 does not communicate status to the vCenter Server system.
There are many things that can be done from the vCloud Director > Manage & Monitor panel
concerning vCenter Server systems. Possible actions include:
Refresh information from the vCenter Server system (other than VMware vSphere storage
policies)
Refresh information on vSphere storage policies
Enable or disable a specific vCenter Server system
Detach a specific vCenter Server system
Change the connection information or the name of the vCenter Server system as it appears in
vCloud Director
Before you upgrade a vCenter Server system that is attached to vCloud Director, you must prepare
the vCenter Server system by using the following procedure:
1. Disable the vCenter Server system in vCloud Director. Wait for the status to change to
Disabled.
2. Upgrade the vCenter Server system using the standard vCenter Server upgrade procedure.
3. After the upgrade on the vCenter Server system is finished, go back to the vCloud Director Web
4. Reregister the vCloud Director with the upgraded vCenter Server system before you start using
it.
You can view information about the resource pools that vCloud Director
uses.
Every provider virtual data center (VDC) in a vCloud Director installation requires a unique
resource pool in vSphere to provide its compute and memory resources. You must create and
configure resource pools in vSphere before you can add them to a provider VDC, but you can view
information about the resource pools that vCloud Director uses.
You can view information about the used and total CPU and memory reservations for a resource
pool. You can also view information about the datastores that are available to the resource pool.
To view the resource pool properties go to the Manage & Monitor tab, select Resource Pools >
resource pool name > Properties.
Here you can see information on a specific resource pool. The information includes:
Name of the resource pool
Memory reservation used/total
CPU reservation used/total
Datastore capacity
The best practice is for each resource pool to be an entire cluster that is
dedicated to a provider virtual data center (VDC).
The best practice is for each resource pool to be an entire cluster that is dedicated to a provider
VDC.
Even though it is not the best practice, you can have multiple resource pools on a single cluster, with
each resource pool being assigned to a different provider VDC. However, this design makes it easy
to overcommit resources. If you are going to use multiple resource pools in a single VMware
vSphere Distributed Resource Scheduler cluster, you must carefully monitor and manage
utilization.
The type of settings used on the resource pool (reservations and limits) should be consistent with the
allocation model that will be used in the organization VDC that leverages each resource pool.
Resource pools created to support Pay-As-You-Go organization VDCs will always have no
reservations or limits. Pay-As-You-Go settings only affect overcommitment. A 100-percent
guarantee means no overcommitment is possible. The lower the percentage, the more
overcommitment is possible.
You can move all the virtual machines from one VMware ESXi host to other ESXi hosts in the
same cluster. This ability is useful to unprepare a host, or to perform maintenance on a host without
affecting running virtual machines.
Disable the host before redeploying its virtual machines. When you select Redeploy All VMs, vCloud
Director puts the host into maintenance mode and moves all of its virtual machines to other hosts in
the same cluster.
You redeploy all virtual machines on a host when doing the following:
NOTE
You can disable a host to prevent VMware vSphere vApps from starting up on the host. Virtual
machines that are already running on the host are not affected.
vCloud Director enables or disables the host for all provider VDCs that use its resources.
The vCloud Director Manage & Monitor panel reports all available datastores and datastore clusters.
In order to take a datastore or a datastore cluster down for maintenance you should disable it first.
After a datastore or datastore cluster has been disabled, no vApps that are assigned to it can be
powered on and no vApps can be created on it.
You can configure low disk space warnings on a datastore. vCloud Director issues a warning email
when the datastore reaches a specific threshold of available capacity. These warnings alert you to a
low disk space situation before it becomes a problem.
vCloud Director allows you to set two thresholds: yellow and red. When the datastore crosses a
specified threshold, vCloud Director sends an email alert whose message indicates which threshold
was crossed. The yellow threshold also determines the point at which fast provisioning stops
initiating shadow virtual machine creation.
What if a datastore runs out of space? How do you move running virtual machines from one
datastore to another one?
Although it is possible to manually migrate running virtual machines from one datastore to another
in the vSphere Web Client, this can cause problems for vCloud Director vApps and is not
recommended. Instead, use VMware vSphere Storage DRS to move powered-on virtual machines
that are part of vCloud Director vApps from one datastore to another. To do this, the datastore must
already be part of a datastore cluster.
First, vSphere Storage DRS must already be configured in the DRS cluster. Both the datastore you
want to evacuate and the other migration candidate datastores must be in a datastore cluster. Use the
vSphere Web Client to place the datastore into Storage DRS Maintenance Mode. vSphere
automatically moves all virtual machines off of that datastore and onto other datastores in the
datastore cluster.
If you do not already have the vSphere Web Client open, all submenus in the vCloud Director
Manage & Monitor panel under vSphere Resources have an option to open the vSphere Web Client.
Manage & Monitor > Datastores & Datastore Clusters > <datastore_name> > Properties >
Storage Profiles
You can determine exactly which vSphere storage policies are attached to a specific datastore by
using Manage & Monitor > Datastores & Datastore Clusters > <datastore_name> > Properties
> Storage Policies. The panel allows you to search for a specific vSphere storage policy if the
vCenter Server system is configured with a large number of vSphere storage policies. The panel will
also report how much storage space on the selected datastore is being actively used by the vSphere
storage policy.
Manage & Monitor > Storage Policies reports all of the vSphere storage policies available to
the system. The panel also reports the number of VDCs using each vSphere storage policy (both
provider and organization), the number of datastores in each vSphere storage policy, and how much
space has been used, provisioned, and requested.
Manage & Monitor > Storage Profiles > <policy_name> > Properties
You have already seen that each datastore can report all of the vSphere storage policies that have
been attached to it. It is also possible to get a list of all of the datastores assigned to a specific
vSphere storage policy.
Manage & Monitor > Switches & Port Groups will report all of the distributed switches that are
available in the system. This is information-only. There is no way to configure or change these
switches from this menu.
Switches & Port Groups lists all vCenter Server virtual switches and
port groups, including those created by vCloud Director:
Manage & Monitor > Switches & Port Groups > Port Groups
Manage & Monitor > Switches & Port Groups > Port Groups reports all of the port groups in
use on a distributed switch. This panel gives important information that correlates which cloud
networks are associated with which port groups.
Stranded Items
Slide 8-19
Objects deleted from vCloud Director that still exist in vSphere appear
as stranded items.
Module 8 Managing VMware vSphere Resources
vSphere Client
When you delete an object in vCloud Director and that object also exists in vSphere, vCloud
Director attempts to delete the object from vSphere. In some situations, vCloud Director might not
be able to delete the object in vSphere. If the attempted deletion fails, the object becomes stranded.
You can view a list of stranded items and try again to delete them, or you can use the vSphere Client
to delete the stranded objects in vSphere.
You can delete a stranded item to try to remove an object from vSphere that you already deleted
from vCloud Director.
If vCloud Director cannot delete a stranded item, you can force delete it to remove it from the
stranded items list. The stranded item continues to exist in vSphere.
Key Points
Slide 8-22
Questions?
MODULE 9
Module 9
Importance
Slide 9-3
Learner Objectives
Slide 9-4
By the end of this module, you should be able to meet the following
objectives:
Monitor provider and organization virtual data center use
View system-level and organization-level task and event logs
Enable debug display in task logs
Configure and synchronize Syslog server settings
Task Log
Slide 9-5
Task logs are available at the system level and for each organization.
Related VMware vSphere tasks are included when applicable.
Each task is associated with an owner. The owner is either system or a particular user account. All
tasks with an indicated owner of system are initiated by vCloud Director to perform various
operations, including housekeeping tasks. All tasks with a non-system owner were initiated by a
given user account, such as a system administrator or organization administrator.
Each task log entry can be examined to view additional details about the operation. If relevant to
the task performed, a list of associated VMware vSphere tasks is also available. When
relevant vSphere tasks are listed, you can obtain further details about each task by selecting the
entry and then choosing the Open in VMware vSphere Web Client option under the Gear menu.
The system administrator can enable and disable the display of debug information in task log details.
When this setting is enabled, debug information pertaining to the task is listed at the bottom of each
task details page. Only the system administrator can change this setting. Debug information will
only appear in the task details when viewed by a system administrator.
This setting does not control the logging of debug information. Enabling this setting simply means
that debug information may be viewed for any logged task, regardless of when the task was
performed.
Module 9 Monitoring VMware vCloud Components
VMware vCloud Director tasks represent long-running operations, and their status changes as the
task progresses. For example, a task's status generally starts as Running. When the task finishes, its
status changes to Successful or Error.
Event Log
Slide 9-6
Event logs are available at the system level and for each organization.
vCloud Director events represent one-time occurrences that typically indicate an important part of
an operation or a significant state change for a vCloud Director object. For example, vCloud
Director logs an event when a user initiates the creation of an organization virtual data center (VDC)
and another event when the process completes. vCloud Director also logs an event every time a user
logs in and notes whether the attempt was successful or not.
Each event has a target specification that identifies, by name, the vCloud Director infrastructure
component or vCloud Director object that was the focus of the event. For login events, the target
will be the name of the account being used to access the system.
In general, each event is associated with an owner. The owner is either system or a particular user
account. All events with an indicated owner of system are initiated by vCloud Director to perform
various operations, including housekeeping tasks. All events with a non-system owner were initiated
by a given user account, such as a system administrator or organization administrator.
Each event log entry can be examined to view additional details about the event. Event details
never include associated vSphere operations.
How many days log entries are retained before being automatically deleted.
How many days log entries are available for viewing.
Inclusion of debug information when viewing task details.
The system administrator is responsible for configuring activity history settings. Activity history
settings are applied system-wide and include the system logs and all organization logs. Organization
administrators cannot view nor manage activity history settings.
The history shown time frame controls the volume of log data available when viewing logs in the
vCloud Director console interface.
The history to keep time frame defines how long log entries are to be maintained by the system
before being deleted.
The system administrator can also enable the display of task-related debug information. This setting
is covered on the following page.
The Syslog server for cell use is specified when vCloud Director is
installed.
When you install vCloud Director, you can specify a Syslog server for cell use. An integrated
Syslog collector is included with vSphere 5.1.
Syslog servers for network use are required for firewall rule logging.
Changes to syslog server settings must be manually synchronized.
You can configure up to two Syslog server IP addresses for networks to use. This setting does not
apply to logging performed by cloud cells. The Syslog servers specified here are for use by edge
gateways and VMware vSphere vApp networks that have a firewall component. Unlike the
Syslog server for cell use, which is configured during vCloud Director installation, the Syslog server
settings for networks are configured after vCloud Director has been installed and deployed.
After configuring or changing the Syslog server settings for networks to use, those settings must be
explicitly synchronized with each organization edge gateway and each running vApp network where
logging is to occur. vApp networks and edge gateways created after the settings have been updated
will automatically receive new or updated values.
vApp networks will not be updated when an upstream edge gateway is synchronized.
Synchronization must be performed on each deployed vApp network or edge gateway where
logging firewall rules have been configured.
You can monitor the utilization of each provider VDC separately and use that information to plan
mitigation of any resource issues found.
For evaluating resource utilization, you can compare three different types of values: Used,
Allocation, and Overhead. Compare these values to determine if additional resources should be
allotted and to monitor the overall utilization of each provider VDC. You can compare Memory,
Storage, and Processor values.
Used percentages indicate the percentage of pool resources that are consumed by the provider VDC.
Allocation indicates the percentage of pool resources committed to the provider VDC.
Values for each storage policy used by the provider VDC are listed
separately.
Example: Determine which storage policies or datastores are
underutilized.
You can monitor the utilization of each datastore used by a provider VDC. Datastores cannot be
managed directly in vCloud Director; instead, the containing storage policy must be managed.
Compare the Used, Provisioned, and Requested values to determine which policies are overutilized
or underutilized.
You can monitor the utilization of each storage policy used by a provider VDC. Compare the Used,
Provisioned, and Requested values to determine which policies are overutilized or underutilized.
You can monitor CPU, memory, and storage resources for each organization VDC. If you see that
resources are low, you can add more resources as needed.
Upload Quarantine
Slide 9-13
Uploads that are not accepted within the specified timeout period are
deleted.
Quarantine files are vApp templates and media files that users upload to their organization. vCloud
Director enables you to monitor the quarantined files. But you must first enable upload quarantine
and use third-party tools (for example, a virus scanner) to process the uploaded files before vCloud
Director accepts them.
You can use any Java Message Service (JMS) client that understands the STOMP protocol to
monitor and respond to messages from the vCloud Director quarantine service.
When an uploaded file is quarantined, a JMS broker sends a message to a request queue on a cloud
cell. The receiver decides whether to accept or reject the upload by sending a message to a response
queue.
For details, see the product documentation at www.vmware.com/support/pubs/vcd_pubs.html.
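The request/response exchange described above, as an added Python example that is not VMware's code: a minimal STOMP frame codec plus a responder that scans the quarantined file and fails closed (rejects) whenever the scanner cannot vouch for it. The queue names, the JSON body fields, and the scan callback are assumptions for the illustration; the real names and formats are in the product documentation.

```python
"""STOMP frames for a vCloud Director upload-quarantine responder.

Added example, not VMware code. vCloud Director publishes a message on a
request queue when an upload is quarantined and expects a decision on a
response queue. The queue names and JSON body fields below are assumed for
this illustration; the incoming MESSAGE frame is constructed sample data.
"""
import json
from typing import Callable, Dict, Tuple

# Assumed names; the actual values are defined in the product documentation.
REQUEST_QUEUE = "/queue/quarantine.request"
RESPONSE_QUEUE = "/queue/quarantine.response"
NUL = "\x00"


def encode_frame(command: str, headers: Dict[str, str], body: str = "") -> str:
    """Serialize a STOMP frame: command, header lines, blank line, body, NUL."""
    lines = [command] + [f"{k}:{v}" for k, v in headers.items()]
    return "\n".join(lines) + "\n\n" + body + NUL


def decode_frame(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Parse one STOMP frame back into (command, headers, body)."""
    if not raw.endswith(NUL):
        raise ValueError("frame is not NUL-terminated")
    head, _, body = raw[:-1].partition("\n\n")
    command, *header_lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(key, value)  # STOMP keeps the first repeated header
    return command, headers, body


def subscribe_frame(subscription_id: str) -> str:
    """SUBSCRIBE to the request queue with client acks so a crash loses nothing."""
    return encode_frame("SUBSCRIBE", {"destination": REQUEST_QUEUE,
                                      "id": subscription_id, "ack": "client"})


def decide_upload(message_frame: str,
                  scan: Callable[[str], bool]) -> Tuple[str, str]:
    """Inspect a quarantine MESSAGE and build the SEND frame carrying the verdict.

    scan(path) returns True when the file is clean. Returns (verdict, frame).
    A file that cannot be scanned is rejected rather than let through.
    """
    command, headers, body = decode_frame(message_frame)
    if command != "MESSAGE" or headers.get("destination") != REQUEST_QUEUE:
        raise ValueError("not a quarantine request message")
    request = json.loads(body)  # assumed JSON body with 'id' and 'path'
    try:
        clean = bool(scan(request["path"]))
    except Exception:
        clean = False  # fail closed on scanner errors
    verdict = "accept" if clean else "reject"
    response = json.dumps({"id": request["id"], "action": verdict})
    frame = encode_frame("SEND", {"destination": RESPONSE_QUEUE,
                                  "content-type": "application/json",
                                  "content-length": str(len(response))},
                         response)
    return verdict, frame


# Constructed sample message, shaped like what a broker would deliver.
SAMPLE_MESSAGE = encode_frame(
    "MESSAGE",
    {"destination": REQUEST_QUEUE, "message-id": "m-1", "subscription": "q1"},
    json.dumps({"id": "upload-42", "path": "/transfer/upload-42.ova"}),
)


def stand_in_scan(path: str) -> bool:
    """Stand-in for a real scanner: flag names containing 'eicar' as infected."""
    return "eicar" not in path.lower()


if __name__ == "__main__":
    print(subscribe_frame("q1"))
    verdict, reply = decide_upload(SAMPLE_MESSAGE, stand_in_scan)
    print(verdict)
    print(reply)
```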
Each vCloud Director server host exposes a number of MBeans through Java Management
Extensions (JMX). This exposure enables operational management of the server and provides access
to internal statistics.
What are MBeans? MBeans are managed beans, Java objects that represent resources to be
managed. An MBean has a management interface.
All vApps and media files uploaded by users are quarantined for a
period of time.
What is JMX? JMX is a Java technology that supplies tools for managing and monitoring
applications, system objects, devices (for example, printers), and service-oriented networks. Those
resources are represented by objects called MBeans.
vcloud-container-debug.log
vcloud-container-info.log
vmware-vcd-watchdog.log
diagnostics.log
YYYY_MM_DD.request.log
cell.log
vCloud Director provides logging information for each cloud cell in the system. You can view the
logs to monitor your cells and to troubleshoot issues.
go
th
345
Log name
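As an added example that is not part of the course material: a shell function that scans a cell's request log for repeated authentication failures, the kind of check a security operations team would run over the logs listed above. It assumes that the request log is written in Apache/NCSA common log format and that logins arrive at /api/sessions (REST API) and /cloud/login (web console); verify both against what your own cells write. The log lines are constructed sample data, and the log directory in the usage comment is the product default, to be adjusted for your installation.

```bash
#!/usr/bin/env bash
# Added example (not from the course): find clients that repeatedly fail
# authentication against a vCloud Director cell by reading its
# YYYY_MM_DD.request.log. Assumptions: the request log is in Apache/NCSA common
# log format, and logins hit /api/sessions (REST API) and /cloud/login (web
# console). Check both against what your cells actually write.

# Constructed sample lines (not real traffic): one address fails five times and
# then succeeds, one fails once, one never touches a login endpoint.
SAMPLE_LOG='203.0.113.7 - - [12/Mar/2013:10:15:01 +0000] "POST /api/sessions HTTP/1.1" 401 0
203.0.113.7 - - [12/Mar/2013:10:15:02 +0000] "POST /api/sessions HTTP/1.1" 401 0
203.0.113.7 - - [12/Mar/2013:10:15:03 +0000] "POST /api/sessions HTTP/1.1" 401 0
203.0.113.7 - - [12/Mar/2013:10:15:04 +0000] "POST /api/sessions HTTP/1.1" 401 0
203.0.113.7 - - [12/Mar/2013:10:15:05 +0000] "POST /api/sessions HTTP/1.1" 401 0
203.0.113.7 - - [12/Mar/2013:10:15:06 +0000] "POST /api/sessions HTTP/1.1" 200 1423
198.51.100.4 - - [12/Mar/2013:10:16:10 +0000] "POST /cloud/login HTTP/1.1" 401 0
198.51.100.4 - - [12/Mar/2013:10:16:40 +0000] "POST /cloud/login HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2013:10:17:00 +0000] "GET /api/org HTTP/1.1" 200 2048'

# auth_failures_by_ip [threshold]
# Reads request-log lines on stdin and prints "<count> <ip>" for every client
# with at least <threshold> (default 5) 401/403 responses on a login endpoint,
# most frequent first. Parsing keys off the quoted request string rather than
# fixed field numbers, so extra columns (user agent, referer) do not break it.
auth_failures_by_ip() {
  awk -v threshold="${1:-5}" '
    {
      if (match($0, /"[^"]*"/) == 0) next            # no request string: skip
      req    = substr($0, RSTART + 1, RLENGTH - 2)   # METHOD PATH PROTOCOL
      rest   = substr($0, RSTART + RLENGTH)          # " STATUS BYTES ..."
      split(rest, after, " ")                         # leading blanks ignored
      status = after[1]
      split(req, r, " ")
      path   = r[2]
      if ((path ~ /^\/api\/sessions/ || path ~ /^\/cloud\/login/) &&
          (status == "401" || status == "403"))
        fails[$1]++                                  # $1 is the client address
    }
    END { for (ip in fails) if (fails[ip] >= threshold) print fails[ip], ip }
  ' | sort -rn
}

# Run the scan over the constructed sample. Against a real cell you would use,
# for example (default log directory of the product; adjust to your install):
#   auth_failures_by_ip 5 < /opt/vmware/vcloud-director/logs/2013_03_12.request.log
scan_sample() {
  printf '%s\n' "$SAMPLE_LOG" | auth_failures_by_ip "${1:-5}"
}
```

In the sample, 203.0.113.7 is reported with five failures even though its sixth attempt succeeded; a success after a burst of failures is exactly the pattern worth investigating, so do not filter on failures only when you adapt this to your environment.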
Key Points
Slide 9-17
Provider VDC
Organization VDC
Storage policy
Datastore
You can monitor CPU, memory, and storage resources for each
organization VDC.
vCloud Director provides logging information for each cloud cell in the
system.
Questions?
MODULE 10
Slide 10-1
Module 10
Importance
Slide 10-3
Learner Objectives
Slide 10-4
By the end of this module, you should be able to meet the following
objectives:
Share an organization catalog with other organization users
Change ownership of a vApp
Share a vApp with other organization users
Force customization of a vApp
Reset a vApp network
Catalogs can be created in a number of ways by different users. When a system administrator creates
a catalog from the main menu of the VMware vCloud Director console, no sharing options are
presented: the catalog is visible to the organization administrator only and is not shared with
other organization users. Sharing with other organization users must be configured explicitly after
the catalog is created.
Catalogs created by any user, including the system administrator, with the New Catalog icon in the
organization's catalog list can be configured for sharing as part of the creation process. By
default, catalogs created this way are also not shared with other organization users. You must select
the groups and users that may access the catalog, or choose to share the catalog with all
organization users.
Each user has a My Cloud container that shows all of the instantiated VMware vSphere vApps
that the user has access to. vApps appear in My Cloud because they are owned by the user, have been
shared with the user, or are listed because of the user's role, as is the case for an organization
administrator.
Ownership of a vApp can be transferred to any organization user with the vApp User role or higher. A
group cannot own an instantiated vApp; ownership is always held by a single user account. The system
administrator, the organization administrator, or the current vApp owner can change the ownership of
a vApp.
Many users can share access to an instantiated vApp, while management of the vApp remains restricted
to administrative roles and the vApp owner. A vApp can be shared with other users by a system
administrator, an organization administrator, or the vApp owner. The vApp then appears in the My
Cloud container of every user it has been shared with.
System administrators
Organization administrators
The vApp owner
Any account that the vApp has been shared with
Forcing Recustomization
Slide 10-9
If the settings on a guest virtual machine are not in sync with vCloud Director, or an attempt to
perform guest customization has failed, you can power on the virtual machine and force its
recustomization.
If the network services of a vApp network, such as DHCP and NAT, are not working as expected, an
organization administrator can reset the network. Network services are unavailable while the reset is
performed.
Key Points
Slide 10-13
Questions?
MODULE 11
Module 11
Importance
Slide 11-3
Making the correct choices during installation can help save you time
and improve scalability and performance.
Module Lessons
Slide 11-4
Lesson 1: Installation Prerequisites
Lesson 2: Installation Procedure
Lesson 1: Installation Prerequisites
Learner Objectives
Slide 11-6
By the end of this lesson, you should be able to meet the following
objective:
Describe the prerequisites for vCloud Director installation
Configuration Requirements
Slide 11-7
VMware vCloud Director has several specific configuration requirements that must be met in
VMware vSphere. Most of them can be summarized as follows:
Resources in the resource cluster should be shared and distributed (networks and storage).
The license for VMware vCloud Networking and Security that is included
with vCloud Director does not include such features as SSL VPN and load
balancing.
For virtual private network (VPN) and load balancing, vCloud Director
requires the fully licensed VMware vCloud Networking and Security
Advanced Edition license.
vCloud Director requires at least two major licensed vSphere features: vSphere DRS, which is
licensed by VMware vSphere Enterprise Edition and VMware vSphere Enterprise Plus Edition, and
VMware vSphere Distributed Switch together with dvFilter, which are licensed by vSphere Enterprise
Plus. These features enable the creation and use of vCloud Director isolated networks.
vCloud Director also requires VMware vShield Manager servers in some compatible form, and these
must be properly licensed. With vCloud Director 5.1 this is normally VMware vCloud Networking and
Security. A basic license for vCloud Networking and Security is included with vCloud Director 5.1,
but it does not include advanced features such as SSL VPN and load balancing.
VMware strongly recommends that vCenter Server 5.1 and ESXi 5.1 be used with vCloud
Director 5.1. Although earlier versions are supported, some features will not be available if these
earlier versions are used.
Stateless ESXi hosts were introduced in vSphere 5.0. These are fully supported with vCloud
Director 5.1. Customers should avoid stateless designs that require a host-specific configuration
when the host is going to be used in a VMware vCloud resource cluster.
In addition to the other required software packages, which should be available by default, you must
have Java Runtime Environment (JRE) 1.6.0 update 10 or later. Only the 32-bit version is supported. By
default this version of the JRE is not present on RHEL 5 systems, so the JRE must be upgraded before
vCloud Director is installed.
You can install vCloud Director 5.1 without JRE 1.6.0 preinstalled on the Red Hat server. The
vCloud Director 5.1 installer installs the Java keytool utility, which is the only component of JRE
1.6.0 that vCloud Director requires. keytool must be available and configured before you attempt to
create and install SSL certificates for vCloud Director.
vCloud Director uses secure communications, so clients must connect over SSL/TLS. Supported
protocol versions are SSL 3.0 and Transport Layer Security (TLS) 1.0. Supported cipher suites use
RSA, DSS (Digital Signature Standard, that is, DSA) or elliptic curve signatures, with 3DES, AES-128
or AES-256 as the bulk cipher. SSL 3.0 is obsolete and has known weaknesses; where your client
population allows it, disable SSL 3.0 and accept only the TLS suites.
CentOS 6, Update 4
Red Hat Enterprise Linux 5 (64-bit), Update 4-9
Red Hat Enterprise Linux 6 (64-bit), Update 1-4
The Linux server that vCloud Director is installed on must meet the
following minimum disk and memory requirements:
2 GB of RAM is recommended.
The database that will be used by vCloud Director must be created before installing the first vCloud
Director cell. Specific requirements exist for database configuration and for the rights and privileges
that the user ID of the vCloud Director service will use to access the database. Make sure your
database administrator reads the section on configuring the database in VMware vCloud Director
Installation and Configuration Guide.
Before installation of vCloud Director, you must install security certificates. This installation should
be done after you have confirmed that your network configuration is correct (including DNS) and
that you have the correct version of Java Runtime Environment. You must use the JRE keytool
command to create your certificate requests.
You can use either self-signed security certificates or certificates that have been issued by an
external certificate authority (CA).
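The certificate step above, as an added example that is not from the course or from VMware: a shell script that drives the JRE keytool to create the keystore and one certificate signing request per cell network interface. The keystore type (JCEKS) and the two aliases, http and consoleproxy, are taken from the vCloud Director installation guide rather than from this page, so verify them against your version; the file name certificates.ks, the 2048-bit key size, the choice of a single password for keystore and keys, and the example host names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the course): create the vCloud Director keystore and
# a CSR for each of the two cell interfaces with the JRE keytool.
# Assumptions: keystore type JCEKS and the aliases "http"/"consoleproxy" come
# from the product installation guide; file name, key size and host names are
# placeholders chosen for this example.

KEYSTORE=${KEYSTORE:-certificates.ks}
STORE_TYPE=JCEKS
KEY_BITS=2048        # JRE 1.6 keytool defaults to 1024-bit RSA; ask for 2048

# Echo the command when DRY_RUN=1 (review before you run), otherwise execute it.
# Passing "$@" through keeps the quoting of the password and DN intact.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vcd_keystore_alias <alias> <fqdn> <password>
# Generate an RSA key pair (with a temporary self-signed certificate) under the
# alias, then write the CSR <alias>.csr to hand to your CA. The cell
# configuration prompts for one keystore password, so -keypass is set equal to
# -storepass here.
vcd_keystore_alias() {
  ks_alias=$1 fqdn=$2 password=$3
  run keytool -keystore "$KEYSTORE" -storetype "$STORE_TYPE" \
      -storepass "$password" -keypass "$password" \
      -genkeypair -keyalg RSA -keysize "$KEY_BITS" \
      -alias "$ks_alias" -dname "CN=$fqdn" || return 1
  run keytool -keystore "$KEYSTORE" -storetype "$STORE_TYPE" \
      -storepass "$password" -certreq -alias "$ks_alias" -file "$ks_alias.csr"
}

# vcd_make_keystore <http-fqdn> <consoleproxy-fqdn> <password>
# Build both entries (one per network interface) and list the keystore.
vcd_make_keystore() {
  http_fqdn=$1 console_fqdn=$2 password=$3
  if [ "${DRY_RUN:-0}" != 1 ] && ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not in PATH: install the JRE first" >&2
    return 2
  fi
  if [ "${DRY_RUN:-0}" != 1 ] && [ -e "$KEYSTORE" ]; then
    echo "$KEYSTORE already exists; refusing to overwrite it" >&2
    return 1
  fi
  vcd_keystore_alias http "$http_fqdn" "$password" || return 1
  vcd_keystore_alias consoleproxy "$console_fqdn" "$password" || return 1
  if [ "${DRY_RUN:-0}" != 1 ]; then chmod 600 "$KEYSTORE"; fi   # private keys live here
  run keytool -keystore "$KEYSTORE" -storetype "$STORE_TYPE" \
      -storepass "$password" -list
}

# Example with placeholder names (run on the cell, then submit http.csr and
# consoleproxy.csr to your CA and import the signed certificates under the
# same aliases):
#   DRY_RUN=1; vcd_make_keystore vcd-http.example.com vcd-console.example.com 'changeit'
```

Passing -storepass and -keypass on the command line exposes the password to anyone who can read the process list or the shell history on that host; on a shared cell, omit both flags and let keytool prompt for them interactively, or clear the history afterwards.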
The vCloud Director cell server must have two network interfaces on
the production network.
One TCP/IP address for console connections
Use NTP to synchronize all vCloud Director servers and their database
server.
nslookup 192.168.1.1
nslookup 192.168.1.2
Connections to the vCloud Director server from the Internet and from public networks must be
tightly controlled. The only port that is recommended to be open to the Internet and public networks
is 443 (HTTPS). This port should be open only if you are using a public cloud model and plan to
have external customers access the vCloud Director console from public or Internet-connected
systems.
On internal networks, only a few other ports should be open on vCloud Director servers. Port 443 is
not listed here because it was mentioned earlier. Port 443 should also be open on internal networks
to allow local administrators to connect to the vCloud Director administration console.
Slide 11-17
Lesson 2: Installation Procedure
Learner Objectives
Slide 11-20
By the end of this lesson, you should be able to meet the following
objective:
Use the proper procedure to install vCloud Director
Configuring DNS
Slide 11-23
The DNS server that vCloud Director uses should have records
preconfigured. These records include the following:
Host records (A) preconfigured for both the vCloud Director HTTP and
the vCloud Director console proxy network connections
Reverse address lookup records preconfigured for both the vCloud
Director HTTP and the vCloud Director console proxy network
connections
The DNS configuration is critical for vCloud Director. All server names specified during vCloud
Director installation must be resolvable by DNS, including the names assigned to the HTTP service
network interface and the console proxy network interface. Both the short name and the fully
qualified domain name (FQDN) must resolve, and reverse lookup (PTR) records for the assigned
addresses must also be configured on the DNS server. Use the nslookup command to confirm that both
forward (host name to address) and reverse (address to host name) resolution work.
As mentioned in the prerequisites lesson, the DNS server must have both A and PTR records for the
vCloud Director network interfaces in place before vCloud Director is installed.
After you have configured your DNS server and have created the two required network interfaces on
the vCloud Director server, you should confirm that your networking configuration is correct. Use
the nslookup command to make sure you can resolve all of the names and IP addresses from a
console or terminal window on the vCloud Director server. Also use ping or other tools to confirm
that the vCloud Director server has network connectivity to the following:
DNS name resolution of both vCloud Director addresses and any other
address name resolution that is required during installation
Network connectivity to the vCenter Server systems and the ESX/ESXi
hosts in the resource clusters
Network connectivity to the database server
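The checks described in this lesson (forward and reverse resolution of both cell addresses, short name agreeing with the FQDN, and reachability of the systems the cell depends on), as an added shell example that is not part of the course: it turns the two nslookup commands on the earlier slide into a repeatable pre-install check. All host names and addresses are placeholders; the resolver command is pluggable (the default is getent hosts, which follows the host's /etc/nsswitch.conf) so the same logic can be run against a stub, and check_tcp relies on bash's /dev/tcp, which is an assumption about the shell on the cell.

```bash
#!/usr/bin/env bash
# Added example (not part of the course): pre-install DNS and connectivity check
# for a vCloud Director cell. Host names and addresses below are placeholders.
# The resolver command is pluggable so the logic can be exercised against a stub;
# the default, "getent hosts", follows /etc/nsswitch.conf as the cell itself will.

VCD_RESOLVER=${VCD_RESOLVER:-"getent hosts"}

# Forward lookup: print the first address for a name (empty if it does not resolve).
resolve_addr() { $VCD_RESOLVER "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'; }
# Reverse lookup: print the canonical name for an address (empty if no PTR record).
resolve_name() { $VCD_RESOLVER "$1" 2>/dev/null | awk 'NR == 1 { print $2 }'; }

# check_vcd_dns <fqdn> <expected-ip>
# The prerequisites ask for three things per interface: an A record, a PTR record
# that points back at the same FQDN, and a short name that resolves to the same
# address. Prints one line per failure; returns non-zero if anything is wrong.
check_vcd_dns() {
  fqdn=$1 ip=$2 short=${1%%.*} rc=0
  got_ip=$(resolve_addr "$fqdn")
  if [ "$got_ip" != "$ip" ]; then
    echo "FAIL A     $fqdn -> ${got_ip:-<none>} (expected $ip)"; rc=1
  fi
  got_name=$(resolve_name "$ip")
  if [ "$got_name" != "$fqdn" ]; then
    echo "FAIL PTR   $ip -> ${got_name:-<none>} (expected $fqdn)"; rc=1
  fi
  short_ip=$(resolve_addr "$short")
  if [ "$short_ip" != "$ip" ]; then
    echo "FAIL short $short -> ${short_ip:-<none>} (expected $ip)"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK         $fqdn <-> $ip ($short)"
  return "$rc"
}

# check_tcp <host> <port>: confirm the cell can open a TCP connection to a
# dependency (vCenter Server on 443, the database listener, and so on).
# Uses bash's /dev/tcp, which has no connect timeout; wrap the call in
# "timeout 5 bash -c ..." or use "nc -z host port" where that matters.
check_tcp() {
  if (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null; then
    echo "OK   tcp $1:$2"
  else
    echo "FAIL tcp $1:$2 unreachable"; return 1
  fi
}

# Pre-install run for one cell (placeholder values; adjust and run on the cell):
#   check_vcd_dns vcd-http.example.com    192.168.1.1   # HTTP service interface
#   check_vcd_dns vcd-console.example.com 192.168.1.2   # console proxy interface
#   check_tcp vcenter.example.com 443
#   check_tcp db.example.com 1521
```

A missing PTR record is the failure this catches most often in practice: forward resolution works, the installer appears happy, and the cell later logs its own address instead of its name. Run the check from the cell itself so that it exercises the same resolver configuration the service will use.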
Guest OS                       Directory Name
Windows Server 2003 (32-bit)   ../sysprep/svr2003
Windows Server 2003 (64-bit)   ../sysprep/svr2003-64
Windows XP (32-bit)            ../sysprep/xp
Windows XP (64-bit)            ../sysprep/xp-64
vCloud Director uses Microsoft sysprep packages to customize VMware vSphere vApps during
vApp deployment. You should load the Microsoft sysprep software on your vCloud Director server
before creating the packages. You must use the directory names specified above for each sysprep
package. You do not need all of the sysprep packages if you do not plan to deploy all of
these Windows operating systems in vApps.
The sysprep software must be loaded into the proper directory on the vCloud Director server before
it can be used. If you have a multicell environment, the software must be present on each cell.
Key Points
Slide 11-29
Questions?