VCloud Director-Install-Configure Manage Allchapters

MODULE 1
Course Introduction
Slide 1-1
Course Introduction
Course Introduction
Module 1
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
VMware vCloud Director: Install, Configure, Manage
Importance
Slide 1-2
This course trains you in using VMware vCloud Director to deliver

infrastructure as a service in a private enterprise cloud. The course
includes information about public clouds.
You perform hands-on labs to understand how IT resources are
delivered and consumed in a cloud environment.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Your instructor demonstrates the basics of how vCloud Director

abstracts, allocates, and meters IT resources in a cloud environment.
Learner Objectives
Slide 1-3
Manage vCloud Director to satisfy private cloud business needs

Configure VMware vSphere storage to enable tiering in provider
virtual data centers (VDCs)
Create vCloud Director organizations and VMware vSphere vApps
to satisfy business needs
Configure networking for organizations and vApps
Administer vCloud Director users
Manage and monitor the vCloud Director environment
go
th
ic_
re
ad
er
ho
tm
Deploy vCloud Director as a private cloud
ail
.co
m
Course Introduction
By the end of this course, you should be able to meet the following
objectives:
Module 1 Course Introduction
You Are Here

Slide 1-4
Managing VMware vCloud Director

Resources
VMware vCloud Director Architecture and

Components
Managing VMware vSphere Resources
VMware vCloud Director Networking
Monitoring VMware vCloud Director

Components
VMware vCloud Director Providers
VMware vCloud Director Organization

Users
ail
.co
m
Course Introduction
VMware vCloud Director Installation
VMware vCloud Director Organizations
go
th
ic_
re
ad
er
ho
tm
VMware vCloud Director Basic Security
Typographical Conventions
Slide 1-5
Filenames, folder names, path

names, command names:
the bin directory
Monospace bold
What the user types:

Type ipconfig and press Enter.
Boldface
Graphical user interface items:

the Configuration tab
Italic
Book titles and emphasis:

vSphere Upgrade Guide
<filename>
Placeholders:
<ESXi_host_name>
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Monospace
Course Introduction
The following typographical conventions are used in this course:
Classroom Discussion: Cloud Computing

Slide 1-6
Define cloud computing:
Cloud computing is an approach to computing that leverages the
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
efficient pooling of on-demand, self-managed virtual infrastructure that is

consumed as a service.
Classroom Discussion: Cloud Computing Types

Slide 1-7
Course Introduction
List the three types of cloud deployment:

Private
Public
Hybrid
Briefly state what you understand about each of these cloud

deployments:
Hybrid: Composition of two or more interoperable clouds, enabling data

and application portability
Public: Accessible over the Internet for general consumption
go
th
ic_
re
ad
er
ho
ail
.co
m
Private: Operated solely within an enterprise for consumption by one or

many internal organizations, typically behind the firewall
tm
Classroom Discussion: Components

Slide 1-8
Which product provides the networking services in vCloud Director?
VMware vCloud Networking and Security servers provide the

networking services to vCloud Director.
To which VMware products does each vCloud Director server group

require access?
Each vCloud Director server group requires access to a VMware
vCenter Server system, a vCloud Networking and Security server,
and one or more VMware ESX/VMware ESXi hosts.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Classroom Discussion: Using vCloud Director

Slide 1-9
Course Introduction
What is an organization composed of?

Organizations are composed of users and groups, vApps, catalogs, and
organization VDCs.
What is the role of the organization administrator after the system

administrator sets up the organization?
The organization administrator logs in to the organization and sets it up,
configures resource use, adds users, and selects organization-specific
profiles and settings.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
VMware Online Resources

Slide 1-10
VMware Communities: http://communities.vmware.com
Start a discussion, and access communities and user groups.
VMware Support: http://www.vmware.com/support
Access the knowledge base, documentation, technical papers, and

compatibility guides.
VMware Education: http://www.vmware.com/education

Access the course catalog and worldwide course schedule.
Access information about advanced courses to continue on your
virtualization training path.
ail
.co
m
go
th
ic_
re
ad
er
ho
tm
For easy access to online resources, install the VMware toolbar.
10
vCloud Resources
Slide 1-11
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Course Introduction
www.vmware.com > Products > vCloud Director > Resources
11
Documentation Resources
ail
.co
m
Slide 1-12
go
th
ic_
re
ad
er
ho
tm
All documents referenced in

this course can be found at
http://www.vmware.com.
12
MODULE 2
Architecture and Components
Slide 2-1
Module 2
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
13
You Are Here

Slide 2-2

Resources

Components

Components

Users
ail
.co
m
Course Introduction
go
th
ic_
re
ad
er
ho
tm
14
Importance
Slide 2-3
A review of VMware vCloud Director architecture and all the

components needed to deploy vCloud Director provides context
before you learn how to install and configure it.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Module 2 Architecture and Components
15
Learner Objectives
Slide 2-4
By the end of this module, you should be able to meet the following
objectives:
Describe how VMware products use the cloud computing approach
Locate vCloud Director components and explain their functions
Determine licensing needs
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
16
vCloud Architecture (1)

Slide 2-5
ad
er
ho
tm
ail
.co
m
th
ic_
re
VMware vCloud is a VMware cloud solution built on VMware technologies and solutions to
deliver cloud computing. Cloud computing is a new approach to computing that leverages the
efficient pooling of on-demand, self-managed virtual infrastructure to provide resources consumable
as a service.
go
A simple cloud architecture might contain a VMware vCloud Director server group comprising
multiple servers. Each server can run a collection of services called a vCloud Director cell.
Each vCloud Director server group requires at least one VMware vCenter Server system, a
VMware vCloud Networking and Security server, and one or more VMware ESX or
VMware ESXi hosts. For each vCenter Server system managed by vCloud Director, there must
be one vCloud Networking and Security server.
All vCloud Director servers in the group share a single vCloud Director database. The group
connects to one or more vCenter Server systems and the ESX or ESXi hosts that they manage. One
vCloud Networking and Security server is needed for each vCenter Server system. vCloud
Networking and Security servers provide network security services and automatically deploy
VMware vShield Edge virtual appliances on demand from vCloud Director.
17

Slide 2-6
vCloud Director
Load Balancer
VMware vCloud API
vCloud Director Cell

vCloud Director
Web Console
NFS Server
End Users and

Administrators
vCloud Director Database
VMware vSphere
vCenter database
vCC
plug-in
vCloud Connector
Virtual Appliance
vCloud Networking and security and

vCNS Virtual Appliances
vCNS
vCloud
Agent
vCloud
Agent
vCloud
Agent
tm
vCloud
Agent
vCloud
Agent
Data
Collectors
vCenter
Chargeback
server
vCenter
Chargeback
database
vCenter
Chargeback
web interface
ho
vCloud
Agent
ail
.co
m
VMware vSphere
Web Client
vCloud
Agent
vCenter Chargeback
LDAP
vCenter Server
vCloud
Connector
ESX/ESXi
Hosts
ad
er
Datastores
th
ic_
re
The VMware vCloud Director Web console allows administrators and operators management
control of vCloud Director. The Web console and communications from the vCloud API system
should connect first to a load balancer. The load balancer routes the communication to one of
several vCloud Director cells.
go
All vCloud Director cells in the cloud share a common vCloud Director database. The vCloud
Director cells should also connect to a common NFS server. The NFS server is used as a temporary
storage facility for images and files that are uploaded into the vCloud Director catalog.
18

Slide 2-7
vCloud Director
Load Balancer
vCloud API

End Users and

Administrators
vCloud Director
Web Console
NFS Server
vSphere
VMware vCenter
Database
ail
.co
m
VMware vSphere
Web Client
vCloud Connector
Virtual Appliance
vCloud
Agent
vCloud
Agent
tm
vCloud
Agent
vCloud
Agent
vCenter
Chargeback
Database
vCenter
Chargeback
Web Interface
ho
vCloud
Agent
Data
Collectors
Datastores
ad
er
VMware ESX/
VMware ESXi
Hosts
vCloud
Agent
vCloud Networking and Security and

vShield Edge Virtual Appliances
vCenter
Chargeback
Server
vCloud
Agent
VMware vCenter
Chargeback
LDAP
VMware vCenter
Server
VMware
vCloud
Connector vCC
plug-in
(vCC)
re
The vCloud architecture graphic shows the core and the optional components of vCloud.
go
th
ic_
Other VMware components can be added to increase capabilities or control. One example is
VMware vCenter Chargeback. vCenter Chargeback provides resource metering and reporting
to facilitate resource showback/chargeback. vCenter Chargeback is composed of a vCenter
Chargeback server and vCenter Chargeback data collector.
VMware vCloud Connector is an optional component that helps facilitate the transfer of a
powered-off VMware vSphere vApp in Open Virtualization Format (OVF) format from a local
cloud or vSphere instance to a remote cloud or vSphere instance. vCloud Connector is a virtual
appliance that installs in vSphere and handles all the logic of working with other clouds. The GUI is
displayed in the VMware vSphere Web Client through the vCloud Connector browser plug-in.
19
Multiple Cell Architecture

Slide 2-8
Each Cell will have a different role automatically assigned.

Multiple cells provide load-balancing.
UI
API
VMRC
image
transfer
ail
.co
m
firewall
cell
cell
cell
cell
ho
cell
tm
load balancer
console proxy
cell
cell
image transfer
ad
er
core (UI/API)
cell
ic_
re
Each vCloud Director cell is automatically assigned a role. When communications requests come
into the load balancer requests fall into one of four major categories:
go
th
User Interface (UI). This is the main Web console that administrators and operators use to
manage vCloud Director.
API. The API consists of commands that can be issued to vCloud Director from other systems
and scripts through the API. Some commands and functions can only be issued though the API.
Virtual Machine Remote Console (VMRC). This is the pop-out console that an operator can
open on any virtual machine running in vCloud Director.
Image Transfer. This is the system that allows files and images like .ISO files to be uploaded
into vCloud Director.
A master cell (selected by vCloud Director) coordinates the role assignment to vCloud Director
cells.
20
vCloud Components: vSphere

Slide 2-9
Use vSphere Web Client for vSphere configuration and preparation.
vCenter Server and vCenter objects:
Data centers, host clusters, resource pools, vSphere distributed switches,

storage service levels
ESX/ESXi host configuration:
Virtual switches and networks

Datastores
vSphere resources, when attached, are managed by vCloud Director.

vCenter
Server
vSphere*
ail
.co
m
LDAP
vCenter
Server
Database
tm
vSphere Web Client
ho
ESX/ESXi
Hosts*
er
Datastores
ad
*minimum vSphere 4.0 U2 or 4.1
go
th
ic_
re
vCloud infrastructures rely on vSphere resources to provide CPU and memory to run virtual
machines. vCloud Director also uses vSphere distributed switches and vSphere port groups to
support virtual machine networking. vSphere datastores provide storage for virtual machine files
and other files necessary for virtual machine operations. These underlying vSphere resources are
used by vCloud Director to create cloud resources.
vCloud Director requires all workloads to be virtualized. Clusters enabled by VMware vSphere
Distributed Resource Scheduler (DRS) should be set to automatically balance the vCloud Director
deployed workloads across the physical compute resources of the DRS cluster.
NOTE
vCloud Director can be used with a VMware vSphere Enterprise Edition license. To use
vSphere distributed switches, you must have a VMware vSphere Enterprise Plus Edition
license.
21
Supported vCenter Server and ESX/ESXi Versions

Slide 2-10
For information about the supported versions of vCenter Server,

ESX/ESXi, and VMware vCloud Networking and Security, see the
VMware Product Interoperability Matrixes at
http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
vCenter Server 5.x is required for fast provisioning, hardware version

8, and virtual private network support with vCloud Director 5.5.
22
vCloud Components: vCloud Director

Slide 2-11
vCloud Director cell:

Runs on Red Hat Enterprise Linux
Runs cloud Web server portal for the vCloud Director Web console
Access to vSphere infrastructure can be on a private network segment for security

reasons.
Requirements:
Split between consumers (organization portals) and administrators (system)
Runs on a physical or a virtual machine. A virtual machine is preferred.
Connects to the vCloud Director database.
Connects to an LDAP server for user management.

Connects to an SMTP server for notifications.
Connects to an NFS server for VMware vSphere vApp file transfer service (multicell
environments).
vCloud API
ail
.co
m
vCloud API
VMware vCloud Director
Load Balancer
ho
tm
LDAP
End Users and

Administrators
vCloud Agent
To ESX/ESXi Host
vCenter Server
ad
er
SMTP
Server
vCD Web Console

go
th
ic_
re
A vCloud Director server group consists of one or more vCloud Director servers. These servers
share a common database and are linked to an arbitrary number of vCenter Server systems and ESXi
hosts. vCloud Networking and Security servers provide network services to vCenter Server and
vCloud Director. A vCloud Director server group includes multiple vCloud Director servers. Each
server can run a collection of services called a vCloud Director cell. All servers in the group share a
single database. The group connects to multiple vCenter Server systems and the ESXi hosts that
they manage. Each vCenter Server system connects to one vCloud Networking and Security server.
A Web-based portal for vCloud administrators provides the means to allocate and separate resources
into organizations. Administrators can set lease times to control how long vApps can run and be
stored. Administrators can also set quotas, which limit the number of virtual machines that an
organization can have.
A Web-based portal for each organization provides consumers with the means to create and manage
their own virtual machines. Access is controlled through a roles-based model set up by the
organization administrator.
23
vCloud Director Scaling

Slide 2-12
vCloud Director multicell environment:

HTTPS load balancer in front of cells
All cells share vCloud Director database.
vCloud Director cells scale horizontally.
NFS server for vSphere vApp file transfer service
Recommendation:
All cells are on a single site.

All infrastructure local to site.
ail
.co
m
vCloud Director Web console
load
balancer
vCloud Director
database
NFS
server
vCloud Director cells
ad
er
ho
tm
(points to single URL)
go
th
ic_
re
Scaling vCloud Director to large environments is supported by installing multiple vCloud Director
cells. Cell activities are coordinated through a shared database. One cell is designated as the
coordinator cell. All other cells are designated as subordinate cells. The coordinator cell designates
which services run on the subordinate cells. These designations are all done automatically by
vCloud Director.
Multiple cells require load balancing to manage heavy use of Web and remote consoles. Options
include configuring round-robin DNS or using a third-party load-balancing product.
A single cell can support many vCenter Server instances. These instances should all be in the same
site to avoid potential latency. You must also scale your vSphere deployment to provide the
resources necessary for the multiple vCloud Director cells.
vCloud Director cells are stateless front-end processors for vCloud. All cells connect to a central
database. Each cell has a variety of purposes and self-manages various functions among cells. The
cell manages connectivity to the cloud and provides both API and UI endpoints or clients.
24
Multiple cells (a load-balanced group) should be used to address availability and scale. This
addressing is typically achieved by load balancing or content switching the front-end layer. Load
balancers present a consistent address for services, regardless of the underlying node responding.
Load balances can spread session load across cells, monitor cell health, and add or remove cells
from the active service pool.
ail
.co
m
tm
ho
@
er
ad
re
ic_
th
go
25
In general, any load balancer that supports SSL session persistence and has network connectivity to
the public-facing Internet or internal service network can perform load balancing of vCloud Director
cells. General concerns around performance, security, manageability, and so on should be taken into
account when deciding to share or dedicate load balancing resources.
If your vCloud Director installation includes multiple cloud cells running behind a load balancer or
a network address translation (NAT) device, or if the cloud cells do not have publicly-routable IP
addresses, you can set a public console proxy address. During the initial configuration of each cloud
cell a remote console proxy IP address is specified. By default, vCloud Director uses that address
when a user attempts to view a virtual machine console. To use a different address, specify a public
console proxy address.
vCloud Director Components: vCloud Director Web Console

Slide 2-13
Windows Internet Explorer, Mozilla Firefox, or Google Chrome

Supporting Adobe Flash Player 10.2 or later, 32-bit version
RFB-based consoles for virtual machine guest operating system
console
ad
er
ho
tm
ail
.co
m
Web browserbased interface for consumers and administrators:
go
th
ic_
re
The Remote Framebuffer (RFB) protocol is used by the vCloud Director Web console. VMware
encrypts RFB for security. Virtual Network Computing (VNC) is a common implementation of
RFB, but VMware does not use VNC code.
26
vCloud Components: vCloud API

Slide 2-14
Submitted to DMTF
RESTful API
retrieve representation of resource

without side effects
PUT
update representation of resource
POST
create new resource or execute

action on resource
DELETE
destroy resource
cloud layer
cloud layer
ail
.co
m
vCloud API
Implemented in vCloud Director
GET
Open standard for cloud interaction:
Pure-virtual API to interact at

the cloud layer
virtualization layer
VIM API
tm
Control vSphere resources

based on physical resources.
client
ad
er
ho
physical layer
go
th
ic_
re
The vCloud API is an interface for providing and consuming virtual resources in the cloud. It
enables deploying and managing virtualized workloads in private, public, and hybrid clouds. The
vCloud API enables the upload and download of vApps and their instantiation, deployment, and
operation. In 2009, VMware submitted the vCloud API to the Distributed Management Task Force
to promote consistent mobility, provisioning, management, and service assurance of applications
running in internal and external clouds.
The vCloud API uses a Representational State Transfer (REST) application development style.
vCloud API clients and servers communicate over HTTP, exchanging representations of vCloud
objects. These representations take the form of XML elements. HTTP GET requests are used to
retrieve the current representation of an object. HTTP POST and PUT requests are used to create or
modify an object. HTTP DELETE requests are typically used to delete an object.
27
vCloud Director Components: vCloud API

Slide 2-15
User API:
vCloud API open standard
Used to perform tasks in and control what can be done through the vCloud
Director consumer portal.
The vCloud Director implementation of the vCloud API open standard
Administrative API:
Used to perform tasks in and control what can be done through the vCloud
Director administrator portal.
Specific to vCloud Director
Extensions:
ail
.co
m
vSphere platform operations
ho
tm
POST http://vcloud.example.com/api/v1.0/vApp/vapp-7/action/undeploy
Content-type: application/vnd.vmware.vcloud.undeployVAppParams+xml
...
<UndeployVAppParams saveState="true" xmlns="http://www.vmware.com/vcloud/v1"/>
ad
er
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...
<Task href="http://vcloud.example.com/task/201"...>
go
th
ic_
re
The vCloud API allows for interacting with a cloud and can be used to facilitate communication
with vCloud Director using a UI other than the portal that is included with vCloud Director. The
vCloud API is the cornerstone of federation and ecosystem support in a vCloud environment. All the
current federation tools communicate with the vCloud environment through the vCloud API. The
ISV ecosystem also uses the vCloud API to enable its software to communicate with vCloud
environments. Having a vCloud environment expose the vCloud API to the cloud consumer is
important.
Currently, vCloud Director is the only software package that exposes the vCloud API. In some
environments, vCloud Director is deployed behind a portal or in another location not readily
accessible to the cloud consumer. In this case, an API proxy or relay must be present to have the
vCloud API exposed to the end consumer.
Because of the value of the vCloud API, some environments might want to meter API usage and
charge extra for it to customers. Protecting the vCloud API through audit trails as well as API
inspection is a good idea. Cloud providers can extend the vCloud API with new features.
28
The vCloud API, included with vCloud Director, consists of a user API, an administrative API, and
extensions:
The user API is the vCloud Director implementation of vCloud API open standard. An
administrator can use this API to perform and control activities done through the vCloud
Director organization Web consoles.
The administrative API is specific to vCloud Director. An administrator can use this API to
perform and control activities done through the vCloud Director administrator portal.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Extensions enable administrators to perform VMware vSphere platform operations.
29
vCloud Components: vCloud Networking and Security

Slide 2-16
vCloud Networking and Security is responsible for deploying and managing

VMware vShield Edge devices as requested by vCloud Director:
vShield
Edge
vShield
Edge
Firewall and router device that

provides network and security services
Deployed automatically by vCloud Director through vCloud Networking and Security
Deployed to vSphere hosts as a virtual appliance
ad
vCNS
system
tm
vShield Edge:
manager UI
vShield
Edge
ho
Virtual appliance
Runs management interface
Aggregates usage data for chargeback
One vCloud Networking and Security
server per attached vCenter
Server system
Edge gateway and vApp network devices

Connects to the vCenter Server system through the VMware vSphere API for vShield
Edge deployment
Manages configurations through
VMware VIX API
vCloud Networking and Security
ail
.co
m
er
th
ic_
re
vCloud Director uses vShield Edge appliances to secure multitenancy. vShield Edge also provides
NAT, DHCP, firewall, port forwarding, and IP masquerading services. vCloud Director works with
vCloud Networking and Security to deploy a vShield Edge device as part of the network creation
process. These appliances run on vSphere hosts.
go
Each vCenter Server system is connected to a vCloud Networking and Security host. vCloud
Networking and Security is a Linux-based virtual appliance that deploys and manages vShield Edge
devices as requested by vCloud Director. vCloud Networking and Security also aggregates usage
data for vCenter Chargeback.
vShield Edge appliances are deployed automatically by vCloud Director through vCloud
Networking and Security as needed. vShield Edge appliances reside in the vCloud consumer
resource clusters, not in the management cluster. vShield Edge appliances are placed in a system
resource pool by vCloud Director and vCenter Server. For more information about the vShield Edge
appliance and its functions, see vCloud Suite Documentation at https://www.vmware.com/support/
pubs/.
30
vCloud Components: vCenter Chargeback

Slide 2-17
vCenter Chargeback server:
ail
.co
m
Data collector:
tm
Gathers usage data

Populates vCenter Chargeback
database
vCenter
Server
ho
Interface access:
vCenter
Chargeback
Web Interface
vCloud
Director Cell
Web interface
VMware vSphere Client plug-in
vShield
Manager
vCenter
Database
vCenter
Chargeback
Server
Data
Collectors
LDAP
vCenter
Chargeback
Database
SMTP Server
ad
vCenter Chargeback database
Runs Web portal (Apache Tomcat server) for users and administrative
interface
Abstracts vCenter Server and vCloud Director objects into the vCenter
Chargeback hierarchy
Allows resource cost assignment aligned to vCloud Director resource
allocation models
Generates cost and usage reports
Built-in load balancer for scaling vCenter
vCenter Chargeback
vCloud
Director
Chargeback servers
vSphere
Client Plug-In
Database
er
th
ic_
re
vCenter Chargeback helps to accurately assign, measure, and analyze the cost of workloads in a
vCloud environment. The diagram illustrates how the architectural components of vCenter
Chargeback integrate with other vCloud components.
go
vCenter Chargeback includes four main components:

vCenter Chargeback runs on an Apache Tomcat server instance. The user interacts with the
vCenter Chargeback application through a load balancer (Apache HTTP server). vCenter
Chargeback connects to a vCenter Chargeback database that stores application-specific
information.
vCenter Chargeback retrieves the virtual infrastructure inventory and the resource and network
usage information through data collectors. An embedded data collector communicates with the
vCenter Server database. vCloud infrastructures also use the optional vCloud Director and
vCloud Networking and Security data collectors. vCenter Chargeback replicates collected data
in the vCenter Chargeback database. vCenter Chargeback uses this information and the cost
model and chargeback cost calculation formulas to generate cost reports.
31
When you install vCenter Chargeback, the vCenter Chargeback application, the load balancer,
and the data collectors are installed and run on the same machine. Although the vCenter
Chargeback database can also be installed on the same machine, in a real-world scenario you
install the application and the database on separate machines.
A single data collector instance replicates the information to the vCenter Chargeback database
from multiple vCenter Server instances and vCloud Director databases. You can also create a
cluster of vCenter Chargeback instances that share a single load balancer. Each user request is
routed through the load balancer. The load balancer forwards the request to a vCenter
Chargeback instance in the cluster based on the number of requests currently being serviced by
each instance in the cluster. All the vCenter Chargeback instances in a cluster are connected to
the same vCenter Chargeback database.
The vCenter Chargeback database stores the following chargeback-specific information:
ail
.co
m
vCenter Chargeback hierarchy

vCenter Chargeback users and roles
Cost models and usage metrics
tm
Configuration settings
ho
Three types of vCenter Chargeback data collectors are provided:
er
vCenter Chargeback data collector (polls vCenter Server)
ad
vCloud data collector (polls vCloud Director)
re
vCloud Networking and Security data collector (polls vCloud Networking and Security)
go
th
ic_
These data collectors collect vCenter Server inventory and vCloud Director organizational
information, poll usage information, and populate vCenter Chargeback database through
synchronization jobs. The first instance is installed on the vCenter Chargeback server when you
install vCenter Chargeback.
The vCenter Chargeback Web interface is Web browser-based interface for users and administrators.
The vCenter Chargeback plug-in for the VMware vSphere Client provides limited vCenter
Chargeback administration. Only a subset of the Web interface capabilities are available and the
vCenter Chargeback hierarchy is replicated from the vCenter Server hierarchy.
32
vCenter Chargeback Scaling

Slide 2-18
vCenter Chargeback servers:
The load balancer spreads load from requests across multiple vCenter
Chargeback servers.
Configure additional installations of vCenter Chargeback server to connect

with the built-in load balancer that is included in the first instance.
vCenter Chargeback
server 2
First instance is installed with vCenter Chargeback server (option selected).
tm
ho
Multiple data collectors can populate a single vCenter Chargeback

database.
The load is evenly distributed if multiple data collectors are enabled.
ad
Multiple instances can be installed and configured separately.
er
vCenter Chargeback
server 3
ail
.co
m
Data
load balancer
vCenter Chargeback
(built-in)
Web interface
vCenter
Chargeback
server 1
collectors:
th
ic_
re
vCenter Chargeback virtual machines can be deployed as a two-node, load-balanced cluster.

Multiple vCenter Chargeback data collectors can be deployed remotely to avoid a single point of
failure.
go
These deployments have no effect on infrastructure availability or customer virtual machines.

Configuring vCenter Chargeback servers in a cluster configuration ensures that providers can
accurately produce customer billing information and usage reports. Configuring vCenter
Chargeback in a cluster configuration is not required for maintaining workload accessibility.
33
Optional Advanced Message Queuing Protocol Broker

Slide 2-19
An open standard for message queuing

Supports flexible messaging for enterprise systems
RabbitMQ is an AMQP broker.

AMQP is used to provide cloud operators with a stream of notifications
about events in the cloud.
The use of an AMQP broker with vCloud Director is optional.
ad
er
ho
tm
ail
.co
m
Advanced Message Queuing Protocol (AMQP)
ic_
re
vCloud Director includes an AMQP service that you can configure to work with an AMQP broker
such as RabbitMQ.
th
If you want to use this service, you must install and configure an AMQP broker.
go
Many integrations require AMQP to communicate with vCloud Director.

Consult the installation and configuration documents for any integrations you plan to use.
34
vCloud Components: vCloud Connector

Slide 2-20
The vCloud Connector appliance is a Tomcat server and embedded

Postgres database to bridge vCloud Director and vSphere environments.
vCloud Connector uses temporary storage to facilitate file transfer.
2
vCloud Connector plug-in for vSphere Client:

Unified view across vSphere and private and public clouds
Visualize workloads and templates
Migrate workloads and templates:
vSphere to and from vSphere
vCloud Director to and from vCloud Director
Perform basic power and deployment operations

on workloads and templates
Access VMware Remote Console
in vCloud Director
ad
er
vSphere to and from vCloud Director
ail
.co
m
tm
vCloud Connector appliance:
ho
ic_
re
vCloud Connector is an optional component that can facilitate transfer of a powered-off vApp in
OVF format from a local cloud or vSphere environment to a remote cloud or vSphere environment.
go
th
As more clouds are created, several clouds from different sites in a private enterprise can form a
larger cloud. Or a private cloud and a public cloud can form a hybrid cloud. Cloud consumers need a
way to migrate workloads in a federated cloud.
vCloud Connector solves this problem by enabling you to perform migrations from all of your
public clouds and private clouds and to obtain a consistent view of them from a single interface.
vCloud Connector must be installed by cloud administrators, but it can be used by other
administrators and end users to view and manage workloads.
After vCloud Connector has been deployed to a vSphere host and registered with a vCenter Server
system, end users can access vCloud Connector under Solutions and Applications in the vSphere
Web Client from which the OVF file was deployed.
Even in environments not running vCloud Director, vCloud Connector can still be used to copy and
move vApps.
If both vCenter Server instances are added as clouds in vCloud Director, you can freely move
workloads between them.
35
vCloud Connector Architecture

Slide 2-21
local cloud or vSphere
remote cloud
vSphere Client
with vCloud
Connector plug-in
public cloud
private cloud
vCloud
Director
vCloud Director
vCenter
Server
ho
tm
attached storage
/opt/vmware/vccp/staging
(initial configuration =
40GB)
ail
.co
m
vApp
vCloud
Connector Virtual
Appliance
ad
er
vSphere
th
ic_
re
vCloud Connector is a virtual appliance. vCloud Connector installs in vSphere and handles all the
business logic of dealing with other clouds. The vCloud Connector UI is displayed in the vSphere
Web Client through a browser plug-in.
go
You have two considerations about where to place your vCloud Connector appliance:
The virtual appliance must be deployed to a vCenter Server system. The only user access is
through the vSphere Web Client, so users of vCloud Connector must have the right to log in to
this vCenter Server system.
Workload copy operations use the vCloud Connector appliance as a middleman, so network
latency and bandwidth between clouds must be considered. In some cases, you might prefer to
run multiple instances of vCloud Connector across multiple vCenter Server instances to avoid
network latency or consuming excessive bandwidth.
36
Management and Cloud Resource Clusters

Slide 2-22
Management Cluster
Cloud Resources
Provider Virtual Data Center
vCloud infrastructure virtual machine:
vCloud Director cell virtual machines

vCenter Chargeback server virtual machines
vCloud Networking and Security virtual appliance
vCenter database virtual machines
vCloud Director database virtual machine

vCenter Chargeback database virtual machine
Load balancer virtual machines for vCloud Director cells
VMware vSphere Data Protection virtual machine
vCloud Connector virtual machines

VMware vSphere Update Manager virtual machines
vSphere resources are managed by vCloud Director.

Each resource collection represents one or more provider
VDCs.
ho
VMware vSphere Management Assistant virtual

machine
tm
Optional management functions:
Cloud resources are exclusively for cloud user workloads:

No management virtual machines (except vShield Edge
virtual appliances deployed automatically).
ad
er
vCenter Server virtual machines
ail
.co
m
th
ic_
re
A management cluster is a VMware vSphere High Availability or DRS cluster that is created to
manage a vCloud architecture. A management cluster contains the standard components of ESXi
hosts and a vCenter Server system. A management cluster has its own storage. The storage must be
shared storage that is used to store the virtual machines running the management cluster.
go
The management cluster resides on a single physical site.

Although VMware recommends that you place management components in a management cluster,
you can choose how many management components to place in that cluster. For example, the
vCenter Server systems and vCloud Networking and Security instances might be hosted either in the
management cluster or in their respective resource clusters.
vSphere High Availability and DRS can be enabled on the management cluster to provide
availability for all management components. For vSphere High Availability, use the Percentage as
Cluster Resources Reserved admission control policy in an n+1 fashion instead of defining the
amount of host failures a cluster can tolerate or specifying failover hosts. This approach allows
management workloads to run evenly across the hosts in the cluster without the need to dedicate a
host strictly for host failure situations. For higher availability, you can add a host for an n+2 cluster,
although doing so is not a requirement of the vCloud private or public service definitions.
37
The resources of vCenter Server clusters host cloud workloads. These resources will be allocated by
vCloud Director as provider datacenters.
The management cluster and vCloud consumer resources must reside on the same physical site. The
use of a single site ensures a consistent level of service. Otherwise, latency issues might arise if
workloads must be moved from one site to another.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Do not use the vSphere Web Client to make changes to resource group objects. Changing the state
of objects created by vCloud Director can cause unpredictable side effects because these objects are
owned and managed by vCloud Director.
38
vCloud Architecture Best Practice

Slide 2-23
Underlying vSphere clusters should be split into two logical groups:
Reasons to organize and separate the vSphere resources
ad
er
ho
To ensure that management components are separate from the resources

they are managing.
To minimize overhead for cloud consumer resources. Resources allocated
for cloud usage have little overhead reserved.
Cloud resource groups should not host vCenter Server virtual machines that
are not created and managed by vCloud Director.
ail
.co
m
A single management cluster running all core components and services

needed to run the cloud.
Remaining available vCenter Server clusters should be used as cloud
resources. The VMware best practice is to use each cluster (resource pool)
in a single provider virtual data center.
Each vCloud Director cell should have a corresponding vCenter Server.
tm
th
ic_
re
From an infrastructure perspective a vCloud Director cloud is built on a foundation of virtual

infrastructure. vCloud Director cloud components are split between a management cluster and cloud
consumer resources.
go
When building a vCloud Director cloud, assume that all management components, such as vCenter
Server and vCenter Chargeback, will run in virtual machines.
The best practice is to separate resources allocated for management functions from pure userrequested workloads. The underlying vSphere clusters should also be split into two logical groups:
A single management cluster running all core components and services needed to run the cloud.
The remaining available vCenter Server clusters should be aggregated into a pool called cloud
consumer resources. These clusters are under the control of vCloud Director. Multiple clusters
can be managed by the same vCenter Server system or different vCenter Server systems, but
vCloud Director manages the clusters through the vCenter Server systems.
Why should the vSphere resources be organized and separated? Reasons include the following:
To ensure that management components are separate from the resources that they are managing.
39
To minimize overhead for cloud consumer resources. Resources allocated for cloud use have
little overhead reserved.
To dedicate resources to the cloud. Resources can be consistently and transparently managed
and divided. Resources can also be scaled horizontally.
To more easily accommodate different service levels for distinct workload types.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
The underlying vSphere infrastructure should follow vSphere best practices.
40
Licensing Considerations
Slide 2-24
vCloud Director requires the following vSphere licenses:
vCloud Networking and Security can require a separate license (unless

a VMware vCloud Suite license is used).
A vCloud Suite license can be used for vCloud Networking and Security
and ESXi hosts.
ad
er
ho
tm
VMware vSphere Distributed Resource Scheduler, licensed by VMware

vSphere Enterprise Edition and VMware vSphere Enterprise Plus
Edition.
VMware vSphere Distributed Switch and dvFilter, licensed by vSphere
Enterprise Plus Edition. This license enables creation and use of vCloud
Director isolated networks and VLAN IDbacked network pools.
ail
.co
m
go
th
ic_
re
Without distributed switches, vCloud Director cannot dynamically create networks or effectively use
network pools.
41
Review of Learner Objectives

Slide 2-25
You should be able to meet the following objectives:

Describe how VMware products use the cloud computing approach
Locate vCloud Director components and explain their functions
Determine licensing needs
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
42
Key Points
Slide 2-26
Load balancing is recommended for multicell architectures.

Cells in a multicell architecture have various roles.
Large architectures should be divided into management clusters and

resource groups.
Separate management from raw cloud resources.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Questions?
43
ail
.co
m
tm
ho
@
er
ad
re
ic_
th
go
44
MODULE 3
VMware vCloud Director Networking 3

g
Slide 3-1
Module 3
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
45
You Are Here

Slide 3-2

Resources

Components

Components

Users
ail
.co
m
Course Introduction
go
th
ic_
re
ad
er
ho
tm
46
Importance
Slide 3-3
Deployment and management of VMware vCloud Director requires

a comprehensive understanding of vCloud Director networking
configuration options. The subject of VMware vCloud networking
touches many key cloud computing concepts:
Multitenancy (separation of organization and vApp network traffic)
Connection of VMware vSphere vApps to outside users (external

networks, organization virtual data center networks, and vApp
networks)
Ability of customers to deploy networks dynamically (network pools)
ail
.co
m
go
th
ic_
re
ad
er
ho
tm
In this module, you learn about the types of vCloud Director networks
and services.
Module 3 VMware vCloud Director Networking
47
Module Lessons
Slide 3-4
Types of Networking Used in vCloud Director
Lesson 2:
Network Address Translation and Fencing
Lesson 3:
vCloud Director Network Pools
Lesson 4:
vCloud Director Networking Objects in vSphere
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 1:
48
Lesson 1: Types of Networking Used in vCloud Director

Slide 3-5
Lesson 1:
Types of Networking Used in vCloud
Director
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
49
Learner Objectives
Slide 3-6
By the end of this lesson, you should be able to meet the following
objective:
Describe the types of networking found in vCloud Director
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
50
vCloud Director Networks

Slide 3-7
External networks
Organization virtual data center (VDC) networks
vApp networks
Organization VDC networks and vApp networks can be configured in

one of three configurations:
Direct-connected to higher network level
Router-connected to a higher network level
Isolated (no connections to higher networks)
vApps that direct-connect to an organization can be deployed by using

network fencing.
ad
er
ho
tm
vCloud Director creates three types of networks:
ail
.co
m
ic_
External networks
re
Three types of networks are in VMware vCloud Director:
th
Organization virtual data center (VDC) networks
go
VMware vSphere vApp networks

The organization VDC networks and vApp networks operate at the customer level. The vApp
networks must be connected to organization VDC networks if you need the following:
vApps to communicate to other vApps in the organization
A vApp to communicate with something outside of the cloud (such as the Internet)
Organization networks tie vApps together, so they can communicate outside the cloud by connecting
them to external networks.
vApp networks provide connectivity and services to the virtual machines contained in the vApp, and
can connect those machines to a higher-level organization VDC network.
Both organization VDC networks and vApp networks can be isolated. Isolated networks can provide
services to the connected virtual machines and internal networks, but do not connect to a higherlevel network.
51
Customer Network Requirements and Network Stability

Slide 3-8
Network engineers like stable networks that change very little:
Network customers like dynamic networks:
tm
We need a new network for a special research group. We want them to

have direct internet access.
We need a new network for Q&A. It needs the same IP addresses as the
production network.
We need a new network to test marketing. It needs Internet access, but it
also needs to be protected.
We need a new network to control production equipment on the factory
floor. This custom production line must be online immediately. We want the
following IP addresses.
ail
.co
m
vCloud Director can provide dynamic networks to customers without

damaging the stability of corporate IT network systems.
ad
er
This provides higher quality of service for customers.

Networks are easier to manage and maintain.
ho
Corporate networks can be very complex systems.
go
th
ic_
re
Cloud networking addresses a fundamental paradox. Corporate networks can be complex systems.
These networks can be composed of hundreds or even thousands of physical network switches,
routers, bridges, firewalls, and other devices. Each individual physical network device can have
hundreds to thousands of programmable components. This large number of complex programmable
components means that networks are extremely complex interconnected systems.
Teams of network engineers work hard to keep these complex interconnected systems stable and
performing well. This means that network engineers are going to resist change. The best network
engineers insist upon using structured change management systems to make sure that all changes are
carefully planned, tested, and coordinated before being implemented.
Network engineers like stable networks that do not change much. Stable systems result in higher
quality of service for customers. Stable systems are also which easier to manage and maintain.
In contrast, network customers like dynamic networks. They have constantly changing network
needs and requirements. These needs usually require the rapid deployment of new network systems.
The configuration requirements of these networks are diverse depending on what the customer is
using the network to support.
52
From the viewpoint of the customers, the best solution is for customers to have the power to
instantly deploy their own networks. But customers do not have the knowledge or the expertise to
deploy and manage these networks.
From the viewpoint of the network engineers, the best solution is to have networks that never
change. But such networks do not meet the needs of the customers.
VMware vCloud can provide dynamic network creation and deployment on a rapid basis to
customers without damaging the stability of corporate IT network systems.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
53
Network Layers of Responsibility and Capability

Slide 3-9
Cloud Customer/Organization VDC Network Layer
Managed by cloud organization and vApp administrators
Very dynamic, responds rapidly to customer needs without
causing problems for physical network administrators
Organization administrators can create and manage certain
types of organization VDC networks.
vCloud Network Layer
vCloud Director
Managed by vCloud (provider) administrators

Built on options available in the VMware vSphere network
layer
vSphere Network Layer
ail
.co
m
VMware vSphere Distributed Resource

Scheduler or VMware vSphere High
Availability cluster
Managed by vSphere administrators
VMware ESXi
ESXi
tm
Much more flexible than physical networking, but must

remain stable and change slowly
Physical Network Layer
Internet
er
Physical switch and firewall configuration, design and

management of IP address ranges, WANs, LANs,
VLANs, and so on
ho
Managed by corporate IT network engineers
ad
Static and stable environment
re
Cloud networks are built on a layered structure that distributes responsibility and capability.
go
th
ic_
At the bottom of the structure is the physical network layer. The physical layer is managed by the
corporate IT network engineers. The physical layer includes physical switch and firewall
configuration, design and management of IP address ranges, WANs, LANs, VLANs, and so on. All
are carefully controlled and managed by network engineers. The physical network environment is as
static and stable as the network engineers can possibly make it.
The next layer is the VMware vSphere network layer. The vSphere network layer is managed by
vSphere administrators using VMware vCenter Server systems and VMware ESXi hosts.
The vSphere network layer is composed of standard switches and distributed switches. These
switches connect through the physical network interface cards (NICs) of the ESXi hosts to the
physical network layer. These network configurations should be carefully coordinated between the
vSphere administrators and the network engineers. The vSphere network layer is more dynamic and
flexible than the physical network layer.
The next layer is the cloud network layer. Here the vCloud Director system administrators create
external networks that connect to vSphere network systems (port groups on distributed switches).
The administrator of VMware vCloud can then design organization VDC networks and network
pools to provide cloud tenants with flexible means to create and deploy networks in vCloud.
54
The final layer is where the vCloud customers (organizations) operate. Customers can use the
organization VDC networks and network pools to create vApp networks and interconnect them.
They create and interconnect vApp networks rapidly and easily, without disrupting the physical
networks that all of these networking layers are built on. With vCloud Director version 5.1,
organization administrators can create and manage routed and isolated organization VDC networks.
With the advent of edge gateways, a system administrator can establish a wider boundary of
delegation to organization administrators without sacrificing critical communication boundaries.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
55
External Networks
Slide 3-10
External networks are used to provide a connection outside

the cloud, usually to the Internet.
External networks are built on vSphere port groups.
Internet
Organization VDC networks can connect to external

networks directly or through an edge gateway router.
External networks can be dedicated to a single organization or
shared by multiple organizations.
Several external networks can co-exist on the same

physical LAN when separated by VLANs.
external network
ail
.co
m
tm
edge gateway
organization B
ad
er
ho
organization A
edge gateway
go
th
ic_
re
External networks are logical, differentiated networks based on vSphere port groups. These port
groups include distributed switch port groups, standard switch port groups, and Cisco N1000V port
groups. Each port group can become a single external network. The best practice is to use port
groups on distributed switches. A single distributed switch can have several port groups in it. Each
port group can provide a connection point for a different external network. If you plan to create
multiple external networks, the port groups should be separated by VLANs. The port groups must
be created in vCenter Server and must already exist before vCloud Director can use them for
external networks.
Even though this network is called an external network, a connection to the Internet is not required.
An external network is external to vCloud organizations. You can create an external network that is
used to connect multiple ESXi hosts to other internal corporate resources without a route to the
Internet.
If you must provide vApps in the cloud with access to the Internet, create an external network that is
connected through a gateway router to the Internet.
Port groups in a VMware vSphere Distributed Resource Scheduler or VMware vSphere High
Availability cluster that is managed by vCloud Director do not have to be used for external
networks. Many of those networks are for purposes outside of vCloud Director. One example of a
56
network that is not used directly by vCloud Director would be a network that provides IP storage to
ESXi hosts. Another example would be a management network used for the internal administration
of ESXi hosts and vCenter Server systems.
External networks can also be used to connect organizations together, either by use of a common
network that both organization edge gateways connect to, or an upstream router.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
57
External Networks: Built on vSphere Port Groups

Slide 3-11
Internet
ESXi01
ESXi02
tm
distributed switch: vDS-External
172.20.11.52
vmnic1
ail
.co
m
vmnic1
172.20.11.51
production network 172.20.11.0/24
ho
port group: External
ad
er
external network
th
ic_
re
Visualizing how external networks at the provider level are built off vSphere networks is important.
Here you can see that external network, a provider-level external network, is built off a port group
named External. The External port group is located in the vDS-External distributed switch. The
ESXi01 and ESXi02 hosts are connected to the VDC production distributed switch.
go
The physical NICs on ESXi01 and ESXi02 are both labeled as vmnic1 on these two hosts. The
vmnic1 NIC on ESXi01 has been assigned an IP address of 172.20.11.51. The vmnic1 NIC on
ESXi02 has been assigned an IP address of 172.20.11.52. Both of these physical NICs are connected
to a physical network known as the production network. The production network has been assigned
a network Classless Inter-Domain Routing (CIDR) of 172.20.11.0/24.
External networks connect to port groups that have been defined on vSphere virtual switches. If you
plan to use a vSphere port group for a vCloud external network, increase the number of ports from
the default value of 128 to 4096.
The best practice is to use only distributed switches. Distributed switches are automatically
consistent in names and port groups on all ESXi hosts in a cluster. vCloud Director can use them
with dynamic provisioning.
vCloud Director supports the Cisco Nexus v1000. However, the v1000 does not work with VLAN
or vCloud Director isolated network backed network pools. The v1000 requires network pools that
58
are backed by port groups. The port groups must be preprovisioned. The best practice is to use
distributed switches with all network pools, including network pools that are backed by port groups
and used to support Cisco Nexus v1000 switches.
A standard switch can be used with vCloud Director external networks. Standard switches are
supported, but not recommended. If you are using standard switches, then all the port groups have to
be created accordingly on all the ESXi hosts in advance.
You can use standard switches with network pools that are backed by port groups, but doing so is
also not recommended.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
59
Organization VDC Networks

Slide 3-12
Direct-connect network:
external network
organization VDC network
external network
An extension of an external network

Cannot be created or managed by the
organization administrator
Routed networks:
network A
network B
network C
Organization administrator can create

and manage multiple routed networks.
Managed separately, represent an edge
gateway interface
ail
.co
m
edge gateway
Separate DHCP ranges and static IP

pools
tm
Isolated networks:
vShield
Edge
ho
VMware vShield Edge is deployed.
ad
er
network
Organization administrator can create

and manage multiple isolated networks.
re
The types of organization VDC networks are:
go
th
ic_
Direct-connect organization VDC networks: Created by the vCloud Director system

administrator and cannot be changed or managed by the organization administrator. A directconnect organization VDC network is a literal extension of a specific external network.
Routed organization VDC networks: Connect to an edge gateway device (router). The vCloud
Director system administrator must create each edge gateway. Only a vCloud Director system
administrator can manage external connections to the device. After an edge gateway has been
created for an organization, the organization administrator can create as many routed networks
as necessary, within the limitations of the edge gateway device that have been defined by the
vCloud Director administrator. An edge gateway can support 10 networks.
Isolated organization VDC networks: Do not connect to an edge gateway and thus cannot
connect to an external network nor connect to other organization VDC networks. An isolated
network is managed through an Edge device that provides DHCP and static IP services to a
single internal network.
Organization users can attach routed vApp networks to each type of organization VDC network, or
direct-connect vApps to each type of network.
60
Direct-Connect Organization VDC Network

Slide 3-13
Static IP Pool
Only
External Network
Organization VDC Network
DHCP and firewall services are not available, only static IP pool.
ail
.co
m
Organization users can attach vApps and vApp networks.

vApp networks attach to a vShield Edge Gateway device, which
consumes one IP address.
Fencing is recommended to avoid MAC and IP conflicts and to add firewall

protection.
ad
er
tm
Direct-connect vApps can attach many virtual machines, which can

consume many IP addresses:
go
th
ic_
re
Direct-connect organization VDC networks can be created and managed only by a vCloud Director
system administrator. An organization administrator has no control over the network characteristics
and network services for direct-connect organization VDC networks. Because a direct-connect
organization VDC network is a literal extension of an external network, many services are not
available, such as DHCP and firewall.
Direct-connect organization VDC networks use an external network to connect directly to the
Internet or to systems external to the cloud. For some single servers (such as small Web servers),
using an external type of network is the best solution because it does not need internal
communication. For administrative purposes, a customer can connect through SSH or remote
desktop directly to servers on this type of network.
If a vApp is direct-connected, either the vApp IP addresses must be statically configured or a DHCP
server must be connected to the external network with IP addresses. If vApp addresses are statically
configured, they should use the same subnet that the external network is using. Direct connected
vApps should be fenced when connecting to external networks to prevent MAC or IP addresses
conflicts.
When the vCloud administrator creates a direct-connect organization VDC network, no visible
changes in the vSphere environment occur. External networks have already been created by the
61
This network can be created and managed only by a system

administrator.
ho
A direct-connect network is a
literal extension of an external
network.
vCloud administrator. Networks that are direct-connected have no VMware vShield Edge
devices deployed to provide network address translation (NAT) or firewall services.
Direct-connect organization VDC networks depend on systems that are external to vCloud to
provide network support. These systems include systems such as DHCP and DNS. vApp
administrators can also manually configure the TCP/IP configuration of virtual machines, which are
connected (through vApp networks) to direct-connected organization VDC networks. The vApp
network might also be direct-connected. The vApp administrator must configure the virtual machine
network settings carefully to match the network configuration in use on the external network.
Directly connecting systems to the Internet without firewall protection is not recommended. You can
fence the vApp, which does provide firewall services.
ail
.co
m
vCloud administrators should also be aware that when multiple organization VDC networks are
direct-connected to the same external network, all network traffic on all of these networks is visible.
That visibility can violate the cloud principle of multitenancy.
Direct-connection networks must be used with extreme caution.
NOTE
go
th
ic_
re
ad
er
ho
tm
The vCloud Director GUI refers to external networks at both the provider and organization level. To
prevent confusion, refer to an external network that is outside organizations as a provider external
network. External networks that are inside organizations are either organization direct-connected
networks or organization external networks.
62
Isolated Organization VDC Networks

Slide 3-14
X
DHCP,
Static IP
Pool
An isolated network consists of a

vShield Edge device for DHCP and
other services and does not
connect to an external network.
vShield
Edge
Network
ail
.co
m
A vShield Edge device is deployed for DHCP and static IP pool

services.
vApp networks
Virtual machines of direct-connect vApps
ho
tm
Consumers
An isolated network does not consume an edge gateway interface.
ad
er
Organization users can attach vApps and vApp networks.
An organization administrator can create and manage this type of

network.
th
ic_
re
An organization administrator can create any number of isolated organization VDC networks. An
isolated organization VDC network is defined as a single subnet with an Edge device providing
services. The isolated network Edge device cannot be connected to an external network or to any
other organization VDC network.
go
If a customer does not want certain vApps to have a connection to the Internet, external networks, or
other organization VDC networks, using an isolated network is the best practice. The use of isolated
internal vApp networks is possible if the virtual machines require only internal communication with
each other. Examples of internal networks include networks for test systems and vApps that are used
only for high numbers of computations. Administration of virtual machines connected exclusively to
internal networks is possible only through a local console connection. Virtual machines can still
have multiple network interfaces. Having multiple interfaces enables a virtual machine to
communicate privately over a local-only internal network while also accessing the Internet or other
organization VDC network through a second interface.
An isolated network Edge device does not provide firewall or routing services. If virtual machines in
different vApps must communicate with each other, you must configure NAT features on each vApp
network Edge device to do the following:
63
Obfuscate the internal vApp networks

Define static routes on the vApp network Edge devices
Direct-connect the vApps to the isolated network
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
When direct-connecting vApps, consider fencing the vApps to avoid MAC and IP address conflicts.
64
Routed Organization VDC Networks

Slide 3-15
external network
DHCP,
static IP
pools
Routed networks are attached to

an edge gateway router.
edge gateway
ail
.co
m
tm
Services are shared. Enabling or disabling a service affects all

organization VDC networks.
Organization users can attach vApps and vApp networks to each
organization VDC network.
ad
er
DHCP and static IP pool ranges are managed individually on each

ho
Each routed network allocates a network interface on the organization

edge gateway.
Can be created and managed by an organization administrator
go
th
ic_
re
Routed organization VDC networks connect to an edge gateway. An organization might be provided
with one or more edge gateways. Each edge gateway supports up to 10 network interfaces that are
shared among external and internal networks connected to the gateway. The organization
administrator can create routed networks, configure NAT features for each network (on the edge
gateway device), manage IP allocation pools and DHCP ranges, and configure firewall rules.
Each routed organization VDC network represents a managed interface on an edge gateway.
Services available to the routed networks attached to the same edge gateway are shared. If you
enable or disable a service, such as the DHCP service, that service is disabled for all attached
organization VDC networks. You can manage service state and configurations on a per-routed
network basis, but you are still managing the edge gateway itself.
Users can attached routed vApp networks or direct-connect vApps to a routed organization VDC
network.
65
network A
network B
network C
Organization Edge Gateways

Slide 3-16
Organizations can have one or more edge gateways:
A single edge gateway can connect to multiple external networks and

be used to create many routed organization VDC networks.
The maximum number of interfaces on the edge gateway router is 10.
Edge gateways provide DHCP, static IP pool, firewall, NAT, rate limit,
and load-balancing services.
ail
.co
m
Each organization typically has a least one edge gateway that connects to a
single external network and a single organization VDC network.
Multiple edge gateways can be used to provide separate service and
management points.
Edge gateways connect an organization to the Internet and can

connect organizations.
Organizations can be connected by use of a common external network and
static routes.
ad
er
ho
tm
th
ic_
re
An edge gateway is a virtual router for organization VDC networks. You can configure an edge
gateway to provide network services such as DHCP, firewall, NAT, static routing, virtual private
network, and load balancing.
go
You can create an edge gateway in either a compact or a full configuration. The full configuration
provides increased capacity and performance. The compact configuration requires less memory and
fewer compute resources. All services are available in either configuration. You can enable either
configuration for high availability. A high availability edge gateway automatic failover of the edge
gateway to a backup instance that is running on a separate virtual machine.
An edge gateway can support up to 10 interfaces. These interfaces are categorized as uplinks when
they connect to an external network and categorized as internal interfaces when they connect to an
organization VDC network. You must specify at least one uplink interface when you create an edge
gateway. All uplink interfaces on an edge gateway must connect to an external network available in
the provider VDC that backs the organization VDC in which you are creating the edge gateway.
Internal interfaces are created automatically when you create a routed organization VDC network
that connects to an edge gateway.
66
vApp Networks
Slide 3-17
Direct-connect network
vApp Network
An extension of an organization VDC

network
Virtual machines directly connected
Typical IP router with NAT features
Connects a single vApp network with an

ail
.co
m
vShield Edge
Routed network
vApp Network
tm
Isolated network
ho
vShield Edge
Does not connect to an organization

VDC network
ad
er
vApp Network
vShield Edge deployed
ic_
re
A vApp network can be configured to provide many of the same kinds of services available to an
th
These types of connections can be defined for a vApp network:
go
Direct-connect network. The virtual machines in a direct-connect vApp can be connected to a

selected organization VDC network.
Routed network. The routed network type of connection is the most common vApp network
configuration when the virtual machines of a vApp must have Internet access or access to other
hosts attached to the network.
Isolated network. An isolated vApp network does not connect to an organization VDC network.
67
Direct-Connect vApps
Slide 3-18
A vShield Edge device is not deployed unless the vApp is fenced.

Services are consumed from the organization VDC network edge
gateway.
Fencing is recommended.
External Network
Edge Gateway
Network A
Network B
Network C
ad
er
ho
tm
ail
.co
m
DHCP,
Static IP
Pool
th
ic_
re
A vApp that you direct-connect does not have a network Edge device. The virtual machines are
directly connected to and consume the resources of an organization VDC network. When creating a
network that is direct-connected, you add one of the organization VDC networks as a vApp network.
go
Care must be taken when using direct-connect vApps. The virtual machines consume the
organization VDC network resources (such as static IP pool addresses). All network traffic for each
virtual machine is sent over the organization VDC network.
When direct-connecting vApps, consider fencing the vApp to avoid potential MAC and IP address
conflicts on the organization VDC network.
68
Routed vApps
Slide 3-19
The vShield Edge Gateway device provides firewall, NAT, DHCP, static
IP pool, and other services to the internal network.
Default settings
External Network
Edge Gateway
IP translation NAT
is enabled.
Traffic not matching a NAT
rule is routed.
Empty translation rule set.
vShield Edge
ad
er
ho
tm
IP Services
Network A
Network B
Network C
re
A routed vApp includes at least one local network and connects to an organization VDC network.
go
th
ic_
By default, the vApp network Edge device behaves as a typical IP router when connected to an
organization VDC network. A vApp network Edge device appears as having NAT enabled when it is
created. By default NAT is enabled and the NAT type is set to IP translation. When IP translation is
enabled the Edge device still acts as a typical IP router. This default configuration means the Edge
device is routing traffic between the attached subnets, transforming only traffic that matches IP
translation rules. To configure a many-to-one NAT connection you must change the NAT type to
port forwarding and enable IP masquerading.
A vApp network Edge device has only two interfaces, one interface is connected to an organization
VDC network and another interface is connected to the virtual machines in the vApp. Virtual
machines in a vApp can be created with multiple network interfaces. You can add many local
networks to a vApp, each of which can connect to the same or a different organization VDC
network.
The vApp network Edge device provides static IP pool, NAT, firewall, and DHCP services.
69
ail
.co
m
Multiconnection vApps
Slide 3-20
Always consider network security when designing vApp networking.

How many vApp networks does this vApp define?
External Network
Edge Gateway
Network D
ail
.co
m
Network A
Network B
Network C
Answer: 4
ad
er
ho
tm
Local network to network C

Local network - isolated
Direct connection to network B
Direct connection to network D
th
ic_
re
The vApp networking examples shown so far assume the same type of connection for each virtual
machine in the vApp. A vApp can be configured to have many local networks and connect to one or
more organization VDC networks simultaneously, with the vApp author deciding how each virtual
machine is connected.
go
The diagram shows how a single vApp can be configured with multiple networks. The vApp author
can configure the virtual machines with multiple network interfaces, then connect each virtual
machine network interface to any network added to the vApp.
70
vApp Network Rules

Slide 3-21
Each vApp can have one or more vApp networks that connect to a common
A vShield Edge device or vShield Edge Gateway device is deployed for

each vApp network:
The exception is direct-connect nonfenced vApps.
vApps cannot connect to the same vApp network.
Each vShield Edge can be configured for IP translation NAT or port

forwarding NAT but not both.
You cannot use IP translation for one virtual machine and port forwarding
for another virtual machine.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
71
Network Naming
Slide 3-22
Limit the length of any network or edge gateway name to 33 characters.
ad
er
ho
tm
ail
.co
m
th
ic_
re
The 33-character network name limit is required by the underlying vSphere support system.
Networks that have names longer than 33 characters can fail to deploy. The network with a name
longer than 33 characters can work initially. But the network fails if the Reset Network command
is ever issued to it.
go
When VMware vShield Manager deploys a network, it prefixes the name of the edge device
with vse-. It also appends a 28-character hexadecimal identifier enclosed in two parentheses. For
example, a network name like Marketing-webserver-routed-external-network (43
characters) could be changed to something like vse-Marketing-webserver-routedexternal-network(032c2c2505b424ac3b8926f73d2aa704).
The new name of the edge device has 77 characters, which works fine. But if the vCloud Director
administrator (or some other user who has the proper privileges) issues the Reset Network
command, vCloud Director redeploys the edge device. Also, the new edge device has .updated
appended to the name. The edge device name is now vse-Marketing-webserver-routedexternal-network(032c2c2505b424ac3b8926f73d2aa704).updated. This name has 85
characters. The name length limit in vSphere is 80 characters. The outcome is that the Reset
Network command fails and the network stops working.
72
Lab 1: Configuring VMware vCloud Director Networking

Slide 3-23
Configure vCloud Director networking
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
73

Slide 3-24
You should be able to meet the following objective:

Describe the types of networking found in vCloud Director
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
74
Lesson 2: Network Address Translation and Fencing

Slide 3-25
Lesson 2:
Network Address Translation and Fencing
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
75
Learner Objectives
Slide 3-26
objectives:
Describe the difference between a fenced vApp and a routed vApp
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Describe NAT services provided by edge gateways and other network

devices used in vCloud Director
76
Suballocated IP Pools
Slide 3-27
Pool: 172.20.10.100-199
External Network
172.20.10.0/24
Sub: 172.20.10.120-129
Sub: 172.20.10.110-119
Organization A
Organization B
ail
.co
m
Suballocated IP pools are created and managed by a system

administrator on specific edge gateway devices.
An organization administrator uses the suballocation range for
destination network address translation (DNAT) and source network
address translation (SNAT) mappings.
ad
er
ho
tm
th
ic_
re
For each external network, the vCloud Director system administrator may configure one or more
static IP pool ranges. The static IP pools are used by the edge gateways and virtual machines that
connect to that network.
go
The system administrator can suballocated a portion of the static IP pool on an external network to a
specific edge gateway for use in NAT operations. Suballocated ranges must be available to
configure destination NAT and source NAT rules on an edge gateway. Each suballocated pool is
reserved and is not used for normal IP allocations on the external network.
77
Edge Gateway Destination NAT

Slide 3-28
172.20.10.204
external network
Associates an external IP address or IP

range with an internal IP address or IP
range, on a 1:1 basis
edge gateway
organization VDC
network
Solicited responses return through the

mapping.
Unsolicited outbound traffic does not
traverse the mapping.
vApp
external network
ARP - Who has:

172.20.10.204
IP: 172.20.10.204
ho
00:50:56:01:00:2b
172.20.10.100
ARP - 172.20.10.204 is at:
00:50:56:01:00:2b
DNAT
172.20.10.204
192.168.100.170
IP: 192.168.100.170
ad
er
192.168.100.170
ail
.co
m
DNAT
tm
ic_
re
Destination network address translation (DNAT) rules translate a packets destination address and,
optionally, destination IP port to the values you specify.
go
th
In the most common case, you associate a NAT service with an uplink interface on an edge gateway
so that addresses on organization VDC networks are not exposed on the external network. You can
define NAT translations to associate IP addresses on separate organization VDC networks as well.
The internal address or addresses of the DNAT rules must be on directly attached networks, or be
identifiable through static routes.
A DNAT mapping defined on an edge gateway is unidirectional with state. Connections matching
the mapping specification are allowed through and the resulting solicited responses return using the
correct IP addresses and ports. Unsolicited outbound traffic is disallowed.
Inbound packets destined for the external addresses of DNAT rules are delivered to the external
interface of the edge gateway. The gateway responds to Address Resolution Protocol (ARP) requests
for each DNAT-defined external address. After the packets are received, the edge gateway transforms
the destination IP address, updates the checksum, and translates the destination port if needed.
A DNAT mapping may be a single IPtosingle IP rule or an IP rangetoIP range rule. In the case
of an IP range, a 1:1 correlation exists between each IP pair from first to last. Protocol filtering can
be defined for each DNAT rule.
78
Edge Gateway Source NAT

Slide 3-29
Associates an internal IP address or IP

range with an external IP address or IP
range, on a 1:1 basis.
external network
Solicited responses return through the

mapping.
organization VDC
network
edge gateway
Unsolicited inbound traffic does not

traverse the mapping.
vApp
IP: 172.20.10.204
ho
00:50:56:01:00:2b
172.20.10.100
ARP - 172.20.10.204 is at:
00:50:56:01:00:2b
SNAT
192.168.100.170
172.20.10.204
IP: 192.168.100.170
ad
er
192.168.100.170
external network
ARP - Who has:

172.20.10.204
172.20.10.204
ail
.co
m
SNAT
tm
ic_
re
Source network address translation (SNAT) translates the packets source address and, optionally,
the source port to the values you specify.
go
th
Source NAT is the reverse of destination NAT. Traffic leaving a specific IP address or IP range is
transformed as originating from a different IP address or IP range on an external network connected
to the edge gateway. In the case of IP ranges, a 1:1 correlation exists between each sequential IP
pair.
An SNAT mapping is unidirectional with state. Connections matching the mapping specification are
allowed through and the resulting solicited responses return using the correct IP addresses and ports.
Unsolicited inbound traffic is disallowed.
As with DNAT, the gateway responds to ARP requests for each SNAT-defined external address.
After the packets are received, the edge gateway transforms the destination IP address, updates
checksums, and translates the destination port if needed.
Source NAT rules may be defined to target IP addresses on any network connected to the edge
gateway. The external addresses of SNAT rules must be in the range of a directly attached subnet.
The source address can be from a directly attached subnet or from a source that is routed to the
gateway. If the source addresses are routed, the gateway must have the appropriate static routes
defined for handling the response traffic.
79
Routed vApps: IP Translation

Slide 3-30
Bidirectional mapping
192.168.100.0/24
All traffic is passed.

Configure firewall rules for protocol
filtering.
ARP - Who has:

172.30.15.205
172.30.15.205
192.168.100.104

00:50:56:01:00:2c
vShield Edge
ho
ARP - 172.30.15.205 is at:

00:50:56:01:00:2c
IP: 172.30.15.205
IP Translation
192.168.100.170
172.30.15.205
IP: 192.168.100.170
ad
er
vApp Network
192.168.100.170
ail
.co
m
IP translation associates an
external IP address with a virtual
machine IP address on a 1:1
basis.
tm
ic_
re
Unlike an edge gateway that implements DNAT and SNAT rules, a vApp network Edge device can
implement 1:1 IP translation, port forwarding, and IP masquerading.
go
th
IP translation is a true 1:1 bidirectional mapping of a virtual machine network interface with an
external address. IP translation is similar to edge gateway destination NAT, except that IP translation
is a full bidirectional mapping without protocol filtering. In terms of traffic, the specified virtual
machine interface and the external IP address are synonymous.
When IP translation is enabled, all traffic not matching a rule is still routed through the Edge device,
exposing vApp IP addresses to upstream networks. Configure firewall rules to block this behavior.
You can use IP masquerading to isolate the vApp network behind a many-to-one NAT configuration.
But because IP masquerading and IP translation features are mutually exclusive, you cannot use
both in the same service configuration.
As with most NAT operations, the Edge device responds to ARP requests for all IP translation
external addresses.
80
Routed vApps: Port Forwarding

Slide 3-31
Port forwarding associates a

TCP/UDP port with a virtual
machine IP address and port.
TCP:8080
TCP:80
Packets received on the vShield

Edge external interface are
forwarded and translated based
on the rules.
192.168.100.0/24
192.168.100.104
ail
.co
m
Dest: 172.30.15.5
Proto: TCP:8080
192.168.100.170
vShield Edge:
172.30.15.5
tm
Port Forwarding
TCP: 8080
192.168.100.170:80
ho
Dest: 192.168.100.170
Proto: TCP:80
IP: 192.168.100.170
ad
er
vApp Network
th
ic_
re
Port forwarding provides external access to services running on virtual machines on the vApp
network. Traffic matching a specified transport protocol that has been directed to the external
interface of the Edge device is forwarded to the rule-specified virtual machine interface. The
inbound port can be changed based on the forwarding rule configuration.
go
Response traffic from the virtual machine is transformed on the outbound to appear as originating
from the external interface of the edge.
After port forwarding has been enabled, IP masquerading can be selected. If IP masquerading is not
enabled, the edge device routes subnet traffic, exposing vApp virtual machine addresses to upstream
networks.
Port forwarding NAT is mutually exclusive to IP translation. You cannot have both NAT services
configured at the same time. Switching between the two types of NAT erases all existing rules.
81
Routed vApps: IP Masquerading

Slide 3-32
Many-to-one NAT
Also called port address translation (PAT ) and NAT overload
Outbound packets from the vApp are translated to appear upstream as

originating from the vShield Edge external interface.
Source TCP/UDP ports are changed as needed.
NAT must be enabled with the type set to Port Forwarding.
Source IP: vShield Edge External IP

TCP Source Port: 32785
ail
.co
m
tm
TCP Source Port: 61789
192.168.100.170
ad
er
192.168.100.104
ho
192.168.100.0/24
th
ic_
re
IP masquerading enables a typical port address translation configuration on the vApp network Edge.
All outbound traffic is transformed as originating from the external interface of the vApp network
Edge.
go
To enable IP masquerading, you must first enable NAT and set the NAT type to port forwarding.
Because IP masquerading depends on a NAT type of port forwarding, IP masquerading cannot be
used with IP translation.
For many vApp configurations, the use of IP masquerading might be preferred as it isolates the
vApp network for duplication.
82
vApp Fencing (1)

Slide 3-33
A vShield Edge device is deployed with IP translation rules mapping

each virtual machine in the vApp to an IP address on the organization
VDC network.
The fence provides firewall and NAT options.
ad
er
ho
tm
You can change the NAT type.
go
th
ic_
re
You can choose to fence a vApp when the vApp has been configured with one or more direct
connections to organization VDC networks. A direct-connect network is a literal reference to an
organization VDC network. Directly connecting virtual machines can lead to MAC and IP address
conflicts when other direct-connect vApps are deployed in the same manner. For direct-connect
cases, fencing of the vApp should be considered. Only vApps that direct-connect to an organization
VDC network can be fenced. A network Edge device is not deployed for direct-connect vApp
networks unless the vApp if fenced.
Fencing the vApp causes a network Edge device to be deployed that separates the vApp virtual
machines from the organization network. The Edge device has two interfaces: One interface is
attached to the organization network and the other connects to the vApp. The vApp network has the
same subnet address as the organization network with the fencing Edge device separating the
broadcast domains. The fencing Edge device is deployed with IP translation rules associating vApp
virtual machine addresses with addresses allocated from the organization VDC network.
83
Only vApps that direct-connect to an organization VDC network can be

fenced.
Fencing isolates virtual machines by segmenting the layer 2 broadcast

domain, removing the possibility of inter-vApp MAC and IP address
conflicts.
ail
.co
m
vApp Fencing (2)

Slide 3-34
How many subnets are defined?
A fencing vShield Edge

device does not define
a new subnet. It
segments the layer 2
broadcast domain.
How many layer 2 broadcast domains?
Edge Gateway

172.30.15.0/24
172.30.15.209
172.30.15.208
ail
.co
m
172.30.15.207
vShield
Edge
172.30.15.210
vShield
Edge
172.30.15.0/24
172.30.15.105
172.30.15.104
172.30.15.105
ad
er
172.30.15.104
ho
tm
172.30.15.0/24
th
ic_
re
The diagram illustrates how fencing works. Each of the two vApps contains two virtual machines
configured to direct-connect to a common organization VDC network. Because the vApp virtual
machines have the same set of IP addresses, IP conflicts occur on the organization VDC network
broadcast domain unless fencing is configured.
go
For each vApp, an edge device is deployed that isolates the virtual machines into a separate layer-2
broadcast domain. The edge devices are deployed with preconfigured IP translation rules based on
which virtual machines in the vApp are connecting to the attached organization VDC network.
84
Multiple Fence Configuration

Slide 3-35
Fencing a vApp fences all direct-connect networks (all or none).
One fence is deployed for each direct-connect network.
How many subnets are defined in the diagram?

How many layer 2 broadcast domains?
edge gateway
organization VDC network B
172.30.27.52
tm
172.30.15.0/24
ail
.co
m
organization VDC network A
172.30.15.0/24
ho
172.30.27.0/24
172.30.27.204
ad
er
172.30.15.104
go
th
ic_
re
The diagram shows a vApp of two virtual machines configured to connect to two different
organization VDC networks. When fencing is enabled, a separate edge device is deployed for each
direct-connect organization VDC network. The edge devices each have a unique set of IP translation
rules based on how the virtual machines in the vApp connect to the organization VDC networks.
85
172.30.27.0/24
172.30.15.207
Answer:
2 subnets
4 layer 2 broadcast domains

Slide 3-36
Describe the difference between a fenced vApp and a routed vApp
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Describe NAT services provided by edge gateways and other network

devices used in vCloud Director
86
Lesson 3: vCloud Director Network Pools

Slide 3-37
Lesson 3:
vCloud Director Network Pools
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
87
Learner Objectives
Slide 3-38
objectives:
Define a network pool
Describe the types of network pools
ad
er
ho
tm
ail
.co
m
go
th
ic_
re
What is a network pool? A network pool is a predefined collection of vSphere network resources
that can be used by vCloud Director to dynamically create a limited number of organization and
vApp networks. Think of a network pool as a collection as a set of templates to help you create
networks. The resources include things like VLAN IDs, port groups, virtual network switches, and
vCloud Director isolated networks.
88
About Network Pools

Slide 3-39
A network pool is a predefined collection of vSphere network resources

that can be used by vCloud Director to dynamically create a limited
number of organization and vApp networks.
Resources include ranges of VLAN IDs, port groups, virtual network

switches, and vCloud Director isolated networks.
ad
er
ho
tm
All but direct-connect organization virtual data center networks require

network pool resources.
All but direct-connect, nonfenced vApp networks require network pool
resources.
If a network pool runs out of network resources, vCloud Director cannot
create new networks based on this pool.
Networks can be deleted to return resources to the network pool.
Network pools and organization quotas can be expanded.
ail
.co
m
re
Network pools are used as a template to create networks at the organization and vApp levels.
go
th
ic_
Two types of organization VDC networks require network pools. These networks are routed
organization VDC networks that connect to an external network through an edge gateway and
isolated organization VDC networks.
All vApp networks are built off network pools. Although a direct-connect vApp does not consume
network pool resources, fencing the vApp requires a network.
When you create a network pool, you must specify a maximum limit of networks. This maximum
limits the maximum number of networks that can be created from the pool.
89
Network Pools
Slide 3-40
Routed organization VDC networks

Isolated organization VDC networks
ail
.co
m
vApp networks:
All nonfenced vApp networks
Each pool contains a maximum limit on the number of networks that

can be created from it.
tm
Organization VDC networks:
Network pools might become overcommitted, so VMware recommends

monitoring of network pool utilization.
ad
er
ho
Used as a template to create new vCloud Director networks
go
th
ic_
re
A provider VDC gets its resources from vSphere. CPU and memory are combined into a resource
pool. Storage is configured into datastores. All of these resources are used by vCloud Director to
create a provider VDC. Networks are not included in resource pools or datastores. When you create
a provider VDC, vCloud Director analyzes the underlying ESXi hosts and clusters that the resources
come from. Based on that analysis, vCloud Director reports to you which external networks are
available to organizations and vApps that are built on a provider VDC.
Organizations and vApps get their resources from an organization VDC, which is built on the
provider VDC. When you create an organization VDC, vCloud Director enables you to associate the
organization VDC directly with a network pool. The network pools are built on vSphere port groups,
virtual switches, VLANs, and vCloud Director isolated networks.
(Provider) external networks are defined as being available to a provider VDC. Network pools are
directly associated with specific organization VDCs.
90
Organizations, Network Pools, and Organization VDCs (1)

Slide 3-41
Organization VDCs are assigned a network pool.

Each organization VDC can be assigned only one network pool.
A single network pool can be used by multiple organization VDCs, with the
system administrator defining the quota for each organization VDC.
Network Pool
Network Pool
Network Pool
VDC
VDC
ad
er
ho
tm
VDC
organization
VDC
A single organization can have multiple organization VDCs and connect to

multiple network pools.
ail
.co
m
th
ic_
re
Each cloud can have multiple organizations. Each organization can have its own organization
VDCs. A single organization can have multiple VDCs. Multiple VDCs can connect to the same
network pool A single organization VDC cannot connect to multiple network pools.
go
Each network pool must be backed by a network resource in vSphere. The network resource has to
be in the vSphere cluster that the cloud is built on. Network resources include VLANs, preexisting
port groups, and vCloud Director isolated networks.
91
Organizations, Network Pools, and Organization VDCs (2)

Slide 3-42
Multiple organizations can exist in a cloud.

Different organizations can use the same network pool.
Network Pool
Network Pool
ail
.co
m
Network Pool
organization
Alpha
organization
Beta
VDC
tm
VDC
VDC
ad
er
ho
VDC VDC
go
th
ic_
re
Organization VDCs from different organizations can connect to the same network pool, which
enables private enterprise clouds to create one or two network pools that serve an entire company.
Using network pools between multiple organizations enables public clouds to create fewer network
pools because each cloud tenant does not need their own pool. However, you can overcommit your
network pools. vCloud administrators should carefully monitor network pool use.
92
Network Pool Backing

Slide 3-43
Each network pool must be backed by a network resource.

Four types of network pools are possible:
VLAN-backed
vCloud Director isolated network-backed
Port group-backed
VXLAN-backed
tm
ail
.co
m
go
th
ic_
re
ad
er
ho
NetworkPool VCD-NI 10
93
Network Pools Backed by VLANs

Slide 3-44
New networks select an available

VLAN ID.
The number of networks is limited by

the number of VLAN IDs in the pool.
Port groups are created automatically
by vCenter Server.
VLAN IDs should also be configured
on an uplink physical switch (trunk
mode).
ad
er
VMware vCenter Server

configures a new port group with the
selected VLAN ID.
ail
.co
m
VLAN ranges are configured in the

network pool.
tm
New networks are created using

VLANs.
ho
th
ic_
re
The most common type of Network pool is a Network pool that is built on VLANs. For a VLAN
type of network pool, you must specify a VLAN ID range or a group of VLAN ID ranges. When
you specify VLAN ID ranges, do not overlap existing VLANs either in vCenter Server or in
attached physical switches.
go
Exercise care when you configure your physical switches. When you put a port into trunk mode,
verify that the VLANs you have configured on your ESXi host are defined and allowed by the
switch trunk port. The default behavior varies among different types of switches and between
vendors. You might need to define all the VLANs used with ESXi explicitly on the physical switch.
For each VLAN definition, you can specify the VLAN ID, name, type, maximum transmission unit
(MTU), security association identifier (SAID), state, ring number, bridge identification number, and
so on.
For switches that allow all ports by default, you might not need to do anything. The VMware best
practice is to restrict the VLAN ranges to only those VLAN IDs that you need.
vSphere VXLAN networks are based on the IETF draft VXLAN standard. These networks support
local-domain isolation equivalent to what is supported by vSphere isolation-backed networks.
94
Network Pools Backed by a vCloud Director Isolated Network

Slide 3-45
Networks are created with the use of tunneling (encapsulation).

Traffic moves between ESXi hosts on network layer 2 by using MAC-inMAC encapsulation.
vCenter Server creates the required port groups as needed.
Requirements:
A distributed switch that is connected to all VMware ESX/ESXi hosts.
VMkernel
ESXi host
ad
er
ho
tm
ESXi host
vCloud Director isolated

network tunnel
VMkernel
ail
.co
m
th
ic_
re
The second type of network pool is one backed by vCloud Director isolated network. The vCloud
Director isolated network is driven by the VSLAD agent that runs on ESXi hosts in the vSphere
DRS/vSphere HA cluster. The VSLAD agent is part of the software in the VSLA kernel module.
go
vCloud Director isolated networks isolate network traffic. If a packet needs to leave the port group
on one ESXi host to move to a different ESXi host, it is tunnelled through the VMkernel module.
This tunneling uses MAC-in-MAC encapsulation, which puts a vCloud Director isolated network
header in place and sends the packet out to the physical layer. A vCloud Director isolated network
adds 24 bytes to the length of the packet.
Think of the vCloud Director isolated network as a software-based isolated network between two or
more ESXi hosts which is using special packets at layer 2 of the network model (Ethernet layer).
The packets are decoded in the VMkernel. Network traffic is isolated at layer 2. vCloud Director
isolated networks can be used to connect traffic on multiple ESXi hosts.
Creating a network pool that is backed by the vCloud Director isolated network does not change
anything on the vSphere layer. You will not see a vShield Edge device deployed. No new port
groups appear. When a vApp that connects to a network is powered on, the vShield Edge device is
deployed and the port group is created.
95
Network Pools Backed by Port Groups

Slide 3-46
Port groups must be created in advance by the vCenter Server

administrator.
Port groups must be configured with VLAN IDs to meet vCloud security
requirements.
The assignment of the vSphere port group to the network pool is static.
vCloud Director can create one network for each port group that is
assigned to the network pool.
Port groups can be on distributed switches or standard switches.
The VMware best practice is to use only distributed switches.
ad
er
ho
tm
New networks are created by using existing port groups.
ail
.co
m
go
th
ic_
re
The final type of network pool backing is a network pool backed by vSphere port groups. The port
groups on virtual switches must be created in advance by the VMware vCenter administrator.
These port groups must already have VLAN IDs configured to meet vCloud security requirements.
The network pool based on port groups is the least flexible type of network pool. However, this type
of network pool backing does give the vCloud administrator total control over the configuration.
You can override the VLAN configuration requirement. VMware recommends against overriding
the VLAN configuration requirement.
96
Network Pools Backed by VXLAN (1)

Slide 3-47
Adds a 24-bit VXLAN network identifier to the packet.

VXLAN networks support local-domain isolation equivalent to what is
supported by vSphere isolation-backed networks.
When you create a provider VDC, a VXLAN network pool is created in
vCloud Director.
When you use this network pool, VXLAN virtual wires are created in
vCenter Server.
ad
er
ho
tm
A MAC-in-IP encapsulation designed to replace vCloud Director

Isolated Networks. (Wraps layer 2 in layer 3.)
go
th
ic_
re
VXLANs is a new type of LAN connection that is designed to replace the vCloud Director Isolated
Networks.
97
Based on the IETF draft VXLAN standard.
Virtual extensible LAN.
ail
.co
m

Slide 3-48
Router
VLAN ID = 01
VLAN ID = 02
DRS Cluster A
DRS Cluster B
ail
.co
m
No VXLAN is configured.
A router is required for virtual machines in both clusters to
communicate with each other.
ad
er
ho
tm
Virtual machines must be in different L2 broadcast domains.
go
th
ic_
re
If you have virtual machines running on two different clusters that have different VLAN IDs these
virtual machines cannot communicate with each other unless you set up a router between the
clusters.
98

Slide 3-49
Router
VTEP
VTEP
DRS Cluster A
DRS Cluster B
Virtual machines can be in the same L2 broadcast domain.
VLAN isolation is not required. Isolation is provided by VXLAN.
The VXLAN wire is a logical connection between two VTEPs.
VXLAN Virtual Tunnel End Point (VTEP) is on both ends of the VXLAN wire.
ad
er
ho
tm
ail
.co
m
VXLAN in use. No router is required for virtual machines in both clusters to

communicate.
th
ic_
re
VXLANs enable you to connect two clusters with a VXLAN wire. The VXLAN wire is a logical
connection between the two clusters. Each end of the wire must be anchored with a VXLAN Virtual
Tunnel End Point (VTEP).
go
VXLAN is a routable protocol that does not require special configuration within a router. Because
VXLAN is an encapsulation protocol, VLANs are not needed to isolate traffic. Each VXLAN wire
is isolated.
VXLAN is not an encrypted protocol. Traffic is isolated, but it is not secured by encryption.
99

Slide 3-50
The VXLAN pool is given a name derived from the name of the
containing provider VDC and attached to it at creation.
You cannot delete or modify the VXLAN network pool.
You cannot create a VXLAN network pool by another method.
If you rename a provider VDC, the associated VXLAN network pool is
renamed.
ad
er
ho
tm
ail
.co
m
vCloud Director automatically creates a VXLAN pool for each provider

VDC that is created.
ic_
re
vCloud Director automatically sets up a network pool backed by a VXLAN. The pool is named after
the provider VDC. Each provider VDC gets a unique VXLAN pool.
go
th
Even though a VXLAN pool is available you are not required to use it. Other types of network pools
can still be used with each provider VDC.
100
VXLAN Frame
Slide 3-51
The original L2 frame header and payload are encapsulated in a UDP

packet.
50 bytes of VXLAN overhead
The original L2 header becomes the payload plus VXLAN, UDP, and IP
headers.
VXLAN Frame
VXLAN Header
Outer UDP Header
Misc Data
Source Port
Source Address
Protocol 0x11
VXLAN Port
VLAN Type 0x8100
Header Checksum
UDP Length
VLAN ID Tag
Source IP
Checksum 0x0000
Ether Type 0x0800
Destination IP
Destination Address
Reserved
Source Address
VNI
VLAN Type 0x8100
Reserved
VLAN ID Tag
Ether Type 0x0800
ho
14+
VXLAN Overhead
go
th
ic_
re
ad
er
14+
20
Inner L2
VXLAN Flags
tm
Destination Address
Payload 1500
Outer IP Header
Inner L2 Header &

Payload
VXLAN Header
Outer MAC Header
Outer UDP Header
ail
.co
m
Outer IP Header
FCS
Outer MAC Header
101
VXLAN Networking Considerations: MTU Size

Slide 3-52
To accommodate the VXLAN encapsulation overhead, L2 maximum

transmission units (MTUs) on physical switches must be set based
on the following frame size considerations.
IPv4 (Bytes)
IPv6 (Bytes)
1500
1500
14
14
Guest L2 payload (MTU)

Guest L2 header
VXLAN header
IP Header
20
40
Optional outer VLAN tag
Outer frame header
14
14
8
1572
1600
ail
.co
m
UDP header
tm
Optional guest VLAN tag
ho
IPv6 data and control
go
th
ic_
re
ad
er
Frame size
102
Benefits of VXLAN Network Pools

Slide 3-53
vSphere VXLAN networks provide the following benefits:

Logical networks spanning layer 3 boundaries
Logical networks spanning multiple racks on a single layer 2
Broadcast containment
Higher performance
Greater scaling than VLANs

VLANs are limited to 4094 networks.
VXLANS allow up to 16.7 million networks.
ail
.co
m
go
th
ic_
re
ad
er
ho
tm
103
Drawbacks of VXLAN Network Pools (1)

Slide 3-54
vSphere VXLAN networks have the following drawbacks:
Typically this setting would be a minimum MTU of 1550 bytes.

VMware recommends an MTU of 1600 bytes.
Extra configuration in vSphere is required.

Extra configuration in the VMware vCloud Networking and Security
appliance is required.
In-the-middle-boxes on the physical network (such as firewalls) can
cause problems.
ad
er
ho
tm
Physical network MTUs must be set to 50 bytes larger than the MTU
used by virtual machine vNICs.
ail
.co
m
go
th
ic_
re
The extra configuration that is required in vSphere is a change of the MTU on distributed switches
that will be used by vCloud Director.
104
Drawbacks of VXLAN Network Pools (2)

Slide 3-55
vSphere VXLAN networks have the following drawbacks:
For Link Aggregation Control Protocol (LACP), 5- tuple hash distribution

must be enabled.
If VXLAN traffic is traversing routers, then multicast routing must be
enabled.
ail
.co
m
The recommended Multicast protocol to deploy for this scenario is

Bidirectional Protocol Independent Multicast (PIM-BIDIR), because the
hosts act as both multicast speakers and receivers at the same time.
PIM is required only if two or more hops are between VTEPs.
go
th
ic_
re
ad
er
ho
tm
For more information about VXLAN in a vCloud environment, see vShield

Administration Guide.
105
Network Pool Advantages and Disadvantages (1)

Slide 3-56
VLAN backed:
Advantages: Flexible. No special MTU settings. Routable.

Disadvantages: Requires more VLAN ID management. Physical switches
must be programmed for VLAN ranges and set to VLAN trunking.
vCloud Director isolated network backed:
Advantages: Easy to set up. No complicated VLAN ranges to track. Very

secure.
Disadvantages: Nonroutable. Requires change to MTU settings.
Port group backed:
Advantages: Can be used with both standard switches and distributed

switches.
Disadvantages: Difficult to manage. No automatic network deployment.
One-to-one ratio of port groups to networks in the pool. Manual
configuration of VLAN IDs required.
ad
er
ho
tm
ail
.co
m
go
th
ic_
re
Different types of network pools have different advantages and disadvantages. A solid
understanding of these advantages and disadvantages can help vCloud administrators decide when
to use which type of network pool.
106
Network Pool Advantages and Disadvantages (2)

Slide 3-57
VXLAN backed:
Routable
Automatically created when you create a provider VDC.
Easy to use in vCloud Director

Allows large scaling and higher performance than vCloud Director isolated
networks
Disadvantages:
Requires more vSphere configuration than other pools
Requires 1550 MTU and other special configuration in physical networks
ad
er
ho
tm
go
th
ic_
re
The VXLAN backed network pools have more advantages and potential disadvantages than other
types of network pools.
107
Advantages:
ail
.co
m
Network Pools Summary (1)

Slide 3-58
Organization VDC networks use network pools.

All vApp networks use network pools.
External networks do not use network pools.
Organization VDC networks and vApp networks can be deployed only
when resources are available in the assigned network pool.
In each organization VDC, only a single network pool is available.
ad
er
ho
tm
ail
.co
m
Network pools are the network resource of an organization VDC.
th
ic_
re
Organization networks that are routed or isolated use network pools. Organization networks that
direct-connect do not use network pools. All vApp networks use network pools. Fenced vApps use
network pools.
go
External networks do not use network pools because external networks are created by the provider
(cloud administrator). The networks are managed by the provider. They are not a resource of the
organization.
Every organization is limited in its resources. Organization networks and vApp networks can be
deployed only if enough resources are available in an assigned network pool.
Multiple organization VDCs can exist in an organization and can connect to a single network pool.
108
Network Pools Summary (2)

Slide 3-59
Four types of network pool backing are possible:
VLAN
vCloud Director isolated networks
Port groups
VXLAN
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
109
Lab 2: Configuring VMware vCloud Director Network Pools

Slide 3-60
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Configure vCloud Director network pools
110

Slide 3-61
Define a network pool

Describe the types of network pools
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
111
Lesson 4: vCloud Director Networking Objects in vSphere

Slide 3-62
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 4:
vCloud Director Networking Objects in
vSphere
112
Learner Objectives
Slide 3-63
objective:
Locate vCloud Director networking objects in the vSphere Web console
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
113
External Network Port Groups

Slide 3-64
An external network is backed by a port group on a standard switch or

distributed switch.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
114
Network Pools and Deployed Networks

Slide 3-65
For network pools, the pool is defined as either a preconfigured port

group or a distributed switch.
The networks deployed by using the network
pool are listed under the containing object.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
115
vCloud Networking and Security Virtual Machines

Slide 3-66
A vShield Edge virtual machine is deployed for each of the following:
Organization edge gateway

Isolated organization VDC network
Routed and isolated vApp network
Fenced direct-connect vApp network
vShield Edge virtual machines appear in the

resource pool that is used to run them.
go
th
ic_
re
ad
er
ho
tm
A System subfolder is created in which

system-created objects that consume pool
resources are stored.
The System subfolder is independent of
organization VDC folders.
ail
.co
m
116

Slide 3-67
Locate vCloud Director networking objects in the vSphere Web console
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
117
Key Points
Slide 3-68
External
Organization
vApp
Networks are built on four types of network pools:
Port based
VLAN based
vCloud Director isolated network-based
VXLAN based
ail
.co
m
vCloud Director interacts with vSphere to deploy and manage vCloud

Director networks.
Rules govern the configuration of vApp and organization VDC
networks.
tm
vCloud Director networking has three levels:
ho
go
th
ic_
re
ad
er
Questions?
118
MODULE 4
Slide 4-1
ail
.co
m
Module 4
go
th
ic_
re
ad
er
ho
tm
119
You Are Here

Slide 4-2

Resources

Components

Components

Users
ail
.co
m
Course Introduction
go
th
ic_
re
ad
er
ho
tm
120
Importance
Slide 4-3
Cloud resources are an abstraction of their underlying VMware

vSphere resources. They provide the compute memory resources
for VMware vCloud Director virtual machines and VMware
vSphere vApps and access to storage and network connectivity.
ail
.co
m
You learn how to create provider virtual data centers (VDCs) that act
as the source for organization VDCs.
go
th
ic_
re
ad
er
ho
tm
Module 4 VMware vCloud Director Providers
121
Learner Objectives
Slide 4-4
objectives:
Describe how storage is provided to vCloud Director

Configure and manage storage for VDCs
Describe the relationship between provider VDCs and organization
VDCs
Describe VMware vSphere Storage vMotion issues
Manage storage for linked clones and shadow virtual machines
go
th
ic_
re
ad
er
ho
tm
Describe how compute and memory resources are provided to vCloud

Director
ail
.co
m
122
About Provider VDCs

Slide 4-5
Organizations get their resources from organization VDCs.

Each organization VDC is a subset of provider VDC resources that are
available to an organization.
ail
.co
m
A provider VDC is a collection of vSphere resources (storage, CPU,

and memory) that gives vCloud Director the ability to manage and use
those resources.
ad
er
ho
tm
ic_
A provider virtual data center
re
VMware vCloud Director has two types of virtual data centers (VDCs):
th
An organization virtual data center
go
A provider virtual data center is a collection and an abstraction of VMware vSphere resources:
Storage
CPU
Memory
123
Resource Groups
Slide 4-6
A resource group consists of standard VMware vSphere Distributed

Resource Scheduler or VMware vSphere High Availability clusters
that provide resources to a cloud.
Resource Groups
Management Cluster
vCenter
vCenter vCloud database vShield
Server Director server Manager Chargeback
DRS/vSphere HA cluster
ail
.co
m
ho
tm
ad
er
Each group: A set of VMware

ESX or VMware ESXi hosts
managed by a single VMware
vCenter Server system or
VMware vShield Manager
server pairing
go
th
ic_
re
If you have separated vCloud Director management functions into a separate VMware vSphere
Distributed Resource Scheduler (DRS) management cluster, then you will have vCloud Director
resources provided by other vSphere DRS clusters. Each VMware vCenter Server system can
support multiple vSphere DRS clusters. But for management purposes, you might find it simpler to
have one vCenter Server system manage only one vSphere DRS cluster. If you decide to manage
multiple DRS clusters under a single vCenter Server system you should group related clusters
together. As you plan your architecture, remember that providers are based on the resources
managed by vCenter Server. A single provider virtual data center can encompass more than a single
vCenter Server system.
124
Types of Resources
Slide 4-7
VDCs work with three types of resources:

CPU
Memory
Storage
CPU and memory come from vSphere resource pools.
Storage
Identified
in a
vSphere
storage
policy
Storage comes from vSphere datastores

that have been identified in a vSphere
storage policy.
tm
ho
Memory
Storage
ad
er
CPU
ic_
re
Resource pools are usually configured with each vSphere DRS cluster being organized into a single
resource pool. However, you can subdivide a vSphere DRS cluster into smaller resource pools.
go
th
In vSphere 5.5, storage should be organized into a storage policy. The use of a vSphere storage
policy is not required. You can configure provider virtual data centers with direct access to vSphere
datastores. But the use of a vSphere storage policy makes the management of storage easier.
125
ail
.co
m
Datastores
Resource
Pools
Provider VDCs
Slide 4-8
Silver Provider VDC
Gold Provider VDC
Resource
Pools
tm
ail
.co
m
Datastores
Memory
Storage
ad
er
ho
CPU
Bronze Provider VDC
go
th
ic_
re
Virtual data centers are built on vSphere resources. CPU capacity, memory, and storage are at the
hardware level. vSphere collects those resources into resource pools and datastores. Provider virtual
data centers are built directly on top of vSphere resource pools and datastores. Organization virtual
data centers get their resources from provider virtual data centers.
126
Network Resources Associated with Provider VDCs

Slide 4-9
Organization
VDC
Associated
Built from vSphere

Port Groups, Virtual
Switches, VLANs,
VXLANS, and vCloud
Director Isolated
Network
VDC
Available
Provider VDC
External Networks
tm
Storage
Organization VDCs are directly

associated with network pools,
with quotas.
You must define network pools
before you define organization
VDCs.
ad
er
ho
Memory
ic_
re
Organization virtual data centers are collections of resources (CPU, disk, memory, and networks)
that provide organizations resources.
go
th
Relationships exist between organizations, network pools, and organization virtual data centers,
including the following:
Each organization virtual data center can be assigned only one network pool.
A single network pool can be used by multiple organization virtual data centers.
A single organization can connect to multiple network pools by leveraging multiple organization
virtual data centers.
Organization networks are built on network pools. Organization networks can be created before
creating an organization virtual data center.
127
ail
.co
m
Resource
Pools
When you create a provider VDC,

you are notified about which
external networks are available
to that provider.
Datastores
CPU
Built from vSphere

Port Groups
vCloud Resources
Slide 4-10
vSphere datastores are organized with vSphere storage policies.

Memory and CPU resources are configured into resource pools.
Storage policies and resource pools are attached to provider VDCs.
Resources are allocated from provider VDCs to organization VDCs.
VCD vApp Network
Organization VDC
Organization Network
Network Pool
Provider VDC
External Network
vSphere
Distributed
Switch
Storage
Policy
ail
.co
m
Distributed Port
Group
Resource
Pool
Storage
Policy
DRS Cluster
ho
Physical
Network
Physical
Host
FC-SCSI
Storage
NFS/iSCSI
Storage
ad
er
VLAN
tm
Physical
th
ic_
re
vSphere datastores are offered to vCloud Director as available storage through vSphere storage
policies. This storage is divided into provider virtual data centers. Organization virtual data centers
can use storage from a single provider. A single organization can have multiple organization virtual
data centers, each with a different type of storage.
go
The allocation of storage to resource clusters can vary depending upon how provider virtual data
centers are being allocated. If you are following the best practice recommendation of using a 1:1
mapping between provider virtual data centers and DRS clusters, then the recommendation for
storage is no different between a cloud resource cluster and a standard vSphere DRS cluster. The
exception is that if vSphere DRS clusters are being used as cloud resource clusters, they might
require larger datastores.
If resource pools are used for backing provider virtual data centers instead of DRS clusters, consider
using different types of datastores to offer multiple tiers of storage that can be grouped during the
provider virtual data center creation phase.
128
Relationship Between Networks and Provider VDCs

Slide 4-11
Networks are not considered to be part of VDCs.

When you create a provider VDC, vCloud Director reports which
external networks are available to the cloud structures that use the new
provider VDC.
ho
@
er
ad
go
th
ic_
re
When you create a provider virtual data center, networks are not considered to be a part of the
virtual data center. But the vCloud Director UI indicates which external networks are available,
based on the resources (DRS clusters and resource pools) that you have selected as resources for the
virtual data center.
129
tm
ail
.co
m
About Storage Provided to vCloud Director

Slide 4-12
Shared storage is required.
vSphere DRS clusters are required.
Supported storage is based on the vSphere

hardware compatibility list:
Fibre Channel (FC)

Fibre Channel over Ethernet
NFS
iSCSI
vCloud Director storage:
vCloud Director sees datastores only because it operates at a higher layer

than vCenter Server.
vSphere sees the underlying technology.
ad
er
ho
tm
ail
.co
m
ic_
re
vCloud Director requires shared storage. All of the storage that is supported is based on the vSphere
hardware compatibility list. This storage includes:
th
Fibre Channel
NFS
go
Fibre Channel over Ethernet
iSCSI
All VMware ESXi hosts that provide storage to vCloud Director must be members of DRS
clusters. vCloud Director is aware only of storage that is presented to it as datastores from vSphere.
130
About Using vSphere Storage Policies

Slide 4-13
Some storage arrays can communicate with VMware vSphere API for
Storage Awareness.
A storage device can be assigned user-defined tags in vSphere.
vSphere API for Storage Awareness capabilities and user-defined tags
are used to organize storage with a storage policy.
Storage that is identified by a storage policy can be assigned to
provider VDCs.
Organization VDCs are assigned storage from a single provider VDC.
ho
@
er
ad
ic_
re
A vSphere storage policy is based on either VMware vSphere API for Storage Awareness
capabilities or user-defined storage capabilities.
go
th
When you create a provider virtual data center you, must assign at least one vSphere storage policy
to the provider virtual data center. You can also assign storage from more than one vSphere storage
policy to a single provider virtual data center.
Organization virtual data centers get their storage from a single provider virtual data center. If the
provider virtual data center has access to storage from more than one vSphere storage policy, storage
from those same multiple instances of a vSphere storage policy is available to the organization
virtual data center.
NOTE
The use of a vSphere storage policy is not required. A vSphere storage policy must still be defined
on the resource cluster. But when a provider virtual data center is created, you can select one
vSphere storage policy and then have all of the shared storage covered by any vSphere storage
policy available to the provider virtual data center. The VMware best practice is to use a vSphere
storage policy.
131
Organization VDCs can use storage identified in more than one storage
policy.
tm
Each provider VDC can use storage identified in more than one storage
policy.
ail
.co
m
Storage Considerations
Slide 4-14
Configure storage with vSphere best practices in mind.
Shared storage is required.

Allocate LUNs on a cluster-by-cluster basis.
Other considerations:
The use of raw device mappings is not supported.
NFS share is required for multiple cells.
You can use storage policies to distribute virtual machine disks to
different storage tiers.
ad
er
ho
tm
ail
.co
m
ic_
re
vSphere DRS clusters used with vCloud Director must be configured to use automated vSphere DRS.
Automated vSphere DRS requires shared storage attached to all hosts in a vSphere DRS cluster.
go
th
Raw device mappings cannot be used. They are not supported. Using an RDM breaks the mobility
of VMware vSphere vApps.
The upload NFS share is mandatory only in multicell deployments. VMware recommends the
creation of an upload NFS share for all vCloud Director deployments. The configuration of an upload
NFS share makes it easier to add cells later, even if you originally planned to have only one cell.
The NFS share must be as large as the biggest potential vApp or media item that will be uploaded
into the catalog. You also must have enough storage space in the NFS share to take in to account
concurrent uploads. The best practice is to start with at least 500GB in the NFS upload share.
Storage should be common in the cluster. No mixed RAID or disk types are allowed in the same
cluster.
Storage should be organized into tiers based on cost and performance. These tiers are usually
managed by vSphere storage policies. Virtual machines can have different disks assigned to different
storage tiers based on vSphere storage policies. For example, a customer might have an application
that was a high-speed search engine attached to a read-only database. The data for the database
might be stored on a very fast solid-state drive (SSD), and the virtual machine base disk with the
operating system might be assigned to less expensive storage.
132
Datastore Sizing
Slide 4-15
When determining what size to make datastores, use vSphere best

practices:
Mean vApp size x number of vApps:

Mean virtual machine disk capacity
Mean virtual machine memory requirement
Expected virtual machine I/O profile
Spare capacity to reserve
Capacity for base disks and shadow virtual machines (if using fast
provisioning)
go
th
ic_
re
ad
er
ho
tm
Size for placement of multiple vApps (fewer large datastores or more

small datastores).
ail
.co
m
133
Storage Tiering
Slide 4-16
Organize storage in tiers.

Separate tiers based on cost, speed, capacity, or features.
The best practice is to assign entire vSphere DRS clusters to a specific
tier.
Subdivide a single vSphere DRS cluster with storage policies and

resource pools only when resources are limited.
go
th
ic_
re
ad
er
ho
tm
A single resource pool provides all CPU and memory in the cluster to the
provider VDC.
All shared storage in the vSphere DRS cluster is assigned to the provider
VDC.
ail
.co
m
134
Storage Tiering and Storage Policies

Slide 4-17
Organization VDC storage policies are based on a subset of storage

policies provided by the provider VDC.
Each organization VDC has an associated default storage policy.
All virtual machines have an associated storage policy that defaults to
the organization VDC storage policy.
Virtual machine placement is based on storage policies.
You can use different storage policies with different virtual machine
disks in the same virtual machine.
4
go
th
ic_
re
ad
er
ho
tm
All available storage policies across selected clusters are listed at

provider VDC creation.
ail
.co
m
135
Storage DRS and Storage vMotion

Slide 4-18
You can use the VMware vSphere Web Client or VMware vCloud
API to manually relocate virtual machine disk files under the following
conditions:
The target datastore is part of the same organization VDC as the vApp.
All virtual disks for a virtual machine are migrated to the same datastore.
If you must move virtual machines off a datastore:
The datastore must belong to a datastore cluster enabled by vSphere

Storage DRS.
Use the vSphere Web Client to place the datastore into Storage
Maintenance Mode.
vSphere Storage DRS automatically moves all virtual machines on the
datastore to other datastores in the datastore cluster enabled by vSphere
Storage DRS.
ad
er
ail
.co
m
When a virtual machine is migrated by using vSphere Storage vMotion,

storage policies are used to determine virtual machine placement.
tm
VMware vSphere Storage DRS is supported by vCloud Director 5.5.
ho
go
th
ic_
re
The best practice for using VMware vSphere Storage DRS is to configure vSphere storage
policies and vSphere datastore clusters. VMware vSphere Storage vMotion migration of virtual
machines is then handled automatically by vSphere based on the configuration of the vSphere
storage policies, datastore clusters, and vSphere Storage DRS rules. This type of configuration
provides optimal performance as some datastores become too full or too busy.
You can use either VMware vSphere Client or VMware vCloud API to manually migrate a
single virtual machine, but such migration should be done carefully.
CAUTION
Use of the vSphere Client to manually migrate a virtual machine when that virtual machine is part of
a vCloud Director vApp can cause vCloud Director problems. This statement is true for both storage
location migrations and host migrations. The vSphere Client displays a warning message if you try
to directly manage an item that is managed by vCloud Director.
136
Provider VDCs and Service Levels

Slide 4-19
Create multiple provider VDCs to differentiate computing levels or

performance characteristics of a service offering.
Provider VDCs enable the cloud provider to offer different classes of
service with associated performance, availability, and cost
characteristics.
Memory CPU
Storage
ho
External Networks
ad
er
External Networks
go
For provider VDCs:
th
ic_
re
A provider virtual data center (VDC) combines the compute and memory resources of a single
vCenter Server resource pool with the storage resources of one or more datastores connected to that
resource pool. A provider VDC is the source for organization VDCs.
vSphere resources are abstracted in the form of provider VDCs.

Provider VDCs have a 1:1 relationship with vSphere resource pools.
The best practice is to map the provider VDC to the full DRS cluster instead of breaking a DRS
cluster into smaller resource pools.
Service levels for infrastructure capacity offered to the cloud tenant are differentiated at the provider
VDC level. Define your service-level agreement (SLA) for the service being offered. For example,
you might create three SLA tiers: Tier-1:Production, Tier2:QA, and Tier3:Dev.
With provider VDCs, you can pool infrastructure resources to create standard offerings. You can
create multiple provider VDCs for users in different geographic locations or business units, or for
users with different performance requirements. For example, you can combine your best-of-breed
compute resources with your fastest storage resources to create a Gold provider VDC. You can
charge consumers who use the Gold provider VDC a higher price for the resources than consumers
137
tm
Storage
Memory CPU
Provider VDC:
Silver
ail
.co
m
Provider VDC:
Gold
who use resources from a Silver or Bronze provider VDC. Likewise, you can create clusters of hosts
running similar hardware and create provider VDCs based on the type of hardware providing the
compute resources.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
When you create a provider VDC, vCloud Director prepares each host in the cluster associated with
the resource pool by installing an agent on each host. This process does not require a restart of the
host system.
138
Service-Level Examples
Slide 4-20
Tier 1 provider VDC (Gold: Production/Mission Critical)
Fully redundant infrastructure (power, networking, storage)

vSphere HA failover capacity
High-performance storage (block-level tiering of SSD, FC, SATA)
Tier 2 provider VDC (Silver: Production/UAT)

Fully redundant infrastructure
No vSphere HA failover
ail
.co
m
Midrange storage (FC)
Tier 3 provider VDC (Bronze: Development/QA)

Partially redundant infrastructure (power)
tm
ho
No vSphere HA failover
Low-end storage (SATA)
go
th
ic_
re
ad
er
139
Multiple Provider VDCs Using the Same Storage

Slide 4-21
Multiple provider VDCs can use the same datastore for storage.
Best practice: Divide storage into different tiers of cost, based on
storage device speed and expense.
You can connect multiple datastores to a single provider VDC.
You can add datastores to a provider VDC.
best practice
possible
Gold provider VDC
Silver provider VDC
ail
.co
m
Gold provider VDC
Silver provider VDC
datastore (SSD)
tm
datastore (unobtainium)
$$$ $$$
datastore (SSD)
$$$ $$$
ad
er
ho
$ $$ $$$
datastore (SCSI)
th
ic_
re
You can connect multiple provider VDCs to the same datastore. The best practice is to create storage
tiers where datastores are separated according to speed and cost of storage. Then connect specific
provider VDCs to those datastores to give users different cost options for their storage.
go
You can connect multiple datastores to a single provider VDC. You can also add datastores to a
provider VDC.
VMware recommends not creating multiple providers VDCs from the same datastore. Avoid
creating a datastore built on storage of multiple device types that operate at different costs or speeds.
140
Provider VDC Best Practices

Slide 4-22
Avoid sharing datastores between provider VDCs.

Do not mix storage types in a provider VDC.
Example: Do not mix SATA and SSD datastores in a provider VDC,

because mixing types results in virtual machines with indeterminate I/O
performance.
Create multiple provider VDCs to differentiate computing levels or

performance characteristics of a service offering.
Avoid using large clusters from the start (allow room for growth).
ho
@
er
ad
ic_
re
You can map provider VDCs to vSphere DRS clusters or resource pools. The best practice is to map
each provider VDC to a single cluster.
go
th
Mapping a provider VDC to an entire cluster makes it easy to expand the resources in the provider
VDC by adding hosts or datastores to the cluster. If hosts are added later, the provider VDC can
automatically expand by the corresponding amount.
vCloud Director manages vSphere resources by proxy through a vCenter Server and automatically
creates resource pools in vCenter Server as needed to instantiate organization VDCs. If the vSphere
administrator uses vCenter Server to create nested resource pools, such use can negate the efficient
allocation of resources by vCloud Director. Multiple parent-level resource pools can also add
unnecessary complexity and lead to unpredictable results or inefficient use of resources if the
reservations are not set appropriately.
A provider VDC can map to one cluster. After a cluster is attached to a provider VDC, it is no
longer available for attachment to another provider VDC. It is possible to attach a second cluster to a
provider VDC if you are using an elastic VDC.
One or more datastores can be attached to a provider VDC. But as a best practice for segmenting
storage, VMware recommends that datastores should not be shared by multiple provider VDCs.
141
tm
The best practice is to use a 1:1 mapping of provider VDC to a single

vSphere DRS cluster.
ail
.co
m
It is possible to attach multiple provider VDCs to the same vSphere storage policy. The attachment
of multiple provider VDCs to the same vSphere storage policy is not a best practice, unless these
multiple provider VDCs are designed to provide the same level of service.
Create multiple provider VDCs to differentiate computing levels or performance characteristics of a
service offering. Segment by capacity, availability, or performance type. An example of
differentiating by availability is n+1 for a Bronze provider VDC versus n+2 for a Silver provider
VDC. As the level of expected consumption increases for a given provider VDC, add hosts to the
cluster from vCenter Server and attach more datastores.
Create different provider VDCs to differentiate between:
Performance levels (different hardware, CPU, RAM, disk, and so on)
Different availability levels (no HA, HA n+1, HA n+2,... HA n+4)
ail
.co
m
Fast versus full provisioning
Special licensing requirements, where software is needed to be licensed for all cores. A
dedicated Oracle cluster is one example.
re
ad
er
ho
tm
As the number of hosts in the cluster backing a provider VDC approaches the halfway mark of
vSphere limits, consider implementing controls to preserve room. Implement these controls to
preserve room well ahead of reaching the cluster limits. For example, do not add additional tenants
to this particular VDC and use the additional hosts to be added to address increased resource
demand for the existing tenants. If the cluster backing a provider VDC has reached the maximum
number of hosts per vSphere design guidelines, create a provider VDC associated with a new
cluster.
ic_
For sizing a provider VDC, consider the following:
th
Expected number of virtual machines
go
Size of virtual machines (CPU, RAM, disk)
142
Providers and Virtual Machine Hardware

Slide 4-23
Hardware version 8 requires vSphere 5 ESXi hosts.

Hardware version 9 requires vSphere 5.1 ESXi hosts.
Hardware version 10 requires vSphere 5.5 ESXi hosts.
ail
.co
m
When you create a provider, you must specify the planned hardware
level for the virtual machines that the provider will support.
go
th
ic_
re
ad
er
ho
tm
143
Elastic VDCs
Slide 4-24
Provider VDCs can span multiple vSphere DRS clusters:
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
All vSphere DRS clusters must be managed by the same vCenter Server
system.
Virtual Extensible LAN (VXLAN) fabric is required.
Organization VDCs must be configured as pay-as-you-go or allocation pool
models when provider VDCs span multiple vSphere DRS clusters.
144
Fast Provisioning Using Linked Clones

Slide 4-25
Fast provisioning:
Provisions new virtual machines

from a template without
replicating the entire image
Links the images (clones) so
that common elements are
stored only once
Increased operational efficiency
ad
er
ho
Template
Fast provisioning benefits:
go
th
ic_
re
Fast provisioning enables rapid provisioning of vApps with vSphere linked clones. A linked clone
uses the same base disk as the original, with a chain of delta disks to track the differences between
the original and the clone. Fast provisioning is enabled by default when allocating storage to an
organization VDC. If an organization administrator disables fast provisioning, all provisioning
operations result in full clones.
Increased elasticity: The ability to quickly provision vApps enables cloud applications to scale
up as needed through the ability to deploy a vApp from a catalog using linked-clone technology.
Increased operational efficiency: Use of linked clones typically results in significant
improvement in storage utilization.
145
vmdk
Increased elasticity
vmdk
tm
vmdk
ail
.co
m
Benefits:
vmdk
Shadow Virtual Machines Enabling Cross-Datastore Provisioning

Slide 4-26
A shadow virtual
machine enables
cross-datastore
provisioning and is
invisible to end users.
vCloud Director 5.5
vCenter Server 1
ail
.co
m
vCenter Server 2
VM
(S)
datastore-2
ho
VM-4
(L)
VM-5
(L)
VM-6
(L)
datastore -3
ad
er
datastore-1
VM-3
(L)
VM-2
(L)
tm
VM
(S)
ic_
re
vSphere limits the use of linked clones. Linked clones can be created only in a single datastore.
vCloud Director uses shadow virtual machines to allow linked clones to be deployed across multiple
datastores.
go
th
When vCloud Director deploys a virtual machine from a catalog, the standard procedure is to deploy
only a linked clone. But if a user requests the deployment of a virtual machine into an organization
VDC that is different from the organization VDC that the catalog is hosted in, vCloud Director
creates a shadow virtual machine.
After the shadow virtual machine is created, subsequent linked clones are deployed fast because you
are deploying linked clones to the same datastore.
For a linked clone in a single datastore, the linked clone is created almost instantaneously.
If a linked clone is requested on a different datastore, vCloud Director makes a full copy of the
source virtual machine on the destination datastore and then creates a linked clone. This full copy
operation takes more time than a standard linked clone creation. Subsequent linked clones are
almost instantaneous.
Because vCloud Director supports multiple vCenter Server systems, a user can request a linked
clone on a datastore that is on a different vCenter Server system. In this case, vCloud Director
creates a shadow virtual machine on the destination datastore before it creates the linked clone.
146
Considerations for Fast Provisioning

Slide 4-27
Fast provisioning requires vSphere 5.x (vCenter Server 5.x and ESXi
5.x).
The best practice is to base each provider VDC on a dedicated cluster.
Tree-depth is limited to 31. After 32, a new base disk is deployed.
The use of linked clones is limited to a single datastore. For crossdatastore deployment, a new shadow virtual machine is deployed.
Some in-guest operations cause many writes (increasing delta disk
size):
Defragmentation
Memory dumps
Application logs
ho
@
er
ad
th
ic_
re
Fast provisioning requires vCenter Server 5.x and ESXi 5.x hosts. If the provider VDC on which the
organization VDC is based contains VMware ESX 4.x hosts, fast provisioning is not supported.
In the presence of both ESX 4.x and ESXi 5.x hosts in a given cluster backing the provider VDC,
the fast provisioning option is not available during organization VDC creation.
go
Fast provisioning in vSphere 5.1 has different limits than fast provisioning under vSphere 5.0. Under
vSphere 5.0 if fast provisioning is used the cluster size is limited to eight hosts. Under vSphere 5.1
the cluster size can be a maximum of 32 hosts, even if fast provisioning is used.
If the provider VDC on which the organization VDC is based contains any VMware vSphere
VMFS datastores connected to more than eight hosts under vSphere 5.0, a power-on operation for a
virtual machine might fail. vSphere 5.0 datastores should be connected to a maximum of eight hosts.
VMware recommends separating datastores reserved for fast provisioning from datastores reserved
for full-clone vApp workloads for manageability and chargeback purposes. Additionally, if vCloud
Director is deployed on block based storage, VMware recommends using the vSphere DRS cluster
to back up a dedicated provider VDC for fast provisioning. All organization VDCs are created from
the dedicated provider VDC and should have Enable Fast Provisioning selected.
When you select Enable Fast Provisioning on all organization VDCs based on a dedicated provider
VDC, vCloud Director allows the implementation of linked clones across the cluster. The use of fast
147
tm
ail
.co
m
provisioning on all organization VDCs attached to a single provider VDC makes it easier for the
administrator to ensure that this dedicated cluster remains under the eight-host limit. The
administrator can configure other provider VDCs not to use linked clones. These clusters where fast
provisioning is disabled can be larger than eight hosts. Applications that are write-intensive perform
better when hosted on provider VDCs that do not have fast provisioning enabled.
NOTE
Although vSphere 5.1 has an expanded limit of 32 hosts per cluster if fast provisioning is used,
administrators should still plan to start their resource clusters at less than full size to leave space for
future expansion.
Provisioning Times
ho
tm
ail
.co
m
Provisioning should be near instantaneous when provisioning to the same datastore. Provisioning a
virtual machine to a different datastore triggers creation of shadow virtual machines if they do not
already exist on the target datastore. The shadow virtual machine is a full copy of the virtual
machine on the target datastore. After a shadow virtual machine exists in the target datastore,
subsequent provisioning of the virtual machine occurs instantaneously, as in the same datastore case.
VMware recommends that the most frequently provisioned vApp templates be preprovisioned
across the datastores for the organization to achieve consistent instantaneous provisioning
experience.
er
Performance Implications
go
th
ic_
re
ad
Linked-clone performance varies. Sometimes linked clones can perform better than full clones,
depending on the I/O policy of the application workload. One reason for potentially greater
performance is metadata caching. On virtual machine startup, metadata dictating which file to
access to get data is written to the ESXi copy-on-write heap. When a virtual machine does a virtual
SCSI read and hits the metadata cache, each virtual read results in a single physical read. However,
if an ESXi cache miss occurs, there will be a virtual read in addition to multiple physical reads for a
virtual machine reading across many disk sectors, causing additional overhead. Linked clone
performance can be further boosted through storage array caching. The use of storage array caching
can cause commonly used base disks to be read from storage array memory cache instead of disk.
Ample storage array cache will greatly benefit an environment utilizing linked clones.
Scalability Limitations
Tree width. Although there is no limit to the width of a tree, a datastore can fill up if a tree gets
too wide. If the datastore fills up, no clones can be created. The problem of having a full
datastore can be mitigated by using shadow virtual machines to allow cross-datastore
provisioning.
Tree depth. Linked-clone tree depth is kept at a maximum of 31. A thirty-second leaf node
automatically creates a base disk.
148
Eight-host limit. There is an eight-host limit imposed by vSphere 5.0 when using SAN storage.
This in turn limits max cluster size to eight hosts.
Fast provisioning technology is based on snapshot hierarchies. Snapshot hierarchies are
composed of several VMDKs organized as a chain with one or more common base disks, each
of which are opened in read-only mode. The top-level disk (called a delta disk) is opened in
exclusive mode. Files opened in read-only locking mode cannot be opened by more than 8
hosts, so the same limitation applies to VMFS based linked clones. This limitation does not
apply when vSphere uses NFS storage.
Single-datastore. Linked clones can be used only in a single datastore. The use of shadow
virtual machines allows for cross-datastore provisioning. As shadow virtual machines are full
copies of the source virtual machines, sizing considerations for preprovisioning shadow virtual
machines across datastores should be made.
ail
.co
m
tm
ho
er
ad
re
ic_
go
th
Some in-guest operations can increase delta disk sizes and fill up datastores. An example of this is a
defragmenter running in the guest operating system. The virtual machine might start with very small
VMDK files built off of linked clones. But as the defragmenter runs most of the disk is rewritten.
The modification of all disk sectors causes the VMDK of the linked clone delta disk to inflate back
to full size.
149
VMware does not recommend or support VMware vSphere vMotion migration of linked clones
in the vSphere layer. Even if the datastores are part of a datastore cluster enabled with vSphere
Storage DRS, vCloud Director provisioned linked clones are ignored by vSphere Storage DRS in
vSphere 5.0. Under vSphere 5.1, vSphere Storage DRS can be used to automatically balance linked
clones between datastores.
vSphere Storage vMotion. vSphere Storage vMotion in ESXi 5.0 has been improved to support
migration of linked clones. However, the migration of linked clones should be invoked only in
the vCloud Director layer, through the REST API Relocate_VM. When invoking the
Relocate_VM API to migrate linked clones, ensure that the target organization VDC is part of
the same provider VDC as the source organization VDC. Or ensure that the target organization
VDC is backed by a provider VDC that has the same datastore where the source vApp resides.
If the condition is not met, the API call fails.
Linked Clones, Shadow Virtual Machines, and Storage DRS

Slide 4-28
Use the vCloud API to initiate vSphere Storage vMotion migration for
linked clones to preserve the linked-clone state.
Manual migration of a virtual machine that is built on linked clones can
cause undesirable effects. These effects include problems like the
inflation of delta disks.
vCloud Director does not support linked-clone configurations that span
across datastores.
Linked clones can be migrated between VMFS3 and VMFS5:
vSphere Storage DRS provides this support.

Format conversions are handled automatically at the platform level.
ad
er
ho
tm
vSphere Storage DRS supports linked clones only with vCloud Director
5.x.
ail
.co
m
th
ic_
re
If there is a cross-datastore linked clone configuration, vSphere Storage DRS does not make a
recommendation to place linked clones on the datastore that does not contain either the base disk or
a shadow virtual machine copy of the base disk. A cross-datastore linked clone configuration might
occur when vCloud Director APIs create it.
go
Linked clones can be migrated between VMFS3 and VMFS5 file systems. Several factors enter into
the decision-making process when vSphere Storage DRS is determining where to migrate a linked
clone. Factors such as the amount of data being moved, the amount of space reduction on the source
and the additional amount of space required on the destination all are considered. The major factor
is whether a shadow virtual machine of the base disk already exists on the destination.
150
Preparing Hosts
Slide 4-29
To prepare the ESXi host, vCloud Director installs the vCloud Director
agent on the ESXi host.
When the Preparing Hosts dialog box appears, you must provide the
root user ID and password of the ESXi hosts.
ail
.co
m
When you create the first provider VDC, vCloud Director prepares the
ESXi hosts in the DRS cluster.
go
th
ic_
re
ad
er
ho
tm
151
Lab 3: Creating Provider Virtual Data Centers

Slide 4-30
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Create provider virtual data centers
152

Slide 4-31
Describe how storage is provided to vCloud Director

Configure and manage storage for VDCs
Describe the relationship between provider VDCs and organization
VDCs
Describe VMware vSphere Storage vMotion issues
Manage storage for linked clones and shadow virtual machines
4
go
th
ic_
re
ad
er
ho
tm
Describe how compute and memory resources are provided to vCloud

Director
ail
.co
m
153
Key Points
Slide 4-32
Each provider VDC must be built from a resource pool.

Each provider VDC must have storage.
A provider VDC must have at least one external network.
Resource pools cannot span multiple vSphere DRS clusters.
All resource pools should be at the same level.
Storage should be divided into tiers based on cost and speed.
Use linked clones to provision new virtual machines from a template
without replicating the entire image.
A shadow virtual machine is a full clone that is created when a linked
clone is requested on a destination datastore that is different from the
source datastore.
ho
tm
Provider VDCs provide resources to organization VDCs.
ail
.co
m
go
th
ic_
re
ad
er
Questions?
154
MODULE 5

Organizations
Slide 5-1
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Module 5
155
You Are Here

Slide 5-2

Resources

Components

Components

Users
ail
.co
m
Course Introduction
go
th
ic_
re
ad
er
ho
tm
156
Importance
Slide 5-3
You can leverage existing VMware vSphere infrastructure

resources to deliver IT services in a private or public infrastructure
as a service cloud.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
But you must first understand the technical constructs that VMware
vCloud Director provides.
Module 5 VMware vCloud Director Organizations
157
Module Lessons
Slide 5-4
Organizations
Lesson 2:
Organization Virtual Data Centers
Lesson 3:
vApp Templates
Lesson 4:
Building and Publishing vApps
Lesson 5:
Deploying and Running vApps
Lesson 6:
Additional Organization VDC Networking
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 1:
158
Lesson 1: Organizations
Slide 5-5
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 1:
Organizations
159
Learner Objectives
Slide 5-6
objectives:
Create a vCloud Director organization
Add a catalog to an organization
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
160
About Organizations
Slide 5-7
An organization is a logical group of all users (consumers) to which

resources will be presented.
An organization has these characteristics:
Enforces a security boundary

Includes appropriate resources and controls
Includes one or more content repositories (catalogs)
ail
.co
m
Organization: Finance
Access Control
Users
Provisioned
Policies
ad
th
ic_
re
An organization is a logical group of users to which IT services are presented. Organizations

provide a security boundary, so that appropriate resources and controls can be set up for a given
group of users.
go
Each organization has a unique login URL. Users, locally created or imported from a Lightweight
Directory Access Protocol (LDAP) server, exist and operate only in this organization. The settings
in each organization are independent from the settings made for other organizations. (An exception
is Simple Mail Transport Protocol (SMTP) settings, which can be made per organization or by
inheriting the settings in the VMware vCloud Director default SMTP server.)
Organizations are isolated tenants in the cloud. Each organization has its own users, access control,
catalogs, provisioning policies, resources, and networks. Resources come from organization virtual
data centers (VDC). Each organizations VDC gets its resources from a single provider VDC. Each
organization can have multiple organization VDCs.
161
ho
vSphere vApp
(VMs with vApp

network)
er
Organization
VDCs
vApp
vApp
tm
Catalogs
Organization Portals
Slide 5-8
Each organization has a dedicated portal.
ad
er
ho
tm
ail
.co
m
go
th
ic_
re
The vCloud Director system administrator creates the organization and provisions resources. After
the organization is created, the system administrator distributes the organization URL to the
administrator assigned to the organization (called the organization administrator). Using the URL,
the organization administrator logs in to the organization portal and sets it up, configures resource
use, adds users, and selects organization-specific policies and settings. Organization member users
(consumers) can then create, use, and manage IT services packaged as VMware vSphere vApps.
When you select the name of the organization, do not worry about the name being visible to other
organizations. Multitenancy means that users must know the name of their organization before they
can provision resources or services. A user in one organization cannot learn the names of other
organizations through the vCloud Director user interface. Plan to create an organization for each
tenant of the cloud. Only the vCloud Director administrator can create an organization.
The organization name is used in a URL whenever a user browses to the organization portal. As a
result, the organization name must be suitable as part of a URL. Do not use spaces or special
characters in an organization name. Underlines and hyphens are permitted. Because the name is part
of a URL, the best practice is to make the name as short as possible.
162
Organization Users
Slide 5-9
Each user has an administrator-assigned role.
Privileges
System Administrator
Creates and manages provider VDCs, external networks, network pools,

organizations, organization VDCs, organization VDC networks, and catalogs
Organization
Administrator
Creates and manages organization users, catalogs, and VMware vSphere

vApp templates and organization VDC networks
Catalog Author
Creates, manages, and uses catalogs and vApps
vApp Author
Creates, manages, and uses vApps
vApp User
Similar to vApp Author except that it cannot create vApp or change

CPU/memory/disk
Console Access Only
Access to consoles of vApp virtual machines with no power functions
tm
ail
.co
m
Predefined Role
ad
er
Organization users can be created in vCloud Director or by using an

LDAP server.
ho
go
th
ic_
re
vCloud Director uses roles, and their associated rights, to determine which users and groups can
perform which operations. System administrators can create and modify roles. System
administrators and organization administrators can assign roles to users and groups in an
organization.
163
Organization Policies
Slide 5-10
Leases, quotas, and limits help prevent users from depleting or

monopolizing an organizations resources.
Policy type
Settings
Leases
vApp runtime
vApp and vApp template storage
Storage cleanup location
Running virtual machines per user
ail
.co
m
Quotas
Stored virtual machines per user

Limits
Resource intensive operations per user
tm
Resource intensive operations per organization
ad
er
ho
Simultaneous connections per virtual machine
th
ic_
re
Leases, quotas, and limits constrain the ability of organization users to consume storage and
processing resources. These settings prevent users from depleting or monopolizing an organizations
resources.
go
Leases provide a level of control over an organizations storage and compute resources by
specifying the maximum amount of time that vApps can be running and that vApps and vApp
templates can be stored.
The goal of a runtime lease is to prevent inactive vApps from consuming compute resources. For
example, if a user starts a vApp and goes on vacation without stopping it, the vApp continues to
consume resources. A runtime lease begins when a user starts a vApp. When a runtime lease
expires, vCloud Director stops the vApp.
The goal of a storage lease is to prevent unused vApps and vApp templates from consuming storage
resources. A vApp storage lease begins when a user stops the vApp. Storage leases do not affect
running vApps. A vApp template storage lease begins when a user adds the vApp template to a
vApp, adds the vApp template to a workspace, downloads, copies, or moves the vApp template.
When a storage lease expires, vCloud Director marks the vApp or vApp template as expired, or
deletes the vApp or vApp template, depending on the organization policy that you set.
164
Quotas determine how many virtual machines each user in the organization can store and power on
in the organizations VDCs. The quotas that administrators specify act as the default for all new
users added to the organization.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Limits prevent resource-intensive operations from affecting all the users in an organization and also
provide a defense against denial-of-service (DoS) attacks. Certain vCloud Director operations are
more resource intensive than others. An example of a resource-intensive operation is the copying or
moving of a vApp. For performance or security reasons, you can also limit the number of
simultaneous connections to a virtual machine from the vCloud Director remote console. Limiting
the number of simultaneous connections does not limit Virtual Network Computing or Remote
Desktop Protocol connections. Unlike the other usage policies, limits cannot be set by organization
administrators. They must be set by system administrators and cannot be modified by organization
administrators.
165
Expired Items Management (1)

Slide 5-11
These vApps are either moved to an expired holding area or deleted.

The vCloud Director system administrator and the organization
administrator have the ability to restore to the organization a vApp that
is stored in an Expired Items storage area.
ad
er
ho
tm
ail
.co
m
vApps and vApp templates whose storage leases expire are handled as
configured under Leases.
go
th
ic_
re
Leases combined with management of expired items enables vCloud Director administrators and
organization administrators to prevent individual users from consuming too much of a clouds
resources.
166

Slide 5-12
This type of management can be used to keep organizations and users

from cluttering the system with too many vApps and wasting resources.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
After a vApp stops running, the clock starts for how long it will remain in
the users My Cloud.
167

Slide 5-13
The Expired Items inventory appears under My Cloud.

vApps can also be deleted from Expired Items.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
After a vApp or vApp template has been moved into Expired Items,
either the cloud system administrator or the organization administrator
can renew it.
168
Catalogs
Slide 5-14
Catalogs store the following:
Database vApps
Catalogs can be shared with all

users in the organization or with
specific users.
Windows Template
Catalogs can be shared with other

organizations.
Catalogs can be published to other
vCloud Director clouds.
Media
er
ad
th
ic_
re
vCloud Director includes a content repository. The content repository is a component in the vCloud
Director storage subsystem. The content repository provides an abstraction to the underlying
datastores and offers features to store, search, retrieve, and remove content.
go
Content is delivered to consumers in the form of catalogs. A catalog is a container for vApp
templates and media files in an organization.
Catalogs can be shared, so the vApp templates in them are available to other users in the
organization. Catalogs can also be published, so members of other organizations can have read
access to the vApps, provided the organization is configured to allow publishing.
169
Web Server vApps
ail
.co
m
vApp Templates
tm
Catalog Objects
vApp templates, which are used to

deploy workloads to user clouds
Media (ISO files and FLP files) that
can be inserted into CD/DVD and
diskette drives on virtual machines
Media can also include other files,
such as scripts.
ho
Catalog Availability
Slide 5-15
Catalogs are made available in four ways:
Public: Available to other organizations in the cloud

Shared: Available to other specific users in your organization or
available to other organizations in your cloud
Published: Available to subscribers in other vCloud Director clouds
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Private: Available to the owner or creator of the catalog only
170
Organization Catalog Sharing

Slide 5-16
The system administrator allows or disallows public sharing and

publishing of organization catalogs.
Catalogs can still be shared within an organization even if sharing with

other organizations is not allowed.
Sharing can be set or changed at any time.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
If sharing is allowed, the organization catalogs can be shared as visible to

other organizations.
Catalogs can be made public to specific organizations or to all
organizations.
171
Organization Catalog Publishing

Slide 5-17
The system administrator also controls whether an organization can

subscribe to catalogs that are externally published.
Publishing can be set or changed at any time.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Publishing allows a catalog to be shared with organizations in other

vCloud Director clouds.
172
Catalog Best Practices

Slide 5-18
Create an administration organization to do the following:
For each consumer organization, follow these practices:
Create a shared catalog for local templates

Use the shared catalog provided by the Administration organization to
create standard templates
Recognize that only the Organization Administrator role and the vCloud
Director system administrator can view shared and published catalogs
Be very selective about whom you allow to publish catalogs to external

clouds.
Be very selective about whom you allow to subscribe from external
clouds.
go
th
ic_
re
ad
er
ho
tm
Share public catalogs that offer official build templates to the organization
administrators of all organizations
ail
.co
m
173

Slide 5-19

Create a vCloud Director organization
Add a catalog to an organization
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
174
Lesson 2: Organization Virtual Data Centers

Slide 5-20
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 2:
Organization Virtual Data Centers
175
Learner Objectives
Slide 5-21
objectives:
Create an organization virtual data center (VDC)
Configure organization VDC networking
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
176
Organization VDCs
Slide 5-22
Provider VDC resources are allocated to tenants in the form of

organization VDCs.
Before you can create an organization VDC, you must create an
organization.
Each organization can have multiple organization VDCs.
Each organization VDC can belong to only a single organization.
vApps, vApp templates, and catalogs cannot be created in an
organization until an organization VDC exists.
er
ad
th
ic_
re
An organization VDC provides resources to an organization and is partitioned from a provider VDC.
Organization VDCs provide an environment where virtual systems can be stored, deployed, and
operated. They also provide storage for virtual media, such as floppy disks and CDs.
go
A single organization can have multiple organization VDCs associated with it.
Organization VDCs are used by vCloud Director to partition provider VDCs and allocate resources
to an organization. vCloud Director uses VMware vSphere resource pools as the basic construct to
partition these resources.
You must create the organization before you can create an organization VDC. Each organization can
have multiple organization VDCs. But each organization VDC is local to only one organization.
When creating an organization VDC, you must first select the provider VDC that will provide
resources. From a vSphere perspective, both provider and organization VDCs are resource pools and
have a parent-child relationship.
177
ho
tm
ail
.co
m
An organization VDC is a subset of the resources in a provider VDC.
Purpose of an Organization VDC

Slide 5-23
Organization VDCs enable the cloud provider

to securely share provider VDCs resources
with multiple tenants. The provider can do so
with the following:
Predefined allocations
Ensured control of the tenants performance
and capacity requirements
VDC1 (Tier1)
VDC2 (Tier2)
tm
vApp
ad
er
ho
A single cloud tenant can have multiple

organization VDCs. The advantages include:
They consume multiple classes with differing
SLAs.
The cost is based on computed needs.
The cloud consumer or user sees the
organization VDCs but not the underlying
provider VDCs.
ail
.co
m
Organization A
th
ic_
re
The organization VDC enables the cloud provider to share provider VDC resources with multiple
tenants. Organization VDCs maintain security, enable the provider to set predefined allocations, and
ensure that the tenants performance and capacity requirements can be controlled.
go
Tenants do not have the ability to see the actual resources in the provider VDC. Their visibility is
only into which resources are available in the organization VDC.
Like a provider VDC, the organization VDC is a container for resources, but the way that resources
are allocated can be specified. A network pool can be added to an organization VDC with limits on
the number of networks that can be created. You can also specify the maximum amount of storage
that the organization VDC can consume.
178
Organization VDCs and Provider VDCs

Slide 5-24
Each organization can have multiple organization VDCs.

Each organization VDC can use resources from a single provider VDC.
Multiple organization VDC can use resources from the same provider
VDC.
You cannot create an organization VDC until a provider VDC exists.
VDCB-2
VDCB-1
VDCA-2
Silver provider VDC
Bronze provider VDC
er
ad
th
ic_
re
You must create your provider VDCs before you can create your organization VDCs. Each
organization can have multiple organization VDCs. Each organization VDC can be connected to
only one provider VDC. But each provider VDC can serve resources to multiple organization
VDCs.
go
Like a provider VDC, the organization VDC is a container for resources. But the way that resources
are allocated from an organization VDC can be specified. A network pool can be added to an
organization VDC with limits on the number of networks that can be created. You can also specify
the maximum amount of storage that the organization VDC can consume.
The organization VDC inherits availability characteristics from the provider VDC to which it
belongs.
179
ho
Gold provider VDC
VDCC-1
tm
VDCA-1
organization C
organization B
organization A
ail
.co
m
Allocation Models
Slide 5-25
The allocation model controls how that organization will be allowed to

consume resources.
You can choose from three models:
Pay-as-you-go
Allocation pool
Reservation pool
Each organization can be created with only one model.
ad
er
ho
tm
ail
.co
m
Each organization is created based on an allocation model.
go
th
ic_
re
When creating an organization VDC, choosing an appropriate allocation model is important. The
allocation model not only determines how the provider VDC resources are committed to the
organization VDCs, but also how the provider bills the customer for those resources.
180
Pay-As-You-Go Model
er
ad
th
ic_
re
The pay-as-you-go model is the easiest model to understand and administer. The easiest way to
think of pay-as-you-go is that customers pay for what they get. When a vApp powers on, the
resources are committed. If a vApp is not powered on, then the customer is not billed for resources.
go
Even though the customer is billed as soon as a vApp is powered on, only a percentage of the
resources are guaranteed. If you want to create a high-tier service offering, the pay-as-you-go model
is where the provider can increase the guaranteed resources.
The pay-as-you-go model is the only model where you can specify the speed of virtual CPUs in the
vApp.
The pay-as-you-go model has these characteristics:
Requires no up-front resource allocation.
Resources are committed only when users create vApps in the organization VDC.
You can set limits to cap usage.
You can also specify a percentage of resources to guarantee, which allows you to overcommit
resources.
181
ho
tm
ail
.co
m
Slide 5-26
Allocation Pool Model
ad
er
ho
tm
ail
.co
m
Slide 5-27
re
The allocation pool model configures a virtual container of resources.
go
th
ic_
The allocation pool model allocates a subset of resources, but it guarantees to a tenant only a
percentage of what has been allocated. Thus, the provider has the ability to overcommit resources
when using the allocation pool model.
The allocation pool model has these characteristics:
Only a percentage of the allocated resources are committed to the organization VDC.
You can specify the percentage, which allows you to overcommit resources.
Advanced resource management controls, such as shares and reservations, are managed by the
cloud operator. These types of control allow for more coherent resource management across
organizations.
182
Reservation Pool Model
er
ad
ic_
re
The reservation pool model configures a physical container of resources. Think of this model as a
model where the customer rents hardware for their exclusive use.
go
th
The reservation pool model should be the most expensive allocation model offered to customers.
The customer is in complete control of the resources that they use, and all resources are guaranteed.
The reservation pool model also offers customers the greatest amount of control. They have the
same controls that a vSphere administrator would have over resource pool settings. Thus, overcommitment is possible, but it is controlled by the customer.
The reservation pool model has these characteristics:
All allocated resources are immediately committed to the organization VDC.
One-hundred percent of all resources specified are guaranteed.
No other organization can share these resources.
Organization administrators can use advanced vSphere resource management controls, such as
shares and reservations, to manage overcommitment of resources between their workloads.
183
ho
tm
ail
.co
m
Slide 5-28
Organization VDC Allocation Model Comparison

Slide 5-29
Pay-as-you-go:
vApp
vApp
Allocation pool:
Capacity is reserved for the organization VDC,
with the ability for provider-controlled overcommitment for
the entire organization VDC.
ail
.co
m
Overcommit
Range
Guarantee
Actual
Reservation pool (special case allocation pool):
Guarantee
Actual
go
th
ic_
re
ad
er
All provider VDC resources that you allocate are

committed to the organization VDC.
Tenant-controlled overcommitment for the entire organization
VDC.
tm
Resources are committed to the virtual machine

on virtual machine creation in the organization VDC.
Provider-controlled overcommitment per virtual machine.
Easiest to manage, good starting point.
ho
The pool expands

to accommodate
resources reserved
on demand.
184
Virtual Machine Admission Control

Slide 5-30
Pay-as-you-go:
CPU- and memory-based admission control:
Allocation pool:
Memory-based admission control

Virtual machines cannot be deployed to an allocation pool VDC unless
enough RAM is available to meet the reservation requirements for the virtual
machine.
ail
.co
m
Virtual machines cannot be deployed to a pay-as-you-go VDC unless

enough CPU and RAM are available to meet the reservation requirements
for the virtual machine.
Reservation pool:
No admission control:
All virtual machine deployments will be completed. Resource contention and

starvation must be managed by the tenant.
er
ad
go
th
ic_
re
When choosing an allocation model, you should consider virtual machine admission control.
Admission control is whether a VMware vSphere Distributed Resource Scheduler cluster allows
a virtual machine to be powered on and is based on available resources. The allocation models
directly affect how admission control is used in the vSphere DRS cluster.
185
ho
tm
Organization VDC Best Practices

Slide 5-31
Mixing resource allocation models in the provider VDC across

organizations can result in unpredictable resource consumption,
making SLA management difficult.
Enable thin provisioning to reduce storage consumption by committing
resources only on demand.
Enable fast provisioning to enable the use of vSphere linked clones.
ad
er
ho
tm
ail
.co
m
When creating organization VDCs, VMware recommends that you do

not mix allocation models in a provider VDC.
ic_
re
An organization VDC requires storage space for vApps and vApp templates. You can allocate
storage from the space available on provider VDC datastores.
go
th
Thin provisioning can help prevent overallocating storage and save storage space. For a virtual
machine with a thin virtual disk, VMware ESXi provisions the entire space required for the
disks current and future activities. ESXi commits only as much storage space as the disk needs for
its initial operations.
Fast provisioning saves time by using vSphere linked clones for certain operations.
Fast provisioning requires VMware vCenter Server 5.0 or later and ESXi 5.0 or later hosts. If
the provider VDC on which the organization VDC is based contains any ESX/ESXi 4.x hosts, you
must disable fast provisioning. If the provider VDC on which the organization VDC is based
contains any VMware vSphere VMFS datastores connected to more than 32 hosts, powering on
virtual machines might fail. Make sure that datastores are connected to a maximum of 32 hosts.
186
Organization VDCs and Networking

Slide 5-32
When you create an organization VDC, you have the opportunity to

create networks and gateways.
You can add networks and gateways after the organization VDC has
been created.
Organization networks and organization gateways can be shared with
other organization VDCs in the organization.
er
ad
ic_
re
The networking module discussed organization VDC networks in detail. Typically most
organizations have these requirements:
th
An edge gateway device that connects to an external network
go
A routed organization VDC network

In the most basic scenario, an organization topology is defined by an edge gateway connecting to an
external network and a single organization VDC network. vApp networks are routed and connect to
the single organization VDC network.
For the organization VDC network, you must provide a range of IP addresses and associated
network information. Because an organization VDC network is a private network, you can use RFC
1918 addresses for DHCP and static IP address pools. Typically, a full RFC 1918 class C is used for
the private network IP pool.
You can create an edge gateway in either a compact or a full configuration. The full configuration
provides increased capacity and performance. The compact configuration requires less memory and
fewer compute resources. All services are supported in either configuration. You can enable either
configuration for high availability, which enables automatic failover of the edge gateway device to a
backup instance that is running on a separate virtual machine.
187
ho
tm
ail
.co
m
Organization networks and organization edge gateways are part of

organization VDCs.
Considerations for Organization VDC Networking

Slide 5-33
Most organizations require at least one organization VDC network

Use a logical naming convention to identify networks for ease of
management:
Example: <organization_name>-<network_name_or_purpose>
Each organization VDC has a single network pool.
A system administrator selects the pool and stipulates the quota.
Select compact or full configuration for edge gateways based on traffic

demands.
go
th
ic_
re
ad
er
ho
tm
Most organizations require a minimum of one edge gateway that

connects to an external network.
ail
.co
m
188
Lab 4: Configuring VMware vCloud Director Organizations

Slide 5-34
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Configure vCloud Director organizations
189

Slide 5-35

Create an organization virtual data center (VDC)
Configure organization VDC networking
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
190
Lesson 3: vApp Templates

Slide 5-36
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 3:
vApp Templates
191
Learner Objectives
Slide 5-37
objectives:
Install the Client Integration Plug-In into the VMware vSphere Client
Upload a virtual machine into vSphere from a local OVF template
Import a virtual machine from vSphere as a vApp template
Upload a virtual machine into vCloud Director from a local OVF
template
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
192
vApp Templates
Slide 5-38
A vCloud Director virtual appliance (vApp) template is a predefined

package of virtual machines and networks that you can use to rapidly
instantiate vCloud Director vApps.
Install and preconfigure guest operating systems in the vApp template.
Preconfigure networks in the vApp template.
You cannot power on a vApp template.
ail
.co
m
vApp
er
ad
th
ic_
re
A vApp template is a virtual machine image that is loaded with an operating system, applications,
and data. These templates ensure that virtual machines are consistently configured across an entire
organization.
go
You can create a vApp template by importing a virtual machine from the vSphere DRS cluster or
from a vApp in the data center or uploading by using a file that uses the Image Transfer Service. If
vApp templates are not in Open Virtualization Format (OVF) format, they are converted to OVF
format immediately. You can use the vCloud Director import functions to import a vSphere virtual
machine to vCloud Director as either a vApp or a vApp template. But to import a VMware
vSphere vApp to vCloud Director, you must export it from vSphere in OVF format, then upload
the exported OVF to vCloud Director. Only system administrators can import a virtual machine
from vCenter Server to vCloud Director.
A vApp template is an immutable vApp because it cannot be deployed and so cannot be powered
on. You create a vApp instance from the vApp template that can be deployed and powered on.
193
ho
tm
vApp Template
Populating Catalogs
Slide 5-39
Upload an ISO or FLP image file.

Import a media file from a vSphere datastore.*
Copy or move a media file from one catalog to another.
Options for adding vApp templates to a catalog:
Upload an Open Virtualization Format (OVF) package.

Import a virtual machine from vSphere.*
Copy or move a vApp template from one catalog to another.
Create a vApp from a template, modify it, and save it as a template.
Create a vApp from the beginning and save it as a template.
ad
er
ho
* Requires system administrator permissions
ail
.co
m
Options for adding media to a catalog:
tm
go
th
ic_
re
vCloud Director offers several ways to populate catalogs with vApp templates and media. These
options are available based on user roles and their associated rights. For example, only system
administrators can import a virtual machine or media file from vSphere.
194
Importing vApp Templates

Slide 5-40
vSphere virtual machines can be imported into vCloud Director:
OVF templates can be uploaded into a catalog as a vApp template.

OVF templates can also be uploaded as a vApp.
Any organization user with sufficient rights can upload OVF templates.
Uploading templates removes any reliance on a system administrator to
interact with vSphere.
er
ad
th
ic_
re
You can deploy an OVF template in vSphere and then import the resulting virtual machine as a
vApp (in My Cloud) or vApp template in an organization catalog. Only the system administrator can
interact with vSphere to deploy the OVF template and then import the virtual machine.
go
Not all vSphere OVF templates can be imported directly into vCloud Director. vSphere supports
some items in the template that vCloud Director does not support. A workaround is to open the file
with a text editor and remove the items that vCloud Director does not support. Most of these items
are related to custom settings.
A user with sufficient privilege can upload an OVF template that is stored on their desktop computer
to an organization catalog as a vApp template.
195
ho
tm
Only the vCloud Director system administrator role has the right to upload a
vSphere virtual machine into vCloud Director.
Virtual machines can be uploaded into a catalog as vApp templates or into
My Cloud as vApps.
ail
.co
m
Chain-Length Problems (1)

Slide 5-41
Linked clones are disk-deduplicated copies of the vApp template.
These copies are based on vSphere snapshots.

Only the data unique to this vApp is stored separately.
Only 31 linked-clone copies of a vApp can exist. Then a new shadow virtual
machine is created for each virtual machine in the vApp and a new chain is
started.
A large number of linked clones can slow performance.

Only the vCloud Director system administrator can see the chain length
of a virtual machine and issue a command to consolidate.
go
th
ic_
re
ad
er
ho
tm
Each time a vApp is deployed from a vApp template, a linked clone is

created.
ail
.co
m
196

Slide 5-42
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
You can see the chain length on the properties of a virtual machine in
a template that is stored in a catalog.
197

Slide 5-43
You also can view shadow virtual machines.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
The command to consolidate is available when you right-click a virtual

machine in a template.
198
Lab 5: Creating VMware vCloud Director vApp Templates

Slide 5-44
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Create vCloud Director vApp templates
199

Slide 5-45

Install the Client Integration Plug-In into the VMware vSphere Client
Upload a virtual machine into vSphere from a local OVF template
Import a virtual machine from vSphere as a vApp template
Upload a virtual machine into vCloud Director from a local OVF
template
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
200
Lesson 4: Building and Publishing vApps

Slide 5-46
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 4:
Building and Publishing vApps
201
Learner Objectives
Slide 5-47
objectives:
Build a vApp
Publish a vApp to a local organization catalog
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
202
vApps (1)
Slide 5-48
A vApp is a package of IT services.

The package includes:
One or more preconfigured virtual machines running the applications

included in a service
A vApp network for communication between virtual machines
Metadata for deployment instructions and runtime policies
app server
virtual
machine
virtual
machine
database
virtual
machine
ho
tm
app server
ail
.co
m
vApp
er
ad
go
th
ic_
re
vCloud Director delivers IT services in packages that are called vApps. vApps are composed of one
or more virtual machines. These virtual machines communicate over networks included in the
package and use resources and services in the deployed environment. The package also includes an
OVF descriptor, which provides general application information, hardware requirements,
deployment instructions, and policies that are enforced during runtime.
A vCloud vApp is instantiated and consumed in vCloud differently than in a vSphere environment.
As discussed earlier, a vApp is a container for a distributed software solution and is the standard unit
of deployment in vCloud Director. It has power-on operations, consists of one or more virtual
machines, and can be imported or exported as an OVF package. A vCloud vApp might have
additional vCloud specific constructs, such as vApp networks.
vApps are the lowest unit of work in vCloud Director. If a service requires only one virtual machine,
you must create a vApp for that virtual machine.
In vCloud Director, you can create a vApp by cloning a template in a catalog or by creating a new
one. After you have created the vApp, you can add, remove, or modify the virtual machines in it.
vApp property settings enable you to control the behavior of virtual machines when you start and
stop the vApp. For example, you can set the order in which the virtual machines power on and off.
203
OVF descriptor
vApps (2)
Slide 5-49
A vApp is deployed from a vApp template.

vApps simplify the deployment and ongoing management of an n-tier
application.
vApps can contain one or many virtual machines.
vApps encapsulate not only virtual machines but also their
interdependencies and resource allocations.
OVF is the distribution format for vApps.
ail
.co
m
vApp
ad
er
ho
tm
vApp Template
ic_
re
You can create a vApp based on a vApp template stored in a catalog to which you have access. A
vApp in vCloud Director is a logical construct used to describe a set of virtual machines.
go
th
vApps simplify the requirement for the deployment and ongoing management of an n-tier
application in multiple virtual machines by encapsulating them in a single virtual service entity. A
vApp has the same basic operations as a virtual machine and can contain one or more virtual
machines.
vApps encapsulate not only virtual machines but also their interdependencies and resource
allocations, which enables single-step power operations, cloning, deployment, and monitoring of the
entire application. If the virtual machine is based on an OVF file that includes OVF properties for
customization, those properties are retained in the vApp. If any of those properties are userconfigurable, you can specify the values in the virtual machines properties pane after you add it to
the vApp.
The distribution format for vApps is OVF, implying that they can be imported and exported like
OVF virtual machines.
204
vApp Custom Guest Properties

Slide 5-50
The vApp custom guest properties

feature the following:
vApp
OVF package
Deployment
configuration
Developers and other users can use

OVF descriptors to easily pass user
data into guest operating systems.
Benefits:
Deploy
OVF package.
Provides functionality to bootstrap a

wide
variety of guest customization
solutions
ho
tm
vApps
Easier postdeployment configuration

and provisioning of identity to virtual
machine and vApps
ail
.co
m
vApp
er
ad
th
ic_
re
The vApp custom guest properties feature allows users to pass custom data into the guest operating
system of vApps that are deployed in vCloud Director. The custom guest properties feature is useful
for an application developer and application owner because the application can be customized by
users in ways beyond guest customization that is available in earlier versions of vCloud Director.
go
Steps involved in deploying a custom guest vApp include the following:

1. Template creation by the author:
Author declares OVF properties

Author installs guest software and scripts
Author exports template as an OVF package
2. Deployment by user:
User prompted for deployment-time values

User powers on vApp
The deployment works after steps 1 and 2. The OVF environment is generated by vCenter Server,
and guest scripts run and customize software.
205
vSphere
Considerations for vApps

Slide 5-51
General design considerations:
Include one virtual CPU. Add vCPUs as needed.

Use the latest version of VMware Tools.
Use default shares, reservations, and limits.
Use vmxnet3 network adapters.
Network design considerations:
ad
er
ho
tm
Each vApp network consumes processor and memory resources and a

network from the pool.
Each VMware vShield Edge that is deployed allocates an IP from the
static pool available on the organization VDC network.
ail
.co
m
re
Be aware of the following general design considerations for vApps:
th
ic_
Default to one virtual CPU unless requirements call for more virtual CPUs. An example of a
need for multiple virtual CPUs would be a multithreaded application virtual machine.
go
Always install the latest version of VMware Tools.

Always provision a 32-bit virtual machine unless a 64-bit virtual machine is required.
Deploy virtual machines by using default shares, reservations, and limits settings unless you
have a clear requirement for doing otherwise.
For virtual network adaptors, use VMXNET3 if supported.
Secure virtual machines as you would secure physical machines.
Use standard virtual machine naming conventions.
206
Lab 6: Building and Publishing VMware vCloud Director vApps

Slide 5-52
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Build and publish vCloud Director vApps
207

Slide 5-53

Build a vApp
Publish a vApp to a local organization catalog
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
208
Lesson 5: Deploying and Running vApps

Slide 5-54
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 5:
Deploying and Running vApps
209
Learner Objectives
Slide 5-55
objectives:
Copy a vApp from a public catalog to the local organization catalog
Deploy a vApp from the local organization catalog
Configure and start vApps
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
210
Deploying vApps
Slide 5-56
vApps are deployed from local or public catalogs.

When deploying a vApp from a catalog, you can change these settings:
er
ad
go
th
ic_
re
You can specify the organization VDC, the associated storage policy, and the leases for each
instance of a vApp template deployed from a catalog. The selected VDC provides the compute and
memory resources necessary for running the vApp and for running any network edge devices
deployed by VMware vCloud Networking and Security. The lease cannot exceed the limit set in
the organization policy.
211
ho
tm
ail
.co
m
Change the VDC used to run the vApp to any VDC in your organization
Change the storage profile used to run the virtual machines and optional
vShield Edge instances.
Change the vApp lease values
Copying and Moving vApps

Slide 5-57
Considerations when copying from a public catalog:
The vApp networking might be configured for the unique topology of the
source organization, including DNS resolution options, static or manual IP
allocations, and host names.
To change vApp settings:
Copy the vApp to a local organization catalog

Deploy the vApp
Update the configuration
Republish
ad
er
ho
tm
A vApp can be copied or moved from one catalog to another catalog.
ail
.co
m
ic_
re
vApps can be copied between catalogs. When copying a vApp from a public catalog published by
another organization, keep these points in mind:
go
th
The copied vApp networking can be configured for an entirely different topology. How the
virtual machines within the vApp resolve DNS, which IP addresses are to assigned to the virtual
machines, and other network-related settings might be inappropriate for running the vApp in the
new organization.
The guest customizations applied to the vApp might not meet organization standards. After
copying a vApp from a public catalog, you might deploy a copy of the vApp to your My Cloud,
then review and update the vApp configuration.
After updating the configuration based on the organization topology and policies, you can
republish the vApp to the catalog.
212
Guest Customization
Slide 5-58
Guest customization can be used for the following tasks:
Configure the host name

Enable or disable SID generation (for Windows guests)
Set the administrator password
Specify a customization script to be executed
Guest customization requires a virtual machine reboot to finish.
er
ad
th
ic_
re
To ensure that the virtual machines in vApp templates are unique upon deployment, vCloud Director
includes the ability to customize guests directly from the organization Web console. Customization
occurs when powering on the virtual machine.
go
vCloud Director can customize the network settings of the guest operating system of a virtual
machine created from a vApp template. When you customize your guest operating system, you can
create and deploy multiple unique virtual machines based on the same vApp template without
machine name or network conflicts.
When you configure a vApp template with the prerequisites for guest customization and add a
virtual machine to a vApp based on that template, vCloud Director creates a package with guest
customization tools. When you deploy and power on the virtual machine for the first time, vCloud
Director copies the package, runs the tools, and deletes the package from the virtual machine.
Before vCloud Director can perform guest customization on virtual machines with Windows 2000,
XP, or 2003 guest operating systems, a system administrator of VMware vCloud must create a
corresponding Microsoft Sysprep deployment package in the vCloud Director deployment
environment. For more information about creating Sysprep deployment packages, see vCloud
Director Administrators Guide at www.vmware.com/support/pubs/vcd_pubs.html.
213
ho
tm
ail
.co
m
You can configure guest customization settings for any stopped virtual
machine.
Hardware Customization (1)

Slide 5-59
You can change the hardware settings on a stopped virtual machine.

You might be able to hot-add hardware to running virtual machines.
ad
er
ho
tm
ail
.co
m
go
th
ic_
re
For each virtual machine in a vApp, you can change the hardware settings. You must have vApp
author privileges and above to update or change the vApp hardware configuration.
214
Hardware Customization (2)

Slide 5-60
You can specify the IP addressing used by each virtual machine.
Static IP use requires enabling of guest customizations.
er
ad
go
th
ic_
re
When creating a vApp, preparing a vApp for publication to a catalog, or when customizing a vApp
for startup, you can change how the vApp connects to the organization infrastructure. vApps
typically connect to an organization VDC network, either through a routed vApp network edge or
directly. To direct-connect a vApp to an organization VDC network, you must select the Add
network option in the network drop-down menu, and then select one or more existing organization
VDC networks to be added to the vApp. After you have created or selected the vApp network
configuration, you can configure IP parameters.
215
ho
tm
You can change the vApp network, create a new vApp network, or
connect the vApp directly to an organization VDC network.
ail
.co
m
IP Addresses and vApp Connections

Slide 5-61
Edge Gateway
Organization VDC Network (192.168.11.0/24)

vShield Edge
DHCP / Static Pool
vApp
Network
vApp
Routed vApp
192.168.210.2
192.168.210.204 192.168.210.103
(Static)
(Manual)
Edge Gateway
DHCP / Static Pool
ail
.co
m
(DHCP)
Organization VDC Network (192.168.11.0/24)

vApp
Network
(Manual)
192.168.11.103
192.168.11.204
(Static)
Direct-Connect vApp
(DHCP)
ad
er
192.168.11.2
ho
tm
vApp
ic_
re
vCloud Director uses guest customization when it deploys virtual machines inside vApps to control
IP addressing. Three types of IP addressing exist: static, manual, and DHCP.
go
th
DHCP addressing is standard DHCP. The virtual machine guest operating system must be
configured to receive a DHCP address. vCloud Director does not use guest customization to enforce
the configuration of the virtual machine as a DHCP network client. If a virtual machine is set to use
DHCP, you must either have the network VMware vShield device configured to support DHCP
services or you must directly attach the vApp network to a higher network that has an external
DHCP server.
If a virtual machine has been assigned a DHCP address, you cannot configure an external network
address translation (NAT) IP address on the organization VDC network.
Static addressing is similar in operation to DHCP. When you create the network, you set a static
range of IP addresses. vCloud Director pulls IP addresses out of the static range in sequential order.
Then vCloud Director uses guest customization to manually set the IP address in the virtual machine
to the selected static address.
216
Static addresses have a major advantage over DHCP. If you set a virtual machine to a static IP
address, then vCloud Director assigns an external NAT IP address on the organization VDC network
that the vApp is attached to. This automatic assignment of external NAT IP addresses greatly
simplifies NAT operations.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Manual IP addresses are where vCloud Director uses the address that the administrator manually
specifies for a virtual machine. vCloud Director uses guest customization to configure the IP address
in the virtual machine. If a virtual machine has a manual IP address assigned, it does not
automatically receive an external NAT IP address on the organization VDC network. However, the
vCloud Director administrator can manually set the external NAT IP address for a virtual machine
with a manual IP address configuration.
217
Lab 7: Deploying VMware vCloud Director vApps

Slide 5-62
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Deploy vCloud Director vApps
218
Lab 8: vApp Networking

Slide 5-63
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Verify vApp Network Connectivity
219

Slide 5-64

Copy a vApp from a public catalog to the local organization catalog
Deploy a vApp from the local organization catalog
Configure and start vApps
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
220
Lesson 6: Additional Organization VDC Networking

Slide 5-65
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 6:
Additional Organization VDC Networking
221
Learner Objectives
Slide 5-66
objectives:
Create a direct-connect organization VDC network
Create a routed organization VDC network
Create a suballocated IP pool for an organization VDC network
Create a fenced vApp
Create a destination network address translation (DNAT) mapping
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
222
Direct-Connect Organization VDC Networks: Review

Slide 5-67
A system administrator must create a direct-connect network on behalf

of an organization.
Including IP address services, DNS configuration, and subnet range
All direct-connect networks connected to an external network share the

same layer 2 broadcast domain.
Exercise care when using direct-connect organization VDC networks.
Use fencing to isolate MAC and IP addresses.
go
th
ic_
re
ad
er
ho
ail
.co
m
A direct-connect organization VDC network is an extension of an external

network and does not connect to the organization VDC edge gateway.
Organization administrators cannot create, configure, or manage a directconnect network.
Network services for a direct-connect network are provided from the
external network created and managed by the system administrators:
tm
223
Direct-Connect Organization VDC Network: Example

Slide 5-68
External Public
172.20.11.0/24
RD Gateway 172.20.11.201
RD Services Network
Direct Connect
RD-vApp1
NAT
RD-vApp2
ail
.co
m
RD External
172.30.1.0/24
NAT
RD-Services
172.20.10.0/24
172.30.120.0/24
ad
er
ho
tm
172.30.110.0/24
Fenced
th
ic_
re
A system administrator can create a direct-connect organization VDC network on behalf of an

organization. A direct-connect organization VDC network is a literal extension of an external
network and cannot be managed by anyone other than a system administrator. A direct-connect
organization VDC network does not connect to the organization edge gateway.
go
A direct-connect organization VDC network shares the same layer-2 broadcast domain as the
external network it connects to. Care should be taken when using direct-connect organization VDC
networks. Although an organization administrator cannot directly manage the network, the
organization administrator can direct-connect a vApp to the network, essentially exposing virtual
machines to the external network broadcast domain and consuming external network resources.
Direct-connect vApps should be fenced, so that the MAC and IP addresses of the contained virtual
machines are isolated from the broadcast domain to avoid conflicts.
224
Routed Organization VDC Network: Review

Slide 5-69
An organization administrator can create routed organization VDC

networks.
The organization administrator can manage the properties and services
of each routed network.
DNAT and SNAT rules require that suballocated IP pools be created on
the attached external network.
External Public
172.20.11.0/24
ail
.co
m
QA Gateway 172.20.11.200
QA Services Network
172.30.100.0/24
NAT
172.30.220.0/24
ho
QA-vApp2
172.30.100.0/24
ad
er
172.30.210.0/24
QA-Services
go
th
ic_
re
Organization administrators can create and manage any number of routed organization VDC
networks that attach to the organization edge gateway, up to the network interface limitation of the
edge gateway. Currently, edge gateways can support up to 10 network interfaces, with one interface
being typically reserved for connection to an external network.
225
NAT
QA-vApp1
tm
QA External
172.30.11.0/24
Suballocated IP Pools and DNAT: Review

Slide 5-70
External IP addresses can be mapped to internal hosts across an

organization VDC edge gateway.
DNAT is a method by which an organization gateway transforms the

destination address of packets.
ad
er
ail
.co
m
The edge gateway receives packets for the external IP of the DNAT
mapping by associating its external interface MAC address with that IP
address through an Address Resolution Protocol response.
The edge gateway modifies the IP headers so that the packets are targeted
to some address on an interior network.
The edge gateway forwards those packets to the target host or to the next
hop.
Protocol filtering can be applied.
tm
ho
The external address or range must be suballocated on the external

network by a system administrator.
After a suballocated IP pool has been created, the organization
administrator can use those IP addresses for NAT purposes.
go
th
ic_
re
As the system administrator, you can configure suballocation IP pools when the organization VDC
is created. The system administrator can also configure suballocation IP pools for an organization
VDC later. If an organization must host externally accessible services by using a destination network
address translation (DNAT) mapping through the edge gateway firewall, the system administrator
must suballocate one or more IP addresses for use by the organization for NAT mapping operations.
To facilitate the hosting of inbound connections, an organization administrator can create DNAT
rules that map external IP addresses or IP address ranges to internal addresses. Allocation of
external addresses must be explicitly configured by a system administrator. After a suballocation IP
pool has been created by a system administrator, the organization administrator can create whatever
mappings are necessary.
When DNAT rules are defined, the edge gateway will issue Address Resolution Protocol (ARP)
responses on the external interface for each destination address. Through the ARP advertisement, all
packets destined for any DNAT-defined external address will be delivered to the edge gateway.
Upon receiving a packet with a destination address matching a DNAT rule, the edge gateway
transforms the destination address based on the DNAT rule configuration, updates IP header
checksum, and then forwards the packet to the interior host or the next interior hop.
226
Routed Organization VDC Network with DNAT: Example

Slide 5-71
External Public
172.20.11.0/24
172.20.11.240
QA Gateway 172.20.11.200
QA Services Network
172.30.100.0/24
QA External
172.30.11.0/24
NAT
QA-vApp2
ail
.co
m
QA-vApp1
DNAT
NAT
QA-Services
172.30.100.0/24
172.30.220.0/24
go
th
ic_
re
ad
er
ho
tm
172.30.210.0/24
172.30.100.140
227
Lab 9: Hosting Inbound Services

Slide 5-72
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Configure vApps and Networks for Hosting Inbound Services
228

Slide 5-73

Create a direct-connect organization VDC network
Create a routed organization VDC network
Create a suballocated IP pool for an organization VDC network
Create a fenced vApp
Create a destination network address translation (DNAT) mapping
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
229
Key Points
Slide 5-74
Organizations must be created before you create organization VDCs

and organization VDC networks.
Catalogs are libraries that are normally restricted to a single
organization but might be opened up to an entire cloud.
ail
.co
m
Organizations might be connected to cloudwide LDAP systems or have

an organization-only LDAP system.
A catalog provides organization users with a library of vApp templates

and media that they can use to create vApps and install applications on
virtual machines.
tm
Organizations provide secure, controlled, self-service environments for

consumers to access IT services.
vApps are based on vApp templates that are stored in the catalog.
ho
In VMware vCloud infrastructures, IT services are delivered through

organizations.
go
th
ic_
re
ad
er
Questions?
230
MODULE 6
VMware vCloud Director Basic

Security
Slide 6-1
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Module 6
231
You Are Here

Slide 6-2

Resources

Components

Components

Users
ail
.co
m
Course Introduction
go
th
ic_
re
ad
er
ho
tm
232
Importance
Slide 6-3
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
VMware vCloud Director is designed to be a secure environment.

vCloud Director administrators must be able to use security roles
and LDAP integration to keep VMware vCloud secure.
Module 6 VMware vCloud Director Basic Security
233
Module Lessons
Slide 6-4
Security Roles
Lesson 2:
LDAP Integration
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 1:
234
Lesson 1: Security Roles

Slide 6-5
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 1:
Security Roles
235
Learner Objectives
Slide 6-6
objective:
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Create and manage security roles in vCloud Director
236
vCloud Director Security

Slide 6-7
vCloud Director security

identifies users from five
possible locations:
system
administrators
vCloud Director local

vCloud Director
imported from LDAP
Organization local
Organization imported
from LDAP
VMware vSphere
identity provider
vSphere
users
organization
local
users
local
users
ho
tm
vCloud Director
ail
.co
m
imported
users
LDAP server
imported
users
VMware
vSphere
identity
provider
ad
er
LDAP server
re
VMware vCloud Director security architecture identifies users from five possible locations:
ic_
Locally defined in vCloud Director
go
th
Imported users from a Lightweight Directory Access Protocol (LDAP) server into vCloud
Director
Locally defined users within each organization
Imported users from an LDAP server into a specific organization
Imported users from the VMware vSphere identity provider
All users defined at the system level are system administrators. System administrators have full
rights in all organizations in the cloud.
237
vCloud Director Security Roles and Rights

Slide 6-8
Roles are a collection of rights.

Roles (other than system administrator) exist only at the organization
level.
Each user or group must be assigned to a role.
The same user can have different roles in different organizations.
Users can be assigned roles by belonging to a group.
Groups must be imported from external directory services, such as
LDAP.
ail
.co
m
Rights determine which actions a user can perform.
End users of cloud services do not require user ID or security rights in

vCloud Director.
End-user access should be controlled by application software in a vApp.
ad
er
ho
tm
go
th
ic_
re
vCloud Director uses roles and rights to determine what actions a user can perform in an
organization. vCloud Director includes a number of predefined roles with specific rights. System
administrators and organization administrators must assign each user or group a role. The same user
can have a different role in different organizations. System administrators can also create roles and
modify existing ones.
238
Predefined vCloud Director Security Roles

Slide 6-9
vCloud Director includes predefined roles:
System Administrator
Organization Administrator
Catalog Author
vApp Author
vApp User
Console Access Only
ad
er
ho
tm
ail
.co
m
go
th
All roles can be modified by system administrators except for the system administrator role. System
administrators can also create new custom roles.
239
ic_
re
The six predefined roles in vCloud Director are system administrator, organization administrator,
catalog author, vApp author, vApp user, and console access only.
Console Access Only Role

Slide 6-10
Can view and use the console of a virtual machine in a vApp

Can manage virtual machine password settings from inside the guest
operating system (no access to vCloud Director guest customization of
virtual machines)
Assign to end users who might be system administrators of the virtual

machines within a VMware vSphere vApp but who have no
administration duties related to vCloud.
Excellent for the following:
Windows administrators
Linux root administrators
Application administrators and developers, such as Web site administrators,
database administrators, and email administrators.
ad
er
ho
tm
Extremely limited role:
ail
.co
m
th
ic_
re
The Console Access Only role is an extremely limited role. It should be assigned only to end users
who have some kind of system administration responsibility on the virtual machines within a
specific VMware vSphere vApp. The Console Access Only role should not be assigned to
individuals who have cloud-related administration responsibilities.
go
The major difference between the Console Access Only role and the vApp user role is that console
access only users do not have the ability to do things at the vSphere level of the architecture. These
include actions such as being able to modify the properties of a virtual machine or to copy a virtual
machine.
240
vApp Users
Slide 6-11
The vApp User role is useful for virtual machine system

administrators. vApp users can do the following:
Operate a vApp:
Start, stop, suspend, and reset

Access a virtual machine console
ail
.co
m
Share a vApp
Copy and move a vApp
Edit virtual machine properties:
Does not include resource items such as CPU, memory, network, or disk
Manage virtual machine password settings
th
go
The vApp user role is designed mainly for individuals who are system administrators of the virtual
machines that a vApp is made of. An end user or customer does not need the vApp user role to use a
vApp from a network connection.
Examples:
If your vApp is a Web application designed to allow customers to place orders then those
customers are not going to need the vApp user role to place an order on the Web site.
If your vApp is a Web application designed to allow help desk personnel to enter and update
trouble tickets those users are not going to need the vApp role to enter or manage tickets.
If you have an individual who is the system administrator of a Web application (root user) they
might need the vApp user role to manage their systems in the vApp.
241
ic_
re
The vApp user role is designed to allow someone to use a vApp. The vApp user role includes the
ability to change (nonresource) properties, to access the console, to share a vApp, to copy or move a
vApp, and to manage the passwords of virtual machines within the vApp. A vApp User can delete a
vApp but cannot create one.
ad
er
Edit vApp properties
tm
Delete (but not create) a vApp
ho
vApp Authors
Slide 6-12
They can modify the following on a virtual machine:
Memory
CPU
Disks
Passwords
They can create and modify vApp networks.

They can view and add vApps from organization catalogs.
The vApp Author role Includes all of the rights of the vApp User role.
ad
er
ho
tm
vApp authors can create and manage vApps.
ail
.co
m
go
th
ic_
re
The vApp Author role is more limited than most other roles. It basically allows a user the ability to
create and manage vApps. The vApp Author role includes the ability to modify settings on virtual
machines within their vApps. This role can also create vApps from catalogs.
242
Catalog Authors
Slide 6-13
Catalog authors can create and publish catalogs.

Organization administrators can create and publish catalogs.
Control over whether an organization administrator or a catalog author can
publish a catalog outside of an organization is managed by the vCloud
Director system administrator.
Catalog authors have all of the rights of a vApp author.
th
go
243
ic_
re
The catalog author role has the ability to create and publish catalogs. Whether a catalog author can
publish a catalog beyond organizational boundaries is controlled by the vCloud Director system
administrator.
ad
er
ho
tm
ail
.co
m
Catalog authors have limited ability to control catalog publishing:
Organization Administrators
Slide 6-14
Add or manage organization users

Create or manage catalogs
Edit organization properties
Edit organization SMTP settings
Send email notifications
View and edit organization networks
Create new routed and isolated organization networks
Edit quota and lease policies
A vCloud Director system administrator has the Organization

Administrator role by default in all organizations.
ad
er
ho
tm
Organization administrators can do the following:
ail
.co
m
go
th
ic_
re
The organization administrator has broad powers within an existing organization. The organization
administrator role does not have the ability to add resources from the underlying vSphere
infrastructure to the cloud. But after organization VDCs and organization networks have been
created for an organization by the system administrator of VMware vCloud, the organization
administrator can manage them.
All system administrators of vCloud have the organization administrator role in all organizations. It
is not possible for an organization administrator to modify a system administrators rights within
their organization.
244
Organization Administrators and Networks

Slide 6-15
Organization administrators do have the right to create organization

VDC networks.
Organization networks that can be created by organization administrators

are limited to routed and isolated organization networks.
Organization administrators do not have the ability to create directconnected organization networks.
Organization administrators can modify some of the properties and

configuration of an edge gateway.
Organization administrators cannot create or modify external networks.
ad
er
Organization administrators cannot create edge gateways.
tm
Organization administrators can change the properties on organization VDC

networks.
ail
.co
m
In vCloud Director 1.5, organization administrators cannot create any kind of

organization network.
ho
th
ic_
re
The organization administrator role has a special relationship to organization virtual data center
(VDC) networks. In contrast to vCloud Director 1.5 organization administrators can now create
organization networks. However, these organization networks are limited to routed and isolated
networks. Only system administrators can create direct-connected organization networks.
go
Another change between vCloud Director 1.5 and vCloud Director 5.1 is the edge gateway.
Organization administrators cannot create edge gateways. But they can modify some of their
properties and configuration.
245
System Administrator Role

Slide 6-16
All users defined at the vCloud Director system level are system
administrators.
Other roles can only be assigned to users at the organization level.

If a user is going to be assigned a role other than system administrator, the
user ID should not be created at the system level.
You can create individual users or import groups of users at the system
level.
System Administrator is the only type of user account with cloud-wide
rights in vCloud Director.
System administrators create and manage everything in the cloud
Only system administrators can create and modify roles.
ad
er
ho
tm
ail
.co
m
go
th
ic_
re
The vCloud Director System Administrator role is the root or Administrator account for the
entire cloud. The only users who exist outside of the organizations are system administrators. All
system administrators within vCloud Director have full rights to all organizations. Individuals who
operate in the vCloud Director System Administrator role are often the same as VMware vCenter
Server administrators.
All users who are defined at the vCloud Director system level are system administrators. These
include users created in vCloud Director and users imported from external LDAP systems into
vCloud Director. If a user must have less than System Administrator rights, the user should be
created at an Organization level. It is possible to have the same user imported into different
organizations from one LDAP system. That user can then be assigned different rights in each
organization if desired.
Users do not have to be imported from LDAP or created at organization level. You can create users
or import users from LDAP at the system level. It is also possible to import groups of users from
external LDAP servers at the system level.
246
Custom Roles
Slide 6-17
Create a role from the beginning by manually selecting the desired rights
Copy a role to a new role and modify the rights
System administrators can also modify a role.

Some rights that can be assigned to custom roles might have limited
functionality.
Best practices:
Do not modify or delete roles.

Copy a role to a new role.
Modify the rights as desired.
Assign the new role to users.
th
go
247
ic_
re
System administrators can create custom roles by either creating a role from the beginning or by
copying and modifying an existing role. System administrators also can delete roles. The best
practice is not to delete or modify the standard roles. Instead, either create a role from the beginning
or copy an existing role and modify it.
ad
er
ho
tm
System administrators can create new roles as follows:
ail
.co
m
Switching Between Roles

Slide 6-18
A single individual might have access to multiple user IDs with different
roles.
Web browsers have the ability to use tabs to open multiple sessions in
the same browser.
To switch between user IDs with different roles, users should use the
following procedure:
ad
er
ho
Click Log Out in the upper-right corner of the browser window.

Close the tab.
Open a new tab with the correct URL to the desired vCloud Director
console.
Log in under the new user ID that has a different security role in the new
tab.
ail
.co
m
Example: A system administrator who needs to test an organization

administrator account
tm
go
th
ic_
re
If an individual must switch between two different roles in vCloud Director, that individual must
carefully manage the browser tabs that give them access to the vCloud Director console. Use the
procedure outlined here to switch between vCloud Director security roles.
248
Lab 10: Managing Custom Security Roles

Slide 6-19
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Manage a custom VMware Cloud Director security role
249

Slide 6-20
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Create and manage security roles in vCloud Director
250
Lesson 2: LDAP Integration

Slide 6-21
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 2:
LDAP Integration
251
Learner Objectives
Slide 6-22
objectives:
Create custom vCloud Directory security roles
Integrate LDAP servers with vCloud Director
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
252
LDAP Integration
Slide 6-23
Active Directory (Windows)

OpenLDAP (Linux)
Authentication methods:
Simple with optional SSL

Kerberos with optional SSL
Only the system administrator can configure LDAP settings.

Each organization can have a separate LDAP configuration.
ail
.co
m
vCloud Director supports two types of LDAP integration:
Users and groups must be manually imported into vCloud Director.

If you are using VMware vCenter Single Sign-On, you can
identify your LDAP server as an identity provider.
Users are treated like users imported from LDAP.
th
go
Multiple methods of authentication are supported, depending on which type of LDAP server you
have connected to.
Each organization can have its own LDAP configuration. Users and groups must be imported into
the organization and assigned roles before they can be used. It is possible to modify how often
vCloud Director will connect to the LDAP server to synchronize accounts.
vCloud Director 5.1 has the capability to import users from VMware vCenter Single SignOn. These users are treated in a manner similar to users imported from LDAP sources. Users can
be imported from any system configured in vCenter Single Sign-On as an identity provider.
The use of vCenter Single Sign-On and other vCloud Director security integration features such as
Security Assertion Markup Language (SAML) are covered in more detail in the advanced vCloud
Director courses.
253
ic_
re
You can use an LDAP service to provide a directory of users and groups to import into an
organization. If you do not specify an LDAP service, you must create a user account for each user in
the organization. LDAP options can only be set by a system administrator and cannot be modified
by an organization administrator.
ad
er
ho
tm
LDAP Integration Benefits

Slide 6-24
User ID and password

Email address
Group membership
Contact information
An external LDAP system enables a single location to be shared

between other systems and vCloud Director to manage user security
(single sign-on).
vCloud Director checks users who were imported from LDAP at login to
ensure that credentials are correct.
ad
er
ho
tm
LDAP systems can define and manage a large amount of user

properties external to vCloud Director:
ail
.co
m
go
th
ic_
re
vCloud Director provides for single sign-on capability. A single sign-on capability enables a user to
have a single user ID and password that works throughout the system. vCloud Director provides
single sign-on by integrating LDAP. vCloud Director imports user IDs from external LDAP
systems. vCloud Director can also import other key information such as email addresses, group
membership, and contact information.
vCloud Director does not import user passwords from external LDAP systems. Instead vCloud
Director confirms that a password is correct when a user logs in by checking the supplied password
hash against the password hash currently stored in the LDAP directory.
In this discussion, the term single sign-on should be considered a generic security term.
254
LDAP Synchronization
Slide 6-25
The vCloud Director user account is not created until first login.
vCloud Director does not support recursive OU import.
Users and groups are pulled from the target OU only
vCloud Director cannot modify the information in an LDAP directory.

You must configure the frequency of synchronization of vCloud Director
user and group information with LDAP.
th
go
vCloud Director does not support hierarchial domains in LDAP.

vCloud Director cannot modify the information in an LDAP directory.
vCloud Director will synchronize imported user data such as group membership, e-mail address and
contact information. The period of synchronization must be configured by either the system
administrator (for vCloud Director system-wide user accounts) or the organization administrator (for
custom LDAP configurations at the organization level).
255
ic_
re
vCloud Director does not automatically import users and groups from LDAP systems. Instead you
must manually select which users and groups to import. vCloud Director checks the users
credentials for all imported users at login time. It is not possible for a user in an external LDAP
directory to log in to vCloud Director unless their user ID has been imported by vCloud Director.
ad
er
ho
tm
ail
.co
m
LDAP users cannot log in to vCloud Director until their user ID has
been imported.
LDAP Network
Slide 6-26
Each organization can query an organization-specific LDAP server
Organizations can share a custom LDAP server
A single LDAP server can serve the entire cloud.
Organizations require individual LDAP OU definitions.
vCloud
Director
database
server
vShield
Manager
organization
Alpha
LDAP server
organization
Beta
LDAP server
ad
er
ho
tm
vCloud
LDAP
server
vCenter
Server
system
ail
.co
m
go
th
ic_
re
vCloud Director can use LDAP at both the system level and the organization level. At the system
level you can either connect to an external LDAP system or you can create and use users who are
internal to vCloud Director. Even if you use an external LDAP system, VMware recommends that
you create at least one system user that is internal-only. The existence of at least one internally
defined system administrator allows you to log in to your vCloud Director console even if the LDAP
system is offline.
256
LDAP Login Depends on Authentication Method

Slide 6-27
Simple authentication consists of sending the LDAP server the user's

distinguished name and password. If you are using LDAP, the LDAP
password is sent over the network in clear text. Example:
cn=Manager,dc=vclass,dc=local
Kerberos:
Kerberos issues authentication tickets to prove a user's identity. If you select

Kerberos, you must select a realm. Example:
Administrator@rd.vclass.local
If the user name is blank, vCloud Director attempts to access the LDAP
server with an anonymous (read-only) login. Some LDAP systems are
configured to support anonymous login.
th
go
Kerberos is a ticket-based system of client and server authentication. Both parties must prove their
identity to each other. Kerberos uses symmetric key cryptography and can also leverage public key
cryptography.
Windows active directory is an LDAP directory service that uses a custom implementation of
Kerberos.
In order to use Kerberos, you must first configure a Kerberos realm into vCloud Director.
Some LDAP servers are configured to allow anonymous login. They will allow any system to search
the LDAP directory for information. Anonymous login is always read-only. If the vCloud Director
server is configured with a blank user name (in DN format) then vCloud Director will attempt an
anonymous login.
257
ic_
re
There are two ways to log in to the LDAP server. Simple and with Kerberos authentication. Simple
authentication is simple. You send a users distinguished name (DN) and a password to the LDAP
server. The DN must be in LDAP format with common name (CN) and domain components (DC).
The LDAP server will then allow you to execute searches on information in the LDAP directory.
ad
er
ho
tm
Simple:
ail
.co
m
Kerberos Integration
Slide 6-28
vCloud Director can use Kerberos or Kerberos plus SSL to authenticate to

Active Directory LDAP servers.
You must add a Kerberos realm to use Kerberos authentication:
Realm names are all uppercase unless Allow lower-case realms has been
selected in the LDAP configuration panel.
For Active Directory, the realm is the domain name in uppercase. Example:
ENGINEERING.ACME.COM
The KDC is the domain controller. Example:
To use Kerberos, you must use only the fully qualified domain name when
you configure the host name or IP of the LDAP server in vCloud Director.
ad
er
The vCloud Director server must be able to access the LDAP servers and
the KDCs.
tm
Connecting to LDAP and adding Kerberos realms requires DNS name

resolution to the Key Distribution Center (KDC).
ho
ail
.co
m
DC1.ENGINEERING.ACME.COM
go
th
ic_
re
If you are using Kerberos authentication, you must add a Kerberos realm to the vCloud Director
server first. To use an LDAP server, the vCloud Director server must be able to connect to it over
the network. This connection requires a proper DNS configuration. Some LDAP systems use a Key
Distribution Center that is a separate server from the LDAP server. If you are using Kerberos
authentication, the vCloud Director server must be able to connect to the KDC if it is separate from
the LDAP server.
It is possible to serve the entire vCloud with a single LDAP server. Or individual organizations can
have their own LDAP servers.
vCloud Director can use either Kerberos or Kerberos + SSL to authenticate to LDAP servers if the
LDAP server is either a Windows 2003 or a Windows 7 domain controller.
Kerberos is not supported when vCloud Director authenticates to Linux OpenLDAP servers.
However to increase security it is possible to use SSL when authenticating to Linux OpenLDAP
servers.
Before vCloud Director can use Kerberos, you must configure the Kerberos realm in vCloud
Director.
258
Windows Active Directory is an LDAP directory that also uses a modified implementation of
Kerberos. If you are trying to connect to a Windows LDAP then the realm name is the same thing as
the Windows domain name in upper case.
To use Kerberos to log in to a Windows LDAP the Key Distribution Center (KDC) is the domain
controller. You can use any domain controller in the domain as the KDC.
Kerberos is one of the most secure and reliable systems ever created for secure authentication. But it
can have problems. Most problems with Kerberos authentication can be traced to one of two issues:
DNS issues. If there are minor differences in DNS in the way a node name is stored it can
prevent Kerberos authentication. These differences might not cause problems for other types of
network connections. Kerberos requires the DNS name to be exactly what you are trying to
authenticate to in Kerberos. The same name must be used in the Kerberos tickets. The best
practice is to use the FQDN in all places.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lack of time synchronization. Kerberos tickets are time stamped to prevent an intruder from
stealing and reusing tickets. The standard limit for time drift is 5 minutes. If is more than a 5minute difference occurs from the time of the client trying to connect (in this case, the vCloud
Director server) to the Kerberos KDC, the ticket is considered invalid. Prevent time
synchronization problems by synchronizing the vCloud Director server and the Kerberos KDC
to the same time source. Using NTP servers on all systems solves this problem.
259
About Kerberos for Active Directory LDAP

Slide 6-29
Warning: Use of simple authentication without using SSL results in the

clear text transmission of the password that is used to connect to the
LDAP system.
ad
er
ho
tm
ail
.co
m
Kerberos not required. You can connect vCloud Director to an Active

Directory LDAP server using simple authentication.
CAUTION
go
th
ic_
re
If you are using a Microsoft Active Directory LDAP server, must you use Kerberos authentication?
No.You can connect a vCloud Director server to a Microsoft Active Directory LDAP server with
simple authentication. Microsoft Active Directory does not support anonymous authentication by
default, but it is possible to configure Active Directory to support anonymous authentication.
If you use simple authentication without at least combining it with SSL, then the user ID (DN) and
password are sent in clear text on the network.
260
SSL Integration
Slide 6-30
You can either accept all

certificates or browse to a
specific certificate.
To use a specific SSL
certificate, you must also
have access to the SSL
keystore and you must
configure the keystore
password.
th
go
If you require a specific SSL certificate, the certificate will increase security. But the certificate from
the LDAP server must be located on your system (the one the vCloud Director browser console is
running from) and you must know the location to your SSL Key Store file and have the password.
261
ic_
re
To use SSL, you must select it. You must then determine if you will automatically accept all
certificates or if you will insist on browsing to a specific certificate. Using all certificates is much
easier to configure. If your LDAP server has a certificate, it is accepted automatically. The use of
SSL also provides an encrypted password exchange with the LDAP server.
ad
er
ho
For LDAPS, the default TCP

port is 636, not 389.
ail
.co
m
Select Use SSL to use

LDAP over SSL (LDAPS).
tm
LDAP Terminology and Syntax

Slide 6-31
RDN = relative distinguished name
Think of the DN as the full file path and the RDN as a relative filename in its
parent folder.
CN = common name
OU = organizational unit
DC = domain component
Jane Smith, in Sales, at the Newtech branch of Acme Company:
ail
.co
m
Sample syntax for two employees named Jane Smith who work for the
same company and are in the same LDAP directory:
dn: cn=Jane Smith, ou=Sales, dc=Newtech, dc=acme, dc = com
Jane Smith, in Engineering, at the Oldtech branch of Acme Company:

dn: cn=Jane Smith, ou=Engineering, dc=Oldtech, dc=acme, dc = com
ad
er
tm
DN = distinguished name
ho
ic_
re
LDAP directories use unique terminology and syntax. This slide shows some of the common
examples.
go
th
These LDAP schema attributes can be used to uniquely identify two different users with the same
name in different parts of the directory. The Distinguished Name (DN) and Relative Distinguished
Name (RDN) are both frequently used in LDAP system. You will have to use the DN for LDAP
queries in vCloud Director. You will also have to supply Domain Components (DC) as part of the
connection string.
262
LDAP Namespace Diagram: Example

Slide 6-32
dc=acme, dc=com
dc=newtech
dc=oldtech
ou=engineering
ail
.co
m
ou=sales
cn=Jane Smith
ad
er
ho
tm
cn=Jane Smith
go
th
ic_
re
Here is a graphical representation of two individuals with the same name in different locations
within an LDAP directory.
263
Common LDAP Attributes

Slide 6-33
ad
er
ho
tm
ail
.co
m
Check with your LDAP administrator to confirm that you are using
the correct schema. Different LDAP systems use different attributes.
th
ic_
re
The schema used by different LDAP systems might vary. Check with your LDAP administrator to
confirm that you are using the correct schema for your vCloud Director configuration. If your
schema is configured incorrectly then you will not be able to execute searches on the LDAP
directory.
go
This slide shows two different possible configurations that are used in OpenLDAP. Both of these
have minor differences with Active Directory.
264
Querying LDAP Attributes

Slide 6-34
ad
er
ho
tm
ail
.co
m
Missing data might simply indicate that the LDAP database did not
have values in all of the fields that you queried. Mismatches on
attributes might cause searches to fail.
go
th
ic_
re
Even if the LDAP attributes in vCloud Director are configured correctly, you might have errors
returned on a search. Errors can occur if data is not present in the LDAP directory. An example
would be a user who does not have an email address or telephone number listed in the directory.
265
LDAP at the Organization Level

Slide 6-35
ad
er
ho
tm
ail
.co
m
You can specify a custom LDAP at the organization level, which allows each
organization to have a different (private) LDAP system.
If you bind all of your organizations to the same LDAP server (for example, in a
private cloud), VMware recommends that each organization have a unique
OU.
Only vCloud Director system administrators can configure LDAP for
organizations.
After LDAP is configured, organization administrators can import LDAP users
and groups.
re
At the organization level, vCloud Director presents three options:
th
vCloud Director system.
ic_
1. Do not use LDAP. All of the users in this organization will be internally defined within the
go
2. Use the vCloud Director system LDAP service. The organization uses the LDAP service that
has been configured at the system level. To leverage the system-defined LDAP, all organization
users must be defined in the same Organization Unit (OU) in the LDAP database. You must
configure that OU here. VMware recommends that different organizations have unique OUs
within LDAP. The use of unique OUs preserves multitenancy. Using one system-wide LDAP
service with unique OUs for each organization is a VMware best practice for a private cloud
configuration.
3. Use a custom LDAP server. A custom LDAP server enables an organization to use its own
LDAP service. VMware recommends the use of custom LDAP servers in public cloud
implementations.
266
Password Protection
Slide 6-36
LDAP user passwords are never stored in the vCloud Director

database.
Local user passwords are salted and hashed before storage in the
vCloud Director database.
vCloud Director also maintains other passwords for accessing
certificates, databases, VMware vCenter Server systems, and
VMware vShield Manager servers:
th
go
vCloud Director also stores some passwords. These include passwords for accessing certificates,
databases, VMware vCenter servers, and VMware vShield Manager servers. All of these
passwords are stored in encrypted form in the file $VCLOUD_HOME/etc/global.properties on
the vCloud Director server. Carefully protect any backups that contain that file.
267
ic_
re
LDAP users will never have their passwords stored in the vCloud Director database. Any users that
are defined internally to vCloud Director will have their passwords stored in the vCloud Director
database in an encrypted and salted form.
ad
er
ho
tm
These passwords are encrypted using a unique key per vCloud Director
installation.
These passwords are stored in
$VCLOUD_HOME/etc/global.properties.
ail
.co
m
vCloud Director and vCenter Single Sign-On

Slide 6-37
vCenter Single Sign-On must be configured in vSphere.

The vSphere Lookup Service must be registered in the vCloud
Director Administration tab, under Federation.
vCloud Director system administrator users must be imported (either as
a user or a group) from the vSphere identity provider.
Single Sign-On can also be configured at the organization level, but
requires metadata.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
When vCenter Single Sign-On is configured, vCloud Director system

administrators are authenticated by the vSphere identity provider.
268
vCloud End-User Single Sign-On

Slide 6-38
VMware Horizon Application Manager:
Provisions and entitles secure access

Tracks SaaS license activity
Generates usage reports
Used with applications such as the following:
tm
ail
.co
m
Google Apps
Salesforce.com
WebEx
AmericanAirlines
Facebook
ADP
Mozy
ho
th
go
You can configure a single sign-on service for end users with VMware Horizon Application
Manager. VMware Horizon Application Manager enables you to integrate end-user cloud
security with numerous third-party applications.
269
ic_
re
vCloud Director user IDs and passwords are for users who have administrative responsibilities
within the vCloud Director system. Cloud administrative users include catalog authors, vApp
authors, and organization administrators. LDAP and vCloud Director user accounts are not required
for end users.
ad
er
Secures end-user access to software as a service (SaaS) and Web

applications across different devices
Security Best Practices

Slide 6-39
For best practices on hardening your vCloud implementation, see

these documents:
https://www.vmware.com/support/support-resources/hardening-guides.html
VMware vCloud Architecture Toolkit (vCAT 3.1)
http://www.vmware.com/cloud-computing/cloud-architecture/vcattoolkit3.html
ail
.co
m
VMware Security Advisories, Certifications & Guides
go
th
ic_
re
ad
er
ho
tm
All documents can be found at http://www.vmware.com
270
Lab 11: Integrating LDAP and Active Directory

Slide 6-40
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Integrate LDAP into a VMware vCloud
271

Slide 6-41

Create custom vCloud Directory security roles
Integrate LDAP servers with vCloud Director
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
272
Key Points
Slide 6-42
vCloud Director has several predefined security roles.

System administrators can create custom security roles.
LDAP systems can be integrated into vCloud at both the system and
organization level.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Questions?
273
ail
.co
m
tm
ho
@
er
ad
re
ic_
th
go
274
MODULE 7
7
Slide 7-1
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Module 7
275
Managing VMware vCloud Director Resources

Resources
You Are Here

Slide 7-2

Resources

Components

Components

Users
ail
.co
m
Course Introduction
go
th
ic_
re
ad
er
ho
tm
276
Importance
Slide 7-3
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Effective management of vCloud Director resources also ensures the

highest efficiency and cost-effectiveness in their use.
Module 7 Managing VMware vCloud Director Resources
277
Effective management of VMware vCloud Director resources

(providers and networks) ensures that customers always have the
resources they need while using corporate IT assets.
Module Lessons
Slide 7-4
Managing Cloud Resources as a System

Administrator
Lesson 2:
Managing Organization Resources
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 1:
278
Lesson 1: Managing Cloud Resources as a System

Administrator
Slide 7-5
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 1:
Managing Cloud Resources as a System
Administrator
279
Learner Objectives
Slide 7-6
objectives:
Use the cell management tool to perform basic cell maintenance tasks
Manage provider and organization virtual data centers
Manage external networks and edge gateways
Prepare and unprepare VMware ESXi hosts
Configure and send email notifications
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
280
Cloud Cell Maintenance

Slide 7-7
Commands for basic server and cell maintenance:
ad
er
ho
tm
ail
.co
m
Cell maintenance activities are performed from the command line on

the VCD server system.
th
ic_
re
Most of the activities to manage a cloud cell are done at the command line on the VMware vCloud
Director server on which the cell resides. The only operation that you can perform using the
vCloud Director Web console is deleting the cloud cell.
go
To add cloud cells to a vCloud Director installation, install the vCloud Director software on
additional Cloud Director servers in the same vCloud Director cluster.
The cell management tool is a command-line utility that you can use to manage a cell and its SSL
certificates and to export tables from the vCloud Director database. Superuser or system
administrator credentials are required for some operations.
You can use the cell management tool to gracefully shut down a vCloud Director cell, which is
especially useful when you need to upgrade the version of vCloud Director. Before you upgrade a
vCloud Director server, use the cell management tool to quiesce and shut down vCloud Director
services on the servers cell.
vCloud Director creates a task object to track and manage each asynchronous operation that a user
requests. Information about all running and recently completed tasks is stored in the vCloud
Director database. Because a database upgrade invalidates this task information, you must be sure
that no tasks are running when you begin the upgrade process.
281
With the cell management tool, you can suspend the task scheduler so that new tasks cannot be
started, then check the status of all active tasks. You can wait for running tasks to finish or log in to
vCloud Director as a system administrator and cancel them. When no tasks are running, you can use
the cell management tool to stop vCloud Director services.
Prerequisites
Verify that you have superuser credentials for the target server.
Verify that you have vCloud Director system administrator credentials.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
If you are stopping vCloud Director services as part of a vCloud Director software upgrade, you
must use the cell management tool, which allows you to quiesce the cell before stopping
services.
282
Cloud Cell Maintenance Message

Slide 7-8
Turn on the cloud cell maintenance message during maintenance:
Displayed whenever users try to access the vCloud Director interface
To enable the maintenance message, use these commands:

# service vmware-vcd stop
# /opt/vmware/vcloud-director/bin/vmware-vcd-cell maintenance
To disable the maintenance message, use these commands:
ad
er
ho
tm
ail
.co
m
# /opt/vmware/vcloud-director/bin/vmware-vcd-cell stop
# service vmware-vcd start
ic_
re
If you want to stop a cell and let users know that you are performing maintenance, you can turn on
the maintenance message.
go
th
When the maintenance message is turned on, users who attempt to log in to the cell from a browser
see a message stating that the cell is down for maintenance. Users who attempt to reach the cell
using the VMware vCloud API receive a similar message.
283
Cell Management Tool (1)

Slide 7-9
To list available commands, at the command prompt, type cellmanagement-tool h.

Commands:
cell
Suspends the task scheduler

Checks the status of active tasks
Shuts down the cell gracefully
dbextract
certificates
Exports data from the vCloud Director database

Replaces the cells SSL certificates
go
th
ic_
re
ad
er
ho
ail
.co
m
The cell management tool is located in /opt/vmware/vclouddirector/bin.
tm
284
Cell Management Tool (2)

Slide 7-10
Commands:
generate-certs
recover-password
Generates new self-signed SSL certificates for the cell

Recovers the vCloud Director system administrator password
Requires the knowledge of the vCloud Director database user name and
password
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
285
Provider Virtual Data Center Management

Slide 7-11
Enable and disable a provider virtual data center (VDC)
When disabled:
Delete a provider VDC
Delete a provider VDC to release its compute, memory, and storage

resources from vCloud Director.
Dependencies must be deleted first
ail
.co
m
Upgrade the hardware version supported by a provider VDC
The selected hardware version must be supported by the underlying

VMware vSphere infrastructure.
Downgrading the hardware version is not supported.
tm
Merge with another provider VDC
Combine two provider VDCs into a single managed provider.
ad
Already-running VMware vSphere vApps and powered-on virtual

machines continue to run.
ho
vApps cannot be created, deployed from the catalog, nor started.
New organizations cannot be created.
er
ic_
re
After you create a provider virtual data center (VDC), you can modify its properties, disable or
delete it, and manage its VMware ESXi hosts and datastores.
go
th
Disabling a provider VDC prevents the creation of organization VDCs that use the provider VDC
resources. When a provider VDC is disabled, vCloud Director also disables the organization VDCs
that use its resources. If VMware vSphere vApps are running and you have powered-on virtual
machines, these virtual machines continue to run, but you cannot create or start additional vApps or
virtual machines on this disabled provider VDC.
When you delete a provider VDC, it removes its compute, memory, and storage resources from
vCloud Director, although the resources remain unaffected in VMware vSphere. As with each
hierarchy-dependent construct in vCloud Director, the construct, or object, cannot be deleted until
the administrator manually resolves dependencies. To delete a provider VDC, you must first resolve
the dependencies by disabling and deleting the dependent objects.
You can upgrade the hardware version based on the capabilities of the ESXi hosts in use.
Downgrading the highest supported hardware version is not supported.
286
The target Provider VDC includes the networks, network pools, storage policies, resource
pools, and datastores from all of the contributors.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Organization VDCs that were backed by the contributors are now backed by the target.
287
In earlier releases of vCloud Director, a Provider VDC could be backed by no more than one
resource pool. vCloud Director 5.1 removes that limitation, and allows you to merge existing
Provider VDCs to create a single Provider VDC that is backed by multiple resource pools. When
you merge Provider VDCs, you select one or more Provider VDCs as contributors and one Provider
VDC as the target of the merge. When the merge is complete, these changes are effective:
You can merge one or more Provider VDCs with an existing Provider VDC. The merged Provider
VDC contains the union of all resources from the contributing Provider VDCs. Only the merged
provider remains, all other provider objects are deleted. All dependent objects are automatically
updated. Organization VDCs are now shown as backed by the merged provider.
Managing External Networks

Slide 7-12
Existing edge gateways and direct-connect organization VDC networks are

unaffected.
Network traffic is not blocked. Instead, additional allocation of resources is

disabled, such as the static IP pool.
Change DNS parameters used by an external network
ail
.co
m
Add, remove, and modify static IP pool ranges used by an external

network
Added ranges must be relevant to the subnet specification.
You cannot remove a range that contains already-allocated addresses.
You cannot modify a range that contains already-allocated addresses
unless the resulting range includes the registered allocations.
tm
Delete an external network
ad
er
When disabled:
ho
Enable and disable an external network
go
th
ic_
re
You can enable and disable external networks in the network properties page, under the Network
Specification tab. When you disable an external network you are disabling the pool resources
available for the network, including any static IP pool ranges. Because the static IP pool is disabled,
you cannot create edge gateways nor run vApps or virtual machines that require static IP pool
allocation from the external network.
When an external network is disabled, the network continues to pass traffic. Already-deployed edge
gateways and running direct-connect organization VDC networks continue to operate and continue
to have whatever connectivity that has been configured.
You can change certain aspects of the network specification of an external network, but you cannot
change the Gateway IP address or the subnet mask. You can change the DNS parameters and the
DNS relay setting. You can manage the static IP pool by adding, removing, and modifying IP
address ranges.
When managing the static IP pool for an external network it is important to remember to check the
current IP allocations table. You cannot delete a static IP range that contains an already-allocated IP
address. Likewise, you cannot modify an existing IP range in a manner that would exclude an
already-allocated IP address.
288
If you need to change the subnet characteristics of an external network, create a new external
network with those characteristics.
ail
.co
m
tm
ho
@
er
ad
re
ic_
th
go
289
You can delete an external network once all dependencies on that network have been removed.
Dependencies include edge gateways and other direct-connect organization VDC networks. Resolve
dependencies by shutting down, disabling, and deleting the dependent objects or by changing the
dependent relationship.
Managing Network Pools

Slide 7-13
Depending on the type of network pool, you can do the following:
Add and remove port groups.

Add and remove isolation-backed networks.
Add, remove, and change VLAN ID ranges.
ad
er
ho
tm
ail
.co
m
Delete a network pool
ic_
re
After you create a network pool, you can modify its name and description or delete it. Depending on
the type of network pool, you can also add port groups, Cloud isolated networks, and VLAN IDs.
go
th
You can add Cloud isolated networks to a vCloud Director network isolation-backed network pool.
Verify that you have a network pool that is backed by a port group and verify that you have an
available port group in vSphere.
You can add Cloud isolated networks to a vCloud Director network isolation-backed network pool
(a vCloud Director network isolation-backed network pool).
You can delete a network pool to remove it from vCloud Director provided that it satisfies the
following prerequisites:
No organization VDC is associated with the network pool.
No vApps use the network pool.
No NAT-routed or internal organization VDC networks use the network pool.
290
Organization Virtual Data Center Management: System

Administrator
Only a system administrator can:
Change the allocation model properties of an organization VDC
The allocation model type cannot be changed
Configure thin and fast provisioning options of an organization VDC

Change the network pool type and size used by an organization VDC
Disable an organization VDC
When disabled:
ail
.co
m
Reservations and guarantees, policy quotas
New vApps cannot be created or deployed from the catalog

Existing vApps continue to run unaffected
Delete an organization VDC

re
ad
er
tm
ho
Slide 7-14
go
th
ic_
As a system administrator, you have complete configuration control over each organization VDC
with few limitations. The system administrator cannot change the fundamental allocation model of
an organization VDC. The system administrator can, at any time, change the characteristics and
settings associated with the selected allocation model, including reservations, guarantees, policy
limits, and maximum leases. These settings affect only vApps that you start from this point on.
Existing vApps must be stopped and then restarted for new policy and allocation model changes to
take effect.
The system administrator is the only role that can create organization VDC networks that directly
connect to an external network entity and manage external network suballocation IP pools.
Organization administrators must rely on a system administrator for these tasks.
Additionally, a system administrator controls:
Network pool properties used by the organization VDC
The network pool used by the organization VDC can be changed to some other pool and
the number of networks updated.
291
Storage policies used by the organization VDC

Thin-provisioning and fast-provisioning options can be changed at any time.
You cannot change the allocation model of an organization VDC. However, you can create
additional organization VDCs backed by the same, or some other, provider. Each organization VDC
can have a different allocation model. For example, this ability might be useful for migrating an
organization from a reservation pool to a pay-as-you-go model.
When you disable an organization VDC, you prevent the use of its compute and storage resources
by other vApps and virtual machines. vApps that are running and powered-on virtual machines
continue to run but you cannot create or start additional vApps or virtual machines.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
When you delete an organization VDC, it removes its compute, memory, and storage resources from
the organization. The resources remain unaffected in the source provider VDC. Dependencies must
be resolved before an organization VDC can be deleted.
292
Email Notifications
Slide 7-15
SMTP server settings can be defined at the system level.
Organizations may inherit or override the system-level SMTP settings.
Email notifications are contextual to the target object or functional

category.
ad
er
ho
tm
ail
.co
m
When a data container is selected for an email notification, such as a

provider VDC or organization VDC, the email notification is automatically
addressed to all users with items in
that container.
When a user container is
selected, such as an organization,
the email notification can be
addressed to any relevant user
group.
th
ic_
re
vCloud Director requires a Simple Mail Transport Protocol (SMTP) server to send user notification
and system alert emails. You can modify the settings that you specified when you created the
organization.
go
You can send an email notification to all users in the entire installation, all system administrators, or
all organization administrators. You can send an email notification to notify users about upcoming
system maintenance, for example.
vCloud Director sends system alert emails when it has important information to report. For example,
vCloud Director sends an alert when a datastore is running out of space. You can configure vCloud
Director to send email alerts to all system administrators or to a specified list of email addresses. For
example, you can send an email notification to notify users about upcoming system maintenance.
For both the SMTP settings and the Email notification settings, an organization administrator may
choose to keep the system administrator-defined settings, or define new settings. At a minimum an
organization administrator may want to change Email notification settings so that all emails are
branded appropriately. An organization administrator can also override SMTP settings if an SMTP
server is available for organization use.
293
Lab 12: Managing Cloud Resources

Slide 7-16
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Manage cloud resources as a system administrator
294

Slide 7-17
Use the cell management tool to perform basic cell maintenance tasks
Manage provider and organization virtual data centers
Manage external networks and edge gateways
Prepare and unprepare VMware ESXi hosts
Configure and send email notifications
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
295
Lesson 2: Managing Organization Resources

Slide 7-18
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 2:
Managing Organization Resources
296
Learner Objectives
Slide 7-19
Manage organization policies

Manage organization edge gateways and networks
Manage vApps
Configure organization email notifications
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
objectives:
297
Managing Organization Policies

Slide 7-20
System and organization administrators can update the organization

policy.
Leases:
Default quotas for users:
Maximum virtual machines per user, running machines per user
Account lockout:
Number of invalid logins allowed, lockout duration
Only a system administrator can change policy limits.
Number of resource-intensive operations and simultaneous connections per

virtual machine
ad
er
ho
tm
Maximum running and storage durations, cleanup option
ail
.co
m
go
th
ic_
re
An organization administrator has full control over the organization policy except for the policy
limits imposed by a system administrator. Limits relating to resource intensive operations and
network consumption per-virtual machine are locked. An organization administrator can reconfigure
lease and quota settings, and configure account lockout parameters.
298
Managing Organization Virtual Data Center Edge Gateways

Slide 7-21
Deploy a new instance of the edge gateway with the same service
configuration.
Reapply an edge gateway service configuration

Enable or disable an edge gateway
Configure traffic limits imposed by an edge gateway
Inbound and outbound limits for each external network that the edge
gateway connects to.
Synchronize syslog server settings to an edge gateway
ad
er
ho
tm
Redeploy an edge gateway
ail
.co
m
System and organization administrators can:
th
ic_
re
Organization administrators can redeploy edge gateways and reapply edge gateway service
configurations. Organization administrators also have full control over rate limits set on each edge
gateway for inbound and outbound network throughput.
go
An Organization administrator cannot configure external networks attached to an edge gateway, or

manage suballocated IP pools.
299
Managing Organization Virtual Data Center Networks

Slide 7-22
Create new routed organization VDC networks:
Create new isolated organization VDC networks:
Networks that do not connect to an edge gateway device
Change the DNS settings for an organization VDC network.

Manage static IP pools for an organization VDC network.
The network range and subnet mask cannot be changed.
ad
er
ho
tm
ail
.co
m
Networks that connect to an edge gateway device
go
th
ic_
re
Organization administrators can create routed and isolated organization VDC networks. This is a
new feature as of vCloud Director version 5.1. An organization administrator has full control over
each organization VDC network that does not directly connect to an external network. For each
organization VDC network, an organization administrator can change DNS resolution settings and
manage static IP pools.
Neither a system administrator nor an organization administrator can change the subnet defined by
an organization VDC network. If you must have an organization VDC network that defines a
different subnet, create a organization VDC network.
300
Managing Organization Virtual Data Center Network Services

Slide 7-23
Enable, disable, and manage DHCP services

Manage SNAT and DNAT rules
Manage the firewall service and rules
Manage static routing and routes
Manage VPN tunnels
Manage load balancing
Organization administrators have full control over organization VDC

network services.
ad
er
ho
tm
ail
.co
m
th
ic_
re
Organization administrators have full control over the organization VDC network configurations
applicable to the attached edge gateway, with the only exception being an organization VDC
network that direct-connects to an external network.
go
If the network services, such as DHCP settings, firewall settings, and so on, that are associated with
an organization VDC network are not working as expected, then you can reset the network.
Resetting a network basically reinitializes VMware vShield Edge in an effort to have DHCP,
VPN, firewalls, and routing work properly.
301
Managing vApps
Slide 7-24
Add vSphere virtual machines to an existing vApp

Create a vApp based on a vSphere virtual machine
Force a vApp to enter maintenance mode
Place a vApp in maintenance mode to prevent nonadministrator users from

changing the state of the vApp, including the vApp owner.
Maintenance mode is useful for backing up vApps with third-party software.

Placing a vApp into maintenance mode does not affect currently running
tasks that involve the vApp.
Other roles do not have rights to these actions.
ad
er
ho
tm
System administrators can perform these vApp management tasks:
ail
.co
m
th
ic_
re
A system administrator can place a vApp in maintenance mode to prevent nonadministrator users
from changing the state of the vApp. This prevention is useful, for example, when you want to back
up a vApp using a third-party backup solution.
go
When a vApp is in maintenance mode, nonadministrator users cannot perform any actions that
modify the state of the vApp or its virtual machine. They can view information about the vApp and
its virtual machines and access the virtual machine consoles. Placing a vApp in maintenance mode
does not affect any currently running tasks that involve the vApp.
A system administrator can force stop a running vApp when an organization user is unable to do
so. In some cases, a user might be unable to stop a running vApp. If traditional methods for stopping
the vApp fail, you can force stop the vApp to prevent the user from getting billed. Force stopping a
vApp does not prevent the vApp from consuming resources in vSphere. After you force stop a vApp
in vCloud Director, use the VMware vSphere Client to check the status of the vApp in vSphere
and take the necessary action.
302
Lab 13: Managing Organization Resources

Slide 7-25
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Manage resources as an organization administrator
303

Slide 7-26

Manage organization policies
Manage organization edge gateways and networks
Manage vApps
Configure organization email notifications
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
304
Key Points
Slide 7-27
Provider VDCs, organization VDCs, external networks, organization

VDC networks, and network pools are considered cloud resources.
After you add cloud resources to vCloud Director, you can modify them
and view information about their relationships with one another.
Most management of cloud cells is done from the vCloud Director

server.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Questions?
305
ail
.co
m
tm
ho
@
er
ad
re
ic_
th
go
306
MODULE 8
Managing VMware vSphere

Resources
Slide 8-1
g g
p
8
Module 8
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
307
You Are Here

Slide 8-2

Resources

Components

Components

Users
ail
.co
m
Course Introduction
go
th
ic_
re
ad
er
ho
tm
308
Importance
Slide 8-3
VMware vSphere is the foundation layer for VMware vCloud

Director.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
In this module, you will learn how to manage vSphere resources from
the vCloud Director console.
Module 8 Managing VMware vSphere Resources
309
vSphere provides the compute, storage, and networking resources

required for the cloud. Knowing how to manage these vSphere
resources from vCloud Director is critical.
Learner Objectives
Slide 8-4
objectives:
Manage the following vSphere resources:
VMware vCenter Server systems
Resource pools
VMware ESXi hosts
vSphere datastores and datastore clusters
vSphere storage policies
Switches and port groups
Stranded items
ail
.co
m
go
th
ic_
re
ad
er
ho
tm
310
vCloud Director in the vSphere Web Client

Slide 8-5
vCloud Director does not communicate

status to vCenter Server.
ad
er
ho
tm
ail
.co
m
vCloud Director appears as an extension in

the VMware vSphere Web Client under
vCenter Solutions Manager after it has been
registered with vCenter Server.
go
th
ic_
re
You can see that VMware vCloud Director has been connected to VMware vCenter Server
in the VMware vSphere Web Client. Go to Home > vCenter Server Extensions. vCloud
Director 5.1 does not communicate status to the vCenter Server system.
311
Managing vCenter Server Systems

Slide 8-6
Manage & Monitor > vCenters > <vCenter_Server_system>
Reconnect to a vCenter Server system.

Refresh information from a vCenter Server system.
Refresh available storage profiles.
Enable or disable a vCenter Server system.
ail
.co
m
Detach a vCenter Server system.

Open the VMware vSphere Web Client.
ad
er
ho
tm
Change connection information or name of a

vCenter Server system.
ic_
re
There are many things that can be done from the vCloud Director > Manage & Monitor panel
concerning vCenter Server systems. Possible actions include:
th
Reconnect to the vCenter Server system
go
Refresh information from the vCenter Server system (other than VMware vSphere storage
policies)
Refresh information on vSphere storage policies
Enable or disable a specific vCenter Server system
Detach a specific vCenter Server system
Change the connection information or the name of the vCenter Server system as it appears in
vCloud Director
312
Before you upgrade a vCenter Server system that is attached to vCloud Director, you must prepare
the vCenter Server system by using the following procedure:
1. Disable the vCenter Server system in vCloud Director. Wait for the status to change to
Disabled.
2. Upgrade the vCenter Server system using the standard vCenter Server upgrade procedure.
3. After the upgrade on the vCenter Server system is finished, go back to the vCloud Director Web
4. Reregister the vCloud Director with the upgraded vCenter Server system before you start using
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
it.
313
console, right-click the vCenter Server name, and select Enable.
Managing Resource Pools at the vSphere Level (1)

Slide 8-7
You can view information about the resource pools that vCloud Director
uses.
ad
er
ho
tm
ail
.co
m
Manage & Monitor > Resource Pools
th
ic_
re
Every provider virtual data center (VDC) in a vCloud Director installation requires a unique
resource pool in vSphere to provide its compute and memory resources. You must create and
configure resource pools in vSphere before you can add them to a provider VDC, but you can view
information about the resource pools that vCloud Director uses.
go
You can view information about the used and total CPU and memory reservations for a resource
pool. You can also view information about the datastores that are available to the resource pool.
To view the resource pool properties go to the Manage & Monitor tab, select Resource Pools >
resource pool name > Properties.
Here you can see information on a specific resource pool. The information includes:
Name of the resource pool
Memory reservation used / total
CPU reservation used/total
314
Datastores that are available to this resource pool

Name of each datastore
Datastore type
Whether the datastore is connected
Datastore capacity
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Percentage of space used in the datastore
315
Managing Resource Pools at the vSphere Level (2)

Slide 8-8
Multiple resource pools can be on a single cluster, with each resource

pool assigned to a provider. Resources can be overcommitted, so
carefully manage the resources to minimize the potential negative
effect.
Reservations and limits should be consistent with the allocation model
that will be used in the organization VDC that leverages the pool.
A hierarchical resource pool is not supported with vCloud Director.
ad
er
ho
tm
The best practice is for each resource pool to be an entire cluster that is
dedicated to a provider virtual data center (VDC).
ail
.co
m
ic_
re
The best practice is for each resource pool to be an entire cluster that is dedicated to a provider
VDC.
go
th
Even though it is not the best practice, you can have multiple resource pools on a single cluster, with
each resource pool being assigned to a different provider VDC. However this design makes it easy
to overcommit resources. If you are going to use multiple resource pools in a single VMware
vSphere Distributed Resource Scheduler cluster you will need to carefully monitor and manage
utilization.
The type of settings used on the resource pool (reservations and limits) should be consistent with the
allocation model that will be used in the organization VDC that leverages each resource pool.
Resource pools created to support Pay-As-You-Go organization VDCs will always have no
reservations or limits. Pay-As-You-Go settings only affect overcommitment. A 100-percent
guarantee means no overcommitment is possible. The lower the percentage, the more
overcommitment is possible.
316
Redeploying All Virtual Machines on a Host

Slide 8-9
Performing maintenance on the host

Moving all the virtual machines from one host to another in the same cluster
You must disable the host first.
Redeploy all virtual

machines. vCenter
Server puts this host
into maintenance mode.
ad
er
ho
tm
ail
.co
m
Manage & Monitor > Hosts > <host_name> >

Redeploy All VMs
th
ic_
re
You can move all the virtual machines from one VMware ESXi host to other ESXi hosts in the
same cluster. This ability is useful to unprepare a host, or to perform maintenance on a host without
affecting running virtual machines.
go
Disable the host first before redeploying the host. When you select Redeploy All VMs then vCloud
Director puts the host into maintenance mode and moves all of its virtual machines to other hosts in
the same cluster.
You redeploy all virtual machines on a host when doing the following:
317
When to Disable a Host

Slide 8-10
To prevent VMware vSphere vApps from starting on the host

To perform maintenance
ad
er
ho
tm
ail
.co
m
Manage & Monitor > Hosts > <host_name> >

Disable Host
th
NOTE
ic_
re
You can disable a host to prevent VMware vSphere vApps from starting up on the host. Virtual
machines that are already running on the host are not affected.
go
vCloud Director enables or disables the host for all provider VDCs that use its resources.
318
Managing Datastores and Datastore Clusters

Slide 8-11
Disable a datastore or a datastore cluster for

maintenance. No vApps will start on it and no
vApps will be created on it.
ad
er
ho
tm
ail
.co
m
go
th
ic_
re
The vCloud Director Manage & Monitor panel reports all available datastores and datastore clusters.
In order to take a datastore or a datastore cluster down for maintenance you should disable it first.
After a datastore or datastore cluster has been disabled, no vApps that are assigned to it can be
powered on and no vApps can be created on it.
319
Low Disk Space Warnings for a Datastore

Slide 8-12
Manage & Monitor > Datastores &
Datastore Clusters >
<datastore_name> > Properties
ad
er
ho
tm
ail
.co
m
Email alert is sent

when the datastore
crosses the threshold.
th
ic_
re
You can configure low disk space warnings on a datastore. vCloud Director issues a warning email
when the datastore reaches a specific threshold of available capacity. These warnings alert you to a
low disk situation before it becomes a problem.
go
vCloud Director allows you to set two thresholds: yellow and red. When vCloud Director sends an
email alert, the message indicates which threshold was crossed. The yellow threshold determines the
point at which fast provisioning will stop initiating shadow virtual machine creation.
vCloud Director will send an email alert when the datastore crosses the specified threshold.
320
Virtual Machine Migration Between Datastores

Slide 8-13
Both datastores should be part of a datastore cluster.

Place the datastore into vSphere Storage DRS maintenance mode in
the vSphere Web Client.
Virtual machines are automatically moved to other datastores in the

datastore cluster.
ad
er
ho
tm
ail
.co
m
Virtual machines can be moved from one datastore to another

datastore by VMware vSphere Storage DRS.
ic_
re
What if a datastore runs out of space? How do you move running virtual machines from one
datastore to another one?
go
th
Although it is possible to manually migrate running virtual machines from one datastore to another
in the vSphere Web Client, this can cause problems for vCloud Director vApps and is not
recommended. Instead you should use VMware vSphere Storage DRS to move powered-on
virtual machines that are part of vCloud Director vApps from one datastore to another. To do this the
datastore must already be part of a datastore cluster.
First vSphere Storage DRS must already be configured in the DRS cluster. Both the datastore you
want to evacuate and other migration candidate datastores must be in a datastore cluster. Use the
vSphere Web Client to place the datastore into Storage DRS Maintenance Mode. vSphere will
automatically move all virtual machines off of that datastore and onto other datastores in the
datastore cluster.
If you do not already have the vSphere Web Client open, all submenus in the vCloud Director
Manage & Monitor panel under vSphere Resources have an option to open the vSphere Web Client.
321
Storage Policies Attached to a Datastore

Slide 8-14
ad
er
ho
tm
ail
.co
m
Manage & Monitor > Datastores & Datastore Clusters > <datastore_name> > Properties >
Storage Profiles
go
th
ic_
re
You can determine exactly which vSphere storage policies are attached to a specific datastore by
using Manage & Monitor > Datastores & Datastore Clusters > <datastore_name> > Properties
> Storage Policies. The panel allows you to search for a specific vSphere storage policy if the
vCenter Server system is configured with a large number of vSphere storage policies. The panel will
also report how much storage space on the selected datastore is being actively used by the vSphere
storage policy.
322
Storage Policy Information

Slide 8-15
Number of provider VDCs attached

Number of organization VDCs attached
Space: used, provisioned, and requested
Number of datastores in the storage profile

ad
er
ho
tm
ail
.co
m
Manage & Monitor > Storage Profiles
go
th
ic_
re
Manage & Monitor > Storage Policies will report all of the vSphere storage policies available to
the system. The panel also reports the number of the VDCs using each vSphere storage policy (both
provider and organization), the number of datastores in each vSphere storage policy, and has much
space has been used, provisioned, and requested.
323
Listing Datastores Assigned to Storage Policies

Slide 8-16
ad
er
ho
tm
ail
.co
m
Manage & Monitor > Storage Profiles > <policy_name> > Properties
go
th
ic_
re
You have already seen that each datastore can report all of the vSphere storage policies that have
been attached to it. It is also possible to get a list of all of the datastores assigned to a specific
vSphere storage policy.
324
Available Distributed Switches

Slide 8-17
Manage & Monitor > Switches & Port Groups
ad
er
ho
tm
ail
.co
m
go
th
ic_
re
Manage & Monitor > Switches & Port Groups will report all of the distributed switches that are
available in the system. This is information-only. There is no way to configure or change these
switches from this menu.
325
Switches and Port Groups

Slide 8-18
Switches & Port Groups lists all vCenter Server virtual switches and
port groups, including those created by vCloud Director:
Type: Distributed or standard

Associated cloud network
Type of cloud network
ad
er
ho
tm
ail
.co
m
Manage & Monitor > Switches & Port Groups > Port Groups
go
th
ic_
re
Manage & Monitor > Switches & Port Groups > Port Groups reports all of the port groups in
use on a distributed switch. This panel gives important information that correlates which cloud
networks are associated with which port groups.
326
Stranded Items
Slide 8-19
Objects deleted from vCloud Director that still exist in vSphere appear
as stranded items.
8
vSphere Client
ad
er
ho
tm
ail
.co
m
Manage & Monitor > Stranded Items > <stranded_item> >

Delete
th
ic_
re
When you delete an object in vCloud Director and that object also exists in vSphere, vCloud
Director attempts to delete the object from vSphere. In some situations, vCloud Director might not
be able to delete the object in vSphere. If the attempted deletion fails, the object becomes stranded.
go
You can view a list of stranded items and try again to delete them, or you can use the vSphere Client
to delete the stranded objects in vSphere.
You can delete a stranded item to try to remove an object from vSphere that you already deleted
from vCloud Director.
If vCloud Director cannot delete a stranded item, you can force delete it to remove it from the
stranded items list. The stranded item continues to exist in vSphere.
327
Lab 14: Managing VMware vSphere Resources

Slide 8-20
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Manage vSphere resources
328

Slide 8-21

Manage the following vSphere resources:
VMware vCenter Server systems
Resource pools
VMware ESXi hosts
vSphere datastores and datastore clusters
vSphere storage policies
Switches and port groups
Stranded items
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
329
Key Points
Slide 8-22
Modify vCenter Server settings to change connection information or

name.
Before upgrading a vCenter Server system that is attached to vCloud
Director, you must prepare the vCenter Server system by disabling it in
vCloud Director.
Selecting Redeploy All VMs on the selected host allows vCloud
Director to put the host into maintenance mode.
You can configure low disk space warnings on a datastore to receive
an email from vCloud Director whenever the datastore reaches a
specific threshold of available capacity.
ail
.co
m
go
th
ic_
re
ad
er
ho
tm
Questions?
330
MODULE 9
Monitoring VMware vCloud

Components
Slide 9-1
Module 9
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Monitoring VMware vCloud Components
331
You Are Here

Slide 9-2

Resources

Components

Components

Users
ail
.co
m
Course Introduction
go
th
ic_
re
ad
er
ho
tm
332
Importance
Slide 9-3
Monitoring VMware vCloud components enables you to see the

performance and availability of the VMware vCloud Director
installation.
Monitoring enables you to keep the cloud running and avoid any
major availability issues for the cloud users.
In this module, you will learn how to monitor vCloud components.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Module 9 Monitoring VMware vCloud Components
333
Learner Objectives
Slide 9-4
objectives:
Monitor provider and organization virtual data center use
View system-level and organization-level task and event logs
Enable debug display in task logs
Configure and synchronize Syslog server settings
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
334
Task Log
Slide 9-5
Task logs are available at the system level and for each organization.
Related VMware vSphere tasks are included when applicable.
tm
ho
@
er
ad
re
ic_
go
th
Each task is associated with an owner. The owner is either system or a particular user account. All
tasks with an indicated owner of system are initiated by vCloud Director to perform various
operations, including housekeeping tasks. All tasks with a non-system owner were initiated by a
given user account, such as a system administrator or organization administrator.
Each tasks log entry can be examined to view additional details about the operation. If relevant to
the task performed, a list of associated VMware vSphere tasks will also be available. When
relevant vSphere tasks are listed, you can obtain further details about each task by selecting the
entry then choosing the Open in VMware vSphere Web Client option under the Gear menu.
The system administrator can enable and disable the display of debug information in task log details.
When this setting is enabled, debug information pertaining to the task is listed at the bottom of each
task details page. Only the system administrator can change this setting. Debug information will
only appear in the task details when viewed by a system administrator.
This setting does not control the logging of debug information. Enabling this setting simply means
that debug information may be viewed for any logged task, regardless of when the task was
performed.
335
ail
.co
m
9
VMware vCloud Director tasks represent long-running operations and their status changes as the
task progresses. For example, a tasks status generally starts as Running. When the task finishes, its
status changes to Successful or Error.
Event Log
Slide 9-6
Click an event to view its

details.
Events do not have related
vSphere tasks.
ad
er
ho
tm
Event logs are available at the system level and for each organization.
ail
.co
m
go
th
ic_
re
vCloud Director events represent one-time occurrences that typically indicate an important part of
an operation or a significant state change for a vCloud Director object. For example, vCloud
Director logs an event when a user initiates the creation an organization virtual data center (VDC)
and another event when the process completes. vCloud Director also logs an event every time a user
logs in and notes whether the attempt was successful or not.
Each event has a target specification that identifies, by name, the vCloud Director infrastructure
component or vCloud Director object that was the focus of the event. For login events, the target
will be the name of the account being used to access the system.
In general, each event is associated with an owner. The owner is either system or a particular user
account. All events with an indicated owner of system are initiated by vCloud Director to perform
various operations, including housekeeping tasks. All events with a non-system owner were initiated
by a given user account, such as a system administrator or organization administrator.
Each events log entry can be examined to view additional details about the event. Event details
never include associated vSphere operations.
336
Log Activity Settings

Slide 9-7
How many days log entries are retained before being automatically deleted.
How many days log entries are available for viewing.
Inclusion of debug information when viewing task details.
Activity settings apply to both the task and event logs.
tm
ho
@
er
ad
th
ic_
re
The system administrator is responsible for configuring activity history settings. Activity history
settings are applied system-wide and include the system logs and all organization logs. Organization
administrators cannot view nor manage activity history settings.
go
The history shown time frame controls the volume of log data available when viewing logs in the
vCloud Director console interface.
The history to keep time frame defines how long log entries are to be maintained by the system
before being deleted.
The system administrator can also enable the display of task-related debug information. This setting
is covered on the following page.
337
ail
.co
m
The system administrator configures activity settings.
Syslog Server for Cell Use

Slide 9-8
An integrated Syslog collector is included with vSphere 5.5.

Any standard Syslog collector can be used.
ad
er
ho
tm
ail
.co
m
The Syslog server for cell use is specified when vCloud Director is
installed.
go
th
ic_
re
When you install vCloud Director, you can specify a Syslog server for cell use. An integrated
Syslog collector is included with vSphere 5.1.
338
Syslog Settings for Networks

Slide 9-9
Syslog servers for network use are required for firewall rule logging.
Changes to syslog server settings must be manually synchronized.
ail
.co
m
tm
New edge gateways and vApp networks synchronize once automatically

when deployed.
Synchronizing at an edge gateway does not cause synchronization of vApp
networks.
Synchronization must be performed for each edge gateway and each vApp
network where logging is to be performed.
Any user with sufficient rights can synchronize settings.
@
er
ad
go
th
ic_
re
You can configure up to two Syslog servers IP addresses for networks to use. This setting does not
apply to logging performed by cloud cells. The Syslog servers specified here are for use by edge
gateways and VMware vSphere vApp networks that have a firewall component. Unlike the
Syslog server for cell use, which is configured during vCloud Director installation, the Syslog server
settings for networks are configured after vCloud Director has been installed and deployed.
After configuring or changing the Syslog server settings for networks to use, those settings must be
explicitly synchronized with each organization edge gateway and each running vApp network where
logging is to occur. vApp networks and edge gateways created after the settings have been updated
will automatically receive new or updated values.
vApp networks will not be updated when an upstream edge gateway is synchronized.
Synchronization must be performed on each deployed vApp network or edge gateway where
logging firewall rules have been configured.
339
Can be the same Syslog server for cell use

Configured after vCloud Director has been installed and deployed
Applies to edge gateways and VMware vSphere vApp networks
The system administrator must explicitly configure Syslog settings for

networks:
ho
Monitoring Provider Virtual Data Centers

Slide 9-10
Displayed columns can be customized.
ad
er
ho
tm
ail
.co
m
Values for each provider virtual data center (VDC) are

listed separately.
ic_
re
You can monitor the utilization of each provider VDC separately and use that information to plan
mitigation of any resource issues found.
go
th
For evaluating resource utilization, you can compare three different types of values: Used,
Allocation, and Overhead. Compare these values to determine if additional resources should be
allotted and to monitor the overall utilization of each provider VDC. You can compare Memory,
Storage, and Processor values.
Used percentages indicate the percentage of pool resources that are consumed by the provider VDC.
Allocation indicates the percentage of pool resources committed to the provider VDC.
340
Monitoring Provider Storage Policies and Datastores

Slide 9-11
Values for each storage policy used by the provider VDC are listed
separately.
Example: Determine which storage policies or datastores are
underutilized.
tm
ho
@
er
ad
re
ic_
go
th
You can monitor the utilization of each datastore used by a provider VDC. Datastores cannot be
managed directly in vCloud Director, instead the containing storage policy must be managed.
Compare the Used, Provisioned, and Requested values to determine which policies are overutilized
or underutilized.
341
ail
.co
m
9
You can monitor the utilization of each storage policy used by a provider VDC. Compare the Used,
Provisioned, and Requested values to determine which policies are overutilized or underutilized.
Monitoring Organization VDCs

Slide 9-12
Values for each organization VDC are listed separately.

Displayed columns can be customized.
ad
er
ho
tm
ail
.co
m
go
th
ic_
re
You can monitor CPU, memory, and storage resources for each organizations VDC. If you see the
resources are low, then you can add more resources if needed.
342
Upload Quarantine
Slide 9-13
Quarantined uploads are not user-accessible until they are accepted by

the system.
Uploads that are not accepted within the specified timeout period are
deleted.
tm
ho
@
er
ad
th
ic_
re
Quarantine files are vApp templates and media files that users upload to their organization. vCloud
Director enables you to monitor the quarantined files. But you must first enable upload quarantine
and use third-party tools (for example, a virus scanner) to process the uploaded files before vCloud
Director accepts them.
go
You can use any Java Message Service (JMS) client that understands the STOMP protocol to
monitor and respond to messages from the vCloud Director quarantine service.
When an uploaded file is quarantined, a JMS broker sends a message to a request queue on a cloud
cell. The receiver decides whether to accept or reject the upload by sending a message to a response
queue.
For details, see the product documentation at www.vmware.com/support/pubs/vcd_pubs.html.
Each vCloud Director server host exposes a number of MBeans through Java Management
Extensions (JMX). This exposure enables operational management of the server and provides access
to internal statistics.
What are MBeans? MBeans are managed beans, Java objects that represent resources to be
managed. An MBean has a management interface.
343
ail
.co
m
All vApps and media files uploaded by users are quarantined for a
period of time.
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
What is JMX? JMX is a Java technology that supplies tools for managing and monitoring
applications, system objects, devices (for example, printers) and service oriented networks. Those
resources are represented by objects called MBeans.
344
Viewing vCloud Director Logs

Slide 9-14
Console output from the vCloud Director cell
vcloud-container-debug.log
Debug-level log messages from the cell
vcloud-container-info.log
Warnings or errors encountered by the cell
vmware-vcd-watchdog.log
When the cell crashed, restarted, and so on
diagnostics.log
Diagnostics information (but first must be enabled in

the local logging configuration)
YYYY_MM_DD.request.log
HTTP request logs in the Apache common log format
ho
tm
ail
.co
m
cell.log
ad
er
To view these logs, go to /opt/vmware/vcloud-director/logs.
ic_
re
vCloud Director provides logging information for each cloud cell in the system. You can view the
logs to monitor your cells and to troubleshoot issues.
go
th
You can find the logs for a cell at /opt/vmware/cloud-director/logs
345
What the log shows
Log name
Lab 15: Monitoring Cloud Components

Slide 9-15
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Monitor cloud components
346

Slide 9-16

Monitor provider and organization virtual data center use
View system-level and organization-level task and event logs
Enable debug display in task logs
Configure and synchronize Syslog server settings
9
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
347
Key Points
Slide 9-17
You can monitor completed and in-progress operations and view

resource usage information at the following levels:
Provider VDC
Organization VDC
Storage policy
Datastore
You can monitor CPU, memory, and storage resources for each
organization VDC.
vCloud Director provides logging information for each cloud cell in the
system.
ail
.co
m
go
th
ic_
re
ad
er
ho
tm
Questions?
348
MODULE 10

Organization Users
10
Slide 10-1
10
ail
.co
m
Module 10
go
th
ic_
re
ad
er
ho
tm
VMware vCloud Director Organization Users
349
You Are Here

Slide 10-2

Resources

Components

Components

Users
ail
.co
m
Course Introduction
go
th
ic_
re
ad
er
ho
tm
350
Importance
Slide 10-3
Organization users have access to a wide variety of configuration

options and features based on their roles.
10
ail
.co
m
In this module, you will learn how to manage VMware vSphere

vApps from the point of view of an organization user.
go
th
ic_
re
ad
er
ho
tm
Module 10 VMware vCloud Director Organization Users
351
Learner Objectives
Slide 10-4
objectives:
Share an organization catalog with other organization users
Change ownership of a vApp
Share a vApp with other organization users
Force customization of a vApp
Reset a vApp network
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
352
Sharing the Organization Catalog

Slide 10-5
Catalogs that are created by the system administrator by using the

VMware vCloud Director main menu are not automatically shared
with organization users.
Catalogs can be shared with other organizations.

If catalogs are shared with another organization, all users in that
organization have access.
ho
@
er
ad
go
th
ic_
re
Catalogs can be created in a number of ways by different users. When a system administrator creates
a catalog using the VMware vCloud Director console main menu, sharing options are not
presented. The catalog will be visible to the organization administrator only, but not shared with
other organization users. Sharing of the catalog with other organization users must be explicitly
configured after the catalog is created.
Catalogs created by any user, including the system administrator, using the New Catalog icon in the
organization catalogs list can be configured for sharing as part of the catalog creation process. By
default, catalogs created in this manner are not shared with other organization users. You must select
the groups and users that will be able to access the catalog, or chose to share the catalog with all
organization users.
353
tm
10
ail
.co
m
The system administrator or organization administrator must explicitly

configure catalog sharing for each catalog.
Changing Ownership of a vApp

Slide 10-6
Ownership of a vApp can be

changed by:
Ownership is singular, a group of

users cannot own a vApp.
ad
er
Ownership of a vApp can be

transferred to any user account.
tm
The system administrator

The organization administrator
The vApp owner
ail
.co
m
ho
th
ic_
re
Each user has a My Cloud container that shows all of the instantiated VMware vSphere vApps
the user has access to. vApps that appear in My Cloud are either owned by the user, have been
shared with the user, or are listed because of the users role, such as the organization administrator.
go
Ownership of a vApp can be transferred to any organization user with vApp User or above rights. A
group of users cannot own management of an instantiated vApp. The system administrator,
organization administrator, or the current vApp owner can change the ownership of a vApp.
354
Sharing a vApp with Other Organization Users

Slide 10-7
All organization users

One or more specific organization users
A vApp can be shared by:
The system administrator

The organization administrator
The vApp owner
ho
@
er
ad
go
th
ic_
re
Many users can share access to an instantiated vApp with management of the vApp being restricted
to administrative roles and the vApp owner. vApps can be shared to other users by a system
administrator, an organization administrator, or the vApp owner. The vApp will appear in the My
Cloud container for all users that the vApp has been shared with.
355
tm
10
ail
.co
m
A vApp can be shared to:
My Cloud Visibility of vApps

Slide 10-8
A vApp is visible in My Cloud for:
System administrators
Organization administrators
The vApp owner
Any account that the vApp has been shared with
ad
er
ho
tm
ail
.co
m
ic_
The user owns the vApp
re
A vApp will appear in a user My Cloud container when:
th
The user is a system administrator
go
The user is an organization administrator

The vApp has been shared with the user
The owner column can be used to determine which user is the actual owner of the vApp. This can be
most useful to the administrator roles which have the most visibility.
356
Forcing Recustomization
Slide 10-9
A system or organization administrator can power on and force

recustomization of a virtual machine in a vApp.
This action is not applied at the vApp level. It must be executed per virtual
machine.
10
ail
.co
m
ad
er
ho
tm
go
th
ic_
re
If the settings on a guest virtual machine are not in synch with vCloud Director or an attempt to
perform guest customization has failed, you can power on and force the recustomization of the
virtual machine.
357
Resetting a vApp Network

Slide 10-10
A system or organization administrator can reset a deployed vApp

network.
The vApp network VMware vShield Edge device is redeployed.
ad
er
ho
tm
ail
.co
m
go
th
ic_
re
If the network services, such as DHCP and NAT on are not working as expected, an organization
administrator can reset the network. Network services are not unavailable while the reset is
performed.
358
Lab 16: Organization Users

Slide 10-11
10
ail
.co
m
Manage vApps as an organization user
go
th
ic_
re
ad
er
ho
tm
359

Slide 10-12

Share an organization catalog with other organization users
Change ownership of a vApp
Share a vApp with other organization users
Force customization of a vApp
Reset a vApp network
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
360
Key Points
Slide 10-13
Visibility of vApps in My Cloud is based on role, ownership, and

sharing.
Organization catalogs are not shared with all organization users by
default.
10
ail
.co
m
Questions?
go
th
ic_
re
ad
er
ho
tm
361
ail
.co
m
tm
ho
@
er
ad
re
ic_
th
go
362
M O D U L E 11
VMware vCloud Director Installation 11

Slide 11-1
go
th
ic_
re
ad
er
ho
11
tm
ail
.co
m
Module 11
363
You Are Here

Slide 11-2

Resources

Components

Components

Users
ail
.co
m
Course Introduction
go
th
ic_
re
ad
er
ho
tm
364
Importance
Slide 11-3
VMware vCloud is a complex system that has many interconnected

components. A proper installation of VMware vCloud Director
requires that all of these components be installed and configured
correctly.
go
th
ic_
re
ad
er
ho
11
tm
ail
.co
m
Making the correct choices during installation can help save you time
and improve scalability and performance.
Module 11 VMware vCloud Director Installation
365
Module Lessons
Slide 11-4
Installation Prerequisites
Lesson 2:
Installation Procedure
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
Lesson 1:
366
Lesson 1: Installation Prerequisites

Slide 11-5
go
th
ic_
re
ad
er
ho
11
tm
ail
.co
m
Lesson 1:
Installation Prerequisites
367
Learner Objectives
Slide 11-6
objective:
Describe the prerequisites for vCloud Director installation
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
368
Configuration Requirements
Slide 11-7
vSphere distributed switches must be used for cross-host fencing and

network pool allocation.
vCenter Server clusters used with vCloud Director must be configured
to use automated VMware vSphere Distributed Resource
Scheduler.
vCenter Server systems must trust their VMware ESX or VMware
ESXi hosts.
All hosts in all clusters managed by vCloud Director must be configured to

require verified host certificates.
You must determine, compare, and select matching thumbprints for all
hosts.
11
er
ad
ic_
re
VMware vCloud Director has several specific configuration requirements that must be
configured in VMware vSphere. Most of this can be summarized in the following:
th
Resources in the resource cluster should be shared and distributed (networks and storage).
go
VMware vCenter Server systems should be set to automated configurations (automated

VMware vSphere Distributed Resource Scheduler, automated VMware vSphere Storage
DRS).
All systems in the resource cluster should be preconfigured with verified security. vCenter
Server systems must trust their VMware ESXi hosts.
369
ho
ail
.co
m
VMware vCenter Server networks intended for use as vCloud

Director external networks or network pools must be available to all
hosts in any cluster intended for vCloud Director to use.
tm
vSphere Licensing Requirements

Slide 11-8
vCloud Director requires the following vSphere licenses:
VMware vSphere Distributed Switch and dvFilter, licensed by

vSphere Enterprise Plus. (This license enables creation and use of
vCloud Director isolated networks.)
vCloud Director requires the use of VMware vShield Manager
servers in some compatible form. These servers must be properly
licensed.
The license for VMware vCloud Networking and Security that is included
with vCloud Director does not include such features as SSL VPN and load
balancing.
For virtual private network (VPN) and load balancing, vCloud Director
requires the fully licensed VMware vCloud Networking and Security
Advanced Edition license.
ad
er
ho
ail
.co
m
vSphere DRS, licensed by VMware vSphere Enterprise Edition and

VMware vSphere Enterprise Plus Edition
tm
go
th
ic_
re
vCloud Director requires that you have at least two major vSphere licenses. These licenses include
vSphere DRS, licensed by VMware vSphere Enterprise Edition and VMware vSphere
Enterprise Plus Edition, and VMware vSphere Distributed Switch and dvFilter, licensed by
vSphere Enterprise Plus. These licenses enable the creation and use of vCloud Director isolated
networks.
vCloud Director requires the use of VMware vShield Manager servers in some compatible
form. These must be properly licensed. In vCloud Director 5.1 this will normally be VMware
vCloud Networking and Security. A basic license for vCloud Networking and Security is
included with vCloud Director 5.1, but it does not include advanced features.
370
VMware Product Interoperability Matrixes

Slide 11-9
For current information about supported products, see VMware

Product Interoperability Matrixes at
http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php
Supported vCenter Server versions

Supported ESX/ESXi versions
ESXi 5.x is required for fast provisioning and hardware version 8.

ESXi 5.5 is required for hardware version 10.
Stateless ESXi is supported.
Supported vCloud Networking and Security or supported vShield

Manager versions
New vCloud Director installations should use VMware vCloud Networking
and Security App for vShield functionality.
ad
er
ho
11
tm
ail
.co
m
th
ic_
re
VMware strongly recommends that vCenter Server 5.1 and ESXi 5.1 be used with vCloud
Director 5.1. Although earlier versions are supported, some features will not be available if these
earlier versions are used.
go
Stateless ESXi hosts were introduced in vSphere 5.0. These are fully supported with vCloud
Director 5.1. Customers should avoid stateless designs that require a host-specific configuration
when the host is going to be used in a VMware vCloud resource cluster.
371
Additional Compatibility Checks

Slide 11-10
See the VMware vCloud Director Installation and Upgrade Guide to

determine the following requirements:
Operating systems supported for a vCloud Director cell
Minimum hardware requirements for a vCloud Director cell
Minimum Java version required on the cell
Supported browsers and versions
Supported Adobe Flash Player versions
ail
.co
m
Supported LDAP servers
Commands for configuring databases for use with vCloud Director

Network protocols and ports used by vCloud Director
ad
er
ho
tm
th
ic_
re
In addition to the other required software packages, which should be available by default, you must
have Java Runtime Environment 1.6.0 update 10 or later. Only the 32-bit version is supported. By
default this version of Java JRE is not present on RHE 5 systems. Java JRE must be upgraded before
the installation of vCloud Director.
go
You can install vCloud Director 5.1 without Java JRE 1.6.0 preinstalled on the Red Hat server. The
installation of vCloud Director 5.1 will install the Java JRE keytool software, which is the only
required component from Java JRE 1.6.0. The keytool software must be configured prior to
attempting to create and install SSL certificates for vCloud Director.
vCloud Director uses secure communications. To do this, clients must use SSL. Supported versions
include SSL 3.0 and Transport Layer Security (TLS) 1.0. In SSL and TLS, supported cipher suites
include RSA, decision support system (DSS), and Elliptic Curve signatures. Supported ciphers
include DES3, AES-128, or AES-256.
372
vCloud Director Operating System and Server

Slide 11-11
vCloud Director must be installed on a Linux system. The following

operating systems are supported by vCloud Director:
CentOS 6, Update 4
Red Hat Enterprise Linux 5 (64-bit), Update 4-9
Red Hat Enterprise Linux 6 (64-bit), Update 1-4
The Linux server that vCloud Director is installed on must meet the
following minimum disk and memory requirements:
ail
.co
m
1350 MB free disk space for installation and log files

1 GB of RAM:
2 GB of RAM is recommended.
go
th
ic_
re
ad
er
ho
11
tm
373
Creating Databases and SSL Certificates Before Installation

Slide 11-12
Before installing vCloud Director, you must have the following

information:
Location and password of the SSL keystore file
Password for each SSL certificate
Host name or IP address of the database server
Database instance (Microsoft SQL Server)
Database service name (Oracle)
ail
.co
m
Database name and connection port

Database user credentials:
Specific database user privileges are required. See Installing and

Configuring a vCloud Director Database in VMware vCloud Director
Installation and Upgrade Guide.
ad
er
ho
tm
go
th
ic_
re
The database that will be used by vCloud Director must be created before installing the first vCloud
Director cell. Specific requirements exist for database configuration and for the rights and privileges
that the user ID of the vCloud Director service will use to access the database. Make sure your
database administrator reads the section on configuring the database in VMware vCloud Director
Installation and Configuration Guide.
Before installation of vCloud Director, you must install security certificates. This installation should
be done after you have confirmed that your network configuration is correct (including DNS) and
that you have the correct version of Java Runtime Environment. You must use the JRE keytool
command to create your certificate requests.
You can use either self-signed security certificates or certificates that have been issued by an
external certificate authority (CA).
374
vCloud Director Network Requirements (1)

Slide 11-13
The vCloud Director cell server must have two network interfaces on
the production network.
One TCP/IP address for console connections
One TCP/IP address for HTTP service

IP aliases or multiple network interfaces:
Linux ip addr add does not work.
Network Time Service:
ail
.co
m
The maximum allowable drift is two seconds.
All vCloud Director servers, including the database server, must be

configured to be in the same time zone.
11
go
th
ic_
re
ad
er
ho
Use NTP to synchronize all vCloud Director servers and their database
server.
tm
375

Slide 11-14
Host name resolution:

All host names specified during vCloud Director installation must be
resolvable by DNS:
Forward and reverse lookup

Fully qualified domain name
Unqualified host name
Use the nslookup command to confirm with the vCloud Director server.
Examples for mycloud.example.com, with a console IP address of
192.168.1.1 and an HTTPS address of 192.168.1.2:
nslookup mycloud
nslookup mycloud.example.com
tm
nslookup 192.168.1.1
ail
.co
m
go
th
ic_
re
ad
er
ho
nslookup 192.168.1.2
376

Slide 11-15
Transfer server storage is used as temporary storage for uploads and

downloads:
NFS or other shared storage must be accessible to all vCloud Director

servers in a vCloud Director cluster.
Volume must have write permission for root.
Must be mounted at $VCLOUD_HOME/data/transfer
Uploads and downloads occupy this storage for up to 24 hours.

Transferred images can be large.
Recommended size of storage is several hundred gigabytes.
go
th
ic_
re
ad
er
ho
11
tm
A single vCloud Director server uses /opt/vmware/vclouddirector/data/transfer by default.
ail
.co
m
377
vCloud Director Network Security Requirements

Slide 11-16
Do not connect vCloud Director servers directly to the public Internet.

Always protect vCloud Director servers with a firewall.
A vCloud Director server should have only port 443 (HTTPS) open for
incoming connections from the Internet or other public networks.
(Optional) You can open port 22 (SSH) and port 80 (HTTP) to public
networks if necessary, but these open ports are not recommended.
ad
er
ho
tm
ail
.co
m
go
th
ic_
re
Connections to the vCloud Director server from the Internet and from public networks must be
tightly controlled. The only port that is recommended to be open to the Internet and public networks
is 443 (HTTPS). This port should be open only if you are using a public cloud model and plan to
have external customers access the vCloud Director console from public or Internet-connected
systems.
378
vCloud Director Network Ports
ad
er
See VMware knowledge base article 1030816 at http://kb.vmware.com/kb/1030816.
go
th
ic_
re
On internal networks, only a few other ports should be open on vCloud Director servers. Port 443 is
not listed here because it was mentioned earlier. Port 443 should also be open on internal networks
to allow local administrators to connect to the vCloud Director administration console.
379
ho
11
tm
ail
.co
m
Slide 11-17

Slide 11-18

Describe the prerequisites for vCloud Director installation
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
380
Lesson 2: Installation Procedure

Slide 11-19
go
th
ic_
re
ad
er
ho
11
tm
ail
.co
m
Lesson 2:
Installation Procedure
381
Learner Objectives
Slide 11-20
objective:
Use the proper procedure to install vCloud Director
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
382
Recommended Installation Procedure

Slide 11-21
1. Prepare the resource group.

2. Configure the database.
3. Configure DNS.
4. Confirm networking configuration.
5. Confirm vCloud Director server software configuration.
6. Create and install security certificates.
7. Configure vShield Manager.
ail
.co
m
8. Install vCloud Director.
9. Create the Sysprep deployment package.
go
th
ic_
re
ad
er
ho
11
tm
10.Configure vCloud Director cells.
383
Preparing the Resource Group

Slide 11-22
Colocating prevents cloud performance problems caused by network time lags.
Each provider virtual datacenter must have one vSphere DRS/vSphere

HA cluster.
Resource pools should not be present in the vSphere DRS/vSphere HA cluster.
Use best practices when configuring networks:
Separate management, VMware vSphere vMotion, storage, and production traffic.

Configure network redundancy for VMware vSphere High Availability.
Make management networks accessible by the vCloud Director

servers.
Group storage into storage tiers of comparable speed and cost.
go
th
ic_
re
ad
er
ail
.co
m
Colocate the physical equipment of all resource group vSphere

DRS/vSphere HA clusters into the same geographical site.
tm
The best practice is to dedicate vSphere DRS/vSphere HA clusters in

the resource group for use by vCloud Director.
ho
Install and configure one or more vSphere DRS/vSphere HA clusters.
384
Configuring DNS
Slide 11-23
The DNS server that vCloud Director uses should have records
preconfigured. These records include the following:
Host records (A) preconfigured for both the vCloud Director HTTP and
the vCloud Director console proxy network connections
Reverse address lookup records preconfigured for both the vCloud
Director HTTP and the vCloud Director console proxy network
connections
vCenter Server host name and address

ESX/ESXi host name and address
11
tm
Names and addresses for other servers such as database server,

LDAP server, vCloud Networking and Security server, and so on
er
ad
go
th
ic_
re
The DNS configuration is critical for vCloud Director. All server names specified during vCloud
Director installation must be resolvable by DNS, including names assigned to the HTTP service
network interface and the console service network interface. Both the short name and the fully
qualified domain name (FQDN) must be resolvable. Reverse lookup of the addresses assigned must
also be configured into the DNS server. Use the nslookup command to confirm that DNS name
resolution is working for both host names and reverse IP addresses.
As mentioned in the prerequisites lesson, the DNS server must be configured with both A and PTR
records for the vCloud Director network interfaces before the installation of vCloud Director.
385
ho
ail
.co
m
VMware recommends that other frequently used addresses be

preconfigured:
Confirming Networking Configuration

Slide 11-24
Before installation, you should confirm that the vCloud Director

network configuration is correct.
DNS name resolution of both vCloud Director addresses and any other
address name resolution that is required during installation
Network connectivity to the vCenter Server systems and the ESX/ESXi
hosts in the resource clusters
Network connectivity to the database server
Network connectivity to the vShield Manager server

Network connectivity to NTP servers
Network connectivity to other servers, such as LDAP and Syslog
ad
er
One for HTTPS

One for console proxy
ail
.co
m
tm
Two addresses on the management network:
ho
Database server
go
th
ic_
re
After you have configured your DNS server and have created the two required network interfaces on
the vCloud Director server, you should confirm that your networking configuration is correct. Use
the nslookup command to make sure you can resolve all of the names and IP addresses from a
console or terminal window on the vCloud Director server. Also use ping or other tools to confirm
that the vCloud Director server has network connectivity to the following:
vCenter Server systems

vShield Manager servers
NTP servers
Any other systems that will be used, such as LDAP
386
Creating the Microsoft Sysprep Deployment Package

Slide 11-25
Guest OS
Directory Name
Windows 2003 (32-bit)
../sysprep/svr2003
Windows 2003 (64-bit)
../sysprep/svr2003-64
Windows XP (32-bit)
../sysprep/xp
Windows XP (64-bit)
../sysprep/xp-64
11
Ensure that all Sysprep files are readable by the vcloud.vcloud

user.
ad
go
th
ic_
re
vCloud Director uses Microsoft sysprep packages to customize VMware vSphere Apps during
vApp deployment. You should load Microsoft sysprep software on your vCloud Director server
before creating the packages. You must use the directory names specified above for each sysprep
package. You do not have to have all of the sysprep packages if you do not plan to deploy all of
these Windows operating systems in vApps.
The sysprep software must be loaded into the proper directory on the vCloud Director server before
it can be used. If you have a multicell environment, you must have this software on each cell.
387
er
Create subdirectories as listed and load the Sysprep contents.
ail
.co
m
tm
You must download these packages from Microsoft to your vCloud

Director server.
Packages must be stored in /opt/vmware/vclouddirector/guestcustomization/default/windows/sysprep.
ho
vCloud Director uses Microsoft Sysprep packages to customize

VMware vSphere vApps during vApp deployment.
Installing Other Components

Slide 11-26
Determine which additional components should be installed and how to

install each.
An example is vCloud Director Networking and Security.
Identify additional preinstallation steps
Create and configure the vCloud Director database

Examples are creating and installing security certificates
Formulate an installation strategy appropriate for your cloud

environment.
go
th
ic_
re
ad
er
ho
tm
See VMware vCloud Director Installation and Upgrade Guide before

and during installation of vCloud Director and all collateral components.
ail
.co
m
388
Lab 17: Installing VMware vCloud Director

Slide 11-27
go
th
ic_
re
ad
er
ho
11
tm
ail
.co
m
Install vCloud Director
389

Slide 11-28

Use the proper procedure to install vCloud Director
go
th
ic_
re
ad
er
ho
tm
ail
.co
m
390
Key Points
Slide 11-29
To complete the installation of vCloud Director, you must do the

following:
Meet required prerequisites.

Understand the relationship of the interconnected systems.
Use the proper installation procedure.
go
th
ic_
re
ad
er
ho
11
tm
ail
.co
m
Questions?
391
ail
.co
m
tm
ho
@
er
ad
re
ic_
th
go
392

VCloud Director-Install-Configure Manage Allchapters

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

VCloud Director-Install-Configure Manage Allchapters

Uploaded by

Copyright:

Available Formats

MODULE 1

VMware vCloud Director: Install, Configure, Manage

VMware vCloud Director: Install, Configure, Manage

This course trains you in using VMware vCloud Director to deliver

Your instructor demonstrates the basics of how vCloud Director

VMware vCloud Director: Install, Configure, Manage

Manage vCloud Director to satisfy private cloud business needs

Manage and monitor the vCloud Director environment

Deploy vCloud Director as a private cloud

Module 1 Course Introduction

You Are Here

Managing VMware vCloud Director

VMware vCloud Director Architecture and

Managing VMware vSphere Resources

VMware vCloud Director Networking

Monitoring VMware vCloud Director

VMware vCloud Director Providers

VMware vCloud Director Organization

VMware vCloud Director Installation

VMware vCloud Director Organizations

VMware vCloud Director Basic Security

VMware vCloud Director: Install, Configure, Manage

Filenames, folder names, path

What the user types:

Graphical user interface items:

Book titles and emphasis:

The following typographical conventions are used in this course:

Module 1 Course Introduction

Classroom Discussion: Cloud Computing

Define cloud computing:

Cloud computing is an approach to computing that leverages the

efficient pooling of on-demand, self-managed virtual infrastructure that is

VMware vCloud Director: Install, Configure, Manage

Classroom Discussion: Cloud Computing Types

List the three types of cloud deployment:

Briefly state what you understand about each of these cloud

Hybrid: Composition of two or more interoperable clouds, enabling data

Private: Operated solely within an enterprise for consumption by one or

Module 1 Course Introduction

Classroom Discussion: Components

Which product provides the networking services in vCloud Director?

VMware vCloud Networking and Security servers provide the

To which VMware products does each vCloud Director server group

VMware vCloud Director: Install, Configure, Manage

Classroom Discussion: Using vCloud Director

What is an organization composed of?

What is the role of the organization administrator after the system

Module 1 Course Introduction

VMware Online Resources

VMware Communities: http://communities.vmware.com

Start a discussion, and access communities and user groups.

VMware Support: http://www.vmware.com/support

Access the knowledge base, documentation, technical papers, and

VMware Education: http://www.vmware.com/education

For easy access to online resources, install the VMware toolbar.

VMware vCloud Director: Install, Configure, Manage

www.vmware.com > Products > vCloud Director > Resources

Module 1 Course Introduction

All documents referenced in

VMware vCloud Director: Install, Configure, Manage

Architecture and Components

Architecture and Components

VMware vCloud Director: Install, Configure, Manage

You Are Here