Changing Active Directory OU of vRA Provisioned Machines

In this post we will make use of ActiveDirectory.rename in the vRO Active Directory plugin to move a computer object to a new OU as a custom action from within the vRA portal. Although technically it isn’t quite Solarwinds integration with vRA, we can cheat by monitoring the new OU. In this setup we will have vRA provision machines to a standard unmonitored OU, and then have an action in the portal triggering a vRO workflow to move the computer account to a monitored OU.

vRO Configuration

  • Log into the vRealize Orchestrator client and switch to Design view. Open the Workflows tab.
  • The steps below assume that an Active Directory server has been registered with vRA. If this is not the case then browse to Library, Microsoft, Active Directory, Configuration. Run the Add an Active Directory server workflow and enter the AD information. If successful the AD server should be listed in the Inventory tab under Active Directory.
  • Now from the Workflow tab right click the folder where the new workflow will be created and click New workflow. Enter a name for the new workflow and click Ok.
  • Enter a description if required. Under the Attributes header add a new attribute, give the attribute a name (in this case AD_Host) and change the type to AD:AdHost. The value will be the Active Directory host already configured as mentioned above.

  • Click the Inputs tab. Add a new parameter, give the parameter a name (in this case vmName) and change the type to VC:VirtualMachine. There are no outputs.
  • Click the Schema tab. Drag and drop the Scriptable task item onto the design canvas.
  • Click the Scriptable task. From the Info tab update the task name (in this case I have used Add to Monitored OU).
  • From the IN tab click the Bind to workflow parameter/attribute button. Select the attribute (AD_Host) and parameter (vmName) we created earlier.

  • Open the Scripting tab. The script I have used is below. It looks up the computer object for the virtual machine (using the vmName parameter) in AD, searching the Active Directory host specified in the AD_Host attribute, logs the result, and then moves the object to the new OU.
  • Save and close the workflow.

// Look up the computer object matching the VM name on the configured AD host
var object = ActiveDirectory.getComputerAD(vmName.name, AD_Host);

System.log("Searching for computer: " + vmName.name);
System.log("Found computer: " + object);

// Fail clearly rather than dereferencing a null result if no computer object exists
if (object == null) {
    throw "No computer object found in AD for " + vmName.name;
}

// Move the computer object to the monitored OU, keeping the same CN
ActiveDirectory.rename(object.distinguishedName, "CN=" + vmName.name, "OU=Monitored,OU=Servers,DC=Corp,DC=Local", AD_Host);

vRA Configuration

The next step is to hook the vRO workflow into vRA. Log into the vRealize Automation portal as a user with service architect permissions. From the Design tab select XaaS and Resource Actions. Any existing resource actions are listed. Click New.

Map the resource action to the relevant vRO workflow. In this case we need to expand Library, Solarwinds and select the Add to Monitoring workflow.

The input mappings should already be populated; the resource type is IaaS VC Virtual Machine, the input parameter matches up with the parameter configured in the vRO workflow (vmName which passes the virtual machine name), and this maps to the VC:VirtualMachine orchestrator type.

Accept the default values in the Details tab. Edit the Form as appropriate; in this example I have added just a text description for the user. When you’re done click Finish.

The new resource action is now listed as a draft. To start using the action select it and click Publish. Now select the Administration tab and Catalog Management. Open the Actions page; the new resource action we created should now be displayed.

If you want to change the icon of the resource action you can do so by selecting the action and clicking Configure. There are a number of useful vRA icons available here, including sample icons for day 2 actions. Note for users of vRA 7.2 there is a known issue with changing the icon for custom actions, resolved in 7.3 as per this KB article.

The next step is to assign our custom action to an entitlement. Open the Entitlements page and select the relevant entitlement. Click the Items & Approvals tab, under Entitled Actions click the green plus symbol. Locate the new resource action and select the check box to add it to the entitled actions. Click Ok and Finish.

To confirm the configuration has worked browse to the Items tab and select Machines. Any virtual machines that have the custom resource action added to the entitlement will show the new action in the drop-down Actions menu.

When selecting the new action I am presented with the action form as per the design canvas we saw earlier. In this example when I click Submit the Add to Monitoring workflow is run moving the computer object of the virtual machine to the OU specified in the script.

CLI Reference for Troubleshooting NSX

Quick post documenting some useful CLI commands for troubleshooting NSX, mainly for my own reference. Other useful information can be found at NSX CLI Cheat Sheet and NSX for vSphere Command Line Interface Reference.

ESXi Hosts

Open an SSH session to an ESXi host. The SSH service can be started from the Configure, System, Security Profile page in the vSphere web client, or under Manage, Services when logging into the host UI.

  • esxcli software vib list displays installed vibs, add | grep esx to filter.
  • vmkload_mod -l | grep vd displays the loaded drivers, add | grep nsx to filter. The nsx-vdl2, nsx-vdrb, and nsx-vsip kernel modules should be loaded.
  • /etc/init.d/vShield-Stateful-Firewall status displays the status of user world agent vsfwd which connects the host to NSX Manager.
  • /etc/init.d/netcpad status displays the status of user world agent netcpa which connects the host to the controller cluster.

  • tail -f /var/log/netcpa.log tails the user world agent netcpa log.
  • Note – to change the logging level for netcpa execute the following commands on the ESXi host:
    • chmod +wt /usr/lib/vmware/netcpa/etc/netcpa.xml gives write permissions to the file.
    • vi /usr/lib/vmware/netcpa/etc/netcpa.xml opens the file in an editor. Find <level>info</level>, press insert to edit the line and replace info with verbose. Press escape twice and enter :wq to save the file and quit.
    • /etc/init.d/netcpad restart restarts netcpad.

  • esxcfg-advcfg -g /UserVars/RmqIpAddress lists the IP address of the registered NSX Manager.
  • esxcli network ip connection list lists active TCP/IP connections, add | grep 5671 to filter port 5671 used to connect to NSX Manager.
  • ping ++netstack=vxlan -d -s 1572 -I vmk3 <VMK> <VTEP> can be used to ping a VTEP IP address using an increased packet size, where <VMK> is the VMkernel to use on the source host, and <VTEP> is the destination VTEP IP address to ping.
    • For example ping ++netstack=vxlan -d -s 1572 -I vmk4 192.168.30.12
    • If the ping comes back successful then we know the MTU is set correctly, since the command specifies a packet size of 1572 and the 28 byte IP/ICMP overhead brings the frame to 1600. If the ping drops the packet then try reducing the packet size to 1472: ping ++netstack=vxlan -d -s 1472 -I <VMK> <VTEP> (again, 1472 + 28 bytes of overhead = 1500). If the smaller ping packet is successful but the larger packet is dropped then we know there is an MTU mismatch somewhere on the path.
  • pktcap-uw can be used for packet capturing, full syntax here.
  • esxtop is a useful host troubleshooting tool, type n to switch to network view.
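As an added example (not part of the original post), the two-step MTU test above wrapped in a small POSIX shell script for the ESXi shell. It assumes the ESXi ping options shown above (++netstack=vxlan, -d, -s, -I) plus a -c count flag, and PING_CMD is an assumed override hook so the decision logic can be exercised off-host.

```shell
#!/bin/sh
# Added example, not from the original post: two-step VXLAN MTU test for an ESXi host.
# Assumes the ESXi ping shown above (++netstack=vxlan -d -s <size> -I <vmk>) plus -c <count>.
# PING_CMD is an assumed override hook so the logic can be exercised without a host.

: "${PING_CMD:=ping}"
IP_ICMP_OVERHEAD=28   # 20-byte IP header + 8-byte ICMP header

# payload_for_mtu MTU: ICMP payload size that fills a frame of that MTU (1600 -> 1572)
payload_for_mtu() {
    echo $(( $1 - IP_ICMP_OVERHEAD ))
}

# vxlan_ping VMK VTEP PAYLOAD: returns 0 if the VTEP answers a don't-fragment ping of that size
vxlan_ping() {
    "$PING_CMD" ++netstack=vxlan -d -s "$3" -I "$1" -c 3 "$2" >/dev/null 2>&1
}

# vxlan_mtu_check VMK VTEP [JUMBO_MTU] [STD_MTU]: prints ok, mismatch or unreachable
vxlan_mtu_check() {
    vmk=$1; vtep=$2; jumbo=${3:-1600}; std=${4:-1500}
    big=$(payload_for_mtu "$jumbo")
    small=$(payload_for_mtu "$std")
    if vxlan_ping "$vmk" "$vtep" "$big"; then
        echo ok            # jumbo frame made it end to end, MTU is consistent
    elif vxlan_ping "$vmk" "$vtep" "$small"; then
        echo mismatch      # standard frame passes but jumbo is dropped: MTU mismatch on the path
    else
        echo unreachable   # even a standard frame fails, so this is not an MTU problem
    fi
}

# Stand-alone usage on a host: sh vxlan_mtu_check.sh vmk4 192.168.30.12
if [ $# -ge 2 ]; then
    vxlan_mtu_check "$@"
fi
```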

NSX Manager Appliance

Open an SSH session to the NSX Manager. The SSH service can be started from the Summary page of the NSX Manager Virtual Appliance Management page.

  • show interface displays information for the NSX Manager management interface.
  • show ip route displays the NSX Manager route information.
  • show filesystem displays the NSX Manager file system capacity.
  • show log manager follow follows the NSX Manager log.

  • show controller list all displays the controller nodes status.
  • show cluster all displays vSphere clusters managed by the vCenter Server.
  • show logical-switch list all displays all logical switch information.
  • show logical-switch controller master vni 5001 connection displays the hosts connected to segment ID 5001; replace connection with vtep, mac, or arp to display the corresponding tables for that segment.
  • show logical-router list all displays all distributed logical router information.

Updating vCenter Server with External PSC

The following post demonstrates the update process for applying minor updates to a vSphere environment running multiple vCenter Server appliances and external Platform Services Controllers.

In this instance we are updating vCenter to 6.5 U1e as one of the remediation actions for the Branch Target Injection issue (CVE-2017-5715), commonly known as Spectre. For more information on Meltdown and Spectre see this blog post. VMware’s responses can be found here, on the VMware Security & Compliance Blog here, as well as in VMware Security Announcement VMSA-2018-0004.2 here.

Pre-Update Checks

When upgrading vSphere with an external Platform Services Controller (PSC), upgrade the PSC first, then the vCenter Server, then the ESXi hosts, and finally the virtual machines (hardware versions, VMware Tools).

Prior to updating vCenter ensure you have verified the compatibility of any third party products such as backups, anti-virus, monitoring, etc. Also cross-check the compatibility of other VMware products using the Product Interoperability Matrix. Since we are applying a minor update to vCenter Server the usual pre-requisites such as FQDN resolution, time synchronization, relevant ports open, etc. should already be in place. For vCenter 6.5 U1e all hosts must be running at least ESXi version 5.5. For more information on the requirements for vCenter Server 6.5, or if you are upgrading from an earlier version, the following posts may be of use:

Before beginning the update process take a backup and snapshot of the vCenter Server Appliance. There is downtime during the update but this is minimal – around 10 mins to update and reboot using an ISO as an update source, when using the online repository the update time may vary depending on your internet connection.

Review the version release notes and the VMware Docs site here.

VAMI Update

Platform Services Controller (PSC) appliances that are replicating should all be updated before the vCenter Server appliances. The easiest way of updating the vCenter Servers and Platform Services Controllers is through the VAMI (vCenter Server Appliance Management Interface). Browse to https://PSC:5480, where PSC is the FQDN or IP address of the external Platform Services Controller. Log in as the root user.

Select the Update option from the navigator.

Click the Check Updates drop-down. If the VCSA has internet access then select Check Repository to pull the update direct from the VMware online repository.

If the VCSA does not have internet access, or you’d prefer to provide the update manually then download the relevant update from VMware here (in this case VMware-vCenter-Server-Appliance-6.5.0.14000-7515524-patch-FP.iso) and attach the ISO to the CD/DVD drive of the VCSA in the virtual machine settings. Back in the VAMI update page select the Check Updates drop-down and click Check CDROM.

Details of the available update from either the online repository or attached ISO are displayed. Click Install Updates. Accept the EULA and click Install to begin the installation.

When the update process has completed click OK. From an attached ISO the update took around 5 minutes. The updated version and release date should now be displayed in the current version details. Finally, to complete the upgrade reboot the vCenter Server Appliance. Select Summary from the navigator and click Reboot.

If you are running multiple external PSCs then repeat the above process for each PSC in the SSO domain. Do not update the vCenter Server appliances until all PSC appliances are running the same updated version.

Once all external PSC appliances that replicate between one another have been upgraded then move on to the vCenter Server appliances. Repeat the above process for each vCenter Server in the SSO domain.

CLI Update

Alternatively the vCenter Server Appliance can be updated from the command line, again either using the online repository or by downloading the update from VMware here (VMware-vCenter-Server-Appliance-6.5.0.10000-5973321-patch-FP.iso or latest version) and attaching the ISO to the CD/DVD drive of the VCSA in the virtual machine settings. For more information on updating the vCenter Server Appliance using the appliance shell see this section of VMware docs.

Platform Services Controller (PSC) appliances that are replicating should all be updated before the vCenter Server appliances. Log in to the external Platform Services Controller appliance as root. First stage the patches from your chosen source using either:

  • software-packages stage --iso --acceptEulas stages software packages from ISO and accepts EULA.
  • software-packages stage --url --acceptEulas stages software packages from the default VMware online repository and accepts EULA.

Next, review the staged packages, install the update, and reboot the VCSA.

  • software-packages list --staged lists the details of the staged software package.
  • software-packages install --staged installs the staged software package.
  • shutdown reboot -r update reboots the VCSA where ‘update’ is the reboot reason. Use -d to add a delay.

If you are running multiple external PSCs then repeat the above process for each PSC in the SSO domain. Do not update the vCenter Server appliances until all PSC appliances are running the same updated version.

Once all external PSC appliances that replicate between one another have been upgraded then move on to the vCenter Server appliances. Repeat the above process for each vCenter Server in the SSO domain.

Veeam Integration with vRA Part 2: Restore

In this 2 part series we will walk through integrating Veeam with vRealize Automation and vRealize Orchestrator. Part 1 focused on giving users the ability to add virtual machines to existing Veeam backup jobs from within the vRA self-service portal. In Part 2 we will add the ability to restore virtual machines from a list of available restore points in vRA. The versions used are Veeam 9.5 and vRA 7.2 / 7.3.

The steps outlined below assume that you have already installed and configured Veeam Backup and Replication, and vRealize Automation with either an embedded or external vRealize Orchestrator instance, as well as having a basic knowledge of both areas. The following process and the sample workflows we will import are not endorsed by, or supported by, Veeam. Finally, Veeam Enterprise Manager is required to use the Veeam RESTful API. For further reading material see the Veeam RESTful API Reference here. Alternative sample workflows and further reading are provided by The IT Hollow here, and vRatpack has another useful article here covering vRA 6.2.

Add the REST Host

If you have already added your Veeam backup server as a REST host in part 1 then skip this step. Otherwise, open the vRealize Orchestrator client and log in as an administrator, change the view to Design from the drop down menu. The first thing we will do is add the Veeam server as a REST host. From the Workflows tab expand Library, HTTP-REST, Configuration.

Right click Add a REST host and click Start workflow. Enter the name and URL of the Veeam server, the default URL uses port 9399, for example http://VeeamServer:9399. Review the default options and click Next.

Configure the host authentication options as required. Here I have used Basic authentication, and entered the credentials for a service account with administrative access to Veeam.

Configure proxy and advanced settings if required, then click Submit. The workflow will run and add the Veeam server as a REST host. There are also Update a REST host and Remove a REST host workflows if you want to make any changes. Existing REST hosts can be viewed from the Inventory tab by expanding HTTP-REST.

Import the Sample Workflows

If you have already imported the sample workflows in part 1 then skip this step. In this example I am using sample workflows provided here, again these are not supported by Veeam. Download and extract the ZIP file to a location accessible from the vRO client. Change to the packages tab and click the Import Package icon. When prompted browse to the downloaded package file and click Import.

Ensure all the required elements are included and click Import selected elements.

We have now imported the backup workflow and action, and the restore workflow and action. The final element is a settings file which we will use to determine the REST host. Open the configurations tab and expand Library, Veeam. Click the Settings file and the pencil icon to edit. Select Attributes and locate the restHost attribute, click the Not set value and expand HTTP-REST, select the Veeam server we added earlier from the list of REST hosts and click Select. Click Save and close. The value of the restHost attribute should now be the Veeam backup server.

The restore jobs users select from are pulled using the getVMRestorePoints action under com.veeam.library in the actions tab. If you want to examine the workflow in more detail go to the workflows tab and expand Library, Veeam. Select the Restore VM workflow and go through the tabs in the right hand pane. From the General tab you can see the restHost attribute is using the settings configuration file we have just configured. The Inputs for the workflow are Date (the Veeam restore point) and vmObj (virtual machine name). Under the Schema tab you can view the Scripting task which is making the API calls.

Update Sample Script

If you are using the sample script referenced in this post then there are further steps required to fix the date formatting with later versions of Veeam. If you are using alternative or custom workflows then the following is not required.

  • Edit the Restore VM workflow, open the Schema tab and click the Find Restore Point script. Update the date and time format on line 25 to: var rpDateLocale = System.getDateFromFormat(restorePointNodes.item(i).getElementsByTagName("CreationTimeUTC").item(0).textContent,"yyyy-MM-dd'T'HH:mm:ss.sss'Z'").toLocaleString();

  • Edit the getVMRestorePoints action, open the Scripting tab. Update the date and time format on line 26 to: var rpDateLocale = System.getDateFromFormat(restorePointNodes.item(i).getElementsByTagName("CreationTimeUTC").item(0).textContent + " UTC","yyyy-MM-dd'T'HH:mm:ss.sss'Z' ZZZ").toLocaleString();

  • You can test that the API calls are successfully bringing back restore points by running the workflow in vRO and selecting a virtual machine; a list of available restore points should be displayed.

vRA Integration

The final step is to hook the vRO workflow into vRA. Log into the vRealize Automation portal as a user with service architect permissions. From the Design tab select XaaS and Resource Actions. Any existing resource actions are listed. Click New.

Map the resource action to the relevant vRO workflow. In this case we need to expand Library, Veeam and select the Restore VM workflow. Click Next.

The input mappings should already be populated; the resource type is IaaS VC Virtual Machine, the input parameter matches up with the parameter configured in the vRO workflow (vmObj which passes the virtual machine name), and this maps to the VC:VirtualMachine orchestrator type.

Accept the default values for the resource action form and click Finish.

The new resource action is now listed as a draft. To start using the action select it and click Publish.

Now select the Administration tab and Catalog Management. Open the Actions page; the new resource action we created should now be displayed.

If you want to change the icon of the resource action you can do so by selecting the action and clicking Configure. There are a number of useful vRA icons available here, including sample icons for day 2 actions. Note for users of vRA 7.2 there is a known issue with changing the icon for custom actions, resolved in 7.3 as per this KB article.

The next step is to assign our custom action to an entitlement. Open the Entitlements page and select the relevant entitlement. Click the Items & Approvals tab, under Entitled Actions click the green plus symbol. Locate the new resource action and select the check box to add it to the entitled actions. Click Ok and Finish.

To confirm the configuration has worked browse to the Items tab and select Machines. Any virtual machines that have the custom resource action added to the entitlement will show the new action in the drop-down Actions menu.

When selecting the new action I am presented with the action form as per the design canvas we saw earlier. In this example I select the restore point from the drop-down list that the getVMRestorePoints vRO action has pulled from the Veeam backup server, and click Submit.

The virtual machine name is then passed through to the next stage of the workflow, along with the restore point ID. You can check the status of the job in vRA under the Requests tab, check the Restore VM workflow has run successfully in the vRO console, and check the restore task that will be running as normal in the Veeam Backup & Replication console.

Veeam Integration with vRA Part 1: Backup

In this 2 part series we will walk through integrating Veeam with vRealize Automation and vRealize Orchestrator. Part 1 will focus on giving users the ability to add virtual machines to existing Veeam backup jobs from within the vRA self-service portal. In Part 2 we will add the ability to restore virtual machines from a list of available restore points in vRA. The versions used are Veeam 9.5 and vRA 7.2 / 7.3.

The steps outlined below assume that you have already installed and configured Veeam Backup and Replication, and vRealize Automation with either an embedded or external vRealize Orchestrator instance, as well as having a basic knowledge of both areas. The following process and the sample workflows we will import are not endorsed by, or supported by, Veeam. Finally, Veeam Enterprise Manager is required to use the Veeam RESTful API. For further reading material see the Veeam RESTful API Reference here. Alternative sample workflows and further reading are provided by The IT Hollow here, and vRatpack has another useful article here covering vRA 6.2.

Add the REST Host

Open the vRealize Orchestrator client and log in as an administrator, change the view to Design from the drop down menu. The first thing we will do is add the Veeam server as a REST host. From the Workflows tab expand Library, HTTP-REST, Configuration.

Right click Add a REST host and click Start workflow. Enter the name and URL of the Veeam server, the default URL uses port 9399, for example http://VeeamServer:9399. Review the default options and click Next.

Configure the host authentication options as required. Here I have used Basic authentication, and entered the credentials for a service account with administrative access to Veeam.

Configure proxy and advanced settings if required, then click Submit. The workflow will run and add the Veeam server as a REST host. There are also Update a REST host and Remove a REST host workflows if you want to make any changes. Existing REST hosts can be viewed from the Inventory tab by expanding HTTP-REST.

Import the Sample Workflows

In this example I am using sample workflows provided here, again these are not supported by Veeam. Download and extract the ZIP file to a location accessible from the vRO client. Change to the packages tab and click the Import Package icon. When prompted browse to the downloaded package file and click Import.

Ensure all the required elements are included and click Import selected elements.

We have now imported the backup workflow and action, and the restore workflow and action. The final element is a settings file which we will use to determine the REST host. Open the configurations tab and expand Library, Veeam. Click the Settings file and the pencil icon to edit. Select Attributes and locate the restHost attribute, click the Not set value and expand HTTP-REST, select the Veeam server we added earlier from the list of REST hosts and click Select. Click Save and close. The value of the restHost attribute should now be the Veeam backup server.

The backup jobs users select from are pulled using the getBackupJobs action under com.veeam.library in the actions tab. If you want to examine the workflow in more detail go to the workflows tab and expand Library, Veeam. Select Add VM to Backup Job and go through the tabs in the right hand pane. From the General tab you can see the restHost attribute is using the settings configuration file we have just configured. The Inputs for the workflow are jobname (Veeam backup job) and vmObj (virtual machine name). Under the Schema tab you can view the Scripting task which is making the API calls.

vRA Integration

The final step is to hook the vRO workflow into vRA. Log into the vRealize Automation portal as a user with service architect permissions. From the Design tab select XaaS and Resource Actions. Any existing resource actions are listed. Click New.

Map the resource action to the relevant vRO workflow. In this case we need to expand Library, Veeam and select the Add VM to Backup Job workflow.

The input mappings should already be populated; the resource type is IaaS VC Virtual Machine, the input parameter matches up with the parameter configured in the vRO workflow (vmObj which passes the virtual machine name), and this maps to the VC:VirtualMachine orchestrator type.

Accept the default values for the resource action and click Finish.

The new resource action is now listed as a draft. To start using the action select it and click Publish.

Now select the Administration tab and Catalog Management. Open the Actions page; the new resource action we created should now be displayed.

If you want to change the icon of the resource action you can do so by selecting the action and clicking Configure. There are a number of useful vRA icons available here, including sample icons for day 2 actions. Note for users of vRA 7.2 there is a known issue with changing the icon for custom actions, resolved in 7.3 as per this KB article.

The next step is to assign our custom action to an entitlement. Open the Entitlements page and select the relevant entitlement. Click the Items & Approvals tab, under Entitled Actions click the green plus symbol. Locate the new resource action and select the check box to add it to the entitled actions. Click Ok and Finish.

To confirm the configuration has worked browse to the Items tab and select Machines. Any virtual machines that have the custom resource action added to the entitlement will show the new action in the drop-down Actions menu.

When selecting the new action I am presented with the action form as per the design canvas we saw earlier. In this example I select the backup job from the drop-down list of jobs that the getBackupJobs vRO action has pulled from the Veeam backup server, and click Submit.

The virtual machine name is then passed through to the next stage of the workflow, which adds the virtual machine to the selected backup job. You can check the status of the job in vRA under the Requests tab, check the Add VM to Backup Job workflow has run successfully in the vRO console, and check the backup job itself has been updated using the Veeam Backup & Replication console.

Deploying an NSX Load Balancer with vRA

In this post we will walk through the process of deploying an NSX Load Balancer using vRealize Automation. We will also cover high availability and post deployment scaling. In order to take advantage of the direct NSX API integration with vRA you will need to be running at least v7.3; read more about the enhancements made in vRA 7.3 from the release notes or what’s new. In the example we’ll work towards, multiple web servers are provisioned with an On-Demand Load Balancer, along with app servers and a database server. The On-Demand Load Balancer deploys an NSX edge for load balancing and adds the web servers as pool members. There are a number of available customisations which we’ll cover in the configuration process below.

Adding Endpoints

The following process assumes that you have a fully deployed vRA topology with all the components required to provision virtual machines; vCenter endpoint(s), reservations, compute resources, and a published catalog with entitlements. It would also be beneficial to have an understanding of using an NSX edge for load balancing or have deployed an edge manually to see the corresponding deployment options.

The first step is to add the NSX Manager as a vRA endpoint. From the Infrastructure tab select Endpoints and Endpoints again. Click New and select Networking and Security, NSX. Enter the details for the NSX Manager. Before adding the NSX endpoint we can create an association with the registered vCenter Server. From the Associations tab, click New. Select the vCenter Server from the dropdown, the platform type will auto-populate to vSphere and the description vSphere to NSX Association. Click Test Connection and then Ok to save the configuration.

Blueprint Modifications

After NSX has been added as an endpoint navigate to Blueprints under the Design tab. From the design canvas of a new or existing blueprint select Network & Security, drag and drop the On-Demand Load Balancer onto the canvas.

Click the On-Demand Load Balancer that has been added to the canvas. When the load balancer is provisioned in NSX the servers associated with the load balancer in the blueprint are automatically added as members in the pool. This is set in the Member field, in the example below the web servers in the blueprint are added as members of the load balancer.

The network for the member servers and the network for the VIP address are configured in the appropriate fields. Leave the IP address blank to automatically assign an IP address from the associated VIP network. Under Virtual servers click New, here you can configure the protocol settings for the load balancer, and the algorithm/persistence, health check, and connection settings by selecting Customize.

Before saving the blueprint click the settings cog at the top of the page; this opens the blueprint properties. From the NSX Settings tab set the Transport zone to attach the load balancer to, which can be a local or universal transport zone. Next select the Edge and routed gateway reservation policy, which is the reservation policy (compute, storage) that will be used when provisioning the edge.

Click the Properties tab and select Custom Properties. There are a number of optional parameters we can add here.

  • NSX.Edge.ApplianceSize sets the appliance size of the edge, accepted values are compact, large, quadlarge and xlarge.
  • NSX.Edge.HighAvailability deploys the edge appliance in HA mode when the value is true. Without this property only a single appliance is deployed.
  • NSX.Edge.HighAvailability.PortGroup references the port group to use for the heartbeat network of the edge appliances deployed in HA mode.

Blueprint_Properties_2

Click Ok and Finish to save the blueprint. Make the blueprint available as a catalog item and request a test deployment. In vSphere you will see the edge and VMs being provisioned and, once complete, the virtual machines will be added as members in the load balancer pool. You can view the settings of the deployed edge in the vSphere web client under Networking & Security, NSX Edges; double click the edge and select Load Balancer.

NSX_Load_Balancer

Post Deployment

When the deployment is destroyed the edge appliances are removed along with the VMs as part of the cleanup process. If the deployment is scaled out then the new server is added as a member to the existing load balancer pool, likewise if the deployment is scaled in then the server deleted is also removed from the pool.

Scale_Out

The scale in and scale out actions are assigned as entitled actions from within the relevant entitlement. As well as having the permissions to perform the scale actions, the blueprint must also specify a maximum instance count higher than the number initially deployed. In the example below 2 web servers will be deployed with an On-Demand Load Balancer; as the maximum number of instances is set to 10, the requester can scale out the number of web servers and pool members to a maximum of 10 servers.
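The post says to confirm pool membership by eye in the vSphere web client. The following added check does the same thing programmatically, so it can be run after a deployment, a scale out or a scale in to confirm that vRA really did add or remove the member. It is example code, not code from the original post or from VMware: it assumes the NSX 6.x REST call GET /api/4.0/edges/{edgeId}/loadbalancer/config with basic authentication, and `SAMPLE_LB_CONFIG` is a constructed sample in the shape of that response so the check runs offline.

```python
"""Check that the NSX edge load balancer pool holds the deployment's VMs.

Added example, not code from the original post. Assumes the NSX 6.x API
GET /api/4.0/edges/{edgeId}/loadbalancer/config with basic authentication;
SAMPLE_LB_CONFIG is a constructed sample in the shape of that response so
the check runs offline.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: one pool (third member disabled) and one virtual server.
SAMPLE_LB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<loadBalancer>
  <pool>
    <poolId>pool-1</poolId>
    <name>vra-web-pool</name>
    <member>
      <ipAddress>10.10.20.11</ipAddress>
      <port>80</port>
      <name>web-0001</name>
      <condition>enabled</condition>
    </member>
    <member>
      <ipAddress>10.10.20.12</ipAddress>
      <port>80</port>
      <name>web-0002</name>
      <condition>enabled</condition>
    </member>
    <member>
      <ipAddress>10.10.20.13</ipAddress>
      <port>80</port>
      <name>web-0003</name>
      <condition>disabled</condition>
    </member>
  </pool>
  <virtualServer>
    <name>vra-web-vip</name>
    <ipAddress>192.168.50.10</ipAddress>
    <protocol>http</protocol>
    <port>80</port>
    <defaultPoolId>pool-1</defaultPoolId>
  </virtualServer>
</loadBalancer>
"""


def fetch_lb_config(nsx_manager, edge_id, user, password, verify_tls=True):
    """GET one edge's load balancer config as an XML string (not used offline).

    verify_tls=False is only for lab NSX Managers with self-signed certificates.
    """
    url = f"https://{nsx_manager}/api/4.0/edges/{edge_id}/loadbalancer/config"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": "Basic " + token, "Accept": "application/xml"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def parse_pools(xml_text):
    """Return {pool name: [member dicts]} from a loadbalancer/config document."""
    pools = {}
    for pool in ET.fromstring(xml_text).findall("pool"):
        pools[pool.findtext("name")] = [
            {
                "name": m.findtext("name"),
                "ip": m.findtext("ipAddress"),
                "port": int(m.findtext("port")),
                "enabled": m.findtext("condition") == "enabled",
            }
            for m in pool.findall("member")
        ]
    return pools


def check_pool(xml_text, pool_name, expected_ips):
    """Compare pool members with the IPs of the deployment's VMs.

    Returns (missing, unexpected, disabled) as sorted lists, so a scale out
    (new VM must appear) and a scale in (removed VM must be gone) are both
    verified against the same pool.
    """
    members = parse_pools(xml_text).get(pool_name, [])
    present = {m["ip"] for m in members}
    expected = set(expected_ips)
    disabled = {m["ip"] for m in members if not m["enabled"]}
    return sorted(expected - present), sorted(present - expected), sorted(disabled)


if __name__ == "__main__":
    # Offline run against the constructed sample: web-0004 expected but absent,
    # web-0003 present but not expected (and disabled).
    missing, unexpected, disabled = check_pool(
        SAMPLE_LB_CONFIG, "vra-web-pool", ["10.10.20.11", "10.10.20.12", "10.10.20.14"])
    print("missing:", missing, "unexpected:", unexpected, "disabled:", disabled)
    # missing: ['10.10.20.14'] unexpected: ['10.10.20.13'] disabled: ['10.10.20.13']
```

Against a live edge, replace `SAMPLE_LB_CONFIG` with the result of `fetch_lb_config(...)` and pass the IPs vRA reported for the deployment's VMs; a non-empty `missing` list after a scale out, or a non-empty `unexpected` list after a scale in, means the pool did not follow the deployment.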

Blueprint_Scale

Configuring VMware Cross-vCenter NSX

This post provides an overview of cross-vCenter NSX and walks through the configuration steps. Cross-vCenter NSX allows central management of network virtualization and security policies across multiple vCenter Server systems. Cross-vCenter NSX introduces universal objects, such as universal logical switches, universal logical routers, and universal distributed firewall rules. Universal objects are able to span multiple sites or vCenter Server instances, enhancing workload mobility by allowing cross-vCenter and long distance vMotion for virtual machines whilst keeping the same network settings and firewall rules. This improves DR capabilities, overcomes scale limits of vCenter Server, and gives administrators more control over resource pooling and the separation of environments.

Cross-vCenter NSX was introduced in NSX 6.2 and requires vSphere 6.0 or later. As normal, NSX Manager is deployed with vCenter Server in a 1:1 pairing. In a single site NSX deployment the NSX Manager is given the standalone role by default. When configuring cross-vCenter NSX one NSX Manager is assigned the primary role, and up to seven other NSX Managers are assigned the secondary role. NSX Managers configured for cross-vCenter NSX must all be running the same version. The primary NSX Manager is responsible for deploying the Universal Controller Cluster, forming the control plane across the NSX Managers. The Universal Controller Cluster runs in the site of the primary NSX Manager. Universal objects are created on the primary NSX Manager and automatically synchronized across the multi-site NSX environment.

Configuring Cross-vCenter NSX

The steps below assume you have already deployed and registered the NSX Managers, and have a good understanding of NSX. This post is intended as an add-on to the NSX Install Guide to provide an outline of the additional or different steps required for a cross-vCenter NSX install; further resources are listed at the bottom of the page. If you are using vCenter enhanced linked mode then multiple NSX Manager instances are displayed within the same interface, or single pane of glass, when managing the Networking & Security section of the vSphere web client. Enhanced linked mode is not a requirement for cross-vCenter NSX however, and vCenter Server systems not in enhanced linked mode can still be configured for cross-vCenter NSX.

From the Networking & Security page of the vSphere web client select Installation, highlight the NSX Manager in the primary site, from the Actions menu select Assign Primary Role.

NSX_Promote

The secondary NSX Manager(s) synchronize with the primary using the Universal Synchronization Service. Secondary sites do not run any NSX Controllers, although the controllers can be redeployed there easily in the event of a primary site outage. Before assigning the secondary role you should ensure there are no existing NSX Controllers deployed in the associated vCenter. If you have already assigned a segment ID pool to the NSX Managers then ensure the segment ID pools do not overlap. Select the primary NSX Manager and from the Actions menu click Add Secondary NSX Manager. Enter the secondary NSX Manager information and admin password.

NSX2

Review the table of NSX Managers, the roles have now changed accordingly.

NSX_Roles

The universal controller cluster is formed by individually deploying the NSX controllers from the primary NSX Manager, the method of deploying the controllers is the same (see NSX Install Guide Part 1 – Mgmt and Control Planes for further assistance). Once the controllers are deployed you will notice placeholder controllers listed against the secondary NSX Manager, these are not connected or deployed. In the event of a site failure the configuration is synchronized between NSX Managers so you can simply re-deploy the controllers in the DR site. To see the failover process review this blog post. VMware recommend deploying 3 controllers on different hosts with anti-affinity rules.

NSX_Controllers

The next part of the install process is to follow the host preparation and VXLAN configuration steps as normal (see NSX Install Guide Part 2 – Data Plane for further assistance). Create the segment ID pools for each NSX Manager, making sure they do not overlap. On the primary NSX Manager you will also assign a universal segment ID pool.
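The segment ID pools are the one piece of this procedure where a mistake is silent until two sites hand out the same VNI, so it is worth checking before host preparation rather than after. The script below is an added example, not code from the original post or from VMware: it takes each NSX Manager's local segment ID pool plus the universal pool assigned on the primary, and reports ranges that overlap, are inverted, or fall outside the VXLAN segment ID limits NSX accepts. The XML strings are constructed samples in the shape of the `segmentRanges` document returned by the NSX API (GET /api/2.0/vdn/config/segments); how the universal pool is exposed by that API is not shown, so it is supplied as a plain range.

```python
"""Check that cross-vCenter NSX segment ID pools do not overlap.

Added example, not code from the original post. The local pools are parsed
from constructed samples in the shape of the NSX segmentRanges document
(GET /api/2.0/vdn/config/segments); the universal pool, assigned on the
primary NSX Manager only, is supplied as a plain (name, begin, end) tuple.
"""
import xml.etree.ElementTree as ET

# VXLAN segment ID (VNI) limits accepted by NSX for segment ID pools.
VNI_MIN, VNI_MAX = 5000, 16777216

# Constructed samples: one local segment ID pool per NSX Manager.
SAMPLE_LOCAL_POOLS = {
    "nsx-primary": """<segmentRanges>
  <segmentRange><id>1</id><name>site-a-local</name><begin>5000</begin><end>5999</end></segmentRange>
</segmentRanges>""",
    "nsx-secondary": """<segmentRanges>
  <segmentRange><id>1</id><name>site-b-local</name><begin>6000</begin><end>6999</end></segmentRange>
</segmentRanges>""",
}
# Constructed sample: the universal segment ID pool assigned on the primary.
SAMPLE_UNIVERSAL_POOL = ("universal", 10000, 10999)


def parse_segment_ranges(xml_text):
    """Return [(name, begin, end), ...] from a segmentRanges document."""
    return [
        (r.findtext("name"), int(r.findtext("begin")), int(r.findtext("end")))
        for r in ET.fromstring(xml_text).findall("segmentRange")
    ]


def find_conflicts(pools):
    """pools: {owner: [(name, begin, end), ...]}. Returns a list of problems.

    Ranges are sorted by begin and compared against the furthest end seen so
    far, so an overlap is reported even when a wide range spans several
    later ones (adjacent-only comparison would miss that case).
    """
    problems, ranges = [], []
    for owner, items in pools.items():
        for name, begin, end in items:
            if begin > end:
                problems.append(f"{owner}/{name}: begin {begin} is after end {end}")
            if begin < VNI_MIN or end > VNI_MAX:
                problems.append(f"{owner}/{name}: {begin}-{end} outside {VNI_MIN}-{VNI_MAX}")
            ranges.append((begin, end, owner, name))
    ranges.sort()
    widest = None  # (begin, end, owner, name) with the furthest end so far
    for rng in ranges:
        if widest is not None and rng[0] <= widest[1]:
            problems.append(
                f"{widest[2]}/{widest[3]} {widest[0]}-{widest[1]} overlaps "
                f"{rng[2]}/{rng[3]} {rng[0]}-{rng[1]}")
        if widest is None or rng[1] > widest[1]:
            widest = rng
    return problems


def check_pools(local_xml_by_manager, universal_range):
    """Parse every manager's local pool, add the universal pool, report conflicts."""
    pools = {m: parse_segment_ranges(x) for m, x in local_xml_by_manager.items()}
    pools["universal"] = [universal_range]
    return find_conflicts(pools)


if __name__ == "__main__":
    print("good:", check_pools(SAMPLE_LOCAL_POOLS, SAMPLE_UNIVERSAL_POOL))  # good: []
    bad = dict(SAMPLE_LOCAL_POOLS)
    bad["nsx-secondary"] = bad["nsx-secondary"].replace("6000", "5500").replace("6999", "6499")
    for problem in check_pools(bad, SAMPLE_UNIVERSAL_POOL):
        print("bad:", problem)
    # bad: nsx-primary/site-a-local 5000-5999 overlaps nsx-secondary/site-b-local 5500-6499
```

Run it with each NSX Manager's real segment ID pool document in place of the samples; any line it prints should be fixed before the secondary role is assigned, since the overlap check in the UI only covers what the primary already knows about.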

In order for us to deploy universal logical switches we need to create a universal transport zone. A universal transport zone determines which hosts a universal logical switch can reach, spanning multiple vCenters. From the Logical Network Preparation tab open Transport Zones, ensure the primary NSX Manager is selected and click the plus symbol. Select Mark this object for Universal Synchronization, and enter the configuration for the universal transport zone. All universal objects must be created on the primary NSX Manager, change the NSX Manager to the secondary site and you will see the universal transport zone has synchronized there also.

NSX_TZ

Next we will create a universal logical switch for the transit network. Local objects such as logical switches, logical routers, and Edge Services Gateways can still be deployed from each NSX Manager, although by design they are only local to the vCenter linked to that specific NSX Manager, and cannot be deployed or edited elsewhere. From the left hand navigation pane in Networking & Security select Logical Switches, ensure the primary NSX Manager is selected and click the plus symbol. Enter a name for the transit network and select the universal transport zone we created earlier.

NSX_Universal_Transit

At this stage you can also deploy another universal logical switch, connecting a couple of test VMs on a private subnet, and have them ping one another to confirm connectivity. Now that we have a transit network and test universal logical switches connected to our universal transport zone we can go ahead and create a universal DLR. In this particular environment we have already deployed an ESG in each site. For further assistance with deploying an ESG and DLR see NSX Install Guide Part 3 – Edge and DLR.

From the Networking & Security page click NSX Edges, ensure the primary NSX Manager is selected and click the plus symbol. The control VM for the DLR is deployed to the primary site, again the configuration is synchronized and this can be re-deployed to the DR site in the event of a primary site outage. Select Universal Logical Router and follow the wizard as normal, if local egress is required then check the appropriate box. Sites configured in a cross-vCenter NSX environment can use the same physical routers for egress traffic, or have the local egress feature enabled within a universal logical router. The local egress feature allows routes to be customized at host, cluster, or router level.

NSX_UDLR

From the NSX Edges page double click the new universal DLR, select Manage, Settings, Interfaces and click the add button. In order for traffic to route from the universal DLR to the ESG(s) we must add an uplink interface connecting them to the universal transit network. Change the logical router interface to Uplink, in the Connected To field select the transit network universal logical switch we created earlier. Configure the IP and MTU settings of the interface per your own environment.

NSX_UDLR_Interface

You can also add Internal interfaces here corresponding with universal logical switches for virtual machine subnets. Before these subnets can route out follow the same process to add an Internal interface to the ESG(s) connecting them to the same transit network.

A virtual machine connected to the test universal logical switch can now vMotion between sites keeping the same IP addressing, providing L2 over L3 capability. As well as remaining on the same logical network, a virtual machine can also be migrated across sites without any additional firewall rules; this is achieved with the use of universal firewall rules. Universal firewall rules require a dedicated section to be created under the Firewall section of Networking & Security, with Mark this section for Universal Synchronization selected. For assistance with creating universal firewall rules see here.

NSX_Universal_Firewall

Additional Resources

To plan a cross-vCenter NSX installation review the VMware Cross-vCenter NSX Design Guide, Cross-vCenter NSX Topologies Guide, and the VMware Cross-vCenter Installation Guide. For more information on cross-vCenter NSX design see the following blog posts: