vCloud Director Extender configuration – Service Provider side

Soon after the release of vCloud Director 9.0, VMware released the replacement for vCloud Connector, a new tool named vCloud Director Extender.

vCloud Director Extender enables a Tenant to cold or warm migrate its workloads from vSphere to a vCloud Director based Public Cloud. All the steps are wizard-driven, and the Tenant also has the option to leverage the automatic creation of an L2VPN connection that stretches the networking between the on premises environment and the vCloud Director Cloud.

vCloud Director Extender works with vCloud Director 8.20.x and vCloud Director 9.0.

You can read the Release Notes for version 1.0 here.

In this first post about vCloud Director Extender, I’ll guide you through the necessary steps to configure the vCloud Director Extender Service from a Service Provider perspective.

vCloud Director Extender Architecture

Before starting, I want to show you the architecture of the Service:

vCloud Director Extender - Architecture

On the Provider Side, we have the following components:

  • vCloud Director Extender: the Virtual Appliance that you download and deploy, known as “CX Cloud Service”. After its deployment and configuration, it is used to set up and configure the overall CX Service.
  • Cloud Continuity Manager (aka “Replication Manager”): this Virtual Appliance is deployed by the CX Cloud Service and its role is to oversee the work done by the Replicator.
  • Cloud Continuity Engine (aka “Replicator”): this Virtual Appliance is deployed by the CX Cloud Service and its role is to manage the VM replication between the Tenant’s vSphere environment and the Service Provider’s vCloud Director. The Replicator leverages the new H4 Replication Engine.

On the Tenant side, we only need vCloud Director Extender and the Cloud Continuity Engine.

Let’s start now with the installation and configuration steps on the Service Provider side.

vCloud Director Extender Service Provider Setup

The first step is to access the myVMware website and download the vCloud Director Extender OVA file, located under the “Drivers & Tools” section of the VMware vCloud Director 9.0 download page.

vCloud Director Extender - myVMware

Following the “Go to Downloads” link you’ll find the vCloud Director Extender 1.0.0 download page.

vCloud Director Extender - Download

The next step is to deploy the OVA file we just downloaded. Select the target vCenter (typically the Management Cluster vCenter) and select “Deploy OVF Template”.

vCloud Director Extender - Deploy OVF part 1

Choose “Browse” to select a local file.
vCloud Director Extender - Deploy OVF part 2

Choose the OVA file you downloaded previously from the myVMware website and select “Open”. Once you’re back on the Select Template page, click “Next”.
vCloud Director Extender - Deploy OVF part 3

Choose a name for the vCloud Director Extender Virtual Appliance as you want it to appear in your vCenter inventory, then click “Next”.
vCloud Director Extender - Deploy OVF part 4

Select a Target Cluster/Host and click “Next”.
vCloud Director Extender - Deploy OVF part 5

Click “Next” on the Review details page.
vCloud Director Extender - Deploy OVF part 6

Click “Accept” on the EULA page after reading it, then click “Next”.
vCloud Director Extender - Deploy OVF part 7

Select a virtual disk format, a VM storage policy and a target datastore for the Virtual Appliance, then click “Next”.
vCloud Director Extender - Deploy OVF part 8

Select a destination Network (PortGroup) for the Virtual Appliance, then click “Next”.
vCloud Director Extender - Deploy OVF part 9

In the “Customize Template” tab, you’ll set all the Virtual Appliance parameters.
In the Service Provider environment, based on vCloud Director, you must choose the deployment type “cx-cloud-service”.
vCloud Director Extender - Deploy OVF part 10

After reviewing your configuration, click “Finish” to deploy the Virtual Appliance.
vCloud Director Extender - Deploy OVF part 11

vCloud Director Extender Service Provider Setup

Once deployed, you can access the vCloud Director Extender Virtual Appliance via HTTPS on the configured IP address.
You will be presented with the Cloud Service Setup page.
Enter your local or vCenter (SSO) credentials to access the application and start the configuration wizard.
vCloud Director Extender - Configuration Wizard

Select “SETUP WIZARD” to start the Service configuration.
vCloud Director Extender - Setup part 1

In Step 1, you’ll enter the parameters needed to connect to the Management vCenter. Then click “Next”.
vCloud Director Extender - Setup part 2

In Step 2, provide the parameters needed to connect to your vCloud Director instance, then click “Next”.
vCloud Director Extender - Setup part 3

In Step 3, provide the parameters needed to connect to your Resource vCenter(s), then click “Next”.
vCloud Director Extender - Setup part 4

Wait for the “Successfully linked Resource vCenter” confirmation message, then click “Next”.
vCloud Director Extender - Setup part 5

In Step 4, specify the parameters needed to create the Replication Manager Virtual Appliance, then click “Next”.
vCloud Director Extender - Setup part 6

You will see a progress bar indicating the Replication Manager creation status.
vCloud Director Extender - Replication Manager creation

In Step 5, set the root password for the Replication Manager Appliance and specify the Public Endpoint URL needed to reach the Service (optional, only needed if the Appliance is behind a Proxy/NAT), then click “Next”.
vCloud Director Extender - Setup part 7

Wait for the activation confirmation message, then click “Next”.
vCloud Director Extender - Setup part 8

In Step 6, specify the parameters needed to create the Replicator Virtual Appliance, then click “Next”.
vCloud Director Extender - Setup part 9

You will see a progress bar indicating the Replicator creation status.
vCloud Director Extender - Replicator creation

In Step 7, set the root password for the Replicator Appliance, specify the Lookup Service URL and credentials for the Resource vCenter, and the Public Endpoint URL needed to reach the Service (optional, only needed if the Appliance is behind a Proxy/NAT), then click “Next”.
vCloud Director Extender - Setup part 10

Step 8 concludes the Wizard. Click “Finish”.
vCloud Director Extender - Setup part 11

vCloud Director Extender – Service Provider L2VPN Server Setup

The last step to enable the Service, only necessary if L2 stretching is needed between the on premises environment and vCloud Director, is to configure the L2VPN Service on the Edge Gateway(s) of the target Organization Virtual Datacenter(s).
To create L2VPN connections, you need to convert the Edge Services Gateway(s) to Advanced and grant the needed Rights to the vCloud Organization.
You can read one of my previous posts, Self Service NSX Services in vCloud Director, to understand how this works and how to complete this part of the configuration, if needed.

At this stage you can configure the L2VPN Server on the Tenant Edge Gateway (this can be done by the Service Provider or can be delegated to the Customer).
L2VPN Server

When you configure an L2VPN Server, you must also configure a Peer Site. At this stage you’ll configure a dummy Peer Site, just to conclude the setup on the Tenant side. We can leave this Peer Site disabled because we won’t use it: it will be vCloud Director Extender on the Tenant side that configures the needed Peer Sites on this Edge Gateway.
L2VPN Server - Dummy Peer Site

This concludes the Service Provider side of the vCloud Director Extender Service configuration.
In the next post I’ll show you how to configure the CX Service on the Tenant side.

Self Service NSX Services in vCloud Director

Starting from the 8.20 release, vCloud Director has the capability to offer NSX Advanced Services to Tenants.

In this post, I’ll show you how to grant Self-Service advanced consumption of NSX to a specific Tenant. This applies to both vCloud Director 8.20.x and the recently announced vCloud Director 9.0.

I’m writing “to a specific Tenant” because the additional powerful feature in vCloud Director is that you can grant granular access to NSX Services on a Tenant basis through Role Based Access Control (RBAC). When a new Organization is created and Users are added to it, the Roles you grant to Users are cloned from a Template Role; in this way every Organization inherits dedicated, specific Roles that you can modify, which lets the Service Provider build a very granular offer.

How it works

In my scenario, I’ve created a new Organization named “ACME” and a User named acmeadmin. I’ve assigned the default “Organization Administrator” role to the user.

Create vCD Session via API

The first step we need to take is to create an authentication session with vCloud Director.
We’ll use the following Headers:

  • Accept: application/*;version=9.0
  • Authorization: Basic (username in the user@org format)

We’ll make the following API call:

POST https://<vcd-IP>/api/sessions

vCloud Director - Create vCD session via API

We need the x-vcloud-authorization response header for the subsequent API calls.

List available Organizations in our vCloud Director instance

We need to list the Organizations available in our vCloud Director instance, to find the reference to the ACME Organization, using the following API call:

GET https://<vcd-IP>/api/org

We’ll use the following Headers:

  • Accept: application/*;version=9.0
  • Authorization: Basic (username in the user@org format)
  • x-vcloud-authorization: x-vcloud-authorization value from the previous API call

vCloud Director - List available Organizations

The response will give us the list of available Organizations:

vCloud Director - Organization List

We will use the highlighted REST reference to the ACME Organization for our subsequent API calls.

List all the Rights available to the Organization

We’ll use the same Headers as the previous call to make the next API call. With this call we’ll obtain the list of all the Rights available by default to an Organization; in this specific case we’ll get the list of available Rights for the ACME Organization.

The API call we’ll make is the following:

GET https://<vcd-IP>/api/admin/org/<ORG-ID>/rights

vCloud Director - List Organization Rights

We’ll save the Response Body and use it in the following steps, when we add the new Rights.

Here’s an excerpt of the output from the original API call used to list all the Rights available to the Organization:

<?xml version="1.0" encoding="UTF-8"?>
<OrgRights xmlns="http://www.vmware.com/vcloud/v1.5" href="https://vcd-01a.corp.local/api/admin/org/e46b03d6-46bc-4c95-94fc-27a6c78737a9/rights" type="application/vnd.vmware.admin.org.rights+xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.vmware.com/vcloud/v1.5 http://vcd-01a.corp.local/api/v1.5/schema/master.xsd">
<Link rel="edit" href="https://vcd-01a.corp.local/api/admin/org/e46b03d6-46bc-4c95-94fc-27a6c78737a9/rights" type="application/vnd.vmware.admin.org.rights+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/right/39ec03d4-440d-32cf-8507-f01acd822540" name="Catalog: Change Owner" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/right/4886663f-ae31-37fc-9a70-3dbe2f24a8c5" name="Catalog: Add vApp from My Cloud" type="application/vnd.vmware.admin.right+xml"/>
……….

Convert Edge Gateway to Advanced Gateway

The next step is to convert each Edge Gateway in the Organization on which we want to leverage Advanced Networking Services. Note: the conversion enables the new HTML5 User Interface for Networking Services, potentially allowing the Tenant to consume these services, but it is still the Service Provider that has to enable the Services and make them available to the Tenant for consumption. In simple terms, the conversion has nothing to do with the “NSX Advanced Bundle” you can find in the VMware Cloud Provider Program Product Usage Guide: the guide tells you how much you’ll be charged if you use a specific service, whereas the conversion technically enables the possibility to consume the Services. I repeat, the possibility is enabled, not the consumption.

vCloud Director - Convert Edge Gateway to Advanced

After the conversion, selecting the action “Edge Gateway Services…” brings us to the new H5 User Interface.

As you can see, converting the Edge to Advanced mode has not enabled the Organization (Administrator) to consume NSX Advanced Services. In fact, only the “Base” NSX features (NAT, IPsec VPN, LB etc.) are exposed to the Tenant.

If we look at Roles, the Edge Gateway Advanced Services are not shown as available to be assigned (e.g. to the Organization Administrator Role):

The Service Provider can now choose to grant specific and very granular Rights to the Organization to manage Networking Services. Once added, these additional Rights will be available to the Service Provider (or to the Organization Administrator) to be granted to Roles in the Organization.

Add Advanced Networking Rights to the Organization

A new set of APIs is available starting from vCloud Director 8.20, specifically provided to manage NSX Services. This new API version is 27.0.

We’ll use the following Headers:

  • Accept: application/*;version=27.0
  • Authorization: Basic (username in the user@org format)
  • x-vcloud-authorization: x-vcloud-authorization field value from the previous API call
  • Content-Type: application/vnd.vmware.admin.rights+xml

And we’ll make the following API call:

PUT https://<vcd-IP>/api/admin/org/<ORG-ID>/rights

We’ll fill the Body of the request with the content saved in the previous step (the one used to obtain the list of Rights available to the Organization), and append the list of Advanced Networking Services related Rights we want to make available to the Organization.

vCloud Director - Add Rights to the Organization

You can find the list of available NSX related Rights in the following KB article: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2149016
In the KB you can find a downloadable pre-formatted XML file listing all the Networking Rights, so you can use it as a template to add specific Networking Services Rights to an Organization.

An interesting scenario is SSL VPN-Plus. This Service could always have been offered by the Service Provider, but this didn’t happen because SSL VPN-Plus wasn’t available as a Service in the vCloud Director UI. It’s still not available until you convert the Edge Gateway to Advanced and grant the specific Right to the Tenant. In addition, it’s very important to mention that SSL VPN is now available as part of the NSX Base Bundle!

The list of Rights we’ll need to add to an Organization to cover the NSX “Base” (a.k.a. vCNS mode) use case is the following:

  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/b080bb50-cff1-3258-9683-842d34255a95" name="Organization vDC Gateway: Configure Services" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/84ddb40f-a49a-35e1-918e-3f11507825d7" name="Organization vDC Gateway: Configure Syslog" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/ff3fc70f-fd25-3c0a-9d90-e7ff82456be5" name="Organization vDC Gateway: Configure System Logging" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801" name="Organization vDC Gateway: Convert to Advanced Networking" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/e90fa73c-3347-3ec7-b407-e25eae2cfe8d" name="Organization vDC Gateway: Create" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/e22e674f-17c3-32cc-ba8a-aecc6733b977" name="Organization vDC Gateway: Delete" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/bc655eb3-964c-335a-b588-167a9a69cd13" name="Organization vDC Gateway: Modify Form Factor" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/6122ae98-30b3-3450-b4d1-e1b935e36fbd" name="Organization vDC Gateway: Update" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/93268d9c-3f30-3924-bc2e-9e42bfe6418c" name="Organization vDC Gateway: Update Properties" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/7e1af410-d811-3056-8593-85e2b1808ad9" name="Organization vDC Gateway: Upgrade" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae" name="Organization vDC Gateway: View" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/be1abe9a-7ddc-38f6-bdf3-94affb01e46b" name="Organization vDC Gateway: Configure DHCP" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/b755b050-772e-3c9c-9197-111c286f563d" name="Organization vDC Gateway: Configure Firewall" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/209cde55-55db-33f1-8357-b27bba6898ed" name="Organization vDC Gateway: Configure IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/27be9828-4ce4-353e-8f68-5cd69260d94c" name="Organization vDC Gateway: Configure Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/c9e19573-3d54-3d4a-98f2-f56e446a8ef9" name="Organization vDC Gateway: Configure NAT" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/72c5e652-c8d7-3f19-ab83-283d30cb679f" name="Organization vDC Gateway: Configure Remote Access" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/92b7d500-6bb6-3176-b9eb-d1fda4ce444d" name="Organization vDC Gateway: Configure SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/f72af304-97b0-379e-9d6d-68eb89bdc6cf" name="Organization vDC Gateway: Configure Static Routing" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/8e16d30d-1ae3-3fff-8d4b-64c342b186a9" name="Organization vDC Gateway: View DHCP" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/7fee6646-ec0c-34c9-9585-aff6f4d92473" name="Organization vDC Gateway: View Firewall" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/82beb471-ab7f-3e2b-a615-136ba6645525" name="Organization vDC Gateway: View IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/2a097e48-f4c4-3714-8b24-552b2d573754" name="Organization vDC Gateway: View Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/fb860afe-2e15-3ca9-96d8-4435d1447732" name="Organization vDC Gateway: View NAT" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/65439584-6aad-3c2c-916f-794099ee85bf" name="Organization vDC Gateway: View Remote Access" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/cdb0edb0-9623-30a8-89de-b133db7cfeab" name="Organization vDC Gateway: View SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/9740be24-4dd7-373c-9237-91896338c11e" name="Organization vDC Gateway: View Static Routing" type="application/vnd.vmware.admin.right+xml"/>

Once added, all these new Rights are available to be assigned to Roles in the Organization. Note that this Organization Administrator Role is specific to the ACME Organization. As a result, the Service Provider and/or the Org. Admin can grant specific Rights to different Roles in a very granular way.

The following screenshot shows you the new Rights available to the Organization.

vCloud Director - Advanced Networking Services

This is the resultant view in the new vCloud Director HTML5 Window:

vCloud Director - SSL VPN

As you can see, SSL VPN-Plus can now be configured by the Organization Administrator.

Looking at a specific Service tab like VPN, we notice that IPsec VPN is present, but L2VPN is not. The reason is that we have only included “Base” Services in the list of Services that this Tenant can consume.

vCloud Director - No L2VPN Option

Let’s imagine that our ACME Tenant wants to leverage the Hybrid Cloud capabilities of vCloud Director, so she decides to buy our L2VPN Service offering.

With a simple API PUT, the Service Provider adds the new Rights to the ACME Organization:

  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/eeb2b2a0-33a1-36d4-a121-6547ad992d59" name="Organization vDC Gateway: Configure L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/105191de-9e29-3495-a917-05fcb5ec1ad0" name="Organization vDC Gateway: View L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
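The whole Rights workflow described above (session creation, GET of the Organization Rights, appending the new RightReference entries, PUT with API version 27.0), as an added Python example that is not part of the original post. It assumes the endpoints and headers shown in the post, embeds a constructed OrgRights sample modelled on the excerpt above, and uses the two L2 VPN Right references just listed; host, credentials and Organization ID are placeholders you supply at run time.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

NS = "http://www.vmware.com/vcloud/v1.5"
ET.register_namespace("", NS)
ET.register_namespace("xsi", "http://www.w3.org/2001/XMLSchema-instance")
RIGHT_TYPE = "application/vnd.vmware.admin.right+xml"

# The two L2 VPN Rights from the post, keyed by name (hrefs as returned by the lab vCD).
L2VPN_RIGHTS = {
    "Organization vDC Gateway: Configure L2 VPN":
        "https://vcd-01a.corp.local/api/admin/right/eeb2b2a0-33a1-36d4-a121-6547ad992d59",
    "Organization vDC Gateway: View L2 VPN":
        "https://vcd-01a.corp.local/api/admin/right/105191de-9e29-3495-a917-05fcb5ec1ad0",
}

# Constructed sample of a GET /api/admin/org/<ORG-ID>/rights response, cut down to two Rights.
SAMPLE_ORG_RIGHTS = """<?xml version="1.0" encoding="UTF-8"?>
<OrgRights xmlns="http://www.vmware.com/vcloud/v1.5" href="https://vcd-01a.corp.local/api/admin/org/e46b03d6-46bc-4c95-94fc-27a6c78737a9/rights" type="application/vnd.vmware.admin.org.rights+xml">
<RightReference href="https://vcd-01a.corp.local/api/admin/right/39ec03d4-440d-32cf-8507-f01acd822540" name="Catalog: Change Owner" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/right/4886663f-ae31-37fc-9a70-3dbe2f24a8c5" name="Catalog: Add vApp from My Cloud" type="application/vnd.vmware.admin.right+xml"/>
</OrgRights>"""

def basic_auth_header(user_at_org: str, password: str) -> str:
    """Authorization header value for POST /api/sessions (username in user@org format)."""
    return "Basic " + base64.b64encode(f"{user_at_org}:{password}".encode()).decode()

def right_names(org_rights_xml: str) -> list:
    """Names of the RightReference entries in an OrgRights document, in order."""
    root = ET.fromstring(org_rights_xml.encode())
    return [r.get("name") for r in root.findall(f"{{{NS}}}RightReference")]

def merge_rights(org_rights_xml: str, new_rights: dict) -> str:
    """Build the PUT body: the saved OrgRights document plus one RightReference per new
    Right not already present (matched on href), so a re-run never adds a Right twice."""
    root = ET.fromstring(org_rights_xml.encode())
    present = {r.get("href") for r in root.findall(f"{{{NS}}}RightReference")}
    for name, href in new_rights.items():
        if href not in present:
            ET.SubElement(root, f"{{{NS}}}RightReference", href=href, name=name, type=RIGHT_TYPE)
    return ET.tostring(root, encoding="unicode")

def vcd_session(host: str, user_at_org: str, password: str) -> str:
    """POST /api/sessions with Basic auth; returns the x-vcloud-authorization token."""
    req = urllib.request.Request(f"https://{host}/api/sessions", method="POST", headers={
        "Accept": "application/*;version=9.0",
        "Authorization": basic_auth_header(user_at_org, password)})
    with urllib.request.urlopen(req) as resp:  # TLS certificate verification stays on
        return resp.headers["x-vcloud-authorization"]

def add_org_rights(host: str, token: str, org_id: str, new_rights: dict) -> int:
    """GET the Organization's current Rights (API 9.0), append the new ones and PUT the
    full list back with API version 27.0; returns the HTTP status code."""
    url = f"https://{host}/api/admin/org/{org_id}/rights"
    get = urllib.request.Request(url, headers={
        "Accept": "application/*;version=9.0", "x-vcloud-authorization": token})
    with urllib.request.urlopen(get) as resp:
        current = resp.read().decode()
    put = urllib.request.Request(url, method="PUT", data=merge_rights(current, new_rights).encode(),
                                 headers={"Accept": "application/*;version=27.0",
                                          "x-vcloud-authorization": token,
                                          "Content-Type": "application/vnd.vmware.admin.rights+xml"})
    with urllib.request.urlopen(put) as resp:
        return resp.status

if __name__ == "__main__":
    # Offline run on the constructed sample; no vCloud Director is contacted.
    print(right_names(merge_rights(SAMPLE_ORG_RIGHTS, L2VPN_RIGHTS)))
```

Because the body sent with the PUT is the Organization’s complete Rights list, merge_rights keeps every saved RightReference and adds only the requested ones, so a Right is never silently dropped or duplicated.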

After the API call, L2VPN is available as a Right for the ACME Organization. In this example, we are adding the Right to the Organization Administrator Role.

vCloud Director - L2VPN Flag available

As a result, our Organization Administrator can now configure L2VPN on its Edge Gateways!

vCloud Director - L2VPN Configuration

Once additional Rights are granted to an Organization, an Organization Administrator can assign these Rights to any new Role added (via API) to the Organization. A possible use case is therefore the creation of a limited Role for a Security/Network Admin, entitled only to create and/or change Network and Security configurations on Edge Gateways but not to interact with vApps.