VMware Cloud on AWS – Let’s create our first VMware SDDC on AWS!

VMware Cloud on AWS quick overview

Edited in January 2018 to align with some changes in the Service.

VMware Cloud on AWS was released two years ago and has received a lot of positive feedback from customers.
There are tons of official and unofficial blog posts out there explaining what the VMware Cloud on AWS service is, the advantages for customers and all the use cases, so I’ll give you just a quick overview:
VMware Cloud on AWS is a unified SDDC platform that integrates VMware vSphere, VMware vSAN and VMware NSX virtualization technologies and provides access to the broad range of AWS services, together with the functionality, elasticity and security customers expect from the AWS Cloud.
It integrates VMware's flagship compute, storage and network virtualization products (vSphere, vSAN and NSX) together with vCenter management, optimized to run on elastic, bare-metal AWS infrastructure.
The result is a turn-key solution that works with both on-premises vSphere-based private clouds and native AWS services.
The service is sold, delivered, operated and supported by VMware, and is delivered over multiple releases with increasing use cases, capabilities and regions.

VMware Cloud on AWS

SDDC Creation Steps

The first step is to connect to the VMware Cloud on AWS console at https://vmc.vmware.com/console/
The landing page provides an overview of the available SDDCs (if any).

VMware Cloud on AWS

Create SDDC

To create a new SDDC, we have to click on the “Create SDDC” button.

SDDC Properties

The SDDC creation wizard starts. We must choose the AWS Region that will host the SDDC, give the SDDC a unique name and select the number of ESXi Hosts the Cluster will be made of. The minimum number of Hosts for a production Cluster is 3. A 1-node Cluster can be created for test and demo purposes; this single-Host Cluster expires after 30 days and can be converted to a full SDDC before it expires. Keep in mind that a single Host has no vSAN redundancy, so it should not hold data you cannot afford to lose.

VMware Cloud on AWS

Stretched Cluster option

When we select Multi-Host for a production deployment, we can choose to have our SDDC (vSphere Cluster) hosted in a single AWS Availability Zone (one subnet) or distributed across two AZs on two different subnets (vSphere Stretched Cluster).

VMware Cloud on AWS

Connect AWS Account

The next step in the wizard is to choose the AWS Account that will be connected to the VMware Cloud account. This lets us choose the VPC and Availability Zone(s) where the SDDC will be hosted, and any native AWS services consumed through this connection are billed to this AWS Account.

VMware Cloud on AWS

Choose VPC and Subnet (Availability Zone)

In the next step we must choose the VPC and Subnet that will host our SDDC.

VMware Cloud on AWS

Management Subnet CIDR

The final step of the wizard is to choose a CIDR for the Management Network. This step is optional and the default can be kept, as long as the chosen CIDR does not overlap with any network that will connect to the SDDC (for example the on-premises network that will reach the SDDC through a VPN or Direct Connect, the connected VPC, or the compute segments you plan to create). The Management CIDR cannot be changed after the SDDC has been deployed, so it is worth checking before clicking deploy. We can now deploy the SDDC.
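The overlap check described above, as an added example in Python (not code from the original post or from VMware). It assumes the service accepts a /16, /20 or /23 Management CIDR and offers 10.2.0.0/16 as the default; the connected networks in the block are constructed sample data, not a real environment.

```python
"""Pre-flight check for the SDDC Management Network CIDR.

Added example, not part of the original post. Assumptions: the service accepts a
/16, /20 or /23 Management CIDR and defaults to 10.2.0.0/16; the connected
networks below are constructed sample data, not a real environment.
"""
import ipaddress

ALLOWED_PREFIXES = (16, 20, 23)          # assumed supported Management CIDR sizes
DEFAULT_MGMT_CIDR = "10.2.0.0/16"        # assumed default offered by the wizard


def check_management_cidr(candidate, connected_networks):
    """Return a list of problems with a proposed Management CIDR (empty list == OK).

    connected_networks maps a label to every CIDR that will be able to reach the
    SDDC: on-premises ranges behind the VPN or Direct Connect, the connected VPC,
    and the compute segments you plan to create inside the SDDC.
    """
    problems = []
    try:
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:            # host bits set or not a valid CIDR at all
        return [f"invalid CIDR {candidate!r}: {exc}"]

    if net.version != 4:
        problems.append("management CIDR must be IPv4")
    if net.prefixlen not in ALLOWED_PREFIXES:
        problems.append(f"/{net.prefixlen} is not one of the allowed sizes {ALLOWED_PREFIXES}")
    if not net.is_private:
        problems.append(f"{net} is not an RFC 1918 range")
    for label, cidr in connected_networks.items():
        other = ipaddress.ip_network(cidr, strict=False)
        if net.version == other.version and net.overlaps(other):
            problems.append(f"overlaps {label} ({other})")
    return problems


# Constructed sample of networks that will be connected to the SDDC.
SAMPLE_CONNECTED = {
    "on-premises datacenter": "10.0.0.0/8",
    "connected VPC": "172.16.0.0/16",
    "planned compute segment": "192.168.1.0/24",
}

if __name__ == "__main__":
    for cidr in (DEFAULT_MGMT_CIDR, "192.168.0.0/20", "172.20.0.0/20"):
        print(cidr, check_management_cidr(cidr, SAMPLE_CONNECTED) or "OK")
```

With the sample networks the wizard default 10.2.0.0/16 is rejected because it sits inside the on-premises 10.0.0.0/8, while 172.20.0.0/20 passes; run the same check against your real address plan before deploying, since the choice is permanent for the life of the SDDC.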

VMware Cloud on AWS

Check SDDC creation progress

The progress window appears. As you can see, our 4-node SDDC will be ready in less than 2 hours!

VMware Cloud on AWS

New SDDC deployed

Once deployed, we’ll be able to see our brand new SDDC under the SDDCs tab in the console.

VMware Cloud on AWS

SDDC details

Clicking on “VIEW DETAILS” we can access the SDDC Summary and all the available options such as adding and removing Hosts from the Cluster or accessing the network configuration.

VMware Cloud on AWS

Add a new Host

Let's add a new Host to our SDDC. It is as simple as clicking on "ADD HOST". If the new Host is only needed to absorb a burst in compute demand, we can remove it when it is no longer needed, and we are charged for the additional capacity only for the time the additional Host existed.

VMware Cloud on AWS

Specify number of Hosts to add

We can specify how many Hosts to add, up to the maximum supported size of 16 Hosts per Cluster.

VMware Cloud on AWS

New Host(s) addition task progress

We’ll see a task in progress for the new Host addition to the Cluster.

VMware Cloud on AWS

Expanded SDDC

After a few minutes, we’ll have our SDDC made of 5 Hosts.

VMware Cloud on AWS

Manage SDDC Networking

Once the SDDC is in place, we need to manage it remotely and configure firewall and NAT rules to publish services. This is done in the Network tab. The first thing shown there is a diagram that highlights the network and security configuration of the SDDC.
Here we can see the Management and Compute Gateway configuration overview and any VPN or firewall rule in place. Both gateways deny traffic by default, so access to vCenter and to the workloads has to be granted explicitly; scope those rules to known source addresses rather than Any.

Management Gateway

Scrolling down we find the Management Gateway section, where we create and manage IPsec VPNs and firewall rules to/from the Management Network.

VMware Cloud on AWS

Compute Gateway

Under the Compute Gateway section we create and manage IPsec VPNs, L2VPNs, firewall rules and NAT to/from the Compute Networks, where our workloads reside.

VMware Cloud on AWS

Direct Connect

The last section under the Network tab is Direct Connect. Here we manage the Virtual Interfaces (VIFs) if a Direct Connect is in place to connect the SDDC with an on-premises or Service Provider hosted environment.

VMware Cloud on AWS

Tech Support real-time CHAT

In the bottom right corner of the console you can always find the Chat button. This is a fantastic feature that enables you to have real-time support from VMware Technical Support.

VMware Cloud on AWS

SDDC Add Ons

In the Add Ons tab we manage the add-ons available with the VMware Cloud on AWS offering: Hybrid Cloud Extension and Site Recovery.
Hybrid Cloud Extension is included in the VMware Cloud on AWS offering and lets us migrate workloads from remote vCenters to the SDDC.
Site Recovery is a paid add-on that enables the SDDC as a Disaster Recovery target for remote vCenters.

VMware Cloud on AWS

SDDC Troubleshooting

The troubleshooting tab gives us a tool to check and validate connectivity for a selected use case.

VMware Cloud on AWS

SDDC Settings

The settings tab provides us the overview of all the main settings for the SDDC.

VMware Cloud on AWS

SDDC Support

The Support tab provides us all the information we should provide to Technical Support when needed.

VMware Cloud on AWS

This concludes the creation of our first SDDC in VMware Cloud on AWS.
In a couple of hours we can have a full-stack VMware SDDC deployed in AWS, letting us respond quickly to use cases such as Disaster Recovery, geographic expansion and global scale, and bursting.
Great stuff!


Self Service NSX Services in vCloud Director

Starting from the 8.20 release, vCloud Director has the capability to offer NSX Advanced Services to Tenants.

In this post, I'll show you how to grant self-service consumption of NSX advanced services to a specific Tenant. This applies to both vCloud Director 8.20.x and the recently announced vCloud Director 9.0.

I'm writing "to a specific Tenant" because a further powerful feature of vCloud Director is that you can grant granular access to NSX Services per Tenant through Role Based Access Control (RBAC). When a new Organization is created and Users are added to it, the Roles granted to Users are cloned from template Roles, so every Organization inherits its own dedicated Roles that you can modify, which lets the Service Provider build a very granular offering.

How it works

In my scenario, I’ve created a new Organization named “ACME” and a User named acmeadmin. I’ve assigned the default “Organization Administrator” role to the user.

Create vCD Session via API

The first step is to create an authentication session with vCloud Director.
We'll use the following Headers:

  • Accept: application/*;version=9.0
  • Authorization: Basic <base64 of username:password>, where the username is in the user@org format (for a System Administrator the org is System)

We’ll make the following API call:

POST https://<vcd-IP>/api/sessions

vCloud Director - Create vCD session via API

The response carries an x-vcloud-authorization header. Its value is the session token we need for the subsequent API calls, so treat it like a password: do not log it and only send it over TLS.

List available Organizations in our vCloud Director instance

Next we list the Organizations in our vCloud Director instance, to find the reference to the one we want to work on, using the following API call:

GET https://<vcd-IP>/api/org

We'll use the following Headers:

  • Accept: application/*;version=9.0
  • Authorization: Basic (username in the user@org format); once the session token is sent this header is no longer required, but the screenshots keep it
  • x-vcloud-authorization: the x-vcloud-authorization value returned by the previous API call

vCloud Director - List available Organizations

The response will give us the list of available Organizations:

vCloud Director - Organization List

We will use the highlighted REST reference to the ACME Organization for our subsequent API calls.

List all the Rights available to the Organization

We'll use the same Headers as the previous call for the next API call. With this call we obtain the list of all the Rights currently available to an Organization; in this case, the Rights available to the ACME Organization.

The API call we’ll make is the following:

GET https://<vcd-IP>/api/admin/org/<ORG-ID>/rights

vCloud Director - List Organization Rights

Save the Response Body: we will reuse it in the following steps, when we add the new Rights, because the update call must resend the complete list.

Here’s an excerpt of the output from the original API call used to list all the Rights available to the Organization:

<?xml version="1.0" encoding="UTF-8"?>
<OrgRights xmlns="http://www.vmware.com/vcloud/v1.5" href="https://vcd-01a.corp.local/api/admin/org/e46b03d6-46bc-4c95-94fc-27a6c78737a9/rights" type="application/vnd.vmware.admin.org.rights+xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.vmware.com/vcloud/v1.5 http://vcd-01a.corp.local/api/v1.5/schema/master.xsd">
<Link rel="edit" href="https://vcd-01a.corp.local/api/admin/org/e46b03d6-46bc-4c95-94fc-27a6c78737a9/rights" type="application/vnd.vmware.admin.org.rights+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/right/39ec03d4-440d-32cf-8507-f01acd822540" name="Catalog: Change Owner" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/right/4886663f-ae31-37fc-9a70-3dbe2f24a8c5" name="Catalog: Add vApp from My Cloud" type="application/vnd.vmware.admin.right+xml"/>

Convert Edge Gateway to Advanced Gateway

The next step is to convert each Edge Gateway in the Organization on which we want to leverage Advanced Networking Services. Note: the conversion enables the new HTML5 User Interface for Networking Services, making it possible for the Tenant to consume them; the Service Provider still has to enable the Services and make them available to the Tenant. In other words, the conversion has nothing to do with the "NSX Advanced Bundle" found in the VMware Cloud Provider Program Product Usage Guide: the guide tells you how much you will be charged if you use a specific service, whereas the conversion technically enables the possibility of consuming the Services. The possibility is enabled, not the consumption.

vCloud Director - Convert Edge Gateway to Advanced

After the conversion, selecting the action "Edge Gateway Services…" brings us to the new HTML5 User Interface.

As you can see, converting the Edge to Advanced mode has not enabled the Organization Administrator to consume NSX Advanced Services. Only the "Base" NSX features (NAT, IPsec VPN, load balancer, etc.) are exposed to the Tenant.

If we look at Roles, Edge Gateway Advanced Services are not shown as available to be assigned (e.g. to Organization Administration Role):

The Service Provider can now grant specific and very granular Rights to the Organization for managing Networking Services. Once added, these Rights can be assigned to Roles in the Organization by the Service Provider (or by the Organization Administrator).

Add Advanced Networking Rights to the Organization

A new set of APIs, provided specifically to manage NSX Services, is available starting from vCloud Director 8.20. These APIs require API version 27.0.

We’ll use the following Headers:

  • Accept: application/*;version=27.0
  • Authorization: Basic (username in the user@org format)
  • x-vcloud-authorization: x-vcloud-authorization field value from the previous API call
  • Content-Type: application/vnd.vmware.admin.rights+xml

And we’ll make the following API call:

PUT https://<vcd-IP>/api/admin/org/<ORG-ID>/rights

The Body of the request is the content saved in the previous step (the response listing the Rights available to the Organization) with the Advanced Networking Services Rights we want to grant appended to it. The PUT replaces the Organization's whole Rights set, so any Right left out of the body is withdrawn from the Organization: always start from the current list rather than sending only the new entries.

vCloud Director - Add Rights to the Organization

You can find the list of available NSX related Rights in the following KB article: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2149016
In the KB you can find a downloadable pre-formatted XML file listing all the Networking Rights, so you can use it as a template to add specific Networking Services Rights to an Organization.

An interesting case is SSL VPN-Plus. Service Providers could always have offered this Service, but in practice they did not, because SSL VPN-Plus was not available in the vCloud Director UI. It is still not available until you convert the Edge Gateway to Advanced and grant the specific Right to the Tenant. It is also worth mentioning that SSL VPN is now available as part of the NSX Base Bundle!

The Rights to add to an Organization to cover the NSX "Base" (a.k.a. vCNS mode) use case are the following:

  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/b080bb50-cff1-3258-9683-842d34255a95" name="Organization vDC Gateway: Configure Services" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/84ddb40f-a49a-35e1-918e-3f11507825d7" name="Organization vDC Gateway: Configure Syslog" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/ff3fc70f-fd25-3c0a-9d90-e7ff82456be5" name="Organization vDC Gateway: Configure System Logging" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801" name="Organization vDC Gateway: Convert to Advanced Networking" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/e90fa73c-3347-3ec7-b407-e25eae2cfe8d" name="Organization vDC Gateway: Create" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/e22e674f-17c3-32cc-ba8a-aecc6733b977" name="Organization vDC Gateway: Delete" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/bc655eb3-964c-335a-b588-167a9a69cd13" name="Organization vDC Gateway: Modify Form Factor" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/6122ae98-30b3-3450-b4d1-e1b935e36fbd" name="Organization vDC Gateway: Update" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/93268d9c-3f30-3924-bc2e-9e42bfe6418c" name="Organization vDC Gateway: Update Properties" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/7e1af410-d811-3056-8593-85e2b1808ad9" name="Organization vDC Gateway: Upgrade" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae" name="Organization vDC Gateway: View" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/be1abe9a-7ddc-38f6-bdf3-94affb01e46b" name="Organization vDC Gateway: Configure DHCP" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/b755b050-772e-3c9c-9197-111c286f563d" name="Organization vDC Gateway: Configure Firewall" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/209cde55-55db-33f1-8357-b27bba6898ed" name="Organization vDC Gateway: Configure IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/27be9828-4ce4-353e-8f68-5cd69260d94c" name="Organization vDC Gateway: Configure Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/c9e19573-3d54-3d4a-98f2-f56e446a8ef9" name="Organization vDC Gateway: Configure NAT" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/72c5e652-c8d7-3f19-ab83-283d30cb679f" name="Organization vDC Gateway: Configure Remote Access" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/92b7d500-6bb6-3176-b9eb-d1fda4ce444d" name="Organization vDC Gateway: Configure SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/f72af304-97b0-379e-9d6d-68eb89bdc6cf" name="Organization vDC Gateway: Configure Static Routing" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/8e16d30d-1ae3-3fff-8d4b-64c342b186a9" name="Organization vDC Gateway: View DHCP" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/7fee6646-ec0c-34c9-9585-aff6f4d92473" name="Organization vDC Gateway: View Firewall" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/82beb471-ab7f-3e2b-a615-136ba6645525" name="Organization vDC Gateway: View IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/2a097e48-f4c4-3714-8b24-552b2d573754" name="Organization vDC Gateway: View Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/fb860afe-2e15-3ca9-96d8-4435d1447732" name="Organization vDC Gateway: View NAT" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/65439584-6aad-3c2c-916f-794099ee85bf" name="Organization vDC Gateway: View Remote Access" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/cdb0edb0-9623-30a8-89de-b133db7cfeab" name="Organization vDC Gateway: View SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/9740be24-4dd7-373c-9237-91896338c11e" name="Organization vDC Gateway: View Static Routing" type="application/vnd.vmware.admin.right+xml"/>
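The whole procedure above (session creation, reading the Organization's Rights, and the PUT that grants new ones) together with the Rights list, as an added example in Python. This is not code from the original post or from VMware: it assumes a vCD 8.20/9.0 endpoint reachable over TLS with a trusted certificate, the lab hostname vcd-01a.corp.local seen in the screenshots, and a System Administrator account. The HTTP helpers need a live vCD; the XML helpers run offline on a constructed OrgRights sample embedded in the block.

```python
"""Grant NSX Edge Gateway Rights to a vCloud Director Organization via the REST API.

Added example (not code from the original post). Assumes a vCD 8.20/9.0 endpoint
reachable over TLS with a trusted certificate, a System Administrator account in
user@org form, and the OrgRights/RightReference XML shape shown in the post.
The HTTP helpers need a live vCD; the XML helpers run offline on constructed data.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
RIGHT_TAG = f"{{{VCLOUD_NS}}}RightReference"
RIGHTS_CT = "application/vnd.vmware.admin.rights+xml"
RIGHT_CT = "application/vnd.vmware.admin.right+xml"
BASE_URL = "https://vcd-01a.corp.local"   # lab hostname from the post; assumed
ET.register_namespace("", VCLOUD_NS)      # keep the default namespace on output
ET.register_namespace("xsi", XSI_NS)


def basic_auth_header(username, password):
    """Authorization header for POST /api/sessions: base64('user@org:password')."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def _request(url, token=None, api_version="27.0", method="GET", body=None, content_type=None):
    """Build a vCD request; Basic credentials are never resent once we hold a token."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Accept", f"application/*;version={api_version}")
    if token:
        req.add_header("x-vcloud-authorization", token)
    if content_type:
        req.add_header("Content-Type", content_type)
    return req


def create_session(base_url, username, password):
    """POST /api/sessions and return the x-vcloud-authorization session token."""
    req = _request(base_url + "/api/sessions", api_version="9.0", method="POST")
    req.add_header("Authorization", basic_auth_header(username, password)["Authorization"])
    with urllib.request.urlopen(req) as resp:     # TLS verification stays enabled
        token = resp.headers.get("x-vcloud-authorization")
    if not token:
        raise RuntimeError("vCD returned no session token")
    return token


def get_org_rights(base_url, token, org_id):
    """GET /api/admin/org/<ORG-ID>/rights (API 27.0) and return the XML body."""
    req = _request(f"{base_url}/api/admin/org/{org_id}/rights", token)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def put_org_rights(base_url, token, org_id, body):
    """PUT the complete Rights set; PUT replaces the list, so omitted Rights are withdrawn."""
    req = _request(f"{base_url}/api/admin/org/{org_id}/rights", token, method="PUT",
                   body=body.encode(), content_type=RIGHTS_CT)
    with urllib.request.urlopen(req) as resp:
        return resp.status


def right_names(org_rights_xml):
    """Names of the RightReference entries in an OrgRights document."""
    return [r.get("name") for r in ET.fromstring(org_rights_xml).iter(RIGHT_TAG)]


def merge_rights(org_rights_xml, new_rights):
    """Return the body to PUT: the existing RightReferences plus new_rights
    (iterable of (href, name) pairs), skipping any href already granted."""
    root = ET.fromstring(org_rights_xml)
    present = {r.get("href") for r in root.iter(RIGHT_TAG)}
    for href, name in new_rights:
        if href not in present:
            ET.SubElement(root, RIGHT_TAG, href=href, name=name, type=RIGHT_CT)
            present.add(href)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


# Constructed sample: the GET response shape from the post, trimmed to two existing Rights.
ORG_ID = "e46b03d6-46bc-4c95-94fc-27a6c78737a9"
SAMPLE_ORG_RIGHTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<OrgRights xmlns="{VCLOUD_NS}" xmlns:xsi="{XSI_NS}" href="{BASE_URL}/api/admin/org/{ORG_ID}/rights" type="{RIGHTS_CT}">
<RightReference href="{BASE_URL}/api/admin/right/39ec03d4-440d-32cf-8507-f01acd822540" name="Catalog: Change Owner" type="{RIGHT_CT}"/>
<RightReference href="{BASE_URL}/api/admin/right/4886663f-ae31-37fc-9a70-3dbe2f24a8c5" name="Catalog: Add vApp from My Cloud" type="{RIGHT_CT}"/>
</OrgRights>"""

# The two SSL VPN Rights from the post's list.
SSL_VPN_RIGHTS = [
    (f"{BASE_URL}/api/admin/right/92b7d500-6bb6-3176-b9eb-d1fda4ce444d", "Organization vDC Gateway: Configure SSL VPN"),
    (f"{BASE_URL}/api/admin/right/cdb0edb0-9623-30a8-89de-b133db7cfeab", "Organization vDC Gateway: View SSL VPN"),
]

if __name__ == "__main__":
    # Live run: token = create_session(BASE_URL, "administrator@System", "<password>")
    #           body = merge_rights(get_org_rights(BASE_URL, token, ORG_ID), SSL_VPN_RIGHTS)
    #           put_org_rights(BASE_URL, token, ORG_ID, body)
    print(right_names(merge_rights(SAMPLE_ORG_RIGHTS, SSL_VPN_RIGHTS)))
```

Only the session call carries the Basic credentials; every later call authenticates with the session token alone. merge_rights always builds the PUT body from the current Rights list and de-duplicates by href, so re-running it cannot silently withdraw Rights or add the same one twice.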

Once added, these new Rights can be assigned to Roles in the Organization. Note that the Organization Administrator Role shown here is specific to the ACME Organization (Roles are cloned per Organization), so the Service Provider and/or the Org Admin can grant specific Rights to different Roles in a very granular way.

The following screenshot shows you the new Rights available to the Organization.

vCloud Director - Advanced Networking Services

This is the resultant view in the new vCloud Director HTML5 Window:

vCloud Director - SSL VPN

As you can see, SSL VPN-Plus can now be configured by the Organization Administrator.

Looking at a specific Service tab such as VPN, we notice that IPsec VPN is present but L2VPN is not, because we have only included "Base" Services in the list of Services this Tenant can consume.

vCloud Director - No L2VPN Option

Let's imagine that our ACME Tenant wants to leverage the Hybrid Cloud capabilities of vCloud Director and therefore buys our L2VPN Service offering.

With a single API PUT (again sending the full current Rights list plus the new entries), the Service Provider adds the new Rights to the ACME Organization:

  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/eeb2b2a0-33a1-36d4-a121-6547ad992d59" name="Organization vDC Gateway: Configure L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
  • <RightReference href="https://vcd-01a.corp.local/api/admin/right/105191de-9e29-3495-a917-05fcb5ec1ad0" name="Organization vDC Gateway: View L2 VPN" type="application/vnd.vmware.admin.right+xml"/>

After the API call, L2VPN is available as a Right for the ACME Organization. In this example, we add the Right to the Organization Administrator Role.

vCloud Director - L2VPN Flag available

As a result, our Organization Administrator can now configure L2VPN on its Edge Gateways!

vCloud Director - L2VPN Configuration

Once additional Rights are granted to an Organization, an Organization Administrator can assign them to new Roles added (via API) to the Organization. A possible use case is a limited Role for a Security/Network Admin, entitled only to create and/or change Network and Security configurations on Edge Gateways and not to interact with vApps: least privilege applied at Tenant level.