PowerCLI

Common PowerCLI examples for VM Provisioning in VMware Cloud on AWS

02/07/2019 by William Lam Leave a Comment

One of the huge benefits of VMware Cloud on AWS (VMC) is not only the ability to extend your existing on-premises environment and tap into the potentially unlimited capacity of the Cloud, but customers can continue to use the existing tools and scripts that they are already familiar with. When it comes to Automation, PowerCLI is still by far the most popular tool that our customers uses on a regular basis. With VMC, this is no different as the SDDC is simply made up of vSphere, vSAN and NSX which PowerCLI fully supports.

One learning curve that I have seen for some customers when working with VMC is around general provisioning and the implication of the restrictive permission model in VMC. Unlike your on-premises vSphere environment, in VMC, you are no longer running as a vSphere Administrator but rather a Cloud Administrator. This simply means you no longer have to worry about managing the underlying infrastructure (patch, upgrade, monitor, etc) and you get to focus deploying and managing your workloads.

What this technically translates to is that you are restricted to a particular part of the vSphere Inventory where you have permissions to actually deploy workloads. This is to help isolate your workloads and ensure that you do not negatively impact the VMware Management VMs by accident and thus affecting your SDDC.

From the Hosts/Clusters view, you must use the Compute-ResourcePool
From the VM view, you must use the Workloads Folder
From the Datastore view, you must use the WorkloadDatastore

When using the vSphere UI to deploy new workloads, the UI does a really good job of guiding you towards the right inventory objects, but this may not always be apparent when using the CLI or API, especially for new folks or folks who never use the UI 😉

Using NSX-T Policy API to retrieve the Routing Table in VMC

02/04/2019 by William Lam Leave a Comment

When configuring connectivity from your on-premises environment to your VMware Cloud on AWS (VMC) NSX-T SDDC, you can either use a Direct Connect (DX) or a Route/Policy-based VPN. During the configuration, it can really be useful to have insights into the network routing table, especially if you need to verify a specific route or for general network debugging. Today, the NSX-T routing table in VMC is not currently available in the Network and Security UI, however this information can be retrieved using the NSX-T Policy API, which I have written about quite extensively here, here, here and here.

The NSX-T routing table can be retrieved by performing a GET operation on /policy/api/v1/infra/tier-0s/vmc/routing-table?enforcement_point_path=/infra/deployment-zones/default/enforcement-points/vmc-enforcementpoint By default, you will get the entire routing table, but you also filter out specific route sources such as BGP, Static or Connected routes by appending the following query parameter to the request URL ?route_source={BGP,CONNECTED,STATIC}

To demonstrate how this API works, I have created a new function in my VMC NSX-T PowerShell Module as well as a quick shell script sample using cURL.

For PowerShell/PowerCLI users, I have a new Get-NSXTRouteTable function which will list the entire routing table by default as shown in the screenshot below.

You can also filter on a specific route source such as BGP, CONNECTED or STATIC routes by simply providing the -RouteSource argument and the route source type. In the screenshot below, I am only interested in the BGP routes.

Here is the output when running the list_vmc_nsxt_route_table.sh script which requires a valid CSP Refresh Token, OrgId and SDDCId

Automating Customer Experience Improvement Program (CEIP) configuration using vSphere API and PowerCLI

01/24/2019 by William Lam 2 Comments

After publishing my recent article on the new the vSphere Health capability which takes advantage of VMware's Customer Experience Improvement Program (CEIP), I had a couple of folks reach out asking how their customers could check whether CEIP is enabled for a given vCenter Server and if not, how to enable it using Automation. For one of these customers, they had over 25+ vCenter Server, so they were not interested in doing this by hand and nor should they.

For those interested in the vSphere UI, the CEIP settings is configured in the Administration menu under the Deployment section as shown in the screenshot below.

We can also manage the CEIP settings programmatically using vSphere API and this is controlled by an Advanced vCenter Server setting called VirtualCenter.DataCollector.ConsentData. The value of this property is actually a JSON payload as you can see in the screenshot below and when updating this property, we need to update both the change version as well as whether we want CEIP enabled or disabled for a given vCenter Server.

New VMC API to rename SDDC

01/12/2019 by William Lam Leave a Comment

A commonly requested feature in VMware Cloud on AWS (VMC) is the ability to rename an SDDC. Currently, it is not possible to rename an SDDC after it has been deployed. On Friday, an update was made to the VMC Service to introduce a new VMC API (Tech Preview) that will allow customers to rename their SDDC. The API is just the first step and our UI folks are already working on adding this natively to the VMC UI which I actually got a sneak peak of just a few days ago.

UPDATE (02/11/19) - The ability to rename an SDDC is now also available within the VMC Console UI, so you can use either UI or API to perform this operation.

The new SDDC rename API is very straight forward to use, you simply perform a PATCH operation the specific SDDC /orgs/{orgID}/sddcs/{sddcID} which includes a payload containing the updated name. Below are three ways in which you can easily rename your SDDC, including a UI method for those that want to quickly rename an SDDC and not have to write a single line of code.

Instant Clone Microsoft Windows & VM Keystroke VMworld demo and code posted

01/08/2019 by William Lam 1 Comment

Apologies for the delay in getting my VMworld 2018 demo and code posted online, I know a number of you have been asking about the Windows Instant Clone samples to get an idea on how to create your own customization scripts for managing more "recent" Microsoft Windows releases 😉 and perhaps you might even consider submitting a pull request to share with the community. I have posted both the videos and code samples below. Enjoy and happy Automating!

Instant Clone Microsoft Windows

To demonstrate the power of the newly re-architected Instant Clone feature in vSphere 6.7 and to help make the point clear that the Instant Clone feature is really Guest Operating System agnostic, meaning you can Instant Clone any to Virtual Machine that can run VMware Tools, I thought it would be fun to see how old of a Microsoft OS that I could Instant Clone. After a bit of trial/error, that turned out to be Windows 98 and Windows 2000 🙂

Windows 98 Demo

Windows 2000 Demo

Managing Distributed Firewall Rules in VMC using PowerShell & NSX-T Policy API

01/04/2019 by William Lam Leave a Comment

Back in November 2018, VMware Cloud on AWS (VMC) SDDC 1.5 Patch 1 was released and it was one of the most highly anticipated release by our customers. Although this was a "patch" release, it included a ton of new features and also brought the full power of the NSX-T platform to VMC as a generally available feature!

With NSX-T, customers also now have access to the highly requested Distributed Firewall (DFW) capability which enables granular control over East-West traffic between application workloads. In addition to enabling micro-segmentation in VMC, customers can now easily manage DFW rules using a number of grouping constructs (Tags, Virtual Machines & Conditional Statements) to create dynamic policies which follow their workloads.

Customers can configure DFW (as well as Edge Firewall) rules using the VMC Console UI but many of you have been asking for an automated method, especially if you need to create a large number of policies for more than a couple of workloads. After returning from the holiday, I spent the last couple of days updating my NSX-T Policy PowerShell Module which now includes basic support for managing DFW. For those of you who are new to using the NSX-T Policy API and PowerCLI, be sure to give these two articles a read here and here before proceeding further.