PowerCLI

Automating the creation of NSX-T “Disconnected” Segments for DR testing on VMware Cloud on AWS

03/05/2020 by William Lam 1 Comment

Disaster Recovery (DR) and Disaster Avoidance (DA) on VMware Cloud on AWS is still one of the most popular use case amongst our customers, just second to Datacenter Migration and Evacuation. The VMware Site Recovery service makes it extremely easy and cost effective for customers to protect their critical workloads without having to worry about the underlying infrastructure. Most often, the biggest cost of having a dedicated DR site is the on-going operational and maintenance cost of that infrastructure.

Most recently I have seen several requests come in where customers were looking to streamline their DR testing which is fantastic to hear. Just having a DR solution is not enough, you actually need to exercise it and verify that your workloads and applications are functioning as expected. Today, customers can verify that their applications are functioning as expected by creating NSX-T network segments that are "Disconnected" and then using a VM-based router to provide internal connectivity between these isolated environments.

Here is a screenshot of the VMware Cloud console and under the Networking & Security tab, when creating a new segment you can specify whether the segment is "Connected" (Routed) or "Disconnected".

Obviously, the NSX-T UI is just one way of creating a segment. In fact, most customers that have asked about this is wanting to do this via Automation which not only brings speed to testing but also consistency! With that, I have updated my NSX-T PowerShell Community Module for VMC to include two new updates. If you have never used this VMC module before, please take a look at the Getting Started guide here.

Using PowerCLI to automate the retrieval of VCSA Identity Sources

03/02/2020 by William Lam 3 Comments

Similiar to automating the retrieval of the vCenter Server Appliance (VCSA) password policies using PowerCLI, we can extend that example and leverage the Guest Operations API via Invoke-VMScript cmdlet to also retrieve the identity sources configured for a given VCSA without requiring SSH access.

I have created a new VCSA.psm1 PowerCLI Module which now includes the previous Get-VCSAPasswordPolicy function along with the new Get-VCSAIdentitySource function which accepts the name of the VCSA VM and root password to the VM as shown in the screenshot below.

If you need to add a specific Identity Source such as an Active Directory Domain which you have joined the VCSA, you can simply use Invoke-VMScript cmdlet and pass in the following command:

/opt/vmware/bin/sso-config.sh -add_identity_source -type nativead -domain vmware.corp

How to automate the creation multiple routable VLANs on single L2 network using VyOS

02/12/2020 by William Lam 4 Comments

My personal homelab has a very simple network topology, everything is connected to a single flat network. This has served me well over the years, but sometimes it can prevent me from deploying more complex scenarios. Most recently while working with NSX-T and Project Pacific, I had a need for additional VLANs which my home router does not support. There are a number of software solutions that can be used including the popular pfSense, which I have used before.

Over the Winter break, a colleague introduced me to VyOS, which is another popular software firewall and router solution. I had not heard of VyOS before but later realized it was derived from Vyatta, which I had heard of, but development of that solution had stopped and VyOS is now the open source version of that software. Having never played with VyoS before, I thought this might be a good learning opopournity and started to dabble with VyOS over the holiday. At a high level, I have VyOS connected to two networks: Outside network as VyOS refers which is your local LAN and Inside network as VyOS refers which is an is an isolated vSphere Portgroup (VSS/VDS) that is not connected to anything and configured to pass all traffic (4095). From here, you can create multiple VLANs in VyOS which can then be untagged using Virtual Guest Tagging (VGT) by placing a Nested ESXi VM on the same isolated portgroup and then creating the respective portgroups within the Nested ESXi VM mapping to the VyOS VLANs you have created.

One of the nice benefits of this solution is that you can create multiple "Isolated" yet routable networks that can still reach your primary LAN network and still have to access core infrastructure services running like Active Directory, DNS, etc. which was one of my requirements. After figuring out how VyOS works and applying that to my specific use case, I thought why not build some basic automation to setup this solution as I probably will forget how I setup everything. Initially I was using the VyOS OVA but later found out it was an extremely out of date there was no public version of the latest VyOS release in OVA form. I decided to use their latest rolling release and apply some vSphere API Automation to not only install VyOS but also fully configure based on template containing VyOS commands. I know the latest version of VyOS now includes a REST API but its a bit of a chicken/egg to enable and not very friendly to use compared to the solution I have built.

Listing all Events for vCenter Server

12/16/2019 by William Lam 2 Comments

I had a conversation with one of our VMware Cloud on AWS field leaders a couple of weeks ago at reInvent on his initial experience with the vCenter Event Broker Appliance (VEBA) Fling. There were lots great feedback but one thing that stood out to me which looks to have been a barrier to getting started was being able to figure out a specific vCenter Event and its respective identifier. Although the list of "default" vCenter Events are documented in the vSphere API, it is definitely not the first place most folks would go to look nor is it very intuitive to browse.

To be honest, this is not a unique ask for VEBA. I have also seen this requests come up from customers who are automating vCenter Alarms, which can also be based off of vCenter Events and the same question has come up on before. One challenge with such a request is that the number and the types of vCenter Events will vary from customer to customer depending on the number of 2nd and 3rd party solutions deployed, not to mention it will also vary from version to version. In addition, as a customer, you can also publish your own custom Events into vCenter Server which makes this difficult to provide a single list that would cover all possible scenarios.

Ultimately, this ask is completely valid and I started to look at the vSphere API to see if there was something that could help. It did not take look before I stumbled onto the EventDescription which is part of the EventManager, which provides a nice registry for all currently registered vCenter Events. Time for some Automation 🙂

Configure NSX-T Enhanced Data path / Network Stack (ENS) for Nested ESXi

12/10/2019 by William Lam Leave a Comment

After publishing my Running Nested ESXi, NSX-V or NSX-T on top of NSX-T article which actually turned out to be quite popular, I received an interesting question on whether ENS for NSX-T could also be configured within a Nested ESXi deployment? I was a little familiar with ENS, which I will explain in a second. However, I was not completely sure about the benefits of running ENS in a Nested environment.

With the help from my friend Frank Escaros-Buechsel, who actually works in our NFV group at VMware. Frank helped validate the instructions but he also provided some additional insights on why this could be useful in a lab setup for verifying configuration and behaviors when additional tuning maybe required. If you are NOT running NFV-based workloads, ENS is not something you need to configure when running NSX-T using Nested ESXi.

So what is ENS? Enhanced Network Stack (ENS) also referred to as Enhanced Data Path is an NSX-T capability which was first introduced with NSX-T 2.3. ENS is specifically designed for Network Function Virtualization (NFV) workloads that require a high performance data path. Such workloads include Telco, 5G and IoT based deployments where improved packet throughput is critical for the responsiveness of these applications.

Customizing vCenter Alarm Email Subject and Body

11/20/2019 by William Lam 1 Comment

One of the automated actions that can be configured when a vCenter Server Alarm is triggered is to send an email notification. Over the years, I have seen a number of requests and questions about customizing the email and whether an email template exists. I personally have not used this feature much which has been around since the introduction of vCenter Server and mainly because I have always worked in an environment where we had dedicated monitoring tools that provide notifications including emails.

Most recently, I noticed an increase number of questions around this topic and I was curious on whether a solution exists today or if this is still a gap today? A quick Google search landed me on this 2013 VMTN thread which included several workarounds that customers have found. However, the only viable "supported" and "persisted" option at the time within that thread was to use the vSphere API/PowerCLI to customize the alarm action.

While going through this exercise myself, I found that our vSphere UI has had some enhancements since that 2013 thread and I thought it was worth sharing an update in 2019 on how customers can customize both the email subject and body for vCenter Alarms. One thing to note is that there is no generic email template that can be edited, the email customizations are applied on a per-Alarm action basis and this is applicable for both vCenter Server running in a traditional on-premises environment as well as for VMware Cloud on AWS or Dell EMC.