vSphere Web Client

Creating vCenter Alarms based on Task Events such as Folder creation

02/11/2019 by William Lam 6 Comments

The vCenter Server Events sub-system is an incredibly rich and powerful interface that enables customers to monitor, alert and even trigger additional actions based on a particular event. One such example that I have written about before is to key off of a VM provisioned event and automatically apply security hardening settings when the VM is created or cloned. This can be useful if customers are not taking advantage of VM Templates or if a VI Admins manually creates a VM from scratch, you can still ensure you have a compliant VM deployment through the use of Automation. You can either poll for the VM created event and then execute a script as shown in this example or you can automatically trigger a remote action by generating an SNMP trap when the event actually occurs.

The possibilities are truly endless on what you can do with vCenter Events and for the complete list of all Event types, you can refer to the vSphere API documentation here. One thing to be aware of is that not every operation within vCenter Server generates an Event, one example of this is when a Folder object is created or deleted. You can use vCenter Server Tasks sub-system to query for this info but there is not a respective vCenter Event that you can key off of to generate an Alarm for example. This was something I had noticed myself and assumed it was a limitation of the platform or feature teams that publish VC Events.

Recently, this question came up again from a customer who was looking for a way to trigger an alarm every time a VM Folder was created. I took another look at this and came to learn about a more generic type of Event that can be used to create an Alarm for such use cases where a native VC Event may not exists called a Task Event.

Automating Customer Experience Improvement Program (CEIP) configuration using vSphere API and PowerCLI

01/24/2019 by William Lam 2 Comments

After publishing my recent article on the new the vSphere Health capability which takes advantage of VMware's Customer Experience Improvement Program (CEIP), I had a couple of folks reach out asking how their customers could check whether CEIP is enabled for a given vCenter Server and if not, how to enable it using Automation. For one of these customers, they had over 25+ vCenter Server, so they were not interested in doing this by hand and nor should they.

For those interested in the vSphere UI, the CEIP settings is configured in the Administration menu under the Deployment section as shown in the screenshot below.

We can also manage the CEIP settings programmatically using vSphere API and this is controlled by an Advanced vCenter Server setting called VirtualCenter.DataCollector.ConsentData. The value of this property is actually a JSON payload as you can see in the screenshot below and when updating this property, we need to update both the change version as well as whether we want CEIP enabled or disabled for a given vCenter Server.

Dynamic vSphere Health Checks in vSphere 6.7+

01/22/2019 by William Lam 11 Comments

One really neat feature of the vSphere HTML5 Client that was shipped in vSphere 6.7 is the ability to deliver new data applications that can run in the vSphere UI without requiring customers to update or upgrade their underlying vCenter Server. An example of this is the vSphere Health Check plugin that was included in vSphere 6.7, which I am guessing most folks probably did not even notice, including myself. The vSphere Health plugin is located at the vCenter Server level and under Monitor->Health as shown in the screenshot below.

Unlike a traditional vSphere Plugin, where the code and business logic is local to the vCenter Server and must be updated each time for new functionality, these data applications are actually delivered automatically and more importantly, out-of-band to a vCenter Server patch or upgrade. This means as new functionality is added, customers will automatically get the latest updates without having to do anything. So how does this actually work?

How to change the default CPU and Memory requirements for deploying the VMC vCenter Cloud Gateway

01/13/2019 by William Lam 1 Comment

When deploying the VMware Cloud on AWS (VMC) vCenter Cloud Gateway (VCG), there is a minimum amount of vCPU and memory that is required for deployment. For customers who wish to evaluate this solution for non-production usage, such as a lab environment, it would be nice to be able to reduce the requirements purely for testing purposes. Today, the vCPU and Memory is not configurable and is currently encoded within a JSON configuration file as well as the VCG OVA. The fact that this is not part of the installer itself but within the OVA means we can actually change the default 🙂 Below are the instructions for updating the vCPU and Memory requirements for the VCG.

Step 1 - Download the VCG ISO from MyVMware and extract the ISO.

Can I assign my Active Directory users a non-CloudAdmin vCenter Server role in VMC?

10/08/2018 by William Lam Leave a Comment

In VMware Cloud on AWS (VMC), when a user is logged into vCenter Server, they are not running as the Administrator role like you might in an on-prem vSphere environment but rather a restrictive vCenter role called CloudAdmin. The reason for this is that VMware is responsible for managing the infrastructure, including the management software and we want to make sure customers do not accidentally make changes that could affect those operations. More importantly, with VMC being a service, customers can now focus their attention on the consumption of resources in VMC and leave the maintenance of the infrastructure for VMware to manage.

Note: For those interested, you can find the complete list of vCenter privileges for the CloudAdmin role here.

The ability to create and consume custom vCenter roles has been an extremely powerful capability of vCenter Server and although this is currently not possible in VMC, it is something that is actively being worked on. With that said, many of the requests that I have seen in regards to this topic has actually been about consuming some of the default vCenter roles. This is especially true for the "Read Only" role which is useful for auditing and monitoring purposes. As a CloudAdmin user, you can assign default vCenter roles that either have equal or lesser privileges than the CloudAdmin role which also includes the default "Read Only" vCenter role.

Enhancements to Hybrid Linked Mode (HLM) in VMC using the new vCenter Cloud Gateway

10/04/2018 by William Lam Leave a Comment

It has been almost a year since VMware introduced the Hybrid Linked Mode (HLM) capability, which provides customers with a consistent operating experience for managing and consuming resources from both their on-premises and VMware Cloud on AWS (VMC) environments. Feedback from customers on HLM has been fantastic, especially when new or prospective VMC customers learn about HLM for the very first time. Customers were pleasantly surprised at how seamless the experience was when consuming VMC resources, using a familiar interface, the vSphere UI.

Here is a quick recap of what HLM provides today:

HLM allows customers to link a single VMC instance to a single on-prem SSO Domain which can contain one or more vCenter Servers (Enhanced Linked Mode) while maintaining separate administrative domains (e.g. on-prem user is Administrator while VMC user is CloudAdmin only)
SSO Domains will be different between on-prem and VMC, however it is a 1:1 relationship
A trust is established where the on-prem vCenter Server trusts the incoming connections from VMC as they share the same Active Directory identity source. Data is sync'ed uni-directionally from on-prem to VMC
Can be configured at any point in the on-prem vCenter Server lifecycle, no restrictions to initial install and can easily be un-linked unlike ELM
Both Embedded & External vCenter Server deployments are supported
HLM supports different versions of vCenter Server between on-prem (6.5d+) and VMC, especially as VMC will almost always run a newer version of vSphere
Users MUST login to VMC vCenter Server for single-pane of glass management (H5 Client supported only), logging into on-prem vCenter Server will NOT show VMC vCenter Server
Roles are NOT replicated due to the restrictive access model in VMC