HLM

Can I assign my Active Directory users a non-CloudAdmin vCenter Server role in VMC?

10/08/2018 by William Lam Leave a Comment

In VMware Cloud on AWS (VMC), when a user is logged into vCenter Server, they are not running as the Administrator role like you might in an on-prem vSphere environment but rather a restrictive vCenter role called CloudAdmin. The reason for this is that VMware is responsible for managing the infrastructure, including the management software and we want to make sure customers do not accidentally make changes that could affect those operations. More importantly, with VMC being a service, customers can now focus their attention on the consumption of resources in VMC and leave the maintenance of the infrastructure for VMware to manage.

Note: For those interested, you can find the complete list of vCenter privileges for the CloudAdmin role here.

The ability to create and consume custom vCenter roles has been an extremely powerful capability of vCenter Server and although this is currently not possible in VMC, it is something that is actively being worked on. With that said, many of the requests that I have seen in regards to this topic has actually been about consuming some of the default vCenter roles. This is especially true for the "Read Only" role which is useful for auditing and monitoring purposes. As a CloudAdmin user, you can assign default vCenter roles that either have equal or lesser privileges than the CloudAdmin role which also includes the default "Read Only" vCenter role.

Enhancements to Hybrid Linked Mode (HLM) in VMC using the new vCenter Cloud Gateway

10/04/2018 by William Lam Leave a Comment

It has been almost a year since VMware introduced the Hybrid Linked Mode (HLM) capability, which provides customers with a consistent operating experience for managing and consuming resources from both their on-premises and VMware Cloud on AWS (VMC) environments. Feedback from customers on HLM has been fantastic, especially when new or prospective VMC customers learn about HLM for the very first time. Customers were pleasantly surprised at how seamless the experience was when consuming VMC resources, using a familiar interface, the vSphere UI.

Here is a quick recap of what HLM provides today:

HLM allows customers to link a single VMC instance to a single on-prem SSO Domain which can contain one or more vCenter Servers (Enhanced Linked Mode) while maintaining separate administrative domains (e.g. on-prem user is Administrator while VMC user is CloudAdmin only)
SSO Domains will be different between on-prem and VMC, however it is a 1:1 relationship
A trust is established where the on-prem vCenter Server trusts the incoming connections from VMC as they share the same Active Directory identity source. Data is sync'ed uni-directionally from on-prem to VMC
Can be configured at any point in the on-prem vCenter Server lifecycle, no restrictions to initial install and can easily be un-linked unlike ELM
Both Embedded & External vCenter Server deployments are supported
HLM supports different versions of vCenter Server between on-prem (6.5d+) and VMC, especially as VMC will almost always run a newer version of vSphere
Users MUST login to VMC vCenter Server for single-pane of glass management (H5 Client supported only), logging into on-prem vCenter Server will NOT show VMC vCenter Server
Roles are NOT replicated due to the restrictive access model in VMC

Enhanced Linked Mode (ELM) vs Hybrid Linked Mode (HLM)

09/25/2017 by William Lam 2 Comments

In the last few weeks, albeit due to VMworld, I have seen a large number of inquiries from customers regarding the existing vCenter Enhanced Linked Mode (ELM) as it compares to the newly announced Hybrid Linked Mode (HLM) feature. In some cases, certain assumptions were being made based on what was initially announced and I think that also led to some confusion on what the future holds for both of these capabilities. Hopefully with this article, I can help clarify the differences between ELM and HLM and their respective use cases. I will also quickly touch upon some of the future thinkings for both of these features as they were discussed at several VMworld Sessions both in the US and Europe.

Disclaimer: Hopefully folks are familiar with the standard VMworld Disclaimer slide that is shown before any session which states features are subject to change and must not be included in contracts, purchase orders or sales agreement of any kind. I am sure many of you have memorized it by now, but this is a good time to re-iterate that point, especially as we talk about futures 🙂

Current

Lets start off by reviewing what we have today and explaining the differences between ELM and HLM.