VMC

Auditing detailed operations within VMware Cloud on AWS using the Activity Log API

06/29/2018 by William Lam Leave a Comment

All operations (UI or API) that occurs within VMware Cloud AWS (VMC), including but not limited to SDDC creation, deletion, updates, network configurations, user authorization/access, etc. is all captured as part of the Activity Log in the VMC Console. Within the Activity Log, customers will be able view the type of operation, the time the operation occurred, the applicable SDDC as well the user of the operation and all of these fields can be filtered out further.

The UI is great for quickly looking up quick changes, however for customers who require auditing level logging, this may not be sufficient. This was actually a question that I had received from a customer who was interested in getting more details but also a way to send this information back to their on-premises environment for auditing purposes. Luckily, the Activity Log actually stores a lot more information than what is shown in the UI and all of this data is available through the VMC API.

All entries are scoped within a VMC Organization and you can use the following APIs to retrieve all activities or a specific activity given the VMC Task Id:

GET /orgs/{org}/tasks - List all tasks for organization
GET /orgs/{org}/tasks/{task} - Get task details

OVFTool and VMware Cloud on AWS

06/18/2018 by William Lam 1 Comment

Recently, I had noticed a number of questions that have come up regarding the use of OVFTool with the VMware Cloud on AWS (VMC) service. I had a chance to take a look at this last Friday and I can confirm that customers can indeed use this tool to import/export VMs into VMC whether they are from a vSphere/vCloud Director-based environment or simply OVF/OVAs you have on your desktop. Outlined below are the requirements and steps that you must have setup before you can use OVFTool with VMC. In addition, I have also include an OVFTool command snippet which you can use and adapt in your own environment.

Requirements:

You must setup VPN connection between your onPrem environment and the Management Gateway on VMC (direct internet access to ESXi is not supported)
Configure the VMC Firewall to allow access between your onPrem and VMC's ESXi host on port 443 (data transfer occurs at ESXi host level)
Specify the Workload VM Folder as a target
Specify the Compute-ResourcePool Resource Pool as a target
Specify the WorkloadDatastore Datastore as a target

Instructions:

Step 1 - Create a Management VPN connection, please see the official documentation here for more details.

Step 2 - Create a two new Firewall Rules that allow traffic from your onPrem environment to both vCenter Server and ESXi host on port 443. vCenter Server will obviously be used for UI/API access and for ESXi, this is where the data traffic transfer will take place.

Step 3 - Construct your OVFTool command-line arguments and ensure you are using the VM Folder "Workloads", Resource Pool "Compute-ResourcePool" and Datastore "WorkloadDatastore" as your target destination since the CloudAdmin user will have restrictive privileges within VMC.

Here is an example command to upload an OVA from my desktop to the VMC vCenter Server:

ovftool.exe `
--acceptAllEulas `
--name=William-To-The-Cloud `
--datastore=WorkloadDatastore `
--net:None=sddc-cgw-network-1 `
--vmFolder=Workloads `
C:\Users\primp\desktop\William.ova `
'vi://cloudadmin@vmc.local:FillInYourOwnPassword@vcenter.sddc-A-B-C-C.vmc.vmware.com/SDDC-Datacenter/host/Cluster-1/Resources/Compute-ResourcePool/'

ovftool.exe `

--acceptAllEulas `

--name=William-To-The-Cloud `

--datastore=WorkloadDatastore `

--net:None=sddc-cgw-network-1 `

--vmFolder=Workloads `

C:\Users\primp\desktop\William.ova `

'vi://cloudadmin@vmc.local:FillInYourOwnPassword@vcenter.sddc-A-B-C-C.vmc.vmware.com/SDDC-Datacenter/host/Cluster-1/Resources/Compute-ResourcePool/'

Note: OVFTool also supports the ability to specify a VM that is residing in your vSphere environment as a source, so you do not have to export it locally to your desktop and you can directly transfer it (your client desktop acting as a proxy) to VMC.

Here is the output from running the above command:

Once the upload has completed, you should see your new VM appear in your vSphere Inventory

VPN Configuration to VMware Cloud on AWS using pfSense

10/10/2017 by William Lam 1 Comment

Provisioning a new SDDC on VMware Cloud on AWS (VMC) is not an operation that I perform on a regular basis. Usually, one of the first tasks after a new SDDC deployment is setting up a VPN connection between your on-premises datacenter and your VMC environment. Given this is not a frequent activity, I always forget the specific configurations required for my particular VPN solution and figure I would document this for myself in the future as well as anyone else who might also have a simliar setup.

Since the VMC Gateways are just NSX-v Edges, any VPN solution that supports the NSX-v configurations will also work with VMC. In my environment, I am using pfSense which is a popular and free security Virtual Appliance that many folks run in their VMware home lab. Before getting started, it is also important to note that there are two gateway endpoints that you can setup separate VPN connections to. The first is the Management Gateway which provides access to the management infrastructure such vCenter Server, NSX and ESXi hosts and the second is the Compute Gateway which provide access to the VM workloads running within VMC. Since the instructions are exactly the same for setting up the VPN for either gateways, I am just going over the Management Gateway configuration and where applicable, I will note the minor differences.

Step 1 - Login to the VMC Portal (vmc.vmware.com) and select one of your deployed SDDCs. Click on the Network tab and you should be taken to a page like the one shown in the screenshot below. Here is where you will be applying your VPN configuration from the VMC side. Start off by making a note of the public IP Address for the Management Gateway (highlighted in yellow), this will needed when configuring the VPN configuration on the on-prem side. It is probably a good idea to also note down the Compute Gateway IP Address if you plan on configuring that as well.

VMworld Hackathon Hardware/Software BOM

10/03/2017 by William Lam 7 Comments

I know many of you have been asking about the hardware setup that we had used in this years VMworld Hackathon. I finally got a chance to document the details and you can find the complete hardware and software BOM below. For VMworld US, we had two different HW configurations, one for the primary Hackathon which was also re-used for VMworld Europe but we also had another configuration for the Hackathon Training sessions which was new this year. For VMworld Europe, we re-used the primary Hackathon hardware, but we also had the opportunity to take advantage of the new VMware Cloud on AWS offering and built a similiar configuration that teams could also remotely connect to as well. The only difference between the on-premises hardware and VMWonAWS, is the latter required users to RDP to a Windows jump host. Both options were provided and teams could select either environment to use.

Note: Internally, CDW is one of our vendors for purchasing hardware/software and that is why there are links directly to their site. However, you may find better pricing by looking online, especially Amazon which majority of the components are cheaper except for the server which you can get an exclusive vGhetto Discount at MITXPC. I have added links to both CDW/Amazon where applicable and I recommend doing research to find the best pricing if you are on a budget.

Here is a picture of the setup at VMworld US:

Here is a picture of the setup at VMworld EU: