Wednesday, December 17, 2014

vCAC 6: Configuring IaaS-Tenants and Roles

This blog will cover configuring IaaS. In the last we learnt about IaaS installation

in this blog  we will discuss Tenants and Roles

A tenant is an organizational unit in a vCloud Automation Center deployment. When the system administrator configures single sign-on during the installation of VMware vCloud Automation Center, a default tenant is created. The default tenant includes a built-in  system administrator account to log in to the vCloud Automation Center console.If only one organizational unit is necessary for a deployment, the system administrator can then configure and use the default tenant.

There is a Division of Tenant and Non-Tenant Entities. Non-tenanted entities are visible and
consumable by all tenants. This means non-tenanted items like Build Profiles and Reservation
Policies are consumable in some tenanted objects, like blueprints.

To access the default tenant:
1.   Go to https://VCAC_Server_FQDN/shell-ui-app.

2.   Use the system administrator account(administrator@vsphere.local) to create additional tenants,
manage identity sources, and configure system roles.

In a single-tenant deployment, all configuration occurs in the default tenant. The tenant
administrators manage users and groups. The administrators also configure branding, notifications,
business policies, and catalog offerings.

In a single-tenant scenario, the system administrator and tenant administrator roles are typically
assigned to the same person, but the accounts are distinct. The system administrator account is
always administrator@vsphere.local, while the tenant administrator must be a user in one of the
tenant identity stores.

In a multitenant environment the system administrator creates new tenants for each organization:
Each tenant has a unique URL to access the vCloud Automation Center console:
    https://vcac_hostname/shell-ui-app/org/tenant_ URL_name
  • Tenant-level configuration for new tenants is segregated from the default tenant. 
  • Users with system-wide roles can view and manage configuration across multiple tenants.
A multitenant environment can be deployed in the following ways:
  • Default tenant-managed multitenancy
  • Individual tenant-managed multitenancy
Individual Tenant-Managed Multitenancy

In tenant-managed multitenancy, each tenant might have a dedicated infrastructure or use shared
infrastructure. Each tenant has IaaS administrators and fabric administrators that manage resources
for business groups in their own tenant.

Each tenant must be associated with at least one identity store. Identity stores can be OpenLDAP or Active Directory (AD). For a default tenant, you can also use AD in native mode.

System-Wide Roles

System administrator: The system administrator is typically the person who installs vCloud
Automation Center and is responsible for ensuring its availability for other users. 

Infrastructure (Iaas) administrator: The IaaS administrator is responsible for managing
endpoints and endpoint credentials, and creating fabric groups.

Fabric administrator: A fabric administrator is the administrator of one or more fabric groups.
Fabric administrators manage physical machines and compute resources in their groups, and
manage reservations and reservation policies associated with those resources. 

Tenant roles have responsibilities that are limited to a specific tenant, and cannot affect other tenants
in the system. Tenant roles are of the following types:
Tenant administrators: Tenant administrators are typically the business manager or IT administrator who is responsible for a tenant. Tenant administrators configure vCloud Automation Center according to the needs of their organizations. The responsibilities of tenant administrators include the following:
• User and group management.
• Tenant branding and notifications.
• Business policies such as approvals and entitlements.
• Tracking resource usage by all users in the tenant.
• Initiating reclamation requests for virtual machines.
• Managing business groups and shared blueprints in IaaS.

Approval administrator: An approval administrator has the ability to define approval policies.
These policies can be applied to catalog requests through entitlements that are managed by a
tenant administrator or business group manager.

Service Architect: This is role designation for the individuals who are responsible for creating
the blueprints for the catalog items that consumers can request from the service catalog

Business Group Manager: The business group manager is designated by the tenant administrator when creating or editing business groups. Manages one or more business groups. Typically a line manager or project manager. Business group managers manage catalog items and entitlements for their groups in the service catalog. 

• Support user: The support user is a role in a business group. Support users can request and
manage catalog items for other members of their groups. A support user is typically an executive administrator or department administrator.

• Business user: Any user in the system can be a consumer of IT services. Users can request
catalog items from the service catalog and manage their provisioned resources.

• Approver: As part of an approval policy, any user of vCloud Automation Center, for example, a
line manager, finance manager, or project manager can be designated as an approver

vCAC 6: Installation

In the last blog we covered pre-requisites of installation. Now we finally go ahead and do the installation

Lets Start with vCloud Automation Center Appliance Installation

To install the vCloud Automation Center appliance, we would need to accomplish below tasks:
1. Deploy the vCloud Automation Center virtual appliance.
2. Configure time settings.
3. Configure CAFE name.
4. Configure SSL certificates.
5. Configure SSO.

6. Type a license key

Deploy the vCloud Automation Center virtual appliance: We would need to deploy OVF or OVA template for this.

Now login to the appliance with root user id and password supplied at the time of installation. go to http://VCAC_Appliance_FQDN:5480/ 

Configure time settings
Go to admin tab and configure the time settings

Configure CAFE name

From Host Settings, select Resolve Host Name to set the CAFE host name

 Configure SSL certificates.

Configure SSO.

Type a license key

We have now completely installed VCAC appliance. Now we will do IAAS installation

To install the IaaS components:
1. Download the installation wizard from the vCloud Automation Center Appliance:
2. Validate prerequisite tests.
3. Select the installation type.
4. Type credentials.
5. Set service account details and passphrase.
6. Set configure database settings.
7. Configure DEM and agent names.

Now login to the appliance

Select the installation type.
• Complete Install will install all IaaS components on this machine.
• Custom Install allows an administrator to selectively choose IaaS components for a distributed installation.

Run Pre-requisite checker

now configure server and account settings
Confirm the name of the DEM Worker and the DEM Orchestrator. The endpoint name configured for the vSphere Agent is required when configuring endpoints.

Configure all the necessary settings for the component registry, SSO login, and the IaaS hostname

and you are done with installation. Next is configuration

Tuesday, December 16, 2014

vCAC 6: Installation Pre-requisites

Now we will discuss installation of vCAC 6.

Installation Pre-requisites:

vCloud Automation Center can be deployed in two Configurations:

  1. A minimal installation is the deployment of a single instance of each vCloud Automation Center component.
  2. distributed installation  installs multiple instances over separate servers for scalability, redundancy, high availability, and disaster recovery

vCloud Automation Center consists of the following components:

  •  Single sign-on (SSO) server : VMware Identity Appliance or VMware vCenter 5.5 U1 SSO
  • vCloud Automation Center appliance
  • VMware infrastructure as a service (IaaS)
  • Distributed Execution Managers (DEM)
  • Agents
We need to follow the below flowchart if we want to implement VCAC successfully

A vCloud Automation Center Appliance stores data in a PostgreSQL database. The default installation creates the PostgreSQL database locally but an administrator may install it on another server

The IaaS server supports the following database platforms:
Microsoft SQL Server
• SQL Server 2008 R2 SP1, SQL Server 2008 R2 SP2
- Enterprise, Standard, Express
• SQL Server 2012, SQL Server 2012 SP1
- Enterprise, Standard, Express
IaaS server database connectivity requirements:
TCP/IP protocol enabled for MS SQL Server
Microsoft Distributed Transaction Coordinator Service (MS DTC) enabled on all SQL nodes in the system Appropriate network ports open between Database Server and IaaS Server
If using SQL Server Express, the SQL Server Browser service must be running.


Identity Appliance ingress ports
Identity Appliance: Egress Ports

the remaining ports are

Now we need to determine compute requirements

component CPU Memory  Storage
Identity Server Virtual Appliance  1 2GB  2.5GB
vCloud Automation Center Appliance  2 8GB 30GB
IaaS Server  2 4GB 30GB
ITBM Standard  2 4GB 16GB
Application Director  2 4GB 16GB

Now we would need to determine IAAS service  manager requirements

The IaaS Manager Service requires the following:
  • .NET Framework 4.5 must be installed
  • Microsoft PowerShell 2.0 (included with Windows Server 2008 R2 SP1 and later) or Microsoft PowerShell 3.0 on Windows Server 2012 must be installed. SecondaryLogOnService must be running. Appropriate network ports between DEM host and Windows Server should be open.
We would also need to determine credentials for access.

vCenter service account A domain or local account is needed for endpoint access
Virtual appliance installation Administrative privileges on the deployment platform are required
IaaS installation The user that executes the installation should be a local administrator
IaaS database credentials The user must have IaaS database owner privileges
IaaS service user credentials The user must be a domain user and have local administrator privileges
on all systems with installed IaaS components

Now we are ready for Installation.

Sunday, December 14, 2014

vCloud (vCAC 6): Architecture and components

Below is the overall refernce architecture of VCAC 6

The table below identifies common use cases and the functionality available with each edition

Smmary Comparison
vRealize Automation
Features Standard (1) Advanced Enterprise
vRealize Automation
VMware Infrastructure Services, cloning only, vRealize Orchestrator Integration
Multi-vendor, multi-cloud Infrastructure (2), and multi-vendor SW provisioning  
Custom Services (XaaS), Approvals, Reclamation, Chargeback, multi-tenancy  
Application Services, Release Automation, DevOps Integration    
Detail Comparison
vRealize Automation
Features Standard Advanced Enterprise
Services Provisioned and Managed
Infrastructure Services (vSphere and vCloud only)
Day-2 Operations for Infrastructure: Reconfigure, Snapshot
Infrastructure Services (multi-vendor virtual, physical, and public cloud) (2)  
Custom Services  
Application Services ( virtual, private and public cloud)    
Day-2 Operations for Applications: Update, Rollback, Scale-in and Scale-out    
Software Deployment Mechanisms
Hypervisor and vApp Cloning
Multi-vendor software deployment tools (e.g. BMC BladeLogic, HP Server Automation, Microsoft SCCM, NetApp FlexClone, Citrix Provisioning Server, Linux Kickstart/AutoYast, Windows WIM Imaging PXE Boot and others)  
Deploy integrated multi-tier applications    
Leverage existing services in new application deployments (e.g. Production LoadBalancer)    
Governance and Controls
Business rules, resource allocation and infrastructure service definition policies
Multi-tenancy and approvals  
Application definition and release automation policies    
Business Management
Chargeback and cost display throughout the product  
Integration with VMware vRealize Business Standard Edition ( IT cost management solution)  
Solution Extensibility
vRealize Orchestrator Integration
Optional vRealize Automation Development Kit (SDK)
VMware Cloud Management Marketplace solutions
Advanced Service Designer  
Integration with Configuration Management Solutions e.g. Puppet, Chef and SaltStack    

When planning a vCloud Automation Center deployment you must consider all the logical

With single sign-on (SSO), Active Directory users who are granted access to the vCloud Automation Center portal can log in without typing a user name and password again. The Identity Appliance is deployed from an Open Virtualization Format (OVF) template

At least one vCloud Automation Center appliance is required. The appliance includes the
Web console, which provides a single portal for self-service provisioning and management of cloud
services. The console also provides authoring, administration, and governance. You can deploy
multiple instances of vCloud Automation Center behind a load balancer

The IaaS component of vCloud Automation Center is made up of
multiple parts:
• IaaS Web site
• Distributed Execution Managers (DEMs)
• Agents
• Model Manager
• Manager Service
• Database

The IaaS Web site component provides the infrastructure
administration and service authoring capabilities to the vCloud Automation Center console. The IaaS
Web site component communicates with the Model Manager, which provides updates from
the DEM, proxy agents, and database.

The Model Manager holds the core of the business logic for vCloud Automation Center. This
business logic contains all the information required for connecting to external systems like VMware
vSphere®, Microsoft System Center Virtual Machine Manager, and Cisco UCS Manager. The
Model Manager Web service component can have multiple instances that communicate with a single
database. The database can be a clustered instance

The Manager Service coordinates communication between agents, the IaaS database, Active Directory (or LDAP), and SMTP. The Manager Service communicates with the console Web site through the Model Manager. This service requires local administrative privileges to run.

DEMs are used for provisioning and managing machines on:
• vCloud Director and vCloud Hybrid Service
• Red Hat Enterprise Virtualization (RHEV) Manager
• Microsoft System Center Virtual Machine Manager (SCVMM)
• Amazon Web Services
• Physical Server Management Interfaces for Dell, HP, and Cisco

Agents are used for provisioning and managing machines and
services on:
• Hypervisor proxy agents (vSphere, Citrix, XenServer, Hyper-V)
• External provisioning infrastructure (EPI)
• Virtual Desktop Infrastructures
• Windows Management Instrumentation

Distributed Execution Managers (DEMs) are responsible for coordinating and executing the
requested workflows. The two types of DEMs are the Orchestrator and the Worker. The Worker
DEM is responsible for executing the requested workflows. The Orchestrator is responsible for
preprocessing and scheduling the workflows on all available Worker DEMs

Agents, like DEMs, are used to integrate vCloud Automation Center with external systems:
• Virtualization proxy agents are used to collect data from and provision virtual machines on 
virtualization hosts, for example, a Hyper-V agent, a vSphere agent, or a Xen agent.
• Integration agents provide vCloud Automation Center integration with virtual desktop systems, for 
example, an EPI Windows PowerShell agent, or a VDI Windows PowerShell agent.
• Windows Management Instrumentation agents enable data collection
from Windows machines managed by vCloud Automation Center.

vCenter Orchestrator integrates with vCloud Automation Center to extend the business process
automation capabilities of your cloud infrastructure. The standard master workflow in vCloud
Automation Center can be extended to call vCenter Orchestrator workflows that communicate with
external systems or perform external processes

Upon approval, a work
order is generated against an external management system. At the time of provisioning, a custom 
script is executed and CMDB is updated to reflect the new machine. After provisioning, the machine 
can be backed up or changed. That change in the machine requires an update to the CMDB. The CMDB is  updated once again when the machine is not needed, put into retirement, and subsequently
VMware vCloud Application Director automates the deployment, update, and maintenance of
applications. Application Director integrates with vCloud Automation Center to form an extensible,
flexible, and automated system for deploying and managing the lifecycle of machines and

The distributed deployment architecture.
This option uses multiple load balancers to balance parts of the vCloud Automation Center
deployment. This type of scaled-out design requires more infrastructure resources than a minimal
deployment design. The added expense and complexity of this design results in a more scalable,
potentially higher performing, and more highly available cloud infrastructure. You can also use
vSphere to protect against hardware failure

VMware NSX provides dynamic networking for machines provisioned by using vCloud
Automation Center. vCloud Automation Center integrated with VMware NSX can dynamically
provision NSX logical services customized to the specific needs of each applications

Thursday, December 11, 2014


This is the third blog in the series. The earlier two blogs in vCloud Air are:
VMware vCloud Air : Architecture and Principles

This Blog contains the following lessons:
Deploy a machine from the Enterprise catalog
Copy an Existing Virtual Machine to vCloud Air


Select The Virtual machines Tab 

Deploy a VM 

This is the Virtual Machine tab.  From here you can create new VMs as well as modify existing VMs. Click the Deploy a Virtual Machine button
Now select the destination Virtual Data center (vDC)

Now you get the Select template window.  When you create a new VM, you have the option of creating a VM from a template from the VMware catalog, a template that you've imported, or create a VM from scratch.  

1. Select the VMware Catalog tab.
2. Click on the button labeled 64 bitnext to CentOS 6.3 64 bit.


Assign your VM a name and assign it resources.  Unlike other public clouds that force you to use a VM of a particular size, vCloud Air allows you to allocate resources to a VM as you see fit.  Moreover, if you decide later that you need to increase or decrease the amount of resources assigned to a VM, you can do so without having to destroy it.  You also have the option of attaching the VM to different network segments during this phase which is useful when specific network and application architectures are required
1. In the Name field type in the name for your virtual machine (this will be the name of your vApp): TestVM
2. In the Guest OS Name field, type the name of your guest OS: TestVM
3. Click the Change hyperlink next to allocated resources.  Leave the resource allocation unchanged.

4. Click the Green Deploy This Virtual Machine button

Wait for VM to be deployed. And that's it


Copying a machine to vCloud Air involves a virtual appliance known as vCloud Connector (vCC).  Once the appliance is imported into your vSphere environment and properly configured, it will manifest itself as a plug-in for the vSphere client

Launch the VMware vSphere Client

Once VSphere Client is launced, Click on vCloud connector button

1. At the top left of the screen click the Home button.
2. On the home page, click the vCloud Connector icon in the Solutions and Applications area.
3. If you receive a warning. Ignore it and accept the link.

4. The vCloud Connector Client will launch

Prepare to add local vSphere environment to vCloud Connector

1. In the Browser panel on the left, click on Clouds to select it.
2. In the Objects panel, click the Add(green plus) icon.

Note: only clouds that have been previously registered with the vCloud Connector Server will appear in the "name" drop down field.  As part of the vCloud Connector setup, you register a vCloud Connector node for each cloud on the vCloud Connector Server.  The node registration includes the name and URL for the node.

ADD the Local Datacenter to vCloud Connector

Add the Local Datacenter production organization to vCloud Connector



1. Click on the  Local Datacenter Cloud in the left panel.
2. In the inventory panel click theVirtual Machines tab.
3. Select Tiny Linux. This is a powered down virtual machine in the local vSphere environment.

To copy a VM to the vCloud Air it first needs to be powered off.  If you know you're going to be moving a lot of data, e.g. > 300GB, you may want to consider doing an Offline Data Transfer (ODT) instead.  With an ODT, VMware will ship you a 12 TB appliance that you can copy your VMs and templates onto [using vCC].  Once you're finished copying your data to the encrypted drive, you return the drive to VMware, where upon arrival, the VMs and templates are imported directly into your environment. 



1. Next to the Select VDC drop down box select the dc1-vpc1vDC.
2. Click the Next button.

Note: All VMs copied to vCloud Air are thick provisioned.

1. Place a check mark in the Deploy vApp after copy checkbox, then choose fenced from the Network Connection Mode drop down list.  
2. Select the "dc1-vpc1-default-isolated" as the Selected network configuration. This list is populated automatically with the networks within the vDC.
3. Select Power on vApp after deployment checkbox.
4. Select Remove temporary vApp template in destination vCloud catalog checkbox.

5. Click Next to continue

Featured Post

Amazon Route 53

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service.Route 53  perform three main functions in any...