VMware Hands-on Labs - HOL-2011-01-SDC


Lab Overview - HOL-2011-01-SDC - VMware vSphere - Getting Started

Lab Guidance


Note: It may take more than 90 minutes to complete this lab.  You don't need to complete every module during this time; the modules are independent of each other.  You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

This lab will detail the new features of vSphere 6.7 Update 2.  You will be able to determine if your business would benefit from any of the vSphere 6.7 Update 2 enhancements after taking this lab.  Some of the features will be delivered via videos due to the nature of the features. There is also some hands-on work. There are other labs that will give you a more in-depth, hands-on experience for each of the pillars discussed in this lab.

Feel free to explore and look around!  This lab contains two vCenter servers which allows you to experience Enhanced Linked Mode.  

Lab Module List:

Lab Captain:   

Content Leads:

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved.  All your work must be done during the lab session.  However, you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides typing it in directly, there are two helpful methods of entering data that make it easier to enter complex strings.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@ key".

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs take advantage of this, which lets us run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - vSphere 6.7 Overview (15 minutes)

Introduction


This lab is an overview of the new features in vSphere 6.7 Update 2. After completing this module, you should get a good understanding of which of the next 5 modules are of interest to you. The remaining modules will use videos and the lab environment to demonstrate new features in the below categories.

In Module 1 we will go over the new features around installs, upgrades, backups, user interface, and the CLI.

Here are the topics we will cover in depth in other modules: 

•    Simple & Efficient Management at Scale (Core vSphere & vCenter Server)
•    Comprehensive Built-in Security (VBS, TPM 2.0, vTPM)
•    Universal App Platform (PMEM, NVIDIA GRID, RDMA)
•    Seamless Hybrid Cloud Experience (Hot & Cold Migration, Hybrid Linked Mode)
•    Interactive simulation covering AppDefense install, configuration, and use

 


Simple and Efficient Management at Scale


vSphere 6.7 Update 2 builds on the technological innovation delivered by vSphere 6.5, and elevates the customer experience to an entirely new level. It provides exceptional management, simplicity, operational efficiency, and faster time to market, all at scale.


 

vCenter Server Appliance

vSphere 6.7 Update 2 delivers an exceptional experience for the user with an enhanced vCenter Server Appliance (vCSA). It introduces several new APIs that improve the efficiency and experience to manage the vCSA.  It also significantly simplifies the vCenter Server topology through vCenter with an embedded Platform Services Controller (PSC) in Enhanced Linked Mode.  This topology enables customers to link multiple vCenters and have seamless visibility across the environment without the need for an external PSC or load balancers.

vSphere 6.7 Update 2 vCSA delivers phenomenal performance improvements (all metrics compared at cluster scale limits, versus vSphere 6.5):

These performance improvements ensure a blazing fast experience for vSphere users and deliver significant value.  It provides time and cost savings in a variety of use cases such as VDI, scale-out applications, Big Data, High Performance Computing (HPC), DevOps, and distributed cloud native applications.

 

 

 

Single Reboot/Quick Boot

vSphere 6.7 Update 2 improves efficiency at scale when updating ESXi hosts.  Single Reboot significantly reduces maintenance time by eliminating one of two reboots normally required for major version upgrades. In addition to that, vSphere Quick Boot restarts the ESXi hypervisor without rebooting the physical host, skipping time-consuming hardware initialization.  This allows for faster upgrades and patching.

 

 

VMware Tools

The VMXNET3 driver is now available through Windows Update for Windows Server 2016 in the latest version of VMware Tools.  A previous release of VMware Tools made the Paravirtual SCSI (PVSCSI) storage driver available through Windows Update.  This means that you can update both drivers as part of your regular Windows patching cycle which reduces the required number of reboots.

While updates to these drivers will still require a guest OS reboot, this can happen in conjunction with other Windows patching operations. If patching and rebooting is done prior to updating VMware Tools, a subsequent reboot will not be required.

When critical drivers can be updated in conjunction with other Windows patching, vSphere administrators benefit when subsequently updating VMware Tools because the driver will not require an update and a guest OS reboot will not be triggered.

The latest release of VMware tools also includes updates to the Open Source components glib, openssl and libxml2.

 

 

VM Compatibility 15

vSphere 6.7 Update 2 introduces VM Compatibility 15 (formerly known as Virtual Hardware).  This version increases the maximum number of logical processors from 128 to 256 for compute-intensive workloads. VM Compatibility 15 is only supported on ESXi 6.7 Update 2 (and later) hosts.

 

 

 

HTML 5 vSphere Client

The HTML5-based vSphere Client is now fully-featured in vSphere 6.7 Update 2!  This means there is no longer a need to switch between the vSphere Client (HTML5-based) and the vSphere Web Client (Flash-based).  Every aspect of your vSphere environment can be managed in the HTML5-based vSphere Client.  It provides a modern, simplified user interface that is very responsive and easy to use. With vSphere 6.7 Update 2, it includes added functionality to support not only the typical workflows that customers need but also other key functionality like managing NSX, vSAN, VUM, and 3rd-party components.

 

 

Support for 4k Native Storage

Storage vendors are moving towards cost-efficient 4K native (4Kn) drives. The migration to 4K sized sectors will provide a shorter path to higher densities and hard drive capacities as well as more robust error correction. The HDD vendors have been manufacturing 4K-sectored drives by using emulation (512e) in the firmware to reduce the impact of the format change to the host clients. 512e drives were introduced to enable the transition to 4Kn drives. Vendors expect mass adoption of 4Kn within the next few years. Subsequently, VMware has been working to enable 4Kn drives in vSphere to ensure utilization of the latest technology.

4Kn drives have several benefits over drives with 512-byte sectors: higher capacity and improved performance from the more optimized placement of data on the drive; more efficient space utilization with optimized meta-data, giving up to 10% more available data; and improved drive reliability and error correction with larger meta-data, by increasing the ECC block from 50 to 100 bytes. This provides a much-needed improvement in error correction efficiency.

In vSphere 6.7 Update 2, 4Kn direct attached drives are now supported natively via 4Kn Software Emulation (SWE). The software emulation layer allows the use of 4Kn drives while still allowing legacy OS, applications, and existing VMs to run on newer 4Kn drives.

There are some limitations for 4Kn drives: only local SAS and SATA HDDs are supported, they must use VMFS6, and booting from 4Kn drives requires UEFI. 4Kn SSD, NVMe, and Raw Device Mapping (RDM) disks for the Guest Operating System (GOS) are not supported. vSAN and VVOL may declare themselves as 512e if they can handle both 512-byte and 4K I/Os without any atomicity issues. Third-party multi-pathing plugins are not supported.
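A simplified model of the 512-byte-on-4K emulation the passage describes, added here as an illustration and not VMware's SWE implementation: logical 512-byte I/O is mapped onto 4096-byte physical sectors, and any write that does not cover a whole physical sector costs an extra read (read-modify-write). The disk contents and sizes are constructed.

```python
"""Toy model of a 512e / software-emulation layer over a 4Kn drive.
Constructed illustration; not VMware's 4Kn SWE code."""
from typing import Tuple

LOGICAL = 512    # sector size the guest or legacy OS believes it is using
PHYSICAL = 4096  # native sector size of the 4Kn drive


class Emulated4KnDisk:
    """Accepts 512-byte-addressed I/O and issues only whole 4K physical sectors."""

    def __init__(self, physical_sectors: int) -> None:
        self.media = bytearray(physical_sectors * PHYSICAL)
        self.phys_reads = 0   # physical sector reads issued to the drive
        self.phys_writes = 0  # physical sector writes issued to the drive

    def _read_phys(self, psn: int) -> bytes:
        self.phys_reads += 1
        return bytes(self.media[psn * PHYSICAL:(psn + 1) * PHYSICAL])

    def _write_phys(self, psn: int, data: bytes) -> None:
        assert len(data) == PHYSICAL
        self.phys_writes += 1
        self.media[psn * PHYSICAL:(psn + 1) * PHYSICAL] = data

    def write512(self, lba: int, data: bytes) -> None:
        """Write whole logical (512-byte) sectors starting at logical block lba."""
        if not data or len(data) % LOGICAL:
            raise ValueError("writes must be a non-zero multiple of 512 bytes")
        start, end = lba * LOGICAL, lba * LOGICAL + len(data)
        for psn in range(start // PHYSICAL, (end - 1) // PHYSICAL + 1):
            p_start, p_end = psn * PHYSICAL, (psn + 1) * PHYSICAL
            if start <= p_start and end >= p_end:
                # Physical sector fully covered: plain overwrite, no read needed.
                buf = data[p_start - start:p_end - start]
            else:
                # Partially covered: read the 4K sector, patch the bytes, write it back.
                patched = bytearray(self._read_phys(psn))
                lo, hi = max(start, p_start), min(end, p_end)
                patched[lo - p_start:hi - p_start] = data[lo - start:hi - start]
                buf = bytes(patched)
            self._write_phys(psn, buf)

    def read512(self, lba: int, count: int) -> bytes:
        """Read count logical sectors; every touched physical sector is read whole."""
        start, end = lba * LOGICAL, (lba + count) * LOGICAL
        first = start // PHYSICAL
        chunks = [self._read_phys(psn) for psn in range(first, (end - 1) // PHYSICAL + 1)]
        base = first * PHYSICAL
        return b"".join(chunks)[start - base:end - base]

    def io_stats(self) -> Tuple[int, int]:
        """(physical reads, physical writes) issued so far."""
        return self.phys_reads, self.phys_writes


def write_cost(lba: int, nbytes: int, physical_sectors: int = 8) -> Tuple[int, int]:
    """Physical (reads, writes) that a write of nbytes at logical lba costs on a fresh disk."""
    disk = Emulated4KnDisk(physical_sectors)
    disk.write512(lba, b"\xff" * nbytes)
    return disk.io_stats()


if __name__ == "__main__":
    # Aligned 4K write, single 512-byte write, and a 4K write misaligned by one sector.
    for lba, nbytes in ((0, 4096), (3, 512), (1, 4096)):
        reads, writes = write_cost(lba, nbytes)
        print(f"write {nbytes} bytes at LBA {lba}: {reads} physical reads, {writes} physical writes")
```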

 

Comprehensive Built-in Security


vSphere 6.7 Update 2 builds on the security capabilities in vSphere 6.5 and leverages its unique position as the hypervisor to offer comprehensive security that starts at the core, via an operationally simple policy-driven model.


 

Integration with Trusted Platform Modules

A Trusted Platform Module (TPM) is a computer chip/microcontroller that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include measurements, passwords, certificates, or encryption keys. A TPM can also be used to digitally sign content and store platform measurements that help ensure that the platform remains trustworthy. The Trusted Computing Group has a detailed overview of what a TPM is and does.

Since ESXi 5.x, ESXi has had support for TPM 1.2. Prior to 6.7, the APIs and functionality of TPM 1.2 were limited to 3rd party applications created by VMware partners.

vSphere 6.7 Update 2 supports TPM 2.0. TPM 2.0 and TPM 1.2 are two entirely different implementations and there is no backward compatibility. For all intents and purposes, they are considered two different devices to ESXi.

If you are running 6.5 on a server with TPM 2.0 you will not see the TPM 2.0 device because there is no support in 6.5 for TPM 2.0. New features in 6.7 Update 2 do not use the TPM 1.2 device.

At a high level, TPM 2.0 is used to store measurements of a known good boot of ESXi. This measurement is then compared by vCenter with what ESXi reports.

In other words, the TPM provides assurance that ESXi has booted with Secure Boot enabled. By confirming that Secure Boot is enabled, we can then ensure that ESXi has booted using only digitally signed code.

This is an excellent example of the iterative approach to security that we are delivering. In 6.5 we delivered Secure Boot support. In 6.7 Update 2 we built upon that by delivering TPM 2.0 to provide assurance that Secure Boot is turned on.
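The measure-then-compare flow described above, as an added illustration that is not VMware's code: a simplified model of a SHA-256 PCR bank, the event log a host hands over with it, and the verifier-side check a vCenter-style attestation performs. The boot component images are constructed stand-ins, and the TPM-signed quote that protects the reported PCR value on real hardware is not modelled.

```python
"""Simplified model of TPM measured boot and the attestation check a verifier
(vCenter, in the text above) performs. Constructed example; not ESXi code."""
import hashlib
from typing import Dict, List, Tuple

PCR_SIZE = 32  # a SHA-256 PCR starts as 32 zero bytes at power-on

Chain = List[Tuple[str, bytes]]     # (component name, component image)
EventLog = List[Tuple[str, bytes]]  # (component name, SHA-256 of the image)


def boot_chain(secure_boot: bool = True) -> Chain:
    """Constructed stand-ins for the components measured during an ESXi boot."""
    return [
        ("uefi-firmware", b"constructed firmware image v1"),
        ("esxi-bootloader", b"constructed signed bootloader"),
        ("esxi-kernel", b"constructed signed ESXi kernel"),
        ("secure-boot-state", b"SecureBoot=1" if secure_boot else b"SecureBoot=0"),
    ]


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-256(PCR_old || digest).
    It is one-way and order-dependent, so a PCR cannot be rolled back or
    reproduced by measuring the same components in a different order."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(chain: Chain) -> Tuple[bytes, EventLog]:
    """Hash each component, extend it into the PCR, and append it to the event
    log the host later hands to the verifier alongside the PCR value."""
    pcr = bytes(PCR_SIZE)
    log: EventLog = []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay_log(log: EventLog) -> bytes:
    """Recompute the PCR value that the event log claims to describe."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def attest(reported_pcr: bytes, log: EventLog, known_good_pcr: bytes) -> Dict[str, bool]:
    """Verifier-side check: the log must replay to the reported PCR, and the
    reported PCR must equal the known-good value recorded for this host."""
    log_consistent = replay_log(log) == reported_pcr
    matches_known_good = reported_pcr == known_good_pcr
    return {
        "log_consistent": log_consistent,
        "matches_known_good": matches_known_good,
        "trusted": log_consistent and matches_known_good,
    }


# Known-good value: recorded once from a host that booted with Secure Boot on.
KNOWN_GOOD_PCR = measure_boot(boot_chain())[0]


def first_mismatch(log: EventLog, reference: EventLog) -> str:
    """Name the first measured component whose digest differs from the reference;
    this is what an operator wants to see when attestation fails. Empty if none."""
    for (name, digest), (_, ref_digest) in zip(log, reference):
        if digest != ref_digest:
            return name
    return ""


if __name__ == "__main__":
    reference_log = measure_boot(boot_chain())[1]
    for secure in (True, False):
        pcr, log = measure_boot(boot_chain(secure_boot=secure))
        result = attest(pcr, log, KNOWN_GOOD_PCR)
        print(f"SecureBoot={'on' if secure else 'off'}: {result};",
              f"first mismatch: {first_mismatch(log, reference_log) or 'none'}")
```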

 

 

Virtualization Based Security

vSphere 6.7 Update 2 introduces support for the entire range of Microsoft's Virtualization Based Security (VBS) technologies. This is a result of close collaboration between VMware and Microsoft to ensure Windows VMs running on vSphere support in-guest security features while maintaining high performance.

vSphere 6.7 Update 2 delivers comprehensive built-in security and is the heart of a secure SDDC. It has deep integration and works seamlessly with other VMware products such as vSAN, NSX, and the vRealize Suite to provide a complete security model for the data center.

 

 

Data Encryption

Data encryption was introduced with vSphere 6.5 and very well received. With vSphere 6.7 Update 2, VM Encryption is further enhanced and more operationally simple to manage. vSphere 6.7 Update 2 simplifies workflows for VM Encryption designed to protect data at rest and in motion.  Protection for data in motion has been enhanced by allowing encrypted vMotion across different vCenter instances as well as versions, making it easy to securely conduct data center migrations, move data across a hybrid cloud environment (between on-premises and public cloud), or across geographically distributed data centers.

 

Universal Application Platform


vSphere 6.7 Update 2 is a universal application platform that supports new workloads (including 3D Graphics, Big Data, HPC, Machine Learning, In-Memory, and Cloud-Native) as well as existing mission-critical applications. It also supports and leverages some of the latest hardware innovations in the industry, delivering exceptional performance for a variety of workloads.


 

Enhancements to NVIDIA GRID™ vGPU

vSphere 6.7 Update 2 further enhances the support and capabilities introduced for GPUs through VMware's collaboration with NVIDIA by virtualizing NVIDIA GPUs for non-VDI use cases such as artificial intelligence, machine learning, big data and more. With enhancements to NVIDIA GRID vGPU technology in vSphere 6.7 Update 2, customers can suspend and resume VMs running on GPUs instead of powering off these workloads.  This allows for better lifecycle management of the underlying host and significantly reduces disruption for end-users. VMware continues to invest in this area with the goal of bringing the full vSphere experience to GPUs in the future.

 

 

vSphere Persistent Memory (PMEM)

vSphere 6.7 Update 2 continues to showcase VMware's technological leadership and collaboration with our key partners by adding support for persistent memory. With vSphere Persistent Memory (PMEM), customers using supported hardware modules can leverage them as super-fast storage with high IOPS or expose them to the guest operating system as non-volatile memory. This will significantly enhance performance of the OS as well as applications across a variety of use cases, making existing applications faster and enabling customers to create new high-performance applications that can leverage vSphere Persistent Memory.

 

 

 

Instant Clone

You can use the Instant Clone technology to create powered-on virtual machines from the running state of another powered-on virtual machine. The result of an Instant Clone operation is a new virtual machine that is identical to the source virtual machine. With Instant Clone, you can create new virtual machines from a controlled point in time. Instant cloning is very convenient for large scale application deployments because it ensures memory efficiency and allows for creating numerous virtual machines on a single host.


 

Seamless Hybrid Cloud


With the fast adoption of vSphere-based public clouds through VMware Cloud Provider Program partners, VMware Cloud on AWS, and other public cloud providers, VMware is committed to delivering a seamless hybrid cloud experience for customers.


 

vCenter Server Hybrid Linked Mode

vSphere 6.7 Update 2 supports vCenter Server Hybrid Linked Mode, which provides customers visibility and simplified manageability across an on-premises vSphere environment and a vSphere-based public cloud (for example, VMware Cloud on AWS).  With Hybrid Linked Mode, the different environments are not required to use the same versions of vSphere.  This ensures that fast-paced innovation and introduction of new capabilities in the public cloud does not mean an upgrade for a customer's on-premises vSphere environment.

 

 

 

Cross-Cloud Cold and Hot Migration

vSphere 6.7 Update 2 also includes Cross-Cloud Cold and Hot Migration, further enhancing the ease of management across clouds and enabling a seamless and non-disruptive hybrid cloud experience for customers.

As virtual machines migrate between different data centers or from an on-premises data center to the cloud and back, they likely move across different CPU types. vSphere 6.7 Update 2 delivers a capability that is key for the hybrid cloud, called Per-VM EVC. Per-VM EVC enables the EVC (Enhanced vMotion Compatibility) mode to become an attribute of the VM rather than the specific processor generation it happens to be booted on in the cluster. This allows for seamless migration across different CPUs by persisting the EVC mode per-VM during migrations across clusters and during power cycles.

Previously, vSphere 6.0 introduced provisioning between vCenter instances. This is often called cross-vCenter provisioning. The use of two vCenter instances introduces the possibility that the instances are on different release versions. vSphere 6.7 Update 2 enables customers to use different vCenter versions while allowing cross-vCenter, mixed-version provisioning operations (vMotion, Full Clone and cold migrate) to continue seamlessly. This is especially useful for customers leveraging VMware Cloud on AWS as part of their hybrid cloud.

 

Conclusion


VMware vSphere 6.7 Update 2 is the efficient and secure platform for the hybrid cloud. It provides a powerful, flexible, and secure foundation for business agility that accelerates the digital transformation to the hybrid cloud as well as success in the digital economy. vSphere 6.7 Update 2 supports both existing and next-generation workloads through its:

  1. Simple and efficient management at scale, to elevate the customer experience to an entirely new level
  2. Comprehensive built-in security that starts at the core, via an operationally simple, policy-driven model
  3. Universal application platform that supports new workloads and leverages hardware innovations for enhanced performance
  4. Seamless hybrid cloud experience with easy visibility, migration, and management of workloads between on-premises data centers and the public cloud

With vSphere 6.7 Update 2, you can now run, manage, connect, and secure applications in a common operating environment across your hybrid cloud.


 

You have finished Module 1!

 

Congratulations on completing Module 1!

To review more info on the new features please use the links below:

Proceed to any module below which interests you most.

 

 

 

Test Your Skills!

 

Now that you’ve completed this lab, try testing your skills with VMware Odyssey, our newest Hands-on Labs gamification program. We have taken Hands-on Labs to the next level by adding gamification elements to the labs you know and love. Experience the fully automated VMware Odyssey as you race against the clock to complete tasks and reach the highest ranking on the leaderboard. Try the vSphere Odyssey lab

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 2 - Simple & Efficient Management at Scale (60 minutes)

Introduction


vSphere 6.7 Update 2 builds on the technological innovation delivered by vSphere 6.5, and elevates the user experience to an entirely new level. It provides exceptional management simplicity, operational efficiency, and faster time to market, all at scale.

This module will highlight:


•    Enhanced vCenter Server Appliance – Delivers more efficient management and an exceptional experience for the user, with significant performance improvements.

•    Single Reboot and vSphere Quick Boot – Reduces time patching and upgrading.

•    Improved HTML5-based vSphere Client – Enables fast performance and easy management of connected components. 

•    Enhanced Linked Mode with Embedded PSCs

•    vCenter Server cross-SSO Domain repoint

•    vCenter Server Appliance migration tool improvements

•    vCenter Server Appliance native file-based backup improvements

•    vSphere Health

•    VAMI improvements

•    vCenter Server Appliance / PSC batch deployment CLI

•    vSphere Client plugins such as VUM, Host Profiles, vSAN, and vRealize Operations

•    Content Library Improvements


Enhanced vCenter Server Appliance


In vSphere 6.7 Update 2, many of the new features and enhancements were developed around the vCenter Server Appliance.  This is the last release that will offer a Windows installation of vCenter.  The appliance has a new, simplified user interface, enhanced monitoring of services, file-based backup and other great features.


 

Installation

One significant change for the vCenter Server Appliance is around simplifying the architecture. vSphere 6.7 Update 2 allows you to deploy the vCenter Server Appliance with an Embedded PSC in Enhanced Linked Mode.  Now all vCenter Server services are running on a single instance.  Let's take a look at the benefits this deployment model brings:

 

 

Migration Tool

vSphere 6.7 is the last release to include vCenter Server for Windows. Customers can migrate to the vCenter Server Appliance with the built-in Migration Tool. In vSphere 6.7 Update 2, we can select how to import the historical and performance data during a migration:

Customers will also get an estimated time of how long each option will take when migrating. Estimated time will vary based on historical and performance data size in your environment. While importing data in the background, customers have the option to pause and resume. This new ability is available in the vSphere Appliance Management Interface (VAMI). Another improvement to the migration process is support of custom ports. Customers who changed the default Windows vCenter Server ports are no longer blocked.  

 

 

Video - vCenter Server Appliance Migration (5:10)

We will now log into the vCSA and take a look at some of the enhancements.

 

 

 

Open Chrome Browser from Windows Quick Launch Task Bar

 

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Gain screen space in Chrome by zooming out

 

  1. Select the Options menu in Chrome.
  2. Click the '-' button to zoom out to 90%

This will provide more viewing space while still allowing you to read the text.

 

 

Log in to Appliance Management UI

For this lab, we will log in with the root account.

However, vSphere 6.7 Update 2 now allows local vSphere SSO users to log into the VAMI.  The local vSphere SSO users must be a member of the SystemConfiguration.Administrators group.  In addition, members of the SystemConfiguration.BashShellAdministrators group can use their local vSphere SSO account to log into the VCSA bash shell.  From a security perspective, using a local SSO user account to manage the VAMI makes it easier to audit the user who logged in and track actions performed by that user.

 

 

  1. Click the HOL Admin bookmark
  2. Click the vcsa-01a Mgmt shortcut in the drop-down
  3. Type root for the username
  4. Type VMware1! for the password
  5. Click Login

A lot of investment went into improving monitoring for the vCenter Server Appliance. We saw these improvements starting in vSphere 6.5, and vSphere 6.7 Update 2 has added several new enhancements. When accessing the vSphere Appliance Management Interface (VAMI) on port 5480, the first thing we notice is the VAMI has been updated to the Clarity UI. We also notice there are several new tabs on the left-hand side compared to vSphere 6.5.

 

 

Monitoring and Management

There is now a tab dedicated to monitoring where we can see CPU, memory, disk, network, and database utilization.

 

  1. From the menu on the left, click Monitor
  2. The default view should be the CPU & Memory tab.  If not, click this tab.  Explore the graphs shown for these components.

 

A new section of the monitoring tab called Disks is now available. Customers can now see each of the disk partitions for the vCenter Server appliance along with the remaining space available and utilization.

  1. Click the Disks tab.  Review the partitions and utilization of the disks for the vCenter Server appliance
  2. Click the Network tab to see transfer rates for network packets
  3. Click the Database tab to see space utilization

 

 

Firewall

In vSphere 6.7 Update 2, firewall rules can be managed for the vCenter Server Appliance directly from the VAMI.  In the past, this functionality was only available using the VAMI APIs.

 

We will create a new firewall rule for the vCenter Server appliance.

  1. From the menu on the left, click Firewall
  2. Click Add

 

 

Create New Firewall Rule

 

  1. Enter 10.10.10.10 in the IP Address field
  2. Enter 24 in the Subnet Prefix Length field
  3. Select Accept from the Action drop-down menu
  4. Click Save

The firewall rule is now displayed.  We will now delete this rule.

 

 

Delete Firewall Rule

 

 

  1. In the Firewall section, click the radio button next to the firewall rule that will be deleted
  2. Click Delete

 

 

  1. Click Delete to confirm that you want to remove the firewall rule

 

 

Services

The Services tab is now located in the VAMI and provides out-of-band troubleshooting. All of the services that make up the vCenter Server Appliance, their startup type, health, and state are visible here. We are also given the option to start, stop, and restart services if needed.

While the Syslog and Update tabs are not new to the VAMI, there are improvements in these areas. Syslog now supports up to three syslog forwarding targets. There is now more flexibility in patching and updating. From the Update tab, we will now have the option to select which patch or update to apply. Customers will also have more information including type, severity, and if a reboot is necessary. Expanding a patch or update in the view will display more information about what is included. Finally, we can now stage and install a patch or update from the VAMI. This capability was previously only available from the CLI.

 

 

 

File-Based Backup and Restore

In vSphere 6.7 Update 2, the vCenter Server Appliance (vCSA) has an out-of-the-box file-based backup and restore solution. You can back up all of vCenter Server's core configuration, inventory, and historical data to a single folder. The newest supported protocols for built-in file-based Backup and Restore are Network File System (NFS) and Samba (SMB). The addition of NFS and SMB brings the protocol choices up to 7 in total (HTTP, HTTPS, FTP, FTPS, SCP, NFS, and SMB) when configuring a vCenter Server for file-based Backup or Restore. Currently supported versions of these new protocols are NFSv3 and SMB2.  When it is time to restore to a previous backup, you can deploy a new appliance, point to the folder location of the vCenter Server backup files, and restore all of the vCenter Server's configuration and inventory data (with optional historical data) from the backup.  Improvements to the Backup functionality in vCenter 6.7 Update 2 include a scheduling option!

 

 

Create Backup

 

 

  1. From the menu on the left, select Backup
  2. Click Backup Now.

 

 

Backup Wizard

 

 

  1. For Backup location, enter ftp://192.168.110.60
  2. Enter root in the User name field
  3. Enter VMware1! in the Password field
  4. Ensure Stats, Events and Tasks is selected
  5. Enter HOL Test Backup in the Description field
  6. Click Start

 

 

Backup Status

 

This step provides a backup status summary which gives you a confirmation of your backup protocol, location, credentials, encryption, and optional data.  

NOTE: Due to the lack of storage in the lab, the transfer will error out.

 

 

Configuring a Schedule in the Backup Wizard

 

New to vCenter 6.7 is the ability to create a recurring backup schedule.  We will walk through setting up a schedule to finish off this part of the lab.

  1. Click Configure in the Backup Schedule section.

 

 

  1. For Backup location, enter ftp://192.168.110.60
  2. Enter root in the User name field
  3. Enter VMware1! in the Password field
  4. In the Schedule field, leave the default value
  5. In the Number of backups to retain field, leave the default value that is selected
  6. Ensure Stats, Events and Tasks is selected
  7. Click Create

 

 

Confirm the Schedule Creation

 

  1. Click on the small chevron beside the Status to expand the Schedule selection.  
  2. Confirm that the schedule has been created.  You can use the Edit, Disable, or Delete buttons to manage the scheduled backup job.

Click on the video below to watch how a backup schedule is configured.

 

 

Video - File-Based Backup and Restore (4:29)

 

 

Cross-SSO Domain Repoint

The vCenter Server Appliance 6.7 Update 2 CLI also has some new enhancements.  Here we will discuss the repointing enhancements using cmsso-util. While not a new feature, it was not available in vSphere 6.5 and makes a return in vSphere 6.7.

Customers can now repoint their vCenter Server Appliance across vSphere SSO domains. Can you say consolidation? The domain repoint feature supports both embedded and external deployments running vSphere 6.7 Update 2. The domain repoint feature has a pre-check option and it is highly recommended to use this. The pre-check compares the two vSphere SSO domains and lists any discrepancies in a JSON file. This provides the opportunity to resolve any discrepancies before running the domain repoint tool. The repoint tool can migrate licenses, tags, categories, and permissions from one vSphere SSO Domain to another.

 

 

 

vCSA/PSC Batch Deployment

Another CLI enhancement includes using the CLI installer to manage the vCenter Server Appliance lifecycle. The vCenter Server Appliance ISO file comes with JSON template examples. These JSON templates are a way to ensure consistency across installs, upgrades, and migrations. Previously, we would have to run each JSON template from the CLI installer one at a time, in the correct order. This manual per-node deployment is now a thing of the past with batch operations. With batch operations, several JSON templates can be run in sequence from a single directory without intervention. Before running, use the pre-checks option on the directory to verify the templates, including their sequence.

 

 

Improved HTML5-Based vSphere Client


In this lab module we will explore the improvements made to the vCenter HTML5-based client.


 

vSphere Client (HTML5)

In vSphere 6.7 Update 2, the vSphere Client is now fully featured.  This means that all aspects of the vSphere environment can be managed using only the HTML-5 based vSphere Client.  There is no need to switch to the Flash-based vSphere Web Client.

Some of the newer workflows in the updated vSphere Client include:

 

To simplify management, the Platform Services Controller (PSC) user interface is now part of the vSphere Client. PSC management is located under the Administration menu. The PSC options are divided between two tabs: Certificates > Certificate Management and Single Sign On > Configuration.

We will discuss some of the updates to the vSphere Client below.

 

 

Dark Theme

Having a dark theme option has been one of the most requested features for the vSphere Client.  Customers can now switch between the traditional light theme and the new dark theme in a single click.

 

 

 

 

Code Capture

Have you ever wanted to know what tasks performed in the vSphere Client would look like in code?  You can now easily accomplish this by using Code Capture.  You may already be familiar with its predecessor - ONYX.  This popular feature started out in the vSphere HTML5 Web Client Fling and it is now available in vSphere 6.7 Update 2.  

Once enabled, simply press the "Record" button.  Code Capture allows you to record your actions in the vSphere Client and translates these actions into executable code.

 

 

 

API Explorer

vSphere 6.7 Update 2 brings the API Explorer directly into the vSphere Client.  In previous releases, users would have to navigate to a separate URL and provide credentials before having the ability to interact with the REST APIs.  This extra step has now been eliminated.  

An Execute button now appears for each method allowing users to quickly perform the action via the REST API.  These are live changes to the environment so proceed with caution when using this feature.  You will receive pop-up warnings before any actions are executed.

 

 

 

Update Manager

There are several enhancements and improved workflows in the vSphere Client for the Update Manager interface.  Let's take a look at a few of these.  First, we now have the ability to filter by baselines to improve searching capabilities.

 

VMware Tools and VM Hardware upgrades are now a 1-click remediation and you no longer have to create baselines!  

 

 

With vSphere 6.7 Update 2 we introduced the ability to attach multiple baselines or baseline groups to an object.

 

In the past, if you wanted to remediate multiple baselines you were required to create a Baseline Group. With vSphere 6.7 Update 2, you are now allowed to remediate multiple baselines without a baseline group.

 

In vSphere 6.7 Update 2, creating and attaching a baseline or baseline group is now in a single workflow.  In previous versions of Update Manager, if you started the process of attaching a baseline but then decided you wanted to create a new one, you had to exit the workflow and navigate to Update Manager Home to create the baseline. This workflow has also been enhanced to simplify this process.

 

You can now view the contents of an ESXi image in the vSphere Client!  This is extremely helpful to all users but especially to those who create custom images or use vendor-provided images. This option allows the ability to see what patches and drivers are included within a specific ESXi image when performing an upgrade.

 

Previously, when the Remediation Pre-check ran and detected VMs with attached CD drives, the user had to manually disconnect the removable drives. If a removable drive was not disconnected, it could prevent the host from entering maintenance mode.

 

With vSphere 6.7 Update 2, we now provide the option to allow vSphere Update Manager to automatically disconnect removable media devices that might prevent a host from entering maintenance mode.

Another setting that you are able to modify is the option to disable vSphere Quick Boot. Previously this option was enabled by default.  Now customers are able to disable Quick Boot on a host if they wish to have pending firmware or drivers installed upon the next full reboot of that host.

 

Another pre-check that has been added is the ability to detect if DRS is enabled. If DRS is disabled, hosts may not be automatically placed into maintenance mode so user attention is suggested to correct this.

 

Another important feature in vSphere 6.7 Update 2 is the option to disable the host health check after installation. This feature was aimed at vSAN users.  This helps in a situation where a host fails a health check and causes the entire cluster remediation to fail.  This would mean that the ESXi host that was upgraded would remain in maintenance mode.

 

 

Lifecycle Management Operations


VMware vSphere 6.7 Update 2 includes several improvements that accelerate the host lifecycle management experience to save administrators valuable time.


 

Open Chrome Browser from Windows Quick Launch Task Bar

 

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Log into the vSphere Web Client

 

Using the Chrome web browser, navigate to the URL for the Web client.  For this lab, you can use the shortcut in the address bar.

  1. Click the RegionA bookmark folder
  2. Click on bookmark for RegionA vSphere Client (HTML)
  3. Check the Use Windows session authentication box
  4. Click Login

Alternatively, you could use these credentials

  1. User name: corp\Administrator
  2. Password: VMware1!

Please Note: All of the user credentials used in this lab are listed in the README.TXT file on the desktop.

 

 

Gain screen space in Chrome by zooming out

 

The lab desktop is limited to 1280x800 screen resolution. It might be helpful to zoom out the browser for better readability.

  1. Select the Options menu in Chrome.
  2. Click the '-' button to zoom out to 90%

This will provide more viewing space while still allowing you to read the text.

 

 

Navigate to Update Manager

 

Navigate to the Update Manager interface

  1. Click the Menu icon
  2. Click Update Manager

 

  1. Click on Updates
  2. Filter on the ID
  3. Enter 2018

The results will be filtered to show any patches released in 2018.  You can also filter by version (under Releases), category, and type.

 

 

Update Manager with Embedded Linked Mode

With the introduction of embedded linked mode in vSphere 6.7, you can now manage Update Manager instances through the same interface.

 

 

  1. Select the drop down arrow
  2. Select vcsa-01b.corp.local

Browse the settings in the other vCenter.

 

 

Upgrades from 6.5 to 6.7

Hosts that are currently on ESXi 6.5 will be upgraded to 6.7 significantly faster than ever before. This is because several optimizations have been made for that upgrade path, including eliminating one of two reboots traditionally required for a host upgrade. In the past, hosts that were upgraded with Update Manager were rebooted a first time in order to initiate the upgrade process, and then rebooted once again after the upgrade was complete. Modern server hardware, equipped with hundreds of gigabytes of RAM, typically take several minutes to initialize and perform self-tests. Doing this hardware initialization twice during an upgrade really adds up, so this new optimization will significantly shorten the maintenance windows required to upgrade clusters of vSphere infrastructure.

These new improvements reduce the overall time required to upgrade clusters, shortening maintenance windows so that valuable efforts can be focused elsewhere.

Recall that, because of DRS and vMotion, applications are never subject to downtime during hypervisor upgrades: VMs are moved seamlessly from host to host, as needed.

 

 

vSphere Quick Boot

What is the Quick Boot functionality? Quick Boot allows restarting only the hypervisor instead of going through a full reboot of the host hardware, including POST. This functionality is used by vSphere Update Manager so that patching and upgrades complete much more quickly. A note here before getting excited about potential backwards compatibility: this functionality is only available for hosts that are running ESXi 6.7. Even if your hardware is compatible with Quick Boot, if you are running a legacy version of ESXi, it won't be available.

Host reboots occur infrequently but are typically necessary after activities such as applying a patch to the hypervisor or installing a third-party component or driver. Modern server hardware that is equipped with large amounts of RAM may take many minutes to perform device initialization and self-tests.

Quick Boot eliminates the time-consuming hardware initialization phase by shutting down ESXi in an orderly manner and then immediately re-starting it. If it takes several minutes, or more, for the physical hardware to initialize devices and perform necessary self-tests, then that is the approximate time savings to expect when using Quick Boot! In large clusters, that are typically remediated one host at a time, it's easy to see how this new technology can substantially shorten time requirements for data center maintenance windows.

Due to the nature of our lab, we can't demonstrate Quick Boot because ESXi is running nested on ESXi!  Click on this video to watch Quick Boot in action!

 

 

Video - vSphere Quick Boot (1:53)

While we can't watch the reboot go any faster in this lab, let's go check where we enable this setting.  

 

  1. From Update Manager, click the Settings tab
  2. Under Remediation Settings click on Hosts
  3. Click on Edit

 

  1. Notice the Enable Quick Boot is checked by default
  2. Review the available host settings
  3. Click on Cancel to exit

 

Getting Started with Update Manager


VMware vSphere Update Manager is a tool that simplifies and centralizes automated patch and version management for VMware vSphere and offers support for VMware ESX hosts, virtual machines, and virtual appliances.  

With Update Manager, you can perform the following tasks:

  1. Upgrade and Patch ESXi hosts.
  2. Upgrade virtual machine hardware, VMware Tools, and Virtual Appliances.

vSphere Update Manager is installed and running by default in the vCenter Server Appliance. Each vCenter Appliance will have a single vSphere Update Manager paired with it.


 

Open Chrome Browser from Windows Quick Launch Task Bar

 

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Log into the vSphere Web Client

 

Using the Chrome web browser, navigate to the URL for the Web client.  For this lab, you can use the shortcut in the address bar.

  1. Click the RegionA bookmark folder
  2. Click on bookmark for RegionA vSphere Client (HTML)
  3. Check the Use Windows session authentication box
  4. Click Login

Alternatively, you could use these credentials

  1. User name: corp\Administrator
  2. Password: VMware1!

Please Note: All of the user credentials used in this lab are listed in the README.TXT file on the desktop.

 

 

Gain screen space in Chrome by zooming out

 

The lab desktop is limited to 1280x800 screen resolution. It might be helpful to zoom out the browser for better readability.

  1. Select the Options menu in Chrome.
  2. Click the '-' button to zoom out to 90%

This will provide more viewing space while still allowing you to read the text.

 

 

Navigate to Update Manager

 

Navigate to the Update Manager interface

  1. Click the Menu icon
  2. Click Update Manager

 

 

Select vcsa-01b.corp.local

 

We are going to create a baseline on the vcsa-01b vCenter Server.

  1. Ensure vcsa-01b.corp.local is selected in the host drop down menu.

 

 

Baselines and Baseline Groups

 

Baselines can be upgrade, extension, or patch baselines.  Baselines contain a collection of one or more patches, extensions, or upgrades.  

Baseline groups are assembled from existing baselines, and might contain one upgrade baseline per type of upgrade baseline, and one or more patch and extension baselines.  When you scan hosts, virtual machines, and virtual appliances, you evaluate them against baselines and baseline groups to determine their level of compliance.

By default, Update Manager contains two predefined dynamic patch baselines.

We are going to create a new baseline, which we will then use to scan a vSphere host so that we can make sure that it has the latest patches.

  1. Select the Baselines tab
  2. Click New
  3. Click Baseline

 

 

Create Baseline

 

 

  1. Enter HOL Host Baseline for the name
  2. Enter Host Baseline for the description
  3. Select the Patch radio button
  4. Click Next to continue.

 

 

Select Patches Automatically

 

This screen gives the baseline the ability to continually update itself based on the criteria you select.  You can use these options to narrow the scope of the patches added to this baseline (selecting embeddedEsx 6.5.0 would limit this baseline to only those patches relevant to ESXi 6.5).

Some areas you can refine the baseline patches to are:

  1. For our example, we will leave the default setting to automatically update the baseline as new patches become available. We will also leave the default Criteria settings of Any for all options.
  2. Click Next

 

 

Select Patches Manually

 

From this screen you have the ability to manually select patches for the baseline to include.  Since we have selected the option to have this baseline automatically updated, this screen will appear without patches to select.  If you disable the automatic option in the previous screen, you would now be presented with a listing of all patches available which you could manually select to include in this baseline.

  1. Click Next

 

 

Summary

 

Review the settings of the patch baseline you created before finishing the wizard.

  1. Click Finish to complete the Patch Baseline

 

 

Return to Hosts and Clusters View

 

Next, we are going to attach the baseline we just created to a host. This makes sure that scanning and remediation happens for the host.

  1. Click on the Menu Icon
  2. Select Hosts and Clusters

 

 

Attach the Patch Baseline to a Host

 

 

  1. Expand vcsa-01b.corp.local vCenter Server --> RegionB01 Datacenter --> RegionB01-COMP01 Cluster
  2. Click on the host esx-02b.corp.local
  3. Select the Updates tab.
  4. Click on Attach (Note: You may need to scroll down to see this)
  5. Click Attach Baseline or Baseline Group

 

 

Select the Baseline

 

In the new window that opens,

  1. Select HOL Host Baseline - this is the new Baseline that we just created
  2. Click Attach

 

 

Verify the Baseline is Attached

 

Before we scan the host for compliance against our new baseline, let's verify the new baseline is attached and see what the current status of its compliance is.

  1. Verify HOL Host Baseline is listed in the Attached Baselines
  2. Notice that the current status indicates Unknown. This is a normal status when you attach a new baseline: Update Manager has not yet scanned this host and compared its current state to the baseline state.

In the next step, we will scan the host and see if it is in compliance with the attached baseline.

 

 

Scan the Host

 

We will now scan this host to see if it is compliant with the baseline.

  1. Click the CHECK COMPLIANCE button
  2. You may receive a message in a blue bar at the top of your screen indicating that a refresh is needed. Click the Refresh link to update the screen. After you click Refresh, you can safely close the message window with the "X".
  3. Notice the new status of this host.  It is now "Compliant". This indicates that the host meets the patch criteria selected in this baseline. 

Had this host been missing any patches identified in the baseline criteria, the status would have shown "Not Compliant", indicating that the host is missing a patch identified in the baseline. You could then remediate this host using the Remediate option on this screen.

 

 

Video: Upgrading VMware Tools Using vSphere Update Manager (5:14)

vSphere Update Manager can also be used to update the VMware tools on a virtual machine.  The following video outlines the process.

 

Converge Tool


Convergence is the process of reconfiguring or converting a vCenter Server instance with an external Platform Services Controller (PSC) to a vCenter Server instance with an embedded PSC.

The Converge Tool was introduced in vSphere 6.7 Update 1 as the method to move from an external PSC deployment to an embedded PSC using the vCenter Server CLI. With vCenter Server 6.7 Update 2, the convergence functionality is now available within the vSphere Client!

In vCenter Server 6.7 Update 2 within the table view, you will see two new buttons: Converge to Embedded and Decommission PSC. You no longer are required to utilize the CLI and JSON templates to run the vCenter Server Converge Tool. One additional benefit when running the Converge Tool through the vSphere Client is that if you have internet access, any required components will be automatically downloaded from the VMware Online Repository.  This provides a simple method to migrate your external vCenter server deployment to an embedded vCenter server deployment.

Watch the video on the next page to learn more!


 

Video - Converge Tool (3:10)

 

Embedded Linked Mode


vCenter Embedded Linked Mode is enhanced linked mode support for vCenter Server Appliance with an embedded Platform Services Controller.  This lab is configured using vSphere 6.7 Embedded Linked Mode.

With vCenter Embedded Linked Mode, you can connect multiple vCenter Server Appliances with embedded Platform Services Controllers together to form a domain. vCenter Embedded Linked Mode is not supported for Windows vCenter Server installations. vCenter Embedded Linked Mode is supported starting with vSphere 6.5 Update 2 and suitable for most deployments.

Other features of vCenter Embedded Linked Mode include:


 

Video - Embedded Linked Mode (4:03)

 

vSphere Health


vSphere Health enables you to identify and resolve potential issues before they have an impact on your environment. vSphere telemetry data is collected and used to analyze pre-conditions in your vSphere environment related to stability and incorrect configurations. These issues are reported under vSphere Health and resolution recommendations are provided.  You can check the health of vSphere hosts and vCenter Server.

 

VMware Analytics Cloud (VAC) is the platform that enables VMware products to send telemetry data to VMware.  vSphere Health works in conjunction with the Customer Experience Improvement Program (CEIP) to send anonymous data to VAC for analysis which in turn provides the assessment within the vSphere Client.

New to vSphere Health in vSphere 6.7 Update 2 are Categories and Alarms. Alarms are generated when a new issue is detected in vSphere. vSphere Health alarms can be set to Acknowledge or Reset to Green, much like other vCenter Server alarms.

Health checks are now grouped into one of four health categories: Online Availability, Compute, Network, and Storage.  This new grouping feature not only allows for a simple, organized view of all vSphere Health checks but also aligns with the goal of improving the overall organization of vSphere Health as more health checks are introduced.

We will now review how to use this feature in vSphere 6.7 Update 2.


vSphere Client Plug-ins


Managing and monitoring the deployment of vSphere client plug-ins has become easier with the release of vSphere 6.7 Update 2.  Prior to this release, troubleshooting client plug-in errors would require admins to review logs to determine the root cause of the issue.  

The deployment state of a client plug-in can now be easily viewed from the vSphere Client.  This improves the visibility and transparency of the plug-in installation workflow by reporting plug-in errors, incompatibility information, and possible remediation steps all in the Client Plug-ins UI.  Access this interface by selecting Administration from the Menu, then select Client Plug-Ins under Solutions.

Check out the video on the next page for more information!


 

Video - vSphere Client Plug-ins (3:02)

 

Content Library Improvements


Content libraries are container objects for VM templates, vApp templates, and other types of files.  Customers can use the templates in the library to deploy virtual machines and vApps in the vSphere inventory. Sharing templates and files across multiple vCenter Server instances in the same or different locations allows for consistency, compliance, efficiency, and automation in deploying workloads at scale.

The Content Library service now supports virtual machine (.vmtx) templates which allows users to deploy a virtual machine from native VM templates.  Open Virtual Appliance (OVA) files are also supported in a Content Library. The OVA files are unzipped during the import, providing manifest and certificate validations, and create an OVF library item that enables deployment of virtual machines from a Content Library.

vCenter Server 6.7 Update 2 continues to add new functionality when utilizing the Content Library.  Syncing of native VM templates between Content Libraries is now available when vCenter Server is configured for Enhanced Linked Mode. Published libraries can now become subscriber-aware, allowing newly published items to replicate to other subscribed Content Libraries.

The Publish option is available when viewing the VMTX template or from the Subscriptions tab of the local library. Publishing from the local library will sync the VM template to the selected Subscriber Libraries.

See how you can use subscriptions to distribute VM templates in the video below.


 

Video - Using Subscriptions to Distribute VM Templates to a Subscriber (4:00)

 

Conclusion


vSphere 6.7 Update 2 builds on the technological innovation delivered by vSphere 6.5, and elevates the customer experience to an entirely new level. It provides exceptional management simplicity, operational efficiency, and faster time to market, all at scale.

vSphere 6.7 Update 2 delivers an exceptional experience for the user with an enhanced vCenter Server Appliance (vCSA). It introduces several new APIs that improve the efficiency and experience to deploy vCenter, to deploy multiple vCenters based on a template, to make management of vCenter Server Appliance significantly easier, as well as for backup and restore. It also significantly simplifies the vCenter Server topology through vCenter with embedded platform services controller in enhanced linked mode, enabling customers to link multiple vCenters and have seamless visibility across the environment without the need for an external platform services controller or load balancers.

Moreover, with vSphere 6.7 vCSA delivers phenomenal performance improvements:

These performance improvements ensure a blazing fast experience for vSphere users, and deliver significant value, as well as time and cost savings in a variety of use cases, such as VDI, Scale-out apps, Big Data, HPC, DevOps, distributed cloud native apps, etc.

vSphere 6.7 Update 2 improves efficiency at scale when updating ESXi hosts, significantly reducing maintenance time by eliminating one of two reboots normally required for major version upgrades (Single Reboot). In addition to that, vSphere Quick Boot is a new innovation that restarts the ESXi hypervisor without rebooting the physical host, skipping time-consuming hardware initialization.

Another key component that allows vSphere 6.7 Update 2 to deliver a simplified and efficient experience is the graphical user interface itself. The HTML5-based vSphere Client provides a modern user interface experience that is both responsive and easy to use. With vSphere 6.7 Update 2, it includes added functionality to support not only the typical workflows customers need but also other key functionality like managing NSX, vSAN, VUM as well as third-party components.


 

You've finished Module 2!

 

Congratulations on completing Module 2!

To review more info on the new management features please use the links below:

Proceed to any module below which interests you most.

 

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 3 - Comprehensive Built-in Security (60 minutes)

Introduction


vSphere 6.7 Update 2 builds on the security capabilities in vSphere 6.5 and leverages its unique position as the hypervisor to offer comprehensive security that starts at the core, via an operationally simple policy-driven model.

This module will highlight:
•    Support for TPM 2.0 for ESXi – Ensures hypervisor integrity and enables remote host attestation.
•    Virtual TPM 2.0 – Provides the necessary support for guest operating system security features while retaining operational features such as vMotion and disaster recovery.
•    Enhanced VM Encryption and Cross-vCenter encrypted vMotion – Secures against unauthorized data access both at rest and in motion, across the hybrid cloud
•    Support for VBS – Supports Windows 10 and Windows 2016 security features, like Credential Guard, on vSphere.
•    New Security Features in vSphere 6.7 Update 2

 


Support for New Security Technologies


The goals of security in vSphere 6.7 Update 2 are twofold: to introduce more easy-to-use security features, and to meet requirements set by customers, IT, and security teams. With vSphere 6.7 Update 2, we have achieved both goals. Let's dive into some of the new features and changes.  vSphere 6.7 Update 2 includes support for the latest security features on the market.


 

TPM 2.0 Support for ESXi

TPM (Trusted Platform Module) is a device on your laptop, desktop or server system. It is used to store encrypted data (keys, credentials, hash values). TPM 1.2 support has been around for many years on ESXi but was primarily used by partners. TPM 2.0 is not backwards compatible with 1.2 and required all new device drivers and API development. The Trusted Computing Group has a great overview on what a TPM is and does.

ESXi's use of TPM 2.0 builds upon our work in 6.5 with Secure Boot. We validate that the system has booted with Secure Boot enabled and we take measurements and store them in the TPM. vCenter reads those measurements and compares them with values reported by ESXi itself. If the values match, then the host has booted with Secure Boot enabled and all the good stuff such as only running signed code and the inability to install unsigned code is assured. vCenter will provide an attestation report in the vCenter web client showing you the status of each host.

 

 

Video - ESXi and TPM 2.0 (2:13)

 

 

Virtual TPM 2.0 for VMs

In order to support TPMs for virtual machines our engineers created a virtualized TPM 2.0 device. It shows up in Windows as a normal TPM 2.0 device. Like a physical TPM, it can do crypto operations and store credentials. But how do we secure data stored IN the virtual TPM? We write that data to the VM's .nvram file and secure that file with VM Encryption. This keeps the data in the vTPM secured, and it travels with the VM. If I copy that VM to another datacenter and that datacenter is not configured to talk to my KMS, then the data in that vTPM remains protected, because it cannot be decrypted without the key. All the same VM Encryption rules apply.

Note: Only VM home files are encrypted, not VMDKs unless you choose to encrypt them.

Why didn't we use the hardware TPM?

A hardware TPM has many limitations. It is a serial device so it's slow. It has a secured nvram storage size measured in bytes. It's not designed for accommodating 100+ VMs on a host. It won't be able to store all their TPM data on the physical TPM. It would need a scheduler for the crypto operations it does. Imagine 100 VMs trying to encrypt something and depending on a serial device that can only do one at a time?

Even if I could physically store the data, consider a vMotion. I would have to securely remove the data from one physical TPM and copy it to another, and re-sign the data with the new TPM's keys. All of these actions are very slow in practice and fraught with additional security issues and requirements.

Note: In order to run virtual TPMs, you will need VM Encryption. That means you will need a 3rd party key management infrastructure in place. 

 

 

Support for Microsoft Virtualization Based Security

Back in 2015, Microsoft introduced Virtualization Based Security (VBS). We have worked very closely with Microsoft to provide support for these features in vSphere 6.7 Update 2. Let's do a quick overview of what is going on behind the scenes to make this happen.

When you enable VBS on your laptop running Windows 10 the system will reboot and instead of booting Windows 10 directly the system will boot Microsoft's hypervisor. For vSphere, this means the virtual machine that was running Windows 10 directly is now running Microsoft's hypervisor which is now running Windows 10. This is called nested virtualization and it is something that VMware has a HUGE amount of experience with. We have been using nested virtualization in our Hands-On Labs for years.

When you enable VBS at the vSphere level, that one checkbox turns on a number of features.

What this will NOT do is enable VBS within the VM's guest OS. For that, you would follow Microsoft guidance. This can be done with PowerShell scripts, Group Policies, etc.

The point is that vSphere's role is to provide the virtual hardware to support enablement of VBS. Combined with a virtual TPM, you can now enable VBS and turn on features such as Credential Guard.
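As an added example (not part of this lab manual or VMware's own tooling), the following PowerShell checks the two halves the text separates: the virtual hardware vSphere must provide (UEFI, Secure Boot, nested virtualization, vTPM, encrypted VM home, the VBS flag), read through PowerCLI from an already-connected session, and whether the Windows guest actually reports VBS and Credential Guard running, read through the Device Guard WMI class inside the guest. The VM and vCenter names are placeholders, and PowerCLI is assumed to be installed on the workstation.

```powershell
# Added example: VBS / vTPM prerequisite check. Not from the HOL manual or VMware.
# Assumes VMware PowerCLI is installed and Connect-VIServer has already been run
# against the vCenter that manages the VM.

function Test-VbsVmConfig {
    param([Parameter(Mandatory)][string]$VmName)

    $vm  = Get-VM -Name $VmName -ErrorAction Stop
    $cfg = $vm.ExtensionData.Config          # VirtualMachineConfigInfo from the vSphere API

    # A virtual TPM appears as a VirtualTPM device in the VM's hardware list.
    $vtpm = $cfg.Hardware.Device | Where-Object { $_.GetType().Name -eq 'VirtualTPM' }

    $vbsEnabled   = [bool]$cfg.Flags.VbsEnabled                 # the single "VBS" checkbox
    $efi          = ($cfg.Firmware -eq 'efi')                   # VBS requires UEFI firmware ...
    $secureBoot   = [bool]$cfg.BootOptions.EfiSecureBootEnabled # ... with Secure Boot
    $nestedHV     = [bool]$cfg.NestedHVEnabled                  # Microsoft's hypervisor runs nested
    $hasVtpm      = ($null -ne $vtpm)
    $homeEncrypted = ($null -ne $cfg.KeyId)                     # vTPM data lives in the encrypted VM home

    [pscustomobject]@{
        VM              = $vm.Name
        VbsEnabled      = $vbsEnabled
        EfiFirmware     = $efi
        SecureBoot      = $secureBoot
        NestedHV        = $nestedHV
        HasVirtualTPM   = $hasVtpm
        VmHomeEncrypted = $homeEncrypted
        # Ready only when every prerequisite the lesson describes is in place.
        Ready           = ($vbsEnabled -and $efi -and $secureBoot -and
                           $nestedHV -and $hasVtpm -and $homeEncrypted)
    }
}

function Get-GuestVbsStatus {
    # Run INSIDE the Windows 10 / Windows Server 2016 guest. Reads the Device Guard
    # WMI class Microsoft documents for VBS state:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
    }
}

# From the admin workstation (placeholder vCenter and VM names):
#   Connect-VIServer -Server vcsa-01a.corp.local
#   Test-VbsVmConfig -VmName 'win10-vbs-01' | Format-List
# Inside the guest:
#   Get-GuestVbsStatus
```

A VM can report Ready from the vSphere side and still show VbsRunning false in the guest, which is exactly the split the text describes: the guest-side enablement is a separate Microsoft step.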

 

VM Encryption


VMware vSphere® virtual machine encryption (VM encryption) is a feature introduced in vSphere 6.5 to enable the encryption of virtual machines. VM encryption provides security to VMDK data by encrypting I/Os from a virtual machine (which has the VM encryption feature enabled) before it gets stored in the VMDK.


 

How to Enable VM Encryption for vSphere 6.7

Creating an encrypted virtual machine is faster and uses fewer storage resources than encrypting an existing virtual machine. Encrypt the virtual machine as part of the creation process if possible.  

Prerequisites

Procedure

  1. Connect to vCenter Server by using the vSphere HTML 5 Client.
  2. Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
  3. Right-click the object, select New Virtual Machine > New Virtual Machine, and follow the prompts to create an encrypted virtual machine.

 

 

 

Enabling VM Encryption

Check out this video to see how you enable VM encryption on a VM in vSphere 6.7

 

Configure Hytrust KMS Server in vCenter Server


In this lesson, we will add two HyTrust KMS servers, which allow us to encrypt virtual machines as well as use encrypted vMotion. Without a trust established between the vCenter Server and a KMS server, we would not be able to take advantage of the new vSphere 6.7 encryption capabilities.


 

Launch Google Chrome

 

If Google Chrome is not already open, perform the following step, otherwise skip this step:

  1. Click the Google Chrome icon on the Quick Launch bar.

 

 

RegionA

 

If you are opening a new Google Chrome browser window, do the steps below; otherwise, you can skip this step:

  1. Click on the RegionA folder in the Bookmark Toolbar.
  2. Then click on RegionA vSphere Client (HTML).

 

 

Log into RegionA vCenter Server

 

If already logged into the RegionA vCenter server, you can skip the below steps. If you aren't, complete the following steps:

  1. Click the checkbox to the left of "Use Windows session authentication". (Note: If the checkbox is greyed out, refresh the browser)
  2. Click on the Login button.

 

 

Menu Drop-down

 

  1. Click on the Menu drop-down icon at the top of the screen.
  2. Then select Global Inventory Lists from the Menu drop-down menu.

 

 

Select vCenter Server

 

  1. Click on vCenter Servers from the Global Inventory List.

 

 

vcsa-01a.corp.local

 

  1. Click on the vcsa-01a.corp.local vCenter Server.

 

 

Add HyTrust Key Manager (KMS) Server

 

In order to use any type of encryption in vSphere, we must first have a Key Management Server (KMS) up and running. Then we have to add at least one KMS server to vCenter Server and configure the trust relationship between the KMS and vCenter Server. So the first thing we need to do is add a KMS server to vCenter. Perform the following tasks to accomplish this:

  1. Click on the Configure tab in the content pane.
  2. Click on Key Management Servers under the More category.
  3. Click ADD in the content pane to add a KMS server.

 

 

vcsa-01a.corp.local - Add KMS

 

  1. Type HOL-KMS-01a in the New cluster name text field.
  2. Type kms-01a in the Server name text field.
  3. Type kms-01a.corp.local in the Server address text field.
  4. Then type 5696 in the Server port text field.
  5. Now click the ADD button.

 

 

kms-01a.corp.local - Trust

 

  1. Click on the TRUST button in the Make vCenter Trust KMS pop-up window.

 

 

Make KMS Trust vCenter

 

We see that the Connection State column for the HyTrust KMS server is still empty, so at this point we need to finish setting up the trust between the vCenter server and the HyTrust KMS server.

To create the trust relationship between the HyTrust KMS Server and the vCenter server:

  1. Select the radio button next to the kms-01a KMS server name.
  2. Click on the MAKE KMS TRUST VCENTER link.

 

 

KMS Certificate and Private Key

 

  1. Select the radio button next to KMS certificate and private key.  
  2. Click on the NEXT button.

 

 

Import KMS Certificate and Private Key

 

  1. Click on the Upload file button at the top half of the pop-up window.

 

 

Select Certificate

 

We have already downloaded this certificate PEM file from the HyTrust KMS server web interface.

  1. Browse to the following path "C:\labfiles\HOL-2011\KMIPvcsa01a\"
  2. Select the KMIPvcsa01a.pem file.
  3. Click on the Open button.

NOTE:  Make sure that you selected the KMIPvcsa01a.pem file from the KMIPvcsa01a folder and not from the KMIPvcsa01b folder!

 

 

Upload Certificate

 

  1. Click on the Upload file button.

 

 

Select Certificate

 

We have already downloaded this certificate PEM file from the HyTrust KMS server web interface.

  1. Browse to the following path "C:\labfiles\HOL-2011\KMIPvcsa01a\"
  2. Select the KMIPvcsa01a.pem file.
  3. Click on the Open button.

NOTE:  Make sure that you selected the KMIPvcsa01a.pem file from the KMIPvcsa01a folder and not from the KMIPvcsa01b folder!

 

 

Establish Trust

 

  1. Click on the ESTABLISH TRUST button.

 

 

Confirm Trust and Connection Status

 

To validate a trust relationship has been established between the HyTrust KMS Server and the vCenter server:

  1. Verify that the HyTrust KMS server shows a status of Connected in the Connection State column and Valid in the vCenter Certificate Status column.

 

 

Configure HyTrust KMS Server in vCenter Server - Complete

You have completed the first lesson "Configure HyTrust KMS Server in vCenter Server" in this module!

We have completed this lesson of adding a HyTrust KMS server and creating the associated trusts between it and the vCenter server.

 

Encrypt VMs Using HyTrust KMS Server


In this lesson, we will encrypt a virtual machine using a HyTrust KMS server that is already installed. We will use the vSphere Web Client (HTML5) to do the encrypting and decrypting of the virtual machine.


 

Menu Drop-down

 

Let's first look at the Policies and Profiles section of vCenter to see the default VM Encryption Policies:

  1. Click on the Menu icon at the top of the page.
  2. Select Policies and Profiles from the Menu drop-down.

 

 

Default VM Encryption Policies

 

  1. Click on VM Storage Policies from the Navigation pane.
  2. We see that there are already (2) VM Encryption Policies, one on each of the vCenter servers by default.

NOTE: Although VMware creates default VM Encryption Policies automatically, you can also create your own policies if you wish.

 

 

Default Encryption Properties

 

  1. Click on the Storage Policy Components in the Navigation pane.
  2. We see both Default encryption properties components listed, one for each vCenter server.
  3. We also see a description in the bottom of the Content pane.

 

 

Menu Drop-down

 

At this point, let's return to the Hosts and Clusters view so we can start the process of encrypting the core-01a virtual machine:

  1. Click on the Menu icon at the top of the page.
  2. Select Hosts and Clusters from the Menu drop-down.

 

 

Select core-01a

 

We are now going to encrypt the core-01a virtual machine. To do this, perform the following steps:

  1. Right-click on the core-01a virtual machine in the left Navigation Pane.
  2. Click on VM Policies from the drop-down menu.
  3. Then click on Edit VM Storage Policies from the VM Policies drop-down menu.

 

 

core-01a - Edit VM Storage Policies

 

Here we see there are a few default policies that VMware has created already, but we will be selecting the VM Encryption Policy specifically by doing the following:

  1. Click on the arrow in the VM storage policy drop-down menu and select VM Encryption Policy.
  2. Then click on the Configure per disk slider to enable it.

NOTE: In this lab exercise, we are encrypting all the components of the virtual machine. But as we can see, we have the option to select to encrypt just the VM Home folder or the Hard disk 1. In order to encrypt just one item, you must click on the slider in the upper right-hand corner of the window to allow you to select an individual item.

 

 

core-01a - Configure Per Disk

 

We see that once we enabled the Configure per disk option, the VM Home folder and Hard disk 1 are no longer grayed out and we can manage policies individually.

  1. Temporarily click on the drop-down for Hard disk 1 and select VM Encryption Policy. We now see how to individually assign policies for both components of the virtual machine. After reviewing the options, return it to the Datastore Default option.

NOTE: In this lab exercise, we are encrypting all the components of the virtual machine. But as we can see, we have the option to select to encrypt just the VM Home folder or the Hard disk 1.

 

 

core-01a - Edit VM Storage Policies

 

  1. Click on the slider to turn off Configure per disk.
  2. Click on the arrow in the VM storage policy drop-down menu and select VM Encryption Policy if it isn't already selected.
  3. Then click on the OK button.

 

 

core-01a - Verify VM Storage Policy Compliance

 

While still having core-01a selected in the Navigation pane, perform the following steps:

  1. In the content pane for core-01a, use the scroll bar to get to the bottom of the page until you see the VM Storage Policies widget.
  2. If needed, click on the arrow in the upper right-hand corner of the VM Storage Policies widget to open it up.
  3. We should now see that the VM Encryption Policy has been assigned to the virtual machine and is also compliant which is represented by a green check mark.

 

 

core-01a - Not Compliant (if needed)

 

If for any reason the VM Storage Policy widget has no information in it after a minute or two or says that it is not compliant, perform the following step:

  1. Click on the Check Compliance link to update the compliance information.

NOTE: After clicking on the Check Compliance link, the information should update in less than a minute and show Compliant. If the status doesn't change, try refreshing the web browser window. After that, if it still hasn't updated to reflect correctly, raise your hand for assistance either in the Hands On Lab interface or physically raise your hand to get a proctor's attention.

 

 

Select core-01a

 

We are now going to decrypt the core-01a virtual machine. To do this, perform the following steps:

  1. Right-click on the core-01a virtual machine in the left Navigation Pane.
  2. Click on VM Policies
  3. Select Edit VM Storage Policies

 

 

core-01a - Edit VM Storage Policies

 

  1. Click on the arrow in the VM storage policy drop-down menu and select Datastore Default.
  2. Then click on the OK button.

 

 

core-01a - Verify VM Decrypted

 

  1. Click on the Check Compliance link to update the compliance information.
  2. We should now see that the VM Encryption Policy is no longer listed.

NOTE: After clicking on the Check Compliance link, the information should update in less than a few minutes and the VM Storage Policies widget should now be empty. If the status doesn't change, REFRESH the web browser window and recheck the VM Storage Policies widget. If it is still showing an encryption policy, raise your hand for assistance either in the Hands On Lab interface or physically raise your hand to get a proctor's attention.

 

 

Encrypt VM Using HyTrust KMS Server - Complete

In this lesson, we applied the VM Encryption Policy to the core-01a virtual machine using the vSphere Web Client. After we applied the policy, it showed that the virtual machine was compliant with the VM Encryption Policy. Then we went through the same steps to remove the encryption policy from the core-01a virtual machine. Once we completed that task, we could see the VM Storage Policies widget went back to a blank widget. This was the expected behavior and means we successfully removed the encryption from the virtual machine's files.

Using the vSphere Web Client is not the only method of encrypting or decrypting a virtual machine. We can also use PowerCLI commands to perform the same actions on a single virtual machine or on many virtual machines at once, in a more efficient manner. If changing the encryption status of a large number of virtual machines at once, the best practice would be to use the PowerCLI commands to do so.

In an upcoming lesson, we will discuss the use of PowerCLI for the various encryption related tasks in more detail. Also, later in this module, we will actually encrypt and decrypt virtual machines using the PowerCLI commands.
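As an added example that is not part of this lab manual, the following PowerCLI script performs the same policy change that the vSphere Client steps above perform, using the storage-policy cmdlets from the VMware.VimAutomation.Storage module. The names vcsa-01a.corp.local, core-01a and VM Encryption Policy come from this lab; the Set-VmEncryptionPolicy and Get-VmPolicyState functions are this example's own, and passing $null to -StoragePolicy to return the VM to the datastore default is an assumption of this example rather than something the manual states.

```powershell
# Added example, not from the HOL manual: apply or remove the VM Encryption Policy with PowerCLI.
# Assumes PowerCLI with VMware.VimAutomation.Core and VMware.VimAutomation.Storage and the lab's
# object names. vSphere only encrypts powered-off VMs, so power core-01a off first if needed.

Import-Module VMware.VimAutomation.Core, VMware.VimAutomation.Storage
Connect-VIServer -Server vcsa-01a.corp.local -Credential (Get-Credential) | Out-Null

function Get-VmPolicyState {
    # One configuration object for the VM home folder plus one per virtual disk, with the
    # policy currently assigned and the last known compliance state of each entity.
    param([Parameter(Mandatory)] $Vm)
    @(Get-SpbmEntityConfiguration -VM $Vm) +
    @(Get-SpbmEntityConfiguration -HardDisk (Get-HardDisk -VM $Vm)) |
        Select-Object Entity, StoragePolicy, ComplianceStatus
}

function Set-VmEncryptionPolicy {
    param(
        [Parameter(Mandatory)] [string] $VmName,
        # Name of the SPBM policy to apply. Leave empty to return VM home and disks to the
        # datastore default (assumption of this example: a $null policy means "Datastore Default").
        [string] $PolicyName
    )
    $vm     = Get-VM -Name $VmName
    $policy = if ($PolicyName) { Get-SpbmStoragePolicy -Name $PolicyName } else { $null }

    # Applying the same policy to the VM home and every disk is the equivalent of leaving the
    # "Configure per disk" slider switched off in the Edit VM Storage Policies dialog.
    $configs = @(Get-SpbmEntityConfiguration -VM $vm) +
               @(Get-SpbmEntityConfiguration -HardDisk (Get-HardDisk -VM $vm))
    $configs | Set-SpbmEntityConfiguration -StoragePolicy $policy | Out-Null

    # Re-read so the caller sees the new policy and compliance state, like the widget check above.
    Get-VmPolicyState -Vm $vm
}

# Encrypt core-01a (VM home and Hard disk 1) and show the resulting compliance state...
Set-VmEncryptionPolicy -VmName core-01a -PolicyName 'VM Encryption Policy'
# ...then decrypt it again by returning to the datastore default, as the last steps above do.
Set-VmEncryptionPolicy -VmName core-01a
```

The function body is what you would loop over for many VMs; a Get-VM with a wildcard or a list from a CSV file piped into Set-VmEncryptionPolicy replaces the per-VM clicks in the client, which is the efficiency the paragraph above refers to.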

 

Set VM to Encrypted vMotion Mode


In this lesson, we will walk through the steps to set up a virtual machine to use Encrypted vMotion Mode. We will show the process of configuring it from within the vSphere Web Client. However, we will NOT actually be performing a vMotion action in the lab environment due to resource limitations. Not to mention, we can't actually "see" that the virtual machine performs a vMotion action and that it is encrypted.


 

core-01a - Edit Settings

 

  1. Right-click on the virtual machine named core-01a.
  2. Select Edit Settings from the drop-down menu.

NOTE: The list of virtual machines may be slightly different in the lab environment from what is in the screen capture.

 

 

core-01a - VM Options

 

In the following lab steps, we will go through the steps of setting up Encrypted vMotion, but we won't actually go through with completing the steps since we can't actually see that a vMotion action is encrypted. Not to mention, this helps reduce the amount of required resources in the labs.

  1. Click on the VM Options tab in the pop-up window.
  2. Click on the arrow next to Encryption to expand it and show the Encrypt VM and Encrypted vMotion settings.
  3. We see that we can select either None or VM Encryption Policy here, which shows us another way to set the encryption on a virtual machine other than in the Policies and Profiles section.

 

 

core-01a - Encrypted vMotion

 

As a side note, if the virtual machine settings are already set to encrypted, then it will automatically use encrypted vMotion. But we see that we have (3) options for Encrypted vMotion.

  1. Since the VM was previously encrypted, the Encrypted vMotion setting is already set to Required but can be changed.
  2. Click on the CANCEL button since we don't need to actually make the changes since we won't be doing an actual vMotion action.  

 

 

core-01a - Migrate

 

In the next few steps, we won't actually complete the vMotion action since we can't actually see that a vMotion action is encrypted. Not to mention, this helps reduce the amount of required resources in the lab environment.

  1. Right-click on the virtual machine named core-01a.
  2. Select Migrate from the drop-down menu.

 

 

core-01a - Select a Migration Type

 

  1. Keep the default Change compute resource only radio button selected, then click on the NEXT button.

 

 

core-01a - Select a compute resource

 

Currently, the core-01a virtual machine should be on esx-02a.corp.local, so we would migrate it to esx-01a.corp.local.

  1. Select the esx-01a.corp.local host to migrate to.
  2. Verify it says Compatibility checks succeeded under Compatibility.
  3. Then click on the Next button.

 

 

core-01a - Select Networks

 

  1. Verify it says Compatibility checks succeeded under Compatibility.
  2. Keep the default network selected and click on the Next button.

 

 

core-01a - Ready to Complete

 

NOTE:  We are not actually performing the vMotion action, for the reasons given at the start of this lesson.

To finish the last step:

  1. We would then review the information to ensure all of the selections we selected are correct.
  2. Since this is a lab environment, select the CANCEL button so we don't initiate the vMotion task. Normally we would select the Finish button in a true production environment.  

 

 

Set VM to Encrypted vMotion Mode - Complete

That completes this lesson on setting virtual machines to enable encrypted vMotion. We learned that, whether or not a virtual machine is already encrypted, its migration data can be encrypted on the source host and then decrypted on the destination host. We also learned that Encrypted vMotion requires no additional settings when the virtual machine is already encrypted. However, when the virtual machine is not encrypted already, we can manually select to encrypt just the vMotion from one host to another if we wish.
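The Encrypted vMotion setting shown in the Edit Settings dialog above is the migrateEncryption property of the virtual machine's configuration in the vSphere API, with the same three values. As an added example that is not part of this lab manual, the following PowerCLI functions read and set it without opening the client; they assume a PowerCLI session already connected to vcsa-01a.corp.local and the lab VM core-01a, and the function names are this example's own.

```powershell
# Added example, not from the HOL manual: read and set the Encrypted vMotion mode of a VM
# through the vSphere API objects that PowerCLI exposes with Get-View.
# Assumes Connect-VIServer has already been run against vcsa-01a.corp.local.

function Get-VmMigrateEncryption {
    param([Parameter(Mandatory)] [string] $VmName)
    $view = Get-View -ViewType VirtualMachine -Filter @{ Name = "^$VmName$" }
    [pscustomobject]@{
        Name              = $view.Name
        # A keyId is present only when the VM home is encrypted (the "Encrypt VM" setting above).
        VmHomeEncrypted   = $null -ne $view.Config.KeyId
        # disabled | opportunistic | required, the three options listed in the dialog.
        MigrateEncryption = $view.Config.MigrateEncryption
    }
}

function Set-VmMigrateEncryption {
    param(
        [Parameter(Mandatory)] [string] $VmName,
        [Parameter(Mandatory)] [ValidateSet('disabled', 'opportunistic', 'required')]
        [string] $Mode
    )
    $view = Get-View -ViewType VirtualMachine -Filter @{ Name = "^$VmName$" }
    # Only the migrateEncryption field is set; every other field of the spec stays unset, so the
    # reconfigure changes nothing else. An encrypted VM always migrates encrypted regardless of
    # this value, as the lesson above notes.
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.MigrateEncryption = $Mode
    $view.ReconfigVM($spec)   # synchronous reconfigure; the task shows up in Recent Tasks
    Get-VmMigrateEncryption -VmName $VmName
}

Get-VmMigrateEncryption -VmName core-01a
# "required" makes a vMotion fail rather than fall back to clear text if the hosts cannot
# negotiate encryption, which is the setting to audit for VMs that carry sensitive data.
Set-VmMigrateEncryption -VmName core-01a -Mode required
```

Piping Get-View -ViewType VirtualMachine over the whole inventory and selecting Config.MigrateEncryption gives a quick report of which unencrypted VMs are still on the opportunistic default.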

 

Configure Windows 10 for VBS


In this lesson, we will show how to enable Virtualization-Based Security (VBS) on a Windows 10 virtual machine.


 

Launch Google Chrome

 

If Google Chrome is not already open, perform the following step; otherwise, you can skip it:

  1. Click the Google Chrome icon on the Quick Launch bar.

 

 

RegionA

 

If you are opening a new Google Chrome browser window, perform the steps below; otherwise, you can skip them:

  1. Click on the RegionA folder in the Bookmark Toolbar.
  2. Then click on RegionA vSphere Client (HTML).

 

 

Log into RegionA vCenter Server

 

If you are still logged into the RegionA vCenter server, you can skip this step. Otherwise, complete the below steps:

  1. Click the checkbox next to "Use Windows session authentication".
  2. Then click the Login button.

 

 

Hosts and Clusters

 

  1. Click on the Hosts and Clusters icon in the Navigation pane.
  2. If need be, click on the arrow next to vcsa-01b.corp.local vCenter server and expand everything until you see the list of virtual machines.  

 

 

win10 - Power Off

 

  1. Right-click on the win10 virtual machine in the Navigation pane.
  2. Click on Power from the drop-down menu.
  3. Then click on Power Off from the Power drop-down menu.

 

 

win10 - Confirm Power Off

 

  1. Click on the YES button in the pop-up window to confirm power off.

 

 

win10 - Edit Settings

 

  1. Right-click on the win10 virtual machine in the Navigation pane.
  2. Then click on Edit Settings.

 

 

win10 - Enable Secure Boot

 

We are now going to verify that Secure Boot is enabled for the win10 virtual machine. If it isn't, make sure you select the check box to enable Secure Boot.

  1. Click on VM Options in the Edit Settings window.
  2. Expand Boot Options.
  3. Click on the Enabled check box to enable Secure Boot.
  4. Click OK.

 

 

win10 - Power On

 

  1. Right-click on the win10 virtual machine in the Navigation pane.
  2. Click on Power from the drop-down menu.
  3. Then click on Power On from the Power drop-down menu.

 

 

win10 - VMs

 

  1. Click on the VMs and Templates icon in the Navigation pane.
  2. Click on the vcsa-01b.corp.local vCenter server in the Navigation pane.
  3. Then click on the VMs tab in the Content pane.

 

 

win10 - Show/Hide Columns

 

  1. Click on the down-arrow in the column heading.
  2. Click on the Show/Hide Columns.
  3. Then scroll all the way to the bottom of the list using the scroll bar.
  4. Check the box to enable the TPM and VBS columns.
  5. Click anywhere in the blank area to get rid of the drop-down menu so you can see the TPM column now.

 

 

win10 - VBS Column

 

  1. We now see that in the VBS column the win10 virtual machine reflects it is Not Present.

 

 

win10 - Launch Web Console

 

  1. Click on the Hosts and Clusters icon in the Navigation pane.
  2. Click on the win10 virtual machine in the Navigation pane.
  3. Click on the Summary tab.
  4. Then click on the Launch Web Console link to open a console window for the virtual machine.

 

 

win10 - Launch Console

 

  1. Click "OK" to launch the Web Console.

 

 

win10 - Desktop

 

  1. Click anywhere on the desktop to bring up the Login screen.

 

 

win10 - Login

 

  1. Type in VMware1! for the Password text field.
  2. Then click on the arrow icon to log into the virtual machine.

 

 

win10 - Launch PowerShell (Admin)

 

  1. Right-click on the Windows icon in the lower left-hand corner of the desktop.
  2. Then click on Windows PowerShell (Admin) in the menu.

 

 

PowerShell - Set-ExecutionPolicy

 

We first need to set the execution policy so that we can run the DG_Readiness_Tool_v3.5.ps1 script.

  1. Type the following command in the PowerShell window to change the execution policy.
Set-ExecutionPolicy Unrestricted
  2. When prompted to confirm the change, type the following to answer Yes to All.
A

 

 

PowerShell - Change Directory & Run Script

 

  1. Type the following command in the PowerShell window to change to the tool's directory.
cd C:\DG_Readiness_Tool_v3.5\
  2. Type the following command in the PowerShell window to run the DG Readiness Tool script.
./DG_Readiness_Tool_v3.5.ps1 -Capable -DG -CG -HVCI

 

 

PowerShell - Script Output

 

  1. We see from the output of the DG Readiness Tool script that Secure Boot is enabled for the win10 virtual machine. This is a requirement for enabling VBS.
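The readiness script reads the same state that Windows itself exposes. As an added example that is not part of this lab manual or of the DG Readiness Tool, the following function checks the Secure Boot and VBS prerequisites with only built-in Windows cmdlets, so it can be run on the win10 guest (or any other guest) after the steps above without copying a script onto it. It assumes an elevated PowerShell session, as opened in the previous steps; the Get-VbsStatus function name is this example's own.

```powershell
# Added example, not from the HOL manual: report the Secure Boot and VBS state of this guest.
# Assumes an elevated Windows PowerShell session (Confirm-SecureBootUEFI requires it).

function Get-VbsStatus {
    # Win32_DeviceGuard is the WMI class Windows uses to report Device Guard / VBS state.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "not UEFI / no Secure Boot".
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }

    # Documented code values for Win32_DeviceGuard:
    #   AvailableSecurityProperties:       1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        UefiSecureBoot      = [bool] $secureBoot
        HypervisorSupported = $dg.AvailableSecurityProperties -contains 1
        SecureBootReported  = $dg.AvailableSecurityProperties -contains 2
        DmaProtection       = $dg.AvailableSecurityProperties -contains 3
        VbsRunning          = $dg.VirtualizationBasedSecurityStatus -eq 2
        CredentialGuard     = $dg.SecurityServicesRunning -contains 1
        Hvci                = $dg.SecurityServicesRunning -contains 2
    }
}

Get-VbsStatus | Format-List
```

UefiSecureBoot and HypervisorSupported are the two values that must be true before VBS can run inside the VM; VbsRunning, CredentialGuard and Hvci show what is actually active after the guest has been configured and rebooted, which is what the VBS column in the vSphere Client does not tell you.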

 

 

Configure Windows 10 for VBS - Complete

In this lesson, we verified in the win10 virtual machine's settings that EFI firmware, Secure Boot, and Virtualization-Based Security (VBS) were enabled.

 

FIPS 140-2 Validated Cryptographic Modules by Default


Within vSphere (vCenter Server and ESXi) systems, two modules are used for cryptographic operations. The VMware Kernel Cryptographic Module is used by the VM Encryption and Encrypted vSAN features; the OpenSSL module is used for functions such as certificate generation and TLS connections. These two modules have passed FIPS 140-2 validation. Customers have asked whether vSphere is FIPS Certified. FIPS Certified applies to a full solution of hardware and software that is tested and configured together. VMware has made it much easier for our partners to certify vSphere systems for FIPS operations. Cryptographic operations in vSphere systems are performed using the highest standards because all FIPS 140-2 cryptographic operations are enabled by default.


Conclusion


vSphere 6.7 Update 2 enables organizations to implement new security features and makes it easier to comply with regulatory requirements and secure your environment from threats.  Please check out the lab HOL-2011-03-SDC - vSphere Security - Getting Started for a deeper dive into all the new features.


 

You've finished Module 3!

 

Congratulations on completing Module 3!

To review more info on the security features please use the links below:

Proceed to any module below which interests you most.

 

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 4 - Universal Application Platform (15 minutes)

Introduction


vSphere 6.7 Update 2 is a universal application platform that supports new workloads (including 3D Graphics, Big Data, HPC, Machine Learning, In-Memory, and Cloud-Native) as well as existing mission critical applications. It also supports and leverages some of the latest hardware innovations in the industry, delivering exceptional performance for a variety of workloads.

This module will highlight:
•    Enhancements for Nvidia GRID™ vGPUs – Improves host lifecycle management and reduces end-user disruption.
•    vSphere Persistent Memory – Significantly enhances performance for existing and new apps.
•    vSphere Integrated Containers 1.3 – Delivers the easiest way to bring containers to an existing vSphere environment.
•    Instant Clone – Reduces provisioning times, especially beneficial for scale-out applications.


NVIDIA Grid: Optimize GPU Usage For VM on vSphere 6.7 Servers


Learn how to optimize GPU usage for virtual machines on vSphere Servers. When you enable 3D graphics, you can select a hardware or software graphics renderer and optimize the graphics memory allocated to the virtual machine. You can increase the number of displays in multi-monitor configurations and change the video card settings to meet your graphics requirements.


 

Video - Optimize GPU Usage (3:24)

 

Persistent Memory


With vSphere Persistent Memory, customers using supported server hardware can get the benefits of ultra-high-speed storage: DRAM-like speeds at flash-like prices. The following diagram shows the convergence of memory and storage.

 

Technology at the top of the pyramid (comprised of DRAM and the CPU cache and registers) has the shortest latency (best performance), but this comes at a higher cost relative to the items at the bottom of the pyramid. All of these components are accessed directly by the application, also known as load/store access.

Technology at the bottom of the pyramid, represented by magnetic media (HDDs and tape) and NAND flash (represented by SSDs and PCIe workload accelerators), has longer latency and lower cost relative to the technology at the top of the pyramid. These technology components use block access, meaning data is typically communicated in blocks and the application does not access them directly.

PMEM is a new layer called Non-Volatile Memory (NVM) and sits between NAND flash and DRAM, providing faster performance relative to NAND flash but also providing the non-volatility not typically found in traditional memory offerings. This technology layer provides the performance of memory with the persistence of traditional storage.

Enterprise applications can be deployed in virtual machines which are exposed to PMEM datastores. PMEM datastores are created from NVM storage attached locally to each server. Performance benefits can then be attained as follows:

Applications deployed on PMEM-backed datastores can benefit from live migration (VMware vMotion) and VMware DRS; this is not possible with PMEM in physical deployments.


 

Remote Direct Memory Access

vSphere 6.7 Update 2 introduces new protocol support for Remote Direct Memory Access (RDMA) over Converged Ethernet, or RoCE (pronounced "rocky") v2, a new software Fibre Channel over Ethernet (FCoE) adapter, and iSCSI Extensions for RDMA (iSER). These features enable customers to integrate with even more high-performance storage systems, providing more flexibility to use the hardware that best complements their workloads.

RDMA support is enhanced with vSphere 6.7 Update 2 to bring even more performance to enterprise workloads by leveraging kernel and OS bypass reducing latency and dependencies. This is illustrated in the diagram below.

 

When virtual machines are configured with RDMA in pass-through mode, the workload is basically tied to a physical host with no DRS capability, i.e. no ability to vMotion. However, customers who want to harness the power of vMotion and DRS and still experience the benefits of RDMA, albeit at a very small performance penalty, can do so with paravirtualized RDMA (PVRDMA). With PVRDMA, applications can run even in the absence of a Host Channel Adapter (HCA) card. RDMA-based applications can be run in ESXi guests while ensuring virtual machines can be live migrated.

Use cases for this technology include distributed databases, financial applications, and Big Data.

 

 

Summary

vSphere 6.7 continues to showcase VMware's technological leadership and collaboration with our partners by adding support for a key industry innovation to significantly enhance performance for existing and new apps.

 

 

Video - vSphere Persistent Memory (2:43)

 

vSphere Integrated Containers


vSphere Integrated Containers enables IT teams to seamlessly run traditional workloads and container workloads side-by-side on existing vSphere infrastructure.

The solution is delivered as an appliance, that comprises the following major components:

All components run on Photon OS 2.0. These components currently support the Docker image format. vSphere Integrated Containers is entirely Open Source and free to use!

For an introduction to containers, Docker, and container registries, watch the videos on the VMware Cloud-Native YouTube Channel.


Cloning a Virtual Machine with Instant Clone


You can use the Instant Clone technology to create powered on virtual machines from the running state of another powered on virtual machine. The result of an Instant Clone operation is a new virtual machine that is identical to the source virtual machine. With Instant Clone you can create new virtual machines from a controlled point in time. Instant cloning is very convenient for large scale application deployments because it ensures memory efficiency and allows for creating numerous virtual machines on a single host.

The result of an Instant Clone operation is a virtual machine that is called a destination virtual machine. The processor state, virtual device state, memory state, and disk state of the destination virtual machine are identical to those of the source virtual machine. To avoid network conflicts, you can customize the virtual hardware of the destination virtual machine during an Instant Clone operation. For example, you can customize the MAC addresses of the virtual NICs or the serial and parallel port configurations of the destination virtual machine. vSphere 6.7 does not support customization of the guest OS of the destination virtual machine. For information about manual guest OS customization, see the vSphere Web Services SDK Programming Guide.

During an Instant Clone operation, the source virtual machine is stunned for a short period of time, less than 1 second. While the source virtual machine is stunned, a new writable delta disk is generated for each virtual disk and a checkpoint is taken and transferred to the destination virtual machine. The destination virtual machine then powers on by using the source's checkpoint. After the destination virtual machine is fully powered on, the source virtual machine also resumes running.

Instant Cloned virtual machines are fully independent vCenter Server inventory objects. You can manage Instant Cloned virtual machines like regular virtual machines without any restrictions.


 

Video - Instant Clone (1:05)

 

Conclusion


vSphere 6.7 Update 2 further improves the support and capabilities introduced for graphics processing units (GPUs) through the VMware collaboration with NVIDIA. Persistent Memory and Instant Clone technology allow for a universal application platform that supports new workloads and leverages hardware innovations for enhanced performance.


 

You've finished Module 4!

 

Congratulations on completing Module 4!

To review more info on the features covered in this module, please use the links below.

Proceed to any module below which interests you most.

 

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 5 - Seamless Hybrid Cloud Experience (15 minutes)

Introduction


This module is a brief overview module of newly enabled VMware Cloud on AWS capabilities of vSphere 6.7 Update 2.

With the fast adoption of vSphere-based public clouds through VMware Cloud Provider Program partners, VMware Cloud on AWS, and other public cloud providers, VMware is committed to delivering a seamless hybrid cloud experience for customers. 

This module will highlight:
•    Hybrid Linked Mode – Enables easy adoption of new public cloud capabilities with unified visibility, without disrupting or burdening on-premises environments.
•    Cold and Hot Migration – Enhances ease of management across the hybrid cloud.
•    Per-VM EVC – Enables seamless migration of VMs between data centers and the cloud.
•    Cross-vCenter Mixed Version Provisioning – Simplifies provisioning across hybrid cloud environments.



 

Video - Seamless Hybrid Cloud Experience (1:53)

 

Migrating Virtual Machines from vCenter to vCenter


Cross vCenter vMotion

The use of Cross vCenter vMotion (x-vC-vMotion) allows for migration of VMs between vCenters that are in the same or different data centers. This feature allows administrators to easily move VMs between vCenters without downtime. The vCenters can be in the same data center or in another data center with no more than 150 milliseconds of latency between the data centers.

Requirements for Migration Between vCenter Server Instances


 

Open Chrome Browser from Windows Quick Launch Task Bar

 

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Log in to the vCenter Server

 

Log in to the RegionA vCenter

  1. Click on the RegionA folder in the Bookmark toolbar.
  2. Click on RegionA vSphere Client (HTML) link in the bookmark toolbar.
  3. Check the Use Windows session authentication check box.
  4. Click the Login button.

 

 

Gain screen space in Chrome by zooming out

 

  1. Select the Options menu in Chrome.
  2. Click the '-' button to zoom out to 90%

    Note that this will provide more viewing space while still allowing you to read the text. This is necessary because of the lower than normal resolution we must use in the lab environment to support various devices and to accommodate large-scale events.

 

 

Navigate to Hosts and Clusters

 

  1. Click on the Menu icon
  2. Select Hosts and Clusters

 

 

Make sure the VM to be Migrated is Running

 

As you work through this lab, you will notice there are two vCenters. We will vMotion a running VM between these two vCenters as part of this lab. If it is not already running, start the "core-01a" VM by performing the following steps:  

  1. Expand the navigation tree in the left pane exposing all of the virtual machines, and check to see if the core-01a is running (it will have a green arrow on the icon if it is). If it is running, skip the rest of the steps below. If it is not running, please go through the steps below.
  2. Right click core-01a.
  3. Hover over Power.
  4. Select Power On.

 

 

Start the Migration Wizard

 

  1. Right click core-01a.
  2. Select Migrate from the context menu that appears.

This will start the migration wizard where we can select the destination for the VM.  The list of VMs shown may vary based on other labs you may have completed. Also, note that this is the same option you would use if you were performing a vMotion within a single vCenter or cluster. You use the same option regardless of what the vMotion destination is.

 

 

Select a migration type

 

  1. Select Change both compute resource and storage option.
  2. Click Next

 

 

Select a compute resource

 

  1. Expand the tree under vcsa-01b.corp.local, RegionB01, and RegionB01-COMP01
  2. Select host esx-01b.corp.local
  3. NOTE: The wizard will check the compatibility of the host to verify that it meets a set of requirements to migrate. Additional information on what is being checked can be found in the VMware vSphere 6.7 Documentation Center.
  4. Click Next

 

 

Select storage

 

  1. Select the storage RegionB01-iSCSI01-COMP01
  2. Click Next

The vMotion will migrate the VM to a new datastore that is available on the new host. This allows VMs to be moved between clusters, vCenters, or data centers that do not have shared storage.

 

 

Select folder

 

  1. Select RegionB01
  2. Click Next

 

 

Select networks

 

  1. Select the VM-RegionB01-vDS-COMP network.
  2. Click Next

This will change the port group the VM is associated with. Nothing changes inside the VM: its IP and network configuration stay the same. Your network must therefore be set up in a way that allows the VM to move to this new port group without those changes. Network Virtualization is one way to extend a Layer 2 network across Layer 3 boundaries. 

Note that depending on which other modules you may have done, you may see an additional screen in the wizard asking you to set a vMotion Priority. If you see this screen, leave the default settings and click Next.

 

 

Ready to complete

 

  1. Review the settings that vCenter will use to perform the vMotions, and click Finish
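The same cross-vCenter migration can be driven from PowerCLI. This is an added example, not code from the lab manual; it assumes PowerCLI 6.5 or later, a credential valid on both vCenters, and that the source vCenter FQDN (the RegionA vCenter, not named on this page) is filled in where the placeholder sits.

```powershell
# Added example: cross-vCenter vMotion of core-01a, mirroring the wizard
# choices above (new host, new datastore, new folder, new port group).
$cred = Get-Credential -Message 'vCenter administrator'

# Placeholder: FQDN of the RegionA (source) vCenter in this lab.
$sourceVCenter = '<source-vcenter-fqdn>'

# Connect to both vCenters in one session so Move-VM can span them.
$srcVC = Connect-VIServer -Server $sourceVCenter -Credential $cred
$dstVC = Connect-VIServer -Server 'vcsa-01b.corp.local' -Credential $cred

# The VM must be powered on for this to be a live (no-downtime) migration.
$vm = Get-VM -Name 'core-01a' -Server $srcVC
if ($vm.PowerState -ne 'PoweredOn') {
    throw 'core-01a is not running; power it on first (see the steps above).'
}

# Destination objects, matching the wizard selections.
$dstHost   = Get-VMHost   -Name 'esx-01b.corp.local'       -Server $dstVC
$dstDs     = Get-Datastore -Name 'RegionB01-iSCSI01-COMP01' -Server $dstVC
$dstPg     = Get-VDPortgroup -Name 'VM-RegionB01-vDS-COMP'  -Server $dstVC
$dstFolder = Get-Folder -Name 'RegionB01' -Type VM          -Server $dstVC

# The wizard verifies the destination network for you; here we check it
# explicitly, because a missing port group leaves the VM without connectivity
# even though the migration itself would succeed.
if (-not $dstPg) { throw 'Destination port group not found; aborting.' }
$nics = Get-NetworkAdapter -VM $vm

# "Change both compute resource and storage" in one operation.
$task = Move-VM -VM $vm -Destination $dstHost -Datastore $dstDs `
    -NetworkAdapter $nics -PortGroup $dstPg -InventoryLocation $dstFolder `
    -RunAsync -Confirm:$false

# Equivalent of watching the Recent Tasks pane.
Wait-Task -Task $task | Out-Null

# Confirm the VM now lives in the RegionB vCenter, still powered on.
Get-VM -Name 'core-01a' -Server $dstVC |
    Select-Object Name, PowerState, VMHost, Folder

Disconnect-VIServer -Server $srcVC, $dstVC -Confirm:$false
```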

 

 

Watch Progress in Recent Tasks

 

We can view the progress of the operation in the Recent Tasks pane at the bottom of the screen.

Note that if you do not see the Recent Tasks pane, you may need to expand it by clicking on Recent Tasks on the right side of the screen.

 
Migration Complete

 

That's all there is to it. In the left navigation pane you can now see that the core-01a VM has been moved to the RegionB01-COMP01 cluster, which is in the vcsa-01b.corp.local vCenter. As with any other vMotion, this is completed with no downtime. The ability to vMotion VMs between hosts, clusters, vCenters, and virtual switches gives you even greater flexibility than before when managing your workloads.

Note: If you plan on continuing and taking other modules in this lab, please use the same process to vMotion the VM back to the RegionA vCenter. Use the following information to assist with this:

 

 

Conclusion

Migrating VMs between vCenters is a very simple process. Cross vCenter vMotion allows an administrator to easily move workloads between vCenters in the same data center or in different data centers without downtime. This reduces the time spent on migrations and consolidations. Storage is migrated as well, allowing migrations between different types of storage and removing the need for storage replication and downtime. The network must be available on both ends of the migration to prevent the VM from losing its network connection. This can be done through Layer 2 stretching or Network Virtualization.

 

Enhanced vMotion Capability


Let's say your manager tells you that the company has purchased a competitor and would like to migrate all the VMs from the acquisition's data center to your company's data center over the next few months.  What do you need to know to plan this migration?  With vSphere 6.7 you can do this using Per-VM EVC to migrate machines from one hardware platform to another.


 

Per-VM EVC

Cluster-level EVC ensures CPU compatibility between hosts in a cluster, so that you can seamlessly migrate virtual machines within the EVC cluster. In vSphere 6.7 Update 2, you can also enable, disable, or change the EVC mode at the virtual machine level. The per-VM EVC feature facilitates the migration of the virtual machine beyond the cluster and across vCenter Server systems and datacenters that have different processors.

The EVC mode of a virtual machine is independent from the EVC mode defined at the cluster level. The cluster-based EVC mode limits the CPU features a host exposes to virtual machines. The per-VM EVC mode determines the set of host CPU features that a virtual machine requires in order to power on and migrate.

By default, when you power on a newly created virtual machine, it inherits the feature set of its parent EVC cluster or host. However, you can change the EVC mode for each virtual machine separately. You can raise or lower the EVC mode of a virtual machine. Lowering the EVC mode increases the CPU compatibility of the virtual machine. You can also use the API calls to customize the EVC mode further.
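The API path mentioned above, as an added example that is not part of the lab manual: it reads the EVC mode a VM currently requires and applies a chosen per-VM EVC mode through PowerCLI. It assumes an existing Connect-VIServer session to a vSphere 6.7 Update 2 or later vCenter, and that the API members used (ServiceInstance.Capability.SupportedEVCMode, Runtime.MinRequiredEVCModeKey, ApplyEvcModeVM_Task) behave as documented for the vSphere 6.7 API; the VM name and target mode key are placeholders.

```powershell
# Added example: inspect and set per-VM EVC via the vSphere API from PowerCLI.
$vmName = 'core-01a'        # placeholder: any VM in the connected vCenter
$evcKey = 'intel-broadwell' # placeholder: pick a key from the list printed below

$vm = Get-VM -Name $vmName

# EVC modes this vCenter supports, each with the CPU feature mask it implies.
$si    = Get-View ServiceInstance
$modes = $si.Capability.SupportedEVCMode
$modes | Select-Object Key, Vendor, Track | Format-Table -AutoSize

# The lowest EVC mode that still satisfies the CPU features the VM is using.
# A lower per-VM mode requires fewer host features, so more hosts qualify.
"Current minimum required EVC mode: " + $vm.ExtensionData.Runtime.MinRequiredEVCModeKey

$target = $modes | Where-Object { $_.Key -eq $evcKey }
if (-not $target) { throw "Unknown EVC mode key '$evcKey'" }

# Changing the per-VM mode is done with the VM powered off (the new mask takes
# effect at the next power-on, which is where compatibility is enforced).
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$vmName must be powered off before its EVC mode is changed."
}

# completeMasks = $true replaces the VM's whole feature mask with this mode's.
$moref = $vm.ExtensionData.ApplyEvcModeVM_Task($target.FeatureMask, $true)
Get-Task -Id ("Task-" + $moref.Value) | Wait-Task | Out-Null

# Re-read the VM: its per-VM mode is now independent of the cluster's EVC mode.
$vm = Get-VM -Name $vmName
"Configured CPU feature mask entries: " + $vm.ExtensionData.Config.CpuFeatureMask.Count
"Minimum required EVC mode is now:   " + $vm.ExtensionData.Runtime.MinRequiredEVCModeKey
```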

 

 

Cluster-based EVC and Per-VM EVC

There are several differences between the way the EVC feature works at the host cluster level and at the virtual machine level.

 

VMware Cloud (VMC) on AWS


VMware Cloud on AWS is an integrated cloud offering jointly developed by AWS and VMware delivering a highly scalable, secure and innovative service that allows organizations to seamlessly migrate and extend their on-premises VMware vSphere-based environments to the AWS Cloud running on next-generation Amazon Elastic Compute Cloud (Amazon EC2) bare metal infrastructure. VMware Cloud on AWS is ideal for enterprise IT infrastructure and operations organizations looking to migrate their on-premises vSphere-based workloads to the public cloud, consolidate and extend their data center capacities, and optimize, simplify and modernize their disaster recovery solutions. VMware Cloud on AWS is delivered, sold, and supported globally by VMware and its partners with availability in the following AWS Regions: US West (Oregon), US East (N. Virginia), Europe (London), and Europe (Frankfurt).

 

VMware Cloud on AWS brings the broad, diverse and rich innovations of AWS services natively to the enterprise applications running on VMware's compute, storage and network virtualization platforms. This allows organizations to easily and rapidly add new innovations to their enterprise applications by natively integrating AWS infrastructure and platform capabilities such as AWS Lambda, Amazon Simple Queue Service (SQS), Amazon S3, Elastic Load Balancing, Amazon RDS, Amazon DynamoDB, Amazon Kinesis and Amazon Redshift, among many others.

With VMware Cloud on AWS, organizations can simplify their Hybrid IT operations by using the same VMware Cloud Foundation technologies including vSphere, vSAN, NSX, and vCenter Server across their on-premises data centers and on the AWS Cloud without having to purchase any new or custom hardware, rewrite applications, or modify their operating models. The service automatically provisions infrastructure and provides full VM compatibility and workload portability between your on-premises environments and the AWS Cloud. With VMware Cloud on AWS, you can leverage AWS's breadth of services, including compute, databases, analytics, Internet of Things (IoT), security, mobile, deployment, application services, and more.


 

Onboarding VMware Cloud on AWS

Joining the VMware Cloud on AWS (VMC) service is not like deploying vCenter or other VMware products. Because VMC is a managed service operated by VMware, you need to onboard to the service and create what we call an Organization, which is the key tenant construct within VMC.

In the video below, we show this process from beginning to end.

 

 

Migration from On-prem to VMC on AWS - NSX Hybrid Connect

 

Conclusion


The primary benefit of the hybrid cloud model is flexibility and freedom, but it also creates a seamless experience in which end users are completely indifferent to whether an application is running in a public or private cloud. IT has the ability to deploy and run applications anywhere without the risk of getting locked into the APIs of a specific cloud provider, and can access infrastructure on demand using a consistent set of tools and skillsets. Cross vCenter vMotion, Enhanced vMotion Capability with Per-VM EVC, and VMware Cloud on AWS all help deliver the Seamless Hybrid Cloud Experience.
 
You've finished Module 5!

 

Congratulations on completing Module 5!

To review more info on the features covered in this module, please use the links below: 

Proceed to any module below which interests you most.

 

 

 

Test Your Skills!

 

Now that you’ve completed this lab, try testing your skills with VMware Odyssey, our newest Hands-on Labs gamification program. We have taken Hands-on Labs to the next level by adding gamification elements to the labs you know and love. Experience the fully automated VMware Odyssey as you race against the clock to complete tasks and reach the highest ranking on the leaderboard. Try the vSphere Odyssey lab

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-2011-01-SDC

Version: 20200722-235353