VMware Hands-on Labs - HOL-2146-01-HCI


Lab Overview - HOL-2146-01-HCI - VMware Cloud Foundation - What's New

Lab Overview and Guidance


***Note: It may take more than 120 minutes to complete this lab.  The modules are not dependent on one another; they flow from one to the next in logical order, and the lab is best consumed in that way.

The Table of Contents can be accessed in the upper right-hand corner.

Module 1 - Cloud Foundation Overview (15 minutes)

Module 2 - User Interface Exploration (15 minutes)

Module 3 - Automated Workload Domain Deployment (iSIM) (15 minutes)

Module 4 - Automated NSX Edge Deployment (iSIM) (15 minutes)

Module 5 - Enable vSphere with Tanzu (iSIM) (15 minutes)

Module 6 - Lifecycle Management (30 minutes)

Module 7 - Workload Domain Operations (45 minutes)

Module 8 - Certificate Management (30 minutes)

Module 9 - Role Based Access Control and Password Management  (30 minutes)

Module 10 - Multi-Instance Management (30 minutes)

Module 11 - Removing Hosts, Clusters, and Workload Domains (30 minutes)

Lab Captains:
Phil Balfanz, Senior Solutions Engineer - VMware Cloud Foundation, USA
Jeff Wong - Staff Advanced Customer Engagement Architect, USA

VMware Cloud Foundation™ is VMware’s unified SDDC platform for a modern hybrid cloud. This product brings together VMware’s compute, storage, and network virtualization into a natively integrated stack, and allows you to deliver enterprise-ready cloud infrastructure with automation and management capabilities for simplified operations that are consistent across private and public clouds.

A deployed VMware Cloud Foundation™ system includes the following VMware software as standard components:

  • SDDC Manager - Virtual appliance that provides administrators with a centralized portal to provision, manage, and monitor the VMware Cloud Foundation™ solution.
  • vSphere - Enterprise-class hypervisor for compute virtualization
  • vCenter Server Standard - Provides centralized management of vSphere virtual infrastructure
  • vSAN – Delivers flash-optimized, high-performance storage for a hyper-converged infrastructure.
  • NSX - VMware NSX is the network virtualization platform for the Software-Defined Data Center. NSX embeds networking and security functionality that is typically handled in hardware directly into the hypervisor.
  • vSphere with Tanzu - vSphere with Tanzu provides the capability to run Kubernetes workloads directly on ESXi hosts and to create upstream Tanzu Kubernetes Grid clusters within dedicated resource pools.

The following VMware software components may be optionally deployed as part of VMware Cloud Foundation:

  • vRealize Operations - Correlates data from applications to storage in a unified, easy-to-use management tool that provides control over performance, capacity, and configuration, with predictive analytics driving proactive action, and policy-based automation.
  • vRealize Automation - Automates the delivery of the compute, storage and network resources on a per application basis, delivered through repeatable blueprints and accessed through a self-service user portal.
  • vRealize Log Insight – Allows administrators to view, manage, and analyze log information from various points within the solution.
  • Horizon - Provides the ability to deploy an enterprise-class End User Compute environment with an easily consumable deployment wizard.

This lab will demonstrate the ability to use SDDC Manager to configure, manage, maintain, and consume hyper-converged infrastructure.  We make use of all the software listed above to show an example of a fully deployed VMware Cloud Foundation™ System.


 

Credentials

 

The following is a summary of the credentials used for this lab.  For your convenience, links to the management interfaces are located in the bookmark bar of Google Chrome shown in the image.

Additional credentials for components not listed below may be found in the README.txt file located on the desktop of the Main Console.

  • SDDC Manager
    • Username: administrator@vsphere.local
    • Password: VMware1!
  • SDDC Manager as Sam Jones
    • Username: sam@corp.local
    • Password: VMware1!
  • vCenter Server Admin Console
    • Username: root
    • Password: VMware1!
  • vSphere Web Client
    • Username: administrator@vsphere.local
    • Password: VMware1!
  • VMware NSX Manager
    • Username: admin
    • Password NSX-T: VMware1!VMware1!

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@" key.

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple data centers. However, these data centers may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", then please ask for assistance.

 

Module 1 - Cloud Foundation Overview (15 minutes)

Cloud Foundation Overview


VMware Cloud Foundation is the hybrid cloud platform for managing VMs and orchestrating containers, built on full stack hyper-converged infrastructure (HCI) technology. With a single architecture that’s easy to deploy, VMware Cloud Foundation enables consistent, secure infrastructure and operations across private and public clouds.

 


 

Workload Domains

VMware Cloud Foundation consists of two types of Workload Domains that make up the Cloud Foundation Platform. These two Workload Domains are pools of logical resources. Each pool is a cluster or multiple clusters of ESXi hosts managed by an associated vCenter Server and NSX manager. Each cluster manages the resources of all the hosts that are assigned to it. Within each cluster Cloud Foundation enables the VMware vSphere® High Availability (HA), VMware vSphere® Distributed Resource Scheduler™ (DRS), and VMware vSAN capabilities.

Management Domain

There is one management domain that is used to manage the SDDC infrastructure components within a Cloud Foundation deployment. The management domain is automatically provisioned using the first four hosts when the environment is initially configured for Cloud Foundation (a process referred to as "Bring Up"). The management domain contains all of the management components of the SDDC Platform. This includes vCenter, vSAN, NSX-T Manager Controller Cluster, SDDC Manager, and any of the optional vRealize Suite components, such as vRealize Operations, vRealize Log Insight and vRealize Automation.

Virtual Infrastructure (VI) Workload Domain

A Virtual Infrastructure (VI) Workload Domain is designed to run your business applications. When creating VI Workload Domains, Cloud Foundation takes the number of hosts specified by the cloud administrator and automatically deploys the VI Workload Domain with VMware best practices. The first VI Workload Domain has its own vCenter and NSX-T Manager Controller. This creates a highly reliable and secure infrastructure for your business applications. Additional VI Workload Domains can be added. Each additional VI Workload Domain has its own vCenter Server, but the customer has the choice to deploy a new NSX-T Manager Controller Cluster or share an existing one, depending on the customer’s needs.

 

 

Separating the Management Domain from the Workload Domains provides several benefits.

  • The Management Domain and VI Workload Domain being separated allows for dedicated resource management for higher business application performance.
  • Security is improved by creating a separate role-based access control of the infrastructure components. This separation allows for a more granular control of who has access or control of resources inside your private cloud.
  • Lifecycle management (patching and upgrades) can be completed on different schedules. The management domain will always be patched first, but the VI Workload Domains can be patched at different intervals that best suit the business application needs.

You use the SDDC Manager Web interface in a browser for the single-point-of-control management of your VMware Cloud Foundation system. The SDDC Manager provides centralized access as well as an integrated view of both the physical and virtual infrastructure of the system.

SDDC Manager does not mask the individual component management products.  Along with the SDDC Manager Web interface, for certain tasks, you might also use web interfaces for administration tasks involving their associated VMware software components that are part of a VMware SDDC. All of these interfaces run in a browser, and you can launch many of them from locations in the SDDC Manager Web interface.

We have provided a full VMware Cloud Foundation experience in a virtual environment, however procedures may have been modified to account for the simulated environment that the HOL uses or to accelerate time for the user's convenience. 

 

 

Page Loading Symbol

***Note: In the Hands on Labs environment, as you are navigating through the various screens, you may encounter long refresh operations for extended periods of time in the order of 1-3 minutes.  Please resist the urge to click refresh on the page during these times as it will most likely extend the wait.

When building the lab we attempted to minimize these loading times, however, in some instances, operations such as timeouts when waiting for hardware to reply were unavoidable, as this is a nested environment and not connected to physical hardware.  Thank you for your patience! 

 

 

 

Initial Log In

  1. Please ensure that the Lab Status is green and says “Ready”.  If it does not please let a proctor know by raising your virtual hand.
  2. After you have verified that the lab is ready please launch Google Chrome using the shortcut on the desktop.

 

 

 

Dashboard

The Dashboard page is the home page that provides the overall administrative view of your system. The Dashboard page provides a top-level view of the physical and logical resources across all of the physical racks in your system, including available CPU, memory, and storage capacity. From this page, you can start the process of creating a VI Workload Domain.  You use the links on the dashboard to drill-down and examine details about the physical resources and the virtual environments that are provisioned for the management and workload domains.

On the left side of the interface is the Navigation bar. The Navigation bar provides icons for navigating to the corresponding pages.  We will explore each of these in more detail later in the lab.

  1. Select the SDDC Manager Tab at the top of the browser window. Here we can see the dashboard view and recent tasks that have been completed.
  2. Due to the resolution of the Hands On Lab environment, the Tasks tray will need to be resized, or you will need to scroll over while reviewing the tasks.  You also have the option to minimize the Tasks tray by clicking the X.

NOTE: You may close the yellow warning about NSX Manager backups and Skyline. We will be fixing the NSX Backup in future modules.

 

 

 

Workload Domain Exploration

Rainpole Inc. has just deployed VMware Cloud Foundation.  Let’s begin by exploring the Workload Domains.

  1. From the left hand navigation pane, select the Inventory menu item, then select Workload Domains.

 

 

 

End of Module 1

You have completed Module 1 and should now have a good understanding of how to navigate the SDDC Manager web interface. You should also at this point conceptually understand what a workload domain is and what it is used for.  Please continue to Module 2 - "User Interface Exploration"

 

Module 2 - User Interface Exploration (15 minutes)

Add User Account


You can manage users and groups using the User Management page of the SDDC Manager Web Interface. Your VMware Cloud Foundation system provides role-based access control.

Authentication to the SDDC Manager Web interface uses the VMware vCenter® Single Sign-On authentication service that is installed with the vCenter feature during the deployment of your system. This authentication service constructs an internal security domain based on the values entered during the deployment process of your system, and the SDDC Manager is registered in that domain. The service can authenticate users from a set of users and groups that you enter directly into the system or it can connect to trusted external directory services such as Microsoft Active Directory. Using roles, authenticated users are given permissions to operate within SDDC Manager, according to the assignments you specify using the SDDC Manager Web interface.  System administrators can assign roles to users and groups, change passwords, and create backups.

 


 

Initial Log In

  1. Please ensure that the Lab Status is green and says “Ready”. 
  2. After you have verified that the lab is ready please launch Google Chrome using the shortcut on the desktop.

 

 

 

Manage User Accounts

Once you have logged in and authenticated to both SDDC Manager and the vCenter Server...

  1. Select the browser tab for the SDDC Manager
  2. Select the Administration Menu item in the left window pane
  3. Select Users from the available drop down options
  4. Click the +USER OR GROUP button in the main window pane.

 

 

 

End of Module 2

You have completed Module 2 and should now have a good understanding of how to interact with and customize an individual user's interface. Please continue to Module 3.

 

Module 3 - Automated Workload Domain Deployment (iSIM) (15 minutes)

Introduction


This interactive simulation walks you through

  • How to deploy Workload Domain using VMware Cloud Foundation


Hands-on Labs Interactive Simulation: Deploy Workload Domain


This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation, you can use the software interface as if you are interacting with a live environment.

  1. Click here to open the interactive simulation. It will open in a new browser window or tab.
  2. When finished, click the “Return to the lab” link to continue with this lab.

The lab continues to run in the background. If the lab goes into standby mode, you can resume it after completing the module.


Conclusion


End of Module 3

You have completed Module 3 and should now have a good understanding of how to deploy a Workload Domain. Please continue to Module 4.


Module 4 - Automated NSX Edge Deployment (iSIM) (15 minutes)

Introduction


This interactive simulation walks you through

  • How to deploy NSX Edge using VMware Cloud Foundation


Hands-on Labs Interactive Simulation: Deploy NSX Edge


This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation, you can use the software interface as if you are interacting with a live environment.

  1. Click here to open the interactive simulation. It will open in a new browser window or tab.
  2. When finished, click the “Return to the lab” link to continue with this lab.

The lab continues to run in the background. If the lab goes into standby mode, you can resume it after completing the module.


Conclusion


End of Module 4

In this module we have seen how VMware Cloud Foundation can help to rapidly deploy infrastructure solutions to enable vSphere Tanzu. Please continue to Module 5.


Module 5 - Enable vSphere with Tanzu (iSIM) (15 minutes)

Introduction


This interactive simulation walks you through

  • How to deploy vSphere with Tanzu using VMware Cloud Foundation


Hands-on Labs Interactive Simulation: Deploy vSphere with Tanzu


This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation, you can use the software interface as if you are interacting with a live environment.

  1. Click here to open the interactive simulation. It will open in a new browser window or tab.
  2. When finished, click the “Return to the lab” link to continue with this lab.

The lab continues to run in the background. If the lab goes into standby mode, you can resume it after completing the module.


Conclusion


End of Module 5

In this module we have seen how VMware Cloud Foundation can help automate the deployment of vSphere with Tanzu. Please continue to Module 6.


Module 6 - Lifecycle Management (30 minutes)

Patching and Upgrading


In Cloud Foundation, the Life Cycle Management (LCM) capabilities include automated patching and upgrades for both the SDDC Manager (SDDC Manager and LCM) and other VMware software components (vCenter Server, ESXi, NSX and vSAN).

The high level update workflow is described below.

  1. Authorize My VMware credentials.
  2. Download update bundle.
  3. Select update targets and schedule update.
  4. Verify update.

 

 

Even though SDDC Manager may be available while the update is installed, it is recommended that you schedule the update at a time when it is not being heavily used.


 

Initial Log In

  1. Please ensure that the Lab Status is green and says “Ready”. 
  2. After you have verified that the lab is ready please launch Google Chrome using the shortcut on the desktop.

 

 

 

Update Repository

An update is now available for the VMware Cloud Foundation deployment.  Let’s walk through our options for downloading and deploying this update.

  1. Select Bundle Management from the Repository menu on the left.
  2. Click DOWNLOAD NOW - NOTE: This update may take a minute to start and then another minute or two to download. You may proceed while the download continues.   
  3. Clicking on View Details, you can see more information

 

  1. Due to time constraints within the lab environment, click the UPDATE NOW button to begin an immediate update.
  2. After you click the UPDATE NOW button, you will see a Scheduled message displayed. After a 1-2 min wait, an update dialog window will appear.

 

 

 

End of Module

You have completed the module and should now have a good understanding of the upgrade and patching process within the VMware Cloud Foundation environment.  Please continue to the next module.

 

Module 7 - Workload Domain Operations (45 minutes)

Workload Domain Expansion


Your manager at Rainpole Inc. has just informed you that the Datacenter Operations team has completed the racking and powering on of a new server in your rack for consumption by VMware Cloud Foundation. You will walk through the commissioning and preparation of this new server for addition into the existing SDDC-MGMT management domain cluster.

 

In this image we will be adding a server as noted in the *Available Capacity.


 

SDDC Manager Log In

  1. Please ensure that the Lab Status is green and says “Ready”. 
  2. After you have verified that the lab is ready please launch Google Chrome using the shortcut on the desktop.

 

 

 

Additional IP addresses

In order to provision hosts into an existing cluster or workload domain, network IP addresses will be required for vMotion and vSAN or NFS connectivity. Cloud Foundation assigns these addresses from a nominated inclusion range of IP addresses in a network pool.

We need to add IP addresses to the existing network pool by adding another IP address inclusion range. We will be adding an inclusion range of two IP addresses to the existing bringup-networkpool Network Pool currently assigned to the SDDC-MGMT management domain.


  1. Navigate to the SDDC Manager browser tab.
  2. To edit the existing network pool, click on Network Settings under the Administration menu dropdown on the left menu.
  3. Click on the 3 dots next to the bringup-networkpool and select Edit

 

  1. For the vSAN Network, add the IP range from 10.10.20.61 to 10.10.20.62 and click Add.
  2. For the vMotion Network, add the IP range from 10.10.30.61 to 10.10.30.62 and click Add.

 

We will now confirm that the new inclusion range has successfully been added.

  1. Click on Network Settings under the Administration menu dropdown on the left menu.
  2. Click on the arrow next to the bringup-networkpool to expand for more information.
  3. You should now have two (2) free IP addresses each for the vMotion and vSAN network.

 

 

 

Commission Host

For new ESXi host(s) to be made available for consumption by a new or existing cluster, the host(s) must first be commissioned into the VMware Cloud Foundation inventory. In this exercise, we will commission a single host into inventory.

  1. Click on Dashboard from the left menu.
  2. Click on the COMMISSION HOSTS button on the top right side of the main page.

 

 

 

Add Host to Cluster

In this section, we will be adding the newly commissioned host to an existing cluster known as SDDC-Cluster1 within the SDDC-MGMT management domain. This task will automate the multitude of tasks a typical administrator would have to have performed manually such as adding host(s) to a cluster, configuring storage including vSAN, configuring networking such as vMotion and NSX in a consistent manner.

  1. Click on Workload Domains under the Inventory dropdown on the left menu.
  2. Click on SDDC-MGMT.

 

  1. Within the SDDC-MGMT screen, click the Clusters tab. 
  2. Click SDDC-Cluster1.

 

  1. Within the SDDC-Cluster1 screen, click ACTIONS and select Add Host.

 

 

 

Select the Host

The Add Hosts dialog box will walk you through adding a host.

  1. Scroll down to the bottom of the page until the host inventory is visible.
  2. Place a check mark on the checkbox next to esx-11a.corp.local.
  3. Click the NEXT button to continue with the wizard.

 

  1. On the Licenses window, click the drop down to the right and select the pre-populated license that is marked 'USE THIS KEY'.
  2. Click NEXT to continue

 

  1. Validate the selected information. When ready, click the FINISH button to proceed.

 

 

 

Monitor Progress

  1. Expand the Task window at the bottom left of the main page and click the Refresh link.
  2. Click the Adding new host(s) to cluster link to view the subtasks.

 

  1. Expand the Tasks window to fill the browser by clicking on the double arrow link on the top right side of the Tasks window.
  2. Review the status of all subtasks and ensure that all complete successfully. This could take a few minutes. Please do not proceed to the next step in the manual until all tasks have completed successfully.
  3. Minimize the tasks window by clicking the X in the top right corner of the page.

 

 

 

Validate Host Addition in vSphere Client

We will now navigate to the vSphere Client to validate that the ESXi Host has been added to the cluster successfully.

  1. Select the second browser tab at the top of the page to open the vSphere Client
  2. Expand the vcsa-01a.corp.local vCenter Server > SDDC-Datacenter Data Center and the SDDC-Cluster1 vSphere cluster.
  3. Verify that the esx-11a.corp.local host is visible under the SDDC-Cluster1 cluster.

 

  1. vCenter alarms may be raised during the automated configuration process. They are safe to Acknowledge, Suppress or Reset To Green.

 

 

 

Section Completed

Congratulations. You have completed this section. You should now have a good understanding on how to expand the capacity of an existing Workload Domain. Please continue to the next section.

 

Workload Domain Multi-cluster


In VMware Cloud Foundation we enable the administrator to quickly deploy additional clusters in a single workload domain.  This will allow them to add clusters without deploying additional vCenter and NSX Manager.  As depicted below we will add an additional cluster to the SDDC-MGMT management domain for Rainpole Inc.

 


 

Workload Domain Cluster Creation

For new ESXi host(s) to be made available for consumption by a new or existing cluster, the host(s) must first be commissioned into the VMware Cloud Foundation inventory. In this exercise, we will commission three hosts into inventory using a bulk import method from a json file that contains pre-populated details of the hosts to be efficient.

 

Module 8 - Certificate Management (30 minutes)

Certificate Management


If you completed the previous module (although it is not required), you saw that the certificates were untrusted for vCenter and NSX. We will be resolving that in this module.

An easy way to increase the security of an environment, and a common practice for most IT organizations, is to replace the self-signed certificates that are generated during installation with a certificate signed by the organization's Certificate Authority (CA). VMware Cloud Foundation simplifies this process, allowing customers to easily update and manage these certificates.

You can manage certificates for all external-facing Cloud Foundation component resources, including configuring a certificate authority, generating and downloading CSRs, and installing them. This section provides instructions for using Microsoft certificate authority, however Cloud Foundation also supports the use of 3rd party certificate authorities.

You can manage the certificates for the following components.

  • vCenter Server
  • NSX Manager
  • SDDC Manager

 

SDDC Manager Log In

  1. Please ensure that the Lab Status is green and says “Ready”. 
  2. After you have verified that the lab is ready please launch Google Chrome using the shortcut on the desktop.

 

 

 

Configure Certificate Authority

  1.  Select the SDDC Manager browser tab.
  2. Click the Administration menu item in the left navigation window.
  3. Click the Security sub-menu item.
  4. Click the EDIT button.
  5. Enter the password for the corp\administrator. The password is VMware1!
  6. Click the Save button to continue.

This will create the connection from the SDDC Manager to the backend Certificate Authority and allow us to use it in the next step.

 

 

 

Certificate Authority Validation

  1. Verify the CA Server Certificate information and click ACCEPT when done.
  2. You should receive a notification that the CA Configuration was successful.

 

 

 

Generate CSR

  1. Select the Workload Domains menu item in the navigation window.
  2. On the resulting screen, Click the SDDC-MGT Domain link

 

 

 

Generate CSR

  1. Select the Security Tab
  2. Place a check in the box next to the sddcmanager or sddc-manager.corp.local
    NOTE: Due to time constraints we will be replacing the SDDC Manager certificate.
  3. Uncheck any other boxes
  4. Click on the Generate CSR button.  

NOTE: Notice the "CA" under Issuer. This indicates that the self-signed certificate is in use.

 

 

 

Generate CSR Wizard

Populate the Fields in the CSR wizard with the following information.

Algorithm: RSA

Key Size: 2048

Email: sam@corp.local

Organizational Unit: IT

Organization: Rainpole

Locality: Palo Alto

State: CA

Country: US

  1. Click Generate CSR when completed

 

 

 

Generate Signed Certificate

  1. Now that the CSR has been generated, click the Generate Signed Certificates button.  
  2. Select Microsoft as the Certificate Authority
  3. Click on the Generate Certificates button.

If you were using a 3rd party CA, you would click download CSR after step 1. to submit to the 3rd party Certificate Provider.

 

 

 

Install Signed Certificates

  1. Click the Install Certificates button.

 

 

 

Certificate Installation Validation

Due to the formatting of the Hands On Lab environment, you may need to scroll over to the right to see the status of the vCenter vcsa-02a.corp.local certificate replacement.

This process takes a couple minutes to replace the certificate in the Hands On Lab Environment.  While this is running please proceed in the lab, you can come back to check this status later if you wish to do so.  

Verify that the Certificate Installation Status for the vcenter shows SUCCESSFUL.

 

 

 

SSH to SDDC Manager

  1. Launch Putty
  2. Select the sddc-manager.corp.local
  3. Click Open

 

 

 

Restart the SDDC Manager Service

  1. Run the following command:

sh /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh

  2. Click Y

 

 

 

Log in to SDDC Manager

After the service restart you will need to log back in to SDDC Manager. The service may take 2-3 minutes to fully restart.

  1. Select the SDDC Manager tab and verify the page URL to ensure you have the correct user interface. The SDDC Manager login URL should read https://psc-1.corp.local
  2. In the User name box enter: administrator@vsphere.local
  3. In the Password box enter: VMware1!
  4. Click the Login button

 

 

 

Verify Certificate Replacement

  1. Select the lock icon
  2. Click Certificate

 

 

 

Verify Certificate Continued

  1. Select the Details tab
  2. Verify that the issuer is CONTROLCENTER-CA
  3. Select the Serial Number. Note the number.

 

 

 

Navigate to the Management Workload Domain

  1. Select Workload Domains
  2. Select the SDDC-MGT workload domain.

 

 

 

Verify Cert Serial Number

  1. Click Security
  2. Expand the SDDC Manager
    Note that the number matches.
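
The CSR wizard values and the issuer and serial number checks from this module can also be done on the command line with openssl. The script below is an added example, not part of the lab manual or of VMware's tooling. The throwaway CA standing in for the lab's Microsoft CA, the serial 5A17C0DE and all file names are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example, not part of the lab manual. Function and file names are
# hypothetical; the CA built below is a throwaway stand-in for the lab's CA.

# Subject string built from the values typed into the Generate CSR wizard.
csr_subject() {      # $1 = FQDN of the component
    printf '/C=US/ST=CA/L=Palo Alto/O=Rainpole/OU=IT/CN=%s/emailAddress=sam@corp.local' "$1"
}

# RSA 2048 key pair plus CSR, matching the wizard's Algorithm and Key Size.
make_csr() {         # $1 = FQDN, $2 = key file to write, $3 = CSR file to write
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "$(csr_subject "$1")" -keyout "$2" -out "$3" 2>/dev/null
}

# Common name of the issuer, the field checked on the browser's Details tab.
cert_issuer_cn() {   # $1 = PEM certificate
    openssl x509 -in "$1" -noout -issuer -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Serial numbers are displayed as "5a:17:c0:de", "5A 17 C0 DE" or "5A17C0DE"
# depending on the tool; reduce them to one form before comparing.
normalize_serial() { # $1 = serial number as displayed
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F' | sed 's/^0*\(.\)/\1/'
}

cert_serial() {      # $1 = PEM certificate
    normalize_serial "$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')"
}

# A self-signed certificate has identical subject and issuer names.
is_self_signed() {   # $1 = PEM certificate
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds only if the certificate is CA-issued, names the expected issuer,
# and carries the serial number noted earlier.
verify_replacement() { # $1 = cert, $2 = expected issuer CN, $3 = noted serial
    is_self_signed "$1" && { echo "FAIL: still self-signed"; return 1; }
    [ "$(cert_issuer_cn "$1")" = "$2" ] ||
        { echo "FAIL: issuer is $(cert_issuer_cn "$1")"; return 1; }
    [ "$(cert_serial "$1")" = "$(normalize_serial "$3")" ] ||
        { echo "FAIL: serial mismatch"; return 1; }
    echo "OK: issued by $2, serial $(cert_serial "$1")"
}

# Constructed sample data: a throwaway CA and a signed certificate in dir $1.
build_demo_certs() { # $1 = existing directory to write into
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj '/CN=CONTROLCENTER-CA' \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    make_csr sddc-manager.corp.local "$1/sddc.key" "$1/sddc.csr" &&
    openssl x509 -req -in "$1/sddc.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 0x5A17C0DE -days 30 -sha256 -out "$1/sddc.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    rc=0
    build_demo_certs "$d" || rc=$?
    # The serial is given here in the colon-separated form a browser may show.
    [ "$rc" -eq 0 ] && { verify_replacement "$d/sddc.crt" CONTROLCENTER-CA '5a:17:c0:de' || rc=$?; }
    rm -rf "$d"
    return "$rc"
}

demo
```

Against a real certificate, export it as PEM and call verify_replacement with the issuer name and the serial number noted from the browser.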

 

 

 

Module Completed.

Congratulations. You have completed the module Certificate Management. We have demonstrated how Cloud Foundation can help to easily replace certificates. Please continue on to the next module.

 

Module 9 - Role Based Access Control and Password Management (30 minutes)

Role Based Access Control and Password Management


VMware Cloud Foundation provides a way to control access to infrastructure while making it easier to manage. Using the roles within SDDC Manager and vCenter, Rainpole can easily ensure that the administrator Sam only has access to what is required to do his job. In addition to Role Based Access Control, we have the ability to easily update and rotate passwords from a single interface.

In this module we will give Sam access to VMware Cloud Foundation and then using the administrator role update the passwords on the ESX hosts.

You can rotate passwords for the logical and physical entities on all racks in your system. The process of password rotation generates randomized passwords for the selected accounts.

You can change passwords for the following entities:

  • ESXi
  • vCenter Server
  • NSX Manager
  • NSX Controllers
  • vRealize Suite LCM (vRSLCM)

Previous versions of VMware Cloud Foundation 3.x used a mechanism called Dual Authentication. In VCF 4.0 this has been replaced with Role Based Access Control to ensure only an elevated user has the rights to change passwords.


 

SDDC Manager Log In

  1. Please ensure that the Lab Status is green and says “Ready”. 
  2. After you have verified that the lab is ready please launch Google Chrome using the shortcut on the desktop.

 

 

 

Log in to SDDC Manager

NOTE: If you have completed Module 2 please skip to step "Login as Sam"

Once the browser has launched you will see two tabs open by default. The first tab is the SDDC Manager Login, the second is the vCenter Login. 

  1. Select the SDDC Manager tab and verify the page URL to ensure you have the correct user interface. The SDDC Manager login URL should read https://psc-01a.corp.local
  2. In the User name box enter: administrator@vsphere.local
  3. In the Password box enter: VMware1!
  4. Click the Login button

 

 

 

User Management

Navigate to the Users section

  1. Select Administration and Users
  2. Click +User or Group

 

 

 

Add User or Group

We have already enabled Active Directory (AD) as an Identity Source in vCenter. This allows us to search AD users and groups.

  1. Search for Sam@corp.local
  2. Select sam
  3. Change the role to Operator
  4. Click ADD

By having multiple roles we can delegate some of the management to other users while ensuring that only an elevated user has the rights to complete more advanced or destructive tasks.

 

 

 

Logout

Logout of SDDC Manager

  1. Click the administrator@vsphere.local
  2. Click Log out

 

 

 

Login as Sam

Login as Sam

  1. In the User name box enter: sam@corp.local
  2. In the Password box enter: VMware1!
  3. Click the Login button

 

 

 

Operator Rights

Since Sam is an Operator, he does not have access to User Management, Password Management or Backup Configurations.

As we can see on the left, the Users section we just used is no longer listed, and neither is the Backup Configuration section.

Sam now has the ability to create, remove and upgrade workload domains.

  1. Select Security under the Administration heading. Password Management is no longer available.

 

 

 

vCenter Access

Let's check the vCenter Access

  1. Select the second tab for vCenter-01a. If you do not have a second tab, open another tab and select the vCenter-01a bookmark from the bar.
  2. Click Refresh

We did not give Sam access to vCenter so he does not have the ability to login to vCenter. The administrator can give Sam access to vCenter if that is required.

 

 

 

Logout as Sam

Now we will switch back to the Administrator account and explore how passwords can be managed in SDDC Manager.

  1. Select the SDDC Manager tab
  2. Select Sam@corp.local
  3. Click Logout

 

 

 

SDDC Manager Login

Login as Administrator

  1. Select the SDDC Manager tab and verify the page URL to ensure you have the correct user interface. The SDDC Manager login URL should read https://psc-01a.corp.local
  2. In the User name box enter: administrator@vsphere.local
  3. In the Password box enter: VMware1!
  4. Click the Login button

 

 

 

Password Update

Once logged into the SDDC Manager interface:

  1. Click Administration
  2. Click Security
  3. Click Password Management

 

  1. Select the check box next to esx-01a
  2. Click the UPDATE button

 

Once the Update Password dialog box is open, fill in the password you would like it changed to.

  1. Use VMware123! as the password
  2. Click UPDATE

 

 

 

Monitor the Task

Monitor the progress of the task by opening the Tasks window in the lower left:

  1. Click the Tasks link
  2. Click the REFRESH link

 

 

 

Validate the Password Change

Once the password update has completed successfully we will validate that the password change has occurred.

  1. In the browser open a new tab, from the bookmarks shortcut bar, select ESXi Hosts and then select esx-01a

 

Once the page opens use the following credentials to validate the password change was successful.

  1. Fill in the values:
    • Username: root
    • Password: VMware123! (or the password you supplied in the previous step when changing the root user password)
  2. Click the Log In button
    Successful login shows that the password was updated.

 

 

 

Switch back to SDDC Manager

  1. Close the ESXi tab in Chrome
  2. Select the SDDC Manager tab

 

 

 

Password Rotation

The other option is to rotate instead of update. We can test this by navigating back to the first tab for SDDC Manager.

  1. Click Administration
  2. Click Security
  3. Click Password Management

 

 

 

Change Password

  1. Select the check box next to esx-01a.
  2. Click the ROTATE button.

 

 

 

Rotate

 

  1. Click the ROTATE button again in the confirmation pop-up dialog box.

This will rotate the password to a randomly generated password that will be stored in the SDDC Manager database.

 

 

 

Validate the Password Rotation

There are two ways to look up the password once it has been rotated. You may either (1) SSH into the SDDC Manager and follow the admin guide to use the lookup_passwords command, which requires SSH access into the host, or (2) use the API to look up the credentials. We will do the latter in this exercise.

  1. Navigate to Developer Center
  2. Click the API Explorer tab
  3. Expand the APIs for managing Credentials
  4. Expand GET /v1/credentials

 

 

 

 

Get Credentials API

  1. Enter the resourceName esx-01a.corp.local
  2. Click Execute
  3. Expand PageOfCredential and Credential(GUID). View the password information (see yellow box below). Your password will be different than what is listed below.
  4. Copy the random password without the quotes.
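
The same lookup done from a script instead of the API Explorer, as an added example that is not part of the lab manual. The token endpoint (POST /v1/tokens), the bearer header and the response field names (accessToken, elements, resource.resourceName, username, password) are assumptions based on the VCF 4.x public API; base_url, ca_file and the sample response are hypothetical or constructed.

```python
import json
import ssl
import urllib.parse
import urllib.request

def _call(url, ctx, token=None, body=None):
    """Send one JSON request to SDDC Manager and decode the JSON reply."""
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)

def lookup_page(base_url, user, password, resource_name, ca_file):
    """Log in (POST /v1/tokens, assumed), then GET /v1/credentials."""
    # Verify the server against the issuing CA instead of disabling TLS checks.
    ctx = ssl.create_default_context(cafile=ca_file)
    tok = _call(base_url + "/v1/tokens", ctx,
                body={"username": user, "password": password})
    query = urllib.parse.urlencode({"resourceName": resource_name})
    return _call(base_url + "/v1/credentials?" + query, ctx,
                 token=tok["accessToken"])

def select_credential(page, resource_name, username="root"):
    """Pick exactly one Credential from a PageOfCredential, or raise."""
    wanted = resource_name.lower()
    matches = [c for c in page.get("elements", [])
               if c.get("resource", {}).get("resourceName", "").lower() == wanted
               and c.get("username") == username]
    if len(matches) != 1:
        raise LookupError(
            f"expected 1 credential for {username}@{resource_name}, "
            f"found {len(matches)}")
    return matches[0]

def masked(secret):
    """Form of a secret that is safe to write to a log: its length only."""
    return f"<{len(secret)} chars hidden>"

# Constructed sample response (field names assumed), not output from the lab.
SAMPLE_PAGE = {"elements": [
    {"username": "root", "password": "Constructed-Pa55!",
     "credentialType": "SSH", "accountType": "USER",
     "resource": {"resourceName": "esx-01a.corp.local", "resourceType": "ESXI"}},
    {"username": "svc-example", "password": "Constructed-Svc-1!",
     "credentialType": "SSH", "accountType": "SERVICE",
     "resource": {"resourceName": "esx-01a.corp.local", "resourceType": "ESXI"}},
]}

if __name__ == "__main__":
    cred = select_credential(SAMPLE_PAGE, "esx-01a.corp.local")
    print(cred["username"], cred["accountType"], masked(cred["password"]))
```

Because the response carries the password in clear text, log only the masked form and keep the access token out of shell history and job output.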

 

 

 

Login to ESX

 

 

End of Module

This concludes this module. We explored how we can use Role Based Access Control to limit what users can do in SDDC Manager with the Operator role as well as how the Administrator role has the ability to update and rotate passwords. Please continue on to the next module.

 

Module 10 - Multi-Instance Management (30 minutes)

Multi-Instance Management


Rainpole has seen great success in modernizing their data center with VMware Cloud Foundation.  Sam, Rainpole’s Cloud Administrator, has deployed a new data center to keep up with Rainpole’s expanding business, and infrastructure.  With the expansion Rainpole is looking to keep operating expenses low and therefore Sam will be operating both data centers, but will have some remote hands at the new data center.  Cloud Foundation was a great fit for Rainpole in this case by utilizing the Multi-Instance Management features.

Let’s review what the Multi-Instance Management feature is, and what advantages it will have for Rainpole.

From the VMware Cloud Foundation Operations and Administration Guide: Multiple Cloud Foundation instances can be managed together by grouping them into a federation, such that each member can view information about the entire federation and the individual instances within it. Federation members can view inventory across the Cloud Foundation instances in the federation as well as the available and used capacity (CPU, memory, and storage). This allows you to maintain control over the different sites and ensure that they are operating with the right degree of freedom and meeting compliance regulations for your industry. It also simplifies patch management by showing the number of patches available across sites in the global view.


 

SDDC Manager Log In

  1. Please ensure that the Lab Status is green and says “Ready”. 
  2. After you have verified that the lab is ready please launch Google Chrome using the shortcut on the desktop.

 

 

 

Log in to SDDC Manager

Once the browser has launched you will see two tabs open by default. The first tab is the SDDC Manager Login, the second is the vCenter Login. 

  1. Select the SDDC Manager tab and verify the page URL to ensure you have the correct user interface. The SDDC Manager login URL should read https://psc-01a.corp.local
  2. In the User name box enter: administrator@vsphere.local
  3. In the Password box enter: VMware1!
  4. Click the Login button

 

 

 

Create a Federation

Start the Create a Federation Wizard

  1. Select the Multi-Instance Manager icon at the top of the screen
  2. Select Create under Create a Federation

 

 

 

Create a Federation Wizard

This will be the start of our federation. Once complete we can add additional members and controllers to our federation.

  1. Federation Name: Rainpole
  2. Member Name: Site-1-VCF
  3. Country: United States
  4. City: San Francisco
  5. Click Create

NOTE: This step will take a few minutes to complete.

 

 

 

Invite Member

Invite the second site

  1. Click Invite Member to select the next site

 

 

 

Invite Member Wizard

Enter member FQDN

  1. Enter the FQDN of the second SDDC Manager, sddc-manager-2.corp.local
  2. Select CHECK CERTIFICATE
  3. Click the Confirm fingerprint checkbox
  4. Click Next

 

 

 

High Availability

We will not be enabling high availability for this lab due to time constraints. You are able to designate 2 additional servers as controllers. This will ensure accessibility if you lose access to one of the controller sites.

  1. Click Next

 

 

 

 

New Member Setup

There are two options for joining the federation. You can either use the URL to launch the dialog box and enter the required information or copy the token and controller FQDN to manually join the federation from the other SDDC manager.

  1. Click the URL - This will launch another tab in Chrome to sddc-manager-2 and start the setup of

 

 

 

Join Federation

  1. Enter the Member Name: Site-2-VCF
  2. Select United States as the country
  3. Select Atlanta for the city.
  4. Click CHECK CERTIFICATE, you should see a green Certificate validated successfully message.
  5. Click JOIN

NOTE: This will take a few minutes to complete.

 

 

 

Explore Multi-Instance Management

Once joined you will see the world map where you can see and select the different VCF instances that have been registered to the VCF Federation.

  1. Sometimes the screen doesn't refresh after the join is complete. Click the browser refresh button if you are not seeing both locations.
  2. Select the Atlanta location
  3. View the capacity information
  4. Close the Window

 

 

 

Detail View

  1. Select the Detailed view icon
  2. Expand Site-1-VCF to see the Workload domain details. Here we can easily view the capacity for a VI Workload Domain within a Cloud Foundation instance.
  3. If you select the NFS-WLD you can manage that specific VI Workload Domain.

 

 

 

SDDC Manager 1

  1. Click the SDDC Manager tab
  2. Click Done

 

 

 

Login to SDDC-Manager-2

  1. Select the Atlanta site
  2. Click LOGIN

If you closed the sddc-manager-2 tab you may need to log in again using administrator@vsphere.local and VMware1!

 

 

 

Leave the Federation

  1. From SDDC-Manager-2
  2. Select the detailed view
  3. Select the three dots next to Site-2-VCF
  4. Click Leave Federation

 

 

 

Leave Federation

  1. Enter the Federation Name: Rainpole
    • This name must match whatever you named the federation. You can find the exact spelling in the window. This is a safety feature so you don't leave the federation accidentally.
  2. Click LEAVE

 

 

 

End of Module

This concludes this module. We explored how to easily manage multiple VMware Cloud Foundation instances through a single management interface. As Rainpole scales they can easily expand the management of their infrastructure using VMware Cloud Foundation.

 

Module 11 - Removing Hosts, Clusters, and Workload Domains (30 minutes)

Remove Hosts, Clusters, Workload Domains


The automation provided by VMware Cloud Foundation doesn't stop at the standing up and building of new Workload Domains. There are times when resources need to be removed to be retired or re-allocated to another project or environment. In this case VCF can help with removal and deletion of hosts and clusters.

  1. Please ensure that the Lab Status is green and says “Ready”.  
  2. After you have verified that the lab is ready please launch Google Chrome using the shortcut on the desktop.

 


 

Log in to SDDC Manager

Once the browser has launched you will see two tabs open by default. The first tab is the SDDC Manager Login, the second is the vCenter Login. 

  1. Select the SDDC Manager tab and verify the page URL to ensure you have the correct user interface. The SDDC Manager login URL should read https://vcsa-1.corp.local
  2. In the User name box enter: administrator@vsphere.local
  3. In the Password box enter: VMware1!
  4. Click the Login button

 

 

 

Login to the vSphere Client

  1. After the successful log in to the SDDC Manager, select the second tab in the Chrome browser for the vSphere Client.
  2. Select the URL refresh button in the second browser tab. This action should allow you to be signed into the vSphere Client without having to enter any additional log in credentials. As we have already authenticated with the SDDC Manager and since they are both in the same SSO domain, our credentials should carry through to the second browser tab.

The refresh process can take a couple minutes to complete, but you can continue on to the next step in the lab.

 

 

 

Remove Host from a Cluster

You have just been informed that Rainpole Inc. has secured a major contract with the leading Enterprise Public Cloud provider. Work on this new project is to begin immediately. In order to support the various workloads needed for the project, additional compute capacity will be required for the new vSphere cluster you will be commissioning.

You will now proceed to remove and decommission the ESXi host you recently added to the SDDC-MGMT Workload domain.

  1. Navigate back to the SDDC Manager interface by selecting the first browser tab at the top of the screen.
  2. Select the Workload Domains sub-menu item below the Inventory menu in the left navigation menu
  3. Click the NFS-WLD workload domain link.

 

 

 

Select the Cluster

Select Cluster

  1. Select the Clusters menu item in the lower half of the main NFS-WLD page.
  2. Click on the link Production.

 

 

 

Host Removal

Select Host for Removal

  1. Select the Hosts Menu item
  2. Place a checkmark in the box next to the esx-11a.corp.local host
  3. Click the REMOVE SELECTED HOSTS link to proceed  

 

 

 

Confirm Removal

You will see the Remove hosts dialog box informing you that once the host is removed it will need to be decommissioned prior to adding it to another domain.

  1. Click the Remove button to execute the removal of the host.

In the unlikely event that the removal of the host fails, you can select the Force Remove Host checkbox.

  • If needed, check the box and then click Remove.

 

 

 

Monitor Progress

Monitor Host Removal Progress

  1. Expand the Task window at the bottom left of the main page and click the Refresh link.
  2. Click the Removing host(s) from cluster link to see the subtasks.  Drill down into all associated tasks that have been performed.

 

 

 

Subtask Review

Check the Status of the Sub Tasks

  1. Expand the Tasks window to fill the browser by clicking on the double arrow link on the top right side of the Tasks window.
  2. Review the status of all subtasks and ensure that all complete successfully.
  3. Click REFRESH to update the status information. (This process could take up to 5 minutes.)
  4. The final subtask is ReleaseLockContractAction which would indicate a Successful removal of the host from the cluster.
  5. Minimize the tasks window by clicking the X in the top right corner of the page.

 

 

 

Remove a Cluster

To remove a cluster, start by navigating to the cluster you would like to remove. We will do this by logging into SDDC Manager (left most tab in your browser) and then navigating as follows:

  1. Select Workload Domains from the Inventory menu on the left
  2. Click on the link NFS-WLD.

 

 

 

Select Clusters

  1. Click on the link Clusters

 

 

 

Delete Cluster

  1. Select the three dots in front of RainpoleAppCluster
  2. Click Delete Cluster to begin this workflow

 

 

 

Confirm Deletion

  1. For extra security we will need to type the name of the cluster RainpoleAppCluster before a delete will occur
  2. Fill out the name and then click Delete Cluster. Progress can be monitored in Tasks.

 

 

 

Monitor Progress

  1. Progress can be monitored in Tasks.  Once the task is successful (approximately 5-10 minutes) we can proceed to the next step

 

 

Bulk Host Decommission

You can decommission multiple hosts at one time.  To begin, log in to SDDC Manager

  1. Click Inventory>Hosts on the left navigation bar.

 

 

 

Unassigned Hosts

  1. Then click UNASSIGNED HOSTS

 

 

 

Decommission Hosts

  1. Select the Checkbox to select all the hosts to be decommissioned
  2. Then select DECOMMISSION SELECTED HOSTS

 

 

 

Confirm Decommission

  1. Select CONFIRM

Again, the progress can be tracked in the Tasks view.

 

 

 

Workload Domain Deletion

You just received a call from the IT Director of Rainpole Inc. An existing company project has had its delivery deadline moved up a few months. In order to meet this new deadline, additional compute capacity will be required to support the application workloads and additional development staff.

In order to provide the additional capacity for the project, you will need to decommission the VI-WLD Workload Domain.

Let's walk through reclaiming this capacity for Rainpole Inc. Keep in mind this may be a long running task.

Before you proceed with the deletion of the workload domain, let's confirm what we will be decommissioning in the vSphere Web Client.

  1. Click on the second tab in the browser to view the vSphere Client.  
  2. You should already be authenticated and logged into the vSphere Client if you followed the directions at the beginning of this module. If however the session has timed out, simply Refresh the browser page to re-authenticate to vCenter.
  3. Expand the vcsa-02a.corp.local vCenter server listed in the Navigator pane. Expanding the view further shows the Datacenter NFS-WLD-DC, the Production and RainpoleAppCluster Cluster, and the 6 ESXi Hosts.

 

 

 

End of Module

You have completed this module.  Please take a few minutes to provide feedback on your experience taking the lab as this will help with future updates to this lab.

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-2146-01-HCI

Version: 20210514-164755