vRA 7.2 DIG – 02, Deploy and Configure VMware NSX

We will be leveraging VMware NSX in this implementation to provide the load balancing services for the vRA deployment as well as integrating into vRA for application-centric network and security. Before any of this is possible, we must deploy NSX to the vSphere cluster, prepare the hosts, and configure logical network services. The guide assumes the use of NSX for these services, but this is NOT a requirement. A distributed installation of vRA can be accomplished with most load balancers. VMware certifies NSX, F5, and NetScaler.

(You can skip this section if you do not plan on using NSX in your environment)

Checklist:

  • Deploy (3) NSX Controller Nodes
  • Prep vSphere Hosts
  • Complete Logical Network Preparation
  • Configure VXLAN Network
  • Configure Transport Zone

Video

vRA 7.2 DIG – 01, Introduction

vRA 7.x focuses a lot on the user experience (UX), starting with one of the most critical — deploying the solution — then the second most critical, configuring it.  Following through with the promise of a more streamlined deployment experience, vRA 7’s release made a significant UX leap with the debut of the wizard-driven and completely automated installation of the entire platform and automated initial configuration.  And all of this in a significantly reduced deployment architecture.

The overall footprint of vRA has been drastically reduced. For a typical highly-available 6,x implementation, you would need at least 8 VA’s to cover just the core services (not including IaaS/windows components and the external App Services VA). In contrast, vRA 7’s deployment architecture brings that all down to a single pair of VA’s for core services. Once deployed, just 2 load-balanced VA’s will deliver vRA’s framework services, Identity Manager (SSO/vIDM), vPostgres DB, vRO, and RabbitMQ — all clustered and configurable behind a single load balance VIP and a single SSL cert. All that goodness, now down to 2 VA’s and all done automatically (!) during deployment.

While the IaaS (.net) components remain external, several services have moved to the VA(s). This will continue to be the case over time as more and more services make it over — eventually eliminating the Windows dependencies all together.…

vRA 7.2 Detailed Implementation Guide

Welcome to the vRealize Automation 7.2 Detailed Implementation Guide (DIG). This series of posts — made up of detailed how-to, end-to-end videos, plenty of commentary, and other related content — was put together to help you deploy and configure a highly-available, production-worthy vRealize Automation 7.2 distributed environment, complete with SDDC integration (e.g. VSAN, NSX), extensibility examples and ecosystem integrations. The design assumes VMware NSX will provide the load balancing capabilities and includes details on deploying and configuring NSX from from scratch to deliver these capabilities.

This little project has been in the works for quite some time and will continue to expand as I include additional how-to’s for a variety of use cases (e.g. IPAM and ITSM integration).

Target Audience

This guide was created for anyone looking to install and/or configure vRealize Automation 7.2 in any environment. And, as were my intentions in previous POC guides, the content here can be used as a form of training and education or simply a reference document for existing or new vRA environments.

As for skill level, this guide assumes you have a general idea of vRealize Automation and VMware’s broader Cloud Management products. However there is no expectation that you’ve previously deployed and configured vRA.…

Storage Over-Provisioning in vRealize Automation

A driving factor of virtualization in the old days was the immediate efficiencies that were realized with each P2V. It was money in the bank each time consolidation ratios increased and fewer physical boxes were required. In the physical world, we tried to ensure each OS and associated app(s) had plenty of excess CPU, memory, and storage resources available to it…just in case they were needed at some point in the future. The target utilization rate was typically under 20% (often less than half that) and a sustained rate above that was a cause for concern. In contrast, virtualization aspired resource utilization rates of 60-80% per host and a little below that cluster-wide. While high utilization became the new norm, over-provisioning of resources was typically avoided (at least in production).

Fast forward to the cloud era (private / public, doesn’t matter), where over-provisioning of machines consuming shared resources is a necessary evil for driving efficiencies at every level of infrastructure and scale. This is especially true for infrastructure-as-a-service. This evil is also one of the benefits…it’s what helps deliver the perception of unlimited resources to the consumer without actually making that kind of investment. While the cost of spare capacity has become less of an issue over time, over-provisioning of resources remains a common practice for many small shops, enterprises, and service providers alike.…

vRA and NSX – Part 3, Security Groups and Policies

Introduction

Recapping Part 2 of this series: We staged a number of NSX Logical Switches to be consumed by vRA machines as External Networks. vRA collects and identifies these networks as traditional [vSphere] Network Paths and allows them to be wired for consumption in the Converged Blueprint (CBP) designer as needed (or using custom properties, but that’s beyond this post). Logical Switches can be created for a consumption-only model, automatically created per Deployment when using On-Demand services, or some combination of these.

Moving on…

Similar to it’s relationship with NSX Logical Switches, vRA provides both consumption-based and dynamic security services to deliver a number of use cases leveraging NSX Security Groups and Security Policies.

A Security Group defines — and logically groups — the objects you want to protect (e.g. virtual machines) and the policies that protect them (via a security policy). Group membership can be static or dynamic (e.g. based on logical naming, containers, tags, or as members of other security groups). Pre-created security groups are collected by vRA endpoint inventory and consumed as Existing Security Groups (SG) within the Converged Blueprint designer. These security groups may ultimately contain a combination of unmanaged vSphere VMs and vRA-managed machines.

vra7-327vRA also supports On-Demand Security Groups (ODSG) within CBP, which requires the use of an existing Security Policy.…

vRA and NSX – Part 2, Staging Logical Networks

Introduction

A logical switch emulates a traditional network switch by creating logical networks that can be used to connected one or more vnics of a virtual machine to the corresponding logical network. In an NSX environment, logical switches are directly mapped to an available Transport Zone (VXLAN) and is stretched across all hosts and clustered configured with that VXLAN. Similarly, a Universal Logical Switch is deployed when used with Universal Transport Zones and can be stretched across hosts, clusters, and even vCenters. Logical switches are typically created and managed using the vSphere Web Client. Once created, machines can be logically wired to them for connectivity to other machines and/or upstream services (e.g. NSX Edge Services Gateway or Distributed Logical Router…or anything else wired to the resulting logical network). Thanks to the power of NSX, these networks can be spun up rapidly (albeit statically) and exist exclusively in the virtualization layer, saving countless management cycles and associated overhead (+ cost).

As you are well versed by now, NSX delivers the critical services needed for a modern network infrastructure while lifecycle automation of network and security services — from provisioning to decommissions (and everything in between) — are defined by the automation layer.…

vRA and NSX – Intro to Network and Security Automation

Network and security automation — and specifically the use of on-demand services — will continue to play a more significant role as NSX (and network virtualization in general) continues to become more and more prominent. Customers are still trying to understand the impacts of app-centric networking and whether or not they’re ready to hand these critical services to automation tools. There’s a perception that automation reduces control and/or visibility into networking and security services that traditionally involve a ton of ownership, red tape, and several siloed personalities that love to hear their own voice (I used to be one!). Plus, there are personal domains and certifications to protect!

Once these folks realize vRA + NSX will provide greater control, more governance, and better visibility than they’ve ever had before, heads tend to deflate a bit. NSX adoption is on a rocketship and its benefits are resonating with traditional network silos and modern shops alike. As adoption (and resulting trust) continues to grow within an enterprise, the second part of the equation — automation — become the obvious next step for streamlining network and security services, often getting kicked off with two wonderful words: now what? Enter vRealize Automation.

For its part, vRA is designed to bridge the gap between a pure consumption model and on-demand everything.…

vRA and NSX – Part 1, vSphere Prep

Introduction

There are a few prerequisite steps to complete on the vSphere and NSX side before vRA can be configured to consume its services or deliver on-demand networking and security. In Part 1 of this series, we will use the vSphere Web Client to review the NSX baseline deployment and add the necessary configurations for staging. What is configured here will depend on the desired objectives and use cases…I’ll cover minimum requirements.

Note: These steps assume you have already deployed NSX Manager, registered NSX with vSphere, and prepared hosts / clusters per best practice.

Objectives:

  • Review NSX deployment in vSphere to ensure prerequisites are in tact
  • Validate Logical Network / VXLAN configuration

As mentioned previously, this guide assumes a basic NSX deployment has been completed. This section will review the lab configuration and validate NSX has been properly deployed and configured.

1.  Log in the vSphere Web Client.

2.  Navigate to Networking & Security to review the existing NSX deployment configuration.

3.  Select Installation in the Networking & Security pane.

4.  In the Management tab, verify that at least one primary NSX Manager is available and at least one NSX Controller Node has been deployed (with status: Connected):

vra7-135

5.  In the Host Preparation tab, expand the target clusters and ensure Installation status, Firewall, and VXLAN are all showing a green check mark:

vra7-133

In this example, there are two configured clusters — Cloud Cluster and Mgmt Cluster.