Notes from the field – Cloud Design Part 1

I’ve had an interesting last couple of weeks having discussions with customers who are both already in the public cloud and those that are dipping a toe. One recurrent theme seems to be the idea of taking what you have on premises and putting it into the cloud and expecting it to work in exactly the same way.

I’ve been working with cloud technologies for coming up on 5 years now, and in that time, this concept has been prevalent all the way through. There is a famous quote that seems to have been attributed to different historical people, including Einstein and Henry Ford, but instead I’m going to use Aerosmith’s interpretation of it:-

Cause if you do what you’ve always done
you’ll always get what you always got
Uh could that be nothin’

Steven Tyler, Aerosmith “Get A Grip”

Now that I’ve shoehorned in a hard rock reference, let’s look at what that actually means. For a start, many larger organisations use the end of a DC lease to trigger their move into public cloud by doing a “lift and shift” of VMs into the cloud, maybe deploying a couple of third-party appliances (such as CloudGuard IaaS, of course) and then declaring themselves “in the cloud”. Job done.

Well yes and no.

Let me be clear on my view that if you are moving to cloud to save money, you’re doing it for entirely the wrong reasons. Really what you’re buying into is hyperscale technologies – the ability to provision highly complex stacks with a few clicks of a button and paying only for what you use.

If you drag and drop a bunch of most probably oversized VMs into the cloud, you’re in for a shock when the monthly bill arrives. In my experience, compute charges make up the lion’s share of the bill. Do your research ahead of time and see whether there are ways you can mitigate this cost.

For starters, if you have simple web serving needs, why not use the ability to publish web sites via S3 buckets, or maybe an Azure Web App? There are multiple tiers in the latter service, depending on what levels of performance and resilience you want.

If you have bursty compute requirements, look at auto scaling technologies or even serverless. Don’t be sucked into the dogma that serverless cures all ills, because it doesn’t. Used in the right way, it can be highly cost effective and elegant. Used in the wrong way, it can be expensive and inflexible for your needs.

dogma, noun [C or U], disapproving. UK /ˈdɒɡ.mə/ US /ˈdɑːɡ.mə/

a fixed, especially religious, belief or set of beliefs that people are expected to accept without any doubts

(Cambridge Dictionary)

That’s not to say there’s anything wrong with lift and shift of VMs into Azure, AWS, GCP, etc., but it’s a staging post, not a destination. One public sector body I worked with a couple of years ago was really switched on to this. They saw L&S as very much a phase one, then used the “long tail” method of transitioning their apps to something more cloud native, using technologies such as Azure SQL and Azure Web Apps.

As usual, this post is a bit more of a brain dump than anything more formal. In future posts I intend to explore some more of the experiences I’ve had in the field and hopefully some will resonate with you.

As always, comments welcome. You can reach me on Twitter @ChrisBeckett.




VMworld Europe Day One

Today saw the start of VMworld Europe in Barcelona, with today being primarily for partners and TAM customers (usually some of the bigger end users). However, that doesn’t mean that the place is quiet, far from it! There are plenty of delegates already milling around, I saw a lot of queues around the breakout sessions and also for the hands on labs.

As today was partner day, I had already booked my sessions on the day they were released. I know how quickly these sessions fill, and I didn’t want the hassle of queuing up outside and hoping that I would get in. The first session was around what’s new in Virtual SAN. There have been a lot of press inches given to the hyper-converged storage market in the last year, and I’ve really tried to blank them out. Now that the FUD seems to have calmed down, it’s good to be able to take a dispassionate look at all the different offerings out there, as they all have something to give.

My first session was with Simon Todd and was titled VMware Virtual SAN Architecture Deep Dive for Partners. 

It was interesting to note the strong numbers of customers deploying VSAN. There was a mention of 3,000 globally, which isn’t bad for a product that you could argue has only just reached a major stage of maturity. There was the usual gratuitous customer logo slide, one of which was of interest to me. United Utilities deal with water related things in the north west, and they’re a major VSAN customer.

There were other technical notes, such as VSAN being an object based file system, not a distributed one. One customer has 14PB of storage over 64 nodes, and the limitation to further scaling out that cluster is a vSphere related one, rather than a VSAN related one.

One interesting topic of discussion was whether or not to use passthrough mode for the physical disks. What this boils down to is the amount of intelligence VSAN can gather from the disks if they are in passthrough mode. Basically, there can be a lot of ‘dialog’ between the disks and VSAN if there isn’t a controller in the way. I have set it up on IBM kit in our lab at work, and I had to set it to RAID0 as I couldn’t work out how to set it to passthrough. Looks like I’ll have to go back to that one! To be honest, I wasn’t getting the performance I expected, and that looks like it’s down to me.

VSAN under the covers seems a lot more complex than I thought, so I really need to have a good read of the docs before I go ahead and rebuild our labs.

There was also an interesting thread on troubleshooting. There are two fault types in VSAN – degraded and absent. Degraded state is when (for example) an SSD is wearing out, and while it will still work for a period of time, performance will inevitably suffer and the part will ultimately go bang. Absent state is where a temporary event has occurred, with the expectation that this state will be recovered from quickly. Examples include a host in maintenance mode or a network connection being down, and this affects how the VSAN cluster behaves.

There is also now the ability to perform some proactive testing, to ensure that the environment is correctly configured and performance levels can be guaranteed. These steps include a ‘mock’ creation of virtual machines and a network multicast test. Other helpful troubleshooting items include the ability to blink the LED on a disk so you don’t swap out the wrong one!

The final note from this session was the availability of the VSAN assessment tool, which is a discovery tool run on the customer site, typically for a week, that gathers existing storage metrics and provides sizing recommendations and cost savings using VSAN. This can be requested via a partner, so in this case, Frontline!

The next session I went to was Power Play: What’s New With Virtual SAN and How To Be Successful Selling It. Bit of a mouthful I’ll agree, and as I’m not much of a sales or pre-sales guy, there wasn’t a massive amount of takeaway for me from this session, but Rory Choudhari took us through the current and projected revenues for the hyperconverged market, and they’re mind boggling.

This session delved into the value proposition of Virtual SAN, mainly in terms of costs (both capital and operational) and the fact that it’s simple to set up and get going with. He suggested it could live in harmony with the storage teams and their monolithic frames; I’m not so sure myself. Not from a tech standpoint, but from a political one. It’s going to be difficult in larger, more bureaucratic environments.

One interesting note was Oregon State University saving 60% using Virtual SAN as compared to refreshing their dedicated storage platform. There are now nearly 800 VSAN production customers in EMEA, and this number is growing weekly. Virtual SAN 6.1 also brings with it support for Microsoft and Oracle RAC clustering. There is support for OpenStack, Docker and Photon, and the product comes in two versions.

If you need an all flash VSAN and/or stretched clusters, you’ll need the Advanced version. For every other use case, Standard is just fine.

After all the VSAN content I decided to switch gears and attend an NSX session called Disaster Recovery with NSX, SRM and vRO with Gilles Chekroun. Primarily this session seemed to concentrate on the features in the new NSX 6.2 release, namely the universal objects now available (distributed router, switch, firewall) which span datacentres and vCenters. With cross-vCenter vMotion, VMware have really gone all out removing vCenter as the security or functionality boundary to using many of their products, and it’s opened a whole new path of opportunity, in my opinion.

There are currently 700 NSX customers globally, with 65 paying $1m or more in their deployments. This is not just licensing costs, but also for integration with third-party products such as Palo Alto, for example. Release 6.2 has 20 new features and has the concept of primary and secondary sites. The primary site hosts an NSX Manager appliance and the controller cluster, and secondary sites host only an NSX Manager appliance (so no controller clusters). Each site is aware of things such as distributed firewall rules, so when a VM is moved from one site to another, the security settings are preserved.

Locale IDs have also been added to provide the ability to ‘name’ a site and use the ID to direct routing traffic down specific paths, either locally on that site or via another site. The key takeaway from the session was that DR is typically slow, complex and expensive, with DR tests only being invoked annually. By providing network flexibility between sites and binding in SRM and vRO for automation, some of these issues go away.

In between times I sat the VCP-CMA exam for the second time. I sat the beta release of the exam and failed it, which was a bit of a surprise as I thought I’d done quite well. Anyway, this time I went through it, some of the questions from the beta were repeated and I answered most in the same way and this time passed easily with a 410/500. This gives me the distinction of now holding a full house of current VCPs – cloud, desktop, network and datacenter virtualisation. Once VMware Education sort out the cluster f**k that is the Advanced track, I hope to do the same at that level.

Finally I went to a quick talk called 10 Reasons Why VMware Virtual SAN Is The Best Hyperconverged Solution. Rather than go chapter and verse on each point I’ll list them below for your viewing pleasure:-

  1. VSAN is built directly into the hypervisor, giving data locality and lower latency
  2. Choice – you can pick your vendor of choice (HP, Dell, etc.) and either pick a validated, pre-built solution or ‘roll your own’ from a list of compatible controllers and hard drives from the VMware HCL
  3. Scale up or scale out, don’t pay for storage you don’t need (typically large SAN installations purchase all forecasted storage up front) and grow as you go by adding disks, SAS expanders and hosts up to 64 hosts
  4. Seamless integration with the existing VMware stack – vROps adapters already exist for management, integration with View is fully supported etc
  5. Get excellent performance using industry standard parts. No need to source specialised hardware to build a solution
  6. Do more with less – achieve excellent performance and capacity without having to buy a lot of hardware, licensing, support etc
  7. If you know vSphere, you know VSAN. Same management console, no new tricks or skills to learn with the default settings
  8. 2000 customers using VSAN in their production environment, 65% of whom use it for business critical applications. VSAN is also now third generation
  9. Fast moving road map – version 5.5 to 6.1 in just 18 months, much faster rate of innovation than most monolithic storage providers
  10. Future proof – engineered to work with technologies such as Docker etc

All in all a pretty productive day – four sessions and a new VCP for the collection, so I can’t complain. Also great to see and chat with friends and ex-colleagues who are also over here, which is yet another great reason to come to VMworld. It’s 10,000 people, but there’s still a strong sense of community.


VCP6-CMA – Section 2: Administer vRealize Automation Users, Roles and Privileges


Objective 2.1: Create Roles and Apply Privileges to Roles

Configure system-wide roles and responsibilities

  • There are three system wide roles, they are:-
    • System Administrator (create tenants, configure identity stores, assign IaaS and tenant administrator roles, configure Orchestrator, configure branding, notifications and monitor system logs)
    • IaaS Administrator (configure IaaS features and global properties, manage IaaS licences, create and manage fabric groups, create and manage endpoints and associated credentials, configure proxy agents, manage AWS instance types, monitor IaaS logs)
    • Fabric Administrator (manage build profiles, manage compute resources, manage cost profiles, manage network profiles, manage AWS EBS volumes and key pairs, manage machine prefixes, manage property dictionary, manage reservations and reservation policies)
    • Log in as a tenant administrator and go to Administration > Users & Groups > Identity Store Users & Groups. Search for the required group, add the required roles from the list and click Update to save.

Assign user roles within tenants

  • There are seven tenant-based roles, including:-
    • Tenant administrator (manage tenant identity stores, user and group roles, custom groups, tenant branding, notification providers and scenarios, create and manage approval policies, manage catalog services, items and actions, manage entitlements, monitor tenant machines and send reclamation requests, configure Orchestrator servers, plug-ins and workflows for use in the Advanced Service Designer, create and publish shared IaaS blueprints)
    • Service Architect (define custom resource types, create and publish service blueprints with the ASD, create and publish custom actions)
    • Business Group Manager (create and publish business group specific blueprints from IaaS, catalog items and entitlements, monitor resource usage in a business group)
    • Support User (request and manage items on behalf of other users within their business groups)
    • Business User (request and manage services)
    • Approval Administrator (create and manage approval policies)
    • Approver (approve catalog requests, including provisioning requests or any resource actions)
  • Log in as a tenant administrator and go to Administration > Users & Groups > Identity Store Users & Groups. Search for the required group, add the required roles from the list and click Update to save.

Configure tenant roles and responsibilities

  • Log in to the vRealize Appliance as a tenant administrator
  • Select Administration > Groups
  • Click the Add icon
  • Select Identity Store Group
  • Type a group name in the Add existing Identity Store groups to this group search box
  • Select one or more roles from the Add Roles to this Group list (The Authorities Granted by Selected Roles list indicates the specific authorities you are granting)
  • Click Update.
  • Changes to user access rights are reflected immediately

Add identity stores

  • Log in to the vRealize Appliance as a tenant administrator
  • Select Administration > Identity Stores
  • Click the Add icon
  • Type a name in the Name text box
  • Select the type of the identity store from the Type drop-down menu
    • OpenLDAP
    • Active Directory
  • Type the URL for the identity store in the URL text box (For example, ldap://
  • Type the domain for the identity store in the Domain text box
  • (Optional) Type the domain alias in the Domain Alias text box
  • Type the login user Distinguished Name in the Login User DN text box (For example, cn=demoadmin,ou=demo,dc=dev,dc=mycompany,dc=com)
  • Type the password for the identity store login user in the Password text box
  • Type the group search base Distinguished Name in the Group Search Base DN text box (For example, ou=demo,dc=dev,dc=mycompany,dc=com)
  • Type the user search base Distinguished Name in the User Search Base DN text box (For example, ou=demo,dc=dev,dc=mycompany,dc=com)
  • Click Test Connection
  • Click Add

Appoint tenant administrators

  • IaaS administrators cannot be added until IaaS components have been installed
  • You must first configure an identity store
  • Type the name of a user or group in the Tenant Administrators or Infrastructure Administrators search box and press Enter
  • Verify that the user or group name appears in Tenant Administrators or Infrastructure Administrators list
  • Click Update

Objective 2.2: Configure AD/LDAP Integration

Configure identity stores

  • Log in to the vRealize Appliance as a tenant administrator
  • Procedure is much the same as in the “Add Identity Stores” listed above.
  • Changes can be made to search DNs, LDAP bind user and LDAP URL/port if required
  • Each tenant must have at least one identity store
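The “Add identity stores” and “Configure identity stores” steps above both end with Test Connection. The following script is an added example (not from the page, VMware, or the vRA appliance) that performs the same bind and base-DN lookups from a Windows box, so a failing Test Connection can be diagnosed outside the UI. The directory hostname is a placeholder; the DNs are the page’s own examples.

```powershell
# Added example: pre-check the values about to be entered in the vRA identity store dialog.
# Assumes .NET's System.DirectoryServices.Protocols (present on Windows); hostname is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapHost        = 'ldap.dev.mycompany.com'   # placeholder: your OpenLDAP or AD server
$ldapPort        = 636                        # 636 = LDAPS; a simple bind on 389 sends the password in clear
$loginUserDn     = 'cn=demoadmin,ou=demo,dc=dev,dc=mycompany,dc=com'   # page's Login User DN example
$groupSearchBase = 'ou=demo,dc=dev,dc=mycompany,dc=com'                # page's Group Search Base DN example
$userSearchBase  = 'ou=demo,dc=dev,dc=mycompany,dc=com'                # page's User Search Base DN example
$password        = Read-Host -AsSecureString -Prompt "Password for $loginUserDn"

function Test-IdentityStore {
    param([string]$Server, [int]$Port, [string]$BindDn, [securestring]$BindPassword,
          [string]$GroupBase, [string]$UserBase)

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $cred = New-Object System.Net.NetworkCredential($BindDn, $BindPassword)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
                $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Port -eq 636) { $conn.SessionOptions.SecureSocketLayer = $true }

    try {
        $conn.Bind()    # same simple bind the dialog performs with Login User DN + Password
        Write-Host "Bind OK as $BindDn"
    } catch {
        Write-Warning "Bind failed: $($_.Exception.Message)"
        return $false
    }

    # Both search bases must exist and be readable by the bind account; otherwise vRA binds
    # successfully but finds no users or groups to assign roles to. A base-scope read of the
    # DN itself proves this for both OpenLDAP and AD without enumerating the subtree.
    $ok = $true
    foreach ($base in @(@{ Name = 'Group Search Base DN'; Dn = $GroupBase },
                        @{ Name = 'User Search Base DN';  Dn = $UserBase })) {
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
                   $base.Dn, '(objectClass=*)',
                   [System.DirectoryServices.Protocols.SearchScope]::Base, @('objectClass'))
        try {
            $resp = $conn.SendRequest($req)
            Write-Host ("{0}: {1} readable ({2} entry)" -f $base.Name, $base.Dn, $resp.Entries.Count)
        } catch {
            Write-Warning ("{0}: cannot read {1}: {2}" -f $base.Name, $base.Dn, $_.Exception.Message)
            $ok = $false
        }
    }
    $conn.Dispose()
    return $ok
}

Test-IdentityStore -Server $ldapHost -Port $ldapPort -BindDn $loginUserDn -BindPassword $password `
                   -GroupBase $groupSearchBase -UserBase $userSearchBase
```

The bind account only needs read access to the two search bases, so use a dedicated low-privilege directory user rather than a domain administrator.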

Link an identity store to a tenant

  • Log in to the vRealize Appliance as the system administrator
  • Click Add Tenant and fill in the details
  • Procedure is much the same as in the “Add Identity Stores” listed above

Configure a Native Active Directory Identity Store

  • Native Active Directory identity store is only available on the default tenant
  • Log in to the vRealize Appliance as a system administrator
  • Join your Identity Appliance to Active Directory to enable Native Mode
  • When in the tenants view, select the default tenant (vsphere.local)
  • Click the Identity Stores tab, click Add and type in the name of the joined AD domain
  • Click Add and Update


vRealize Automation – What I Learned This Week

As I mentioned previously, my new role has meant that I have to get up to speed on all things automation very quickly indeed. This week I have been spending all of my time getting to grips with vRA – its architecture, components, installation and design considerations (amongst other things). I’m not going to re-invent the wheel by writing my own install and config guide, there are a ton of brilliant resources out there already, so I’m going to link to them (more for my own reference than anything else I think).

I think the first thing is not to be fazed by putting together a small scale vRA setup. You just need three VMs to get started, and two of those are already built out for you as virtual appliances. Install in this order:-

  • Deploy SSO / ID appliance OVF and configure as appropriate (IP addresses, root passwords etc.)
  • Deploy vRA appliance OVF and configure as appropriate (IP addresses, root passwords etc)
  • Deploy IaaS stack on a Windows Server

To get started and before you install anything, I’d highly recommend watching the videos at virtualjad.com. They’re pretty bite-sized (generally 15-20 mins per video) and go through the install path and configuration. I managed to follow that quite easily, but I’ll be honest and say that the customisation stuff blew my brain. I’ll have to go back and re-watch that, it just could have been a bit of overload.

In terms of the actual installation, as the OVFs can be redeployed at any time, there’s no real worry about breaking those on initial installation. The Windows IaaS box should be snapshotted before running the main installation, and make sure to run Brian Graf’s awesome pre-reqs PowerShell script to make sure all bits like Windows Server roles, Java and IIS are configured correctly. I did this by hand previously and it was torture.

Configure a service account and give it administrator permissions from vCenter down (I know this is bad practice, but we’re talking about a lab environment) and also give it access to SQL. Don’t create the vRA database; the IaaS installer will do this for you. Also, there is no need to configure an ODBC connection.

The install pre-req script does not appear to set the local security policy on the IaaS box, so you will need to add your service account user to the “Log on locally” and “Log on as a service” policies. You will get a warning from the IaaS installer if this has been missed, so don’t worry. If you get any 401 errors when browsing within the Infrastructure tab, double check your service account is a member of the local Administrators group.
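To check those three settings on the IaaS box before running the installer, here is an added example (not the pre-reqs script mentioned above, nor anything from VMware) that exports the local security policy with secedit, parses the two user rights, and checks local Administrators membership. The service account name is a constructed placeholder; run it elevated on the IaaS Windows server.

```powershell
# Added example: verify the IaaS service account's user rights and local admin membership.
# Assumes secedit.exe and Get-LocalGroupMember (PowerShell 5.1 / Server 2016+) are available.
$serviceAccount = 'LAB\svc-vra'   # placeholder: your IaaS service account

function Get-PrivilegeRights {
    # Export only the user-rights area and parse the [Privilege Rights] section into
    # right -> list of holders. secedit writes SIDs with a leading '*', which we strip.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-IaasServiceAccount {
    param([string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $rights  = Get-PrivilegeRights
    $results = @{}

    # "Log on locally" is SeInteractiveLogonRight; "Log on as a service" is SeServiceLogonRight.
    # This checks a direct grant only: a grant to a group the account belongs to also counts,
    # so a MISSING here means "not granted explicitly", which is what the installer warns about.
    foreach ($right in 'SeInteractiveLogonRight', 'SeServiceLogonRight') {
        $holders = @($rights[$right])
        $results[$right] = ($holders -contains $sid) -or ($holders -contains $Account)
    }

    # Direct membership of the local Administrators group (the 401-in-Infrastructure-tab check).
    $adminSids = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value }
    $results['LocalAdministrators'] = $adminSids -contains $sid

    return $results
}

$check = Test-IaasServiceAccount -Account $serviceAccount
foreach ($name in ($check.Keys | Sort-Object)) {
    $status = if ($check[$name]) { 'OK' } else { 'MISSING' }
    Write-Host ("{0,-24} {1}" -f $name, $status)
}
```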

Other Random Stuff

Can’t see the vCenter VM templates in the vRA interface? Ensure you have a network policy configured and mapped to the port group on the vCenter side, then you should see the templates when creating a blueprint. This one kept me going for hours.

Can’t see the Advanced Services designer? Follow this blog post and ensure you have a Service Architect role properly configured.

Can’t add a plug-in into the built-in Orchestrator server on the vRA appliance? You need to start the vco-configurator service on the appliance. Thanks again to Ryan Kelly, who seems to have bumped his head on all the things I’ve seen so far and helped me fix it. Top man!


Top vBlog 2015 Voting Is Open!

Anyone who knows me knows that I am as shamelessly competitive as the next man, but if you hadn’t heard, voting is now open in the annual 2015 Top vBlog competition, over at vSphere-Land.com. There are dozens and dozens of fine blogs from which to choose, from the industry heavyweights such as Duncan Epping and Frank Denneman, to jobbing journeymen like me.

I’ve already voted in the poll and in keeping with the spirit of the competition, I’ve not voted for myself and neither have I voted for anyone who is a friend but whose blog I don’t commonly visit.

Why vote?

Blogs take time, money and energy to keep going. More often than not, they are written in the author’s own time and on web sites paid for out of their own pocket. Certainly in my case, I’ve learned a lot over the years from blogs, and if you’ve been in this game long enough, a blog posting somewhere (usually from years back) will have got you out of a pickle at some point.

By voting for your favourite blogs, it’s your way of giving these folks a pat on the back for the fine work they continue to do, not just about VMware products but also related ecosystem products such as networking, storage and utilities. It costs you nothing except about 10 minutes of your valuable time and you should pick the blogs you read and enjoy the most. I read Duncan and Cormac Hogan’s blogs a lot, so I made sure I voted for them. There are no massive cash rewards for this, just the knowledge that people enjoy and respect the effort that goes in, and more than anything else, the willingness to share it.

So vote now!

The poll is open until 19th March, but don’t leave it until the last minute or you’ll just forget. As I said earlier, the whole thing is simple and takes 10 minutes, tops.

I will! What’s involved?

Basically pick your 10 favourite blogs and then rank them into order of preference. I won’t say who I voted as number 1, but I suspect it will be the same as many others!

Then choose your favourite storage blog, your favourite scripting blog, favourite VDI blog (cough Virtual Fabric, cough, splutter!), favourite new blogger and favourite independent blogger. There are also categories for favourite news site and favourite podcast.

Enter your e-mail address (not shared with anyone), complete the captcha and you’re done! Do it now and pat your favourite blogger virtually on the back!

Click here to vote.


Why the VMUG UK conference is not a “poor man’s” VMworld

Miss VMworld this year? Yep, me too. I seem to attend every other year, and this year was when I missed out. That being said, what did you miss? Well the keynotes were streamed live and can be played back again now on demand. Hands On Labs? Well you can use them any time you like via the magic of the interwebs. OK, so you don’t get access to the Solutions Exchange and there were lots of really cool breakout sessions that you can only view if you have the appropriate access to the VMworld website.

Did you know that on November 18th there is the UK VMUG User Conference? It’s at the National Motorcycle Museum in Solihull, a small journey away from Birmingham airport. I’m here to tell you that this event is not a poor man’s VMworld and the two should not really be compared. Here’s why.

I’ve been to VMworld twice and the UK VMUG twice, so I feel pretty well qualified to comment on both events. The UK VMUG is obviously a much smaller event, but remember that old saying “small ones are more juicy?”. Even though it’s a fraction of the scale of VMworld, you can get just as much out of the single day at the UK VMUG as you can from VMworld.

For starters, the keynote is by Joe Baguley. For those that don’t know, he’s the CTO for EMEA at VMware. His keynotes are often quite thought provoking, witty and a little left field. They’re not a typical dry keynote of numbers and bar charts, roadmaps and gratuitous slides with customer logos on them. They’re probably in there too, but this event is a little different. It’s for users by users.

As well as there being several parallel breakout tracks, you can decide which areas you want to specialise in, such as EUC (obviously where I’ll be!), SDDC, NSX and partner sessions. You don’t have to register for the breakouts in advance, just turn up. If you don’t feel like going to the vRealize session, don’t. Go to the Horizon View one instead! There’s a much easier flow to these events than you get at VMworld.

In terms of partner support, pretty much all the main guys are there. Veeam are platinum sponsors and then there is an array of gold sponsors with household names such as Brocade, Cisco and SanDisk, as well as up and coming partners such as Nutanix, Atlantis and Tintri (apologies if I haven’t name checked you!). The point is that all the main partners will be there, in a much smaller and more intimate setting and in a more techie based environment than you might get at VMworld. Plus there’s a better chance of having a decent conversation with one of the aforementioned vendors! At VMworld, the large scale of it all doesn’t always make it easy to sit down with the appropriate person at a vendor booth.

So why else should you go? Here’s an abridged roll call of the confirmed speakers so far :-

  • Chris Wahl
  • Joe Baguley
  • Cormac Hogan
  • Mike Laverick
  • Matt Steiner
  • Alan Renouf
  • Barry Coombs
  • Peter Von Oven
  • Jonathan Medd
  • Lee Dilworth
  • Ricky El-Qasem

All well known names in the community and excellent presenters all. There are also several more informal sessions taking place throughout the day, including an AMA (Ask Me Anything) session with VMware GSS (so I’ll be asking my stock question of “if you were a dinosaur, which one would you be and why?”) and the now traditional design session with my former colleague Darren “Grandpa” Woollard. Sit down with him and whiteboard out some design discussions around deployment of VMware and associated technologies. Just remember to SPEAK SLOWLY AND LOUDLY! ;-). The latest event agenda is available here.

There are also the usual slew of event giveaways and prizes, and if you ask him nicely, Darren may autograph your left pectoral.

So then, there you go. I will be along there, feel free to say hello if you see me, I don’t bite. Unless you’re slathered in Nutella, obviously.

Did I say it was free? Register here now, and get yourself along!



VCAP-DTA – Objective 5.2 – Deploy ThinApp Applications using Active Directory

Once we have a repository configured for our ThinApps, we next continue the groundwork by preparing Active Directory. We can then harness Active Directory groups to control access to the ThinApps.

  • Create an Active Directory OU for ThinApp packages or groups – From your domain server, go to Administrative Tools and select Active Directory Users and Groups. From wherever in the hierarchy the exam asks you to, right click and select New, Organizational Unit. Give the OU a name and click OK.
  • Add users to individual ThinApp package OU or groups – Again not really a View skill as such, just some basic AD administration. Now that you have created your OU(s) as above, to create a user right click on the ThinApp OU, click New, User, fill out the appropriate details, click Next, enter password information and click Next and Finish. To add a group, right click on the appropriate OU, click New, Group, give the group a name and select the type and click OK. To add users to an existing group, double click the group, click Members, Add and enter the user names and click Check Names. Click OK twice.
  • Leverage AD GPOs for individual ThinApp MSIs – Group Policy can be used to publish an existing ThinApp MSI without the need for a repository, or in parallel. To configure this, go to Administrative Tools, Group Policy Management. Right click the OU in which you would like to create the GPO. Select Create a GPO in this domain, and link it here (for a new GPO, or select Link an existing GPO if asked). Name the GPO and click OK. Once the GPO is created, right click on it and select Edit. In either Computer Configuration or User Configuration select Policies and then Software Settings. Right click on Software Installation and select New, Package. Browse to the network location of the MSI and select the MSI and then Open. Accept the defaults to Assign the package to a user or computer or click Advanced for further settings. Click OK. If you select Advanced, use the tabs across the top to make changes as appropriate and click OK. You may need to run gpupdate.exe to refresh Group Policy.
  • Create and maintain a ThinApp login script – The ThinReg utility can be used in an existing login script to deploy ThinApps to users. For example, in the NETLOGON share, you can add a line or lines into the logon script to invoke thinreg.exe. In its simplest form, just add the line thinreg.exe \\server\share\application.exe /Q. The /Q switch just runs the command silently. It may well crop up as a specific requirement on the exam.
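The following logon script is an added example (not from the page or from VMware) that ties the two ideas above together: it registers packages with thinreg.exe /Q only for users who are members of the matching AD group, checks the package exists, and logs each result. The share path, package names and group names are constructed placeholders; only the /Q switch from the page is used.

```powershell
# Added example: group-gated ThinApp logon script. All paths and group names are placeholders.
$thinreg = '\\server\share\thinreg.exe'                       # placeholder location of thinreg.exe
$logFile = Join-Path $env:LOCALAPPDATA 'thinapp-logon.log'    # per-user log, no share write needed

# Package -> AD group entitled to it (constructed mapping; the groups live in the ThinApp OU).
$packages = @(
    @{ Path = '\\server\share\Firefox.exe';   Group = 'LAB\ThinApp-Firefox' },
    @{ Path = '\\server\share\Notepad++.exe'; Group = 'LAB\ThinApp-Notepad' }
)

function Get-CurrentUserGroups {
    # Resolve the logged-on user's token groups (nested membership included) to DOMAIN\Name.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($g in $identity.Groups) {
        try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { }  # skip unresolvable SIDs
    }
}

function Register-ThinApps {
    param([array]$Packages, [string[]]$UserGroups)
    $registered = @()
    foreach ($pkg in $Packages) {
        if ($UserGroups -notcontains $pkg.Group) { continue }   # user not entitled: skip silently
        if (-not (Test-Path -LiteralPath $pkg.Path)) {
            Add-Content $logFile "$(Get-Date -Format s) MISSING $($pkg.Path)"
            continue
        }
        # /Q registers silently, as on the page; the exit code tells us whether it worked.
        & $thinreg $pkg.Path /Q
        Add-Content $logFile "$(Get-Date -Format s) thinreg exit $LASTEXITCODE $($pkg.Path)"
        if ($LASTEXITCODE -eq 0) { $registered += $pkg.Path }
    }
    return $registered
}

Register-ThinApps -Packages $packages -UserGroups (Get-CurrentUserGroups)
```

Because the script runs as the user, keep the share read-only for users and writable only by the packaging team, so nobody can swap a package that every logon then registers.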