Introduction
Hybrid Linked Mode allows you to link your VMware Cloud on AWS vCenter Server instance with an on-premises vCenter Single Sign-On domain.
If you link your cloud vCenter Server to a domain that contains multiple vCenter Server instances linked using Enhanced Linked Mode, all of those instances are linked to your cloud SDDC.
Using Hybrid Linked Mode, you can:
- View and manage the inventories of both your on-premises and VMware Cloud on AWS Datacenters from a single vSphere Client interface, accessed using your on-premises credentials.
- Migrate workloads between your on-premises data center and cloud SDDC.
- Share tags and tag categories from your vCenter Server instance to your cloud SDDC.
Hybrid Linked Mode supports on-premises vCenter Server systems running 6.0 Update 3 patch c and later with either embedded or external Platform Services Controller (both Windows and enter Server Appliance). vCenter Server systems with external Platform Services Controller instances linked in Enhanced Linked Mode are also supported.
You have two options for configuring Hybrid Linked Mode. You can use only one of these options at a time.
- You can install the Cloud Gateway Appliance and use it to link from your on-premises data center to your cloud SDDC. In this case, SSO users and groups are mapped from your on-premises environment to the SDDC.
- You can link your VMware Cloud on AWS SDDC to your on-premises vCenter Server. In this case, you must add an identity source to the SDDC LDAP domain.
For this lab, we'll use the Cloud Gateway Appliance (Option 1). This is the favored option as it doesn’t require you to expose your AD infrastructure to the cloud and open multiple firewall ports
Below are key prerequisites to configuring Hybrid Linked Mode:
- Configure a connection between your on-premises data center and the SDDC. Direct Connect, a VPN, or both can be used.
- Regardless of the type of connection chosen, the vCenter FQDN must resolve to a private IP address. This is not the default configuration.
- Ensure that your on-premises data center and your cloud SDDC are synchronized to an NTP service or other authoritative time source. When using Hybrid Linked Mode, VMware Cloud on AWS can tolerate a time skew of up to ten minutes between the on-premises data center and the cloud SDDC.
- The maximum latency between your cloud SDDC and on-premises data center cannot exceed 100 ms round-trip.
- Decide which of your on-premises users will have Cloud Administrator permissions. Add these users to a group within your identity source. Ensure that this group has access to the on-premises environment. In this lab, we use a user called “SDDCAdmin”
- On-Premises and Management Gateway Firewalls must allow the required ports
Prerequisites for this lab are Labs 2-4, excluding the additional labs.
TASKS
An alternative to using the vCenter Cloud Gateway, is to configure Hybrid Linked Mode from the cloud SDDC.
In this lab, you'll use your cloud SDDC's vSphere Client to view and manage your complete inventory. When you link from the cloud SDDC, you can link only one on-premises domain.
- From your VDI Desktop, launch a google chrome browser tab and click the VMware Cloud SDDC browser bookmark
or go to https://vmc.vmware.com/console/sddc to access your SDDC - If prompted, log in as:
- Username: vmcexpert#-xx@vmware-hol.com (where # is the Environment ID & xx is your student number): i.e. [email protected]
- Password: VMware1!
- Click View Details at the bottom of your SDDC tile
- Click the Troubleshooting Tab
-
Enter the following values for the Hybrid Linked Mode Connectivity Test
- On-Prem Primary DNS Server: 192.168.110.10
- On-Prem Secondary DNS Server: 192.168.110.10
- On-Prem vCenter: vc-l-01a.vcn.ninja.local
- On-Prem PSC FQDN: vc-l-01a.vcn.ninja.local
- On-Prem Active Directory: 192.168.110.10
- On-Prem ESX: 192.168.110.101
- Click Run All Tests
- At the end of the test the status of each test is displayed
NOTE: The test takes up to 5 mins to run and upon concluding the status for each test group should be Success.
In some instances due to network latency it is not uncommon that the vCenter and PSC returns a warning message that the current latency exceeds 100ms.This is expected and not a cause for worry
- If one or more failed status is returned for any test group. Please confirm you completed lab 4 successfully
and ask your instructor for assistance. if necessary
We'll need a group in our Active Directory for all the users we want to have cloudadmin access rights to the Cloud vCenter. We will RDP to the Active Directory Controller to create this.
- From the VDI Desktop Click the Remote Desktop Shortcut on the desktop to connect to the Domain controller.
Click the Ninja DC&DNS icon - If Prompted enter the following details to connect to the domain controller:
- Computer: 192.168.110.10
- Username: Ninja\Administrator
- Password: VMwareNinja1! Note: You can also use ctrl+m to paste in the password
- From the start menu of the Domain Controller Click the blue icon on the right for Active Directory Users and Computers
- Right-Click the Users Container
- Select New, Click Group
- Group Name: SDDC Admins
- Leave group scope as Global and type as security (defaults)
- Click OK
- Double-Click the Newly created “SDDC Admins” Group
- In the Popup click the Members Tab
- Click Add
- In the second pop up type SDDCAdmin and Click Check Names
- Click OK (To add SDDCAdmin user to the SDDC Admins Group) and close the 2nd pop up
- Click Apply, then OK to close the pop up
- Close/Disconnect the Remote Desktop Session
To complete the configuration of Hybrid Linked Mode from the cloud SDDC, you need to link your on-premises data center from your cloud vCenter Server. In this task we will do just that.
- From your VDI Desktop, click your VMC on AWS SDDC Browser tab
- If prompted, log in as:
- Username: vmcexpert#-xx@vmware-hol.com (where # is the Environment ID & xx is your student number): i.e. [email protected]
- Password: VMware1!
- Click Open vCenter
- Click Show Credentials
- Click the copy icon next to the Default vCenter user Password
- Click Open vCenter
- Log into the SDDC vCenter as:
- Username: [email protected]
- Password: <The_password_copied_in-step_7>
- Click the Hamburger menu in the upper left-hand corner
- Click Administration
- Click the Hybrid Management, under Hybrid Cloud
- Click the Link vCenter button
- In the Link vCenter Wizard, read the prerequisite and Click Next
- Click the Dropdown next to Identity Source Field
- Select Add Identity Source
- Enter the following values to configure your On-Prem Identity Source
- Identity Source Name: Ninja Domain
- Base distinguished name for users: dc=ninja,dc=local
- Base distinguished name for groups: dc=ninja,dc=local
- Domain name: ninja.local
- Domain alias: ninja
- Username: [email protected]
- Password: VMwareNinja1!
- Primary Server URL: ldap://192.168.110.10
- Click Add
- In the Groups field search for and select SDDC Admins (Note: You must select the Group)
- Click Next
- In the On-Premises vCenter Section, enter the following values:
- Platform Services Controller: vc-l-01a.vcn.ninja.local
- HTTPS Port: 443
- SSO Username: [email protected]
- SSO Password: VMwareNinja1! Note: You can also use ctrl+m to paste in the password
- Click Finish
- Click Continue to accept the vCenter SSL Thumbprint
Note: it takes 60 secsonds or more to complete the Join
We will now log into the Cloud vCenter with a user from the Active Directory "SDDC Admins" group we created in Task 2. We want to confirm our ability after the configuration to access the cloud vCenter and On-Prem vCenter with unique and individual active directory credentials rather than sharing the [email protected] credentials across multiple admins.
- From your VDI Desktop SDDC vCenter browser tab, click the dropdown next to [email protected]
(Upper right-hand corner) - Click Logout
- Log back in as:
- Username: [email protected]
- Password: VMwareNinja1!
- Open an new Browser tab, click the VI Management --> vSphere Client Bookmark
- Log into the On-Premises vCenter with the same AD Credentials in step 3
NOTE: The Ninja AD Identity Source had already been added to the On-Prem vCenter and the SDDCAdmin account granted admin right to the On-Prem vCenter. You, therefore, did not need to perform this task in the lab.
While this method of HLM configuration allows you to add your On-Premises AD credentials to the Cloud vCenter and therefore provides a common vCenter user login experience across On-Premises and in the cloud, it requires your AD Domain Controller, DNS & PSC to be accessible from to the cloud SDDC. An alternate option is to use the cloud Gateway appliance which negates this requirement and provides unified management of cloud and On-Prem Inventory
NOTE: As of M20 (vSphere 8) a unified display of On-Prem and SDDC Inventory from the cloud SDDC has been deprecated. for a unified view of the inventory, you must deploy and configure the Cloud Gateway Appliance.
The Cloud Gateway option is the preferred option when configuring HLM. In this lab you will walk though the configuration steps using a prerecorded interactive simulation
To access the Interactive simulation and lab guide go here - https://vmwarecloud.expert/student-resources/2022-10-26-lab-5/
Conclusion
With Hybrid Linked Mode now configured, you can:
- View and manage the inventories of both your on-premises and VMware Cloud on AWS data centers from a single vSphere Client interface, accessed using your on-premises credentials.
- Migrate workloads between your on-premises data center and cloud SDDC.
- Share tags and tag categories from your vCenter Server instance to your cloud SDDC.
0 Comments
Add your comment