VMware Cloud Expert

Lab 02 - Working with your SDDC

Updated

Introduction

In this lab, we will look at the basic SDDC operations you can perform to begin consumption of your cloud resources in VMC on AWS. We will perform the following:

  • Create and configure network segments for our application(s)
  • Configure Firewall rules to allow remote access to vCenter
  • Deploy your 1st Virtual Machines in VMC on AWS

If you are still logged into your VMC on AWS Organization from the previous lab you can skip the steps outlined below and begin task one. If not, you'll first need to log into your VMC on AWS organization.

To log into your VMC on AWS Organization, follow the steps below:

  1. From your Desktop/laptop launch your preferred  browser
    NOTE: In tests, Google Chrome in Incognito mode worked best
  2. In the browser address bar, go to https://vmc.vmware.com/console/sddcs and login as
    • VMware Account:   vmcexpert#-{XX}@vmware-hol.com (Where # is your Environment ID, and{XX} is your assigned student number)
    • Password:   VMware1!

TASKS

Task 1 - Create a Logical Network

You will now create and configure a network segment that will be used in Task 4 when you create your first two Virtual Machines in your SDDC
NOTE: VMC Network Segments are backed by NSX-T Geneve Overlay Segments.

NSX-T Overlay-backed Segment
In an overlay-backed segment, traffic between two VMs on different hosts but attached to the same overlay segment have their layer 2 traffic carried by a tunnel between the hosts. NSX-T Data Center instantiates and maintains this IP tunnel without the need for any segment-specific configuration in the physical infrastructure. This means, there is no need to configure VLANs on the physical network to enforce isolation. As a result, the virtual network infrastructure is decoupled from the physical network infrastructure. That is, you can create segments dynamically without any configuration of the physical network infrastructure.

VMware Cloud on AWS allows you to quickly and easily create new logical network segments on demand. Let’s create a new network segment in the SDDC.

Select your SDDC, if you aren't currently within it and click View Details

  1. Click the Networking & Security tab
  2. click Segments to display the existing network segments.
  3. Click on ADD SEGMENT to create a new network segment.
  4. Enter the following values:
    • Name: Demo-Net
    • Connected Gateway: Routed
    • Subnets: 10.10.xx.1/24 (where xx is your student number, for students(1-9) do not include the a leading 0),  i.e. 10.10.1.1/24
      This represents the default gateway and the prefix length of the network 
    • VPN Tunnel ID: Leave Blank
    • Domain Name: Leave Blank
    • Description: Leave Blank
    • Tags: Leave Blank
  5. Click the SET DHCP CONFIG button to enable and configure DHCP in the pop up

 

  1. On the pop up slide the “DHCP CONFIG” slider to Enable DHCP
  2. Enter 10.10.XX.11-10.10.XX.200 for the DHCP IP Range. (Where XX is your student number, for students(1-9) do not include the a leading 0) i.e. 10.10.1.11-10.10.1.200
    This is the range of IP addresses the DHCP server will grant to workloads attached to the network.
    NOTE: Ensure the DHCP range turns blue, matches the range, and puts a bubble around the range. If it is red, please redo the steps.
    If you have a student number in the single digits, you must omit the leading zero. (ie 10.10.8.11
    ) 
  3. Leave the other fields as their default values. As before ensure the bubble turns blue and not red. 
    • DHCP Type: Gateway DHCP Server
    • DHCP Profile: Default
    • Lease Time: Leave Blank
    • DNS Servers: Leave Blank
  1. Click Apply
  2. Click Save to save the logical network.
    Note: You might need to scroll down to the bottom of the add segment box for the Save button to appear
  3. When prompted to continue configuring the segment, Click NO
  4. Repeat the steps 1 - 8 using the information below to create a 2nd virtual network segment in the SDDC
    • Segment Name:     Desktop-Net
    • Subnet:                   10.10.1(xx).1/24 - where xx is your student number.
      For students(1-9) include the a leading 0), i.e. 10.10.109.1/24
    • DHCP Config
      • DHCP Type:      Gateway DHCP Server
      • DHCP Config:   Enabled
      • DHCP Range:   10.10.1(xx).11-10.10.1(xx).50 - where xx (1 - 30) is your student number
      • DNS Servers (click add item each IP):    
        • 8.8.8.8
        • 192.168.110.10

Verify Network Segment Configuration

  1. Verify the network segments were added correctly. Your Segments List should be displaying both the Demo and Desktop segments as shown in the screenshot below.
Task 2 - Configure Firewall rule for vCenter Access

By default, all inbound firewall traffic into the SDDC is denied in VMware Cloud on AWS. In order to access vCenter from your Desktop/Laptop or any other external device, you will need to configure a firewall rule allowing inbound access. The Management Gateway (MGW) controls access to vCenter, the ESXi hosts and all other management components.

Note: In most enterprise environments, you would configure a VPN or Direct Connect VIF to allow limited access firewall rules to vCenter. In this environment, we will open it to any IP address on the internet which is not recommended.

As of the the June 2021 release of VMC on AWS, a High Severity notification is triggered when the SDDC vCenter is exposed to the world using an ANY to vCenter Firewall rule

  1. Navigate to the VMC on AWS console > Student## SDDC > Settings > Network & Security Menu
  2. Click on Gateway Firewall on the left-hand side of the screen.
  3. If it is not already selected, click on Management Gateway to create firewall rules that allow access to management components in the SDDC.
  4. Click + ADD RULE to add a new rule to the edge gateway. A row titled new rule should appear.
  5. Click the “New Rule” text from the “Name” column and change it to vCenter Inbound Rule.
  6. Leave the Source set as Any.
  7. Hover over the new rule's "Destinations" column, then click the blue Edit button to edit the destination field.
  8. On the Pop Up, click the radio button next to System Defined Groups.
  9. Select the Radio-button next to vCenter.
  10. Click Apply to save the destination information in the rule.
  11. Hover over the new rule's "Services" column, then click the blue Edit button , select HTTPS (TCP 443) & SSO (TCP 7444) to allow access to the vCenter server.
  12. Publish the rules by clicking PUBLISH button to activate the Firewall rule.

vCenter should now be accessible from anywhere on the internet. In the next section, we will access vCenter via the HTML5 client to begin the deployment and configuration of virtual machines.

Task 2.1 - Log into VMware Cloud on AWS vCenter

Now that the firewall rule has been modified to allow external access to vCenter, we would be able to log in, but before doing so, we need to first gather the following pieces of information from our VMC Console:

  • vCenter (FQDN and/or IP)
  • Default Cloud Admin Account
  • Default Cloud Admin Password

To access this information

  1. Click the Settings tab
  2. Expand the Default vCenter User Account and vSphere Client (HTML5) sections
  3. Copy the following values to the provided excel workbook, you will use them to log into vCenter and be using them again soon in task 2.2. If you need to find these items in the future this is where you find them. 
    • vSphere Client (HTML5) URL
    • User Name
    • Password
  1. At the top right of the page, click OPEN VCENTER
  2. On the Pop Up, click on the SHOW CREDENTIALS Button
  3. Click the Clipboard icon next to Password to copy the administrative user password to your clipboard.

Task 2.2 - Log into the vSphere Client (HTML5)

  1. Click the OPEN VCENTER button to open a connection to the vCenter HTML5 client.
  2. In the [email protected] field enter [email protected]
  3. Right-click in the Password field and paste the password copied in the previous step.
  4. Click LOGIN.
  5. On the Summary page Click Reset to green for any visible warnings and/or errors

You are now logged in to your VMware Cloud on AWS SDDC vCenter Server as [email protected] user.

Task 2.3 - Create Content Library

Content Libraries

Content libraries are container objects for VM templates, vApp templates, and other types of files like ISO images.

You can create a content library in the vSphere Client (HTML5), and populate it with templates, which you can use to deploy virtual machines or vApps in your VMware Cloud on AWS environment. If you already have a Content Library in your on-premises data center, you can use the Content Library to import content into your SDDC.

You can create two types of libraries: local or subscribed libraries.

Local Libraries

You use a local library to store items in a single vCenter Server instance. You can publish the local library so that users from other vCenter Server systems can subscribe to it. When you publish a content library externally, you can configure a password for authentication.

VM templates and vApps templates are stored as OVF file formats in the content library. You can also upload other file types, such as ISO images, text files, and so on, in a content library.

Subscribed Libraries

You subscribe to a published library by creating a subscribed library. You can create the subscribed library in the same vCenter Server instance where the published library is, or in a different vCenter Server system. In the Create Library wizard, you have the option to download all the contents of the published library immediately after the subscribed library is created, or to download only metadata for the items from the published library and later to download the full content of only the items you intend to use.

To ensure the contents of a subscribed library are up to date, the subscribed library automatically synchronizes to the source published library at regular intervals. You can also manually synchronize subscribed libraries.

You can use the option to download content from the source published library immediately or only when needed to manage your storage space.

Synchronization of a subscribed library that is set with the option to download all the contents of the published library immediately, synchronizes both the item metadata and the item contents. During synchronization, the library items that are new for the subscribed library are fully downloaded to the storage location of the subscribed library.

Synchronization of a subscribed library only downloads content when needed. It synchronizes the metadata for the library from the published library and does not download the contents of the items. This saves storage space. If you need to use a library item, you need to synchronize that item. After you are done using the item, you can delete the item contents to free space on the storage. For subscribed libraries that are set with the option to download contents only when needed, synchronizing the subscribed library downloads only the metadata of all the items in the source published library, while synchronizing a library item downloads the full content of that item to your storage.

If you use a subscribed library, you can only utilize the content, but cannot contribute with content. Only the administrator of the published library can manage the templates and files.

A newly created VMC on AWS SDDC will have no Workload Virtual Machines pre-deployed, nor any of your corporate deployment images. Before you can begin deploying Virtual Machines based on your corporate-approved images into your SDDC you must first copy those images into the SDDC. One of the most effective ways to do so is to subscribe to a published vSphere Content Library. In this task, we will do just that.

 

  1. In the  Top Left of the page, click the Menu Icon (3 dashes | Hamburger Menu Icon)
  2. Click on Content Libraries
  3. In your Content Library window, click Create to add a new Content Library
  1. In the Name and Location section, enter VMC Content Library for the Name of the library. The other values should default to the appropriate selections. 
  2. Click the NEXT button.
  1. In the Configure Content Library section, select the radio button next to Subscribed content library.
  2. Under Subscription URL enter the following: https://vmc-elw-vms.s3-accelerate.amazonaws.com/lib.json
  3. Leave the checkbox unchecked next to Enable Authentication.
  4. Make sure Download content is set to immediately.
  5. Click Next to continue.
    NOTE: If Prompted to accept the SSL Thumbprint, Click Yes.
  1. On the Apply Security Policy Section, Click NEXT
  2. In the Add Storage section click on WorkloadDatastore for content library storage.
  3. Click the Next button.
  4. In the Ready to Complete section verify that all the data matches the steps above then click Finish

Note: Depending the size and number of templates it can take a while to synchronize the content. This content library should only take a few minutes to synchronize. We will proceed with task 2.4 to allow time to synchronize. The sync of the "photoapp-u" virtual appliance must complete before moving to task 3. You don't have to wait on MonkeyIsland & VMC-Win10-Template before proceeding to Task 3.

Task 2.4 - Create a Linux & Windows Customization Specification

When you clone a virtual machine or deploy a virtual machine from a template, you can customize the guest operating system of the virtual machine to change properties such as the computer name, network settings, and license settings.

Customizing guest operating systems can help prevent conflicts that can result if virtual machines with identical settings are deployed, such as conflicts due to duplicate computer names.

You can specify the customization settings by launching the Guest Customization wizard during the cloning or deployment process. Alternatively, you can create customization specifications, which are customization settings stored in the vCenter Server database. During the cloning or deployment process, you can select a customization to apply to the new virtual machine.

Use the Customization Specification Manager to manage customization specifications you create with the Guest Customization wizard.

  1. From within vSphere client, click Menu.
  2. In the menu dropdown click on Policies and Profiles.
  3. Click the VM Customization Specifications menu item
  4. Click on+New to add a new Linux Customization Specification.
  5. Enter a Name for the Linux Customization Specification (LinuxSpec in this example).
  6. Optionally enter a Description.
  7. Select the radio button for Linux next to Target guest OS.
  8.  click the Next button to continue.
  1. In the Computer Name section click the radio button next to Use the virtual machine name.
  2. For Domain name enter corp.local.
  3. Click the Next button to continue
  1. In the Time Zone section select the appropriate Area by clicking on the arrow next to the drop-down field. We are using the US for this lab. 
  2. Select the appropriate Location. You can use Eastern
  3. Click the Next button to continue.
  4. Click Next to Skip the Customization Script page
  5. On the Network section ensure the radio button next to Use standard network settings for the guest operating system, including enabling DHCP in all network interfaces is selected.
  6. Click Next to continue.
  1. On the DNS settings sections enter 8.8.8.8 for the Primary DNS server.
    • Enter 8.8.4.4 for the Secondary DNS server.
    • For the DNS Search paths enter corp.local.
    • Click the Add button to add the corp.local domain to the DNS search path. Verify that it was added. 
  2. Click Next to continue
  3. Review your entries and click on the Finish button.

Try to complete the steps below from memory, but if you have trouble use the steps above in task 2.4 modified with the following fields to create a Customization Specification for Microsoft Windows Virtual Machines
Note: Leave the default selection for any fields not mentioned below

  • Name and Target OS Page
    • Name:                           WindowsSpec
    • Target guest OS:          Windows
  • Registration Information Page
    • Owner Name:              (Your Name)
    • Owner Organization:  (Your Organization)
  • Computer Name Page
    • Computer Name:        Select - Use the virtual machine name
  • Administrator Password Page
    • Password:                    VMware1!
  • Time Zone page
    • Time Zone:                 (Select your timezone)
  • Click Next and leave defaults through the Commands to Run Once, Network, Workgroup or Domain. Then click Finish on the “ready to complete” section.
Task 3 - Deploy Virtual Machines in VMC on AWS

In the vSphere client window already opened, you will deploy a Virtual Machine from a template in the content library. You'll then clone the deployed Virtual Machine to create a second VM. In both cases you will use the Customization Specification you created in task 2 to modify the Operating System configuration.

 

Task 3.1 - Deploy Virtual Machine from template

 

  1. Click Menu.
  2. Click on Content Libraries.
  3. Click on the VMC Content Library that was previously synchronized.
  4. Click the Templates tab to access the template synchronized in the content library.
  5. Click the OVF & OVA Templates Tab
  6. Right-click on the photoapp-u template to expose the Actions menu.
  7. Click on New VM from This Template to deploy a virtual machine from template.
  1. In the Select Name and Folder section enter webserver01 for the virtual machine name.
  2. Click the arrow next to SDDC-Datacenter to expose the folders available.
  3. In VMware Cloud on AWS customer workloads should be placed in the Workloads folder (or subfolder).
  4. Click the Workloads folder.
  5. Select the checkbox next to Customize the operating system.
  6. Click Next to continue
  7. On the Customize guest OS page, select LinuxSpec customization specification.
  8. Click Next to continue.

 

  1. In the Select Compute Resource section, click the arrow next to Cluster-1 to expose the resource pools available.
    Select Compute-ResourcePool.
    In VMware Cloud on AWS customer workloads should be placed in the Compute-ResourcePool (or a sub-pool).
  2. Click Next to continue

Review the details of the template to be deployed. There may be a security warning displayed, but you can safely ignore that for the purpose of this lab.

  1. Click Next to continue.
  2. In Select Storage Click WorkloadDatastore to select the datastore where the virtual machine will be provisioned.
    Each VMware Cloud on AWS SDDC will include two datastores in order to separate management and customer workloads. All customer workloads must be placed in the datastore named WorkloadDatastore
  3. Click Next to continue
  4. Click the drop-down below Destination Network to select the network for the virtual machine.
  5. Click Browse..., then Select Demo-Net the network previously created in Task 1.
  6. Click Next to continue.

 

  1. Review the information for accuracy and click Finish to deploy the virtual machine

It should take a couple of minutes for the virtual machine to deploy. Continue to the next task to clone this virtual machine to create a second web server.

Task 3.2 - Clone a Virtual Machine

You will now create your second Virtual Machine by cloning the previously deployed Virtual machine (webserver01).

 

Validate the virtual machine deployment completed in the previous exercise by looking for the Deploy OVF Template task, verify it is Completed successfully. Once completed you may move on to the steps listed below. You will start by powering on the previously deployed VM to allow the OS customization to proceed. If the deployment failed please notify your instructor or go back through the steps listed in Task 3.1 again.

  1. Click Menu.
  2. Click on VMs and Templates.
  3. Click the arrow next to SDDC-Datacenter to expose the sub-folders.
  4. Click the arrow next to Workloads to expose webserver01
  5. Click on the virtual machine webserver01
  6. Click the green arrow at the top center of the screen to execute the power on operation.

Note: Please wait until the virtual machine is fully powered on and has an IP before proceeding to the next step.

If the webserver does not connect to the network and does not receive an IP address from DHCP, follow these steps. 1) Hit refresh on the page a few times. 2) Ensure the NIC is connected by right-clicking on webserver01 and then Edit Settings and make sure the checkbox next to Connected is selected.

 

You may need to repeat this step for the cloned VM webserver02

3.2.1 - Clone Webserver01
  1. Right-click on webserver01 to expose the Actions menu.
  2. Click on Clone to expose a secondary menu of options.
  3. Click Clone to Virtual Machine to initiate the cloning wizard.

 

  1. Next to Virtual machine name enter webserver02.
  2. Click the arrow next to SDDC-Datacenter to expose the folders available.
  3. Click the Workloads folder for the virtual machine location.
  4. Click Next to continue.
  5. Click the arrow next to Cluster-1 to expose the resource pools available
  6. Click on Compute-ResourcePool to ensure it is selected for the target virtual machine.
  7. Click Next to continue.
  8. Click on WorkloadDatastore to ensure it is selected as the destination for the virtual machine.
  9. Click Next to continue.

    We will now set the options for cloning. We will need to customize the operating system to change the server name and also power on the virtual machine after cloning is complete.
  10. Click the checkbox next to Customize the operating system.
  11. Click the checkbox next to Power on virtual machine after creation.
  12. Click Next to continue.
  13. Select the LinuxSpec customization specification.
  14. Click Next to continue.
  15. Review the information for accuracy and click Finish to clone the virtual machine.

It should take a couple of minutes for the virtual machine to clone. Continue to the next exercises to deploy a windows VM and learn about securing workloads in VMware Cloud on AWS.

Task 3.3 - Deploy a Windows 10 Virtual Machine

In this task you will deploy and customize a Windows 10 Virtual Machine from the VMC Content Library

  1. Click Menu.
  2. Click on Content Libraries.
  3. Click on the VMC Content Library that was previously synchronized.
  4. Click the Templates tab to access the template synchronized in the content library.
  5. Click the OVF & OVA Templates Tab
  6. Right-click on the VMC-Win10-Template template to expose the Actions menu.
  7. Click on New VM from This Template to deploy a virtual machine from template.
  1. Enter Win10-Desktop for the virtual machine name.
  2. Click the arrow next to SDDC-Datacenter to expose the folders available.
    In VMware Cloud on AWS customer workloads should be placed in the Workloads folder (or subfolder).
  3. Click the Workloads folder.
  4. Select the checkbox next to Customize the operating system.
  5. Click Next to continue
  1. On the Customize guest OS page, select WindowsSpec customization specification.
  2. Click Next to continue.
  3. Click the arrow next to Cluster-1 to expose the resource pools available.
    In VMware Cloud on AWS customer workloads should be placed in the Compute-ResourcePool (or subpool).
  4. Select Compute-ResourcePool.
  5. Click Next to continue
  6. Click Next
  7. Click WorkloadDatastore to select the datastore where the virtual machine will be provisioned.
  8. Click Next to continue
  9. Click the arrow below Destination Network to select the network for the virtual machine.
  10. Click Desktop-Net to select the network previously created.
  11. Click Next to continue.
  12. Review the information for accuracy and click Finish to deploy the virtual machine
  1. Power-on the Windows 10 desktop once the deployment is complete.

Task 3.4 - Test Connectivity between the Virtual Machines

In this exercise we will test the connectivity between webserver01 and webserver02, which we created in the previous exercises. You will need to open a console session to webserver01 to validate it can communicate with webserver02.

  1. In the vSphere Client (HTML5) click on Webserver01 to bring it into focus. (You may need to Navigate to Menu > VMs and Templates)
  2. Take note of the IP Address for webserver01 in the middle of the screen
  3. Click LAUNCH WEB CONSOLE. The console should open in a new browser tab
  1. Go back to the vSphere Client browser tab 
  2. Select webserver02 
  3. Take note of the IP Address for webserver02 in the middle of the screen. This will be needed in the next step.
  4. Click the Chrome Tab of the console session for webserver01 to bring it back into focus.
  5. At the login prompt enter root and press Enter.
  6. At the password prompt enter VMware1! and press Enter.
  7. At the console prompt, enter ping -c3 <Your WebServer02 IP> i.e. 10.10.1.12 (you recorded webserver02 IP in step 5) and press Enter.
    The third octet is based on student number and the last octet of the IP address in most cases it will be 12, but verify this in your configuration.
  8. Verify the pings are successful.

NOTE: Please leave this ping and console Window open for the next lesson. We will revisit it to verify the web servers can no longer communicate.

Task 3.5 - Configure VMC on AWS Advanced Network Services

VMware Cloud on AWS Advanced Network Services is now available for new SDDC deployments.

Using VMware Cloud on AWS Advanced Network Services, users have the capability to implement micro-segmentation with Distributed Firewall. Granular security policies can be applied at the VM-level allowing for segmentation within the same L2 network or across separate L3 networks. This is shown in the diagram below.

All networking and security configuration is now done through the VMware Cloud on AWS console via the Networking & Security tab, including creating network segments. This provides ease of operations and management by having all networking and security access through the console.

From the below screenshot, you can see, in addition to the ability to create multiple sections, users can organize Distributed Firewall rules into groups (Emergency Rules, Infrastructure Rules, Environment Rules, and Application Rules). The rules are hit from the top-down.

In addition to the new Distributed Firewall capabilities, grouping objects can now be leveraged within security policies. Security groups support the following grouping criteria/constructs:

  • IP Address
  • VM Instance
  • Matching criteria of VM Name
  • Matching Criteria of Security Tag

As shown below, Security Groups can be created under Compute Groups or Management Groups. Compute Groups can be used in DFW and CGW firewall policies and Management Groups can be used under MGW firewall policies. Management Groups only support IP addresses as these groups are infrastructure based. Predefined Management Groups already exist for vCenter, ESXi hosts, and NSX Manager. Users can also create groups here based on IP address for on-premises ESXi hosts, vCenter, and other management appliances.

Task 3.5.1 - Apply Security Tag to Virtual Machines

We will now create a network firewall policy in the distributed firewall to prevent communications between webserver01 and webserver02.  To facilitate this, we will first create a tag, which will be applied to the VMs, followed by a dynamic group based on the tag.  

  1. Navigate back to the VMC on AWS console tab in your browser. You may need to sign back in. Click on the Networking & Security tab to access the networking configuration.
  2. Under Inventory, click on Virtual Machines to access the virtual machines that are part of the SDDC.
  3. Locate webserver01 and click the three vertical dots and click Edit.
  4. Under Tags, Type Web
  5. Click Add Item(s): Web 
  6. Leave the Scope field blank Select the blue + sign to add the tag (a popup should appear and web should have a bubble around it)
  7. Click Save to commit the changes
  8. Repeat steps 3 - 7 for webserver02
Task 3.5.2 - Create a Dynamic Security Group

Groups can be used in VMware Cloud on AWS Advanced Network Services to group virtual machines and simplify rule based configuration. In this exercise we will group the two webservers into a group and then create a firewall rule to block communication between them. In a properly architected traditional application, there is usually no need for servers in the web tier to communicate.

We will now create a group of web servers based on the dynamic security tag we applied earlier.

  1. In the Networking & Security menu, click on Groups under Inventory.
  2. Click on Compute Groups, then Add Group
  3. Under Name enter Web for the name of the group.
  4. Click Set Members 
  1. Select+ADD CRITERIA.
  2. Leave the Virtual machine, Tag, Equals fields as is and in the 4th column type and select "Web". You should now see VM Tag Equals Web as your criteria.  You can leave scope as blank. 
  3. Click APPLY
  4. Click SAVE

 

Validate that both webserver01 and webserver02 appear in the group membership, by clicking View Members. Close the popup once complete

If they do not, go back and verify there are no typos. Common errors encountered include typo on the tags, or not clicking the blue plus sign when adding the tag in the previous step.

Task 3.5.3 - Create Distributed Firewall Policy

Now that we have created our dynamic group, let’s create a firewall rule to block access between the web servers.

  1. In the Networking and Security Section, click Distributed Firewall on the left-hand side of the screen.
  2. On the Arrow Shaped menu, click the Application bar.
  3. Click+ADD POLICY to create a new section for the rule. This functionality allows you to group rules logically to make operating the environment simpler.
  4. Click the “new policy” text in the name column, Type Web Tier.
  5. Click the Checkbox next to the Web Tier section.
  6. Click Add Rule in the menu above the rules.
  7. Under Name, Type Block Web To Web.
  8. Under Action, click the drop-down and select Drop.
  9. Under Sources hover over any and select the blue edit button.
  10. In the popup click the checkbox next to Web.
  11. Click Apply to commit the changes to the rule.
  12. Under Destinations, hover over any and select the blue edit button.
  13. In the popup window click the checkbox next to Web.
  14. Click Apply to commit the changes to the rule.
  15. Click the Gear at the far right of the rule
  16. Move the Slider to the right to enable logging
  17. Click APPLY
  18. Click Publish to commit the rule and begin blocking traffic between the web servers.
    NOTE: Action should be set to Drop

It might take a few seconds for the rule to be published. You can click the refresh button next to the rule to ensure the rule status turns from yellow to green.

Task 3.5.4 - Confirm Success of the DFW Policy

You should still have a console session to webserver01 active. If not, launch the webconsole again and run the ping command.


Ping the IP address for webserver02 you noted previously. You can also press the up arrow then enter to run the last command if you still had the console active. (ping -c3 xx.xxx.xxx.xx)

  1. Click the Chrome Tab for webserver01.
  2. Ping webserver02 IP address 10.10.xx.xxx. (ping -c3 xx.xx.xx.xx)

    The pings should have stopped responding meaning that the distributed firewall rules have been correctly applied. This simple demonstration should give you an idea of the power of the distributed firewall.

    Now, let's pinging the gateway address of the Desktop-net segment (10.10.1
    xx.1, where xx is your student number). You can reference your Desktop-net segment subnet gateway address from Task 1, Step 12.
  1. Type Ping -c3 10.10.1xx.1 (i.e ping -c3 10.10.120.1)
  2. Your ping test should succeed

NOTE: If this pinging the Desktop-net gateway fails you need to double-check your Distributed firewall rule. Consult the rule definition in TASK 3.5.3, review your distributed firewall rule and make the necessary changes. If the firewall rule is not corrected it will negatively impact the results of Lab 3.

See your instructor for assistance if needed.

Task 4 - Visibility & Operations

The Activity Log contains a history of significant actions in your organization, such as SDDC deployments and removals, as well as notifications sent by VMware for events such as SDDC upgrades and maintenance.

All operations (UI or API) that occurs within VMware Cloud AWS (VMC), including but not limited to SDDC creation, deletion, updates, network configurations, user authorization/access, etc. is all captured as part of the Activity Log in the VMC Console. Within the Activity Log, you can view the type of operation, the time the operation occurred, the applicable SDDC as well the user of the operation and all of these fields can be filtered out further.

In this task we will take a look at the activity log, we will also look at Log Insight Cloud for more details and logs

  1. In the left pane of your VMC on AWS SDDC Console, Click Activity Log
    You would see a number of SDDC activities recorded, such as:
    • SDDC Created
    • HCX deployed
    • etc..

We'll now take a look at Log Insight were we will be able to see log entries providing more details and from multiple sources.

  1. Click vRealize Log Insight Cloud
  2. In the left pane Click Content Packs
  3. Confirm the following content packs are enabled and if not enable them
    • NSX-T events for VMware Cloud SDDC
    • NSX-T for VMware Cloud on AWS
  4. Look through the list of other Content Packs you can enable for vRealize Log Insight Cloud
    NOTE: Content packs contain dashboards, extracted fields, saved queries, and alerts that are related to a specific product or set of logs
  1. In the left Pane, Click Log Sources, to see all of the sources log insight cloud supports
  1. In the Left Pane, Click Dashboards
  2. Scroll down and click Distributed Firewall - Traffic
  3. adjust the time scope to 6H. to See log entries over the past 6 hours
  4. Click Explore Log, in the left pane
  5. In the search bar type in the <IP address of your webserver01> (10.10.x.x)
  6. Notice the firewall log entries from your earlier pings
  1. Also search for your <SDDC user account> (vmcexpert#-xx) to see audit events for the user account

Conclusion

In this module, we explored the setup of configuration of a VMware Cloud on AWS SDDC including utilizing the content library, deploying virtual machines, modifying firewall rules and working with virtual machines

2nd Gen Intel® Xeon® Scalable processors are designed to take full advantage of the scalable memory, storage and network bandwidth offered by AWS storage-optimized i3en instances to deliver optimal performance for your applications running in VMware Cloud on AWS.

https://www.vmware.com/company/news/releases/vmw-newsfeed.VMware-Cloud-on-AWS-Delivers-on-Customer-Requirements-for-Agility-Business-Continuity-and-Better-Cloud-Economics.7aa53d77-e377-458d-960f-5bf151e3f90c.html

VMware Cloud on AWS running on i3en.metal instances powered by 2nd Generation Intel® Xeon® Scalable processors, include new capabilities that provide an enhanced solution for disaster recovery and migrating application to the cloud.

  • Intel® Mesh architecture optimizes data sharing and memory access between all vCPUs to fully take advantage of the 1.5x more RAM and 4.3x more raw storage capacity (as compared to i3) while delivering consistent, low latencies.
  • VMware vSphere® vMotion® allows live migration of VMs from one Intel host to another with zero downtime.
  • I3en instances deliver 4x the raw storage capacity at roughly half the cost per GB of storage per host compared to previous offerings, making them ideal for disaster recovery and other storage-demanding use cases.

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.