HOL-2011-01-SDC

Table of Contents

Lab Overview - HOL-2011-01-SDC - VMware vSphere - Getting Started (p. 3)
• Lab Guidance (p. 4)

Module 1 - vSphere 6.7 Overview (15 minutes) (p. 10)
• Introduction (p. 11)
• Simple and Efficient Management at Scale (p. 12)
• Comprehensive Built-in Security (p. 16)
• Universal Application Platform (p. 18)
• Seamless Hybrid Cloud (p. 21)
• Conclusion (p. 23)

Module 2 - Simple & Efficient Management at Scale (60 minutes) (p. 25)
• Introduction (p. 26)
• Enhanced vCenter Server Appliance (p. 27)
• Improved HTML5-Based vSphere Client (p. 43)
• Lifecycle Management Operations (p. 55)
• Getting Started with Update Manager (p. 62)
• Converge Tool (p. 76)
• Embedded Linked Mode (p. 77)
• vSphere Health (p. 78)
• vSphere Client Plug-ins (p. 79)
• Content Library Improvements (p. 80)
• Conclusion (p. 81)

Module 3 - Comprehensive Built-in Security (60 minutes) (p. 84)
• Introduction (p. 85)
• Support for New Security Technologies (p. 86)
• VM Encryption (p. 89)
• Configure HyTrust KMS Server in vCenter Server (p. 92)
• Encrypt VMs Using HyTrust KMS Server (p. 106)
• Set VM to Encrypted vMotion Mode (p. 117)
• Configure Windows 10 for VBS (p. 126)
• FIPS 140-2 Validated Cryptographic Modules by Default (p. 139)
• Conclusion (p. 140)

Module 4 - Universal Application Platform (15 minutes) (p. 142)
• Introduction (p. 143)
• NVIDIA Grid: Optimize GPU Usage For VM on vSphere 6.7 Servers (p. 144)
• Persistent Memory (p. 145)
• vSphere Integrated Containers (p. 149)
• Cloning a Virtual Machine with Instant Clone (p. 150)
• Conclusion (p. 152)

Module 5 - Seamless Hybrid Cloud Experience (15 minutes) (p. 154)
• Introduction (p. 155)
• Migrating Virtual Machines from vCenter to vCenter (p. 156)
• Enhanced vMotion Capability (p. 169)
• VMware Cloud (VMC) on AWS (p. 171)
• Conclusion (p. 173)
Lab Overview - HOL-2011-01-SDC - VMware vSphere - Getting Started
Lab Guidance

Note: It may take more than 90 minutes to complete this lab. You don't need to complete every module during this time; the modules are independent of each other. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

This lab will detail the new features of vSphere 6.7 Update 2. You will be able to determine if your business would benefit from any of the vSphere 6.7 Update 2 enhancements after taking this lab. Some of the features will be delivered via videos due to the nature of the features. There is also some hands-on work. There are other labs that will give you a more in-depth, hands-on experience for each of the pillars discussed in this lab.

Feel free to explore and look around! This lab contains two vCenter servers, which allows you to experience Enhanced Linked Mode.
• vSphere 6.7 Update 2 Overview - Highlights New Features
• Simple & Efficient Management at Scale - vSphere & vCenter Server Enhancements
• Comprehensive Built-in Security - Virtualization Based Security (VBS), Trusted Platform Module (TPM) 2.0, Virtual Trusted Platform Module (vTPM)
• Universal App Platform - Persistent Memory (PMEM), NVIDIA GRID, Remote Direct Memory Access (RDMA)
• Seamless Hybrid Cloud Experience (Hot & Cold Migration, Hybrid Linked Mode)
• AppDefense - Deployment and Configuration, Process Monitoring
Lab Module List:
• Module 1 - vSphere 6.7 Overview (15 minutes) (Basic) Brief overview of what's new in the vSphere 6.7 Update 2 release.
• Module 2 - Simple & Efficient Management at Scale (60 minutes) (Basic) Explore improvements and new features in ESXi and vCenter Server management and lifecycle.
• Module 3 - Comprehensive Built-in Security (60 minutes) (Basic) Experience the improved VM Encryption workflow as well as added support for TPM 2.0, vTPM, and Virtualization Based Security.
• Module 4 - Universal Application Platform (15 minutes) (Basic) Discover new vSphere capabilities that make it the platform for all applications, including the most mission-critical.
• Module 5 - Seamless Hybrid Cloud (15 minutes) (Basic) Learn how vSphere 6.7 Update 2 and VMware Cloud on AWS create a seamless hybrid cloud experience with easy visibility, migration, and management of workloads between on-premises and public cloud.
Lab Captain:
• Sonya Harley, Consulting Architect, USA
Content Leads:
• Bob Plankers, Technical Marketing Architect, USA
This lab manual can be downloaded from the Hands-on Labs Document site found here:
http://docs.hol.vmware.com
This lab may be available in other languages. To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:
http://docs.hol.vmware.com/announcements/nee-default-language.pdf
Location of the Main Console
1. The area in the RED box contains the Main Console. The Lab Manual is on the tab to the right of the Main Console.
2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your work must be done during the lab session. But you can click EXTEND to increase your time. If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes. Each click gives you an additional 15 minutes. Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.
Alternate Methods of Keyboard Data Entry
During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.
Accessing the Online International Keyboard
You can also use the Online International Keyboard found in the Main Console.
1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.
Video: http://www.youtube.com/watch?v=xS07n6GzGuo
Click once in active console window
In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.
2. Click on the Shift key.
Click on the @ key
1. Click on the "@ key".
Notice the @ sign entered in the active console window.
Activation Prompt or Watermark
When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark.
This cosmetic issue has no effect on your lab.
Look at the lower right portion of the screen
Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

Module 1 - vSphere 6.7 Overview (15 minutes)
Introduction

This lab is an overview of the new features in vSphere 6.7 Update 2. After completing this module, you should get a good understanding of which of the next 5 modules are of interest to you. The remaining modules will use videos and the lab environment to demonstrate new features in the below categories.

In Module 1 we will go over the new features around installs, upgrades, backups, user interface, and the CLI.

Here are the topics we will cover in depth in other modules:

• Simple & Efficient Management at Scale (Core vSphere & vCenter Server)
• Comprehensive Built-in Security (VBS, TPM 2.0, vTPM)
• Universal App Platform (PMEM, NVIDIA GRID, RDMA)
• Seamless Hybrid Cloud Experience (Hot & Cold Migration, Hybrid Linked Mode)
• Interactive simulation covering AppDefense install, configuration, and use
Simple and Efficient Management at Scale

vSphere 6.7 Update 2 builds on the technological innovation delivered by vSphere 6.5, and elevates the customer experience to an entirely new level. It provides exceptional management, simplicity, operational efficiency, and faster time to market, all at scale.

vCenter Server Appliance

vSphere 6.7 Update 2 delivers an exceptional experience for the user with an enhanced vCenter Server Appliance (vCSA). It introduces several new APIs that improve the efficiency and experience of managing the vCSA. It also significantly simplifies the vCenter Server topology through vCenter with an embedded Platform Services Controller (PSC) in Enhanced Linked Mode. This topology enables customers to link multiple vCenters and have seamless visibility across the environment without the need for an external PSC or load balancers.

vSphere 6.7 Update 2 vCSA delivers phenomenal performance improvements (all metrics compared at cluster scale limits, versus vSphere 6.5):

• 2X faster performance in vCenter operations per second
• 3X reduction in memory usage
• 3X faster DRS-related operations (e.g. power-on virtual machine)
These performance improvements ensure a blazing fast experience for vSphere users and deliver significant value. They provide time and cost savings in a variety of use cases such as VDI, scale-out applications, Big Data, High Performance Computing (HPC), DevOps, and distributed cloud native applications.

Single Reboot/Quick Boot

vSphere 6.7 Update 2 improves efficiency at scale when updating ESXi hosts. Single Reboot significantly reduces maintenance time by eliminating one of the two reboots normally required for major version upgrades. In addition to that, vSphere Quick Boot restarts the ESXi hypervisor without rebooting the physical host, skipping time-consuming hardware initialization. This allows for faster upgrades and patching.
VMware Tools
The VMXNET3 driver is now available through Windows Update for Windows Server 2016 in the latest version of VMware Tools. A previous release of VMware Tools made the Paravirtual SCSI (PVSCSI) storage driver available through Windows Update. This means that you can update both drivers as part of your regular Windows patching cycle, which reduces the required number of reboots.

While updates to these drivers will still require a guest OS reboot, this can happen in conjunction with other Windows patching operations. If patching and rebooting is done prior to updating VMware Tools, a subsequent reboot will not be required.

When critical drivers can be updated in conjunction with other Windows patching, vSphere administrators benefit when subsequently updating VMware Tools because the driver will not require an update and a guest OS reboot will not be triggered.

The latest release of VMware Tools also includes updates to the Open Source components glib, openssl and libxml2.
VM Compatibility 15
vSphere 6.7 Update 2 introduces VM Compatibility 15 (formerly known as Virtual Hardware). This version increases the maximum number of logical processors from 128 to 256 for compute-intensive workloads. VM Compatibility 15 is only supported on ESXi 6.7 Update 2 (and later) hosts.
HTML 5 vSphere Client
The HTML5-based vSphere Client is now fully-featured in vSphere 6.7 Update 2! This means there is no longer a need to switch between the vSphere Client (HTML5-based) and the vSphere Web Client (Flash-based). Every aspect of your vSphere environment can be managed in the HTML5-based vSphere Client. It provides a modern, simplified user interface that is very responsive and easy to use. With vSphere 6.7 Update 2, it includes added functionality to support not only the typical workflows that customers need but also other key functionality like managing NSX, vSAN, VUM, and 3rd-party components.
Support for 4k Native Storage
Storage vendors are moving towards cost-efficient 4K native (4Kn) drives. The migration to 4K sized sectors will provide a shorter path to higher densities and hard drive capacities as well as more robust error correction. The HDD vendors have been manufacturing 4K-sectored drives by using emulation (512e) in the firmware to reduce the impact of the format change on the host clients. 512e drives were introduced to enable the transition to 4Kn drives. Vendors expect mass adoption of 4Kn within the next few years. Subsequently, VMware has been working to enable 4Kn drives in vSphere to ensure utilization of the latest technology.

4Kn drives have various benefits over 512 sector size drives: higher capacity and improved performance from the more optimized placement of data on the drive; efficient space utilization with optimized meta-data, giving up to 10% more available data; and improved drive reliability and error correction with larger meta-data, by increasing the ECC block from 50 to 100 bytes. This provides a much-needed improvement in error correction efficiency.

In vSphere 6.7 Update 2, 4Kn direct attached drives are now supported natively via 4Kn Software Emulation (SWE). The software emulation layer allows the use of 4Kn drives while still allowing legacy OS, applications, and existing VMs to run on newer 4Kn drives.

There are some limitations for 4Kn drives: only local SAS and SATA HDDs are supported, they must use VMFS6, and booting from 4Kn drives requires UEFI. Also, 4Kn SSD, NVMe, and Raw Device Mapping (RDM) disks for Guest Operating System (GOS) are not supported. vSAN and VVOL may declare themselves as 512e if they can handle both 512 byte and 4K I/Os without any atomicity issues. Third party multi-pathing plugins are not supported.
Comprehensive Built-in Security

vSphere 6.7 Update 2 builds on the security capabilities in vSphere 6.5 and leverages its unique position as the hypervisor to offer comprehensive security that starts at the core, via an operationally simple policy-driven model.
Integration with Trusted Platform Modules
A Trusted Platform Module (TPM) is a computer chip/microcontroller that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include measurements, passwords, certificates, or encryption keys. A TPM can also be used to digitally sign content and store platform measurements that help ensure that the platform remains trustworthy. The Trusted Computing Group has a detailed overview of what a TPM is and does.

Since ESXi 5.x, ESXi has had support for TPM 1.2. Prior to 6.7, the APIs and functionality of TPM 1.2 were limited to 3rd party applications created by VMware partners.

vSphere 6.7 Update 2 supports TPM 2.0. TPM 2.0 and TPM 1.2 are two entirely different implementations and there is no backward compatibility. For all intents and purposes, they are considered two different devices to ESXi.

If you are running 6.5 on a server with TPM 2.0 you will not see the TPM 2.0 device because there is no support in 6.5 for TPM 2.0. New features in 6.7 Update 2 do not use the TPM 1.2 device.

At a high level, TPM 2.0 is used to store measurements of a known good boot of ESXi. This measurement is then compared by vCenter with what ESXi reports.

In other words, the TPM provides a mechanism that provides assurance that ESXi has booted with Secure Boot enabled. By confirming that Secure Boot is enabled we can then ensure that ESXi has booted using only digitally signed code.

This is an excellent example of the iterative approach to security that we are delivering. In 6.5 we delivered Secure Boot support. In 6.7 Update 2 we built upon that by delivering TPM 2.0 to provide assurance that Secure Boot is turned on.
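The comparison described above, as a simplified model added to this guide (not VMware's or any TPM library's code): each boot component's measurement is extended into a PCR, and a verifier in vCenter's role checks what the host reports against a record of a known-good boot. The component names, the sample images, and the single-PCR layout are constructed assumptions, and the signed TPM quote that protects the reported PCR value is omitted.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple

PCR_SIZE = 32  # one SHA-256 PCR; a real TPM 2.0 bank has many more


def measure(image: bytes) -> bytes:
    """Measurement of a boot component: its SHA-256 digest."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA-256(PCR_old || digest).
    A PCR can only be extended, never written, so a given value can only be
    reproduced by feeding the same measurements in the same order."""
    return hashlib.sha256(pcr + digest).digest()


@dataclass
class BootRecord:
    """What a host reports at attestation time: its measured-boot event log
    (component name, digest) and the PCR value those events produced."""
    events: List[Tuple[str, bytes]] = field(default_factory=list)
    pcr: bytes = bytes(PCR_SIZE)

    def load(self, name: str, image: bytes) -> "BootRecord":
        digest = measure(image)
        self.events.append((name, digest))
        self.pcr = extend(self.pcr, digest)
        return self


def replay(events: List[Tuple[str, bytes]]) -> bytes:
    """Recompute the PCR from an event log, starting from the all-zero PCR."""
    pcr = bytes(PCR_SIZE)
    for _, digest in events:
        pcr = extend(pcr, digest)
    return pcr


def attest(reported: BootRecord, known_good: BootRecord) -> Tuple[bool, str]:
    """Verifier side of the check (the role vCenter plays for an ESXi host):
    confirm the event log reproduces the PCR the host reports, then compare
    that PCR with the known-good value. On a mismatch, diff the logs so the
    result names the component whose measurement changed."""
    if replay(reported.events) != reported.pcr:
        return False, "event log does not reproduce the reported PCR"
    if reported.pcr == known_good.pcr:
        return True, "boot matches known-good measurements"
    expected = dict(known_good.events)
    for name, digest in reported.events:
        if expected.get(name) != digest:
            return False, f"measurement of {name!r} differs from known-good boot"
    return False, "component set or boot order differs from known-good boot"


# Constructed sample "images" standing in for the real boot components.
FIRMWARE_SECURE_BOOT_ON = b"uefi-config:secureboot=1"
FIRMWARE_SECURE_BOOT_OFF = b"uefi-config:secureboot=0"
BOOTLOADER = b"esxi-bootloader-signed"
VMKERNEL = b"vmkernel-signed-build"


def boot(firmware: bytes, loader: bytes = BOOTLOADER,
         kernel: bytes = VMKERNEL) -> BootRecord:
    """Measured boot of one host: firmware configuration, then loader, then kernel."""
    return (BootRecord().load("firmware-config", firmware)
                        .load("bootloader", loader)
                        .load("vmkernel", kernel))


# Known-good record, captured once from a host booted with Secure Boot on.
KNOWN_GOOD = boot(FIRMWARE_SECURE_BOOT_ON)


def check_secure_boot_disabled() -> Tuple[bool, str]:
    """Same host with Secure Boot switched off: the firmware measurement
    changes, so the PCR no longer matches and the check names that component."""
    return attest(boot(FIRMWARE_SECURE_BOOT_OFF), KNOWN_GOOD)


def check_inconsistent_report() -> Tuple[bool, str]:
    """A report whose log shows a different kernel but claims the known-good
    PCR: replaying the log exposes the inconsistency before any comparison."""
    report = boot(FIRMWARE_SECURE_BOOT_ON, kernel=b"vmkernel-modified")
    report.pcr = KNOWN_GOOD.pcr
    return attest(report, KNOWN_GOOD)


if __name__ == "__main__":
    print(attest(boot(FIRMWARE_SECURE_BOOT_ON), KNOWN_GOOD))
    print(check_secure_boot_disabled())
    print(check_inconsistent_report())
```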
Virtualization Based Security
vSphere 6.7 Update 2 introduces support for the entire range of Microsoft's Virtualization Based Security (VBS) technologies. This is a result of close collaboration between VMware and Microsoft to ensure Windows VMs running on vSphere support in-guest security features while maintaining high performance.

vSphere 6.7 Update 2 delivers comprehensive built-in security and is the heart of a secure SDDC. It has deep integration and works seamlessly with other VMware products such as vSAN, NSX, and the vRealize Suite to provide a complete security model for the data center.
Data Encryption
Data encryption was introduced with vSphere 6.5 and very well received. With vSphere 6.7 Update 2, VM Encryption is further enhanced and more operationally simple to manage. vSphere 6.7 Update 2 simplifies workflows for VM Encryption designed to protect data at rest and in motion. Protection for data in motion has been enhanced by allowing encrypted vMotion across different vCenter instances as well as versions, making it easy to securely conduct data center migrations, move data across a hybrid cloud environment (between on-premises and public cloud), or across geographically distributed data centers.

Universal Application Platform

vSphere 6.7 Update 2 is a universal application platform that supports new workloads (including 3D Graphics, Big Data, HPC, Machine Learning, In-Memory, and Cloud-Native) as well as existing mission-critical applications. It also supports and leverages some of the latest hardware innovations in the industry, delivering exceptional performance for a variety of workloads.
Enhancements to NVIDIA GRID™ vGPU
vSphere 6.7 Update 2 further enhances the support and capabilities introduced for GPUs through VMware's collaboration with NVIDIA by virtualizing NVIDIA GPUs for non-VDI use cases such as artificial intelligence, machine learning, big data and more. With enhancements to NVIDIA GRID vGPU technology in vSphere 6.7 Update 2, customers can suspend and resume VMs running on GPUs instead of powering off these workloads. This allows for better lifecycle management of the underlying host and significantly reduces disruption for end-users. VMware continues to invest in this area with the goal of bringing the full vSphere experience to GPUs in the future.
vSphere Persistent Memory (PMEM)
vSphere 6.7 Update 2 continues to showcase VMware's technological leadership and collaboration with our key partners by adding support for persistent memory. With vSphere Persistent Memory (PMEM), customers using supported hardware modules can leverage them as super-fast storage with high IOPS or expose them to the guest operating system as non-volatile memory. This will significantly enhance performance of the OS as well as applications across a variety of use cases, making existing applications faster and enabling customers to create new high-performance applications that can leverage vSphere Persistent Memory.
Instant Clone
You can use the Instant Clone technology to create powered-on virtual machines from the running state of another powered-on virtual machine. The result of an Instant Clone operation is a new virtual machine that is identical to the source virtual machine. With Instant Clone, you can create new virtual machines from a controlled point in time. Instant cloning is very convenient for large scale application deployments because it ensures memory efficiency and allows for creating numerous virtual machines on a single host.

Seamless Hybrid Cloud

With the fast adoption of vSphere-based public clouds through VMware Cloud Provider Program partners, VMware Cloud on AWS, and other public cloud providers, VMware is committed to delivering a seamless hybrid cloud experience for customers.
vCenter Server Hybrid Linked Mode
vSphere 6.7 Update 2 supports vCenter Server Hybrid Linked Mode, which provides customers visibility and simplified manageability across an on-premises vSphere environment and a vSphere-based public cloud (e.g. VMC on AWS). With Hybrid Linked Mode, the different environments are not required to use the same versions of vSphere. This ensures that fast-paced innovation and introduction of new capabilities in the public cloud does not mean an upgrade for a customer's on-premises vSphere environment.

Cross-Cloud Cold and Hot Migration

vSphere 6.7 Update 2 also includes Cross-Cloud Cold and Hot Migration, further enhancing the ease of management across clouds and enabling a seamless and non-disruptive hybrid cloud experience for customers.
As virtual machines migrate between different data centers or from an on-premises data center to the cloud and back, they likely move across different CPU types. vSphere 6.7 Update 2 delivers a capability that is key for the hybrid cloud, called Per-VM EVC. Per-VM EVC enables the EVC (Enhanced vMotion Compatibility) mode to become an attribute of the VM rather than the specific processor generation it happens to be booted on in the cluster. This allows for seamless migration across different CPUs by persisting the EVC mode per-VM during migrations across clusters and during power cycles.

Previously, vSphere 6.0 introduced provisioning between vCenter instances. This is often called cross-vCenter provisioning. The use of two vCenter instances introduces the possibility that the instances are on different release versions. vSphere 6.7 Update 2 enables customers to use different vCenter versions while allowing cross-vCenter, mixed-version provisioning operations (vMotion, Full Clone and cold migrate) to continue seamlessly. This is especially useful for customers leveraging VMware Cloud on AWS as part of their hybrid cloud.

Conclusion

VMware vSphere 6.7 Update 2 is the efficient and secure platform for the hybrid cloud. It provides a powerful, flexible, and secure foundation for business agility that accelerates the digital transformation to the hybrid cloud as well as success in the digital economy. vSphere 6.7 Update 2 supports both existing and next-generation workloads through its:
1. Simple and efficient management at scale, to elevate the customer experience to an entirely new level
2. Comprehensive built-in security that starts at the core, via an operationally simple, policy-driven model
3. Universal application platform that supports new workloads and leverages hardware innovations for enhanced performance
4. Seamless hybrid cloud experience with easy visibility, migration, and management of workloads between on-premises data centers and the public cloud

With vSphere 6.7 Update 2, you can now run, manage, connect, and secure applications in a common operating environment, across their hybrid cloud.
You have finished Module 1!
Congratulations on completing Module 1!
To review more info on the new features please use the links below:
• What's New in vSphere 6.7 Whitepaper
• vSphere 6.7 On YouTube
• Mike Foley's Blog - ESXi & TPM
• Or use your smart device to scan the QR code.
Proceed to any module below which interests you most.
• Module 2 - Simple and Efficient Management at Scale (60 minutes) (Basic) Explore improvements and new features in ESXi and vCenter Server management and lifecycle.
• Module 3 - Comprehensive Built-in Security (60 minutes) (Basic) Experience the improved VM Encryption workflow as well as added support for TPM 2.0, vTPM, and Virtualization Based Security.
• Module 4 - Universal Application Platform (15 minutes) (Basic) Discover new vSphere capabilities that make it the platform for all applications, including the most mission critical.
• Module 5 - Seamless Hybrid Cloud (15 minutes) (Basic) Learn how vSphere 6.7 and VMware Cloud on AWS create a seamless hybrid cloud experience with easy visibility, migration and management of workloads between on-premises and public cloud.
Test Your Skills!
Now that you've completed this lab, try testing your skills with VMware Odyssey, our newest Hands-on Labs gamification program. We have taken Hands-on Labs to the next level by adding gamification elements to the labs you know and love. Experience the fully automated VMware Odyssey as you race against the clock to complete tasks and reach the highest ranking on the leaderboard. Try the vSphere Odyssey lab:
• HOL-2011-07-ODY - VMware Odyssey - vSphere - Getting Started Game
How to End Lab
To end your lab click on the END button.
Module 2 - Simple & Efficient Management at Scale (60 minutes)

Introduction

vSphere 6.7 Update 2 builds on the technological innovation delivered by vSphere 6.5, and elevates the user experience to an entirely new level. It provides exceptional management simplicity, operational efficiency, and faster time to market, all at scale.
This module will highlight:
• Enhanced vCenter Server Appliance - Delivers more efficient management and an exceptional experience for the user, with significant performance improvements.
• Single Reboot and vSphere Quick Boot - Reduces time patching and upgrading.
• Improved HTML5-based vSphere Client - Enables fast performance and easy management of connected components.
• Enhanced Linked Mode with Embedded PSCs
• vCenter Server cross-SSO Domain repoint
• vCenter Server Appliance migration tool improvements
• vCenter Server Appliance native file-based backup improvements
• vSphere Health
• VAMI improvements
• vCenter Server Appliance / PSC batch deployment CLI
• vSphere Client plugins such as VUM, Host Profiles, vSAN, and vRealize Operations
• Content Library Improvements
Enhanced vCenter Server Appliance

In vSphere 6.7 Update 2, many of the new features and enhancements were developed around the vCenter Server Appliance. This is the last release that will offer a Windows installation of vCenter. The appliance has a new, simplified user interface, enhanced monitoring of services, file-based backup and other great features.

Installation

One significant change for the vCenter Server Appliance is around simplifying the architecture. vSphere 6.7 Update 2 allows you to deploy the vCenter Server Appliance with Embedded PSC with Enhanced Linked Mode. Now all vCenter Server services are running on a single instance. Let's take a look at the benefits this deployment model brings:

• No load balancer required for high availability, and fully supports native vCenter Server High Availability.
• SSO Site boundary removal provides flexibility of placement.
• Supports vSphere scale maximums.
• Allows for 15 deployments in a vSphere Single Sign-On Domain.
• Reduces the number of nodes to manage and maintain.
Migration Tool
vSphere 6.7 is the last release to include vCenter Server for Windows. Customers can migrate to the vCenter Server Appliance with the built-in Migration Tool. In vSphere 6.7 Update 2, we can select how to import the historical and performance data during a migration:

• Deploy & import all data
• Deploy & import data in the background

Customers will also get an estimated time of how long each option will take when migrating. Estimated time will vary based on historical and performance data size in your environment. While importing data in the background, customers have the option to pause and resume. This new ability is available in the vSphere Appliance Management Interface (VAMI). Another improvement to the migration process is support of custom ports. Customers who changed the default Windows vCenter Server ports are no longer blocked.
Video - vCenter Server Appliance Migration (5:10)
We will now log into the vCSA and take a look at some of the enhancements.

Open Chrome Browser from Windows Quick Launch Task Bar

1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

Video: http://www.youtube.com/watch?v=m-Fu-_GTEvU
Gain screen space in Chrome by zooming out
1. Select the Options menu in Chrome.
2. Click the '-' button to zoom out to 90%
This will provide more viewing space while still allowing you to read the text.
Log in to Appliance Management UI
For this lab, we will log in with the root account.
However, vSphere 6.7 Update 2 now allows local vSphere SSO users to log into the VAMI. The local vSphere SSO users must be a member of the SystemConfiguration.Administrators group. In addition, members of the SystemConfiguration.BashShellAdministrators group can use their local vSphere SSO account to log into the VCSA bash shell. From a security perspective, using a local SSO user account to manage the VAMI makes it easier to audit the user who logged in and track actions performed by that user.
1. Click the HOL Admin bookmark
2. Click the vcsa-01a Mgmt shortcut in the drop-down
3. Type root for the username
4. Type VMware1! for the password
5. Click Login
A lot of investment went into improving monitoring for the vCenter Server Appliance. We saw these improvements starting in vSphere 6.5, and vSphere 6.7 Update 2 has added several new enhancements. When accessing the vSphere Appliance Management Interface (VAMI) on port 5480, the first thing we notice is the VAMI has been updated to the Clarity UI. We also notice there are several new tabs on the left-hand side compared to vSphere 6.5.
Monitoring and Management
There is now a tab dedicated to monitoring where we can see CPU, memory, disk, network, and database utilization.
1. From the menu on the left, click Monitor
2. The default view should be the CPU & Memory tab. If not, click this tab.
Explore the graphs shown for these components.
A new section of the monitoring tab called Disks is now available. Customers can now see each of the disk partitions for the vCenter Server appliance along with the remaining space available and utilization.
1. Click the Disks tab. Review the partitions and utilization of the disks for the vCenter Server appliance
2. Click the Network tab to see transfer rates for network packets
3. Click the Database tab to see space utilization
Firewall
In vSphere 6.7 Update 2, firewall rules can be managed for the vCenter Server Appliance directly from the VAMI. In the past, this functionality was only available using the VAMI APIs.
We will create a new firewall rule for the vCenter Server appliance.
1. From the menu on the left, click Firewall
2. Click Add
Create New Firewall Rule
1. Enter 10.10.10.10 in the IP Address field
2. Enter 24 in the Subnet Prefix Length field
3. Select Accept from the Action drop-down menu
4. Click Save
The firewall rule is now displayed. We will now delete this rule.
Delete Firewall Rule
1. In the Firewall section, click the radio button next to the firewall rule that will be deleted
2. Click Delete
1. Click Delete to confirm that you want to remove the firewall rule
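As an added example (not part of the lab or of the appliance's own code), the check below reads a rule the way a packet filter does: the IP address and subnet prefix length entered above define a network, so the 10.10.10.10 / 24 rule created in this section admits the whole 10.10.10.0/24 range rather than a single host. The field names, the Reject action and the top-down first-match ordering are assumptions of this example, and the rule set is constructed.

```python
"""Audit vCenter Server Appliance (VAMI) inbound firewall rules.

Added example, not part of the lab: a rule carries the three values the
Create New Firewall Rule step asks for (IP address, subnet prefix length,
action). The field names, the actions other than Accept and the top-down,
first-match ordering are assumptions of this example, not the VAMI schema.
"""
import ipaddress
from typing import Dict, List, Union

Rule = Dict[str, Union[str, int]]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def effective_network(rule: Rule) -> Network:
    """Network a rule really matches. Host bits beyond the prefix are dropped,
    so 10.10.10.10 with prefix 24 is all of 10.10.10.0/24, not one host."""
    return ipaddress.ip_network(f"{rule['address']}/{rule['prefix']}", strict=False)


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return findings for rules that are broader than typed, accept from any
    source, or can never match because an earlier rule already covers them."""
    findings: List[str] = []
    seen: List[Network] = []
    for index, rule in enumerate(rules, start=1):
        net = effective_network(rule)
        label = f"rule {index} ({rule['address']}/{rule['prefix']} {rule['action']})"

        # Host bits set: the rule covers more than the single address typed in.
        if ipaddress.ip_address(rule["address"]) != net.network_address:
            findings.append(f"{label}: matches all of {net}, not only {rule['address']}")

        # Accept with a zero-length prefix lets every source reach the appliance.
        if rule["action"] == "Accept" and net.prefixlen == 0:
            findings.append(f"{label}: accepts traffic from any source")

        # Shadowed: an earlier rule already matches every address this one would,
        # so (assuming first match wins) this rule is dead configuration.
        for earlier_index, earlier_net in enumerate(seen, start=1):
            if net.version == earlier_net.version and net.subnet_of(earlier_net):
                findings.append(
                    f"{label}: never reached, already covered by rule {earlier_index} ({earlier_net})"
                )
                break
        seen.append(net)
    return findings


# Constructed sample rule set; the first entry is the rule created in the lab.
SAMPLE_RULES: List[Rule] = [
    {"address": "10.10.10.10", "prefix": 24, "action": "Accept"},
    {"address": "10.10.10.10", "prefix": 32, "action": "Reject"},
    {"address": "192.168.110.0", "prefix": 24, "action": "Accept"},
    {"address": "0.0.0.0", "prefix": 0, "action": "Accept"},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Run against an export of the real rule list, the same checks flag the two conditions worth reviewing before saving a rule: a prefix shorter than intended and an Accept that an earlier, broader rule makes redundant.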
Services
The Services tab is now located in the VAMI and provides out-of-band troubleshooting. All of the services that make up the vCenter Server Appliance, their startup type, health, and state are visible here. We are also given the option to start, stop, and restart services if needed.
While the Syslog and Update tabs are not new to the VAMI, there are improvements in these areas. Syslog now supports up to three syslog forwarding targets. There is now more flexibility in patching and updating. From the Update tab, we will now have the option to select which patch or update to apply. Customers will also have more information including type, severity, and if a reboot is necessary. Expanding a patch or update in the view will display more information about what is included. Finally, we can now stage and install a patch or update from the VAMI. This capability was previously only available from the CLI.
File-Based Backup and Restore
In vSphere 6.7 Update 2, the vCenter Server Appliance (vCSA) has an out-of-the-box file-based backup and restore solution. You can back up all of vCenter Server's core configuration, inventory, and historical data to a single folder. The newest supported protocols for built-in file-based Backup and Restore include Network File System (NFS) & Samba (SMB). The addition of NFS and SMB now brings the protocol choices up to 7 total (HTTP, HTTPS, FTP, FTPS, SCP, NFS, and SMB) when configuring a vCenter Server for file-based Backup or Restore. Currently supported versions of these new protocols are NFSv3 and SMB2. When it is time to restore to a previous backup, you can deploy a new appliance, point to the folder location of the vCenter Server backup files, and restore all of the vCenter server's configuration and inventory data (with optional historical data) from the backup. Improvements to the Backup functionality in vCenter 6.7 Update 2 include a scheduling option!
Create Backup
1. From the menu on the left, select Backup
2. Click Backup Now.
Backup Wizard
1. For Backup location, enter ftp://192.168.110.60
2. Enter root in the User name field
3. Enter VMware1! in the Password field
4. Ensure Stats, Events and Tasks is selected
5. Enter HOL Test Backup in the Description field
6. Click Start
Backup Status
This step provides a backup status summary which gives you a confirmation of your backup protocol, location, credentials, encryption, and optional data.
NOTE: Due to the lack of storage in the lab, the transfer will error out.
Configuring a Schedule in the Backup Wizard
New to vCenter 6.7 is the ability to create a recurring backup schedule. We will walk through setting up a schedule to finish off this part of the lab.
1. Click Configure in the Backup Schedule section.
1. For Backup location, enter ftp://192.168.110.60
2. Enter root in the User name field
3. Enter VMware1! in the Password field
4. In the Schedule field, leave the default value
5. In the Number of backups to retain field, leave the default value that is selected
6. Ensure Stats, Events and Tasks is selected
7. Click Create
Confirm the Schedule Creation
1. Click on the small chevron beside the Status to expand the Schedule selection.
2. Confirm that the schedule has been created. You can use the Edit, Disable, or Delete buttons to manage the scheduled backup job.
Click on the video to watch a video on scheduling a backup.
Video - File-Based Backup and Restore (4:29): http://www.youtube.com/watch?v=r05k2AeQgcU
Cross-SSO Domain Repoint
The vCenter Server Appliance 6.7 Update 2 CLI also has some new enhancements. Here we will discuss the repointing enhancements using cmsso-util. While not a new feature, it was not available in vSphere 6.5 and makes a return in vSphere 6.7.
Customers can now repoint their vCenter Server Appliance across vSphere SSO domains. Can you say consolidation? The domain repoint feature supports both embedded and external deployments running vSphere 6.7 Update 2. The domain repoint feature has a pre-check option and it is highly recommended to use this. The pre-check compares the two vSphere SSO domains and lists any discrepancies in a JSON file. This provides the opportunity to resolve any discrepancies before running the domain repoint tool. The repoint tool can migrate licenses, tags, categories, and permissions from one vSphere SSO Domain to another.
vCSA/PSC Batch Deployment
Another CLI enhancement includes using the CLI installer to manage the vCenter Server Appliance lifecycle. The vCenter Server Appliance ISO file comes with JSON template examples. These JSON templates are a way to ensure consistency across installs, upgrades, and migrations. Usually, we would have to run the JSON templates from the CLI installer one at a time in the correct order. This manual per-node deployment is now a thing of the past with batch operations. With batch operations, several JSON templates can be run in sequence from a single directory without intervention. Before running, use the pre-checks option on the directory to verify the templates, including their sequence.
Improved HTML5-Based vSphere Client
In this lab module we will explore the improvements made to the vCenter HTML5-based client.
vSphere Client (HTML5)
In vSphere 6.7 Update 2, the vSphere Client is now fully featured. This means that all aspects of the vSphere environment can be managed using only the HTML5-based vSphere Client. There is no need to switch to the Flash-based vSphere Web Client.
Some of the newer workflows in the updated vSphere Client include:
• vSphere Update Manager
• Content Libraries
• vSAN
• Storage Policies
• Host Profiles
• Network Topology Diagram
• Licensing
To simplify management, the Platform Services Controller (PSC) user interface is now part of the vSphere Client. PSC management is located under the Administration menu. The PSC options are divided between two tabs: Certificates > Certificate Management and Single Sign On > Configuration.
We will discuss some of the updates to the vSphere Client below.
Dark Theme
Having the dark theme option has been one of the most requested features for the vSphere Client. Customers can now switch between the traditional light theme and the new dark theme in a single click.
Code Capture
Have you ever wanted to know what tasks performed in the vSphere Client would look like in code? You can now easily accomplish this by using Code Capture. You may already be familiar with its predecessor - ONYX. This popular feature started out in the vSphere HTML5 Web Client Fling and it is now available in vSphere 6.7 Update 2.
Once enabled, simply press the "Record" button. Code Capture allows you to record your actions in the vSphere Client and translates these actions into executable code.
API Explorer
vSphere 6.7 Update 2 brings the API Explorer directly into the vSphere Client. In previous releases, users would have to navigate to a separate URL and provide credentials before having the ability to interact with the REST APIs. This extra step has now been eliminated.
An Execute button now appears for each method allowing users to quickly perform the action via the REST API. These are live changes to the environment so proceed with caution when using this feature. You will receive pop-up warnings before any actions are executed.
Update Manager
There are several enhancements and improved workflows in the vSphere Client for the Update Manager interface. Let's take a look at a few of these. First, we now have the ability to filter by baselines to improve searching capabilities.
VMware Tools and VM Hardware upgrades are now a 1-click remediation and you no longer have to create baselines!
With vSphere 6.7 Update 2 we introduced the ability to attach multiple baselines or baseline groups to an object.
In the past, if you wanted to remediate multiple baselines you were required to create a Baseline Group. With vSphere 6.7 Update 2, you are now allowed to remediate multiple baselines without a baseline group.
In vSphere 6.7 Update 2, creating and attaching a baseline or baseline group is now in a single workflow. In previous versions of Update Manager, if you started the process of attaching a baseline but then decided you wanted to create a new one, you had to exit the workflow and navigate to Update Manager Home to create the baseline. This workflow has also been enhanced to simplify this process.
You can now view the contents of an ESXi image in the vSphere Client! This is extremely helpful to all users but especially to those who create custom images or use vendor-provided images. This option allows the ability to see what patches and drivers are included within a specific ESXi image when performing an upgrade.
Previously, when the Remediation Pre-check ran and detected VMs with attached CD drives, the user was required to disconnect the removable drives manually. If the removable drive was not removed, it could prevent the host from entering maintenance mode.
With vSphere 6.7 Update 2, we now provide the option to allow vSphere Update Manager to automatically disconnect removable media devices that might prevent a host from entering maintenance mode.
Another setting that you are able to modify is the option to disable vSphere Quick Boot. Previously this option was enabled by default. Now customers are able to disable Quick Boot on a host if they wish to have pending firmware or drivers installed upon the next full reboot of that host.
Another pre-check that has been added is the ability to detect if DRS is enabled. If DRS is disabled, hosts may not be automatically placed into maintenance mode, so user attention is suggested to correct this.
Another important feature in vSphere 6.7 Update 2 is the option to disable the host health check after installation. This feature was aimed at vSAN users. This helps in a situation where a host fails a health check and causes the entire cluster remediation to fail. This would mean that the ESXi host that was upgraded would remain in maintenance mode.
Lifecycle Management Operations
VMware vSphere 6.7 Update 2 includes several improvements that accelerate the host lifecycle management experience to save administrators valuable time.
Open Chrome Browser from Windows Quick Launch TaskBar
1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
Log into the vSphere Web Client
Using the Chrome web browser, navigate to the URL for the Web client. For this lab, you can use the shortcut in the address bar.
1. Click the RegionA bookmark folder
2. Click on bookmark for RegionA vSphere Client (HTML)
3. Check the Use Windows session authentication box
4. Click Login
Alternatively, you could use these credentials:
1. User name: corp\Administrator
2. Password: VMware1!
Please Note: All of the user credentials used in this lab are listed in the README.TXT file on the desktop.
Gain screen space in Chrome by zooming out
The lab desktop is limited to 1280x800 screen resolution. It might be helpful to zoom out the browser for better readability.
1. Select the Options menu in Chrome.
2. Click the '-' button to zoom out to 90%
This will provide more viewing space while still allowing you to read the text.
Navigate to Update Manager
Navigate to the Update Manager interface
1. Click the Menu icon
2. Click Update Manager
1. Click on Updates
2. Filter on the ID
3. Enter 2018
The results will be filtered for any patches released in 2018. You can also filter by the version, under releases, category, and type.
Update Manager with Embedded Linked Mode
With the introduction of embedded linked mode in vSphere 6.7, you can now manage Update Manager instances through the same interface.
1. Select the drop down arrow
2. Select vcsa-01b.corp.local
Browse the settings in the other vCenter.
Upgrades from 6.5 to 6.7
Hosts that are currently on ESXi 6.5 will be upgraded to 6.7 significantly faster than ever before. This is because several optimizations have been made for that upgrade path, including eliminating one of two reboots traditionally required for a host upgrade. In the past, hosts that were upgraded with Update Manager were rebooted a first time in order to initiate the upgrade process, and then rebooted once again after the upgrade was complete. Modern server hardware, equipped with hundreds of gigabytes of RAM, typically takes several minutes to initialize and perform self-tests. Doing this hardware initialization twice during an upgrade really adds up, so this new optimization will significantly shorten the maintenance windows required to upgrade clusters of vSphere infrastructure.
These new improvements reduce the overall time required to upgrade clusters, shortening maintenance windows so that valuable efforts can be focused elsewhere.
Recall that, because of DRS and vMotion, applications are never subject to downtime during hypervisor upgrades: VMs are moved seamlessly from host to host, as needed.
vSphere Quick Boot
What is the Quick Boot functionality? Quick Boot functionality allows restarting only the hypervisor instead of going through a full reboot of the host hardware including POSTing, etc. This functionality is utilized with vSphere Update Manager so that patching and upgrades are completed much more quickly. A note here before getting excited about potential backwards compatibility: this functionality is only available for hosts that are running ESXi 6.7. Even if your hardware is compatible with the new Quick Boot, if you are running a legacy version of ESXi, this won't be available.
Host reboots occur infrequently but are typically necessary after activities such as applying a patch to the hypervisor or installing a third-party component or driver. Modern server hardware that is equipped with large amounts of RAM may take many minutes to perform device initialization and self-tests.
Quick Boot eliminates the time-consuming hardware initialization phase by shutting down ESXi in an orderly manner and then immediately re-starting it. If it takes several minutes, or more, for the physical hardware to initialize devices and perform necessary self-tests, then that is the approximate time savings to expect when using Quick Boot! In large clusters, that are typically remediated one host at a time, it's easy to see how this new technology can substantially shorten time requirements for data center maintenance windows.
Due to the nature of our lab, we can't demonstrate Quick Boot because ESXi is running on ESXi! Click on this video to watch Quick Boot in action!
Video - vSphere Quick Boot (1:53): http://www.youtube.com/watch?v=T3OZiuAJnmE
While we can't watch the reboot go any faster in this lab, let's go check where we enable this setting.
1. From Update Manager, click the Settings tab
2. Under Remediation Settings click on Hosts
3. Click on Edit
1. Notice the Enable Quick Boot is checked by default
2. Review the available host settings
3. Click on Cancel to exit
Getting Started with Update Manager
VMware vSphere Update Manager is a tool that simplifies and centralizes automated patch and version management for VMware vSphere and offers support for VMware ESX hosts, virtual machines, and virtual appliances.
With Update Manager, you can perform the following tasks:
1. Upgrade and Patch ESXi hosts.
2. Upgrade virtual machine hardware, VMware Tools, and Virtual Appliances.
vSphere Update Manager is installed and running by default in the vCenter Server Appliance. Each vCenter Appliance will have a single vSphere Update Manager paired with it.
Open Chrome Browser from Windows Quick Launch TaskBar
1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
Log into the vSphere Web Client
Using the Chrome web browser, navigate to the URL for the Web client. For this lab, you can use the shortcut in the address bar.
1. Click the RegionA bookmark folder
2. Click on bookmark for RegionA vSphere Client (HTML)
3. Check the Use Windows session authentication box
4. Click Login
Alternatively, you could use these credentials:
1. User name: corp\Administrator
2. Password: VMware1!
Please Note: All of the user credentials used in this lab are listed in the README.TXT file on the desktop.
Gain screen space in Chrome by zooming out
The lab desktop is limited to 1280x800 screen resolution. It might be helpful to zoom out the browser for better readability.
1. Select the Options menu in Chrome.
2. Click the '-' button to zoom out to 90%
This will provide more viewing space while still allowing you to read the text.
Navigate to Update Manager
Navigate to the Update Manager interface
1. Click the Menu icon
2. Click Update Manager
Select vcsa-01b.corp.local
We are going to create a baseline on the vcsa-01b vCenter Server.
1. Ensure vcsa-01b.corp.local is selected in the host drop down menu.
Baselines and Baseline Groups
Baselines can be upgrade, extension, or patch baselines. Baselines contain a collection of one or more patches, extensions, or upgrades.
Baseline groups are assembled from existing baselines, and might contain one upgrade baseline per type of upgrade baseline, and one or more patch and extension baselines. When you scan hosts, virtual machines, and virtual appliances, you evaluate them against baselines and baseline groups to determine their level of compliance.
By default, Update Manager contains two predefined dynamic patch baselines.
• Critical Host Patches - Checks ESXi hosts for compliance with all critical patches
• Non-Critical Host Patches - Checks ESXi hosts for compliance with all optional patches
We are going to create a new baseline, which we will then use to scan a vSphere host so that we can make sure that it has the latest patches.
1. Select the Baselines tab
2. Click New
3. Click Baseline
Create Baseline
1. Enter HOL Host Baseline for the name
2. Enter Host Baseline for the description
3. Select the Patch radio button
4. Click Next to continue.
Select Patches Automatically
This screen gives the baseline the ability to continually update itself based on the criteria you select. You can use these options to narrow the scope of the patches added to this baseline (selecting embeddedEsx 6.5.0 would limit this baseline to only those patches relevant to ESXi 6.5).
Some areas you can refine the baseline patches to are:
• Vendor
• Product
• Severity (Critical, Important, Moderate, Low)
• Category (Security, BugFix, Enhancement, Other)
1. For our example, we will leave the default setting to automatically update the baseline as new patches become available. We will also leave the default Criteria settings of Any for all options.
2. Click Next
Select Patches Manually
From this screen you have the ability to manually select patches for the baseline to include. Since we have selected the option to have this baseline automatically updated, this screen will appear without patches to select. If you disable the automatic option in the previous screen, you would now be presented with a listing of all patches available which you could manually select to include in this baseline.
1. Click Next
Summary
Review the settings of the patch baseline you created before finishing the wizard
1. Click Finish to complete the Patch Baseline
Return to Hosts and Clusters View
Next, we are going to attach the baseline we just created to a host. This makes sure that scanning and remediation happens for the host.
1. Click on the Menu Icon
2. Select Hosts and Clusters
Attach the Patch Baseline to a Host
1. Expand vcsa-01b.corp.local vCenter Server --> RegionB01 Datacenter --> RegionB01-COMP01 Cluster
2. Click on the host esx-02b.corp.local
3. Select the Updates tab.
4. Click on Attach (Note: You may need to scroll down to see this)
5. Click Attach Baseline or Baseline Group
Select the Baseline
In the new window that opens,
1. Select HOL Host Baseline - this is the new Baseline that we just created
2. Click Attach
Verify the Baseline is Attached
Before we scan the host for compliance against our new baseline, let's verify the new baseline is attached and see what the current status of its compliance is.
1. Verify HOL Host Baseline is listed in the Attached Baselines
2. Notice that the current status indicates Unknown; this is a normal status when you attach a new baseline. Update Manager has not yet scanned this host and compared its current state to the baseline state.
In the next step, we will scan the host and see if it is in compliance with the attached baseline.
Scan the Host
We will now scan this host to see if it is compliant with the baseline.
1. Click the CHECK COMPLIANCE button
2. You may receive a message in a blue bar at the top of your screen indicating a refresh is needed; click the Refresh link to update the screen. After you click Refresh, you can safely close the message window with the "X"
3. Notice the new status of this host. It is now "Compliant". This indicates that the host meets the patch criteria selected in this baseline.
Had this host been missing any patches identified in the baseline criteria, the status would have shown "Not Compliant", indicating the host is missing a patch identified in the baseline. You could then remediate this host using the Remediate option on this screen.
Video: Upgrading VMware Tools Using vSphere Update Manager (5:14): http://www.youtube.com/watch?v=HLZvcjH95mE
vSphere Update Manager can also be used to update the VMware Tools on a virtual machine. The following video outlines the process.
Converge Tool
Convergence is the process of reconfiguring or converting a vCenter Server instance with an external Platform Services Controller (PSC) to a vCenter Server instance with an embedded PSC.
The Converge Tool was introduced in vSphere 6.7 Update 1 as the method to move from an external PSC deployment to an embedded PSC using the vCenter Server CLI. With vCenter Server 6.7 Update 2, the convergence functionality is now available within the vSphere Client!
In vCenter Server 6.7 Update 2 within the table view, you will see two new buttons: Converge to Embedded and Decommission PSC. You are no longer required to utilize the CLI and JSON templates to run the vCenter Server Converge Tool. One additional benefit when running the Converge Tool through the vSphere Client is that if you have internet access, any required components will be automatically downloaded from the VMware Online Repository. This provides a simple method to migrate your external vCenter server deployment to an embedded vCenter server deployment.
Watch the video on the next page to learn more!
Video - Converge Tool (3:10): http://www.youtube.com/watch?v=HlL4KzAPx0c
Embedded Linked Mode
vCenter Embedded Linked Mode is enhanced linked mode support for vCenter Server Appliance with an embedded Platform Services Controller. This lab is configured using vSphere 6.7 Embedded Linked Mode.
With vCenter Embedded Linked Mode, you can connect multiple vCenter Server Appliances with embedded Platform Services Controllers together to form a domain. vCenter Embedded Linked Mode is not supported for Windows vCenter Server installations. vCenter Embedded Linked Mode is supported starting with vSphere 6.5 Update 2 and suitable for most deployments.
Other features of vCenter Embedded Linked Mode include:
• No external Platform Services Controller, providing a more simplified domain architecture than enhanced linked mode.
• A simplified backup and restore process.
• A simplified HA process, removing the need for load balancers.
• Up to 15 vCenter Server Appliances can be linked together using vCenter Embedded Linked Mode and displayed in a single inventory view.
• For a vCenter High Availability (vCenter HA) cluster, three nodes are considered one logical vCenter Server node. Ten vCenter HA clusters can be linked in vCenter Embedded Linked Mode, for a total of 30 VMs.
Video - Embedded Linked Mode (4:03): http://www.youtube.com/watch?v=46iAm_ddM0k
vSphere Health
vSphere Health enables you to identify and resolve potential issues before they have an impact on your environment. vSphere telemetry data is collected and used to analyze pre-conditions in your vSphere environment related to stability and incorrect configurations. These issues are reported under vSphere Health and resolution recommendations are provided. You can check the health of vSphere hosts and vCenter Server.
VMware Analytics Cloud (VAC) is the platform that enables VMware products to send telemetry data to VMware. vSphere Health works in conjunction with the Customer Experience Improvement Program (CEIP) to send anonymous data to VAC for analysis, which in turn provides the assessment within the vSphere Client.
New to vSphere Health in vSphere 6.7 Update 2 are Categories and Alarms. Alarms are generated when a new issue is detected in vSphere. vSphere Health alarms can be set to Acknowledge or Reset to Green much like other vCenter Server alarms.
Health checks are now grouped into one of four health categories: Online Availability, Compute, Network, and Storage. This new grouping feature not only allows for a simple, organized view of all vSphere Health checks but also aligns with the goal of improving the overall organization of vSphere Health as more health checks are introduced.
We will now review how to use this feature in vSphere 6.7 Update 2.
vSphere Client Plug-ins
Managing and monitoring the deployment of vSphere Client plug-ins has become easier with the release of vSphere 6.7 Update 2. Prior to this release, troubleshooting client plug-in errors would require admins to review logs to determine the root cause of the issue.
The deployment state of a client plug-in can now be easily viewed from the vSphere Client. This improves the visibility and transparency of the plug-in installation workflow by reporting plug-in errors, incompatibility information, and possible remediation steps all in the Client Plug-ins UI. Access this interface by selecting Administration from the Menu, then select Client Plug-Ins under Solutions.
Check out the video on the next page for more information!
Video - vSphere Client Plug-ins (3:02): http://www.youtube.com/watch?v=ztvxeDxG0NY
<div class="player-unavailable"><h1 class="message">An error occurred.</h1><div class="submessage"><ahref="http://www.youtube.com/watch?v=ztvxeDxG0NY" target="_blank">Try watching this video on www.youtube.com</a>, or enableJavaScript if it is disabled in your browser.</div></div>
Content Library Improvements
Content libraries are container objects for VM templates, vApp templates, and other types of files. Customers can use the templates in the library to deploy virtual machines and vApps in the vSphere inventory. Sharing templates and files across multiple vCenter Server instances in the same or different locations allows for consistency, compliance, efficiency, and automation in deploying workloads at scale.
The Content Library service now supports virtual machine (.vmtx) templates, which allows users to deploy a virtual machine from native VM templates. Open Virtual Appliance (OVA) files are also supported in a Content Library. The OVA files are unzipped during the import, providing manifest and certificate validations, and create an OVF library item that enables deployment of virtual machines from a Content Library.
vCenter Server 6.7 Update 2 continues to add new functionality when utilizing the Content Library. Syncing of native VM templates between Content Libraries is now available when vCenter Server is configured for Enhanced Linked Mode. Published libraries can now become subscriber-aware, allowing newly published items to replicate to other subscribed Content Libraries.
A Publish option is available when viewing the VMTX template or from the Subscriptions tab of the local library. Publishing from the local library will sync the VM template to the selected Subscriber Libraries.
See how you can use subscriptions to distribute VM templates in the video below.
Video - Using Subscriptions to Distribute VM Templates to a Subscriber (4:00)
Video: http://www.youtube.com/watch?v=k8v8mRrxJPE
Conclusion
vSphere 6.7 Update 2 builds on the technological innovation delivered by vSphere 6.5, and elevates the customer experience to an entirely new level. It provides exceptional management simplicity, operational efficiency, and faster time to market, all at scale.
vSphere 6.7 Update 2 delivers an exceptional experience for the user with an enhanced vCenter Server Appliance (vCSA). It introduces several new APIs that improve the efficiency and experience to deploy vCenter, to deploy multiple vCenters based on a template, to make management of vCenter Server Appliance significantly easier, as well as for backup and restore. It also significantly simplifies the vCenter Server topology through vCenter with embedded platform services controller in enhanced linked mode, enabling customers to link multiple vCenters and have seamless visibility across the environment without the need for an external platform services controller or load balancers.
Moreover, with vSphere 6.7 vCSA delivers phenomenal performance improvements:
• 2X faster performance in vCenter operations per second
• 3X reduction in memory usage
• 3X faster DRS-related operations (e.g. power-on virtual machine)
These performance improvements ensure a blazing fast experience for vSphere users, and deliver significant value, as well as time and cost savings in a variety of use cases, such as VDI, Scale-out apps, Big Data, HPC, DevOps, distributed cloud native apps, etc.
vSphere 6.7 Update 2 improves efficiency at scale when updating ESXi hosts, significantly reducing maintenance time by eliminating one of two reboots normally required for major version upgrades (Single Reboot). In addition to that, vSphere Quick Boot is a new innovation that restarts the ESXi hypervisor without rebooting the physical host, skipping time-consuming hardware initialization.
Another key component that allows vSphere 6.7 Update 2 to deliver a simplified and efficient experience is the graphical user interface itself. The HTML5-based vSphere Client provides a modern user interface experience that is both responsive and easy to use. With vSphere 6.7 Update 2, it includes added functionality to support not only the typical workflows customers need but also other key functionality like managing NSX, vSAN, VUM as well as third-party components.
You've finished Module 2!
Congratulations on completing Module 2!
To review more info on the new management features please use the links below:
• Upgrading from vSphere 6.5 to 6.7
• Or use your smart device to scan the QR Code.
Proceed to any module below which interests you most.
• Module 1 - vSphere 6.7 Overview (15 minutes) (Basic) Brief overview of what's new in the vSphere 6.7 release.
• Module 2 - Simple and Efficient Management at Scale (60 minutes) (Basic) Explore improvements and new features in ESXi and vCenter Server management and lifecycle.
• Module 3 - Comprehensive Built-in Security (60 minutes) (Basic) Experience the improved VM Encryption workflow as well as added support for TPM 2.0, vTPM, and Virtualization Based Security.
• Module 4 - Universal Application Platform (15 minutes) (Basic) Discover new vSphere capabilities that make it the platform for all applications including the most mission critical.
• Module 5 - Seamless Hybrid Cloud (15 minutes) (Basic) Learn how vSphere 6.7 and VMware Cloud on AWS creates a seamless hybrid cloud experience with easy visibility, migration and management of workloads between on-premises and public cloud.
How to End Lab
To end your lab click on the END button.
Module 3 - Comprehensive Built-in Security (60 minutes)
Introduction
vSphere 6.7 Update 2 builds on the security capabilities in vSphere 6.5 and leverages its unique position as the hypervisor to offer comprehensive security that starts at the core, via an operationally simple policy-driven model.
This module will highlight:
• Support for TPM 2.0 for ESXi – Ensures hypervisor integrity and enables remote host attestation.
• Virtual TPM 2.0 – Provides the necessary support for guest operating system security features while retaining operational features such as vMotion and disaster recovery.
• Enhanced VM Encryption and Cross-vCenter encrypted vMotion – Secures against unauthorized data access both at rest and in motion, across the hybrid cloud.
• Support for VBS – Supports Windows 10 and Windows 2016 security features, like Credential Guard, on vSphere.
• New Security Features in vSphere 6.7 Update 2
Support for New Security Technologies
The goals of security in vSphere 6.7 Update 2 are twofold: introduce more easy-to-use security features, and meet requirements set by customers, IT, and security teams. With vSphere 6.7 Update 2, we have achieved both goals. Let's dive into some of the new features and changes. vSphere 6.7 Update 2 includes support for the latest security features on the market.
TPM 2.0 Support for ESXi
TPM (Trusted Platform Module) is a device on your laptop, desktop or server system. It is used to store encrypted data (keys, credentials, hash values). TPM 1.2 support has been around for many years on ESXi but was primarily used by partners. TPM 2.0 is not backwards compatible with 1.2 and required all new device drivers and API development. The Trusted Computing Group has a great overview on what a TPM is and does.
ESXi's use of TPM 2.0 builds upon our work in 6.5 with Secure Boot. We validate that the system has booted with Secure Boot enabled and we take measurements and store them in the TPM. vCenter reads those measurements and compares them with values reported by ESXi itself. If the values match, then the host has booted with Secure Boot enabled and all the good stuff such as only running signed code and the inability to install unsigned code is assured. vCenter will provide an attestation report in the vCenter web client showing you the status of each host.
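The attestation result described above can also be read with PowerCLI rather than from the client's attestation report. The following is an added example, not code from the lab guide; it assumes a PowerCLI session already connected with Connect-VIServer and uses the Summary.TpmAttestation property and QueryTpmAttestationReport() method of the HostSystem object in the vSphere 6.7 API.

```powershell
# Added example, not code from the lab guide. Assumes PowerCLI is loaded and
# Connect-VIServer has already been run against the vCenter to be checked.
# Summary.TpmAttestation and QueryTpmAttestationReport() are vSphere 6.7 host APIs.
function Get-HostAttestationStatus {
    param(
        # Hosts to check; defaults to every host in the connected vCenter
        [Parameter(ValueFromPipeline = $true)]
        $VMHost = (Get-VMHost)
    )
    process {
        foreach ($h in @($VMHost)) {
            $hs     = $h.ExtensionData            # HostSystem managed object
            $att    = $hs.Summary.TpmAttestation  # $null: no TPM 2.0, or host older than 6.7
            $report = $null
            if ($att) {
                # The PCR values ESXi reported, i.e. what vCenter compared with its own copy
                $report = $hs.QueryTpmAttestationReport()
            }
            [pscustomobject]@{
                Host         = $h.Name
                Status       = if ($att) { $att.Status } else { 'noTpmData' }  # accepted / notAccepted
                CheckedAt    = if ($att) { $att.Time } else { $null }
                Message      = if ($att -and $att.Message) { $att.Message.Message } else { '' }
                PcrsReported = if ($report) { @($report.TpmPcrValues).Count } else { 0 }
                LogReliable  = if ($report) { $report.TpmLogReliable } else { $null }
            }
        }
    }
}

# Hosts that need attention: measurements vCenter did not accept, or no attestation data at all.
# A notAccepted host keeps running workloads, so this is a condition to alarm on, not just to list.
Get-HostAttestationStatus | Where-Object { $_.Status -ne 'accepted' } | Format-Table -AutoSize
```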
Video - ESXi and TPM 2.0 (2:13)
Video: http://www.youtube.com/watch?v=Bfdwpr15A_s
Virtual TPM 2.0 for VMs
In order to support TPMs for virtual machines our engineers created a virtualized TPM 2.0 device. It shows up in Windows as a normal TPM 2.0 device. Like a physical TPM, it can do crypto operations and store credentials. But how do we secure data stored IN the virtual TPM? We write that data to the VM's nvram file and secure that file with VM Encryption. This keeps the data in the vTPM secured and it travels with the VM. If I copy that VM to another datacenter and that datacenter is not configured to talk to my KMS then the data in that vTPM is secured. All the same VM Encryption rules apply.
Note: Only VM home files are encrypted, not VMDKs unless you choose to encrypt them.
Why didn't we use the hardware TPM?
A hardware TPM has many limitations. It is a serial device so it's slow. It has a secured nvram storage size measured in bytes. It's not designed for accommodating 100+ VMs on a host. It won't be able to store all their TPM data on the physical TPM. It would need a scheduler for the crypto operations it does. Imagine 100 VMs trying to encrypt something and depending on a serial device that can only do one at a time?
Even if I could physically store the data, consider a vMotion. I would have to securely remove the data from one physical TPM and copy it to another. And re-sign data with the new TPM's keys. All of these actions are very slow in practice and fraught with additional security issues and requirements.
Note: In order to run virtual TPMs, you will need VM Encryption. That means you will need a 3rd party key management infrastructure in place.
Support for Microsoft Virtualization Based Security
Back in 2015, Microsoft introduced Virtualization Based Security (VBS). We have worked very closely with Microsoft to provide support for these features in vSphere 6.7 Update 2. Let's do a quick overview of what is going on behind the scenes to make this happen.
When you enable VBS on your laptop running Windows 10 the system will reboot and instead of booting Windows 10 directly the system will boot Microsoft's hypervisor. For vSphere, this means the virtual machine that was running Windows 10 directly is now running Microsoft's hypervisor which is now running Windows 10. This is called nested virtualization and it is something that VMware has a HUGE amount of experience with. We have been using nested virtualization in our Hands-On Labs for years.
When you enable VBS at the vSphere level that one checkbox is turning on a number of features.
• Nested virtualization
• IOMMU
• EFI firmware
• Secure Boot
What this will NOT do is enable VBS within the VM's guest OS. For that, you would follow Microsoft guidance. This can be done with PowerShell scripts, Group Policies, etc.
The point is that vSphere's role is to provide the virtual hardware to support enablement of VBS. Combined with a virtual TPM you can now enable VBS and turn on features such as Credential Guard.
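The four virtual-hardware settings listed above can be checked, and the VM-level VBS flag set, from PowerCLI as well. This is an added example and not code from the lab guide; it assumes a PowerCLI session already connected with Connect-VIServer, and reads the vSphere 6.7 API properties vbsEnabled and vvtdEnabled on VirtualMachineFlagInfo, efiSecureBootEnabled on the boot options, nestedHVEnabled and firmware on the VM config.

```powershell
# Added example, not code from the lab guide. Assumes PowerCLI is loaded and
# Connect-VIServer has already been run. vbsEnabled and vvtdEnabled are
# VirtualMachineFlagInfo properties introduced with the vSphere 6.7 API.
function Test-VmVbsReadiness {
    param([Parameter(Mandatory = $true)][string]$Name)
    $cfg = (Get-VM -Name $Name).ExtensionData.Config
    # A vTPM appears as a VirtualTPM device in the VM's hardware list
    $vtpm = @($cfg.Hardware.Device | Where-Object { $_.GetType().Name -eq 'VirtualTPM' }).Count -gt 0
    $r = [pscustomobject]@{
        VM                   = $Name
        EfiFirmware          = ($cfg.Firmware -eq 'efi')
        SecureBoot           = [bool]$cfg.BootOptions.EfiSecureBootEnabled
        NestedVirtualization = [bool]$cfg.NestedHVEnabled
        Iommu                = [bool]$cfg.Flags.VvtdEnabled
        VbsEnabled           = [bool]$cfg.Flags.VbsEnabled   # the vSphere-level VBS checkbox
        VirtualTpm           = $vtpm                          # extra, needed for Credential Guard
        Ready                = $false
    }
    # The four items the vSphere VBS checkbox turns on, as listed in the text
    $r.Ready = $r.EfiFirmware -and $r.SecureBoot -and $r.NestedVirtualization -and $r.Iommu
    return $r
}

function Enable-VmVbs {
    param([Parameter(Mandatory = $true)][string]$Name)
    $vm = Get-VM -Name $Name
    if ($vm.PowerState -ne 'PoweredOff') { throw "$Name must be powered off first" }
    if ($vm.ExtensionData.Config.Firmware -ne 'efi') {
        # Switching an installed BIOS guest to EFI leaves it unbootable, so refuse instead
        throw "$Name is not an EFI VM; VBS needs a guest installed with EFI firmware"
    }
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.NestedHVEnabled = $true
    $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
    $spec.BootOptions.EfiSecureBootEnabled = $true
    $spec.Flags = New-Object VMware.Vim.VirtualMachineFlagInfo
    $spec.Flags.VvtdEnabled = $true
    $spec.Flags.VbsEnabled  = $true
    $vm.ExtensionData.ReconfigVM($spec)   # synchronous; throws if vCenter rejects the spec
    # Guest-side VBS (Credential Guard etc.) is still enabled inside Windows per Microsoft guidance
    Test-VmVbsReadiness -Name $Name
}

# Test-VmVbsReadiness -Name win10
```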
VM Encryption
VMware vSphere® virtual machine encryption (VM encryption) is a feature introduced in vSphere 6.5 to enable the encryption of virtual machines. VM encryption provides security to VMDK data by encrypting I/Os from a virtual machine (which has the VM encryption feature enabled) before it gets stored in the VMDK.
How to Enable VM Encryption for vSphere 6.7
Creating an encrypted virtual machine is faster and uses fewer storage resources than encrypting an existing virtual machine. Encrypt the virtual machine as part of the creation process if possible.
Prerequisites
• Establish a trusted connection with the KMS and select a default KMS.
• Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
• Ensure that the virtual machine is powered off.
• Verify that you have the required privileges:
◦ Cryptographic operations > Encrypt new
◦ If the host encryption mode is not Enabled, you also need Cryptographic operations > Register host.
Procedure
1. Connect to vCenter Server by using the vSphere HTML 5 Client.
2. Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
3. Right-click the object, select New Virtual Machine > New Virtual Machine, and follow the prompts to create an encrypted virtual machine.
Enabling VM Encryption
Check out this video to see how you enable VM encryption on a VM in vSphere 6.7.
Video: http://www.youtube.com/watch?v=JfPvhZ4ii28
Configure HyTrust KMS Server in vCenter Server
In this lesson, we will add (2) HyTrust KMS servers, which allows us to encrypt virtual machines as well as use encrypted vMotion. Without a trust established between the vCenter server and a KMS server, we would not be able to take advantage of the new vSphere 6.7 encryption capabilities.
Launch Google Chrome
If Google Chrome is not already open, perform the following step, otherwise skip this step:
1. Click the Google Chrome icon on the Quick Launch bar.
RegionA
Do the step below if you are opening a new Google Chrome browser window, otherwise you can skip this step:
1. Click on the RegionA folder in the Bookmark Toolbar.
2. Then click on RegionA vSphere Client (HTML).
Log into RegionA vCenter Server
If already logged into the RegionA vCenter server, you can skip the below steps. If you aren't, complete the following steps:
1. Click the checkbox to the left of "Use Windows session authentication". (Note: If the checkbox is greyed out, refresh the browser)
2. Click on the Login button.
Menu Drop-down
1. Click on the Menu drop-down icon at the top of the screen.
2. Then select Global Inventory Lists from the Menu drop-down menu.
Select vCenter Server
1. Click on vCenter Servers from the Global Inventory List.
vcsa-01a.corp.local
1. Click on the vcsa-01a.corp.local vCenter Server.
Add HyTrust Key Manager (KMS) Server
In order to use any type of encryption in vSphere, we must first have a Key Management Server (KMS) up and running. Then we have to add at least (1) KMS server to vCenter server and configure the trust relationship between the KMS and vCenter servers. So the first thing we need to do is add a KMS server to vCenter. Perform the following tasks to accomplish this:
1. Click on the Configure tab in the content pane.
2. Click on Key Management Servers under the More category.
3. Click ADD in the content pane to add a KMS server.
vcsa-01a.corp.local - Add KMS
1. Type HOL-KMS-01a in the New cluster name text field.
2. Type kms-01a in the Server name text field.
3. Type kms-01a.corp.local in the Server address text field.
4. Then type 5696 in the Server port text field.
5. Now click the ADD button.
kms-01a.corp.local - Trust
1. Click on the TRUST button in the Make vCenter Trust KMS pop-up window.
Make KMS Trust vCenter
We see that the HyTrust KMS server is showing its Connection State with nothing in it, so at this point we need to finish setting up the trust between the vCenter server and the HyTrust KMS server.
To create the trust relationship between the HyTrust KMS Server and the vCenter server:
1. Select the radio button next to the kms-01a KMS server name.
2. Click on the MAKE KMS TRUST VCENTER link.
KMS Certificate and Private Key
1. Select the radio button next to KMS certificate and private key.
2. Click on the NEXT button.
Import KMS Certificate and Private Key
1. Click on the Upload file button at the top half of the pop-up window.
Select Certificate
We have already downloaded this certificate PEM file from the HyTrust KMS server web interface.
1. Browse to the following path "C:\labfiles\HOL-2011\KMIPvcsa01a\"
2. Select the KMIPvcsa01a.pem file.
3. Click on the Open button.
NOTE: Make sure that you selected the KMIPvcsa01a.pem file from the KMIPvcsa01a folder and not from the KMIPvcsa01b folder!
Upload Certificate
1. Click on the Upload file button.
Select Certificate
We have already downloaded this certificate PEM file from the HyTrust KMS server web interface.
1. Browse to the following path "C:\labfiles\HOL-2011\KMIPvcsa01a\"
2. Select the KMIPvcsa01a.pem file.
3. Click on the Open button.
NOTE: Make sure that you selected the KMIPvcsa01a.pem file from the KMIPvcsa01a folder and not from the KMIPvcsa01b folder!
Establish Trust
1. Click on the ESTABLISH TRUST button.
Confirm Trust and Connection Status
To validate a trust relationship has been established between the HyTrust KMS Server and the vCenter server:
1. Verify that it shows the HyTrust KMS server with a status of Connected under the Connection State column and it says Valid under the vCenter Certificate Status column.
Configure HyTrust KMS Server in vCenter Server - Complete
You have completed the first lesson "Configure HyTrust KMS Server in vCenter Server" in this module!
We have completed this lesson of adding a HyTrust KMS server and creating the associated trusts between it and the vCenter server.
Encrypt VMs Using HyTrust KMS Server
In this lesson, we will encrypt a virtual machine using a HyTrust KMS server that is already installed. We will use the vSphere Web Client (HTML5) to do the encrypting and decrypting of the virtual machine.
Menu Drop-down
Let's first look at the Policies and Profiles section of vCenter to look at the default VM Encryption Policies:
1. Click on the Menu icon at the top of the page.
2. Select Policies and Profiles from the Menu drop-down.
Default VM Encryption Policies
1. Click on VM Storage Policies from the Navigation pane.
2. We see that there are already (2) VM Encryption Policies, where there is one on each of the vCenter servers by default.
NOTE: Although VMware creates default VM Encryption Policies automatically, you can also create your own policies if you wish.
Default Encryption Properties
1. Click on the Storage Policy Components in the Navigation pane.
2. We see both Default encryption properties components listed, one for each vCenter server.
3. We also see a description in the bottom of the Content pane.
Menu Drop-down
At this point, let's return to the Hosts and Clusters view so we can start the process of encrypting the core-01a virtual machine:
1. Click on the Menu icon at the top of the page.
2. Select Hosts and Clusters from the Menu drop-down.
Select core-01a
We are now going to encrypt the core-01a virtual machine. To do this, perform the following steps:
1. Right-click on the core-01a virtual machine in the left Navigation Pane.
2. Click on VM Policies from the drop-down menu.
3. Then click on Edit VM Storage Policies from the VM Policies drop-down menu.
core-01a - Edit VM Storage Policies
Here we see there are a few default policies that VMware has created already, but we will be selecting the VM Encryption Policy specifically by doing the following:
1. Click on the arrow in the VM storage policy drop-down menu and select VM Encryption Policy.
2. Then click on the Configure per disk slider to enable it.
NOTE: In this lab exercise, we are encrypting all the components of the virtual machine. But as we can see, we have the option to select to encrypt just the VM Home folder or the Hard disk 1. In order to encrypt just one item, you must click on the slider in the upper right-hand corner of the window to allow you to select an individual item.
core-01a - Configure Per Disk
We see that once we enabled the Configure per disk option, the VM Home folder and Hard disk 1 are no longer grayed out and we can manage policies individually.
1. Temporarily click on the drop-down for Hard disk 1 and select VM Encryption Policy. We now see how to individually assign policies for both components of the virtual machine. After reviewing the options, return it to the Datastore Default option.
NOTE: In this lab exercise, we are encrypting all the components of the virtual machine. But as we can see, we have the option to select to encrypt just the VM Home folder or the Hard disk 1.
core-01a - Edit VM Storage Policies
1. Click on the slider to turn off Configure per disk.
2. Click on the arrow in the VM storage policy drop-down menu and select VM Encryption Policy if it isn't already selected.
3. Then click on the OK button.
core-01a - Verify VM Storage Policy Compliance
While still having core-01a selected in the Navigation pane, perform the following steps:
1. In the content pane for core-01a, use the scroll bar to get to the bottom of the page until you see the VM Storage Policies widget.
2. If needed, click on the arrow in the upper right-hand corner of the VM Storage Policies widget to open it up.
3. We should now see that the VM Encryption Policy has been assigned to the virtual machine and is also compliant, which is represented by a green checkmark.
core-01a - Not Compliant (if needed)
If for any reason the VM Storage Policy widget has no information in it after a minute or two or says that it is not compliant, perform the following step:
1. Click on the Check Compliance link to update the compliance information.
NOTE: After clicking on the Check Compliance link, it should update the information in less than a minute and show compliant. If the status doesn't change, try refreshing the web browser window. After that, if it still hasn't updated to reflect correctly, raise your hand for assistance either in the Hands On Lab interface or physically raise your hand to get a proctor's attention.
Select core-01a
We are now going to decrypt the core-01a virtual machine. To do this, perform the following steps:
1. Right-click on the core-01a virtual machine in the left Navigation Pane.
2. Click on VM Policies.
3. Select Edit VM Storage Policies.
core-01a - Edit VM Storage Policies
1. Click on the arrow in the VM storage policy drop-down menu and select Datastore Default.
2. Then click on the OK button.
core-01a - Verify VM Decrypted
1. Click on the Check Compliance link to update the compliance information.
2. We should now see that the VM Encryption Policy is no longer listed.
NOTE: After clicking on the Check Compliance link, it should update the information in less than a few minutes and show the VM Storage Policy widget empty now. If the status doesn't change, REFRESH the web browser window and recheck the VM Storage Policies widget. If it is still showing an encryption policy, raise your hand for assistance either in the Hands On Lab interface or physically raise your hand to get a proctor's attention.
Encrypt VM Using HyTrust KMS Server - Complete
In this lesson, we applied the VM Encryption Policy to the core-01a virtual machine using the vSphere Web Client. After we applied the policy, it showed that the virtual machine was compliant with the VM Encryption Policy. Then we went through the same steps to remove the encryption policy from the core-01a virtual machine. Once we completed that task, we could see the VM Storage Policy widget went back to a blank widget. This was an expected behavior and means we successfully removed the encryption on the virtual machine's files.
Using the vSphere Web Client is not the only method of encrypting or decrypting a virtual machine. We can also use PowerCLI commands to do the same actions to a single virtual machine or to numerous virtual machines at once, in a more efficient manner. If changing the encryption status of a large number of virtual machines at once, the best practice would be to use the PowerCLI commands to do so.
In an upcoming lesson, we will discuss the use of PowerCLI for the various encryption related tasks in more detail. Also, later in this module, we will actually encrypt and decrypt virtual machines using the PowerCLI commands.
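The following is an added example of the PowerCLI route mentioned above, not code from the lab guide. It assumes a PowerCLI session (with the VMware.VimAutomation.Storage module) already connected with Connect-VIServer, the bundled "VM Encryption Policy" sample policy, and the vSphere API's CryptoManagerKmip.kmipServers list and config.keyId / disk backing keyId properties to confirm what the policy actually did.

```powershell
# Added example, not code from the lab guide. Assumes PowerCLI (including the
# VMware.VimAutomation.Storage module) is loaded and Connect-VIServer has been run.
# 'VM Encryption Policy' is the bundled sample policy the lesson applies in the client.
function Set-VmEncryptionPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        # Storage policy to apply; a policy without the encryption component reverts the VM
        [string]$PolicyName = 'VM Encryption Policy'
    )
    $vm = Get-VM -Name $Name
    if ($vm.PowerState -ne 'PoweredOff') {
        throw "$Name must be powered off before its encryption policy is changed"
    }
    # Same precondition as the client: vCenter needs a default KMS cluster to request keys from
    $si  = Get-View ServiceInstance
    $kms = @((Get-View $si.Content.CryptoManager).KmipServers | Where-Object { $_.UseAsDefault })
    if ($kms.Count -eq 0) { throw 'No default KMS cluster is configured in vCenter' }

    $policy = Get-SpbmStoragePolicy -Name $PolicyName
    # One policy for VM Home and every virtual disk, i.e. 'Configure per disk' switched off
    $targets = @(Get-SpbmEntityConfiguration -VM $vm) +
               @(Get-SpbmEntityConfiguration -HardDisk (Get-HardDisk -VM $vm))
    Set-SpbmEntityConfiguration -Configuration $targets -StoragePolicy $policy | Out-Null
    Get-VmEncryptionState -Name $Name
}

function Get-VmEncryptionState {
    param([Parameter(Mandatory = $true)][string]$Name)
    $vm  = Get-VM -Name $Name
    $cfg = $vm.ExtensionData.Config
    $disks = foreach ($d in ($cfg.Hardware.Device | Where-Object { $_.GetType().Name -eq 'VirtualDisk' })) {
        # A disk backing carries keyId only once that VMDK is actually encrypted
        [pscustomobject]@{ Disk = $d.DeviceInfo.Label; Encrypted = ($null -ne $d.Backing.KeyId) }
    }
    # Equivalent of the widget's Check Compliance link
    $home = Get-SpbmEntityConfiguration -VM $vm -CheckComplianceNow
    [pscustomobject]@{
        VM            = $Name
        HomeEncrypted = ($null -ne $cfg.KeyId)   # config.keyId is set only for an encrypted VM Home
        KeyProvider   = if ($cfg.KeyId) { $cfg.KeyId.ProviderId.Id } else { $null }
        HomePolicy    = if ($home.StoragePolicy) { $home.StoragePolicy.Name } else { 'Datastore Default' }
        Compliance    = $home.ComplianceStatus
        Disks         = $disks
    }
}

# Set-VmEncryptionPolicy -Name core-01a     # encrypt, as the lesson does in the client
# Get-VmEncryptionState  -Name core-01a     # verify before and after
```

Checking HomeEncrypted and each disk's Encrypted flag, not just Compliance, is what tells you the files were re-keyed rather than merely tagged with a policy.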
Set VM to Encrypted vMotion Mode
In this lesson, we will walk through the steps to set up a virtual machine to use Encrypted vMotion Mode. We will show the process of configuring it from within the vSphere Web Client. However, we will NOT be actually performing a vMotion action in the lab environment due to resource limitations. Not to mention, we can't actually "see" that the virtual machine does a vMotion action and is encrypted.
core-01a - Edit Settings
1. Right-click on the virtual machine named core-01a.
2. Select Edit Settings from the drop-down menu.
NOTE: The list of virtual machines may be slightly different in the lab environment from what is in the screen capture.
core-01a - VM Options
In the following lab steps, we will go through the steps of setting up Encrypted vMotion, but we won't actually go through with completing the steps since we can't actually see that a vMotion action is encrypted. Not to mention, this helps reduce the amount of required resources in the labs.
1. Click on the VM Options tab in the pop-up window.
2. Click on the arrow next to Encryption to expand it and show the Encrypt VM and Encrypted vMotion settings.
3. We see that we can select either None or VM Encryption Policy from here, which shows us another way to set the encryption on a virtual machine other than in the Policies and Profiles section.
core-01a - Encrypted vMotion
As a side note, if the virtual machine settings are already set to encrypted, then it will automatically use encrypted vMotion. But we see that we have (3) options for Encrypted vMotion.
1. Since the VM was previously encrypted, the Encrypted vMotion setting is already set to Required but can be changed.
2. Click on the CANCEL button since we don't need to actually make the changes since we won't be doing an actual vMotion action.
core-01a - Migrate
In the next few steps, we won't actually complete the vMotion action since we can't actually see that a vMotion action is encrypted. Not to mention, this helps reduce the amount of required resources in the lab environment.
1. Right-click on the virtual machine named core-01a.
2. Select Migrate from the drop-down menu.
core-01a - Select a Migration Type
1. Keep the default setting Change compute resource only radio button, then click on the NEXT button.
core-01a - Select a compute resource
Currently, the core-01a virtual machine should be on esx-02a.corp.local, so we would migrate it to esx-01a.corp.local.
1. Select the esx-01a.corp.local host to migrate to.
2. Verify it says Compatibility checks succeeded under Compatibility.
3. Then click on the Next button.
core-01a - Select Networks
1. Verify it says Compatibility checks succeeded under Compatibility.
2. Keep the default network selected and click on the Next button.
core-01a - Ready to Complete
NOTE: We are not actually performing the vMotion action for the following reasons:
• Being a lab environment, we want to reduce the resources used for actions like vMotion.
• And finally, we can't really see that the vMotion is encrypted unless we were using a packet sniffer in between the hosts. So essentially there is no point in performing the encrypted vMotion activity.
To finish the last step:
1. We would then review the information to ensure all of the selections we selected are correct.
2. Since this is a lab environment, select the CANCEL button so we don't initiate the vMotion task. Normally we would select the Finish button in a true production environment.
Set VM to Encrypted vMotion Mode - Complete
That completes this lesson on setting virtual machines to enable encrypted vMotion. We learned that no matter if a virtual machine is already encrypted or not, the virtual machine can be encrypted on the source host and then decrypted on the destination host. We also learned that Encrypted vMotion requires no additional settings when the virtual machine is already encrypted. However, when the virtual machine is not encrypted already, we can manually select to encrypt it just to perform a vMotion from one host to another if we wish.
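The Encrypted vMotion setting walked through in this lesson is the migrateEncryption property of the VM configuration, so it can be audited and set for many VMs at once. The following is an added example, not code from the lab guide; it assumes a PowerCLI session already connected with Connect-VIServer and uses the vSphere API's VirtualMachineConfigSpec.migrateEncryption with its three values disabled, opportunistic and required, which correspond to the client's three options.

```powershell
# Added example, not code from the lab guide. Assumes PowerCLI is loaded and
# Connect-VIServer has been run. migrateEncryption takes the API enum values
# disabled / opportunistic / required (the client's Disabled / Opportunistic / Required).
function Get-VmEncryptedVMotionMode {
    param([Parameter(Mandatory = $true)][string]$Name)
    $cfg = (Get-VM -Name $Name).ExtensionData.Config
    [pscustomobject]@{
        VM            = $Name
        Mode          = $cfg.MigrateEncryption     # disabled / opportunistic / required
        HomEncrypted  = ($null -ne $cfg.KeyId)     # an encrypted VM is expected to show 'required'
    }
}

function Set-VmEncryptedVMotionMode {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)]
        [ValidateSet('disabled', 'opportunistic', 'required')][string]$Mode
    )
    $vm   = Get-VM -Name $Name
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.MigrateEncryption = $Mode
    $vm.ExtensionData.ReconfigVM($spec)   # synchronous; throws if vCenter rejects the change
    Get-VmEncryptedVMotionMode -Name $Name
}

# Audit: VMs not pinned to 'required'. 'opportunistic' falls back to an unencrypted
# migration when a host cannot encrypt, and 'disabled' never encrypts the stream.
# Get-VM | ForEach-Object { Get-VmEncryptedVMotionMode -Name $_.Name } |
#     Where-Object { $_.Mode -ne 'required' }
# Set-VmEncryptedVMotionMode -Name core-01a -Mode required
```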
Configure Windows 10 for VBS
In this lesson, we will show how to enable Virtualization-Based Security (VBS) on a Windows 10 virtual machine.
Launch Google Chrome
If Google Chrome is not already open, perform the following step, otherwise you can skip this step:
1. Click the Google Chrome icon on the Quick Launch bar.
RegionA
Do the step below if you are opening a new Google Chrome browser window, otherwise you can skip this step:
1. Click on the RegionA folder in the Bookmark Toolbar.
2. Then click on RegionA vSphere Client (HTML).
Log into RegionA vCenter Server
If you are still logged into the RegionA vCenter server, you can skip this step. Otherwise, complete the below steps:
1. Click the checkbox next to "Use Windows session authentication".
2. Then click the Login button.
Hosts and Clusters
1. Click on the Hosts and Clusters icon in the Navigation pane.
2. If need be, click on the arrow next to the vcsa-01b.corp.local vCenter server and expand everything until you see the list of virtual machines.
win10 - Power Off
1. Right-click on the win10 virtual machine in the Navigation pane.
2. Click on Power from the drop-down menu.
3. Then click on Power Off from the Power drop-down menu.
win10 - Confirm Power Off
1. Click on the YES button in the pop-up window to confirm power off.
win10 - Edit Settings
1. Right-click on the win10 virtual machine in the Navigation pane.
2. Then click on Edit Settings.
win10 - Enable Secure Boot
We are now going to verify that Secure Boot is enabled for the win10 virtual machine. If it isn't, make sure you select the check box to enable Secure Boot.
1. Click on VM Options in the Edit Settings window.
2. Expand Boot Options.
3. Click on the Enabled check box to enable Secure Boot.
4. Click OK.
win10 - Power On
1. Right-click on the win10 virtual machine in the Navigation pane.
2. Click on Power from the drop-down menu.
3. Then click on Power On from the Power drop-down menu.
win10 - VMs
1. Click on the VMs and Templates icon in the Navigation pane.
2. Click on the vcsa-01b.corp.local vCenter server in the Navigation pane.
3. Then click on the VMs tab in the Content pane.
win10 - Show/Hide Columns
1. Click on the down-arrow in the column heading.
2. Click on Show/Hide Columns.
3. Then scroll all the way to the bottom of the list using the scroll bar.
4. Check the box to enable the TPM and VBS columns.
5. Click anywhere in the blank area to get rid of the drop-down menu so you can see the TPM column now.
win10 - VBS Column
1. We now see that the VBS column shows Not Present for the win10 virtual machine.
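The Show/Hide Columns view shows these settings one VM at a time. The following PowerCLI script is an added example, not part of the lab guide: it reports the firmware, Secure Boot, VBS and vTPM state for every VM in the connected vCenter, together with the VM Encryption and encrypted vMotion state, and then lists any VM whose settings are inconsistent. It assumes PowerCLI is loaded and Connect-VIServer has already been run against the lab vCenter; the function name is my own.

```powershell
# Added example, not from the lab guide. Assumes PowerCLI is loaded and
# Connect-VIServer has already been run against the lab vCenter.
function Get-VmSecurityPosture {
    param([string]$Name = '*')   # Get-VM accepts wildcards

    foreach ($vm in Get-VM -Name $Name) {
        $cfg = $vm.ExtensionData.Config   # raw vSphere API VirtualMachineConfigInfo

        [pscustomobject]@{
            VM               = $vm.Name
            Firmware         = $cfg.Firmware                               # 'bios' or 'efi'
            SecureBoot       = [bool]$cfg.BootOptions.EfiSecureBootEnabled
            VBS              = [bool]$cfg.Flags.VbsEnabled                 # the "VBS" column in the client
            vTPM             = [bool]($cfg.Hardware.Device |
                                   Where-Object { $_ -is [VMware.Vim.VirtualTPM] })   # the "TPM" column
            Encrypted        = $null -ne $cfg.KeyId                        # VM Encryption key assigned
            EncryptedVMotion = $cfg.MigrateEncryption                      # disabled / opportunistic / required
        }
    }
}

$posture = Get-VmSecurityPosture
$posture | Sort-Object VM | Format-Table -AutoSize

# Consistency checks: VBS requires EFI firmware with Secure Boot, and a vTPM
# requires the VM's home files to be encrypted (its NVRAM is protected with the
# VM's key), so either combination below points at a VM that needs attention.
$posture | Where-Object {
    ($_.VBS -and -not ($_.Firmware -eq 'efi' -and $_.SecureBoot)) -or
    ($_.vTPM -and -not $_.Encrypted)
} | Format-Table VM, Firmware, SecureBoot, VBS, vTPM, Encrypted -AutoSize
```

Run it after enabling Secure Boot on win10 to confirm the change landed, and again after Module 3's VM Encryption steps to see the KeyId and MigrateEncryption fields change.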
win10 - Launch Web Console
1. Click on the Hosts and Clusters icon in the Navigation pane.
2. Click on the win10 virtual machine in the Navigation pane.
3. Click on the Summary tab.
4. Then click on the Launch Web Console link to open a console window for the virtual machine.
win10 - Launch Console
1. Click "OK" to launch the Web Console.
win10 - Desktop
1. Click anywhere on the desktop to bring up the Login screen.
win10 - Login
1. Type VMware1! into the Password text field.
2. Then click on the arrow icon to log into the virtual machine.
win10 - Launch PowerShell (Admin)
1. Right-click on the Windows icon in the lower left-hand corner of the desktop.
2. Then click on Windows PowerShell (Admin) in the menu.
PowerShell - Set-ExecutionPolicy
We first need to set the execution policy so that the DG_Readiness_Tool_v3.5.ps1 script is allowed to run.
1. Type the following command in the PowerShell window to change the execution policy.
Set-ExecutionPolicy Unrestricted
2. When prompted to confirm, type the following to apply the change to all (Yes to All).
A
Note: the execution policy is a guard against running scripts by accident, not a security boundary, and Unrestricted is what this lab uses for simplicity. On a production machine, limit the change to the current session instead (Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted), or run the single script with powershell.exe -ExecutionPolicy Bypass -File DG_Readiness_Tool_v3.5.ps1, so the machine-wide policy is left as it was.
PowerShell - Change Directory & Run Script
1. Type the following command in the PowerShell to change directory location.
cd C:\DG_Readiness_Tool_v3.5\
2. Type the following command in the PowerShell window to run the DG Readiness Tool script.
./DG_Readiness_Tool_v3.5.ps1 -Capable -DG -CG -HVCI
PowerShell - Script Output
1. The output of the DG Readiness Tool script shows that Secure Boot is enabled for the win10 virtual machine. This is a requirement for enabling VBS.
Configure Windows 10 for VBS - Complete
In this lesson, we verified the win10 virtual machine's settings for EFI firmware, Secure Boot, and Virtualization Based Security (VBS).
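The DG Readiness Tool is a downloaded script; the same prerequisites can be read from inside the guest with built-in Windows 10 cmdlets and the DeviceGuard WMI class. The following function is an added example, not part of the lab guide or of the DG Readiness Tool, and is meant to be run from the elevated PowerShell window opened above. It reports whether the guest booted under UEFI with Secure Boot, whether a TPM (here the vTPM) is present and ready, and whether VBS, Credential Guard and HVCI are configured and actually running. The function name is my own.

```powershell
# Added example, not from the lab guide. Run from an elevated PowerShell
# inside the win10 guest; uses only cmdlets and WMI classes shipped with Windows 10.
function Get-VbsReadiness {
    # Confirm-SecureBootUEFI throws on BIOS firmware ("not supported on this
    # platform"), so a failure here means the guest did not boot via UEFI.
    try   { $secureBoot = Confirm-SecureBootUEFI; $uefi = $true }
    catch { $secureBoot = $false;                 $uefi = $false }

    # Get-Tpm returns $null when no TPM device is exposed to the guest.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # root\Microsoft\Windows\DeviceGuard distinguishes what VBS is configured to
    # do from what is running. Service codes: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

    [pscustomobject]@{
        UefiFirmware            = $uefi
        SecureBootEnabled       = $secureBoot
        TpmPresent              = [bool]$tpm -and $tpm.TpmPresent
        TpmReady                = [bool]$tpm -and $tpm.TpmReady
        VbsStatus               = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured = 1 -in $dg.SecurityServicesConfigured
        CredentialGuardRunning  = 1 -in $dg.SecurityServicesRunning
        HvciConfigured          = 2 -in $dg.SecurityServicesConfigured
        HvciRunning             = 2 -in $dg.SecurityServicesRunning
        # VBS needs a UEFI guest with Secure Boot on; the VM-side VBS flag from
        # Edit Settings is what lets the guest hypervisor start at all.
        ReadyForVbs             = $uefi -and $secureBoot
    }
}

Get-VbsReadiness | Format-List
```

A guest can report ReadyForVbs as true while the VBS column in the vSphere Client still shows Not Present; the column reflects the VM's hardware setting, and VBS only runs once both the VM flag and the Windows-side policy (Device Guard or Credential Guard) are enabled and the guest has rebooted.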
FIPS 140-2 Validated Cryptographic Modules by Default
Within vSphere (vCenter Server and ESXi) systems, two modules are used for cryptographic operations. The VMware Kernel Cryptographic Module is used by the VM Encryption and Encrypted vSAN features; the OpenSSL module is used for functions such as certificate generation and TLS connections. These two modules have passed FIPS 140-2 validation. Customers have asked whether vSphere is FIPS Certified. FIPS Certified applies to a full solution of hardware and software that is tested and configured together. VMware has made it much easier for our partners to certify vSphere systems for FIPS operations. Cryptographic operations in vSphere systems are performed using the highest standards because all FIPS 140-2 cryptographic operations are enabled by default.
Conclusion
vSphere 6.7 Update 2 enables organizations to implement new security features and makes it easier to comply with regulatory requirements and secure your environment from threats. Please check out the lab HOL-2011-03-SDC - vSphere Security - Getting Started for a deeper dive into all the new features.
You've finished Module 3!
Congratulations on completing Module 3!
To review more info on the security features please use the links below:
• vSphere 6.7 Security Guide
• Encrypting and Decrypting a Virtual Machine
• Configuring TPM 2.0
• Prepping an ESX Host for Secure Boot
• Mike Foley's Blog - ESXi & TPM
• Or use your smart device to scan the QRC Code.
Proceed to any module below which interests you most.
• Module 1 - vSphere 6.7 Overview (15 minutes) (Basic) Brief overview of what's new in the vSphere 6.7 release.
• Module 2 - Simple and Efficient Management at Scale (60 minutes) (Basic) Explore improvements and new features in ESXi and vCenter Server management and lifecycle.
• Module 3 - Comprehensive Built-in Security (60 minutes) (Basic) Experience the improved VM Encryption workflow as well as added support for TPM 2.0, vTPM, and Virtualization Based Security.
• Module 4 - Universal Application Platform (15 minutes) (Basic) Discover new vSphere capabilities that make it the platform for all applications including the most mission critical.
• Module 5 - Seamless Hybrid Cloud (15 minutes) (Basic) Learn how vSphere 6.7 and VMware Cloud on AWS create a seamless hybrid cloud experience with easy visibility, migration and management of workloads between on-premises and public cloud.
How to End Lab
To end your lab click on the END button.
Module 4 - Universal Application Platform (15 minutes)
Introduction
vSphere 6.7 Update 2 is a universal application platform that supports new workloads (including 3D Graphics, Big Data, HPC, Machine Learning, In-Memory, and Cloud-Native) as well as existing mission critical applications. It also supports and leverages some of the latest hardware innovations in the industry, delivering exceptional performance for a variety of workloads.
This module will highlight:
• Enhancements for Nvidia GRID™ vGPUs – Improves host lifecycle management and reduces end-user disruption.
• vSphere Persistent Memory – Significantly enhances performance for existing and new apps.
• vSphere Integrated Containers 1.3 – Delivers the easiest way to bring containers to an existing vSphere environment.
• Instant Clone – Reduces provisioning times, especially beneficial for scale-out applications.
NVIDIA Grid: Optimize GPU Usage For VM on vSphere 6.7 Servers
Learn how to optimize GPU usage for virtual machines on vSphere Servers. When you enable 3D graphics, you can select a hardware or software graphics renderer and optimize the graphics memory allocated to the virtual machine. You can increase the number of displays in multi-monitor configurations and change the video card settings to meet your graphics requirements.
Video - Optimize GPU Usage (3:24)
Video link: http://www.youtube.com/watch?v=PwVReRauY50
Persistent Memory
With vSphere Persistent Memory, customers using supported hardware servers can get the benefits of ultra-high-speed storage: DRAM-like speeds at flash-like prices. The following diagram shows the convergence of memory and storage.
Technology at the top of the pyramid (comprised of DRAM and the CPU cache and registers) has the shortest latency (best performance) but this comes at a higher cost relative to the items at the bottom of the pyramid. All of these components are accessed directly by the application, also known as load/store access.
Technology at the bottom of the pyramid, represented by magnetic media (HDDs and tape) and NAND flash (represented by SSDs and PCIe workload accelerators), has longer latency and lower cost relative to the technology at the top of the pyramid. These technology components use block access, meaning data is transferred in blocks and the application does not access the media directly.
PMEM is a new layer called Non-Volatile Memory (NVM) that sits between NAND flash and DRAM, providing faster performance relative to NAND flash while also providing the non-volatility not typically found in traditional memory offerings. This technology layer provides the performance of memory with the persistence of traditional storage.
Enterprise applications can be deployed in virtual machines which are exposed to PMEM datastores. PMEM datastores are created from NVM storage attached locally to each server. Performance benefits can then be attained as follows:
• vSphere can allocate a piece of the PMEM datastore and present it to the virtual machine as a disk, a virtual persistent memory disk which is used as an ultra-fast disk. In this mode, no guest OS or application change is required.
• vSphere can allocate a piece of the PMEM datastore in a server and present it to a virtual machine as a virtual NVDIMM. This type of virtual device exposes byte-addressable persistent memory to the virtual machine.
◦ Virtual NVDIMM is compatible with the latest guest operating systems which support persistent memory. Applications do not change and experience faster file access as the modified OS filesystem bypasses the buffer cache.
◦ Applications can be modified to take advantage of PMEM and experience the highest increase in performance via direct and uninterrupted access to hardware.
Applications deployed on PMEM-backed datastores can benefit from live migration (VMware vMotion) and VMware DRS, which is not possible with PMEM in physical deployments.
Remote Direct Memory Access
vSphere 6.7 Update 2 introduces new protocol support for Remote Direct Memory Access (RDMA) over Converged Ethernet, or RoCE (pronounced "rocky") v2, a new software Fibre Channel over Ethernet (FCoE) adapter, and iSCSI Extensions for RDMA (iSER). These features enable customers to integrate with even more high-performance storage systems, providing more flexibility to use the hardware that best complements their workloads.
RDMA support is enhanced with vSphere 6.7 Update 2 to bring even more performance to enterprise workloads by leveraging kernel and OS bypass, reducing latency and dependencies. This is illustrated in the diagram below.
When virtual machines are configured with RDMA in pass-through mode, the workload is tied to a physical host with no DRS capability, i.e. no ability to vMotion. However, customers who want to harness the power of vMotion and DRS and still experience the benefits of RDMA, albeit at a very small performance penalty, can do so with paravirtualized RDMA (PVRDMA). With PVRDMA, applications can run even in the absence of a Host Channel Adapter (HCA) card. RDMA-based applications can be run in ESXi guests while ensuring virtual machines can be live migrated.
Use cases for this technology include distributed databases, financial applications, and Big Data.
Summary
vSphere 6.7 continues to showcase VMware's technological leadership and collaboration with our partners by adding support for a key industry innovation to significantly enhance performance for existing and new apps.
Video - vSphere Persistent Memory (2:43)
Video link: http://www.youtube.com/watch?v=wI5G6RmtyLo
vSphere Integrated Containers
vSphere Integrated Containers enables IT teams to seamlessly run traditional workloads and container workloads side-by-side on existing vSphere infrastructure.
The solution is delivered as an appliance that comprises the following major components:
• vSphere Integrated Containers Engine, a container runtime for vSphere that allows you to provision containers as virtual machines, offering the same security and functionality of virtual machines in VMware ESXi™ hosts or vCenter Server® instances.
• vSphere Integrated Containers Plug-In for vSphere Client, that provides information about your vSphere Integrated Containers setup and allows you to deploy virtual container hosts directly from the vSphere Client.
• vSphere Integrated Containers Registry (Harbor), an enterprise-class container registry server that stores and distributes container images. vSphere Integrated Containers Registry extends the Docker Distribution open source project by adding the functionality that an enterprise requires, such as security, identity and management.
• vSphere Integrated Containers Management Portal, a container management portal, built on the VMware Admiral project, that provides a UI for DevOps teams to provision and manage containers, including the ability to obtain statistics and information about container instances. Management Portal administrators can manage container hosts and apply governance to their usage, including capacity quotas and approval workflows. Management Portal administrators can create projects, and assign users and resources such as registries and virtual container hosts to those projects.
All components run on Photon OS 2.0. These components currently support the Docker image format. vSphere Integrated Containers is entirely Open Source and free to use!
For an introduction to containers, Docker, and container registries watch the videos on the VMware Cloud-Native YouTube Channel.
Cloning a Virtual Machine with Instant Clone
You can use the Instant Clone technology to create powered-on virtual machines from the running state of another powered-on virtual machine. The result of an Instant Clone operation is a new virtual machine that is identical to the source virtual machine. With Instant Clone you can create new virtual machines from a controlled point in time. Instant cloning is very convenient for large-scale application deployments because it ensures memory efficiency and allows for creating numerous virtual machines on a single host.
The result of an Instant Clone operation is a virtual machine that is called a destination virtual machine. The processor state, virtual device state, memory state, and disk state of the destination virtual machine are identical to those of the source virtual machine. To avoid network conflicts, you can customize the virtual hardware of the destination virtual machine during an Instant Clone operation. For example, you can customize the MAC addresses of the virtual NICs or the serial and parallel port configurations of the destination virtual machine. vSphere 6.7 does not support customization of the guest OS of the destination virtual machine. For information about manual guest OS customization, see the vSphere Web Services SDK Programming Guide.
During an Instant Clone operation, the source virtual machine is stunned for a short period of time, less than 1 second. While the source virtual machine is stunned, a new writable delta disk is generated for each virtual disk and a checkpoint is taken and transferred to the destination virtual machine. The destination virtual machine then powers on by using the source's checkpoint. After the destination virtual machine is fully powered on, the source virtual machine also resumes running.
Instant Cloned virtual machines are fully independent vCenter Server inventory objects. You can manage Instant Cloned virtual machines like regular virtual machines without any restrictions.
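Instant Clone is driven through the vSphere API rather than the client UI. The following PowerCLI script is an added example, not part of the lab guide, showing the operation described above: it instant-clones a powered-on source VM and, because the destination otherwise starts with the source's exact device state, rewrites every NIC to its own static MAC address before the clone powers on. It assumes an open Connect-VIServer session; the source and clone names are assumptions.

```powershell
# Added example, not from the lab guide: instant-clone a running VM through the
# vSphere API from PowerCLI and give the clone its own MAC addresses.
# Assumes an open Connect-VIServer session; VM and clone names are assumptions.
param(
    [string]$SourceName = 'core-01a',
    [string]$CloneName  = 'core-01a-ic01',
    [int]   $CloneIndex = 1               # used to derive a unique static MAC per clone
)

$src = Get-VM -Name $SourceName
if ($src.PowerState -ne 'PoweredOn') {
    throw "Instant Clone needs a powered-on source; $SourceName is $($src.PowerState)"
}
$srcView = $src.ExtensionData

$spec = New-Object VMware.Vim.VirtualMachineInstantCloneSpec
$spec.Name            = $CloneName
$spec.Location        = New-Object VMware.Vim.VirtualMachineRelocateSpec
$spec.Location.Folder = $srcView.Parent   # keep the clone in the source's folder

# The destination inherits the source's NICs, MAC addresses included. Rewrite each
# NIC to a static address in VMware's manual range (00:50:56:00:00:00 to
# 00:50:56:3F:FF:FF) so the clone never answers to the source's address.
$nicChanges = foreach ($dev in $srcView.Config.Hardware.Device) {
    if ($dev -isnot [VMware.Vim.VirtualEthernetCard]) { continue }
    $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
    $change.Operation = 'edit'
    $change.Device    = $dev
    $change.Device.AddressType = 'manual'
    # Clone index plus device key keeps the address unique per clone and per NIC.
    $change.Device.MacAddress  = '00:50:56:3f:{0:x2}:{1:x2}' -f ($CloneIndex -band 0xff), ($dev.Key -band 0xff)
    $change
}
if ($nicChanges) { $spec.Location.DeviceChange = @($nicChanges) }

# InstantClone is the blocking form of InstantClone_Task and returns the new VM's
# managed object reference. The source is stunned only while the checkpoint is taken.
$moref = $srcView.InstantClone($spec)
$clone = Get-VM -Id "$($moref.Type)-$($moref.Value)"

$clone | Select-Object Name, PowerState, VMHost,
    @{ N = 'MACs'; E = { (Get-NetworkAdapter -VM $_).MacAddress -join ', ' } }
```

The clone's disks are delta disks layered on the source's current state, so deleting or reverting the source while clones run should be treated with the same care as deleting a snapshot parent.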
Video - Instant Clone (1:05)
Video link: http://www.youtube.com/watch?v=mRHeJLxEAaY
Conclusion
vSphere 6.7 Update 2 further improves the support and capabilities introduced for graphics processing units (GPUs) through the VMware collaboration with NVIDIA. Persistent Memory and Instant Clone technology allow for a universal application platform that supports new workloads and leverages hardware innovations for enhanced performance.
You've finished Module 4!
Congratulations on completing Module 4!
To review more info on the features covered in this module, please use the links below.
• Add an NVIDIA GRID vGPU to a Virtual Machine
• Instant Clone in vSphere 6.7 Rocks!
• New Instant Clone Architecture in vSphere 6.7 Part 1
• Or use your smart device to scan the QRC Code.
Proceed to any module below which interests you most.
• Module 1 - vSphere 6.7 Overview (15 minutes) (Basic) Brief overview of what's new in the vSphere 6.7 release.
• Module 2 - Simple and Efficient Management at Scale (60 minutes) (Basic) Explore improvements and new features in ESXi and vCenter Server management and lifecycle.
• Module 3 - Comprehensive Built-in Security (60 minutes) (Basic) Experience the improved VM Encryption workflow as well as added support for TPM 2.0, vTPM, and Virtualization Based Security.
• Module 4 - Universal Application Platform (15 minutes) (Basic) Discover new vSphere capabilities that make it the platform for all applications including the most mission critical.
• Module 5 - Seamless Hybrid Cloud (15 minutes) (Basic) Learn how vSphere 6.7 and VMware Cloud on AWS create a seamless hybrid cloud experience with easy visibility, migration and management of workloads between on-premises and public cloud.
How to End Lab
To end your lab click on the END button.
Module 5 - Seamless Hybrid Cloud Experience (15 minutes)
Introduction
This module is a brief overview of the newly enabled VMware Cloud on AWS capabilities of vSphere 6.7 Update 2.
With the fast adoption of vSphere-based public clouds through VMware Cloud Provider Program partners, VMware Cloud on AWS, and other public cloud providers, VMware is committed to delivering a seamless hybrid cloud experience for customers.
This module will highlight:
• Hybrid Linked Mode – Enables easy adoption of new public cloud capabilities with unified visibility, without disrupting or burdening on-premises environments.
• Cold and Hot Migration – Enhances ease of management across the hybrid cloud.
• Per-VM EVC – Enables seamless migration of VMs between data centers and the cloud.
• Cross-vCenter Mixed Version Provisioning – Simplifies provisioning across hybrid cloud environments.
Video - Seamless Hybrid Cloud Experience (1:53)
Video link: http://www.youtube.com/watch?v=Zcb-TFWFBlk
Migrating Virtual Machines from vCenter to vCenter
Cross vCenter vMotion
Cross vCenter vMotion (x-vC-vMotion) allows migration of VMs between vCenters that are in the same or different data centers. This feature allows administrators to easily move VMs between vCenters without downtime. The vCenters can be in the same data center or in another data center, with no more than 150 milliseconds of round-trip latency between the data centers.
Requirements for Migration Between vCenter Server Instances
• The source and destination vCenter Server instances and ESXi hosts must be 6.0 or later.
• The cross vCenter Server and long distance vMotion features require an Enterprise Plus license. For more information, see: https://www.vmware.com/products/vsphere.html#compare
• Both vCenter Server instances must be time-synchronized with each other for correct vCenter Single Sign-On token verification.
• For migration of compute resources only, both vCenter Server instances must be connected to the shared virtual machine storage.
• When using the vSphere Web Client, both vCenter Server instances must be in Enhanced Linked Mode and must be in the same vCenter Single Sign-On domain so that the source vCenter Server can authenticate to the destination vCenter Server.
Open Chrome Browser from Windows Quick Launch TaskBar
1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
Log in to the vCenter Server
Log in to the RegionA vCenter
1. Click on the RegionA folder in the Bookmark toolbar.
2. Click on the RegionA vSphere Client (HTML) link in the bookmark toolbar.
3. Check the Use Windows session authentication check box.
4. Click the Login button.
Gain screen space in Chrome by zooming out
1. Select the Options menu in Chrome.
2. Click the '-' button to zoom out to 90%.
Note that this will provide more viewing space while still allowing you to read the text. This is necessary because of the lower than normal resolution we must use in the lab environment to support various devices and to accommodate large-scale events.
Navigate to Hosts and Clusters
1. Click on the Menu icon.
2. Select Hosts and Clusters.
Make sure the VM to be Migrated is Running
As you work through this lab, you will notice there are two vCenters. We will vMotion a running VM between these two vCenters as part of this lab. If it is not already running, start the "core-01a" VM by performing the following steps:
1. Expand the navigation tree in the left pane, exposing all of the virtual machines, and check whether core-01a is running (it will have a green arrow on the icon if it is). If it is running, skip the rest of the steps below. If it is not running, go through the steps below.
2. Right-click core-01a.
3. Hover over Power.
4. Select Power On.
Start the Migration Wizard
1. Right-click core-01a.
2. Select Migrate from the context menu that appears.
This will start the migration wizard where we can select the destination for the VM. The list of VMs shown may vary based on other labs you may have completed. Also, note that this is the same option you would use if you were performing a vMotion within a single vCenter or cluster. You use the same option regardless of what the vMotion destination is.
Select a migration type
1. Select the Change both compute resource and storage option.
2. Click Next.
Select a compute resource
1. Expand the tree under vcsa-01b.corp.local, RegionB01, and RegionB01-COMP01.
2. Select host esx-01b.corp.local.
NOTE: The wizard will check the compatibility of the host to verify that it meets a set of requirements to migrate. Additional information on what is being checked can be found in the VMware vSphere 6.7 Documentation Center.
3. Click Next.
Select storage
1. Select the storage RegionB01-iSCSI01-COMP01.
2. Click Next.
The vMotion will migrate the VM to a datastore that is available on the new host. This allows VMs to be moved between clusters, vCenters, or data centers that do not have shared storage.
Select folder
1. Select RegionB01.
2. Click Next.
Select networks
1. Select the VM-RegionB01-vDS-COMP network.
2. Click Next.
This will change the port group the VM is associated with. There are no changes within the VM to the IP or network configuration. Your network must be set up in a way that allows the VM to move to this new port group without these changes. Network Virtualization is a way to extend the Layer 2 network across Layer 3 boundaries.
Note that depending on which other modules you may have done, you may see an additional screen in the wizard asking you to set a vMotion Priority. If you see this screen, leave the default settings and click Next.
Ready to complete
1. Review the settings that vCenter will use to perform the vMotion, and click Finish.
Watch Progress in Recent Tasks
We can view the progress of the operation in the Recent Tasks pane at the bottom of the screen.
Note that if you do not see the Recent Tasks pane, you may need to expand it by clicking on Recent Tasks on the right side of the screen.
Migration Complete
That's all there is to it. In the left navigation pane you can now see that the core-01a VM has been moved to the RegionB01-COMP01 cluster, which is in the vcsa-01b.corp.local vCenter. As with any other vMotion, this is completed with no downtime. The ability to vMotion VMs between hosts, clusters, vCenters, and virtual switches gives you even greater flexibility than you had before when managing your workloads.
Note: If you plan on continuing and taking other modules in this lab, please use the same process to vMotion the VM back to the RegionA vCenter. Use the following information to assist with this:
• Compute Resource: esx-02a.corp.local
• Storage: RegionA01-ISCSI01-COMP01
• Folder: RegionA01
• Network: ESXi-RegionA01-vDS-COMP
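The same cross-vCenter migration can be scripted. The following PowerCLI script is an added example, not part of the lab guide: it moves core-01a back to RegionA using the compute resource, datastore, folder and port group listed above, after checking the two things the wizard's compatibility check would fail on first and warning if the VM's encrypted vMotion setting would let the memory copy fall back to cleartext. It assumes PowerCLI with both vCenters connected in one session; the RegionA vCenter host name vcsa-01a.corp.local is an assumption, as the lab only names the RegionB one.

```powershell
# Added example, not from the lab guide: cross-vCenter vMotion of core-01a back
# to RegionA from PowerCLI. Target objects are the ones the lab text names; the
# RegionA vCenter host name is an assumption.
param(
    [string]$SourceVC = 'vcsa-01b.corp.local',   # where core-01a sits after the lab migration
    [string]$TargetVC = 'vcsa-01a.corp.local',   # assumed name of the RegionA vCenter
    [string]$VMName   = 'core-01a'
)

# Both vCenters must be connected in the same session (DefaultVIServerMode is
# Multiple by default). -Server keeps each lookup on the right side.
$src = Connect-VIServer -Server $SourceVC -Credential (Get-Credential -Message "Login to $SourceVC")
$dst = Connect-VIServer -Server $TargetVC -Credential (Get-Credential -Message "Login to $TargetVC")

$vm   = Get-VM          -Name $VMName                    -Server $src
$esx  = Get-VMHost      -Name 'esx-02a.corp.local'       -Server $dst
$ds   = Get-Datastore   -Name 'RegionA01-ISCSI01-COMP01' -Server $dst
$fold = Get-Folder      -Name 'RegionA01' -Type VM       -Server $dst
$pg   = Get-VDPortgroup -Name 'ESXi-RegionA01-vDS-COMP'  -Server $dst

# What the wizard's compatibility check would catch first.
if ($vm.PowerState -ne 'PoweredOn')       { throw "$VMName is not running" }
if ($esx.ConnectionState -ne 'Connected') { throw "$($esx.Name) is $($esx.ConnectionState)" }

# Memory and disk contents cross the wire during this migration. The per-VM
# Encrypted vMotion setting defaults to opportunistic, which falls back to
# cleartext if either side cannot encrypt; flag anything other than required.
$enc = $vm.ExtensionData.Config.MigrateEncryption
if ($enc -ne 'required') { Write-Warning "$VMName has Encrypted vMotion set to '$enc', not 'required'" }

# Cross-vCenter moves need an explicit adapter-to-port-group mapping, one entry
# per adapter; here every adapter lands on the RegionA port group.
$nics = Get-NetworkAdapter -VM $vm
Move-VM -VM $vm -Destination $esx -Datastore $ds -InventoryLocation $fold `
        -NetworkAdapter $nics -PortGroup ($nics | ForEach-Object { $pg }) -Confirm:$false

# Verify the VM is now an inventory object of the RegionA vCenter.
Get-VM -Name $VMName -Server $dst | Select-Object Name, PowerState, VMHost,
    @{ N = 'Datastore'; E = { $_.ExtensionData.Config.DatastoreUrl.Name -join ', ' } }

Disconnect-VIServer -Server $src, $dst -Confirm:$false
```

The -Server arguments matter: with two connections open, an unqualified Get-VM searches both vCenters and a name that exists on both sides would make the Move-VM ambiguous.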
Conclusion
Migrating VMs between vCenters is a very simple process. Cross vCenter vMotion allows an administrator to easily move workloads between vCenters that are in the same data center or different data centers without downtime. This reduces the amount of time spent during migrations and consolidations. Storage is also migrated, allowing for migrations between different types of storage and removing the need for storage replication and downtime. The network must be available on both ends of the migration to prevent the VM from losing its network connection. This can be done through Layer 2 stretching or Network Virtualization. Because the VM's memory and disks cross the network during the migration, also check the VM's Encrypted vMotion setting (Disabled, Opportunistic or Required; Opportunistic is the default): only Required guarantees the transfer is never sent in cleartext.
Enhanced vMotion Compatibility
Let's say your manager tells you that the company has purchased a competitor and would like to migrate all the VMs from the acquisition's data center to your company's data center over the next few months. What do you need to know to plan this migration? With vSphere 6.7 you can do this using Per-VM EVC to migrate machines from one hardware platform to another.
Per VM-EVC
Cluster-level EVC ensures CPU compatibility between hosts in a cluster, so that you can seamlessly migrate virtual machines within the EVC cluster. In vSphere 6.7 Update 2, you can also enable, disable, or change the EVC mode at the virtual machine level. The per-VM EVC feature facilitates the migration of the virtual machine beyond the cluster and across vCenter Server systems and data centers that have different processors.
The EVC mode of a virtual machine is independent from the EVC mode defined at the cluster level. The cluster-based EVC mode limits the CPU features a host exposes to virtual machines. The per-VM EVC mode determines the set of host CPU features that a virtual machine requires in order to power on and migrate.
By default, when you power on a newly created virtual machine, it inherits the feature set of its parent EVC cluster or host. However, you can change the EVC mode for each virtual machine separately. You can raise or lower the EVC mode of a virtual machine. Lowering the EVC mode increases the CPU compatibility of the virtual machine. You can also use API calls to customize the EVC mode further.
Cluster-based EVC and Per-VM EVC
There are several differences between the way the EVC feature works at the host cluster level and at the virtual machine level.
• Unlike cluster-based EVC, you can change the per-VM EVC mode only when the virtual machine is powered off.
• With cluster-based EVC, when you migrate a virtual machine out of the EVC cluster, a power cycle resets the EVC mode that the virtual machine has. With per-VM EVC, the EVC mode becomes an attribute of the virtual machine. A power cycle does not affect the compatibility of the virtual machine with different processors.
• When you configure EVC at the virtual machine level, the per-VM EVC mode overrides cluster-based EVC. If you do not configure per-VM EVC, when you power on the virtual machine, it inherits the EVC mode of its parent EVC cluster or host.
• If a virtual machine is in an EVC cluster and per-VM EVC is also enabled, the EVC mode of the virtual machine cannot exceed the EVC mode of the EVC cluster in which the virtual machine runs. The baseline feature set that you configure for the virtual machine cannot contain more CPU features than the baseline feature set applied to the hosts in the EVC cluster. For example, if you configure a cluster with the Intel "Merom" Generation EVC mode, you should not configure a virtual machine with any other Intel baseline feature set. All other sets contain more CPU features than the Intel "Merom" Generation feature set and, as a result of such a configuration, the virtual machine fails to power on.
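Per-VM EVC is exposed in the vSphere Client's VMware EVC tab and through the API's ApplyEvcModeVM method. The following PowerCLI script is an added example, not part of the lab guide: it prints the cluster baseline and the VM's current required mode, then applies a chosen per-VM mode while enforcing the two rules above that would otherwise only surface as a failed power-on (the VM must be powered off, and inside an EVC cluster the VM baseline may not exceed the cluster baseline). It assumes an open Connect-VIServer session; the VM name and the chosen mode key are assumptions, and the script reads the VM's current mode from Runtime.MinRequiredEVCModeKey, which is my reading of where the client gets it.

```powershell
# Added example, not from the lab guide: read and set per-VM EVC through the
# vSphere API from PowerCLI. Assumes an open Connect-VIServer session; the VM
# name and the mode key are assumptions.
param(
    [string]$VMName  = 'core-01a',
    [string]$EvcMode = 'intel-merom'    # must be one of the keys printed below
)

$vm      = Get-VM -Name $VMName
$vmView  = $vm.ExtensionData
$cluster = Get-Cluster -VM $vm -ErrorAction SilentlyContinue
# EVCMode[]: each entry carries Key, Vendor, VendorTier and the FeatureMask to apply.
$modes   = (Get-View ServiceInstance).Capability.SupportedEVCMode

# Current state: the cluster baseline (if any) and the minimum mode the VM needs,
# which is what a destination host is checked against during vMotion.
[pscustomobject]@{
    VM             = $VMName
    ClusterEVC     = $cluster.ExtensionData.Summary.CurrentEVCModeKey
    VMRequiredEVC  = $vmView.Runtime.MinRequiredEVCModeKey
    SupportedModes = ($modes.Key -join ', ')
} | Format-List

$target = $modes | Where-Object Key -eq $EvcMode
if (-not $target) { throw "'$EvcMode' is not a supported EVC mode on this vCenter" }

# First rule above: per-VM EVC is changed only while the VM is powered off.
if ($vmView.Runtime.PowerState -ne 'poweredOff') {
    throw "$VMName must be powered off before its EVC mode can be changed"
}

# Last rule above: inside an EVC cluster the VM baseline may not exceed the
# cluster baseline. VendorTier orders modes within one vendor, so compare tiers.
$clusterKey = $cluster.ExtensionData.Summary.CurrentEVCModeKey
if ($clusterKey) {
    $clusterMode = $modes | Where-Object Key -eq $clusterKey
    if ($target.Vendor -ne $clusterMode.Vendor -or $target.VendorTier -gt $clusterMode.VendorTier) {
        throw "$EvcMode exceeds the cluster baseline $clusterKey; the VM would fail to power on"
    }
}

# Apply the mode's full feature mask; completeMasks=$true makes it the VM's whole baseline.
$vmView.ApplyEvcModeVM($target.FeatureMask, $true)
$vmView.UpdateViewData('Runtime.MinRequiredEVCModeKey')
"EVC mode of $VMName is now $($vmView.Runtime.MinRequiredEVCModeKey)"
```

Lowering the tier is the safe direction for a planned migration between data centers: the VM will then power on and migrate on any host of that vendor at that tier or above, at the cost of hiding newer CPU features from the guest.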
VMware Cloud (VMC) on AWS
VMware Cloud on AWS is an integrated cloud offering jointly developed by AWS and VMware delivering a highly scalable, secure and innovative service that allows organizations to seamlessly migrate and extend their on-premises VMware vSphere-based environments to the AWS Cloud running on next-generation Amazon Elastic Compute Cloud (Amazon EC2) bare metal infrastructure. VMware Cloud on AWS is ideal for enterprise IT infrastructure and operations organizations looking to migrate their on-premises vSphere-based workloads to the public cloud, consolidate and extend their data center capacities, and optimize, simplify and modernize their disaster recovery solutions. VMware Cloud on AWS is delivered, sold, and supported globally by VMware and its partners with availability in the following AWS Regions: US West (Oregon), US East (N. Virginia), Europe (London), and Europe (Frankfurt).
VMware Cloud on AWS brings the broad, diverse and rich innovations of AWS services natively to the enterprise applications running on VMware's compute, storage and network virtualization platforms. This allows organizations to easily and rapidly add new innovations to their enterprise applications by natively integrating AWS infrastructure and platform capabilities such as AWS Lambda, Amazon Simple Queue Service (SQS), Amazon S3, Elastic Load Balancing, Amazon RDS, Amazon DynamoDB, Amazon Kinesis and Amazon Redshift, among many others.
With VMware Cloud on AWS, organizations can simplify their Hybrid IT operations by using the same VMware Cloud Foundation technologies including vSphere, vSAN, NSX, and vCenter Server across their on-premises data centers and on the AWS Cloud without having to purchase any new or custom hardware, rewrite applications, or modify their operating models. The service automatically provisions infrastructure and provides full VM compatibility and workload portability between your on-premises environments and the AWS Cloud. With VMware Cloud on AWS, you can leverage AWS's breadth of services, including compute, databases, analytics, Internet of Things (IoT), security, mobile, deployment, application services, and more.
Onboarding VMware Cloud on AWS
Joining the VMware Cloud on AWS (VMC) service is not like deploying vCenter or other VMware products. Because VMC is a managed service operated by VMware, you need to onboard to the service and create what we call an Organization, which is the key tenant construct within VMC.
In the video below, we show this process from beginning to end.
Migration from On-prem to VMC on AWS - NSX Hybrid Connect
Video link: http://www.youtube.com/watch?v=I7lm2dJD50M
Video link: http://www.youtube.com/watch?v=7pwZxXMayXU
Conclusion
The primary benefit of the hybrid cloud model is flexibility and freedom, but it also creates a seamless experience such that end users are completely indifferent as to whether an application is running in a public or private cloud. IT has the ability to deploy and run applications anywhere without the risk of getting locked in to the APIs of a specific cloud provider, and can access infrastructure on demand using a consistent set of tools and skillsets. Cross vCenter vMotion, Enhanced vMotion Compatibility with Per-VM EVC, and VMware Cloud on AWS all help deliver the Seamless Hybrid Cloud Experience.
You've finished Module 5!
Congratulations on completing Module 5!
To review more info on the features covered in this module, please use the links below:
• Configuring Per-VM EVC with PowerCLI
• VMware Hybrid Cloud Extension
• Or use your smart device to scan the QR code.
Proceed to any module below which interests you most.
• Module 1 - vSphere 6.7 Overview (15 minutes) (Basic) Brief overview of what's new in the vSphere 6.7 release.
• Module 2 - Simple and Efficient Management at Scale (60 minutes) (Basic) Explore improvements and new features in ESXi and vCenter Server management and lifecycle.
• Module 3 - Comprehensive Built-in Security (60 minutes) (Basic) Experience the improved VM Encryption workflow as well as added support for TPM 2.0, vTPM, and Virtualization Based Security.
• Module 4 - Universal Application Platform (15 minutes) (Basic) Discover new vSphere capabilities that make it the platform for all applications, including the most mission critical.
• Module 5 - Seamless Hybrid Cloud (15 minutes) (Basic) Learn how vSphere 6.7 and VMware Cloud on AWS create a seamless hybrid cloud experience with easy visibility, migration and management of workloads between on-premises and public cloud.
Test Your Skills!
Now that you've completed this lab, try testing your skills with VMware Odyssey, our newest Hands-on Labs gamification program. We have taken Hands-on Labs to the next level by adding gamification elements to the labs you know and love. Experience the fully automated VMware Odyssey as you race against the clock to complete tasks and reach the highest ranking on the leaderboard. Try the vSphere Odyssey lab:
• HOL-2011-07-ODY - VMware Odyssey - vSphere - Getting Started Game
How to End Lab
To end your lab click on the END button.
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.
Lab SKU: HOL-2011-01-SDC
Version: 20200429-144529