VMware VCP 5 study guide book review

I was contacted by Brian Atkinson to review his new VCP 5 study guide book from Sybex. They sent me a copy that I plan on giving away in some fashion now that I’ve examined the book. I was never a big fan of books focused just on helping you pass an exam. I tend to come from the school of work hard, gain the knowledge through actual hands-on experience, and pass the test. I was surprised by the in-depth content that Brian put into this book; it's not an exam cram type book.

The study guide is 700+ pages of VMware content that would be very useful to admins even if you are not studying for the VCP. It covers a huge amount of topics, from installs to setting up networking and storage. These chapters are not small high-level ones; they really go into a good amount of info and spell out the details for you.

Each of the chapters has questions at the end to help you review the information that you just gained. This seems like a decent approach to learning tech info. Overall I would say that the book is worth the price to anyone studying for the exam and it is currently selling for around $30 on Amazon.


VMware vShield App best practices list

After a couple of recent projects that implemented vShield app in various ways I thought it would be good to start building a list of best practices. These are some of the suggestions that I have collected in working with different customers and VMware people. I will continue to update as new things come to light.

Consider reading my list of vCloud best practices when you are done with this list, since they are used together often.

vShield Manager

  • Do not deploy the vShield Manager appliance to a cluster that it will be protecting; this can cause the connection to itself and to vCenter to be lost. (With vShield 5.0.1 you can exclude the appliance from protection, but I would still avoid it.)
  • Access to default services like DNS, syslog, NTP and other similar services that all your VMs need access to should be created as Layer 3 low-precedence rules at the datacenter level.
  • To provide additional resiliency beyond HA, consider using Fault Tolerance (FT) for protecting vShield Manager.

vShield App instances (Appliances)

  • When deploying, use a local datastore on the host if available to prevent accidental vMotion.
  • Consider setting DRS host affinity to make sure the vShield App appliance does not get vMotioned off of its host. DRS is disabled by default for the appliance VM.
  • Follow vSphere hardening recommendations for virtual switches.
  • Use Security Groups to group together servers of the same function (domain controllers, web servers, DB servers, etc.).
  • Ensure that the HA restart priority for the vShield App appliance is set to High so it is the first to restart, making sure that it's running before the VMs it's protecting are started.
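As an added example (not code from the original post), here is a PowerCLI script that audits the vShield App appliance VMs against the DRS, HA and datastore items in this list. It assumes an existing Connect-VIServer session and that the appliances can be identified by a VM name pattern ($AppliancePattern is an assumed value).

```powershell
# Added audit example, not part of the original post.
# Assumes: PowerCLI loaded, Connect-VIServer already done, and that vShield App
# appliance VMs match the name pattern below (assumed naming; adjust to your environment).
$AppliancePattern = 'vShield-FW-*'

function Test-VShieldAppliance {
    param([Parameter(Mandatory)][string]$NamePattern)

    foreach ($vm in Get-VM -Name $NamePattern) {
        $findings = @()

        # HA restart priority should be High so the firewall is up before the VMs it protects.
        if ($vm.HARestartPriority -ne 'High') {
            $findings += "HA restart priority is '$($vm.HARestartPriority)', expected 'High'"
        }

        # DRS automation should stay Disabled so the appliance is never vMotioned off its host.
        if ($vm.DrsAutomationLevel -ne 'Disabled') {
            $findings += "DRS automation level is '$($vm.DrsAutomationLevel)', expected 'Disabled'"
        }

        # Prefer a local datastore; a datastore visible to multiple hosts allows accidental vMotion.
        foreach ($ds in ($vm | Get-Datastore)) {
            if ($ds.ExtensionData.Summary.MultipleHostAccess) {
                $findings += "datastore '$($ds.Name)' is shared across hosts"
            }
        }

        [pscustomobject]@{
            VM        = $vm.Name
            Host      = $vm.VMHost.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# Report one row per appliance; non-compliant rows list what to fix.
Test-VShieldAppliance -NamePattern $AppliancePattern | Format-Table -AutoSize
```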


VMware Orchestrator ideas for workflow automation samples

I’ve been talking to a lot of customers lately on the possibilities of VMware Orchestrator. Things like do they use it now, what they might be able to use it for in their current environment. But most of the discussions are in tandem with a vCloud design. Orchestrator has been a mystery for the last few years, but VMware has been working on changing that since vSphere 5 was released. It is now being talked about more and 3rd parties are actively developing plug-ins to expand its abilities to automate other infrastructure.

I don’t plan on teaching you how to use Orchestrator; there is a good book written by Cody Bunch on Orchestrator. What I do want to talk about is some ideas of what you might be able to use Orchestrator for, to get your creativity flowing.

Orchestrator ideas:

Idea 1:

A workflow that clones a VM from a template, nothing exciting, right? Well, what if you could have the workflow do the customization part for you? So what does this mean? Well, the workflow could look at the template you are deploying from and then select a License Key for the proper OS that is being used. Then it could place the VM in the Active Directory OU of your choosing. Try doing this type of stuff with standard vCenter customization templates: the licensing would take multiple customization files, and the OU part would require the template to already belong to the OU you want it to end up in. This would add a lot of layers of complexity to your environment doing it the old way. But with an Orchestrator workflow you can accomplish this and make your admins' lives easier.

Idea 2:

The idea here is not that much different from Idea 1, but it involves VCD. So the idea would be that we have several Organizations set up inside of VCD, and the VMs from each Org need to belong to a different OU in Active Directory. Well, you probably say there is no easy way to do that. You are right, but with Orchestrator we can create a blocking task and a workflow with logic in it that will listen for the request coming from VCD, look up which Org is requesting the VM, and match that to logic provided in the workflow that will tell it which OU to use.

Idea 3:

This idea came from one of the local VMware reps that I work with. The idea is to use Infoblox for IP and DNS management for vCloud. To make this work, a blocking task would be created that would step in when a new vApp was created and use the Infoblox plug-in for Orchestrator. To give you an idea of how this would work in simple terms: you would deploy a vApp and select that it grab an IP from a static pool in VCD. This allows the VM to be created, but the IP is only temporary and is taken from a small pool that is used just for this purpose. Then the blocking task will step in and request a permanent IP from Infoblox and register it with DNS. The workflow will then go back into VCD and change the IP address selection method to static-manual, because it is now being provided from Infoblox.

These are some basic ideas, but ones that I know people might be able to use. The whole idea is to get you thinking about what types of automation you might be able to accomplish with Orchestrator by providing some examples.

If you have some workflows that you have already created, or an idea for one, drop me a comment to add to the discussion and help others.


Open letter to Vendors on training classes and partner enablement

To be open, I work for a partner and on a regular basis get introduced to new products. For this I spend a decent amount of time researching these products, playing with them in a lab and taking training from the vendors. There are a few vendors that do a good job with their training and there are a lot that don’t do a very good job. Yesterday one of my co-workers mentioned something to me about how he thought these training programs should be structured.

What it comes down to is that there are a few layers or roles within partners and customers that need to be trained on a new product. I’ve broken it out below into 3 classes that vendors should offer for their products. I believe these translate to either software or hardware products.

  • How do I design for your product – This should be a design / architecture focused class. In this class we should be talking about customer requirements, sizing decisions and other things that might affect how I would create a design for Product X.
  • How do I install your product – This class is focused on install and implementation work. I think this is pretty straightforward: what are the pitfalls to look out for when setting up your product, etc.
  • How do I manage your product – So this one might be a bit more customer focused, but partners still need to be able to understand this and be able to assist their customers on these types of issues. What types of tasks do you expect me to have to complete on a daily, weekly and monthly basis? How do I patch or upgrade your product, and these types of tasks.

To me it seems that if these classes were available I could pick out the one that I needed at the time to gain the knowledge that I needed. For me, I would usually start out with the design course but would also need to understand the other parts at some point.

Out of all the vendors that I deal with, VMware seems to be the one closest to this model. They do have a limited amount of design classes. The most popular VCP-related course is heavily focused on the install portion with a bit of management. And the newer performance-related courses would fall into the management area. I would like to see other vendors take this approach also.


How vShield App updates rules on appliances

While working on a recent project this question came up: if you create new vShield App rules in vShield Manager, how does it push these rules out to the vShield App appliances?

As an example, you have a large environment with several clusters, and you create and publish some new rules that affect only a couple of VMs. Will vShield Manager push the rules out to every App appliance in the vCenter Datacenter, to every cluster, or just to the cluster or host that has the affected VMs?

The answer is that vShield Manager only pushes out the rule updates to the vShield appliances that are affected, so only the ones that are protecting the VMs that the new rules apply to. As an example, you can create vShield App rules at the datacenter level, cluster level, port group or per vNIC. So the level the rule was created at, and which App appliances are protecting that level, determines where the rules are pushed to.


How to upgrade vShield manager

As part of my lab upgrade process of updating all the vCloud parts, I wanted to document the vShield Manager update steps. Since vShield Manager is a VMware appliance, it has a database that holds your rules and settings that are distributed out to the various vShield App and Edge devices that you are using. So if you just did a rip and replace of the appliance to get to the new version, you would break a lot of things and have to recreate your rules and re-deploy the agents to hosts. This would be a very bad thing in a production install. This is why you should use the update feature built into the vShield Manager console. You can review my post on upgrading the vCloud appliance also.

To update vShield Manager you need to download the gzip package from VMware. When you look at the download options for vShield, there is an OVF package that deploys a fresh version of the appliance, and there is a zipped package that you use for updates. Grab the update package and use it for the next step.

In Figure 1 below you can see that after logging into the management page of the vShield Manager appliance you need to navigate to the “Settings & Reports” option in the left tree. Then choose the Updates tab and then Upload Settings. This will present you with the option to upload the zipped update file that you downloaded earlier.

Figure 1 - vShield manager update


How to create an Elastic vDC in VMware vCloud director

Something that was slipped into vCloud 1.5 that did not get much press was the idea of an elastic vDC. This gives the ability to add extra capacity to the underlying provider vDC in vCloud. If you have worked with vCloud before you might be saying, wait, I could always do this by expanding the size of my cluster or pool that was providing the resources. And this was certainly one option for adding more capacity. But what if you had larger clusters that could not be expanded, or if you were using linked clones (Fast Provisioning) and you reached the 8 host maximum for your cluster? You would have to create a new provider vDC and present this capacity as a new Org vDC to your cloud consumer.

The idea of an elastic vDC allows you to add another resource pool to a provider vDC, which in turn presents this capacity up to the Org vDC. Today this option is only available for Org vDCs that are set up for the Pay As You Go allocation model. What it allows you to do is add in the resources from additional vCenter resource pools to a provider vDC, thus allowing you to grow the resources that are presented up to any Org vDCs using the proper allocation model.

You can see from the image at the bottom of this post that the first resource pool presented is marked as the primary and is what would be used to provide resources to Org vDCs that are using the Allocated or Reserved allocation models.

To add another resource pool you must navigate to the provider vDC that you wish to add the resources to and select the Resource Pool tab. Then simply click the green plus icon to add the resources by selecting from the vCenter that you choose. Below is a summary of the VMware KB that describes the features and limitations as they stand today.
