Configuring Hybrid Linked Mode between VMConAWS and Multi-Site On-Prem environment

Few weeks ago, I have joined the VMware Cloud on AWS VMUG Community and entered a contest to win One Month of free Single-Host SDDC. I was lucky enough to be selected as one of the winners. Before I start with the post, I would like to thank the team for selecting me and giving me the opportunity to test this solution.

This first post will cover two parts, creating a SDDC for the first time and configuring Hybrid Linked Mode.

If you have your SDDC already set up you may skip Part 1 and jump straight to Part 2.

Part 1: Setting up SDDC

The process of creating your first SDDC is very straight-forward and only takes a couple of minutes to finish.

To start, click on Create SDDC:1

Choose your AWS Region, preferably one that is closest to you, and enter your SDDC Name:2

In the next step, connect SDDC to your AWS account by entering the account ID:3

Select your VPC and Subnet from the drop-down menu:4

Define a Management Subnet you would like to use. Make sure it does not overlap with any of your networks. Default management subnet 10.2.0.0/16 will be selected if you do not enter any subnet:5

Deployment will start once you click on Deploy SDDC and will take approximately 2 hours to complete:6

Once finished, you will see your newly deployed SDDC in the list:7At this point, you can access your vCenter by clicking on Open vCenter. As it is the first time you are accessing it, you will be asked to open access to the management gateway. At this stage, you can click on Internet Firewall rules. This will open HTTPS traffic to vCenter from Any location. We will configure Management Gateway VPN in the next section.

This slideshow requires JavaScript.

16

Part 2: Configuring Hybrid Linked Mode

First thing we need to do before enabling Hybrid Linked Mode is to configure Management Gateway IPsec VPN to our On-Premises environment.

To do so, click on Network tab under your SDDC and expand Management Gateway IPsec VPN and click on Add VPN.

You will have to fill in following details:

  • VPN name  – define a name of your VPN
  • Remote Gateway Public IP – enter Public IP of your On-Prem gateway
  • Remote Networks – enter your On-Prem networks
  • Encryption – select AES 256
  • Perfect Forward Secrecy – select Enabled
  • Diffie Hellman – select your preferred level of secure key exchange that matches your On-Prem VPN settings
  • IKE Version – has to match your On-Prem VPN settings
  • SHA Version – select SHA_256
  • Pre-shared Key – enter a strong password

44

After you click Save, download the configuration file. This will be used to configure On-Prem VPN. At this point I would like to thank HobbitCloud’s Chief Network Architect for configuring the On-Prem VPNs on Junipers. More details on how that needs to be configured will follow.

Next step is to configure Firewall rules. You can either add them manually one by one or use the Firewall Rule Accelerator feature that adds them for you. If you have more than one Remote Network, make sure to add rules for all:25

Once the On-Prem VPN has been set up, you should see your IPsec VPN as Connected. If it’s not the case, you may try to disable and re-enable it using the Actions menu on the right side:45

As we are trying to configure HLM to a Multi-site environment, we need to make sure we configure Management VPN for all sites before proceeding. Repeat the steps to set up a second VPN:35

Please note that some settings may vary depending on the capabilities of your On-Prem equipment.

Once saved, download the second configuration file to configure the On-Prem VPN and add required firewall rules. You should now see both VPNs connected:46

Last step we need to do in our SDDC network configuration is to change DNS to point to On-Prem DNS servers. You must also change the vCenter FQDN Resolution to Private IP resolvable from VPN. You can select this option from a drop-down menu:30

Make sure to only proceed with this step once the VPNs are connected.

You can now login to vCenter from your On-Prem Network using the cloudadmin@vmc.local account. To configure HLM, click on Menu -> Administration -> Hybrid Cloud and select Linked Domains:

47

First thing we need to do is to configure Identity Source for our On-Prem Domain:31

To Connect to On-Prem vCenter Server, enter your primary Platform Service Controller and SSO admin details.

Once the Identity Source has been added, you will be able to add your domain group to Cloud Administrators:33

Click on Link, accept the certificate and wait for the domain to be linked.

This slideshow requires JavaScript.

You can now log off from vCenter and login again using your domain credentials:43

You should now be able to see all your vCenters linked:

42

That concludes this post, I hope you have enjoyed it. There will be more topics covered in upcoming posts.

In case of any questions, you can find me on Twitter.

Thanks!

Moving vRealize Automation blueprints between environments with vRealize Suite Lifecycle Manager 1.2

When large enterprises deploy a cloud management platform like VMware vRealize Automation, they often have a number of different environments. To ensure best practices, blueprints and orchestration scripts are created in development before being tested in another environment, before finally being transported into  Continue reading

Wednesday Tidbit: Enable VIC-as-a-Service on vRealize Automation with custom SSL certificates

20161114-1vRealize Automation brings a raft of benefits to an organisation. The biggest of these is the ability to enable users to consume complex services without having to rely on the corporate IT department. An example of this is the ability to provision a Docker endpoint, in the form of a vSphere Integrated Containers Virtual Container Host, for developers to deploy containers against. Continue reading

Deploying Kubernetes with vRealize Automation

20161114-1A number of customers are very excited about the upcoming release of PKS. However, some are itching to get started with Kubernetes today, and are wondering how they can leverage VMware’s Cloud Management Platform, vRealize Automation, to do so. In this post I will show how you can design a blueprint which with two clicks can deploy a Kubernetes cluster for your users.  Continue reading

Wednesday Tidbit: Stop failed vRealize Automation software deployments from auto-deleting

This will quite possibly be the shortest, but yet most useful, posts on vRealize Automation you’ve ever read…

If you regularly develop software components for vRA, you’ve undoubtedly discovered that if for some reason a deployment fails, the machine is automatically deleted within a couple of minutes. This is frustrating as it gives you no time to debug why it failed, as all evidence is deleted with the machine.

Thankfully, Sam McGeown shared the answer a couple of weeks back:

So there you have it. One custom property attached to your blueprint will enable you to see why your deployment failed.

This is one of those things I wished I’da known ages ago!

Vulnerability scanning with VMware Harbor 1.2 and Clair – Part 1: Building Harbor

At VMworld 2017 VMware announced the latest release of vSphere Integrated Containers, version 1.2. This release also included updated versions Admiral, VMware’s container management platform; and Harbor, their enterprise-class container registry. VMware makes all these products available to consume from a single OVA which can be Continue reading