Deployment of Region A

Modified on 14 JAN 2020
VMware Validated Design 5.1
VMware Validated Design for Software-Defined Data Center 5.1
VMware Validated Design 5.1.1
VMware Validated Design for Software-Defined Data Center 5.1.1


You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2018-2020 VMware, Inc. All rights reserved. Copyright and trademark information.

Deployment of Region A

VMware, Inc. 2


Contents

1 About VMware Validated Design Deployment of Region A  6

2 Prepare the Environment for Deployment in Region A  8
    Prerequisites for Virtual Infrastructure Layer Implementation in Region A  8
    Prerequisites for Installation of ESXi Hosts in Region A  9
    Install ESXi Interactively on All Hosts in Region A  10
    Configure the Network on All Hosts in Region A  11
    Configure the Virtual Machine Network Port Group on All Hosts in Region A  13
    Configure SSH and NTP on All Hosts in Region A  13
    Mount NFS Storage on All ESXi Hosts in Region A  14
    Configure DNS Settings for the Platform Services Controller Load Balancer in Region A  16
    Prerequisites for Operations Management Layer Implementation in Region A  17
    Deploy and Configure a Linux Virtual Machine for vSphere Update Manager Download Service in Region A  18
    Prerequisites for Cloud Management Layer Implementation in Region A  20
    Deploy and Configure the Master Windows System for vRealize Automation IaaS Nodes in Region A  20
    Deploy and Configure the External SQL Server for vRealize Automation in Region A  22
    Generate Certificates for the SDDC Components in Region A  26
    Prerequisites for Generating Signed Certificates for the SDDC Components in Region A  26
    Create and Add a Microsoft Certificate Authority Template in Region A  27
    Generate Signed Certificates for the SDDC Components in Region A  28

3 VMware Cloud Builder Implementation in Region A  31
    Prerequisites for VMware Cloud Builder Implementation in Region A  31
    Deploy the Virtual Appliance of VMware Cloud Builder on a Management Host in Region A  32

4 Deploy the Software-Defined Data Center Components in Region A  34
    Automated SDDC Deployment in Region A  34
    Prerequisites for Automated SDDC Deployment in Region A  35
    Upload the VMware Validated Design Software Bundle and Signed Certificates to VMware Cloud Builder in Region A  36
    Generate the JSON Deployment Files for the Management and the Shared Edge and Compute Clusters in Region A  37
    Validate the Deployment Parameters and Target Environment Prerequisites for the Management Cluster and the Shared Edge and Compute Cluster in Region A  38
    Start the Automated Deployment of the Management Cluster in Region A  39
    Start the Automated Deployment for the Shared Edge and Compute Cluster in Region A  40
    Skyline Manual Deployment in Region A  41


    Prerequisites for Deploying VMware Skyline in Region A  42
    Configure User Access in vSphere for Integration with VMware Skyline in Region A  43
    Configure User Privileges in NSX Manager for the Skyline Collector Instances in Region A  45
    Configure User Privileges in vRealize Operations Manager for the Skyline Collector Instances in Region A  46
    Prepare for Skyline Collector Registration with VMware Cloud Services  47
    Deploy the Skyline Collector Appliance in Region A  49
    Configure the Skyline Collector Instance in Region A  51

5 Post-Deployment Virtual Infrastructure Configuration in Region A  65
    Update the Host Profile for the Management Cluster in Region A  65
    Distributed Firewall Configuration in Region A  67
    Add the vCenter Server Appliance to the NSX Distributed Firewall Exclusion List in Region A  68
    Create IP Sets for the Components of the Management Cluster in Region A  68
    Create Security Groups in Region A  70
    Create Distributed Firewall Rules in Region A  72
    Update the Host Profile for the Shared Edge and Compute Cluster in Region A  75
    Update the DNS Records for the Platform Services Controller Load Balancer in Region A  76

6 Post-Deployment Operations Management Configuration in Region A  78
    Post-Deployment Configuration of Update Manager Download Service in Region A  78
    Reconfigure Update Manager Download Service in Region A  79
    Post-Deployment Configuration of vRealize Operations Manager in Region A  80
    Integrate vRealize Log Insight with vRealize Operations Manager in Region A  81
    Configure User Privileges in vRealize Operations Manager for vRealize Automation Tenant Workload Reclamation in Region A  82
    Verify the Integration of vRealize Operations Manager as a Metrics Provider in vRealize Automation in Region A  82
    Define the Monitoring Goals for the Default Policy in vRealize Operations Manager in Region A  83
    Update the SNMP Configuration of the Network Devices Adapter in vRealize Operations Manager  84
    Post-Deployment Configuration of vRealize Log Insight in Region A  85
    Configure vRealize Orchestrator to Forward Log Events to vRealize Log Insight in Region A  85
    Add Skyline Collector and Site Recovery Manager to the Agent Group for Management Virtual Appliances in Region A  86
    Post-Deployment Configuration of vRealize Suite Lifecycle Manager in Region A  87
    Configure NTP and DNS Settings of the vRealize Suite Lifecycle Manager Appliance in Region A  87
    Save the Configuration Baselines for the vRealize Suite Products in vRealize Suite Lifecycle Manager  88
    Register vRealize Suite Lifecycle Manager with My VMware  88

7 Post-Deployment Cloud Management Configuration in Region A  90


    Configure vRealize Automation for a Large-Scale Deployment in Region A  91
    Reconfigure the Microsoft SQL Server for vRealize Automation in Region A  92
    Configure Content Library in Region A  95
    Configure a Content Library in the First Compute vCenter Server Instance in Region A  96
    Import the OVF Files for the Virtual Machine Templates in Region A  97
    Create Machine Prefixes in Region A  97
    Create Business Groups in Region A  99
    Create Logical Switches for Business Groups in Region A  100
    Create Reservation Policies in Region A  101
    Create External Network Profiles in Region A  102
    Create Reservations for the Shared Edge and Compute Cluster in Region A  104
    Create Reservations for the User Edge Resources in Region A  106
    Create Virtual Machines Using VM Templates in the Content Library in Region A  108
    Convert Virtual Machines to VM Templates in Region A  109
    Configure Single Machine Blueprints in Region A  110
    Create a Service Catalog in Region A  111
    Create a Single Machine Blueprint in Region A  111
    Create Entitlements for Business Groups in Region A  114
    Configure Entitlements for Blueprints in Region A  115
    Test the Deployment of a Single Machine Blueprint in Region A  116


1 About VMware Validated Design Deployment of Region A

The VMware Validated Design Deployment of Region A documentation provides step-by-step instructions for installing, configuring, and operating a software-defined data center (SDDC) based on the VMware Validated Design for Software-Defined Data Center, using the VMware Cloud Builder virtual appliance to automate the implementation of this Validated Design.

The VMware Validated Design Deployment of Region A documentation does not contain step-by-step instructions for performing all required post-configuration tasks because their nature often depends on the requirements of your organization.

Intended Audience

The VMware Validated Design Deployment of Region A documentation is intended for cloud architects, infrastructure administrators, and cloud administrators who are familiar with and want to use VMware software to deploy in a short time and manage an SDDC that meets the requirements for capacity, scalability, backup and restore, and extensibility for disaster recovery support.

Required VMware Software

The VMware Validated Design Deployment of Region A documentation is compliant and validated with certain product versions. See VMware Validated Design Release Notes for more information about supported product versions.

Before You Apply This Guidance

The sequence of the documentation of VMware Validated Design follows the stages for implementing and maintaining an SDDC. See Documentation Map for VMware Validated Design.

To use VMware Validated Design Deployment of Region A, you must be acquainted with the following guidance:

• Introducing VMware Validated Designs

• Optionally, VMware Validated Design Architecture and Design

• VMware Validated Design Planning and Preparation


Update History

This VMware Validated Design Deployment of Region A is updated with each release of the product or when necessary.

Revision     Description
14 JAN 2020  • The content is now updated for the VMware Validated Design 5.1.1 release.
             • Updated the procedure for creating Distributed Firewall rules by adding steps to generate firewall rules for the TCP protocol. See Create Distributed Firewall Rules in Region A.
             • Changed the compute resource for data collection when creating a single machine blueprint. See Create a Single Machine Blueprint in Region A.
12 SEP 2019  The Active Directory prerequisite now includes computer objects. See Prerequisites for Automated SDDC Deployment in Region A.
18 JUL 2019  Initial release.


2 Prepare the Environment for Deployment in Region A

Before you start the automated deployment of VMware Validated Design for Software-Defined Data Center by using VMware Cloud Builder, your environment must meet target prerequisites and be in a specific starting state. Prepare each layer of the SDDC by deploying and configuring the necessary infrastructure, operational, and management components.

• Prerequisites for Virtual Infrastructure Layer Implementation in Region A

  To prepare the virtual infrastructure layer of the SDDC, you first install ESXi on all hosts for the management cluster and for the shared edge and compute cluster, then you configure the management network, DNS, NTP, and SSH services.

• Prerequisites for Operations Management Layer Implementation in Region A

  To prepare the operations management layer for automated deployment of the SDDC components with Cloud Builder, you deploy and configure a Linux virtual machine for vSphere® Update Manager™.

• Prerequisites for Cloud Management Layer Implementation in Region A

  To prepare the cloud management layer for automated deployment of the SDDC components using Cloud Builder, you deploy and configure the Master Windows system for vRealize Automation Infrastructure as a Service (IaaS) nodes and deploy and configure the external SQL server for vRealize Automation.

• Generate Certificates for the SDDC Components in Region A

  To ensure secure and operational connectivity between the SDDC components, you generate new signed certificates for the SDDC components.

Prerequisites for Virtual Infrastructure Layer Implementation in Region A

To prepare the virtual infrastructure layer of the SDDC, you first install ESXi on all hosts for the management cluster and for the shared edge and compute cluster, then you configure the management network, DNS, NTP, and SSH services.

Procedure

1 Prerequisites for Installation of ESXi Hosts in Region A

2 Install ESXi Interactively on All Hosts in Region A


3 Configure the Network on All Hosts in Region A

After the initial boot, use the ESXi Direct Console User Interface (DCUI) for initial host network configuration and administrative access.

4 Configure the Virtual Machine Network Port Group on All Hosts in Region A

You perform the network configuration for each ESXi host by using the VMware Host Client.

5 Configure SSH and NTP on All Hosts in Region A

Complete the initial configuration of all ESXi hosts by enabling the TSM-SSH service. You also configure the NTP service to avoid time synchronization issues in the SDDC.

6 Mount NFS Storage on All ESXi Hosts in Region A

This VMware Validated Design uses NFS storage as secondary storage for the SDDC management components. You mount the NFS storage to provide storage capacity for archiving log data, backup, and application templates.

7 Configure DNS Settings for the Platform Services Controller Load Balancer in Region A

This validated design deploys two VMware Platform Services Controller™ instances behind a load balancer implemented through NSX Data Center for vSphere. When you prepare your environment for automated deployment with Cloud Builder, NSX Data Center for vSphere is not yet available. To emulate an existing load balancer IP address, you perform a DNS configuration.

Prerequisites for Installation of ESXi Hosts in Region A

You prepare for the installation and configuration of all VMware ESXi™ hosts in the management cluster and in the shared edge and compute cluster. You use the same process to install and configure the hosts for both clusters.

Before you start:

• Download the ESXi ISO.

• Make sure that you have a host machine for SDDC access. You use this host to connect to the data center and perform configuration steps.

IP Addresses, Host Names, and Network Configuration

The following values are required to configure your hosts.

Table 2-1. Management Cluster Hosts

FQDN                                IP             VLAN ID  Default Gateway  NTP Servers
sfo01m01esx01.sfo01.rainpole.local  172.16.11.101  1611     172.16.11.253    ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local
sfo01m01esx02.sfo01.rainpole.local  172.16.11.102  1611     172.16.11.253    ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local


Table 2-1. Management Cluster Hosts (continued)

FQDN                                IP             VLAN ID  Default Gateway  NTP Servers
sfo01m01esx03.sfo01.rainpole.local  172.16.11.103  1611     172.16.11.253    ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local
sfo01m01esx04.sfo01.rainpole.local  172.16.11.104  1611     172.16.11.253    ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local

Table 2-2. Shared Edge and Compute Cluster Hosts

FQDN                                IP             VLAN ID  Default Gateway  NTP Servers
sfo01w01esx01.sfo01.rainpole.local  172.16.31.101  1631     172.16.31.253    ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local
sfo01w01esx02.sfo01.rainpole.local  172.16.31.102  1631     172.16.31.253    ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local
sfo01w01esx03.sfo01.rainpole.local  172.16.31.103  1631     172.16.31.253    ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local
sfo01w01esx04.sfo01.rainpole.local  172.16.31.104  1631     172.16.31.253    ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local

Install ESXi Interactively on All Hosts in Region A

Install ESXi on all hosts in the management and the shared edge and compute clusters interactively.

Repeat this procedure for all hosts in the management and the shared edge and compute clusters. Enter the respective values from the prerequisites section for each host that you configure. See Prerequisites for Installation of ESXi Hosts in Region A.

Procedure

1 Power on the sfo01m01esx01 host.

2 Mount and boot from ESXi ISO.

3 For VMware Validated Design 5.1, on the Welcome to the VMware ESXi 6.7 U2 Installation screen, press Enter to start the installation.

4 For VMware Validated Design 5.1.1, on the Welcome to the VMware ESXi 6.7 U3 Installation screen, press Enter to start the installation.

5 On the End User License Agreement (EULA) screen, press F11 to accept the EULA.


6 On the Select a Disk to Install or Upgrade screen, select the USB drive under local storage to install ESXi and press Enter to continue.

7 Select the keyboard layout and press Enter.

8 Enter the esxi_root_user_password, enter the password a second time to confirm the spelling, and press Enter.

9 On the Confirm Install screen, press F11 to start the installation.

10 After the installation completes successfully, unmount the USB drive and press Enter to reboot the host.

Configure the Network on All Hosts in Region A

After the initial boot, use the ESXi Direct Console User Interface (DCUI) for initial host network configuration and administrative access.

Perform the following tasks to configure the host network settings:

• Configure the network adapter (vmk0) and VLAN ID for the Management Network.

• Configure the IP address, subnet mask, gateway, DNS server, and FQDN for the ESXi host.

Repeat this procedure for all hosts in the management and shared edge and compute clusters. Enter the respective values from the prerequisites section for each host that you configure. See Prerequisites for Installation of ESXi Hosts in Region A.


Procedure

1 Open the DCUI on the sfo01m01esx01.sfo01.rainpole.local ESXi host.

a Open a console window to the host.

b Press F2 to enter the DCUI.

c Log in by using the following credentials.

Setting Value

User name root

Password esxi_root_user_password

2 Configure the network.

a Select Configure Management Network and press Enter.

b Select VLAN (Optional) and press Enter.

c Enter 1611 as the VLAN ID for the Management Network and press Enter.

d Select IPv4 Configuration and press Enter.

e Configure the IPv4 network settings and press Enter.

Setting Value

Set static IPv4 address and network configuration Selected

IPv4 Address 172.16.11.101

Subnet Mask 255.255.255.0

Default Gateway 172.16.11.253

f Select DNS Configuration and press Enter.

g Configure the DNS settings and press Enter.

Setting Value

Use the following DNS Server address and hostname Selected

Primary DNS Server 172.16.11.5

Alternate DNS Server 172.16.11.4

Hostname sfo01m01esx01.sfo01.rainpole.local

h Select Custom DNS Suffixes and press Enter.

i Ensure that there are no suffixes listed and press Enter.

3 Press Escape to exit and press Y to confirm the changes.


Configure the Virtual Machine Network Port Group on All Hosts in Region A

You perform the network configuration for each ESXi host by using the VMware Host Client.

You configure the VLAN ID of the VM Network port group on the vSphere Standard Switch. This configuration provides connectivity and common network configuration for the virtual machines that reside on each host.

You repeat this procedure for all hosts in the management and the shared edge and compute clusters with the following VLAN IDs.

Table 2-3. Default VM Network Port Group for the Management and the Shared Edge and Compute Clusters

Host                                VLAN ID
sfo01m01esx01.sfo01.rainpole.local  1611
sfo01m01esx02.sfo01.rainpole.local  1611
sfo01m01esx03.sfo01.rainpole.local  1611
sfo01m01esx04.sfo01.rainpole.local  1611
sfo01w01esx01.sfo01.rainpole.local  1631
sfo01w01esx02.sfo01.rainpole.local  1631
sfo01w01esx03.sfo01.rainpole.local  1631
sfo01w01esx04.sfo01.rainpole.local  1631

Procedure

1 In a Web browser, log in to the ESXi host by using the VMware Host Client.

Settings Value

URL https://sfo01m01esx01.sfo01.rainpole.local/ui

User name root

Password esxi_root_user_password

2 Click OK to join the Customer Experience Improvement Program.

3 Configure a VLAN for the VM Network port group.

a In the navigation pane, click Networking.

b Click the Port groups tab, select the VM network port group, and click Edit Settings.

c On the Edit port group - VM network page, enter 1611 for VLAN ID, and click Save.

Configure SSH and NTP on All Hosts in Region A

Complete the initial configuration of all ESXi hosts by enabling the TSM-SSH service. You also configure the NTP service to avoid time synchronization issues in the SDDC.


Repeat this procedure for all hosts in the management and the shared edge and compute clusters. See Prerequisites for Installation of ESXi Hosts in Region A.

Procedure

1 In a Web browser, log in to the ESXi host by using the VMware Host Client.

Settings Value

URL https://sfo01m01esx01.sfo01.rainpole.local/ui

User name root

Password esxi_root_user_password

2 Configure and start the TSM-SSH service.

a In the navigation pane, click Manage and click the Services tab.

b Select the TSM-SSH service, and click the Actions menu.

c Select Policy and click Start and stop with host.

d To start the service, click Start.

3 Configure and start the NTP service.

a In the navigation pane, click Manage, and click the System tab.

b Click Time & date and click Edit settings.

c On the Edit time configuration page, select the Use Network Time Protocol (enable NTP client) radio button, and change the NTP service startup policy to Start and stop with host.

d In the NTP servers text box, enter ntp.sfo01.rainpole.local,ntp.lax01.rainpole.local, and click Save.

e To start the service, click Actions, select NTP service, and click Start.

Mount NFS Storage on All ESXi Hosts in Region A

This VMware Validated Design uses NFS storage as secondary storage for the SDDC management components. You mount the NFS storage to provide storage capacity for archiving log data, backup, and application templates.

Repeat this procedure for all hosts in the management and the shared edge and compute clusters. See Prerequisites for Installation of ESXi Hosts in Region A.

Prerequisites

Verify that you allocated static IP addresses for each ESXi VMkernel storage port.


Procedure

1 In a Web browser, log in to the ESXi host by using the VMware Host Client.

Settings Value

URL https://sfo01m01esx01.sfo01.rainpole.local/ui

User name root

Password esxi_root_user_password

2 Configure the Maximum Transmission Units (MTU) on the standard virtual switch.

a In the navigation pane, click Networking and click Virtual switches.

b Click vSwitch0 and click Edit settings.

c On the Edit standard virtual switch page, enter the values, and click Save.

Setting Value

MTU 9000

Uplink1 vmnic0-Up

3 Configure a VMkernel storage port on all ESXi hosts.

a In the navigation pane, select Networking.

b Select the VMkernel NICs tab and click Add VMkernel NIC.

c In the Add VMkernel NIC page, enter the values, and click Create.

Setting         Value for the Management Cluster  Value for the Shared Edge and Compute Cluster
Port Group      New port group                    New port group
New Port Group  Storage                           Storage
Virtual Switch  vSwitch0                          vSwitch0
VLAN ID         1615                              1625
MTU             9000                              9000
IP version      IPv4 only                         IPv4 only
IPv4 settings   Static                            Static
Address         172.16.15.101                     172.16.25.101
Subnet mask     255.255.255.0                     255.255.255.0
TCP/IP stack    Default TCP/IP stack              Default TCP/IP stack
Services        Deselected                        Deselected

4 Mount the NFS datastore on the ESXi host.

a In the navigation pane, click Storage.

b Click the Datastores tab and click New datastore.


c On the Select creation type page, select Mount NFS datastore and click Next.

d On the Provide NFS mount details page, configure the values, and click Next.

Setting      Value for the Management Cluster  Value for the Shared Edge and Compute Cluster
Name         sfo01-m01-bkp01                   sfo01-w01-lib01
NFS Server   172.16.15.251                     172.16.25.251
NFS Share    /VVD_backup01_nfs01_MgmtA_6TB     /VVD_vRA_ComputeA_1TB
NFS Version  NFS 3                             NFS 3

e On the Ready to complete page, click Finish.
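The Host Client steps of the three preceding procedures (VM Network VLAN, TSM-SSH and NTP, vSwitch0 MTU, the Storage VMkernel port and the NFS mount), as an added VMware PowerCLI example that is not part of the VMware guide: it connects to each ESXi host directly, because vCenter Server does not exist yet at this stage, and assumes PowerCLI is installed on the SDDC access host; the function name Set-VvdHostBaseline is our own.

```powershell
# Added example, not code from the VMware Validated Design guide. Assumes PowerCLI.
# The hosts still carry self-signed certificates at this point; warn rather than fail
# on them for this session only (the SDDC certificates are replaced later in this chapter).
Set-PowerCLIConfiguration -InvalidCertificateAction Warn -Scope Session -Confirm:$false | Out-Null

$NtpServers = 'ntp.sfo01.rainpole.local', 'ntp.lax01.rainpole.local'

function Set-VvdHostBaseline {
    param(
        [Parameter(Mandatory)] [string]       $Fqdn,
        [Parameter(Mandatory)] [int]          $VmNetworkVlan,   # Table 2-3
        [Parameter(Mandatory)] [int]          $StorageVlan,     # Storage port group, step 3 c
        [Parameter(Mandatory)] [string]       $StorageIp,
        [Parameter(Mandatory)] [string]       $NfsName,         # NFS datastore, step 4 d
        [Parameter(Mandatory)] [string]       $NfsServer,
        [Parameter(Mandatory)] [string]       $NfsShare,
        [Parameter(Mandatory)] [pscredential] $Credential       # root / esxi_root_user_password
    )
    $conn = Connect-VIServer -Server $Fqdn -Credential $Credential -ErrorAction Stop
    try {
        $vmhost = Get-VMHost -Server $conn -Name $Fqdn

        # VLAN ID of the VM Network port group on the standard switch (Table 2-3).
        Get-VirtualPortGroup -VMHost $vmhost -Name 'VM Network' |
            Set-VirtualPortGroup -VLanId $VmNetworkVlan -Confirm:$false | Out-Null

        # Add the NTP servers before starting ntpd, so it has peers to synchronize with.
        $present = @(Get-VMHostNtpServer -VMHost $vmhost)
        $missing = @($NtpServers | Where-Object { $_ -notin $present })
        if ($missing.Count -gt 0) {
            Add-VMHostNtpServer -VMHost $vmhost -NtpServer $missing -Confirm:$false | Out-Null
        }

        # TSM-SSH and ntpd: "Start and stop with host" is PowerCLI service policy On.
        foreach ($key in 'TSM-SSH', 'ntpd') {
            $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq $key }
            $svc = Set-VMHostService -HostService $svc -Policy On -Confirm:$false
            if (-not $svc.Running) {
                Start-VMHostService -HostService $svc -Confirm:$false | Out-Null
            }
        }

        # Jumbo frames on vSwitch0, then the Storage port group and its VMkernel NIC
        # (no services selected, default TCP/IP stack), then the NFS 3 datastore.
        $vswitch = Get-VirtualSwitch -VMHost $vmhost -Name vSwitch0
        Set-VirtualSwitch -VirtualSwitch $vswitch -Mtu 9000 -Confirm:$false | Out-Null
        New-VirtualPortGroup -VirtualSwitch $vswitch -Name Storage -VLanId $StorageVlan | Out-Null
        New-VMHostNetworkAdapter -VMHost $vmhost -VirtualSwitch $vswitch -PortGroup Storage `
            -IP $StorageIp -SubnetMask 255.255.255.0 -Mtu 9000 | Out-Null
        New-Datastore -VMHost $vmhost -Nfs -Name $NfsName -NfsHost $NfsServer -Path $NfsShare | Out-Null
    }
    finally {
        Disconnect-VIServer -Server $conn -Confirm:$false
    }
}

# Prompt for the root password instead of embedding it in the script.
$rootCred = Get-Credential -UserName root -Message 'Enter esxi_root_user_password'

# First host of each cluster with the values from the tables above; repeat for the
# other hosts (the guide gives the storage VMkernel address of the first host only).
Set-VvdHostBaseline -Fqdn sfo01m01esx01.sfo01.rainpole.local -VmNetworkVlan 1611 -StorageVlan 1615 `
    -StorageIp 172.16.15.101 -NfsName sfo01-m01-bkp01 -NfsServer 172.16.15.251 `
    -NfsShare /VVD_backup01_nfs01_MgmtA_6TB -Credential $rootCred
Set-VvdHostBaseline -Fqdn sfo01w01esx01.sfo01.rainpole.local -VmNetworkVlan 1631 -StorageVlan 1625 `
    -StorageIp 172.16.25.101 -NfsName sfo01-w01-lib01 -NfsServer 172.16.25.251 `
    -NfsShare /VVD_vRA_ComputeA_1TB -Credential $rootCred
```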

Configure DNS Settings for the Platform Services Controller Load Balancer in Region A

This validated design deploys two VMware Platform Services Controller™ instances behind a load balancer implemented through NSX Data Center for vSphere. When you prepare your environment for automated deployment with Cloud Builder, NSX Data Center for vSphere is not yet available. To emulate an existing load balancer IP address, you perform a DNS configuration.

Prerequisites

Verify that the following static IP addresses are allocated.

• Static IP address for the Management Platform Services Controller

• Static IP address for the Platform Services Controller Load Balancer Virtual IP

Table 2-4. IP Addresses and Host Names for the Platform Services Controller Load Balancer and the Platform Services Controller for the Management Cluster

Component                                                Hostname       IP Address    Domain
Platform Services Controller Load Balancer               sfo01psc01     172.16.11.71  sfo01.rainpole.local
Platform Services Controller for the Management Cluster  sfo01m01psc01  172.16.11.61  sfo01.rainpole.local

Procedure

1 Log in to the dc01rpl.rainpole.local DNS server.

2 Open the Windows Start menu, in the Search bar, enter dnsmgmt.msc, and press Enter.

The DNS Manager dialog box appears.


3 Create an A Record for the Platform Services Controller Load Balancer VIP.

a In the DNS Manager dialog box, expand Forward Lookup Zones.

b Right-click the sfo01.rainpole.local zone and select New Host (A or AAAA).

c Enter the following values and click Add Host.

Setting Value

Name sfo01psc01

Fully qualified domain name (FQDN) sfo01psc01.sfo01.rainpole.local

IP address 172.16.11.61

Create associated pointer (PTR) record Deselected

Important To create an operational network configuration for sfo01psc01.sfo01.rainpole.local, Cloud Builder requires forward lookup with IP 172.16.11.61 and reverse lookup with IP 172.16.11.71 (the load balancer VIP). Ensure that the A record and the pointer (PTR) record are not associated and point to different IPs.

4 Create a pointer (PTR) record for the Platform Services Controller Load Balancer VIP and point it to the A record of the Platform Services Controller Load Balancer VIP.

a In the DNS Manager dialog box, expand Reverse Lookup Zones.

b Right-click the 11.16.172.in-addr.arpa zone and select New Pointer (PTR)…

c Configure the following values and click OK.

Setting Value

Host IP address 172.16.11.71

Fully qualified domain name (FQDN) 71.11.16.172.in-addr.arpa

Host name sfo01psc01.sfo01.rainpole.local
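The A and PTR records of steps 3 and 4, followed by the forward and reverse lookups that the Important note says Cloud Builder performs, as an added example that is not from the VMware guide: it assumes the DnsServer PowerShell module on dc01rpl.rainpole.local and a DNS administrator account, and the helper name Test-PscLoadBalancerDns is our own.

```powershell
# Added example, not code from the VMware Validated Design guide.
# Assumes the DnsServer module (Windows DNS role) and DNS administrator rights.
$Zone        = 'sfo01.rainpole.local'
$ReverseZone = '11.16.172.in-addr.arpa'
$Name        = 'sfo01psc01'
$Fqdn        = "$Name.$Zone"
$PscIp       = '172.16.11.61'   # A record target: the management Platform Services Controller
$Vip         = '172.16.11.71'   # PTR owner: the load balancer VIP
$DnsServer   = 'dc01rpl.rainpole.local'

# Step 3: A record created without -CreatePtr, matching "Create associated pointer
# (PTR) record: Deselected", so no PTR for 172.16.11.61 appears as a side effect.
$existingA = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
    -Name $Name -RRType A -ErrorAction SilentlyContinue
if (-not $existingA) {
    Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone -Name $Name -IPv4Address $PscIp
}

# Step 4: PTR for the VIP. Inside 11.16.172.in-addr.arpa the record name is the host octet (71).
$PtrName = ($Vip -split '\.')[-1]
$existingPtr = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ReverseZone `
    -Name $PtrName -RRType Ptr -ErrorAction SilentlyContinue
if (-not $existingPtr) {
    Add-DnsServerResourceRecordPtr -ComputerName $DnsServer -ZoneName $ReverseZone `
        -Name $PtrName -PtrDomainName $Fqdn
}

function Test-PscLoadBalancerDns {
    param([string] $Fqdn, [string] $PscIp, [string] $Vip, [string] $Server)
    # Query the DNS server directly, bypassing the hosts file and local cache,
    # so a stale entry on the admin workstation cannot mask a wrong record.
    $forward = Resolve-DnsName -Name $Fqdn -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
    $reverse = Resolve-DnsName -Name $Vip -Type PTR -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'PTR' } | ForEach-Object { $_.NameHost }
    # Failure mode the Important note warns about: a PTR was auto-created for the A record's
    # IP, so the reverse lookup of the PSC address also answers with the load balancer name.
    $stale = Resolve-DnsName -Name $PscIp -Type PTR -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'PTR' -and $_.NameHost -eq $Fqdn }
    [pscustomobject]@{
        ForwardResolvesToPsc     = ($forward -contains $PscIp)   # sfo01psc01 -> 172.16.11.61
        ReverseResolvesVipToName = ($reverse -contains $Fqdn)    # 172.16.11.71 -> sfo01psc01
        StalePtrOnPscIp          = [bool] $stale                 # must stay $false
    }
}

Test-PscLoadBalancerDns -Fqdn $Fqdn -PscIp $PscIp -Vip $Vip -Server $DnsServer
```

Continue with Cloud Builder only when the first two properties are True and StalePtrOnPscIp is False; a True there means the PTR followed the A record and the load balancer VIP emulation will not work.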

Prerequisites for Operations Management Layer Implementation in Region A

To prepare the operations management layer for automated deployment of the SDDC components with Cloud Builder, you deploy and configure a Linux virtual machine for vSphere® Update Manager™.

Procedure

1 Deploy and Configure a Linux Virtual Machine for vSphere Update Manager Download Service in Region A

Before you deploy vSphere Update Manager with Cloud Builder, you deploy and configure a virtual machine with an Ubuntu Server operating system.


Deploy and Configure a Linux Virtual Machine for vSphere Update Manager Download Service in Region A

Before you deploy vSphere Update Manager with Cloud Builder, you deploy and configure a virtual machine with an Ubuntu Server operating system.

You create a virtual machine on the sfo01m01esx01.sfo01.rainpole.local host for vSphere Update Manager Download Service with the following virtual machine and network configuration requirements. Ensure that the virtual machine has access to the Internet.

Table 2-5. Virtual Machine Requirements for the vSphere Update Manager Download Service Linux VM

Setting Value

ESXi Host sfo01m01esx01

VM Name sfo01umds01

Guest OS Ubuntu Server 18.04 LTS

CPU 2

Memory 2 GB

Hard Disk 120 GB

SCSI Controller LSI Logic SAS

Network Interface VM Network

Network Adapter Type VMXNET3

Datastore sfo01-m01-bkp01

Table 2-6. Network Requirements for the vSphere Update Manager Download Service Linux VM

Setting Value

Host Name sfo01umds01

Static IPv4 Address 172.16.11.67

Default Gateway 172.16.11.253

Subnet Mask 255.255.255.0

DNS Server 172.16.11.5, 172.16.11.4

DNS Domain sfo01.rainpole.local

DNS Search sfo01.rainpole.local

Procedure

1 Deploy the vSphere Update Manager Download Service Linux VM with the specified configuration.


2 In a Web browser, log in to the ESXi host by using the VMware Host Client.

Settings Value

URL https://sfo01m01esx01.sfo01.rainpole.local/ui

User name root

Password esxi_root_user_password

3 In the navigation pane, click Virtual machines.

4 Select the sfo01umds01 virtual machine, click Console, and select Open browser console.

5 Create the svc-umds service account for vSphere Update Manager Download Service.

a Run the command for adding the user.

adduser svc-umds

b When prompted, enter and confirm the password, and provide the svc-umds full user name.

6 Assign administrative privileges to the svc-umds service account by running the following command.

usermod -aG sudo svc-umds

7 Install Secure Shell (SSH) server by running the following command.

sudo apt-get update

sudo apt-get -y install ssh

8 Verify the status of the SSH service by running the following command.

service ssh status

9 Install Expect and Nginx packages for Ubuntu by running the following commands.

sudo apt-get install -y expect

sudo apt-get install -y nginx


Prerequisites for Cloud Management Layer Implementation in Region A

To prepare the cloud management layer for automated deployment of the SDDC components using Cloud Builder, you deploy and configure the Master Windows system for vRealize Automation Infrastructure as a Service (IaaS) nodes and deploy and configure the external SQL server for vRealize Automation.

Procedure

1 Deploy and Configure the Master Windows System for vRealize Automation IaaS Nodes in Region A

You deploy and configure a single Master Windows system virtual machine which will be cloned and reconfigured during the SDDC deployment to provision the vRealize Automation IaaS components - IaaS Web Servers, IaaS Manager Service Servers, IaaS DEM Servers, and IaaS Proxy Servers.

2 Deploy and Configure the External SQL Server for vRealize Automation in Region A

You deploy and configure a Windows virtual machine to host the SQL Server database required for the vRealize Automation IaaS components. After you install the SQL Server instance, you perform additional configurations to allow Cloud Builder to perform the initial validation and deploy the necessary vRealize Automation components.

Deploy and Configure the Master Windows System for vRealize Automation IaaS Nodes in Region A

You deploy and configure a single Master Windows system virtual machine which will be cloned and reconfigured during the SDDC deployment to provision the vRealize Automation IaaS components - IaaS Web Servers, IaaS Manager Service Servers, IaaS DEM Servers, and IaaS Proxy Servers.

You create a virtual machine on the sfo01m01esx01.sfo01.rainpole.local host for the Master Windows system with the following virtual machine, software, and network configuration.

Table 2-7. Virtual Machine Requirements for the Master Windows System

Setting Value

ESXi Host sfo01m01esx01

VM Name master-iaas-vm

Guest OS Microsoft Windows Server 2016 (64-bit)

vCPU 2

Memory 8 GB

Virtual Disk 60 GB

SCSI Controller LSI Logic SAS

Datastore sfo01-m01-bkp01

Network Interface VM Network

Network Adapter Type 1 x VMXNET3


Network Requirements:

- Verify that you allocated a static or DHCP IP address for the Master Windows system.

- Verify that the Master Windows system has access to the Internet.

Table 2-8. Software Requirements for the Master Windows System

Component Requirement

Operating System Windows Server 2016 (64-bit)

VMware Tools Latest version

Active Directory Join the virtual machine to the sfo01.rainpole.local domain.

Internet Explorer Enhanced Security Configuration Turn off ESC.

Remote Desktop Protocol Enable RDP access.

Secondary Logon Service Start Secondary Logon service and set start-up type to Automatic.

Procedure

1 Deploy the Master Windows System for vRealize Automation with the specified configuration.

2 Log in to the vRealize Automation Master Windows virtual machine by using a Remote Desktop Protocol (RDP) client.

Settings Value

FQDN vRealize Automation Master Windows virtual machine

User name Windows administrator user

Password windows_administrator_password

3 Click Start, right-click Windows PowerShell, and select More > Run as Administrator.

4 Set the execution policy.

a Run the command for setting the execution policy.

Set-ExecutionPolicy Unrestricted

b When prompted, confirm the execution policy change.

5 Disable User Account Control (UAC) by running the following command.

Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value "0"

6 Disable IPv6 protocol.

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters" -Name "DisabledComponents" -Value 0xff


7 Verify that the source path for Microsoft Windows Server is available.

a Mount the Microsoft Windows Server ISO file on the Master Windows system virtual machine.

b Create the \sources\sxs directory by running the following command in Windows PowerShell.

mkdir C:\sources\sxs

c Copy the Microsoft Windows Server source files from sources\sxs on the ISO file to the C:\sources\sxs directory on the virtual machine.

d Update the registry with the full system path of the Microsoft Windows Server source files by running the following commands in Windows PowerShell.

New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing"

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing" -Name "LocalSourcePath" -Value "c:\sources\sxs"

e Unmount the Microsoft Windows Server ISO file.

8 Add the svc-vra service account to the Local Administrators group.

a Click Start, right-click Windows PowerShell, and select More > Run as Administrator.

b Run the following command.

net localgroup administrators rainpole\svc-vra /add

9 Create the svc-vra user profile by logging in to the vRealize Automation Master Windows virtual machine.

a Open an RDP connection to the virtual machine.

b Log in using the following credentials.

Setting Value

User name rainpole\svc-vra

Password svc-vra_password

After the successful login, the svc-vra user profile is created.

10 Shut down the Master Windows system virtual machine.
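The registry and group changes in steps 4 to 8 above are easy to mistype and are baked into every IaaS node cloned from this VM, so it is worth applying them from one script and reading each setting back before shutting the master down. The following is an added example written for this page, not a script from the VMware Validated Design guide; it assumes the Windows Server ISO is mounted as drive D: and uses the rainpole\svc-vra account and paths named in the procedure.

```powershell
# Added example (not from the VMware Validated Design guide): applies the
# Master Windows system settings from steps 4 to 8 and reads each one back.
# Run in an elevated Windows PowerShell session on master-iaas-vm.
# Assumption: the Windows Server ISO is mounted as drive D:.

$IsoDrive     = 'D:'                       # assumption: drive letter of the mounted ISO
$SourcePath   = 'C:\sources\sxs'
$ServiceAcct  = 'rainpole\svc-vra'
$SystemPolicy = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Tcpip6Params = 'HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters'
$ServicingKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing'

# Step 4: execution policy, set as the guide requires (scoped to the machine).
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force

# Step 5: disable UAC (EnableLUA = 0), required for the IaaS installation.
Set-ItemProperty -Path $SystemPolicy -Name 'EnableLUA' -Value 0 -Type DWord

# Step 6: disable the IPv6 components (DisabledComponents = 0xff).
Set-ItemProperty -Path $Tcpip6Params -Name 'DisabledComponents' -Value 0xff -Type DWord

# Step 7: stage the side-by-side sources and register their path for servicing.
New-Item -ItemType Directory -Path $SourcePath -Force | Out-Null
Copy-Item -Path "$IsoDrive\sources\sxs\*" -Destination $SourcePath -Recurse -Force
if (-not (Test-Path $ServicingKey)) { New-Item -Path $ServicingKey -Force | Out-Null }
Set-ItemProperty -Path $ServicingKey -Name 'LocalSourcePath' -Value $SourcePath -Type String

# Step 8: local Administrators membership for the service account
# (Add-LocalGroupMember is the cmdlet form of "net localgroup ... /add").
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $ServiceAcct -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $ServiceAcct
}

# Read every setting back so a wrong path or value is caught before cloning.
$checks = @(
    @{ Name = 'ExecutionPolicy';  Ok = (Get-ExecutionPolicy -Scope LocalMachine) -eq 'Unrestricted' },
    @{ Name = 'UAC disabled';     Ok = (Get-ItemProperty $SystemPolicy).EnableLUA -eq 0 },
    @{ Name = 'IPv6 disabled';    Ok = (Get-ItemProperty $Tcpip6Params).DisabledComponents -eq 0xff },
    @{ Name = 'LocalSourcePath';  Ok = (Get-ItemProperty $ServicingKey).LocalSourcePath -eq $SourcePath },
    @{ Name = 'sxs files staged'; Ok = (Get-ChildItem $SourcePath -File | Measure-Object).Count -gt 0 },
    @{ Name = 'svc-vra is admin'; Ok = [bool](Get-LocalGroupMember -Group 'Administrators' -Member $ServiceAcct -ErrorAction SilentlyContinue) }
)
foreach ($c in $checks) {
    '{0,-18} {1}' -f $c.Name, $(if ($c.Ok) { 'PASS' } else { 'FAIL' })
}
```

Run it once, unmount the ISO, then complete step 9 (the interactive svc-vra logon that creates the profile) and step 10 as written; a FAIL line points at the exact step to repeat by hand.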

Deploy and Configure the External SQL Server for vRealize Automation in Region A

You deploy and configure a Windows virtual machine to host the SQL Server database required for the vRealize Automation IaaS components. After you install the SQL Server instance, you perform additional configurations to allow Cloud Builder to perform the initial validation and deploy the necessary vRealize Automation components.


You create a virtual machine on the sfo01m01esx01.sfo01.rainpole.local host for the SQL Server with the following virtual machine, software, and network configuration requirements.

Table 2-9. Virtual Machine Requirements for the External vRealize Automation SQL Server

Setting Value

ESXi Host sfo01m01esx01

VM Name vra01mssql01

Guest OS Microsoft Windows Server 2016

vCPU 8

Memory (GB) 16

Hard Disk (GB) 200

SCSI Controller LSI Logic SAS

Datastore sfo01-m01-bkp01

Network Interface VM Network

Network Adapter Type 1 x VMXNET3

Table 2-10. Network Requirements for the External vRealize Automation SQL Server

Setting Value

Host Name vra01mssql01

Static IPv4 Address 172.16.11.72

Subnet Mask 255.255.255.0

Default Gateway 172.16.11.253

DNS Server 172.16.11.5, 172.16.11.4

FQDN vra01mssql01.rainpole.local

Table 2-11. Software Requirements for the External vRealize Automation SQL Server

Component Requirement

Operating System Microsoft Windows Server 2016

VMware Tools Latest version

SQL Server
- Microsoft SQL Server 2017 Standard Edition or higher
- Microsoft SQL Server Management Studio
- Instance Configuration: Default Instance (MSSQLSERVER)
- SQL Server Network Configuration: Default TCP Port (1433)

Important During the SQL Server installation, the Database Engine configuration wizard prompts you to provide the user name and password for the SQL Server administrator. If this user is not added during the SQL Server installation, select SQL Authentication from the Authentication drop-down menu, enter sa in the User name text box, and sa_password in the Password text box.


Active Directory Join the virtual machine to the rainpole.local domain.

Remote Desktop Protocol Enable RDP access.

Privileges Verify that the svc-vra service account is a member of the Local Administrators group for the SQL server virtual machine.

Procedure

1 Deploy the External vRealize Automation SQL Server VM with the specified configuration.

2 Log in to the SQL Server virtual machine by using a Remote Desktop Protocol (RDP) client.

Settings Value

FQDN vra01mssql01.rainpole.local

User name Windows administrator user

Password windows_administrator_password

3 Enable Microsoft Distributed Transaction Coordinator (MSDTC).

a Click the Windows Start icon, enter comexp.msc, and press Enter.

The Component Services window opens.

b In the left pane, from the Console Root tree, navigate to Component Services > Computers > My Computer > Distributed Transaction Coordinator.

c Right-click Local DTC and select Properties.

d In the Local DTC Properties dialog box, click the Security tab, configure the following values, and click OK.

Setting Value

Network DTC Access Selected

Allow Remote Clients Selected

Allow Remote Administration Selected

Allow Inbound Selected

Allow Outbound Selected

e In the MSDTC Service dialog box, click Yes to restart the MSDTC service.

4 Create the vRealize Automation account in the SQL Server instance.

a Click the Windows Start icon and open Microsoft SQL Server Management Studio.

b In the Connect to Server dialog box, leave the default value in the Server Name text box, select Windows Authentication from the Authentication drop-down menu, and click Connect.


c In the Object Explorer tree, expand the VRA01MSSQL01 server instance, right-click the Security folder, and select New > Login.

d In the Login dialog box, under General, in the Login name text box, enter rainpole\svc-vra.

e On the Server Roles page, select sysadmin and click OK.

5 Create the vRealize Automation database.

a In the Object Explorer section, right-click the Databases folder and select New Database.

The New Database wizard appears.

b In the General page, enter VRADB01 for Database name and rainpole\svc-vra for Owner.

c On the Options page, configure the following recovery model settings, and click OK.

Setting Value

Recovery model Simple

Compatibility level SQL Server 2014 (120)

Other options > Miscellaneous > Allow Snapshot Isolation True

Other options > Miscellaneous > Is Read Committed Snapshot On True

6 Allow access to Microsoft SQL Server on TCP port 1433.

a Click the Windows Start button, type WF.msc, and press Enter.

The Windows Firewall with Advanced Security window appears.

b In the navigation pane, right-click Inbound Rules and select New Rule.

The New Inbound Rule Wizard appears.

c On the Rule Type page, select the Port radio button, and click Next.

d On the Protocol and Ports page, select TCP, enter the port number 1433 in the Specific local ports text box, and click Next.

e On the Action page, select Allow the connection, and click Next.

f On the Profile page, select the Domain, Private, and Public profiles, and click Next.

g On the Name page, enter Microsoft SQL Server Port (1433) and click Finish.

7 Allow access for Microsoft Distributed Transaction Coordinator.

a Click the Windows Start icon, enter WF.msc, and press Enter.

The Windows Firewall with Advanced Security window appears.

b In the navigation pane, right-click Inbound Rules and select New Rule.

The New Inbound Rule Wizard appears.

c On the Rule Type page, click the Predefined radio button, select Distributed Transaction Coordinator, and click Next.


d On the Predefined Rules page, select all rules for Distributed Transaction Coordinator (RPC-EPMAP), Distributed Transaction Coordinator (RPC), and Distributed Transaction Coordinator (TCP-In), and click Next.

e On the Action page, select Allow the connection, and click Finish.

8 Unmount any ISO files mounted to the virtual machine.
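Steps 3 to 7 above are all done through GUI dialogs, which makes them hard to repeat identically on a rebuilt SQL Server VM and hard to audit afterwards. The script below is an added example for this page, not part of the VMware Validated Design guide: it applies the same MSDTC, login, database and firewall settings from an elevated Windows PowerShell session on vra01mssql01 and then reads the database options back. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed and that the session runs as a Windows account that is sysadmin on the default instance.

```powershell
# Added example (not from the VMware Validated Design guide): the external
# SQL Server configuration from steps 3 to 7 as a script, with a read-back.
# Assumptions: SqlServer module present; session is a sysadmin on the instance.

$Instance = 'VRA01MSSQL01'      # default instance, TCP 1433
$Database = 'VRADB01'
$VraLogin = 'rainpole\svc-vra'

# Step 3: Local DTC security settings (network access, remote clients and
# administration, inbound and outbound), then restart the MSDTC service.
Set-DtcNetworkSetting -DtcName 'Local' `
    -RemoteClientAccessEnabled $true -RemoteAdministrationAccessEnabled $true `
    -InboundTransactionsEnabled $true -OutboundTransactionsEnabled $true -Confirm:$false
Restart-Service -Name MSDTC

# Steps 4 and 5: sysadmin login for the service account and the VRADB01
# database with the recovery model, compatibility level and snapshot options
# from the guide. Owner is set with ALTER AUTHORIZATION, as in the wizard.
$setup = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$VraLogin')
    CREATE LOGIN [$VraLogin] FROM WINDOWS;
ALTER SERVER ROLE sysadmin ADD MEMBER [$VraLogin];
IF DB_ID(N'$Database') IS NULL
    CREATE DATABASE [$Database];
ALTER AUTHORIZATION ON DATABASE::[$Database] TO [$VraLogin];
ALTER DATABASE [$Database] SET RECOVERY SIMPLE;
ALTER DATABASE [$Database] SET COMPATIBILITY_LEVEL = 120;
ALTER DATABASE [$Database] SET ALLOW_SNAPSHOT_ISOLATION ON;
ALTER DATABASE [$Database] SET READ_COMMITTED_SNAPSHOT ON WITH ROLLBACK IMMEDIATE;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $setup

# Step 6: inbound TCP 1433 rule. The guide allows all three profiles;
# adding -RemoteAddress with the IaaS subnet narrows it where the design permits.
$RuleName = 'Microsoft SQL Server Port (1433)'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 1433 -Action Allow -Profile Domain,Private,Public | Out-Null
}

# Step 7: the predefined inbound Distributed Transaction Coordinator rules.
Enable-NetFirewallRule -DisplayGroup 'Distributed Transaction Coordinator' -Direction Inbound

# Read back what the vRealize Automation installer depends on.
$state = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT d.name, d.recovery_model_desc, d.compatibility_level,
       d.snapshot_isolation_state_desc, d.is_read_committed_snapshot_on,
       SUSER_SNAME(d.owner_sid) AS owner_name
FROM sys.databases AS d WHERE d.name = N'$Database';
"@
$state | Format-List
$dtc = Get-DtcNetworkSetting -DtcName 'Local'
'DTC remote clients: {0}, inbound: {1}, outbound: {2}' -f `
    $dtc.RemoteClientAccessEnabled, $dtc.InboundTransactionsEnabled, $dtc.OutboundTransactionsEnabled
```

The read-back should show recovery_model_desc SIMPLE, compatibility_level 120, snapshot_isolation_state_desc ON, is_read_committed_snapshot_on 1 and owner_name rainpole\svc-vra; anything else means one of the GUI-equivalent statements did not apply.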

Generate Certificates for the SDDC Components in Region A

To ensure secure and operational connectivity between the SDDC components, you generate new signed certificates for the SDDC components.

You use the Certificate Generation Utility for VMware Validated Design (CertGenVVD) to generate the certificate configuration files based on the deployment specification configured in the Deployment Parameters XLS file for Region A. You then generate new certificates signed by the Microsoft certificate authority (MSCA) for all management products.

You later upload the newly generated and signed certificates to VMware Cloud Builder as part of the deployment and configuration procedure of the virtual appliance.

For information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 70678 and VMware Validated Design Planning and Preparation.

Procedure

1 Prerequisites for Generating Signed Certificates for the SDDC Components in Region A

Before you generate MSCA signed certificates for the SDDC components, verify that your environment fulfills the requirements for this process.

2 Create and Add a Microsoft Certificate Authority Template in Region A

You first set up a Microsoft Certificate Authority template on the Active Directory (AD) servers for the region. The template contains the certificate authority (CA) attributes for signing certificates for the SDDC components. After you create the template, you add it to the certificate templates of the Microsoft CA.

3 Generate Signed Certificates for the SDDC Components in Region A

Use the Certificate Generation Utility for VMware Validated Design (CertGenVVD) to generate new signed certificates for the SDDC components.

Prerequisites for Generating Signed Certificates for the SDDC Components in Region A

Before you generate MSCA signed certificates for the SDDC components, verify that your environment fulfills the requirements for this process.


This VMware Validated Design places the Certificate Authority service on the Active Directory (AD) dc01rpl.rainpole.local (root CA) server. Verify that your environment satisfies the following prerequisites for generating signed certificates for the components of the SDDC.

Certificate Generation Prerequisites

Prerequisite Value

Active Directory
- Verify that the Certificate Authority Service role and the Certificate Authority Web Enrollment role are installed and configured on the Active Directory server.
- Verify that a new Microsoft Certificate Authority template is created and enabled.
- Use a hashing algorithm of SHA-256 or higher on the certificate authority.
- Verify that relevant firewall ports relating to the Microsoft Certificate Authority and related services are open.

Windows Server host
- Verify that the Windows Server host on which you plan to generate the certificates has access to the data center and is joined to the domain of the Microsoft Certificate Authority.
- Install Java Runtime Environment version 1.8 or later.
- Configure the JAVA_HOME environment variable to the Java installation directory.
- Update the PATH system variable to include the bin folder of the Java installation directory.
- Install OpenSSL toolkit version 1.0.2 for Windows.
- Update the PATH system variable to include the bin folder of the OpenSSL installation directory.

Software Features
- Fill in the Deployment Parameters XLS file in Region A. See Deployment Specification in the VMware Validated Design Planning and Preparation documentation.

Installation Packages Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 70678 and extract the ZIP file to the C: drive.

Create and Add a Microsoft Certificate Authority Template in Region A

You first set up a Microsoft Certificate Authority template on the Active Directory (AD) servers for the region. The template contains the certificate authority (CA) attributes for signing certificates for the SDDC components. After you create the template, you add it to the certificate templates of the Microsoft CA.


Procedure

1 Log in to the Active Directory server by using a Remote Desktop Protocol (RDP) client.

FQDN Active Directory Host

User Active Directory administrator

Password ad_admin_password

2 Click Start > Run, enter certtmpl.msc, and click OK.

3 In the Certificate Template Console window, under Template Display Name, right-click Web Server and select Duplicate Template.

4 In the Duplicate Template dialog box, leave Windows Server 2003 Enterprise selected for backward compatibility and click OK.

5 In the Properties of New Template dialog box, click the General tab.

6 In the Template display name text box, enter VMware.

7 Click the Extensions tab and configure the following.

a Select Application Policies and click Edit.

b Select Server Authentication, click Remove, and click OK.

c If present, select the Client Authentication policy, click Remove, and click OK.

d Select Key Usage and click Edit.

e Select the Signature is proof of origin (nonrepudiation) check box.

f Leave the defaults for all other options.

g Click OK.

8 Click the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.

9 Add the new template to the certificate templates of the Microsoft CA.

a Click Start > Run, enter certsrv.msc, and click OK.

b In the Certification Authority window, expand the left pane, right-click Certificate Templates, and select New > Certificate Template to Issue.

c In the Enable Certificate Templates dialog box, select VMware, and click OK.
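A certificate template is a signing policy, so it pays to confirm from the directory, not from the dialog, that the VMware template carries exactly the attributes the procedure above sets before any SDDC certificate is issued against it. The script below is an added example for this page, not part of the VMware Validated Design guide. It reads the template object from the Active Directory configuration partition and checks the subject and key-usage settings; it assumes the ActiveDirectory PowerShell module on a domain-joined host and an account that can read the configuration partition. The bit values and OIDs are the standard ones for AD CS templates, not values taken from the page.

```powershell
# Added example (not from the VMware Validated Design guide): read the VMware
# template back from AD and check the attributes the procedure configures.
# Assumptions: ActiveDirectory module available; read access to the
# configuration partition.

Import-Module ActiveDirectory

$TemplateName = 'VMware'
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # "Supply in the request" (msPKI-Certificate-Name-Flag)
$KU_NON_REPUDIATION = 0x40                         # nonRepudiation bit in the first KeyUsage octet
$EkuServerAuth = '1.3.6.1.5.5.7.3.1'               # Server Authentication
$EkuClientAuth = '1.3.6.1.5.5.7.3.2'               # Client Authentication

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -SearchBase $templatesDN -Filter "cn -eq '$TemplateName'" `
        -Properties pKIExtendedKeyUsage, pKIKeyUsage, msPKI-Certificate-Name-Flag
if (-not $tpl) { throw "Template $TemplateName not found under $templatesDN" }

$eku      = @($tpl.pKIExtendedKeyUsage)
$nameFlag = [int]$tpl.'msPKI-Certificate-Name-Flag'
$ku       = [byte[]]$tpl.pKIKeyUsage
$ku0      = if ($ku.Count) { [int]$ku[0] } else { 0 }

$checks = @(
    @{ Name = 'Server Authentication EKU removed'; Ok = ($eku -notcontains $EkuServerAuth) },
    @{ Name = 'Client Authentication EKU removed'; Ok = ($eku -notcontains $EkuClientAuth) },
    @{ Name = 'Subject supplied in the request';   Ok = (($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0) },
    @{ Name = 'nonRepudiation key usage set';      Ok = (($ku0 -band $KU_NON_REPUDIATION) -ne 0) }
)
foreach ($c in $checks) {
    '{0,-36} {1}' -f $c.Name, $(if ($c.Ok) { 'PASS' } else { 'FAIL' })
}
'Remaining EKUs: ' + $(if ($eku.Count) { $eku -join ', ' } else { '(none)' })
```

The last line lists whatever application policies survived step 7; review that list against what the CertGenVVD requests and the CA are expected to produce, since the template no longer constrains the certificate purpose on its own once both authentication policies are removed.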

Generate Signed Certificates for the SDDC Components in Region A

Use the Certificate Generation Utility for VMware Validated Design (CertGenVVD) to generate new signed certificates for the SDDC components.


Procedure

1 Log in to the Windows Server host that you allocated for certificate generation.

2 Set the execution policy to Unrestricted.

a Click Start, right-click Windows PowerShell, and select More > Run as Administrator.

b Set the execution policy by running the following command.

Set-ExecutionPolicy Unrestricted

c Enter Y to confirm the execution policy change.

3 Prepare the certificate .csv file to generate certificates using CertGenVVD.

a Open the populated Deployment Parameters XLS file and select the CertConfig worksheet.

b From the File menu, select Save As…, set the file format to Comma delimited (*.csv), rename the file to SDDC-CertConfig.csv, and click Save.

c Open the SDDC-CertConfig.csv file and add a new row below vRealize Business for Cloud Server. Fill the new row with the following information and save the file.

Setting Value

Name VMware Skyline Collector

DNS1 sfo01sky01

Domain sfo01.rainpole.local

Filename sfo01sky01

d Rename the C:\CertGenVVD-version\ConfigFiles folder to ConfigFiles.Old.

4 Validate the environment configuration for the CertGenVVD utility.

a In the Windows PowerShell terminal, navigate to the C:\CertGenVVD-version folder and validate the configuration by running the following command.

.\CertGenVVD-version.ps1

b To validate the environment, in the main menu, enter V and press Enter.

The local machine configuration is validated successfully if there are no error messages.

c To return to the main menu, press any key.

5 Generate the signed certificate files by using the CertGenVVD utility.

a In the Windows PowerShell terminal, navigate to the C:\CertGenVVD-version folder and generate the signed certificates by running the following command.

.\CertGenVVD-version.ps1

b In the main menu, enter 1 and press Enter to select Create & Submit CSRs.


c Enter the location of the SDDC-CertConfig.csv file.

d Follow the on-screen instructions and set the following values.

Setting Value

Default Organization Rainpole Inc

Default OU Rainpole

Default Location SFO

Default State CA

Default Country US

Default Key Size 2048

e Follow the on-screen instructions and enter a passphrase for PEM/P12 file encryption.

All MSCA signed certificates are generated in the C:\CertGenVVD-version\SignedByMSCACerts folder.

6 Verify that all certificates in C:\CertGenVVD-version\SignedByMSCACerts are validated and generated correctly.

7 Rename the C:\CertGenVVD-version\SignedByMSCACerts folder to SignedByMSCACerts-sfo.

8 Copy the vra01svr01, vrb01svr01, and vrs01lcm01 folders and their contents to a location that you can access during the deployment of Region B.
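Step 6 above asks you to verify that every certificate was generated correctly but does not say what to look at. The script below is an added example for this page, not part of the VMware Validated Design guide or of CertGenVVD: it opens each certificate under SignedByMSCACerts and checks the key size against the 2048-bit default chosen in step 5d, the signature hash, the presence of the component host name in the Subject Alternative Name, the validity window and whether a chain to a trusted root builds. It assumes the utility writes one folder per component containing the signed certificate as a .crt or .cer file (the folder layout is an assumption; adjust the filter to match your output) and that the MSCA root is already trusted on the host running the check.

```powershell
# Added example (not from the VMware Validated Design guide): check the
# certificates that CertGenVVD wrote to SignedByMSCACerts before uploading them.
# Assumptions: one folder per component with a .crt/.cer file inside; the
# MSCA root certificate is trusted on this host. "version" is kept as the
# guide's placeholder for the utility version.

$CertRoot    = 'C:\CertGenVVD-version\SignedByMSCACerts'
$MinKeyBits  = 2048
$MinDaysLeft = 30

function Test-SddcCertificate {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $sanText = if ($san) { $san.Format($false) } else { '' }
    # The component folder name (for example sfo01sky01) is expected among the SAN entries.
    $expectedHost = Split-Path (Split-Path $Path -Parent) -Leaf
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $keyBits  = $cert.PublicKey.Key.KeySize
    $sigAlg   = $cert.SignatureAlgorithm.FriendlyName
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $sanOk    = $sanText -match [regex]::Escape($expectedHost)
    [pscustomobject]@{
        File        = $Path
        Subject     = $cert.Subject
        KeyBits     = $keyBits
        SigAlg      = $sigAlg
        DaysLeft    = $daysLeft
        SanHasHost  = $sanOk
        ChainBuilds = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Ok          = ($keyBits -ge $MinKeyBits) -and ($sigAlg -match 'sha(256|384|512)') -and
                      $sanOk -and $chainOk -and ($daysLeft -gt $MinDaysLeft)
    }
}

$results = Get-ChildItem -Path $CertRoot -Recurse -Include *.crt, *.cer -File |
    ForEach-Object { Test-SddcCertificate -Path $_.FullName }
$results | Format-Table Subject, KeyBits, SigAlg, DaysLeft, SanHasHost, ChainBuilds, Ok -AutoSize
$failed = @($results | Where-Object { -not $_.Ok })
'{0} certificates checked, {1} failed' -f @($results).Count, $failed.Count
if ($failed.Count) { $failed | Format-List File, ChainStatus, SanHasHost, KeyBits, SigAlg }
```

A ChainBuilds value of False with a status such as UntrustedRoot usually means the check is running on a host that does not trust the MSCA yet, not that the certificate is bad; a SanHasHost of False is the finding that matters, since Cloud Builder assigns each certificate to a component by host name.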


3 VMware Cloud Builder Implementation in Region A

You deploy and configure the VMware Cloud Builder appliance to start the automated implementation of the SDDC components.

You deploy dedicated VMware Cloud Builder appliances for both Region A and Region B. You use each region's dedicated appliance to deploy the SDDC components.

Procedure

1 Prerequisites for VMware Cloud Builder Implementation in Region A

Before you deploy the virtual appliance of VMware Cloud Builder, verify that your environment fulfills the requirements for this deployment.

2 Deploy the Virtual Appliance of VMware Cloud Builder on a Management Host in Region A

You deploy the virtual appliance of VMware Cloud Builder in Region A and configure the appliance to start the automated implementation of the SDDC components for the region.

Prerequisites for VMware Cloud Builder Implementation in Region A

Before you deploy the virtual appliance of VMware Cloud Builder, verify that your environment fulfills the requirements for this deployment.

Network Configuration

Verify that the static IP address and FQDN for the VMware Cloud Builder appliance are available.

Setting Value

IP address 172.16.11.60

Host name sfo01cb01.sfo01.rainpole.local

Default gateway 172.16.11.253

DNS servers 172.16.11.5, 172.16.11.4

DNS domain sfo01.rainpole.local

DNS search sfo01.rainpole.local,rainpole.local


Subnet mask 255.255.255.0

NTP Servers ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local

Deployment Prerequisites

Verify that your environment satisfies the following prerequisites for the deployment of the VMware Cloud Builder appliance.

Prerequisite Value

Environment Verify that your environment is configured for deployment of VMware Cloud Builder and of the SDDC. See Chapter 2 Prepare the Environment for Deployment in Region A.

CPU 4 vCPUs

Memory 8 GB

Storage
- Virtual disk provisioning: Thin
- Required storage: 350 GB

Installation Packages Download the .ova file(s) for VMware Cloud Builder.

Deploy the Virtual Appliance of VMware Cloud Builder on a Management Host in Region A

You deploy the virtual appliance of VMware Cloud Builder in Region A and configure the appliance to start the automated implementation of the SDDC components for the region.

Procedure

1 In a Web browser, log in to the ESXi host by using the VMware Host Client.

Settings Value

URL https://sfo01m01esx01.sfo01.rainpole.local/ui

User name root

Password esxi_root_user_password

2 In the navigation pane, select Host and click Create / Register VM.

The New virtual machine wizard opens.

3 On the Select creation type page, select Deploy a virtual machine from an OVF or OVA file and click Next.

4 On the Select OVF and VMDK files page, enter sfo01cb01 for the virtual machine name, select the VMware Cloud Builder .ova file, and click Next.

5 In the Select storage page, select sfo01-m01-bkp01, and click Next.


6 On the License agreements page, click I agree to accept the license agreement, and click Next.

7 On the Deployment options page, enter the following values and click Next.

Setting Value

Network mappings VM network

Disk provisioning Thin

Power on automatically Selected

8 On the Additional settings page, expand Application, enter the following values, and click Next.

Setting Value

Deployment Architecture vvd

Admin User name admin

Admin Password sfo01cb01_admin_password

Note The password must be at least 8 characters long and must contain uppercase letters, lowercase letters, digits, and special characters.

Admin Password confirm sfo01cb01_admin_password

Root Password sfo01cb01_root_password

Note The password must be at least 8 characters long and must contain uppercase letters, lowercase letters, digits, and special characters.

Root Password confirm sfo01cb01_root_password

Host name sfo01cb01

Network 1 IP Address 172.16.11.60

Network 1 Subnet Mask 255.255.255.0

Default Gateway 172.16.11.253

DNS Servers 172.16.11.5,172.16.11.4

DNS Domain Name sfo01.rainpole.local

DNS Domain Search Paths sfo01.rainpole.local,rainpole.local

NTP Servers ntp.sfo01.rainpole.local,ntp.lax01.rainpole.local

9 On the Ready to complete page, review the virtual machine configuration and click Finish.


4 Deploy the Software-Defined Data Center Components in Region A

After you deploy and configure the VMware Cloud Builder appliance, you generate the JSON deployment files based on the values populated in the Deployment Parameters XLS file. You then validate the necessary run parameters and start the automated deployment of the SDDC components for the management cluster and for the shared edge and compute cluster in Region A.

Procedure

1 Automated SDDC Deployment in Region A

To deploy the SDDC management domain end-to-end and a virtual infrastructure workload domain for tenant workloads by using automation, use VMware Cloud Builder.

2 Skyline Manual Deployment in Region A

Starting from VMware Validated Design 5.1, you connect the SDDC to VMware Skyline for proactive product support. In each region, an instance of Skyline Collector sends product usage data from the management components to the analytics engine in the cloud. You deploy the Skyline Collector instance for the region manually after you complete the automated deployment of the other SDDC management components by using Cloud Builder.

Automated SDDC Deployment in Region A

To deploy the SDDC management domain end-to-end and a virtual infrastructure workload domain for tenant workloads by using automation, use VMware Cloud Builder.

In this version of VMware Validated Design, VMware Cloud Builder deploys all components of the SDDC stack except the VMware Skyline Collector instances.

Procedure

1 Prerequisites for Automated SDDC Deployment in Region A

Before you start the automated SDDC deployment, verify that your environment fulfills the requirements for this deployment.


2 Upload the VMware Validated Design Software Bundle and Signed Certificates to VMware Cloud Builder in Region A

After you deploy the VMware Cloud Builder appliance, you prepare for an automated deployment of the SDDC components by uploading the software bundles and the generated signed certificates. You then mount the software bundle and configure application properties for the automated deployment process.

3 Generate the JSON Deployment Files for the Management and the Shared Edge and Compute Clusters in Region A

4 Validate the Deployment Parameters and Target Environment Prerequisites for the Management Cluster and the Shared Edge and Compute Cluster in Region A

5 Start the Automated Deployment of the Management Cluster in Region A

After you successfully validate the vvd-std-rega-mgmt.json file, you start the automated deployment of the components in the management cluster.

6 Start the Automated Deployment for the Shared Edge and Compute Cluster in Region A

Prerequisites for Automated SDDC Deployment in Region A

Before you start the automated SDDC deployment, verify that your environment fulfills the requirements for this deployment.

Deployment Prerequisites

Verify that your environment satisfies the following prerequisites for the automated SDDC deployment.

Prerequisite Value

Environment Verify that your environment is configured for deployment of the SDDC. See Chapter 2 Prepare the Environment for Deployment in Region A.

Physical Network Verify that your environment meets all physical network requirements and that all host names and IP addresses are allocated for external services and SDDC components.

Active Directory Verify that Active Directory is configured with all child domains and all service accounts, groups, and computer objects are created and configured.

DNS Verify that DNS entries are configured for the root and child domains.

NTP Services Verify that two NTP servers external to the SDDC are configured and that time synchronization is configured on all ESXi hosts and AD domain controllers.


Storage Primary vSAN storage:

n Verify that the necessary primary storage capacity is allocated. See Deployment Parameters XLS file for Region A for automatic capacity calculation.

Secondary NFS storage:

n Verify that NFS storage is mounted.

n Verify that you allocated the necessary storage capacity. See Datastore Requirements in the VMware Validated Design Planning and Preparation documentation.

Software Features n Fill in the Deployment Parameters XLS file for Region A. See Deployment Specification in the VMware Validated Design Planning and Preparation documentation.

n Verify that you generated CA-signed certificates for the management components of the SDDC. See Generate Signed Certificates for the SDDC Components in Region A.

Installation Packages Download the two .iso files (sddc-dr-bundle and sddc-vrealize-bundle) of the software bundle for VMware Validated Design to your local file system.

For additional information, see the VMware Validated Design Planning and Preparation documentation.

Upload the VMware Validated Design Software Bundle and Signed Certificates to VMware Cloud Builder in Region A

After you deploy the VMware Cloud Builder appliance, you prepare for an automated deployment of the SDDC components by uploading the software bundles and the generated signed certificates. You then mount the software bundle and configure application properties for the automated deployment process.

Procedure

1 Log in to the VMware Cloud Builder appliance by using a Secure Copy Protocol (SCP) client.

Setting Value

FQDN sfo01cb01.sfo01.rainpole.local

User name admin

Password cloudbuilder_admin_password

2 Upload the VMware Validated Design software bundle files, sddc-dr-bundle-x.x.x.x-xxxxxxxx.iso and sddc-vrealize-bundle-x.x.x.x-xxxxxxxx.iso, to the /mnt/hgfs directory on the VMware Cloud Builder appliance.

3 Upload all folders and their content from the C:\CertGenVVD-version\SignedByMSCACerts-sfo to the /opt/vmware/vvd/certificates directory on the VMware Cloud Builder appliance.


4 Log in to the VMware Cloud Builder appliance by using a Secure Shell (SSH) client.

Setting Value

FQDN sfo01cb01.sfo01.rainpole.local

User name admin

Password cloudbuilder_admin_password

5 Switch to the root user by running the su command and entering the root password.

6 Mount the VMware Validated Design software bundle .iso files by running the command.

/opt/vmware/vcf/cloud-builder/install/reconfigure.sh

The script mounts the bundle files and allows the bring-up service access to the certificate files.

Generate the JSON Deployment Files for the Management and the Shared Edge and Compute Clusters in Region A

After you populate all required configuration values in the Deployment Parameters XLS file, you upload it to the VMware Cloud Builder appliance and generate the JSON files that automate the deployment of the SDDC components in the management and the shared edge and compute clusters.

Procedure

1 In a Web browser, log in to VMware Cloud Builder by using the administration interface.

Settings Value

URL https://sfo01cb01.sfo01.rainpole.local

User name admin

Password cloudbuilder_admin_password

2 On the End User License Agreement page, accept the license agreement.

3 In the navigation pane, click the Deployment wizard icon.

4 On the Upload config file tab, from the Select architecture type drop-down menu, select the architecture for Region A.

- For VMware Validated Design 5.1, select the VVD for SDDC 5.1 (Region A) architecture.
- For VMware Validated Design 5.1.1, select the VVD for SDDC 5.1.1 (Region A) architecture.

5 Click Upload config file, navigate to the Deployment Parameters XLS file, and click Open.

6 Click Generate JSON.

7 If the JSON generation fails, click Logs to download the output log files, remediate any errors, and repeat the procedure.

Results

VMware Cloud Builder generates one JSON file for the management cluster and one JSON file for the shared edge and compute cluster.

Table 4-1. Region A JSON Deployment Files

Architecture type: VVD for SDDC Region A
- vvd-std-rega-mgmt.json: Management workload domain, deployment order 1
- vvd-std-rega-comp.json: Compute workload domain, deployment order 2

What to do next

After the JSON deployment files for Region A are generated, you validate their content for configuration, application, and bring-up readiness, and perform validation of the target platform.

Validate the Deployment Parameters and Target Environment Prerequisites for the Management Cluster and the Shared Edge and Compute Cluster in Region A

You perform validation of both JSON deployment files and specific target environment prerequisites to ensure that you can successfully deploy the components of the management and the shared edge and compute clusters with VMware Cloud Builder.

You validate the JSON deployment files, vvd-std-rega-mgmt.json for the management cluster and vvd-std-rega-comp.json for the shared edge and compute cluster. In case any of the tests fail, you must remediate any errors and perform the validation process again. Additional information can be found in the audit log file.

Table 4-2. VMware Cloud Builder Platform Audit Log File Location

Platform Audit: /opt/vmware/sddc-support/cloud_admin_tools/logs/PlatformAudit.log

Procedure

1 In a Web browser, log in to VMware Cloud Builder by using the administration interface.

Settings Value

URL https://sfo01cb01.sfo01.rainpole.local

User name admin

Password cloudbuilder_admin_password

2 In the navigation pane, click the Deployment wizard icon.

3 Click the Validate environment tab.

4 From the Select file to validate drop-down menu, select the vvd-std-rega-mgmt.json file and click Validate.


5 If the validation fails because of problems with the signed certificate files, resolve the issues and re-upload the modified certificate files.

a Upload the modified certificate files to the VMware Cloud Builder appliance by using SCP software, such as WinSCP.

b Open an SSH connection to sfo01cb01.sfo01.rainpole.local.

c Switch to the root user and run the reconfiguration script.

su
/opt/vmware/vcf/cloud-builder/install/reconfigure.sh

d When prompted, enter the cloudbuilder_root_password.

6 If the validation fails with a user input error message, remediate the Deployment Parameters XLS file.

a On the Upload config file tab, from the Select architecture type drop-down menu, select the architecture for Region A.

- For VMware Validated Design 5.1, select the VVD for SDDC 5.1 (Region A) architecture.
- For VMware Validated Design 5.1.1, select the VVD for SDDC 5.1.1 (Region A) architecture.

b Click Upload config file, navigate to the Deployment Parameters XLS file, and click Open.

c Click Generate JSON.

d In the dialog box, click Yes.

e On the Validate environment tab, from the Select file to validate drop-down menu, select the vvd-std-rega-mgmt.json file, and click Validate.

The vvd-std-rega-mgmt.json file is successfully validated against the predefined run parameters.

7 After the successful validation of vvd-std-rega-mgmt.json, click Back and, from the Select file to validate drop-down menu, select the vvd-std-rega-comp.json file, and click Validate.

The vvd-std-rega-comp.json file is successfully validated against the predefined run parameters.

What to do next

After the successful validation of vvd-std-rega-mgmt.json and vvd-std-rega-comp.json files, click Next to start the deployment of the management cluster.

Start the Automated Deployment of the Management Cluster in Region A

After you successfully validate the vvd-std-rega-mgmt.json file, you start the automated deployment of the components in the management cluster.

Procedure

1 In a Web browser, log in to VMware Cloud Builder by using the administration interface.

Settings Value

URL https://sfo01cb01.sfo01.rainpole.local

User name admin

Password cloudbuilder_admin_password

2 In the navigation pane, click the Deployment wizard icon.

3 Click the Deploy an SDDC tab.

4 From the Select deployment file drop-down menu, select the vvd-std-rega-mgmt.json file and click Deploy.

The automated deployment of the components in the management cluster starts.

5 Monitor the deployment and check the following log files for errors.

Table 4-3. VMware Cloud Builder Bring Up Service Log File Location

Bring Up Service:
- /opt/vmware/bringup/logs/vcf-bringup.log
- /opt/vmware/bringup/logs/vcf-bringup-debug.log

Start the Automated Deployment for the Shared Edge and Compute Cluster in Region A

After you successfully validate the vvd-std-rega-comp.json file and deploy the management cluster, you start the automated deployment of the components of the shared edge and compute cluster.

Procedure

1 In a Web browser, log in to VMware Cloud Builder by using the administration interface.

Settings Value

URL https://sfo01cb01.sfo01.rainpole.local

User name admin

Password cloudbuilder_admin_password

2 In the navigation pane, click the Deployment wizard icon.

3 Click the Deploy an SDDC tab.

4 From the Select deployment file drop-down menu, select the vvd-std-rega-comp.json file and click Deploy.

The automated deployment of the components of the shared edge and compute cluster starts.

5 Monitor the deployment and check the following log files for errors.

Table 4-4. VMware Cloud Builder Bring Up Service Log File Location

Bring Up Service:
- /opt/vmware/bringup/logs/vcf-bringup.log
- /opt/vmware/bringup/logs/vcf-bringup-debug.log

Skyline Manual Deployment in Region A

Starting from VMware Validated Design 5.1, you connect the SDDC to VMware Skyline for proactive product support. In each region, an instance of Skyline Collector sends product usage data from the management components to the analytics engine in the cloud. You deploy the Skyline Collector instance for the region manually after you complete the automated deployment of the other SDDC management components by using Cloud Builder.

Procedure

1 Prerequisites for Deploying VMware Skyline in Region A

Before you deploy and configure the Skyline Collector instance in Region A, verify that the environment fulfills the requirements for this deployment.

2 Configure User Access in vSphere for Integration with VMware Skyline in Region A

Assign the svc-skyline-vsphere service account for the Skyline Collector instance the minimum permissions that are required for connecting and collecting data from the vCenter Server instances in the SDDC.

3 Configure User Privileges in NSX Manager for the Skyline Collector Instances in Region A

Assign the svc-skyline-nsx service account the required permissions for authentication and data collection in VMware Skyline by associating the account with the default NSX Administrator role in VMware NSX® Data Center for vSphere®.

4 Configure User Privileges in vRealize Operations Manager for the Skyline Collector Instances in Region A

On VMware vRealize® Operations Manager™, give the [email protected] service account read-only privileges. These privileges provide the Skyline Collector instances in the SDDC with access to vRealize Operations Manager.

5 Prepare for Skyline Collector Registration with VMware Cloud Services

Before you register the Skyline Collector instances with VMware Cloud Services and start using VMware Skyline for proactive product support, you must create an organization on VMware Cloud Services and generate a registration token for the Skyline Collector instances.

6 Deploy the Skyline Collector Appliance in Region A

You deploy the Skyline Collector appliance in the management cluster, configuring storage, networking, and other appliance attributes.


7 Configure the Skyline Collector Instance in Region A

After you deploy the Skyline Collector appliance, proceed with configuring log forwarding to vRealize Log Insight for monitoring the operation of the collector, replacing the certificate, and with the registration of the endpoints for the SDDC management components in the region.

Prerequisites for Deploying VMware Skyline in Region A

Before you deploy and configure the Skyline Collector instance in Region A, verify that the environment fulfills the requirements for this deployment.

IP Addresses and Host Names

Verify that a static IP address and FQDN for the Skyline Collector instance are available in the region-specific application virtual network.

Configure both forward and reverse DNS records with the designated fully qualified domain name and IP address.

Table 4-5. IP Addresses and Host Names for the Skyline Collector Appliance in Region A

IP address: 192.168.31.70
FQDN: sfo01sky01.sfo01.rainpole.local
Default gateway: 192.168.31.1
DNS search: sfo01.rainpole.local, rainpole.local
DNS servers: 172.16.11.5, 172.16.11.4
Subnet mask: 255.255.255.0
NTP servers: ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local
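The forward and reverse DNS requirement above can be verified before the appliance is deployed. The following Python script is an added example and not part of the VMware documentation: it takes the expected name and address from Table 4-5, resolves both directions, and reports a missing A record, an unexpected address, a missing PTR record, or a PTR that points at a different name. The resolver callbacks are injectable so the logic can be exercised offline with constructed answers; the function and variable names are this example's own.

```python
"""Verify that forward (A) and reverse (PTR) DNS records agree for an SDDC appliance.

Added example for the Skyline Collector prerequisites. The expected values come
from Table 4-5; further hosts from this chapter can be added to EXPECTED_RECORDS.
The resolver functions can be swapped for constructed ones, so the check logic is
testable without network access.
"""
import socket
from typing import Callable, Dict, List, Optional

# Expected records from Table 4-5 (Skyline Collector appliance, Region A).
EXPECTED_RECORDS: Dict[str, str] = {
    "sfo01sky01.sfo01.rainpole.local": "192.168.31.70",
}

ResolveA = Callable[[str], List[str]]
ResolvePTR = Callable[[str], Optional[str]]


def system_resolve_a(fqdn: str) -> List[str]:
    """Return every IPv4 address the system resolver gives for fqdn (empty if none)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_resolve_ptr(ip: str) -> Optional[str]:
    """Return the PTR name for ip, or None when no reverse record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_record(fqdn: str, ip: str,
                 resolve_a: ResolveA = system_resolve_a,
                 resolve_ptr: ResolvePTR = system_resolve_ptr) -> List[str]:
    """Return the problems found for one name/address pair; empty means both directions agree.

    Checks performed:
      * the name resolves to exactly the expected address (no missing or extra A records)
      * the address has a PTR record that points back to the same name
    """
    problems: List[str] = []

    addrs = resolve_a(fqdn)
    if not addrs:
        problems.append(f"{fqdn}: no A record")
    elif addrs != [ip]:
        problems.append(f"{fqdn}: A records {addrs} do not match expected {ip}")

    ptr = resolve_ptr(ip)
    if ptr is None:
        problems.append(f"{ip}: no PTR record")
    elif ptr.rstrip(".").lower() != fqdn.lower():
        problems.append(f"{ip}: PTR {ptr} does not point back to {fqdn}")
    return problems


def check_all(records: Dict[str, str] = EXPECTED_RECORDS,
              resolve_a: ResolveA = system_resolve_a,
              resolve_ptr: ResolvePTR = system_resolve_ptr) -> Dict[str, List[str]]:
    """Check every expected record; the result maps each FQDN to its list of problems."""
    return {fqdn: check_record(fqdn, ip, resolve_a, resolve_ptr)
            for fqdn, ip in records.items()}


if __name__ == "__main__":
    # Run against the live resolvers of the host this script is executed on.
    results = check_all()
    for name, problems in results.items():
        print(("OK   " if not problems else "FAIL ") + name)
        for problem in problems:
            print("      " + problem)
    raise SystemExit(1 if any(results.values()) else 0)
```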

Deployment Prerequisites

Verify that your environment satisfies the following prerequisites for the deployment of the Skyline Collector appliance.

Storage:
- Virtual disk provisioning: Thin
- Required storage: 87 GB (1.1 GB initial if thin provisioned)

Software Features:
- Verify that the Management vCenter Server and Compute vCenter Server are operational.
- Verify that the vSphere cluster has DRS and HA enabled.
- Verify that the NSX Manager instances are operational.
- Verify that vRealize Operations Manager is operational.
- Verify that the Mgmt-RegionA01-VXLAN application virtual network is available.

Installation Package: Download the .ova file of the Skyline Collector virtual appliance from My VMware to a host that has access to the SDDC. See the VMware Validated Design Release Notes for the version for this VMware Validated Design.

Active Directory: Verify that you have a parent Active Directory with these SDDC user accounts configured for the rainpole.local domain.
- svc-skyline-vsphere (User)
- svc-skyline-nsx (User)
- svc-skyline-vrops (User)

Certificate Authority: Verify that you have generated CA-signed certificates for Skyline. See Generate Signed Certificates for the SDDC Components in Region A.

Configure User Access in vSphere for Integration with VMware Skyline in Region A

Assign the svc-skyline-vsphere service account for the Skyline Collector instance the minimum permissions that are required for connecting and collecting data from the vCenter Server instances in the SDDC.

You associate the svc-skyline-vsphere service account in the Active Directory with a user role that has certain privileges. You assign the user to all vCenter Server instances in the inventory by using global permissions.

Define a User Role in vSphere for the Skyline Collector Instances in Region A

To give the Skyline Collector instances rights to collect data from the vSphere endpoints, first create a user role with the required minimum privileges on the vCenter Server instances in the SDDC.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 On the Home page of the vSphere Client, in the navigation pane, select Administration.

3 On the Administration page, select Roles.


4 Create a role for the Skyline Collector instances.

a From the Roles provider drop-down menu, select sfo01m01vc01.sfo01.rainpole.local.

b Select Read-only and click the Clone role action icon.

You clone the Read-only role because it includes the System.Anonymous, System.View, and System.Read privileges. The Skyline Collector instances require these privileges to collect information from the vCenter Server endpoint in each workload domain and the vSphere infrastructure components.

c In the Clone Role dialog box, enter Skyline Collector User as the name for the role and click OK.

5 Grant the necessary permissions to the Skyline Collector nodes to provide proactive support.

a From the list of Roles, select the Skyline Collector User role.

b Click the Edit role action icon.

c For VMware Validated Design 5.1, in the Edit Role dialog box, select Global in the left pane and select the following privileges in the right pane.

Global: Licenses

d For VMware Validated Design 5.1.1, in the Edit Role dialog box, select Global in the left pane and select the following privileges in the right pane.

Global: Diagnostics, Health, Licenses, Settings

e Click Next and click Finish.

Results

The Skyline Collector user role is propagated to the other linked vCenter Server instances.
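The minimum privilege set defined in steps 4 and 5 can be created and re-checked programmatically, which is useful for catching a role that has been widened after deployment. The following Python script is an added example, not part of the VMware documentation: it assembles the expected privilege identifiers (the Read-only role's System.Anonymous, System.View, and System.Read plus the Global privileges for the chosen VMware Validated Design version), reports missing and excess privileges on an existing Skyline Collector User role, and creates the role through the pyVmomi AuthorizationManager API when it does not exist yet. pyVmomi, the helper names, and the interactive credential prompt are this example's assumptions.

```python
"""Build and audit the least-privilege 'Skyline Collector User' vCenter Server role.

Added example. Privilege identifiers follow the procedure above: the privileges of
the cloned Read-only role plus the Global privileges for each VMware Validated
Design version. Talking to vCenter Server uses pyVmomi (assumed: pip install pyvmomi);
the audit functions themselves need no network and no pyVmomi.
"""
from typing import Dict, Iterable, Set, Tuple

ROLE_NAME = "Skyline Collector User"

# Privileges the Read-only role carries and that step 4b clones.
READ_ONLY_PRIVILEGES: Set[str] = {"System.Anonymous", "System.View", "System.Read"}

# Global privileges added in step 5c (5.1) and step 5d (5.1.1).
GLOBAL_PRIVILEGES: Dict[str, Set[str]] = {
    "5.1": {"Global.Licenses"},
    "5.1.1": {"Global.Diagnostics", "Global.Health", "Global.Licenses", "Global.Settings"},
}


def expected_privileges(vvd_version: str) -> Set[str]:
    """Return the full minimum privilege set for a VMware Validated Design version."""
    try:
        extra = GLOBAL_PRIVILEGES[vvd_version]
    except KeyError:
        raise ValueError(f"unknown VMware Validated Design version: {vvd_version}") from None
    return READ_ONLY_PRIVILEGES | extra


def audit_role(actual_privileges: Iterable[str], vvd_version: str) -> Tuple[Set[str], Set[str]]:
    """Compare a role's current privileges with the expected minimum.

    Returns (missing, excess): privileges the role lacks, and privileges it carries
    beyond the minimum. Non-empty 'excess' means the role no longer follows least privilege.
    """
    expected = expected_privileges(vvd_version)
    actual = set(actual_privileges)
    return expected - actual, actual - expected


def ensure_role(content, vvd_version: str) -> Tuple[int, Set[str], Set[str]]:
    """Create the role when absent, otherwise audit the existing one.

    'content' is a pyVmomi ServiceContent (si.RetrieveContent()). Only the
    AuthorizationManager role list and AddAuthorizationRole are used.
    Returns (roleId, missing, excess); a freshly created role has no drift.
    """
    authz = content.authorizationManager
    for role in authz.roleList:
        if role.name == ROLE_NAME:
            missing, excess = audit_role(role.privilege, vvd_version)
            return role.roleId, missing, excess
    role_id = authz.AddAuthorizationRole(name=ROLE_NAME,
                                         privIds=sorted(expected_privileges(vvd_version)))
    return role_id, set(), set()


if __name__ == "__main__":
    import getpass
    from pyVim.connect import SmartConnect, Disconnect  # assumed available

    # Management vCenter Server from the procedure; credentials are prompted, not stored.
    host = "sfo01m01vc01.sfo01.rainpole.local"
    user = input("vCenter Server user: ")
    pwd = getpass.getpass("Password: ")
    version = input("VMware Validated Design version (5.1 or 5.1.1): ").strip()

    si = SmartConnect(host=host, user=user, pwd=pwd)  # CA-signed certificate is validated
    try:
        role_id, missing, excess = ensure_role(si.RetrieveContent(), version)
    finally:
        Disconnect(si)

    print(f"role '{ROLE_NAME}' id={role_id}")
    print("missing privileges:", sorted(missing) or "none")
    print("excess privileges: ", sorted(excess) or "none")
    raise SystemExit(1 if (missing or excess) else 0)
```

Global permissions for the svc-skyline-vsphere account are still assigned in the vSphere Client as described in the next procedure; this script only manages the role definition.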

Configure User Privileges in vSphere for the Skyline Collector Instances in Region A

To give the svc-skyline-vsphere service account rights for collecting product analytics data from all connected vCenter Server endpoints, assign global permissions to the account.

The [email protected] service account receives global read-only access to the object inventory and global access to the license information on all linked vCenter Server instances. You define these access rights in the Skyline Collector User custom role.


Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 On the Home page of the vSphere Client, in the navigation pane, select Administration.

3 On the Administration page, under Access Control, select Global Permissions.

4 On the Global Permissions page, click the Add Permission icon.

5 In the Add Permission-Global Permissions Root dialog box, from the User drop-down menu, select rainpole.local.

6 In the search box, enter svc and press Enter.

7 From the list of users and groups, select the svc-skyline-vsphere user.

8 From the Role drop-down menu, select Skyline Collector User, select Propagate to children, and click OK.

Configure User Privileges in NSX Manager for the Skyline Collector Instances in Region A

Assign the svc-skyline-nsx service account the required permissions for authentication and data collection in VMware Skyline by associating the account with the default NSX Administrator role in VMware NSX® Data Center for vSphere®.

The NSX Administrator role has the permissions for collecting NSX Edge support log bundles by using Skyline Log Assist.

You configure the NSX Administrator role for the svc-skyline-nsx service account on the NSX Manager instances in Region A.

Table 4-6. NSX Manager Instances in Region A

sfo01m01nsx01.sfo01.rainpole.local: 172.16.11.65
sfo01w01nsx01.sfo01.rainpole.local: 172.16.11.66

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Web Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/vsphere-client/

User name [email protected]

Password vsphere_admin_password

2 In the Networking & Security inventory, under System, select Users and Domains.

3 On the Users tab, from the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the Add icon.

The Assign Role wizard appears.

5 On the Identify User page, select the Specify a vCenter User radio button, enter [email protected] in the User text box, and click Next.

6 On the Select Roles page, select the NSX Administrator radio button, and click Finish.

7 Repeat the procedure on the other NSX Manager instance in the region.

Configure User Privileges in vRealize Operations Manager for the Skyline Collector Instances in Region A

On VMware vRealize® Operations Manager™, give the [email protected] service account read-only privileges. These privileges provide the Skyline Collector instances in the SDDC with access to vRealize Operations Manager.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane of vRealize Operations Manager, expand Access and click Access Control.

4 On the Access Control page, click the User Accounts tab and click the Import Users icon.

5 On the Import Users page, import the [email protected] service account.

a From the Import From drop-down menu, select Rainpole.local.

b Select the Basic option for the search query.


c In the Search String text box, enter svc-skyline-vrops and click Search.

d In the search results, select [email protected] and click Next.

6 On the Assign Groups and Permissions page, click the Objects tab, assign the read-only role to the service account, and click Finish.

Select Role: ReadOnly
Assign this role to the user: Selected
Allow access to all objects in the system: Selected

Prepare for Skyline Collector Registration with VMware Cloud Services

Before you register the Skyline Collector instances with VMware Cloud Services and start using VMware Skyline for proactive product support, you must create an organization on VMware Cloud Services and generate a registration token for the Skyline Collector instances.

Procedure

1 Create an Organization on VMware Cloud Services

The Skyline Collector instance in the region sends product analytics data to VMware Cloud Services for analysis and proactive support. To enable registration of your Skyline Collector instances with VMware Cloud Services, first create an organization on VMware Cloud Services.

2 Associate Your Support Entitlement and Create a Registration Token for VMware Skyline

On VMware Cloud Services, associate your Production Support or Premier Services Support entitlement with VMware Skyline so that you can initiate product usage analysis by using the data from the Skyline Collector instances in the SDDC.

Create an Organization on VMware Cloud Services

The Skyline Collector instance in the region sends product analytics data to VMware Cloud Services for analysis and proactive support. To enable registration of your Skyline Collector instances with VMware Cloud Services, first create an organization on VMware Cloud Services.

Procedure

1 Log in to the getting started page of VMware Skyline.

a Open a Web browser and go to https://skyline.vmware.com/get-started.

b Click Get started.

c Log in by using the following credentials.

Setting Value

User name Email address registered with My VMware

Password Password for My VMware

2 Click Create Your First Organization.

3 On the Set up your organization page, enter settings for your organization and click Continue.

Organization Name: Name of your organization on VMware Cloud Services
Organization Address:
- Country: Country of your organization
- Address: Address of your organization
- City: City where your organization is located
- State/Province: State where your organization is located
- Zip/Postal Code: Zip code of your organization's location
I agree to the VMware Cloud Services Terms of Service: Selected

Results

After you create the Organization on VMware Cloud Services, the Associate Support Entitlement to Skyline page opens.

Associate Your Support Entitlement and Create a Registration Token for VMware Skyline

On VMware Cloud Services, associate your Production Support or Premier Services Support entitlement with VMware Skyline so that you can initiate product usage analysis by using the data from the Skyline Collector instances in the SDDC.

Procedure

1 Log in to the getting started page of VMware Skyline.

a Open a Web browser and go to https://skyline.vmware.com/get-started.

b Click Get started.

c Log in by using the following credentials.

Setting Value

User name Email address registered with My VMware

Password Password for My VMware

2 Click Associate Support Entitlement.

3 Click Proceed to Next Step.

4 On the Download Skyline Collector page, click Proceed to Next Step.

5 On the Install and configure Skyline Collector page, click Proceed to Next Step.

6 On the Register Skyline Collector page, click Create New Token.

7 Copy and save the token for later use.

A token for Skyline Collector registration is valid for 12 hours. If a token expires, you must generate a new one.

Deploy the Skyline Collector Appliance in Region A

You deploy the Skyline Collector appliance in the management cluster, configuring storage, networking, and other appliance attributes.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

3 Right-click the sfo01-m01-mgmt01 cluster and select Deploy OVF Template.

4 On the Select OVF template page, select Local file, browse to the location of the Skyline Collector OVA file, and click Next.


5 On the Select a name and folder page, enter the following information, and click Next.

Setting Value

Name sfo01sky01

Datacenter sfo01-m01dc

VM Folder sfo01-m01fd-mgmt

6 On the Select a compute resource page, select sfo01-m01-mgmt01 and click Next.

7 On the Review details page, review the virtual appliance details such as product, version, download size, and size on disk, and click Next.

8 On the License agreements page, read and accept the End-User License Agreement, and click Next.

9 On the Select storage page, select the following parameters and click Next.

Setting Value

VM storage policy vSAN Default Storage Policy

Datastores sfo01-m01-vsan01

10 On the Select networks page, select the distributed port group that ends with Mgmt-RegionA01-VXLAN from the Destination network drop-down menu and click Next.

11 On the Customize template page, enter and confirm the root password for the virtual appliance in the Application section.

12 On the Customize template page, configure the following values in the Networking properties section and click Next.

Option Value

Default Gateway 192.168.31.1

Domain Name sfo01.rainpole.local

Domain Search Path sfo01.rainpole.local,rainpole.local

Domain Name Servers 172.16.11.5,172.16.11.4

Network 1 IP Address 192.168.31.70

Network 1 Netmask 255.255.255.0

Root Password skyline_root_password

Confirm Root Password skyline_root_password

13 On the Ready to complete page, click Finish and wait for the process to complete.

14 In the VMs and templates inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

15 Expand the sfo01-m01fd-mgmt folder.

16 Select the sfo01sky01 virtual machine and from the Actions menu select Power > Power on.

Configure the Skyline Collector Instance in Region A

After you deploy the Skyline Collector appliance, proceed with configuring log forwarding to vRealize Log Insight for monitoring the operation of the collector, replacing the certificate, and with the registration of the endpoints for the SDDC management components in the region.

Procedure

1 Enable SSH on the Skyline Collector Appliance in Region A

You access the Skyline Collector appliance over SSH for configuring NTP, uploading a CA-signed certificate, and configuring log forwarding. Because it is disabled by default on the appliance, enable SSH after you deploy the appliance.

2 Replace the Certificate for the Skyline Collector User Interface in Region A

To establish a trusted connection to the Skyline Collector user interface, replace the SSL certificate for the Skyline Collector appliance with a custom certificate. The custom certificate is signed by the certificate authority available on the parent Active Directory.

3 Replace the Certificate for the Skyline Collector Appliance Management Interface in Region A

To establish a trusted connection to the Skyline Collector instance, you replace the SSL certificate for the virtual appliance management interface (VAMI) with a custom certificate. The custom certificate is signed by the certificate authority available on the parent Active Directory or on the intermediate Active Directory.

4 Enable NTP on the Skyline Collector Instance in Region A

Enable NTP on the Skyline Collector appliance in the region so that it remains synchronized with the other SDDC components.

5 Connect the Skyline Collector Instance to vRealize Log Insight in Region A

To be able to monitor and troubleshoot the operation of the Skyline Collector appliance in the region by using vRealize Log Insight, install and configure the vRealize Log Insight agent on the appliance. vRealize Log Insight receives log data from vRealize Log Insight agents that run on the management components of the SDDC.

6 Disable SSH on the Skyline Collector Appliance in Region A

After you complete the configuration of the services on the Skyline Collector appliance that you must perform over SSH, disable SSH for security reasons.

7 Complete the Initial Configuration of the Skyline Collector Instance in Region A

After you complete the deployment and service configuration of the appliance, register the Skyline Collector instance with VMware Cloud Services and connect the collector to the Management vCenter Server, NSX Manager for the management cluster, and vRealize Operations Manager.

8 Register the Components for the Shared Edge and Compute Cluster with the Skyline Collector Instance in Region A

During the initial configuration of the Skyline Collector instance, you can add endpoints only for the Management vCenter Server, the NSX Manager instance for the management cluster, and vRealize Operations Manager. To collect all product data that is available in the region for the supported solution types, connect the collector also to the Compute vCenter Server and the NSX Manager instances for the shared edge and compute cluster.

Enable SSH on the Skyline Collector Appliance in Region A

You access the Skyline Collector appliance over SSH for configuring NTP, uploading a CA-signed certificate, and configuring log forwarding. Because it is disabled by default on the appliance, enable SSH after you deploy the appliance.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the VMs and templates inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

3 In the sfo01-m01fd-mgmt virtual machine folder, right-click the sfo01sky01 appliance and select Open Remote Console.

4 In the console window to the appliance, to switch to the command prompt, press Enter.

5 At the command line, log in as the root user by using the skyline_root_password password.

6 Open the configuration file for the SSH daemon sshd_config in the vi editor by running this command.

vi /etc/ssh/sshd_config

7 To permit SSH login for the root user, set the PermitRootLogin property to yes in the sshd_config file.

PermitRootLogin yes

8 Save the configuration and exit the vi editor.

9 Restart the SSH daemon on the appliance by running this command.

systemctl restart sshd

10 To return to the original screen, run the exit command.

11 Close the appliance console.

Replace the Certificate for the Skyline Collector User Interface in Region A

To establish a trusted connection to the Skyline Collector user interface, replace the SSL certificate for the Skyline Collector appliance with a custom certificate. The custom certificate is signed by the certificate authority available on the parent Active Directory.

Procedure

1 Log in to the Windows Server host that you allocated for certificate generation.

2 In the C:\CertGenVVD-version\SignedByMSCACerts folder, duplicate the files for the Skyline Collector instance generated by using the Certificate Generation Utility for VMware Validated Design under new file names.

File Type     Original File Name        New File Name (VVD 5.1)   New File Name (VVD 5.1.1)

Certificate   sfo01sky01.2.chain.pem    nginx-selfsigned.crt      nginx.crt

Key           sfo01sky01-orig.key       nginx-selfsigned.key      nginx.key

3 Log in to the Skyline Collector appliance by using a Secure Shell (SSH) client.

Setting Value

FQDN sfo01sky01.sfo01.rainpole.local

User name root

Password skyline_root_password

4 By using an SCP client such as WinSCP, upload and overwrite the certificate and key files on the Skyline Collector appliance.

- For VMware Validated Design 5.1, replace the nginx-selfsigned.crt and nginx-selfsigned.key files in the /usr/local/skyline/ui/ directory on the appliance.

- For VMware Validated Design 5.1.1, replace the nginx.crt and nginx.key files in the /etc/nginx directory on the appliance.

5 To update the certificate on the Skyline user interface, restart the Nginx service.

a Restart the Nginx service by running this command.

systemctl restart nginx

b Check the status of the Nginx service by running this command.

systemctl status nginx

6 After restarting the services, verify that the certificate on the Skyline user interface is updated.

a Close all Web browser windows.

b Open a Web browser window and go to https://sfo01sky01.sfo01.rainpole.local.

c Verify that you see the new certificate in the Web browser.

Replace the Certificate for the Skyline Collector Appliance Management Interface in Region A

To establish a trusted connection to the Skyline Collector instance, you replace the SSL certificate for the virtual appliance management interface (VAMI) with a custom certificate. The custom certificate is signed by the certificate authority available on the parent Active Directory or on the intermediate Active Directory.

Procedure

1 Log in to the Windows Server host that you allocated for certificate generation.

2 In the C:\CertGenVVD-version\SignedByMSCACerts folder, duplicate the chain.pem file generated by using the Certificate Generation Utility for VMware Validated Design under a new file name.

File Type     Original File Name        New File Name

Certificate   sfo01sky01.2.chain.pem    server.pem

3 Log in to the Skyline Collector appliance by using a Secure Shell (SSH) client.

Setting Value

FQDN sfo01sky01.sfo01.rainpole.local

User name root

Password skyline_root_password

4 By using an SCP client such as WinSCP, copy the server.pem file to the /opt/vmware/etc/lighttpd/ directory on the appliance.

Overwrite the original server.pem file in the /opt/vmware/etc/lighttpd/ directory.

5 Restart the virtual appliance management interface (VAMI) service by running this command.

/etc/init.d/vami-lighttp restart

6 After restarting the service, verify that the certificate on the Skyline Collector VAMI interface is updated.

a Close all Web browser windows.

b Open a Web browser window and go to https://sfo01sky01.sfo01.rainpole.local:5480.

c Verify that you see the new certificate in the Web browser.
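The browser check in step 6 of both certificate procedures (the Skyline user interface on port 443 and the VAMI on port 5480) can be done from a shell as well. The script below is an added example, not part of the VMware guide: it compares the fingerprint of the uploaded PEM file with the certificate the appliance actually serves and checks that the served chain validates. The host name and ports follow this guide; CA_BUNDLE is a placeholder path for your Active Directory CA chain.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: confirm that the certificate a
# Skyline Collector endpoint presents is the one that was uploaded, instead of
# relying only on the browser padlock. Assumptions: host name and ports follow
# this guide; CA_BUNDLE is a placeholder for your AD CA chain file.
set -u

SKY_FQDN="sfo01sky01.sfo01.rainpole.local"
CA_BUNDLE="${CA_BUNDLE:-/path/to/rainpole-ca-chain.pem}"   # placeholder path

# Number of certificates in a PEM file; the uploaded chain.pem should hold the
# leaf plus the issuing CA certificate(s), not the leaf alone.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# The first (leaf) certificate block of a PEM chain file.
pem_first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# SHA-256 fingerprint of the leaf certificate stored in a local PEM file.
local_fingerprint() {
    pem_first_cert "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate served on host:port (SNI is set so a
# name-based virtual host answers with the certificate for that name).
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare the local file against the served certificate and check that the
# served chain validates against the CA bundle. Returns 0 only if both pass.
verify_endpoint() {
    host=$1; port=$2; pemfile=$3
    want=$(local_fingerprint "$pemfile")
    got=$(served_fingerprint "$host" "$port")
    if [ -z "$got" ] || [ "$want" != "$got" ]; then
        echo "MISMATCH $host:$port local=$want served=$got" >&2
        return 1
    fi
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$CA_BUNDLE" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)' \
        || { echo "UNTRUSTED $host:$port (chain does not verify against $CA_BUNDLE)" >&2; return 1; }
    echo "OK $host:$port $got"
}

# Usage from the certificate-generation host or any machine that can reach the
# appliance, with the file names from this guide's tables:
#   verify_endpoint "$SKY_FQDN" 443  nginx.crt    # Skyline UI (5.1: nginx-selfsigned.crt)
#   verify_endpoint "$SKY_FQDN" 5480 server.pem   # VAMI
```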

Enable NTP on the Skyline Collector Instance in Region A

Enable NTP on the Skyline Collector appliance in the region so that it remains synchronized with the other SDDC components.

Time synchronization issues can result in serious problems with your environment. You enable and start the systemd-timesyncd service on the appliance to ensure accurate time synchronization.

Procedure

1 Log in to the Skyline Collector appliance by using a Secure Shell (SSH) client.

Setting Value

FQDN sfo01sky01.sfo01.rainpole.local

User name root

Password skyline_root_password

2 Configure the NTP source for the Skyline Collector appliance.

a Open the /etc/systemd/timesyncd.conf file for editing by using a text editor such as vi.

vi /etc/systemd/timesyncd.conf

b Remove the comment for the NTP configuration, add the NTP settings, and save the file.

NTP=ntp.sfo01.rainpole.local ntp.lax01.rainpole.local

3 Enable and start the systemd-timesyncd service, and verify its status by running these commands.

a Enable and start the systemd-timesyncd service.

timedatectl set-ntp true

b Restart the systemd-timesyncd service.

systemctl restart systemd-timesyncd

c Verify the status of the service.

timedatectl status

4 Log out of the session by entering logout.

Connect the Skyline Collector Instance to vRealize Log Insight in Region A

To be able to monitor and troubleshoot the operation of the Skyline Collector appliance in the region by using vRealize Log Insight, install and configure the vRealize Log Insight agent on the appliance. vRealize Log Insight receives log data from vRealize Log Insight agents that run on the management components of the SDDC.

Procedure

1 Install the vRealize Log Insight Agent on the Skyline Collector Instance in Region A

To start sending log data from the Skyline Collector appliance to vRealize Log Insight, first install the vRealize Log Insight agent for Linux on the appliance in the region.

2 Configure the vRealize Log Insight Agent on the Skyline Collector Instance in Region A

After you install the vRealize Log Insight agent on the Skyline Collector appliance, to start forwarding log events to vRealize Log Insight, configure the agent with the location of the vRealize Log Insight cluster, set the log ingestion API as the protocol for remote logging, and disable SSL-enabled log collection.

Install the vRealize Log Insight Agent on the Skyline Collector Instance in Region A

To start sending log data from the Skyline Collector appliance to vRealize Log Insight, first install the vRealize Log Insight agent for Linux on the appliance in the region.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 Click the configuration drop-down menu icon and select Administration.

3 Under Management, click Agents.

4 On the Agents page, click the Download Log Insight Agent Version link.

5 In the Download Log Insight Agent Version dialog box, click Linux RPM (32-bit/64-bit) and save the .rpm file.

6 By using an scp client such as WinSCP, copy the VMware-Log-Insight-Agent-4.8.0-xxxxxx.noarch_192.168.31.10.rpm file to the /tmp folder on the Skyline Collector appliance.

7 Log in to the Skyline Collector appliance by using a Secure Shell (SSH) client.

Setting Value

FQDN sfo01sky01.sfo01.rainpole.local

User name root

Password skyline_root_password

8 Install the vRealize Log Insight Linux agent by running this command.

rpm -i /tmp/VMware-Log-Insight-Agent-4.8.0-xxxxxx.noarch_192.168.31.10.rpm

9 Configure the vRealize Log Insight agent to start automatically.

chkconfig liagentd on

Configure the vRealize Log Insight Agent on the Skyline Collector Instance in Region A

After you install the vRealize Log Insight agent on the Skyline Collector appliance, to start forwarding log events to vRealize Log Insight, configure the agent with the location of the vRealize Log Insight cluster, set the log ingestion API as the protocol for remote logging, and disable SSL-enabled log collection.

Procedure

1 Log in to the Skyline Collector appliance by using a Secure Shell (SSH) client.

Setting Value

FQDN sfo01sky01.sfo01.rainpole.local

User name root

Password skyline_root_password

2 Open the liagent.ini file for editing by using a text editor such as vi.

vi /var/lib/loginsight-agent/liagent.ini

3 Locate the [server] section, remove the comment for these parameters, insert the following values, and save the file.

[server]
; Log Insight server hostname or ip address
; If omitted the default value is LOGINSIGHT
hostname=sfo01vrli01.sfo01.rainpole.local
; Set protocol to use:
; cfapi - Log Insight REST API
; syslog - Syslog protocol
; If omitted the default value is cfapi
proto=cfapi
; Log Insight server port to connect to. If omitted the default value is:
; for syslog: 512
; for cfapi without ssl: 9000
; for cfapi with ssl: 9543
port=9000
; ssl - enable/disable SSL. Applies to cfapi protocol only.
; Possible values are yes or no. If omitted the default value is no.
ssl=no
; Time in minutes to force reconnection to the server
; If omitted the default value is 30
; reconnect=30

4 Restart the vRealize Log Insight agent on the appliance.

/etc/init.d/liagentd restart

5 Verify that the vRealize Log Insight agent is running on the appliance.

/etc/init.d/liagentd status
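Both the liagent.ini edit in step 3 above and the NTP= edit in the timesyncd.conf procedure are the same operation: set a key inside one section of an INI-style file. The script below is an added example, not code from the VMware guide or the agent: a small section-aware editor that applies this guide's values repeatably and reads them back for verification. File paths default to the ones the guide uses; ini_set, ini_get, configure_liagent and configure_timesyncd are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the VMware guide: apply the [server] settings
# from the agent procedure and the NTP= setting from the timesyncd procedure
# with a section-aware INI editor, so the change is repeatable and verifiable.
set -u

# Set key=value inside [section] of an INI-style file. A commented-out line
# (";key=..." or "#key=...") in that section is replaced in place; if the key
# is absent it is appended to the section; the section is created if missing.
ini_set() {
    file=$1; section=$2; key=$3; value=$4
    tmp=$(mktemp)
    awk -v s="$section" -v k="$key" -v v="$value" '
        /^\[/ { if (in_s && !done) { print k "=" v; done = 1 }
                in_s = ($0 == "[" s "]") }
        in_s && !done && $0 ~ ("^[;#]?[ \t]*" k "[ \t]*=") { print k "=" v; done = 1; next }
        { print }
        END { if (!done) { if (!in_s) print "[" s "]"; print k "=" v } }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Read the effective (uncommented) value of key in [section].
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^\[/ { in_s = ($0 == "[" s "]"); next }
        in_s && $0 ~ ("^" k "[ \t]*=") { sub("^" k "[ \t]*=[ \t]*", ""); print; exit }
    ' "$1"
}

# Step 3 of the agent procedure: point the agent at the Region A vRealize Log
# Insight cluster over the ingestion API. The guide uses port 9000 with ssl=no;
# the file's own comments list 9543 with ssl=yes as the TLS alternative, which
# the optional second and third arguments select.
configure_liagent() {
    file=${1:-/var/lib/loginsight-agent/liagent.ini}
    ini_set "$file" server hostname "sfo01vrli01.sfo01.rainpole.local"
    ini_set "$file" server proto cfapi
    ini_set "$file" server port "${2:-9000}"
    ini_set "$file" server ssl "${3:-no}"
}

# Step 2 of the NTP procedure: both regional NTP sources in timesyncd.conf.
configure_timesyncd() {
    file=${1:-/etc/systemd/timesyncd.conf}
    ini_set "$file" Time NTP "ntp.sfo01.rainpole.local ntp.lax01.rainpole.local"
}

# After editing, restart the service as the guide does, for example:
#   configure_liagent && /etc/init.d/liagentd restart
#   configure_timesyncd && systemctl restart systemd-timesyncd
```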

Disable SSH on the Skyline Collector Appliance in Region A

After you complete the configuration of the services on the Skyline Collector appliance that you must perform over SSH, disable SSH for security reasons.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the VMs and templates inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

3 In the sfo01-m01fd-mgmt virtual machine folder, right-click the sfo01sky01 appliance and select Open Console.

4 In the console to the appliance, press Enter to switch to the command prompt.

5 At the command prompt, log in as the root user by using the skyline_root_password password.

6 Open the SSH daemon configuration in the vi editor by running this command.

vi /etc/ssh/sshd_config

7 To disable access of the root user by using SSH, set the PermitRootLogin property to no in the sshd_config file.

PermitRootLogin no

8 Save the configuration file and exit the vi editor.

9 Restart the SSH daemon on the appliance by running this command.

systemctl restart sshd

10 To return to the original screen, run the exit command.

11 Close the appliance console.
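The enable and disable procedures above differ only in the value written to PermitRootLogin. The script below is an added example, not code from the VMware guide: it makes that edit idempotent, validates sshd_config with sshd -t before the daemon is restarted, and reads back the effective value so the disable step can be confirmed. The path defaults to /etc/ssh/sshd_config as in the guide; the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the VMware guide: switch root SSH login on the
# Skyline Collector appliance on or off idempotently, validating sshd_config
# before sshd is restarted so a typo cannot lock you out of the console path.
set -u

# Rewrite the PermitRootLogin directive (commented or not) in an sshd_config
# file, or append it if absent. Later duplicates are dropped so the first
# directive, the one sshd honours, is the one just written.
set_permit_root_login() {
    value=$1; file=${2:-/etc/ssh/sshd_config}
    case $value in yes|no) ;; *) echo "value must be yes or no" >&2; return 2 ;; esac
    tmp=$(mktemp)
    awk -v v="$value" '
        /^[ \t]*#?[ \t]*PermitRootLogin([ \t]|$)/ {
            if (!done) { print "PermitRootLogin " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print "PermitRootLogin " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Effective value: sshd uses the first uncommented PermitRootLogin directive;
# "prohibit-password" is the upstream OpenSSH default when none is present.
permit_root_login_value() {
    file=${1:-/etc/ssh/sshd_config}
    v=$(awk '/^[ \t]*PermitRootLogin[ \t]/ { print $2; exit }' "$file")
    echo "${v:-prohibit-password}"
}

# Validate with sshd -t (when sshd is on the PATH) and only then restart,
# which is step 9 of both procedures.
apply_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$file" || { echo "sshd_config failed validation; not restarting" >&2; return 1; }
    fi
    systemctl restart sshd
}

# Step 7 of the enable procedure:   set_permit_root_login yes && apply_sshd_config
# Step 7 of the disable procedure:  set_permit_root_login no  && apply_sshd_config
# Confirm afterwards:                permit_root_login_value   # expect "no"
```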

Complete the Initial Configuration of the Skyline Collector Instance in Region A

After you complete the deployment and service configuration of the appliance, register the Skyline Collector instance with VMware Cloud Services and connect the collector to the Management vCenter Server, NSX Manager for the management cluster, and vRealize Operations Manager.

Procedure

1 In a Web browser, log in to the Skyline Collector instance by using the user interface.

Setting Value

URL https://sfo01sky01.sfo01.rainpole.local

User name admin

Password default

2 On the You must change your password on first login page, use the following credentials and click Change.

Setting Value

Enter Old Password default

Enter New Password skyline_admin_password

Reenter New Password skyline_admin_password

3 Click Login Again.

4 Log in to the Skyline Collector user interface by using the new credentials.

Setting Value

User name admin

Password skyline_admin_password

The Initial Configuration wizard appears, displaying the Network Connectivity page.

5 If your organization requires the use of an HTTP proxy for external network connections, enter the settings for connection to the proxy.

a Turn on the Use a Proxy Server toggle switch to Yes and fill in the proxy details.

Setting Value

Proxy Address / IP FQDN of the allocated HTTP proxy

Proxy Port HTTP proxy port for incoming requests

Username (optional) User name for authentication to the HTTP proxy

Password (optional) Password of the user for authentication to the HTTP proxy

b Click Test Connectivity.

c After a confirmation message appears, click Continue.

6 On the Customer Experience Improvement Program (CEIP) page, review the configuration and click Continue.

7 On the Collector Registration page, connect the Skyline Collector instance to your VMware Cloud Services organization.

a In the Collector Registration Token box, enter the token you generated in the VMware Cloud Services portal.

b Click Register Collector and on the confirmation page, click Continue.

8 On the Continue Configuration page, click Continue.

9 On the Collector Name page, enter the friendly name of the collector.

a Enter sfo01sky01.sfo01.rainpole.local in the Friendly Name text box and click Set Friendly Name.

b After a confirmation message appears, click Continue.

10 On the Auto-Upgrade page, to continue having auto-upgrade turned off, click Continue.

11 On the Configure vCenter page, configure the endpoint for the Management vCenter Server.

a In the Configure vCenter section, enter the settings for connection to the Management vCenter Server.

Setting Value

vCenter Host Address sfo01m01vc01.sfo01.rainpole.local

vCenter Read-Only Account [email protected]

Password svc-skyline-vsphere_password

b In the SSO Config section, enter the settings for authentication to the VMware Platform Services Controller™ pair by using vCenter Single Sign-On.

Setting Value

Use Custom SSO Configuration Yes

PSC/SSO Host Address sfo01psc01.sfo01.rainpole.local

SSO Admin URL https://sfo01psc01.sfo01.rainpole.local/sso-adminserver/sdk/vsphere.local

SSO STS URL https://sfo01psc01.sfo01.rainpole.local/sts/STSService/vsphere.local

Lookup Service URL https://sfo01psc01.sfo01.rainpole.local/lookupservice/sdk/vsphere.local

c In the Data Collection section, leave Collect from All Datacenters as Yes and click Add.

d To set the CA-signed certificate of the Management vCenter Server as trusted, accept the certificate from the vCenter Server instance by clicking Continue.

e After a confirmation message appears, click Continue.

12 On the Configure NSX (optional) page, configure the endpoint for the NSX Manager instance for the management cluster.

a Enter the settings for connecting the collector to the NSX Manager instance and click Add.

Setting Value

NSX Address/IP sfo01m01nsx01.sfo01.rainpole.local

Username [email protected]

Password svc-skyline-nsx_password

b To set the CA-signed certificate of the NSX Manager instance as trusted, accept the certificate by clicking Continue.

c After a confirmation message appears, click Continue.

13 On the Configure Horizon View (optional) page, click Continue.

14 On the Configure vRealize Operations (optional) page, configure the endpoint for vRealize Operations Manager.

a Enter the settings for connecting the collector to vRealize Operations Manager and click Add.

Setting Value

vROps Manager Host vrops01svr01.rainpole.local

Username [email protected]

Password svc-skyline-vrops_password

b To accept the CA-signed certificate of vRealize Operations Manager, click Continue.

c After a confirmation message appears, click Continue.

15 On the Final Step page, review the configuration and click Finish.

16 On the System Status page, under Collector Overview, verify that the status of the collector is Your collector is running.

17 On the System Status page, under System Overview, verify that each of the sfo01m01vc01.sfo01.rainpole.local, sfo01m01nsx01.sfo01.rainpole.local, and vrops01svr01.rainpole.local endpoints has an Endpoints Working status.

Register the Components for the Shared Edge and Compute Cluster with the Skyline Collector Instance in Region A

During the initial configuration of the Skyline Collector instance, you can add endpoints only for the Management vCenter Server, the NSX Manager instance for the management cluster, and vRealize Operations Manager. To collect all product data that is available in the region for the supported solution types, connect the collector also to the Compute vCenter Server and the NSX Manager instances for the shared edge and compute cluster.

Procedure

1 Register the Compute vCenter Server with the Skyline Collector Instance in Region A

To collect product data from all vCenter Server instances in the region, add an endpoint for the Compute vCenter Server in the region. During the initial configuration of the Skyline Collector instance, you can connect the collector only to the Management vCenter Server.

2 Register the NSX Manager for the Shared Edge and Compute Cluster with the Skyline Collector Instance in Region A

To collect product data from all NSX Manager instances in the region, add an endpoint for the NSX Manager for the shared edge and compute cluster in the region. During the initial configuration of the Skyline Collector instance, you can connect the collector only to the NSX Manager instance for the management cluster.

Register the Compute vCenter Server with the Skyline Collector Instance in Region A

To collect product data from all vCenter Server instances in the region, add an endpoint for the Compute vCenter Server in the region. During the initial configuration of the Skyline Collector instance, you can connect the collector only to the Management vCenter Server.

Procedure

1 In a Web browser, log in to the Skyline Collector instance by using the user interface.

Setting Value

URL https://sfo01sky01.sfo01.rainpole.local

User name admin

Password skyline_admin_password

2 Select Configuration.

3 In the vCenter section, click + Add vCenter.

4 On the Add vCenter page, add the endpoint for the Compute vCenter Server.

a In the Configure vCenter section, enter the settings for connection to the Compute vCenter Server.

Setting Value

vCenter Host Address sfo01w01vc01.sfo01.rainpole.local

vCenter Read-Only Account [email protected]

Password svc-skyline-vsphere_password

b In the SSO Config section, enter the settings for authentication to the Platform Services Controller pair by using vCenter Single Sign-On.

Setting Value

Use Custom SSO Configuration On

PSC/SSO Host Address sfo01psc01.sfo01.rainpole.local

SSO Admin URL https://sfo01psc01.sfo01.rainpole.local/sso-adminserver/sdk/vsphere.local

SSO STS URL https://sfo01psc01.sfo01.rainpole.local/sts/STSService/vsphere.local

Lookup Service URL https://sfo01psc01.sfo01.rainpole.local/lookupservice/sdk/vsphere.local

c Leave Collect from All Datacenters set to Yes.

d In the Data Collection section, click Add.

e To set the CA-signed certificate of the Compute vCenter Server as trusted, accept the certificate and click Continue.

f After a confirmation message appears, click Finish.

5 In the vCenter section, verify that the sfo01w01vc01.sfo01.rainpole.local endpoint has an Endpoints Working status.

Register the NSX Manager for the Shared Edge and Compute Cluster with the Skyline Collector Instance in Region A

To collect product data from all NSX Manager instances in the region, add an endpoint for the NSX Manager for the shared edge and compute cluster in the region. During the initial configuration of the Skyline Collector instance, you can connect the collector only to the NSX Manager instance for the management cluster.

Procedure

1 In a Web browser, log in to the Skyline Collector instance by using the user interface.

Setting Value

URL https://sfo01sky01.sfo01.rainpole.local

User name admin

Password skyline_admin_password

2 Select Configuration.

3 Click NSX Managers.

4 In the NSX Managers section, click + Add NSX Manager.

5 On the Add NSX Manager page, add the endpoint for the NSX Manager instance for the shared edge and compute cluster.

a In the NSX Manager section, enter the settings for connection to the NSX Manager for the shared edge and compute cluster.

Setting Value

NSX Address/IP sfo01w01nsx01.sfo01.rainpole.local

User name [email protected]

Password svc-skyline-nsx_password

b To set the certificate of the NSX Manager instance for the shared edge and compute cluster as trusted, accept the certificate and click Continue.

c After a confirmation message appears, click Finish.

6 In the NSX Managers section, verify that the sfo01w01nsx01.sfo01.rainpole.local endpoint has an Endpoints Working status.

5 Post-Deployment Virtual Infrastructure Configuration in Region A

After you deploy the virtual infrastructure layer in Region A, to reach full functionality and operability of the layer, perform the necessary post-deployment product configuration tasks.

Procedure

1 Update the Host Profile for the Management Cluster in Region A

VMware Cloud Builder configures the ESXi hosts to join the Active Directory domain. You add the domain account credentials to the host profile for the management cluster in Region A and remediate the attached hosts to apply all host profile managed parameters. This brings all ESXi hosts in the cluster to compliant status.

2 Distributed Firewall Configuration in Region A

Configure the distributed firewall to improve the security in your environment by allowing only the required SDDC network traffic to pass through. You define explicit firewall rules to allow access to the management applications.

3 Update the Host Profile for the Shared Edge and Compute Cluster in Region A

You add the domain account credentials to the host profile for the shared edge and compute cluster in Region A and remediate the attached hosts to apply all host profile managed parameters. This brings all ESXi hosts in the cluster to compliant status.

4 Update the DNS Records for the Platform Services Controller Load Balancer in Region A

After setting up load balancing, you modify the DNS address of the Platform Services Controller load balancer in Region A.

Update the Host Profile for the Management Cluster in Region A

VMware Cloud Builder configures the ESXi hosts to join the Active Directory domain. You add the domain account credentials to the host profile for the management cluster in Region A and remediate the attached hosts to apply all host profile managed parameters. This brings all ESXi hosts in the cluster to compliant status.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 To update the Active Directory configuration, reset the host customizations for sfo01m01esx01.sfo01.rainpole.local.

a In the Policies and profiles inventory, click Host profiles.

b On the Host profiles page, click sfo01-m01hp-mgmt01.

The sfo01-m01hp-mgmt01 host profile page opens.

c On the Hosts tab, right-click sfo01m01esx01.sfo01.rainpole.local and select Host profiles > Reset host customizations.

d In the Reset host customizations dialog box, click Yes.

e Repeat the step to reset the host customizations for the remaining hosts in the management cluster.

3 Update the sfo01-m01hp-mgmt01 host profile.

a In the Policies and profiles inventory, click Host profiles.

b Right-click the sfo01-m01hp-mgmt01 host profile, and select Copy settings from host.

c In the Copy settings from host dialog box, select sfo01m01esx01.sfo01.rainpole.local, and click OK.

4 Edit the host customizations for the sfo01-m01hp-mgmt01 host profile.

a Right-click sfo01-m01hp-mgmt01, and select Edit host customizations.

The Edit host customizations wizard opens.

b On the Select hosts page, select all hosts and click Next.

c On the Customize hosts page, configure the Active Directory domain account for all ESXi hosts attached to the host profile, and click Finish.

Setting Value

User name [email protected]

Password svc-domain-join_password

5 Verify compliance and remediate the ESXi hosts.

a On the Host profiles page, click sfo01-m01hp-mgmt01.

b On the sfo01-m01hp-mgmt01 host profile page, from the Actions drop-down menu, select Check host profile compliance.

c Click the Monitor tab, and in the left pane, click Compliance.

On the Host profile page, the Host profile compliance column shows sfo01m01esx01.sfo01.rainpole.local as Compliant. The remaining ESXi hosts are Not Compliant.

d Click Remediate.

e In the Remediate dialog box, select all noncompliant hosts, select Automatically reboot hosts that require remediation, and click Remediate.

After restart, all hosts attached to the sfo01-m01hp-mgmt01 host profile show as Compliant.

Distributed Firewall Configuration in Region A

Configure the distributed firewall to improve the security in your environment by allowing only the required SDDC network traffic to pass through. You define explicit firewall rules to allow access to the management applications.

Procedure

1 Add the vCenter Server Appliance to the NSX Distributed Firewall Exclusion List in Region A

If a distributed firewall rule prevents network access between NSX Manager and vCenter Server, you cannot manage the firewall. To keep the network access open between the vCenter Server Appliance and NSX, you exclude the vCenter Server Appliance from all distributed firewall rules.

2 Create IP Sets for the Components of the Management Cluster in Region A

Create IP sets for all management applications. At a later stage, use the IP sets to create security groups to use with the distributed firewall rules.

3 Create Security Groups in Region A

To ease the creation and management of distributed firewall rules and to avoid per-virtual-machine configuration, you create security groups containing vSphere inventory items that require similar levels of accessibility. You create security groups based on previously configured IP sets and as collections of existing security groups.

4 Create Distributed Firewall Rules in Region A

Create firewall rules to define administrative, user, and tenant access to applications, and to configure the necessary connectivity to the SDDC.


Add the vCenter Server Appliance to the NSX Distributed Firewall Exclusion List in Region A

If a distributed firewall rule prevents network access between NSX Manager and vCenter Server, you cannot manage the firewall. To keep the network access open between the vCenter Server Appliance and NSX, you exclude the vCenter Server Appliance from all distributed firewall rules.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click Firewall settings.

3 Click the Exclusion list tab, and, from the NSX Manager drop-down menu, select 172.16.11.65.

4 Click Add.

The Select VMs to exclude dialog box opens.

5 From the Available objects section, select sfo01m01vc01, add it to the Selected objects section, and click OK.

Create IP Sets for the Components of the Management Cluster in Region A

Create IP sets for all management applications. At a later stage, use the IP sets to create security groups to use with the distributed firewall rules.

Repeat this procedure to configure all necessary IP sets. For applications that are load balanced, include their VIP in the IP set.

Table 5-1. IP Sets for the Management Components in Region A

Name | IP Addresses
Platform Services Controller Instances | 172.16.11.61, 172.16.11.63, 172.16.11.71
vCenter Server Instances | 172.16.11.62, 172.16.11.64
vRealize Automation Appliances | 192.168.11.50, 192.168.11.51, 192.168.11.52, 192.168.11.53
vRealize Automation Windows | 192.168.11.54, 192.168.11.55, 192.168.11.56, 192.168.11.57, 192.168.11.58, 192.168.11.59, 192.168.11.60, 192.168.11.61, 192.168.11.62
vRealize Automation Proxy Agents | 192.168.31.52, 192.168.31.53
vRealize Business Server | 192.168.11.66
vRealize Business Data Collector | 192.168.31.54
VMware VADP Solution | vStorage-API for Data-Protection-Solution_IPs
vRealize Operations Manager | 192.168.11.31, 192.168.11.32, 192.168.11.33, 192.168.11.35
vRealize Operations Manager Remote Collectors | 192.168.31.31, 192.168.31.32
vRealize Log Insight | 192.168.31.10, 192.168.31.11, 192.168.31.12, 192.168.31.13
vRealize Suite Lifecycle Manager | 192.168.11.20
Skyline Collector Instance | 192.168.31.70
Site Recovery Manager | 172.16.11.124
vSphere Replication | 172.16.11.123
Update Manager Download Service | 172.16.11.67, 192.168.31.67
SDDC | 192.168.31.0/24, Management-VLAN_Subnets, Management-VXLAN_Subnets
Administrators | Administrators_Subnet


Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click Groups and tags.

3 Click the IP sets tab and, from the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the Add button.

The New IP set wizard opens.

5 Configure the IP set and click Add.

Setting Value

Name vCenter Server Instances

IP Addresses 172.16.11.62, 172.16.11.64

Universal Synchronization On

6 Repeat this procedure to create all necessary IP sets.

Create Security Groups in Region A

To ease the creation and management of distributed firewall rules and to avoid per single virtual machine configuration, you create security groups containing vSphere inventory items that require similar levels of accessibility. You create security groups based on previously configured IP sets and as collections of existing security groups.

You perform this procedure multiple times to configure all security groups. You configure the Windows Servers and the VMware Appliances security groups after you create the necessary member security groups.

Table 5-2. Security Groups for the Management Components in the SDDC

Name | Object Type | Selected Object
Platform Services Controller Instances | IP Sets | Platform Services Controller Instances
vCenter Server Instances | IP Sets | vCenter Server Instances
vRealize Automation Appliances | IP Sets | vRealize Automation Appliances
vRealize Automation Windows | IP Sets | vRealize Automation Windows
vRealize Business Server | IP Sets | vRealize Business Server
vRealize Automation Proxy Agents | IP Sets | vRealize Automation Proxy Agents
vRealize Business Data Collector | IP Sets | vRealize Business Data Collector
vSphere Storage APIs - Data Protection based backup solution | IP Sets | VMware VADP Solution
vRealize Operations Manager | IP Sets | vRealize Operations Manager
vRealize Operations Manager Remote Collectors | IP Sets | vRealize Operations Manager Remote Collectors
vRealize Suite Lifecycle Manager | IP Sets | vRealize Suite Lifecycle Manager
Skyline Collector Instance | IP Sets | Skyline Collector Instance
Site Recovery Manager | IP Sets | Site Recovery Manager
vSphere Replication | IP Sets | vSphere Replication
vRealize Log Insight | IP Sets | vRealize Log Insight
Update Manager Download Service | IP Sets | Update Manager Download Service
SDDC | IP Sets | SDDC
Administrators | IP Sets | Administrators
Windows Servers | Security Group | vRealize Automation Windows, vRealize Automation Proxy Agents
VMware Appliances | Security Group | Platform Services Controller Instances, vCenter Server Instances, vSphere Replication, vRealize Automation Appliances, vRealize Business Server, Site Recovery Manager, vRealize Business Data Collector, vSphere Storage APIs - Data Protection based backup solution, vRealize Operations Manager, vRealize Operations Manager Remote Collectors, vRealize Suite Lifecycle Manager, vRealize Log Insight, Skyline Collector Instance, Update Manager Download Service

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password


2 In the Networking and security inventory, click Groups and tags.

3 Click the Security groups tab and, from the NSX Manager drop-down menu, select 172.16.11.65.

4 Click Add.

The Create security group wizard opens.

5 On the Name and description page, configure the settings and click Next.

Setting Value

Name Platform Services Controller Instances

Universal Synchronization On

6 On the Select objects to include page, configure the settings and click Next.

Setting Value

Object type IP Sets

Selected objects Platform Services Controller Instances

7 On the Ready to complete page, review the security group configuration and click Finish.

8 Repeat this procedure to create all necessary security groups.

Create Distributed Firewall Rules in Region A

Create firewall rules to define administrative, user, and tenant access to applications, and to configure the necessary connectivity to the SDDC.

You create and configure the distributed firewall rules in the SDDC.

Table 5-3. Distributed Firewall Rules in the SDDC

Name | Source | Destination | Service / Port
Allow vRealize Automation Portal to end users | * any | vRealize Automation Appliances, vRealize Automation Windows, vRealize Business Server | HTTP, HTTPS
Allow Orchestrator to admins | Administrators | vRealize Automation Appliances | TCP: 8281, 8283
Allow SDDC to any | SDDC | * any | * any
Allow Platform Services Controller to admins | Administrators | Platform Services Controller Instances | HTTPS
Allow SSH to admins | Administrators | VMware Appliances, Update Manager Download Service | SSH
Allow RDP to admins | Administrators | Windows Servers | RDP
Allow vRealize Automation Console Proxy to end users | * any | vRealize Automation Appliances | TCP: 8444
Allow vRealize Business Data Collector to admins | Administrators | vRealize Business Data Collector | HTTP, HTTPS
Allow vRealize Operations to admins | Administrators | vRealize Operations Manager, vRealize Operations Manager Remote Collectors | HTTP, HTTPS
Allow vRLI to admins | Administrators | vRealize Log Insight | HTTP, HTTPS
Allow vRealize Suite Lifecycle Manager to admins | Administrators | vRealize Suite Lifecycle Manager | HTTPS
Allow Skyline Collector instance to administrators | Administrators | Skyline Collector Instances | HTTPS
Allow VAMI to admins | Administrators | VMware Appliances | TCP: 5480
Allow VMware VADP Solution to admins | Administrators | VMware Appliances | TCP: 8543

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 Add a section of rules to organize the firewall rules for the management applications.

a In the Networking and security inventory, click Firewall and click the General tab.

b From the NSX Manager drop-down menu, select 172.16.11.65.

c Click Add section.

d Configure the settings and click Add.

Setting Value

Section name VMware Management Services

Universal synchronization On

3 Create a distributed firewall rule to allow SSH access to administrators for the different VMware appliances.

a Click Add rule.

b In the Name column, enter Allow SSH to admins.


c In the Source column, click the Edit icon.

d From the Object type drop-down menu, select Security group, add Administrators to the Selected objects list, and click Save.

e In the Destination column, click the Edit icon.

f From the Object type drop-down menu, select Security group, add VMware appliances and Update Manager Download Service to the Selected objects list, and click Save.

g In the Service column, click the Edit icon.

h From the Object type drop-down menu, select Services, add SSH to the Selected objects list, and click Save.

i Click Publish.

4 Repeat Step 3 to create the remaining distributed firewall rules for the *any, HTTP, HTTPS, SSH, and RDP services in the Service / Port column of Table 5-3. Distributed Firewall Rules in the SDDC.

5 Create a distributed firewall rule for the TCP protocol to allow vRealize Orchestrator services to administrators.

a Click Add rule.

b In the Name column, enter Allow Orchestrator to admins.

c In the Source column, click the Edit icon.

d From the Object type drop-down menu, select Security group, add Administrators to the Selected objects list, and click Save.

e In the Destination column, click the Edit icon.

f From the Object type drop-down menu, select Security group, add vRealize Automation appliances, and click Save.

g In the Service column, click the Edit icon.

h On the Specify service dialog box, select the Raw Port-Protocol tab.

i Click the Add button, from the Protocol drop-down menu select TCP, and in the Destination port text box enter 8281.

j Click the Add button, from the Protocol drop-down menu select TCP, and in the Destination port text box enter 8283.

k On the Specify service dialog box, click Save.

l Click Publish.

6 Repeat Step 5 to create the remaining distributed firewall rules for the TCP protocol in the Service / Port column of Table 5-3. Distributed Firewall Rules in the SDDC.


7 Change the default rule action to block.

a On the General tab, expand Default Section Layer3.

b For the default rule, from the Action drop-down menu, change the action to Block.

c Click Publish.
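As an added example that is not part of this guide, the following Python model reproduces the IP sets, security groups, rule order and default block from Tables 5-1 to 5-3 so that you can check which flows the published policy allows before you publish it. The placeholders in the tables (the VADP addresses, the Management-VLAN and Management-VXLAN subnets, the Administrators subnet) and the end-user source addresses are constructed sample values, and the NSX semantics (exclusion list first, then first match top to bottom, then the default Layer3 rule) are simplified.

```python
"""First-match model of the Region A distributed firewall (Tables 5-1 to 5-3).
Added example, not part of the VMware Validated Design guide; simplified NSX DFW
semantics: exclusion list, then rules top to bottom, then the default Layer3 rule."""
import ipaddress

# Table 5-1; placeholders (VADP IPs, management subnets, Administrators subnet) replaced by constructed values.
IP_SETS = {
    "Platform Services Controller Instances": ["172.16.11.61", "172.16.11.63", "172.16.11.71"],
    "vCenter Server Instances": ["172.16.11.62", "172.16.11.64"],
    "vRealize Automation Appliances": ["192.168.11.50", "192.168.11.51", "192.168.11.52", "192.168.11.53"],
    "vRealize Automation Windows": [f"192.168.11.{i}" for i in range(54, 63)],
    "vRealize Automation Proxy Agents": ["192.168.31.52", "192.168.31.53"],
    "vRealize Business Server": ["192.168.11.66"],
    "vRealize Business Data Collector": ["192.168.31.54"],
    "VMware VADP Solution": ["192.168.11.200"],  # constructed stand-in for the VADP placeholder
    "vRealize Operations Manager": ["192.168.11.31", "192.168.11.32", "192.168.11.33", "192.168.11.35"],
    "vRealize Operations Manager Remote Collectors": ["192.168.31.31", "192.168.31.32"],
    "vRealize Log Insight": ["192.168.31.10", "192.168.31.11", "192.168.31.12", "192.168.31.13"],
    "vRealize Suite Lifecycle Manager": ["192.168.11.20"],
    "Skyline Collector Instance": ["192.168.31.70"],
    "Site Recovery Manager": ["172.16.11.124"],
    "vSphere Replication": ["172.16.11.123"],
    "Update Manager Download Service": ["172.16.11.67", "192.168.31.67"],
    # 192.168.31.0/24 is from the table; the other /24s are constructed stand-ins for Management-VLAN/VXLAN_Subnets.
    "SDDC": ["192.168.31.0/24", "172.16.11.0/24", "192.168.11.0/24"],
    "Administrators": ["10.0.0.0/24"],  # constructed stand-in for Administrators_Subnet
}

# Table 5-2: one security group per IP set, plus the two nested groups.
SECURITY_GROUPS = {name: {"ipsets": [name]} for name in IP_SETS}
SECURITY_GROUPS.pop("VMware VADP Solution")
SECURITY_GROUPS["vSphere Storage APIs - Data Protection based backup solution"] = {"ipsets": ["VMware VADP Solution"]}
SECURITY_GROUPS["Windows Servers"] = {"groups": ["vRealize Automation Windows", "vRealize Automation Proxy Agents"]}
SECURITY_GROUPS["VMware Appliances"] = {"groups": [
    "Platform Services Controller Instances", "vCenter Server Instances", "vSphere Replication",
    "vRealize Automation Appliances", "vRealize Business Server", "Site Recovery Manager",
    "vRealize Business Data Collector", "vSphere Storage APIs - Data Protection based backup solution",
    "vRealize Operations Manager", "vRealize Operations Manager Remote Collectors",
    "vRealize Suite Lifecycle Manager", "vRealize Log Insight", "Skyline Collector Instance",
    "Update Manager Download Service"]}

ANY = "any"
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "SSH": ("tcp", 22), "RDP": ("tcp", 3389)}

# Table 5-3 in published order: (name, sources, destinations, services); a service is a predefined name or (protocol, port).
RULES = [
    ("Allow vRealize Automation Portal to end users", ANY,
     ["vRealize Automation Appliances", "vRealize Automation Windows", "vRealize Business Server"], ["HTTP", "HTTPS"]),
    ("Allow Orchestrator to admins", ["Administrators"], ["vRealize Automation Appliances"], [("tcp", 8281), ("tcp", 8283)]),
    ("Allow SDDC to any", ["SDDC"], ANY, ANY),
    ("Allow Platform Services Controller to admins", ["Administrators"], ["Platform Services Controller Instances"], ["HTTPS"]),
    ("Allow SSH to admins", ["Administrators"], ["VMware Appliances", "Update Manager Download Service"], ["SSH"]),
    ("Allow RDP to admins", ["Administrators"], ["Windows Servers"], ["RDP"]),
    ("Allow vRealize Automation Console Proxy to end users", ANY, ["vRealize Automation Appliances"], [("tcp", 8444)]),
    ("Allow vRealize Business Data Collector to admins", ["Administrators"], ["vRealize Business Data Collector"], ["HTTP", "HTTPS"]),
    ("Allow vRealize Operations to admins", ["Administrators"],
     ["vRealize Operations Manager", "vRealize Operations Manager Remote Collectors"], ["HTTP", "HTTPS"]),
    ("Allow vRLI to admins", ["Administrators"], ["vRealize Log Insight"], ["HTTP", "HTTPS"]),
    ("Allow vRealize Suite Lifecycle Manager to admins", ["Administrators"], ["vRealize Suite Lifecycle Manager"], ["HTTPS"]),
    ("Allow Skyline Collector instance to administrators", ["Administrators"], ["Skyline Collector Instance"], ["HTTPS"]),
    ("Allow VAMI to admins", ["Administrators"], ["VMware Appliances"], [("tcp", 5480)]),
    ("Allow VMware VADP Solution to admins", ["Administrators"], ["VMware Appliances"], [("tcp", 8543)]),
]
DEFAULT_ACTION = "block"  # step 7 changes the Default Section Layer3 rule to Block
# sfo01m01vc01 is on the DFW exclusion list: its traffic bypasses every rule, including the default block.
EXCLUDED_VMS = {"172.16.11.62"}

def expand_group(name, path=()):
    """Resolve a security group, including nested groups, to a set of networks."""
    if name in path:
        raise ValueError(f"cyclic security group nesting at {name!r}")
    spec = SECURITY_GROUPS[name]
    nets = {ipaddress.ip_network(a, strict=False) for s in spec.get("ipsets", []) for a in IP_SETS[s]}
    for child in spec.get("groups", []):
        nets |= expand_group(child, path + (name,))
    return nets

def in_groups(addr, groups):
    """True if addr falls in any listed security group, or if groups is ANY."""
    if groups == ANY:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for g in groups for net in expand_group(g))

def in_services(proto, port, services):
    if services == ANY:
        return True
    return any((proto, port) == (SERVICES[s] if isinstance(s, str) else s) for s in services)

def evaluate(src, dst, proto, port):
    """Return (action, reason): exclusion list first, then first matching rule, else default."""
    if src in EXCLUDED_VMS or dst in EXCLUDED_VMS:
        return ("allow", "exclusion list: not filtered by the distributed firewall")
    for name, srcs, dsts, svcs in RULES:
        if in_groups(src, srcs) and in_groups(dst, dsts) and in_services(proto, port, svcs):
            return ("allow", name)
    return (DEFAULT_ACTION, "Default Section Layer3")
```

A flow to or from the excluded vCenter Server Appliance returns allow regardless of the rules, which is why the exclusion list should hold only the components the firewall must never cut off from NSX Manager.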

Update the Host Profile for the Shared Edge and Compute Cluster in Region A

You add the domain account credentials to the host profile for the shared edge and compute cluster in Region A and remediate the attached hosts to apply all host profile managed parameters. This brings all ESXi hosts in the cluster to compliant status.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 To update the Active Directory configuration, reset the host customizations for sfo01w01esx01.sfo01.rainpole.local.

a In the Policies and profiles inventory, click Host profiles.

b On the Host profiles page, click sfo01-w01hp-comp01.

The sfo01-w01hp-comp01 host profile page opens.

c On the Hosts tab, right-click sfo01w01esx01.sfo01.rainpole.local and select Host profiles > Reset host customizations.

d In the Reset host customizations dialog box, click Yes.

e Repeat the step to reset the host customizations for the remaining hosts in the shared edge and compute cluster.

3 Update the sfo01-w01hp-comp01 host profile.

a In the Policies and profiles inventory, click Host profiles.

b Right-click the sfo01-w01hp-comp01 host profile, and select Copy settings from host.

c On the Copy settings from host dialog box, select sfo01w01esx01.sfo01.rainpole.local, and click OK.


4 Edit the host customizations for the sfo01-w01hp-comp01 host profile.

a Right-click sfo01-w01hp-comp01 and select Edit host customizations.

The Edit host customizations wizard opens.

b On the Select hosts page, select all hosts and click Next.

c On the Customize hosts page, configure the Active Directory domain account for all ESXi hosts attached to the host profile, and click Finish.

Setting Value

User name [email protected]

Password svc-domain-join_password

5 Verify compliance and remediate the ESXi hosts.

a On the Host Profiles page, click sfo01-w01hp-comp01.

b On the sfo01-w01hp-comp01 page, from the Actions drop-down menu, select Check host profile compliance.

c Click the Monitor tab, and in the left pane, click Compliance.

On the Host profile page, the Host profile compliance column shows sfo01w01esx01.sfo01.rainpole.local as Compliant. The remaining ESXi hosts are Not Compliant.

d Click Remediate.

e On the Remediate dialog box, select all non-compliant hosts, select Automatically reboot hosts that require remediation, and click Remediate.

After restart, all hosts attached to the sfo01-w01hp-comp01 host profile show as Compliant.

Update the DNS Records for the Platform Services Controller Load Balancer in Region A

After setting up load balancing, you modify the DNS address of the Platform Services Controller load balancer in Region A.

You edit the sfo01psc01.sfo01.rainpole.local DNS entry to point to the virtual IP address (VIP) 172.16.11.71 of the load balancer instead of to the IP address of sfo01m01psc01.

Procedure

1 Log in to the DNS server that resides in the sfo01.rainpole.local domain.

2 Open the Windows Start menu, enter dnsmgmt.msc in the Search text box, and press Enter.

The DNS Manager dialog box opens.

3 In the DNS Manager dialog box, under Forward lookup zones, select the sfo01.rainpole.local domain and locate the sfo01psc01 record.


4 Double-click sfo01psc01, configure the following settings, and click OK.

Setting Value

FQDN sfo01psc01.sfo01.rainpole.local

IP address 172.16.11.71

Update Associated Pointer (PTR) record Deselected


6 Post-Deployment Operations Management Configuration in Region A

After you deploy the operations management layer in Region A, to reach the full functionality and operability of the layer, perform the necessary post-deployment product configuration tasks.

Procedure

1 Post-Deployment Configuration of Update Manager Download Service in Region A

After you deploy Update Manager Download Service (UMDS), to provide persistent network access to the application, allocate a static IP address and connect UMDS to the application virtual network in Region A.

2 Post-Deployment Configuration of vRealize Operations Manager in Region A

After you deploy vRealize Operations Manager, perform the necessary post-deployment product configuration tasks to integrate with vRealize Log Insight and vRealize Automation and define monitoring goals for the default policy.

3 Post-Deployment Configuration of vRealize Log Insight in Region A

To complete the deployment of vRealize Log Insight, you configure the embedded vRealize Orchestrator to forward log events to vRealize Log Insight and add Skyline Collector Appliance to the Linux agent group.

4 Post-Deployment Configuration of vRealize Suite Lifecycle Manager in Region A

After you deploy VMware vRealize® Lifecycle Manager™ and the components of the operations management layer, save the configuration baselines of the vRealize Suite products deployments and perform the necessary post-deployment configuration tasks.

Post-Deployment Configuration of Update Manager Download Service in Region A

After you deploy Update Manager Download Service (UMDS), to provide persistent network access to the application, allocate a static IP address and connect UMDS to the application virtual network in Region A.

Procedure

1 Reconfigure Update Manager Download Service in Region A

After you deploy Update Manager Download Service (UMDS), the UMDS virtual machine is not part of the application virtual network. Add the UMDS virtual machine to the application virtual network in Region A and change the UMDS virtual machine's IP address.

Reconfigure Update Manager Download Service in Region A

After you deploy Update Manager Download Service (UMDS), the UMDS virtual machine is not part of the application virtual network. Add the UMDS virtual machine to the application virtual network in Region A and change the UMDS virtual machine's IP address.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

3 Expand the sfo01-m01-mgmt01 cluster.

4 Connect the Update Manager Download Service virtual machine to the Mgmt-RegionA01-VXLAN port group.

a Right-click sfo01umds01 and select Edit settings.

b On the Edit Settings dialog box, click the Virtual hardware tab.

c Under Network adapter 1, from the drop-down menu, select Browse, select the distributed port group that ends with Mgmt-RegionA01-VXLAN, and click OK.

5 Change the IP address of the Update Manager Download Service virtual machine.

a Right-click sfo01umds01 and select Open remote console.

b Log in by using the following credentials.

Setting Value

User name svc-umds

Password svc_umds_password

c Run the command to edit the 01-netcfg.yaml file.

sudo vi /etc/netplan/01-netcfg.yaml


d When prompted, provide the password for the svc-umds account.

e In the 01-netcfg.yaml file, configure the following settings and save the file.

addresses: [192.168.31.67/24]

gateway4: 192.168.31.1

f To apply the changes, run the following command.

sudo netplan apply

6 Log in to the DNS server by using a Remote Desktop Protocol (RDP) client.

Setting Value

FQDN dc01rpl.rainpole.local

User name Active Directory administrator

Password ad_admin_password

7 Open the Windows Start menu, in the Search text box, enter dnsmgmt.msc, and press Enter.

The DNS Manager dialog box appears.

8 Under Forward lookup zones, select the sfo01.rainpole.local domain.

9 In the right pane, double-click the sfo01umds01 record, configure the following settings, and click OK.

Setting Value

Fully qualified domain name (FQDN) sfo01umds01.sfo01.rainpole.local

IP address 192.168.31.67

Update associated pointer (PTR) record Selected

Post-Deployment Configuration of vRealize Operations Manager in Region A

After you deploy vRealize Operations Manager, perform the necessary post-deployment product configuration tasks to integrate with vRealize Log Insight and vRealize Automation and define monitoring goals for the default policy.

Procedure

1 Integrate vRealize Log Insight with vRealize Operations Manager in Region A

In VMware vRealize® Log Insight™, you enable the launch in context feature for vRealize Operations Manager. This allows vRealize Operations Manager to launch vRealize Log Insight with an object-specific query.


2 Configure User Privileges in vRealize Operations Manager for vRealize Automation Tenant Workload Reclamation in Region A

Configure the read-only privilege for the [email protected] service account in vRealize Operations Manager. This allows vRealize Operations Manager to access the compute vCenter Server instance and enables vRealize Automation to collect metrics from vRealize Operations Manager for the reclamation of tenant workloads.

3 Verify the Integration of vRealize Operations Manager as a Metrics Provider in vRealize Automation in Region A

In vRealize Automation, verify that vRealize Operations Manager is integrated as a metrics provider to enable vRealize Automation to pull metrics for the reclamation of tenant workloads.

4 Define the Monitoring Goals for the Default Policy in vRealize Operations Manager in Region A

Define the default policy settings for monitoring the vCenter Server instances in the region in vRealize Operations Manager. vRealize Operations Manager uses these settings to analyze and monitor the objects associated with a vCenter Server instance.

5 Update the SNMP Configuration of the Network Devices Adapter in vRealize Operations Manager

If you are deploying version 5.1 of VMware Validated Design, during the automated deployment and configuration, VMware Cloud Builder configures the network devices adapter in vRealize Operations Manager with public SNMP read community strings to allow for automatic discovery and device polling. After the automated deployment of VMware Validated Design 5.1, to enable device authentication and grant read-write access for the adapter to start the data collection, you reconfigure the SNMP read community string to private.

Integrate vRealize Log Insight with vRealize Operations Manager in Region A

In VMware vRealize® Log Insight™, you enable the launch in context feature for vRealize Operations Manager. This allows vRealize Operations Manager to launch vRealize Log Insight with an object-specific query.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 Click the configuration drop-down menu icon and select Administration.

3 In the left pane, under Integration, click vRealize Operations.

4 On the vRealize Operations Integration page, select Enable launch in context.

5 To validate the connection, click Test.


6 Click Save and in the progress dialog box, click OK.

Configure User Privileges in vRealize Operations Manager for vRealize Automation Tenant Workload Reclamation in Region A

Configure the read-only privilege for the [email protected] service account in vRealize Operations Manager. This allows vRealize Operations Manager to access the compute vCenter Server instance and enables vRealize Automation to collect metrics from vRealize Operations Manager for the reclamation of tenant workloads.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Setting Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click the Administration tab.

3 In the left pane, navigate to Access > Access control.

4 On the Access control page, click the User accounts tab.

5 Select the [email protected] service account and click the Edit icon.

6 On the Edit permission dialog box, deselect the Allow access to all objects in the system check box, configure the settings, and click OK.

Setting Value

Select role ReadOnly

Assign this role to the user Selected

Select object hierarchies Adapter Instance

Select object vCenter Adapter > vCenter Adapter - sfo01w01vc01

Verify the Integration of vRealize Operations Manager as a Metrics Provider in vRealize Automation in Region A

In vRealize Automation, verify that vRealize Operations Manager is integrated as a metrics provider to enable vRealize Automation to pull metrics for the reclamation of tenant workloads.

Procedure

1 In a Web browser, log in to vRealize Automation by using the Rainpole portal.

Setting Value

URL https://vra01svr01.rainpole.local/vcac/org/rainpole

User name vra-admin-rainpole

Password vra-admin-rainpole_password

Domain rainpole.local

2 On the main navigation bar, click the Administration tab.

3 In the left pane, navigate to Reclamation > Metrics provider.

4 Select vRealize Operations Manager endpoint, click Test connection, and verify that the test connection is successful.

Define the Monitoring Goals for the Default Policy in vRealize Operations Manager in Region A

Define the default policy settings for monitoring the vCenter Server instances in the region in vRealize Operations Manager. vRealize Operations Manager uses these settings to analyze and monitor the objects associated with a vCenter Server instance.

Procedure

1 In a Web browser, log in to vRealize Operations Manager by using the operations interface.

Setting Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, click Solutions > Configuration.

4 On the Solutions pane, select the VMware vSphere solution.

5 On the Configured adapter instances pane, click the Configure icon.

The Manage solution - VMware vSphere dialog box appears.

6 Under Instance name, select the sfo01m01vc01 vCenter adapter and click Define monitoring goals.

7 On the Define monitoring goals dialog box, leave the default definitions for monitored objects and type of alerts, click Yes for Enable vSphere hardening guide alerts, and click Save.

8 In the Success message box, click OK.

9 In the Manage solution - VMware vSphere dialog box, click Save Settings.


10 In the Info message box, click OK.

11 Repeat Step 6 to Step 10 for the sfo01w01vc01 vCenter Server adapter.

12 In the Manage solution - VMware vSphere dialog box, click Close.

Update the SNMP Configuration of the Network Devices Adapter in vRealize Operations Manager

If you are deploying version 5.1 of VMware Validated Design, during the automated deployment and configuration, VMware Cloud Builder configures the network devices adapter in vRealize Operations Manager with public SNMP read community strings to allow for automatic discovery and device polling. After the automated deployment of VMware Validated Design 5.1, to enable device authentication and grant read-write access for the adapter to start the data collection, you reconfigure the SNMP read community string to private.

This procedure does not apply to VMware Validated Design 5.1.1 and later. Starting with version 5.1.1 of VMware Validated Design, VMware Cloud Builder configures the network devices adapter in vRealize Operations Manager with private SNMP read community strings.

Procedure

1 In a Web browser, log in to vRealize Operations Manager by using the operations interface.

Setting Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click the Administration tab.

3 In the left pane, navigate to Solutions > Configuration.

4 In the Solutions section, select the Management pack for NSX-vSphere solution.

5 In the Configured adapter instances section, click the Configure icon.

The Manage solution - Management pack for NSX-vSphere dialog box opens.

6 In the Adapter type section, select Network devices adapter.

7 In the Instance name section, select Network devices adapter.

8 To modify the credentials for the network device adapter, in the Instance settings section, click the Edit icon.

9 In the Manage credential dialog box, for SNMP Read Community Strings, enter snmp_private_string and click OK.

10 On the Manage solution - Management pack for NSX-vSphere dialog box, click Save settings and click Close.


11 Restart data collection for the network devices adapter.

a In the Configured adapter instances section, select the Network devices adapter.

b Click the Stop collecting icon.

c Click the Start collecting icon.

d Verify that the adapter Collection state is Collecting and the Collection Status is Data receiving.

Post-Deployment Configuration of vRealize Log Insight in Region A

To complete the deployment of vRealize Log Insight, you configure the embedded vRealize Orchestrator to forward log events to vRealize Log Insight and add Skyline Collector Appliance to the Linux agent group.

Configure vRealize Orchestrator to Forward Log Events to vRealize Log Insight in Region A

You configure the embedded vRealize Orchestrator appliance to forward system logs and events to vRealize Log Insight. All syslog information can then be viewed and analyzed from the vRealize Log Insight Web interface.

Procedure

1 In a Web browser, log in to vRealize Orchestrator by using the Control Center interface.

Setting Value

URL https://vra01svr01a.rainpole.local:8283/vco-controlcenter/

User name root

Password vra_root_password

2 Click Logging integration.

3 Turn on the Enable logging to a remote log server toggle switch.

4 Configure the logging method and host and click Save.

Setting Value

Type Use Log Insight agent

Host sfo01vrli01.sfo01.rainpole.local

Port 9000

Protocol cfapi


Add Skyline Collector and Site Recovery Manager to the Agent Group for Management Virtual Appliances in Region A

After the SDDC deployment, add the Skyline Collector and Site Recovery Manager appliances to the agent group for the management virtual appliances. You use this agent group to apply common settings to the agents on the appliances in the region.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 Click the configuration drop-down menu icon and select Administration.

3 In the Management section, click Agents.

4 In the All Agents drop-down menu, from the Active Groups section, select VA - Linux Agent Group.

5 In the agent filter text box, add the host name of the Skyline Collector appliance and the Site Recovery Manager appliance to the list of management virtual appliances in the region and press Enter.

Filter     Operator   Values
Hostname   Matches    vrops01svr01a.rainpole.local
                      vrops01svr01b.rainpole.local
                      vrops01svr01c.rainpole.local
                      sfo01vropsc01a.sfo01.rainpole.local
                      sfo01vropsc01b.sfo01.rainpole.local
                      vrslcm01svr01a.rainpole.local
                      vra01svr01a.rainpole.local
                      vra01svr01b.rainpole.local
                      vra01svr01c.rainpole.local
                      vrb01svr01.rainpole.local
                      sfo01vrbc01.sfo01.rainpole.local
                      sfo01sky01.sfo01.rainpole.local
                      sfo01m01srm01.sfo01.rainpole.local

6 Click Save agent group.

7 Click the Refresh data icon and verify that all the agents listed in the filter appear in the Agents list.


Post-Deployment Configuration of vRealize Suite Lifecycle Manager in Region A

After you deploy VMware vRealize® Lifecycle Manager™ and the components of the operations management layer, save the configuration baselines of the vRealize Suite products deployments and perform the necessary post-deployment configuration tasks.

Configure NTP and DNS Settings of the vRealize Suite Lifecycle Manager Appliance in Region A

Configure NTP and DNS settings on the vRealize Suite Lifecycle Manager appliance to keep vRealize Suite Lifecycle Manager synchronized with the SDDC components.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01a.rainpole.local/vrlcm

User name admin@localhost

Password vrslcm_admin_password

2 In the navigation pane, click Settings > System administration and click the Time settings tab.

3 For Applicable time sync mode, select Use time server (NTP).

4 Add the ntp.sfo01.rainpole.local NTP server.

a In the Time server for system (NTP) section, click Add.

The Add NTP server dialog box opens.

b Configure the settings and click Add.

Setting Value

Name ntp.sfo01.rainpole.local

FQDN/IP Address ntp.sfo01.rainpole.local

5 Configure NTP server priority.

a On the Time server for system (NTP) section, click Select.

The NTP servers dialog box opens.

b On the Choose servers page, select ntp.sfo01.rainpole.local and click Next.

c On the Change server priority page, click Finish.

Setting Value

Server priority ntp.sfo01.rainpole.local


6 On the Time settings tab, click Submit.

7 In the navigation pane, click Settings > Servers and protocol and click the DNS servers tab.

8 Click Add DNS server, configure the following DNS servers, and click Add.

DNS Server Name IP Address

dc01rpl.rainpole.local 172.16.11.4

dc01sfo.sfo01.rainpole.local 172.16.11.5

Save the Configuration Baselines for the vRealize Suite Products in vRealize Suite Lifecycle Manager

vRealize Suite Lifecycle Manager uses the product baseline to generate configuration drift reports that show the difference between the current product configuration and the baseline configuration. You save a baseline to monitor each environment's configuration drift.

You save the baseline of the environment configuration for the following environments in vRealize Suite Lifecycle Manager.

- Cross-Region-Env

- SFO-Region-Env

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01a.rainpole.local/vrlcm

User name admin@localhost

Password vrslcm_admin_password

2 On the Home page, click Manage Environments.

3 In the Cross-Region-Env environment card, click the ellipsis on the top right corner and, from the drop-down menu, select Save Baseline.

The Baseline Save Initiated message appears in the Cross-Region-Env environment card.

4 Repeat this procedure for the remaining environments.

Register vRealize Suite Lifecycle Manager with My VMware

You integrate vRealize Suite Lifecycle Manager with your My VMware account to download patch and upgrade binaries for the vRealize Suite products. You also use the My VMware account to download content from the VMware Marketplace.


Prerequisites

Before you register vRealize Suite Lifecycle Manager with My VMware, verify that your environment meets the following requirements.

- Verify that the vRealize Suite Lifecycle Manager appliance has access to the internet. If your organization restricts outbound access, configure a proxy server for the vRealize Suite Lifecycle Manager appliance.

- Verify that your My VMware account has the necessary product entitlements to download vRealize Suite products update and upgrade binaries.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01a.rainpole.local/vrlcm

User name admin@localhost

Password vrslcm_admin_password

2 In the left pane, navigate to Settings > Product support.

3 Click the My VMware tab, enter your My VMware credentials, and click Submit.

4 In the Download product binaries dialog box, click No.

The Service registered with My VMware credentials provided message appears.


7 Post-Deployment Cloud Management Configuration in Region A

After you deploy the cloud management layer in Region A, to reach full functionality and operability of the layer, perform the necessary post-deployment product configuration tasks.

Procedure

1 Configure vRealize Automation for a Large-Scale Deployment in Region A

To enable data collection in vRealize Automation for an environment with a large number of vSphere objects, you reconfigure the vRealize Automation manager service by increasing the maximum allowed size and length of messages that can be received.

2 Reconfigure the Microsoft SQL Server for vRealize Automation in Region A

When you deploy vRealize Automation, the Microsoft SQL Server is outside of the vRealize Automation application virtual network and you must reconfigure the Microsoft SQL Server.

3 Configure Content Library in Region A

Content libraries are containers for VM templates, vApp templates, and other resources used for workload provisioning by vRealize Automation. You create and configure content libraries, and enable sharing templates and files across multiple vCenter Server instances to improve consistency, compliance, efficiency, and automation in deploying workloads at scale.

4 Create Machine Prefixes in Region A

As a fabric administrator, you create machine prefixes that can be used for naming virtual machines when provisioned by vRealize Automation. Tenant administrators and business group managers select the machine prefixes and assign them to provisioned machines through blueprints and business group defaults.

5 Create Business Groups in Region A

Tenant administrators create business groups to associate a set of services and resources to a set of users that often correspond to a line of business, department, or other organizational units. To request virtual machine provisioning, users must belong to a business group.

6 Create Logical Switches for Business Groups in Region A

For each compute vCenter Server instance, you create one logical switch per business group to simulate networks for the web, database, and application tiers.


7 Create Reservation Policies in Region A

You use reservation policies to group similar reservations together. To allow a tenant administrator or a business group manager to use the reservation policy in a blueprint, first create the reservation policy tag and then add the policy to the reservations.

8 Create External Network Profiles in Region A

Before members of a business group can request virtual machines, fabric administrators must create network profiles to define the subnet and routing configuration for the virtual machines. Each network profile is configured for a specific network port group or virtual network to specify the IP address and the routing configuration for virtual machines provisioned to that network.

9 Create Reservations for the Shared Edge and Compute Cluster in Region A

Before members of a business group can request machines, as a fabric administrator, you must allocate compute resources by creating reservations. Each reservation is configured for a specific business group to grant access to request machines on a specified compute resource.

10 Create Reservations for the User Edge Resources in Region A

Before the members of a business group can request virtual machines, as a fabric administrator, you must allocate NSX Edge resources by creating reservations. Each reservation is configured for a specific business group to grant access for the group members to request virtual machines on a specified compute resource.

11 Create Virtual Machines Using VM Templates in the Content Library in Region A

vRealize Automation cannot directly access virtual machine templates in the content library. You must create a virtual machine from the virtual machine templates in the content library, and then convert that virtual machine to a template in vCenter Server. Perform this procedure on all vCenter Server compute clusters that you add to vRealize Automation, including the first vCenter Server compute instance.

12 Convert Virtual Machines to VM Templates in Region A

You convert the virtual machines directly to templates instead of making a copy by cloning.

13 Configure Single Machine Blueprints in Region A

Virtual machine blueprints regulate the attributes, policies, management settings, and provisioning manner of a virtual machine. You create a service catalog and add virtual machine blueprints, then configure entitlements to provide access to business groups to automatic virtual machine provisioning on the specified compute resources.

Configure vRealize Automation for a Large-Scale Deployment in Region A

To enable data collection in vRealize Automation for an environment with a large number of vSphere objects, you reconfigure the vRealize Automation manager service by increasing the maximum allowed size and length of messages that can be received.


Procedure

1 Log in to the virtual machine of the vRealize Automation IaaS Manager Service by using a Remote Desktop Protocol (RDP) client.

Settings Value

FQDN vra01ims01a.rainpole.local

User name rainpole\svc-vra

Password svc-vra_password

2 Open the C:\Program Files (x86)\VMware\vCAC\Server\ManagerService.exe.config file in a text editor, with Administrative rights.

3 Locate the following line.

<binding name="ProxyAgentServiceBinding" maxReceivedMessageSize="13107200">

<readerQuotas maxStringContentLength="13107200" />

4 Edit the values of the following parameters, increasing them by a factor of 10.

Setting Value

maxReceivedMessageSize 131072000

maxStringContentLength 131072000

5 Save the changes to the ManagerService.exe.config file.

6 Restart the Windows guest operating system on the vRealize Automation virtual machine.

7 Repeat this procedure for the vra01ims01b.rainpole.local virtual machine.
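The edit in steps 2 to 5 can also be scripted. The following PowerShell is an added example, not VMware tooling; it assumes the file path and the values shown above, scales both limits by the documented factor of 10 through an XML edit rather than a text replacement, takes a backup first, and verifies the saved file.

```powershell
# Added example (not VMware tooling): scale the WCF message limits in ManagerService.exe.config
# by the documented factor of 10 using an XML edit, with a backup and a post-edit verification.
# Run in an elevated PowerShell session on vra01ims01a and vra01ims01b.
param(
    [string]$ConfigPath = 'C:\Program Files (x86)\VMware\vCAC\Server\ManagerService.exe.config',
    [int64]$Documented  = 13107200,   # value shipped in the file, as shown in step 3
    [int]$Factor        = 10          # step 4: increase both values by a factor of 10
)

$target = $Documented * $Factor       # 131072000, the value listed in step 4

# Keep a timestamped backup beside the original so the change can be reverted.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup -ErrorAction Stop

# Parse as XML instead of doing a text replacement so that no other attribute is touched.
[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw -ErrorAction Stop
$binding = $config.SelectSingleNode("//binding[@name='ProxyAgentServiceBinding']")
if (-not $binding) { throw "ProxyAgentServiceBinding not found in $ConfigPath" }
$quotas = $binding.SelectSingleNode('readerQuotas')
if (-not $quotas) { throw "readerQuotas element not found under ProxyAgentServiceBinding" }

# The two attributes named in step 4, each with the element that carries it.
$edits = @(
    @{ Node = $binding; Attr = 'maxReceivedMessageSize' },
    @{ Node = $quotas;  Attr = 'maxStringContentLength' }
)

foreach ($e in $edits) {
    $current = [int64]$e.Node.GetAttribute($e.Attr)
    if ($current -eq $target) {
        # Already scaled (for example, the script ran before): do not multiply again.
        Write-Host "$($e.Attr) is already $target; nothing to do"
        continue
    }
    if ($current -ne $Documented) {
        # Refuse to guess when the file does not match the documented starting point.
        throw "$($e.Attr) is $current, not the documented $Documented; review the file before scaling"
    }
    $e.Node.SetAttribute($e.Attr, ($current * $Factor).ToString())
    Write-Host "$($e.Attr): $current -> $($current * $Factor)"
}

$config.Save($ConfigPath)

# Re-read the saved file and confirm both limits now carry the expected value.
[xml]$check = Get-Content -LiteralPath $ConfigPath -Raw
$b  = $check.SelectSingleNode("//binding[@name='ProxyAgentServiceBinding']")
$ok = ($b.GetAttribute('maxReceivedMessageSize') -eq "$target") -and
      ($b.SelectSingleNode('readerQuotas').GetAttribute('maxStringContentLength') -eq "$target")
if (-not $ok) { throw "Verification failed; restore the original from $backup" }
Write-Host "ManagerService.exe.config updated; restart the guest OS (step 6) to apply the change."
```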

Reconfigure the Microsoft SQL Server for vRealize Automation in Region A

When you deploy vRealize Automation, the Microsoft SQL Server is outside of the vRealize Automation application virtual network and you must reconfigure the Microsoft SQL Server.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password


2 Shut down the vRealize Automation components.

a In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

b In the sfo01-m01-mgmt01 cluster, right-click each of the virtual machines, according to their shutdown order, and select Power > Shut down guest OS.

Table 7-1. Shutdown Order

Product                      Virtual Machine Name in Region A   Shutdown Order
vRealize Business for Cloud  Total Number of VMs (2)            1
                             sfo01vrbc01                        1
                             vrb01svr01                         2
vRealize Automation          Total Number of VMs (12)           2
                             vra01dem01b                        1
                             vra01dem01a                        1
                             sfo01ias01b                        1
                             sfo01ias01a                        1
                             vra01ims01b                        2
                             vra01ims01a                        3
                             vra01iws01b                        4
                             vra01iws01a                        5
                             vra01svr01c                        6
                             vra01svr01b                        7
                             vra01svr01a                        8
                             vra01mssql01                       9

The order in a product row is the order between products; the order in a virtual machine row is the order within that product.

3 Connect the Microsoft SQL Server virtual machine to the Mgmt-xRegion01-VXLAN port group.

a In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

b Expand the sfo01-m01-mgmt01 cluster.

c For VMware Validated Design 5.1 only, right-click vra01mssql01, select Move to folder, select sfo01-m01fd-vra, and click OK.

d Right-click vra01mssql01 and select Edit settings.

e On the Edit settings dialog box, configure the following network and click OK.

Setting Value

Network adapter 1 A distributed port group that ends with Mgmt-xRegion01-VXLAN.

f Right-click vra01mssql01 and select Power > Power on.


4 Change the IP address of the vra01mssql01 virtual machine.

a Right-click vra01mssql01 and select Open console.

b Log in by using the following credentials.

Setting Value

User name Windows administrator user

Password windows_administrator_password

c From the Windows Start menu, select Control panel > Network and internet > Network and sharing center > Change adapter settings.

d Right-click the Ethernet adapter and select Properties.

e Select Internet Protocol Version 4 (TCP/IPv4), click Properties, configure the following settings, and click OK.

Setting Value

IP address 192.168.11.62

Subnet mask 255.255.255.0

Default gateway 192.168.11.1

5 Change the IP address in the DNS that resides in the sfo01.rainpole.local domain for the vra01mssql01 virtual machine.

a Log in to the DNS server by using a Remote Desktop Protocol (RDP) client.

Setting Value

FQDN dc01rpl.rainpole.local

User name Active Directory administrator

Password ad_admin_password

b Open the Windows Start menu, in the Search text box, enter dnsmgmt.msc, and press Enter.

The DNS manager dialog box opens.

c Under Forward lookup zones, select the rainpole.local domain and in the right pane locate vra01mssql01.

d Double-click the vra01mssql01 record, configure the following settings, and click OK.

Setting Value

Fully qualified domain name (FQDN) vra01mssql01.rainpole.local

IP Address 192.168.11.62

Update associated pointer (PTR) record Selected


6 Power on the remaining vRealize Automation components.

a In the Hosts and clusters inventory of the vSphere Web Client, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

b In the sfo01-m01-mgmt01 cluster, right-click each of the virtual machines, according to their startup order, and select Power > Power on.

Table 7-2. Startup Order

Product                      Virtual Machine Name in Region A   Startup Order
vRealize Automation          Total Number of VMs (11)           1
                             vra01svr01a                        1
                             vra01svr01b                        2
                             vra01svr01c                        3
                             vra01iws01a                        4
                             vra01iws01b                        5
                             vra01ims01a                        6
                             vra01ims01b                        7
                             sfo01ias01a                        8
                             sfo01ias01b                        8
                             vra01dem01a                        8
                             vra01dem01b                        8
vRealize Business for Cloud  Total Number of VMs (2)            2
                             vrb01svr01                         1
                             sfo01vrbc01                        2

The order in a product row is the order between products; the order in a virtual machine row is the order within that product.
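The DNS change in step 5, with the forward and reverse lookup check a practitioner would run before powering the remaining components back on, as an added PowerShell example that is not part of the VMware Validated Design. It runs on dc01rpl.rainpole.local with the DnsServer module and assumes that the reverse lookup zone for 192.168.11.0/24 is named 11.168.192.in-addr.arpa, which the page does not state.

```powershell
# Added example (not part of the VMware Validated Design): step 5 as a DnsServer cmdlet sequence,
# followed by a forward and reverse lookup check. Run on dc01rpl.rainpole.local.
# Assumption: the reverse lookup zone for 192.168.11.0/24 is named 11.168.192.in-addr.arpa
# (the page does not state the reverse zone name).
param(
    [string]$ZoneName    = 'rainpole.local',
    [string]$RecordName  = 'vra01mssql01',
    [ipaddress]$NewIp    = '192.168.11.62',
    [string]$ReverseZone = '11.168.192.in-addr.arpa'
)

Import-Module DnsServer -ErrorAction Stop
$fqdn = "$RecordName.$ZoneName"

# Fetch the existing A record; stop if it is missing rather than silently creating a new one.
$old = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType A -ErrorAction Stop |
       Select-Object -First 1
$oldIp = $old.RecordData.IPv4Address

if ($oldIp.Equals($NewIp)) {
    Write-Host "A record $fqdn already points to $NewIp"
} else {
    # Set-DnsServerResourceRecord replaces the old record with a modified clone of it.
    $new = $old.Clone()
    $new.RecordData.IPv4Address = $NewIp
    Set-DnsServerResourceRecord -ZoneName $ZoneName -OldInputObject $old -NewInputObject $new -ErrorAction Stop
    Write-Host "A record $fqdn changed from $oldIp to $NewIp"
}

# The GUI option "Update associated pointer (PTR) record" has no cmdlet equivalent, so add the
# PTR explicitly. A stale PTR under the old subnet's reverse zone must be removed separately.
$ptrName  = $NewIp.GetAddressBytes()[3].ToString()    # last octet is the record name in a /24 zone
$existing = Get-DnsServerResourceRecord -ZoneName $ReverseZone -Name $ptrName -RRType Ptr -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.PtrDomainName.TrimEnd('.') -eq $fqdn }
if (-not $existing) {
    Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name $ptrName -PtrDomainName $fqdn -ErrorAction Stop
    Write-Host "PTR $ptrName.$ReverseZone -> $fqdn added"
}

# Verify from the resolver's point of view: the forward lookup returns the new address and the
# reverse lookup maps it back to the FQDN.
$forward = @(Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
$reverse = @((Resolve-DnsName -Name $NewIp.IPAddressToString -Type PTR -DnsOnly -ErrorAction Stop).NameHost)
if (($forward -contains $NewIp.IPAddressToString) -and ($reverse -contains $fqdn)) {
    Write-Host "Verified: $fqdn -> $($forward -join ',') and $NewIp -> $($reverse -join ',')"
} else {
    throw "DNS verification failed: forward=$($forward -join ',') reverse=$($reverse -join ',')"
}
```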

Configure Content Library in Region A

Content libraries are containers for VM templates, vApp templates, and other resources used for workload provisioning by vRealize Automation. You create and configure content libraries, and enable sharing templates and files across multiple vCenter Server instances to improve consistency, compliance, efficiency, and automation in deploying workloads at scale.

You create and manage a content library from a single vCenter Server instance, but you can share the library items with other vCenter Server instances if the HTTP(S) traffic is allowed between them.

Procedure

1 Configure a Content Library in the First Compute vCenter Server Instance in Region A

Create a content library and populate it with templates that you can use to deploy virtual machines in your environment. Content libraries let you synchronize templates between different vCenter Server instances so that all the templates in your environment are consistent.


2 Import the OVF Files for the Virtual Machine Templates in Region A

You can import OVF packages that you previously prepared to use as templates for virtual machine deployment. The virtual machine templates that you add to the content library are used as vRealize Automation blueprints.

Configure a Content Library in the First Compute vCenter Server Instance in Region A

Create a content library and populate it with templates that you can use to deploy virtual machines in your environment. Content libraries let you synchronize templates between different vCenter Server instances so that all the templates in your environment are consistent.

If you deploy additional vCenter Server instances in the compute cluster, they can also use this content library.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Content libraries inventory, click the Add icon.

The New content library wizard opens.

3 On the Name and location page, configure the following settings and click Next.

Setting Value

Name sfo01-w01cl-vra01

vCenter Server sfo01w01vc01.sfo01.rainpole.local

4 On the Configure content library page, configure the following settings and click Next.

Setting Value

Local content library Selected

Enable publishing Selected

Enable authentication Selected

Password sfo01-w01cl-vra01_password

Confirm password sfo01-w01cl-vra01_password

5 On the Add storage page, select the sfo01-w01-lib01 datastore, and click Next.

6 On the Ready to complete page, click Finish.


Import the OVF Files for the Virtual Machine Templates in Region A

You can import OVF packages that you previously prepared to use as templates for virtual machine deployment. The virtual machine templates that you add to the content library are used as vRealize Automation blueprints.

Table 7-3. Virtual Machine Templates in Region A

VM Template Name Operating System Type

ubuntu-server-1804 Ubuntu Server 18.04

windows-server-2016 Windows Server 2016

windows-server-2016-sql-server-2017 Windows Server 2016 with SQL Server 2017

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Content libraries inventory, right-click the sfo01-w01cl-vra01 content library and select Import item.

3 In the Import library item dialog box, configure the settings for the template and click Import.

Setting Value

Source file URL or local path to ubuntu-server-1804.ovf and .vmdk file

Item name ubuntu-server-1804

Notes Ubuntu Server 18.04

4 Repeat the procedure to import the remaining virtual machine templates.

Create Machine Prefixes in Region A

As a fabric administrator, you create machine prefixes that can be used for naming virtual machines when provisioned by vRealize Automation. Tenant administrators and business group managers select the machine prefixes and assign them to provisioned machines through blueprints and business group defaults.


Machine prefixes are shared across all tenants. Every business group has a default machine prefix. Every blueprint must have a machine prefix or use the group default prefix. Fabric administrators are responsible for managing machine prefixes. A prefix consists of a base name to be followed by a counter of a specified number of digits. When all the digits are used, vRealize Automation rolls back to the first number.

Procedure

1 In a Web browser, log in to vRealize Automation by using the Rainpole portal.

Setting Value

URL https://vra01svr01.rainpole.local/vcac/org/rainpole

User name vra-admin-rainpole

Password vra-admin-rainpole_password

Domain rainpole.local

2 On the main navigation bar, click the Infrastructure tab.

3 In the left pane, navigate to Administration > Machine prefixes.

4 Create a default machine prefix for the Production business group.

a On the Machine prefixes page, click New and enter the following settings.

Setting Value

Name Prod-

Tenant All tenants

Number of Digits 5

Next Number 1

b Click the Save icon.

5 Create a default machine prefix for the Development business group.

a On the Machine prefixes page, click New and enter the following settings.

Setting Value

Name Dev-

Tenant All tenants

Number of Digits 5

Next Number 1

b Click the Save icon.


Create Business Groups in Region A

Tenant administrators create business groups to associate a set of services and resources to a set of users that often correspond to a line of business, department, or other organizational units. To request virtual machine provisioning, users must belong to a business group.

For this implementation, you create two business groups, a Production business group and a Development business group.

Table 7-4. Business Groups in Region A

Business Group Group Manager Default Machine Prefix

Production [email protected] Prod-

Development [email protected] Dev-

Procedure

1 In a Web browser, log in to vRealize Automation by using the Rainpole portal.

Setting Value

URL https://vra01svr01.rainpole.local/vcac/org/rainpole

User name vra-admin-rainpole

Password vra-admin-rainpole_password

Domain rainpole.local

2 On the main navigation bar, click the Administration tab.

3 In the left pane, navigate to Users & groups > Business groups.

4 Create the Production business group.

a On the Business groups page, click New.

b On the General tab, enter the following settings and click Next.

Setting Value

Name Production

Send capacity alert emails to [email protected]

c On the Members tab, in the Group manager role text box, enter [email protected], click the search icon, and select the [email protected] universal group.

d Click Next.

e On the Infrastructure tab, from the Default machine prefix drop-down menu, select Prod- and click Finish.

5 Repeat this procedure to create the Development business group.


Create Logical Switches for Business Groups in Region A

For each compute vCenter Server instance, you create one logical switch per business group to simulate networks for the web, database, and application tiers.

You repeat this procedure to create all logical switches.

Table 7-5. Logical Switches for Business Groups

Logical Switch Name Description

Production-Web-VXLAN Logical switch for the Web tier of the Production Business Group

Production-DB-VXLAN Logical switch for the Database tier of the Production Business Group

Production-App-VXLAN Logical switch for the Application tier of the Production Business Group

Development-Web-VXLAN Logical switch for the Web tier of the Development Business Group

Development-DB-VXLAN Logical switch for the Database tier of the Development Business Group

Development-App-VXLAN Logical switch for the Application tier of the Development Business Group

Procedure

1 In a Web browser, log in to the Compute vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01w01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click Logical switches.

3 From the NSX Manager drop-down menu, select 172.16.11.66.

4 Create the first logical switch.

a Click the Add button.

The New logical switch dialog box opens.

b Configure the settings and click Add.

Setting Value

Name Production-Web-VXLAN

Description Logical switch for Web tier of Production Business Group

Transport Zone Comp Universal Transport Zone

Replication Mode Hybrid


Enable IP Discovery Selected

Enable MAC Learning Deselected

5 Repeat the previous step to create the remaining logical switches.

Create Reservation Policies in Region A

You use reservation policies to group similar reservations together. To allow a tenant administrator or a business group manager to use the reservation policy in a blueprint, first create the reservation policy tag and then add the policy to the reservations.

When you request a machine, it can be provisioned on any reservation of the appropriate type that has sufficient capacity for the machine. To restrict the machines provisioned from a blueprint to a subset of available reservations, you apply a reservation policy to the blueprint. A reservation policy is often used to collect resources into groups for different service levels, or to make a specific type of resource easily available for a particular purpose. A reservation policy can include reservations of different types, but only reservations that match the blueprint type are considered when selecting a reservation for a particular request.

Table 7-6. Reservation Policies in Region A

Reservation Policy Name Type Description

SFO-Production-Policy Reservation Policy Reservation policy for the Production business group

SFO-Development-Policy Reservation Policy Reservation policy for the Development business group

SFO-Edge-Policy Reservation Policy Reservation policy for the Tenant Edge resources

Procedure

1 In a Web browser, log in to vRealize Automation by using the Rainpole portal.

Setting Value

URL https://vra01svr01.rainpole.local/vcac/org/rainpole

User name vra-admin-rainpole

Password vra-admin-rainpole_password

Domain rainpole.local

2 On the main navigation bar, click the Infrastructure tab.

3 In the left pane, navigate to Reservations > Reservation Policies.


4 Create a reservation policy for the Production business group.

a On the Reservation Policies page, click New and enter the following settings.

Setting Value

Name SFO-Production-Policy

Type Reservation Policy

Description Reservation policy for the Production business group

b Click OK.

5 Repeat this procedure to create the remaining reservation policies.

Create External Network Profiles in Region A

Before members of a business group can request virtual machines, fabric administrators must create network profiles to define the subnet and routing configuration for the virtual machines. Each network profile is configured for a specific network port group or virtual network to specify the IP address and the routing configuration for virtual machines provisioned to that network.

Repeat this procedure to create the following external network profiles.

- Ext-Net-Profile-Production-App
- Ext-Net-Profile-Production-DB
- Ext-Net-Profile-Production-Web
- Ext-Net-Profile-Development-App
- Ext-Net-Profile-Development-DB
- Ext-Net-Profile-Development-Web

Procedure

1 In a Web browser, log in to vRealize Automation by using the Rainpole portal.

Setting Value

URL https://vra01svr01.rainpole.local/vcac/org/rainpole

User name vra-admin-rainpole

Password vra-admin-rainpole_password

Domain rainpole.local

2 On the main navigation bar, click the Infrastructure tab.

3 In the left pane, navigate to Reservations > Network profiles.

4 On the Network profiles page, click New > External.

The New network profile - external page opens.


5 On the General tab, add the network profiles.

a For the Production group external network profile, configure the following settings.

Setting | Value for Production-Web Profile | Value for Production-DB Profile | Value for Production-App Profile
Name | Ext-Net-Profile-Production-Web | Ext-Net-Profile-Production-DB | Ext-Net-Profile-Production-App
Description | External Network profile for the Web Tier of the Production business group | External Network profile for the DB Tier of the Production business group | External Network profile for the App Tier of the Production business group
Subnet mask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0
Gateway | 172.11.10.1 | 172.11.11.1 | 172.11.12.1

b For the Development group external network profile, configure the following settings.

Setting | Value for Development-Web Profile | Value for Development-DB Profile | Value for Development-App Profile
Name | Ext-Net-Profile-Development-Web | Ext-Net-Profile-Development-DB | Ext-Net-Profile-Development-App
Description | External Network profile for the Web Tier of the Development business group | External Network profile for the DB Tier of the Development business group | External Network profile for the App Tier of the Development business group
Subnet mask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0
Gateway | 172.12.10.1 | 172.12.11.1 | 172.12.12.1

6 For production and development network profiles, click the DNS tab and configure the following settings.

Setting Value

Primary DNS 172.16.11.4

Secondary DNS 172.17.11.4

DNS suffix sfo01.rainpole.local

DNS search suffixes sfo01.rainpole.local


7 Click the Network ranges tab, click New, and configure the network ranges.

a For the Production network range, enter the following settings.

Setting | Value for Production-Web Profile | Value for Production-DB Profile | Value for Production-App Profile
Name | Production-Web | Production-DB | Production-App
Description | Static IP range for the Web Tier of the Production business group | Static IP range for the DB Tier of the Production business group | Static IP range for the App Tier of the Production business group
Start IP | 172.11.10.20 | 172.11.11.20 | 172.11.12.20
End IP | 172.11.10.250 | 172.11.11.250 | 172.11.12.250

b For the Development network range, enter the following settings.

Setting | Value for Development-Web Profile | Value for Development-DB Profile | Value for Development-App Profile
Name | Development-Web | Development-DB | Development-App
Description | Static IP range for the Web Tier of the Development business group | Static IP range for the DB Tier of the Development business group | Static IP range for the App Tier of the Development business group
Start IP | 172.12.10.20 | 172.12.11.20 | 172.12.12.20
End IP | 172.12.10.250 | 172.12.11.250 | 172.12.12.250

c Click OK to save the network range.

8 Click OK to save the network profile.
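A fabric administrator can cross-check the six profiles above before the first request is submitted. The following script is an added example, not part of this document or VMware code: the profile values are copied from the tables in this procedure, and the checks it performs (static range inside the subnet, gateway outside the static range, no network or broadcast address in a range, no overlap between profiles) are this example's own assumptions about what is worth verifying.

```python
"""Consistency check for the external network profiles created in this section.

Added example, not part of the VMware Validated Design document and not VMware code.
The profile values are copied from the Production and Development network profile
tables above; the checks (static range inside the subnet, gateway outside the static
range, no network or broadcast address in the range, no overlap between profiles) are
this example's own assumptions about what to verify before provisioning starts.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ExternalNetworkProfile:
    name: str
    subnet_mask: str   # Subnet mask on the General tab
    gateway: str       # Gateway on the General tab
    start_ip: str      # Start IP on the Network ranges tab
    end_ip: str        # End IP on the Network ranges tab

    def network(self) -> ipaddress.IPv4Network:
        # The subnet is implied by gateway + mask, as in the vRA profile form.
        return ipaddress.IPv4Network((self.gateway, self.subnet_mask), strict=False)

    def static_range(self) -> tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
        return ipaddress.IPv4Address(self.start_ip), ipaddress.IPv4Address(self.end_ip)


# Values from the network profile and network range tables in this section.
REGION_A_PROFILES = [
    ExternalNetworkProfile("Ext-Net-Profile-Production-Web", "255.255.255.0", "172.11.10.1", "172.11.10.20", "172.11.10.250"),
    ExternalNetworkProfile("Ext-Net-Profile-Production-DB", "255.255.255.0", "172.11.11.1", "172.11.11.20", "172.11.11.250"),
    ExternalNetworkProfile("Ext-Net-Profile-Production-App", "255.255.255.0", "172.11.12.1", "172.11.12.20", "172.11.12.250"),
    ExternalNetworkProfile("Ext-Net-Profile-Development-Web", "255.255.255.0", "172.12.10.1", "172.12.10.20", "172.12.10.250"),
    ExternalNetworkProfile("Ext-Net-Profile-Development-DB", "255.255.255.0", "172.12.11.1", "172.12.11.20", "172.12.11.250"),
    ExternalNetworkProfile("Ext-Net-Profile-Development-App", "255.255.255.0", "172.12.12.1", "172.12.12.20", "172.12.12.250"),
]


def validate_profile(profile: ExternalNetworkProfile) -> list[str]:
    """Return the problems found in one profile; an empty list means it is consistent."""
    problems: list[str] = []
    net = profile.network()
    start, end = profile.static_range()
    gateway = ipaddress.IPv4Address(profile.gateway)
    if start > end:
        problems.append(f"{profile.name}: Start IP {start} is after End IP {end}")
    for label, addr in (("Start IP", start), ("End IP", end)):
        if addr not in net:
            problems.append(f"{profile.name}: {label} {addr} is outside subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{profile.name}: {label} {addr} is the network or broadcast address")
    if start <= gateway <= end:
        problems.append(f"{profile.name}: gateway {gateway} lies inside the static range {start}-{end}")
    return problems


def find_overlaps(profiles: list[ExternalNetworkProfile]) -> list[tuple[str, str]]:
    """Pairs of profiles whose static ranges share at least one address."""
    overlaps = []
    for i, a in enumerate(profiles):
        a_start, a_end = a.static_range()
        for b in profiles[i + 1:]:
            b_start, b_end = b.static_range()
            if a_start <= b_end and b_start <= a_end:
                overlaps.append((a.name, b.name))
    return overlaps


def validate_all(profiles: list[ExternalNetworkProfile]) -> list[str]:
    """Per-profile problems plus one entry for every pair of overlapping ranges."""
    problems = []
    for profile in profiles:
        problems.extend(validate_profile(profile))
    for a, b in find_overlaps(profiles):
        problems.append(f"static ranges of {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    for line in validate_all(REGION_A_PROFILES) or ["all Region A network profiles are consistent"]:
        print(line)
```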

Create Reservations for the Shared Edge and Compute Cluster in Region A

Before members of a business group can request machines, as a fabric administrator, you must allocate compute resources by creating reservations. Each reservation is configured for a specific business group to grant access to request machines on a specified compute resource.

You create reservations for both the Production and the Development business groups.

Table 7-7. Resource Reservations for Business Groups in Region A

Business Group | Reservation Name | Reservation Policy | Compute Resource
Production | SFO01-Comp01-Prod-Res01 | SFO-Production-Policy | sfo01-w01-comp01 (sfo01w01vc01.sfo01.rainpole.local)
Development | SFO01-Comp01-Dev-Res01 | SFO-Development-Policy | sfo01-w01-comp01 (sfo01w01vc01.sfo01.rainpole.local)


Procedure

1 In a Web browser, log in to vRealize Automation by using the Rainpole portal.

Setting Value

URL https://vra01svr01.rainpole.local/vcac/org/rainpole

User name vra-admin-rainpole

Password vra-admin-rainpole_password

Domain rainpole.local

2 On the main navigation bar, click the Infrastructure tab.

3 In the left pane, navigate to Compute resources > Compute resources.

4 In the Name column, from the sfo01-w01-comp01 drop-down menu, select Data collection.

5 Click the Request now button for all data collections.

Wait for the data collection processes to complete with state Succeeded.

6 In the left pane, navigate to Reservations > Reservations.

7 On the Reservations page, click New > vSphere (vCenter).

The New reservation - vSphere (vCenter) page opens.

8 Click the General tab and configure the following settings for the Production and Development business groups.

Setting | Value for Production Business Group | Value for Development Business Group
Name | SFO01-Comp01-Prod-Res01 | SFO01-Comp01-Dev-Res01
Tenant | Rainpole | Rainpole
Business Group | Production | Development
Reservation Policy | SFO-Production-Policy | SFO-Development-Policy
Priority | 100 | 100
Enable This Reservation | Selected | Selected

9 For production and development reservations, click the Resources tab and configure the following settings.

Setting Value

Compute resource sfo01-w01-comp01 (sfo01w01vc01.sfo01.rainpole.local)

Memory (GB) 200

Storage (GB) Storage path: Primary compute datastore sfo01-w01-vsan01 or sfo01-w01-lib01; Reserved: 2000; Priority: 1

Resource Pool sfo01-w01rp-user-vm

10 Click the Network tab.

a For the Production business group, configure the following settings.

Network Adapter Network Profile

vxw-dvs-xxxxx-Production-Web-VXLAN Ext-Net-Profile-Production-Web

vxw-dvs-xxxxx-Production-DB-VXLAN Ext-Net-Profile-Production-DB

vxw-dvs-xxxxx-Production-App-VXLAN Ext-Net-Profile-Production-App

b For the Development business group, configure the following settings.

Network Adapter Network Profile

vxw-dvs-xxxxx-Development-Web-VXLAN Ext-Net-Profile-Development-Web

vxw-dvs-xxxxx-Development-DB-VXLAN Ext-Net-Profile-Development-DB

vxw-dvs-xxxxx-Development-App-VXLAN Ext-Net-Profile-Development-App

11 To save the reservation, on the New reservation - vSphere (vCenter) page, click OK.

Create Reservations for the User Edge Resources in Region A

Before the members of a business group can request virtual machines, as a fabric administrator, you must allocate NSX Edge resources by creating reservations. Each reservation is configured for a specific business group to grant access for the group members to request virtual machines on a specified compute resource.

Repeat this procedure to create reservations for the Production and the Development business groups.

Table 7-8. Resource Reservations for Business Groups in Region A

Business Group | Reservation Name | Reservation Policy | Compute Resource
Production | SFO01-Comp01-Prod-Res01 | SFO-Edge-Policy | sfo01-w01-comp01 (sfo01w01vc01.sfo01.rainpole.local)
Development | SFO01-Comp01-Dev-Res01 | SFO-Edge-Policy | sfo01-w01-comp01 (sfo01w01vc01.sfo01.rainpole.local)

Procedure

1 In a Web browser, log in to vRealize Automation by using the Rainpole portal.

Setting Value

URL https://vra01svr01.rainpole.local/vcac/org/rainpole

User name vra-admin-rainpole


Password vra-admin-rainpole_password

Domain rainpole.local

2 On the main navigation bar, click the Infrastructure tab.

3 In the left pane, navigate to Reservations > Reservations.

4 On the Reservations page, click New > vSphere (vCenter).

The New reservation - vSphere (vCenter) page opens.

5 On the General tab, configure the following settings.

Setting | Value for Production Business Group | Value for Development Business Group
Name | SFO01-Edge01-Prod-Res01 | SFO01-Edge01-Dev-Res01
Tenant | Rainpole | Rainpole
Business Group | Production | Development
Reservation Policy | SFO-Edge-Policy | SFO-Edge-Policy
Priority | 100 | 100
Enable This Reservation | Selected | Selected

6 For production and development reservations, click the Resources tab and configure the following settings.

Setting Value

Compute resource sfo01-w01-comp01 (sfo01w01vc01.sfo01.rainpole.local)

Memory (GB) 200

Storage (GB) Storage path: Primary compute datastore sfo01-w01-vsan01 or sfo01-w01-lib01; Reserved: 2000; Priority: 1

Resource Pool sfo01-w01rp-user-edge


7 Click the Network tab.

a For the Production business group, configure the following settings.

Network Adapter Network Profile

vxw-dvs-xxxxx-Production-Web-VXLAN Ext-Net-Profile-Production-Web

vxw-dvs-xxxxx-Production-DB-VXLAN Ext-Net-Profile-Production-DB

vxw-dvs-xxxxx-Production-App-VXLAN Ext-Net-Profile-Production-App

b For the Development business group, configure the following settings.

Network Adapter Network Profile

vxw-dvs-xxxxx-Development-Web-VXLAN Ext-Net-Profile-Development-Web

vxw-dvs-xxxxx-Development-DB-VXLAN Ext-Net-Profile-Development-DB

vxw-dvs-xxxxx-Development-App-VXLAN Ext-Net-Profile-Development-App

8 To save the reservation, on the New reservation - vSphere (vCenter) page, click OK.
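How vRealize Automation narrows a request down to one of the reservations created in this section and the previous one follows the rule given under Create Reservation Policies in Region A: only enabled reservations of the blueprint's type, owned by the requesting business group, tagged with the blueprint's reservation policy and with enough capacity are considered. The model below is an added example, not VMware code: the reservation values come from Tables 7-7 and 7-8 and the Resources tab, the request sizes are constructed, and the tie-break on free memory among equal priorities is this example's assumption.

```python
"""Reservation selection for a blueprint request, as this chapter describes it.

Added example, not VMware code. It models the rule given under Create Reservation
Policies in Region A: a request can be placed only on an enabled reservation owned
by the requesting business group, of the blueprint's machine type, carrying the
blueprint's reservation policy (when one is set), and with enough unreserved
capacity. Among the candidates the lowest Priority number wins; the tie-break on
free memory is this example's assumption. Reservation values are those of Tables
7-7 and 7-8 and the Resources tab; the request sizes are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

VSPHERE = "vSphere (vCenter)"   # reservation type chosen under New > vSphere (vCenter)


@dataclass
class Reservation:
    name: str
    res_type: str
    business_group: str
    reservation_policy: Optional[str]
    priority: int                # lower number is preferred
    memory_gb: int               # Memory (GB) on the Resources tab
    storage_gb: int              # Reserved storage (GB) on the Resources tab
    enabled: bool = True         # Enable This Reservation
    memory_used_gb: int = 0
    storage_used_gb: int = 0

    def free_memory_gb(self) -> int:
        return self.memory_gb - self.memory_used_gb

    def free_storage_gb(self) -> int:
        return self.storage_gb - self.storage_used_gb


@dataclass(frozen=True)
class MachineRequest:
    business_group: str
    blueprint_type: str                 # machine component type in the blueprint
    reservation_policy: Optional[str]   # Reservation policy on the machine component, or None
    memory_gb: int
    storage_gb: int


def eligible_reservations(reservations: list[Reservation], req: MachineRequest) -> list[Reservation]:
    """Filter reservations in the order the chapter states the rules."""
    candidates = []
    for r in reservations:
        if not r.enabled or r.business_group != req.business_group:
            continue
        if r.res_type != req.blueprint_type:            # only matching types are considered
            continue
        if req.reservation_policy and r.reservation_policy != req.reservation_policy:
            continue                                    # blueprint policy restricts the subset
        if r.free_memory_gb() < req.memory_gb or r.free_storage_gb() < req.storage_gb:
            continue                                    # insufficient capacity
        candidates.append(r)
    return candidates


def select_reservation(reservations: list[Reservation], req: MachineRequest) -> Optional[Reservation]:
    candidates = eligible_reservations(reservations, req)
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r.priority, -r.free_memory_gb()))


def provision(reservations: list[Reservation], req: MachineRequest) -> Optional[str]:
    """Place the request, debit the chosen reservation, and return its name (None if nothing fits)."""
    chosen = select_reservation(reservations, req)
    if chosen is None:
        return None
    chosen.memory_used_gb += req.memory_gb
    chosen.storage_used_gb += req.storage_gb
    return chosen.name


def region_a_reservations() -> list[Reservation]:
    """The four reservations created for Region A, with the Resources tab values (200 GB / 2000 GB)."""
    return [
        Reservation("SFO01-Comp01-Prod-Res01", VSPHERE, "Production", "SFO-Production-Policy", 100, 200, 2000),
        Reservation("SFO01-Comp01-Dev-Res01", VSPHERE, "Development", "SFO-Development-Policy", 100, 200, 2000),
        Reservation("SFO01-Edge01-Prod-Res01", VSPHERE, "Production", "SFO-Edge-Policy", 100, 200, 2000),
        Reservation("SFO01-Edge01-Dev-Res01", VSPHERE, "Development", "SFO-Edge-Policy", 100, 200, 2000),
    ]


if __name__ == "__main__":
    pool = region_a_reservations()
    # Constructed: a Windows Server 2016 - SFO Prod machine at the blueprint maximum of 16384 MB.
    print(provision(pool, MachineRequest("Production", VSPHERE, "SFO-Production-Policy", 16, 100)))
    # Constructed: the same blueprint requested by Development finds no reservation with that policy.
    print(provision(pool, MachineRequest("Development", VSPHERE, "SFO-Production-Policy", 16, 100)))
```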

Create Virtual Machines Using VM Templates in the Content Library in Region A

vRealize Automation cannot directly access virtual machine templates in the content library. You must create a virtual machine using the virtual machine templates in the content library, then convert the template in vCenter Server. Perform this procedure on all vCenter Server compute clusters that you add to vRealize Automation, including the first vCenter Server compute instance.

Repeat this procedure for each of the VM templates in the content library.

VM Template Name | Guest OS
windows-server-2016 | Windows Server 2016
windows-server-2016-sql-server-2017 | Windows Server 2016 with SQL Server 2017
ubuntu-server-1804 | Ubuntu Server 18.04

Procedure

1 In a Web browser, log in to the Compute vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01w01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the VMs and templates inventory, expand the sfo01w01vc01.sfo01.rainpole.local tree.

3 Right-click the sfo01-w01dc data center and select New folder > New VM and template folder.


4 Enter VM Templates as the folder name and click OK.

5 In the Content libraries inventory, click sfo01-w01cl-vra01 and click the Templates tab.

6 Create the Windows Server 2016 virtual machine.

a Right-click the windows-server-2016 template and select New VM from this template.

The New virtual machine from content library wizard opens.

b On the Select a name and folder page, in the Virtual machine name text box, enter windows-server-2016.

To create a common service catalog that works across different vCenter Server instances within your data center, you use the VM template name as the virtual machine name.

c On the Select a name and folder page, expand the sfo01-w01dc data center, select the VM Templates folder, and click Next.

d On the Select a compute resource page, expand the sfo01-w01-comp01 cluster, select the sfo01-w01rp-user-vm resource pool, and click Next.

e On the Review details page, verify the template details and click Next.

f On the Select storage page, configure the following settings and click Next.

Setting Value

Select virtual disk format Thin provision

VM storage policy Datastore default

Datastore sfo01-w01-lib01

g On the Select networks page, select sfo01-w01-vds01-management for the Destination Network, and click Next.

vRealize Automation changes the network according to the blueprint configuration.

h On the Ready to complete page, review the virtual machine configuration and click Finish.

7 Repeat this procedure for all VM templates in the content library.

Convert Virtual Machines to VM Templates in Region A

You convert the virtual machines directly to templates instead of making a copy by cloning.

Repeat this procedure for each of the VM templates in the content library.

VM Template Name | Guest OS
windows-server-2016 | Windows Server 2016
windows-server-2016-sql-server-2017 | Windows Server 2016
ubuntu-server-1804 | Ubuntu Server 18.04


Procedure

1 In a Web browser, log in to the Compute vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01w01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the VMs and templates inventory, expand the sfo01w01vc01.sfo01.rainpole.local tree and expand the sfo01-w01dc data center.

3 Expand the VM templates folder, right-click the windows-server-2016 virtual machine, and select Template > Convert to template.

4 To confirm the template conversion, click Yes.

5 Repeat this procedure for the remaining VM templates in the content library.

Configure Single Machine Blueprints in Region A

Virtual machine blueprints regulate the attributes, policies, management settings, and provisioning manner of a virtual machine. You create a service catalog and add virtual machine blueprints, then configure entitlements to provide access to business groups to automatic virtual machine provisioning on the specified compute resources.

Procedure

1 Create a Service Catalog in Region A

A service catalog provides a common interface for consumers of IT services to request services, track their requests, and manage their provisioned service items.

2 Create a Single Machine Blueprint in Region A

Create blueprints for cloning the virtual machine templates that use the specified resources on the compute vCenter Server. Tenants can use these blueprints for automatic provisioning. A blueprint is the complete specification for a virtual, cloud, or physical machine.

3 Create Entitlements for Business Groups in Region A

You add a service, catalog item, or an action to an entitlement, to allow the users and groups identified in the entitlement to request provisionable items from the service catalog. The entitlement allows members of a specific business group (for example, the Production business group) to use the blueprint. Perform this procedure to create an entitlement for the Production business group.

4 Configure Entitlements for Blueprints in Region A

You entitle users to the actions and items that belong to the service catalog by associating each blueprint with an entitlement.


5 Test the Deployment of a Single Machine Blueprint in Region A

Test your environment to confirm the successful provisioning of virtual machines by using the newly created blueprints. If you use multiple availability zones, you must manually place all virtual machines provisioned by vRealize Automation in the VM group that is appropriate for the availability zone.

Create a Service Catalog in Region A

A service catalog provides a common interface for consumers of IT services to request services, track their requests, and manage their provisioned service items.

Procedure

1 In a Web browser, log in to vRealize Automation by using the Rainpole portal.

Setting Value

URL https://vra01svr01.rainpole.local/vcac/org/rainpole

User name vra-admin-rainpole

Password vra-admin-rainpole_password

Domain rainpole.local

2 On the main navigation bar, click the Administration tab.

3 In the left pane, navigate to Catalog Management > Services.

4 On the Services page, click New.

The New Service page appears.

5 Enter the following settings, and click OK.

Setting Value

Name SFO Service Catalog

Description Default setting (blank)

Status Active

Create a Single Machine Blueprint in Region A

Create blueprints for cloning the virtual machine templates that use the specified resources on the compute vCenter Server. Tenants can use these blueprints for automatic provisioning. A blueprint is the complete specification for a virtual, cloud, or physical machine.

Repeat this procedure to create the following blueprints.


Blueprint Name | VM Template | Customization Specification | Network Profile | Reservation Policy
Windows Server 2016 - SFO Prod | windows-server-2016 (sfo01w01vc01.sfo01.rainpole.local) | os-windows-joindomain-custom-spec | Ext-Net-Profile-Production-Web | SFO-Production-Policy
Windows Server 2016 with SQL Server 2017 - SFO Prod | windows-server-2016-sql-server-2017 (sfo01w01vc01.sfo01.rainpole.local) | os-windows-joindomain-custom-spec | Ext-Net-Profile-Production-DB | SFO-Production-Policy
Ubuntu Server 18.04 - SFO Prod | ubuntu-server-1804 (sfo01w01vc01.sfo01.rainpole.local) | os-linux-custom-spec | Ext-Net-Profile-Production-App | SFO-Production-Policy

Procedure

1 In a Web browser, log in to vRealize Automation by using the Rainpole portal.

Setting Value

URL https://vra01svr01.rainpole.local/vcac/org/rainpole

User name vra-admin-rainpole

Password vra-admin-rainpole_password

Domain rainpole.local

2 On the main navigation bar, click the Design tab.

3 In the left pane, click Blueprints.

4 On the Blueprints page, click New.

The New blueprint dialog box appears.

5 On the General tab, configure the following settings, and click OK.

Setting Value

Name Windows Server 2016 - SFO Prod

Deployment limit Default setting (blank)

Lease (days): Minimum 30

Lease (days): Maximum 270

Archive (days) 15

6 From the Categories pane, click Machine types, select the vSphere (vCenter) machine component, and drag it into the Design Canvas.


7 On the virtual machine specification section, click the General tab, configure the following settings, and click Save.

Setting Value

ID Default setting (vSphere_vCenter_Machine_1)

Description Default setting (blank)

Display location on request Deselected

Reservation policy SFO-Production-Policy

Machine prefix Use group default

Instances: Minimum Default setting

Instances: Maximum 1

8 Click the Build information tab, enter the following settings, and click Save.

Setting Value

Blueprint type Server

Action Clone

Provisioning workflow CloneWorkflow

Clone from windows-server-2016

Customization spec os-windows-joindomain-custom-spec

Note If the value of the Clone from setting does not list the windows-server-2016 template, you must perform a data collection on the sfo01-w01-comp01 compute resource.

Verify that the required customization specification is available in the vSphere Client under Menu > Policies and Profiles > VM Customization Specifications.

9 Click the Machine Resources tab, configure the following settings, and click Save.

Setting Minimum Maximum

CPUs 2 4

Memory (MB) 4096 16384

Storage (GB) Default setting Same value as Minimum

10 Configure the network for the virtual machine blueprint.

a From the Categories pane, click Network & security, select the Existing network component, and drag it into the Design Canvas.

b On the General tab of the existing network component, click the Browse icon, select the Ext-Net-Profile-Production-Web network profile, click OK in the Select network profile dialog box, and click Save.

c In the Design Canvas, select the vSphere_vCenter_Machine object.


d Click the Network tab, click New, configure the following settings, and click OK.

Setting Value

Network Ext-Net-Profile-Production-Web

Assignment type Static IP

Address Default setting (blank)

e To save the blueprint, click Finish.

11 On the Blueprints page, select the Windows Server 2016 - SFO Prod blueprint and click Publish.

12 Repeat this procedure to create the remaining blueprints.

To test blueprints in a development environment, or according to your business needs, create development blueprints using the same process as for production blueprints.

Create Entitlements for Business Groups in Region A

You add a service, catalog item, or an action to an entitlement, to allow the users and groups identified in the entitlement to request provisionable items from the service catalog. The entitlement allows members of a specific business group (for example, the Production business group) to use the blueprint. Perform this procedure to create an entitlement for the Production business group.

Procedure

1 In a Web browser, log in to vRealize Automation by using the Rainpole portal.

Setting Value

URL https://vra01svr01.rainpole.local/vcac/org/rainpole

User name vra-admin-rainpole

Password vra-admin-rainpole_password

Domain rainpole.local

2 On the main navigation bar, click the Administration tab.

3 In the left pane, navigate to Catalog management > Entitlements.

4 On the Entitlements page, click New.

The New entitlement page appears.

5 Click the General tab, configure the following settings, and click Next.

Setting Value

Name Prod-SingleVM-Entitlement

Description Default setting (blank)

Expiration Date Default setting (blank)

Status Active

Business Group Production


All Users and Groups Deselected

Users & Groups ug-vra-admins-rainpole

6 On the Items & approvals tab, add the actions that the users from the Production business group are entitled to.

a In the Entitled Actions section, click the Add actions icon, select the following actions, and click OK.

- Connect using RDP (Machine)
- Power Cycle (Machine)
- Power off (Machine)
- Power on (Machine)
- Reboot (Machine)
- Shutdown (Machine)

b Click Finish.

Configure Entitlements for Blueprints in Region A

You entitle users to the actions and items that belong to the service catalog by associating each blueprint with an entitlement.

Repeat this procedure to associate the following blueprints with their entitlement.

Blueprint Name | Service Catalog | Entitlement
Windows Server 2016 - SFO Prod | SFO Service Catalog | Prod-SingleVM-Entitlement
Windows Server 2016 with SQL Server 2017 - SFO Prod | SFO Service Catalog | Prod-SingleVM-Entitlement
Ubuntu Server 18.04 - SFO Prod | SFO Service Catalog | Prod-SingleVM-Entitlement

Procedure

1 In a Web browser, log in to vRealize Automation by using the Rainpole portal.

Setting Value

URL https://vra01svr01.rainpole.local/vcac/org/rainpole

User name vra-admin-rainpole

Password vra-admin-rainpole_password

Domain rainpole.local


2 Configure the service catalog for the blueprint.

a On the main navigation bar, click the Administration tab.

b In the left pane, navigate to Catalog management > Catalog items.

c On the Catalog items page, click the Windows Server 2016 - SFO Prod blueprint.

The Configure catalog item page opens.

d On the General tab, from the Service drop-down menu, select SFO Service Catalog, and click OK.

e Repeat this step to configure the service catalog for the remaining blueprints.

3 Associate the blueprint with an entitlement.

a In the left pane, under Catalog management click Entitlements.

b On the Entitlements page, click the Prod-SingleVM-Entitlement entitlement.

The Edit entitlement page opens.

c Click the Items & approvals tab.

d Under Entitled items, click the Add items icon, select the Windows Server 2016 - SFO Prod blueprint, and click OK.

e On the Edit entitlement page, click Finish.

f Repeat this step to associate the remaining blueprints with their entitlements.

Test the Deployment of a Single Machine Blueprint in Region A

Test your environment to confirm the successful provisioning of virtual machines by using the newly created blueprints. If you use multiple availability zones, you must manually place all virtual machines provisioned by vRealize Automation in the VM group that is appropriate for the availability zone.

Procedure

1 In a Web browser, log in to vRealize Automation by using the Rainpole portal.

Setting Value

URL https://vra01svr01.rainpole.local/vcac/org/rainpole

User name vra-admin-rainpole

Password vra-admin-rainpole_password

Domain rainpole.local

2 On the main navigation bar, click the Catalog tab.

3 On the Catalog page, click the Click here to apply filters icon.

4 In the left pane, select the SFO service catalog check box.

5 On one of the blueprint cards, click Request and click Submit.


6 Verify that the request finishes successfully.

a On the main navigation bar, click the Deployments tab.

b Click the deployment that you submitted, click the History tab and wait for the process to finish.

c Under Status, verify that the virtual machine is successfully provisioned.

7 In a Web browser, log in to the Compute vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01w01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

8 Verify that the virtual machine is provisioned in the shared edge and compute cluster.

a In the Hosts and Clusters inventory, expand the sfo01w01vc01.sfo01.rainpole.local tree and expand the sfo01-w01dc data center.

b Expand the sfo01-w01-comp01 cluster and select the sfo01-w01rp-user-vm resource pool.

c Verify that the provisioned virtual machine is present and operational.
