table of contents - vmware · modernizing your data center allows you to keep up with the new pace...

Table of ContentsLab Overview - HOL-1945-01-SLN - Modernizing Data Center for Maximum BusinessFlexibility .......................................................................................................................... 2

Lab Guidance .......................................................................................................... 3Module 1 - Introduction to Modernizing the Data Center (15 minutes) .............................9

Introduction........................................................................................................... 10Making the Case for Modernizing the Data Center................................................ 11Conclusion............................................................................................................. 13

Module 2 - Exploring the Components (60 minutes) ....................................................... 14Introduction........................................................................................................... 15Introducing vSphere 6.7........................................................................................ 16Compute & Storage Virtualization......................................................................... 22Network Virtualization........................................................................................... 50Conclusion............................................................................................................. 79

Module 3 - Flexibility for Any Future (15 minutes) .......................................................... 80Introduction........................................................................................................... 81Four Strategic Initiatives ....................................................................................... 82Conclusion............................................................................................................. 88

HOL-1945-01-SLN

HOL-1945-01-SLN

Lab Overview -HOL-1945-01-SLN -

Modernizing Data Centerfor Maximum Business

Flexibility

HOL-1945-01-SLN

HOL-1945-01-SLN

Lab GuidanceNote: It may take more than 90 minutes to complete this lab. You shouldexpect to only finish 2-3 of the modules during your time. The modules areindependent of each other so you can start at the beginning of any moduleand proceed from there. You can use the Table of Contents to access anymodule of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of theLab Manual.

Modernizing your Data Center allows you to keep up with the new pace of businessinnovation. The ability to leverage the VMware Software Defined Data Center (SDDC)and build a versatile hybrid cloud provides organizations the flexibility they need togrow and drive the transformation their business requires.

Lab Module List:

• (15 minutes) (Basic)

Today’s digital transformation is driving rapid and fundamental changes in businessesand their operating models. To support this, IT must similarly transform. VMware enablesIT organizations to deliver IT infrastructure and application services with the speed andagility to support business innovation and growth while optimizing total cost ofownership.


Briefly explore vSphere, vSAN, and NSX to gain an understanding of each component,and what their roles in the VMware SDDC are.


Customers that evolve their operations into a modernized data center are building aforward-thinking and flexible strategy that is based upon key virtualization andautomation technologies that deliver the flexibility to leverage any type of cloud,application, or infrastructure future.

Lab Captains:

• Module 1 - Michael R. Federman, Senior Technical Account Manager, USA• Module 2 - Michael R. Federman, Senior Technical Account Manager, USA• Module 3 - Michael R. Federman, Senior Technical Account Manager,

USA

This lab manual can be downloaded from the Hands-on Labs Document site found here:

HOL-1945-01-SLN

HOL-1945-01-SLN

http://docs.hol.vmware.com

This lab may be available in other languages. To set your language preference and havea localized manual deployed with your lab, you may utilize this document to help guideyou through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf

Location of the Main Console

1. The area in the RED box contains the Main Console. The Lab Manual is on the tabto the Right of the Main Console.

2. A particular lab may have additional consoles found on separate tabs in the upperleft. You will be directed to open another specific console if needed.

3. Your lab starts with 90 minutes on the timer. The lab can not be saved. All yourwork must be done during the lab session. But you can click the EXTEND toincrease your time. If you are at a VMware event, you can extend your lab timetwice, for up to 30 minutes. Each click gives you an additional 15 minutes.Outside of VMware events, you can extend your lab time up to 9 hours and 30

minutes. Each click gives you an additional hour.

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing itin, there are two very helpful methods of entering data which make it easier to entercomplex data.

HOL-1945-01-SLN

HOL-1945-01-SLN

http://docs.hol.vmware.com

http://docs.hol.vmware.com/announcements/nee-default-language.pdf

Click and Drag Lab Manual Content Into Console ActiveWindow

You can also click and drag text and Command Line Interface (CLI) commands directlyfrom the Lab Manual into the active window in the Main Console.

Accessing the Online International Keyboard

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

<div class="player-unavailable"><h1 class="message">An error occurred.</h1><div class="submessage"><ahref="http://www.youtube.com/watch?v=xS07n6GzGuo" target="_blank">Try watching this video on www.youtube.com</a>, or enableJavaScript if it is disabled in your browser.</div></div>

HOL-1945-01-SLN

HOL-1945-01-SLN

Click once in active console window

In this example, you will use the Online Keyboard to enter the "@" sign used in emailaddresses. The "@" sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.2. Click on the Shift key.

Click on the @ key

1. Click on the "@ key".

Notice the @ sign entered in the active console window.

HOL-1945-01-SLN

HOL-1945-01-SLN

Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicatingthat Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved andrun on any platform. The Hands-on Labs utilizes this benefit and we are able to run thelabs out of multiple datacenters. However, these datacenters may not have identicalprocessors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoftlicensing requirements. The lab that you are using is a self-contained pod and does nothave full access to the Internet, which is required for Windows to verify the activation.Without full access to the Internet, this automated process fails and you see this

watermark.

This cosmetic issue has no effect on your lab.

Look at the lower right portion of the screen

HOL-1945-01-SLN

HOL-1945-01-SLN

Please check to see that your lab is finished all the startup routines and is ready for youto start. If you see anything other than "Ready", please wait a few minutes. If after 5minutes your lab has not changed to "Ready", please ask for assistance.

HOL-1945-01-SLN

HOL-1945-01-SLN

Module 1 - Introduction toModernizing the DataCenter (15 minutes)

HOL-1945-01-SLN

HOL-1945-01-SLN

IntroductionThis module is read-only, and contains the following lessons:

• - Learn what it means to modernize your infrastructure• - Conclusion of this Module

HOL-1945-01-SLN

HOL-1945-01-SLN

Making the Case for Modernizing theData CenterLearn what it means to modernize the data center

A modern data center virtualizes computer, storage and networking resources to form aSoftware Defined Datacenter (SDDC). This lab introduces vSphere 6.5 (compute) vSAN(storage) and NSX (network).

Digital Evolution in the Multi-Cloud Era

Virtualization technology changed the game for compute. However, that led to amismatch between the highly-efficient compute layer versus shared storage andnetworking services. As a result, many organizations face high storage costs, complexmanagement, and limited flexibility.

Three trends are placing more pressure on IT infrastructure and operations:

• First, the digital economy is demanding more from IT than ever before. Businessinitiatives have multiple associated IT projects. Thanks to the simplicity ofdeploying new apps on our smartphones, clients expect near instantaneousresponses from IT.

• Second, IT budget constraints no longer allow massive spending for hardware.• Third, the fast pace of technology innovation requires investment and adaptation

to stay efficient. There are many options today for flash storage, compute, andcloud. How do companies minimizing the risk that their investment could beoutdated in a short time?

HOL-1945-01-SLN

HOL-1945-01-SLN

The data center of yesterday cannot keep up; it has to evolve.

What is Modernize the Data Center and the VMwareapproach?

Click on the ~13-minute video below to learn how VMware can help modernize yourdata center by leveraging some of the same principles that made compute virtualizationso successful.

<div class="player-unavailable"><h1 class="message">An error occurred.</h1><div class="submessage"><ahref="http://www.youtube.com/watch?v=ov3CX1CA4Ws" target="_blank">Try watching this video on www.youtube.com</a>, or enableJavaScript if it is disabled in your browser.</div></div>

HOL-1945-01-SLN

HOL-1945-01-SLN

ConclusionThank you for completing Module 1. You can find more details about how toleverage the software defined data center to modernize the data center in oureBook (http://bit.ly/2tzpHh1).

You've finished Module 1

Congratulations on completing Module 1.

Additional information can be found here:

• VMware Modernize the Data Center (http://bit.ly/2JozsqV)• A Tour of the Modern Data Center (http://bit.ly/2JjyGLQ)

You may also be interested in one of these labs:

• HOL-1944-01ISM: Modernize Infrastructure - VMware Cloud Foundation• HOL-1944-02-ISM: VMware Cloud Foundation - Hybrid Cloud• HOL-1946-01-SLN: Modernize Infrastructure - VMware Cloud Foundation

There are 2 more modules in this lab:

• (60 minutes) (Basic)• (15 minutes) (Basic)

How to End Lab

If you prefer to end your lab now, you can click on the END button; otherwise continueto the next module.

HOL-1945-01-SLN

HOL-1945-01-SLN

http://bit.ly/2tzpHh1

http://bit.ly/2JozsqV

http://bit.ly/2JjyGLQ

Module 2 - Exploring theComponents (60 minutes)

HOL-1945-01-SLN

HOL-1945-01-SLN

IntroductionThis module contains the following lessons:

• - Compute Virtualization - In this section, you learn about some of the newfeatures in vSphere 6.7.

• - In this section, you will explore both vSphere & vSAN.• - In this section, you will explore NSX, leveraging micro-segmentation to prevent

VMs from talking.• - Conclusion of this Module.

HOL-1945-01-SLN

HOL-1945-01-SLN

Introducing vSphere 6.7Here is an introduction to some of the features in vSphere 6.7.

vSphere 6.7

vSphere 6.7 is the efficient and secure platform for hybrid clouds, fueling digitaltransformation by delivering simple and efficient management at scale, comprehensivebuilt-in security, a universal application platform, and seamless hybrid cloud experience.

vSphere 6.7 delivers key capabilities to enable IT organizations to address trends thatare putting new demands on their IT infrastructure:

• Explosive growth in quantity and variety of applications, from business criticalapps to new intelligent workloads.

• Rapid growth of hybrid cloud environments and use cases.• On-premises data centers growing and expanding globally, including at the Edge.• Security of infrastructure and applications attaining paramount importance.

Key Capabilities in vSphere 6.7

HOL-1945-01-SLN

HOL-1945-01-SLN

Simple and Efficient Management, at Scale

vSphere 6.7 provides exceptional management simplicity, operational efficiency, andfaster time to market, all at scale.

vSphere 6.7 delivers an exceptional experience for the user with an enhanced vCenterServer Appliance (vCSA). It introduces several new APIs that improve the efficiencyand experience to deploy vCenter, to deploy multiple vCenters based on a template, tomake management of vCenter Server Appliance significantly easier, as well as forbackup and restore. It also significantly simplifies the vCenter Server topology throughvCenter with embedded platform services controller in enhanced linked mode,enabling customers to link multiple vCenters and have seamless visibility across theenvironment without the need for an external platform services controller or loadbalancers.

HOL-1945-01-SLN

HOL-1945-01-SLN

vSphere 6.7 improves efficiency at scale when updating ESXi hosts, significantlyreducing maintenance time by eliminating one of two reboots normally required formajor version upgrades (Single Reboot). In addition to that, vSphere Quick Boot is anew innovation that restarts the ESXi hypervisor without rebooting the physical host,skipping time-consuming hardware initialization.

Another key component that allows vSphere 6.7 to deliver a simplified and efficientexperience is the graphical user interface itself. The HTML5-based vSphere Clientprovides a modern user interface experience that is both responsive and easy to use.With vSphere 6.7, it includes added functionality to support not only the typicalworkflows customers need but also other key functionality like managing NSX, vSAN,and third-party components.

HOL-1945-01-SLN

HOL-1945-01-SLN

Comprehensive Built-In Security

vSphere 6.7 builds on the security capabilities in vSphere 6.5 and leverages its uniqueposition as the hypervisor to offer comprehensive security that starts at the core, via anoperationally simple policy-driven model.

vSphere 6.7 adds support for Trusted Platform Module (TPM) 2.0 hardware devicesand also introduces Virtual TPM 2.0, significantly enhancing protection and assuringintegrity for both the hypervisor and the guest operating system. This capability helpsprevent VMs and hosts from being tampered with, prevents the loading of unauthorizedcomponents and enables guest operating system security features security teams areasking for.

Seamless Hybrid Cloud Experience

With the fast adoption of vSphere-based public clouds through VMware Cloud ProviderProgram partners, VMware Cloud on AWS, as well as other public cloud providers,VMware is committed to delivering a seamless hybrid cloud experience for customers.

HOL-1945-01-SLN

HOL-1945-01-SLN

vSphere 6.7 introduces vCenter Server Hybrid Linked Mode, which makes it easyand simple for customers to have unified visibility and manageability across an on-premises vSphere environment running on one version and a vSphere-based publiccloud environment, such as VMware Cloud on AWS, running on a different version ofvSphere. This ensures that the fast pace of innovation and introduction of newcapabilities in vSphere-based public clouds does not force the customer to constantlyupdate and upgrade their on-premises vSphere environment.

vSphere 6.7 also introduces Cross-Cloud Cold and Hot Migration, further enhancingthe ease of management across and enabling a seamless and non-disruptive hybridcloud experience for customers.

Learn More

As the ideal, efficient, secure universal platform for hybrid cloud, supporting new andexisting applications, serving the needs of IT and the business, vSphere 6.7 reinforcesyour investment in VMware. vSphere 6.7 is one of the core components of VMwaresSDDC and a fundamental building block of your cloud strategy. With vSphere 6.7, youcan now run, manage, connect, and secure your applications in a common operatingenvironment, across your hybrid cloud.

This article only touched upon the key highlights of this release, but there are manymore new features. To learn more about vSphere 6.7, please see the followingresources.

• vSphere 6.7 New Features Deep Dive Blog Posts• vSphere 6.7 Product Page

HOL-1945-01-SLN

HOL-1945-01-SLN

http://vmw.re/vsphere67launch

https://www.vmware.com/products/vsphere.html

• Press Release

HOL-1945-01-SLN

HOL-1945-01-SLN

http://www.vmware.com/go/vSphere-vSAN-April-17

Compute & Storage VirtualizationIn this section, you will explore vSphere 6.5 and vSAN.

vSphere Web Client

vSphere 6.5 has two web clients natively built in, the Flash/Flex Client and the HTML5Client. In this lab, we will solely be using the Flash/Flex client, as not all functionality issupported in the HTML5 Client yet. If at any time you wish to try the HTML5 client in thislab, there is a link in the bookmark bar titled "HTML5 Client".

Open Google Chrome

Login to vSphere

First select "Use Windows session authentication", and then select "Login".

You may also login by entering "[email protected]" as the username, and"VMware1!" as the password.

Explore vSphere

HOL-1945-01-SLN

HOL-1945-01-SLN

vSphere Home Screen

Select the home icon and the select "Home"

HOL-1945-01-SLN

HOL-1945-01-SLN

vSphere Client Home Tab

From this page, we are able to see all the different components currently configuredwith vCenter, as well as the other products working in conjunction with vCenter, plusany plugins that are installed (or ready to be installed).

Encrypted vMotion

Starting with vSphere 6.5, vSphere vMotion always uses encryption when migratingencrypted virtual machines. For virtual machines that are not encrypted, you can selectone of the encrypted vSphere vMotion options.

1. Disabled◦ Do not use Encrypted vMotion, even if available

2. Opportunistic◦ Use Encrypted vMotion if source and destination hosts support it, fall back

to unencrypted vMotion otherwise. This is the default option.

3. Required◦ Allow only Encrypted vMotion. If the source or destination host does not

support vMotion Encryption, do not allow the vMotion to occur.

HOL-1945-01-SLN

HOL-1945-01-SLN

Hosts and Clusters Page

As mentioned above, Opportunistic is the default setting. To change (or check) thissetting on an existing VM, let's go back to the "Hosts and Clusters" section

1. Select the Home icon at the top of the page2. Select "Hosts and Clusters" from the menu

HOL-1945-01-SLN

HOL-1945-01-SLN

Editing VM Encryption Settings

From the "Hosts and Clusters" page

1. Right click on "app-01a" from the left column2. Select "Edit Settings..."

HOL-1945-01-SLN

HOL-1945-01-SLN

Viewing VM Encryption Settings

Next

1. Select the "VM Options" tab2. Expand the "Encryption" section3. In the "Encrypted vMotion" sub-section, you can validate the setting. Here we

have the default configured4. Click Cancel to leave the default enabled

HOL-1945-01-SLN

HOL-1945-01-SLN

Exploring vSAN

Expand the Datacenter and Clusters by selecting

1. RegionA012. RegionA01-COMP013. RegionA01-MGMT014. RegionA01-VSAN

Reviewing vSAN Settings

Now that you have expanded out the 3 clusters, you can see that currently only theRegionA01-COMP01 and RegionA01-MGMT01 clusters have VMs in them. TheRegionA01-VSAN cluster has vSAN Enabled on it already, but let's review the settings.

HOL-1945-01-SLN

HOL-1945-01-SLN

Free Up Space

To give yourself more room, click the pin icon on the left-hand side of the screen

Validating vSAN is ON

1. Select the "RegionA01-VSAN" cluster2. Select the "Configure" tab

HOL-1945-01-SLN

HOL-1945-01-SLN

3. Select the "General" tab under the "vSAN" heading

On the top of the page, you can see that "vSAN is Turned ON"

Review the Disks

Select "Disk Management" under "vSAN" and you can review the Disk groupconfigured for the vsanDatastore.

You can see that there is a 5GB Flash Disk configured for the Cache Tier, and a 20GBDisk configured for the Capacity Tier.

HOL-1945-01-SLN

HOL-1945-01-SLN

Browsing Datastores

Select the Home icon and then select "Storage"

Expand the Datastores

1. On the left side of the screen, expand out "RegionA01" by selecting the blackarrow

2. Select the "Datastores" tab on right side of the screen

Here you can see that we have 3 datastores configured, 2 of which show type "VMFS 6"and one that is labeled with type "vsan"

HOL-1945-01-SLN

HOL-1945-01-SLN

Select the Datastore

1. Select the "vsanDatastore" on the left2. Click "Files" on the right

From here, you will see that nothing currently resides on this datastore.

Browse Files

1. Select "RegionA01-ISCSI01-COMP01"2. Right-click and select "Browse Files"

HOL-1945-01-SLN

HOL-1945-01-SLN

Reviewing the Contents

On this datastore, you can see that we have our 3 VMs (app-01a, db-01a and web-01a),along with some system generated folders (.dvsData and .sdd.sf).

Migrating a VM to the vsanDatastore


HOL-1945-01-SLN

HOL-1945-01-SLN

Expand the Navigator

1. On the left-hand side of the screen, click on Navigator2. Once expanded, click the pin icon in the top right, to make this window stay open

Select Migrate

1. Right click on "web-01a"2. Select "Migrate..."

HOL-1945-01-SLN

HOL-1945-01-SLN

Change the Resources

1. Select "Change both compute resource and storage"2. Click Next

HOL-1945-01-SLN

HOL-1945-01-SLN

Select the Compute Resource

1. Expand "RegionA01"2. Select "RegionA01-VSAN"3. Clicl Next

HOL-1945-01-SLN

HOL-1945-01-SLN


1. Change the "VM Storage Policy" to "Datastore Default"2. Select vsanDatastore3. Click Next

Note: At the bottom of this window, you should see a message with either the "i" icon,or a green check mark. If you see a red warning icon, validate that you changed the"VM Storage Policy" as instructed.

HOL-1945-01-SLN

HOL-1945-01-SLN

Keep the Default Value

Click Next

HOL-1945-01-SLN

HOL-1945-01-SLN

Verify the Changes

Review the settings, and click Finish

Monitor the vMotion

Watch the Recent Tasks tab to see the progress of the migration.

HOL-1945-01-SLN

HOL-1945-01-SLN

Validating the Migration

Once you see all the tasks as completed, take a look at RegionA01-VSAN, and you willsee that you have successfully changed the compute resources it utilizes.

HOL-1945-01-SLN

HOL-1945-01-SLN

Select Storage

Select the Home icon and then select "Storage"

Select the vsanDatastore

1. Select "vsanDatastore" and you will now see 2 objects.

When you migrate a VM onto a vSAN Datastore, it is given a hexadecimal name, and alink is created with the VM Name. If you click on either of those folders, you will seethey both contain the same files.

HOL-1945-01-SLN

HOL-1945-01-SLN

Migrate the VM Back


Select Migrate

1. Right click on "web-01a"

HOL-1945-01-SLN

HOL-1945-01-SLN

2. Select "Migrate..."

Change the Resources

1. Select "Change both compute resource and storage"2. Click Next

HOL-1945-01-SLN

HOL-1945-01-SLN

Select the Compute Resource

1. Expand "RegionA01"2. Expand "RegionaA01-COMP01"3. Select "esx-01a.corp.local"4. Click Next

Due to the way the 3-tier application is configured, the VM's cannot be placed onto thesame host, meaning each VM must be on a separate host. VM web-01a was onesx-01a before we migrated it to the vsanDatastore, so we will select that host again.

HOL-1945-01-SLN

HOL-1945-01-SLN


1. Change the "VM Storage Policy" to "Datastore Default".2. Select "RegionA01-ISCSI01-COMP01"3. Click Next

Note: If you fail to change the "VM Storage Policy" this time, you will get a yellowwarning that will prevent you from successfully changing the datastore the VM is on.

HOL-1945-01-SLN

HOL-1945-01-SLN

Keep the Default Value

Click Next

HOL-1945-01-SLN

HOL-1945-01-SLN

Verify the Changes

Review the settings, and click Finish

Monitor the vMotion

You can monitor the progress of the migration in the "Recent Tasks" tab.

HOL-1945-01-SLN

HOL-1945-01-SLN

Network VirtualizationIn this section, we will walk you through the process of deploying NSX distributedfirewall to protect a three tier application using an NSX Distributed Firewall (DFW).

As discussed before, traditional hardware-defined solutions rely on placing rigid securityconstructs primarily on the data center perimeter, leaving the inside of the data centerunguarded. By contrast, NSX enables a fundamentally-more secure data center byintegrating virtualized security and distributed firewalling directly into the infrastructure.

This functionality is called NSX Distributed Firewall (DFW). DFW is a hypervisorkernel-embedded firewall that provides visibility and control for virtualized workloadsand networks. You can create access control policies based on VMware vCenter objectslike datacenters, clusters, and virtual machine names; network constructs like IP orIPSets, VLAN (DVS port-groups), VXLAN (logical switches), security groups, as well asuser group identity from Active Directory. Firewall rules are enforced at the vNIC level ofeach virtual machine to provide consistent access control even when the virtualmachine gets vMotioned. The hypervisor-embedded nature of the firewall delivers closeto line rate throughput to enable higher workload consolidation on physical servers. Thedistributed nature of the firewall provides a scale-out architecture that automaticallyextends firewall capacity when additional hosts are added to a datacenter.

Micro-segmentation is powered by the Distributed Firewall (DFW) component of NSX.DFW operates at the ESXi hypervisor kernel layer and processes packets at near line-rate speed. Each VM has its own firewall rules and context. Workload mobility (vMotion)is fully supported with DFW, and active connections remain intact during the move. Thisadvanced security capability makes the data center network more secure by isolatingeach related group of virtual machines onto a distinct logical network segment, allowingthe administrator to firewall traffic traveling from one segment of the data center toanother (east-west traffic). This limits attackers’ ability to move laterally in the datacenter.

HOL-1945-01-SLN

HOL-1945-01-SLN

Protecting our 3-Tier Web Application

Next, we will leverage our simple 3-tier web app to demonstrate how to leverage NSXDFW to control communication between the different virtual machines. All three virtualmachines are running in the same "production" VLAN" and while the diagram abovedescribes the desired outcome, as of now, all 3 VMs are able to communicate with eachother.

Testing our 3-Tier App via Web Browser

1. Right click on the "3-Tier App" bookmark2. Select "Open in new tab"

HOL-1945-01-SLN

HOL-1945-01-SLN

Searching the Database

1. Enter "virtucon" in the text box2. Click Apply3. You will see a single entry

Test 3-Tier VM to VM Connectivity using PuTTY

Select PuTTY from the Windows Taskbar

HOL-1945-01-SLN

HOL-1945-01-SLN

Connecting to 3web-01a

1. Select 3web-01a2. Click Load3. Click Open

HOL-1945-01-SLN

HOL-1945-01-SLN

Logging In

If prompted for a username, enter "root" and click enter to login

Verifying Connectivity

To check connectivity between VMs, we will ping both the app-01a and db-01a VMs fromweb-01a.

ping -c 2 app-01aping -c 2 db-01a

HOL-1945-01-SLN

HOL-1945-01-SLN

Reviewing the Results

As you can see, web-01a can talk to both app-01a and db-01a, since we have not yetconfigured the NSX Distributed Firewall.

(Note: You might see DUP! at the end of a Ping line. This is due to the nature of thevirtual lab environment using nested virtualization and promiscuous mode on the virtualrouters. You will not see this in production.)

Don't close the window yet. For now, minimize it for later use.

Change the Default Firewall Policy from Allow to Block

1. Select the Home Icon2. Select "Networking & Security"

HOL-1945-01-SLN

HOL-1945-01-SLN

Navigating the vSphere Client

1. Select "Firewall" on the left-hand side2. If the section is not already expanded, click the black arrow to expand the 1003 -

Default Section Layer3 (Rule 1 - 3) rule.

Examine the Default Rules

Notice the Rules have green check marks. This means a rule is enabled. Rules arebuilt in the typical fashion with source, destination, and service fields. Services are acombination of protocols and ports.

The last Default Rule is a basic any-to-any-allow.

HOL-1945-01-SLN

HOL-1945-01-SLN

Modify the Default Rule

Hover over the Action column for the "Default Rule" and click the pencil icon.

Modify the Action

1. Change the Action dropdown to "Block"2. Click Save

HOL-1945-01-SLN

HOL-1945-01-SLN

Publish your changes

You will notice a green bar appears announcing that you now need to choose either toPublish Changes, Revert Changes or Save Changes. Publish pushes to the DFW. Revertcancels your edits. Save Changes allows you to save and publish later.

• Select Publish Change to save your block rule.

Verify the Rule Change Blocks Communication

HOL-1945-01-SLN

HOL-1945-01-SLN

PuTTY Session

To test the block rule using your previous Putty and browser sessions

• Putty: In a few moments opening Putty will show it is no longer active due to thedefault rule now blocks everything including SSH. Click OK and close PuTTY.

HOL-1945-01-SLN

HOL-1945-01-SLN

Web Browser

1. Select the Webapp tab in Chrome2. Click Refresh

Due to the new NSX Firewall rule, the Deny All action is working as expected, and wecannot access the application anymore.

Create 3-Tier Access Rules using NSX DFW

HOL-1945-01-SLN

HOL-1945-01-SLN

Create New Section

1. Select the vSphere Web client tab2. Click the "Add Section" button

HOL-1945-01-SLN

HOL-1945-01-SLN

Configuring the New Section

1. Enter "3-Tier App" in the name field2. Keep the default "Add above" selection3. Click Save

Note: This will cause the green bar with the option to publish or revert changes.

DO NOT Publish yet, as you have more changes to make.

Add First Rule to New Section

HOL-1945-01-SLN

HOL-1945-01-SLN

1. On the row for the new "3-Tier App" section click on the Add rule icon which is agreen plus-sign.

Edit the Rule

1. Click the Drop down arrow to open the rule2. Hover to the upper right corner of the "Name" field until a pencil icon appears,

then click on the pencil

Provide a Name

1. Enter "External to Web" for the name2. Click Save

Set First Rule Source and Destination

1. We will leave the Source set to "any"2. Hover the mouse pointer in the Destination field and select the Destination

pencil sign.

HOL-1945-01-SLN

HOL-1945-01-SLN

Specify the Destination

1. Pull down the Object Type and scroll down until you find Virtual Machine2. Click on web-01a3. Click on the top arrow to move the object to the right4. Click OK

Set the Rule service

1. Hover in the Service field and click on the pencil sign.

HOL-1945-01-SLN

HOL-1945-01-SLN

Specify the Service

In the search field you can search for service pattern matches.

1. Ensure that the Object Type is set to "Service"2. Enter "https" and press enter to see all services associated with the name

https3. Select the simple HTTPS service4. Click on the right arrow5. Enter "ssh" and press enter to see all services associated with the name ssh6. Select the simple SSH service7. Click on the right arrow8. Verify you see both HTTPS and SSH in the "Selected Objects" section9. Click OK

HOL-1945-01-SLN

HOL-1945-01-SLN

Add Second Rule to New Section

1. Start by opening the pencil sign next to the rule 1 you just created2. You want this rule to be processed below the previous rule so choose Add

Below from the drop down box

Edit Rule



Enter Name

1. Enter "Web to App" for the name2. Click Save

HOL-1945-01-SLN

HOL-1945-01-SLN

Set Second Rule Source and Destination

1. Hover the mouse pointer in the Source field and select the Source pencil sign.

Specify the Source

1. Change the Object Type to Virtual Machine2. Select web-01a3. Click the Right Arrow4. Click OK

HOL-1945-01-SLN

HOL-1945-01-SLN

Edit the Rule

1. Hover the mouse pointer in the Destination field and select the Destinationpencil sign.


1. Change the Object Type to Virtual Machine2. Select app-01a3. Click the Right Arrow4. Click OK

HOL-1945-01-SLN

HOL-1945-01-SLN

Create the Second Rule Service

1. Hover over the Service Field and click the pencil to edit.

Configure the Service

The 3-tier application uses tcp port 8443 between the web and app tiers. You will createa new Service called 3TierApp to be the allowed service.

1. Click on New Service2. Enter 3TierApp for the new service name3. Select TCP for the Protocol4. Enter 8443 for the Port number5. Click OK and OK again in the main Specify Service page

HOL-1945-01-SLN

HOL-1945-01-SLN

Specify the Service

Click OK

Add Third Rule to New Section

1. Start by opening the pencil sign next to the rule 2 you just created2. You want this rule to be processed below the previous rule so choose Add

Below from the drop down box

HOL-1945-01-SLN

HOL-1945-01-SLN

Edit Rule



Enter Name

1. Enter "App to DB" for the name2. Click Save

Create the Third Rule Source and Destination

1. Hover the mouse pointer in the Source field and select the Source pencil sign.

HOL-1945-01-SLN

HOL-1945-01-SLN

Specify the Source

1. Change the Object Type to Virtual Machine2. Select app-01a3. Click the Right Arrow4. Click OK

Edit the Rule

1. Hover the mouse pointer in the Destination field and select the Destinationpencil sign.

HOL-1945-01-SLN

HOL-1945-01-SLN


1. Change the Object Type to Virtual Machine2. Select db-01a3. Click the Right Arrow4. Click OK

Create Third Rule Service

1. Hover in the Service field and click on the pencil sign.

HOL-1945-01-SLN

HOL-1945-01-SLN

Specify the Service

In the search field you can search for service pattern matches.

1. Ensure that the Object Type is set to "Service"2. Enter "http" and press enter to see all services associated with the name http3. Select the simple HTTP service4. Click on the right arrow5. Verify you see HTTP in the "Selected Objects" section6. Click OK

HOL-1945-01-SLN

HOL-1945-01-SLN

Publish Your Rule Changes

Click Publish Changes

Verify New Rule Allows 3-Tier App Communication

Testing our 3-Tier App via Web Browser

1. In Chrome, click the Customer Database tab

HOL-1945-01-SLN

HOL-1945-01-SLN

2. Click Refresh

As you can see now, connectivity is back, and we are able to use the 3-Tier app. Thismeans that that web-01a is able to communicate with app-01a, and app-01a is ableto communicate with db-01a.

Test 3-Tier VM to VM Connectivity using PuTTY

Select PuTTY from the Windows Taskbar

Connecting to 3web-01a

HOL-1945-01-SLN

HOL-1945-01-SLN

1. Select 3web-01a2. Click Load3. Click Open

Logging In

If prompted for a username, enter "root" and click enter to login

Verifying Connectivity

To check connectivity between VMs, we will ping both the app-01a and db-01a VMs fromweb-01a.

HOL-1945-01-SLN

HOL-1945-01-SLN

ping -c 2 app-01aping -c 2 db-01a

Reviewing the Results

As you can see now, we are unable to ping either app-01a or db-01a, as the firewallrules we put in place do not allow for ping traffic.

Logout

Now go to the top right of the screen, select the "[email protected]" drop-down and select Logout.

Close Your Browser

Click the 'X' to close Chrome.

HOL-1945-01-SLN

HOL-1945-01-SLN

ConclusionIn this module you learned about vSphere 6.7 and explored vSphere 6.5, vSANand NSX.



You may also be interested in these labs:

• HOL-1903-01-NET: Getting Started with VMware NSX-v• HOL-1903-02-NEW: VMware NSX-v Security - Distributed Firewall and Micro-

Segmentation• HOL-1908-01-HCI: - vSAN 6.7 - Getting Started

There are 2 other modules in this lab:

• Module 1 - Introduction to Modernizing the Data Center (15 minutes)(Basic)

• Module 3 - Flexibility for Any Future (15 minutes) (Basic)

How to End Lab

If you prefer to end your lab now, you can click on the END button; otherwise continueto the next module.

HOL-1945-01-SLN

HOL-1945-01-SLN

Module 3 - Flexibility forAny Future (15 minutes)

HOL-1945-01-SLN

HOL-1945-01-SLN

IntroductionThis module is read-only, and contains the following lessons:

• - Understand the 4 key initiatives needed to achieve a modernized data center.• - Conclusion of this Module.

HOL-1945-01-SLN

HOL-1945-01-SLN

Four Strategic InitiativesCustomers that evolve their operations into a modernized data center are building aforward-thinking and flexible strategy that is based upon key virtualization andautomation technologies that deliver the flexibility to leverage any type of cloud,application, or infrastructure future.

VMware Initiatives for Customer Priorities

To achieve a Modernized Data Center, there are four key initiatives. They are:

1. Software Defined Private Cloud2. Hybrid Cloud3. Agility by Automation4. Next Generation Applications

In this module, we will review these four initiatives.

Initiative One: Software Defined Private Cloud

Embrace a hyper-converged data center strategy that includes virtual machines,virtual networks, and virtual storage with a common management platform. This hyper-

HOL-1945-01-SLN

HOL-1945-01-SLN

converged infrastructure strategy extends virtualization across the entire infrastructure(compute, storage and networking) via common hardware that is managed with existingtools and skillsets. This allows customers to speed deployments and unify and easeoperations, monitoring, and IT management, and at the same time improve their abilityto scale.

The key software-defined components of this hyper-converged strategy include:

• Compute virtualization, which uses software to simulate the existence ofhardware and create a virtual computer system that can run more than onevirtual system and multiple operating systems and applications on a single serverto reduce costs through server consolidation, increase workload availability andperformance, and minimize or eliminate downtime.

• Storage virtualization, that pools together server-attached flash devices and/orhard disks to provide a highly resilient shared datastore suitable for a variety ofworkloads to improve storage utilization, easily scale without disruption, anddramatically lower TCO.

• Network virtualization, which reproduces the physical network in software,embedded in the hypervisor layer and abstracted from the underlying physicalhardware. This enables IT to reduce provisioning time from days to seconds,improve operational efficiency with automation, and enable a more secure hybridcloud architecture with policies attached to each workload that ensure they meetsecurity criteria wherever they are.

• Cloud management platform to provide a common approach for building andrunning an enterprise grade hybrid cloud, ensuring agility, efficiency and controlacross both traditional and cloud native, container-based applications.

Initiative Two: Hybrid Cloud

HOL-1945-01-SLN

HOL-1945-01-SLN

Enable the ability to seamlessly extend and scalesoftware-defined data centers to the public cloud

Customers benefit from the ability to deliver dynamic capacity, consolidate or migrateon-premises infrastructure, or develop and test new applications. This flexibility helpsorganizations gain the freedom to choose the best platform, landing spot, or destinationfor their applications, whether they reside on or off premises.

A common approach to both private and public clouds is imperative for a successfulhybrid cloud strategy, specifically one that is consistent and simple to operate,compatible across on and off-premises environments and is ready to deploy VMs,containers and any next-generation application needs.

VMware’s own customers have reinforced the business need for this flexible hybridcloud capability to enable their own digital transformation:

• 92% of VMware enterprise customers say consistency of architecture betweenprivate and public clouds is important

• Many companies say digital transformation is driving many of their IT changes;however, many of transformation plans remain unclear. Some 60% of enterprisesreported that they had no formal transformation strategy in place, and many saidthey face challenges achieving strong IT-business alignment. (451 Research“Voice of the Enterprise”, 2018)

• By the end of 2018, more than half of global enterprises will rely on at least onepublic cloud platform for digital transformation. (Forrester “Predictions 2018:Cloud Computing Accelerates Enterprise Transformation Everywhere” Report,2018)

• 80 % of customers plan to have more than 10 percent of their workloads inpublic-cloud platforms in three years or plan to double their cloud penetration.(McKinsey “Global Cybersecurity Research” Report, 2017)

VMware’s vision for hybrid cloud comes down to three main areas of focus:

1. Make the cloud easy by making it simple to deploy and manage (via lifecyclemanagement capabilities), while providing quick time to value along with anintegrated and easily consumable set of SaaS services to discover resources,track costs and provide full visibility across the entire infrastructure

2. Simplify developer consumption with a single control plane across clouds thatprovides a globally consistent IaaS for cloud APIs to consume native cloudservices on any cloud, along with an integrated self-service catalog and simpleblueprints that enable iterative development capabilities at the speed thatcustomers require.

3. Provide consistent, unified management and operations for all apps,across platforms and private/public clouds, via automatic, real-time monitoringand metrics with integrated app intelligence to help discover new apps, viewoverall health and assist in troubleshooting. Leveraging a single, unified

HOL-1945-01-SLN

HOL-1945-01-SLN

management framework across public and private clouds enables a uniquelyflexible approach to operations consistency.

Initiative Three: Agility by Automation

Broaden business agility via effective IT automation and management toeliminate time-consuming manual processes, siloed workflows, and risky, error-pronetasks for more consistent delivery and management of IT resources. Organizations thatembrace this strategy will be able to automate the IT services lifecycle to rapidlyconfigure, provision, test, deploy, migrate, update, and decommission infrastructure andapplications. They can even turn infrastructure templates into blueprints that includenetworking and security profiles to create and deliver standardized services no matterwhere they deploy their workloads.

To enable this next-generation of business success, organizations need to embrace theprinciples of agility across multiple teams. For the line-of-business, it is important toleverage new applications that drive competitive advantage and enable new businessopportunities, while eliminating the barriers and complexities that often coincide withbusiness growth and expansion. For development teams, a proper approach to agilityshould shorten their release cycles and enable a much more flexible and nimbledevelopment process, that is not stagnated by manual processes and challenginginfrastructure. For IT teams, a proper execution of an agility initiative ensures that theycan keep up with increased business demand to meet faster delivery expectations,while also creating a culture of business enablement and forward-thinking innovationwithout the traditional risks and complexities that often accompany that progression.

The key technical component of this initiative is to provide a single control plane acrossclouds, with access to native Cloud APIs that enable customers to consume nativeservices on any cloud, while also ensuring the ability for continuous integration,development and delivery of their key apps and services.

HOL-1945-01-SLN

HOL-1945-01-SLN

Initiative Four: Next Gen Applications

Ensure the ability to build next-gen apps while maintaining existingapplications by building an agile, flexible, enterprise-grade platform that supportstraditional and cloud-native applications. This gives developers the option to useexisting development methodologies alongside container technologies andmicroservice-based architectures for faster and more frequent development with thesame management, security, reliability, and governance policies across their entiredevelopment ecosystem.

Flexible Approaches to a Modernized Data Center Basedon Choice and Business Need

VMware customers can uniquely leverage a flexible approach and choice of optionsfor how to implement a modern data center, based on business need or unique criteria:

• Automated (with VMware Cloud Foundation): For customers that are lookingfor the fastest, out-of-box approach to implementing a private/hybrid cloudexperience. These customers are looking to leverage a fully software-definedapproach to compute, storage, and networking, delivered in a complete hyper-converged architecture with an emphasis on the value of operational efficiencyover design customization and the complexity of integrating the specific “piecesand parts” of the solution.

Customer Profile:

• Looks for out-of-the-box private/hybrid cloud user experience• Chooses hyper-converged infrastructure as primary storage architecture• Puts greater value on operational efficacy over design customization

Build your own (with VMware Validated Designs): For customers who require theability to design a customized solution, possibly leveraging existing (traditional) externalhardware storage investments instead of full out-of-box integration and automation.This often appeals to customers looking for an incremental, component-based approachto adopting an SDDC.

HOL-1945-01-SLN

HOL-1945-01-SLN

Customer Profile:

• Values design customization over out-of-the-box integration and automation• Wants to use external storage as the primary storage architecture• Prefers an incremental, component-based approach to adopting the SDDC

Custom, do-it-yourself approach: For customers that prefer a completely customand self-validated design and possess a strong technical skillset. This is often thedirection chosen for customers that have unique hardware needs or constraints, withinfrastructure components that have limited compatibility or specific, yet limitedbusiness need.

Customer Profile:

• Prefers a completely custom and self-validated design• Possesses strong technical skillset

HOL-1945-01-SLN

HOL-1945-01-SLN

ConclusionIn this module you learned about different business cases around Modernizingthe Data Center.



There are 2 other modules in this lab:

• Module 1 - Introduction to Modernizing the Data Center (15 minutes)(Basic)


How to End Lab

To end your lab click on the END button.

HOL-1945-01-SLN

HOL-1945-01-SLN

ConclusionThank you for participating in the VMware Hands-on Labs. Be sure to visithttp://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1945-01-SLN

Version: 20200210-210333

HOL-1945-01-SLN

HOL-1945-01-SLN

http://hol.vmware.com/

table of contents - vmware · modernizing your data center allows you to keep up with the new pace...

Documents