Wednesday, April 30, 2014

vCNS Edge Step by Step - 2/2

Here’s the second and last part of the tutorial on how to configure the vCNS Edge to act as a load balancer for your VMware vCloud implementation.
If you have no idea how we got to this point, go back and check part 1 of the series.

Now that we already have the Edge implemented, let’s see how to configure its load balancing services.

If you are not on the vCNS Admin Page
- On the Home page of vCenter click on vShield Icon

- Expand the Folder Datacenters and select the Datacenter where the vCNS Edge was deployed

- Select the Network Virtualization tab and double-click on the Edge device on which we will configure the load balancing services.
It will open up the configuration screen for the device.

- Select the Load Balancer tab

- Enable the Load Balancing service

- Click Publish Changes

Every change you make to the configuration will show you this Publish Changes option; if you do not publish the changes, they will not take effect.

- Click the plus sign to create a new load balancing pool

A load balancing pool is the group of servers that will provide a common service, in our case the vCloud Cells.
Since we have 2 distinct services on vCloud, HTTPS access and Console Proxy, it makes sense to create controls to manage them separately, so we will create one pool for each service.

The first pool is for the HTTPS access or the Portal itself if you wish.

- Give the pool a name, a description and click Next

- Select the services which will be available, for vCloud it’s 80 and 443 (HTTP and HTTPS), and click Next

- Enable the services on port 80 and 443, add the URI for monitoring the Cell's health and click Next
Health HTTP URI address: /cloud/server_status

The URI tells the load balancer whether the cell is healthy; if it is not, the load balancer will stop directing connections to the failed cell.
It helps you during maintenance periods, where you can stop one of the cells without impacting the entire cloud. The users will be redirected to the remaining healthy cell.

- Click the plus sign to add the members of this pool

- Type the IP of the cell and click OK

Since we are creating the HTTPS pool, its IP must be the IP designated to provide HTTPS services on the cell.

- Repeat the procedure for adding each vCloud cell of your solution

- Once you have your members added to the pool, click Next

- If everything is correct, Click Finish

Now we need to create the pool for Console Proxy; the procedure is ALMOST the same

- Select the Load Balancer tab and click the plus sign to create a new load balancing pool

- Give the pool a name, a description and click Next

- Select TCP, select LEAST_CONN as the Balancing Method, make sure the port is 443 and click Next

Despite the fact that the port is 443, ConsoleProxy is not a true HTTPS service; it runs more like a TCP socket session on this port.

- Enable the services on TCP port 443 and add the URI for the monitoring of the health of the cell and click Next
Health ConsoleProxy URI address: /sdk/vimServiceVersions.xml

- Add the same members as we did for the HTTP pool above.

Remember: this time, as we are creating a pool for the ConsoleProxy service, add the IPs of the cells designated to provide ConsoleProxy services

- Make sure everything is right and click Finish

- Once your pools are created click Publish Changes

Well, that’s only the first step: we have just created the pools of servers. Now we need to create Virtual Servers; most people know them as VIP addresses.
As we did with the pools, here we will create a VIP for HTTPS and another one for Console Proxy.
Let’s start with the HTTP one.

- To create the Virtual Servers go to the Load Balancer tab, select Virtual Servers and click on the plus sign to create a new one.

- Give it a Name; as a good practice something descriptive is always good
- Type the IP address of the HTTP VIP; it’s the IP your cloud name resolves to, not the specific cells' IPs.
- Make sure to pick the Pool of services configured for HTTP
- Configure the services the same as in the screen below and click Add

Now let’s create the Console Proxy VIP.

- Click on the plus sign to create a new Virtual Server
- Give it a Name
- Type the IP address of the ConsoleProxy VIP
- Make sure to pick the Pool of services configured for Console Proxy
- Configure the services the same as in the screen below and click Add

- Again, click Publish Changes to make the changes take effect

Not that hard, right? You can also use this procedure to create a load balancer for any service, not just vCloud.

Tuesday, April 22, 2014

VMware not Heartbleeding anymore

I bet by now you have heard about the Heartbleed vulnerability - CVE-2014-0160.

It’s a bug in the OpenSSL cryptographic software library which could be exploited to steal information through its engine.
Hundreds of software products around the world use OpenSSL to encrypt and protect information sent over the Internet.

Well, VMware is not an exception: several VMware products were affected by the bug (if you are in doubt about which products were affected, KB2076225 lists them). But VMware is also an exception when dealing with customers' top priorities, such as security and the risk to their assets, so as of April 20th ALL VMware products were remediated.

It’s up to you now: go out there, update your products and eliminate that risk from your environment.

VMware also provided a Security Advisory (VMSA-2014-0004.6), which contains the links for the updated version of all products.

Here’s also a good video to learn how the Heartbleed attack works

Don’t wait until tomorrow to secure your environment!!!

Wednesday, April 9, 2014

Input not an X.509 certificate

Today I want to post a resolution for the certificate import process of vCloud Director.

Most of the time it runs smoothly; you can follow KB1026309 and you will have no problems at all.

But sometimes you stumble on a weird issue and it takes some time to figure out what went wrong.
I ran into one of these situations last week. Then I wondered, why not share it with you guys and maybe save some precious minutes of your time.

Let’s clarify the scenario a little bit.

I was implementing a vCloud solution for a client.
The client requested a wildcard certificate from its Certificate Authority company. He then sent me back the root, intermediate and wildcard certificates.

As I always do, I took the individual codes and saved them as .CER files.
I copied them to the cell and started the import process.

No problem with the ROOT and Intermediate certificates, but when I tried to import the wildcard certificate I got the error:
Keytool error: java.lang.Exception: Input not an X.509 certificate

After some troubleshooting I realized there was a space at the end of each line in my file.

After I deleted the spaces the import process was successful.
I can only imagine there was something wrong with the format of the file when I saved it.

I hope you don’t come across this issue, but in case you do, here’s how to fix it ; )
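The trailing-space problem described above can be caught before running keytool. The script below is an added example, not part of the original post: the helper names pem_lint and pem_clean and the file names are hypothetical, and the sample body is a constructed base64-looking placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example: find and strip the trailing whitespace the post describes.
# pem_lint and pem_clean are hypothetical helper names.

# pem_lint FILE: print one finding per bad line; return non-zero if any found.
pem_lint() {
    awk '
        { line = $0 }
        line ~ /\r$/     { printf "line %d: carriage return (CRLF)\n", NR
                           bad = 1; sub(/\r$/, "", line) }
        line ~ /[ \t]+$/ { printf "line %d: trailing space or tab\n", NR
                           bad = 1; sub(/[ \t]+$/, "", line) }
        line ~ /^-----(BEGIN|END) CERTIFICATE-----$/ { next }
        line !~ "^[A-Za-z0-9+/=]*$" {
                           printf "line %d: non-base64 character\n", NR
                           bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# pem_clean IN OUT: write a copy with trailing spaces, tabs and CRs removed.
# The original file is left untouched so it can be compared afterwards.
pem_clean() {
    sed 's/[[:space:]]*$//' "$1" > "$2"
}

# Demo on a constructed file: every line ends in a space, as in the post.
tmp=$(mktemp -d)
printf '%s\n' \
    '-----BEGIN CERTIFICATE----- ' \
    'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= ' \
    '-----END CERTIFICATE----- ' > "$tmp/wildcard.cer"

if ! pem_lint "$tmp/wildcard.cer"; then
    pem_clean "$tmp/wildcard.cer" "$tmp/wildcard.clean.cer"
    pem_lint "$tmp/wildcard.clean.cer" && echo "clean copy passes the lint"
fi
```

With a real certificate, running `keytool -printcert -file` on the cleaned copy confirms that it parses before you start the import.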

Thursday, April 3, 2014

vCNS Edge Step by Step - 1/2

To make VMware vCloud Director failure proof and more resilient you need to install more than one vCloud cell. But to have the best experience you need to put a load balancer in front of them; this way you have just a single cloud name to access and to configure on other systems, leaving the load balancer to take care of directing the connections to each cell.

While most of the load balancers on the market are supposed to work with vCloud, as long as they support persistent SSL connections and SSL passthrough mode, there are clients which don’t have any load balancer or don’t even realize that vCloud comes with a viable option: vCNS Edge. It’s part of the vCloud Suite license, so there are no extra costs associated with this implementation.

Let’s see how we can implement vCNS Edge to work as a Load Balancer for vCloud.

This first post will be how to deploy vCNS Edge, which depends on the vCNS Manager.
If you don’t have vCNS Manager working already, go back to this post and learn how to deploy it.

- On the Home page of vCenter click on vShield Icon

- Expand the Folder Datacenters and select the Datacenter where vCNS Edge will be deployed

- Select the Network Virtualization tab and then click on the PLUS sign to create a new Edge

- Give it a Name and a description; also, to make it more reliable, enable HA and click Next

Edge HA is NOT the same as Fault Tolerance or vCenter HA; it's more a kind of clustering solution. If you want to learn more about Edge HA, here you can find more information.

- Set a password for the Admin account and click Next

- Select the Appliance Size (I recommend Large), enable Auto Rule Generation and then click on the plus sign to set up where the Edge will be created

If you want more information about Edge Size, check KB2042799

- Specify Cluster, Datastore, Host and Folder, then click Add

- Click on the PLUS sign to configure the vCNS Edge interfaces

vCNS Edge can have up to 10 NICs, so you can spread your traffic over them. I recommend one for Management and one for the vCloud Load Balanced traffic.

- Give it a Name, click on Change to select which Portgroup it will be connected to and then click on the PLUS sign to assign its IP and Subnet

Remember: the VIPs for vCloud HTTP and Remote Console will need to be configured on the Edge first, before you can set up your Load Balance rules.
- Click on the plus sign to add the IP information.

The Primary IP is the one used to manage the appliance.

- Configure its Default Gateway and click Next

- Configure the Firewall. If you set the default rule to Deny you will need to manually configure the allowed ports later; it’s up to you. Click Next

You could also set up a different NIC and IPs for the vCNS Edge HA to communicate.
In favor of simplicity I do not specify anything; this way HA will use the primary NIC for heartbeat.

- If everything is correct, click Finish

Once it’s deployed we can start using it.

Next post I will show you how to configure the Load Balance rules for vCloud Connector…

Stay Tuned ; )

Who am I

I’m an IT specialist with over 15 years of experience, working from IT infrastructure to management products, with troubleshooting and project management skills in medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers to embrace the Cloud Era and making them successful on their journey. Despite the fact that I'm a VMware employee, these postings reflect my own opinion and do not represent VMware's position, strategies or opinions. Reach me at @dumeirell
