Aug 28

VMworld US Day 1 General Session

VMware CEO Pat Gelsinger, CTO Ray O’Farrell, and their featured guests share how to push past the boundaries of what’s possible during the VMworld US Day 1 general session.

NOTE: This video is roughly 1 hour 45 minutes in length so it would be worth blocking out some time to watch it!

Rating: 5/5


Jun 13

Announcing the What’s New in vSphere 6.7 Whitepaper

By Adam Eckerle

With the recent announcement and general availability of vSphere 6.7 we’ve seen an immense amount of interest. With each new version of vSphere we continue to see customers start their testing of new releases earlier and earlier in the release cycle. vSphere 6.7 brings a number of important new features that vSphere administrators, as well as architects and business leaders, are excited about.

vSphere 6.7 focuses on simplifying management at scale, securing both infrastructure and workloads, being the universal platform for applications, and providing a seamless hybrid cloud experience. Features such as Enhanced Linked Mode with embedded Platform Services Controllers bring simplicity back to vCenter Server architecture. Support for TPM 2.0 and Virtualization Based Security provides organizations with a secure platform for both infrastructure and workloads. The addition of support for RDMA over Converged Ethernet v2 (RoCE v2), huge pages, suspend/resume for vGPU workloads, persistent memory, and native 4K disks shows that the hypervisor is not a commodity: vSphere 6.7 enables more functionality and better performance for more applications.

For those wanting a deep dive into the new features and functionality, I’m happy to announce the availability of the What’s New in vSphere 6.7 whitepaper. This paper is a consolidated resource that discusses and illustrates the key new features of vSphere 6.7 and their value to vSphere customers. The What’s New with vSphere 6.7 whitepaper can be found on the vSphere product page in the Resources section or can be downloaded directly here. After reading through this paper you should have a very good grasp on the key new features and how they will help your infrastructure and business.

Finally, we have a new collection of vSphere 6.7 resources on vSphere Central to make setting up and using these new features even easier. There are also some walkthroughs on upgrading. You can see all of the currently available resources on the vSphere 6.7 Technical Assets page.

Download What’s New in vSphere 6.7 Whitepaper.

About the Author

Adam Eckerle manages the vSphere Technical Marketing team in the Cloud Platform Business Unit at VMware. This team is responsible for vSphere launch, enablement, and ongoing content generation for the VMware field, Partners, and Customers. In addition, Adam’s team is also focused on preparing Customers and Partners for vSphere upgrades through workshops, VMUGs, and other events.

Rating: 5/5


Apr 17

vSAN 6.7 What’s New Technical

vSAN 6.7 introduces a number of key features that help us provide an HCI solution for customers that want to evolve without risk, lower their TCO, and accommodate the demands of IT environments for today, tomorrow, and beyond. To help customers evolve their data center with HCI, the improvements of vSAN 6.7 focused on enabling customers to improve their experience in three key areas: Intuitive Operations Experience, Consistent Application Experience, and Enhanced Support Experience.

Rating: 5/5


Apr 17

Introducing VMware vSphere 6.7!

By Himanshu Singh

We are excited to share that today VMware is announcing vSphere 6.7, the latest release of the industry-leading virtualization and cloud platform. vSphere 6.7 is the efficient and secure platform for hybrid clouds, fueling digital transformation by delivering simple and efficient management at scale, comprehensive built-in security, a universal application platform, and a seamless hybrid cloud experience.

vSphere 6.7 delivers key capabilities that enable IT organizations to address the following notable trends, which are putting new demands on their IT infrastructure:

  • Explosive growth in the quantity and variety of applications, from business critical apps to new intelligent workloads.
  • Rapid growth of hybrid cloud environments and use cases.
  • On-premises data centers growing and expanding globally, including at the Edge.
  • Security of infrastructure and applications attaining paramount importance.

Let’s take a look at some of the key capabilities in vSphere 6.7:

Figure: vSphere 6.7 Key Capabilities

Simple and Efficient Management, at Scale

vSphere 6.7 builds on the technological innovation delivered by vSphere 6.5, and elevates the customer experience to an entirely new level. It provides exceptional management simplicity, operational efficiency, and faster time to market, all at scale.

vSphere 6.7 delivers an exceptional experience for the user with an enhanced vCenter Server Appliance (vCSA). It introduces several new APIs that improve the efficiency and experience to deploy vCenter, to deploy multiple vCenters based on a template, to make management of vCenter Server Appliance significantly easier, as well as for backup and restore. It also significantly simplifies the vCenter Server topology through vCenter with embedded platform services controller in enhanced linked mode, enabling customers to link multiple vCenters and have seamless visibility across the environment without the need for an external platform services controller or load balancers.

Moreover, with vSphere 6.7 vCSA delivers phenomenal performance improvements (all metrics compared at cluster scale limits, versus vSphere 6.5):

  • 2X faster performance in vCenter operations per second
  • 3X reduction in memory usage
  • 3X faster DRS-related operations (e.g. power-on virtual machine)

These performance improvements ensure a blazing fast experience for vSphere users, and deliver significant value, as well as time and cost savings in a variety of use cases, such as VDI, Scale-out apps, Big Data, HPC, DevOps, distributed cloud native apps, etc.

vSphere 6.7 improves efficiency at scale when updating ESXi hosts, significantly reducing maintenance time by eliminating one of two reboots normally required for major version upgrades (Single Reboot). In addition to that, vSphere Quick Boot is a new innovation that restarts the ESXi hypervisor without rebooting the physical host, skipping time-consuming hardware initialization.

Figure: vCenter with embedded platform services controller


Another key component that allows vSphere 6.7 to deliver a simplified and efficient experience is the graphical user interface itself. The HTML5-based vSphere Client provides a modern user interface experience that is both responsive and easy to use. With vSphere 6.7, it includes added functionality to support not only the typical workflows customers need but also other key functionality like managing NSX, vSAN, VUM as well as third-party components.

Figure: HTML5-based vSphere Client

Comprehensive Built-In Security

vSphere 6.7 builds on the security capabilities in vSphere 6.5 and leverages its unique position as the hypervisor to offer comprehensive security that starts at the core, via an operationally simple policy-driven model.

Figure: Trusted Platform Module


vSphere 6.7 adds support for Trusted Platform Module (TPM) 2.0 hardware devices and also introduces Virtual TPM 2.0, significantly enhancing protection and assuring integrity for both the hypervisor and the guest operating system. This capability helps prevent VMs and hosts from being tampered with, prevents the loading of unauthorized components and enables guest operating system security features security teams are asking for.

Data encryption was introduced with vSphere 6.5 and very well received. With vSphere 6.7, VM Encryption is further enhanced and more operationally simple to manage. vSphere 6.7 simplifies workflows for VM Encryption, designed to protect data at rest and in motion, making it as easy as a right-click while also increasing the security posture of encrypting the VM and giving the user a greater degree of control to protect against unauthorized data access.

vSphere 6.7 also enhances protection for data in motion by enabling encrypted vMotion across different vCenter instances as well as versions, making it easy to securely conduct data center migrations, move data across a hybrid cloud environment (between on-premises and public cloud), or across geographically distributed data centers.

vSphere 6.7 introduces support for the entire range of Microsoft’s Virtualization Based Security technologies. This is a result of close collaboration between VMware and Microsoft to ensure Windows VMs on vSphere support in-guest security features while continuing to run performant and secure on the vSphere platform.

vSphere 6.7 delivers comprehensive built-in security and is the heart of a secure SDDC. It has deep integration and works seamlessly with other VMware products such as vSAN, NSX and vRealize Suite to provide a complete security model for the data center.

Universal Application Platform

vSphere 6.7 is a universal application platform that supports new workloads (including 3D Graphics, Big Data, HPC, Machine Learning, In-Memory, and Cloud-Native) as well as existing mission critical applications. It also supports and leverages some of the latest hardware innovations in the industry, delivering exceptional performance for a variety of workloads.

vSphere 6.7 further enhances the support and capabilities introduced for GPUs through VMware’s collaboration with Nvidia, by virtualizing Nvidia GPUs even for non-VDI and non-general-purpose-computing use cases such as artificial intelligence, machine learning, big data and more. With enhancements to Nvidia GRID™ vGPU technology in vSphere 6.7, instead of having to power off workloads running on GPUs, customers can simply suspend and resume those VMs, allowing for better lifecycle management of the underlying host and significantly reducing disruption for end-users. VMware continues to invest in this area, with the goal of bringing the full vSphere experience to GPUs in future releases.

Figure: vSphere Persistent Memory


vSphere 6.7 continues to showcase VMware’s technological leadership and fruitful collaboration with our key partners by adding support for a key industry innovation poised to have a dramatic impact on the landscape, which is persistent memory. With vSphere Persistent Memory, customers using supported hardware modules, such as those available from Dell-EMC and HPE, can leverage them either as super-fast storage with high IOPS, or expose them to the guest operating system as non-volatile memory. This will significantly enhance performance of the OS as well as applications across a variety of use cases, making existing applications faster and more performant and enabling customers to create new high-performance applications that can leverage vSphere Persistent Memory.

Also check out the VirtualBlocks Core Storage 6.7 blog where you can find more information about new storage and network features such as Native 4Kn disk support, RDMA support, and Intel VMD for NVMe that further enhance Enterprise Applications running on vSphere.

Seamless Hybrid Cloud Experience

With the fast adoption of vSphere-based public clouds through VMware Cloud Provider Program partners, VMware Cloud on AWS, as well as other public cloud providers, VMware is committed to delivering a seamless hybrid cloud experience for customers.

vSphere 6.7 introduces vCenter Server Hybrid Linked Mode, which makes it easy and simple for customers to have unified visibility and manageability across an on-premises vSphere environment running on one version and VMware Cloud on AWS, running on a different version of vSphere. This ensures that the fast pace of innovation and introduction of new capabilities in VMware Cloud on AWS does not force the customer to constantly update and upgrade their on-premises vSphere environment.

Figure: vCenter Server Hybrid Linked Mode


vSphere 6.7 also introduces Cross-Cloud Cold and Hot Migration, further enhancing the ease of management across clouds and enabling a seamless and non-disruptive hybrid cloud experience for customers.

As virtual machines migrate between different data centers or from an on-premises data center to the cloud and back, they likely move across different CPU types. vSphere 6.7 delivers a new capability that is key for the hybrid cloud, called Per-VM EVC. Per-VM EVC enables the EVC (Enhanced vMotion Compatibility) mode to become an attribute of the VM rather than the specific processor generation it happens to be booted on in the cluster. This allows for seamless migration across different CPUs by persisting the EVC mode per-VM during migrations across clusters and during power cycles.

Previously, vSphere 6.0 introduced provisioning between vCenter instances. This is often called “cross-vCenter provisioning.” The use of two vCenter instances introduces the possibility that the instances are on different release versions. vSphere 6.7 enables customers to use different vCenter versions while allowing cross-vCenter, mixed-version provisioning operations (vMotion, Full Clone and cold migrate) to continue seamlessly. This is especially useful for customers leveraging VMware Cloud on AWS as part of their hybrid cloud.

Learn More

As the ideal, efficient, secure universal platform for hybrid cloud, supporting new and existing applications, serving the needs of IT and the business, vSphere 6.7 reinforces your investment in VMware. vSphere 6.7 is one of the core components of VMware’s SDDC and a fundamental building block of your cloud strategy. With vSphere 6.7, you can now run, manage, connect, and secure your applications in a common operating environment, across your hybrid cloud.

This article only touched upon the key highlights of this release, but there are many more new features. To learn more about vSphere 6.7, please see the following resources.

Note:

As part of any new vSphere release, VMware expects to make compatible versions of dependent products available within one quarter of general availability in most cases. At vSphere 6.7 general availability, compatible versions of VMware NSX, VMware Integrated OpenStack and VMware vSphere Integrated Containers will not be available. Moreover, VMware Horizon 7.4 is not compatible with the Instant Clone API used in vSphere 6.7. Instant Clone support for vSphere 6.7 will be available in an upcoming Horizon release. Existing NSX, VIC and VIO customers are advised not to upgrade to vSphere 6.7 until compatible versions become available. For additional information on NSX, VIC and VIO compatibility, please contact your VMware account team or reseller partner.

About the Author

Himanshu Singh is Group Manager of Product Marketing for VMware’s Cloud Platform business, and runs the core product marketing team for the vSphere product line. His extensive past experience in the technology industry includes driving cloud management solutions at VMware, growing the Azure public cloud business at Microsoft, as well as delivering and managing private clouds for large enterprise customers at IBM. Himanshu has been a frequent speaker at VMworld, Dell Technologies World, vForum, VMUG, Microsoft TechEd, and other industry conferences. He holds a B.Eng. (Hons.) degree from Nanyang Technological University, Singapore, and an MBA from Tuck School of Business at Dartmouth College. Follow him on twitter as @himanshuks.

Rating: 5/5


Oct 18

What’s New with VMware Virtual SAN 6.5

Introducing Virtual SAN 6.5

VMware Virtual SAN 6.5 is the latest release of the market-leading, enterprise-class storage solution for hyper-converged infrastructure (HCI). Virtual SAN 6.5 builds on the existing features introduced in 6.2 by enhancing automation, further reducing total cost of ownership (TCO), and setting the stage for next-generation cloud native applications.

Virtual SAN continues to see rapid adoption with more than 5000 customers utilizing the solution for a number of use cases including mission-critical production applications and databases, test and development, management infrastructures, disaster recovery sites, virtual desktop deployments, and remote office implementations. Virtual SAN is used by 400+ Fortune-1000 organizations across every industry vertical in more than 100 countries worldwide.

Let’s take a look at the new features included with Virtual SAN 6.5…

Accelerate Responsiveness

The Virtual SAN API and vSphere PowerCLI have been updated in this release. It is now possible to automate the configuration and management of cluster settings, disk groups, fault domains, and stretched clusters. Activities such as maintenance mode and cluster shutdown can also be scripted. This video demonstrates some of the capabilities of the Virtual SAN API and PowerCLI: Creating a Cluster and Configuring Virtual SAN. PowerCLI can be used to monitor the health of a Virtual SAN cluster. Health issue remediation and re-sync activities can be automated with this latest release.

20-50% Additional TCO Savings

Now that flash devices have become the preferred choice for storage, it makes sense to adjust the Virtual SAN licensing model to account for this change in the industry. All Virtual SAN 6.5 licenses include support for both hybrid and all-flash configurations. Please note, however, that deduplication, compression, and erasure coding still require Virtual SAN Advanced or Enterprise licenses. Adding support for the use of all-flash configurations with all licensing editions provides organizations more deployment options and the ability to take advantage of increased performance while minimizing licensing costs.

Virtual SAN supports the use of network crossover cables in 2-node configurations. This is especially beneficial in use cases such as remote office and branch office (ROBO) deployments where it can be cost prohibitive to procure, deploy, and manage 10GbE networking equipment at each location. This configuration also reduces complexity and improves reliability.

While we are on the subject of ROBO deployments, it is also important to mention a related Virtual SAN licensing change. The existing Virtual SAN for ROBO license previously did not support the use of all-flash Virtual SAN cluster configurations and the corresponding space efficiency features. A new license has been added with the release of Virtual SAN 6.5 and it is called Virtual SAN for ROBO Advanced. This new license includes support for using deduplication, compression, and erasure coding. Using these features lowers the cost-per-usable-GB of flash storage, which further reduces TCO. Organizations get the best of both worlds: the extreme performance of flash at a cost that is on par with or lower than similar hybrid solutions.

Increased Flexibility

Virtual SAN 6.5 extends workload support to physical servers and clustered applications with the introduction of an iSCSI target service. Virtual SAN continues its track record of being radically simple by making it easy to access Virtual SAN storage using the iSCSI protocol with just a few vSphere Web Client mouse clicks. iSCSI targets on Virtual SAN are managed the same as other objects with Storage Policy Based Management (SPBM). Virtual SAN functionality such as deduplication, compression, mirroring, and erasure coding can be utilized with the iSCSI target service. CHAP and Mutual CHAP authentication are supported.

Figure: Enable vSAN iSCSI target service

Utilizing Virtual SAN for physical server workloads and clustered applications can reduce or eliminate the dependency on legacy storage solutions while providing the benefits of Virtual SAN such as simplicity, centralized management and monitoring, and high availability.

Scale To Tomorrow

New application architectures and development methods have emerged that are designed to run in today’s mobile-cloud era. For example, “DevOps” is a term that describes how these next-generation applications are developed and operated. “Container” technologies such as Docker and Kubernetes are a couple of the many solutions that have emerged as options for deploying and orchestrating these applications. Cloud native applications naturally require persistent storage just the same as traditional applications. Virtual SAN is an excellent choice for next-generation cloud native applications. Here are a few examples of the efforts that are underway:

vSphere Integrated Containers Engine is a container runtime for vSphere, allowing developers familiar with Docker to develop in containers and deploy them alongside traditional virtual machine workloads on vSphere clusters. vSphere Integrated Containers Engine enables these workloads to be managed through the vSphere GUI in a way familiar to vSphere admins. Availability and performance features in vSphere and Virtual SAN can be utilized by vSphere Integrated Containers Engine just the same as traditional virtual machine environments.

Docker Volume Driver for vSphere enables users to create and manage Docker container data volumes on vSphere storage technologies such as VMFS, NFS, and Virtual SAN. This driver makes it very simple to use containers with vSphere storage and provides the following key benefits:

– DevOps-friendly API for provisioning and policy configuration.
– Seamless movement of containers between vSphere hosts without moving data.
– Single platform to manage: run virtual machines and containers side-by-side.

Next-Gen Hardware Support

vSphere 6.5 and Virtual SAN 6.5 also introduce support for 512e drives, which will enable larger capacities to meet the constantly growing space requirements of today’s and tomorrow’s applications. New hardware innovations such as NVMe provide dramatic performance gains for Virtual SAN with up to 150k IOPS per host. This level of performance combined with the ability to scale up to 64 hosts in a single cluster sets the stage for running any app, any scale on Virtual SAN.

Visit Virtual SAN on vmware.com and VMware StorageHub for more details on this exciting new release of Virtual SAN.

To learn more about vSphere 6.5, please see the following resources.

@jhuntervmware on twitter

Rating: 5/5


Oct 18

What’s New in vSphere 6.5: Host & Resource Management and Operations

Posted on October 18, 2016 by Charu Chaubal

vSphere 6.5 brings a number of enhancements to ESXi host lifecycle management as well as some new capabilities to our venerable resource management features, DRS and HA. There are also greatly enhanced developer and automation interfaces, which are a major focus in this release. Last but not least, there are some notable improvements to vRealize Operations, since this product is bundled with certain editions of vSphere. Let’s dig into each of these areas.

Enhanced vSphere Host Lifecycle Management Capabilities

With vSphere 6.5, administrators will find significantly easier and more powerful capabilities for patching, upgrading, and managing the configuration of VMware ESXi hosts.

VMware Update Manager (VUM) continues to be the preferred approach for keeping ESXi hosts up to date, and with vSphere 6.5 it has been fully integrated with the VCSA. This eliminates the additional VM, operating system license, and database dependencies of the previous architecture, and now benefits from the resiliency of vCenter HA for redundancy. VUM is enabled by default and ready to handle patching and upgrading tasks of all magnitudes in your datacenter.

Host Profiles has come a long way since the initial introduction way back in vSphere 4! This release offers much in the way of both management of the profiles, as well as day-to-day operations. For starters, an updated graphical editor that is part of the vSphere Web Client now has an easy-to-use search function in addition to a new ability to mark individual configuration elements as favorites for quick access.

Figure: vSphere Host Profile Editor

Administrators now have the means to create a hierarchy of host profiles by taking advantage of the new ability to copy settings from one profile to one or many others.

Although Host Profiles provides a means of abstracting management away from individual hosts in favor of clusters, each host may still have distinct characteristics, such as a static IP address, that must be accommodated. The process of setting these per-host values is known as host customization, and with this release it is now possible to manage these settings for groups of hosts via CSV file – undoubtedly appealing to customers with larger environments.

Compliance checks are more informative as well, with a detailed side-by-side comparison of values from a profile versus the actual values on a host. And finally, the process of effecting configuration change is greatly enhanced in vSphere 6.5 thanks to DRS integration for scenarios that require maintenance mode, and speedy parallel remediation for changes that do not.

Auto Deploy – the boot-from-network deployment option for vSphere – is now easier to manage in vSphere 6.5 with the introduction of a full-featured graphical interface. Administrators no longer need to use PowerCLI to create and manage deploy rules or custom ESXi images.

Figure: Auto Deploy

New and unassigned hosts that boot from Auto Deploy will now be collected under the Discovered Hosts tab as they wait patiently for instructions, and a new interactive workflow enables provisioning without ever creating a deploy rule.

Custom integrations and other special configuration tasks are now possible with the Script Bundle feature, enabling arbitrary scripts to be run on the ESXi hosts after they boot via Auto Deploy.

Scalability has been greatly improved over previous releases and it’s easy to design an architecture with optional reverse proxy caches for very large environments needing to optimize and reduce resource utilization on the VCSA. And like VUM, Auto Deploy also benefits from native vCenter HA for quick failover in the event of an outage.

In addition to all of that, we are pleased to announce that Auto Deploy now supports UEFI hardware for those customers running the newest servers from VMware OEM partners.

It’s easy to see how vSphere 6.5 makes management of hosts easier for datacenters of all sizes!

Resource Management – HA, FT and DRS

vSphere continues to provide the best availability and resource management features for today’s most demanding applications. vSphere 6.5 continues to move the needle by adding major new features and improving existing features to make vSphere the most trusted virtual computing platform available. Here is a glimpse of what you can expect to see when vSphere 6.5 is released later this year.

Proactive HA

Proactive HA will detect hardware conditions of a host and allow you to evacuate the VMs before the issue causes an outage. Working in conjunction with participating hardware vendors, vCenter will plug into the hardware monitoring solution to receive the health status of the monitored components such as fans, memory, and power supplies. vSphere can then be configured to respond according to the failure.

Once a component is labeled unhealthy by the hardware monitoring system, vSphere will classify the host as either moderately or severely degraded depending on which component failed. vSphere will place that affected host into a new state called Quarantine Mode. In this mode, DRS will not use the host for placement decisions for new VMs unless a DRS rule could not otherwise be satisfied. Additionally, DRS will attempt to evacuate the host as long as it would not cause a performance issue. Proactive HA can also be configured to place degraded hosts into Maintenance Mode which will perform a standard virtual machine evacuation.

vSphere HA Orchestrated Restart

vSphere 6.5 now allows creating dependency chains using VM-to-VM rules. These dependency rules are enforced when vSphere HA is used to restart VMs from failed hosts. This is great for multi-tier applications that do not recover successfully unless they are restarted in a particular order. A common example of this is a database, app, and web server.

In the example below, VM4 and VM5 restart at the same time because their dependency rules are satisfied. VM7 will wait for VM5 because there is a rule between VM5 and VM7. Explicit rules must be created that define the dependency chain. If that last rule were omitted, VM7 would restart with VM5 because the rule with VM6 is already satisfied.

Figure: Orchestrated HA restart

In addition to the VM dependency rules, vSphere 6.5 adds two additional restart priority levels named Highest and Lowest providing five total. This provides even greater control when planning the recovery of virtual machines managed by vSphere HA.
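As an added illustration (not VMware’s code and not from the original post), the following Python models how VM-to-VM dependency rules become restart waves, using a constructed rule set that reproduces the VM4/VM5/VM7 scenario described above; the ordering by restart priority within a wave and the cycle check are modelling assumptions, not documented HA behaviour.

```python
"""Model of vSphere HA orchestrated restart: VM-to-VM dependency rules
are turned into restart waves.  Constructed example, not VMware code."""
from collections import defaultdict

# The five restart priority levels in vSphere 6.5 (Highest and Lowest are new).
PRIORITY_ORDER = ["Highest", "High", "Medium", "Low", "Lowest"]


def restart_waves(vms, rules, priorities=None):
    """Return the restart waves for `vms` as a list of lists.

    `rules` holds (first, then) pairs meaning "restart `then` only after
    `first` is up" (one VM-to-VM dependency rule each).  A VM joins a wave
    once every VM it depends on restarted in an earlier wave, so VMs whose
    rules are all satisfied restart together.  Within a wave, VMs are listed
    by restart priority, then name (modelling assumption).  A circular rule
    set can never be satisfied, so it raises ValueError instead of hanging.
    """
    priorities = priorities or {}
    waiting_on = {vm: set() for vm in vms}      # vm -> VMs it must wait for
    dependents = defaultdict(set)               # vm -> VMs waiting on it
    for first, then in rules:
        if first not in waiting_on or then not in waiting_on:
            raise ValueError(f"rule {first}->{then} references an unknown VM")
        waiting_on[then].add(first)
        dependents[first].add(then)

    started = set()
    waves = []
    while len(started) < len(vms):
        ready = [vm for vm in vms
                 if vm not in started and waiting_on[vm] <= started]
        if not ready:
            stuck = sorted(set(vms) - started)
            raise ValueError(f"circular dependency, cannot restart: {stuck}")
        ready.sort(key=lambda vm: (
            PRIORITY_ORDER.index(priorities.get(vm, "Medium")), vm))
        waves.append(ready)
        started.update(ready)
    return waves


# Constructed rule set matching the text: VM4 and VM5 only wait for VM1,
# VM7 waits for VM6 (already restarted) and, via the last rule, for VM5.
VMS = ["VM1", "VM4", "VM5", "VM6", "VM7"]
RULES = [("VM1", "VM4"), ("VM1", "VM5"), ("VM6", "VM7"), ("VM5", "VM7")]


def example_waves(omit_vm5_rule=False):
    """Waves with the full rule set, or with the VM5->VM7 rule left out."""
    rules = [r for r in RULES if not (omit_vm5_rule and r == ("VM5", "VM7"))]
    return restart_waves(VMS, rules)


if __name__ == "__main__":
    print(example_waves())       # [['VM1', 'VM6'], ['VM4', 'VM5'], ['VM7']]
    print(example_waves(True))   # [['VM1', 'VM6'], ['VM4', 'VM5', 'VM7']]
```

Dropping the VM5→VM7 rule moves VM7 into the same wave as VM4 and VM5, which is exactly the behaviour the text warns about when the last rule in a chain is omitted.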

Simplified vSphere HA Admission Control

Several improvements have been made to vSphere HA Admission Control. Admission control sets aside a calculated amount of resources to be used in the event of a host failure, and one of three policies is used to enforce how much capacity is set aside. Starting with vSphere 6.5, this configuration just got simpler. The first major change is that the administrator simply needs to define the number of host failures to tolerate (FTT). Once that number is configured, vSphere HA automatically calculates a percentage of resources to set aside by applying the “Percentage of Cluster Resources” admission control policy. As hosts are added to or removed from the cluster, the percentage is automatically recalculated. This is the new default configuration, but it is possible to override the automatic calculation or use another admission control policy.

Additionally, the vSphere Web Client will issue a warning if vSphere HA detects a host failure would cause a reduction in VM performance based on the actual resource consumption, not only based on the configured reservations. The administrator is able to configure how much of a performance loss is tolerated before a warning is issued.
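The following Python is an added, simplified model of the two behaviours described above (it is not VMware’s code): the percentage derived from host failures to tolerate, the admission check against reservations, and the warning driven by actual consumption. It tracks a single resource (constructed CPU capacities in GHz), and the “FTT largest hosts fail” worst case and the loss formula are modelling assumptions.

```python
"""Simplified model of vSphere 6.5 HA admission control: the default
"Percentage of Cluster Resources" policy derived from the number of host
failures to tolerate (FTT), plus the new performance-degradation warning.
Constructed example, not VMware code; single resource (CPU, GHz)."""


def failover_percentage(host_count, host_failures_to_tolerate):
    """Percentage of cluster resources HA sets aside: FTT / number of hosts.
    Recomputed whenever hosts join or leave, which is the point of the 6.5
    change (e.g. 1 failure out of 4 hosts -> 25%)."""
    if host_failures_to_tolerate < 1 or host_failures_to_tolerate >= host_count:
        raise ValueError("FTT must be at least 1 and less than the host count")
    return 100.0 * host_failures_to_tolerate / host_count


def admission_check(host_capacities, vm_reservations,
                    host_failures_to_tolerate, new_vm_reservation):
    """Decide whether one more VM may power on.

    The capacity left after setting aside the failover percentage must cover
    every configured reservation, including the new VM's.  Returns
    (allowed, details) so the caller can show why a power-on was refused.
    """
    total = sum(host_capacities)
    pct = failover_percentage(len(host_capacities), host_failures_to_tolerate)
    usable = total * (1 - pct / 100.0)
    committed = sum(vm_reservations) + new_vm_reservation
    details = {"reserved_pct": pct, "usable": usable, "committed": committed}
    return committed <= usable, details


def degradation_warning(host_capacities, vm_consumption,
                        host_failures_to_tolerate, tolerated_pct):
    """Warning based on what VMs actually consume, not on reservations.

    Modelling assumption: the FTT largest hosts fail (worst case).  If the
    surviving capacity no longer covers current consumption, the shortfall
    expressed as a share of demand is the performance loss; a warning is
    raised when it exceeds the administrator's tolerated percentage
    (100 disables the warning).  Returns (warn, loss_pct).
    """
    failover_percentage(len(host_capacities), host_failures_to_tolerate)  # validates FTT
    surviving = sorted(host_capacities)[:-host_failures_to_tolerate]
    remaining = sum(surviving)
    demand = sum(vm_consumption)
    loss_pct = 0.0 if demand <= remaining else 100.0 * (demand - remaining) / demand
    return loss_pct > tolerated_pct, loss_pct


if __name__ == "__main__":
    # Constructed cluster: four hosts of 100 GHz each, FTT = 1 -> 25% reserved.
    hosts = [100, 100, 100, 100]
    print(admission_check(hosts, [80, 80, 60], 1, 70))   # allowed: 290 <= 300
    print(admission_check(hosts, [80, 80, 60], 1, 90))   # refused: 310 > 300
    # Reservations fit, but real consumption (320 GHz) would not after a loss.
    print(degradation_warning(hosts, [90, 90, 90, 50], 1, 0))    # warn, 6.25%
    print(degradation_warning(hosts, [90, 90, 90, 50], 1, 10))   # no warn
```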

Figure: Admission Control

Fault Tolerance (FT)

vSphere 6.5 FT has more integration with DRS, which helps make better placement decisions by ranking the hosts based on the available network bandwidth as well as recommending which datastore the secondary vmdk files should be placed on.

A tremendous amount of effort has gone into lowering the network latency introduced by the new technology that powers vSphere FT. This improves performance for certain types of applications that were sensitive to the additional latency first introduced with vSphere 6.0, and opens the door to an even wider array of mission critical applications.

FT networks can now be configured to use multiple NICs to increase the overall bandwidth available for FT logging traffic. This is a similar configuration to Multi-NIC vMotion, providing additional channels of communication for environments that require more bandwidth than a single NIC can provide.

DRS Advanced Options

Three of the most common advanced options used in DRS clusters are now getting their own checkbox in the UI for simpler configuration.

  • VM Distribution: Enforce an even distribution of VMs. DRS spreads the VM count evenly across the hosts. This avoids putting too many eggs in one basket and minimizes the impact on the environment after a host failure. If DRS detects a severe performance imbalance, it corrects the performance issue at the expense of an even VM count.
  • Memory Metric for Load Balancing: By default DRS uses active memory + 25% as its primary metric when calculating memory load on a host. The Consumed memory vs. active memory option makes DRS use the consumed memory metric instead. This is beneficial when memory is not over-allocated; as a side effect, the UI shows the hosts as more balanced.
  • CPU over-commitment: Enforce a maximum vCPU:pCPU ratio in the cluster. Once the cluster reaches the defined ratio, no additional VMs are allowed to power on.
DRS settings

Network-Aware DRS

DRS now considers network utilization in addition to the 25+ metrics already used when making migration recommendations. DRS observes the Tx and Rx rates of the connected physical uplinks and avoids placing VMs on hosts whose uplinks are more than 80% utilized. DRS will not reactively balance the hosts solely on network utilization; rather, it uses network utilization as an additional check to determine whether the currently selected host is suitable for the VM. This additional input improves DRS placement decisions, which results in better VM performance.

SIOC + SPBM

Storage IO Control configuration is now performed using storage policies, with IO limits enforced through the vSphere APIs for IO Filtering (VAIO). Using the Storage Policy Based Management (SPBM) framework, administrators can define different policies with different IO limits and then assign VMs to those policies. This simplifies offering varying tiers of storage service and makes it possible to validate policy compliance.

VM Storage Policy

Content Library

Content Library with vSphere 6.5 includes some very welcome usability improvements. Administrators can now mount an ISO directly from the Content Library, apply a Guest OS Customization during VM deployment, and update existing templates.

Performance and recoverability have also been improved. Scalability has been increased, and there is a new option to control how a published library stores and syncs content. When enabled, it reduces the sync time between vCenter Servers that are not using Enhanced Linked Mode.

The Content Library is now part of the vSphere 6.5 backup/restore service, and it is covered by the vCenter HA feature set.

Developer and Automation Interfaces

The vSphere developer and automation interfaces are receiving some fantastic updates as well. Starting with the vSphere REST APIs, these have been extended to include VCSA and VM-based management and configuration tasks. There is also a new way to explore the available vSphere REST APIs: the API Explorer. The API Explorer is available locally on the vCenter Server itself and shows, for each API task, the URL at which it can be called, which HTTP method to use, what the request body should look like, and even a "Try It Out" button to perform the call live.

API explorer
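
The same session-based flow the API Explorer's "Try It Out" button performs, as an added PowerShell example that is not part of the original post. It uses the vSphere 6.5 REST endpoints /rest/com/vmware/cis/session and /rest/vcenter/vm; the vCenter hostname is a placeholder and the credentials are prompted for at run time.

```powershell
# Added example, not code from the original post.
# Assumes: vSphere 6.5 REST API, a vCenter whose certificate is trusted by this
# client (do not disable certificate validation against a production vCenter),
# and an SSO account that can list VMs. Hostname is a placeholder.
$vc   = 'vcenter01.lab.local'
$cred = Get-Credential -Message 'vCenter SSO account'

# Step 1: create a session. The session endpoint takes HTTP Basic auth once and
# returns an API session token in the JSON body ({"value": "<token>"}).
$pair  = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$session = Invoke-RestMethod -Method Post `
    -Uri "https://$vc/rest/com/vmware/cis/session" `
    -Headers @{ Authorization = "Basic $basic" }
$token = $session.value
Remove-Variable pair, basic   # do not keep the cleartext credential around

# Step 2: every later call carries the token in the vmware-api-session-id header.
$authHeader = @{ 'vmware-api-session-id' = $token }
$vms = Invoke-RestMethod -Method Get -Uri "https://$vc/rest/vcenter/vm" -Headers $authHeader
$vms.value | Select-Object name, vm, power_state | Format-Table

# Step 3: end the session explicitly rather than leaving a live token behind.
Invoke-RestMethod -Method Delete -Uri "https://$vc/rest/com/vmware/cis/session" -Headers $authHeader
```

The token, not the password, is what every subsequent request carries, which is why the script discards the Basic credential immediately after the session call and deletes the session when it is done.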

Moving over to the CLIs, PowerCLI is now 100% module based. There are also some key improvements to those modules. The Core module now supports cross-vCenter vMotion by way of the Move-VM cmdlet. The VSAN module has been bolstered to 13 cmdlets that focus on automating the entire lifecycle of VSAN. The Horizon View module has been completely rewritten; it lets users perform View-related tasks from any system and interact with the View API.

The vSphere CLI (vCLI) also received some big updates. ESXCLI, which is installed as part of vCLI, now features several new storage commands for handling VSAN core dump procedures, using VSAN's iSCSI functionality, managing NVMe devices, and other core storage tasks. There are also additions on the network side for NIC commands such as queuing, coalescing, and basic FCoE tasks. Lastly, the Datacenter CLI (DCLI), which is also installed as part of vCLI, can make use of all the new vSphere REST APIs.

Check out this example of the power of DCLI's interactive mode, with features like tab completion:

DCLI interactive

Operations Management

There have been some exciting improvements on the vSphere with Operations Management (vSOM) side of the house as well. vRealize Operations Manager (vR Ops) has been updated to version 6.4, which includes many new dashboards, dashboard improvements, and other key features to help administrators get to the root cause faster and more efficiently. Log Insight for vCenter has also been updated, to version 4.0. It contains a new user interface (UI) based on the new Clarity UI, increased API functionality around the installation process, the ability to perform automatic updates to agents, and some other general UI improvements. Both products will be compatible with vSphere 6.5 on day one.

Digging a little further into the vR Ops improvements, let’s first take a look at the three new dashboards: Operations Overview, Capacity Overview, and Troubleshoot a VM. The Operations dashboard displays pertinent environment information such as an inventory summary, cluster update, overall alert volume, and widgets containing the Top-15 VMs experiencing CPU contention, memory contention, and disk latency. The Capacity dashboard contains information such as capacity totals, capacity in use across CPU count, RAM, and storage, reclaimable capacity, and a distributed utilization visualization. The Troubleshoot a VM dashboard is a central location to view information about an individual VM, such as its alerts, relationships, and metrics based on demand, contention, parent cluster contention, and parent datastore latency.

vROPS Dashboard

One other improvement that isn’t a dashboard but a new view for each object is the new resource details page. It closely resembles the Home dashboard added in a prior version, but focuses only on the selected object. The information displayed includes any active alerts, key properties, KPI metrics, and relationship information.

vROPS details

Covering some of the other notable improvements: vSphere VM folders can now be displayed within vR Ops. Alerts can be grouped so that it is easy to see which alert is most prevalent, and alert groups also make it possible to clear alerts in bulk. Lastly, KPI metric groups are now available out of the box to chart and correlate properties with a single click.

To learn more about vSphere 6.5, please see the following resources.

Rating: 5/5


Oct 18

What’s new in vSphere 6.5: Security

Posted on October 17, 2016 by Mike Foley

vSphere 6.5 is a turning point in VMware infrastructure security. What was mostly an afterthought by many IT folks only a few short years ago is now one of the top drivers of innovation for vSphere. Security has become a front and center focus of this release and I think you’ll like what we’ve come up with.

Our focus for security is manageability. If security is not easy to implement and manage, the benefit it brings is offset. Security in a virtual infrastructure must be done “at scale”. Managing hundreds or thousands of security “snowflakes” is something no IT manager wants to do; she or he doesn’t have the resources for it. The key to security at scale is automation, and in these new features you’ll see plenty of it.

VM Encryption

Encrypting virtual machines is something that has been attempted for years. But, in case you hadn’t noticed, it just hasn’t “taken off”, because every solution has had a negative operational impact. With vSphere 6.5 we are addressing that head on.

Encryption is done in the hypervisor, “beneath” the virtual machine. As I/O comes out of the virtual disk controller in the VM, it is immediately encrypted by a module in the kernel before being sent to the kernel storage layer. Both the VM Home files (VMX, snapshot files, etc.) and the VMDK files are encrypted.

The advantages here are numerous.

    1. Because encryption happens at the hypervisor level and not in the VM, the Guest OS and datastore type are not a factor. Encryption of the VM is agnostic to both.
    2. Encryption is managed via policy. A policy can be applied to many VMs, regardless of their Guest OS.
    3. Encryption is not managed “within” the VM. This is a key differentiation from every other solution in the market today! There are no encryption “snowflakes”: you don’t have to monitor whether encryption is running in the VM, and the keys are not contained in the VM’s memory.
    4. Key management is based on the industry standard, KMIP 1.1. In vSphere, vCenter is a KMIP client and works with a large number of KMIP 1.1 key managers. This brings choice and flexibility to customers. VM keys do not persist in vCenter.
    5. VM Encryption makes use of the latest hardware advances in today’s CPUs. It leverages AES-NI for encryption.
VM Encryption

vMotion Encryption

This has been asked for for a long time, and with 6.5 we deliver. What’s unique about vMotion encryption is that we are not encrypting the network: there are no certificates to manage and no network settings to make.

The encryption happens per VM. Enabling vMotion encryption on a VM sets things in motion. When the VM is migrated, vCenter generates a random, one-time-use 256-bit key (it does not use the key manager for this key).

In addition, a 64-bit nonce (an arbitrary number used only once in a crypto operation) is also generated. The key and nonce are packaged into the migration specification sent to both hosts. All of the VM’s vMotion data is then encrypted with that key and nonce, so captured traffic cannot be replayed.

vMotion encryption can be set on unencrypted VMs and is always enforced on encrypted VMs. The per-VM setting has three values: Disabled, Opportunistic (the default, which encrypts whenever both the source and destination hosts support it) and Required (the migration fails if either host cannot encrypt). For anything you would consider sensitive, set Required; Opportunistic silently falls back to cleartext when an older host is involved.

Encrypted vMotion

Secure Boot support

For vSphere 6.5 we are introducing Secure Boot support for virtual machines and for the ESXi hypervisor.

ESXi Secure Boot

ESXi SECURE BOOT – With Secure Boot enabled, the UEFI firmware validates the digital signature of the signed ESXi boot loader and kernel against a digital certificate in the UEFI firmware, so only properly signed code boots. For ESXi we take Secure Boot further by adding cryptographic assurance of all components of ESXi. ESXi is already made up of digitally signed packages called VIBs (vSphere Installation Bundles), and the ESXi file system maps to the content of those packages; the packages are never broken open. Using that certificate in the host UEFI firmware, the already-validated ESXi kernel in turn validates each VIB at boot time. A VIB that fails validation halts the boot rather than being loaded silently, which assures a cryptographically “clean” boot.

Note: If Secure Boot is enabled you will not be able to forcibly install unsigned code on ESXi. This ensures that when Secure Boot is enabled, ESXi runs only VMware digitally signed code. In practice that means any VIB at the CommunitySupported acceptance level, or any custom VIB without a valid signature, will stop the host from booting once Secure Boot is turned on, so inventory your VIBs before you flip the firmware setting. ESXi 6.5 ships a check for exactly this, /usr/lib/vmware/secureboot/bin/secureBoot.py -c, which reports whether the installed VIBs would pass validation.
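
One way to do that inventory from PowerCLI across a whole cluster, as an added example that is not from the original post. It assumes an existing Connect-VIServer session, PowerCLI with the Get-EsxCli -V2 interface, and a cluster named PCI (the name is a placeholder); it uses only the esxcli software vib list output exposed through Get-EsxCli.

```powershell
# Added example, not code from the original post.
# Assumes: an existing Connect-VIServer session and PowerCLI 6.0+ (Get-EsxCli -V2).
# Secure Boot on ESXi 6.5 refuses to load VIBs that lack a valid VMware/partner
# signature; the CommunitySupported acceptance level is the usual offender.

function Get-SecureBootBlockers {
    param([Parameter(Mandatory)]$VMHost)
    $esxcli = Get-EsxCli -VMHost $VMHost -V2
    # esxcli software vib list: one object per installed package
    $esxcli.software.vib.list.Invoke() |
        Where-Object { $_.AcceptanceLevel -eq 'CommunitySupported' } |
        Select-Object @{ N = 'Host'; E = { $VMHost.Name } }, Name, Vendor, Version, AcceptanceLevel
}

function Test-ClusterSecureBootReady {
    param([Parameter(Mandatory)][string]$ClusterName)
    $blockers = Get-Cluster $ClusterName | Get-VMHost | ForEach-Object { Get-SecureBootBlockers -VMHost $_ }
    if ($blockers) {
        Write-Warning "Remove or replace these VIBs before enabling Secure Boot:"
        $blockers | Format-Table -AutoSize
        return $false
    }
    Write-Host "No CommunitySupported VIBs found in cluster $ClusterName"
    return $true
}

# Usage: cluster name is a placeholder
Test-ClusterSecureBootReady -ClusterName 'PCI'
```

This catches the common case (community VIBs) without touching the host; the secureBoot.py script mentioned above remains the authoritative check because it verifies the signatures themselves rather than the acceptance level label.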

Dramatically Simplified Experience

VIRTUAL MACHINE SECURE BOOT

For VMs, Secure Boot is simple to enable. Your VM must be configured to use EFI firmware, and then you enable Secure Boot with a checkbox. Note that if you turn on Secure Boot for a virtual machine, only signed drivers and boot loaders can be loaded into that virtual machine. One caveat: the firmware type is chosen when the guest is installed. Flipping an existing BIOS-installed guest to EFI just to get the checkbox will leave it unbootable, so plan Secure Boot for new deployments or for guests already installed on EFI.

Secure Boot for Virtual Machines works with Windows or Linux.

Secure Boot for Virtual Machines
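
The vMotion encryption policy described above and the VM Secure Boot setting both live in the VM's config spec, so they can be audited and enforced together. Here is an added PowerCLI example that is not from the original post and not the scripts the author promises below. It assumes an existing Connect-VIServer session, PowerCLI 6.5 R1 or later (the vSphere 6.5 API bindings that expose migrateEncryption, efiSecureBootEnabled and keyId), and a cluster named PCI, which is a placeholder.

```powershell
# Added example, not code from the original post.
# Assumes: Connect-VIServer session, PowerCLI 6.5 R1+ (vSphere 6.5 API objects).
# Config fields used: Config.Firmware ('bios'|'efi'), Config.BootOptions.EfiSecureBootEnabled,
# Config.MigrateEncryption ('disabled'|'opportunistic'|'required'),
# Config.KeyId (non-null when the VM Home/VMDKs are encrypted).

function Get-VMSecurityPosture {
    param([Parameter(Mandatory)]$VM)
    foreach ($v in $VM) {
        $cfg = $v.ExtensionData.Config
        [pscustomobject]@{
            Name              = $v.Name
            Firmware          = $cfg.Firmware
            SecureBoot        = [bool]$cfg.BootOptions.EfiSecureBootEnabled
            VMEncrypted       = ($null -ne $cfg.KeyId)
            vMotionEncryption = $cfg.MigrateEncryption
        }
    }
}

function Set-VMSecurityPosture {
    param(
        [Parameter(Mandatory)]$VM,
        [switch]$SecureBoot,
        [ValidateSet('disabled', 'opportunistic', 'required')][string]$MigrateEncryption
    )
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    if ($SecureBoot) {
        # Boot options can only be changed on a powered-off VM, and Secure Boot needs EFI.
        if ($VM.PowerState -ne 'PoweredOff') {
            throw "$($VM.Name): power off before changing boot options"
        }
        if ($VM.ExtensionData.Config.Firmware -ne 'efi') {
            # Switching an installed BIOS guest to EFI breaks its boot; refuse instead of guessing.
            throw "$($VM.Name): uses BIOS firmware, reinstall/convert the guest on EFI first"
        }
        $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
        $spec.BootOptions.EfiSecureBootEnabled = $true
    }
    if ($MigrateEncryption) {
        # Encrypted VMs are always 'required' and cannot be lowered; only touch the rest.
        if ($null -ne $VM.ExtensionData.Config.KeyId -and $MigrateEncryption -ne 'required') {
            throw "$($VM.Name): VM is encrypted, vMotion encryption is always required"
        }
        $spec.MigrateEncryption = $MigrateEncryption
    }
    $VM.ExtensionData.ReconfigVM($spec)
}

# Usage (cluster name is a placeholder): report, then require encrypted vMotion for
# every VM and enable Secure Boot on the powered-off EFI ones.
$vms = Get-VM -Location (Get-Cluster 'PCI')
Get-VMSecurityPosture -VM $vms | Format-Table -AutoSize
foreach ($v in $vms) {
    Set-VMSecurityPosture -VM $v -MigrateEncryption required
    if ($v.PowerState -eq 'PoweredOff' -and $v.ExtensionData.Config.Firmware -eq 'efi') {
        Set-VMSecurityPosture -VM $v -SecureBoot
    }
}
```

The two checks in Set-VMSecurityPosture are the ones that bite in practice: boot options are rejected on a running VM, and setting Secure Boot on a BIOS-installed guest produces a VM that powers on but never reaches its OS.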

Enhanced Logging

vSphere logs have traditionally been focused on troubleshooting, not on “security” or even “IT operations”. This changes in vSphere 6.5 with the introduction of enhanced logging. Gone are the days when you make a significant change to a virtual machine and only get a log entry that says “VM has been reconfigured”.

We’ve enhanced the logs and made them “actionable” by sending the complete vCenter event, such as “VM Reconfigure”, out via the syslog data stream. The events now contain what I like to call “actionable data”. What I mean by that is, rather than just getting a notice that “something” has changed, you now get what changed, what it changed from, and what it changed to. This is data I can “take action” against.

In 6.5, you will get a descriptive log of the action. For example, if I add 4GB of memory to a VM that has 6GB today, I’ll see a log entry that tells me what the setting was and what the new setting is. In a security context, if you move a VM from the vSwitch labeled “PCI” to the vSwitch labeled “Non-PCI”, you will get a clear log entry describing that change. See the image below for an example.

Actionable Logging

Enhanced/Actionable Logging
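
What “take action against” looks like in a script, as an added PowerShell example that is not from the original post and not the author's demo script. The three syslog lines are constructed for this example to resemble vSphere 6.5 VmReconfiguredEvent messages (event type, user, then a “Modified: path: old -> new;” list); check the regexes against your own vCenter's syslog output before relying on them.

```powershell
# Added example, not code from the original post.
# The log lines are constructed sample data modelled on vSphere 6.5 syslog events;
# field layout and regexes are assumptions to verify against your own vCenter output.

$sampleLog = @'
2016-10-17T14:02:11Z vcenter01 vpxd: Event [41233] [1-1] [2016-10-17T14:02:11Z] [vim.event.VmReconfiguredEvent] [info] [VSPHERE.LOCAL\jsmith] [Prod] [41233] [Reconfigured app01 on esx01.lab.local in Prod. Modified: config.hardware.memoryMB: 6144 -> 10240;]
2016-10-17T14:05:42Z vcenter01 vpxd: Event [41240] [1-1] [2016-10-17T14:05:42Z] [vim.event.VmReconfiguredEvent] [info] [VSPHERE.LOCAL\jsmith] [Prod] [41240] [Reconfigured db01 on esx02.lab.local in Prod. Modified: config.hardware.device(4000).backing.deviceName: "PCI" -> "Non-PCI";]
2016-10-17T14:06:03Z vcenter01 vpxd: Event [41241] [1-1] [2016-10-17T14:06:03Z] [vim.event.VmPoweredOnEvent] [info] [VSPHERE.LOCAL\backup] [Prod] [41241] [db01 on esx02.lab.local in Prod is powered on]
'@

function ConvertFrom-VcReconfigureEvent {
    # Turns each "Modified: <path>: <old> -> <new>;" fragment into one change record.
    param([Parameter(Mandatory)][string[]]$Line)
    $header = '\[vim\.event\.VmReconfiguredEvent\]\s+\[\w+\]\s+\[(?<user>[^\]]+)\]\s+\[[^\]]+\]\s+\[\d+\]\s+\[Reconfigured (?<vm>\S+) on (?<host>\S+) in'
    foreach ($l in $Line) {
        if ($l -notmatch $header) { continue }   # other event types are ignored here
        $user = $Matches['user']; $vm = $Matches['vm']; $hostName = $Matches['host']
        foreach ($m in [regex]::Matches($l, 'Modified:\s*(?<path>[^:]+):\s*(?<old>.+?)\s*->\s*(?<new>[^;]+);')) {
            [pscustomobject]@{
                User = $user
                VM   = $vm
                Host = $hostName
                Path = $m.Groups['path'].Value.Trim()
                Old  = $m.Groups['old'].Value.Trim().Trim('"')
                New  = $m.Groups['new'].Value.Trim().Trim('"')
            }
        }
    }
}

function Find-NetworkDowngrade {
    # Alert when a NIC is moved off a network whose label marks it as in scope (here "PCI").
    param([Parameter(ValueFromPipeline)]$Change, [string]$ProtectedLabel = 'PCI')
    process {
        if ($Change.Path -like 'config.hardware.device(*).backing.deviceName' -and
            $Change.Old -eq $ProtectedLabel -and $Change.New -ne $ProtectedLabel) {
            "ALERT: $($Change.User) moved $($Change.VM) from '$($Change.Old)' to '$($Change.New)' on $($Change.Host)"
        }
    }
}

$changes = ConvertFrom-VcReconfigureEvent -Line ($sampleLog -split "`r?`n")
$changes | Format-Table -AutoSize        # memoryMB 6144 -> 10240 and the deviceName change
$changes | Find-NetworkDowngrade         # one ALERT line for db01
```

The point is that the old and new values arrive in the event itself, so the alert logic is a comparison on parsed fields rather than a lookup of what the VM used to look like; the same parser feeds any other rule you care about (memory or vCPU changes, device additions) without another round trip to vCenter.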

Solutions like VMware Log Insight will now have a lot more data to display and present, but more importantly, more detailed messages mean you can create more prescriptive alerts and remediations. More informed solutions help make more informed, critical datacenter decisions.

Automation

All of these features will have some level of automation available out of the gate. In future blog articles you’ll see PowerCLI examples for encrypting and decrypting VMs, enabling Secure Boot for VMs, setting Encrypted vMotion policies on a VM, and a script I used to build an Enhanced Logging demo that you can tweak to show the benefits of Enhanced Logging in your own environment. All of the script examples will be released on GitHub.

Wrap Up

That’s it for vSphere 6.5 security! I hope you are as excited as I am about it! More details on each feature will be forthcoming in blogs and whitepapers. One thing to add is the vSphere 6.5 Security Hardening Guide. This will, as always, come out within one quarter after the GA of 6.5. I don’t anticipate major changes to the guide. Features like VM Encryption are not something you should expect to see in the hardening guide. For more information on the types of information that are now in the guide, please reference this blog post.

As always, I appreciate your feedback and questions. You can reach out to me via email (mfoley at vmware dot com) or on Twitter @vspheresecurity or @mikefoley.

mike

To learn more about vSphere 6.5, please see the following resources.

Rating: 5/5