Tag Archives: tenant

vRealize Automation 7 Management Pack for vRealize Operations

If you’re an SDDC administrator, you probably already know about the power and operational visibility that vRealize Operations brings to your environment. With the newly-released vRealize Automation 7 Management Pack for vRealize Operations, that operational visibility can be extended to be tenant-aware and help monitor your vRA environment in a whole new way.

This new Management Pack gives you comprehensive visibility into both performance and capacity metrics of a vRA tenant’s business groups and underlying cloud infrastructure. By combining these new metrics with the custom dashboarding capabilities of vRealize Operations, you gain an unprecedented level of flexibility and insight when monitoring these complex environments.

The purpose of this post is to walk you through the implementation of this new Management Pack – so, let’s get right to it.

You can download the Management Pack from the VMware Solution Exchange here.

Part 1: Enabling vROps as your Metrics Provider

First, let’s review what you’ll see before you integrate vRA and vROps. Looking at the details of any deployed item, you can see the highlighted white space – space that can definitely be put to more productive use.

Item_Details_Before_Integration

Assuming you’re logged in as a vRA Tenant Administrator, click on the Administration tab, then the Reclamation button in the menu at the left. Select Metrics Provider and you’ll see the configuration panel for the vROps endpoint. Fill in the appropriate details for your vROps instance and click Test Connection. Once it succeeds, click Save.

Set_Up_Metrics_Provider

You will probably be prompted to accept the SSL certificate offered up by your vROps instance. Click OK to accept the certificate, provided you trust it!

Accept_vROps_Cert

Now, if you click on the Tenant Machines option to the left, you’ll be presented with a list of all of your provisioned machines. You can see that now there’s a Health status badge for each machine. In my case, the Health is reporting an “Immediate” (orange) status for many of my virtual machines, due to very heavy utilization in my lab. You can also see the average CPU, Memory and Network consumption for each machine – data pulled directly from vROps. This consumption data can be used directly from within this view to initiate reclamation requests. For example, if a VM was identified here as idle, the VM owner could be notified and the resources recovered.

Tenant_Machines_View

Click back to the Items tab and view the same object you looked at earlier. You will see that the white space now contains a vROps-driven Health badge, with information about any possible issues. When you’re ready, log out of your vRA instance.

Item_Details_After_Integration

Part 2: Configuring vRealize Automation

You’ll need to log in as  the default administrator for this next step – administrator@vsphere.local

Log_In_vRA_Default_Administrator

Click on the Administration tab, followed by the Tenants menu button at the left. Locate the Tenant that you plan to link vROps to and Edit it. In this example, I am modifying the vsphere.local Tenant.

Locate_Target_Tenant

Now, select the Local Users tab. Click the +New button to add a new user and fill in the requested details. In this case, my new username is “vropsmp” – and since we are creating this local user in the vsphere.local tenant, the full account is “vropsmp@vsphere.local“. Click OK and then Next.

Add_New_Local_User

This will place you on the Administrators tab. Using the Search boxes, find and add your new local account to both the Tenant Administrators and the IaaS Administrators role. Click Finish when you’re done, and then Log Out of vRA.

Assign_Tenant_Rights

Now you’ll need to log back in as your normal vRA Tenant Administrator to finish the configuration.

Log_In_vRA_Tenant_Admin

Click the Infrastructure tab, then Endpoints from the menu on the left. Select Fabric Groups from the sub-menu and then click to edit your Fabric Group. In this example, the Fabric Group is named Dev Cluster.

Navigate_To_Fabric_Groups

Search for and add your new local user to the list of Fabric Administrators. Remember, in this example the user is named vropsmp@vsphere.local. Click OK to save the Fabric Group.

Edit_Fabric_Group

Now, click on the Administration tab, followed by Users & Groups from  the menu on the left. Select the Directory Users and Groups sub-menu and search for your new local user. Click the user’s name to edit it.

Navigate_To_Directory_Users

In the list to the right titled “Add roles to this User“, scroll down until you find the Software Architect role. Select it and then click Finish to save the account.

Assign_Software_Architect_Role

Part 3: Configuring vRealize Operations

Once you’ve downloaded the new Management Pack (again, found here) you’ll need to import it into vROps and configure it to retrieve data from vRA.

Log in to vROps with an administrative user account.

Log_In_vROps

Click on the Administration tab, and ensure Solutions is selected. Click the + symbol to import a new Solution.

Import_New_Solution

Click the Browse button to select the downloaded Management Pack, then click Upload.

NOTE! If you already had the earlier vROps Management Pack for vRA installed, you may have to do a “force install” by selecting the first checkbox. This is because the version number scheme was changed, and vROps recognizes the NEW MP as being an OLDER version. This is normal, if a bit cumbersome.

Click Next when the upload is verified and you are ready to proceed.

Upload_New_Solution

Accept the EULA (after reading it carefully first, of course) and click Next again.

Accept_EULA

The installation will run for a while. When it shows “Completed”, click Finish.

Complete_Installation

Locate the new Management Pack in the list of Solutions and highlight it. Click the Configure icon (gears) to bring up the configuration dialog. Fill in a Display Name and Description as well as your vRA URL and the name of the Tenant you want to connect to. In this example, the Tenant is vsphere.local. Click the + sign to start setting up credentials next.

Configure_Solution_Basics

Fill in the credential details as shown – your SysAdmin should be the administrator@vsphere.local administrative account, and your SuperUser will be the local user you created at the beginning of these steps. In this example, that local user is vropsmp@vsphere.local. Click OK when you’re done.

Manage_Credential

Click the ‘Test Connection‘ button. You’ll be prompted with two SSL certificate dialogs – accept them both, if you trust the certificates. You see two because the Management Pack is communicating with both your core vRA appliance as well as your IaaS server(s).

Test_Connection_Accept_Cert_1

Accept_Cert_2

If you’ve set everything up properly, you’ll see a message like this one. Click OK.

Test_Successful

Click on Save Settings to save your adapter configuration. You’ll be prompted with a “Save Successful” dialog – click OK here as well – then click Close.

Save_Solution_Settings

If everything’s gone according to plan, you should now see that your Management Pack is configured and receiving data from your vRA instance.

Solution_Details

Part 4: Reviewing Dashboards

Now that all of the configuration is complete, you’re ready to start consuming the rich data exposed by your new integration. Click on the Home tab in vROps, followed by the drop-down arrow for the Dashboard List. Hover over the vRealize Automation sub-menu to see the 4 available default  dashboards.

Navigate_To_vRA_Dashboards

The vRealize Automation Overview dashboard shows information about the entire vRA instance – including component health and a whole host of metrics about each individual component of the instance. This is useful for troubleshooting and analyzing performance across your entire implementation of the vRA stack.

vRealize_Automation_Overview

The vR Automation Tenant Overview dashboard provides exactly that – an overview of the various risk and health metrics pertinent to each configured vRA Tenant.

vR_Automation_Tenant_Overview

The vR Automation Cloud Infrastructure Monitoring dashboard allows you to see what impact infrastructure issues are having on tenant virtual machines, and what outstanding alerts may be present for those machines and infrastructure.

vR_Automation_Cloud_Infrastructure_Monitoring

Finally, the vR Automation Top-N Dashboard provides highlight Top-N metrics, such as the most popular Blueprints, most wasteful Tenants, the Business Group with the most alerts, etc.

vR_Automation_Top-N_Dashboard

And, of course, all of the objects which are exposed by the Management Pack can be viewed in the vRealize Automation Environment view. These objects can all be referenced by Super Metrics, or custom dashboards, or scheduled reports – but those are all beyond the scope of this guide.

vRealize_Automation_Environment

That just about wraps it up – except, of course, for the most important part…

This post was brought to you by New Helvetia Brewing Company’s Mystery Airship 2.0 Imperial Chocolate Porter, brewed with Ginger Elizabeth’s Oaxacan Spicy Chocolate. This is quite possibly the single greatest beer I have ever tried – the darkness of the porter is supplemented by the brightness of the ginger and creamy feel of the chocolate. The flavors dance on your palate and then vanish in a fog of lingering, dark spice. I honestly think I found my desert island beer!

New_Helvetia_Ginger_Elizabeth_Porter

Happy Automating!

An Elephant Named Multitenancy – Multitenancy in vRealize Automation

I had the opportunity recently to spend a few days in sunny Florida with a group of VMware’s Professional Services leaders. The week was spent discussing, demonstrating and teaching them all about the newly released vRealize Automation 7. We focused on how this release could deliver on the promise of truly flexible, extensible automation and enable our customers’ journey to the cloud. But across many of my sessions and discussions, it became obvious that there was a looming question – an elephant in the room.

That elephant’s name? Multitenancy.

I wanted to take a little while and outline what Multitenancy really means, from the formal definition to the way that VMware implements the concept in vRealize Automation, and what that implementation really means for you, my readers, co-workers, customers and friends.

Let’s start with the formal definition, for which I will reach out to Gartner. I chose Gartner as my source for this definition because I believe that this is where many people first saw the term become popular.

According to http://www.gartner.com/it-glossary/multitenancy :

“Multitenancy is a reference to the mode of operation of software where multiple independent instances of one or multiple applications operate in a shared environment. The instances (tenants) are logically isolated, but physically integrated. The degree of logical isolation must be complete, but the degree of physical integration will vary. The more physical integration, the harder it is to preserve the logical isolation. The tenants (application instances) can be representations of organizations that obtained access to the multitenant application (this is the scenario of an ISV offering services of an application to multiple customer organizations). The tenants may also be multiple applications competing for shared underlying resources (this is the scenario of a private or public cloud where multiple applications are offered in a common cloud environment).”

Whew, that’s a mouthful. Let’s break it down a little bit, as it specifically pertains to vRealize Automation (vRA,) starting with an example.

Frank works for the finance department of a large company. He is responsible for deploying a new instance of a SQL-based financial application. The database for this application contains very sensitive company data that must be protected from unauthorized disclosure – both within the company and to external parties.

Andy, on the other hand, is an intern with the application development department of the same company. He needs a new external, forward facing web server to be provisioned. This server will be available to everyone in the world – both external and internal users.

And finally, Isaac is a system administrator with the IT department at our fictional company. He is tasked with configuring and maintaining the vSphere environment, storage systems and vRA instance (busy guy!)

Now, as the management plane for a hybrid cloud solution, vRA positions itself as a manager of managers. It inherently has visibility into all of the resources that it is responsible for managing, allocating and providing access to. These resources, as defined above, are shared – that is the very nature of cloud computing. Things like compute power in the form of vSphere Clusters or vCloud Air blocks, abstracted storage capacity in the form of vSphere Datastores, network access, etc. One of vRA’s many responsibilities is to act as an authentication and authorization solution – ensuring that while Frank and Andy can both log in to the same portal, they can only see the resources that they have been granted access to.

That means that Isaac must guarantee that Andy cannot access that sensitive financial data that Frank is working with. And while Frank may be a skilled DBA and analyst, the last time he wrote any code was back in the Cobol days – what business does he have deploying web services? None, that’s what!

This is a classic multitenancy example in a cloud-oriented world. Apply the same principles to your own organization – you should be able to see the parallels immediately. Replace Finance and Development with Test and Production, or with your Palo Alto and Washington, DC branch offices.

Here’s where the good news starts. vRealize Automation has been designed to account for exactly these principles. Inside the platform, VMware has provided quite a few layers of access control. Let’s explore some of them in greater detail.

  • Tenants – These are logical divisions that set boundaries for all of the stored objects and policies inside of vRA, with the exception of the endpoints and collected fabric groups. Tenants provide the opportunity to apply unique branding to the vRA Portal and login splash screen, have dedicated authentication providers and other Tenant-dedicated services (e.g. a unique vRO instance). A Tenant Administrator can delegate the management of objects and resources within their own tenant to other users inside their organization. While handy for logical separation, vRA’s Tenant construct is not frequently used in production deployments, as the following constructs usually provide more than adequate segregation without increasing administrative overhead. VMware’s best practice is to leverage a single Tenant and multiple Business Groups.
  • Fabric Groups – A Fabric Group is a policy that defines the relationship between heterogeneous compute resources and the authorized administrators who can slice them up into virtual datacenters (VDCs) for consumption, also known as Reservations. This means that an administrator like Isaac can select certain “chunks” of available infrastructure and assign it for use by specific sets of consumers. Examples of an “infrastructure chunk” can include a vSphere Cluster, a vSphere Datastore, an AWS instance or a vCloud Air ovDC. Once these “chunks” are designated as part of a Fabric Group, the responsible Infrastructure Administrator can determine how they are allocated among consumers across Tenants.
  • Reservations – Reservations are a way for the Infrastructure Administrators to determine how much of an “infrastructure chunk” a Business Group can consume. For example, you might have a vSphere Cluster for your Production environment which contains 512GB of pRAM and 5 1TB Datastores. Once you have created a Production Fabric Group, a Reservation can be used to determine that the Finance Business Group gets 64GB of pRAM and 2 of those Datastores, while the Application Development Business Group gets 448GB of pRAM and access to the other Datastore. By doing this, Isaac the Infrastructure Administrator has ensured that the shared cloud infrastructure has been logically segregated, and that Andy can’t over-consume the shared resources and put Frank’s production application at risk.
  • Business Groups – A Business Group is a logical grouping of users, which can contain both standard users as well as Managers. A standard user is able to log in to the vRA portal and select items from the catalog – subject to their Entitlement, which will be covered in a moment. Managers are responsible for configuring the governance of deployed workloads as well as the membership of the Business Group. Managers can also request and manage items on behalf of the users who they manage.
  • Entitlements – Finally, the Entitlement is a way to refine exactly what a user of the platform can see and do in the catalog and with their deployed items. And, the actions granted in an Entitlement can be tied in at any point to vRA’s multi-level Approval engine to add management oversight and governance if desired.  So, for example, a Java developer could be permitted to deploy only Linux servers with an Eclipse IDE pre-installed, while an MSSQL DBA could deploy only Windows servers with SQL Server installed, pending his manager’s approval. Both could be permitted to power cycle their machines, while only the Java developer might have access to destroy his system.  These are just examples – an Entitlement can be configured with virtually limitless combinations of actions. abilities and approvals.

vRA_MT_Example

So, in our scenario, Isaac would use the Default vRA Tenant for his organization – since it’s all the same company, no special branding is needed. He would then create a Fabric Group that encompasses the appropriate computing and storage capacity for his departments – whether public cloud based like vCloud Air or private cloud, like an on-premise vSphere environment. Then, he would make two Business Groups for the Finance and Development departments – each with a Reservation specifying how much of the fabric capacity the department could consume. Finally, he would configure Entitlements that determine which users/Business Groups can deploy and manage which types of Blueprints.  The image above illustrates that while in some cases Blueprints may be shared, the ability to manage workloads provisioned from those shared Blueprints has been limited by the Business Group.

For example, in the scenario pictured, Developers can provision Blueprints 1, 2, and 3 – and Finance users can provision Blueprints 3 and 4. But each resulting object belongs solely to the Business Group that created it – the shared nature of the original Blueprint has no impact on the provisioned server.

vRA_Isolation_Layout

The segregation outlined in this scenario is more than sufficient to meet the multitenancy requirements of virtually every customer. And when you add the incredible power of NSX Micro-Segmentation to your environment, the levels of isolation you can achieve between deployed machines, network segments, organizational units, etc is simply unparalleled.

Now, one potential concern that I have heard customers raise is that an Infrastructure Administrator can “see” the available resources attached to every endpoint. Well, yes and no! In our scenario above, Isaac definitely knows that compute clusters and Datastores dedicated to both Development and Finance exist – that’s his job, after all! But vRA does not enable him to browse those datastores, or manipulate the provisioned servers owned by those Business Group members. Since vRA is positioned to be that manager of managers, owned and maintained by the cloud (or IT) team of an organization, does the simple awareness of the existence of these resources really present any risk?

My argument would be that no, outside of the very rare scenario of a formal carrier-grade service provider – it doesn’t.

I hope this post has helped to clear up some of the confusion around Enterprise Multitenancy in vRealize Automation and helps put some of the FUD around this concept to rest.

Please feel free to leave any feedback you might have in the comments by clicking “Leave a Comment” at the top of the article. I’m very interested in hearing what others think about this topic.

Brewmaster Jack Garden of Grass

And of course… This post was brought to you by Brewmaster Jack’s Garden of Grass American IPA. This fantastic fresh hop beer sports a rare and “experimental” hop varietal known as HBC 452, which imparts a great and juicy watermelon flavor that mixes with the distinct piney-ness of Simcoe hops.

Happy Automating!