On Monday, March 25, IBM Cloud released the latest updates to our VMware Solutions offerings. The enhancements in this release include:
- As we announced at Think 2019, IBM Cloud now offers Caveonix RiskForesight as an add-on service for your VMware vCenter Server (VCS) instance. Caveonix RiskForesight helps you to manage compliance risks with proactive monitoring and automated defense controls to protect against threats and to meet industry and government regulations.
- You now have the option to deploy a VMware vCenter Server (VCS), hybridity bundle, or VMware vSphere Server (VSS) instance using VMware vSphere 6.7u1 and vCenter Server 6.7u1, in addition to version 6.5u2. Note that vSphere 6.7u1 is not available on all hardware combinations.
- You now have the option to deploy a VMware vCenter Server (VCS) or hybridity bundle instance using VMware NSX-T version 2.4, in addition to NSX-V version 6.4.4. We offer NSX-T at this time for proof of concept, test, and sandbox purposes to test drive this exciting new network technology from VMware.
- IBM Cloud has updated the versions of several add-on services available for VCS. F5 BIG-IP Virtual Edition is updated to V126.96.36.199; HyTrust Cloud Control is updated to V5.4.2; Zerto Virtual Replication is updated to V6.5 update 3; and Veeam Backup & Replication is updated to V9.5 update 4.
- The latest version of Veeam now supports IBM Cloud Object Storage as a storage tier, which enables much more cost-effective long-term storage for your virtual machine backups.
- IBM Cloud for VMware Solutions now deploys new ESXi servers for your VCS instance with secure shell (SSH) disabled.
- You can now simultaneously add or remove ESXi servers from multiple clusters in a VCS instance.
- You now have the option to add new ESXi servers to their VCS clusters in maintenance mode. This allows you to perform custom configuration on these servers before any virtual machines run on that server.
- IBM Cloud for VMware Solutions now provides a REST API that you can use to deploy and delete VCS instances, clusters, and hosts.
- IBM Cloud increased the maximum size of Endurance file storage for a VCS instance from 12 TB to 24 TB. The larger sizes are available at performance levels of 0.25, 2, and 4 IOPS/GB.
- IBM Cloud’s KMIP for VMware key management service offering is now available in the Sydney multi-zone region (MZR).
- You can now display the VLANs and subnets allocated to your VCS instance on the instance’s Infrastructure view in the IBM Cloud portal.
Additionally, you should be aware of the following announcements:
- Beginning May 13, IBM Cloud will no longer support VMware Cloud Foundation (VCF). IBM Cloud is actively working with existing VCF customers on a transition or migration plan.
- Beginning in August, IBM Cloud for VMware Solutions will no longer support VLAN spanning. If you are using VLAN spanning, you should convert your account to Virtual Routing and Forwarding (VRF) by this time. Additionally, you will be required to enable Service Endpoints for your account by this time.
For details on all of these features and announcements, see the IBM Cloud for VMware Solutions release notes and related documentation.
Happy birthday to IBM Cloud for VMware Solutions! Two years ago today VMware Cloud Foundation and VMware vCenter Server on IBM Cloud became generally available. Sixteen releases later, we’ve come a long way! If you’re in Barcelona for VMworld 2018, stop by our booth and say hi!
IBM Cloud for VMware Solutions deploys VMware vCenter Server (VCS) environments using a network architecture consisting of three VLANs: one private VLAN used for management traffic and for NSX VTEPs, a second private VLAN used for storage traffic and vMotion, and a public VLAN.
Initially a sample NSX configuration is deployed for your use, including a distributed logical router (DLR), and an edge services gateway (ESG) that provides NAT service outbound from a logical switch (VXLAN) to both the IBM Cloud private network (10.0.0.0/8 addresses) and the public Internet.
The simple case is to deploy your virtual machines onto the logical switch and take advantage of the ESG to access the private and public networks. (Note that the ESG is initially configured with the sample NAT rule disabled, so you will need to enable it.) However, in our case study we want to deploy a virtual machine that will be used as part of the management stack to manage vCenter, ESXi hosts, and deploy workloads into vCenter. As a result, we prefer to have our virtual machine live directly on the private management network, but it will still need access to the public network, for example to download updates. This means we will need both to assign a private IP to the VM, and also to reconfigure the ESG to provide NAT from the private network to the public network.
You can discover the management VLAN on which your VCS instance is deployed by logging into the IBM Cloud infrastructure portal, displaying details for your bare metal servers, and identifying the Private interface. This information is important if you later need to order additional private portable IP addresses for your use. IBM Cloud infrastructure provides two different kinds of IP addresses: (1) primary subnets whose allocation IBM Cloud manages for bare metal servers and virtual servers, and (2) portable subnets whose allocation is typically managed by you and not by IBM Cloud. Note however that IBM Cloud for VMware Solutions orders and manages several portable subnets for your VCS instance. The only portable subnets associated with the VCS that are available for your use are those that are attached to the private and public interfaces of the sample ESG deployed in your instance. We will use one of these addresses for our VM’s deployment.
- Establish connectivity to your VCS environment (e.g., using the IBM Cloud VPN)
- Log in to your vCenter web client UI
- Click the Home icon and navigate to Networking & Security
- Select NSX Edges and double-click on the customer-nsx-edge
  - Select the Manage tab, Settings item, and view the list of Interfaces. Note the interface with a 10.x.x.x/26 address. This represents the private portable subnet available to you for your use. One IP address is used by the ESG, but the remaining addresses (excluding the network address, the gateway address = network+1, and the broadcast address) are available to you for your use. The ESG can be configured to serve as a NAT for any address in the same subnet as itself. Note well that you will be responsible for managing the assignment of addresses within this subnet to prevent conflicts!
- Configure the ESG firewall to allow outbound traffic from the 10.x.x.x/26 network
  - Select the Firewall tab and add a new rule after the “All outgoing customer VMs” rule
  - Configure this rule to allow outgoing traffic from the management network; the source IP specification should be the same subnet as the ESG, for example 10.123.171.128/26
  - Click to Publish Changes
- Configure the ESG to NAT traffic from the private to the public network
  - Select the NAT tab and add a new SNAT rule
  - Configure this rule to operate on the Public Uplink, for all protocols, for the source IP range matching the ESG subnet (e.g., 10.123.171.128/26), and with a translated IP address matching the public IP address for the ESG (use the same address as the existing NAT rule). Ensure that the rule is enabled.
  - Click to Publish Changes
- Deploy and configure your virtual machine
  - IBM Cloud maintains a mirror of many popular Linux distributions, available only on the private network.
  - Ensure that your VM is attached to the management network. Attach its adapter to the SDDC-DPortGroup-Mgmt port group.
  - Configure the network adapter using an address from the ESG subnet. Set its default gateway to point to the ESG rather than to the IBM Cloud backend customer router (BCR). Identify the DNS server(s) for your instance by viewing one of your hosts’ TCP/IP configuration in vCenter. For example, if using RHEL:
  - Configure the adapter’s static routes to point to the BCR (i.e., the subnet gateway address) for all private network addresses. Note that IBM Cloud uses both subnets 10.0.0.0/8 and 188.8.131.52/16 for internal traffic. For example, if using RHEL:
    10.0.0.0/8 via 10.123.171.129 dev ens192
    184.108.40.206/16 via 10.123.171.129 dev ens192
  - Configure NTP to point to time.service.networklayer.com
The result is that we can access both the private and public networks from our VM:
[root@localhost ~]# ### Ping vCenter
[root@localhost ~]# ping -c 1 10.123.170.130 | fgrep transmitted
1 packets transmitted, 1 received, 0% packet loss, time 0ms
[root@localhost ~]# ### Ping Google DNS
[root@localhost ~]# ping -c 1 220.127.116.11 | fgrep transmitted
1 packets transmitted, 1 received, 0% packet loss, time 0ms
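As an added example (not code from the original post), the address bookkeeping behind the steps above: given the ESG's private portable interface, it works out the reserved addresses (network, BCR gateway at network+1, broadcast, the ESG itself), rejects VM addresses the SNAT rule would not cover, and renders the RHEL static-route lines that keep private traffic on the BCR. The ESG interface value is constructed; only 10.0.0.0/8 is built in, so the second internal /16 from the post must be appended to the tuple.

```python
import ipaddress

# Constructed values for this example (not taken from a real instance): the
# private portable interface of the sample ESG, in the 10.x.x.x/26 shape the
# post describes, and the prefixes that must stay on the private path via the BCR.
ESG_INTERFACE = "10.123.171.130/26"
# 10.0.0.0/8 is from the post; add the second internal /16 it lists as well.
IBM_PRIVATE_NETS = ("10.0.0.0/8",)


def plan_subnet(esg_interface):
    """Split the ESG's portable subnet into reserved and usable addresses.
    Reserved: network address, BCR gateway (network + 1), broadcast, and the
    ESG's own address; everything else can be handed to VMs."""
    iface = ipaddress.ip_interface(esg_interface)
    net = iface.network
    gateway = net.network_address + 1
    reserved = {net.network_address, gateway, net.broadcast_address, iface.ip}
    usable = [a for a in net.hosts() if a not in reserved]
    return {"network": net, "bcr_gateway": gateway, "esg": iface.ip, "usable": usable}


def validate_vm_address(esg_interface, vm_ip):
    """Check a proposed VM address before assigning it: the ESG only NATs its own
    subnet, and reserved addresses would conflict with the BCR or the ESG."""
    plan = plan_subnet(esg_interface)
    ip = ipaddress.ip_address(vm_ip)
    if ip not in plan["network"]:
        return False, "outside the ESG subnet, so the SNAT rule will not match it"
    if ip not in plan["usable"]:
        return False, "reserved address (network, BCR gateway, broadcast or ESG)"
    return True, "ok"


def rhel_static_routes(esg_interface, device="ens192", private_nets=IBM_PRIVATE_NETS):
    """Render the route-<device> lines: private prefixes go to the BCR so they
    never traverse the ESG; the default route (not listed here) points at the ESG."""
    plan = plan_subnet(esg_interface)
    return [f"{net} via {plan['bcr_gateway']} dev {device}" for net in private_nets]


if __name__ == "__main__":
    plan = plan_subnet(ESG_INTERFACE)
    print(f"subnet {plan['network']}: BCR {plan['bcr_gateway']}, ESG {plan['esg']}, "
          f"{len(plan['usable'])} usable addresses, first free {plan['usable'][0]}")
    print("VM default gateway:", plan["esg"])
    for line in rhel_static_routes(ESG_INTERFACE):
        print(line)
```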
IBM Cloud offers a VPN service for your account which you can use to access your dedicated IBM Cloud network. The VPN access is available from your browser using a Java applet, but is also available using a standalone VPN application for Windows, Linux, or macOS.
Unfortunately, I’ve found that the version 2.0 update of the MotionPro Plus application for macOS has broken my VPN access. Not only has it lost all of the passwords I had previously saved, but when I do enter my password and attempt to connect to the IBM Cloud, it immediately disconnects.
While we await a fix from Array Networks, it is possible to revert to an older version of MotionPro:
- View the macOS Launchpad and find the MotionPro+ icon
- Click and hold the icon until it begins to jiggle, then release. Note that this will delete your MotionPro configuration.
- Click the X to uninstall MotionPro+
- From the Array Networks support site, download the latest Mac OS MotionPro client corresponding to AG-OS 9.4.0.x
- Open the disk image and run the MotionPro installer package within the image. The installer will also install some command line tools
- Recreate your MotionPro configuration
See also: managing SoftLayer VPN subnet access.
Kurtis Martin and I recently published a tutorial that shows how you can securely connect your VMware workload running in the IBM Cloud to other IBM Cloud services. This enables you to seamlessly extend your VMware application with valuable cognitive, data, and developer services available in the IBM Cloud.
Read more at IBM developerWorks: Securely connect your private VMware workloads in the IBM Cloud.
I presented a brief overview highlighting this tutorial at the IBM booth at VMworld 2017. Watch my overview here:
IBM’s Interconnect conference is March 19-23 this year. There are quite a few interesting sessions currently lined up related to VMware and IBM Cloud:
- Monday at 2pm, Dream Payments deploys international payment networks with IBM Cloud for VMware Solutions
- Tuesday at 11:30am, Achieving and maintaining security and compliance in a hybrid cloud
- Tuesday at 2:30pm, Networking Magic: Intercontinental vMotion on IBM Bluemix Infrastructure in minutes
- Tuesday at 3:45pm, A deep dive into the cloud transformation journey of a large European bank
- Wednesday at 11:15am, Breaking virtualization beyond datacenter boundaries at CIBC
- Wednesday at 11:15am, Addressing workload / data geo-fencing challenges in cloud by leveraging NIST Publication IR 7904
- Wednesday at 2pm, Next generation digital workplace-as-a-service with Cancom AHP on IBM Bluemix with VMware
- Wednesday at 3:15pm, VMware on IBM Cloud: A Clarient case study on the death of traditional CAPEX
- Wednesday at 3:15pm, ONTAP Select on IBM Cloud: Deploying a validated software-defined storage solution for hybrid cloud
- Wednesday at 4:15pm, Design and deployment of VMware on IBM Cloud: Multiplus case study
- Thursday at 8:30am, IBM and VMware: Connecting it all
- Thursday at 10:30am, DevOps within the hybrid cloud: Deploying to the VMware platform on the IBM Cloud
- Thursday at 10:30am, Puzzled? Learn how IBM solutions complete each other to drive your digital transformation
I hope to see you at Interconnect 2017!
The IBM SoftLayer VPN only supports connection to 64 of your private subnets. If you have more than 64 private subnets in your SoftLayer account, you need to switch your VPN’s subnet management from Automatic to Manual, and select the specific subnets to which you want to connect.
The process for selecting subnets in the UI is not simple, especially if your account has hundreds of subnets. The subnets are not sorted, the dialog is small, and the pagination is slow.
However, it is possible to manage your VPN subnets programmatically using the SoftLayer API. I have created a Python script that allows you to manage your SoftLayer VPN subnet access. The script requires your SoftLayer username, API key, and a list of private IP addresses to which you want to connect. The script locates the subnets in your account that match your selected IP addresses, and assigns exactly these subnets to your SoftLayer VPN account.
You should wait a few minutes after running the script for it to take effect.
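The subnet-matching core of such a script, as an added example rather than the author's script: from constructed subnet records it selects the private subnets that contain the requested IPs, reports IPs that no subnet covers, enforces the 64-subnet VPN limit, and diffs the result against the user's current assignment. The record field names are assumptions, and the SoftLayer API calls that fetch the account's subnets and update the VPN user are not shown.

```python
import ipaddress

# The SoftLayer VPN only carries 64 private subnets (the limit the post describes).
VPN_SUBNET_LIMIT = 64

# Constructed sample records; the field names (id, networkIdentifier, cidr) are an
# assumption about the shape of account subnet objects, and all values are made up.
SAMPLE_SUBNETS = [
    {"id": 101, "networkIdentifier": "10.123.171.128", "cidr": 26},
    {"id": 102, "networkIdentifier": "10.123.170.128", "cidr": 26},
    {"id": 103, "networkIdentifier": "10.45.0.0", "cidr": 24},
    {"id": 104, "networkIdentifier": "10.200.8.0", "cidr": 25},
]


def select_vpn_subnets(subnets, wanted_ips, limit=VPN_SUBNET_LIMIT):
    """Return (sorted ids of subnets containing any wanted IP, IPs no subnet matched).
    Raises ValueError when the selection would exceed the VPN's subnet limit, so a
    too-long input list cannot silently lose access to subnets past the cutoff."""
    nets = [(ipaddress.ip_network(f"{s['networkIdentifier']}/{s['cidr']}"), s["id"])
            for s in subnets]
    chosen, unmatched = set(), []
    for raw in wanted_ips:
        ip = ipaddress.ip_address(raw)
        hits = [sid for net, sid in nets if ip in net]
        if hits:
            chosen.update(hits)
        else:
            unmatched.append(raw)
    if len(chosen) > limit:
        raise ValueError(f"{len(chosen)} subnets selected, VPN allows at most {limit}")
    return sorted(chosen), unmatched


def vpn_subnet_changes(current_ids, desired_ids):
    """Diff the subnets currently on the VPN user against the desired set, so the
    assignment step adds and removes exactly what is needed and nothing else."""
    current, desired = set(current_ids), set(desired_ids)
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    ids, missing = select_vpn_subnets(SAMPLE_SUBNETS,
                                      ["10.123.171.140", "10.45.0.9", "192.168.1.5"])
    print("assign subnets:", ids, "no subnet for:", missing)
    print("add/remove versus current [102, 103]:", vpn_subnet_changes([102, 103], ids))
```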