Tag Archives: VMC

Resolving VMC – Objects with non-compliant storage policies in SDDC

The Issue

Overnight I received an email from the VMware Cloud Services platform regarding a VMC environment I am an administrator of. The opening paragraph was as below:

Please be advised that you have VMs and or objects in your VMware Cloud on AWS SDDC that do not comply with the VMC SLA i.e. they have non-compliant storage policies.

Well, this doesn’t sound good. The email trailed off with a list of affected virtual machines and snapshots.

The Cause

This message flags that best practices are not being followed in the VMC environment. VMC implements Managed Storage Policy Profiles (MSPP), which integrate vSphere VM Storage Policy management into SDDC management, ensuring that any workload not assigned a custom storage policy always complies with the service's SLA requirements.

In short, if your VMs are part of the managed storage profile, they are covered by the SLAs provided by VMC, and if there’s an outage, you are eligible for credits.

You do have the ability to create your own custom policies as you require, but any VMs that are configured in these policies are not subject to the SLA.

The email is simply a pointer to say “hey we recommend you move those objects to a storage policy covered by the SLA”.

Below we have the custom policy (in this case just the default VSAN policy) and then the provided managed policy which takes the format of “VMC Workload Storage Policy – <Cluster-Name>”

VSAN default policy

VSAN managed policy

The Fix

If you want to resolve this, then here is a quick PowerCLI script to do that for you.

# Name of the custom policy currently applied, and the managed policy to move to
$custompolicy = "<Custom Storage Policy Name>"
$managedpolicy = "<Managed Cluster Policy Name>"

# To target the VMs' home configuration
$vms = Get-VM * | Get-SpbmEntityConfiguration | Where-Object {$_.StoragePolicy -like $custompolicy}

foreach ($VM in $vms) { $VM | Set-SpbmEntityConfiguration -StoragePolicy $managedpolicy }

# To target the hard drives of VMs
$hds = Get-VM -Location Compute-ResourcePool | Get-HardDisk | Get-SpbmEntityConfiguration | Where-Object {$_.StoragePolicy -like $custompolicy}

foreach ($hd in $hds) { $hd | Set-SpbmEntityConfiguration -StoragePolicy $managedpolicy }

Below we can see that the VSAN environment is now resyncing the data to meet the new storage policy requirements.

VSAN Resync Objects

If you’ve any questions or concerns about the changes to the storage policies for your production workloads, then as always, contact VMware Support to discuss first.
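Before running a bulk change like the script above, it helps to record which VM homes and disks sit outside the managed policy so the list can be reviewed first. The following is an added example, not part of the original script; the function name Get-NonManagedPolicyObject, the wildcard pattern and the sample objects are assumptions constructed for illustration.

```powershell
# Added example (not from the original post): report objects that are not on a
# managed policy, so the list can be reviewed before any policy is changed.
function Get-NonManagedPolicyObject {
    [CmdletBinding()]
    param(
        # Any object exposing Entity, StoragePolicy and ComplianceStatus,
        # as returned by Get-SpbmEntityConfiguration.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Configuration,

        # Assumption: managed policies keep the name format shown in the post.
        [string]$ManagedPolicyPattern = 'VMC Workload Storage Policy*'
    )
    process {
        $policy = $Configuration.StoragePolicy
        # No policy assigned means the object uses the datastore default.
        # Accept either a policy object (with .Name) or a plain string.
        $policyName = if ($null -eq $policy) { '(none)' } elseif ($policy.Name) { $policy.Name } else { "$policy" }

        if ($policyName -notlike $ManagedPolicyPattern) {
            [pscustomobject]@{
                Entity           = "$($Configuration.Entity)"
                CurrentPolicy    = $policyName
                ComplianceStatus = "$($Configuration.ComplianceStatus)"
            }
        }
    }
}

# Constructed sample objects standing in for live Get-SpbmEntityConfiguration output.
$sample = @(
    [pscustomobject]@{ Entity = 'app01'; StoragePolicy = 'vSAN Default Storage Policy'; ComplianceStatus = 'compliant' }
    [pscustomobject]@{ Entity = 'Hard disk 1'; StoragePolicy = 'VMC Workload Storage Policy - Cluster-1'; ComplianceStatus = 'compliant' }
    [pscustomobject]@{ Entity = 'db01'; StoragePolicy = $null; ComplianceStatus = 'notApplicable' }
)
$sample | Get-NonManagedPolicyObject | Format-Table -AutoSize

# Live use, after Connect-VIServer:
#   $vms = Get-VM
#   $cfg = @($vms | Get-SpbmEntityConfiguration) + @($vms | Get-HardDisk | Get-SpbmEntityConfiguration)
#   $cfg | Get-NonManagedPolicyObject | Export-Csv -NoTypeInformation -Path .\non-managed-objects.csv
```

Keeping the exported list alongside the change record also gives a reference for which objects were moved if a policy needs to be reverted.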

Regards

Dean Lewis

 


Tanzu Mission Control – TKG Management support and provisioning new clusters

In this blog post, I am going to cover the new support for Tanzu Kubernetes Grid Management clusters on both VMware Cloud on AWS (VMC) and Azure VMware Solution (AVS). This functionality also allows the provisioning of new Tanzu Kubernetes workload clusters (TKC) to the relevant platform, provisioned by the lifecycle management controls within Tanzu Mission Control.

Below are the other blog posts I’ve written covering Tanzu Mission Control.

Tanzu Mission Control 
- Getting Started Tanzu Mission Control 
- Cluster Inspections 
- Workspaces and Policies  
- Data Protection 
- Deploying TKG clusters to AWS 
- Upgrading a provisioned cluster 
- Delete a provisioned cluster 
- TKG Management support and provisioning new clusters
- TMC REST API - Postman Collection

Release Notes

Below are the relevant release notes for the features I’ll cover. In this blog post, I’ll just be showing screenshots for a VMC environment, however the same applies to AVS as well.

What's New May 26, 2021

New Features and Improvements

    (New Feature update): Tanzu Mission Control now supports the ability to register Tanzu Kubernetes Grid (1.3 & later) management clusters running in vSphere on Azure VMware Solution.

What's New April 30, 2021

New Features and Improvements

    (New Feature update): Tanzu Mission Control now supports the ability to register Tanzu Kubernetes Grid (1.2 & later) management clusters running in vSphere on VMware Cloud on AWS. For a list of supported environments, see Requirements for Registering a Tanzu Kubernetes Cluster with Tanzu Mission Control in VMware Tanzu Mission Control Concepts.

Prerequisites

This first management cluster deployment is not supported by TMC, nor is it supported for a management cluster to deploy workload clusters across platforms. For example, a management cluster running in AWS does not have the capability to deploy workload clusters to VMC or AVS or Azure.

The following requirements are from the product documentation.

  • The management cluster must be deployed as a production cluster with multiple control plane nodes
    • However, in my demo lab I was able to successfully run this using a development deployment.
  • Tanzu Kubernetes Grid workload clusters need at least 4 CPUs and 8 GB of memory
    • Again, I deployed a small instance type (2 vCPU, 4GB RAM) and this didn’t seem to be an issue.
  • Tanzu Kubernetes Grid management clusters (version 1.3 or later) running in vSphere on Azure VMware Solution (AVS).
  • Tanzu Kubernetes Grid management clusters (version 1.2 or later) running in vSphere, including vSphere on VMware Cloud on AWS (version 1.12 or 1.14).
  • Do not attempt to register any other kind of management cluster with Tanzu Mission Control.
  • Tanzu Mission Control does not support the registration of Tanzu Kubernetes Grid management clusters prior to version 1.2.

Registering our Tanzu Kubernetes Grid Management Cluster

  • Go to Administration > Management Clusters > Register Management Cluster > Tanzu Kubernetes Grid

Tanzu Mission Control - Administration - Register Management Cluster - Tanzu Kubernetes Grid


How to delete vCenter Roles in VMC

The Issue

Whilst testing a PowerCLI script in VMC to create some vCenter roles, I noticed in the UI that when I deleted them, they remained, even though I was using the CloudAdmin@vmc.local account.

I also tried to delete them using PowerCLI and received the error message:

Remove-VIRole : 07/11/2020 09:00:42 Remove-VIRole Permission to perform this operation was denied. Required privilege 'VApp.PullFromUrls' on managed object with id 'Folder-group-d1'.
At line:1 char:1
+ Remove-VIRole OpenShift-Install
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Remove-VIRole], NoPermission
+ FullyQualifiedErrorId : Client20_InventoryServiceImpl_RemoveRole_VIError,VMware.VimAutomation.ViCore.Cmdlets.Commands.PermissionManagement.RemoveVIRole

You should not create roles with permissions higher than those of the CloudAdmin account. You can find further information on these permissions here.

If you do this, the only fix is to log a support call with VMware to resolve.

The Fix

VMware have a KB for this issue and how to delete the vCenter roles.

To resolve you use the vCenter Managed Objects Browser (MOB).

Note: When using the MOB to make changes, users will not be prompted for confirmation before making any changes, including removing roles. A custom role cannot have privileges higher than the CloudGlobalAdmin role.

First, to view all your existing roles, go to the following URL in your browser:

  • https://{VMC_VC_FQDN}/mob/?moid=AuthorizationManager&doPath=roleList

This will list all roles. Note the roleId for the role you want to remove.

vCenter MOB AuthorizationRole

To remove a role:


Horizon on VMC – Considerations and setting up a lab environment

A few months back, I set up a Horizon environment running in our VMC environment, used for lab purposes. Since then, I’ve been asked by several people to go through the setup. So, I’ve also decided to create a blog post on the matter.

This blog post will cover the considerations for running VMware Horizon on VMC, and the technical setup itself of the lab environment I created.

Update 4th May: I recorded a session for the London VMUG on this subject, which you can watch here.

Topics covered:

  • Horizon 7 on VMware Cloud on AWS is not DaaS
  • Horizon 7 on VMware Cloud on AWS Deployment Guide and Supportability
  • Feature Support
  • Horizon on VMC architecture
  • Platform Considerations
    • Identity Management
    • File Shares
    • Image management
  • Network Service
    • VMC Network Segments
    • Load Balancing
    • DHCP
  • Firewall Rules
    • Logging
  • Horizon Connection Broker Configuration
  • Some final considerations
  • Further Resources

Horizon 7 on VMware Cloud on AWS is not DaaS

I will not cover the details of VMware Cloud on AWS (VMC) in this post, but you can read about it here.

Horizon 7 (or later), running on top of VMC, is not a Desktop-as-a-Service offering. For this, we have our Horizon Cloud offering, which currently supports Azure and IBM Cloud.

Horizon on VMC acts the same as the on-prem offering, i.e. the same considerations and configurations apply as if you deployed Horizon in your own private datacentre.

You can stretch existing Horizon environments to also make use of the compute and storage in VMC, and set up Cloud Pod Architecture between the locations as well. Alternatively, you can run a full Horizon environment solely within VMC itself. By running within VMC, you also ensure your desktops are in close proximity to native AWS services, such as file services and global load balancing services, to name some examples.

Horizon 7 on VMware Cloud on AWS is not DaaS