Technology on The IT Hollow

Jetstack Cert-Manager

Mon, 02 Dec 2019 15:05:06 +0000

One of my least favorite parts of computers is dealing with certificate creation. In fact, ya know those tweets about what you’d tweet if you were kidnapped and didn’t want to tip off the kidnapers?

Yeah, I’d tweet about how I love working with certificates. They are just not a fun thing for me. So when I found a new project where I needed certificates created, I was not really excited.

ClusterAPI Demystified

Mon, 04 Nov 2019 15:05:05 +0000

Deploying Kubernetes clusters may be the biggest hurdle in learning Kubernetes and one of the challenges in managing Kubernetes. ClusterAPI is a project designed to ease this burden and make the management and deployment of Kubernetes clusters simpler.

The Cluster API is a Kubernetes project to bring declarative, Kubernetes-style APIs to cluster creation, configuration, and management. It provides optional, additive functionality on top of core Kubernetes.

kubernetes-sigs/cluster-api

This post is designed to dive into ClusterAPI to investigate how it works, and how you can use it.

A Kind Way to Learn Kubernetes

Mon, 07 Oct 2019 14:10:13 +0000

I’m not going to lie to you, as of the time of this writing, maybe the biggest hurdle to learning Kubernetes is getting a cluster stood up. Right now there are a myriad of ways so stand up a cluster, but none of them are really straight forward yet. If you’re interested in learning how Kubernetes works, and just want to setup a basic cluster to poke around in, this post is for you.

Kubernetes - Desired State and Control Loops

Mon, 16 Sep 2019 14:05:30 +0000

If you’ve just gotten started with Kubernetes, you might be curious to know how the desired state is achieved? Think about it, you pass a YAML file to the API server and magically stuff happens. Not only that, but when disaster strikes (e.g. pod crashes) Kubernetes also makes it right again so that it matches the desired state.

The mechanism that allows for Kubernetes to enforce this desired state is the control loop. The basics of this are pretty simple. A control loop can be though of in three stages.

Kubernetes Visually - With VMware Octant

Tue, 20 Aug 2019 14:10:35 +0000

I don’t know about you, but I learn things best when I have a visual to reference. Many of my posts in this blog are purposefully built with visuals, not only because I think its helpful for the readers to “get the picture”, but also because that’s how I learn.

Kubernetes can feel like a daunting technology to start learning, especially since you’ll be working with code and the command line for virtually all of it. That can be a scary proposition to an operations person who is trying to break into something brand new. But last week I was introduced to a project from VMware called Octant, that helps visualize whats actually going on in our Kubernetes cluster.

Kubernetes - DaemonSets

Tue, 13 Aug 2019 14:10:04 +0000

DaemonSets can be a really useful tool for managing the health and operation of the pods within a Kubernetes cluster. In this post we’ll explore a use case for a DaemonSet, why we need them, and an example in the lab.

DaemonSets - The Theory

DaemonSets are actually pretty easy to explain. A DaemonSet is a Kubernetes construct that ensures a pod is running on every node (where eligible) in a cluster. This means that if we were to create a DaemonSet on our six node cluster (3 master, 3 workers), the DaemonSet would schedule the defined pods on each of the nodes for a total of six pods. Now, this assumes there are either no taints on the nodes, or there are tolerations on the DaemonSets.

Sysdig Secure 2.4 Announced

Tue, 06 Aug 2019 13:17:20 +0000

Today Sysdig announced a new update to their Cloud Native Visibility and Security Platform, with the release of Sysdig Secure 2.4.

The new version of the Secure product includes some pretty nifty enhancements.

Runtime profiling with machine learning - New containers will be profiled after deployment to give insights into the processes, file system activity, networking and system calls. Once the profiling is complete, these profiles can be used to create policy sets for the expected behavior. Sysdig also offers a confidence level of the profile. Consistent behavior generating a higher confidence level whereas variable behavior would have a lower level.

Kubernetes - Taints and Tolerations

Mon, 29 Jul 2019 14:15:22 +0000

One of the best things about Kubernetes, is that I don’t have to think about which piece of hardware my container will run on when I deploy it. The Kubernetes scheduler can make that decision for me. This is great until I actually DO care about what node my container runs on. This post will examine one solution to pod placement, through taints and tolerations.

Taints - The Theory

Suppose we had a Kubernetes cluster where we didn’t want any pods to run on a specific node. You might need to do this for a variety of reasons, such as:

Test Your Kubernetes Cluster Conformance

Tue, 16 Jul 2019 13:56:08 +0000

You’ve been dabbling in the world of Kubernetes for a while now and have probably noticed there are a whole lot of vendors packaging their own version of Kubernetes.

You might be having a fun time comparing the upstream Kubernetes version vs the packaged versions put out by Redhat, VMware, and others. But how do we know that those packaged versions are supporting the required APIs so that all Kubernetes clusters have the same baseline of features?

Monitoring Kubernetes with Sysdig Monitor

Sun, 23 Jun 2019 14:10:02 +0000

Any system that’s going to be deployed for the enterprise needs to have at least a basic level of monitoring in place to manage it. Kubernetes is no exception to this rule. When we, as a community, underwent the shift from physical servers to virtual infrastructure, we didn’t ignore the new VMs and just keep monitoring the hardware, we had to come up with new products to monitor our infrastructure. Sysdig is building these new solutions for the Kubernetes world.

AWS Account Tagging

Mon, 17 Jun 2019 14:02:18 +0000

We’re getting into the habit of tagging everything these days. It’s been drilled into our heads that we don’t care about names of our resources anymore because we can add our own metadata to resources to later identify them, or to use for automation. But up until June 6th, AWS wouldn’t let us tag one of the most important resources of all, our accounts.

On June 6th though, our cloud world changed when AWS announced that we can now add tags to our accounts through organizations.

Kubernetes - Helm

Mon, 10 Jun 2019 14:02:52 +0000

The Kubernetes series has now ventured into some non-native k8s discussions. Helm is a relatively common tool used in the industry and it makes sense to talk about why that is. This post covers the basics of Helm so we can make our own evaluations about its use in our Kubernetes environment.

Helm - The Theory

So what is Helm? In the most simplest terms its a package manager for Kubernetes.
Think of Helm this way, Helm is to Kubernetes as yum/apt is to Linux. Yeah, sounds pretty neat now doesn’t it?

Kubernetes - Pod Backups

Mon, 03 Jun 2019 14:00:58 +0000

The focus of this post is on pod based backups, but this could also go for Deployments, replica sets, etc. This is not a post about how to backup your Kubernetes cluster including things like etcd, but rather the resources that have been deployed on the cluster. Pods have been used as an example to walk through how we can take backups of our applications once deployed in a Kubernetes cluster.

Should I Feel this Stupid?

Mon, 08 Apr 2019 14:10:28 +0000

Learning new things can be pretty exciting, and lucky for IT Professionals, there is no lack of things to learn. But this exciting world of endless configurations, code snippets, routes, and processes can have a demoralizing effect as well when you’re constantly bombarded with things you don’t know.

Growth Hurts a Little

I’m not immune to the feelings of stupidity. I work with some smart folks in my day job as well as smart customers. I see what people are doing on twitter and realize that no matter what I already know, there is so much more that I could know.

Kubernetes - StatefulSets

Mon, 01 Apr 2019 14:20:48 +0000

We love deployments and replica sets because they make sure that our containers are always in our desired state. If a container fails for some reason, a new one is created to replace it. But what do we do when the deployment order of our containers matters? For that, we look for help from Kubernetes StatefulSets.

StatefulSets - The Theory

StatefulSets work much like a Deployment does. They contain identical container specs but they ensure an order for the deployment. Instead of all the pods being deployed at the same time, StatefulSets deploy the containers in sequential order where the first pod is deployed and ready before the next pod starts. (NOTE: it is possible to deploy pods in parallel if you need them to, but this might confuse your understanding of StatefulSets for now, so ignore that.) Each of these pods has its own identity and is named with a unique ID so that it can be referenced.

Kubernetes - Cloud Providers and Storage Classes

Wed, 13 Mar 2019 14:20:23 +0000

In the previous post we covered Persistent Volumes (PV) and how we can use those volumes to store data that shouldn’t be deleted if a container is removed. The big problem with that post is that we have to manually create the volumes and persistent volume claims. It would sure be nice to have those volumes spun up automatically wouldn’t it? Well, we can do that with a storage class. For a storage class to be really useful, we’ll have to tie our Kubernetes cluster in with our infrastructure provider like AWS, Azure or vSphere for example. This coordination is done through a cloud provider.

Kubernetes - Persistent Volumes

Mon, 04 Mar 2019 15:00:51 +0000

Containers are often times short lived. They might scale based on need, and will redeploy when issues occur. This functionality is welcomed, but sometimes we have state to worry about and state is not meant to be short lived. Kubernetes persistent volumes can help to resolve this discrepancy.

Volumes - The Theory

In the Kubernetes world, persistent storage is broken down into two kinds of objects. A Persistent Volume (PV) and a Persistent Volume Claim (PVC). First, lets tackle a Persistent Volume.

Kubernetes - Secrets

Mon, 25 Feb 2019 15:00:56 +0000

Secret, Secret, I’ve got a secret! OK, enough of the Styx lyrics, this is serious business. In the previous post we used ConfigMaps to store a database connection string. That is probably not the best idea for something with a sensitive password in it. Luckily Kubernetes provides a way to store sensitive configuration items and its called a “secret”.

Secrets - The Theory

The short answer to understanding secrets would be to think of a ConfigMap, which we have discussed in a previous post in this series, but with non-clear text.

Kubernetes - ConfigMaps

Wed, 20 Feb 2019 15:00:40 +0000

Sometimes you need to add additional configurations to your running containers. Kubernetes has an object to help with this and this post will cover those ConfigMaps.

ConfigMaps - The Theory

Not all of our applications can be as simple as the basic nginx containers we’ve deployed earlier in this series. In some cases, we need to pass configuration files, variables, or other information to our apps.

The theory for this post is pretty simple, ConfigMaps store key/value pair information in an object that can be retrieved by your containers. This configuration data can make your applications more portable.

Kubernetes - Ingress

Wed, 13 Feb 2019 15:00:46 +0000

It’s time to look closer at how we access our containers from outside the Kubernetes cluster. We’ve talked about Services with NodePorts, LoadBalancers, etc., but a better way to handle ingress might be to use an ingress-controller to proxy our requests to the right backend service. This post will take us through how to integrate an ingress-controller into our Kubernetes cluster.

Ingress Controllers - The Theory

Lets first talk about why we’d want to use an ingress controller in the first place. Take an example web application like you might have for a retail store. That web application might have an index page at “http://store-name.com/" and a shopping cart page at “http://store-name.com/cart" and an api URI at “http://store-name.com/api". We could build all these in a single container, but perhaps each of those becomes their own set of pods so that they can all scale out independently. If the API needs more resources, we can just increase the number of pods and nodes for the api service and leave the / and the /cart services alone. It also allows for multiple groups to work on different parts simultaneously but we’re starting to drift off the point which hopefully you get now.

Kubernetes - KUBECONFIG and Context

Mon, 11 Feb 2019 15:00:26 +0000

You’ve been working with Kubernetes for a while now and no doubt you have lots of clusters and namespaces to deal with now. This might be a good time to introduce Kubernetes KUBECONFIG files and context so you can more easily use all of these different resources.

KUBECONFIG and Context - The Theory

When you first setup your Kubernetes cluster you created a config file likely stored in your $HOME/.kube directory. This is the KUBECONFIG file and it is used to store information about your connection to the Kubernetes cluster. When you use kubectl to execute commands, it gets the correct communication information from this KUBECONFIG file. This is why you would’ve needed to add this file to your $PATH variable so that it could be used correctly by the kubectl commands.

Kubernetes - Namespaces

Wed, 06 Feb 2019 15:00:13 +0000

In this post we’ll start exploring ways that you might be able to better manage your Kubernetes cluster for security or organizational purposes. Namespaces become a big piece of how your Kubernetes cluster operates and who sees what inside your cluster.

Namespaces - The Theory

The easiest way to think of a namespace is that its a logical separation of your Kubernetes Cluster. Just like you might have segmented a physical server into several virtual severs, we can segment our Kubernetes cluster into namespaces. Namespaces are used to isolate resources within the control plane. For example if we were to deploy a pod in two different namespaces, an administrator running the “get pods” command may only see the pods in one of the namespaces. The pods could communicate with each other across namespaces however.

Kubernetes - Service Publishing

Tue, 05 Feb 2019 16:30:54 +0000

A critical part of deploying containers within a Kubernetes cluster is understanding how they use the network. In previous posts we’ve deployed pods and services and were able to access them from a client such as a laptop, but how did that work exactly? I mean, we had a bunch of ports configured in our manifest files, so what do they mean? And what do we do if we have more than one pod that wants to use the same port like 443 for https?

Kubernetes - Endpoints

Mon, 04 Feb 2019 15:00:02 +0000

It’s quite possible that you could have a Kubernetes cluster but never have to know what an endpoint is or does, even though you’re using them behind the scenes. Just in case you need to use one though, or if you need to do some troubleshooting, we’ll cover the basics of Kubernetes endpoints in this post.

Endpoints - The Theory

During the post where we first learned about Kubernetes Services, we saw that we could use labels to match a frontend service with a backend pod automatically by using a selector. If any new pods had a specific label, the service would know how to send traffic to it. Well the way that the service knows to do this is by adding this mapping to an endpoint. Endpoints track the IP Addresses of the objects the service send traffic to. When a service selector matches a pod label, that IP Address is added to your endpoints and if this is all you’re doing, you don’t really need to know much about endpoints. However, you can have Services where the endpoint is a server outside of your cluster or in a different namespace (which we haven’t covered yet).

Kubernetes - Services and Labels

Thu, 31 Jan 2019 15:00:54 +0000

If you’ve been following the series, you may be thinking that we’ve built ourselves a problem. You’ll recall that we’ve now learned about Deployments so that we can roll out new pods when we do upgrades, and replica sets can spin up new pods when one dies. Sounds great, but remember that each of those containers has a different IP address. Now, I know we haven’t accessed any of those pods yet, but you can imagine that it would be a real pain to have to go lookup an IP Address every time a pod was replaced, wouldn’t it? This post covers Kubernetes Services and how they are used to address this problem, and at the end of this post, we’ll access one of our pods … finally.

Kubernetes - Deployments

Wed, 30 Jan 2019 15:01:37 +0000

After following the previous posts, we should feel pretty good about deploying our pods and ensuring they are highly available. We’ve learned about naked pods and then replica sets to make those pods more HA, but what about when we need to create a new version of our pods? We don’t want to have an outage when our pods are replaced with a new version do we? This is where “Deployments” comes into play.

Kubernetes - Replica Sets

Mon, 28 Jan 2019 15:00:59 +0000

In a previous post we covered the use of pods and deployed some “naked pods” in our Kubernetes cluster. In this post we’ll expand our use of pods with Replica Sets.

Replica Sets - The Theory

One of the biggest reasons that we don’t deploy naked pods in production is that they are not trustworthy. By this I mean that we can’t count on them to always be running. Kubernetes doesn’t ensure that a pod will continue running if it crashes. A pod could die for all kinds of reasons such as a node that it was running on had failed, it ran out of resources, it was stopped for some reason, etc. If the pod dies, it stays dead until someone fixes it which is not ideal, but with containers we should expect them to be short lived anyway, so let’s plan for it.

AWS Native Backups

Tue, 22 Jan 2019 16:00:59 +0000

Amazon Web Services has released yet another service designed to improve the lives of people administering an AWS environment. There is a new backup service, cleverly named, AWS Backup.

This new service allows you to create a backup plan for Elastic Block Store (EBS) volumes, Elastic File System (EFS), DynamoDB, Relational Database Services (RDS), and Storage Gateway.

Now we can build plans to automatically backup, tier and expire old backups automatically based on our own criteria.

Kubernetes - Pods

Mon, 21 Jan 2019 16:30:30 +0000

We’ve got a Kubernetes cluster setup and we’re ready to start deploying some applications. Before we can deploy any of our containers in a kubernetes environment, we’ll need to understand a little bit about pods.

Pods - The Theory

In a docker environment, the smallest unit you’d deal with is a container. In the Kubernetes world, you’ll work with a pod and a pod consists of one or more containers. You cannot deploy a bare container in Kubernetes without it being deployed within a pod.

Deploy Kubernetes Using Kubeadm - CentOS7

Mon, 14 Jan 2019 15:35:36 +0000

I’ve been wanting to have a playground to mess around with Kubernetes (k8s) deployments for a while and didn’t want to spend the money on a cloud solution like AWS Elastic Container Service for Kubernetes or Google Kubernetes Engine . While these hosted solutions provide additional features such as the ability to spin up a load balancer, they also cost money every hour they’re available and I’m planning on leaving my cluster running. Also, from a learning perspective, there is no greater way to learn the underpinnings of a solution than having to deploy and manage it on your own. Therefore, I set out to deploy k8s in my vSphere home lab on some CentOS 7 virtual machines using Kubeadm. I found several articles on how to do this but somehow I got off track a few times and thought another blog post with step by step instructions and screenshots would help others. Hopefully it helps you. Let’s begin.

AWS Security Hub

Mon, 17 Dec 2018 15:00:59 +0000

A primary concern for companies moving to the cloud is whether or not their workloads will remain secure. While that debate still happens, AWS has made great strides to assuage customer’s concerns by adding services to ensure workloads are well protected. At re:Invent 2018 another service named AWS Security Hub was added. Security Hub allows you to setup some basic security guardrails and get compliance information for multiple accounts within a single service. Amazon seems to have realized that enabling customers to very easily see their security recommendations for all environments in a single place has great value to their businesses.

Setup AWS Transit Gateway

Wed, 12 Dec 2018 15:00:07 +0000

Amazon announced a new service at re:Invent 2018 in Las Vegas, called the AWS Transit Gateway. The Transit Gateway allows you to connect multiple VPCs together as well as VPN tunnels to on-premises networks through a single gateway device. As a consultant, I talk with customers often, about how they will plan to connect their data center with the AWS cloud, and how to interconnect all of those VPCs. In the past a solution like Aviatrix or a Cisco CSR transit gateway was used which leveraged some EC2 instances that lived within a VPC. You’d then connect spoke VPCs together via the use of VPN tunnels. With this new solution, there is a native service from AWS that allows you to do this without the need for VPN tunnels between spoke VPCs and you can use the AWS CLI/CloudFormation or console to deploy everything you need. This post takes you through an example of the setup of the AWS Transit Gateway in my own lab environment.

AWS Resource Access Manager

Mon, 10 Dec 2018 15:00:44 +0000

At AWS re:Invent this year in Las Vegas, Amazon announced a ton of services, but one that caught my eye was the AWS Resource Access Manager. This is a service that facilitates the sharing of some resources between AWS accounts so that they can be used or referenced across account boundaries. Typically, an AWS account is used as a control plane boundary (or billing boundary) between environments, but even then resources will need to communicate with each other occasionally. Now with AWS Resource Access Manager (RAM) we can shared Hosted DNS zones, Transit Gateways and other objects. This list will undoubtedly grow over time. This post will show you how you can share another new service, the AWS Transit Gateway, across multiple accounts within your organization.

VMware Cloud on AWS Firewalls Overview

Wed, 28 Nov 2018 16:03:46 +0000

If you’re getting started with VMware Cloud on AWS then you should be aware of all the points in which you can block traffic with a firewall. Or, if you look at it another way, the places where you might need to create allow rules for traffic to traverse your cloud. This post is used to show where those choke points live both within your VMware Cloud on AWS SDDC, as well as the Amazon VPC in which your SDDC lives.

Using AWS CloudFormation Drift Detection

Wed, 14 Nov 2018 15:02:55 +0000

Today, AWS announced the release of the long anticipated drift detection feature for CloudFormation. This feature has been a common feature request for many of the AWS customers that I speak with to ensure their deployments are configured as expected. This post will take you through why this is an important feature and how you can use it.

Whats the Big Deal?

If you’re not familiar with it already, CloudFormation is a free service from AWS that lets you describe your infrastructure through a YAML or JSON file and deploy the configuration. Simply define your desired state and CloudFormation will deploy the resources and arrange them so that dependent services are (usually) deployed in the right order. If you’re familiar with Ansible, Chef, or Puppet, this concept of a desired state shouldn’t be new.

Quality Checking Infrastructure-as-Code

Mon, 05 Nov 2018 14:55:55 +0000

If you’ve been doing application development for long, having tools in place to check the health of your code is probably not a new concept. However, if you’re jumping into something like Cloud and you’ve been an infrastructure engineer, this may be a foreign concept to you. Isn’t it bad enough that you’ve started learning Git, JSON, YAML, APIs etc on top of your existing skill sets? Well, take some lessons from the application teams and you may well find that you’re improving your processes and reducing the technical debt and time to provision infrastructure as code resources as well.

This is Not Fine!

Thu, 25 Oct 2018 17:55:07 +0000

I recently attended the Devops Enterprise Summit in Las Vegas so that I could keep up to date on the latest happenings around integrating devops for companies. This conference was nothing short of amazing, but what I wasn’t anticipating was a theme around IT burnout. The IT Revolutions team who puts on the conference started one of the keynotes on the topic of burnout, from Dr. Christina Maslach who is Professor of Psychology, Emerita University of California, Berkeley. In addition to this powerful session, there was another panel group that happened on Wednesday, that went further into the discussion including the ultimate consequence of burnout, which is suicide.

Restore or Resize an AWS Transit Router

Mon, 22 Oct 2018 14:03:21 +0000

A transit VPC is a pretty common networking pattern in an AWS environment. [Transit VPCs](http://Should I use a Transit VPC in AWS?) can limit the number of peering connections required to connect all your VPCs by switching from a mesh topology of peers to a hub and spoke method with transit. While transit VPCs offer some nice features, it also requires a bit more management overhead since you need to manage your own routers. Cisco makes the deployment of transit routers very easy but sometimes you need to make some changes to the routers after they’re deployed like if you need to resize them. Also, sometimes bad things happen and those routers can be destroyed by accident. This post shows how you can resize your Cisco CSRs and/or restore an old configuration from snapshot.

Upgrade to vRA 7.5

Mon, 08 Oct 2018 14:03:53 +0000

Upgrading your vRealize Automation instance has some times been a painful exercise. But this was in the early days after VMware purchased the product from DynamicOps. It’s taken a while, but the upgrade process has improved for each and every version, in my opinion, and 7.5 is no exception. If you’re on a previous version, here is a quick rundown on the upgrade process from 7.4 to 7.5.

Note: As always, please read the the official upgrade documentation. It includes prerequisites and steps that should always be followed. https://docs.vmware.com/en/vRealize-Automation/7.5/vrealize-automation-7172732to75upgrading.pdf

AWS Session Manager

Mon, 01 Oct 2018 14:05:01 +0000

Amazon has released yet another Simple Systems Manager service to improve the management of EC2 instances. This time, it’s AWS Session Manager. Session Manager is a nifty little service that lets you assign permissions to users to access an instances’s shell. Now, you might be thinking, “Why would I need this? I can already add SSH keys to my instances at boot time to access my instances.” You’d be right of course, but think of how you might use Session Manager. Instead of having to deal with adding SSH keys, and managing access/distribution of the private keys, we can manage access through AWS Identity and Access Management permissions.

Close an AWS Account Belonging to an Organization

Mon, 17 Sep 2018 14:05:24 +0000

Opening an AWS account is very easy to do. AWS makes it possible to create an account with an email address and a credit card. Even better, if you’re setting up a multi-account structure, you can use the API through organizations and you really only need an email address as an input. But closing an account is slightly more difficult. While closing accounts doesn’t happen quite as often as opening new ones, it does happen. Especially if you’re trying to fail fast and have made some organizational mistakes. When you want to clean those accounts up, you’ll need to jump through a couple of small hoops to do so. This post hopes to outline how to remove an account from an AWS Organization and then close it.

Create AWS Accounts with CloudFormation

Mon, 10 Sep 2018 14:05:20 +0000

In a previous post, we covered how to use an AWS Custom Resource in a CloudFormation template to deploy a very basic Lambda function. To expand upon this ability, lets use this knowledge to deploy something more useful than a basic Lambda function. How about we use it to create an AWS account? To my knowledge, the only way to create a new AWS account is to use the CLI or manually through the console. How about we use a custom resource to deploy a new account for us in our AWS Organization? Once this ability is available in a CloudFormation template, we could even publish it in the AWS Service Catalog and give our users an account vending machine capability.

AWS Custom Resources

Tue, 04 Sep 2018 14:00:04 +0000

We love to use AWS CloudFormation to deploy our environments. Its like configuration management for our AWS infrastructure in the sense that we write a desired state as code and apply it to our environment. But sometimes, there are tasks that we want to complete that aren’t part of CloudFormation. For instance, what if we wanted to use CloudFormation to deploy a new account which needs to be done through the CLI, or if we need to return some information to our CloudFormation template before deploying it? Luckily for us we can use a Custom Resource to achieve our goals. This post shows how you can use CloudFormation with a Custom Resource to execute a very basic Lambda function as part of a deployment.

Add AWS Web Application Firewall to Protect your Apps

Mon, 20 Aug 2018 14:02:31 +0000

Some things change when you move to the cloud, but other things are very much the same. Like protecting your resources from outside threats. There are always no-gooders out there trying to steal data, or cause mayhem like in those Allstate commercials. Our first defense should be well written applications, requiring authentication, etc and with AWS we make sure we’re setting up security groups to limit our access to those resources. How about an extra level of protection from a Web Application Firewall. AWS WAF allows us to leverage some extra protections at the edge to protect us from those bad guys/girls.

Using AWS CodeDeploy to Push New Versions of your Application

Mon, 06 Aug 2018 14:04:33 +0000

Getting new code onto our servers can be done in a myriad of ways these days. Configuration management tools can pull down new code, pipelines can run scripts across our fleets, or we could run around with a USB stick for the rest of our lives. With container based apps, serverless functions, and immutable infrastructure, we’ve changed this conversation quite a bit as well. But what about a plain old server that needs a new version of code deployed on it? AWS CodeDeploy can help us to manage our software versions and rollbacks so that we have a consistent method to update our apps across multiple instances. This post will demonstrate how to get started with AWS CodeDeploy so that you can manage the deployment of new versions of your apps.

How to Setup Amazon EKS with Mac Client

Tue, 31 Jul 2018 14:06:02 +0000

We love Kubernetes. It’s becoming a critical platform for us to manage our containers, but deploying Kubernetes clusters is pretty tedious. Luckily for us, cloud providers such as AWS are helping to take care of these tedious tasks so we can focus on what is more important to us, like building apps. This post shows how you can go from a basic AWS account to a Kubernetes cluster for you to deploy your applications.

How to Setup Amazon EKS with Windows Client

Mon, 30 Jul 2018 16:05:09 +0000

Easy Snapshot Automation with Amazon Data Lifecycle Manager

Mon, 23 Jul 2018 14:05:53 +0000

Amazon has announced a new service that will help customers manage their EBS volume snapshots in a very simple manner. The Data Lifecycle Manager service lets you setup a schedule to snapshot any of your EBS volumes during a specified time window.

In the past, AWS customers might need to come up with their own solution for snapshots or backups. Some apps moving to the cloud might not even need backups based on their deployment method and architectures. For everything else, we assume we’ll need to at least snapshot the EBS volumes that the EC2 instances are running on. Prior to the Data Lifecycle Manager, this could be accomplished through some fairly simple Lambda functions to snapshot volumes on a schedule. Now with the new service, there is a solution right in the EC2 console.

Should I use a Transit VPC in AWS?

Mon, 16 Jul 2018 14:05:46 +0000

A common question that comes up during AWS designs is, “Should I use a transit VPC?” The answer, like all good IT riddles is, “it depends.” There are a series of questions that you must ask yourself before deciding whether to use a Transit VPC or not. In this post, I’ll try to help formulate those questions so you can answer this question yourself.

The Basics

Before we can ask those tough questions, we first should answer the question, “What is a Transit VPC?” Well, a transit VPC acts as an intermediary for routing between two places. Just like a transit network bridges traffic between two networks, a transit VPC ferries traffic between two VPCs or perhaps your data center.

Who is Heptio?

Mon, 09 Jul 2018 14:00:53 +0000

There are a dozen new technologies being introduced every day that never amount to anything, while others move on to create completely new methodologies for how we interact with IT. Just like virtualization changed the way data centers operate, containers are changing how we interact with our applications and Kubernetes (K8s in short hand) seems to be a front runner in this space. However, with any new technology hitting the market, there is a bit of a lag before it takes off. People have to understand why it’s needed, who’s got the best solution, and how you can make it work with your own environment. Heptio is a startup company focusing on helping enterprises embrace Kubernetes through their open source tools and professional services. I’ve been hearing great things about Heptio, but when my good friend, Tim Carr, decided to go work for there, I decided that I better look into who they are, and figure out what he sees in their little startup.

The Dark Side of Stress

Mon, 18 Jun 2018 14:06:40 +0000

I took last week off from work to spend some time with my family and just relax. I’d never been to Disney World and have a six year old who is seriously into Star Wars, so this sounded like a great way to take a relaxing week off. During this vacation I found that it took several days before I even started to unwind. I ended the work week on a Friday and still felt the work stress through the weekend and into Monday. Maybe it’s a normal thing to still feel the stress through the weekend, but I had expected to feel an immediate release of tension when I was done with work on Friday when my vacation began. But all weekend I kept noticing that I couldn’t forget about work. In fact, I felt pretty sick one day and believe it was stress related. After a few days I started to pay attention to the activities of the day and didn’t pay as much attention, but it made me think that those two day weekends and how they certainly weren’t recharging me to be prepared for the next week of stress.

Using Hashicorp Consul to Store Terraform State

Mon, 21 May 2018 14:05:16 +0000

Hashicorp’s Terraform product is very popular in describing your infrastructure as code. One thing that you need consider when using Terraform is where you’ll store your state files and how they’ll be locked so that two team members or build servers aren’t stepping on each other. State can be stored in Terraform Enterprise (TFE) or with some cloud services such as S3. But if you want to store your state, within your data center, perhaps you should check out Hashicorp’s Consul product.

Visualizing the Chicago Cubs via Amazon QuickSight

Mon, 14 May 2018 15:01:07 +0000

If you’re interested in visualizing your data in easy to display graphs, Amazon QuickSight may be your solution. Obviously, Amazon has great capabilities with big data, but sometimes even if you have “little” data you just need a dashboard or way of displaying that content. This post shows an example of how you can display data to tell a compelling story. For the purposes of this blog post, we’ll try to determine why the Chicago Cubs are the Major League’s favorite baseball team.

AWS IAM Indecision

Mon, 07 May 2018 14:55:55 +0000

Identity and Access Management (IAM) can be a confusing topic for people that are new to Amazon Web Services. There are IAM Users that could be used for authentication or solutions considered part of the AWS Directory Services such as Microsoft AD, Simple AD, or AD Connector. If none of these sound appealing, there is always the option to use Federation with a SAML 2.0 solution like OKTA, PING, or Active Directory Federation Services (ADFS). If all of these option have given you a case of decision fatigue, then hopefully this post and the associate links will help you to decide how your environment should be setup.

Manage Multiple AWS Accounts with Role Switching

Mon, 30 Apr 2018 14:05:52 +0000

A pretty common question that comes up is how to manage multiple accounts within AWS from a user perspective. Multi-Account setups are common to provide control plane separation between Production, Development, Billing and Shared Services accounts but do you need to setup Federation with each of these accounts or create an IAM user in each one? That makes those accounts kind of cumbersome to manage and the more users we have the more chance one of them could get hacked.

AWS Directory Service - AD Connector

Mon, 23 Apr 2018 14:05:05 +0000

Just because you’ve started moving workloads into the cloud, doesn’t mean you can forget about Microsoft Active Directory. Many customers simply stand up their own domain controllers on EC2 instances to provide domain services. But if you’re moving to AWS there are also some great services you can take advantage of, to provide similar functionality. This post focuses on AD Connector which makes a connection to your on-premises or EC2 installed domain controllers. AD Connector doesn’t run your Active Directory but rather uses your existing active directory intances within AWS. As such, in order to use AD Connector you would need to have a VPN connection or Direct Connect to provide connectivity back to your data center. Also, you’ll need to be prepared to have credentials to connect to the domain. Domain Admin credentials will work, but as usual you should use as few privileges as possible so delegate access to a user with the follow permissions:

AWS Directory Service - Simple AD

Mon, 16 Apr 2018 14:12:58 +0000

Just because you’ve started moving workloads into the cloud, doesn’t mean you can forget about Microsoft Active Directory. Many customers simply stand up their own domain controllers on EC2 instances to provide domain services. But if you’re moving to AWS, there are also some great services you can take advantage of to provide similar functionality. This post focuses on Simple AD is based on Samba4 and handles a subset of the features that the Microsoft AD type Directory Service provides. This service still allows you to use Kerberos authentication and manage users and computers as well as provide DNS services. One of the major differences between this service and Microsoft AD is that you can’t create a trust relationship with your existing domain, so if you need that functionality look at Microsoft AD instead. Simple AD gives you a great way to quickly stand up new domains and cut down on the things you need to manage such as OS patches, etc.

AWS Directory Service - Microsoft AD

Mon, 09 Apr 2018 14:55:20 +0000

Just because you’ve started moving workloads into the cloud, doesn’t mean you can forget about Microsoft Active Directory. Many customers simply stand up their own domain controllers on EC2 instances to provide domain services. But if you’re moving to AWS there are also some great services you can take advantage of, to provide similar functionality. This post focuses on Microsoft AD which is a Server 20012 R2 based domain that provides a pair of domain controllers across Availability Zones and also handles DNS. This service is the closest service to a full blow Active Directory that you’d host on premises. You can even create a trust between the Microsoft AD deployed in AWS and your on-prem domain. You cannot extend your on-premises domain into Microsoft AD at the time of this writing though. If you wish to extend your existing domain, you should consider building your own DCs on EC2 instances and then you have full control over your options.

Protect Your AWS Accounts with GuardDuty

Mon, 02 Apr 2018 14:05:29 +0000

Locking down an AWS environment isn’t really that if you know what threats you’re protecting against. You have services such as the Web Application Firewall, Security Groups, Network Access Control Lists, Bucket Policies and the list goes on. But many times you encounter threats from malicious attackers just trying to probe which vulnerabilities might exist in your cloud. AWS has built a service, called Amazon GuardDuty, to help monitor and protect your environment that is based on AWS machine learning tools and threat intelligence feeds. GuardDuty currently reads VPC Flow Logs (used for network traffic analysis) and CloudTrail Logs (used for control plane access analysis) along with DNS log data to protect an AWS environment. GuardDuty will use threat intelligence feeds to alert you when your workloads may be communicating with known to be malicious IP Addresses and can alert you when privileged escalation occurs as part of its machine learning about suspicious patterns.

Fill Your Skills Tank

Mon, 26 Mar 2018 14:10:55 +0000

Information Technology is a very difficult field to keep up with. Not only does computing power increase year after year, making the number of things we can do with computers increase, but drastic transformations always plague this industry. Complete paradigm shifts are a major part of our recent past such as mainframes, to client/server, to virtualization to cloud computing. In addition to these changes there are also silos of technologies we might want to focus on such as database design, programming, infrastructure or cloud computing. Inside each of these categories there are different platforms to learn, such as if you are a programmer, do you know C++, Java, Python or Cobol?

Woke to IT Age Discrimination

Mon, 12 Mar 2018 14:06:04 +0000

Age discrimination can be an issue in any industry, but this issue is something members of the information technology (IT) industry can specifically identify with. My goal for this post is just to shine some light on the topic and discuss whether or not there is an injustice happening in IT when you reach a certain age, or if there is some less heinous reason why we see so many younger people in tech. I want to make it crystal clear that this is just an off the cuff discussion and not based on any discrimination that I’ve been witness to from my employer or anywhere else. Ageism has been a bit of the elephant in the room where I don’t see many people discussing it publicly, but it’s in the back of people’s mind. It does seem that there are many more young people in the technology industry than older people, but this also may just be a perception and not reality.

Migration to the Cloud with CloudEndure

Mon, 05 Mar 2018 15:07:45 +0000

I’m a big advocate for building your cloud apps to take advantage of cloud features. This usually means re-architecting them so that things like AWS Availability Zones can be used seemlessly. But I also know that to get benefits of the cloud quickly, this can’t always happen. If you’re trying to reduce your data center footprint rapidly due to a building lease or hardware refresh cycle quickly approaching, then you probably need a migration tool to accomplish this task.

AWS Reserved Instance Considerations

Mon, 19 Feb 2018 15:10:10 +0000

Reserved Instances are often used to reduce the price of Amazon EC2 instance on-demand pricing. If you’re not familiar with Reserved Instances, then you’re missing out. Reserved Instances, or RIs, are a billing construct used in conjunction with Amazon EC2 instances (virtual machines). The default usage on the AWS platform is the on-demand pricing in which you get billed by the hour or second with no commitments. Basically, when you decide to terminate an instance you stop paying for it.

Setup MFA for AWS Root Accounts

Mon, 12 Feb 2018 15:07:56 +0000

Multi-Factor Authentication or MFA, is a common security precaution used to prevent someone from gaining access to an account even if an attacker has your username and password. With MFA you must also have a device that generates a time based one time password (TOTP) in addition to the standard username/password combination. The extra time it might take to login is well worth the advantages that MFA provides. Having your AWS account hijacked could be a real headache.

Rubrik Acquires Datos IO

Tue, 06 Feb 2018 14:02:17 +0000

There is news in the backup world today. Rubrik has acquired startup company Datos IO.

Who is Datos IO?

Datos IO was founded in 2014 and focuses on copy data management of distributed scale out databases purpose built for the cloud. The reason Datos IO is different from the common backup solutions we’re accustomed to seeing (Commvault, DataDomain, etc) is that they are building a solution from the ground up that tackles the problems of geo-dispersed scale out database which are becoming commonplace in the cloud world. Think about databases that scale multiple continents, and multiple clouds even.

Add a New AWS Account to an Existing Organization from the CLI

Mon, 05 Feb 2018 15:12:17 +0000

AWS Organizations is a way for you to organize your accounts and have a hierarchy not only for bills to roll up to a single paying account, but also to setup a way to add new accounts programatically.

For the purposes of this discussion, take a look at my AWS lab account structure.

From the AWS Organizations Console we can see the account structure as well.

I need to create a new account in a new OU under my master billing account. This can be accomplished through the console, but it can also be done through the AWS CLI, which is what I’ll do here. NOTE: This can be done through the API as well which can be really useful for automating the building of new accounts.

Using Change Sets with Nested CloudFormation Stacks

Mon, 29 Jan 2018 15:10:20 +0000

In a previous post, we looked at how to use change sets with CloudFormation. This post covers how to use change sets with a nested CloudFormation Stack.

If you’re not familiar with nested CloudFormation stacks, it is just what it sounds like. A root stack or top level stack will call subordinate or child stacks as part of the deployment. These nested stacks could be deployed as a standalone stack or they can be tied together by using the AWS::CloudFormation::Stack resource type. Nested stacks can be used to deploy entire environments from the individual stacks below it. In fact a root stack may not deploy any resources at all other than what comes from the nested stacks. An example of a commons stacking method might be to have a top level stack that deploys a VPC, while a nested stack is responsible for deploying subnets within that stack. You could keep chaining this together to deploy EC2 instances, S3 buckets or whatever you’d like.

An Introduction to AWS CloudFormation Change Sets

Mon, 22 Jan 2018 15:05:12 +0000

If you’ve done any work in Amazon Web Services you probably know the importance of CloudFormation (CFn) as part of your Infrastructure as Code (IaC) strategy. CloudFormation provides a JSON or YAML formatted document which describes the AWS infrastructure that you want to deploy. If you need to re-deploy the same infrastructure across production and development environments, this is pretty easy since the configuration is in a template stored in your source control.

In the Cloud World, It's Cheaper to Upgrade

Tue, 16 Jan 2018 15:10:26 +0000

If you’ve been in technology for a while, you’ve probably had to go through a hardware refresh cycle at some point. These cycles usually meant taking existing hardware, doing some capacity planning exercises and setting out to buy new hardware that is supported by the vendors. This process was usually lengthy and made CIOs break into a cold sweat just thinking about paying for more hardware, that’s probably just meant to keep the lights on. Whenever I first learned of a hardware refresh cycle, my first thoughts were “Boy, this sounds expensive!”

Commit to Infrastructure As Code

Mon, 08 Jan 2018 15:10:30 +0000

Over recent years, Infrastructure as Code (IaC) has become sort of a utopian goal of many organizations looking to modernize their infrastructure. The benefits to IaC have been covered many times so I won’t go into too much detail, but the highlights include:

Reproducibility of an environment
Reduction in deployment time
Linking infrastructure deployments with application deployments
Source control for infrastructure items
Reduction of misconfiguration

The reasoning behind storing all of your infrastructure as code is valid and a worthy goal. The agility, stability, and deployment speeds achieved through IaC can prove to have substantial benefits to the business as a whole.

Use Amazon CloudWatch Logs Metric Filters to Send Alerts

Mon, 11 Dec 2017 16:14:47 +0000

With all of the services that Amazon has to offer, it can sometimes be difficult to manage your cloud environment. Face it, you need to manage multiple regions, users, storage buckets, accounts, instances and the list just keeps going on. Well the fact that the environment can be so vast might make it difficult to notice if something nefarious is going on in your cloud. Think of it this way, if a new EC2 instance was deployed in one of your most used regions, you might see it and wonder what it was, but if that instance (or 50 instances) was deployed in a region that you never login to, would you notice that?

AWS DeepLens - The Nuclear Weapon of Privacy

Wed, 29 Nov 2017 20:07:21 +0000

Today at AWS re:INVENT, Amazon had several new product announcements which is not uncommon for the company but one in-particular raised several eyebrows. Amazon has been working very hard to make machine learning much easier for people to use. Typically, understanding machine learning has taken great expertise and a relatively small number of people even attempted to learn these concepts just because of the complexity. That is all changing thanks to some of Amazon’s more recently announced services such as Amazon Sage Maker.

Use AWS Config Managed Rules to Protect Your Accounts

Mon, 27 Nov 2017 15:10:54 +0000

If you’re an Amazon Web Services customer and you’re not using the built in AWS config rules, you should be. AWS Config is a service that shows you the configuration changes that have happened on your AWS accounts. Whether that’s changes to your user accounts, changes to networks, modifications to S3 buckets or plenty of other configurations. AWS Config will keep this audit log of your changes in a specified S3 bucket which could be used for all sorts of other solutions such as updating your ServiceNow configuration management database. See this post from ServiceNow on some details of the solution.

AWS Dedicated Hosts

Mon, 13 Nov 2017 15:15:46 +0000

Sometimes it’s just not desirable to have your Amazon EC2 instances deployed all willy-nilly across the AWS infrastructure. Sure it’s nice not having to manage the underlying infrastructure but in some cases you actually need to be able to manage the hosts themselves. One example is when you have licensing that is “old-fashioned” and uses physical core counts. With the default tenancy model, host core counts just don’t make sense, so what can we do?

Manage vSphere Virtual Machines through AWS SSM

Mon, 06 Nov 2017 15:15:18 +0000

Amazon Web Services has some great tools to help you operate your EC2 instances with their Simple Systems Manager services. These services include ensuring patches are deployed within maintenance windows specified by you, automation routines that are used to ensure state and run commands on a fleet of servers through the AWS console. These tools are great but wouldn’t be be even better if I could use these tools to manage my VMware virtual machines too? Well, you’re in luck, because EC2 SSM can do just that and better yet, the service itself is free! Now, if you’ve followed along with the " AWS EC2 Simple Systems Manager Reference" guide you’ve probably already seen the goodies that we’ve got available, so this post is used to show you how you can use these same tools on your vSphere, Hyper-V or other on-premises platforms.

VMware Discovery

Mon, 30 Oct 2017 14:20:38 +0000

VMware has been busy over the last year trying to re-invent themselves with more focus on cloud. With that they’ve added some new SaaS products that can be used to help manage your cloud environments and provide some additional governance IT departments. Cloud makes things very simple to deploy and often eliminates the resource request phases that usually slow down provisioning. But once you start using the cloud, you can pretty quickly lose track of the resources that you’ve deployed, and now are paying for on a monthly basis, so it’s important to have good visibility and management of those resources.

Move an EC2 Instance to Another Region

Mon, 23 Oct 2017 14:12:31 +0000

Sometimes, you just need to change the data center where you’re running your virtual machines. You could be doing this for disaster recovery reasons, network latency reasons, or just because you’re shutting down a region. In an on-prem environment, you might move workloads to a different data center by vMotion, VMware Site Recovery Manager, Zerto, Recoverpoint for VMs, Veeam, or one of the other great tools for a virtualized environment. But how about if that VM is running in an AWS region and you want to move it to another region?

Understanding AWS Tenancy

Mon, 16 Oct 2017 15:00:10 +0000

When it comes to deploying EC2 instances within Amazon Web Services VPCs, you may find yourself confused when presented with those tenancy options. This post aims to describe the different options that you have with AWS tenancy and how they might be used.

First and foremost, what do we mean by tenancy? Well, tenancy determines who is the owner of a resource. It might be easiest to think of tenancy in terms of housing. For instance if you have a house then you could consider it a dedicated tenant since only one family presumably lives there. However, if you have an apartment building, there is a good chance that several families have rooms in a single building which would be more like a shared tenancy model.

AWS EC2 Simple Systems Manager Reference

Mon, 02 Oct 2017 14:07:07 +0000

Please use this post as a landing page to get you started with using the EC2 Simple Systems Manager services from Amazon Web Services. Simple Systems Manager or (SSM) is a set of services used to manage EC2 instances as well as on-premises machines (known as managed instances) with the SSM agent installed on them. You can use these services to maintain state, run ad-hoc commands, and configure patch compliance among other things.

AWS EC2 Systems Manager - State Manager

Tue, 26 Sep 2017 14:06:57 +0000

Sometimes you need to ensure that things are always a certain way when you deploy AWS EC2 instances. This could be things like making sure your servers are always joined to a domain when being deployed, or making sure you run an Ansible playbook every hour. The point of the AWS EC2 SSM State Manager service is to define a consistent state for your EC2 instances.

This post will use a fictional use case where I have a an EC2 instance or instances that are checking every thirty minutes to see if they should use a new image for their Apache website. The instance will check against the EC2 Simple Systems Manager Parameter Store, which we’ve discussed in a previous post, and will download the image from the S3 location retrieved from that parameter.

AWS EC2 Simple Systems Manager Documents

Mon, 18 Sep 2017 14:32:16 +0000

Amazon Web Services uses Systems Manager Documents to define actions that should be taken on your instances. This could be a wide variety of actions including updating the operating system, copying files such as logs to another destination or re-configuring your applications. These documents are written in Javascript Object Notation (JSON) and are stored within AWS for use with theother Simple Systems Manager (SSM) services such as the Automation Service or Run command.

EC2 Systems Manager Parameter Store

Mon, 11 Sep 2017 14:15:52 +0000

Generally speaking, when you deploy infrastructure through code, or run deployment scripts you’ll need to have a certain amount of configuration data. Much of your code will have install routines but what about the configuration information that is specific to your environment? Things such as license keys, service accounts, passwords, or connection strings are commonly needed when connecting multiple services together. So how do you code that exactly? Do you pass the strings in at runtime as a parameter and then hope to remember those each time you execute code? Do you bake those strings into the code and then realize that you’ve got sensitive information stored in your deployment scripts?

ServiceNow Streamlines Operations

Tue, 05 Sep 2017 15:00:07 +0000

We focus a lot of time talking about public cloud and provisioning. Infrastructure as code has changed the way in which we can deploy our workloads and how our teams are structured. We’re even allowing other teams to deploy their own workloads through our cloud management portals. But some things haven’t changed all that much.

When I mention ServiceNow the first things that come to your mind are probably “Change Ticketing”, “CMDB”, or “Asset Management”. While ServiceNow certainly does all of those things, the real purpose of ServiceNow is to streamline operations. Many people who work in the enterprise probably think of ServiceNow as something that just gets in their way. No one wants to stop what they’re doing to enter a change ticket, wait for an approval or update a configuration item once deploying new servers, it’s a pain. But ServiceNow really is meant to speed up the operations process.

Are We Really Concerned with Public Cloud Vendor Lock-in?

Tue, 22 Aug 2017 14:05:19 +0000

Recently, I was fortunate enough to attend Cloud Field Day 2, out in Silicon Valley. Cloud Field Day 2 brought a group of industry thought leaders together to speak with companies about their cloud products and stories. I was a little surprised to hear a reoccurring theme from some of the product vendors, which was: customers being so worried about being trapped by a public cloud vendor.

Is It True?

Based on my cloud consulting job, I can say that yes, many times customers are a bit worried about being locked in by a public cloud vendor. But most times this isn’t a crippling fear of being locked in, just a concern that they’d like to mitigate against if possible. But it’s like most things in the industry, you pick a valued partner and move forward with a strategy that makes sense for the business based on the information you know right now and a bet against the future. When virtualization was a new thing, I don’t recall that many conversations about making sure that both vSphere and Hyper-V were both in use in the data center so that lock-in could be prevented. We picked the partner that we saw had the most promise, capabilities, and price and built our solutions on top of those technologies. It’s still like that today, where you’ll pick a hardware vendor and attempt to prevent having multiple vendors because it increases the complexity of your services. You wouldn’t want to hire more people so that you can support two platforms, you’d want to hire the right employees to operate your corporate vision.

NetApp at a Crossroads

Tue, 15 Aug 2017 14:14:48 +0000

It is a pretty fair assumption that the Netapp company that you’re currently familiar with will be a much different company within the next five years. I say this because there isn’t much of a choice for anything else.

Where is Netapp?

When I say Netapp, my guess is the first thing that you think about is a good ole’ storage array that’s been sitting in a data center. Netapp has been around for a pretty long time, and pre-dates virtualization. The storage array has had a pretty good run in the data center and provides all the capabilities that enterprises have been looking for in a storage array. The write anywhere file layout (WAFL) introduced a very performant file system and RAID DP (Dual Parity) are part of the legacy of Netapp. Unfortunately, the legacy of Netapp has started to make them feel like a “legacy” company over the past few years.

Will Killing Net Neutrality End the Public Cloud?

Mon, 07 Aug 2017 14:05:27 +0000

In today’s world, if you can get an Internet connection, you can go anywhere and connect to any service that is publicly available. No restrictions are imposed and you can use the entire amount of bandwidth you purchased from your Internet service provider. This is the world under Net Neutrality. To illustrate this point further take the following example.

If you purchase a 25Mbps circuit from Comcast or AT&T, you can use all of that bandwidth, assuming the service on the other end is also providing 25Mbps or better.

HPE Built Another Cloud - Storage This Time

Tue, 01 Aug 2017 14:05:24 +0000

HPE recently announced that they were getting deeper into the cloud game bin introducing their Nimble Cloud Volumes (NCV) solution. Now while this sounds a lot like a storage array function, it’s really its own separate cloud that is focused only on storage. The idea behind it is that storage in both AWS and Azure isn’t great for enterprises and they want a better option to connect to their EC2 instances or Azure VMs.

Orchestrating Containers with Nirmata

Thu, 27 Jul 2017 15:06:19 +0000

I had high expectations for the sessions being presented during Cloud Field Day 2 hosted by GestaltIT in Silicon Valley during the week of June 26th-28th. The first of the sessions presented was from a company that I hadn’t heard of before called Nirmata. I had no idea what the company did, but after the session I found out the name is an Indo-Aryan word meaning Architect or Director which makes a lot of sense considering what they do.

Welcome to Cloud Field Day 2

Wed, 26 Jul 2017 04:53:25 +0000

Tech Field Day will be presenting Cloud Field Day 2 on July 26th through the 28th in Silicon Valley. If you have the time, please join in on the fun and watch the live stream right here.

The schedule will consist of nine great companies all explaining the ins and outs of their solutions and it’ll get real geeky. The schedule is found below and all times are Pacific US. So be sure to do the conversions.

Patch Compliance with EC2 Systems Manager

Mon, 24 Jul 2017 14:05:31 +0000

Deploying security patches to servers is almost as much fun as managing backup jobs. But everyone has to do it, including companies that have moved their infrastructure to AWS. As we’ve learned with previous posts, Amazon EC2 Systems Manager allows us to use some native AWS tools for management of our EC2 instances, and patch management is no exception.

EC2 Systems Manager allows you to do patch compliance where you can set a baseline and then based on a defined maintenance window a scheduled scan and deployment can be initiated on those EC2 instances. This assumes that you’ve already installed the SSM Agent and setup the basic IAM permissions for the instances to communicate with the Systems Manager service. The details can be found in the previous post.

Run Commands through EC2 Systems Manager

Mon, 17 Jul 2017 14:05:12 +0000

In a previous post we covered the different capabilities and basic setup of EC2 Systems Manager, including the IAM roles that needed to be created and the installation of the SSM Agent. In this post we’ll focus on running some commands through the EC2 Systems Manager Console.

We’ve already got an Amazon Linux instance deployed within our VPC. I’ve placed this instance in a public facing subnet and it is a member of a security group that allows HTTP traffic over port 80.

Amazon EC2 Systems Manager Services

Mon, 10 Jul 2017 14:05:29 +0000

We love Amazon EC2 instances because of how easy they are to deploy and we have a huge catalog of templates (AMIs) to choose from which really speeds up our provisioning. But once those instances are up and running it would be really nice to have some methods of managing those instances. Luckily, Amazon has developed several capabilities to help manage Amazon EC2 instances after they’ve been deployed. These capabilities are used to execute scripts, manage patches and kick off automation routines within an EC2 instance, directly from the AWS console.

Migrate vSphere VMs to Amazon with AWS Server Migration Service

Mon, 26 Jun 2017 14:05:01 +0000

AWS is taking the virtualization world by storm. Workloads that used to get spun up on vSphere are now being deployed in AWS in many cases. But what if you’ve got workloads in vSphere that need to be moved? Sure, it probably makes sense to build new servers in AWS and decommission the old ones but sometimes it’s OK to lift and shift. Amazon has a service that can help with this process called the AWS Server Migration Service.

Setup Amazon Storage Gateway

Tue, 13 Jun 2017 14:10:17 +0000

Amazon’s S3 is a cost effective way to store file but many organizations are used to mapping NFS shares to machines for file storage purposes. Amazon Storage Gateways are a good way to cache or store files on an NFS mount and then back them up to an S3 bucket. This post goes through the setup of an AWS Storage Gateway in an EC2 instance for caching files and storing them in an S3 bucket. This same solution (and a similar but different process) can be used to mount block devices through iSCSI or setup a Tape Gateway for backup products.

vRA 7.3 Component Profiles

Tue, 06 Jun 2017 14:05:22 +0000

Preventing blueprint sprawl should be a consideration if you’re building out a new cloud through vRealize Automation. Too many blueprints and your users will be confused by the offerings and the more blueprints, the more maintenance needed to manage them. We’ve had custom methods for managing sprawl up until vRA 7.3 was released. Now we have some slick new methods right out of the box to cut down on the number of blueprints in use. These new out of the box configurations are called Component Profiles.

vRA 7.3 Endpoints Missing

Tue, 30 May 2017 14:08:58 +0000

vRealize Automation version 7.3 dropped a few weeks ago and you’re really excited about the new improvements that have been made with the platform. Release Notes for version 7.3 You’ve gone through the upgrade process which is constantly improving I might add but once you log in you find out that your endpoints that you spent so much time building are now missing. Kind of like the ones in my screenshot below.

vRA Placement Decisions with a Dynamic Form

Mon, 22 May 2017 14:07:31 +0000

vRA is great at deploying servers in an automated fashion, but to really use the built in functionality for an organization some additional information should be requested to properly place the workloads in the environment. This post covers how to ask users for the correct information to properly determine the placement location of new server workloads.

Cluster Placement

The first placement decision that needs to be made is which cluster the workload should be placed on. This can be done with reservations and reservation policies but often comes with some blueprint sprawl. We’d like to be able to ask the requester which environment the workload should be placed on. To specify a cluster (which could include a cluster on a different vCenter or datacenter) we’ll modify an xml document stored in the IaaS Server(s) which will describe our datacenters. In my example I’ve got two clusters in a single vCenter named “Management” and “Workload”. My clusters are shown below.

Setup ADFS for Amazon Web Services SAML Authentication

Mon, 15 May 2017 14:10:59 +0000

It’s a pretty common design request these days to have a single authentication source. I mean, do you really want to have to manage a bunch of different logins instead of having to remember one? Also, five different accounts give attackers five different avenues to try to exploit. So many times we use our existing Active Directory infrastructure as our single source of authentication. Amazon Web Services (AWS) needs a way for people to login and will allow you to use your own Active Directory credentials through Security Assertion Markup Language (SAML). This post will walk you through the setup of Active Directory Federation Services (ADFS) on Windows Server 2016 and configuring it to be your credentials for AWS.

vRealize Code Stream Management Pack for IT DevOps Unit Testing

Tue, 18 Apr 2017 14:02:02 +0000

vRealize Code Stream Management Pack for IT DevOps (code named Houdini by VMware) allows us to treat our vRealize Automation Blueprints, or other objects, as pieces of code that can be promoted between environments. In previous posts we’ve done just this, but a glaring piece was missing in during those articles. Promoting code between environments is great, but we’ve got to test it first or this process is only good for moving code around. A full release pipeline including unit tests can make your environment much more useful for organizations trying to ensure consistency.

Using vRealize Code Stream Management Pack for IT DevOps

Mon, 10 Apr 2017 14:05:30 +0000

In previous posts we covered how to install, configure and setup vRealize Code Stream Management Pack for IT DevOps (code named Houdini) so that we could get to this point. During this post we’ll take one of our vRA blueprints in the development instance and move it to the production instance. Let’s get started.

To set the stage, here is my development instance where I have several blueprints at my disposal. Some of them even work! (That was a joke) For this exercise, I want to move the “Server2016” catalog from my development instance to my production instance because I have it working perfectly with my vSphere environment.

Configuring vRealize Code Stream Management Pack for IT DevOps Endpoints

Tue, 04 Apr 2017 14:03:50 +0000

In the previous post we covered the architecture and setup of the vRealize Code Stream Management Pack for IT DevOps (also known as Houdini). In this post we’ll cover how we need to setup Houdini’s endpoints so that we can use them to release our blueprints or workflows to other instances.

Remote Content Server Endpoint Setup

To setup our endpoints we can use nicely packaged blueprints right in vRA. It’s pretty nice that our setup deployed some blueprints for us to use, right in the default tenant of our vRA server. Login to the vRA default tenant with your Houdini Administrator that you setup in part 1. Then go to the catalog and request the “Add Remote Content Endpoint” under the “Administration” service. A remote content server (RCS) is a vRA appliance that will cache your packages. It’s a pretty useful thing to have if you’ve got vRA appliances in different sites and you need to move vSphere VMs or other large objects over a WAN. Future releases can be copied from the remote content server instead of always copying from the source.

Installing Code Stream Management Pack for IT DevOps

Mon, 27 Mar 2017 14:02:58 +0000

Deploying blueprints in vRealize Automation is one thing, but with all things as code, we need to be able to move this work from our test instances to development and production instances. It’s pretty important to be sure that the code being moved to a new instance is identical. We don’t want to have a user re-create the blueprints or workflows because it’s prone to user error. Luckily for us, we have a solution. VMware has the vRealize Code Stream Management Pack for IT DevOps which I though about nicknaming vRCSMPITDO but that didn’t really roll off the tongue. VMware previously nicknamed this product “Houdini” so for the purposes of this post, we’ll use that too! This article will kick off a few more posts on using the product but for now we’ll focus on installing it.

Adding an Azure Endpoint to vRealize Automation 7

Mon, 20 Mar 2017 14:03:55 +0000

As of vRealize Automation 7.2, you can now deploy workloads to Microsoft Azure through vRA’s native capabilities. Don’t get too excited here though since the process for adding an endpoint is much different than it is for other endpoints such as vSphere or AWS. The process for Azure in vRA 7 is to leverage objects in vRealize Orchestrator to do the heavy lifting. If you know things like resource mappings and vRO objects, you can do very similar tasks in the tool.

NSX Issues After Replacing VMware Self-Signed Certs

Mon, 13 Mar 2017 14:05:58 +0000

Recently, I’ve been going through and updating my lab so that I’m all up to date with the latest technology. As part of this process, I’ve updated my certificates so that all of my URLs have the nice trusted green logo on them. Oh yeah, and because it’s more secure.

I updated my vSphere lab to version 6.5 and moved to the vCenter Server Appliance (VCSA) as part of my updates. However, after I replaced the default self-signed certificates I had a few new problems. Specifically, after the update, NSX wouldn’t connect to the lookup service. This is particularly annoying because as I found out later, if I’d have just left my self-signed certificates in tact, I would never have had to deal with this. I thought that I was doing the right thing for security, but VMware made it more painful for me to do the right thing. I’m hoping this gets more focus soon from VMware.

Cisco UCS Director Catalog Request

Mon, 23 Jan 2017 15:00:24 +0000

Cisco UCS Director Catalog Requests are the entire reason for having a cloud management platform in the first place. It’s the end user’s store for where they can request machines and services. To request a service, login to the UCS Director Portal with an account that has the “Service End-User” role. This role provides a different portal when logging in that only shows the user’s orders and catalogs and removes all of the administration options.

AWS Step Functions

Tue, 17 Jan 2017 15:01:40 +0000

This year at AWS re:Invent Amazon announced a new service called Step Functions. According to AWS, Step Functions is an easy way to coordinate the components of distributed applications and microservices using visual workflows. That pretty much sums it up! When you’ve got a series of small microservices that need to be coordinated, it can be tricky to write this code into each lambda function to call the next function. Step Functions gives you a visual editor to manage the calls to multiple Lambda functions to make your life easier. I’ve written about this before on the AHEAD blog.

Upgrade from vRA from 7.1 to 7.2

Thu, 24 Nov 2016 15:00:25 +0000

vRealize Automation has had a different upgrade process for about every version that I can think of. The upgrade from vRA 7.1 to 7.2 is no exception, but this time you can see that some good things are happening to this process. There are fewer manual steps to do to make sure the upgrade goes smoothly and a script is now used to upgrade the IaaS Components which is a nice change from the older methods. As with any upgrade, you should read all of the instructions in the official documentation before proceeding.

Creating a Cisco UCS Director Catalog

Mon, 14 Nov 2016 15:05:26 +0000

Creating a Cisco UCS Director Catalog is a critical step because it’s what your end users will request new virtual machines and services from. There are a couple types of catalogs that will deploy virtual machines, advanced and standard. Standard selects a virtual machine template from vSphere. Advanced selects a pre-defined workflow that has been built in UCSD and then published to the catalog.

Create a Standard Catalog

To create a “standard” object go to the Policies drop down and select catalogs. From there click “Add”. Select a catalog type and then click “Submit”. In this example, I’ve chosen the “Standard” catalog type.

Terraform with Cisco UCS Director

Mon, 07 Nov 2016 15:15:58 +0000

I’m a big fan of Terraform from Hashicorp but many organizations are using cloud management platforms like Cisco UCS Director or vRealize Automation in order to deploy infrastructure. If you read my blog often, you’ll know that I’ve got some experience with both of these products and if you’re looking to get up to speed on either of them, check out one of these links: UCS Director 6 Guide or vRealize Automation 7 Guide. But why not use Terraform with Cisco UCS Director and have the best of both worlds?

Assigning Permissions to UCS Director Catalogs

Wed, 02 Nov 2016 14:06:17 +0000

Creating a Cisco UCS Director Catalog is the first step to publishing services to your end users. The second step is to assign permissions. This post will show you how to assign permissions to UCS Director Catalogs.

To allow users to access a catalog item they must be granted permissions. To do this, go to the Administration drop down –> Users and Groups. From there click on the “User Groups” tab and find the group which should be entitled.

Cisco UCS Director End User Self-Service Policy

Mon, 31 Oct 2016 14:02:18 +0000

The Cisco UCS Director end user self-service policy is used to determine which day 2 operations that come out of the box are available on catalogs in a VDC. By “day 2” I mean the types of operations that can be performed on a virtual machine after its been deployed, such as reboot, power on, snapshot, etc.

To configure these, go to the Policies drop down and select Virtual/Hypervisor Policies –> Service Delivery. Then select the “End User Self-Service Policy” and click the Add button.

UCS Director VMware Management Policy

Wed, 26 Oct 2016 15:24:20 +0000

Cisco UCS Director VMware Management Policy is used to determine how virtual machines will behave and more specifically be cleaned up. In the cloud world, the removal of inactive and unnecessary virtual machines may be more important that the deployment of them. The VM Management Policy is used to configure leases, notifications about when leases expire, and determining when a VM is inactive. This policy is very useful to keep your cloud clean, and removing unneeded virtual machines when they’re past their usefulness.

UCS Director Cost Model

Mon, 24 Oct 2016 14:08:29 +0000

Chargeback or at least showback is an important thing for any cloud environment. Cisco UCS Director can provide cost information back to managers but you need to create a UCS Director cost model. This cost model will define how all the costs are calculated.

Add a Cost Model

To create a cost model, go to the Policies drop down and select Virtual/Hypervisor Policies –> Service Delivery. Then select the Cost Model tab.

UCS Director System Policies

Wed, 19 Oct 2016 14:15:23 +0000

UCS Director System Policies are kind of a catch all for any settings that need to be defined prior to a virtual machine being deployed, and that don’t fit into a neat little category like Network, Storage or Compute. This post reviews two types of system policies: VMware and AWS.

VMware System Policy

This policy is used to configure things like the Time Zones, DNS Settings, virtual machine naming conventions and guest licensing information. The policy can be found under the Policies drop down –> Virtual/Hypervisor Policies –> Service Delivery screen and from there you’ll be looking for the VMware System Policy tab.

UCS Director Network Policies

Mon, 17 Oct 2016 14:30:55 +0000

The UCS Director Virtual Data Center construct requires several underlying policies in order to become an item that virtual machine can be deployed on. One of these items is the networking policy which includes IP Pools, VLANs, vNic rules and port group selection.

IP Pool Policy

Before creating any Network Policies it may be necessary to create an IP Pool Policy. The IP Pool is used to distribute IP Addresses from UCS Director instead of an IPAM solution or DHCP. If either of those methods are to be used, this section can be skipped.

UCS Director VMware Storage Policy

Mon, 17 Oct 2016 14:08:10 +0000

The storage policy defines how virtual disks will be deployed on vSphere datastores. This policy will be added to the Cisco UCS Director Virtual Data Center construct to provide a comprehensive policy on how to deploy new virtual machines on VMware vSphere.

VMware Storage Policies

To configure a VMware Storage Policy, go to the Policies drop down “Virtual/Hypervisor Policies” –> Storage. Then click on the “VMware Storage Policy” tab.

You’ll notice that there may be some default storage policies listed here. These can be deleted and you can create your own policies from scratch. VMware storage polices are created by default when you add the cloud. Click “Add”.

Cisco UCS Director 6 Guide

Thu, 13 Oct 2016 14:00:44 +0000

Cisco UCS Director 6 is a cloud management platform that can deploy virtual machines and services across vSphere, KVM, Hyper-V and AWS endpoints. UCS Director will manage the orchestration, lifecycle and governance of virtual machines deployed through it and can also help in the automatic provisioning of hardware resources. Cisco has plenty of documentation on how to click the buttons to create constructs used for deployment, but I was not able to find any great resources on what order they should be performed in and why I’m making the choices in the GUI. If you follow this guide in the order of posts listed, it should help you to get a Cisco UCS Director 6 environment setup and be able to use it to deploy virtual resources. This guide does not cover many of the additional benefits that UCSD can provide when dealing with a physical environment. I hope that this guide can give you a good starting point on how the solution works and what you can do with it.

UCS Director Computing Policy

Thu, 13 Oct 2016 13:55:53 +0000

The Computing Polices determine how vCPUs and vMEM will be assigned to a virtual machine deployed through UCS Director as well as which clusters and hosts can have virtual machines placed on them.

Add a VMware Computing Policy

To add a computing policy got to the Policies drop down and select “Virtual/Hypervisor Polices” –> Computing. Then select the VMware Computing Policy tab.

You’ll notice that there may be some default VMware computing policies listed here. These can be deleted and you can create your own policies from scratch. VMware computing polices are created by default when you add the cloud.

UCS Director Infrastructure Setup

Wed, 12 Oct 2016 14:00:05 +0000

UCS Director is a cloud management platform and thus requires some infrastructure to deploy the orchestrated workloads. In many cases UCS Director can also orchestrate the configuration and deployment of bare metal or hardware as well, such as configuring new VLANs on switches, deploying operating systems on blades and setting hardware profiles etc. This post focuses on getting those devices to show up in UCS Director so that additional automation can be performed.

UCS Director Basic Setup Configurations

Tue, 11 Oct 2016 14:05:15 +0000

The basic deployment of UCS Director consists of deploying an OVF file that is available from the Cisco downloads site. This post won’t go through the deployment of the OVF but this should be a pretty simple setup. The deployment will ask for IP Addressing information and some passwords. Complete the deployment of the OVF in your virtual environment and then continue with this post.

Once the OVF has been deployed, open a web browser and place the IP Address of the appliance in the address bar.

Cisco UCS Director VDCs

Mon, 10 Oct 2016 14:16:44 +0000

Cisco UCS Director utilizes the idea of a Virtual Data Center (VDC) to determine how and where virtual machine should be placed. This includes which clusters to deploy to, networks to use, datastores to live on, as well as the guest customization and cost models that will be used for those virtual machines. According to the UCS Director Administration Guide, a Virtual Data Center is “a logical grouping that combines virtual resources, operational details, rules, and policies to manage specific group requirements”. Cisco UCS Director VDCs are the focal point of a virtual machine deployment.

Scaling in vRealize Automation

Thu, 06 Oct 2016 14:18:06 +0000

One of the new features of vRealize Automation in version 7.1 is the ability to scale out or scale in your servers. This sort of scaling is a horizontal scaling of the number of servers. For instance, if you had deployed a single web server, you can scale out to two, three etc. When you scale in, you can go from four servers to three and so on.

Use Cases

The use cases here could really vary widely. The easiest to get started with would be some sort of a web / database deployment where the web servers have some static front end web pages and can be deployed over and over again with the same configurations. If we were to place the web servers behind a load balancer (yep, think NSX here for you vSphere junkies) then your web applications can be scaled horizontally based on when you run out of resources.

Azure Scale Sets

Mon, 03 Oct 2016 14:10:32 +0000

Azure scale sets are a way to horizontally increase or decrease resources for your applications. Wouldn’t it be nice to provision a pair of web servers behind a load balancer, and then add a third or fourth web server once the load hit 75% of capacity? Even better, when the load on those web servers settles down, they could be removed to save you money? This is what an Azure scale set does. Think of the great uses for this; seasonal demand for a shopping site, event promotions that cause a short spike in traffic, or even end of the month data processing tasks could automatically scale out to meet the demand and then scale in to save money when not needed.

Get Started with Azure Automation

Mon, 19 Sep 2016 14:15:50 +0000

Microsoft Azure has a neat way to store and run code right from within Microsoft Azure called “Azure Automation”. If you’re familiar with Amazon’s Lambda service, Azure Automation is similar in many ways. The main difference is that in Azure, we’re working with PowerShell code instead of Python or Node.js.

Create An Azure Automation Account

To get started, the first thing that we need to do is to setup an Azure Automation Account. In your Azure instance, browse for “Automation Accounts” and then click Add. Give the account a name and a subscription that the PowerShell commands should run under. As with any Azure objects, select a resource group or create your own and then select a location. The last setting is to decide whether or not the account with be an “Azure Run As” account. If you select “Yes” then the account will have access to other Azure Resources within your instance. For our examples, this account should be a “run as” account.

Microsoft Azure Portals

Mon, 12 Sep 2016 14:05:06 +0000

If you’re getting started with Microsoft Azure, you may feel confused about where things are located. One of the reasons for this confusion is the current use of multiple portals. It’s hard enough to learn how subscriptions work, how to access the resources through PowerShell and all of those new concepts without having to navigate different sites. This post should shed some light on what the portals are and how they’re used.

Azure Cloud Services

Wed, 07 Sep 2016 14:00:55 +0000

Azure provides a Platform-as-a-Service offering called a “Cloud Service.” Instead of managing every part of a virtual machine (the middle-wear and the application) it might be desirable to only worry about the application that is being deployed. An Azure cloud service allows you to just focus on the app, but does give you access to the underlying virtual machine if you need to use it.

So what makes up an Azure Cloud Service? There are two main types of virtual machines that are deployed through a cloud service; web roles and worker roles. Web roles are Windows servers with IIS installed and ready to use on them. Worker roles are Windows servers without IIS installed. In addition to the Windows instances that will be deployed, a cloud service also includes a load balancer that will automatically load balance the web roles, and an IP Address will be assigned to the load balancer. One thing to note is that the web server roles have an agent installed on them as well so that the load balancer can determine if the server is working correctly and if it needs to remove a server from the load balancer.

Azure Network Interfaces

Tue, 06 Sep 2016 14:05:44 +0000

Azure allows you to manage network interfaces as an object that can be decoupled from the virtual machine. This is important to note, because when you delete your virtual machine, the Network Interface will still be in the Azure Portal. This NIC and all of it’s settings will still exist for reuse if you wish. This would include keeping the Public IP Address that is associated with it, subnets, and Network Security Groups.

Simple Disaster Recovery Options with Zerto

Wed, 24 Aug 2016 14:05:04 +0000

An issue serious enough to require servers in your data center to be failed over to a secondary site will probably keep you busy enough all on it’s own. You don’t want to have to think about how complicated your disaster recovery tool is. I’ve been impressed with Zerto since the first time that I worked with it. The tool requires a piece of software called the Zerto Virtual Manager, to be installed at each of your sites and connected to your vCenters. This manager will then deploy replication appliances on each of your ESXi hosts to manage the replication. From there on, all the replication settings, orchestration options, and fail over tasks are completed through this manager.

Deploying Virtual Machines in Microsoft Azure

Tue, 23 Aug 2016 14:01:28 +0000

Congratulations! If you’ve made it this far in the Microsoft Azure Series, you’re finally ready to start deploying virtual machines in Microsoft Azure. Let’s face it, the whole series has led up to this post because most of you are probably looking at getting started in Azure with the virtual machine. It’s familiar and can house applications, databases, data or whatever you’ve been housing in in your on premises data center. If you’re trying to benchmark Azure with you’re own data center apps, virtual machines are probably where you’ll spend your time. As you learn more about the the platform, Azure’s PaaS offerings might be more heavily used to prevent you from having to manage those pesky operating systems but for now we’re focusing on the VM.

Install PowerShell on Mac

Mon, 22 Aug 2016 14:10:58 +0000

It’s a weird thing to say, but we can install PowerShell on Mac after the announcement from Microsoft that PowerShell will be available for both Macintosh and Linux. It’s pretty easy to accomplish but having a great scripting language like PowerShell available for Mac is really cool and deserves a blog post. I mean, now I don’t even need to fire up my Windows virtual machine just to run PowerShell!

To get started, download the OSX .pkg file from the github page: https://github.com/PowerShell/PowerShell/releases/

Get Started with Azure PowerShell

Mon, 15 Aug 2016 14:35:02 +0000

Microsoft Azure has its own command line that can be used to script installs, export and import configurations and query your portal for information. Being a Microsoft solution, this command line is accessed through PowerShell.

Install Azure PowerShell

Using PowerShell with Microsoft Azure is pretty simple to get up and going. The first step to getting started is to install the Azure PowerShell modules. Open up your PowerShell console and run both “Install-Module AzureRM” and then “Install-Module Azure”.

Azure Storage Accounts

Thu, 11 Aug 2016 14:05:47 +0000

Azure storage accounts provide a namespace in which to store data objects. These objects could be blobs, file, tables, queues and virtual machine disks. This post focuses on the pieces necessary to create a new storage account for use within Azure Resource Manager portal.

Setup

To setup a storage account go to the Azure Resource Manager Portal, select storage accounts and then click the “Add” button. From there you’ll have some familiar settings that will need to be filled out such as a unique name for the account, a subscription to use for billing, a resource group for management, and a location for the region to be used. The rest of this article explains the additional settings shown in the screenshot below.

Create Azure VPN Connection

Mon, 08 Aug 2016 14:05:37 +0000

Unless you’re starting up a company from scratch, you probably won’t host all of your workloads in a public cloud like Microsoft Azure. If you’re building a hybrid cloud, you probably want to have network connectivity between the two clouds and that means a VPN. Microsoft Azure uses a Virtual Network Gateway to provide this connectivity.

NOTE: As of the writing of this blog post, Microsoft has two portals that can be used to provide cloud resources. The Classic portal and the Azure Resource Manager portal. This post focuses on setting up a VPN tunnel using the new Azure Resource Manager portal.

Azure Network Security Groups

Wed, 03 Aug 2016 14:05:32 +0000

An Azure network security group is your one stop shop for access control lists. Azure NSGs are how you will block or allow traffic from entering or exiting your subnets or individual virtual machines. In the new Azure Resource Manager Portal NSGs are applied to either a subnet or a virtual NIC of a virtual machine, and not the entire machine itself.

NOTE: At the time of this post, Azure has a pair of Azure portals, including the classic portal where NSGs are applied to a virtual machine, or the Resource Manager Portal where NSGs are applied to a VNic of a virtual machine.

Setup Azure Networks

Mon, 01 Aug 2016 14:05:16 +0000

Setting up networks in Microsoft Azure is pretty simple task, but care should be taken when deciding how the address space will be carved out. To get started lets cover a couple of concepts about how Azure handles networking. To start we have the idea of a “VNet” which is the IP space that will be assigned to smaller subnets. These VNets are isolated from each other and the outside world. If you want your VNet to communicate with another VNet or your on-premises networks, you’ll need to setup a VPN tunnel. You might be wondering, how do you do any segmentation between servers without having to setup a VPN then? The answer there is using subnets. Multiple subnets can be created inside of a VNet and security groups can be added to them so that they only allow certain traffic, sort of like a firewall does.

Execute vRO Workflow from AWS Lambda

Tue, 26 Jul 2016 14:00:15 +0000

The use cases here are open for debate, but you can setup a serverless call to vRealize Orchestrator to execute your custom orchestration tasks. Maybe you’re integrating this with an Amazon IoT button, or you want voice deployments with Amazon Echo, or maybe you’re just trying to provide access to your workflows based on a CloudWatch event in Amazon. In any case, it is possible to setup an Amazon Lambda call to execute a vRO workflow. In this post, we’ll actually build a Lambda function that executes a vRO workflow that deploys a CentOS virtual machine in vRealize Automation, but the workflow could really be anything you want.

Azure Resource Groups

Mon, 18 Jul 2016 14:05:36 +0000

An Azure resource group is a way for you to, you guessed it, group a set of resources together. This is a useful capability in a public cloud so that you can manage permissions, set alerts, built deployment templates and audit logs on a subset of resources. Resource groups can contain, virtual machines, gateways, VNets, VPNs and about any other resource Azure can deploy.

Most items that you create will need to belong to a resource group but an item can only belong to a single resource group at a time. Resources can be moved from one resource group to another.

Azure Subscriptions

Mon, 11 Jul 2016 14:12:30 +0000

Azure is a great reservoir of resources that your organization can use to deploy applications upon and the cloud is focused around pooling resources together. However, organizations need to be able to split resources up based on cost centers. The development team will be using resources for building new apps, as well as maybe an e-commerce team for production uses. Subscriptions allow for a single Azure instance to separate these costs, and bill to different teams.

Add Custom Items to vRealize Automation

Tue, 05 Jul 2016 14:14:41 +0000

vRealize Automation lets us publish vRealize Orchestrator workflows to the service catalog, but to get more functionality out of these XaaS blueprints, we can add the provisioned resources to the items list. This allows us to manage the lifecycle of these items and even perform secondary “Day 2 Operations” on these items later.

For the example in this post, we’ll be provisioning an AWS Security group in an existing VPC. For now, just remember that AWS Security groups are not managed by vRA, but with some custom work, this is all about to change.

Setup the Azure AD Connector

Mon, 27 Jun 2016 14:10:04 +0000

The cloud doesn’t need to be a total shift to the way you manage your infrastructure. Sure, it has many differences, but you don’t have to redo everything just to provision cloud workloads. One thing you’ll probably want to do is connect your Active Directory Domain to your cloud provider so that you can continue to administer one group of users. Face it, you’re not going to create a user account in AD, then one in Amazon and then another one in Azure. You want to be able to manage one account and have it affect everything. Microsoft Azure allows you to extend your on-prem domain to the Azure portal. This post focuses on the AD Connector and doing a sync.

Ansible with vRealize Automation Quickstart

Mon, 20 Jun 2016 14:04:51 +0000

If you’re brand new to Ansible but have some vRealize Automation and Orchestration experience, this post will get you started with a configuration management tool.

The goal in this example is to deploy a CentOS server from vRealize Automation and then have Ansible configure Apache and deploy a web page. It assumes that you have no Ansible server setup, but do have a working vRealize Automation instance. If you need help with setting up vRealize Automation 7 take a look at the guide here.

Determine the Number of vSphere Clusters to Use

Mon, 13 Jun 2016 14:15:10 +0000

The number of clusters that should be used for a vSphere environment comes up for every vSphere design. The number of clusters that should be used isn’t a standard number and should be evaluated based on several factors.

Number of Hosts

Let’s start with the basics, if the design calls for more virtual machines than can fit into a single cluster, then it’s obvious that multiple clusters must be used. The same is true for a design that calls for more hosts that can fit into a single cluster or any other cluster maximums.

Add REST to a SQL Database

Mon, 06 Jun 2016 14:06:27 +0000

If you do a lot of work with orchestration, you’re almost certain to be familiar with working with a REST API. These REST APIs have become the primary way that different systems can interact with each other. How about database operations? How about the ability to use a generic database to house CMDB data, change tracking or really anything you can think of.

I came across a nifty program called DreamFactory that allows us to add an API to our databases. The examples in this post are all around MS SQL Server, but it also has support for PostgreSQL, NO SQL, SQL Lite, DB2, Salesforce and even Active Directory or LDAP.

vRealize Code Stream with Artifactory

Mon, 23 May 2016 14:04:37 +0000

vRealize Code Stream now comes pre-packaged with JFrog Artifactory which allows us to do some cool things while we’re testing and deploying new code. To begin this post, lets take a look at what an artifactory is and how we can use it.

An artifactory is a version control repository, typically used for binary objects like .jar files. You might already be thinking, how is this different from GIT? My Github account already has repos and does its own version control. True, but what if we don’t want to pull down an entire repo to do work? Maybe we only need a single file of a build or we want to be able to pull down different versions of the same file without creating branches, forks, additional repos or committing new code? This is where an artifactory service can really shine.

Using Jenkins with vRealize Code Stream

Mon, 09 May 2016 14:05:51 +0000

By now, we’re probably Jenkins experts. So lets see how we can use Jenkins with vRealize Code Stream. To give you a little background, vRealize Code Stream is a release automation solution that can be added to VMware’s vRealize Automation solution. It’s a nifty little tool that will let us deploy a server from blueprint, call some Jenkins jobs and deploy code from an artifactory repository. One of the best features is that you can build your release in stages and have gating rules between them so you can automate going from Development to UAT to Production or whatever else you can think of.

Use vRealize Automation with Jenkins

Mon, 02 May 2016 14:05:35 +0000

If you’ve been following the rest of this series about using Jenkins, you’re starting to see that there are a lot of capabilities that can be used to suit whatever use case you have for deploying and testing code. This post focuses on a great plugin that was recently pushed out by Kris Thieler (aka inkysea) and Paul Gifford. These guys have published a Jenkins Plugin for vRealize Automation.

Just like we’ve done in other posts, the first step is to install the plugin in the Manage Plugins section of Jenkins.

Push Code to GIT and test with Jenkins

Mon, 25 Apr 2016 14:26:57 +0000

in previous posts we discussed how you can use Jenkins to test various pieces of code including Powershell. Jenkins is a neat way to test your code and have a log of the successes and failures but let’s face it, you were probably testing your code as you were writing it anyway right? Well, what if you could push your code to GIT and have that code tested each time a GIT push was executed? Then you can have several people working on the same code and when the code gets updated in your repositories, it will be tested and logged. This makes it really nice to see when the code stopped working and who published the code to GIT. Now we’re really starting to see the power of this CI/CD stuff.

Test PowerCLI Code with Jenkins

Mon, 18 Apr 2016 13:58:25 +0000

In the previous post we discuss how to setup a Windows Node to test PowerShell code. In this post, we’ll configure a new Jenkins project to test some very basic PowerCLI code.

To start, we need to have some basics setup on our Windows Node that we setup previously as a slave. In our case, we need to make sure that we have PowerCLI installed on the host. Let’s think about this logically for a second. Jenkins is going to tell our Windows node to execute some PowerCLI scripts as a test. If the Windows node doesn’t understand PowerCLI, then our tests just won’t work. I would suggest that you install PowerCLI on your Windows node and then do a quick test to make sure you can connect to your vCenter server.

Add a Jenkins Node for Windows Powershell

Mon, 11 Apr 2016 14:17:39 +0000

Not all of your Jenkins projects will consist of “Hello World” type routines. What if we want to run some PowerShell jobs? Or better yet, PowerCLI? Our Jenkins instance was built on CentOS and doesn’t run Windows PowerShell very well at all. Luckily for us, in situations like this, we can add additional Jenkins nodes and yes they can also be Windows hosts!

Create a Jenkins Project

Mon, 04 Apr 2016 14:15:00 +0000

In this post we’ll create a Jenkins project on our brand new shiny server that we just deployed. The project we create will be very simple but should show off the possibilities of using a Jenkins server to test your code.

To get started login to your Jenkins server at the http://jenkinsservername:8080 port and then click the “New Item” link. From there give your new project a name. In this example our project is a Freestyle project which will let us throw code right into the project and run it on the Jenkins server or subsequent Jenkins Nodes.

Jenkins Installation

Mon, 28 Mar 2016 14:32:04 +0000

Installing a Jenkins instance is pretty simple if you’re a Linux guy. But even if you’re not a Linux admin, this isn’t going to make you sweat too much. First, start by deploying yourself a Linux instance. The OS version in this post is based on CentOS 7 if you are interested in following along.

Once you’re up and running, make sure you can ping into the box and have SSH access. If you’re new to this, you can find instructions on setting up an SSH daemon here. Now that it’s setup we can install Jenkins by running the following commands.

AWS Cloud Formation Templates in vRealize Automation

Mon, 14 Mar 2016 14:15:46 +0000

Amazon has a pretty cool service that allows you to create a template for an entire set of infrastructure. This isn’t a template for a virtual machine, or even a series of virtual machines, but a whole environment. You can create a template with servers, security groups, networks and even PaaS services like their relational database service (RDS). Hey, in today’s world, infrastructure as code is the direction things are going and AWS has a pretty good solution for that already.

vRealize Automation 7 - Deploy NSX Blueprints

Wed, 09 Mar 2016 15:10:20 +0000

In the previous post we went over how to get the basics configured for NSX and vRealize Automation integration. In this post we’ll build a blueprint and deploy it! Let’s jump right in and get started.

Blueprint Designer

Login to your vRA tenant and click on the Design Tab. Create a new blueprint just like we have done in the past posts. This time when you are creating your blueprint, click the NSX Settings tab and select the Transport zone. I’ve also added a reservation policy that can help define with reservations are available for this blueprint.

vRealize Automation 7 - NSX Initial Setup

Mon, 07 Mar 2016 15:01:03 +0000

Its time to think about deploying our networks through vRA. Deploying servers are cool, but deploying three tiered applications in different networks is cooler. So lets add VMware NSX to our cloud portal and get cracking.

The first step is to have NSX up and running in your vSphere environment. Once this simple task is complete, a Distributed Logical Router should be deployed with an Uplink interface configured. The diagram below explains what needs to be setup in vSphere prior to doing any configurations in vRealize Automation. A Distributed Logical Router with a single uplink to an Edge Services Gateway should be configured first, then any new networks will be built through the vRealize Automation integration. While the section of the diagram that is manual, will remain roughly the same throughout, the section handled by vRealize Automation will change often, based on the workloads that are deployed. Note: be sure to setup some routing between your Provider Edge and the DLR so that you can reach the new networks that vRA creates.

vRealize Automation 7 – XaaS Blueprints

Mon, 29 Feb 2016 15:03:07 +0000

XaaS isn’t a made up term, well maybe it is, but it supposed to stand for “Anything as a Service.” vRealize Automation will allow you to publish vRO workflows in the service catalog. This means that you can publish just about any thing you can think of, and not just server blueprints. If you have a workflow that can order your coffee and have it delivered to you, then you can publish it in your vRA service catalog. Side note, if you have that workflow, please share it with the rest of us.

vRealize Automation 7 - Load Balancer Rules

Wed, 24 Feb 2016 15:15:32 +0000

In a previous post we went over installing an Enterprise Install of vRealize Automation behind a load balancer. This install required us to setup a Load Balancer with three VIPs but also required that we only had one active member in each VIP. A load balancer with a single member doesn’t really balance much load does it?

After the installation is done, some modifications need to be made on the Load Balancer. The instructions on this can be found in the official vRealize Automation Load Balancing Configuration Guide if you want to learn more. There are several examples on how to setup load balancing on an F5 load balancer and NSX for example. This post will focus on a KEMP load balancer which is free for vExperts and it will all be shown through with GUI examples.

vRealize Automation 7 – Enterprise Install

Mon, 22 Feb 2016 15:09:48 +0000

OK, You’ve done a vRealize Automation 7 simple install and have the basics down. Now it’s time to put your grown up pants on, and get an enterprise install done. This is a pretty long process, so be ready, but trust me, this is much better in version 7 than in the past.

Load Balancer

To start with, you will want to configure your load balancer. An enterprise install means that you’ll want at least two of each type of service so that you can protect yourself from a failure. There are three Virtual IPs (VIPs) that should be created prior to starting your install. The table below lists an example list of VIPs with their associated members and ports.

vRealize Automation 7 – Custom Actions

Mon, 15 Feb 2016 15:31:16 +0000

We’ve deployed a virtual machine from a vRA blueprint, but we still have to manage that machine. One of the cool things we can do with vRealize Automation 7 is to add a custom action. This takes the virtual machine object and runs a vRealize Orchestration blueprint against that input. We call these actions “Day 2 Operations” since they happen post provisioning.

To create a new custom resource action go to the Design Tab –> Design –> Resource Actions. Click the “New” button to add a new action.

vRealize Automation 7 - Custom Properties

Wed, 10 Feb 2016 15:09:39 +0000

Custom Properties are used to control aspects of machines that users are able to provision. For example, memory and CPU are required information that are necessary for users to deploy a VM from a blueprint. Custom properties can be assigned to a blueprint or reservation to control how memory and CPU should be configured.

Custom properties are really powerful attributes that can vastly change how a machine behaves. I like to think of custom properties as the “Windows Registry” of vRealize Automation. Changing one property can have a huge effect on deployments.

vRealize Automation 7 – Subscriptions

Mon, 08 Feb 2016 15:05:14 +0000

In vRealize Automation 7 a new concept was introduced called a “Subscription.” A subscription is a way to allow you to execute a vRealize Orchestrator workflow based on some sort of event that has taken place in vRA. Simple idea huh? Well some of you might be thinking to yourself, “Yeah, this is called a stub, Duh!” The truth is that stubs are still available in vRealize Automation 7 but are clearly being phased out and we should stop using them soon because they are likely to not be around in future versions. The idea of an event subscription is a lot like a stub when in the context of machine provisioning, but there are a lot more events that can be triggered than the stubs that have been around in previous versions. Let’s take a look.

vRealize Automation 7 – Manage Catalog Items

Tue, 02 Feb 2016 15:05:37 +0000

You’ve created your blueprints and entitled users to use them. How do we get them to show up in our service catalog? How do we make them look pretty and organized? For that, we need to look at managing catalog items.

Log in as a tenant administrator and go to the Administration Tab –> Catalog Management –> Catalog Items. From here, we’ll need to look for the blueprint that we’ve previously published. Click on the blueprint.

vRealize Automation 7 – Entitlements

Mon, 01 Feb 2016 15:01:13 +0000

An entitlement is how we assign users a set of catalog items. Each of these entitlements can be managed by the business group manager or a tenant administrator can manage entitlements for all business groups in their tenant.

To create a new entitlement go to Administration tab –> Catalog Management –> Entitlements. Click the “New” button to add a new entitlement.

Under the General tab, enter a name for the entitlement and a description. Change the status to “Active” and select a Business Group. Note: If only a single business group has been created, this will not be selectable since it will default to the only available group. Then select the users who will be part of this entitlement.

vRealize Automation 7 – Blueprints

Thu, 28 Jan 2016 15:10:13 +0000

Blueprints are arguably the thing you’ll spend most of your operational time dealing with in vRealize Automation. We’ve finally gotten most of the setup done so that we can publish our vSphere templates in vRA.

To create a blueprint in vRealize Automation 7 go to the “Design” tab. Note: If you’re missing this tab, be sure you added yourself to the custom group with permissions like we did in a previous post, and that you’ve logged back into the portal after doing so.

vRealize Automation 7 – Custom Groups

Thu, 28 Jan 2016 15:05:40 +0000

If you’ve been reading the whole series of posts on vRealize Automation 7, then you’ll know that we’ve already been setting up roles in our cloud portal, but we’re not done yet. If you need any permissions besides just requesting a blueprint, you’ll need to be added to a custom group first.

To create a custom group, login as a tenant administrator and go to the Administration Tab –> Users and Groups –> Custom Groups. From there click the “New” button to add a new custom group.

vRealize Automation 7 – Services

Tue, 26 Jan 2016 15:05:21 +0000

Services might be a poor name for this feature of vRealize Automation 7. When I think of a service, I think of some sort of activity that is being provided but in the case of vRA a service is little more than a category or type. For example, I could have a service called “Private Cloud” and put all of my vSphere blueprints in it and another one called “Public Cloud” and put all of my AWS blueprints in it. In the screenshot below you can see the services in a catalog. If you highlight the “All Services” service, it will show you all blueprints regardless of their service category. Otherwise, selecting a specific service will show you only the blueprints in that category.

vRealize Automation 7 – Reservations

Mon, 25 Jan 2016 15:16:53 +0000

vRealize Automation 7 uses the concept of reservations to grant a percentage of fabric group resources to a business group. To add a reservation go to Infrastructure –> Reservations. Click the “New” button to add a reservation and then select the type of reservation to be added. Since I’m using a vSphere Cluster, I selected Virtual –> vCenter. Depending on what kind of reservations you’ve selected, the next few screens may be different, but I’m assuming many people will use vSphere so I’ve chosen this for my example.

vRealize Automation 7 – Business Groups

Thu, 21 Jan 2016 15:15:27 +0000

The job of a business group is to associate a set of resources with a set of users. Think of it this way, your development team and your production managers likely need to deploy machines to different sets of servers. I should mention that a business group doesn’t do this by itself. Instead it is combined with a reservation which we’ll discuss in the next post. But before we can build those out, lets setup our business groups as well as machine prefixes.

vRealize Automation 7 – Fabric Groups

Tue, 19 Jan 2016 15:09:39 +0000

In the last post we setup an vCenter endpoint that defines how our vRealize Automation solution will talk to our vSphere environment. Now we must create a fabric group. Fabric Groups are a way of segmenting our endpoints into different types of resources or to separate them by intent. These groups are mandatory before you can build anything so don’t think that since you don’t need to segment your resources, that you can get away with not creating one.

vRealize Automation 7 – Endpoints

Mon, 18 Jan 2016 15:06:46 +0000

Now that we’ve setup our new tenant, lets login as an infrastructure admin and start assigning some resources that we can use. To do this we need to start by adding an endpoint. An endpoint is anything that vRA uses to complete it’s provisioning processes. This could be a public cloud resource such as Amazon Web Services, an external orchestrator appliance, or a private cloud hosted by Hyper-V or vSphere.

vRealize Automation 7 – Create Tenants

Thu, 14 Jan 2016 16:10:08 +0000

Now it’s time to create a new tenant in our vRealize Automation portal. Let’s login to the portal as the system administrator account as we have before. Click the Tenants tab and then click the “New” button.

Give the new tenant a name and a description. Then enter a URL name. This name will be appended to this string: https://[vraappliance.domain.name]/vcac/org/ and will be the URL that users will login to. In my example the url is https://vra7.hollow.local/vcac/org/labtenant. Click “Submit and Next”.

vRealize Automation 7 - Authentication

Wed, 13 Jan 2016 15:03:15 +0000

In order to setup Active Directory Integrated Authentication, we must login to our default tenant again but this time as our “Tenant Administrator” (we setup in the previous post) instead of the system administrator account that is created during initial setup.

Once you’re logged in, click the Administration tab –> Directories Management –> Directories and then click the “Add Directory” button. Give the directory a descriptive name like the name of the ad domain for example. Then select the type of directory. I’ve chosen the “Active Directory (Integrated Windows Authentication)” option. This will add the vRA appliance to the AD Domain and use the computer account for authentication. Note: you must setup Active Directory in the default (vsphere.local) tenant before it can be used in the subtenants.

vRealize Automation 7 - Base Setup

Tue, 12 Jan 2016 15:07:46 +0000

We’ve got vRA installed and thats a good start. Our next step is to login to the portal and start doing some configuration. Go to https://vra-appliance-name-orIP and enter the administrator login that you specified during your install. Unlike prior versions of vRealize Automation, no domain vsphere.local domain suffix is required to login.

To start, Lets add some local users to our vSphere.local tenant. Click on the vsphere.local tenant.

Click on the “Local users” tab and then click the “New” button to add a local account. I’ve created a vraadmin account that will be a local account only used to manage the default tenant configurations.

vRealize Automation 7 Guide

Mon, 11 Jan 2016 15:45:35 +0000

If following the posts in order, this guide should help you setup vRealize Automation 7 from start to finish. This is a getting started guide that will hopefully get you on the right path, answer any questions you might have, and give you tips on deploying your own cloud management portal.

Part 1 - Simple Installation

Part 2 -Base Setup

Part 3 - Authentication

Part 4 - Tenants

Part 5 - Endpoints

Part 6 - Fabric Groups

Part 7 - Business Groups

Part 8 - Reservations

Part 9 - Services

Part 10 - Custom Groups

Part 11 - Blueprints

Part 12 - Entitlements

Part 13 - Manage Catalog Items

Part 14 - Event Subscriptions

Part 15 - Custom Properties

Part 16 - XaaS Blueprints

Part 17 - Resource Actions

Part 18 - Enterprise Install

Part 19 - Load Balancer Settings

Part 20 - NSX Initial Setup

Part 21 - NSX Blueprints

Part 22 - Code Stream and Jenkins Setup

Part 23 - Code Stream and Artifactory Setup

Part 24 - Add Custom Items to vRA7

Part 25 - Upgrade vRA from 7.1 to 7.2

Part 26 - Adding an Azure Endpoint

Part 27 - Installing vRealize Code Stream for IT DevOps

Part 28 - Configuring Endpoints for vRealize Code Stream for IT DevOps

Part 29 - Using vRealize Code Stream for IT DevOps

Part 30 - Unit Testing with vRealize Code Stream for IT DevOps

Part 31 - Containers on vRealize Automation

Part 32 - vRA 7.3 Component Profiles

Part 33 - vRA 7.5 Upgrade

If you’re looking for a getting started video, check out this P luralsight course for a quick leg up on vRA 7.

vRealize Automation 7 Simple Installation

Mon, 11 Jan 2016 15:00:21 +0000

This is our first stop in our journey to install vRealize Automation 7 and all of it’s new features. This post starts with the setup of the environment and assumes that you’ve deployed a vRealize Automation appliance from an OVA and that you’ve also got a Windows Server deployed so that we can install the IAAS components on it.

After you’ve deployed the vRA7 OVA, login to the appliance with the root login and password supplied during your OVA deployment.

Veeam Package for vRealize Orchestrator

Mon, 07 Dec 2015 15:00:10 +0000

Veeam is a popular backup product for virtualized environments but who wants to spend their days adding and removing machines to backup jobs?

Now available on github is a Veeam package for vRealize Orchestrator. This is my gift to you, just in time for the Hollow-days.

Available Features

The following features are available with the plugin for it’s initial release.

Add a VM to an existing backup job
Remove a VM from a backup job
Start a backup job immediately
Add a Build Profile to vRealize Automation
Add a VM to a backup job from vRA
Remove a VM from a backup job from vRA

Some additional functionality could easily be added to your environment using the existing worfklows such as start a backup as a Day 2 operation in vRA, or change backup jobs etc. The world is your oyster.

vRealize Automation 6 with NSX – Firewall

Mon, 30 Nov 2015 15:08:27 +0000

So far we’ve talked a lot about using our automation solution to automate network deployments with NSX. But one of the best features about NSX is how we can firewall everything! Lucky for us, we can automate the deployment of specific firewall rules for each of our blueprints as well as deploying brand new networks for them.

Use Case: There are plenty of reasons to firewall your applications. It could be for compliance purposes or just a good practice to limit what traffic can access your apps.

Create a Day 2 Operations Wrapper

Mon, 16 Nov 2015 15:08:30 +0000

Just deploying virtual machines in an automated fashion is probably the most important piece of a cloud management platform, but you still need to be able to manage the machines after they’ve been deployed. In order to add more functionality to the portal, we can create post deployment “actions” that act on our virtual machine. For instance an action that snapshots a virtual machine would be a good one. We refer to these actions that take place after the provisioning process a “Day 2 Operation”, probably because it’s likely to happen on the second day or later. Clever huh?

vRealize Automation 6 with NSX – Load Balancing

Mon, 09 Nov 2015 15:19:10 +0000

If you’re building a multi-machine blueprint or multi-tiered app, there is a high likelihood that at least some of those machines will want to be load balanced. Many apps require multiple web servers in order to provide additional availability or to scale out. vRealize Automation 6 coupled with NSX will allow you to put some load balancing right into your server blueprints.

Just to set the stage here, we’re going to deploy an NSX Edge appliance with our multi-machine blueprint and this will load balance both HTTPs and HTTP traffic between a pair of servers.

vRealize Automation 6 with NSX - NAT

Mon, 02 Nov 2015 15:10:54 +0000

You’re network isn’t fully on IPv6 yet? Ah, well don’t worry you’re certainly not alone, in fact you’re for sure in the majority. Knowing this, you’re probably using some sort of network address translation (NAT). Luckily, vRealize Automation can help you deploy translated networks as well as routed and private networks with a little help from NSX.

A quick refresher here, a translated network is a network that remaps an IP Address space from one to another. The quickest way to explain this is a public and a private IP Address. Your computer likely sits behind a firewall and has a private address like 192.168.1.50 but when you send traffic to the internet, the firewall translates it into a public IP Address like 143.95.32.129. This translation can be used to do things like keeping two servers on a network with the exact same IP Address.

vRealize Automation 6 with NSX - Routed Networks

Mon, 26 Oct 2015 14:00:28 +0000

Any corporate network thats larger than a very small business is likely going to have a routed network already. Segmenting networks improves performance and more importantly used for security purposes. Many compliance regulations such as PCI-DSS state that machines need to be segmented from each other unless there is a specific reason for them to be on the same network. For instance your corporate file server doesn’t need to communicate directly with your CRM database full of credit card numbers. The quickest way to fix this is to put these systems on different networks but this can be difficult to manage in a highly automated environment. Developers might need to spin up new applications which may need to be on different network segments from the rest of the environment. Its not very feasible to assume we can now spin up test and delete hundred of machines each day, but need the network team to manually create new network segments and tear them down each day. That wouldn’t be a nice thing to do to your network team.

vRealize Automation 6 with NSX - Private Networks

Mon, 19 Oct 2015 14:05:45 +0000

Of the types of networks available through NSX, private networks are the easiest to get going because they don’t require any NSX edge routers to be in place. Think about it, the NSX edge appliance is used to allow communication with the physical network which we won’t need for a private network.

A quick refresher here, a private network is a network that is not connected to the rest of the environment. Machines that are on the private network can communicate with each other, but nothing else in the environment. Its simple, think of some machines connected to a switch and the switch isn’t connected to any routers. The machines connected to the switch can talk to each other, but thats it.

vRealize Automation 6 with NSX - Initial Setup of NSX

Mon, 12 Oct 2015 14:00:22 +0000

Before we can start deploying environments with automated network segments, we need to do some basic setup of the NSX environment.

NSX Manager Setup

It should be obvious that you need to setup NSX Manager, deploy controllers and do some host preparation. These are basic setup procedures just to use NSX even without vRealize Automation in the middle of things, but just as a quick review:

Install NSX Manager and deploy NSX Controller Nodes

NSX Manager setup can be deployed from an OVA and then you must register the NSX Manager with vCenter. After this is complete, deploy three NSX Controller nodes to configure your logical constructs.

vRealize Automation Entity Properties

Mon, 05 Oct 2015 14:19:16 +0000

A common task that comes up during an automation engagement relates to passing values from vRealize Automation blueprints over to vRealize Orchestrator. There is a workflow that I use quite frequently that will list the properties available for further programming and you can download the plugin at github.com if you’d like to use it as well.

How it works

The workflow takes several inputs that are provided by vRealize Automation during a stub like Building Machine, Machine Provisioned or Machine Disposing. These inputs include the vRA Virtual Machine instance, the vCenter Virtual Machine ID, the vRealize Automation Host, the stubs used and most importantly the vRealize Automation VM properties.

vRealize Automation Load Balancer Settings

Mon, 28 Sep 2015 13:56:30 +0000

I found some conflicting information about setting up load balancers for vRealize Automation in a Distributed installation, specifically around Health Checks. The following health checks were found to work for a fully distributed installation of vRA 6.2.2.

vRealize Automation Appliances

This is the pair of vRealize Automation Linux appliances that are deployed via OVA file.

Type: HTTPS

Interval: 5 seconds

Timeout: 9 seconds

Send String: GET /vcac/services/api/statusrn

Load Balancing Method: Round Robin

vRealize Automation and vCloud Air Integration

Mon, 21 Sep 2015 14:07:42 +0000

vRealize Automation is at its best when it can leverage multiple infrastructures to provide a hybrid cloud infrastructure. One of the things we might want to do is to set up VMware vCloud Air integration with your vRA instance.

To start, we need to have a vCloud Air account which you can currently sign up for with some initial credits to get you started for free. Once you’ve got an account you’ll be able to setup a VDC and will have some catalogs that you can build VMs from. If you’re concerned about these steps, don’t worry a default VDC including some storage and a network will be there for you by default.

Assign a VM to a Rubrik slaDomain

Mon, 14 Sep 2015 14:00:16 +0000

This last post in the series shows you how Nick Colyer and I to tie everything together. If you want to just download the plugins and get started, please visit Github.com and import the plugins into your own vRealize Orchestrator environment.

Download the Plugin from Github

NOTE: The first version of this code has been refactored and migrated to Github in Rubrik’s Repository since the time of this initial writing

To recap where we’ve been, we:

Get Rubrik VM through vRealize Orchestrator

Thu, 10 Sep 2015 14:07:51 +0000

Part four of this series will show you how to lookup a VM in the Rubrik Hybrid Cloud appliance through the REST API by using vRealize Orchestrator. If you’d rather just download the plugin and get using it, check out the link to Github to get the plugin and don’t forget to check out Nick Colyer’s post over at systemsgame.com about how to use it.

Download the Plugin from Github

NOTE: The first version of this code has been refactored and migrated to Github in Rubrik’s Repository since the time of this initial writing

Rubrik API Logins through vRealize Orchestrator

Tue, 08 Sep 2015 14:00:17 +0000

Part three of this series focuses on how Nick Colyer and I built the authentication piece of the plugin so that we could then pass commands to the Rubrik appliance. An API requires a login just like any other portal would. Since this is a a REST API, we actually need to do a “POST” on the login resource to get ourselves an authentication token.

Download the Plugin from Github

NOTE: The first version of this code has been refactored and migrated to Github in Rubrik’s Repository since the time of this initial writing

UCS Director Dynamic List of Values

Mon, 10 Aug 2015 13:55:47 +0000

When you execute a Cisco UCS Director workflow you’re usually prompted to enter in some information. Usually this is something like a virtual machine name, or an IP Address, even some credentials possibly. The values that you enter can be formatted so that they come from a list and the user just has to select the right value. This helps immensely in the amount of troubleshooting you have to do because only specific verified values can be displayed.

VCDX Vision Quest and Mea Culpa

Mon, 20 Jul 2015 14:07:44 +0000

Long is the way and hard, that out of hell leads up to light - Milton

Apparently, Milton has been through the VCDX process. It is a challenge that will test your resolve and you will probably learn a lot along the way. You’ll also be glad when its over.

I’ve been good at many things in my life, but never felt like I was great at anything. I’ve succeeded at most things I’ve attempted, but the VCDX was a goal I truly didn’t think I was capable of achieving. Chris Colotti mentioned in one of his posts that you need to decide why you’re going for the VCDX in the first place. In my case, I was doing it to prove to myself that I could do it. The process really taught me something about myself that I didn’t know. It was my own personal Vision Quest. (Queue Lunatic Fringe them song here)