VMware on AWS Quick Hits

vSphere plus SDDC Manager (VMware Cloud Foundation) plus NSX-V, hosted on bare metal at AWS.

VMware owns and manages the hardware account and bills you directly (separate from any AWS account you have).

4 nodes to start; each node is 2-socket/36-core with 512 GB RAM and 10.7 TB of all-flash storage.

Scales to 16 nodes currently.

US only (east and west regions) for now.

NSX-V with two IPsec VPN tunnels (one management, one compute) back to your data center (not required, but the service is intended as a hybrid).

Prefers NSX at your end of the tunnel, but works with IPsec endpoints from many hardware vendors.

One ESG, one DLR.

AWS services are reached either directly (the compute Edge attaches to your VPC through an ENI) or over the internet.

Can connect to an AWS VPC Endpoint.

Includes routing table updates when connecting directly to AWS networks.

Gives a whole new meaning to “It’s not the cloud – it’s just someone else’s computer”

Posted in Cloud, Computing, Network, NSX, Security, Virtualization, VMware

VMware AppDefense Quick Hits

Brought to you by the NSBU at VMware, home of NSX-V, NSX-T and vRNI.

Cloud-based, with a local "proxy" where one is needed.

Developer-focused, with tie-ins to the development pipeline to track changes.

Supports Windows Server 2012, 2012 R2 and 2016, with *nix support coming.

Loads a "module" into the guest; the hypervisor protects that module's memory from the guest itself.

Watches a large set of behaviours to learn what proper operation looks like and flags deviations from it.

One such check: it hashes the running executables and periodically re-verifies the hash.
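To make that executable-hash check concrete, here is an added example (my own illustration for this page, not AppDefense code) that does the same thing from inside a Windows guest with plain PowerShell: it records the SHA-256 of every running process image and, on later runs, reports images that are new or whose hash has changed. The baseline path is an assumption. The difference from AppDefense is the point: this script hashes the file on disk and runs inside the guest, so anything with admin rights in the guest can tamper with it, whereas the AppDefense module is protected from the guest by the hypervisor.

```powershell
# Added illustration, not AppDefense code: baseline the SHA-256 of every running
# process image, then re-check later and flag anything new or changed.
# Assumes Windows PowerShell 4+ (Get-FileHash) and a writable baseline path.

function Get-RunningImageHashes {
    # Returns a hashtable: full image path -> SHA-256 hex digest (or 'UNREADABLE').
    $hashes = @{}
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        $path = $p.Path
        # Protected/system processes (System, Registry, some svchost instances when
        # not elevated) expose no Path; skip them rather than hash nothing.
        if ([string]::IsNullOrEmpty($path)) { continue }
        if ($hashes.ContainsKey($path)) { continue }   # many PIDs, one image
        try {
            $hashes[$path] = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction Stop).Hash
        } catch {
            # Image unreadable (AV lock, permissions, file replaced on disk)
            $hashes[$path] = 'UNREADABLE'
        }
    }
    return $hashes
}

function Compare-ImageHashes {
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [Parameter(Mandatory)] [hashtable] $Current
    )
    # Emits one object per deviation: an image not in the baseline, or one whose
    # hash differs. Images in the baseline that are no longer running are ignored.
    foreach ($path in $Current.Keys) {
        if (-not $Baseline.ContainsKey($path)) {
            [pscustomobject]@{ Path = $path; Status = 'NEW';     Baseline = $null;           Current = $Current[$path] }
        } elseif ($Baseline[$path] -ne $Current[$path]) {
            [pscustomobject]@{ Path = $path; Status = 'CHANGED'; Baseline = $Baseline[$path]; Current = $Current[$path] }
        }
    }
}

# Usage: the first run records the baseline, later runs report drift.
$BaselinePath = 'C:\ProgramData\ImageBaseline.json'   # assumed location; needs admin to write
if (-not (Test-Path $BaselinePath)) {
    Get-RunningImageHashes | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    # ConvertFrom-Json yields a PSCustomObject; turn it back into a hashtable
    $json = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $baseline = @{}
    foreach ($prop in $json.PSObject.Properties) { $baseline[$prop.Name] = $prop.Value }
    Compare-ImageHashes -Baseline $baseline -Current (Get-RunningImageHashes) | Format-Table -AutoSize
}
```

Run it elevated from a scheduled task. A CHANGED line for a binary that was not patched, or a NEW line for an image under a user-writable path, is the kind of deviation the post is describing; 'UNREADABLE' deserves a look too, since a locked or vanished image on a running process is unusual.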

Posted in Security, Virtualization, VMware

VMware NSX-T Quick Hits

NSX-T(ransformers) is the multi-hypervisor (ESXi/KVM) cousin of NSX-V.

Same SKU (if you own NSX-V 6.x, you own NSX-T 2.x).

One NSX-T Manager can have multiple vCenters as "compute endpoints".

Standalone HTML5 client (not the vSphere Web Client).

NSX-T Edges can be VMs or run on bare metal.

Supports 8-way Edge ECMP, but with fewer services on the Edge than NSX-V.

More and better BGP support, options and settings, including BFD.

Uses Geneve instead of VXLAN for the overlay because of Geneve's extensible header.

Protects cloud-native apps and provides container-level microsegmentation. The Google/Kubernetes project is protected by NSX-T.

Posted in Network, NSX, Security, Virtualization, VMware

Migrate VMs between portgroups/virtual switches/vSS/vDS

I wrote this to help a client migrate to VXLAN from portgroups.

It pulls from a CSV file named c:\scripts\ImportPortGroups.csv which is structured:

123,dVLAN 123,

and accepts the identifier (the VLAN number) as a command-line parameter, e.g.:
changeportgroups 123

The CSV file needs: identifier, portgroup name, virtual switch name

If you don't enter an initial parameter it will remind you and exit.

Entering an initial parameter, the script grabs the line from the CSV where the first value matches your input.

It will then:
Pull the PG and VS from vCenter and ask you to verify that is what you are looking to work with.
Count the VMs on the PG and on the VS, display both, and ask which way the move should go (all to VS or all to PG).
Migrate the VMs and display the number of VMs now on the PG and on the VS.

You can get the script here.

FYI the one-liner version of the script is:

Get-VM | Get-NetworkAdapter | Where-Object { $_.NetworkName -eq "OldPortGroup" } | Set-NetworkAdapter -NetworkName "NewPortGroup" -Confirm:$false
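The linked script is not reproduced here; what follows is an added PowerCLI implementation of the procedure described above, written for this page rather than taken from the post. It assumes an already-connected PowerCLI session (Connect-VIServer), the header-less CSV layout identifier,portgroup name,switch name, and that the third column names the port group that backs the destination logical switch (the vxw-dvs-*-virtualwire-* distributed port group). The file name changeportgroups.ps1 and the prompt wording are assumptions.

```powershell
# Added example (not the post's script): move every vNIC between the VLAN port
# group ("PG") and the logical-switch port group ("VS") named on one CSV line.
# Save as changeportgroups.ps1 and run: .\changeportgroups.ps1 123
param(
    [Parameter(Position = 0)] [string] $Identifier,
    [string] $CsvPath = 'C:\scripts\ImportPortGroups.csv'
)

if (-not $Identifier) {
    Write-Host 'Usage: .\changeportgroups.ps1 <identifier>   e.g. .\changeportgroups.ps1 123'
    exit 1
}

# The CSV has no header row, so name the three columns here.
$row = Import-Csv -Path $CsvPath -Header Id, PortGroup, Switch |
       Where-Object { $_.Id -eq $Identifier } | Select-Object -First 1
if (-not $row) { Write-Host "No line in $CsvPath has identifier '$Identifier'"; exit 1 }

function Resolve-PortGroup([string] $Name) {
    # A name may be a distributed port group (including the vxw-...-virtualwire-...
    # group that backs a logical switch) or a standard vSwitch port group; try vDS first.
    if ([string]::IsNullOrWhiteSpace($Name)) { throw "CSV line '$Identifier' is missing a port group name" }
    $pg = Get-VDPortgroup -Name $Name -ErrorAction SilentlyContinue
    if (-not $pg) { $pg = Get-VirtualPortGroup -Name $Name -ErrorAction SilentlyContinue }
    if (-not $pg) { throw "Port group '$Name' not found in vCenter" }
    return ($pg | Select-Object -First 1)
}

$pg = Resolve-PortGroup $row.PortGroup   # the VLAN-backed "PG"
$vs = Resolve-PortGroup $row.Switch      # the logical-switch-backed "VS"
Write-Host "PG = '$($pg.Name)'   VS = '$($vs.Name)'"
if ((Read-Host 'Is this the pair you want to work with? (y/n)').ToLower() -ne 'y') { exit 0 }

function Get-AdapterCounts {
    # Counts vNICs currently attached to each side; NetworkName is the port group name.
    $adapters = Get-VM | Get-NetworkAdapter
    [pscustomobject]@{
        OnPg = @($adapters | Where-Object { $_.NetworkName -eq $pg.Name })
        OnVs = @($adapters | Where-Object { $_.NetworkName -eq $vs.Name })
    }
}

$counts = Get-AdapterCounts
Write-Host "PG '$($pg.Name)': $($counts.OnPg.Count) adapters    VS '$($vs.Name)': $($counts.OnVs.Count) adapters"
$answer = Read-Host 'Move all to VS (v), all to PG (p), or quit (q)?'
switch ($answer.ToLower()) {
    'v'     { $toMove = $counts.OnPg; $target = $vs }
    'p'     { $toMove = $counts.OnVs; $target = $pg }
    default { Write-Host 'No changes made.'; exit 0 }
}
if ($toMove.Count -eq 0) { Write-Host 'Nothing to move.'; exit 0 }

# -NetworkName resolves the port group on each VM's own host, so it works for both
# standard and distributed port groups; -Confirm:$false avoids one prompt per vNIC.
$toMove | Set-NetworkAdapter -NetworkName $target.Name -Confirm:$false | Out-Null

$counts = Get-AdapterCounts
Write-Host "After move: PG $($counts.OnPg.Count) adapters    VS $($counts.OnVs.Count) adapters"
```

Each reconnect is a brief traffic blip for that vNIC, so run it in a window, and check the "after" counts against the "before" counts: a vNIC that is on neither side afterwards was disconnected rather than moved.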

Posted in NSX, PowerShell, Scripting, Virtualization, VMware

VMware Cloud Foundation Quick Hits

VMware Cloud Foundation consists of VMware vSphere, vSAN, NSX and “SDDC Manager”.

SDDC Manager will manage the lifecycle of the different components of VCF and can also manage the lifecycle of “add-ons” like VMware Horizon, VMware vRealize Suite, vRealize Operations and vRealize Log Insight.

Licensing is per CPU, but talk to your reseller about how to buy it: you can't buy SDDC Manager on its own, you can reuse existing licenses toward VCF, and vCenter isn't included in VCF.

You can buy VCF pre-installed on VxRack or just buy vSAN Ready hardware and roll your own. You’ll want to check your switches against the VCF HCL also.

Who should buy VCF: anyone who wants vSphere/vSAN/NSX but doesn’t want to install the components themselves or manage patching them.

Posted in Cloud, Virtualization, VMware

Free NSX books from VMware

VMware NSX Micro-segmentation: Day 1 Guide

VMware NSX Micro-segmentation: Day 2 Guide

VMware Operationalizing NSX

Automating NSX for vSphere with PowerNSX

Posted in Network, Scripting, Security, Virtualization, VMware

VMware badges – 2017 edition (vROps / vSAN)

[Edit: Added time/#Qs to vSAN after someone tried it and responded to me]

VMware Certification has announced a series of "badges" that existing VCPs can add to demonstrate knowledge in either vROps or vSAN.

vSAN was announced last week

Right now the portal claims the exams are only available during VMworld US (Aug 27-29). My guess would be the price will go up after VMworld with a new date range.

Key points:
VCP required
$250 for vSAN or $125 at VMworld
$125 for vROps until 8/29 then ??

  • (note: I was told vROps has a 40% discount for the next few months, but that is not reflected at checkout, so YMMV)

at a Pearson center for vSAN
online for vROps

vSAN time: 110min plus 30min time extension for ESL.
vSAN questions: 60

vROps: The number of questions and time allowed are not currently posted. if anyone pays the $125 and finds out please let me know!

Note that vSAN claims a “high score” is required to pass but generally

Prep Guides (with sample questions and outline)
VMware vRealize Operations 2017 Specialist

VMware vSAN 2017 Specialist

If you are interested in taking an exam just as expensive and time consuming as a VCP that only counts as a “badge” let me know in the comments.

Posted in Certification, Virtualization, VMware

Get your VMware certification URL and PDFs

After all that hard work, it’s time to show off.  You can obtain PDFs of your VMware certifications or a URL listing all of them in the VMware Certification Manager.

The URL will look like https://www.certmetrics.com/vmware/public/transcript.aspx?transcript=V5C8E3G22MVQ1VJX and can be sent to prospective employers, or added to LinkedIn as verification of your skill set.

URL steps:
Step 1:
Login to VMware Education.

Step 2:
Click on the Certification Manager link.

Step 3:
Click Manage your Transcripts.

Step 4:
If you don’t have a transcript listed, create a new one.

Step 4a:
Leave all the defaults and enter an expiration for the transcript.  Note that the URL won’t work after this date.


Step 5:
Click the Link icon and copy the URL listed.

Step 6:


PDF Steps:

Step 1:
Login to VMware Education.

Step 2:
Click on the Certification Manager link.

Step 3:
Click Track your certification status.

Step 4:
Each certification (note that VCIX is a “badge” and doesn’t have a PDF) will have a PDF link next to it.

Step 5:
Print and hang on the fridge for all to see.

Posted in Certification, VMware

NSX, BGP, ECMP quick hits

When configuring NSX, BGP and ECMP there are a few configuration requirements you need to keep in mind:

BGP neighbors
ESG Firewall must be disabled
BGP Timers
BGP Graceful Restart
Static Routes on the ESGs
Static Routes on the DLR

Anti-Affinity Rules
iBGP vs eBGP

BGP neighbors
Equal Cost Multi-Pathing lets a router spread traffic across several equal-cost paths to the same destination.  So a DLR with four ESGs configured for ECMP will see four paths it can spread traffic across.

The DLR will see routes for all possible paths for each ESG.

B [20/0] via
B [20/0] via
B [20/0] via
B [20/0] via
B [20/0] via
B [20/0] via
B [20/0] via
B [20/0] via

You will need to create a neighbor for each adjacent IP pair. In the example above each ESG sees each physical router twice (one IP per uplink), which requires a neighbor configuration for every router IP the ESG can see.

If the ESG has only one neighbor configured for a router it can reach on two IPs, the session might not become established, because the router could use either IP to bring up the adjacency.

ESG Firewall must be disabled

When ECMP is enabled on an Edge you must disable the firewall on that Edge.  Previous versions (<6.1.2 I believe) disabled the ESG firewall automatically when ECMP was enabled.

If you have four ESGs and leave the firewalls enabled, even with a default allow, only one of the ESGs will pass traffic: with ECMP the return path can land on a different ESG than the outbound path, and a stateful firewall drops flows it has no state for.

BGP Graceful Restart
If you're using BGP with ECMP you need to disable Graceful Restart, or the BGP timers you just set won't do any good: you'll get a ~2 minute / 125 second failover, because with Graceful Restart the peer keeps forwarding on the stale routes until the restart timer expires instead of withdrawing them when the hold timer fires.

BGP Timers
Best practice is to reduce the BGP keep alive and hold down timers from their default.  You can find VMware resources suggesting 1 second/3 seconds (especially between DLR/ESG) but you’ll want to decide the trade-offs between possible route flapping and time-to-fail for your environment.  As you’ll want to set the same value for each side of a BGP neighbor pair, you should check with your hardware vendor for their recommendation also.

Static Routes on the ESGs
If the Control VM fails over or is redeployed, the ESGs see the BGP session drop and remove all routes to the networks behind the DLR.  Creating a static route on each ESG for those networks, pointing at the DLR's forwarding address, prevents loss of connectivity while the Control VM is offline.

Giving the static route an admin distance of 61 (or whatever your neighbor-configured weight is, plus 1) ensures it is only used when the BGP-learned routes are unavailable.

Static Routes on the DLR
Don't create static routes to the ESGs on the DLR: in the event of an ESG + Control VM failure (for example both on the same host), the DLR kernel modules on the hosts would keep routing traffic to the dead ESG.

Anti-Affinity Rules
Rules should be created to ensure ESGs and Control VMs don't run on the same hosts.   This prevents losing multiple ESGs at once, and prevents losing an ESG and the Control VM at the same time, which would leave the hosts still sending traffic to the down ESG.

Note that you’ll need to either delete the NSX-created control-VM-HA rule and add those VMs to the new rule, or add your ESGs to the NSX-created rule.  You’ll also need to check it periodically as redeploying Edges will rename them and break your rules.
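As an added example (not from the post), here is a PowerCLI check for the two conditions this section describes: no two Edge VMs on one host right now, and every Edge VM inside an enabled DRS anti-affinity rule. The cluster name, the Edge-VM name pattern and the rule name are assumptions; adjust the pattern to match your own ESG and DLR Control VM names.

```powershell
# Added example, not from the post: verify that NSX Edge VMs (ESGs and DLR
# Control VMs) are spread across hosts and covered by a DRS anti-affinity rule.
# Assumes a connected PowerCLI session (Connect-VIServer). Usage:
#   .\Check-EdgeAntiAffinity.ps1 -Cluster 'Compute-Cluster'        # report only
#   .\Check-EdgeAntiAffinity.ps1 -Cluster 'Compute-Cluster' -Fix   # also add missing VMs to the rule
param(
    [string] $Cluster = 'Compute-Cluster',             # assumed cluster name
    # NSX-V names deployed Edge VMs "<edge name>-<index>"; a redeploy changes the
    # name, which is exactly why the rules need re-checking. Assumed pattern.
    [string] $EdgeNamePattern = '^(ESG|DLR)',
    [string] $RuleName = 'NSX-Edge-AntiAffinity',        # assumed rule name
    [switch] $Fix
)

$cl    = Get-Cluster -Name $Cluster -ErrorAction Stop
$edges = @(Get-VM -Location $cl | Where-Object { $_.Name -match $EdgeNamePattern })
if ($edges.Count -eq 0) { Write-Host "No VMs matching '$EdgeNamePattern' in $Cluster"; exit 0 }

# 1. Live placement: a host running more than one Edge VM is a problem right now,
#    whatever the rules say (losing that host takes an ESG and the Control VM together).
$edges | Group-Object { $_.VMHost.Name } | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("{0} runs {1} Edge VMs: {2}" -f $_.Name, $_.Count, ($_.Group.Name -join ', '))
}

# 2. Rule coverage: collect the VM IDs named in every enabled anti-affinity rule
#    (KeepTogether = $false) and look for Edge VMs that appear in none of them.
$antiRules  = @(Get-DrsRule -Cluster $cl | Where-Object { $_.Enabled -and -not $_.KeepTogether })
$coveredIds = @($antiRules | ForEach-Object { $_.VMIds })
$uncovered  = @($edges | Where-Object { $coveredIds -notcontains $_.Id })

foreach ($vm in $uncovered) { Write-Warning "$($vm.Name) is in no enabled anti-affinity rule" }
if ($uncovered.Count -eq 0) { Write-Host 'All Edge VMs are covered by an anti-affinity rule.' }

# 3. Optional remediation: put the uncovered Edge VMs into one named rule.
if ($Fix -and $uncovered.Count -gt 0) {
    $rule = Get-DrsRule -Cluster $cl -Name $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        # Set-DrsRule replaces the VM list, so pass the existing members plus the new ones.
        $members = @(Get-VM -Id $rule.VMIds) + $uncovered
        Set-DrsRule -Rule $rule -VM $members -Confirm:$false | Out-Null
    } else {
        New-DrsRule -Cluster $cl -Name $RuleName -KeepTogether $false -Enabled $true -VM $edges -Confirm:$false | Out-Null
    }
    Write-Host "Rule '$RuleName' now covers the Edge VMs in $Cluster."
}
```

Run it from a scheduled job after every Edge redeploy. One anti-affinity rule with N VMs needs at least N hosts for DRS to satisfy it, so in a small cluster split the VMs into per-pair rules (each ESG with the Control VM, for instance) rather than one rule covering everything.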

iBGP vs eBGP
BGP between routers in different autonomous systems (AS numbers) is called eBGP; BGP between routers in the same AS is iBGP.  The options are pretty limited for NSX so the differences are minimal, but now you know what your network guy is talking about.


Posted in Network, NSX, Virtualization, VMware

Checking NSX DFW rules and rule sets

The new VMware Docs page has a cheat sheet of CLI commands, but here's what you need to list the rules enforced on a VM's vNIC.

SSH to NSX Manager

{Note that you can enable SSH if needed from the “Summary” page of the appliance config page – but not from the Web Client.}

show cluster all (to get the cluster IDs)

manager> show cluster all
No. Cluster Name Cluster Id Datacenter Name Firewall Status
1 NSXCluster domain-c7 Datacenter Enabled

show cluster <cluster-id> (to get the host IDs)

manager> show cluster domain-c7
Datacenter: Datacenter
Cluster: NSXCluster
No. Host Name Host Id Installation Status
1 esxitwo.corp.local host-21 Enabled
2 esxione.corp.local host-10 Enabled

show host <host-id> to get the VM IDs

manager> show host host-21
Datacenter: Datacenter
Cluster: NSXCluster
Host: esxitwo.corp.local
No. VM Name VM Id Power Status
1 VMware vRealize Network Insight Platform vm-144 off
2 TinyOne vm-52 off
3 VMware vRealize Network Insight Proxy vm-145 off
4 Tiny10 vm-203 off
5 NSX_Controller_5d671e3b-91ca-4351-9c1b-e13277d873f7 vm-124 on

show vm <vm-id> to get the filters list

manager> show vm vm-60
Datacenter: Datacenter
Cluster: NSXCluster
Host: esxione.corp.local
Host-ID: host-10
VM: Tiny10
Virtual Nics List:
Vnic Name Tiny10 - Network adapter 1
Vnic Id 5039be1d-ac25-cdda-5d37-2f5435146776.000
Filters nic-650978-eth0-vmware-sfw.2

What you want is the filter name, nic-650978-eth0-vmware-sfw.2; together with the host ID it gets you the rules.

show dfw host <host-id> filter <filter-id> rules

manager> show dfw host host-10 filter nic-650978-eth0-vmware-sfw.2 rules
ruleset domain-c7 {
 # Filter rules
 rule 1006 at 1 inout protocol tcp from addrset ip-securitygroup-13 to addrset ip-securitygroup-10 port 443 accept;
 rule 1006 at 2 inout protocol tcp from addrset ip-securitygroup-13 to addrset ip-securitygroup-10 port 80 accept;
 rule 1005 at 3 inout protocol tcp from any to addrset ip-securitygroup-10 port 22 accept;
 rule 1003 at 4 inout protocol ipv6-icmp icmptype 136 from any to any accept;
 rule 1003 at 5 inout protocol ipv6-icmp icmptype 135 from any to any accept;
 rule 1002 at 6 inout protocol udp from any to any port 68 accept;
 rule 1002 at 7 inout protocol udp from any to any port 67 accept;
 rule 1001 at 8 inout protocol any from any to any accept;
}
ruleset domain-c7_L2 {
 # Filter rules
 rule 1004 at 1 inout ethertype any from any to any accept;
}

show dfw host <host-id> filter <filter-id> addrsets

manager> show dfw host host-10 filter nic-650978-eth0-vmware-sfw.2 addrsets
addrset ip-securitygroup-10 {
addrset ip-securitygroup-13 {
ip fe80::250:56ff:feb9:db4d,

Note that powered-off VMs won't be included in the addrsets, and neither will the VM's own IP address even if it's in the group.
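Reading the rule dump by eye gets old, so here is an added example (not from the post) that parses the text returned by show dfw host <host-id> filter <filter-id> rules into objects and then asks the two questions that matter for a vNIC: which accept rules are reachable from any source, and whether the ruleset ends in a default allow. The sample text is the post's own output shown above, with the closing braces the CLI prints; the function names are mine.

```powershell
# Added example, not from the post: parse NSX-V "show dfw ... rules" output and
# report what the vNIC actually accepts. Runs offline against the sample below.

function ConvertFrom-DfwRules {
    # Turns the rule dump into one object per rule. Rule lines look like:
    #   rule 1005 at 3 inout protocol tcp from any to addrset ip-securitygroup-10 port 22 accept;
    #   rule 1004 at 1 inout ethertype any from any to any accept;
    param([Parameter(Mandatory)] [string] $Text)

    $rulePattern = '^\s*rule (?<id>\d+) at (?<pos>\d+) (?<dir>\S+) (?<kind>protocol|ethertype) (?<proto>\S+)' +
                   '(?: icmptype (?<icmp>\d+))? from (?<src>.+?) to (?<dst>.+?)(?: port (?<port>\d+))? (?<action>\w+);'
    $ruleset = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*ruleset (?<name>\S+) \{') { $ruleset = $Matches.name; continue }
        if ($line -notmatch $rulePattern) { continue }   # comments, braces, blank lines
        $m = $Matches
        $layer = if ($m.kind -eq 'ethertype') { 'L2' } else { 'L3' }
        $icmp  = if ($m.icmp) { [int]$m.icmp } else { $null }   # optional groups are absent/empty when unmatched
        $port  = if ($m.port) { [int]$m.port } else { $null }
        [pscustomobject]@{
            Ruleset = $ruleset; Layer = $layer; RuleId = [int]$m.id; Position = [int]$m.pos
            Dir = $m.dir; Proto = $m.proto; IcmpType = $icmp
            Source = $m.src; Dest = $m.dst; Port = $port; Action = $m.action
        }
    }
}

function Get-DfwDefaultAction {
    # The L3 rule at the highest position is evaluated last. If it matches any
    # protocol from any to any, its action is the effective default for this vNIC.
    param([Parameter(Mandatory)] [object[]] $Rules)
    $last = $Rules | Where-Object { $_.Layer -eq 'L3' } | Sort-Object Position | Select-Object -Last 1
    if ($last -and $last.Proto -eq 'any' -and $last.Source -eq 'any' -and $last.Dest -eq 'any') { return $last.Action }
    return 'none'   # no catch-all rule in this dump
}

function Find-DfwOpenFromAnywhere {
    # Accept rules with source "any" and a port: the ports this vNIC takes from any address.
    param([Parameter(Mandatory)] [object[]] $Rules)
    $Rules | Where-Object { $_.Layer -eq 'L3' -and $_.Action -eq 'accept' -and $_.Source -eq 'any' -and $_.Port }
}

# Sample input: the post's own output for filter nic-650978-eth0-vmware-sfw.2.
$sample = @'
ruleset domain-c7 {
 # Filter rules
 rule 1006 at 1 inout protocol tcp from addrset ip-securitygroup-13 to addrset ip-securitygroup-10 port 443 accept;
 rule 1006 at 2 inout protocol tcp from addrset ip-securitygroup-13 to addrset ip-securitygroup-10 port 80 accept;
 rule 1005 at 3 inout protocol tcp from any to addrset ip-securitygroup-10 port 22 accept;
 rule 1003 at 4 inout protocol ipv6-icmp icmptype 136 from any to any accept;
 rule 1003 at 5 inout protocol ipv6-icmp icmptype 135 from any to any accept;
 rule 1002 at 6 inout protocol udp from any to any port 68 accept;
 rule 1002 at 7 inout protocol udp from any to any port 67 accept;
 rule 1001 at 8 inout protocol any from any to any accept;
}
ruleset domain-c7_L2 {
 # Filter rules
 rule 1004 at 1 inout ethertype any from any to any accept;
}
'@

$rules = @(ConvertFrom-DfwRules -Text $sample)
$rules | Format-Table Ruleset, RuleId, Position, Proto, Source, Dest, Port, Action -AutoSize

$default = Get-DfwDefaultAction -Rules $rules
if ($default -eq 'accept') {
    Write-Warning 'Last L3 rule is any/any/any accept: this vNIC is on a default-allow policy'
}
Find-DfwOpenFromAnywhere -Rules $rules | Format-Table RuleId, Proto, Port, Dest -AutoSize
```

On the sample, the warning fires: rule 1001 at position 8 is any/any/any accept, so the accept rules above it (443, 80 and 22 into ip-securitygroup-10) restrict nothing yet; they only become meaningful once the default rule is changed to block. To run this against a live host, paste the CLI output into $sample, or pull it with the same SSH session and feed the captured text in.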

Posted in CLI, Firewall, Network, NSX, Virtualization, VMware