How to use Reservation Policy to place VMDKs across different datastores

Reservation policy is often unused feature and to some extend not fully understood. Primary reason could be that reservation policy creation process very simple and during policy creation we don’t glue pieces together. That being said there are very valid use cases for using reservation policy and comes very handy in VM Placement. One of the core principles of Software Defined Datacenter (SDDC) suggests we need to have policy based automation and common management platform across the entire infrastructure.

With reservation policy we address this requirement. It is my personal belief that features in any products are aimed to solve some or other business problems. All we should attempt is to find those relevant business case or help someone find them. In this blog I aim for later.

Continue here

vCloud Automation Center 6.0 (vCAC 6.0) Creating and Configuring Approval Policies

Approval policies has changed significantly compared to previous releases of vCloud Automation Center. Approval policies provides a key control over your Infrastructure. It forms core component of Cloud governance. Below is schematic view of approval policy. Approval policy is ruled by policy type and directly influences approval phases.

image

There are two Approval phases -Post-Approval and Pre-Approval phases. For every phase there are levels to define. These levels are approval levels can be seen as Business steps. At each level you have to select how approval proceeds. Approval steps/levels is influenced by two options 1).Is Approval Required, 2). Who are the approvers . In first option we decide if approval is needed (always required/based on condition) and second option we define approvers (single/group, All must approve/anyone approve).

Creating Approval Policies

As tenant administrator go to Administration tab => Approval Policies and select fat green button to create a new approval policy

 

image

 

Select the approval Policy Type from the drop down menu. Most relevant for me is Service Catalog –Catalog Item Request (Virtual Machines)

image

Approval level can be designated as always required for strict governance or you can keep it flexible by defining condition. e.g. end user is requesting a machine of 16 GB RAM. For uses cases of this kind a condition must be defined -whenever user request a machine memory more than 4 GB, approval policy must be invoked.

image

 

You can designate single person an approver or you can add group of users as approvers. You also have option to decide if approval is needed from any one person from the group or all the group members must approve it.

Sometime it does happen, user requests VM with 16 GB RAM, IT manager explains it is not possible now however once we have adequate capacity we can meet you requirement. End user agrees. So instead of asking him to re-sent another provisioning request IT manager can edit the memory to level which is possible with current utilization and approval process proceeds further.

image

 

image

If you wish to update approval policy you must make a copy of the policy. It is not possible to edit the existing policy. Reason is not explained why one cannot edit but I could think it could be that once entitlement gets associated with approval policy it might be difficult to break the relationship.

To understand how the approval level works, I went ahead and added another level (Business approval stage), press Big fat green tab

image

Fill in the details, repeat all inputs we did to add L1 approver except the approver must be fabric admin

image

Below you can see each approval policy has at least one phase and each phase can have multiple level. I have seen only two phases in the screen below i.e Pre Approval and Post Approval.  Phases includes level of approvals. e.g. In Pre Approval phase I have created two levels of approval. Phases are clearly controlled by the approval policy type. In Pre Approval phase all approval are needed before service provisioning can start, while in Post Approval phase approval is needed when service is provisioned but before it is released to the owner.

image

As per above screen Level 1 (L1) needs approval from manager and Level 2 (L2) needs approval from Finance controller. L2 is dependent on L1, unless L1 approves L2 cannot approve. You can also change sequence of approval shown in the screen above.

Assigning Approval Policy to Entitlements

Now that approval policy is created we must assign it with entitlements. Go the Administration => Catalog Management =>Entitlements page.  Select the entitlement you wish to applying approval policy

image

Please note some Approval policy can be applied only to new catalog item requests, while other policies can be applied only to post provisioning actions on provisioned items. In our case we created a simple pre-provisioning policy which will invoke approval when you initiate request for new VM (Service catalog –Catalog item Request (Virtual Machine). You can apply this policy only to catalog item as could be seen above. Though this relation is automatically established you probably do not have to memorize this relation. Reason I say this is because If you try to associate such policy with incorrect entitlement it won’t show. Since this policy is not applicable to Entitled services and Actions, In below screen I observed they are not visible at all

image

 

image

All previous post of vCloud Automation Center 6.0 (vCAC 6.0)

Next post I will be focusing on build profiles

Creating & Configuring Tenant/s in vCloud Automation Center 6.0 (vCAC 6.0)

Mutli-tenancy is built into vCAC6.0. What it means? It simply means for every tenant you do not need to install vCAC. You can have multi-tenant on single vCAC. Each tenant can have its own branding, Active Directory Authentication source, group, Business policies, Catalog offering and dedicated infrastructure. Tenants in vCAC are an organizational unit. Tenant represent business unit within an organization or can be organization itself.

In vCAC each tenants gets

  • Dedicated URL
  • Identity Stores
  • Branding
  • Notification Providers (email alerts)
  • Business Policies
  • Service Catalog offering (small VM, Big VM, Web service, Apache Service)
  • Infrastructure Resources (virtual. Physical, Cloud)

    vCAC gets a default tenant vSphere.local (cannot be changed/avoided) and can be accessed via http://vCACApplianceFQDN/shell-ui-app

     

    image_thumb3

    1) To create a new tenant click on green Icon encircled above. New window opens up. When all details are entered, press Submit and Next

    image_thumb5[1]

    2) Lets add the identity source. In my case I’m using my own AD.

    image_thumb15

    Here you as Administrator create two very important roles.

  • Tenant Administrators

  • Infrastructure Administrators (I have referred it as IaaS Admin in this post)

    image_thumb19

    Parameters

    Explanation

    Name Name by which you wish to identify the Identity source
    Type You’ve option to choose from Active Directory or LDAP. Native AD option is available only for vsphere.local
    URL Provide the LDAP format even if you are using AD. It is referred as accessing AD over LDAP connection
    Domain Name of your domain
    Alias You can put any name here which is easier to remember and it helps to use to login this alias. In my case I can use spreetam@vZare.com or just spreetam@vZare . Both works.
    Login user DN User who has read only permissions on Active directory
    Password Password for Login user
    User search base DN Place in AD/LDAP where you wish to search the Users. I have put my Favorite company OU as a location to search users. Effectively I will be adding users only in my Favorite OU
    Group search base DN Same as above except that it will be used to search groups

    Branding and other parameters in tenant creation I left it default as there isn’t much to learn

     

    Configuring Tenant

     

    Below is the workflow we should follow to configure Tenants

    image

     

     


    IaaS Administrator is created by administrator and is responsible to perform

    • Management of endpoints, endpoints credentials and virtualization proxy agent
    • Management of cloud service accounts as well as physical machines and storage devices
    • Monitoring of IaaS system logs

image

  • Here in below screen I have logged in using IaaS Admin (userid:iAdmin). Go to the myfavoritecompany tenant in the infrastructure tab (9 out of 10 times you will be in infrastructure tab).

     

    Credentials

    Let’s first create the credentials. This credential is like a template of credential which can be used several times without typing every time same credential or if credential of vCenter/endpoint cannot be shared with vCAC admins.Enter the Name for credential. I recommend to put FQDN name of the vCenter so that you’re aware of connection details. Put some short meaningful Description, Username and Password. Press the green check box.

    NB: I always keep searching for image Button. That green button should be on right hand side not left hand side.

    EndPoints

    Go to the endpoints tab. Now here Name is the most important field. This name must match to the name you have selected while installing the vSphere Endpoint.

  • Just for reference purpose I’m pasting that screen here.
  • SNAGHTML562d69b

    imageSo now we need to put the same name as we have configured in above screen. It is case sensitive.

    imageAddress of vCenter. This is the address of end point. For vCenter it has to be https://vCenterFQDN/sdk format

    imageNow select the credentials you had created earlier. You can use integrated authentication If you have selected integrated credentials while installing vSphere agent.

    imageSelect the checkbox for Specify manager for network and security platform If  you have vShield manager (vCNS Manager) or NSX Instance in your environment. After you select checkbox you get need to put the URL and credentials for it (not shown & explored by me here. It is topic which I will deal with vCloud Director endpoint).

    imagePress OK and we are done configuring vSphere Endpoint

    At this point if vSphere endpoint is configured correctly you should see compute resources e.g. clusters are discovered. Quickest way to check this is to go to Agents tab and in the description tab from the drop down menu you should see vSphere agent. It confirms agent and endpoint are communicating

    image

     

    Below depicts how data collection works out using end points and what kind of data is collected

    image

    Organize Compute Resource

    In order to organize resources we must create fabric group. Fabric group manages resources within their group. e.g. if you create a fabric group just for virtual resource then it cannot manage anything outside this assignment. Below I have create a fabric group and assigned a vCluster (later on I renamed this cluster to Gold cluster to make sense). So VirtualFabgroup will be able to manage only resources inside vCluster. However these resources are restricted to Memory and Storage as we will see it during creation of reservation.

    This where vCloud Director must more superior product. You can configure things at much more granular level

  • image

  • Type name for Fabric Admins as VirtualFabgroup. This name should reflect type of fabric this group is going to manage. It helps a lot. Assign administrator to manage this Fabric as shown below. Select the resource it will manage.

    Now that we have organize resource and appointed fabric admin. Let’s use fabric admin credential to login. It is worth noting all configuration till has been done by IaaS admin

    Fabric Administrator Role

    Machine Prefix

    You cannot create business group before creating Machine Prefix. It is must parameter for business group. You need at least one machine prefix. As mentioned above machine prefix are created by Fabric admin. Using Fabric admin lets create some meaningful prefix

    image

    I have created another two prefix offline just in case we need it and named them starting with CC-UAT and CC-DEV as seen below

    image

    Business Group

    Now that machine prefix is sorted out, let’s do business group. Business group represents BU within a organization. It could represent sales BU, Marketing BU or HR BU. In below example I considered  Sales BU. So if tenant is organization then BU becomes part of Tenant.

    test

  • You get an option within business group to create Business group administrator, support user and end user.

    Business group manager Role 

    1. Approves machines and lease requests.
    2. Manages machines created by all users in the business group.

    Business Support Role: Support user helps you to request resources on behalf of the user. User role can request/self-provision machines/services from the catalog

    Name for the Business group. Ensure it reflects Business group name.

  • Business group admins group/user name.
  • Email id of business group admin.
  • Support Role.
  • User Role.

    Active directory container is optional, I left it unfilled.

    image

    Only Tenant Administrators can create business group

    image

    Create Reservation and Reservation Policy

    Using fabric admin credentials lets create a simple reservation

    Click Infrastructure tab, –>> Click Reservations, –>> select Reservations, –>> click New Reservation, –>> vSphere (vCenter)

    image

    image

    I have not configured reservation policy. I left machine quota and Priority to default values.

    Lets move to Resources tab. Actual reservation is done here. You choose to reserve memory & storage. In Memory section you get to know how much of is available i.e. Physical, How much is reserved and how much is allocated out of this reservation.

    image

    Similar way I have reserved 27 GB out of 40 GB on Gold cluster. None is allocated.

    Finally select network label by moving into Network tab. I have just one network label. But you can have as many as. But remember you must plan about it in advance.

    image

    I think I’ll pause my post here as I see it is already very big. But I’ll continue in next post. That being said lot of configuration of tenant is still pending.