VMware Cloud Foundation Home Page Networking (NSX) Technical VCF Platform

VCF 5.2.1 – Virtual Private Cloud latest enhancements

Full Autonomy for the Developers when using VCF Private Cloud (compute / storage / network / security)



Summary

  • VCF 5.2.1 enhances Virtual Private Clouds (VPCs): This allows developers to self-provision their applications, including compute, storage, network, and security, without submitting IT tickets.
  • VPCs simplify network setup: They provide an abstraction layer for creating self-contained virtual networks with their security policies, making it easier for developers to manage their applications.
  • Improved developer autonomy: Developers can now define their networks, subnets, and security rules (North/South and East/West traffic) within their VPCs.
  • Centralized control for admins: Network administrators still manage IP addressing, and security administrators define overall security policies, ensuring compliance and control.
  • Automation through scripting: The blog post provides example scripts for automating tasks like creating Active Directory groups, VPCs, and assigning vCenter permissions, showcasing VCF’s orchestration capabilities.

Presentation

Developers require the capability to deploy their applications.

For years, vCenter Administrators have been able to grant developers permission to self-provision the compute (VMs) and storage for their applications.

However, developers have not had the autonomy to manage their applications’ network and security aspects.

So the developers’ workflow has always been:

  1. Developer opens IT ticket to get subnets (and optionally open firewall)
  2. Developer creates workload (VMs)

VCF 5.2.1 release closes the gap, granting developers full autonomy over the deployment of their applications, including compute, storage, network, and security thanks to its latest enhancements in Virtual Private Clouds (VPCs).

VPCs are an abstraction layer that simplifies setting up self-contained virtual private cloud networks and security in a self-service consumption model.

VPCs were introduced as part of its NSX network and security component.

And VCF 5.2.1 integrates those VPCs into its vCenter compute component.

Key points to note about this self-service VPC consumption model for developers include:

  • Network Administrators maintain complete ownership of the IP addressing for the self-service VPC networks.
  • Security Administrators retain full control over security, determining which traffic is permitted North/South (between the physical network and VPCs) and East/West (within VPCs).

Developers have the capability to create:

  • Specific networks and subnets for their applications.
  • Tailored North/South and East/West security rules for their applications

Demo

In the demo below, you can see how the developers of a Finance application and those of a Marketing application have independently deployed their applications (including compute, storage, network, and security) without having to open a single IT ticket:


Annex

The whole demo could have been done using VCF UI.

However to speed up things and to show the orchestration capabilities of VCF, different scripts have been used in the demo:

  • Creation of Microsoft Active Directory Groups
    Actually, this script has nothing to do with VCF and is a Microsoft Active Directory script to create Microsoft AD Groups and add specific developer users in them.
    Those AD Groups are later used by VCF to allow those AD Groups to use its VCF Compute component (vCenter) and its VCF Network and Security component (NSX).
  • Creation of Virtual Private Clouds (VPCs)
    Specific VPCs are created for the application of Finance and of Marketing.
    VPC Admin rights are granted to specific AD Group (Finance / Marketing).
  • Creation of vCenter Permissions for each application
    Specific permissions are created in vCenter to allow each Microsoft AD Group (Finance / Marketing) to be fully autonomous in the creation of its application.

Here is the explanation of each script:


Creation of Microsoft Active Directory Groups

Root (.bat) script “create-Microsoft-AD-Group_Marketing.bat”

  • C:\Program Files\PowerShell\7\pwsh.exe
    Location of PowerShell executable.
  • code\Microsoft-AD-Group-Creation.ps1
    Location of the PowerShell script
  • -user_name developer2 -ad_group Group_Dev_Marketing
    Script parameters:
    • user_name = developer AD User who will develop the Marketing application
    • ad_group = AD Group name
PowerShell script “Microsoft-AD-Group-Creation.ps1”


Creation of Virtual Private Clouds (VPCs)

Root (.bat) script “create-Project_Marketing-VPC_Mar.bat”

  • code\create_project.py and code\create_vpc.py
    Location of the python scripts 
  • -nsx_manager lm-vi1-paris.corp.vmbeans.com -nsx_user admin -nsx_password VMware1!VMware1! -project_name Marketing -vpc_name VPC_Mar -ad_group Group_Dev_Marketing
    Script parameters:
    • nsx_manager = VCF NSX Component (IP or FQDN)
    • nsx_user = NSX Admin account
    • nsx_password = NSX Admin password
    • project_name = Project name to create
    • vpc_name = VPC name to create
    • ad_group = AD Group name to add as VPC Admin
Python script “create_project.py””

Python script “create_vpc.py”

The following settings in the scripts above will have to be updated to match your environment:

  • In both files:
    • Update Tier-0 information with yours
      "/infra/tier-0s/ef4c052c-dbcc-4750-a706-d71a21e5bcf9"
      You can find your Tier-0 ID from NSX Mgr UI

    • Update Edge Cluster information with yours
      "/infra/sites/default/enforcement-points/default/edge-clusters/7a7c5b8a-e8f2-47b9-9017-bc5d66e8cb24"
      You can find your Edge Cluster ID from NSX Mgr UI

Creation of vCenter Permissions for each application

Root (.bat) script “create-Microsoft-AD-Group_Marketing.bat”

  • C:\Program Files\PowerShell\7\pwsh.exe
    Location of PowerShell executable.
  • code\vcenter-permissions.ps1
    Location of the PowerShell script
  • -ad_group VMware_VCF_VPC_Mar_Admins -folder_name VM_Marketing -vpc_name VPC_Mar
    Script parameters:
    • ad_group = AD Group name
    • folder_name = vCenter VM folder name to create
    • vpc_name = VPC name
PowerShell script “vcenter-permissions.ps1”