Cloud Migration VMware Cloud on AWS

VMware Cloud on AWS Operations Blog Series – Part 2

VMware Cloud on AWS brings VMware’s enterprise-class Software-Defined Data Center software to the AWS Cloud, and enables customers to run production applications across vSphere-based private, public and hybrid cloud environments. The service is delivered, sold and supported by VMware on demand, and customers can also leverage AWS’s breadth of services, including storage, databases, analytics and more.

IT teams manage their cloud-based resources with familiar VMware tools – without the hassles of learning new skills or utilizing new tools. However, administrative responsibilities for the vSphere cluster deployed as part of the Cloud Software-Defined Data Center (SDDC) will be shared between the VMware Cloud on AWS service and the on-premises administrator.

This blog series will describe the differences between running the VMware SDDC software on-premises vs. in VMware Cloud on AWS, and will go over the new operation model that administrators will need to adopt when using this service.

VMware Cloud on AWS Operations: Part 1, Host Configuration
VMware Cloud on AWS Operations: Part 3, Virtual Machine Deployment and Service Lifecycle

PART 2 OF BLOG SERIES: ADMINISTRATION

Permissions Management Overview
The VMware Cloud on AWS service retains administrator rights on the vCenter Server deployed as part of the Cloud SDDC. These rights let the service monitor and manage the lifecycle of the Cloud SDDC software stack, deploy and configure the underlying AWS infrastructure and the SDDC software, add and remove hosts and networks after a failure or when cluster-scaling operations require more or fewer resources, and patch and update the Cloud SDDC software.

The VMware Cloud on AWS service introduces new roles into the traditional vCenter user model and extends the roles-and-permissions scheme. This ensures that the Cloud SDDC infrastructure stays in its prescriptive deployment architecture and that the customer cloud administrator cannot reconfigure the management appliances. Within this model, the customer cloud administrator has full control over their workloads while having a read-only view of management workloads and infrastructure.

Role-Based Access Control
To support the adjusted role-based access control, a new CloudAdmins user group is created that contains a new user named CloudAdmin, and the Cloud SDDC ships with new role definitions. The CloudAdmins group is granted the GlobalCloudAdmin role as a global permission, and the CloudAdmin role on the following objects:

  • Workloads virtual machines Folder
  • Workloads Resource Pool
  • Compute Gateway Logical Network
  • vSAN Datastore
  • Content Library
  • Tagging Services

In addition, the CloudAdmin user is granted a read-only global permission, which lets this user view all physical resources and management infrastructure components without modifying them. The appendix contains a detailed overview of the privileges in the CloudAdmin and GlobalCloudAdmin roles.
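Before porting on-premises automation, it is worth seeing exactly which roles and privileges your CloudAdmin session carries rather than inferring it from the list above. The PowerCLI script below is an added example, not code from the original post or from the service itself; it assumes PowerCLI is installed and that the vCenter FQDN, the role name CloudAdmin and the privilege IDs checked in step 3 are substituted or confirmed against your own SDDC.

```powershell
# Added example (not from the original post): enumerate the roles and
# permissions granted to the CloudAdmins principals, then check a set of
# privilege IDs that typical on-premises scripts rely on.
# Assumptions: PowerCLI is installed; 'vcenter.sddc.example.com' is a
# placeholder FQDN; the role is named 'CloudAdmin' as the post describes.
Import-Module VMware.VimAutomation.Core

$vc = Connect-VIServer -Server 'vcenter.sddc.example.com' `
                       -Credential (Get-Credential -Message 'CloudAdmin credentials')

# 1. Roles the service added to the stock vCenter role model, with privilege counts.
Get-VIRole -Server $vc |
    Where-Object { $_.Name -like '*CloudAdmin*' } |
    ForEach-Object { '{0,-20} {1,4} privileges' -f $_.Name, $_.PrivilegeList.Count }

# 2. Where those roles (and the read-only global permission) are applied,
#    to which principal, and whether they propagate down the inventory.
Get-VIPermission -Server $vc |
    Where-Object { $_.Role -like '*CloudAdmin*' -or $_.Role -eq 'ReadOnly' } |
    Select-Object Principal, Role, Propagate,
                  @{ Name = 'Entity'; Expression = { $_.Entity.Name } } |
    Sort-Object Role, Entity |
    Format-Table -AutoSize

# 3. Check specific privilege IDs against the CloudAdmin role. Per the post,
#    host configuration privileges (Host.Config.*) should be absent while
#    workload privileges should be present; the script reports what it finds.
$cloudAdmin = Get-VIRole -Name 'CloudAdmin' -Server $vc
$wanted = @(
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Interact.PowerOn',
    'Datastore.AllocateSpace',
    'Resource.AssignVMToPool',
    'Network.Assign',
    'Host.Config.Settings',
    'Host.Config.NetService',
    'Host.Config.Patch'
)
foreach ($priv in $wanted) {
    $state = if ($cloudAdmin.PrivilegeList -contains $priv) { 'granted' } else { 'not granted' }
    '{0,-36} {1}' -f $priv, $state
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run step 3 with the privilege IDs your own scripts exercise; any line reporting "not granted" marks a call that will fail with a NoPermission fault in the Cloud SDDC and needs to be removed or rerouted.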

Identity Sources
At initial availability, VMware Cloud on AWS supports OpenLDAP and Active Directory over LDAP as identity sources, and multiple identity sources can be configured. Ensure that DNS is configured for your management gateway so that it can resolve the FQDN of the identity source.

Hybrid Cloud Linked Mode
Hybrid Linked Mode allows you to link your VMware Cloud on AWS vCenter Server instance with an on-premises vCenter Server instance.

Using Hybrid Linked Mode, you can:

  • Log into the vCenter Server instance in your SDDC using your on-premises credentials.
  • View and manage the inventories of both your on-premises and Cloud SDDC from a single vSphere Client interface.
  • Cold migrate workloads between your on-premises data center and Cloud SDDC.

Figure 7: Hybrid Cloud Linked Mode

Due to the adjusted operational model, Hybrid Linked Mode does not replicate all objects and permissions from the on-premises SDDC to the Cloud SDDC. For example:

  • Tags will be uni-directional from on-premises to VMware Cloud on AWS
  • Certificates are bi-directional
  • Lookup is uni-directional from on-premises to VMware Cloud on AWS
  • At initial availability, Hybrid Cloud Linked Mode only supports embedded vCenter on-premises. If the on-premises workload is distributed across multiple vSphere SSO domains, it is recommended to consolidate these workloads into an infrastructure managed by one vSphere SSO domain.

At initial availability, Hybrid Linked Mode supports a single embedded on-premises deployment of VCSA 6.5 patch d or later, linked to the embedded VCSA in VMware Cloud on AWS. Hybrid Linked Mode extends the on-premises vSphere Single Sign-On domain to VMware Cloud on AWS, so the same identities used on-premises can be used in the Cloud SDDC. The maximum supported latency between the on-premises and cloud vCenter Server instances is 100 milliseconds.

Command Line Interface
The Cloud SDDC can be managed through the user interface, the Application Programming Interface (API) or PowerCLI. Because of the adjusted role-based access control, the customer cloud administrator cannot configure infrastructure components such as hosts or vCenter Server through API calls or PowerCLI commands; API calls can only be used to retrieve information about these components.

The cloud administrator can, however, use API calls or PowerCLI commands to deploy new VM workloads in the SDDC.

Because of the fixed DRS resource pool structure, virtual machine folder structure and vSAN datastore layout, these elements must be specified explicitly in virtual machine-focused commands. Review existing scripts and adjust them accordingly.

Read-only host operations are mediated through vCenter Server, whether issued as vSphere API calls or as PowerCLI and ESXCLI commands. NSX Manager APIs are not exposed at initial availability of VMware Cloud on AWS. The vSphere API Explorer is operational through the vCenter Server, and the vSphere Automation API methods can be accessed through API Explorer, Datacenter CLI, PowerCLI (Get-CisService) and the vSphere Automation SDKs (Python, Ruby, Perl, .NET, Java, REST). The vSphere SOAP APIs are functional as well, along with the SOAP-based SDKs and the Managed Object Browser. Note that the API is limited to basic operational tasks: inventory operations focused on clusters, datastores, folders, hosts and networks, and basic virtual machine administration (create, delete, modify, power on/off).
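The two points above, mandatory placement on the workload resource pool, folder and datastore, and read-only access to hosts, are easiest to see side by side in a script. The PowerCLI example below is added here and is not code from the original post or from the service; it assumes an existing PowerCLI session in `$vc` and uses placeholder names for the resource pool, folder, datastore, network and virtual machine, which you should replace with the names from your own SDDC inventory.

```powershell
# Added example (not from the original post): deploy a workload with the
# placement the Cloud SDDC requires, then show that host reads succeed while a
# host configuration change is denied under the CloudAdmin role.
# Assumptions: $vc is a connected PowerCLI session; the object names below
# ('Compute-ResourcePool', 'Workloads', 'WorkloadDatastore',
# 'sddc-cgw-network-1', 'app01') are placeholders.

# On-premises pattern that no longer fits: placing the VM directly on a host,
# which implies the root resource pool, the root VM folder and whatever
# datastore is found first. The CloudAdmin role is not granted on those objects.
#   New-VM -Name 'app01' -VMHost (Get-VMHost | Select-Object -First 1)

# Cloud SDDC pattern: resolve the workload resource pool, folder, datastore and
# a compute gateway logical network explicitly, and pass all of them.
$pool    = Get-ResourcePool -Name 'Compute-ResourcePool' -Server $vc
$folder  = Get-Folder       -Name 'Workloads' -Type VM   -Server $vc
$ds      = Get-Datastore    -Name 'WorkloadDatastore'    -Server $vc
$netName = 'sddc-cgw-network-1'

$vm = New-VM -Name 'app01' -ResourcePool $pool -Location $folder -Datastore $ds `
             -NumCpu 2 -MemoryGB 4 -DiskGB 40 -NetworkName $netName `
             -GuestId 'otherGuest64' -Server $vc
Start-VM -VM $vm -Confirm:$false | Out-Null

# Read-only host operations are mediated through vCenter and work as usual.
Get-VMHost -Server $vc |
    Select-Object Name, ConnectionState, Version, Build, NumCpu, MemoryTotalGB |
    Format-Table -AutoSize

# A configuration change on a host is outside the CloudAdmin role. Catch the
# fault so an adapted script reports it instead of aborting half-way through.
try {
    $firstHost = Get-VMHost -Server $vc | Select-Object -First 1
    Get-VMHostService -VMHost $firstHost | Where-Object { $_.Key -eq 'TSM-SSH' } |
        Start-VMHostService -Confirm:$false -ErrorAction Stop | Out-Null
    Write-Output 'SSH service started (not expected under the CloudAdmin role)'
} catch {
    Write-Warning "Host configuration denied: $($_.Exception.Message)"
}
```

When adapting existing scripts, search them for calls that take a `-VMHost` parameter or touch host services, networking or advanced settings; in the Cloud SDDC those calls either need to become reads or be dropped, while VM-level calls only need the explicit placement shown above.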

The VMware Cloud on AWS service REST API endpoint exists at vmc.vmware.com/rest/api. Functionality includes:

Table 4: VMware Cloud on AWS Service Operations

Audit Quality Logging
VMware is the internal operator with administrator ownership and is responsible for audit, compliance and troubleshooting of the infrastructure. The customer cloud administrator is responsible for virtual machine troubleshooting and for auditing the operations they perform on the Cloud SDDC.