vCloud Availability 3.0 Blog Series: Provider Installation

Now that we have discussed some of the key features and architecture of vCloud Availability, it is time to install the service. In this blog we will discuss the provider installation of vCloud Availability by breaking the installation down into the following steps:

  • 1. Deploying Appliances
  • 2. Configuration
    • 2.1 Cloud Manager
    • 2.2 Replicators
    • 2.3 Tunnels
  • 3. Verify

vCloud Availability can be deployed in two ways. First, there is a consolidated appliance that contains all of the services. This method is good for labs or proof of concepts, but is not recommended for production environments. For production deployments, vCloud Availability will require three separate appliances with associated DNS entries. In this blog, we will focus on the production installation.

For simplicity, all of the appliances deployed in this guide will be placed on the same VLAN, but it is important to ensure that all communication paths are open between the appropriate appliances. See the graphic below for the port requirements. The ports that come up during configuration are 8441 ( Replication Manager ), 443 ( vApp Replication Manager ), 8043 ( replicators ), 8047 ( tunnel, internal ) and 8048 ( tunnel, the public-facing service that the Public API endpoint is translated to ).

1. Deploying Appliances

To begin the provider installation, download the provider OVA from my.vmware.com. Once you have downloaded the latest OVA, log into vCenter and deploy it. During the deployment wizard you select which appliance role will be installed, so the deployment needs to be completed three times, once for each appliance ( cloud replication manager, replicator, and tunnel ). It is important to note that although Cloud Replication Management is a single appliance, it is actually composed of two services: the Replication Manager and the vApp Replication Manager ( which includes the UI ).

During the customization phase, the first option is to provide a password. This password is temporary and will be reset during the initial login and configuration, so select something simple and easy to remember. For most installations I use “1234.” Keep in mind that the appliance is reachable on the network with this password from the moment it powers on, so complete the first login promptly rather than leaving appliances sitting with the deployment password. Next, provide an NTP server so the appliances stay in sync; the SSO tokens exchanged with the lookup service are time-sensitive, so clock drift will break logins. For the network configuration, this section can be left blank if using DHCP, but static IP assignments are preferred since we will be using DNS for the configuration and don’t want IP addresses changing and breaking the service.

2. Configuration

Once the provider installation of the appliances is complete, the next step is to configure the solution. As of vCloud Availability 3.0.1, a new feature, an installation checklist, has been introduced that will assist with the setup and configuration of the service. To access the checklist, start by logging into the vApp Replication Manager at https://<manager hostname>/ui/admin.

After logging in, the first thing you will be greeted with is a modal to change the password. Once the password has been changed, you will have the option of selecting the installation checklist or the setup wizard. The installation checklist will walk you through each step to install and configure the service. There are two checklists available. One for a consolidated deployment and one for production deployment. In a consolidated deployment where all services are running on the same appliance, all steps are validated as they are checked off. For a production deployment, this validation is currently not in place for all steps. Some steps will have to be manually checked off.

2.1. Cloud Manager (Replication Manager / vApp Replication Manager)

Once the appliances have been deployed and powered on ( checklist steps 1, 2, and 3 ), the next step is to configure them. The first appliance to configure is the Replication Manager. Open a new tab or window and browse to https://<manager hostname>:8441/ui/admin. If you are not using the checklist, this will be the first time logging into the appliance, so use the password that was set during deployment; once logged in, you will be greeted with a modal to change it. If you are using the checklist and have already changed the password, log in with the new password.

Once logged in, the next step will be to configure the lookup service. Click on the link to configure the lookup service and provide the URL for the vCenter or PSC running the lookup service. If unsure, log into vCloud Director and navigate to Administration → Federation and there will be an option for vSphere Services. Under this option, you will see the hostname to use for the lookup service that will need to be configured for vCloud Availability. If, for some reason, vCloud Director does not have lookup services configured, you can also log into one of the vCenters that is registered with vCloud Director and run the following command:

root@vc-01 [ /usr/lib/vmware-vmafd/bin ]# ./vmafd-cli get-ls-location --server-name localhost

You can type in the hostname ( i.e. vcenter.local.net ) and the value will be converted to the correct URL, or you can type in the full lookup service URL ( https://vcenter.local.net/lookupservice/sdk ). It is important that the full URL be present before clicking okay. Keep this information as it will be required by all appliances. Also note that for vCenter 6.5 and newer, port 443 is acceptable. If you happen to be running vCenter 6.0 and earlier, you will have to use port 7444 when configuring the lookup service.

Once this is complete, the next step is to configure the vApp Replication Manager. To do this, browse to the same host as the previous step but without the 8441 ( https://<manager hostname>/ui/admin ). Once logged in, click on the link to run the initial setup wizard. This will guide you through the steps to configure the vApp Replication Manager. First, you will give the installation a site name. This is how this installation will be referenced in vCloud Director and vSphere. On this page, you will also set the Public API URL. This is NOT the hostname of the appliance. This is the public URL that users external to the environment will use to access the service from an external connection.

Example values:

Site name: CloudProvider
Public API endpoint: https://drass.provider.net ( FQDN that will be used to access the service remotely )

An important point here is the Public API endpoint. This URL is the one users will use to access the service. If you reference the port design earlier in the document, you will notice that although we are pointing to port 443, the service is actually listening on port 8048 of the tunnel appliance. This means there will need to be a destination NAT rule on the firewall that translates traffic arriving at the Public API endpoint on port 443 to port 8048. This was done intentionally to minimize the changes required on the client side to access the service. Only this one port needs to be published; the management interfaces on 8441, 8043 and 8047 and the admin UI on 443 are used between the appliances and by the provider and do not need to be reachable from the Public API endpoint.

Once this has been defined, next you will configure the lookup service. This will be the same lookup service we configured in the previous step.

Example values:

Lookup service address: https://vcenter.local.net/lookupservice/sdk ( should be the same lookup service from earlier steps )
SSO Admin Username: administrator@vsphere.local ( the SSO administrator account for your vSphere SSO domain; vsphere.local is the default domain )
Password: password

Once the lookup service has been configured and authenticated, the next step is to configure the connection to vCloud Director. If vCloud Director has been properly registered with the lookup service, it can be auto-configured. In this step, I prefer to enter the details manually to ensure I am pointing to the correct URL. When configuring, the URL must have /api appended; if this is left off, you will get an error. The username must follow the prescribed format of <user>@system. System is the root tenant, and the suffix tells vCloud Director where the account resides.

Example values:

vCloud Director URL: https://vcdlb.provider.net/api ( you will want to ensure you are pointing the requests to the vCD load balancer and not a single cell )
vCloud Director Username: administrator@system
vCloud Director Password: password

After authenticating to vCloud Director, the final few steps will be to apply a license key, configure CEIP, and click finish.
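Before typing the wizard values in, it helps to check them against the rules above: the lookup service must be the full URL ( with port 7444 on vCenter 6.0 and earlier ), the vCloud Director URL must end in /api, the account must be <user>@system, and the Public API endpoint is an https FQDN reached on 443. The following Python script is an added example written for this post and is not part of vCloud Availability; the function names and the hostnames it uses are assumptions.

```python
"""Pre-flight checks for the values the vCloud Availability setup wizard asks for.

Added example for this post, not code shipped with vCloud Availability. It only
encodes the rules stated in the text: the lookup service must be a full URL,
the vCloud Director URL must end in /api, the vCD user must be <user>@system,
and the Public API endpoint is an https FQDN reached on 443 (the firewall
translates it to 8048). Hostnames below are constructed placeholders.
"""
from urllib.parse import urlparse


def lookup_service_url(value, vcenter_major=6, vcenter_minor=5):
    """Turn a bare hostname or a full URL into the lookup service URL.

    vCenter 6.5 and newer serve the lookup service on 443; 6.0 and earlier
    on 7444, so the port is added for those versions when none was given.
    """
    if "://" not in value:
        value = "https://" + value
    parts = urlparse(value)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"lookup service must be an https URL, got {value!r}")
    host = parts.hostname
    legacy = (vcenter_major, vcenter_minor) < (6, 5)
    if parts.port:
        host = f"{host}:{parts.port}"
    elif legacy:
        host = f"{host}:7444"
    path = parts.path if parts.path and parts.path != "/" else "/lookupservice/sdk"
    if path != "/lookupservice/sdk":
        raise ValueError(f"unexpected lookup service path {path!r}")
    return f"https://{host}{path}"


def vcd_api_url(value):
    """The wizard wants https://<vcd load balancer>/api; a missing /api is an error in the UI."""
    parts = urlparse(value)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"vCloud Director URL must be https, got {value!r}")
    path = parts.path.rstrip("/") or "/api"
    if path != "/api":
        raise ValueError(f"vCloud Director URL must end in /api, got {value!r}")
    return f"https://{parts.netloc}{path}"


def vcd_system_user(value):
    """vCD accounts are qualified with their org; the provider admin lives in System."""
    if "@" not in value:
        raise ValueError(f"username must be <user>@system, got {value!r}")
    user, org = value.rsplit("@", 1)
    if not user or org.lower() != "system":
        raise ValueError(f"provider account must be in the System org, got {value!r}")
    return f"{user}@system"


def public_api_endpoint(value):
    """Public API endpoint: https FQDN on 443; 8048 is what the DNAT targets, not what users type."""
    parts = urlparse(value if "://" in value else "https://" + value)
    if parts.scheme != "https" or not parts.hostname or "." not in parts.hostname:
        raise ValueError(f"Public API endpoint must be an https FQDN, got {value!r}")
    if parts.port not in (None, 443):
        raise ValueError("Public API endpoint is reached on 443; the firewall translates to 8048")
    return f"https://{parts.hostname}"


def validate_wizard(values):
    """Normalize a dict of wizard inputs; raises ValueError on the first bad value."""
    return {
        "lookup_service": lookup_service_url(values["lookup_service"]),
        "vcd_url": vcd_api_url(values["vcd_url"]),
        "vcd_user": vcd_system_user(values["vcd_user"]),
        "public_api": public_api_endpoint(values["public_api"]),
    }


if __name__ == "__main__":
    # Constructed values mirroring the post's examples.
    print(validate_wizard({
        "lookup_service": "vcenter.local.net",
        "vcd_url": "https://vcdlb.provider.net",
        "vcd_user": "administrator@system",
        "public_api": "drass.provider.net",
    }))
```

Run it with your own values before starting the wizard; every ValueError it raises corresponds to a failure you would otherwise only see after clicking through the UI.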

2.2. Replicators

Once the Cloud Manager has been configured, the next step is to configure the replicator(s). Replicators are a scalable component, meaning multiple replicators can be deployed to scale performance, so this step has to be repeated for each replicator. To do this, browse to https://<replicator hostname>/ui/admin. Since this is the first time logging into this appliance, use the password that was configured during deployment. As before, when you first log in you will be greeted by a modal to change the password. Once the password has been changed, the next step is to configure the lookup service: click the appropriate link and enter the same lookup service URL used for the manager.

Once the lookup service has been configured on each of the replicators, each replicator has to be registered with the replication manager. Log into https://<manager hostname>:8441/ui/admin and select Replicators in the navigation menu. On the Replicators page, select New. A modal will pop up to configure the replicator. Site should be prepopulated with the site name configured when deploying the vApp Replication Manager. The API URL is the hostname or IP address of the replicator; make sure to append :8043, the port the replicator listens on ( you can also type in just the IP address and hit <tab> and the https and port will be added ). For the appliance password, enter the password that was set when configuring the replicator. Finally, enter the SSO credentials.

Example values:

Site: CloudProvider ( prepopulated from previous step )
API URL: https://172.16.251.96:8043 ( IP address of current replicator )
Appliance Password: password
SSO Admin Username: administrator@vsphere.local ( the SSO administrator account for your vSphere SSO domain )
SSO Password: password

Once the replicator has been configured, it should show up in the Replicators view with a green check next to it. It will also show up on the System Monitoring page.

2.3. Tunnels

Once all of the replicators have been configured and registered with the replication manager, the final steps are to configure and register the tunnel. First, browse to the tunnel at https://<tunnel hostname>/ui/admin. After setting the password, click Edit next to the lookup service and enter the same lookup service URL. Once the lookup service has been configured, log back into the vApp Replication Manager ( https://<manager hostname>/ui/admin ) and select Configuration from the navigation menu. On the configuration page, select Edit next to Tunnel Address and click the checkbox to enable the tunnel. In the tunnel address, enter the URL for the tunnel ( https://<tunnel hostname>:8047 ). Internally, the tunnel appliance communicates over port 8047, so ensure the port is included ( you can also type in just the IP address and hit <tab> and the https and port will be added ). Finally, enter the appliance password that was configured on the tunnel.

Example values:

Tunnel address: https://172.16.251.97:8047
Password: password

Now that the tunnel has been configured, the final step is to go back through each of the appliances and restart the services. To do this, log into each appliance, select System Monitoring in the menu on the left, and in the pane on the right select Restart Service.

Although it is not part of the core service, a configuration step that often gets missed is the final one: configuring the inbound NAT on the firewall. This is required for customers to access the service. The recommendation is to create a destination NAT that translates port 443 on the Public API endpoint to port 8048 on the tunnel appliance. Once this is complete, the configuration of the service is finished and ready to be verified.

3. Verify

After the provider installation has been configured, there are a couple of things that can be done to validate it. First, log into the vApp Replication Manager at https://<manager hostname>/ui/admin and navigate to the System Monitoring page. On this page you should see green checks next to everything. Anything shown in red needs to be addressed before going further.

The other thing that can be done to test the configuration, specifically the tunneling, is to navigate to the tunnel on port 8048 ( https://<tunnel hostname>:8048 ). If everything is configured properly, you should get the login page for the vCloud Availability portal. Assuming this works, the last thing to check is the destination NAT. Open a browser and navigate to https://<Public API URL>. If the destination NAT is working, you should get the same login page as you did when accessing the tunnel internally. If nothing in between terminates TLS, the certificate the browser shows will be the tunnel appliance's own certificate, which confirms the translation lands on the tunnel and not on some other host.

The final step is to test access from vCloud Director. To do this, log into the vCloud Director HTML5 ( H5 ) UI. In the main menu, you will see the newly installed Availability plugin. Selecting it will redirect you to vCloud Availability.
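To make the checks in this section repeatable, the following Python script is an added example for this post and not a VMware tool. It connects over TLS to every port the post names for the provider appliances, and compares the certificate fingerprint presented at the Public API endpoint on 443 with the one the tunnel presents on 8048: when the DNAT is right, both connections terminate on the tunnel and the fingerprints match. Hostnames and IPs are constructed placeholders, and the function names are assumptions. Certificate validation is disabled because the appliances still use their self-signed certificates until the post-deployment configuration. If a load balancer or proxy terminates TLS in front of the tunnel, the fingerprints will differ even when forwarding works, so read the verdict with that in mind.

```python
"""Post-install connectivity checks for the vCloud Availability provider appliances.

Added example for this post, not a VMware tool. It opens a TLS connection to
each port the appliances listen on and compares the certificate presented on
the Public API endpoint (port 443) with the one the tunnel presents on 8048:
if the firewall DNAT is right, both connections land on the tunnel and the
fingerprints match. Hostnames and IPs below are constructed placeholders.
Certificate verification is off because the appliances still carry their
self-signed certificates at this point in the install.
"""
import hashlib
import socket
import ssl
from urllib.parse import urlparse

# Ports stated in the post, keyed by the role that listens on them.
PORTS = {
    "replication manager": 8441,
    "vapp replication manager": 443,
    "replicator": 8043,
    "tunnel (internal)": 8047,
    "tunnel (public)": 8048,
}
PUBLIC_LABEL = "public api endpoint (dnat 443->8048)"


def plan_checks(manager, replicators, tunnel, public_api_url):
    """Build the list of (label, host, port) a healthy provider site must answer on."""
    checks = [
        ("replication manager", manager, PORTS["replication manager"]),
        ("vapp replication manager", manager, PORTS["vapp replication manager"]),
        ("tunnel (internal)", tunnel, PORTS["tunnel (internal)"]),
        ("tunnel (public)", tunnel, PORTS["tunnel (public)"]),
        (PUBLIC_LABEL, urlparse(public_api_url).hostname, 443),
    ]
    for i, rep in enumerate(replicators, 1):
        checks.append((f"replicator {i}", rep, PORTS["replicator"]))
    return checks


def check_tls(host, port, timeout=5.0):
    """Connect with TLS and return the SHA-256 fingerprint of the leaf certificate.

    Any failure (DNS, refused, timeout, handshake) is reported in the result,
    not raised, so one dead appliance does not abort the whole run.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # self-signed certs at this stage
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return {"ok": True, "fingerprint": hashlib.sha256(der).hexdigest(), "error": None}
    except OSError as exc:              # ssl.SSLError and socket errors are all OSError
        return {"ok": False, "fingerprint": None, "error": str(exc)}


def run_checks(checks, timeout=5.0):
    """Run every planned check; results are keyed by label."""
    return {label: check_tls(host, port, timeout) for label, host, port in checks}


def dnat_verdict(results):
    """True when the public endpoint on 443 presents the tunnel's 8048 certificate.

    Returns None when either side did not answer, because no judgement is possible.
    """
    pub = results.get(PUBLIC_LABEL)
    tun = results.get("tunnel (public)")
    if not (pub and tun and pub["ok"] and tun["ok"]):
        return None
    return pub["fingerprint"] == tun["fingerprint"]


if __name__ == "__main__":
    checks = plan_checks(
        manager="vcda-manager.provider.net",   # constructed hostnames and IPs
        replicators=["172.16.251.96"],
        tunnel="172.16.251.97",
        public_api_url="https://drass.provider.net",
    )
    results = run_checks(checks)
    for label, _, _ in checks:
        r = results[label]
        print(f"{'OK ' if r['ok'] else 'ERR'} {label}: {r['fingerprint'] or r['error']}")
    print("DNAT 443->8048 lands on tunnel:", dnat_verdict(results))
```

Run it from a host inside the provider network for the internal ports, and once more from outside ( or through the firewall's public address ) for the Public API endpoint line; a None verdict means one of the two endpoints did not answer at all, which is a reachability problem to fix before judging the NAT.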

Conclusion

Now that we have the environment up and running, there are still a few more things that need to be configured before going into production. In the next blog, we will focus on the post deployment configuration options where we will address areas such as certificates, policies, and access.

Please feel free to review the other articles in the vCloud Availability blog series:
1. vCloud Availability 3.0 Blog Series: Introduction
2. vCloud Availability 3.0 Blog Series: Provider Installation
3. vCloud Availability 3.0 Blog Series: Provider Post Deployment Configuration
4. vCloud Availability 3.0 Blog Series: Tenant Installation
5. vCloud Availability 3.0 Blog Series: Tenant Post Deployment Configuration
6. vCloud Availability 3.0 Blog Series: Managing vCloud Availability Access
7. vCloud Availability 3.0 Blog Series: Cloud Access, Ownership, and Visibility
