
VMworld 2017 Labs – VMware NSX Day!

It is hard to top yesterday when we released well over half the catalog of Hands-on Labs we presented at VMworld this year, but we will give it a go as we still have more awesome content for you!

Yesterday, we released the HOL-1803 series of labs.  The three labs in the series offer a great way to get started with NSX.  Today, we will focus on more advanced NSX and Network Virtualization labs.  The topics covered include integrating Site Recovery Manager or Horizon with NSX (and Trend Micro!), multi-site configurations and one around the newly announced AppDefense.  Finally, there are labs showing integration with VMware Integrated OpenStack and our first set of labs focusing on NSX-T.

That’s all for today, but be sure to check back tomorrow to see what new labs will be released!

| Lab SKU / Name | Link to PDF/HTML | Archived 2017 Lab |
|---|---|---|
| HOL-1805-01-SDC – Site Recovery Manager – Data Center Migration and Disaster Recovery | PDF / HTML | HOL-1705-SDC-1 |
| HOL-1820-01-EMT – VMware Integrated OpenStack (VIO) – Getting Started | PDF / HTML | HOL-1720-SDC-1 |
| HOL-1825-01-NET – VMware NSX – Advanced Consumption | PDF / HTML | HOL-1725-SDC-1 |
| HOL-1825-02-NET – VMware NSX and SRM – Active-Standby Solution | PDF / HTML | HOL-1725-USE-2 |
| HOL-1826-01-NET – VMware NSX-T – Getting Started | PDF / HTML | New! |
| HOL-1826-02-NET – VMware NSX-T with Kubernetes | PDF / HTML | New! |
| HOL-1841-01-NET – Secure Horizon with Trend Micro and NSX | PDF / HTML | HOL-1741-USE-1 |
| HOL-1842-01-NET – VMware AppDefense – Secure Datacenter Endpoints | PDF / HTML | New! |

Releasing the VMworld 2017 Hands-on Labs

It all starts today! We are pleased to announce we are releasing the VMworld 2017 Hands-on Labs. We will continue to release these on a daily basis until all 81 are available! If you don’t see your favorite lab, be sure to check back as all labs **should** be released by the end of next week.

Before we get started, just a couple of reminders. First, once we release a new lab, the current one will be placed in the HOL Archive catalog and will eventually be removed December 1st, 2017. For example, we are releasing the HOL-1803 series of labs today, so the HOL-1703 series will be placed in the HOL Archive catalog. The labs in the archive catalog will take longer to start, so be sure to wait until the Lab Status indicator says Ready before you start. If you would like more information on how the new labs map to the existing labs, you can review my previous post, Transitioning to the 2018 Hands-on Labs. You may also notice that the catalogs look a bit different and you may be confused about where to find the lab you are looking for. You can review the post, Upcoming Changes to the Catalogs and Tips on How to Find Things, for all the details.

The first release of new labs has typically been the top performers from VMworld and this year is no exception. Below are the labs we are releasing today. You can click on the lab SKU and name to be taken directly to the lab. One question we receive quite often is if the manuals are available in other formats, so in the second column you will find a link to the PDF and HTML version of the manual. These links are from our Hands-on Labs Documents site, where you can find manuals for all the labs dating back to 2014. Finally, the last column shows which lab the new one is replacing.

| Lab SKU / Name | Link to PDF/HTML | Archived 2017 Lab |
|---|---|---|
| HOL-1801-01-CMP – vRealize Suite Standard – Cloud Planning and Optimization | PDF / HTML | HOL-1701-USE-2 |
| HOL-1801-02-CMP – vRealize Suite Standard – Automated and Proactive Management | PDF / HTML | New! |
| HOL-1801-03-CMP – vRealize Suite Standard – Manage the SDDC | PDF / HTML | HOL-1701-USE-3 |
| HOL-1801-04-CMP – vRealize Operations – Advanced Topics | PDF / HTML | HOL-1706-USE-4 |
| HOL-1801-05-CHG – vRealize Operations Application Monitoring – Challenge Lab | PDF / HTML | HOL-1701-CHG-5 |
| HOL-1801-06-CMP – Introduction to vRealize Operations Assessment and Hybrid Cloud Assessment | PDF / HTML | HOL-1701-USE-1 |
| HOL-1803-01-NET – VMware NSX – Getting Started | PDF / HTML | HOL-1703-SDC-1 |
| HOL-1803-02-NET – VMware NSX – Distributed Firewall and Micro-Segmentation | PDF / HTML | HOL-1703-SDC-2 |
| HOL-1803-03-NET – VMware NSX – Operations and Visibility | PDF / HTML | HOL-1703-SDC-3 |
| HOL-1806-01-CMP – vRealize Suite – Getting Started | PDF / HTML | HOL-1706-SDC-1 |
| HOL-1806-02-SLN – Automate IT – Make Private Cloud Easy | PDF / HTML | New! |
| HOL-1806-03-CMP – vRealize Business for Cloud – Getting Started | PDF / HTML | New! |
| HOL-1808-01-HCI – vSAN v6.6 – Getting Started | PDF / HTML | HOL-1708-SDC-1 |
| HOL-1808-02-CHG – vSAN v6.6 – Challenge Lab | PDF / HTML | HOL-1708-CHG-3 |
| HOL-1811-01-SDC – vSphere v6.5 – What’s New | PDF / HTML | HOL-1710-SDC-6 |
| HOL-1811-02-SDC – vSphere with Operations Management – Getting Started | PDF / HTML | HOL-1710-USE-2 |
| HOL-1811-03-SDC – vSphere with Operations Management – Advanced Topics | PDF / HTML | HOL-1710-USE-4 |
| HOL-1811-04-SDC – vSphere Security – Getting Started | PDF / HTML | New! |
| HOL-1811-05-SDC – vSphere Automation – PowerCLI | PDF / HTML | HOL-1721-SDC-6 |
| HOL-1811-06-SDC – vSphere Automation and Development – API and SDK | PDF / HTML | HOL-1710-SDC-5 |
| HOL-1811-07-SDC – vSphere HTML Client SDK – Build a Plugin | PDF / HTML | New! |
| HOL-1821-01-CMP – vRealize Automation 7 – Getting Started | PDF / HTML | HOL-1721-USE-1 |
| HOL-1821-02-CMP – vRealize Automation 7 – Advanced Topics | PDF / HTML | HOL-1721-USE-2 |
| HOL-1821-03-CMP – vRealize Automation 7 – Advanced Extensibility | PDF / HTML | HOL-1721-USE-3 |
| HOL-1821-04-CMP – vRealize Code Stream – DevOps Solutions | PDF / HTML | HOL-1721-USE-4 |
| HOL-1821-05-CMP – vRealize Orchestrator – Getting Started | PDF / HTML | HOL-1721-SDC-5 |
| HOL-1844-01-SLN – Modernize Infrastructure – VMware Cloud Foundation | PDF / HTML | HOL-1706-SDC-5 |
| HOL-1844-02-SLN – VMware Cloud Foundation – Hybrid Cloud | PDF / HTML | New! |
| HOL-1845-01-SLN – Modernize Infrastructure – Build Your Own SDDC | PDF / HTML | New! |
| HOL-1851-01-ADV – Horizon 7.1 Enterprise – Getting Started | PDF / HTML | HOL-1751-MBL-1 |
| HOL-1851-02-ADV – Horizon 7.1 Instant Clones | PDF / HTML | New! |
| HOL-1851-03-ADV – VMware App Volumes – Getting Started | PDF / HTML | HOL-1751-MBL-2 |
| HOL-1851-04-ADV – VMware User Environment Manager – Getting Started | PDF / HTML | New! |
| HOL-1851-05-ADV – VMware Workspace ONE and VMware Horizon 7.1 | PDF / HTML | New! |
| HOL-1851-06-ADV – VMware Horizon 7 for Linux Desktops | PDF / HTML | HOL-1751-MBL-6 |
| HOL-1851-07-ADV – Horizon 7.1 – Advanced Operational Concepts | PDF / HTML | New! |
| HOL-1851-08-ADV – Horizon 7.1 – Advanced Architectural Concepts | PDF / HTML | HOL-1751-MBL-4 |
| HOL-1851-09-ADV – Horizon 7.1 Security – Advanced Topics | PDF / HTML | HOL-1751-MBL-5 |
| HOL-1851-10-ADV – Horizon 7.1 – Graphics Acceleration for 3D workloads and vGPU | PDF / HTML | New! |
| HOL-1857-01-UEM – VMware AirWatch – Getting Started | PDF / HTML | HOL-1757-MBL-1 |
| HOL-1857-02-UEM – VMware AirWatch – Unified Endpoint Management for Windows 10 | PDF / HTML | New! |
| HOL-1857-03-UEM – VMware AirWatch with Workspace ONE | PDF / HTML | HOL-1757-MBL-3 |
| HOL-1857-04-UEM – VMware AirWatch – Productivity Apps | PDF / HTML | HOL-1757-MBL-4 |
| HOL-1857-05-UEM – VMware AirWatch – Mobile Application Management and Developer Tools | PDF / HTML | HOL-1757-MBL-5 |
| HOL-1857-06-UEM – VMware AirWatch – Directory and Certificate Authority Integration | PDF / HTML | HOL-1757-MBL-2 |
| HOL-1857-07-UEM – VMware AirWatch – Android Management | PDF / HTML | New! |
| HOL-1857-08-UEM – VMware AirWatch – Technology Partner Integration | PDF / HTML | HOL-1757-MBL-6 |
| HOL-1884-01-HBD – VMware Cloud Services – Getting Started | PDF / HTML | New! |
| HOL-1887-01-EMT – VMware Cloud on AWS – Getting Started | PDF / HTML | New! |

Upcoming Changes to the Catalogs and Tips on How to Find Things

As we return from a record breaking VMworld Europe in Barcelona, I wanted to take a minute to talk about some of the new catalogs you will be seeing in the Hands-on Lab Online Portal in the coming weeks as we start to release the new labs.

This year we have over 80 new labs in the 2017 Hands-on Labs Catalog and based on feedback we received from you, our users, we still needed a better way to break up the content in the catalog listings to make things easier to find.  For example, we have 44 labs in the Software Defined Data Center catalog.  Searching through that catalog and trying to find the bit of content you are looking for can be a daunting task!  For those that are not familiar with what the catalog structure looks like today, here is how we have things laid out.

We have four main catalogs, SDDC, Hybrid Cloud, Mobility and Challenge.  There is a fifth catalog, Focus Labs, we populate with the latest and most popular labs.  You can start to see the difficulty in finding 80+ labs in only four very generic catalogs.

We tested the new catalog listings at VMworld and from the feedback we received from attendees, it made finding labs around specific products or features much easier.  So here are the new catalogs and what contents you may expect to find in them:

| New Catalog Name | High Level Products Included | Existing Catalog |
|---|---|---|
| Application and Desktop Virtualization | Horizon Suite, FLEX, Mirage, Horizon Cloud | Mobility |
| Challenge Labs | Test your knowledge on VMware Products | Challenge Labs |
| Cloud Management Platform | vRealize Suite, vRealize Automation and vRealize Operations | Software Defined Data Center |
| Cloud Native Applications | PhotonOS, vSphere Integrated Containers | Software Defined Data Center |
| Emerging Technologies | VMware Cloud, vSphere Integrated OpenStack, Network Functions Virtualization and VMware Learning Platform | Hybrid Cloud, Software Defined Data Center |
| Hybrid Cloud | Hybrid Cloud Services, Cloud Services and VMware Cloud Provider Program | Hybrid Cloud |
| Hyper-Converged Infrastructure | vSAN, Virtual Volumes and VxRail | Software Defined Data Center |
| Network Virtualization | NSX, NSX-T, NSX Cloud and Partner Solutions | Software Defined Data Center |
| Software Defined Data Center | vSphere with Operations Management, Site Recovery Manager and vSphere Performance | Software Defined Data Center |
| Solution Labs | Labs focused on solving business challenges with VMware Solutions | Software Defined Data Center, Mobility, Hybrid Cloud |
| Unified Endpoint Management | VMware AirWatch | Mobility |

I also wanted to share a couple of additional tips that may come in handy. The first is the search feature. You can use the search box to find a lab by SKU (e.g. HOL-1810-01-SDC) or by product or keyword. Be sure to click the ‘ALL LABS’ link first, so your search will be across all the catalogs.

In this example, after clicking on the ALL LABS link, I searched for ‘firewall’.  This will bring up any labs that include the term ‘firewall’ in the lab title, description or module listing.  This can also be used to search for product names, like NSX or a lab SKU.

If you have taken a lab and would like to find other labs that are based on the same product, you can use the ‘Lab Details’ section.

In the Products section, you will see the major products featured in the lab.  Click on the product you are interested in and you will be shown all the other labs that include that product.  By clicking on vRealize Log Insight, I’m given this listing of labs:

When you find a lab that interests you, just click on the link and you will be brought right to the lab details page for the lab, where you can enroll to take the lab.

That’s all for now, but stay tuned for updates!  The new labs will be here before you know it!

Transitioning to the 2018 Hands-on Labs

We had another record breaking year at VMworld US last week and are on our way to VMworld Europe for next week’s show, which will hopefully be just as exciting!  We debuted lots of new content and we cannot wait to share it with you.

As we prepare to get the latest labs out to you after VMworld, we want to make sure you are prepared for what’s to come. The process is the same one we have used in years past, and we will start rolling out the labs after VMworld Europe. Since VMworld Europe is a month earlier this year, that means we will be delivering the labs that much sooner to you!

As the new labs in the 2018 catalog get released, their 2017 counterparts will be placed in the HOL Archives catalog. The catalog can be found at the bottom of the list.  We will also be restructuring the catalog listings, very similar to what we are using at VMworld, to make things easier to find.  More details to come in the next post.

One thing to note is that once the 2017 labs are placed in the archive catalog, you will likely need to wait a bit longer for your lab to start and make sure the Lab Status indicates ‘Ready’ in green before proceeding with your lab.
As a reminder, in order to make room for all this great new content, we will have to retire the 2017 catalog and that will happen on December 1st, 2017.  For those of you that may be planning to use our HOL-in-a-Box service for upcoming events, make sure you keep those dates in mind and transition any events to the 2018 labs prior to that date!

Finally, to help you find the lab replacing the 2017 SKU, you can use the HOL 2017 to 2018 Lab Listing PDF.  For the most part, the 2018 SKU lined up to identical content that was in the 2017 SKU.  For example, HOL-1703-SDC-01 (NSX) has been updated and replaced with HOL-1803-01-NET.  In cases where there was no direct match, you can review the Notes column to see where the content is now or if it has been removed.

Stay tuned over the next few weeks for further updates on some of the changes we have implemented this year and to see which labs are released!

Use our Browser / Network Compatibility Test tool before you start your lab experience


Some great news!

The VMware Learning Platform engineering team put together a very cool tool to help you do a little sanity check before you take a Hands-on Lab. It checks your browser compatibility and runs some basic network sanity checks to make sure your lab experience is as good as it can be.

Be sure to send us your feedback, and if you think it’s useful, tell a friend.

Link: http://www.vmwlp.com/HOL/compatibility/

Join us for Americas vForum Online June 28th – Tons of great Sessions and Hands-on Labs


We will be hosting another vForum Online event this June 28th and have great Sessions and Hands-on Labs lined up to make your learning experience even better. These events are exciting as we engage with users from all of the Americas. We will be online monitoring the infrastructure and answering questions from you.

We look forward to seeing you there!

See Agenda


Congratulations Brian W – DJI Drone Raffle Contest Winner


Thank you for participating in our Raffle Drawing for the very cool DJI Drone – we had a lot of fun putting it together for you.  We thought it would be great to get to know our winner and did a little write up to introduce him to our readers.

Tell us about your professional career background and interests?

I work in healthcare specializing in virtualization technology and strategy. I’ve been working in IT for over 20 years, and working with VMware solutions for over 15. My current interests involve Cloud Management and Automation, and Network Virtualization. I also enjoy attending my local VMUG meetings to understand how other people are addressing problems in Healthcare with technology.

How was your Hands-on Lab Experience? Anything we can do to improve the experience?

I’m a huge proponent of the HOLs. I used them frequently to study for VMware Certification exams, especially to get to bits that aren’t generally available… Additionally, many of the labs give you free rein to go off of the lab manual, and do other tasks. For me, this is much easier than a home lab. Everything is properly configured, consistent, and there’s no consequence for making changes that would break a home lab configuration. Over the years, the HOL environment has gotten better and the catalog broader; there’s really nothing else like it out there.

Advice to users out there on using the Hands-on Labs

Get out there and try them! Don’t be afraid to use a HOL environment for other tasks than the lab, such as performing tasks on a certification blueprint. I rarely find that there are things I cannot perform in the HOLs, short of complex multisite configurations. The HOLs are great training if you’re lacking budget, offering the latest content and products.


New Hands-on Labs and Chance to win a DJI Mavic Pro Drone

New Hands-on Labs released and chance to win a cool DJI Drone


We are incredibly happy to announce our latest release of Hands-on Labs and a very cool DJI Drone Raffle Giveaway for taking any of our eligible Hands-on Labs. Please visit our official contest site for more details. The contest runs from April 19th to May 19th 2017. The giveaway is for US residents only; sorry, no VMware employees.

Below is a list of our recently released Hands-on Labs for our Spring Release. We would also like to thank our entire team for making this happen. You can take any of these labs from our Hands-on Labs site: http://labs.hol.vmware.com

Newly released Hands-on Labs

      • HOL-1731-SDC-1 – What’s New: Virtual SAN v6.5
      • HOL-1731-SDC-2 – Advanced vSAN 6.5: Operations
      • HOL-1733 – What’s New: vRealize Automation v7.2
      • HOL-1810-01-SDC – Virtualization 101: Introduction to vSphere

Updates to existing Hands-on Labs

      • HOL-1701 (all lab codes) – Updated to vROps v6.5 and Log Insight v4.  Includes updates to VOA Hands-on Labs
      • HOL-1706-SDC-5 – VMware Cloud Foundation
      • HOL-1710 – Updating to the GA release of vSphere v6.5. Log Insight content
      • HOL-1728-SDC-1  – General updates
      • HOL-1730-USE-1 – Updated to Cloud Native GA code
      • HOL-1751-MBL-1 – New module to include Instant Clones
      • HOL-1756-MBL-1 – New interactive simulation lab and renamed to Horizon Cloud-Hosted Infrastructure – Explore and Manage
      • HOL-1757 – Updated to AirWatch v9.0
      • HOL-1787-USE-1 – New features of vCD
      • HOL-1790-CHG-1 – Updated for vRA 7.2

Thank you for your support and enjoy your Hands-on Labs –

VMware Hands-on Labs Team


HOL Three-Tier Application, Part 5 – Use Cases

If you have been following along in this series, first of all, thank you! Here is a summary of our work so far:

Next, you should have a basic three-tier application created:


A Simple Three-Tier Application

I tried to use simple components to make it usable in either a home lab or a nested environment, so they should perform exceedingly well in a real environment.

Virtual Machine Profile

The component Photon OS machines boot in a few seconds, even in our nested environment, and their profiles are fairly conservative:

  • 1 vCPU
  • 2 GB RAM
  • 15.625 GB disk

Once configured as indicated in this series, these VMs will export as OVAs that are around 300 MB each, making them reasonably portable.

The storage consumed after thin-provisioned deployment is less than 650 MB for each virtual machine. At runtime, each consumes an additional 2 GB for the swapfile. During boot, in my environment, each VM’s CPU usage is a little over 600 MHz and the active RAM reports 125 MB, but those normalize quickly to nearly 0 MHz and 20 MB active RAM (+23 MB virtualization overhead). You may be able to reduce their RAM allocations, but I have not tried this.

So, what can I do with this thing?

It is nice to have tools, but without a reason to use them, they’re not that much fun. We use tools like this in our labs to demonstrate various functionality of our products and help our users understand how they work. Here are a few ideas, just to get you thinking:

vMotion, Storage vMotion, SRM Protection and Recovery

The virtual machines that you created can be used as a set, but the base Photon OS template also makes a great single VM for demonstrating vMotion or Site Recovery Manager (SRM) recovery in a lab environment. They are small, but they have some “big VM” characteristics:

  • The VMware Tools provide appropriate information up to vCenter
  • They respond properly to Guest OS restart and power off actions
  • Photon OS handles Guest Customization properly, so you can have the IP address changed during template deployment and SRM recovery.
  • You can ping and SSH into them
  • You can use them to generate load on your hosts and demonstrate Distributed Resource Scheduler (DRS) functionality


We use a previous version of this application in several of our NSX labs that debuted at VMworld 2016. For a good micro-segmentation use case, you can look at HOL-1703-USE-2 – VMware NSX: Distributed Firewall with Micro-Segmentation. The manual is available for download here, or you can take the lab here.

For a more complicated use case using a similar application to demonstrate SRM and NSX integration, look at HOL-1725-USE-2 – VMware NSX Multi-Site DR with SRM. For that lab, the manual is available here and the lab is here.

Each of the tiers must communicate with the others using specific ports:

  • Client to Web = 443/tcp
  • Web to App = 8443/tcp
  • App to DB = 80/tcp

You can use this application to test firewall rules or other network restrictions that you are planning to implement. If a restriction breaks the application, you can determine where and why, then try again. If you want to change the port numbers to match your needs, you can do that as well. Keeping the application simple means that modifications should also be simple.

Load Balancing (Distribution)

The basic idea here is that you can create clones of the web-01a machine as many times as you like and pool them behind a load balancer. In your lab, if you have it, you may want to use NSX as a load balancer. If you want to do that, I suggest checking out Module 3 – Edge Services Gateway in the HOL-1703-SDC-1 – VMware NSX: Introduction and Feature Tour lab, which covers how to set that up. The manual is here and the lab is here.

If you want to use another vendor’s solution, feel free to do that as well. This application is REALLY simple. Some free load balancing solutions can be implemented using nginx or haproxy. Fortunately, we already know about nginx from the build of our web servers, so I will cover that later in this post. First, though, I want to cover a DNS round robin configuration since understanding that makes the nginx load balancing simpler for the lab.

Example 1 – Load Distribution via DNS Round Robin

If you don’t have the resources for another VM, you can implement simple load distribution via DNS round robin as long as you understand a few limitations:

  1. You must have access to change DNS for your lab environment.
  2. Using only DNS, you get load distribution but not really balancing; there is no awareness of the load on any particular node. Rather, you simply get the next one in the list.
  3. There is no awareness of the availability of any node in the pool. DNS simply provides the next address, whether it is responding or not.
  4. Connecting from a single client may not show balancing since optimizations in modern web browsers may keep existing sockets open.

In this first example, I have 3 web servers (web-01a, web-02a, web-03a) with IP addresses, 31, and 32. My SSL certificate contains the name webapp.corp.local and it is loaded onto each of the web servers. The picture looks something like this:


Create the VMs

To create web-02a and web-03a, I simply clone my web-01a VM then reset the hostnames and IP addresses of each clone to the new values:

  • web-02a –
  • web-03a –

Alternatively, I can make a template from the web-01a VM and deploy the copies using Guest Customization to reconfigure them. Just make sure to populate the /etc/hosts file on the customized machines since the process wipes out and rebuilds that file.

Configure DNS

The required DNS changes are not complicated. You basically assign the name webapp.corp.local to the IP addresses of your web servers and set the time-to-live (TTL) to a low, non-zero value.

Using PowerShell against my lab DNS server called controlcenter.corp.local that manages the corp.local zone, I add DNS records with a 1 second TTL, associating all of the web server IP addresses to the name webapp.corp.local:

```powershell
$ttl = New-TimeSpan -Seconds 1

Add-DnsServerResourceRecordA -ComputerName 'controlcenter.corp.local' -ZoneName 'corp.local' -name 'webapp' -IPv4Address '' -TimeToLive $ttl
Add-DnsServerResourceRecordA -ComputerName 'controlcenter.corp.local' -ZoneName 'corp.local' -name 'webapp' -IPv4Address '' -TimeToLive $ttl
Add-DnsServerResourceRecordA -ComputerName 'controlcenter.corp.local' -ZoneName 'corp.local' -name 'webapp' -IPv4Address '' -TimeToLive $ttl
```

If you use a BIND DNS server, just create multiple A records pointing to the same name. BIND 4.9 or higher will automatically rotate through the records. In my case, I have a Windows 2012 DNS server, and it cycles through the addresses when the webapp.corp.local name is requested.

Testing the Rotation

Here is a simple example of what this looks like from an ESXi host in my lab. A simple ping test shows the rotation occurring as intended:

```
[root@esx-03a:~] ping -c 1 webapp.corp.local
PING webapp.corp.local ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=1.105 ms

--- webapp.corp.local ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.105/1.105/1.105 ms

[root@esx-03a:~] ping -c 1 webapp.corp.local
PING webapp.corp.local ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=1.142 ms

--- webapp.corp.local ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.142/1.142/1.142 ms

[root@esx-03a:~] ping -c 1 webapp.corp.local
PING webapp.corp.local ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=1.083 ms

--- webapp.corp.local ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.083/1.083/1.083 ms
```

Accessing the Application

Use the https://webapp.corp.local/cgi-bin/app.py URL from your web browser to access the application. Within the three-tier application, the script on the app server displays which web server made the call to the application.


The script will show the IP address of the calling web server unless it knows the name you would like it to display instead. You provide a mapping of the IPs to the names you would like displayed at the top of the app.py script on the app server:

webservers = {

Simply follow the syntax and replace or add the values which are appropriate for your environment.

A Challenge Showing Load Distribution from a Single Host

Hmm… while the ping test shows that DNS is doing what we want, clicking the Refresh button in your web browser may not be switching to a different web server as you expect.

A refresh does not necessarily trigger a new connection and DNS lookup, even if the TTL has expired. Modern web browsers implement optimizations that will keep an existing connection open because odds are good that you will want to request more data from the same site. If a connection is already open, the browser will continue to use that, even if the DNS TTL has expired. This means that you will not connect to a different web server.

You can wait for the idle sockets to time out or force the sockets closed and clear the web browser’s internal DNS cache before refreshing the web page, but that is not really convenient to do every time you want to demonstrate the distribution functionality. If you want to be able to click Refresh and immediately see that you have connected to a different web server in the pool, you can use NSX or a third-party load balancer. If you want to use the tools that we have currently available, the next example works around this issue.

Example 2 – Implementing a (Really) Basic Load Balancer

Making a small change to the nginx configuration on one of the web server machines and adjusting DNS can provide a simple demonstration load balancer for your lab. This requires a slight deviation from our current architecture to inject the load balancer VM in front of the web server pool:


Three-Tier Application with Load Balancer

Note that there are better, more feature-rich ways to do this, but we are going for quick and simple in the lab.

Create the Load Balancer

Create the load balancer VM. You can deploy a new one from a Photon OS base template and go through the configuration from there, but conveniently, the difference between the load balancer configuration and that of our web servers is just one line!

So, make a copy of the web-01a VM and update its address and hostname:

  • lb-01a –

Change the nginx Configuration

On the lb-01a VM, edit the /etc/nginx/nginx.conf file:

```
# vi +130 /etc/nginx/nginx.conf
```

Change line 130 from

```
proxy_pass https://app-01a.corp.local:8443/;
```

to

```
proxy_pass https://webpool.corp.local/;
```

This will allow us to leverage DNS round-robin to rotate through the list of web servers and distribute the load. Nginx has advanced configurations to handle load balancing, but this will get the job done for a lab or demonstration. Terminating SSL on the load balancer while using plain HTTP on the web servers allows a lot more flexibility, but the configuration changes are beyond the scope of what I want to do here.

Restart nginx

```
# systemctl restart nginx
```

Adjust DNS

Finally, adjust DNS to move the webapp.corp.local name to point at the load balancer and put the web servers into webpool.corp.local instead.

If you are using Windows DNS, you can use PowerShell. For BIND, edit and create the records as needed.

  1. Remove the existing webapp.corp.local pool by deleting all of the A records that point to the individual web servers:

```powershell
$rec = Get-DnsServerResourceRecord -ComputerName 'controlcenter.corp.local' -ZoneName 'corp.local' -Name 'webapp' -RRType A
if( $rec ) {
  $rec | % { Remove-DnsServerResourceRecord -InputObject $_ -ZoneName 'corp.local' -Force }
}
```

  2. Create a new webapp.corp.local A record that points to the lb-01a machine:

```powershell
Add-DnsServerResourceRecordA -ComputerName 'controlcenter.corp.local' -ZoneName 'corp.local' -name 'webapp' -IPv4Address ''
```

  3. Create the new webpool.corp.local that contains the individual web servers:

```powershell
$ttl = New-TimeSpan -Seconds 1

Add-DnsServerResourceRecordA -ComputerName 'controlcenter.corp.local' -ZoneName 'corp.local' -name 'webpool' -IPv4Address '' -TimeToLive $ttl
Add-DnsServerResourceRecordA -ComputerName 'controlcenter.corp.local' -ZoneName 'corp.local' -name 'webpool' -IPv4Address '' -TimeToLive $ttl
Add-DnsServerResourceRecordA -ComputerName 'controlcenter.corp.local' -ZoneName 'corp.local' -name 'webpool' -IPv4Address '' -TimeToLive $ttl
```

Access the Application

Now, point your web browser to the https://webapp.corp.local/cgi-bin/app.py URL. Each time you click Refresh in your web browser or enter a new search string in the Name Filter box and click the Apply button, the data refreshes and the Accessed via: line should update with a different web server from the pool:


Rotating through web servers in the pool

Because the web browser’s connection is to the load balancer VM, which controls which web server receives the request, we eliminate the issue experienced when using only DNS round robin. This very basic implementation does not handle failed servers in the pool and is not something that would be used in production, but, hey, this is a lab!
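As an added example (not the post's own configuration), this is the explicit nginx upstream form of the lb-01a change from the previous section, which names the three web servers directly and also skips a member that stops responding, the gap noted above. It assumes the certificate and key paths shown and replaces the server block that lb-01a inherited from web-01a; note that nginx resolves the hostnames in proxy_pass and upstream blocks once, at start or reload, so the DNS TTL does not drive its rotation and changing pool membership requires a reload.

```nginx
# Added example: replaces the server block on lb-01a (assumed certificate paths).
# Pool members are listed explicitly instead of relying on DNS round robin;
# nginx resolves these names once, at start or reload, not on every request.
upstream webpool {
    # A member that fails 2 connection attempts within 10s is skipped for 10s,
    # then tried again. Requests rotate round-robin across healthy members.
    server web-01a.corp.local:443 max_fails=2 fail_timeout=10s;
    server web-02a.corp.local:443 max_fails=2 fail_timeout=10s;
    server web-03a.corp.local:443 max_fails=2 fail_timeout=10s;
}

server {
    listen 443 ssl;
    server_name webapp.corp.local;

    # Assumed paths for the webapp.corp.local certificate and key.
    ssl_certificate     /etc/nginx/ssl/webapp.corp.local.crt;
    ssl_certificate_key /etc/nginx/ssl/webapp.corp.local.key;

    location / {
        # Forward to the pool over HTTPS; the members still listen on 443.
        proxy_pass https://webpool;

        # Preserve the virtual name and the client address for the pool members.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # On a connection error or timeout, retry the request on the next member.
        proxy_next_upstream error timeout;
    }
}
```

After editing, run `nginx -t` to validate the syntax and then `systemctl reload nginx`; a member that is unreachable at reload time is marked failed rather than breaking the whole pool.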

It is possible to extend this idea to put a load balancer in front of a pool of application servers as well: replace line 130 in each web server’s /etc/nginx/nginx.conf file with the URL of an app server pool instead of pointing them directly at the app-01a VM.

That’s a Wrap!

That concludes the series on building a minimal three-tier application. I am hopeful that you have found this interesting and can use these tools in your own environment.

Thank you for reading!

HOL Three-Tier Application, Part 4 – Web Server

This is the fourth post in the series about building a three-tier application for demonstration, lab, and education purposes. If you have been following along, you have created the base Photon template as well as simple database and application servers.

This post covers the final layer of our stack, the web presentation tier. I have said it before, but the configuration of the web server here is really simple, and if you have made it this far, you’re golden.

The Web Server (web-01a)

All of the hosts in this application run “web server” software, but this one has the web server designation because it is the one that the user directly accesses. The entire back end could be replaced with real application middleware and an RDBMS, but the user expects this one to present an SSL-encrypted web page on port 443. This time, I have chosen not to use Apache, and there is no need for Python. There is no CGI, and minimal configuration is required aside from issuing another certificate for SSL. This tier is mostly interesting because it will answer to the virtual name of the application in addition to the real name(s) of your web server(s).

The red box in the following diagram highlights the component that we are building in this post.


Again, the first steps look quite a bit like the steps we performed for the application and database servers as we assign the personality to the template. I will again outline the steps here as a reminder. Details can be found in my post about the database server.

Let’s get started!

  1. Deploy a copy of the base Photon template you created by following the steps in my first post.
  2. Name it something that makes sense to you for your web server. I called mine web-01a
  3. Power it up and log in as the root user
  4. Change the hostname in /etc/hostname and in /etc/hosts
  5. Change the IP address in /etc/systemd/network/10-static-eth0.network
  6. Use a SSH client to access the machine as root (makes pasting possible)

Instead of installing Apache again, we are going to use nginx. You can do the same thing with Apache, but I wanted to try something a little more lightweight and the nginx configuration for this use case is really simple.

Install nginx to be used as a reverse proxy

The web server machine will function as a reverse proxy, sending user requests bound for port 443 on this server to the application server at https://app-01a.corp.local:8443

# tdnf install nginx

The nginx install is less than 6 MB and takes a few seconds:


Configure the reverse proxy

Edit the configuration file, /etc/nginx/nginx.conf

# vi +116 /etc/nginx/nginx.conf

by adding the following at the bottom of the file, at line 116, just before the closing “}” in the file.

   # HTTPS server
   server {
      # 'ssl' on the listen directive replaces the older 'ssl on;',
      # which newer nginx releases have deprecated
      listen 443 ssl;
      server_name webapp.corp.local;

      ssl_certificate     /etc/nginx/ssl/webapp.pem;
      ssl_certificate_key /etc/nginx/ssl/webapp.key;

      ssl_session_cache shared:SSL:1m;
      ssl_session_timeout 2m;

      location / {
         # hand every request to the application server, keep the Host
         # header the client sent, and rewrite any http:// redirects
         # the app server returns so the client stays on https
         proxy_pass https://app-01a.corp.local:8443/;
         proxy_set_header Host $host;
         proxy_redirect http:// https://;
      }
   }

Notice that we need an SSL certificate and a key to make this work. We have done this before, so let’s create those now.
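As an added example (this is not code from the original post), the small shell script below renders the same server block two ways: as the post shows it, and with the additions a reviewer would ask for before putting it in front of a real client (TLS versions pinned, HSTS, the client address forwarded to the app tier, and the upstream certificate actually verified). A lint function flags the differences. The upstream URL, names and webapp certificate paths come from the post; the app-01a certificate path used for upstream verification is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: render the webapp reverse
# proxy server block two ways and lint it for the settings a reviewer would
# flag.  Upstream, names and webapp cert paths are from the post; the
# app-01a certificate path for upstream verification is an assumption.

UPSTREAM="${UPSTREAM:-https://app-01a.corp.local:8443/}"

# The block as the post shows it: works, but 'ssl on;' is deprecated,
# nothing pins TLS versions, and the app server's certificate is not checked.
render_basic_server() {
    cat <<EOF
server {
    listen 443;
    server_name webapp.corp.local;
    ssl on;
    ssl_certificate     /etc/nginx/ssl/webapp.pem;
    ssl_certificate_key /etc/nginx/ssl/webapp.key;
    location / {
        proxy_pass $UPSTREAM;
        proxy_set_header Host \$host;
        proxy_redirect http:// https://;
    }
}
EOF
}

# Same proxy with the hardening a practitioner would want in front of an app
# tier.  Drop TLSv1.3 on nginx builds older than 1.13 / OpenSSL 1.1.1.
render_hardened_server() {
    cat <<EOF
server {
    listen 443 ssl;
    server_name webapp.corp.local;
    ssl_certificate     /etc/nginx/ssl/webapp.pem;
    ssl_certificate_key /etc/nginx/ssl/webapp.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 2m;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass $UPSTREAM;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect http:// https://;
        # app-01a presents a lab certificate: trust that file explicitly
        # instead of skipping verification (path is an assumption)
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/app-01a.pem;
        proxy_ssl_name app-01a.corp.local;
    }
}
EOF
}

# Print one line per finding; return 1 if anything was found, 0 if clean.
lint_server_block() {
    conf="$1"; rc=0
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on;' "$conf"; then
        echo "deprecated 'ssl on;' - use 'listen 443 ssl;'"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]' "$conf"; then
        echo "no ssl_protocols directive - TLS versions left to the build default"; rc=1
    fi
    if grep -Eq '^[[:space:]]*proxy_pass[[:space:]]+https://' "$conf" \
       && ! grep -Eq '^[[:space:]]*proxy_ssl_verify[[:space:]]+on;' "$conf"; then
        echo "https upstream without proxy_ssl_verify on"; rc=1
    fi
    if ! grep -q 'X-Forwarded-For' "$conf"; then
        echo "client address not forwarded to the app tier"; rc=1
    fi
    return $rc
}

# Render one variant (basic|hardened) to a temp file and lint it.
lint_variant() {
    tmp=$(mktemp)
    "render_${1}_server" > "$tmp"
    lint_server_block "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: lint_variant basic   -> prints findings, exits 1
#        lint_variant hardened -> silent, exits 0
```

On the web server itself, follow the lint with `nginx -t` after pasting the block into /etc/nginx/nginx.conf; nginx will also confirm that the certificate and key files load.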

Make the ssl directory and switch into it

Let’s just create the certificates in the place that the server expects them to be.

# mkdir -p /etc/nginx/ssl
# cd /etc/nginx/ssl

Build the configuration file

It is common for multiple web servers to be configured in a pool, behind a load balancer. I create the certificate here using a name, webapp.corp.local. This name can be assigned to the load balancer’s VIP. If there is only one web server, as in my example here, this name can also be an alias that resolves to the one web server. For simplicity, and possibly for other use cases, the certificate configuration we build here includes the names of three web servers: web-01a, web-02a and web-03a.

Create the file webapp.conf

# vi webapp.conf

with the following contents, modified as needed for your environment:

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_req
default_md         = sha256
prompt             = no

[ req_distinguished_name ]
C  = US
ST = California
L  = Palo Alto
O  = VMware
OU = Hands-on Labs
CN = webapp.corp.local

[ v3_req ]
# digitalSignature lets the RSA key sign ECDHE handshakes; some clients
# reject a server certificate that lacks it
keyUsage         = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = webapp.corp.local
DNS.2 = web-01a.corp.local
DNS.3 = web-02a.corp.local
DNS.4 = web-03a.corp.local

Save and close the file.

Generate the key and certificate

Note that this is a long command and you may need to scroll to the right to get all of it. Ensure it ends with “webapp.conf”

# openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout webapp.key -out webapp.pem -config webapp.conf

(optional) Validate that the PEM file “looks right”

I put this command here for those who want to look at the certificate. It is a good command to know in case you have a certificate file and want to know what information it contains. That can help you match the certificate to the proper host without needing to install it and then find out it is not the right one.

# openssl x509 -in webapp.pem -noout -text
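The shell script below is an added example, not part of the original post. It writes the request configuration from above (with the section headers openssl expects and digitalSignature added to keyUsage), generates the key and certificate with the same openssl req command, and then runs the checks worth doing before the files go under /etc/nginx/ssl: every expected SAN is present, the certificate carries the serverAuth EKU, the private key belongs to the certificate, and openssl's own hostname verification accepts each name. The work directory argument is an assumption; the names and the command come from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: build the webapp certificate
# from a sectioned request config and check it before copying it into
# /etc/nginx/ssl.  Names match the post; the work directory is an assumption.

# The post's request config with the [section] headers openssl requires.
# digitalSignature is added so the RSA key can sign ECDHE handshakes.
write_webapp_conf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_req
default_md         = sha256
prompt             = no

[ req_distinguished_name ]
C  = US
ST = California
L  = Palo Alto
O  = VMware
OU = Hands-on Labs
CN = webapp.corp.local

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = webapp.corp.local
DNS.2 = web-01a.corp.local
DNS.3 = web-02a.corp.local
DNS.4 = web-03a.corp.local
EOF
}

# Self-signed key and certificate in $1, as the post does.  -nodes leaves
# the key unencrypted so nginx can start at boot; restrict it by permissions.
gen_webapp_cert() {
    write_webapp_conf "$1/webapp.conf"
    openssl req -x509 -nodes -days 1825 -newkey rsa:2048 \
        -keyout "$1/webapp.key" -out "$1/webapp.pem" \
        -config "$1/webapp.conf" 2>/dev/null \
    && chmod 600 "$1/webapp.key"
}

# 0 if the certificate lists $2 as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# 0 if the certificate carries the TLS server authentication EKU.
cert_is_server_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# 0 if the private key in $2 is the one the certificate in $1 was made for.
# Comparing public-key digests catches a mismatched pair before nginx does.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if a client connecting to host $2 would accept this certificate once it
# trusts it: the same SAN hostname check a browser performs.
cert_verifies_hostname() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Generate a fresh pair in $1 and run every check; prints a one-line report.
check_webapp_cert() {
    gen_webapp_cert "$1" || { echo "openssl req failed"; return 1; }
    for n in webapp.corp.local web-01a.corp.local web-02a.corp.local web-03a.corp.local; do
        cert_has_san "$1/webapp.pem" "$n" || { echo "missing SAN $n"; return 1; }
        cert_verifies_hostname "$1/webapp.pem" "$n" || { echo "hostname check fails for $n"; return 1; }
    done
    cert_is_server_cert "$1/webapp.pem" || { echo "missing serverAuth EKU"; return 1; }
    cert_matches_key "$1/webapp.pem" "$1/webapp.key" || { echo "key does not match certificate"; return 1; }
    echo "webapp.pem OK, $(openssl x509 -in "$1/webapp.pem" -noout -enddate)"
}

# Usage: check_webapp_cert /etc/nginx/ssl
if [ "$#" -gt 0 ]; then check_webapp_cert "$1"; fi
```

Run it with the target directory as its argument; a hostname-check failure for a name you expect to serve means the SAN list, not the nginx config, is what needs fixing.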

Start the nginx server and configure it to startup when the VM boots

# systemctl start nginx
# systemctl enable nginx


With the other components (db-01a, app-01a) online, reachable and tested, you can test the whole solution with curl from the console of the web server. The -k flag skips certificate verification, which the self-signed certificate would otherwise fail:

# curl -k https://web-01a/cgi-bin/app.py

This should return the data from the database in HTML format by executing the script on the application server.

You can filter the results by appending a querystring. Try this one:

# curl -k 'https://web-01a/cgi-bin/app.py?querystring=science'

That query should return a single entry with a name containing the word science. It may be difficult to read on the command line since it is HTML. These look nicer via a GUI web browser anyway, and you can modify the filter using the form at the top of the table:


That’s it!

You now have the components of a rudimentary three-tier web application that you can use in your lab. I hope this build has provided some useful tools for you. In the final post, I will use this set of VMs and cover an example of how to implement a pool of webservers in front of the application and database tier.

Thank you for reading!

Oh, just one more thing…

Notice the pretty green lock next to the URL in my web browser in the previous screen shot?

SSL Certificate Trust

In this application, we have a self-signed SSL certificate. It should be created with the name webapp.corp.local, or whatever you selected for your environment. To get rid of the web browser security warnings and have the shiny green lock show up, you need to do two things:

Configure DNS Records

The only record the client needs is one that resolves webapp.corp.local, the name in the certificate, to the web server.

If you have a Windows-based DNS server, you can create the records using PowerShell. The following 2 lines create a DNS host (A) record for web-01a.corp.local and then a DNS alias (CNAME) record for webapp.corp.local that points to it.

PS> Add-DnsServerResourceRecordA -ComputerName 'dns.corp.local' -ZoneName 'corp.local' -Name 'web-01a' -IPv4Address '' -CreatePtr

PS> Add-DnsServerResourceRecordCName -ComputerName 'dns.corp.local' -ZoneName 'corp.local' -Name 'webapp' -HostNameAlias 'web-01a.corp.local.'

This configuration allows the virtual name webapp to be separate from the web-01a name and enables the addition of other web servers to a pool, followed by the reassignment of the webapp name to a load balancer IP.

If you don’t have Windows-based DNS, you can edit your /etc/hosts file on the client or add the DNS records to your nameserver using the procedures required for your environment.

Trust the Self-Signed Certificate

Once you have name resolution knocked out, you need to trust the certificate on your client. You can really trust the certificate, or you can sometimes create an exception in the web browser. Do whichever works for you and makes you happy. Without trust, this is what the connection looks like in Chrome:


In our labs, we download the web server’s certificate to the client machine and add it to the Windows Trusted Root Certification Authorities store or to one of the keychains within Keychain Access on macOS. That will handle IE on Windows, and Chrome on Windows and macOS, since both use the operating system’s trust store.

If you save the certificate file to your desktop in Windows and double-click it, the bold text pretty much sums up what you need to do.


There are a variety of ways to get this done, and there are some shortcuts, but the process has not changed in many years and this Microsoft Windows Blog article covers a process that works.

Firefox manages its own trust store, so you need to import it separately if you want to use that browser. Check the Mozilla Wiki for detailed instructions about how to do this. Note that newer versions of Firefox have implemented more strict checking. Basically, they refuse to accept a “leaf” certificate that is specified as a Certificate Authority certificate (why is your web server using the CA certificate??) and will not allow a non-CA certificate to be added to its trusted root CA certificate store. Getting this to look nice requires additional hoops that are beyond the scope of this article. We have a Microsoft CA implemented in our labs and generally issue certificates from there. Since that CA is trusted by all clients within the environment, there is no issue.

Thank you again for reading!

You can finish the series with the last post: Use Cases.