The deployments in vRealize Automation Cloud (vRA Cloud) can be easily managed by policies defined in Service Broker. Each Service Broker policy is a set of rules or parameters that are applied to deployments within a defined scope. This allows cloud administrator to focus on other tasks while ensuring that the resource limits are enforced. It is important to note that policies in vRA are defined in Service Broker but enforced in both Service Broker (via the catalog) and in Cloud Assembly (via the VMware Cloud Templates).
vRA Cloud already supports three types of policies for setting guardrails:
With the latest release of vRA Cloud, VMware is introducing a new type of policy called “Resource Quota Policy” which provides cloud administrators to limit the consumption of their precious cloud resources (VM, CPU, memory, and storage). This policy can be configured to set a limit on resource usage. When a user requests a new deployment, the resource quota policy kicks in and will not allow the deployment to go through if the limits of the resources set in the policy are reached. The request fails and an appropriate error message is displayed in the deployment history.
Configuring Resource Quota Policy
To set a new resource quota policy, select Content and Policies -> Policies -> Definitions. Click on the “NEW POLICY” button.
The next screen shows all Policy Types offered in vRA Cloud. Click on the new tile for the Resource Quota Policy.
The first step in configuration is to provide a name followed by an optional description of this policy. The next two fields – “Scope” and Resource quota” – are mandatory.
We have enhanced the “Scope” functionality to include an option for multiple projects. Previously, you could only configure a policy at Organization level or Project level. With this change, you have the option to select multiple projects. When you select “Organization / Multiple Projects”, you can choose to specify the names of projects by clicking the “+” button and either providing specific names or a regular expression which would apply to all projects that meet this criterion. If you do not include project names, by default, the policy is applied at the org level.
You can also choose to apply this policy to a specific Project. For that, select the radio button for “Project” and select the project in the field that appears.
The final step is to add resource quota limits by clicking the “ADD” button. In the Add Resource Quota” pop up, you select the type of limit, the name of the resource and set its limits.
This is where vRA Cloud provides you with finer controls. You have the option to choose the “Type” of limits at organization, organization user, project or project user level. Here’s what each type means.
- Organization Limits: The resource quota is applied at the org level as an aggregate of resources consumed by all users.
- Organization User Limits: The resource quota is applied at the org level per user in that org. A user could belong to multiple projects in which case the aggregate of resources in all such projects is considered before enforcing a limit as long as the projects belong to that org.
- Project Limits: The resource quota is applied at the project level as an aggregate of resources consumed by all users.
- Project User Limits: The resource quota is applied at the project level per user in that project.
When you select the scope as Project, the “Scope level” is restricted to Project Limits and Project User Limits.
The “Resource” field gives you an option to apply the limit to one of CPU, VM Count, Memory or Storage.
Depending on the resource selection, the format of the value that you provide in the “Limit” field will be enforced. For “CPU” and “VM Count”, it is an absolute number. For “Memory” and “Storage”, it is the size in GB.
As an example, if you select the Type as “Organizational Limits” and the Resource as “CPU” with a limit of 5, this is how the resource quota will look like this:
After providing all the necessary details, click Create to save the new policy. Now you can verify that the new policy has been successfully created.
Key Points to Consider
In case of similar policies, the more restrictive policy will be applied. What it means is that if you have configured two policies with the same type and resource but different limits, the policy with the most restrictive quota will be applied to the deployment.
Furthermore, we only consider the completed requests for aggregating the resource usage. Any in-progress requests are not considered either, as the resource policy logic is checked only when a new deployment request is submitted.
Closing Thoughts
Policies are processed based on the policy definition. In particular, the scope and the enforcement level determine which policy is valid when you have multiple policies that might apply to a single deployment. Click here to learn more about how Service Broker policies are processed.
Our free 45-day trial for vRealize Automation Cloud is the best way to explore the solution yourself or with a little help from our experts.
Feel free to leave a comment below on what other features you would like to see in policies & governance in vRA Cloud.
