Cloud Foundation Holodeck: vRealize Automation - Fixed Networks

Overview

This module introduces consumption of a VCF based VMware Cloud using vRealize Cloud Assembly.  Participants will gain experience with using vRealize Automation Cloud Assembly to deploy application workloads onto preconfigured NSX Segments and firewall policies.

It is anticipated that this module will take 60-90 minutes to complete.

This module consists of the following exercises

1. Create NSX Segments with DHCP services, and connect to OC-T1 Tier-1 router
2. Create Cloud Assembly Network Profile for OC-DB-Auto-Seg
3. Create Cloud Assembly Network Profile for OC-Web-Auto-Seg
4. Review vRealize Cloud Template
5. Deploy OpenCart from Cloud Template
6. Review Provisioning Diagram
7. Review Deployed Application
8. Delete Deployed Application

This module relies on:

• Holodeck OpenCart SDN lab completed (This lab consumes The T1 Router, Tagging and Distributed Firewall rules from the SDN lab)
• Holodeck VRA initial setup complete including Quick Start

Deploying OpenCart to pre-existing NSX Segments – Holodeck Config

Exercise 1: Create NSX Segments with DHCP Server

In this exercise we will create two new NSX segments to host OpenCart web and database servers.  Each segment will use a /24 subnet and reserve a part of the address space for VRA deployed services like load balancers and the remainder for DHCP boot of hosts. Note that this step requires admin level privileges to NSX and in a live datacenter environment this might be carried out by the network team or a consolidated operations team.

[Step 1] Logging in to the environment

1. Open a new tab in the Chrome browser
2. Click the Management NSX-T shortcut in the bookmark bar (click advanced / proceed to nsx-mgmt.vcf.sddc.lab, if required to accept the certificate)
3. Log into NSX Manager as user: admin with the password: VMware123!VMware123!
4. From the NSX-T Manager interface click the Networking tab
5. Select Network Topology

 

In the topology view you should see the OC-T1 router and OC-DB-Segment and OC-Web-Segment from the previous module.  We are going to add additional segments to this Tier-1 router for use by vRealize Cloud Assembly.  The next steps will create the following networks

• OC-DB-Auto-Seg
  • 10.1.3.0/24
  • Gateway 10.1.3.1/24
  • DHCP Server 10.1.3.254/24
  • DHCP Range 10.1.3.100-10.1.3.253
• OC-Web-Auto-Seg
  • 10.1.4.0/24
  • Gateway 10.1.4.1/24
  • DHCP Server 10.1.4.254/24
  • DHCP Range 10.1.4.100-10.1.4.253

[Step 2] Create OC-Holodeck DHCP Profile

1. From the NSX-T Manager interface click the Networking tab at the top of the screen
2. Click DHCP in the left pane.
3. Click Add DHCP Profile

4. Name the profile Holodeck-DHCP
5. Leave the Server IP Address blank as we will assign segment specific DHCP addressing later
6. Click Edge Cluster and select EC-01
7. Click Save

[Step 3a] Create the OC-DB-Auto-Seg

1. From the NSX-T Manager interface click the Networking tab at the top of the screen
2. Click Segments in the left pane.
3. Click ADD SEGMENT button

 

4. In the Segment Name field, enter OC-DB-Auto-Seg
5. Set Connected Gateway to OC-T1
6. In the Transport Zone dropdown, select mgmt-domain-tz-overlay01
7. Add IPv4 gateway 10.1.3.1/24

8. Click SET DHCP CONFIG
9. Set DHCP Type to Local DHCP Server
10. Select Holodeck DHCP profile
11. Set DHCP Server Address 10.1.3.254/24
12. Set DHCP Ranges 10.1.3.100-10.1.3.253
13. Set DNS to 10.0.0.221

14. Leave all IPv6 settings Not Set
15. Click Apply

8. At bottom of the Segments screen, click Save
9. You will see your segment has been successfully created.  Click NO on the Want to continue configuring this segment?

[Step 3B] Create the OC-Web-Auto-Seg

1. From the NSX-T Manager interface click the Networking tab at the top of the screen
2. Click Segments in the left pane.
3. Click ADD SEGMENT button
4. In the Segment Name field, enter OC-Web-Auto-Seg
5. Set Connected Gateway to OC-T1
6. In the Transport Zone dropdown, select mgmt-domain-tz-overlay01
7. Add IPv4 gateway 10.1.4.1/24

8. Click SET DHCP CONFIG
9. Set DHCP Type to Local DHCP Server
10. Select Holodeck DHCP profile
11. Set DHCP Server Address 10.1.4.254/24
12. Set DHCP Ranges 10.1.4.100-10.1.4.253
13. Set DNS to 10.0.0.221

 

 

14. Leave all IPv6 settings Not Set
15. Click Apply
16. At bottom of the Segments screen, click Save
17. You will see your segment has been successfully created.  Click NO on the Want to continue configuring this segment?

[Step 3c] Review the network topology

1. From the NSX-T Manager interface click the Networking tab at the top of the screen
2. Click Network Topology in the left pane.
3. Locate the OC-T1 Tier-1 Gateway on the topology
4. Your topology should look like the following

5. Click on 1 Service on OC-DB-Auto-Seg. Notice the DHCP service

6. Note the time taken to complete this exercise.  In 10-15 minutes, you created 2 new networks, with router connectivity. How long would this take in your current environment?

Exercise 2: Create OC-DB-Auto-Seg Cloud Assembly Network Profile

In this exercise we will configure a new Network Profile in Cloud Assembly for the OC-DB-Auto-Seg segment that was created earlier.  Cloud Assembly Network Profiles configure how VRA consumes or creates NSX networks.  In this example we are configuring VRA to consume an existing NSX segment, along with existing security policies

[Step 1] Connect to vRealize Cloud Assembly (if necessary)

1. Click + in the Chrome browser to open a new window
2. Click the vRealize bookmark folder and select vra.vcf.sddc.lab
3. Click GO TO LOGIN PAGE
4. Login: Username:  configadmin Password:  VMware123!
5. Click Cloud Assembly

[Step 2] Create OC-DB-Auto-Seg Network Profile

1. Click Infrastructure -> Network Profiles

2. Click New Network Profile
3. On the Summary tab, Click on Account/Region and enter VLC. 
4. Select VLC-Holodeck-Mgmt / mgmt-datacenter-01
5. Set the name to OC-DB-Auto-Seg
6. Add the tag oc-fixed-network:oc-db by entering it into the Capability Tags field and pressing enter
7. Add the tag DeploymentType:Holodeck by entering it into the Capability Tags field and pressing enter

[Step 2.1] Add Networks on Networks Tab

1. Click on Networks tab, then Add Network
2. Click in the filter area and type OC-
3. Select the OC-DB-Auto-Seg

4. Click Add.  Your output should look like this

5. Click Manage IP Ranges -> New IP Range

6. Set Source Internal
7. Name OC-DB-Auto-IP
8. Network OC-DB-Auto-Seg should already be selected
9. Start address 10.1.3.2
10. End IP address 10.1.3.99

11. Click Add.
12. Your output should look like this

13. Click Close

[Step 2.2] Add Network Policy on Network Policies Tab

1. Click Network Policies
2. Leave Isolation Policy setting default as ‘None’. 
3. Set Tier-0 to VLC-Tier-0 and Edge Cluster to EC-01

[Step 2.3] Load Balancers Tab

1. Leave Load Balancers tab empty

[Step 2.4] Security Groups Tab

1. Click on Security Groups tab, then Add Security Group
2. Click on Filter, properties Any and type OC-DB

3. Select OC-DB-Group and then click Add

Note: This will add anything deployed on this network to the OC-DB-Group NSX security group, which will make VM’s deployed subject to NSX security rules set for that group

4. Click Create
5. Your result should look like

Exercise 3: Create OC-Web-Auto-Seg Cloud Assembly Network Profile

In this exercise we will configure a new Network Profile in Cloud Assembly for the OC-Web-Auto-Seg segment, load balancer and associated DHCP Server that was created earlier

[Step 1] Connect to vRealize Cloud Assembly (if necessary)

1. Click + in the Chrome browser to open a new window
2. Click the vRealize bookmark folder and select vra.vcf.sddc.lab
3. Click GO TO LOGIN PAGE
4. Login: Username:  configadmin Password:  VMware123!
5. Click Cloud Assembly

[Step 2] Create OC-Web-Auto-Seg Network Profile

1. Click Infrastructure -> Network Profiles
2. Click New Network Profile
3. On the Summary tab, Click on Account/Region and select VLC-Holodeck-Mgmt / mgmt-datacenter-01
4. Set the name to OC-Web-Auto-Seg
5. Add the tag oc-fixed-network:oc-web
6. Add the tag DeploymentType:Holodeck

[Step 2.1] Add Networks on Networks Tab

1. Click on Networks tab, then Add Network
2. Filter for OC-

3. Click Add.  Your output should look like this

4. Click Manage IP Ranges -> New IP Range

5. Set Source Internal
6. Name OC-Web-Auto-IP
7. Network OC-Web-Auto-Seg should already be selected
8. Start address 10.1.4.2
9. End IP address 10.1.4.99

10. Click Add. 
11. Your output should look like this

12. Click Close

[Step 2.2] Add Network Policy on Network Policies Tab

1. Click Network Policies
2. Set Tier-0 to VLC-Tier-0 and Edge Cluster to EC-01

[Step 2.3] Add Load Balancer on Load Balancers Tab

1. Click Load Balancers
2. Click Add Load Balancer
3. Scroll down and select OC-LB

4. Click Add

[Step 2.4] Add Security Group on Security Groups Tab

1. Click on Security Groups tab, then Add Security Group
2. Click on Filter, properties Any and type OC-

3. Select OC-Web-Group and then click Add

Note: This will add anything deployed on this network to the OC-Web-Group NSX security group, which will make VM’s deployed subject to NSX security rules set for that group

4. Click Create

Exercise 5: Upload and Review “Holodeck-OC-Fixed Network” Cloud Template

This exercise will upload the cloud template that will deploy an instance of the OpenCart demo application to the networks you created in the previous exercises.

[Step 1] Connect to vRealize Cloud Assembly (if necessary)

1. Click + in the Chrome browser to open a new window
2. Click the vRealize bookmark folder and select vra.vcf.sddc.lab
3. Click GO TO LOGIN PAGE
4. Login: Username:  configadmin Password:  VMware123!
5. Click Cloud Assembly

[Step 2] Upload Cloud Template

1. Click Design
2. Click New From -> Upload

3. Name the template Holodeck-OC-Fixed-Network
4. Select VLC-Holodeck for project

5. Click Select File
6. Select C:\VLC\VLC-Holo-Site-1\Holo-Build\Holo-VRA-Lab-File directory
7. Select Holodeck Opencart Fixed Network Lab v2.yaml file then click Open

8. Click upload

[Step 3] Review Cloud Template

Prior to deployment, we will take a quick look at what the template will deploy.  As this is now an active template, please be careful to not make any changes.

1. Click on the link for the Holodeck-OC-Fixed-Network template uploaded in the previous step

2. Note we have five resources. 

• 2 Network resources which connect deployed virtual machines to the correct networks
• A Cloud NSX Load Balancer which configures the virtual server for this instance of OpenCart on the existing OC-LB load balancer specified as part of the
• 1 or more Apache web servers (number of servers set when the user deploys the template)
• An instance of MySQL for this OpenCart application

3. Click on the OC-Web-Auto-Seg resource on the canvas

This highlights the relevant part of the yaml file for this cloud template

Note the OC-Web-Auto-Seg resource is looking for an existing network with a capability tags of oc-fixed-network:oc-web and DeploymentType:Holodeck. These are known as “constraints”. Cloud Assembly needs to find a Network Profile with Capabilities that meet these Constraints when deploying this template

4. Click on the OC-DB-Auto-Seg resource

The DB_NSX-Network has constraints of oc-fixed-network:oc-db and DeploymentType:Holodeck.

5. Click on the OC-Auto-LB load balancer resource.

The Load balancer resource will create virtual server resources on the OC-Web-Auto-Seg segment, with members of the server pool (instances) based on the number of OC-Apache-Auto web servers this template deploys. The load balancer is configured to listen on Port 80 Protocol and Port), and talk to the backend Apache server on Port 80 (InstanceProtocol and InstancePort)

6. Click on the OC-Apache-Auto resource

This resource creates an Apache server from a basic Ubuntu template using extensive “Cloud Init” functionality built into Cloud Assembly. Notice this resource uses both Flavor and Image mapping.

The remainder of the Apache resource definition will add needed Linux packages, configure users, and then configure the Apache Webserver for our OpenCart application

Feel free to review the entire OC-Apache-Auto Cloud.Machine resource definition.

7. Click on the OC-MySQL-Auto resource

This resource creates the MySQL database server from a basic Ubuntu template

• For additional info on Cloud Init see https://cloudinit.readthedocs.io/en/latest/
• For more information on vRealize Cloud Assembly see https://docs.vmware.com/en/vRealize-Automation/index.html

Exercise 6: Deploy Holodeck-OC-Fixed-Network Cloud Template

This exercise will deploy an instance of the OpenCart demo application to the networks you created in the previous exercises.

[Step 1] Connect to vRealize Cloud Assembly (if necessary)

1. Click + in the Chrome browser to open a new window
2. Click the vRealize Suite bookmark folder and select VMware Cloud Services
3. Click GO TO LOGIN PAGE
4. Login: Username:  configadmin Password:  VMware123!
5. Click Cloud Assembly

[Step 2] Test Cloud Template

1. If necessary, click Design
2. Click on the Holodeck-OC-Fixed-Network link

3. Click Test

4. Leave node size and front end cluster size at default
5. Click Test.

6. Your result should be

7. Click the X to close the test window

[Step 3] Deploy Cloud Template

1. Click Deploy

2. Leave as Create a new deployment
3. Name the deployment OC Fixed Network
4. Leave Cloud Template Version as Current Draft
5. Click Next

6. Leave Node Size and Front End Cluster Size at default
7. Click Deploy

9. Observe the deployment process beginning. In about 10-15 minutes you should see a Create Successful status

10. Notice that this deployment took approximately 7 minutes
11. Click History
12. Scroll back and review the sequence of resource creation

Exercise 7: Review Provisioning Diagram

This exercise will review the Cloud Assembly Provisioning Diagram following a deployment. This is one of the best troubleshooting tools available for diagnosing failing deployments. This exercise will only show the initial network allocation to familiarize you with navigating the provisioning diagram

[Step 1] Access Provisioning diagram

1. If your deployment history is still on screen, simply click on the Provisioning diagram link

2. Alternately access the diagram from Resources->Deployments, and selecting your deployment

3. Then click History and Provisioning Diagram

[Step 2] Review Network Allocation for OC-Web-Auto-Seg

1. The initial screen presented will default to the first network provisioned, which in this lab is OC-Web-Auto-Seg
2. The top most box describes the item to be created. In this case we are allocating network space from an existing segment
3. The second box shows the project that this template is a part of.  Access to resources can be controlled with projects
4. The bottom row shows the process Cloud Assembly walks through to choose where to allocate this network. In effect, Cloud Assembly chooses the first Network Profile it finds that meets the constraints of the object being provisioned. 
5. Network Profile OC-Web-Auto-Seg meets the constraints of this resource
6. The remaining two Network Profiles do not meet the constraints and are ineligible

[Step 3] Review Network Allocation for OC-DB-Auto-Seg

1. Click on the blue Network Allocation box and select the OC-DB-Auto-Seg

2. Notice how the Network Profile that meets the constraints for OC-DB-Auto-Seg changes

Exercise 8: Review deployed Opencart application

This exercise will review the components deployed by the Cloud Template.

[Step 1] Test web servers

1. Select Resources-> Deployments
2. Click the > next to Opencart Fixed Network
3. Note the following

• Two deployed OC-Apache-Auto-XXX web servers on the 10.1.4.x network, with IP addresses in the range controlled by NSX for DHCP on the OC-Web-Auto-Seg. (Note: The numeric suffix after the resources name is set by Cloud Assembly to keep resource names unique. This naming mechanism was chosen during initial Cloud Assembly setup in this environment).
• An OC-MySQL-Auto-XXX resource in the 10.1.3.x network
• An NSX Load Balancer on the 10.1.4.x network, with IP address in the range controlled by Cloud Assembly on the OC-Web-Auto-Seg

4. Double click on the OC-Auto-LB-XXX IP and go to that IP address (or open a new browser window to that IP address

5. You should open a page that looks like this

[Step 2] Review in vCenter Server

1. Click + in the Chrome browser to open a new window if necessary
2. Click the Mgmt Domain Folder then vCenter bookmark in the bookmark bar
3. Login: Username:  administrator@vsphere.local Password:  VMware123!
4. From Hosts and Clusters view, Select one of the OC-Apache-Auto webservers identified in the Cloud Assembly Deployment Summary.  In this example the machines are OC-Apache-Auto-056 and  OC-Apache-Auto-057
5. Note the following:

 

• CPU and Memory sizes match “Flavor = Small” from Cloud Assembly Flavor Mapping
• The VM is connected to OC-Web-Auto-Seg based on the OC-Web-Auto-Seg Network Profile selected for this VM. This was selected by the constraint oc-fixed-network:oc-web being matched in the network profile

 

[Step 3] Review in NSX Manager

1. Open a new tab in the Chrome browser (If needed)
2. Click the Mgmt Domain folder and Mgmt NSX shortcut in the bookmark bar (click advanced / proceed to nsx-mgmt.vcf.sddc.lab, if required to accept the certificate)
3. Log into NSX Manager as user: admin with the password: VMware123!VMware123!
4. From the NSX-T Manager interface click the Networking tab
5. Select Load Balancing

6. Click on the Virtual Servers link for OC-LB. Notice where Cloud Assembly has created a second Virtual Server for this instance of OpenCart

7. Click on the Server Pool link for this Virtual Server. Notice the two Apache servers deployed by Cloud Assembly

8. Click Close -> Close
9. Click Networking -> Network Topology
10. Scroll the view to the right to expand OC-T1
11. Expand virtual machines under the OC-DB-Auto-Seg and OC-Web-Auto-Seg.  Notice the Virtual Machines placed on these segments by Cloud Assembly

Exercise 8: Delete deployed Opencart application

This exercise will delete the components deployed by Cloud Assembly.

[Step 1] Connect to vRealize Cloud Assembly (if necessary)

1. Click + in the Chrome browser to open a new window
2. Click the vRealize bookmark folder and select vra.vcf.sddc.lab
3. Click GO TO LOGIN PAGE
4. Login: Username:  configadmin Password:  VMware123!
5. Click Cloud Assembly

Module summary

In the previous Software Defined Networking module we introduced the capabilities of Overlay Networking and Distributed Firewall, while still operating everything manually.  In this module, we have moved to automated deployment of applications from a template that consume existing NSX network and security assets. In this configuration, then networking and security team retain full control of the infrastructure, and the application team can automatically consume those resources.  In the next module we will explore dynamically configuring networking and security as a part of the application deployment.