vSphere+: Technical Frequently Asked Questions.

Introduction

VMware vSphere+ is the multi-cloud workload platform that brings the benefits of cloud to on-premises workloads. vSphere+ combines industry-leading virtualization technology, an enterprise-ready Kubernetes environment, and high-value cloud services to transform existing on-premises deployments into SaaS-enabled infrastructure that centralizes management, supercharges productivity, and accelerates innovation. 

We recognize that on the path to multi-cloud you will face challenges and interesting use cases that raise questions you do not yet have answers to. That is why we have put together a collection of the most common technical queries we have received and, most importantly, their answers.

In case you haven't got your hands on vSphere+ yet, we have created this one-minute overview video to help you familiarize yourself with the general service console. If you have more time, the whole series will take about 10 minutes to complete. Having a quick look at the console will create a baseline to understand the topic and the answers provided in this post.

 

 

Architecture.

As an image is worth a thousand words, let's start with a simplified architecture diagram.

Figure 1. vSphere+ simplified implementation diagram.

As you can see, workloads are still hosted in the local datacenter. vCenter Server and all the ESXi hosts remain where they are today. The only infrastructure change is the addition of one (or more) VMware Cloud Gateway™ appliance(s). This also means there is no workload migration to the cloud.

Therefore, all the current infrastructure and security recommendations that apply to your current implementation of vSphere ESXi/vCenter apply to vSphere+, as well as the features available with the version that is deployed. 

We can see vSphere+ as an extra layer that adds more capabilities and provides a single pane of glass for all your hybrid cloud SDDCs, through VMware Cloud Services.

 

How many vCenters can I pair to a VMware Cloud Gateway?

A single vCenter Cloud Gateway supports 8 vCenters at this time. The vCenters can be distributed across your network, as long as they can be reached by the gateway and the latency is below 300ms. If the environment has more than 8 vCenters, you can deploy more VMware Cloud Gateways. You can also use other architectures, such as one VMware Cloud Gateway per site.

Is there a maximum number of VMware Cloud Gateways that can be deployed to a single subscription?

No, there is no limit on the number of appliances deployed.

Is there a need to change vCenter networking configuration? 

No. There is no need to change any networking configuration for your vCenter or vSphere hosts. vCenter is not directly connected to VMware Cloud. There is no need to build VPNs.

A troubleshooting network will be required for the vCenter Server Reduced Downtime Upgrade functionality. You may want to consider creating a new port group for this use case. Using any existing port group is completely acceptable as well, as long as it is not the current vCenter management network.

Do I need to establish a VPN to the VMware Cloud Services?

No, the VMware Cloud Gateway appliance will establish a tunnel between itself and the VMware Cloud Services.

What is the maximum latency supported between the VMware Cloud Gateway and the VMware Cloud Services?

No more than 300ms.

What is the maximum latency supported between the VMware Cloud Gateways and the vCenter Server(s)?

No more than 300ms.

Will my vCenter implemented on a vCenter High Availability architecture be supported?

Yes, it is supported. Make sure that your implementation complies with all the requirements listed in the current documentation.

I have two vCenter Servers configured in enhanced linked mode. Can I convert one vCenter Server to vSphere+ and leave the other vCenter Server on perpetual licensing?

No. In this scenario, you will need to convert both vCenter Servers to vSphere+.

If the only port required from Cloud Gateway appliance to VMware Cloud services is 443 outbound, how can we get actions executed from the cloud, such as creating virtual machines?

The Cloud Gateway appliance is the only entity that will establish the connection. The commands destined to on-premises will be queued in the cloud. The gateway will be constantly querying for new messages.

Will my virtual machine backup tool be compatible with vSphere+?

Your vCenter Server implementation will remain as is, with the exception of licensing model. Any tool that was working before moving to vSphere+ will keep working after the conversion. In the case of a greenfield implementation, check compatibility with the version of vSphere being installed.

Will my automation/orchestration tool be compatible with vSphere+?

Your vCenter Server implementation will remain as is, with the exception of licensing model. Any tool that was working before moving to vSphere+ will keep working after the conversion. In the case of a greenfield implementation, check compatibility with the version of vSphere being installed.

Will other VMware products be compatible?

If it works with vSphere on-premises, it will work with vSphere+. The big exception is linking vCenters subscribed to vSphere+ with vCenters/VCFs that are not subscribed, in configurations such as ELM or VCF domains.

This means compatibility with other products depends mostly on the version of vCenter/ESXi you have installed. As you already know, always check the VMware interoperability matrix before applying any change to your environment.

Can I use Site Recovery Manager (SRM) to protect one vCenter subscribed to vSphere+ if the recovery site is using a different type of licensing?

Yes, assuming all product configuration requirements are met.

 

Service Availability.

General information about the service and its continuity. This section covers both the availability of the vSphere+ console and the availability of the VMware Cloud Gateway.

IMPORTANT: The vCenter Server and ESXi services in your datacenters will continue to work as usual even if the vSphere+ console or the VMware Cloud Gateways are degraded or unavailable. Your workloads will continue to run with no impact, and so will functionality such as HA or DRS.

 

Which infrastructure is being used for providing vSphere+ console services?

VMware on VMware. This service is running on VMC on AWS infrastructure.

From which location is the service being provided?

At this time, the service is provided from within the United States of America, West region. 

Is vSphere+ being provided from other locations, such as within Europe?

Not at the time of publication. Expansion to other Geos including Europe is on the roadmap and we expect it to be available in the near future.

There are no general technical limitations preventing clients in locations outside the United States from converting to vSphere+ and using its full potential. We know, however, that there could be concerns in terms of latency or other local limitations, and this is why we are working on the expansion.

Is the infrastructure dedicated to VMware Cloud Services?

Yes.

How to enable VMware Cloud Gateway High Availability?

Currently, there is a one-to-many VMware Cloud Gateway-vCenter relationship. This means only one VMware Cloud Gateway can be connected to a single vCenter Server at a time. Therefore, no high availability capabilities have been included. We recommend using vSphere High Availability to protect the VMware Cloud Gateway appliance.

How to back up and restore the Cloud Gateway appliance?

The VMware Cloud Gateway Appliance is a stateless appliance, which means that it doesn’t contain any data that needs to be backed up or restored. If something goes wrong with the appliance, administrators are encouraged to engage support. Our support team will run procedures to fix the appliance. As a last resort, a replacement appliance may need to be deployed.

Take note of all your configuration details, such as IP address, DNS, and appliance name, and store them in a safe place, as this information may be needed in the case of a redeployment.

What happens if VMware Cloud Gateway loses cloud connectivity? Will vSphere environments go offline?

No. vSphere, vCenter and Virtual Machines continue to run. There is no impact to vSphere environments in the case of Gateway disconnection. In VMware Cloud Services console, the Cloud Gateway will appear as disconnected. vCenter data will not be updated on the cloud console. Deleted and disconnected Cloud Gateway instances are removed from the cloud after 30 days.

After approximately 7 days, administrators will start seeing some errors while connecting to vCenter Server to perform administrative tasks. In order to log in, they must follow the procedure to generate an emergency token described in KB Article 83798. Connectivity should be restored as soon as possible.

Will there be downtime to vSphere environments when connecting to vSphere+?

No. The only action happening is the connection being established between the vCenter Cloud Gateway and the cloud, and then another connection between the vCenter Cloud Gateway and each respective vCenter Server.

 

Reduced Downtime Upgrade & Desired State Configuration.

Desired State Configuration is about keeping all your vCenters compliant with a base profile, whereas Reduced Downtime Upgrade (shown in the Maintenance tab of the vSphere+ console) provides a new way to keep your vCenter up to date, with minimal downtime and minimal effort from the administrator.

We considered that these two cool features needed a section of their own.

Can Desired State Configuration upgrade ESXi from the cloud console?

No, only vCenter Server lifecycle can be managed from the cloud console at this moment.

Can we manage ESXi certificates from the cloud console?

Not at the moment.

Can administrators roll back a vCenter upgrade through the cloud console?

If the orchestration detects that the vCenter Server upgrade failed, it will roll back automatically to the latest version. However, if for any reason you need access to the pre-upgrade appliance, you can manually turn off the new vCenter and turn back on the old (pre-upgrade) vCenter, which will remain in the inventory.

Will my vCenter be automatically upgraded after every new release?

The upgrade process is very simple and requires almost no effort from the administrators, but it won't be initiated without the owner's command. We recommend taking advantage of this reduced downtime upgrade to keep your deployments on the latest release.

 

Security.

Probably the largest topic. It is so important that we already have another entry talking only about vSphere+ security. However, we considered that a technical FAQ without a security section would be incomplete.

Which data is being transmitted?

The data sent to VMware Cloud is the inventory of vCenter clusters, hosts, and virtual machines; performance characteristics of vCenter, vSphere hosts, virtual machines, and datastores; events; etc.

Can we customize the data that is transmitted to the cloud, in order to exclude any particular field?

No, such an option is not available.

Is the data encrypted at rest?

Yes, data is encrypted both at rest and in transit. Data stored is encrypted using server-side encryption.

Is the data encrypted in transit?

Yes, data is transmitted over standard TLS-encrypted connections.

Does vCenter Server need to have access to the internet?

No. Only to the VMware Cloud Gateway appliance.

Can I place the Cloud Gateway in a DMZ?

Yes. You can place the Cloud Gateway appliance in any network as long as it meets the requirements listed in the documentation.

Which OS does the Cloud Gateway appliance run?

Photon OS.

Can I create local OS accounts on the appliance?

We strongly recommend against making any modification of the appliance unless it is documented or prescribed by VMware.

Can I install a third party agent on the appliance?

You should avoid any modification of the appliance unless it is documented or prescribed by VMware.

Does the VMware Cloud Gateway need to have a public IP?

Not at all. It only needs to be able to reach the sites listed in the Cloud Gateway requirement documentation.
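
The connectivity model described in this FAQ (the gateway initiates outbound TCP/443 only, vCenter Server needs no internet access, and nothing outside connects in to the gateway) can be checked against flow records. The following is an added example, not VMware code: the addresses, the `src dst dport proto` record format and the function names are assumptions, and the source of each record is assumed to be the connection initiator.

```python
import ipaddress

# Assumptions for illustration: site addressing and appliance IPs.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
GATEWAYS = {"10.0.10.5"}    # VMware Cloud Gateway appliance(s)
VCENTERS = {"10.0.20.10"}   # vCenter Server(s)

# Constructed flow records, one per line: "src dst dport proto".
SAMPLE_FLOWS = """\
10.0.10.5 203.0.113.20 443 tcp
10.0.10.5 10.0.20.10 443 tcp
10.0.10.5 203.0.113.20 22 tcp
10.0.20.10 198.51.100.7 443 tcp
198.51.100.99 10.0.10.5 443 tcp
10.0.20.10 10.0.30.15 902 tcp
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit_flows(text):
    """Return (line_number, reason) for every flow that breaks the model."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        src, dst, dport, proto = line.split()
        src_in, dst_in = is_internal(src), is_internal(dst)
        if not src_in and dst in GATEWAYS | VCENTERS:
            # Nothing outside should initiate connections to either system.
            findings.append((n, f"inbound from external {src} to {dst}"))
        elif src in VCENTERS and not dst_in:
            # vCenter only needs to talk to the gateway, not the internet.
            findings.append((n, f"vCenter {src} connected out to {dst}"))
        elif src in GATEWAYS and not dst_in and (proto, int(dport)) != ("tcp", 443):
            # Gateway egress is expected on TCP/443 only.
            findings.append((n, f"gateway egress on {proto}/{dport} to {dst}"))
    return findings

if __name__ == "__main__":
    for n, reason in audit_flows(SAMPLE_FLOWS):
        print(f"line {n}: {reason}")
```

If the Cloud Gateway requirement documentation lists additional external ports for your deployment, extend the allowed set in the last branch accordingly.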

What is the minimum privilege required to connect the Cloud Gateway appliance to vCenter?

The administrator account is required. However, credentials are used only at the time of configuration to establish the first connection.

How is vSphere+ Account management done?

As vSphere+ is accessed through VMware Cloud Services, all topics concerning authentication, federation, MFA, and RBAC are managed through the VMware Cloud Services portal. Refer to its documentation to learn more.

Administrative actions such as cluster, datastore, network, workload management are still done from the vCenter Server console in your local datacenter; therefore the same authentication and authorization principles and features will apply. 

 

Miscellaneous.

Things that just didn't fall into the other categories.

We will be installing a greenfield environment and will use vSphere+ licensing. Where can I find license keys for the installation?

vSphere comes with an evaluation period. You can install and configure vSphere as usual and connect to vSphere+ immediately after deployment.

 

Conclusion

We hope that after reading these sections, you feel more confident in your knowledge of vSphere+. We recognize that it is impossible to cover all potential scenarios. We would love to have feedback from you. We encourage you to contact your VMware account team with any further questions. We will update this document as we receive more queries from our community.

 

Disclaimer:

VMware is constantly improving their products. As a result, the naming, functionality, specifications or requirements might vary over time. The specific architecture required for a particular use case must be carefully planned.

This set of documents is intended to provide guidance for organizations that are considering VMware solutions to help them address compliance requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide regulatory advice and is provided “AS IS.” VMware makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Organizations should engage appropriate legal, business, technical, and audit expertise within their specific organization for review of security and regulatory compliance requirements.
