Wednesday, 14 December 2016

VCSA New Features



vCenter Server Appliance (VCSA):
  • VMware Update Manager (VUM) for the vCenter Server Appliance (VCSA). VUM is integrated by default in the VCSA and uses the internal embedded database.
  • Native High Availability for the vCenter Server Appliance (VCSA only). Create a highly available VCSA environment and eliminate the single point of failure. The HA configuration is active/passive with a witness in between.
  • Improved Appliance Management.
    • Monitoring: Built in monitoring for CPU, memory and network interface
    • vPostgres database visibility
    • Remote Syslog configuration
    • vMon: Enhanced watchdog functionality. Watch the vCenter Server services
    • Client Integration Plugin (CIP) for the vSphere Web Client is no longer required
    • vSphere Management Interfaces such as the vSphere Client (HTML 5 Web Client)
  • Native Backup & Restore of the VCSA. Removes the dependency on 3rd party backup solutions. Easily restore the backup to a new VCSA. The following protocols are supported:
    • HTTP(S)
    • SCP
    • FTP(S)
  • VCSA Installer improvements:
    • Run the VCSA deployment installer on Windows, Mac and Linux
    • The installer supports install, upgrade, migrate and restore
  • VCSA Migration: Migrate from vCenter 5.5 or 6.0 to 6.5 with the option to migrate the:
    • Configuration only
    • Configuration, events and tasks
    • Configuration, events, tasks and performance metrics
Host Profiles:
  • Manageability
    • Editor enhancements: filter and favorites
    • Bulk edit host customization using CSV files
    • Copy settings between profiles
    • Streamlined remediation wizard
  • Operational
    • Pre-check proposed changes
    • Detailed compliance results
    • DRS integration – rolling remediation
    • Parallel remediation
Auto Deploy:
  • Operational
    • GUI for Image Builder, Deploy rules
    • Interactive deployment of new hosts
    • Post-boot scripts for advanced configs
    • UEFI and IPv6 support
  • Performance and Resiliency
    • Scalability improvements, 300+ hosts
    • VCSA HA & backup support
    • Round robin reverse proxy caching
    • Backup and restore state with PowerCLI
vSphere Security:
  • Enhanced Logging. Expose vCenter events to a Syslog server (such as vRealize Log Insight) without turning on verbose logging in vCenter Server and blowing up the database.
  • VM Encryption. Encrypt the VM virtual disk(s) and VM files by using an encryption policy. The VM guest is not modified. The encryption is done at the hypervisor level.
  • Encrypted vMotion. Virtual Machine vMotion data is encrypted during a vMotion on a per-VM basis.
  • Secure Boot for ESXi and Virtual Machines. Requires hardware that supports UEFI and Secure Boot firmware.
vSphere HA:
  • Admission Control. Simplified configuration workflow. It automatically calculates the % of resources to reserve.
  • Restart Priorities: Additional restart priorities added such as highest and lowest for more flexibility and greater control.
  • HA Orchestrated Restart. Enforce VM to VM dependency chains. This is great for multi-tier applications that require VMs to restart in a particular order.
  • Proactive HA. vCenter plugin that connects to the hardware vendor monitoring solution (Dell OpenManage, HP Insight Manager or Cisco UCS). When, for example, a memory failure is detected by the hardware vendor monitoring tools, the VMs on that host are migrated with vMotion to other hosts.
vSphere Fault Tolerance (FT):
  • Improved DRS integration. DRS will better place the secondary VM
  • Performance Improvements:
    • Host level network latency reduction. Allows more applications to run with FT.
    • Multi-NIC Aggregation. It is possible to aggregate more NICs (as with vMotion) for better FT performance.
vSphere DRS:
  • Network-Aware DRS. Adds network bandwidth calculations to DRS. This avoids placing VMs on an over-subscribed host network link.
  • Advanced DRS Policies exposed in the UI.
Storage IO Control (SIOC):
  • Set IO limits in Storage Policy Based Management (SPBM) and apply the policy to the VMs.
Content Library:
  • Mount an ISO file from the Content Library
  • OS Customization during VM deployments from the library.
  • Update an existing template with a new version
  • Optimized HTTP sync between vCenter Servers
Virtual SAN 6.5
  • 2-node Direct Connect and Witness traffic separation. Ability to connect two nodes directly using Ethernet cables. Stretched VSAN with Direct Connect is not supported at the moment. Benefits:
    • Reducing costs (no need for 10 GbE switches).
    • Simplicity.
    • Separate VSAN data traffic from witness traffic.
  • Licensing:
    • The VSAN standard license includes the All-Flash option
    • New VSAN advanced for ROBO licensing
  • Virtual SAN iSCSI access. iSCSI access is built for supporting MSCS with shared storage and physical workloads that need storage. This release does not support presenting VSAN storage as an iSCSI target to other ESXi clusters.
vSphere Operations Management:
  • vSOM combines vSphere Enterprise Plus with vRealize Operations Manager Standard edition in a single offering.
  • New Home dashboard
  • New DRS Dashboard
  • Updated Workload Utilization Dashboard
  • Other improvements
vRealize Log Insight version 4
  • New Clarity User Interface. This new interface looks much better and cleaner.
  • Alert enhancements
  • Other enhancements
PowerCLI
  • No more snapins are used, it’s now fully module based.
  • Module improvements. Here are some examples:
    • Added cross vCenter storage vMotion support
    • The VSAN module is extended with 13 additional cmdlets
    • Completely new Horizon View module. It is now possible to run it from anywhere; in earlier releases it was only possible to run it from a Connection Server. In this release only 2 cmdlets are available (Connect and Disconnect). Once connected you can use the API.
  • Microsoft open sourced PowerShell. It is possible to run PowerShell from Windows, a Mac and Linux. VMware will release a PowerCLI Core version as a fling.
  • The vSphere Management Assistant is being deprecated. Use the vCLI. It has support for different OSes. Use vCLI for:
    • ESXCLI commands
    • vicfg- commands
    • Other Perl Commands
    • Datacenter CLI

vSphere 6.5 what’s new – VMFS 6 / Core Storage

What is new with VMFS 6:
  • Support for 4K Native Drives in 512e mode
  • SE Sparse Default
  • Automatic Space Reclamation
  • Support for 512 devices and 2000 paths (versus 256 and 1024 in the previous versions)
  • CBRC aka View Storage Accelerator
Let’s look at them one by one. I think support for 4K native drives in 512e mode speaks for itself. Sizes of spindles keep growing and these new “advanced format” drives come with a 4K byte sector instead of the usual 512 byte sector, which is primarily for better handling of media errors. As of vSphere 6.5 this is now fully supported, but note that for now it is only supported when running in 512e mode! The same applies to Virtual SAN in the 6.5 release: only supported in 512e mode. This basically means that 512 byte sectors are being emulated on a 4K drive. Hopefully we will have more on full support for 4Kn for vSphere/VSAN soon.
From an SE Sparse perspective, right now SE Sparse is used primarily for View and for LUNs larger than 2TB. On VMFS 6 the default will be SE Sparse. Not much more to it than that. If you want to know more about SE Sparse, read this great post by Cormac.
Automatic Space Reclamation is something that I know many of my customers have been waiting for. Note that this is based on VAAI Unmap, which has been around for a while and allows you to unmap previously used blocks. In other words, storage capacity is reclaimed and released to the array so that when needed other volumes can use these blocks. In the past you needed to run a command to reclaim the blocks; now this has been integrated in the UI and can simply be turned on or off. You can find this in the UI when you go to your datastore object and then click Configure: you can set it to “none”, which means you disable it, or you set it to low in the UI as shown in the screenshot below.

If you prefer “esxcli” then you can do the following to get the info of a particular datastore (sharedVmfs-0 in my case) :
esxcli storage vmfs reclaim config get -l sharedVmfs-0
   Reclaim Granularity: 1048576 Bytes
   Reclaim Priority: low
Or set the datastore to a particular level, note that using esxcli you can also set the priority to medium and high if desired:
esxcli storage vmfs reclaim config set -l sharedVmfs-0 -p high
Next up, support for 512 Devices and 2000 Paths. In previous versions the limit was 256 devices and 1024 paths and some customers were hitting this limit in their cluster. Especially when RDMs are used or people have a limited number of VMs per datastore, or maybe 8 paths to each device are used it becomes easy to hit those limits. Hopefully with 6.5 that will not happen anytime soon. On the other hand, personally I would hope more and more people are considering moving towards either VSAN or Virtual Volumes.
This is one I accidentally ran into and it is not really directly related to VMFS, but I figured I would add it here anyway, otherwise I would forget about it. In the past CBRC aka View Storage Accelerator was limited to 2GB of memory cache per host. I noticed in the advanced settings that it is now set to 32GB, which is a big difference compared to the 2GB in previous releases. I haven’t done any testing, but I assume our EUC team has and hopefully we will see some good performance data on this big increase soon.

Thursday, 8 December 2016



What’s new in vSphere 6.5: Security

vSphere 6.5 is a turning point in VMware infrastructure security. What was mostly an afterthought by many IT folks only a few short years ago is now one of the top drivers of innovation for vSphere. Security has become a front and center focus of this release and I think you’ll like what we’ve come up with.
Our focus on security is manageability. If security is not easy to implement and manage, then the benefit it may bring is offset. Security in a virtual infrastructure must be able to be done “at scale”. Managing hundreds or thousands of security “snowflakes” is something no IT manager wants to do. She/he doesn’t have the resources to do that. The key to security at scale is automation, and in these new features you’ll see plenty of that.

VM Encryption

Encryption of virtual machines is something that’s been on-going for years. But, in case you hadn’t noticed, it just hasn’t “taken off” because every solution has a negative operational impact. With vSphere 6.5 we are addressing that head on.
Encryption will be done in the hypervisor, “beneath” the virtual machine. As I/O comes out of the virtual disk controller in the VM it is immediately encrypted by a module in the kernel before being sent to the kernel storage layer. Both VM Home files (VMX, snapshot, etc.) and VMDK files are encrypted.
The advantages here are numerous.
    1. Because encryption happens at the hypervisor level and not in the VM, the Guest OS and datastore type are not a factor. Encryption of the VM is agnostic.
    2. Encryption is managed via policy. The policy can be applied to many VMs, regardless of their Guest OS.
    3. Encryption is not managed “within” the VM. This is a key differentiation from every other solution in the market today! There are no encryption “snowflakes”. You don’t have to monitor whether encryption is running in the VM, and the keys are not contained in the VM’s memory.
    4. Key Management is based on the industry standard, KMIP 1.1. In vSphere, vCenter is a KMIP client and works with a large number of KMIP 1.1 key managers. This brings choice and flexibility to customers. VM keys do not persist in vCenter.
    5. VM Encryption makes use of the latest hardware advances inherent in today’s CPUs. It leverages AES-NI for encryption.
VM Encryption

vMotion Encryption

This has been an ask for a long time and with 6.5 we deliver. What’s unique about vMotion encryption is that we are not encrypting the network. There are no certificates to manage or network settings to make.
The encryption happens on a per-VM level. Enabling vMotion encryption on a VM sets things in motion. When the VM is migrated, a random, one-time-use 256-bit key is generated by vCenter (it does not use the key manager for this key).
In addition, a 64-bit “Nonce” (an arbitrary number used only once in a crypto operation) is also generated. The encryption key and Nonce are packaged into the migration specification sent to both hosts. At that point all the VM vMotion data is encrypted with both the key and the Nonce, ensuring that the communication can’t be used to replay the data.
vMotion encryption can be set on unencrypted VMs and is always enforced on encrypted VMs.

Encrypted vMotion

Secure Boot support

For vSphere 6.5 we are introducing Secure Boot support for virtual machines and for the ESXi hypervisor.

ESXi Secure Boot
ESXi SECURE BOOT – With Secure Boot enabled, the UEFI firmware validates the digital signature of the ESXi kernel against a digital certificate in the UEFI firmware. That ensures that only a properly signed kernel boots. For ESXi, we are taking Secure Boot further by adding cryptographic assurance of all components of ESXi. Today, ESXi is already made up of digitally signed packages, called VIBs (vSphere Installation Bundles). The ESXi file system maps to the content of those packages (the packages are never broken open). By leveraging that digital certificate in the host UEFI firmware, at boot time the already validated ESXi kernel will, in turn, validate each VIB against the firmware-based certificate. This assures a cryptographically “clean” boot. Note: If Secure Boot is enabled then you will not be able to forcibly install unsigned code on ESXi. This ensures that when Secure Boot is enabled, ESXi will only be running VMware digitally signed code.

Dramatically Simplified Experience

VIRTUAL MACHINE SECURE BOOT
For VMs, Secure Boot is simple to enable. Your VM must be configured to use EFI firmware and then you enable Secure Boot with a checkbox. Note that if you turn on Secure Boot for a virtual machine, you can load only signed drivers into that virtual machine.
Secure Boot for Virtual Machines works with Windows or Linux.

Secure Boot for Virtual Machines

Enhanced Logging

vSphere logs have traditionally been focused on troubleshooting and not on “security” or even “IT operations”. This changes in vSphere 6.5 with the introduction of enhanced logging. Gone are the days when you’ll make a significant change to a virtual machine and only get a log that says “VM has been reconfigured”.
We’ve enhanced the logs and made them “actionable” by now sending the complete vCenter event, such as “VM Reconfigure”, out via the syslog data stream. The events now contain what I like to call “actionable data”. What I mean by that is, rather than just getting a notice that “something” has changed, you now get what changed, what it changed from and what it changed to. This is data that I can “take action” against.
In 6.5, you will get a descriptive log of the action. For example, if I add 4GB of memory to a VM that has 6GB today, I’ll see a log that tells me what the setting was and what the new setting is. In a security context, if you move a VM from the vSwitch labeled “PCI” to the vSwitch labeled “Non-PCI” you will get a clear log describing that change. See the image below for an example.

Actionable Logging

Enhanced/Actionable Logging

Solutions like VMware Log Insight will now have a lot more data to display and present, but more importantly, more detailed messages mean you can create more prescriptive alerts and remediations. More informed solutions help make more informed critical datacenter decisions.
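To show what “actionable” events enable on the detection side, here is an added Python example (not from the post and not VMware code) that parses syslog lines carrying the old and new value of a VM reconfigure and raises an alert when a vNIC is moved off a protected port group, the PCI to Non-PCI case described above. The line format, the hostnames, VM names and user names are constructed for this example; the real vCenter event wording is not given on the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample syslog payloads (hostnames, VM names and users invented for
# this example). They follow the shape the text describes: the event type, the
# VM, the user, what changed, the old value and the new value. The real vCenter
# event wording is not on the page, so this line format is an assumption.
SAMPLE_EVENTS = [
    'vcenter01 Event [VmReconfiguredEvent] vm="web01" user="alice@vsphere.local" memoryMB: 6144 -> 10240',
    'vcenter01 Event [VmReconfiguredEvent] vm="db01" user="bob@vsphere.local" network[0]: "PCI" -> "Non-PCI"',
    'vcenter01 Event [VmReconfiguredEvent] vm="app02" user="alice@vsphere.local" network[0]: "Non-PCI" -> "PCI"',
    'vcenter01 Event [VmPoweredOnEvent] vm="web01" user="bob@vsphere.local"',
    'vcenter01 Event [VmReconfiguredEvent] vm="db02" user="bob@vsphere.local" network[1]: "PCI" -> "Lab"',
]

# event type, VM, user, then an optional "field: old -> new" triple
_EVENT_RE = re.compile(
    r'Event \[(?P<event>\w+)\] vm="(?P<vm>[^"]+)" user="(?P<user>[^"]+)"'
    r'(?: (?P<field>[\w\[\]]+): (?P<old>"[^"]*"|\S+) -> (?P<new>"[^"]*"|\S+))?'
)


@dataclass
class VmEvent:
    event: str
    vm: str
    user: str
    field: Optional[str] = None
    old: Optional[str] = None
    new: Optional[str] = None


def _unquote(value: Optional[str]) -> Optional[str]:
    return value.strip('"') if value is not None else None


def parse_event(line: str) -> Optional[VmEvent]:
    """Turn one syslog line into a VmEvent; None for lines that do not match."""
    m = _EVENT_RE.search(line)
    if m is None:
        return None
    return VmEvent(m["event"], m["vm"], m["user"], m["field"],
                   _unquote(m["old"]), _unquote(m["new"]))


def find_network_moves_out_of(lines: List[str], protected: Set[str]) -> List[VmEvent]:
    """Reconfigure events that moved a vNIC off a protected port group.

    This is the text's PCI -> Non-PCI example turned into a rule: alert when the
    old value is a protected port group and the new value is not. The old/new
    pair in the event is what makes the rule possible; a bare "VM has been
    reconfigured" message could not be matched this way.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.event != "VmReconfiguredEvent" or ev.field is None:
            continue
        if ev.field.startswith("network") and ev.old in protected and ev.new not in protected:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_network_moves_out_of(SAMPLE_EVENTS, {"PCI"}):
        print(f"ALERT {ev.vm}: {ev.field} moved {ev.old} -> {ev.new} by {ev.user}")
```

The rule keys on the old value, so a move from PCI to any other port group fires, while a move into PCI or a memory change does not; widening `protected` to several port groups turns it into an allow-list check.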

Automation

All of these features will have some level of automation available out of the gate. In future blog articles you’ll see PowerCLI examples for encrypting and decrypting VMs, enabling Secure Boot for VMs, setting Encrypted vMotion policies on a VM, and a script I used to build an Enhanced Logging demo that you can tweak to show the benefits of Enhanced Logging in your own environment. All of the script examples will be released on GitHub.

Wrap Up

That’s it for vSphere 6.5 security! I hope you are as excited as I am about it! More details on each will be forthcoming in blogs and whitepapers. One thing to add is the vSphere 6.5 Security Hardening Guide. This will, as always, come out within 1 quarter after the GA of 6.5. I don’t anticipate major changes to the guide. Features like VM Encryption are not something you should expect in the hardening guide.

Universal App Platform

vSphere is a universal app platform that supports both traditional and next-generation apps. While these two worlds are vastly different, both require infrastructure with the scale, performance, and availability to meet key business objectives.
vSphere has always been pushing the limits on what apps it can support. Initially it was all about test/dev, but then it quickly expanded coverage to business critical apps as well. Later, it included Desktop Virtualization and 3D graphics. Now we are seeing more modern apps being virtualized, including Hadoop, Spark, Machine Learning, HPC and cloud native apps.
To run any app, vSphere 6.5 expands its workload coverage model by focusing on both scale-up and scale-out next-gen apps that are increasingly built using evolving technology building blocks, such as containers. In this release, VMware delivers vSphere Integrated Containers, the easiest way for vSphere users to bring containers into an existing vSphere environment. vSphere Integrated Containers delivers an enterprise container infrastructure that provides the best of both worlds for the developers and vSphere operations teams. Containers are now just as easy to enable and manage as virtual machines. No process or tool changes are required.
VMware vSphere Integrated Containers helps customers to transform their businesses with containers without re-architecting their existing infrastructure. It is comprised of three components – the Engine which provides the core container run-time, Harbor which is an enterprise registry for container images, and Admiral which is a portal for container management by dev teams. vSphere Integrated Containers enables IT operations teams to provide a Docker compatible interface to their app teams, running on their existing vSphere infrastructure and features tight integration with VMware NSX and VMware Virtual SAN to support best-in-class network automation and scale out, high performance persistent storage, respectively.

http://vmware360.com/files/jpg/VIC.jpg
vSphere Integrated Containers: Delivering the best of both worlds for IT and Developers
vSphere 6.5 also lets you run apps from any cloud, including your data center or in public cloud environments. vSphere 6.5 is not only the heart of the Software-Defined Data Center, it’s also the foundation of VMware’s cloud strategy. vSphere 6.5 is available in both the private cloud and as a service through a public cloud. The newly announced VMware Cloud Foundation and VMware Cloud on AWS are both built on vSphere 6.5.
As the ideal platform for apps, cloud, and business, vSphere 6.5 reinforces the customer’s investment in VMware. vSphere 6.5 is one of the core components of VMware’s SDDC and a fundamental building block for VMware’s cloud strategy. With vSphere 6.5, customers can now run, manage, connect, and secure their applications in a common operating environment, across clouds and devices.

Learn More

This article only touched upon the key highlights of this release, but there are many, many more new features. To learn more about vSphere 6.5, please see the following resources.


VMware vSphere 6.5 – VM Encryption Details


VMware vSphere 6.5 also brings VM encryption. VM encryption works by applying a new storage policy to a VM. It is policy driven. You’ll be able to encrypt the VMDKs and the VM home files.
There is no modification within the guest OS. It does not matter which OS you’re running (Linux, Windows, DOS, iOS) or on which storage the VM files are located (NFS, block storage, VSAN…). The encryption happens outside of the guest OS. The guest does not have access to the keys.
The encryption also works for vMotion, but both the source and the destination hosts must support it.
VMware vSphere 6.5 - VM Encryption details
It gets a key from the default key manager. It uses a per-VM policy application model. It is easy to manage and also scalable.

The example within the vSphere Web Client below – apply the encryption policy to two sample VMs…
VMware vSphere 6.5 - VM encryption - Apply policy to some VMs

VM encryption – How it works?

You have an encrypted VM after you have applied an encryption policy to it. Then a randomly generated key is created for each VM, and that key is encrypted with the key from the key manager.
When you power on a VM which has the encryption storage policy applied, vCenter retrieves the key from the key manager, sends it down to the VM encryption module and unlocks that key in the ESXi hypervisor.
So all IO coming out of the virtual SCSI device goes through the encryption module before it hits the storage module within the ESXi hypervisor.
All IO coming directly from a VM is encrypted.
VMware vSphere 6.5 VM encryption details
The workflow on activating the VM encryption would look like this:
VMware vSphere 6.5 - VM encryption workflow

To Decrypt a VM?

You may ask: How do I decrypt a VM then? It is very simple. Change the storage policy back to the datastore default, and the VM’s files and VMDKs will be decrypted.

PowerCLI anyone?

Yes, there will be a PowerCLI cmdlet which will be able to apply a policy, but also to report on which VMs are currently encrypted….
You’ll be able to encrypt the VMDKs only, or also the VM home files.

Who Manages encryption?

It is not vCenter Server, which is only a client. The 3rd party Key Management Server (KMS) is the one responsible for the encryption of the key and its management.
With that you may ask who will be able to manage encryption of your VMs? Do all your vSphere admins need to have access to encryption? Possibly. But possibly NOT. VMware has created a new default role “No Cryptography Administrator”.
VMware vSphere 6.5 - New role called "No Cryptography Administrator"
You’ll find this new role within the Roles, as usual. The new role still has all the other privileges of a “standard” admin, minus the encryption rights.
It can power on, power off, shut down, vMotion, etc.
But not operations like:
  • Manage key servers
  • Manage keys
  • Manage encryption policies
  • Console access to encrypted VMs
  • Upload/download of encrypted VMs

All permissions are customizable.
And perhaps there are some gotchas?

VMware vSphere 6.5 VM encryption - Features

  • The default KMS isn’t from VMware – yes, this might be a showstopper for some. But there are many other KMS managers out there and VMware vSphere will be able to use those other KMS managers for the job….
  • SAN Backup not supported – backup proxy backup type is supported but the backup proxy appliance has to be encrypted, and also the user account which is performing the backup has to have the Cryptographer.DirectAccess permission.
  • Backup data is not backed up encrypted – the backup solution may provide its own encryption mechanism. After restoring you have to have a policy in place to re-encrypt the restored VM.
  • vCenter cannot be encrypted – At least on the same infrastructure. Logical, as, if vCenter cannot start-up and get the keys, then you’re kind of in trouble.
  • Not supported – some things are unsupported:
    • Suspend/resume
    • Encrypting a VM with existing snapshots (if the VM is already encrypted, you can’t create a snapshot)
    • Serial/Parallel port
    • Content library
    • vSphere Replication
The Key Management Interoperability Protocol (KMIP) 1.1 has to be implemented for a key manager to be compatible with vSphere 6.5. Here is a list (not exhaustive) of the principal key managers supported.
VMware vSphere 6.5 - Key managers supported (not exhaustive list)

Encrypted vMotion

There are 3 settings which are possible on the per-VM basis:
  • Disabled – do not use encrypted vMotion
  • Opportunistic – use encrypted vMotion if source and destination hosts support it. If not it will do a normal vMotion.
  • Required – allow only encrypted vMotion. If the source or destination does not support encrypted vMotion, then the vMotion fails.
VMware vSphere 6.5 - encrypted vMotion
How does encrypted vMotion work? A randomly generated key is created and added to the migration spec.
It is then pushed to each host participating in the vMotion process, where the data going across the network is encrypted with that randomly generated key, only for the duration of the migration.
It is a one-time random key, generated by vCenter (not the KMS).
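The three per-VM settings, the rule that an encrypted VM always migrates encrypted (stated earlier on this page), and the one-time key and 64-bit nonce that vCenter puts into the migration specification, modelled in Python as an added example (not VMware code and not from the post). The host capability flags, the function names and the dict used as a stand-in migration spec are assumptions of this example.

```python
import secrets
from enum import Enum
from typing import Optional, Tuple


class VMotionEncryption(Enum):
    """The three per-VM settings described in the text."""
    DISABLED = "disabled"
    OPPORTUNISTIC = "opportunistic"
    REQUIRED = "required"


def effective_setting(vm_encrypted: bool, setting: VMotionEncryption) -> VMotionEncryption:
    """An encrypted VM always migrates encrypted, whatever its own setting says."""
    return VMotionEncryption.REQUIRED if vm_encrypted else setting


def new_migration_spec(vm_name: str) -> dict:
    """Per-migration material as the text describes it: a random 256-bit key and
    a 64-bit nonce, generated for this one migration by vCenter (not by the KMS).
    The dict is an assumed stand-in for the real migration specification."""
    return {
        "vm": vm_name,
        "key": secrets.token_bytes(32),   # 256 bits
        "nonce": secrets.token_bytes(8),  # 64 bits
    }


def plan_vmotion(vm_name: str, vm_encrypted: bool, setting: VMotionEncryption,
                 src_supports: bool, dst_supports: bool) -> Tuple[str, Optional[dict]]:
    """Decide how a requested vMotion proceeds.

    src_supports / dst_supports are assumed capability flags for the two hosts.
    Returns ("encrypted", spec), ("plain", None) or ("refused", None).
    """
    eff = effective_setting(vm_encrypted, setting)
    both_capable = src_supports and dst_supports
    if eff is VMotionEncryption.DISABLED:
        return "plain", None
    if eff is VMotionEncryption.OPPORTUNISTIC:
        return ("encrypted", new_migration_spec(vm_name)) if both_capable else ("plain", None)
    # REQUIRED: never fall back to a clear-text migration
    return ("encrypted", new_migration_spec(vm_name)) if both_capable else ("refused", None)


if __name__ == "__main__":
    cases = [
        ("web01", False, VMotionEncryption.OPPORTUNISTIC, True, False),
        ("web01", False, VMotionEncryption.REQUIRED, True, False),
        ("vault01", True, VMotionEncryption.DISABLED, True, True),
    ]
    for vm, enc, setting, src, dst in cases:
        outcome, spec = plan_vmotion(vm, enc, setting, src, dst)
        extra = "" if spec is None else f"(one-time key, {len(spec['key']) * 8}-bit)"
        print(vm, setting.value, "->", outcome, extra)
```

The point of the model is the failure mode: with Opportunistic, a host that lacks support silently downgrades the migration to the clear, whereas Required refuses it, and an encrypted VM is treated as Required even if its own setting says Disabled.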
vSphere Encryption looks pretty good, adding an additional layer of security to your data, but some things should be discussed first. Who has and who has not the rights to encrypt VMs? How to proceed when the admin leaves the company? How to proceed when the password of the admin account (with rights to encrypt) is lost?
Then everything should be thoroughly tested first, starting with simple (not production) VMs. Keep in mind that this is a v1.0 feature and that there can be some gotchas.

VMware vSphere 6.5 – Native vCenter High Availability (VCSA 6.5 only)

Since vSphere 6.0, VMware has pushed the VCSA appliance further forward. In the past, the appliance had limited scalability, limited support, or limited features. Not all architectural options were supported, so as a result users were forced to use Windows-based vCenters in order to have the features they needed for their enterprise environments. The 6.5 release changes everything.
Not only is there now feature/function parity with the Windows-based vCenter, but new features are appearing in the VCSA-based vCenter that will not benefit Windows-based deployments. VUM is now built in, and the VCSA 6.5 also supports Native vCenter High Availability.

VMware vSphere 6.5 also brings Virtual Hardware 13, allowing you to create and run VMs with up to 6TB of memory, and UEFI Secure Boot for the guest OS.
Let’s get back to Native vCenter High Availability (HA). As you know, previously there have been several options for providing HA for your vCenter Server. Some of them were not easy to implement, like MSCS. To do a quick recap on those solutions, there were basically four of them:
  • vSphere High Availability (HA) – vCenter server VM gets restarted on another host within your cluster. Traditional.
  • vSphere Fault Tolerance (FT) – only in 6.0 (4.x, 5.0, 5.1 or 5.5 were not supported)
  • Microsoft clustering – WSFC/MSCS – Windows Server Failover Clustering or Microsoft Server Failover Clustering to protect a Windows-based vCenter Server. There was support for using Microsoft SQL Cluster Service as a back-end database.
  • vCenter server Heartbeat – separate solution from VMware. A Paid product. This solution wasn’t a real commercial success. VMware has announced end of Availability for all vCenter Server Heartbeat versions.

Native vCenter High Availability (HA) – for VCSA only!!

This year, with vSphere 6.5, VMware introduces a new, simplified Native vCenter Server High Availability (HA) for VCSA 6.5. As said, only vCenter Server Appliance (VCSA) based architectures will be supported.
What’s in it and how does it work?
  • Active-Passive deployment with Witness – synchronous DB replication, and file-based replication.
  • Requirements – a new, second vNIC (eth1) is added during the wizard-based configuration. The only requirement is a private network on a separate subnet from the primary network.
You can see the schema below….
VMware vSphere 6.5 - Native VCSA 6.5 HA
There is no need for L2 network requirements or VXLAN.

For which scenarios?

You can have one VCSA in one datacenter (active) and the passive VCSA in another datacenter. The VCSA vPostgres DB will have synchronous replication. VMware uses the native vPostgres replication mechanism.
There are some latency requirements (will be added here later).
File-based replication is near real-time replication for some files that lie outside of the VCSA (Witness).

Two ways to enable VCSA HA:

There are two configuration options, two workflows, within the assistant:
  • Basic – minimum info is required through a wizard, like IP information; if you have DRS/Storage DRS the system will create the active and passive nodes for you and create affinity and anti-affinity rules. Or you can manually select the nodes where you want the two VCSAs to run. The system will create the eth1 vNIC interfaces; you’ll also need to provide the port groups where you want to attach these vNICs, and set up the replication.
  • Advanced – a bit more complex. You have to manually clone the VMs (active, passive and witness) and provide IP information. But the advanced workflow allows you to place the VMs, for example, into another datacenter or another site, with different IP addresses etc… We don’t have further details on this just yet, but we’ll update the post when the product is GA.


What’s new in vSphere 6.5?

Let’s begin with the Configuration maximums:
  • Virtual Hardware v.13
  • RAM per VM has been increased from 4TB to 6TB.
  • Maximum powered-on machines per vCenter has been increased from 10,000 to 20,000.

vCenter:

  • vCenter Server Appliance 6.5 (VCSA) – vSphere 6.5 makes the vCenter Server Appliance the fundamental building block of a vSphere environment.
  • The VCSA appliance runs on top of Photon OS now.
  • File-based backup and recovery
  • Native VCSA high availability
  • VMware Update Manager is now integrated with the VCSA – no need for a separate VM.
  • Enhanced vCenter Install, Upgrade, Migrate and Restore – previous versions don’t have Migrate and Restore, and these features are now available in 6.5. It also has built-in backups.
  • No Client Integration Plugin required for the vSphere Web Client.
  • HTML5 web client
VMware HA and DRS improvements:
  • HA – Admission Control – Admission Control is a feature that watches over the vSphere Cluster to ensure that ample resources remain in the event of a failure. Specifically, it blocks power-on operations for VMs that would violate the resources needed by the cluster.
  • HA Orchestrated Restart – vSphere 6.5 now allows creating dependency chains using VM-to-VM rules. These dependency rules are enforced when vSphere HA is used to restart VMs from failed hosts. This is great for multi-tier applications that do not recover successfully unless they are restarted in a particular order. A common example of this is a database, app, and web server.
  • Proactive HA – This is the most awaited feature. It proactively moves VMs to another host if the current host starts experiencing a partial failure.
  • Network-aware DRS – This feature looks at host network saturation for the physical uplinks and avoids placing VMs on a host that has an over-subscribed network. DRS will not reactively balance the hosts solely based on network utilization; rather, it will use network utilization as an additional check to determine whether the currently selected host is suitable for the VM. This additional input will improve DRS placement decisions, which results in better VM performance.

vSphere Web Client:

Here is a list of a few high-impact improvements that will help with the overall user experience of the vSphere Web Client while development continues on the HTML5-based vSphere Client:
  • Inventory tree is the default view
  • Home screen reorganized
  • Renamed “Manage” tab to “Configure”
  • Removed “Related Objects” tab
  • Performance improvements (VM Rollup at 5000 instead of 50 VMs)
  • Live refresh for power states, tasks, and more!

vSphere Client:

The vSphere Client is a fully supported version of the HTML5-based vSphere Client that runs alongside the vSphere Web Client. The vSphere Client is built right into vCenter Server 6.5 (both Windows and Appliance) and is enabled by default.
Below are some of the benefits to the new vSphere Client:
  • Clean, consistent UI built on VMware’s new Clarity UI standards (to be adopted across our portfolio)
  • Built on HTML5 so it is truly a cross-browser and cross-platform application
  • No browser plugins to install/manage
  • Integrated into vCenter Server for 6.5 and fully supported
  • Fully supports Enhanced Linked Mode
  • Users of the Fling have been extremely positive about its performance

Storage:

There are some enhancements on the core storage side as well. I will explain all the new features in my upcoming posts. Please stand by.
  • VMFS-6
  • UNMAP
  • Linux Guest OS SPC-4 support
  • NFS 4.1 Improvements
  • iSCSI Improvements
  • SIOC version 2
  • VM Encryption

Security:

  • VMDK Encryption Manageability
  • Encrypted vMotion
  • Secure Boot Support for ESXi Host and Guest VM