vRA & SovLabs: Infoblox IPAM Module

An IP address is an integral part of the server architecture and is required by all servers, LB VIPs, NATs, etc. Many customers still make use of spreadsheets, which are very difficult to automate because data has to be entered manually, and this eventually leads to inconsistencies when the file is not updated after an IP address is assigned, changed or deleted.

What you need is a robust, high-performance, highly available IP solution that you can manage from a single interface and that provides features like:

  • Manage a large pool of IP addresses
  • Improved availability and simplified administration.
  • User based roles and permissions.
  • Provide vital operational and troubleshooting data:
    • IP address history, MAC address, Owner, Location, OS, etc.
  • Reports summarizing IP address resources and utilization.

There are many IPAM solutions out there with SovLabs support for the following:

I will be using the SovLabs Infoblox module in my example but if you have read this far you probably asked yourself “Infoblox has native integration with vRealize Automation, why use the SovLabs Infoblox module?”  I did some research and hopefully this information is useful in your decision making:

Differentiators between SovLabs Infoblox IPAM and the native Infoblox integration with vRA:

  • SovLabs does not require the Infoblox cloud adapter
  • SovLabs has different modules, which seamlessly integrate with each other and enhance the IPAM functionality:
    • Separate DNS and IPAM modules to allow each to be driven independently even between different providers.
    • Ability to create multiple independent DNS profiles that can drive DNS for multiple different providers independent of IPAM.  DNS is able to register against multiple domains out of the box and drive host records, CNAMEs, PTR and A records independently.
  • SovLabs has pre-validation logic for IP and DNS forward/reverse duplication detection.
  • SovLabs Template engine can be used for custom comments, fields in Infoblox based on vRA metadata.
  • SovLabs is designed for ease of use. No Infoblox schema changes or lengthy install and upgrade process.
  • SovLabs is completely policy driven, no need for custom workflow development.

The SovLabs module also has many other features, which can be viewed on the website here, but some of the highlights are:

  • Obtain and reserve unique IP address(es) and release automatically during appropriate machine lifecycle
  • Reserves unique IP address(es) and assigns to the VM NIC(s) based on IPAM profile(s)
  • IPAM profiles can span multiple networks, each consisting of a network name, subnet CIDR block and gateway address
  • IPAM configurations are interchangeable between endpoint providers; avoid lock-in by easily adding additional IPAM providers with other IPAM modules from SovLabs
  • No custom workflows required, completely policy driven
  • SovLabs IPAM configurations may also be used with SovLabs network load balancer modules

Prerequisites:

  1. Infoblox user on (all) Infoblox appliance(s) with the following permissions:
    • API and GUI access configured
    • Add/remove Host Records, A Records and/or PTR Records
  2. Infoblox WAPI version must be 1.2+

    Access https://{infoblox-fqdn}/wapidoc/ and look in the upper-left corner

  3. Login to the vRA tenant
    1. Add license for Infoblox IPAM module
    2. Validate the following show up on the Catalog page:
      1. Add Infoblox Endpoint
      2. Add IPAM Profile

 

Configuration:

  1. Add InfoBlox Endpoint
    1. Login to vRA Tenant
    2. Select Catalog -> SovLabs vRA Extensibility
    3. Click Request button on “Add Infoblox Endpoint”
    4. Infoblox Endpoint
    5. Enter Configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    6. Enter hostname
      • FQDN of Infoblox server
    7. HTTPS = yes
    8. Port – 443
    9. WAPI version = pick from the dropdown box based on the version you found in the prerequisites
    10. DNS View = optional, which DNS views this endpoint supports
      • Not using Infoblox for DNS in this example
    11. Network View = optional, which Network views this endpoint supports
      • All my networks are created under the default view
    12. Credential Configuration
    13. Enter username
      • Username should have API access and permissions to add/remove records to/from Infoblox
    14. Enter password
    15. Click Next
    16. Advanced Options
      • These are optional and can be left blank, in which case they are populated with the default values.
    17. Host record template
    18. A record template
    19. PTR record template
    20. Fixed Address template
    21. Click Submit
  2. Add IPAM profile
    1. Select Catalog -> SovLabs vRA Extensibility
    2. Click Request on Add IPAM Profile
    3. Enter configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    4. Enter Description
      • I like to add the name of the network and subnet information here.
    5. Type = Infoblox
      • Since we are using Infoblox, that is what I picked.
    6. Provider host = select configuration label for previously created Infoblox endpoint
    7. Nic number = 0
      • The NIC on the VM to which you want the IP address assigned
    8. Subnets, Gateways and Network names
      1. The network name should match the vDS port group name.
      2. Enter the subnet, gateway and network name as comma-separated values and click the green + sign
    9. Excluded IPs
      1. If you want to exclude some IP addresses, enter them here individually.
    10. DNS Configuration
    11. Enter Primary DNS
    12. Enter Secondary DNS
    13. Enter DNS Suffix
    14. Enter DNS search Suffix
    15. WINS Configuration
    16. Enter WINS Server if necessary
    17. Click Submit
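
A pre-flight check for the "Subnets, Gateways and Network names" and "Excluded IPs" fields of the IPAM profile, as an added example that is not SovLabs or Infoblox code. The port group names, networks and excluded addresses are constructed sample values, and the checks chosen here (gateway inside the subnet, no overlapping subnets, names matching a port group) are assumptions about what is worth verifying before you submit the form.

```python
import ipaddress

# Constructed sample data (not from the original post).
PORT_GROUPS = {"vds-pg-app", "vds-pg-db"}
GOOD_ENTRIES = [
    "10.20.30.0/24,10.20.30.1,vds-pg-app",
    "10.20.31.0/24, 10.20.31.1, vds-pg-db",
]
BAD_ENTRIES = [
    "10.20.30.0/24,10.20.30.1,vds-pg-app",
    "10.20.31.0/24,10.20.30.1,vds-pg-db",        # gateway from another subnet
    "10.20.30.128/25,10.20.30.129,vds-pg-web",   # overlaps the first, unknown name
    "10.20.32.7/24,10.20.32.1,vds-pg-app",       # host bits set in the CIDR
]


def parse_entry(line):
    """Parse one 'subnet,gateway,network name' entry as typed into the form."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected 'subnet,gateway,network name', got {line!r}")
    # strict=True rejects a CIDR with host bits set, e.g. 10.20.32.7/24
    subnet = ipaddress.ip_network(parts[0], strict=True)
    gateway = ipaddress.ip_address(parts[1])
    return subnet, gateway, parts[2]


def validate_profile(entries, excluded_ips, port_groups):
    """Return a list of problems; an empty list means the profile is consistent."""
    problems, parsed = [], []
    for line in entries:
        try:
            subnet, gateway, name = parse_entry(line)
        except ValueError as exc:
            problems.append(f"bad entry: {exc}")
            continue
        if gateway not in subnet:
            problems.append(f"{name}: gateway {gateway} is outside {subnet}")
        elif gateway in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{name}: gateway {gateway} is not a host address")
        if name not in port_groups:
            problems.append(f"{name}: no vDS port group with this name")
        for other, _, other_name in parsed:
            if subnet.overlaps(other):
                problems.append(f"{name}: {subnet} overlaps {other} ({other_name})")
        parsed.append((subnet, gateway, name))
    for raw in excluded_ips:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            problems.append(f"excluded IP {raw!r} is not an IP address")
            continue
        if not any(ip in subnet for subnet, _, _ in parsed):
            problems.append(f"excluded IP {ip} is not in any profile subnet")
    return problems


def allocatable(entry, excluded_ips):
    """Count host addresses left for VMs after the gateway and exclusions."""
    subnet, gateway, _ = parse_entry(entry)
    reserved = {gateway} | {ipaddress.ip_address(x) for x in excluded_ips}
    return sum(1 for host in subnet.hosts() if host not in reserved)


if __name__ == "__main__":
    for problem in validate_profile(
        BAD_ENTRIES, ["10.20.30.10", "10.20.99.5", "10.20.30.300"], PORT_GROUPS
    ):
        print("PROBLEM:", problem)
    print("free addresses:", allocatable(GOOD_ENTRIES[0], ["10.20.30.10"]))
```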

Enable the module:

Now we need to enable the custom properties module on our blueprint

  1. Login to vRA
  2. Click on the Infrastructure -> Reservations -> Network Profiles
  3. Edit the network profile that best matches the IPAM profile created above
  4. Click DNS tab
    1. Verify that the DNS suffix is set.
  5. Click on the Infrastructure -> Reservations
  6. Edit the reservation associated with the network profile reviewed above in step 3.
    1. Click network tab
    2. Uncheck the network paths
    3. Also clear out the network paths dropdown value.
  7. Click OK
  8. Now we need to enable the custom properties module on our blueprint
  9. Click on Design -> Blueprint
  10. Edit Blueprint
  11. Click on the blueprint vSphere machine on the Design Canvas.
  12. Click on properties tab
  13. In the properties group section click +Add
  14. Check the box for:
    • SovLabs-EnableLifecycleStubs
    • Check the appropriate IPAM property group (starts with SovLabs-IPAM- and ends with -nic#)
    • Do not attach more than 1 IPAM profile property group to a blueprint VM object
  15. Click OK
  16. Repeat these steps for all blueprints that should get an IP address through IPAM.

Now deploy a VM and verify in Infoblox that the IP address is assigned to the network in the default view.

vRA & SovLabs: ServiceNow CMDB module

Having a centralized configuration management database (CMDB) is crucial to provide insight into your environment, especially with IT service management architectures becoming a lot more complex. Some of the benefits of a CMDB are:

  • Increase control with asset management
  • Make systems more reliable by quickly identifying configuration drift like unplanned changes and improper configs that can cause performance issues
  • Maintain service levels through faster troubleshooting and identify key components, owners and dependencies

The CMDB contains valuable in-depth data about maintenance, repair histories, problems and changes, but this is all pretty much useless if the CMDB is not kept up to date and consistent. There are many ways to achieve the necessary consistency, but the SovLabs ServiceNow CMDB module for vRA provides a lot of additional benefits over something like auto-discovery. Its features can be viewed on the website here, but some of the highlights are:

  • Flexible mapping via JSON-based templates which can utilize dynamic or static values and vRA metadata, e.g. using vRA custom properties like business groups, catalog item owner, software installed
  • Multiple operations permitted (insert/update/delete) on multiple related or independent tables using the direct to table method
  • CMDB configurations can be applied generically at the compute resource or business group level or more specifically at the blueprint level
  • Compatible with ServiceNow Discovery
  • Instantaneous CMDB inserts/updates occur during time of provisioning/de-provisioning/re-configure
  • Flexible de-provisioning/clean options
  • Supports import set or direct to table

Prerequisites:

  1. ServiceNow CMDB is properly configured
  2. ServiceNow CMDB service user account must have Web Service admin rights and rights to add/update/delete records
  3. If you are using VMware’s ITSM plug-in, set the “u_vra_uid” column to read/write from read only:
    1. In ServiceNow, navigate to System Definition
    2. Under Column name, search for u_vra_uid
    3. Click the cmdb_ci table from the results
    4. Uncheck Read only and Check Read/Write
    5. Click Update
  4. Login to the vRA tenant
    1. Add license for ServiceNow CMDB module
    2. Validate the following show up on the Catalog page:
      1. Add ServiceNow Endpoint
      2. Add ServiceNow CMDB

Configuration:

  1. Add DNS configuration
    • If you want the VIP host name to be automatically registered with DNS then you need to have the SovLabs DNS module installed and configured.  This was covered in my previous post which can be viewed here.
  2. Add ServiceNOW Endpoint

    1. Select Catalog -> SovLabs vRA Extensibility
    2. Click Request on “Add ServiceNow Endpoint – SovLabs Modules”
    3. ServiceNow Endpoint
    4. Enter Configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    5. Enter ServiceNow host URL
    6. Select Current ServiceNow version
    7. Credential Configuration
    8. Create credential = yes
    9. Enter Configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    10. Enter username and password
    11. Click Submit
  3.  Add ServiceNow CMDB Configuration
    1. Select Catalog -> SovLabs vRA Extensibility
    2. Click Request on “Add ServiceNow CMDB Endpoint – SovLabs Modules”
    3. ServiceNow CMDB Configuration
    4. Enter Configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    5. Select ServiceNow Endpoint previously created
    6. Use import set?
      • Selecting no will make use of direct to table
    7. Select template name
      • I am using the default Linux and Windows templates provided by SovLabs, so I will be creating two separate CMDB configurations, one associated with each.
    8. Enter JSON template
      • This should be populated with the default template, but additional information can be added within the template, for instance the owner and the business group the owner belongs to.

Enable the module:

Now we need to enable the custom properties module on our blueprint

  1. Click on Design -> Blueprint
  2. Edit Blueprint
  3. Click on the blueprint vSphere machine on the Design Canvas.
  4. Click on properties tab
  5. In the properties group section click +Add
  6. Check the box for:
    • SovLabs-EnableLifecycleStubs
    • ServiceNow CMDB property group (starts with SovLabs-SnowCMDB-)
  7. Do not attach more than 1 ServiceNow CMDB property group to a blueprint
  8. Click OK
  9. Repeat these steps for all blueprints that should use this custom naming.

 

SovLabs ServiceNOW CMDB module vs. VMware’s vRA plugin for ITSM:

VMware’s vRA plugin for ITSM provides a way to expose vRA’s Catalog items to ServiceNOW for machine provisioning with an approval process workflow that runs in SNOW instead of vRA.

SovLabs CMDB module will automatically update the SNOW CMDB with the valuable information obtained from vRA after a Catalog Item request and successful deployment, either direct to table or through import sets.

Here are some limitations for each of the solutions that I think everyone needs to take into consideration.

VMware’s vRA plugin for ITSM feature limitations (based on my v1 experience):

  1. Only community supported!
  2. Only ADFS 2.0 is supported for authentication.
    Note: ADFS 2.0 comes with Windows 2008 R2, whereas ADFS 3.0 comes with Windows 2012 R2. ADFS 2.0 is a single point of failure. ADFS 3.0 supports farms with primary and secondary servers.

    • Email address must match in both SNOW and the AD connection used by ADFS
  3. Custom properties of the following types are not supported: slider, spinner, yes/no, hyperlink, and SecureString, as well as any properties using external values from vRealize Orchestrator.
    • Encrypted vRA custom properties not supported
  4. Only the vSphere.local tenant is supported (this might be fixed in v2 which I have not yet had a chance to test)
  5. Requesting XaaS blueprints or composite blueprints that contain dynamic form inputs from vRealize Orchestrator is not supported.
  6. Requesting machines from AWS or Azure or any other non-vCenter endpoint not supported.
  7. Resource mapping only on the vSphere virtual vRA inventory type which is limiting if you have OS-level CIs defined.
  8. Once configured, newly provisioned resources are imported into a new CMDB class while existing resources are available in the old CMDB class and would have to be imported into new.

SovLabs ServiceNOW CMDB module limitations:

  1. VM re-configure (should be available soon)
  2. Resource mappings for resources other than for machines except where they can be derived via machine properties

 

Links:

https://sovlabs.com/products/servicenow-cmdb/

http://docs.sovlabs.com/vRA7x/current.html#servicenow-cmdb

https://marketplace.vmware.com/vsx/solutions/vmware-vrealize-automation-plug-in-for-itsm-2-0-0

 

vRA & SovLabs: Snapshot management module

If you are a VMware administrator you know what a pain it is to manage snapshots. Virtualization makes it easy to snapshot a VM before a patch or an upgrade is applied to an application or OS, and gives you the peace of mind that you can revert if it fails. The reality is that users never clean up their snapshots, and snapshots start getting used as a backup method, which places the burden of cleanup on the VMware admins. VMware recommends not using snapshots for more than 3 days since it can cause serious performance, storage and corruption problems in your environment.

So how do you handle snapshots? A lot of customers just give up and take the chance of nothing going wrong, or they end up disabling this very valuable feature so users cannot use it at all. Neither of these methods is good.

The SovLabs module provides policies that control the expiration and deletion of VM snapshots, as well as the ability to send notifications to the VM owner. The VM owner is not given the option to extend how long the snapshot lives, and it will be automatically removed based on the lifespan in days set by the vRA administrator.

Configuration:

  1. Add SovLabs vCenter Endpoint
    1. This configuration was covered in my previous post which can be viewed here.
  2. Add SovLabs vRA CAFE Endpoint
    1. Select Catalog -> SovLabs vRA Extensibility
    2. Click Request on “Add SovLabs vRA CAFE Endpoint”
    3. Enter Configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    4. Version and Hostname are auto-generated based on querying vRA CAFE; verify that the information is correct
    5. If you have not configured this endpoint module then you need to create credentials.
    6. Click Submit
  3. Add SovLabs vRA IaaS Endpoint
    1. Select Catalog -> SovLabs vRA Extensibility
    2. Click Request on “Add SovLabs IaaS CAFE Endpoint”
    3. Enter Configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    4. Version, Hostname and Domain are auto-generated based on querying vRA CAFE; verify that the information is correct
    5. If you have not configured this endpoint module then you need to create credentials.
    6. Click Submit
  4. Add Notification Configuration
    1. Select Catalog -> SovLabs vRA Extensibility
    2. Click Request on “Add Notification Configuration”
    3. New message server = yes
      1. New fields will appear
    4. Enter Configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    5. Enter message server address
    6. Enable SSL if required
    7. Enter message port
    8. Select message type
    9. Select message server protocol
    10. Select yes from the drop-down box if your SMTP server requires authentication.
      1. Select yes from new credentials
      2. Enter configuration label
      3. Enter username and password
    11. Enable STARTTLS if required
    12. Set network timeout
    13. Since I selected email as the message type, the email groups need to be set up.
      1. Select yes to create new group
      2. Enter email group configuration label
      3. Enter To and/or CC and BCC addresses
    14. Click Next
    15. Enter notification configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    16. Select type = SNAPSHOT
    17. Select state = Whether or not to send notifications when a new snapshot is found (NEW), when a snapshot is about to be deleted (WARNING), and/or when a snapshot has been deleted (DELETE)
    18. Select format
    19. Enter From address
    20. Enter Title
    21. Enter Body
      • In the documentation they have some notification examples which you can just copy/paste and customize, which is very helpful.
    22. Click Submit
  5. Add Notification Group Configuration
    1. Select Catalog -> SovLabs vRA Extensibility
    2. Click Request on “Add Notification Group Configuration”
    3. Enter Configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    4. Select Type = snapshot
    5. Select Notification = previously created notification configuration.
  6. Add Snapshot Configuration
    1. Select Catalog -> SovLabs vRA Extensibility
    2. Click Request on “Add Snapshot Configuration”
    3. Enter Configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
      • Example: sovlabs_snapshot_config_BG_all_2days
    4. Select SovLabs vRA CAFE Endpoint from dropdown. This was configured earlier.
    5. Select SovLabs vRA IaaS Endpoint from dropdown. This was also configured earlier.
    6. Select Notification Group. Make sure you have a notification group of type snapshot defined. This was also configured earlier.
    7. Select if you want to manage snapshots for all business groups = yes
    8. Enter snapshot lifespan in days
      1. Per VMware’s recommendation, try to stay under 3 days
    9. Enter the number of days before expiration that a warning notification should be sent out.
    10. Click Next
    11. Set the snapshot scheduler. The schedule you set here checks each VM for snapshots that are about to expire, or that have expired and need to be deleted. Once the configuration is created, a vRO scheduled task is created which runs every 15 min to make sure that the snapshot scheduler sends out the notifications at the specified time.
    12. Leave schedule as active
    13. Set schedule type = daily
      • most customers would pick daily
    14. Set the time to run in military format
    15. Can leave schedule end date blank to run forever.
    16. Click Submit

Enable the module:

  1. Based on the set scheduler, an inventory update will automatically run and send notifications.
    • If a snapshot’s age has met the expiration day, it will automatically get deleted.
  2. Deleting the last SovLabs Snapshot Configuration also deletes the vRealize Orchestrator scheduled task for Snapshot Management. The task is automatically created again if a snapshot configuration is created and the scheduled task is not found.
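
A dry run of the policy described above, as an added example that is not SovLabs code: it models the lifespan and warning settings and the daily schedule to show which snapshots a scheduled run would report or delete. The precedence between the states, the inventory format and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, time, timedelta, timezone

UTC = timezone.utc

# Constructed inventory: one dict per snapshot found on a managed VM.
SNAPSHOTS = [
    {"vm": "app01", "name": "pre-patch", "created": datetime(2017, 4, 20, 10, 0, tzinfo=UTC)},
    {"vm": "db01", "name": "pre-upgrade", "created": datetime(2017, 4, 22, 7, 0, tzinfo=UTC)},
    {"vm": "web01", "name": "test", "created": datetime(2017, 4, 23, 6, 0, tzinfo=UTC)},
    {"vm": "web02", "name": "baseline", "created": datetime(2017, 4, 22, 20, 0, tzinfo=UTC)},
]
# Snapshots that an earlier run already reported as NEW (constructed).
ALREADY_SEEN = {("web02", "baseline")}
NOW = datetime(2017, 4, 23, 8, 0, tzinfo=UTC)  # the moment the daily run fires


def classify(snapshots, already_seen, now, lifespan_days, warning_days):
    """Sort snapshots into the NEW / WARNING / DELETE states for one run."""
    if not 0 <= warning_days < lifespan_days:
        raise ValueError("warning_days must be >= 0 and smaller than lifespan_days")
    expire_after = timedelta(days=lifespan_days)
    warn_after = timedelta(days=lifespan_days - warning_days)
    result = {"NEW": [], "WARNING": [], "DELETE": []}
    for snap in snapshots:
        key = (snap["vm"], snap["name"])
        age = now - snap["created"]
        if age >= expire_after:          # lifespan reached: removed on this run
            result["DELETE"].append(key)
        elif age >= warn_after:          # inside the warning window
            result["WARNING"].append(key)
        elif key not in already_seen:    # first time the scheduler sees it
            result["NEW"].append(key)
    return result


def deletion_run(created, lifespan_days, run_time):
    """Return the first daily run at or after the snapshot reaches its lifespan."""
    expiry = created + timedelta(days=lifespan_days)
    candidate = datetime.combine(expiry.date(), run_time, tzinfo=expiry.tzinfo)
    return candidate if candidate >= expiry else candidate + timedelta(days=1)


if __name__ == "__main__":
    for state, items in classify(SNAPSHOTS, ALREADY_SEEN, NOW, 2, 1).items():
        print(state, items)
    first = SNAPSHOTS[0]
    removed = deletion_run(first["created"], 2, time(8, 0))
    print("app01 snapshot lives for", removed - first["created"])
```

In this model deletion only happens when the scheduler runs, so a snapshot can outlive the configured lifespan by up to one schedule interval; with a daily schedule, a lifespan of 2 days keeps every snapshot under 3 days.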

Disable the module:

  1. Login to the vRA tenant
  2. Select Catalog -> SovLabs vRA Extensibility
  3. Click Request on “Manage Snapshot Scheduler”
    1. Select Suspend from the Action dropdown list.
    2. Click Submit
    3. If you want to resume this module again, perform the same actions as above but select “resume” from the Action dropdown list.

 

vRA & SovLabs: vSphere DRS

This module allows you to make use of VMware’s DRS to sub-divide your vSphere clusters for consumption by defining DRS groups, affinity and anti-affinity rules. A good use case for this would be the deployment of a VM that needs to be tied to a specific host due to licensing or hardware constraints, or VMs behind load balancers that you want to make sure run on different ESXi hosts.

The module has many features, which can be viewed on the website here, but some of the highlights are:

  • Create and manage vSphere DRS profile configurations directly in vRA and tie them to existing blueprints to enable affinity or anti-affinity relationships between VMs provisioned and existing DRS host groups.
  • Automatic cleanup of appropriate linked VM rules and groups during VM de-provisioning lifecycles
  • Allows for VM provisioning into specific pre-defined DRS host groups
  • Dynamically creates VM group(s) and rule(s) during VM provisioning based on the corresponding SovLabs DRS profile configuration

Prerequisites:

  • vCenter Server is properly configured
  • vCenter cluster is properly configured and the host groups defined

Configuration:

  1. Add vCenter Endpoint
    1. Login to vRA Tenant
    2. Select Catalog -> SovLabs vRA Extensibility
    3. Click Request button for “Add SovLabs vCenter Endpoint”
    4. Enter configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    5. Select vCenter version
    6. Enter PSC FQDN
    7. Embedded PSC = yes/no
    8. Enter vCenter Server FQDN
      • this should get populated
    9. Create credentials = yes
      1. These are not the vRA credentials, so if you have not set them up through the catalog item request then you have to do so first.
    10. Enter username
    11. Enter password
    12. Click Submit
  2. Add DRS Profile
    1. Login to vRA Tenant
    2. Select Catalog -> SovLabs vRA Extensibility
    3. Click Request on “Add DRS Profile”
    4. Enter configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    5. Select vCenter Endpoint
    6. Select Cluster
      • If the clusters do not show up, make sure you have host groups defined in DRS or that the credentials are entered correctly. Credentials can be updated through the SovLabs Catalog item “Manage Credential Configuration”
    7. Select host group
      • I created 2 host groups within the cluster, with separate hosts in each, which will be assigned to each blueprint.
    8. Select Rule
      • I selected “should run on hosts in group”
    9. Click Submit

 

Enable the module:

Now we need to enable the custom properties module on our blueprint

  1. Click on Design -> Blueprint
  2. Edit Blueprint
  3. Click on the blueprint vSphere machine on the Design Canvas.
  4. Click on properties tab
  5. In the properties group section click +Add
  6. Check the box for:
    • Check the appropriate vSphere DRS property group (starts with SovLabs-DRS-)
    • Do not attach more than 1 vSphere DRS property group to a vSphere machine blueprint
  7. Click OK
  8. Repeat these steps for all blueprints that should use this custom naming.

 

 

vRA & SovLabs: DNS module

DNS plays a very important role in making sure your deployed VMs are accessible, and if this is not configured correctly you can run into problems that can sometimes be difficult to diagnose.

SovLabs modules make sure that no stale, duplicate or orphaned DNS records exist, which is great since we have all had those days where we are too lazy to unregister a VM from AD before we delete it, right!?

SovLabs also supports DNS integration with Infoblox, Bluecat and BT Diamond IP which is very helpful since these might be used for different departments and give you that flexibility to accommodate those scenarios.

For this blog I am focusing on using just the regular old Microsoft Active Directory.

The module has many features, which can be viewed on the website here, but some of the highlights are:

  • Handles simple to complex globally distributed multi-zone, multi-site MS DNS environments
  • Employs several methods to improve DNS data integrity and mitigate issues from stale, duplicate or orphaned DNS records, such as retry logic, record availability and DNS propagation/post validation checks
  • DNS configurations are interchangeable between endpoint providers; avoid lock-in by easily adding additional DNS providers with other DNS modules from SovLabs
  • Allows for independent configurations for forward and reverse records, if desired
  • Supports up to 10 network interfaces per machine

 

Prerequisites:

  1. Identify the Domain Controllers to be used, or if policy dictates no direct connections are allowed then identify a proxy server.
    • If using a proxy server then make sure the environment setup is complete by following these steps
  2. If you are not using the SovLabs IPAM module, then you need to make sure you set the DNS suffix within the network profiles that will be used.
  3. Setup WinRM
    • WinRM must be enabled for SovLabs modules utilizing any Windows servers in the environment (for AD, DNS, IPAM, Puppet, etc.)
    • Follow these steps
  4. Install AD Webservices on all the DCs that will be used.
  5. Verify NTP settings

 

Configuration:

  1. Add Microsoft Endpoint
    1. This configuration was covered in my previous post which can be viewed here.
  2. Add DNS configuration
    1. Select Catalog -> SovLabs vRA Extensibility
    2. Click Request on “Add DNS Configuration – SovLabs Modules”
    3. Enter Configuration label
      • Only AlphaNumeric characters, no spaces or special characters except: - and _
    4. Domains
      • Add all the domains for this DNS config
      • Enter name
      • Press Green plus sign
    5. Networks
      • Add all the networks for this DNS config
      • Enter name
      • Press Green plus sign
    6. DNS server type
      • MS DNS in my case
    7. DNS server endpoints
      • Select the one that was previously created
    8. Create A record = yes
    9. Create PTR record = yes
    10. Use a default server
      • Can specify this server if no match on domain and network.
    11. Click Submit

 

Enable the module:

Now we need to enable the custom properties module on our blueprint

  1. Click on Design -> Blueprint
  2. Edit Blueprint
  3. Click on the blueprint vSphere machine on the Design Canvas.
  4. Click on properties tab
  5. In the properties group section click +Add
  6. Check the box for:
    • SovLabs-EnableLifecycleStubs
  7. Click OK
  8. Repeat these steps for all blueprints that should use this custom naming.

Now deploy a VM and watch the magic happen.  The provisioned VM will automatically attempt to register with Microsoft DNS only if the VM is in the configured domain and network defined for Microsoft DNS.
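
An audit for the conditions the DNS module (and the pre-validation mentioned for the Infoblox IPAM module) is meant to prevent: duplicate, orphaned and stale records. This is an added example, not SovLabs code; it works on exported A and PTR records plus a list of live machines, handles IPv4 reverse zones only, and all host names and addresses are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample export (not from the original post).
A_RECORDS = [
    ("web01.lab.example.com", "192.168.1.10"),
    ("web02.lab.example.com", "192.168.1.11"),
    ("db01.lab.example.com", "192.168.1.12"),
    ("old-app.lab.example.com", "192.168.1.11"),   # left behind by a deleted VM
]
PTR_RECORDS = [
    ("10.1.168.192.in-addr.arpa", "web01.lab.example.com."),
    ("11.1.168.192.in-addr.arpa", "web02.lab.example.com."),
    ("13.1.168.192.in-addr.arpa", "gone01.lab.example.com."),
]
LIVE_HOSTS = {"web01.lab.example.com", "web02.lab.example.com", "db01.lab.example.com"}


def norm(name):
    """Compare FQDNs case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()


def ptr_owner_to_ip(owner):
    """Turn '10.1.168.192.in-addr.arpa' back into '192.168.1.10' (IPv4 only)."""
    labels = norm(owner).split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        raise ValueError(f"not a full IPv4 PTR owner name: {owner!r}")
    return str(ipaddress.ip_address(".".join(reversed(labels[:4]))))


def audit_dns(a_records, ptr_records, live_hosts):
    """Return sorted (kind, subject) findings for forward/reverse inconsistencies."""
    forward = {(norm(n), str(ipaddress.ip_address(ip))) for n, ip in a_records}
    reverse = {(ptr_owner_to_ip(o), norm(target)) for o, target in ptr_records}
    live = {norm(h) for h in live_hosts}

    names_by_ip = defaultdict(set)
    for name, ip in forward:
        names_by_ip[ip].add(name)

    findings = []
    # One address claimed by several names: a new VM may collide with an old record.
    findings += [("duplicate-ip", ip) for ip, names in names_by_ip.items() if len(names) > 1]
    # A record without a PTR that points back to the same name.
    findings += [("missing-ptr", f"{n} -> {ip}") for n, ip in forward if (ip, n) not in reverse]
    # PTR record whose target has no matching A record.
    findings += [("orphan-ptr", f"{ip} -> {n}") for ip, n in reverse if (n, ip) not in forward]
    # Any record for a machine that is no longer in the inventory.
    known = {n for n, _ in forward} | {n for _, n in reverse}
    findings += [("stale", n) for n in known if n not in live]
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject in audit_dns(A_RECORDS, PTR_RECORDS, LIVE_HOSTS):
        print(f"{kind:13} {subject}")
```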

Disable the module:

If you have the DNS module installed but for some reason are not using it or need to disable it, then follow the steps below:

  • If you do not have the DNS module configured, and try to deploy a catalog item, you will get an error like “Error: DNS Registeration could not find a DNS Configuration for the Hostname and/or IP of <servername> / 192.168.1.10 (Workflow:DNS machineBuilding / Add DNS (item10)#65)”
  1. Click on Design -> Blueprint
  2. Edit Blueprint
  3. Click on the blueprint vSphere machine on the Design Canvas.
  4. Click on properties tab
  5. Click on Custom Properties tab
  6. Click +New
    • Name = “SovLabs_DisableDNS”
    • Value = “true”
  7. Click OK
  8. Click Save
  9. Repeat these steps for all blueprints that should use this custom naming.

Links:

http://docs.sovlabs.com/vRA7x/current.html#microsoft-dns

http://docs.sovlabs.com/vRA7x/current.html#infoblox-dns

http://docs.sovlabs.com/vRA7x/current.html#bluecat-dns

http://docs.sovlabs.com/vRA7x/current.html#bt-diamond-ip-dns

 

SovLabs: Microsoft Active Directory module

Windows servers require Microsoft AD; it is an integral part of the server architecture. I am not going to get into much detail on the directory service since this blog is focused on how SovLabs interacts with it.

The module has many features, which can be viewed on the website here, but some of the highlights are:

  • Handles simple to complex globally distributed multi-domain, multi-site MS AD environments
  • Registers/cleans computer account with Active Directory
  • Supports placement in a “build OU” during provisioning in order to facilitate software deployments/configurations that require a less restrictive Group Policy
  • Supports dynamic creation and removal of OUs
  • Employs several methods to improve reliability of registration/cleanup to mitigate failures, such as retry logic and post validation checks

 

Prerequisites:

  1. Identify the Domain Controllers to be used, or if policy dictates no direct connections are allowed then identify a proxy server.
    • If using a proxy server then make sure the environment setup is complete by following these steps
    • Windows 2012 R2 required
  2. Setup WinRM
    • WinRM must be enabled for SovLabs modules utilizing any Windows servers in the environment (for AD, DNS, IPAM, Puppet, etc.)
    • Follow these steps
  3. Install AD Webservices on all the DCs that will be used.
  4. Verify NTP settings
  5. “Shell access type” for the user account with permissions must be set to Command Prompt.

 

Active Directory Example:

I am going to initially deploy the computer object in the following OU which is used for pen testing: (BUILD OU)

  • OU=vra_BuildDeployment,OU=Servers,OU=Lab,DC=sovsys,DC=com

Then after pen testing is completed, I will move the computer object to the following OU:

  • OU=vra_Deployment,OU=Servers,OU=Lab,DC=sovsys,DC=com

Since I have production and development (lab) environments, I would like to create the computer object in different OUs.  I can handle this through a custom property and the SovLabs Template engine.

SovLabs.AD.Environment.OU        –       defined on Business group

This will update my OUs to the following:

  • OU=vra_BuildDeployment,OU=Servers,OU={{SovLabs.AD.Environment.OU}},DC=sovsys,DC=com
  • OU=vra_Deployment,OU=Servers,OU={{SovLabs.AD.Environment.OU}},DC=sovsys,DC=com
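The templated OUs above put a custom property value straight into a distinguished name, so that value decides where the computer object lands. The following is an added Python example (not SovLabs code and not from the original post) that renders the two templates with an allow-list and RDN escaping; the allow-list values, function names and rendering logic are assumptions, and how the SovLabs Template engine itself treats such values is not described here.

```python
import re

# OU templates copied from the post; the placeholder is a vRA custom property.
BUILD_OU = "OU=vra_BuildDeployment,OU=Servers,OU={{SovLabs.AD.Environment.OU}},DC=sovsys,DC=com"
FINAL_OU = "OU=vra_Deployment,OU=Servers,OU={{SovLabs.AD.Environment.OU}},DC=sovsys,DC=com"
# Assumption: the environment OUs a business group may target (constructed values).
ALLOWED_ENVIRONMENTS = {"Lab", "Production"}
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def escape_rdn_value(value):
    """Backslash-escape characters that are reserved inside one RDN value."""
    if "\x00" in value:
        raise ValueError("NUL is not accepted in an OU name")
    out = []
    for i, ch in enumerate(value):
        # Leading space or '#', and trailing space, are also reserved.
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        out.append("\\" + ch if ch in ',+"\\<>;=' or edge else ch)
    return "".join(out)


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(current))
            current = []
            continue
        current.append(ch)
        escaped = (ch == "\\") and not escaped
    parts.append("".join(current))
    return parts


def render_ou(template, properties, allowed=ALLOWED_ENVIRONMENTS):
    """Fill {{name}} placeholders; reject unset or unlisted values."""
    def substitute(match):
        name = match.group(1)
        if name not in properties:
            raise KeyError("custom property not set: " + name)
        if allowed is not None and properties[name] not in allowed:
            raise ValueError("value not on the allow-list for " + name)
        return escape_rdn_value(properties[name])

    dn = PLACEHOLDER.sub(substitute, template)
    # Post-validation: the substitution must not add or remove DN components.
    if len(split_rdns(dn)) != len(split_rdns(template)):
        raise ValueError("rendered DN has a different number of components")
    return dn


if __name__ == "__main__":
    lab = {"SovLabs.AD.Environment.OU": "Lab"}
    print(render_ou(BUILD_OU, lab))
    print(render_ou(FINAL_OU, lab))
```

With the property set to Lab, the two rendered DNs match the build and final OUs listed earlier in this example.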

 

Configuration:

  1. Add Microsoft Endpoint
    1. Log in to vRA Tenant
    2. Select Catalog -> SovLabs vRA Extensibility
    3. Click Request button on “Add Microsoft Endpoint”
    4. Enter Configuration label
      • Only alphanumeric characters, no spaces or special characters except: - and _
    5. Select connection method
      • Select how the SovLabs modules will connect to the target or proxy Microsoft server
    6. Enter hostname
      • FQDN of AD server
    7. Use non-standard ports = no
    8. Is a proxy host = no
      • For my instance I am connecting directly to the AD server.
    9. Enter username and password
    10. Advanced configuration is only necessary when local administrator access cannot be given to the service account.
      • temporary directory = blank
      • share path = blank
    11. Click Submit
  2. Add Active Directory Configuration
    1. Select Catalog -> SovLabs vRA Extensibility
    2. Click Request on Add ActiveDirectory Configuration
    3. Enter configuration label
      • Only alphanumeric characters, no spaces or special characters except: - and _
    4. Select Microsoft Endpoint
      • created earlier
    5. Select Computer name case
      • Choose whether the computer name added in AD is all uppercase or all lowercase
      • If you are using the Puppet module, set this to lowercase; otherwise it will cause problems with authentication, because the certificates created for the Puppet agent are always in lowercase.
    6. Use Build OU
      • Select yes if computer needs to be placed in an interim OU.
      • If yes, fill in create and remove OU, otherwise leave those blank.
      • OU=vra_BuildDeployment,OU=Servers,OU={{SovLabs.AD.Environment.OU}},DC=sovsys,DC=com
    7. OU
      • ActiveDirectory Organizational Unit (OU) in DN format for computer/VM to join
      • OU=vra_Deployment,OU=Servers,OU={{SovLabs.AD.Environment.OU}},DC=sovsys,DC=com
    8. Security Group
      • List all AD security groups the server should join
    9. Delete computer account
      • If you select yes, it will try to find the computer account and delete it, regardless of which OU it is in.
    10. Click Submit

 

Enable the module:

Now we need to enable the custom properties module on our blueprint:

  1. Click on Design -> Blueprint
  2. Edit Blueprint
  3. Click on the blueprint vSphere machine on the Design Canvas.
  4. Click on properties tab
  5. In the properties group section click +Add
  6. Check the box for:
    • SovLabs-EnableLifecycleStubs
    • Microsoft Active Directory property group (starts with SovLabs-AD-)
    • Do not attach more than 1 Microsoft Active Directory property group to a blueprint vSphere machine object.
  7. Click OK
  8. Repeat these steps for all blueprints that should use this custom naming.

 

Now deploy a VM and watch the magic happen. Effortless, predictable, consistent and best of all no manual input of placing the created computer object in a specific OU.

vRA & SovLabs: BIG-IP F5 load balancer

In a previous life I had to set up a lot of VMs with Load Balancer connectivity for development, QA testing and production.  This was always a slow painful process because even though I was able to quickly deploy the VMs, I had to open a ticket with the network team and provide lots of detailed information to create the Pool and VIP entries, and then wait to receive the IP address so that I could ask the AD team to create the DNS entry. Fun times!

With the F5 load balancer SovLabs module, this is no longer the case and you can automatically perform the following tasks, all within the same catalog request for your application through vRA:

  • Create the F5 Pool
    • The Pool name is created with the SovLabs custom naming module, so it can match the current naming standards of your networking team.
  • Add the pool members
    • Automatically add all the vSphere machines within the blueprint as pool members
  • Create the VIP
    • Automatically retrieve the VIP IP Address from your IPAM solution
    • The VIP name is created with the SovLabs custom naming module, so it can match the current naming standards of business and/or application.
    • Automatically create the DNS A-record for the VIP name

The module has many features which can be viewed on the website here, but some of the highlights are:

  • First-class citizen design; drag directly into vRA Blueprint Canvas  (This is awesome)
  • Associate machine components by linking to the F5 Virtual component in the vRA Blueprint Canvas
  • Option to reuse an existing F5 BIG-IP virtual server or create a new one
  • Supports nested vRA Blueprints
  • Supports vRA scale in, scale out for deployments
  • SovLabs Restipes can create/delete F5 BIG-IP VIP/Pool/Nodes and assign Nodes to/from Pool
  • Ability to specify F5 BIG-IP VIP name, IP address, and port at request time
  • Option to integrate IPAM and/or DNS for F5 BIG-IP VIP assignment and DNS registration with Infoblox, BlueCat, Microsoft, SolarWinds, Men and Mice, BT Diamond IP at request time
  • Supports multiple DNS domains for optional DNS registration at request time
  • Option to integrate naming standard/sequence definitions for F5 BIG-IP VIPs and Pools at request time
  • When a Catalog item is destroyed, F5 entries will automatically be cleaned up.

 

Prerequisites:

  1. A user account configured in F5 BIG-IP® that has Administrator role/access:
    • Add/Remove F5 BIG-IP Virtual Servers
    • Add/Remove F5 BIG-IP Pools
    • Add/Remove F5 BIG-IP Nodes and Pool node members
    • Optional: Add F5 BIG-IP Virtual Server iRules, Add F5 BIG-IP Server/Client SSL Profiles, Add F5 BIG-IP Pool Health Monitors
  2. Log in to the vRA tenant
    1. Add license for F5 module
    2. Validate the following show up on the Catalog page:
      • Add F5 Endpoint
      • F5 Virtual
      • Manage Credential Configurations
      • Manage Restipe Configurations

 

Configuration:

  1. Add F5 Endpoint
    1. Log in to vRA Tenant
    2. Select Catalog -> SovLabs vRA Extensibility
    3. Click Request button on “Add F5 Endpoint”
    4. F5 Endpoint
    5. Enter Configuration label
      • Only alphanumeric characters, no spaces or special characters except: - and _
    6. Enter hostname
      • FQDN or IP address of the F5 management address
    7. HTTPS = yes
    8. Port = 443
    9. Credential Configuration
    10. Create credentials = yes
      • If you have not set up any yet, which is the case for me
    11. Enter Configuration label
      • Only alphanumeric characters, no spaces or special characters except: - and _
    12. Enter username and password
      • I am using the built-in admin account
    13. Click Submit
  2. Manage Restipe configuration
    1. What is a restipe, you might ask? Well, I had the same question, or should I say look on my face.  The documentation states the following: “‘infrastructure as code’ approach for defining the steps used to create, reuse, remove and scale F5 BIG-IP structures, such as VIPs, Pools, and Nodes/Member”
    2. You do not have to create or update a restipe; that is only needed for specific use cases, so for now you can skip this, but I did want to provide information below on how to access it.
    3. Select Catalog -> SovLabs vRA Extensibility
    4. Click Request on Manage Restipe configuration
    5. You can either create a new restipe, or update/delete restipes.
      • If you select action = update it will populate the restipe field with the default functional restipe that SovLabs provides.  Bonus!
      • If you do make an update, I would recommend copying out the restipe text and saving it to a file as a backup.
    6. If you need to create a custom restipe, then read the SovLabs Restipe guide here.

F5 example:

I have a blueprint with 2 x vSphere machine objects.  Each VM has a Puppet Node group assigned which installs Apache through the SovLabs Puppet enterprise module.

  • I created a new Naming standard for the F5 VIP names, which will also be assigned automatically to MS DNS.
  • I created a new Naming standard for the F5 Pool names

 

Enable the module:

The F5 plugin is a first class citizen in vRA which allows for it to be dragged into a blueprint through the design canvas, sweet!   This is a first for SovLabs and makes this plugin very easy to consume.

  1. Log in to the vRA tenant
  2. Click on the Design tab > Blueprints
  3. Create a new blueprint or select an existing blueprint name and click Edit
    1. Under Categories (on left pane), click on Other Components
    2. Drag and drop F5 Virtual – SovLabs Modules onto the Design Canvas
    3. Tie the F5 Virtual VIP canvas item to the vSphere Machine canvas item by dragging the arrow FROM F5 Virtual VIP TO the vSphere Machine.
    4. Click on the F5_Virtual canvas item and a window pane will appear on the bottom
    5. Click Step tab
    6. Modify fields as desired by setting the default values for fields and other advanced settings and clicking on Apply for each field
      Setting default values or advanced settings on the fields controls what a requester sees and can select at request time of the vRA blueprint.

      1. General
      2. Select F5 Endpoint, which we created earlier in this blog
      3. Select the Restipe F5Config-Default.
        • I did not have to make any changes to the default restipe provided by SovLabs.
      4. Virtual Server
      5. Create new VIP = yes
      6. Select Partition
        • In my case I selected Common
      7. Register VIP in DNS using Virtual name and IP = yes
        • So easy with just a checkbox!
      8. Automatically assign Virtual name = yes
        • This requires that you have a naming standard created using the SovLabs custom naming module.
        • Select Naming Standard for Virtual Machine = select custom naming label from drop down box.
      9. Enter domain name for DNS registration
      10. Automatically assign Virtual IP = yes
        • This requires that you have an IPAM profile created using the SovLabs IPAM module.
        • Select IPAM Profile for Virtual IP = select from the drop down box.
      11. Virtual port = 0
      12. Select SSL Profile (Client)
        • This will populate with the SSL profiles that your networking team has configured on the selected F5 endpoint, which means they do not have to worry about losing control of these important configurations.
      13. Select SSL Profile (Server)
        • This will populate with the SSL profiles that your networking team has configured on the selected F5 endpoint, which means they do not have to worry about losing control of these important configurations.
      14. Select Virtual iRules
        • This will populate with the iRules that your networking team has configured on the selected F5 endpoint, which means they do not have to worry about losing control of these important configurations.
      15. Pool
      16. Automatically assign pool name = yes
        • This requires that you have a naming standard created using the SovLabs custom naming module.
      17. Select Naming Standard for Virtual Machine = select custom naming label from drop down box.
      18. Load Balancing method = round-robin
      19. Assign Health Monitors = yes
        • I added http for my test
      20. Health Monitor Availability Requirement
        • Pick if you want a single health monitor to match or multiple.
  4. Click Save
  5. Click Finish

To add additional node level settings during request time:

  1. Click on Design -> Blueprint
  2. Edit Blueprint
  3. Click on the blueprint vSphere machine on the Design Canvas.
  4. Click on the Properties tab
  5. In the Property Groups section:
    •  Check the SovLabs-F5NodeConfigurations property group
  6. Click OK

 

Manage the vRA user's ability to make changes to the virtual F5 configuration during request:

By default, when a user requests a blueprint, which has the F5 module added, they will only see blank fields where the Blueprint Architect previously configured the F5 settings.  These settings can then be altered by the user.

But what if you do not want the user to make any changes and just want them to use all the F5 settings that were configured in the blueprint?

  1. Click on Design -> Blueprint
  2. Edit Blueprint
  3. Click on the F5_Virtual on the Design Canvas.
  4. Select the Step tab
  5. For any of the configuration settings that you want to set permanently for this blueprint, or even make invisible, follow these steps
  6. Select the settings field, which could be a dropdown box, text field or check box. This will display additional information on the right-hand side.
    1. Set required yes or no
    2. Set the default value to display.
    3. Click on Advanced settings
      • Set required = constant = no
      • Set read only = constant = yes
      • Set visible = constant = no
        1. If you do not want users to see the field during the request.
    4. Click Apply
  7. Click Save
  8. Click Finish

 

Scale out and Scale in capabilities:

One last cool part is the automatic scale-out and scale-in of your deployed application.  As you can see I have a deployed Catalog item which consists of two CentOS Web servers, which I deployed Apache on through the Puppet Enterprise SovLabs module, as well as the F5 load balancer configuration.

  1. Select the top-level catalog item
  2. Click Actions
  3. Click Scale Out
  4. Select the virtual machine
  5. Select the number of instances that you want to scale out to.
  6. Click Submit.
  7. Click OK to confirm the number of scale-out instances and total number of instances.

This request will now automatically perform the following tasks:

  • Add a new VM
    • Pull IP address from SovLabs IPAM endpoint
    • Create custom name from SovLabs custom naming module
    • Add the DNS A-record to MS DNS through SovLabs DNS module
    • Install Apache on the VM through SovLabs Puppet Enterprise module
  • Add server to F5 pool
    • Add the custom name and IP Address associated to the newly created VM object to the F5 pool through the SovLabs F5 module.

Scale out was successful and took just over 10 minutes to complete, including an application installation.

The new VM was added to the catalog item in vRA as well as to the existing F5 pool.  Awesome, and the same can be done for Scale in!

As you can see the configuration of this module is super simple and it provides a big relief from the mundane work of manual provisioning, not just for the VMware admins and application owners but also for the network team, while still keeping control of the F5 configuration.