WilliamLam.com

Easily try out vSAN 6.6 Encryption feature using KMIP Docker Container

by // 4 Comments

One of biggest feature introduced in the upcoming vSAN 6.6 release is the native vSAN Data-at-Rest Encryption capability. My good friend Duncan Epping even posted a video recently demo'ing the feature and showing how easy it is to enable with just a couple of clicks. Just like VM Encryption which was introduced in vSphere 6.5, vSAN Encryption also requires a Key Management Interoperability Protocol (KMIP) Server which needs to be associated with your vCenter Server.

The really nice thing about this is that because both VM Encryption and vSAN Encryption uses the exact same encryption library, as long as you have a supported KMS (which you can find over on the VMware KMS HCL here, more are being certified and added), you can actually leverage the same KMS for both types of encryption across different vSphere Clusters with different requirements. For the ultra paranoid, you could even "double" encrypt by running Encrypted VMs on top of a vSAN Encrypted Datastore 😉

As with any feature that relies on 3rd party tools, it can take some time to acquire evaluational licenses. For those of you who would like to try out either vSAN or VM Encryption from a functional standpoint, you can quickly get started in under a few minutes by using the KMIP Docker Container that I had built last year. This is a great way to familiarize yourself with the workflow or even try out some of the new vSphere and vSAN APIs if you plan to automate the KMIP configuration or even deployment of encrypted VMs. Another great use case for this is doing live demos and all you need is just a couple of Nested ESXi VMs and a Docker Container Host like Photon OS or even just your laptop for example. Below are the instructions on how to get started.

Disclaimer: It is also very important to note that you should NOT be using this for any production workloads or any VMs that you care about. For actual production deployments of VM Encryption or vSAN Encryption, you should be leveraging a production grade KMIP Server as PyKMIP stores the encryption keys in memory and will be lost upon a restart. This will also be true even for the virtual appliance, so this is really for quick evaluational purposes, do NOT run anything important that you care about due to the risks mentioned earlier.

[Read more...]

Project USB to SDDC - Part 2

by // 1 Comment

In the previous article, I provided some background on the origin of the project. In this article, we will now focus on the technical details and how the solution actually works.

Hardware

This solution was originally developed against an Intel NUC but I had designed it to be generic so that it could run on any system which meets the minimum requirements which is just having two disks (HDD & SSD or two SSDs) which is used to create a vSAN datastore.

Here is the BOM for the Intel NUC that we had used:

During the Sydney VMUG, we had did a live demo using an Intel NUC. Prior to the Melbourne VMUG, fellow VMware colleague Tai Ratcliff reached out and offered to let us borrow his Supermicro kit for the demo which was great as the hardware was much beefier than the NUC. Thanks Tai!


I had already been hearing great things about E200-8D platform but I had not had the opportunity to get my hands on the system to play with. After only spending a little bit of time with the platform while prepping for the VMUG event, I can see why is a pretty slick system for a vSphere/vSAN based home lab, especially if you need to go beyond 32GB of memory which is where the Intel NUCs currently max out at.

The other appealing features for this platform is that it comes with 2x10GbE, 2x1GBe and an IPMI interface for remote management which is a huge benefit for not needing to connect an external monitor and keyboard. The system is also Xeon based w/6-Cores and can go all the way up to 128GB of memory. Tai had also recently published a blog article comparing the Supermicro E200-8D and the Intel NUC, which I think is worth a read if you are deciding between these two platforms.

Note: If you are considering purchasing the Supermicro E200-8D or any other system for that matter, check out this exclusive vGhetto discount here.

[Read more...]

Native VCSA bootstrap installer in vSAN 6.6

by // 5 Comments

Graphic courtesy of Emad Younis

Almost four years ago, I documented a really cool vSAN capability here and here, which demonstrates how to bootstrap a vSAN datastore onto a single ESXi host. This powerful capability, which was by design, enables customers to easily standup new infrastructure including the vCenter Server Appliance (VCSA) in a pure greenfield environment where you only had bare-metal hardware to start with and no existing vCenter Server.

As you can probably guess, I am a huge advocate for this capability and I think it enables some really interesting use cases for being able to quickly and easily stand up a complete vSphere environment without having to rely on an external storage array or playing games with Storage vMotion'ing the VCSA between local VMFS and the vSAN datastore for initial provisioning.

Over time, this vSAN capability has gone mainstream not only from a customer standpoint but also internal to VMware. In fact, the use of this feature has made its way into several VMware implementations including but not limited to VMware Validated Designs (VVD), VxRail, VMware Cloud Foundation (VCF) and even in the upcoming VMware Cloud on AWS. This really goes to show how useful and critical of a feature this has become for standing up brand new VMware infrastructure which runs on top of vSAN. Huge thanks goes out to the original vSAN Architects who had envisioned such use cases and designed vSAN to include this functionality natively within the product and not have to rely or depend on vCenter Server.

[Read more...]