WilliamLam.com

Managing Distributed Firewall Rules in VMC using PowerShell & NSX-T Policy API

01.04.2019 by William Lam // Leave a Comment

Back in November 2018, VMware Cloud on AWS (VMC) SDDC 1.5 Patch 1 was released and it was one of the most highly anticipated release by our customers. Although this was a "patch" release, it included a ton of new features and also brought the full power of the NSX-T platform to VMC as a generally available feature!

With NSX-T, customers also now have access to the highly requested Distributed Firewall (DFW) capability which enables granular control over East-West traffic between application workloads. In addition to enabling micro-segmentation in VMC, customers can now easily manage DFW rules using a number of grouping constructs (Tags, Virtual Machines & Conditional Statements) to create dynamic policies which follow their workloads.

Customers can configure DFW (as well as Edge Firewall) rules using the VMC Console UI but many of you have been asking for an automated method, especially if you need to create a large number of policies for more than a couple of workloads. After returning from the holiday, I spent the last couple of days updating my NSX-T Policy PowerShell Module which now includes basic support for managing DFW. For those of you who are new to using the NSX-T Policy API and PowerCLI, be sure to give these two articles a read here and here before proceeding further.

[Read more...]

Supermicro Home Lab Group Buy

01.02.2019 by William Lam // 35 Comments

Happy New Years everyone! I was supposed to get this out right before the holidays but #babylam got really sick and I had to put this on hold.

Back in November I threw out an idea on Twitter to see if the #vCommunity would be interested in doing a group buy for some Supermicro kits, especially for those looking to upgrade their personal home labs to take advantage of all the new VMware goodies such as vSAN, NSX and PKS for example.

Just thinking out loud … but would the #VMware Home Lab Community be interested in a potential Group Buy for Supermicro gear? Could be bare-bones chassis or some package configuration with memory + storage?

— William Lam (@lamw.bsky.social | @*protected email*) (@lamw) November 14, 2018

Within minutes, I had several dozen replies and it was clear that folks were definitely interested in refreshing their lab, especially with a smaller and more modern platform. Over the last few weeks, I have been working with MITXPC (who I have worked with before) on putting together some packages that would appeal to the majority of the community. Initially, I was thinking about three options: system-only (no memory/storage), system with memory (no storage) and system with memory and storage. To be clear, system means complete chassis with CPU and motherboard included. Please see the product links below for more details.

Disclaimer: I am not affiliated with MITXPC nor am I receiving any referral bonus/compensation for the discounts listed below.

[Read more...]

Is a DNS server still required when using a Static IP for VCSA?

12.20.2018 by William Lam // 7 Comments

When deploying a vCenter Server Appliance (VCSA), customers have two options for setting up a static network address: using either a hostname (Fully Qualified Domain Name) or just a static IP Address (e.g. no DNS). In the first option when using an FQDN, it should be no surprise that you need to also specify a valid DNS Server which the VCSA UI/CLI Installer will automatically validate both the forward and reverse address. This is the most common deployment model for customers in both production as well as for development environments such as a vSphere home lab.

In the second scenario, where a static IP Address is used, a DNS server is not required because we are NOT using an FQDN for the hostname but rather an IP Address. Having said that, if you have ever used the VCSA UI or CLI, you will find that the DNS Server entry is actually a required field and you can not proceed without providing an address.

VCSA UI Installer:

VCSA CLI Installer:

"network": {
    "ip_family": "ipv4",
    "mode": "static",
    "ip": "192.168.30.151",
    "dns_servers": [
        "192.168.30.1"
    ],
    "prefix": "24",
    "gateway": "192.168.30.1",
    "system_name": "192.168.30.151"
}

As mentioned earlier, we know that it should not be required but currently the VCSA Installer is a bit overly cautious in its pre-checks and does require a value today. This is something that has already been shared internally and the team will be relaxing this requirement in the future.

With that said, this leads us back to the original question posed in the blog title, do we need a valid DNS server when using a static IP for the VCSA?

[Read more...]