vSAN 6.7 Encryption

In vSphere 6.5 VMware introduced the possibility to encrypt Virtual Machine data on a per-VM basis. This is achieved using VAIO filtering, and a specific storage policy indicates whether a VM needs to be encrypted or not.

With vSAN 6.6 another way of encryption was introduced: the entire vSAN datastore is encrypted, and as a result every VM that is stored on the vSAN datastore gets encrypted (so no specific policy is required).

For both encryption methodologies a KMS server (or a cluster of KMS servers for production environments) that supports the KMIP protocol needs to be installed and configured in vCenter. Although both vSphere and vSAN encryption can use the same configured KMS server/cluster, there is a small but important difference in the way the keys required for encrypting the data are communicated to the ESXi hosts.

In the case of vSphere (VM) encryption, ESXi needs to be able to communicate with vCenter to get the specific Key Encryption Key (KEK) for a VM when that VM needs to start (or is created). So when vCenter is not available, such actions possibly cannot be initiated.

For vSAN encryption however, an ESXi host only needs to communicate with vCenter when vSAN encryption is enabled. At that moment the KEK IDs required to store the Data Encryption Keys (DEKs) that are used to encrypt the disks are sent from vCenter to the ESXi hosts. Using these KEK IDs the host communicates directly with the KMS server to get the actual KEK.

To show this mechanism I have created a little demo video. For my own educational purpose I have used the vSphere (and vSAN) 6.7 version which allows me to use the new vSphere (HTML5) client functionality.


Upgrading my vSAN Cluster

Some time ago I decided to upgrade my home lab environment running vSphere (from 6.0 U3 to 6.5 U1) and vSAN (from 6.2 to 6.6.1).

I started with upgrading the vCenter appliance, which is quite a smooth upgrade process. The only problem I had is that initially the upgrade wizard did not give me a choice to select “Tiny” as the size for the new appliance. This appeared to be an issue with the disk usage of the existing appliance. After deleting a bunch of old log files and dump files from the old vCenter appliance I retried the upgrade wizard and this time the “Tiny” option was available – which is a better fit for my “tiny” lab 🙂 – and the upgrade process went just fine.

Next up was the ESXi upgrade (I have three hosts). First try was doing an in-place upgrade using Update Manager.


VMware vSAN Specialist exam experience

Recently VMware Education announced the availability of the “vSAN Specialist” exam which entitles those who pass it to receive the “vSAN Specialist 2017” badge. The badge holder is a “technical professional who understands the vSAN 6.6 architecture and its complete feature set, knows how to conduct a vSAN design and deployment exercise, can implement a live vSAN hyper-converged infrastructure environment based on certified hardware/software components and best practices, and can administer/operate a vSAN cluster properly“.

As I consider myself to be a vSAN specialist I thought this one should be rather easy to achieve, so after I read about it last week, I immediately scheduled my exam at Pearson VUE and took it today.


Creating a new vSAN 6.6 cluster

Last month VMware released vSAN version 6.6 as a patch release of vSphere (6.5.0d). New features included Data-at-Rest encryption, enhanced stretched clusters with local protection, the change of vSAN communication from multicast to unicast and many more.
Perhaps a little less impressive but still very useful is the (simple) way a new vSAN cluster is configured. To illustrate this I have recorded a short demo of the configuration of a new vSAN 6.6 cluster.


Deleting a vSAN datastore

I am a big vSAN fan and use it in my own Home Lab for most of my VMs (the main exception being the VMs used for backing up … they are on my QNAP fileserver connected via iSCSI). My vSAN cluster configuration is quite static and the only thing that might change in the near future is increasing the capacity by adding an additional ESXi host to the cluster.

Currently I am running vSAN version 6.2 and since the environment is very stable and it is my “production” environment I don’t plan to upgrade to the latest and greatest version yet. Still, I do want to work with the newer versions and functions (like the iSCSI target) to become familiar with them and stay up to date with my vSAN knowledge, so I have a test (virtual) vSphere 6.5 cluster with vSAN 6.5 installed, currently in a 2-node (ROBO) setup with an additional witness appliance.

With the release of vSAN 6.6 (check out the release notes here) I wanted to upgrade my vSAN 6.5 environment. Actually I decided to create a new vSAN 6.6 cluster from scratch with my existing ESXi hosts, which means I first had to delete my existing vSAN 6.5 datastore.


Cisco joins the HCI club

This week Cisco introduced their hyperconverged infrastructure (HCI) solution called HyperFlex (aka the HX Data Platform). The solution is a combination of Cisco UCS hardware (both server and networking components), VMware vSphere software as the hypervisor layer and the Springpath Data Platform software as the (converged) storage layer.

The latter is a relatively new player in the HCI market and only recently came out of stealth (I wrote about it last year). Since currently the Springpath software only supports VMware, both HX models that were announced come with ESXi pre-installed. In the future Springpath is expected to also support other hypervisors (Hyper-V and KVM were already mentioned), so probably other HX models will be available in the future as well.

Although based on the existing UCS hardware, the Cisco HyperFlex solution exists only as a completely pre-configured system. It is not possible to “build-your-own” HyperFlex system. Of course with a combination of Cisco UCS, VMware vSphere and Springpath you can create a system that is very similar to the pre-built configurations, but the advantage of the Cisco HyperFlex solution is that you only need to deal with a single support contact. Also, by only supporting the pre-built configuration Cisco is better able to guarantee performance levels. This approach looks similar to Nutanix, which basically is a software product, but is only sold as a solution packaged with server and storage components.

Cisco differentiates itself, however, by also including the networking stack in the solution. Again this is mainly an advantage with regard to ease of support, as I guess that in many environments where HCI is installed, the networking part is also taken care of by Cisco components.


VMware Virtual SAN Announcements

This week was an exciting week for VMware Virtual SAN enthusiasts (of which I am one). I’m looking forward to checking out the new features and functions as they become available with version 6.2 (VMware stated this would be by the end of the quarter). With these features the Virtual SAN solution becomes quite a mature storage solution, comparable in feature set with many traditional (SAN/NAS) midrange storage systems. Among the features that will become available with the core product are:

  • Checksumming … making data integrity more robust
  • IOPS limits per object … improving Storage based QoS
  • Deploying thin swap objects … decreasing the overhead required for swapping (which you would want to prevent anyway)
  • Improved Virtual SAN management capabilities in the WebClient … removing the need for additional (RVC based) tools


VMware Advanced Professional (VCAP) certification not going away

With the introduction of vSphere 6.0 VMware introduced a new level of certification called VCIX6-DCV (with “IX” standing for “Implementation eXpert”). In order to achieve this certification one needs to pass two exams, focusing on Deployment and Design respectively. VMware has announced that these two exams will be available early 2016 and that they will be comparable to the former VCAP5-DCA and VCAP5-DCD exams.

Initially VMware had planned to retire these two individual certifications, replacing them with the single VCIX6-DCV certification. Recently however VMware has announced that people will still be able to achieve these two Advanced Professional certifications for vSphere 6. Achieving both certifications will grant individuals the right to carry the VCIX6-DCV badge.

Anyone who already holds one of the two advanced certifications for vSphere 5 can upgrade to VCIX6-DCV by taking the vSphere 6 version of the “other” exam (so take the Design exam if you hold the VCAP5-DCD, or the Deployment exam if you hold the VCAP5-DCA).

VCIX6-DCV will be a requirement to move to the highest VMware certification level: VCDX6-DCV.

Springpath Hyperconverged Infrastructure

Hyperconverged Infrastructure (HCI) is a hot topic these days. Its promise is increased flexibility (agility) and scalability at a lower cost than infrastructures based on traditional shared storage (SAN/NAS), while retaining the functionality that we have become accustomed to (like snapshots, cloning and replication) and supporting most enterprise application environments.
Creating a hyperconverged infrastructure can be achieved very easily with the building-block concept of companies like Nutanix and SimpliVity. You can start very simple by creating a cluster of (usually) only 3 nodes and gradually increase the size of your infrastructure when required by simply adding nodes to the existing environment. The potential disadvantage of this (hardware) appliance-based approach is that you are usually limited in your choice of appliance configuration (amount of CPU, memory and type/capacity of storage devices). This means that you could end up with an infrastructure with too much CPU, too much memory or too much storage capacity (so too much investment …).