In this blog we discuss preparing for the administration of your VMware Cloud on AWS SDDC. This includes the management options to consider, the decisions to make and the information to collect in order to hit the ground running with your new cloud environment the day you deploy it.
Organizational Users and Roles
VMware Cloud on AWS accounts are based on an Organization, which corresponds to a group or line of business subscribed to VMware Cloud on AWS services. Your MyVMware account is used to create the Organization and will make you an Organization Owner, allowing you to invite new users. New users can be assigned the Organization Owner role or the Organization Member role. Both types of users can manage the SDDC cloud, but only Organization Owners can invite more users.
Both user types have access to all the resources and services of the Organization and can create, manage, and access SDDCs belonging to the Organization. The major tasks performed by organization users include, but are not limited to:
– Adding and removing hosts to the SDDC
– Configuring the management network for vCenter access/administration: VPN, DNS, Firewall rules
– Configuring and maintaining the compute network for workloads: logical networks, firewall rules, NAT, VPN, DNS, Public IPs
vCenter Users, Roles and Administration
In the cloud SDDC, VMware performs numerous administration tasks for you. This includes, but is not limited to, managing the lifecycle of the cloud SDDC software stack (deployment, configuration, patching, etc.), configuring the AWS infrastructure, and adding/removing hosts and networks during failure scenarios or cluster-scaling operations. Because the service is doing all of this for you, a Cloud Administrator in the SDDC requires fewer privileges than an Administrator on an on-premises data center.
To better maintain the separation between the service and the customer, VMware Cloud on AWS introduced two new roles to the traditional vCenter user model: CloudAdmin and CloudGlobalAdmin. These new roles and their associated privileges ensure that the Cloud SDDC infrastructure is configured in a prescriptive deployment architecture and that customer cloud administrators cannot adversely reconfigure the management components or appliances. With this model, the customer cloud administrator has full control over their workloads while having a read-only view of management workloads and infrastructure.
– CloudAdmin Role: The CloudAdmin role has the necessary privileges for you to create and manage workloads on your SDDC. However, you cannot access or configure certain management components that are supported and managed by VMware, such as hosts, clusters, and management virtual machines.
– CloudGlobalAdmin Role: The CloudGlobalAdmin role is associated with global privileges and allows you to perform only certain global tasks, such as creating and managing Content Library objects.
A new vCenter user group called CloudAdminGroup will also be created and given the privileges associated with both roles.
For a detailed chart of all of the privileges mapped to these two roles, you can review the Privileges Reference for CloudAdmin and CloudGlobalAdmin on VMware docs.
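As an added example (not code from the original post or from VMware's documentation), the following PowerCLI snippet audits an SDDC vCenter for the two cloud roles described above: it lists the privileges each role carries and groups every permission by role so that any principal holding something other than CloudAdmin or CloudGlobalAdmin stands out during a review. The vCenter address is a placeholder and the credential prompt is an assumption; the role and group names are the ones the post describes.

```powershell
# Added example: audit CloudAdmin / CloudGlobalAdmin assignments in an SDDC vCenter.
# Assumes VMware PowerCLI is installed; the vCenter address below is a placeholder.
$vcenter = 'vcenter.sddc.example.invalid'   # placeholder, replace with your SDDC vCenter FQDN
Connect-VIServer -Server $vcenter -Credential (Get-Credential) | Out-Null

$cloudRoles = 'CloudAdmin', 'CloudGlobalAdmin'

# 1. Privileges carried by each cloud role, so you can confirm what a customer
#    administrator can and cannot do (no host, cluster or management VM configuration).
foreach ($roleName in $cloudRoles) {
    $role  = Get-VIRole -Name $roleName
    $privs = Get-VIPrivilege -Role $role
    Write-Host ("{0}: {1} privileges" -f $roleName, $privs.Count)
    $privs | Sort-Object Id | Select-Object -ExpandProperty Id
}

# 2. Every permission in the SDDC, grouped by role. Roles other than the two cloud
#    roles (for example, the ones held by VMware-managed service accounts) are flagged
#    so that they can be explained during a permissions review.
$perms = Get-VIPermission
$perms |
    Group-Object { $_.Role } |
    Sort-Object Name |
    ForEach-Object {
        $flag = if ($cloudRoles -contains $_.Name) { '' } else { '  <-- not a customer cloud role' }
        Write-Host ("`nRole: {0}{1}" -f $_.Name, $flag)
        $_.Group |
            Select-Object Principal, IsGroup, @{N = 'Entity'; E = { $_.Entity.Name }}, Propagate |
            Format-Table -AutoSize
    }

# 3. Confirm that the CloudAdminGroup created by the service still carries a permission.
$groupPerm = $perms | Where-Object { $_.IsGroup -and $_.Principal -like '*CloudAdminGroup*' }
if (-not $groupPerm) {
    Write-Warning 'No permission found for CloudAdminGroup; verify the SDDC configuration.'
}

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Run it after adding your own administrators so the output doubles as a record of who was granted cloud administrator rights on day one.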
Discrete vCenter Administration
Discrete administration refers to separate management platforms and processes for on-premises and cloud SDDC workloads. One of the benefits of a hybrid cloud is the ability to connect your public and on-premises clouds and to have unified management between the two environments. This, as you will see below, is easy to do with VMware Cloud on AWS. However, some customers may wish to manage their VMware Cloud on AWS separately from their on-premises environment and will not want to connect them together. This is possible with VMware Cloud on AWS, though you will be missing out on many of the benefits of a true hybrid cloud. To do this, you will need to manage vCenter users directly in the SDDC vCenter console: create the new users you want to give cloud administrator rights to and add them to the CloudAdminGroup described above.
Unified vCenter Administration
Unified administration refers to a unified management platform that spans your on-premises and cloud SDDC environments, creating a cohesive management strategy. Hybrid Linked Mode (HLM) is a brand-new feature available only for VMware Cloud on AWS that provides the ability to extend an administrator’s management view from on-premises to VMware Cloud on AWS. This may sound familiar if you are using Enhanced Linked Mode (ELM) in your on-premises environment. There are differences between ELM and HLM in their requirements, how they work, and what problem each is solving, which you can read more about in the blog article Enhanced Linked Mode (ELM) vs Hybrid Linked Mode (HLM).
Before jumping into the configuration of HLM, it’s good to have an understanding of the feature and its requirements. When a Cloud SDDC is deployed and configured, it is set up as its own stand-alone vSphere Single Sign-On domain. In order to manage both a Cloud SDDC and your on-premises vSphere SSO domain together, these two separate SSO domains need to establish a trust. They also need to retain their autonomy so that the SDDC has the flexibility to be created and destroyed as needed. For example, if we create HLM between a Cloud SDDC and an on-premises vSphere environment, we don’t want the two environments to become fundamentally dependent on each other. Maintaining this separation gives us the ability to tear down HLM without breaking permissions and creating a huge mess.
HLM is a flexible solution that allows us to jointly manage both the VMware Cloud on AWS and on-premises SSO domains. HLM provides a one-way trust from on-premises to VMware Cloud on AWS (i.e. VMware Cloud on AWS trusts the on-premises users) and gives us the option to link and unlink as needed. It also retains the separation between on-premises and VMware Cloud on AWS permissions if we need to break the two environments apart. Once HLM is established, on-premises workloads can be migrated to VMware Cloud on AWS. The bonus is that the migration works both ways and workloads can be migrated back from VMware Cloud on AWS to on-premises.
– Supports both embedded vCenter Server and external Platform Services Controller (PSC) deployment models for on-premises
– Easy to set up with an option to link and unlink as needed
– Configuration done in the VMware Cloud on AWS vSphere Client (HTML5)
– Both environments are managed by logging in to the VMware Cloud on AWS vSphere Client using an on-premises account
– One way trust from on-premises to Cloud SDDC
– Supports round-trip workload mobility via cold migration
For more information on Hybrid Linked Mode you can watch this video: Hybrid Linked Mode for VMware Cloud on AWS
This is just a portion of the work you should undertake when preparing for a VMware Cloud on AWS deployment. For more details on this and other topics please read the Preparing for VMware Cloud on AWS white paper. By following the guidance in this technical document, you will be ready to use your VMware Cloud on AWS the day you deploy it.