Table of Contents

Lab Overview - HOL-1781-HBD-1 - vCloud Air: Jumpstart for vSphere Admins .......... 2
    Lab Guidance and Introduction .......... 3
Module 1 - vCloud Air, Architecture and Consumption Principles .......... 9
    What is vCloud Air? .......... 10
    vCloud Air Student Check-In .......... 21
Module 2 - Deploying Workloads in vCloud Air .......... 25
    vCloud Air User Interface .......... 26
    Virtual Data Centers .......... 28
    Edge Gateways in vCloud Air .......... 32
    Creating a New VM in vCloud Air .......... 34
    Backup and Restore of vCloud Air Virtual Machines .......... 46
    Creating a Simple Firewall and NAT Rule in vCloud Air .......... 56
Module 3 - Object Storage .......... 67
    Google Object Storage Overview .......... 68
Module 4 - Hybrid Cloud Manager .......... 71
    Hybrid Cloud Manager Overview .......... 72
Module 5 - HyTrust DataControl .......... 76
    Introduction to HyTrust DataControl .......... 77
    Tour of HyTrust DataControl .......... 78
    Encrypt Windows Virtual Machine Data .......... 89
    Encrypt Linux Virtual Machine Data .......... 125
HOL-1781-HBD-1 - Page 1
Lab Overview - HOL-1781-HBD-1 - vCloud Air: Jumpstart for vSphere Admins
Lab Guidance and Introduction

HOL-1781-HBD-1 - vCloud Air Jump Start for vSphere Admins

This lab will provide you with the basic skills necessary to successfully navigate the vCloud Air User Interface (UI). After completing this lab, you will be able to:

• Understand the different service tiers that vCloud Air offers
• Navigate your way around the vCloud Air user interface
• Deploy and back up your first virtual machine inside the vCloud Air portal
• Understand the basic network and security principles required to connect a virtual machine to an external network
• Learn about encryption using HyTrust DataControl

The tasks above are split up into 5 Lightning Lab modules, each designed to take between 5 and 45 minutes to complete. You will have a total of 90 minutes to complete this lab sitting. Depending on how much time you have available, you can go through this lab all at once, or choose to break it up over several lab sittings.
The tasks are broken up into the following modules:
Module 1: vCloud Air, Architecture and Consumption Principles (30 mins)
• What is vCloud Air?
• vCloud Air Student Check-In
Module 2: Deploying Workloads in vCloud Air (45 mins)
• vCloud Air User Interface
• Virtual Data Centers
• Edge Gateways in vCloud Air
• Creating a New VM in vCloud Air
• Backup and Restore of vCloud Air Virtual Machines
• Creating a Simple Firewall and NAT Rule in vCloud Air
Module 3: Object Storage (15 mins)
• Google Object Storage Overview
Module 4: Hybrid Cloud Manager (15 mins)
• Hybrid Cloud Manager Overview
Module 5: HyTrust DataControl (45 mins)
• Introduction to HyTrust DataControl
• Tour of HyTrust DataControl
• Encrypt Windows Virtual Machine Data
• Encrypt Linux Virtual Machine Data
_____________________________________________________________________________________
Lab Captains:
• Module 1 - Roberto Canton, Sr. Systems Engineer, vCloud Air - Southeast, USA
• Module 2 - Roberto Canton, Sr. Systems Engineer, vCloud Air - Southeast, USA
• Module 3 - Roberto Canton, Sr. Systems Engineer, vCloud Air - Southeast, USA
• Module 4 - Roberto Canton, Sr. Systems Engineer, vCloud Air - Southeast, USA
• Module 5 - Michael Federman, Sr. Technical Account Manager, USA
Next Steps: Upon completion of this lab, you may consider taking one of the following labs for additional guidance on vCloud Air:

• HOL-1782-HBD-1 - VMware vCloud Air: Data Center Extension
• HOL-1783-HBD-2 - vCloud Air Manage Your Cloud
• HOL-1783-USE-1 - vCloud Air Manage Your Hybrid Cloud
• HOL-1784-HBD-1 - vCloud Air Disaster Recovery

IMPORTANT! Please note that in this lab you are working in a "LIVE" vCloud Air instance. External access from the lab environment to the internet will be provided through the browser.
_____________________________________________________________________________________
This lab manual can be downloaded from the Hands-on Labs Document site found here:
http://docs.hol.vmware.com
This lab may be available in other languages. To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:
http://docs.hol.vmware.com/announcements/nee-default-language.pdf
Please feel free to ask questions and enjoy the experience!
Location of the Main Console
1. The area in the RED box contains the Main Console. The Lab Manual is on the tab to the right of the Main Console.
2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your work must be done during the lab session. But you can click EXTEND to increase your time. If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes. Each click gives you an additional 15 minutes. Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.
Alternate Methods of Keyboard Data Entry
During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.
Accessing the Online International Keyboard
You can also use the Online International Keyboard found in the Main Console.
1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.
Click once in active console window
In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.
2. Click on the Shift key.
Click on the @ key
1. Click on the "@" key.
Notice the @ sign entered in the active console window.
Activation Prompt or Watermark
When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark.
This cosmetic issue has no effect on your lab.
Look at the lower right portion of the screen
Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

Module 1 - vCloud Air, Architecture and Consumption Principles

What is vCloud Air?

VMware vCloud® Air™ is a public cloud service that enables you to quickly and securely take advantage of the benefits of the cloud while extending and maximizing the value of your existing on-premises IT investments. vCloud Air leverages the same tools, technologies and skills that you already have while delivering new cloud capabilities that allow your organization to drive business innovation.
What vCloud Air delivers:
• Infrastructure-as-a-Service - Computing power, storage options, and advanced networking that integrates with your vSphere environment.
• Robust Hybrid Capabilities - Workload portability, seamless networking, and common management make it easy to extend to the cloud from on-premises environments.
• A Platform for Enterprise IT - With app modernization, dev/test, and disaster recovery, you can address business needs without changing processes.
• Advanced Security - Broad compliance certifications, secure private networking connections, data protection, disaster recovery, and dedicated cloud options.

vCloud Air helps you combine on-premises vSphere investments with the agility of public cloud.

The first public cloud to integrate with both VMware NSX and vRealize Cloud Management Platform, vCloud Air was designed specifically with enterprise needs in mind. vCloud Air delivers a true hybrid cloud experience, and is uniquely positioned to solve critical IT challenges, whether you need an affordable disaster recovery option, an efficient way to extend your data center, or a complete data center replacement.

• Data Center Replacement

"Lift and shift" data center infrastructure from on-premises quickly and efficiently to implement a secure public cloud architecture. With the scalability, performance, and reliability you require for different workloads, vCloud Air provides consistency with your on-premises environment.

• Data Center Extension

Seamlessly extend your data center infrastructure by adding compute, storage, and networking resources from the public cloud. With common management, seamless networking, and unified support, vCloud Air provides a true hybrid experience for the vSphere data center and the next natural step in your virtualization journey.

• Disaster Recovery

Providing a simple and cost-effective portfolio of availability services built on the trusted and secure foundation of vSphere, vCloud Air enables you to safeguard and maximize
your on-premises vSphere investment by keeping your IT operations up and running in the event of a disaster.

Consumption Models

There are currently three classes of compute service: Dedicated Cloud, Virtual Private Cloud (Subscription and On Demand), and Disaster Recovery.
Dedicated Cloud Details
Dedicated Cloud provides a single-tenant private cloud with dedicated computing servers (air-gapped), layer-2 network isolation for workload traffic, dedicated storage volumes, and a dedicated cloud management instance. Infrastructure capacity may be subdivided into multiple logically-isolated virtual data centers, each with their own networking edge gateway and resource reservation models.

The Dedicated Cloud baseline offering starts with 35GHz of Compute (vCPU) capacity, 240GB of vRAM, and 6TB of Storage. 3 public IP addresses are also provided, as well as 50 Mbps of internet bandwidth that is burstable to 1 Gbps. Direct Connect options are available that can provide 1Gbps and 10Gbps of point-to-point connectivity. Customers can increase the capacity of their dedicated clouds by purchasing additional blocks of storage and compute in the increments you see above (35GHz vCPU and 240 GB vRAM for Compute and 6TB increments for Storage).
Dedicated Cloud is offered on a monthly subscription basis today.
Virtual Private Cloud Details
Virtual Private Cloud
Virtual Private Cloud provides a multi-tenant environment with logically isolated resources on a shared physical infrastructure, configured as a single virtual data center ("VDC") with networking resources.

The Virtual Private Cloud offering starts at 10GHz of Compute (vCPU), 20GB of vRAM, and 2TB of Storage. In addition, 2 public IP addresses are provided, as well as a 10 Mbps network link, burstable to 50 Mbps. Direct Connect options are available that can provide 1Gbps of point-to-point connectivity.

As with the Dedicated Cloud, customers can increase the capacity of their Virtual Private Clouds by purchasing additional resources in the block sizes reflected above.
Virtual Private Cloud is offered on a monthly subscription basis today.
Virtual Private Cloud OnDemand
Virtual Private Cloud OnDemand provides a multi-tenant environment with logically isolated resources on a shared physical infrastructure, but instead of a subscription it allows customers to consume specific CPU, RAM, and Storage as incremental pay-as-you-go services. Charges are incurred as the resources are consumed (metered by the minute) and billed in arrears on a monthly basis.

Virtual Private Cloud OnDemand can be purchased via credits through the Subscription Purchasing Program (SPP).
VMware vCloud Air Disaster Recovery
VMware vCloud Air Disaster Recovery is a recovery-as-a-service (RaaS) solution that introduces native cloud-based disaster recovery capabilities for VMware vSphere virtual environments. Built on VMware's hypervisor-based replication engine, vSphere Replication™, vCloud Air Disaster Recovery includes:

• Self-service disaster recovery protection for virtual machines
• Recovery point objectives (RPO) from 15 minutes to 24 hours
• Readily facilitates failover, failback, and planned migration as needed
• Retention of multiple recovery points - up to 24 point-in-time instances
• Elastic cloud compute and storage capacity
• Support for offline data seeding
• Private leased line network option
• Flexible failover testing
Additional vCloud Air Service Offerings
vCloud Air provides all of the cloud infrastructure required, including all areas of compute, storage, networking, security and infrastructure, but with enough flexibility to allow customers to bring their own tools, VMs, and third-party licenses. Additionally, this is entirely seamless with the customer's own vCloud infrastructure. Customers can bring their own tools, VMs, and existing licenses to vCloud Air, and we take care of the rest. This adds to the value proposition of the Hybrid cloud as future expenditures can turn CapEx into OpEx.
VMware vCloud Air Data Protection
VMware vCloud® Air™ Data Protection offers secure, policy-based backup and recovery in the cloud for virtual machines hosted exclusively on vCloud Air. Available across both Dedicated Cloud and Virtual Private Cloud infrastructure-as-a-service types, Data Protection includes the following feature highlights:

• Backup policy affinity controls per Virtual Data Center (VDC) or per vApp
• Daily (24-hour) Recovery Point Objective (RPO) guarantee
• Virtual machine (image-level) Restore Granularity Objective (RGO)
• Custom backup window scheduling
• Configurable data retention
• On-demand backups
• Synthetic-full backup images
• Intelligent consumption tracking and activity reports

vCloud Air Object Storage powered by Google Cloud Platform

VMware vCloud® Air™ Object Storage offers an extremely scalable, cost-effective, and dependable cloud-based storage solution for unstructured data. The service is simple to use, easy to set up, provides global scale and has built-in resiliency. Easily scale up to petabytes and generate real-time intelligence from custom meta-data with vCloud Air Object Storage.

Object Storage powered by Google Cloud Platform provides three storage options:

• Standard Storage
• Durable Reduced Availability (DRA) Storage
• Nearline Storage
Object Storage powered by Google Cloud Platform is Generally Available in US, EMEA and APJ.
VMware vCloud Air Advanced Networking Services
VMware vCloud® Air™ Advanced Networking Services offers a set of networking and security services that improves overall network manageability and accelerates application time-to-market by delivering an agile and cost-efficient platform for zero-trust security in the cloud. Built on VMware NSX® technology, these services offer customers a path towards true hybrid networking.
Key Benefits
• Granular Network Security: vCloud Air Advanced Networking Services re-invent cloud security with micro-segmentation, providing granular network security without sacrificing manageability or flexibility at scale. Micro-segmentation, implemented through a fully stateful kernel-based firewall, isolates and secures each virtual machine (VM) and application down to the Layer 2 level.
• Instant Time to Value: Move to the cloud without having to re-architect applications or retrain staff. Streamline "as-is" workload portability and network mirroring in the cloud, allowing the same networking constructs and knowledge to be applied to the public cloud.
• Cost-Efficient Scaling: Scale security and networks while minimizing administration costs. Organizations can drive down network administration hassle and costs while enabling new ways to quickly secure, scale, and connect to their cloud workloads.
vCloud Air Hybrid Cloud Manager
vCloud Air Hybrid Cloud Manager offers vSphere users a seamless option for extending their on-premises data center into vCloud Air. Customers can extend their environments to include vCloud Air with L2-WAN network extension. More importantly, customers are able to take advantage of bi-directional workload portability, using zero-downtime or low-downtime replication-based, WAN-accelerated application migration. These capabilities simplify workload management and enable users to extend their environments effectively for a true hybrid cloud experience.
vCloud Air Identity Federation
Identity Federation will align your company directory to granular vCloud Air roles and permissions.

SAML 2.0 integrates broadly with ADFS, VMware Identity Manager, and many other IdPs, so you can use your preferred solution. Two-factor authentication can be supported through the IdP. Identity Federation provides Single Sign-On with your preferred Identity Provider via SAML 2.0, direct access to the vCloud Director Org, and access to higher granularity of permissions.

vCloud Air Student Check-In

As you will be using a live vCloud Air account for this lab, you first need a username and password for login. This account will be specific to this lab. You cannot use an existing vCloud Air login. The password for this account will be reset after you complete the lab or the time expires.
Start Google Chrome
Start Google Chrome from the taskbar.
HOL Student Check-In
The default home page will be http://checkin.vcahol.com. Note: http, not https.

If you by accident navigate away from that URL, click the bookmark in the bookmarks bar.
1. Locate Your vCloud Air Account
1. Enter your email address and click Search.
2. The username is your login account and StudentID for this lab. Highlight and click Ctrl+C or Command+C to copy. You will need this later.
3. Make note of your password, you will need it to login to a live vCloud Air environment.
4. Cloud URL - This is the link to login to your vCloud Air environment. Make note of it, or leave the tab open to simply click on it whenever you need to log in to vCloud Air.
Only email addresses with an Active vCloud Air Hands-on-lab will be shown.
2. Login to vCloud Air
Click Sign In
Enter your assigned username and password.
Click Login
Please note: This password will be reset after exiting this lab.
3. Let The Learning Begin
You now have access to vCloud Air until this lab has been completed or expires.
Please Note: If you receive the error "Service not available message", refreshing your browser should resolve this.

Module 2 - Deploying Workloads in vCloud Air

vCloud Air User Interface

In this module you will begin using the new vCloud Air UI.

In an effort to provide the end user easier navigation with advanced capabilities, VMware is introducing a new vCloud Air Portal. This will authenticate users and provide authorized services from a single page. From this landing page vCloud Director will be launched for the common administrative tasks. The vCloud Director UI provides a rich set of capabilities ranging from quick vApp creation to advanced network administration.
vCloud Air Student Check-In
If not already logged in, click on the Cloud URL link in your Chrome browser using the instructions provided in the vCloud Air Student Check-In step in Module 1.
New vCloud Air User Interface
Welcome to the new vCloud Air User Interface!
The vCloud Air User Interface is comprised of 2 panes:
1. Left Pane - Allows you to access the different Options and/or Services your account has been subscribed to, such as:

• Virtual Datacenters - This is where you will manage/create different Virtual Data Centers (VDC) within your Organization
• Networking - This is where you will gain access to all Networking aspects of your vCloud Air environment, Edge Gateway Services as well as the creation/management of Networks
• Data Protection - This is where you will be able to set backup policies for those VMs/vApps created in your vCloud Air environment
• Disaster Recovery - This is where you will be able to manage your vCloud Air Disaster Recovery Virtual Data Centers (This link is disabled for this lab).
• Google Storage - This is where you can manage your Object Storage consumption (This link is disabled for this lab).

2. Right pane - This pane will display the different options based on items selected on the Left Pane. In the following steps we'll be taking a closer look at each of the different options.
Virtual Data Centers

In this step you will be looking at a Virtual Data Center in vCloud Air. This step is part of Module 2 of this lab.

vCloud Air Student Check-In

If not already logged in, click on the Cloud URL link in your Chrome browser using the instructions provided in the vCloud Air Student Check-In step in Module 1.
vCloud Director
Firstly, a quick tutorial on the vCloud Director constructs.
VMware vCloud Director orchestrates the provisioning of software-defined data center services as complete virtual data centers that are ready for consumption in a matter of minutes. Virtual data centers provide virtualized compute, networking, storage, and security that can be provisioned to make relevant workloads operational in minutes. Software-defined data center services and the virtual data centers fundamentally simplify infrastructure provisioning, and enable IT to move at the speed of business.
Organizations
Isolated Multi-tenant Organizations - Administrators can group users into organizations that can represent any policy group such as a business unit, division or subsidiary company. Each has isolated virtual resources, independent LDAP authentication, specific policy controls, and unique catalogs. These features enable a multi-tenant environment with multiple organizations sharing the same infrastructure.

In this lab you are provided a pre-built Organization, e.g. student501. Within an Organization is an Organization Virtual Data Center (VDC) that has specific CPU, Memory and Storage limits assigned. This VDC becomes your isolated resource pool for future vApps, VMs and the required network services.
Please do not create additional VDCs in this lab. Only use the VDC created for you.
Organization Virtual Data Centers
1. Click on "Virtual Datacenters" in the left pane.
2. Click the "Organization VDCs" tab in the right pane.
3. Click the "student***" already created for you automatically. We will not be adding new Virtual Data Centers in this lab.

Virtual Data Center Summary

1. You can highlight your "student***" Virtual Data Center.
2. You have the choice of Creating, Editing, and Deleting VDCs.

You are free to click and examine these options but please do not Create, Edit, or Delete VDCs so you can keep moving forward with this lab.
Allocation Models
There are 2 allocation models:
• Reservation Pool - The Reservation Pool Model is useful if you know your applications well enough to optimize your own provisioning. This model has Full Resource Management Controls (reservations, limits, shares) available. Organizations using the Reservation Pool model are charged for vDC capacity. With this model, customers cannot over-commit resources. This model guarantees 100% commitment of the vDC Allocation.
• Pay-As-You-Go - With this method (also referred to as the Allocation vApp Model), you are charged for each vApp virtual machine that is running. The over-commit is controlled by the Customer, and the Percentage of Resource Guaranteed control is available, but the Customer can set this to unlimited (Expandable Reservation). This model facilitates an unlimited option similar to Expandable Reservations.
VDC Default Sizes
vCloud Air provides the following default sizes when creating a VDC:
• Small (CPU: 10 GHz, Memory: 30 GB, Storage: 500 GB)
• Medium (CPU: 20 GHz, Memory: 60 GB, Storage: 1024 GB)
• Large (CPU: 50 GHz, Memory: 150 GB, Storage: 2560 GB)

These default sizes are just for simplicity; customers can custom-size their VDCs as they deem appropriate.
Storage Types
vCloud Air offers 2 types of Storage:
• Standard
• SSD-Accelerated
In this lab we use Standard Storage for all activities.
Edge Gateways in vCloud Air

In this step you will now learn about Edge Gateways in vCloud Air. This step is part of Module 2 of this lab.

vCloud Air Student Check-In

If not already logged in, click on the Cloud URL link in your Chrome browser using the instructions provided in the vCloud Air Student Check-In step in Module 1.
Exploring an Edge Gateway
Edge Gateway - Integrated NSX capabilities such as perimeter protection, port-level firewall, and NAT and DHCP services offer virtualization-aware security, simplify application deployment and enforce boundaries required by compliance standards.

Integration with NSX offerings adds advanced services such as VXLAN, VPN, firewall high availability, network isolation, and web load balancing.

On the left pane, clicking on Networking (1) will display your organization's Edge Gateways and Networks in the right pane.

You can manage both your Organization's Edge Gateways (2) and Networks (3) by clicking on them respectively.
An Edge Gateway has automatically been created for you with your "student***" name, together with both an Isolated and a Routed Network.

Make sure you make a note of the Public IP of your Edge Gateway (5), which you will be using in a later step.

Gateway Management

1. The Gateway Management tab allows you to Create a new Gateway.
2. You can also highlight any existing Gateway and Edit that Gateway.
3. You can also delete an existing Gateway from your Organization's Virtual Data Center.
4. Clicking on the name of an existing Gateway will open an additional tab in your browser that will expose the advanced Gateway options, which we will be examining in a later module in this lab.

You are free to examine these options if you wish but please do not Create, Edit or Delete Gateways so you can keep moving forward with this lab.
Creating a New VM in vCloud Air

In this step you will be creating a new Windows VM in vCloud Air. This step is part of Module 2 of this lab.

vCloud Air Student Check-In

If not already logged in, click on the Cloud URL link in your Chrome browser using the instructions provided in the vCloud Air Student Check-In step in Module 1.

Create a Virtual Machine

1. Click on Virtual Datacenters on the left pane.
2. Click the "Organization VDCs" tab.
3. Click on your "student***" Virtual Data Center.
vCloud Director User Interface
Click on the newly opened VMware vCloud Director tab in your Chrome browser.
Create New vApp
1. Click the "My Cloud" button.
2. Ensure "vApps" is selected on the left pane.
3. Click the + sign.

Select vApp Template

1. Select "Public Catalogs" in the "Look In" drop down box.
2. Click the "All Templates" button.
3. Select the W2K8-STD-R2-64BIT Windows template.
4. Click "Next".
Select Name and Location

Type "Student***-WinVM" as the Name of your Windows VM, where *** represents your student number, leave all other defaults and click "Next".

Configure Resources

Type "Student***-WinVM" in the Virtual Machine name box and click "Next".

Configure Networking

1. Enter "***WinVM" for ComputerName, where *** is your Student number.
2. Select "student***-RoutedNetwork" from the drop down box for NIC 0 Network.
3. Click "Next".
Customize Hardware
Leave all defaults and click "Next".
Ready to Complete
Click on "Power on vApp after this wizard is finished" and click the "Finish" button.
VM Creation In Progress
Allow time for VM to complete creating.
VM Creation Completed
Once VM creation is completed, the Status column reads "Running".
Once the status is "Running" click on the Console to open up a console to this machine.
Open Console for Newly Created VM

Once this Console opens you will be able to log in to this Windows VM directly from this interface.

Later you will be creating Firewall and NAT rules to allow this VM to be accessed from the Public internet utilizing a Remote Desktop Client application.

Please Note: You will not be logging into the VM, you are just validating it is up and running.

Examining your VM's Properties

1. Click on VMs
2. Right-click anywhere on your VM once highlighted
3. Select Properties
VM Properties
Once the Virtual Machine Properties window appears:
1. Click on the Hardware tab
2. Scroll down using the side bar
3. Make a note of your Virtual Machine's IP Address as you will need it in a later step.
Feel free to browse the different tabs. Click Ok to return to the previous window.
Backup and Restore of vCloud Air Virtual Machines

What is Data Protection?

Data Protection is an optional data backup and recovery feature for VMware vCloud Air that enables self-service, policy-based protection of business-critical data by backing up vApps and their associated virtual machines within Dedicated or Virtual Private Cloud service types. Compared to traditional file-based backup and recovery solutions, image-level backups are used in Data Protection to ensure all operating system, file system and application data encapsulated within a virtual machine are captured as a snapshot image before being committed to backup media.

VMware vCloud® Air™ Data Protection offers secure, policy-based backup and recovery in the cloud for virtual machines hosted exclusively on vCloud Air. Available across both Dedicated Cloud and Virtual Private Cloud infrastructure-as-a-service types, Data Protection includes the following feature highlights:
• Backup policy affinity controls per Virtual Data Center (VDC) or per vApp
• Daily (24-hour) Recovery Point Objective (RPO) guarantee
• Virtual machine (image-level) Restore Granularity Objective (RGO)
• Custom backup window scheduling
• Configurable data retention
• On-demand backups
• Synthetic-full backup images
• Intelligent consumption tracking and activity reports
This step is part of Module 2 of this lab.
vCloud Air Student Check-In
If not already logged in, click on the Cloud URL link in your Chrome browser using the instructions provided in the vCloud Air Student Check-In step in Module 1.
Data Protection User Interface
1. Click on Data Protection in the left pane to display the Dashboard for the Data Protection service. The Data Protection Dashboard shows you, at a high level, how many Virtual Data Centers you are protecting with the service as well as the consumption per Virtual Data Center.
2. Ensure the Dashboard tab is selected.
3. This area of the dashboard shows you the number of Virtual Data Centers that are being protected. You can set backup and retention policies at the Virtual Data Center level so that any VM you create in this Virtual Data Center inherits those policies and is backed up at the intervals you set for the Virtual Data Center. You can also click on the Virtual Data Centers tab to view your Data Protection activity on a per Virtual Data Center basis.
4. This area shows you the number of vApps you are protecting. Remember, vApps can be comprised of one or more VMs.
5. This shows you the amount of storage your backups are consuming.
6. This area shows you the number of vApps that have been deleted but are still kept in the Data Protection service based on your policies.
7. Shows you the trend in storage consumption for the Data Protection service.
8. Shows you the amount of storage your deleted vApps are consuming.
Create a Data Protection Policy at the Virtual Data Center Level
1. Click on "Data Protection" in the left pane.
2. Click the "Virtual Datacenters" tab on the right pane.
3. Make sure your Virtual Data Center (Student***) is selected.
4. Click on the arrow next to "Actions" for the drop-down menu to appear.
5. Select Configure Policy.
Configure Policy
1. Select Weekly for Frequency.
2. Select 03:00 (3 AM) for the Schedule and leave "Every Sunday" selected.
3. Select Pacific Time (PST) for the Time Zone.
4. Type 5 for the number of days in the Retention Period box.
5. Click the "Apply" button.
Configure Email Address
1. Click on "Data Protection" in the left pane.
2. Click the "Virtual Datacenters" tab on the right pane.
3. Make sure your Virtual Data Center (Student***) is selected.
4. Click on the arrow next to "Actions" for the drop-down menu to appear.
5. Select "Configure Email Address". The Data Protection service will notify you at this email address every time your policy runs successfully or fails. Notice also that, since we established a Virtual Data Center policy in the previous step, you can now Edit or Remove that policy.
Configure Email Address for VDC
Enter your email address in the box provided and click Save. You can enter more than one email address separated by commas; for the purpose of this lab, just enter one.
Create a Data Protection Policy at the vApp Level
1. Click on "Data Protection" in the left pane.
2. Click the "Virtual Datacenters" tab on the right pane.
3. Make sure your Virtual Data Center (Student***) is selected.
4. Click on your VM (Student***-WinVM).
5. Click on the icon with the "+" sign to add a policy at the vApp level. The other options are Remove a Policy (the "-" icon), Edit a Policy (the pencil icon), Run Ad-hoc Backup (the check mark icon), and Configure Email Address.
Apply Policy for vApp
1. Select Daily for Frequency.
2. Select 03:00 (3 AM) for Schedule.
3. Select Pacific Time for Time Zone.
4. Select 2 days for Retention Period.
5. Click the "Apply" button.
Data Protection Policy Setup Conclusion
You have successfully created two Data Protection policies, one at the Virtual Data Center level and one at the vApp level.
1. Virtual Data Center level backup policy: any vApp you create from this point on will automatically inherit the backup policy created at the vDC level.
2. vApp level policy: because your vApp policy requires more frequent backups than your vDC policy, this vApp will run on the Daily schedule rather than the Weekly one set at the vDC level; the vApp-level policy takes precedence for that vApp.
Restoring from Backups
Once you have successfully backed up your vApps, the Data Protection user interface will display the number of Restore Points you can recover from. Clicking on the underlined number in the Restore Points column will allow you to restore from those backups. We will examine those options next.
Note: you may not be able to perform these steps yourself, as not enough time will have passed for restore points to be ready. They are included for reference so you can follow the interface to where you would find them.
Restore Points
Clicking on the underlined number of Restore Points takes you to the Restore Points for your vApp as shown above.
You can highlight any of the Restore Points and do an "In Place Restore", "Out of Place Restore", or "Delete All Restore Points".
In Place Restores
The In Place Restore option allows you to restore the entire vApp or select specific Virtual Machine(s) to restore. Remember that a vApp can be comprised of one or multiple VMs. Because our vApp has only one VM, we can select Entire vApp or click the Select Specific Virtual Machines to restore button and select our VM under Virtual Machines. You are free to click on the Restore button, but in the interest of time please continue without waiting for the vApp/VM to restore.
Keep in mind that an In Place Restore replaces the VM currently running, including any changes made since the restore point was taken.
Out of Place Restore
Out of Place Restore allows you to restore a VM backed up with Data Protection to a new VM that does not replace the currently running VM. Just like with an In Place Restore, you can restore the entire vApp or a selected VM from within the vApp.
Congratulations you have completed this Module.
Creating a Simple Firewall and NAT Rule in vCloud Air
In this step you will create a NAT (Network Address Translation) rule and a Firewall rule to allow the VM you created earlier to be accessed via an RDP (Remote Desktop Protocol) client from the public internet without the need for a VPN or Direct Connect private connection. This step is the last step of Module 2 of this lab.
vCloud Air Student Check-In
If not already logged in, click on the Cloud URL link in your Chrome browser using the instructions provided in the vCloud Air Student Check-In step in Module 1.
Create NAT Rule for RDP
1. Click on "Networking".
2. Click on "Gateway Management".
3. Click on your Gateway "student***". This will open another tab in your browser.
Create NAT Rule (Cont...)
1. Click on the "Student***" tab in your browser.
2. Click the "NAT" tab.
3. Click the "+" plus sign and select "Add DNAT Rule".
Add DNAT Rule
1. Select "student***-RoutedNetwork" from the drop-down box. This is the routed network attached to your Edge Gateway that the Virtual Machine you created is attached to.
2. Type the public IP of your Student*** Edge Gateway.
3. Choose "tcp" from the drop-down box for Protocol.
4. Choose "Any" for "Original Port/Range".
5. Type the IP address of the Windows VM you created in the previous step for "Translated IP/Range".
6. Type "3389" for "Translated Port/Range".
7. Make sure "Enabled" is selected.
8. Click the "OK" button.
Note that with "Any" as the original port, every TCP connection to the public IP is forwarded to port 3389 on the VM, whatever port the client used. Outside a lab, set "Original Port/Range" to 3389 as well so that only RDP traffic is translated.
Publish Changes
Make sure you click on "Publish Changes" for your changes to take effect.
Create Firewall Rule for RDP
1. Click on the "Firewall" tab.
2. Click the green "+" plus sign.
3. A blank rule appears above the "Default Rule". Place your cursor over the top right of the Name field, look for the plus sign (not visible in the picture) and click it to name the rule. Name it "My RDP Rule".
Select Source
Click on the "+" plus sign in the Source field (not visible) to add the source for your Firewall rule.
Specify Source
1. Select "vNIC Group" from the drop-down box under Object Type.
2. Select "external" from the Available Objects.
3. Click on the arrow to move your selection to the Selected Objects pane.
4. Click the "OK" button.
Select Destination
Click on the "+" plus sign in the Destination field (not visible) to add the destination for your Firewall rule.
Specify Destination
1. Select "Virtual Machine" from the drop-down box for the Object Type.
2. Under Available Objects select the "Student***-WinVM" VM you created earlier.
3. Click on the arrow to move your VM to the Selected Objects pane.
4. Click the "OK" button.
Select Service
Under the Service field, look for the "+" plus sign to select the service for your Firewall rule.
1. In the search field type "rdp" and press Enter.
2. Select the RDP entry as shown.
3. Click the "OK" button.
Publish Changes
Click the "Publish" button to publish your changes.
You are now ready to access your VM from the public internet using an RDP client. Although this will not be possible in this lab exercise, you have just created a NAT rule and a Firewall rule that allow Remote Desktop client access to your VM from the public internet. Outside a lab, an RDP listener reachable from the whole "external" vNIC group is a high-value target: restrict the rule's Source to the client addresses that actually need RDP rather than leaving it open to any outside source.
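The inbound path the two rules above set up, as an added example that is not part of the lab guide or the vCloud Air product: a small Python model in which the DNAT rule rewrites the destination first and the firewall then evaluates the rewritten packet, which is why the lab selects the VM object, not the public IP, as the rule's destination. The addresses and the admin network are constructed, and the model assumes that an original port of "Any" sends every TCP packet for the public IP to port 3389 on the VM, which is what the lab's settings imply. It shows why a practitioner would pin the original port to 3389 and narrow the Source from the whole "external" vNIC group to the client addresses that need RDP.

```python
"""Model of the Edge Gateway's inbound path as configured in the lab: DNAT first,
then an ordered firewall with a default deny. Added example, not vCloud Air/NSX
code; addresses are constructed and the "Any" port handling is an assumption."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for Student*** (assumptions, not from the guide).
EDGE_PUBLIC_IP = "203.0.113.10"               # public IP of the Student*** Edge Gateway
WIN_VM_IP = "192.168.109.20"                  # Student***-WinVM on student***-RoutedNetwork
ADMIN_NET = ip_network("198.51.100.7/32")     # where the RDP client actually lives


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    original_ip: str
    proto: str
    original_port: Optional[int]   # None stands for "Any"
    translated_ip: str
    translated_port: int
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        return (self.enabled and p.dst == self.original_ip and p.proto == self.proto
                and (self.original_port is None or p.dport == self.original_port))


@dataclass(frozen=True)
class FirewallRule:
    name: str
    source: Optional[object]   # ip_network, or None for the "external" vNIC group (any outside source)
    destination_vm: str        # the VM object, i.e. the post-DNAT address
    proto: str
    dport: int                 # the service; RDP is tcp/3389
    action: str = "accept"

    def matches(self, p: Packet) -> bool:
        src_ok = self.source is None or ip_address(p.src) in self.source
        return src_ok and p.dst == self.destination_vm and p.proto == self.proto and p.dport == self.dport


def apply_dnat(p: Packet, rules) -> Packet:
    """First matching DNAT rule rewrites destination IP and port (assumed 'Any' semantics)."""
    for r in rules:
        if r.matches(p):
            return replace(p, dst=r.translated_ip, dport=r.translated_port)
    return p


def firewall(p: Packet, rules, default: str = "deny") -> str:
    """Ordered rule evaluation on the already-translated packet; the Default Rule denies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def inbound(p: Packet, dnat_rules, fw_rules):
    """Returns (verdict, packet as the VM would see it)."""
    translated = apply_dnat(p, dnat_rules)
    return firewall(translated, fw_rules), translated


# Rules exactly as the lab builds them: original port Any, source = external (any).
LAB_DNAT = [DnatRule(EDGE_PUBLIC_IP, "tcp", None, WIN_VM_IP, 3389)]
LAB_FW = [FirewallRule("My RDP Rule", None, WIN_VM_IP, "tcp", 3389)]

# Tightened variant: only tcp/3389 is translated, only the admin network may reach it.
HARDENED_DNAT = [DnatRule(EDGE_PUBLIC_IP, "tcp", 3389, WIN_VM_IP, 3389)]
HARDENED_FW = [FirewallRule("My RDP Rule", ADMIN_NET, WIN_VM_IP, "tcp", 3389)]


def verdicts(dnat_rules, fw_rules) -> dict:
    """Constructed probes: the admin's RDP, a stranger's RDP, and a stranger hitting port 22."""
    probes = {
        "rdp_from_admin": Packet("198.51.100.7", EDGE_PUBLIC_IP, "tcp", 3389),
        "rdp_from_anywhere": Packet("192.0.2.50", EDGE_PUBLIC_IP, "tcp", 3389),
        "port_22_from_anywhere": Packet("192.0.2.50", EDGE_PUBLIC_IP, "tcp", 22),
    }
    return {name: inbound(p, dnat_rules, fw_rules)[0] for name, p in probes.items()}


if __name__ == "__main__":
    print("lab     :", verdicts(LAB_DNAT, LAB_FW))
    print("hardened:", verdicts(HARDENED_DNAT, HARDENED_FW))
```

With the lab rules every probe is accepted, including the one aimed at port 22, because "Any" rewrites it to VM:3389 and the firewall then sees exactly the RDP service it was told to allow. With the hardened rules only the admin's RDP gets through.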
Congratulations, you have completed this module.
Module 3 - Object Storage
Google Object Storage Overview
VMware vCloud® Air™ Object Storage offers an extremely scalable, cost-effective, and dependable cloud-based storage solution for unstructured data. The service is simple to use, easy to set up, provides global scale and has built-in resiliency. Easily scale up to petabytes and generate real-time intelligence from custom metadata with vCloud Air Object Storage.
Object Storage powered by Google Cloud Platform provides three storage options:
• Standard Storage
• Durable Reduced Availability (DRA) Storage
• Nearline Storage
Object Storage powered by Google Cloud Platform is Generally Available in US, EMEA and APJ.
What is Object Storage?
Objects are stored in buckets in a flat namespace in Object Storage, eliminating the complexity and scalability challenges of traditional hierarchical file systems. Granular object-level security, lifecycle management and versioning features simplify and reduce management overhead.
Key Benefits
• Extremely scalable storage with the power of analytics: Get instant and self-service access to storage capacity on demand that scales up to petabytes. Build applications that are scalable and stop worrying about running out of storage space. Choose a service and region to optimize cost, maximize speed, or assist with regulatory requirements.
• Built-in redundancy with global coverage: Object Storage reduces the need for data protection with built-in redundancy. Select a storage type based on your durability and budget requirements. Object Storage supports global access use cases by providing easy access from any device, anywhere, anytime.
• Cost-effective storage for traditional and new age use cases: Implement a scalable and cost-effective storage solution to free up your valuable resources from mundane tasks like backup administration. Only pay for resources in use, with no minimum commitments or up-front fees. The economics of Object Storage combined with flexible payment options delivers a true elastic pay-as-you-go cloud storage solution for traditional use cases such as backup and file share, and new age use cases such as Web 2.0, Big Data, Internet of Things.
Use Cases
Backup and Archiving: Object Storage is a cost-effective way to store data long term. Back up on-premises workloads to Object Storage with leading backup appliances. Object Storage is a lower-cost Disaster Recovery solution (for Tier 2/3 workloads) and can be used to store VMDK snapshots.
Shared Files: Object Storage provides a scalable and cost-effective way to set up a shared file repository. Built-in redundancy and versioning in Object Storage reduce the need for separate backup and recovery. Integrate with storage gateway solutions to create a cost-effective file share.
Imaging, Media, Web 2.0: Set up a website containing static web pages, images, or other media files in a few simple steps. Speed up website rendering with the help of Content Delivery Networks (CDN) if the website contains large media files such as videos and high-resolution images.
Module 4 - Hybrid Cloud Manager
Hybrid Cloud Manager Overview
This module contains the following lessons:
• Hybrid Cloud Manager Introduction
Hybrid Cloud Manager Introduction
This is an overview of Hybrid Cloud Manager (HCM). To learn more see HOL-1782-HBD-1 VMware vCloud Air: Data Center Extension.
Make the cloud an extension of on-premises data centers by seamlessly extending existing networks to the cloud and moving live workloads to and from the cloud with zero downtime. VMware vCloud® Air™ Hybrid Cloud Manager™ improves on the hybrid benefits of VMware vCloud® Air™ by adding workload migration, data center network extension and hybrid management features within the vSphere Web Client. vCloud Air Hybrid Cloud Manager uses software-defined WAN (SD-WAN) technologies to virtually shorten the distance between private data centers and public cloud, allowing vCloud Air networks to perform as if they were truly just another part of the private data center, all from within the familiar interfaces of vSphere.
What's New with HCM
• Live, zero downtime, long distance migration of vSphere workloads to the cloud
• Seamless network integration between private & public data centers
• Ability to migrate NSX security policies to vCloud Air for security & compliance
• Software-defined WAN (SD-WAN) technology to make the WAN perform more like a LAN
• Bi-directional workload portability
• Compatibility with on-premises vSphere workloads
vMotion to vCloud Air
Video: vMotion to vCloud Air, http://www.youtube.com/watch?v=91w3952iiqY
Here you can see a vMotion from a local vCenter Server to vCloud Air (no audio).
vMotion From vCloud Air
Here you can see a vMotion from vCloud Air back to the local vCenter Server (no audio).
Video: vMotion from vCloud Air, http://www.youtube.com/watch?v=57MByAMfHVA
HCM Components
Hybrid Cloud Manager is a single install that delivers on a number of hybrid use cases:
• A seamless hybrid experience to administer, consume, and manage your resources across private and public clouds.
• Manage migration of workloads between clouds with zero to low downtime using replication-based technology and WAN acceleration.
• Extend your security and networking policies from your data center to vCloud Air, including the ability to stretch multiple Layer 2 network segments from on-premises to the cloud.
To learn more see the HOL-1782-HBD-1 VMware vCloud Air: Data Center Extension.
Module 5 - HyTrust DataControl
Introduction to HyTrust DataControl
HyTrust has worked closely with VMware and the vCloud Air team to develop encryption and key management software for vCloud Air. With HyTrust DataControl you can take advantage of the cost-effective agility you get with the cloud while being confident that nobody can read your data, because it is encrypted and you control the encryption keys. Best of all, it is fast and easy to deploy and manage, and the encryption travels with your VMs. This step is part of Module 5 of this lab.
HyTrust DataControl Architecture
HyTrust DataControl encrypts data from within the OS of a virtual machine. Key management is policy-based and easy to deploy on premises or in the cloud.
Tour of HyTrust DataControl
We will start by investigating the features and functions of HyTrust DataControl in this step. This step is part of Module 5 of this lab.
Start Google Chrome
Start Chrome by clicking the shortcut in the taskbar or on the desktop.
Go to HyTrust DataControl
Click the HyTrust DataControl bookmark in the bookmarks toolbar.
Log in to DataControl
Sign-in using the credentials:
User name: secroot
Password: VMware1!
System Recovery
If you don't see this on the screen, continue from the "Security" step below.
If you see this on the screen, you have triggered a HyTrust security feature which protects HyTrust DataControl from being moved to new hardware in an attempt to compromise the key controller.
The reason is that the Hands-On Labs run on a number of different clouds around the world, where the underlying hardware differs from the environment on which this lab was built.
Click "Recovery using Keypart Upload"
Recover Master Key
1. Click "Browse"
Select AdminKey.txt
We have placed a copy of the admin key on the desktop.
1. Go to the Desktop.
2. Select "AdminKey.txt".
3. Click "Open".
Upload file
1. Click "Upload file"
Wait a moment while the master key is being restored, and you should be taken back to the Sign-in screen.
Log in to DataControl
Sign-in using the credentials:
User name: secroot
Password: VMware1!
Security
1. Go to the Security tab.
2. Select the secroot user.
Scroll down to the bottom of the page.
Security Roles
Select "Privileges & Groups"
HyTrust KeyControl supports three distinct administrator roles, each with its own privileges. Roles can be combined in any manner. A small organization may have one administrator holding all roles. A Cloud Service Provider who manages multiple customers may have different VM Set administrators for different customers. The three roles are:
Security Administrator: Manages users and groups, master key management and audit logs.
Domain Administrator: Manages KeyControl nodes, KeyControl backup and restore.
Cloud Administrator: Manages VM Sets, encryption of disks, and VM key access.
Cluster
1. Scroll back to the top of the page and click on the "Cluster" tab
In every production system there is an active-active cluster of KeyControl servers that manage encryption within individual virtual/physical machines. All administration takes place from a standard web browser to any node in the KeyControl cluster or from a set of REST-based APIs. KeyControl servers typically reside in your data center but could be run out of the public cloud as well.
This, however, is not a production environment, so we have only a single KeyControl node.
2. Click on "Servers" to explore the single cluster node.
Cluster nodes
Here you can see the KeyControl cluster nodes. In this case only one node has been installed. Select the cluster node to explore details about it.
Cloud
Click on the "Cloud" tab.
Here you will manage your inventory of virtual machines. By using VM Sets, you can create "encryption groups" that use the same encryption key and can therefore exchange encrypted objects.
Encrypt Windows Virtual Machine Data
In this step you will be encrypting a Windows VM's data. This step is part of Module 5 of this lab.
Create VM Sets
Still in the HyTrust KeyControl web interface, do the following.
1. Click the "Cloud" tab.
2. Click "Actions".
3. Click "Create New Cloud VM Set".
Create Windows VM Set
Create a VM Set named Windows
1. Type "Windows".
2. Click "Create".
Create another VM Set
Click "Create More"
Create Linux VM Set
Create a VM Set named Linux
1. Type "Linux".
2. Click "Create".
Close the dialog
Click "Close"
Agent Download
Notice that you can download a Policy Agent from the Actions menu.
You don't need to do that, as we have already placed the agents on the VMs that we will encrypt.
The Policy Agent is an in-guest agent that handles the encryption of data and, optionally, the boot drive. More on that later.
Select Windows VM Set
1. Select the Windows VM Set and scroll to the bottom of the page.
2. Click "5 minutes" (the current heartbeat interval).
Set Heartbeat Interval
1. Enter "30".
2. Select "Seconds".
3. Click "Save".
Select Linux VM Set
1. Select the Linux VM Set and scroll to the bottom of the page.
2. Click "5 minutes" (the current heartbeat interval).
Set Heartbeat Interval
1. Enter "30".
2. Select "Seconds".
3. Click "Save".
Connect to the Windows VM
On the Desktop, double click the RDP shortcut
This establishes an RDP connection to windows-01a.
Install Policy Agent
1. Double-click the "Data (E)" shortcut on the desktop.
2. Right-click the "hcs-client-agent-3.1.2-8695" file.
3. Click "Run as administrator".
In this lab we will install the policy agent using the GUI, but it is also possible to fully automate the installation and configuration of the policy agent.
Welcome to the Hytrust Setup Wizard
Click "Next"
License Agreement
Click "I Agree"
Choose Install Location
Leave the default location and click "Next"
Choose Components
Make sure that "HT Bootloader" is selected as default and click "Next"
The HyTrust Bootloader for Windows is a tool that is required to encrypt the Windows boot partition using keys that are retrieved, as needed, from the HyTrust KeyControl server.
Drive and Network Configuration
Leave the defaults and click "Install"
Installing
The installation will take a few minutes.
Click on "Show Details" to see the text output from the installation process as shown in this picture.
Note how the installer shrinks the boot partition to make space for the bootloader.
The bootloader is added as an SRP of roughly 100 MB on Windows 7 and Windows 2008 R2, and 350 MB on Windows 2012 and above.
Backup of key file
You are instructed to make a backup copy of the key file id_rsa after the installation of the bootloader. This key is used to access the bootloader via SSH should you run into any problems (it can also be accessed via the VM console). The C: drive is now encrypted, and you will need the key to access it.
However, we are working in a non-production lab environment, so we won't worry too much about that here. In production, store that key file outside the VM with your other break-glass secrets; a copy left only on the encrypted VM itself is no backup at all.
Click "OK" to continue.
Format Disk
If this dialog appears, click "Cancel" and continue.
Reboot
Click "Finish" to reboot the windows VM.
Reboot
Click "Yes" to log off the console session.
Log in to the ESXi host
While the windows VM is rebooting, we will log in to esx-04a to follow the boot process.
1. Click the "+" sign to open a new browser tab.
2. Click the "VMware ESXi - Log in" bookmark.
3. Enter the root credentials and click "Log in".
Credentials are:
User name: root
Password: VMware1!
Select the windows VM
1. Select "windows-01a".
2. Enter the root credentials and click "Log In".
Credentials are:
User name: root
Password: VMware1!
Access the console
Click on the console preview
Bootloader configuration
Monitor the boot process. The VM will restart again as the HyTrust bootloader is installed and configured. This will take a few minutes.
Back to windows
When the installation of the HyTrust bootloader has completed, the VM will boot Windows again.
Connect to the Windows VM
Return to the desktop.
On the Desktop, double click the RDP shortcut
This establishes an RDP connection to windows-01a.
Launch HyTrust GUI
1. Right-click the Windows button in the start menu and start typing "hytrust".
2. HyTrust GUI will appear in the search field.
3. Click "HyTrust GUI".
HyTrust GUI
As you can see, the HyTrust GUI is not registered with the KeyController. You can also see that "Cipher" is none on all devices, which means that nothing is encrypted yet.
Click "Register"
Register with KeyController server
Fill in the following data:
KeyControl Name/IP: 192.168.110.90
Username: secroot
Password: VMware1!
Cloud VM Set: Windows
Leave the rest as default.
Click "Register"
Registration Successful
Click "OK"
Encrypt Data drive
Now we want to encrypt our data drive, the E-drive.
1. Right-click on the E: drive.
2. Click "Add and Encrypt".
Disk Status
Click "Yes" to start the encryption.
The encryption will not take more than a minute or so, as we have very little data on the Data drive. Note that the data on the drive remains available during the encryption process.
Encryption has started
Click "OK"
Monitor the encryption process
You can monitor the encryption process.
Drive Encrypted
After the encryption process has completed, you can see that the cipher has changed from none to AES-XTS-512 and that the device is attached (available).
Start an elevated command prompt
1. In the RDP session, right-click the Windows button in the start menu.
2. Click "Command Prompt (Admin)".
Changing Encryption Key
Type the following to change the encryption key:
hcl rekey status e:
A new encryption key is generated by the KeyController and the data is re-encrypted with the new key, while keeping the data available to users.
In this case, you can see that the encryption process took 61 seconds and that it hascompleted.
AES-NI offload
Type the following:
hccmd check
This command detects whether AES-NI is available on the CPUs the OS is running on. AES-NI speeds up encryption dramatically, as the work is offloaded to dedicated CPU instructions. With AES-NI, encryption and decryption of e.g. a boot device has no perceptible overall performance impact.
Leave the RDP session open.
Return to the KeyController
Return to the KeyController web UI.
You can see that the windows VM has been registered and added to the Windows VM Set.
1. Select the "Cloud" tab.
2. Select the "VMs" tab.
3. Select "windows-01a".
Revoke Authentication
1. Click on "Actions".
2. Click "Revoke Authentication".
Revoke VM
Click "Proceed"
Unauthenticated VM
The page automatically changes to the "Unauthenticated VMs" tab, and you can see that windows-01a is listed as unreachable.
Detached
Return to the RDP session. You can see that the E-drive is in a detached state.
Access E-drive
Return to the command prompt and type:
e:
The E-drive is no longer accessible to the operating system.
Status
Issue the command:
hcl status
This gives you the same information as what is available in the HyTrust GUI.
Re-authenticate
Issue the following command:
hcl auth -a
Enter credentials:
Username: secroot
Password: VMware1!
The VM is now again authenticated to the KeyController.
Status
Issue the following commands:
hcl status
e:
dir
You can see that the E-drive is attached again, and that it is accessible and data can be read from it.
Back Online
Return to the KeyController, and see that windows-01a is now back online.
You might have to refresh the page or wait for 30 seconds.
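The register, revoke and re-authenticate cycle just walked through, as an added example rather than HyTrust code: a Python model of a KeyControl node and an in-guest Policy Agent in which the VM Set's data key lives only in the agent's memory, the agent checks in on the heartbeat interval set earlier (30 seconds), a revoked VM loses the key and sees its encrypted device detached on the next heartbeat, and an `hcl auth`-style re-authentication re-attaches it. The server stand-in, the credential check, the rekey step and the toy sector cipher (a SHA-256 keystream standing in for AES-XTS-512) are all assumptions; the real agent's on-disk format and wire protocol are not modelled.

```python
"""Toy model of the KeyControl <-> Policy Agent cycle exercised in the lab.
Added example, not HyTrust code: the server stand-in, credential check,
rekey step and sector cipher are assumptions built on the lab narrative."""
import hashlib
import secrets

SECTOR = 32  # toy sector size in bytes (assumption)

def keystream(key: bytes, sector: int) -> bytes:
    # SHA-256(key || sector) stands in for AES-XTS with the sector as tweak; it is NOT AES-XTS.
    return hashlib.sha256(key + sector.to_bytes(8, "big")).digest()

def xor_sectors(key: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts sector by sector (XOR is its own inverse)."""
    out = bytearray()
    for off in range(0, len(data), SECTOR):
        out.extend(b ^ k for b, k in zip(data[off:off + SECTOR], keystream(key, off // SECTOR)))
    return bytes(out)

class KeyControl:
    """Stand-in for the KeyControl node (192.168.110.90 in the lab)."""
    def __init__(self, users: dict):
        self._users = users   # username -> password; the lab uses secroot
        self.vm_sets = {}     # VM Set -> {"key": bytes, "heartbeat": seconds}
        self.vms = {}         # VM name -> {"set": str, "authenticated": bool}

    def create_vm_set(self, name: str, heartbeat_seconds: int = 30) -> None:
        self.vm_sets[name] = {"key": secrets.token_bytes(32), "heartbeat": heartbeat_seconds}

    def register(self, vm: str, vm_set: str, user: str, password: str):
        """Returns the VM Set's data key on success, None if refused."""
        if vm_set not in self.vm_sets or not secrets.compare_digest(self._users.get(user, ""), password):
            return None
        self.vms[vm] = {"set": vm_set, "authenticated": True}
        return self.vm_sets[vm_set]["key"]

    def heartbeat(self, vm: str) -> bool:              # what the agent learns each interval
        return self.vms.get(vm, {}).get("authenticated", False)

    def revoke_authentication(self, vm: str) -> None:  # Actions -> Revoke Authentication
        self.vms[vm]["authenticated"] = False

    def rekey(self, vm_set: str) -> bytes:             # issue a fresh key for the set
        self.vm_sets[vm_set]["key"] = secrets.token_bytes(32)
        return self.vm_sets[vm_set]["key"]

class PolicyAgent:
    """Stand-in for the in-guest Policy Agent driven by hcl / the HyTrust GUI."""
    def __init__(self, vm: str, kc: KeyControl):
        self.vm, self.kc, self.vm_set = vm, kc, None
        self._key = None      # data key lives in memory only, never on disk
        self.devices = {}     # "e:" -> {"cipher", "state", "blob"}

    def register(self, vm_set: str, user: str, password: str) -> None:  # hcl register / GUI Register
        key = self.kc.register(self.vm, vm_set, user, password)
        if key is None:
            raise PermissionError("KeyControl refused registration")
        self.vm_set, self._key = vm_set, key

    def add_and_encrypt(self, device: str, plaintext: bytes) -> None:   # GUI "Add and Encrypt"
        self.devices[device] = {"cipher": "AES-XTS-512", "state": "attached",
                                "blob": xor_sectors(self._key, plaintext)}

    def heartbeat(self) -> None:
        """Runs every heartbeat interval (30 s in the lab); a revoked VM drops its key and detaches."""
        if not self.kc.heartbeat(self.vm):
            self._key = None
            for d in self.devices.values():
                d["state"] = "detached"

    def auth(self, user: str, password: str) -> None:                    # hcl auth -a
        self.register(self.vm_set, user, password)
        for d in self.devices.values():
            d["state"] = "attached"

    def read(self, device: str) -> bytes:
        d = self.devices[device]
        if d["state"] != "attached" or self._key is None:
            raise PermissionError(f"{device} is detached")
        return xor_sectors(self._key, d["blob"])

    def rekey(self) -> None:
        """hcl rekey: re-encrypt every attached device under a fresh key from KeyControl."""
        plain = {name: self.read(name) for name in self.devices}
        self._key = self.kc.rekey(self.vm_set)
        for name, data in plain.items():
            self.devices[name]["blob"] = xor_sectors(self._key, data)

    def status(self) -> dict:                                            # hcl status
        return {name: (d["cipher"], d["state"]) for name, d in self.devices.items()}

def lab_walkthrough():
    """Register, encrypt, rekey, revoke, observe the detach, re-authenticate, read again."""
    kc = KeyControl({"secroot": "VMware1!"})
    kc.create_vm_set("Windows", heartbeat_seconds=30)
    agent = PolicyAgent("windows-01a", kc)
    agent.register("Windows", "secroot", "VMware1!")
    sample = b"constructed sample data on the E: drive"   # constructed input
    agent.add_and_encrypt("e:", sample)
    agent.rekey()
    kc.revoke_authentication("windows-01a")
    agent.heartbeat()
    state_after_revoke = agent.status()["e:"][1]
    try:
        agent.read("e:")
        readable_while_revoked = True
    except PermissionError:
        readable_while_revoked = False
    agent.auth("secroot", "VMware1!")
    return state_after_revoke, readable_while_revoked, agent.read("e:") == sample
```

The point the model makes is the one the lab shows from the GUI: revocation is enforced at the next heartbeat (hence the "wait 30 seconds" notes), the ciphertext on disk is useless to the guest once the key is gone, and re-authentication with valid credentials is the only path back to the data.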
Encrypt Linux Virtual Machine Data
Encryption of data on a Linux VM is much like what you will find on Windows, with even more features available. One major difference is that it is much more command-line driven.
In this step you will be encrypting a Linux VM's data. This step is the last step of Module 5 of this lab.
Launch Putty
Click the Putty icon in the taskbar
SSH to ubuntu-01a
Double click on "ubuntu-01a.corp.local"
Launch the Policy Agent installer
The Putty session should log in using public key authentication. In case it doesn't, use these credentials:
Username: root
Password: VMware1!
The installer file is located in /root folder.
In the Putty session, issue the following commands:
ls
./hcs-client-agent-3.1.2-8695.run
Installing the Policy Agent
Verify that the installation is successful.
Check status
Enter the following command:
hcl status
Like on Windows, you can see that the VM has not been registered yet.
Register with KeyController
To register the linux VM, enter the following command:
hcl register -a 192.168.110.90
Fill in the details, see the arrows:
Username: secroot
Password: VMware1!
VM Set: Linux
Leave the Putty session running.
Return to the KeyController
Verify that ubuntu-01a has been registered with the KeyController, and that it has no drives encrypted yet.
You might have to refresh the page or wait 30 seconds before it appears.
Encrypt data drive
Now we want to encrypt the partition sdb1, as this partition has our data files on it. We need to unmount the data mount point, encrypt the data partition, remount the mount point and verify that the data is accessible.
Issue the following commands:
umount /data
hcl encrypt sdb1
Answer yes "y" to both questions, see the arrows.
To remount the data partition and verify that data is accessible, issue the following commands:
mount -a
cd /data
ls
Verify that some pdf-files are available in the /data folder.
Check status
Issue the command:
hcl status
You can see that the disk sdb1 is now encrypted.
As with the Windows policy agent, the installation and configuration of the agent can be fully automated using command-line parameters. In this lab we use an interactive process for illustration purposes.
Return to the KeyController
On the KeyController, verify that one disk is now encrypted.
You might have to refresh the page or wait 30 seconds before it appears.
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.
Lab SKU: HOL-1781-HBD-1
Version: 20170503-090718