Table of Contents - VMware · 2017. 5. 3. · vCloud Air User Interface ... • Deploy and Backup your first virtual machine inside the vCloud Air portal • Understand the basic

Table of ContentsLab Overview - HOL-1781-HBD-1 - vCloud Air: Jumpstart for vSphere Admins .................2

Lab Guidance and Introduction ............................................................................... 3Module 1 - vCloud Air, Architecture and Consumption Principles......................................9

What is vCloud Air? ............................................................................................... 10vCloud Air Student Check-In ................................................................................. 21

Module 2 - Deploying Workloads in vCloud Air................................................................ 25vCloud Air User Interface ...................................................................................... 26Virtual Data Centers.............................................................................................. 28Edge Gateways in vCloud Air ................................................................................ 32Creating a New VM in vCloud Air........................................................................... 34Backup and Restore of vCloud Air Virtual Machines .............................................. 46Creating a Simple Firewall and NAT Rule in vCloud Air..........................................56

Module 3 - Object Storage .............................................................................................. 67Google Object Storage Overview .......................................................................... 68

Module 4 - Hybrid Cloud Manager................................................................................... 71Hybrid Cloud Manager Overview........................................................................... 72

Module 5 - HyTrust DataControl ...................................................................................... 76Introduction to HyTrust DataControl...................................................................... 77Tour of HyTrust DataControl .................................................................................. 78Encrypt Windows Virtual Machine Data................................................................. 89Encrypt Linux Virtual Machine Data .................................................................... 125

HOL-1781-HBD-1

Page 1HOL-1781-HBD-1

Lab Overview -HOL-1781-HBD-1 - vCloud

Air: Jumpstart forvSphere Admins

HOL-1781-HBD-1


Lab Guidance and IntroductionHOL-1781-HBD-1 - vCloud Air Jump Start for vSphere Admins

This lab will provide you with the basic skills necessary to successfully navigate thevCloud Air User Interface (UI). After completing this lab, you will be able to:

• Understand the different service tiers that vCloud Air offers• Navigate your way around the vCloud Air user interface• Deploy and Backup your first virtual machine inside the vCloud Air portal• Understand the basic network and security principles required to connect a

virtual machine to an external network• Learn about encryption using HyTrust DataControl

The tasks above are split up into 5 Lightning Lab modules, each is designed to takebetween 5-45 minutes to complete. You will have a total of 90 minutes to complete thislab sitting. Depending on how much time you have available, you can go through thislab all at once, or choose to break them up over several lab sittings.

The tasks are broken up into the following modules:

Module 1: vCloud Air, Architecture and Consumption Principles (30 mins)

• What is vCloud Air?• vCloud Air Student Check-In

Module 2: Deploying Workloads in vCloud Air (45 mins)

• vCloud Air User Interface• Virtual Data Centers• Edge Gateways in vCloud Air• Creating a New VM in vCloud Air• Backup and Restore of vCloud Air Virtual Machines• Creating a Simple Firewall and NAT Rule in vCloud Air

Module 3: Object Storage (15 mins)

• Google Object Storage Overview

Module 4: Hybrid Cloud Manager (15 mins)

• Hybrid Cloud Manager Overview

Module 5: HyTrust DataControl (45 mins)

• Introduction to HyTrust DataControl• Tour of HyTrust DataControl

HOL-1781-HBD-1


• Encrypt Windows Virtual Machine Data• Encrypt Linux Virtual Machine Data

_____________________________________________________________________________________

Lab Captains:

• Module 1 - Roberto Canton, Sr. Systems Engineer, vCloud Air -Southeast, USA




• Module 5 - Michael Federman, Sr. Technical Account Manager, USA

Next Steps: Upon completion of this lab, you may consider taking one of the followinglabs for additional guidance on vCloud Air:

• HOL-1782-HBD-1– VMware vCloud Air: Data Center Extension• HOL-1783-HBD-2– vCloud Air Manage Your Cloud• HOL-1783-USE-1 - vCloud Air Manage Your Hybrid Cloud• HOL-1784-HBD-1 - vCloud Air Disaster Recovery

IMPORTANT! Please note that in this lab you are working in a "LIVE" vCloud Airinstance. External access from the lab environment to the internet will be providedthrough the browser.

_____________________________________________________________________________________

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages. To set your language preference and havea localized manual deployed with your lab, you may utilize this document to help guideyou through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf

Please feel free to ask questions and enjoy the experience!

Location of the Main Console

1. The area in the RED box contains the Main Console. The Lab Manual is on the tabto the Right of the Main Console.

HOL-1781-HBD-1


http://docs.hol.vmware.com

http://docs.hol.vmware.com/announcements/nee-default-language.pdf

2. A particular lab may have additional consoles found on separate tabs in the upperleft. You will be directed to open another specific console if needed.

3. Your lab starts with 90 minutes on the timer. The lab can not be saved. All yourwork must be done during the lab session. But you can click the EXTEND toincrease your time. If you are at a VMware event, you can extend your lab timetwice, for up to 30 minutes. Each click gives you an additional 15 minutes.Outside of VMware events, you can extend your lab time up to 9 hours and 30

minutes. Each click gives you an additional hour.

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing itin, there are two very helpful methods of entering data which make it easier to entercomplex data.

HOL-1781-HBD-1


Click and Drag Lab Manual Content Into Console ActiveWindow

You can also click and drag text and Command Line Interface (CLI) commands directlyfrom the Lab Manual into the active window in the Main Console.

Accessing the Online International Keyboard

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

<div class="player-unavailable"><h1 class="message">An error occurred.</h1><div class="submessage"><ahref="http://www.youtube.com/watch?v=xS07n6GzGuo" target="_blank">Try watching this video on www.youtube.com</a>, or enableJavaScript if it is disabled in your browser.</div></div>

HOL-1781-HBD-1


Click once in active console window

In this example, you will use the Online Keyboard to enter the "@" sign used in emailaddresses. The "@" sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.2. Click on the Shift key.

Click on the @ key

1. Click on the "@" key.

Notice the @ sign entered in the active console window.

Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicatingthat Windows is not activated.

HOL-1781-HBD-1


One of the major benefits of virtualization is that virtual machines can be moved andrun on any platform. The Hands-on Labs utilizes this benefit and we are able to run thelabs out of multiple datacenters. However, these datacenters may not have identicalprocessors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoftlicensing requirements. The lab that you are using is a self-contained pod and does nothave full access to the Internet, which is required for Windows to verify the activation.Without full access to the Internet, this automated process fails and you see this

watermark.

This cosmetic issue has no effect on your lab.

Look at the lower right portion of the screen

Please check to see that your lab is finished all the startup routines and is ready for youto start. If you see anything other than "Ready", please wait a few minutes. If after 5minutes you lab has not changed to "Ready", please ask for assistance.

HOL-1781-HBD-1


Module 1 - vCloud Air,Architecture and

Consumption Principles

HOL-1781-HBD-1


What is vCloud Air?VMware vCloud® Air™ is a public cloud service that enables you to quickly and securelytake advantage of the benefits of the cloud while extending and maximizing the value ofyour existing on-premises IT investments. vCloud Air leverages the same tools,technologies and skills that you already have while delivering new cloud capabilitiesthat allow your organization to drive business innovation.

What vCloud Air delivers:

• Infrastructure-as-a-Service - Computing power, storage options, and advancednetworking that integrates with your vSphere environment.

• Robust Hybrid Capabilities - Workload portability, seamless networking, andcommon management make it easy to extend to the cloud from on-premisesenvironments.

• A Platform for Enterprise IT - With app modernization, dev/test, and disasterrecovery, you can address business needs without changing processes.

• Advanced Security - Broad compliance certifications, secure private networkingconnections, data protection, disaster recovery, and dedicated cloud options.

vCloud Air helps you combine on-premises vSphere investments with theagility of public cloud.

The first public cloud to integrate with both VMware NSX and vRealize CloudManagement Platform, vCloud Air was designed specifically with enterprise needs inmind. vCloud Air delivers a true hybrid cloud experience, and is uniquely positioned tosolve critical IT challenges-whether you need an affordable disaster recovery option, anefficient way to extend your data center, or a complete data center replacement.

• Data Center Replacement

"Lift and shift" data center infrastructure from on-premises quickly and efficiently toimplement a secure public cloud architecture. With the scalability, performance, andreliability you require for different workloads, vCloud Air provides consistency with youron-premises environment.

• Data Center Extension

Seamlessly extend your data center infrastructure by adding compute, storage, andnetworking resources from the public cloud. With common management, seamlessnetworking, and unified support, vCloud Air provides a true hybrid experience for thevSphere data center and the next natural step in your virtualization journey.

• Disaster Recovery

Providing a simple and cost-effective portfolio of availability services built on the trustedand secure foundation of vSphere, vCloud Air enables you to safeguard and maximize

HOL-1781-HBD-1


your on-premises vSphere investment by keeping your IT operations up and running inthe event of a disaster.

Consumption Models

There are currently three classes of compute service. Dedicated Cloud, Virtual PrivateCloud (Subscription and On Demand), and Disaster Recovery.

HOL-1781-HBD-1


Dedicated Cloud Details

Dedicated Cloud provides a single-tenant private cloud with dedicated computingservers (air-gapped), layer-2 network isolation for workload traffic, dedicated storagevolumes, and a dedicated cloud management instance. Infrastructure capacity may besubdivided into multiple logically-isolated virtual data centers, each with their ownnetworking edge gateway and resource reservation models.

The Dedicated Cloud baseline offering starts with 35GHz of Compute (vCPU) capacity,240GB of vRAM, and 6TB of Storage. 3 public IP addresses are also provided, as well asa 50 Mbps internet bandwidth that is burstable to 1 Gbps. Direct Connect options areavailable that can provide 1Gbps and 10Gbps of point-to-point connectivity. Customerscan increase the capacity of their dedicated clouds by purchasing additional blocks ofstorage and compute in the increments you see above (35GHz vCPU and 240 GB vRAMfor Compute and 6TB increments for Storage).

Dedicated Cloud is offered on a monthly subscription basis today.

Virtual Private Cloud Details

Virtual Private Cloud

Virtual Private Cloud provides a multi-tenant environment with logically isolatedresources on a shared physical infrastructure, configured as a single virtual data center("VDC") with networking resources.

HOL-1781-HBD-1


The Virtual Private Cloud offering starts at 10Ghz of Compute (vCPU), 20GB of vRAM,and 2TB of Storage. In addition, 2 public IP addresses are provided, as well as a 10 Mbpsnetwork link, burstable to 50 Mbps. Direct Connect options are available that canprovide 1Gbps of point-to-point connectivity.

As with the Dedicated Cloud, customers can increase capacity of their Virtual PrivateClouds by purchasing additional resources in the block sizes reflected above.

Virtual Private Cloud is offered on a monthly subscription basis today.

HOL-1781-HBD-1


Virtual Private Cloud OnDemand

Virtual Private Cloud OnDemand provides a multi-tenant environment with logicallyisolated resources on a shared physical infrastructure, but instead of a subscription itallows customers to consume specific CPU, RAM, and Storage as incremental pay-as-you-go services. Charges are incurred as the resources are consumed (metered byminute) and billed in arrears on a monthly basis.

Virtual Private Cloud OnDemand can be purchased via credits through the SubscriptionPurchasing Program (SPP).

VMware vCloud Air Disaster Recovery

VMware vCloud Air Disaster Recovery is a recovery-as-a-service (RaaS) solution thatintroduces native cloud-based disaster recovery capabilities for VMware vSphere virtualenvironments. Built on VMware's hypervisor-based replication engine, vSphereReplicationTM, vCloud Air Disaster Recovery includes:

• Self-service disaster recovery protection for virtual machines• Recovery point objectives (RPO) from 15 minutes to 24 hours• Readily facilitates failover, failback, and planned migration as needed• Retention of multiple recovery points - up to 24 point-in-time instances• Elastic cloud compute and storage capacity• Support for offline data seeding

HOL-1781-HBD-1


• Private leased line network option• Flexible failover testing

Additional vCloud Air Service Offerings

vCloud Air provides all of the cloud infrastructure required, including all areas ofcompute, storage, networking, security and infrastructure but with enough flexibility toallow customers to bring their own tools, VMs, and third-party licenses. Additionally, thisis entirely seamless with the customer’s own vCloud infrastructure. Customers can bringtheir own tools, VMs, and existing licenses to vCloud Air, and we take care of the rest.This adds to the value proposition of the Hybrid cloud as future expenditures can turnCapEx into OpEx

HOL-1781-HBD-1


VMware vCloud Air Data Protection

VMware vCloud® Air™ Data Protection offers secure, policy-based backup and recoveryin the cloud for virtual machines hosted exclusively on vCloud Air. Available across bothDedicated Cloud and Virtual Private Cloud infrastructure-as-a-service types, DataProtection includes the following feature highlights:

• Backup policy affinity controls per Virtual Data Center (VDC) or per vApp• Daily (24-hour) Recovery Point Objective (RPO) guarantee• Virtual machine (image-level) Restore Granularity Objective (RGO)• Custom backup window scheduling• Configurable data retention• On-demand backups• Synthetic-full backup images• Intelligent consumption tracking and activity reports

vCloud Air Object Storage powered by Google CloudPlatform

VMware vCloud® Air™ Object Storage offers an extremely scalable, cost-effective, anddependable cloud-based storage solution for unstructured data. The service is simple touse, easy to setup, provides global scale and has built-in resiliency. Easily scale up topetabytes and generate real-time intelligence from custom meta-data with vCloud AirObject Storage.

Object Storage powered by Google Cloud Platform provides three storage options:

• Standard Storage• Durable Reduced Availability (DRA) Storage• Nearline Storage

HOL-1781-HBD-1


Object Storage powered by Google Cloud Platform is Generally Available in US, EMEAand APJ.

VMware vCloud Air Advanced Networking Services

VMware vCloud® Air™ Advanced Networking Services offers a set of networking andsecurity services that improves overall network manageability and acceleratesapplication time-to-market by delivering an agile and cost-efficient platform for zero-trust security in the cloud. Built on VMware NSX®technology, these services offercustomers a path towards true hybrid networking.

Key Benefits

• Granular Network Security: vCloud Air Advanced Networking Services re-inventcloud security with micro-segmentation, providing granular network securitywithout sacrificing manageability or flexibility at scale. Microsegmentation

HOL-1781-HBD-1


implemented through fully-stateful kernel based firewall isolate and secure eachvirtual machine (VM) and application down to the Layer 2 level.

• Instant Time to Value: Move to the cloud without having to re-architectapplications or retrain staff. Streamline “as-is” workload portability and networkmirroring in the cloud, allowing the same networking constructs and knowledgeto be applied to the public cloud.

• Cost-Efficient Scaling: Scale security and networks while minimizingadministration costs. Organizations can drive down network administration hassleand costs while enabling new ways to quickly secure, scale, and connect to theircloud workloads.

HOL-1781-HBD-1


vCloud Air Hybrid Cloud Manager

vCloud Air Hybrid Cloud Manager offers vSphere users a seamless option for extendingtheir on-premises data center into vCloud Air. Customers can extend their environmentsto include vCloud Air with L2-WAN network extension. More importantly, customers areable to take advantage of bi-directional workload portability, using zero downtime or lowdowntime replication-based, WAN accelerated application migration. These capabilitiessimplify workload management and enable users to extend their environmentseffectively for a true hybrid cloud experience

HOL-1781-HBD-1


vCloud Air Identity Federation

Identity Federation will align your company directory to granular vCloud Air roles andpermissions.

SAML 2.0 broadly integrates with ADFS, VMware Identity Manager, and many other IdPsto integrate with your preferred solution. Can support two-factor authentication throughIdP. Single Sign-On with your preferred Identity Provider via SAML 2.0. Direct access tovCloud Director Org. Access to higher granularity of permissions.

HOL-1781-HBD-1


vCloud Air Student Check-InAs you will be using a live vCloud Air account for this lab, you first need a username andpassword for login. This account will be specific to this lab. You cannot use an exitingvCloud Air login. The password for this account will be reset after you complete the labor the time expires.

Start Google Chrome

Start Google Chrome from the taskbar.

HOL Student Check-In

The default home page will be http://checkin.vcahol.com Note: http, not https.

If you by accident navigate away from that URL, click the bookmark in the bookmarksbar.

1. Locate Your vCloud Air Account

1. Enter your email address and click Search.2. The username is your login account and StudentID for this lab. Highlight and click

Ctrl+C or Command+C to copy. You will need this later.3. Make note of your password, you will need it to login to a live vCloud Air

environment.4. Cloud URL - This is the link to login to your vCloud Air environment. Make note of

it, or leave the tab open to simply click on it whenever you need to log in tovCloud Air.

HOL-1781-HBD-1


http://checkin.vcahol.com

Only email addresses with an Active vCloud Air Hands-on-lab will be shown.

HOL-1781-HBD-1


2. Login to vCloud Air

Click Sign In

Enter your assigned username and password.

Click Login

Please note: This password will be reset after exiting this lab.

HOL-1781-HBD-1


3. Let The Learning Begin

You now have access to vCloud Air until this lab has been completed or expires.

Please Note: If you receive the error "Service not available message", refreshing yourbrowser should resolve this.

HOL-1781-HBD-1


Module 2 - DeployingWorkloads in vCloud Air

HOL-1781-HBD-1


vCloud Air User InterfaceIn this module you will begin using the new vCloud Air UI.

In an effort to provide the end user easier navigation with advanced capabilities VMwareis introducing a new vCloud Air Portal. This will authenticate users and provideauthorized services from a single page. From this landing page vCloud Director will belaunched for the common administrative tasks. The vCloud Director UI provides a richset of capabilities ranging from quick vApp creation to advanced networkadministration.

vCloud Air Student Check-In

If not already logged in, click on the Cloud URL link in your Chrome browser using theinstructions provided in the vCloud Air Student Check-In step in Module 1.

New vCloud Air User Interface

Welcome to the new vCloud Air User Interface!

The vCloud Air User Interface is comprised of 2 panes:

1. Left Pane - Allows you to access the different Options and/or Services your accounthas been subscribed to such as:

HOL-1781-HBD-1


• Virtual Datacenters - This is where you will manage/create different Virtual DataCenters (VDC) within your Organization

• Networking - This is where you will gain access to all Networking aspects of yourvCloud Air environment, Edge Gateway Services as well as the creation/management of Networks

• Data Protection - This is where you will be able to set backup policies for thoseVM's/vApps created in your vCloud Air environment

• Disaster Recovery - This is where you will be able to manage your vCloud AirDisaster Recovery Virtual Data Centers (This link is disabled for this lab).

• Google Storage - This is where you can manage your Object Storage consumption(This link is disabled for this lab).

2. Right pane - This pane will display the different options based on items selected onthe Left Pane, in the following steps we'll be taking a closer look at each of the differentoptions.

HOL-1781-HBD-1


Virtual Data CentersIn this step you will be looking at a Virtual Data Center in vCloud Air. This step is part ofModule 2 of this lab.



HOL-1781-HBD-1


vCloud Director

Firstly, a quick tutorial on the vCloud Director constructs.

VMware vCloud Director orchestrates the provisioning of software-defined data centerservices as complete virtual data centers that are ready for consumption in a matter ofminutes. Virtual data centers provide virtualized compute, networking, storage, andsecurity that can be provisioned to make relevant workloads operational in minutes.Software-defined data center service and the virtual data centers fundamentally simplifyinfrastructure provisioning, and enable IT to move at the speed of business.

HOL-1781-HBD-1


Organizations

Isolated Multi-tenant Organizations – Administrators can group users into organizationsthat can represent any policy group such as a business unit, division or subsidiarycompany. Each has isolated virtual resources, independent LDAP-authentication, specificpolicy controls, and unique catalogs. These features enable a multi-tenant environmentwith multiple organizations sharing the same infrastructure.

In this lab you are provided a pre-built Organization e.g student501. Within anOrganization is a Organization Virtual Data Center (VDC) that has specific CPU, Memoryand Storage limits assigned. This VDC becomes your isolated resource pool for futurevApps, VMs and the required network services.

Please do not create additional VDCs in this lab. Only use the VDC created for you.

Organization Virtual Data Centers

1. Click on "Virtual Datacenters" in the left pane.2. Click the "Organization VDCs" tab in the right pane.3. Click the "student***" already created for you automatically. We will not be

adding new Virtual Data Centers in this lab

Virtual Data Center Summary

1. You can highlight your "student***" Virtual Data Center2. You have the choice of Creating, Editing, and Deleting VDC's.

You are free to click and examine these options but please do not Create, Edit, or DeleteVDC's so you can keep moving forward with this lab.

HOL-1781-HBD-1


Allocation Models

There are 2 allocation models:

• Reservation Pool - The Reservation Pool Model is useful if you knowyour applications well enough to optimize your own provisioning. This model hasFull Resource Management Controls (reservations, limits, shares) available.Organizations using the Reservation Pool model are charged for vDC capacity.With this model, customers cannot over-commit resources. This modelguarantees 100% commitment of the vDC Allocation.

• Pay-As-You-Go - With this method (also referred to as the Allocation vApp Model) ,you are charged for each vApp virtual machine that is running. The over-commitis controlled by the Customer and the Percentage of Resource Guaranteed controlis available but the Customer can set this to unlimited (Expandable Reservation).This model facilitates an unlimited option similar to Expandable Reservations.

VDC Default Sizes

vCloud Air provides the following default sizes when creating a VDC:

• Small (CPU:10 GHZ, Memory:30 GB, Storage: 500 GB)• Medium (CPU:20 GHZ, Memory:60 GB, Storage: 1024 GB)• Large (CPU:50 GHZ, Memory:150 GB, Storage: 2560 GB)

These default sizes are just for simplicity, customers can custom-size their VDC's asthey deem appropriate.

Storage Types

vCloud Air offers 2 types of Storage:

• Standard• SSD-Accelerated

In this lab we use Standard Storage for all activities.

HOL-1781-HBD-1


Edge Gateways in vCloud AirIn this step you will now learn about Edge Gateways in vCloud Air. This step is part ofModule 2 of this lab.



Exploring an Edge Gateway

Edge Gateway – Integrated NSX capabilities such as perimeter protection, port-levelfirewall, and NAT and DHCP services, offer virtualization-aware security, simplifyapplication deployment and enforce boundaries required by compliance standards.

Integration with NSX offerings adds advanced services such as VXLAN, VPN, firewallhigh availability, network isolation, and web load balancing.

On the left pane, clicking on Networking (1) will display your organizations EdgeGateways and Networks in the right pane.

You can manage both your Organization's Edge Gateways (2) and Networks (3) byclicking on them respectively.

HOL-1781-HBD-1


An Edge Gateway has automatically been created for you with your "student***" name,together with both an Isolated and Routed Network.

Make sure you make a note of the Public IP of your Edge Gateway (5) which you will beusing in a later step.

Gateway Management

1. The Gateway Management tab allows you to Create a new Gateway2. You can also highlight any existing Gateway and Edit that Gateway.3. You can also delete an existing Gateway from your Organization's Virtual Data

Center.4. Clicking on the name of an existing Gateway will open an additional tab in your

browser that will expose the advanced Gateway options which we will beexamining in a later module in this lab.

You are free to examine these options if you wish but please do not Create, Edit orDelete Gateways so you can keep moving forward with this lab.

HOL-1781-HBD-1


Creating a New VM in vCloud AirIn this step you will be creating a new Windows VM in vCloud Air. This step is part ofModule 2 of this lab.



Create a Virtual Machine

1. Click on Virtual Datacenters on the left pane.2. Click the "Organization VDCs" tab.3. Click on your "student***" Virtual Data Center.

HOL-1781-HBD-1


vCloud Director User Interface

Click on the newly opened VMware vCloud Director tab in your Chrome browser.

Create New vApp

1. Click the "My Cloud button.2. Ensure "vApps" is selected on the left pane.3. Click the + sign.

HOL-1781-HBD-1


Select vApp Template

1. Select "Public Catalogs" in the "Look In" drop down box.2. Click the "All Templates" button.3. Select the W2K8-STD-R2-64BIT Windows template.4. Click "Next".

HOL-1781-HBD-1


Select Name and Location

Type "Student***-WinVM" as the Name of your Windows VM, where *** represents yourstudent number, leave all other defaults and click "Next".

HOL-1781-HBD-1


Configure Resources

Type "Student***-WinVM in the Virtual Machine name box and click "Next".

HOL-1781-HBD-1


Configure Networking

1. Enter "***WinVM" for ComputerName where *** is your Student number.2. Select "student***-RoutedNetwork" from drop down box for NIC 0 Network3. Click "Next"

HOL-1781-HBD-1


Customize Hardware

Leave all defaults and click "Next".

HOL-1781-HBD-1


Ready to Complete

Click on "Power on vApp after this wizard is finished" and click the "Finish" button.

VM Creation In Progress

Allow time for VM to complete creating.

HOL-1781-HBD-1


VM Creation Completed

Once VM creation is completed, the Status column reads "Running".

Once the status is "Running" click on the Console to open up a console to this machine.

HOL-1781-HBD-1


Open Console for Newly Created VM

Once this Console opens you will be able to log in to this Windows VM directly from thisinterface.

Later you will be creating Firewall and NAT rules to allow this VM to be accessed fromthe Public internet utilizing a Remote Desktop Client application.

Please Note: You will not be logging into the VM, you are just validating it is up andrunning.

Examining your VM's Properties

1. Click on VMs

2. Right-click anywhere on your VM once highlighted

HOL-1781-HBD-1


3. Select Properties

HOL-1781-HBD-1


VM Properties

Once the Virtual Machine Properties window appears:

1. Click on the Hardware tab

2. Scroll down using the side bar

3. Make a note of your Virtual Machine's IP Address as you will need it in a later step.

Feel free to browse the different tabs. Click Ok to return to the previous window.

HOL-1781-HBD-1


Backup and Restore of vCloud AirVirtual MachinesWhat is Data Protection?

Data Protection is an optional data backup and recovery feature for VMware vCloud Airthat enables self-service, policy-based protection of business-critical data by backing upvApps and their associated virtual machines within Dedicated or Virtual Private Cloudservice types. Compared to traditional file-based backup and recovery solutions, image-level backups are used in Data Protection to ensure all operating system, file systemand application data encapsulated within a virtual machine are captured as a snapshotimage before being committed to backup media.

VMware vCloud® Air™ Data Protection offers secure, policy-based backup and recoveryin the cloud for virtual machines hosted exclusively on vCloud Air. Available across bothDedicated Cloud and Virtual Private Cloud infrastructure-as-a-service types, DataProtection includes the following feature highlights:

• Backup policy affinity controls per Virtual Data Center (VDC) or per vApp

• Daily (24-hour) Recovery Point Objective (RPO) guarantee

• Virtual machine (image-level) Restore Granularity Objective (RGO)

• Custom backup window scheduling

• Configurable data retention

• On-demand backups

• Synthetic-full backup images

• Intelligent consumption tracking and activity reports

This step is part of Module 2 of this lab.

HOL-1781-HBD-1




HOL-1781-HBD-1


Data Protection User Interface

1. Click on Data Protection on the left pane in order to display the Dashboard for theData Protection service. The Data Protection Dashboard shows you at a highlevel, usage dashboards of how many Virtual Data Centers you are protectingwith the service as well as the consumption per Virtual Data Center.

2. Ensure the Dashboard tab is selected.3. This area of the dashboard shows you the amount of Virtual Data Centers that are

being protected. You can set backup and retention policies at the Virtual DataCenter level so that any VM you create in this Virtual Data Center, inherits thosepolicies and will be backed up and the intervals you set for the Virtual DataCenter.You can also click on the Virtual Data Centers tab to view your DataProtection activity on a per Virtual Data Center basis.

4. This area shows you the amount of vApps you are protecting. Remember, vAppscan be comprised of one or more VM's.

5. This shows you the amount of Storage your backups are consuming.6. This area shows you the amount of vApps that have been deleted but are still

kept in the Data Protection service based on your policies.7. Shows you the trend in Storage consumption for the Data Protection service.8. Shows you the amount of Storage your deleted vApps are consuming.

Create a Data Protection Policy at the Virtual Data CenterLevel

1. Click on "Data Protection" in the left pane.2. Click the "Virtual Datacenters" tab on the right pane.3. Make sure your Virtual Data Center (Student***) is selected.

HOL-1781-HBD-1


4. Click on the arrow next to "Actions" for the drop down menu to appear.5. Select Configure Policy.

Configure Policy

1. Select Weekly for Frequency.2. Select 03:00 (3 AM) for the Schedule and leave "Every Sunday" selected.3. Select Pacific Time (PST) for the TimeZone.4. Type 5 for the amount of days in the Retention Period box.5. Click "Apply" button.

HOL-1781-HBD-1


Configure Email Address

1. Click on "Data Protection" in the left pane.2. Click the "Virtual Datacenters" tab on the right pane.3. Make sure your Virtual Data Center (Student***) is selected.4. Click on the arrow next to "Actions" for the drop down menu to appear.5. Select "Configure Email Address". The Data Protection service will notify you at

this email address every time your Policy runs successfully or fails. You can alsonotice that since we established a Virtual Data Center policy in the previous step,you can now Edit or Remove that Policy.

Configure Email Address for VDC

Enter your email address in the box provided and click Save. You can enter more thanone email address separated by a comma, for the purpose of this lab, just enter one.

Create a Data Protection Policy at the vApp Level

1. Click on "Data Protection" in the left pane.2. Click the "Virtual Datacenters" tab on the right pane.3. Make sure your Virtual Data Center (Student***) is selected.4. Click on your VM (Student***-WinVM).

HOL-1781-HBD-1


5. Click on the icon with the "+" sign to add a policy at the vApp level. The otheroptions are Remove a policy ("-" negative sign icon), Edit a Policy (the icon withthe little Pencil), Run Adhoc Backup (the icon with the check mark), and ConfigureEmail Address icon.

Apply Policy for vApp

1. Select Daily for Frequency.2. Select 03:00 for Schedule (3 AM).3. Select Pacific Time for TimeZone.4. Select 2 days for Retention Period.5. Click "Apply" button.

HOL-1781-HBD-1


Data Protection Policy Setup Conclusion

You have successfully created 2 Data Protection Policies, one at the Virtual Data CenterLevel and one at the vApp level.

1. Virtual Data Center level backup policy - Any vApp you create from this point onwill automatically inheret this backup policy created at the vDC level.

2. vApps Level Policy - Because your vApp policy requires more frequent backupsthan your vDC policy, it will run Daily versus the Weekly requirement at the vDClevel.

Restoring from Backups

Once you have successfully backed up your vApps, the Data Protection User Interfacewill display the amount of Restore Points you can recover from. Clicking on the numberunderlined under the Restore Points column will allow you to restore from thosebackups. We will examine those options next.

KEEP IN MIND THAT THESE STEPS MAY NOT BE ABLE TO BE DONE BY YOU AS NOTENOUGH TIME HAS GONE BY FOR RESTORE POINTS TO BE READY TO PERFORM THESEACTIONS. THESE STEPS ARE FOR REFERENCE SO YOU CAN FOLLOW THE INTERFACE ASTO WHERE YOU WOULD FIND THEM.

HOL-1781-HBD-1


Restore Points

Clicking on the underlined number of Restore Points takes you to the Restore Points foryour vApp as shown above.

You can highlight any of the Restore Points and do an "In Place Restore", "Out of PlaceRestore", or "Delete All Restore Points".

HOL-1781-HBD-1


In Place Restores

In Place Restore option allows you restore the Entire vApp or Select a specific VirtualMachine(s) to restore. Remember that a vApp can be comprised of one or multiple VM's.Because our vApp only has one VM, we can Select Entire vApp or click on the SelectSpecific Virtual Machines to restore button and select our VM under Virtual Machines.You are free to click on the Restore button, but in the interest of time please continuewithout waiting for the vApp/VM to restore.

Keep in mind that an In Place Restore will replace the VM currently running.

HOL-1781-HBD-1


Out of Place Restore

Out of Place Restore allows you to Restore a VM backed up with Data Protection to a VMthat does not replace the currently running VM. Just like with an In Place Restore, youcan restore the Entire vApp or a Select VM from within the vApp.

Congratulations you have completed this Module.

HOL-1781-HBD-1


Creating a Simple Firewall and NATRule in vCloud AirIn this step you will be creating a NAT (Network Address Translation) and a Firewall ruleto allow your currently creating VM to be accessed via an RDP (Remote DesktopProtocol) client from the public internet without the need of a VPN or Direct Connectprivate connection. This step is the last step of Module 2 of this lab.



HOL-1781-HBD-1


Create NAT Rule for RDP

1. Click on "Networking".2. Click on "Gateway Management".3. Click on your Gateway "student***". This will open another tab in your browser.

Create NAT Rule (Cont...)

1. Click on "Student***" tab in your browser.2. Click the "NAT" tab.3. Click the "+" plus sign and select "Add DNAT Rule".

Add DNAT Rule

1. Select "student***-RoutedNetwork" from the drop down box. This is the routedNetwork attached to your Edge Gateway that the Virtual Machine you created isattached to.

HOL-1781-HBD-1


2. Type the Public IP of your Student*** Edge Gateway.3. Choose "tcp" from the drop down box for Protocol.4. Choose "Any" for "Original Port/Range".5. Type the IP address of your Windows VM you created in your previous step for

"Translated IP/Range".6. Type "3389" for "Translated Port/Range".7. Make sure "Enabled" is selected.8. Click the "OK" button.

HOL-1781-HBD-1


Publish Changes

Make sure you click on "Publish Changes" for your changes to take effect.

HOL-1781-HBD-1


Create Firewall Rule for RDP

1. Click on the "Firewall" tab.2. Click the green "+" plus sign.3. Above the "Default Rule" a blank rule appears, place your cursor over the right

top of the Name field and look for the plus sign (Not visible on picture) and click itto Name the Rule, name it "My RDP Rule".

HOL-1781-HBD-1


Select Source

Click on the "+" plus sing in the Source field (not visible) to add the source for yourFirewall rule.

HOL-1781-HBD-1


Specify Source

1. Select "vNIC Group" from the drop down box under Object Type.2. Select "external" from the Available Objects.3. Click on the arrow to move your selection to the Select Objects Pane.4. Click "OK" button.

HOL-1781-HBD-1


Select Destination

Click on the "+" plus sing in the Destination field (not visible) to add the destination foryour Firewall rule.

HOL-1781-HBD-1


Specify Destination

1. Select "Virtual Machine" from the drop down box for the Object Type.2. Under Available Objects select your "Student***-WinVM" VM you created earlier.3. Click on the arrow to move your VM to the Selected Objects Pane.4. Click "OK" button.

HOL-1781-HBD-1


Select Service

Under the service field, look for the "+" plus sign to select the service for your FirewallRule.

1. In the search field type "rdp" and press Enter.2. Select the RDP selection as shown.3. Click the "OK" button.

HOL-1781-HBD-1


Publish Changes

Click the "Publish" button to publish your changes.

You are now ready to access your VM from the Public Internet utilizing an RDP client.Although for this lab exercise this will not be possible, you have just created a NAT andFirewall rule to allow Remote Desktop Client access to your VM from the Public Internet.

Congratulations, you have completed this module.

HOL-1781-HBD-1


Module 3 - Object Storage

HOL-1781-HBD-1


Google Object Storage OverviewVMware vCloud® Air™ Object Storage offers an extremely scalable, cost-effective, anddependable cloud-based storage solution for unstructured data. The service is simple touse, easy to setup, provides global scale and has built-in resiliency. Easily scale up topetabytes and generate real-time intelligence from custom meta-data with vCloud AirObject Storage.

Object Storage powered by Google Cloud Platform provides three storage options:

• Standard Storage

• Durable Reduced Availability (DRA) Storage

• Nearline Storage

Object Storage powered by Google Cloud Platform is Generally Available in US, EMEAand APJ.

HOL-1781-HBD-1


What is Object Storage?

Objects are stored in buckets in a flat namespace in Object Storage, eliminatingcomplexity and scalability challenges of traditional hierarchical file systems. Granularobject-level security, lifecycle management and versioning features simplify and reducemanagement overhead.

Key Benefits

• Extremely scalable storage with the power of analytics: Get instant and self-service access to storage capacity on-demand that scales up to Petabytes. Buildapplications that are scalable and stop worrying about running out of storagespace. Choose a service and region, to optimize cost, maximize speed, or toassist with regulatory requirements.

• Built-in redundancy with global coverage: Object Storage reduces the need fordata protection with built-in redundancy. Select a storage type based on yourdurability and budget requirements. Object Storage supports global access usecases by providing easy access from any device, anywhere, anytime.

• Cost-effective storage for traditional and new age use cases: Implement ascalable and cost-effective storage solution to free up your valuable resourcesfrom mundane tasks like backup administration. Only pay for resources in use,with no minimum commitments or up-front fees. The economics of ObjectStorage combined with flexible payment options delivers a true elastic pay-as-you-go cloud storage solution for traditional use cases such as backup and fileshare, and new age use cases such as Web 2.0, Big Data, Internet of Things.

HOL-1781-HBD-1


Use Cases

Backup and Archiving: Object Storage is a cost effective way to store data long term.Backup on-premises workloads on Object Storage with leading backup appliances.Object Storage is a lower-cost Disaster Recovery solution (for Tier2/3 workloads) andcan be used to store VMDK snapshots.

Shared Files: Object Storage provides a scalable and cost-effective way set up sharedfile repository. Built-in redundancy and versioning in Object Storage eliminates the needfor backup and recovery. Integrate with storage gateway solutions to create a costeffective file share.

Imaging, Media, Web 2.0: Set up a website containing static web pages, images, orother media files, in a few simple steps. Speed up website rendering with the help ofContent Delivery Networks (CDN) if the website contains large media files such asvideos and high resolution images.

HOL-1781-HBD-1


Module 4 - Hybrid CloudManager

HOL-1781-HBD-1


Hybrid Cloud Manager OverviewThis module contains the following lessons:

• Hybrid Cloud Manager Introduction

Hybrid Cloud Manager Introduction

This is an overview of Hybrid Cloud Manager (HCM). To learn more see theHOL-1782-HBD-1 VMware vCloud Air: Data Center Extension.

Make the cloud an extension of on-premises data centers by seamlessly extendingexisting networks to the cloud and moving live workloads to and from the cloud withzero downtime. VMware vCloud® Air™ Hybrid Cloud Manager™ improves on the hybridbenefits of VMware vCloud® Air™ by adding workload migration, data center networkextension and hybrid management features within the vSphere Web Client. vCloud AirHybrid Cloud Manager uses software defined WAN (SD-WAN) technologies to virtuallyshorten the distance between private data centers and public cloud, allowing vCloud Airnetworks to perform as if they were truly just another part of the private data center, allfrom within the familiar interfaces of vSphere.

HOL-1781-HBD-1


http://labs.hol.vmware.com/HOL/console/lab/HOL-HBD-1681-HOL/NEE-1137922195938026/#tag/l434156

56420?data-resolve-url=true&data-manual-id=56420


What's New with HCM

• Live, zero downtime, long distance migration of vSphere workloads to the cloud• Seamless network integration between private & public data centers• Ability to migrate NSX security policies to vCloud Air for security & compliance• Software-defined WAN (SD-WAN) technology to make the WAN perform more like

a LAN• Bi-directional workload portability• Compatibility with on-premises vSphere workloads

vMotion to vCloud Air

<div class="player-unavailable"><h1 class="message">An error occurred.</h1><div class="submessage"><ahref="http://www.youtube.com/watch?v=91w3952iiqY" target="_blank">Try watching this video on www.youtube.com</a>, or enableJavaScript if it is disabled in your browser.</div></div>

HOL-1781-HBD-1


Here you can see a vMotion from a local vCenter Server to vCloud Air (no audio).

vMotion From vCloud Air

Here you can see a vMotion from vCloud Air back to the local vCenter Server (no audio).

<div class="player-unavailable"><h1 class="message">An error occurred.</h1><div class="submessage"><ahref="http://www.youtube.com/watch?v=57MByAMfHVA" target="_blank">Try watching this video on www.youtube.com</a>, or enableJavaScript if it is disabled in your browser.</div></div>

HOL-1781-HBD-1


HCM Components

Hybrid Cloud Manager is a single install that delivers on a number of hybrid use cases:

• A seamless hybrid experience to administer, consume, and manage yourresources across private and public clouds.

• Manage migration of workloads between clouds with zero to low downtime usingreplication-based technology and WAN acceleration

• Extend your security & networking policies from your data center to vCloud Air,including the ability to stretch multiple Layer 2 network segments from on-premises to the cloud

To learn more see the HOL-1782-HBD-1 VMware vCloud Air: Data Center Extension.

HOL-1781-HBD-1




Module 5 - HyTrustDataControl

HOL-1781-HBD-1


Introduction to HyTrust DataControlHyTrust has worked closely with VMware and the vCloud Air team to develop encryptionand key management software for vCloud Air. With HyTrust DataControl you can takeadvantage of the cost effective agility you get with the cloud while being confident thatnobody can read your data because it is encrypted and you control the encryption keys.Best of all, it’s fast and easy to deploy and manage, and the encryption travels withyour VMs. This step is part of Module 5 of this lab.

HyTrust DataControl Architecture

HyTrust DataControl encrypts data from within the OS of a virtual machine. Keymanagement is policy-based and easy to deploy on premises or in the cloud.

HOL-1781-HBD-1


Tour of HyTrust DataControlWe will start by investigating the features and functions of HyTrust DataControl in thisstep. This step is part of Module 2 of this lab.

Start Google Chrome

Start Chrome by clicking the shortcut in the taskbar or on the desktop.

Go to HyTrust DataControl

Click the HyTrust DataControl bookmark in the bookmarks toolbar.

Log in to DataControl

Sign-in using the credentials:

User name: secrootPassword: VMware1!

HOL-1781-HBD-1


System Recovery

If you don't see this on the screen, then continue from this step: Security

If you see this on the screen, you have triggered a HyTrust security feature, whichprotects HyTrust DataControl from being moved to new hardware in attempt tocompromise the key controller.

The reason behind this, is that the Hands-On Labs run on a number of different cloudsaround the world, where the underlying hardware is different from the environment onwhich this lab was built.

Click "Recovery using Keypart Upload"

HOL-1781-HBD-1


Recover Master Key

1. Click "Browse"

HOL-1781-HBD-1


Select AdminKey.txt

We have placed a copy of the admin key on the desktop.

1. Go to the Desktop2. Select "AdminKey.txt"3. Click "Open"

HOL-1781-HBD-1


Upload file

1. Click "Upload file"

Wait a moment while the master key is being restored, and you should be taken back tothe Sign-in screen.

HOL-1781-HBD-1


Log in to DataControl

Sign-in using the credentials:

User name: secrootPassword: VMware1!

HOL-1781-HBD-1


Security

1. Go to the Security tab2. Select the secroot user

Scroll down to the bottom of the page.

HOL-1781-HBD-1


Security Roles

Select "Privileges & Groups"

HyTrust KeyControl supports three distinct administrator roles, each with distinctprivileges. Roles can be combined in any manner. A small organization may have anadministrator with all roles. A Cloud Service Provider who manages multiple customersmay have different VM Set administrators for different customers. The three types ofroles are:

Security Administrator: Manages users and groups, master key management and auditlogs.

Domain Administrator: Manages KeyControl nodes, KeyControl backup and restore.

Cloud Administrator: Manages VM sets, encryption of disks, control VM key access

Cluster

1. Scroll back to the top of the page and click on the "Cluster" tab

In every production system there is an active-active cluster of KeyControl servers thatmanage encryption within individual virtual/physical machines. All administration takesplace from a standard web browser to any node in the KeyControl cluster or from a setof REST-based APIs. KeyControl servers typically reside in your data center but could berun out of the public cloud as well.

HOL-1781-HBD-1


This, however, is not a production environment, so we only have a single KeyControlnode.

2. Click on "Servers" to explore the single cluster node.

HOL-1781-HBD-1


Cluster nodes

Here you can see the KeyController cluster nodes. In this case only one node has beeninstalled. Select cluster node to explore details about it.

HOL-1781-HBD-1


Cloud

Click on the "Cloud" tab.

Here you will manage your inventory of virtual machines. By using VM Sets, you cancreate "encryption groups" that use the same encryption key, and therefore canexchange encrypted objects.

HOL-1781-HBD-1


Encrypt Windows Virtual Machine DataIn this step you will encrypting a Windows VM's Data. This step is part of Module 5 ofthis lab.

Create VM Sets

Still in the HyTrust KeyControl web interface, do the following.

1. Click the "Cloud" tab2. Click "Actions"3. Click "Create New Cloud VM Set"

HOL-1781-HBD-1


Create Windows VM Set

Create a VM Set named Windows

1. Type "Windows"2. Click "Create"

Create another VM Set

Click "Create More"

HOL-1781-HBD-1


Create Linux VM Set

Create a VM Set named Linux

1. Type "Linux"2. Click "Create"

Close the dialog

Click "Close"

Agent Download

Notice that you can download a Policy Agent from the Actions menu.

You don't need to do that, as we have already placed the agents on the VMs that we willencrypt.

HOL-1781-HBD-1


The Policy Agent is an in-guest agent, that handles the encryption of data andpotentially the boot drive. More on that later.

Select Windows VM Set

1. Select the Windows VM Set and scroll to the bottom of the page2. Click "5 minutes"

Set Heartbeat Interval

1. Enter "30"

HOL-1781-HBD-1


2. Select "Seconds"3. Click "Save"

Select Linux VM Set

1. Select the Linux VM Set and scroll to the bottom of the page2. Click "5 minutes"

HOL-1781-HBD-1


Set Heartbeat Interval

1. Enter "30"2. Select "Seconds"3. Click "Save"

Connect to the Windows VM

On the Desktop, double click the RDP shortcut

This establishes an RDP connection to windows-01a.

HOL-1781-HBD-1


Install Policy Agent

1. Double Click the "Data (E)" shortcut on the desktop2. Right click the "hcs-client-agent-3.1.2-8695" file3. Click "Run as administrator"

In this lab, we will install the policy agent using the GUI, but it is also possible to fullyautomate the installation and configuration of the policy agent.

HOL-1781-HBD-1


Welcome to the Hytrust Setup Wizard

Click "Next"

HOL-1781-HBD-1


License Agreement

Click "I Agree"

HOL-1781-HBD-1


Choose Install Location

Leave the default location and click "Next"

HOL-1781-HBD-1


Choose Components

Make sure that "HT Bootloader" is selected as default and click "Next"

The HyTrust Bootloader for Windows is a tool that is required to encrypt the Windowsboot partition using keys that are retrieved, as needed, from the HyTrust KeyControlserver.

HOL-1781-HBD-1


Drive and Network Configuration

Leave the defaults and click "Install"

HOL-1781-HBD-1


Installing

The installation will take a few minutes.

Click on "Show Details" to see the text output from the installation process as shown onthis picture.

Note how the installer shrinks the boot partition to make space for the bootloader.

The bootloader is added as an SRP of roughly 100 MB on Windows 7 and Windows 2008R2, and 350 MB on Windows 2012 and above.

HOL-1781-HBD-1


Backup of key file

You are instructed to make a backup copy of the key file id_rsa aYer the installaPon ofthe bootloader. This is used to access the bootloader via SSH should you run into anyproblems (it can also be accessed via VM console). The C: drive is now encrypted, andyou will need the key to access it.

However, we are working in a non production lab environment, so we don't care toomuch about that.

Click "OK" to continue.

Format Disk

If this dialog appears, click "Cancel" and continue.

HOL-1781-HBD-1


Reboot

Click "Finish" to reboot the windows VM.

Reboot

Click "Yes" to log off the console session.

Log in to the ESXi host

While the windows VM is rebooting, we will log in to esx-04a to follow the boot process.

1. Click the "+" sign to open up a new browser tab

HOL-1781-HBD-1


2. Click the "VMware ESXi - Log in" bookmark3. Enter the root credentials and click "Log in"

Credentials are:

User name: rootPassword: VMware1!

Select the windows VM

1. Select "windows-01a"2. Enter the root credentials and click "Log In"

Credentials are:

HOL-1781-HBD-1


User name: rootPassword: VMware1!

Access the console

Click on the console preview

Bootloader configuration

Monitor the boot process. The VM will restart again as the HyTrust bootloader is installedand configured.

HOL-1781-HBD-1


This will take a few minutes.

HOL-1781-HBD-1


Back to windows

When the installation of the HyTrust bootloader has completed, the VM will bootWindows again.

HOL-1781-HBD-1


Connect to the Windows VM

Return to the desktop.

On the Desktop, double click the RDP shortcut

This establishes an RDP connection to windows-01a.

HOL-1781-HBD-1


Launch HyTrust GUI

1. Right-click the Windows button in the start menu, and start typing "hytrust"2. HyTrust GUI will apear in the search field3. Click "HyTrust GUI"

HOL-1781-HBD-1


HyTrust GUI

As you can see, the HyTrust GUI is not registered with the KeyController. You can alsosee, that "Cipher" is none on all devices, which means that nothing is encrypted yet.

Click "Register"

HOL-1781-HBD-1


Register with KeyController server

Fill in the following data:

KeyControl Name/IP: 192.168.110.90Username: secrootPassword: VMware1!Cloud VM Set: Windows

Leave the rest as default.

Click "Register"

Registration Successful

Click "OK"

HOL-1781-HBD-1


Encrypt Data drive

Now we want to encrypt our data drive, the E-drive.

1. Right click on the E: drive2. Click "Add and Encrypt"

Disk Status

Click "Yes" to start the encryption.

The encryption will not take more than a minute or so, as we have very little data on theData drive. Note that the data on the drive will remain available during the encryptionprocess.

HOL-1781-HBD-1


Encryption has started

Click "OK"

Monitor the encryption process

You can monitor the encryption process.

HOL-1781-HBD-1


Drive Encrypted

After the encryption process has completed, you can see that the cipher has changedfrom none to AES-XTS-512 and that the device is attached (available).

HOL-1781-HBD-1


Start an elevated command prompt

1. In the RDP session, right-click the Windows button in the start menu2. Click "Command Prompt (Admin)"

HOL-1781-HBD-1


Changing Encryption Key

Type the following to change the encryption key:

hcl rekey status e:

A new encrypPon key is generated by the KeyController and the data is re-encryptedwith the new key, while keeping the data available to users.

In this case, you can see that the encryption process took 61 seconds and that it hascompleted.

HOL-1781-HBD-1


AES-NI offload

Type the following:

hccmd check

This command detects if AES-NI is available on the CPUs that the OS is running on. AES-NI speeds up the encryption process dramatically, as the encryption is offloaded tospecific hardware features. Due to AES-NI, encryption and decryption of e.g. a bootdevice will have no perceptible overall performance impact.

Leave the RDP session open.

HOL-1781-HBD-1


Return to the KeyController

Return to the KeyController web UI.

You can see, that the windows VM has been registered, and added to the Windows VMSet.

1. Select the "Cloud" tab2. Select the "VMs" tab3. Select "windows-01a"

Revoke Authentication

1. Click on "Actions"2. Click "Revoke Authentication"

HOL-1781-HBD-1


Revoke VM

Click "Proceed"

Unauthenticated VM

The page automatically changes the "Unauthenticated VMs" tab, and you can see thatwindows-01a is listed as being unreachable.

HOL-1781-HBD-1


Detached

Return to the RDP session. You can see that the E-drive is in a detached state.

Access E-drive

Return to the command prompt and type:

e:

The E-drive is no longer accessible to the operating system.

HOL-1781-HBD-1


Status

Issue the command:

hcl status

This gives you the same information as what is available in the HyTrust GUI.

HOL-1781-HBD-1


Re-authenticate

Issue the following command:

hcl auth -a

Enter credentials:

Username: secrootPassword: VMware1!

The VM is now again authenticated to the KeyController.

HOL-1781-HBD-1


Status

Issue the following commands:

hcl statuse:dir

You can see that the E-drive is now attached again, and that the E-drive is accessibleand data can be read from it.

HOL-1781-HBD-1


Back Online

Return to the KeyController, and see that windows-01a is now back online.

You might have to refresh the page or wait for 30 seconds.

HOL-1781-HBD-1


Encrypt Linux Virtual Machine DataEncryption of data on a Linux VM is much like what you will find in Windows, with evenmore features available. One major difference, is that it's much more command linedriven.

In this step you will encrypting a Linux VM's Data. This step is the last step of Module 5of this lab.

Launch Putty

Click the Putty icon in the taskbar

SSH to ubuntu-01a

Double click on "ubuntu-01a.corp.local"

HOL-1781-HBD-1


Launch the Policy Agent installer

The Putty session should log in using public key authentication. In case it doesn't, usethese credentials:

Username: rootPassword: VMware1!

The installer file is located in /root folder.

In the Putty session, issue the following commands:

ls./hcs-client-agent-3.1.2-8695.run

HOL-1781-HBD-1


Installing the Policy Agent

Verify that the installation is successful.

HOL-1781-HBD-1


Check status

Enter the following command:

hcl status

Like on Windows, you can see that the VM has not been registered yet.

Register with KeyController

To register the linux VM, enter the following command:

hcl register -a 192.168.110.90

Fill in the details, see the arrows:

HOL-1781-HBD-1


Username: secrootPassword: VMware1!VM Set: Linux

Leave the Putty session running.

HOL-1781-HBD-1



Verify that ubuntu-01a has been registered with the KeyController, and that it has nodrives encrypted yet.

You might have to refresh the page or wait 30 seconds before it appears.

HOL-1781-HBD-1


Encrypt data drive

Now we want to encrypt the partition sdb1, as this partition has our data files on it. Weneed to unmount the data mount point, encrypt the data partition, remount the mountpoint and verify that data is accessible.

Issue the following commands:

umount /datahcl encrypt sdb1

Answer yes "y" to both questions, see the arrows.

To remount the data partition and verify that data is accessible, issue the followingcommands:

mount -acd /datals

Verify that some pdf-files are available in the /data folder.

Check status

Issue the command:

HOL-1781-HBD-1


hcl status

You can see that the disk sdb1 is now encrypted.

Like for the Windows policy agent, the installation and configuration of the agent, canbe fully automated by using command line parameters. In this lab, we use an interactiveprocess for illustrational purposes.

HOL-1781-HBD-1



On the KeyController, verify that one disk is now encrypted.

You might have to refresh the page or wait 30 seconds before it appears.

HOL-1781-HBD-1


ConclusionThank you for participating in the VMware Hands-on Labs. Be sure to visithttp://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1781-HBD-1

Version: 20170503-090718

HOL-1781-HBD-1


http://hol.vmware.com/

Documents

Table of Contents - VMware · 2017. 5. 3. · vCloud Air User Interface ... • Deploy and Backup your first virtual machine inside the vCloud Air portal • Understand the basic