Scribd
Upload
85 views156 pages

Laboratorio Vsphere 6.7

Uploaded by

Daniel
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
85 views156 pages

Laboratorio Vsphere 6.7

Uploaded by

Daniel
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 156

HOL-1911-01-SDC

Table of Contents
What's New in vSphere 6.7 - HOL-1911-SDC .................................................................... 2
Lab Guidance .......................................................................................................... 3
Module 1 - vSphere 6.7 Overview (15 minutes) ................................................................ 9
Introduction........................................................................................................... 10
Simple and Efficient Management at Scale ........................................................... 11
Comprehensive Built-in Security ........................................................................... 14
Universal Application Platform .............................................................................. 16
Seamless Hybrid Cloud ......................................................................................... 19
Conclusion............................................................................................................. 21
Module 2 -Simple & Efficient Management at Scale (60 minutes) .................................. 23
Introduction........................................................................................................... 24
Enhanced vCenter Server Appliance ..................................................................... 25
Lifecycle Management Operations ........................................................................ 34
Getting Started with Update Manager .................................................................. 39
Embedded Linked Mode ........................................................................................ 51
Conclusion............................................................................................................. 52
Module 3 - Comprehensive Built-in Security (60 minutes) .............................................. 55
Introduction........................................................................................................... 56
Support for New Security Technologies ................................................................. 57
VM Encryption ....................................................................................................... 59
Configure Hytrust KMS Server in vCenter Server .................................................. 62
Encrypt VMs Using HyTrust KMS Server ................................................................ 83
Set VM to Encrypted vMotion Mode ...................................................................... 94
Configure Windows 10 for VBS............................................................................ 103
FIPS 140-2 Validated Cryptographic Modules by Default ................................... 121
Conclusion........................................................................................................... 122
Module 4 - Universal Application Platform (15 minutes) ............................................... 124
Introduction......................................................................................................... 125
NVIDIA Grid: Optimize GPU Usage For VM on vSphere 6.7 Servers ..................... 126
Persistent Memory .............................................................................................. 127
Cloning a Virtual Machine with Instant Clone ...................................................... 131
Conclusion........................................................................................................... 133
Module 5 - Seamless Hybrid Cloud Experience (15 minutes) ........................................ 135
Introduction......................................................................................................... 136
Migrating Virtual Machines from vCenter to vCenter .......................................... 137
Enhanced vMotion Capability .............................................................................. 150
VMware Cloud (VMC) on AWS.............................................................................. 152
Conclusion........................................................................................................... 154

HOL-1911-01-SDC Page 1
HOL-1911-01-SDC

What's New in vSphere


6.7 - HOL-1911-SDC

HOL-1911-01-SDC Page 2
HOL-1911-01-SDC

Lab Guidance
Note: It may take more than 90 minutes to complete this lab. You don't need
to complete every module during this time; the modules are independent of
each other. You can use the Table of Contents to access any module of your
choosing.

The Table of Contents can be accessed in the upper right-hand corner of the
Lab Manual.

This lab will detail the new features of vSphere 6.7. You will be able to determine if your
business would benefit from any of the vSphere 6.7 enhancements after taking this lab.
Some of the features will be delivered via videos due to the nature of the features.
There is also some hands on work. There are other labs that will give you a more in
depth, hands on experience for each of the four pillars discussed in this lab.

Feel free to explore and look around! This lab contains two vCenter servers which
allows you to experience Enhanced Linked Mode.

• vSphere 6.7 Overview - Highlights New Features


• Simple & Efficient Management at Scale - vSphere & vCenter Server
Enhancements
• Comprehensive Built-in Security - Virtual Based Security (VBS), Trusted Platform
Module 2.0, (TPM), Virtual Trusted Platform Module (vTPM)
• Universal App Platform - Persistent Memory (PMEM), NVIDIA GRID, Remote Direct
Memory Access (RDMA),
• Seamless Hybrid Cloud Experience (Hot & Cold Migration, Hybrid Linked Mode)

Lab Module List:

• Module 1 - vSphere 6.7 Overview (15 minutes) (Basic) Brief overview of


what’s new in the vSphere 6.7 release.
• Module 2 -Simple & Efficient Management at Scale (60 minutes) (60
minutes) (Basic) Explore improvements and new features in ESXi and vCenter
Server management and lifecycle.
• Module 3 - Comprehensive Built-in Security (60 minutes)(Basic)
Experience the improved VM Encryption workflow as well as added support for
TPM 2.0, vTPM, and Virtualization Based Security.
• Module 4 - Universal Application Platform (15 minutes) (Basic) Discover
new vSphere capabilities that make it the platform for all applications including
the most mission critical.
• Module 5 - Seamless Hybrid Cloud (15 minutes)(Basic) Learn how vSphere
6.7 and VMware Cloud on AWS creates a seamless hybrid cloud experience with
easy visibility, migration and management of workloads between on-premises
and public cloud.

HOL-1911-01-SDC Page 3
HOL-1911-01-SDC

Lab Captains:

• Module 1 - 5 - Julie Roman, TAM, USA

Content Leads:

• Module 1 -Himanshu Singh, Sr. Product Line Marketing Manager, USA


• Module 2 - Emad Younis & Eric Gray, Technical Marketing, USA
• Module 3 - Mike Foley, Technical Marketing, USA
• Module 4 - Sudhir Balasubramanian, Vas Mitra, Duncan Epping
• Module 5 - Hybrid Cloud Team

This lab manual can be downloaded from the Hands-on Labs Document site found here:

PDF - http://docs.hol.vmware.com/HOL-2019/hol-1911-01-sdc_pdf_en.pdf

HTML - http://docs.hol.vmware.com/HOL-2019/hol-1911-01-sdc_html_en/

This lab may be available in other languages. To set your language preference and have
a localized manual deployed with your lab, you may utilize this document to help guide
you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf

Location of the Main Console

HOL-1911-01-SDC Page 4
HOL-1911-01-SDC

1. The area in the RED box contains the Main Console. The Lab Manual is on the tab
to the Right of the Main Console.
2. A particular lab may have additional consoles found on separate tabs in the upper
left. You will be directed to open another specific console if needed.
3. Your lab starts with 90 minutes on the timer. The lab can not be saved. All your
work must be done during the lab session. But you can click the EXTEND to
increase your time. If you are at a VMware event, you can extend your lab time
twice, for up to 30 minutes. Each click gives you an additional 15 minutes.
Outside of VMware events, you can extend your lab time up to 9 hours and 30
minutes. Each click gives you an additional hour.

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it
in, there are two very helpful methods of entering data which make it easier to enter
complex data.

Click and Drag Lab Manual Content Into Console Active


Window

You can also click and drag text and Command Line Interface (CLI) commands directly
from the Lab Manual into the active window in the Main Console.

Accessing the Online International Keyboard

HOL-1911-01-SDC Page 5
HOL-1911-01-SDC

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

Click once in active console window

In this example, you will use the Online Keyboard to enter the "@" sign used in email
addresses. The "@" sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.


2. Click on the Shift key.

Click on the @ key

1. Click on the "@ key".

Notice the @ sign entered in the active console window.

HOL-1911-01-SDC Page 6
HOL-1911-01-SDC

Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicating
that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and
run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the
labs out of multiple datacenters. However, these datacenters may not have identical
processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft
licensing requirements. The lab that you are using is a self-contained pod and does not
have full access to the Internet, which is required for Windows to verify the activation.
Without full access to the Internet, this automated process fails and you see this
watermark.

This cosmetic issue has no effect on your lab.

Look at the lower right portion of the screen

HOL-1911-01-SDC Page 7
HOL-1911-01-SDC

Please check to see that your lab is finished all the startup routines and is ready for you
to start. If you see anything other than "Ready", please wait a few minutes. If after 5
minutes your lab has not changed to "Ready", please ask for assistance.

HOL-1911-01-SDC Page 8
HOL-1911-01-SDC

Module 1 - vSphere 6.7


Overview (15 minutes)

HOL-1911-01-SDC Page 9
HOL-1911-01-SDC

Introduction
vSphere 6.7 delivers key capabilities to enable IT organizations to address the following
notable trends that are putting new demands on their IT infrastructure:

• Explosive growth in quantity and variety of applications, from business critical


apps to new intelligent workloads.
• Rapid growth of hybrid cloud environments and use cases.
• On-premises data centers growing and expanding globally, including at the Edge.
• Security of infrastructure and applications attaining paramount importance.

This module will provide an overview of What's New in vSphere 6.7. In later modules
and other labs you can dive futher into the technology. This introductory module
provides the foundation. We will start using the lab in later modules.

Key Features

Simple and Efficient Management at Scale

• Enhanced vCenter Server Appliance Performance


• vSphere Quick Boot
• Single Reboot Upgrade
• Support for 4k Native Storage

Comprehensive Built-in Security

• Integration with Trusted Platform Modules 2.0 (TPM) and vTPM


• Virtual Based Security (VBS)
• Encrypted, Cross vCenter vMotion (xVC vMotion)

Universal App Platform

• Enhancements for Nvidia GRID vGPUs


• vSphere Persistent Memory (PMEM)
• Instant Clone

Seamless Hybrid Cloud Experience

• Hybrid Linked Mode


• Per-VM EVC

HOL-1911-01-SDC Page 10
HOL-1911-01-SDC

Simple and Efficient Management at


Scale
vSphere 6.7 builds on the technological innovation delivered by vSphere 6.5, and
elevates the customer experience to an entirely new level. It provides exceptional
management, simplicity, operational efficiency, and faster time to market, all at scale.

vCenter Server Appliance

vSphere 6.7 delivers an exceptional experience for the user with an enhanced vCenter
Server Appliance (vCSA). It introduces several new APIs that improve the efficiency
and experience to deploy vCenter, to deploy multiple vCenters based on a template, to
make management of vCenter Server Appliance significantly easier, as well as for
backup and restore. It also significantly simplifies the vCenter Server topology through
vCenter with an embedded platform services controller in enhanced linked
mode, enabling customers to link multiple vCenters and have seamless visibility across
the environment without the need for an external platform services controller or load
balancers.

vSphere 6.7 vCSA delivers phenomenal performance improvements (all metrics


compared at cluster scale limits, versus vSphere 6.5):

• 2X faster performance in vCenter operations per second


• 3X reduction in memory usage
• 3X faster DRS-related operations (e.g. power-on virtual machine)

HOL-1911-01-SDC Page 11
HOL-1911-01-SDC

These performance improvements ensure a blazing fast experience for vSphere users,
and deliver significant value, as well as time and cost savings in a variety of use cases,
such as VDI, Scale-out apps, Big Data, HPC, DevOps, distributed cloud native apps, etc.

vSphere - Quick Boot

vSphere 6.7 improves efficiency at scale when updating ESXi hosts, significantly
reducing maintenance time by eliminating one of two reboots normally required for
major version upgrades (Single Reboot). In addition to that, vSphere Quick Boot is a
new innovation that restarts the ESXi hypervisor without rebooting the physical host,
skipping time-consuming hardware initialization. This allows for faster upgrades and
patching.

HTML 5 vSphere Client

Another key component that allows vSphere 6.7 to deliver a simplified and efficient
experience is the graphical user interface itself. The HTML5-based vSphere

HOL-1911-01-SDC Page 12
HOL-1911-01-SDC

Client provides a modern user interface experience that is both responsive and easy to
use. With vSphere 6.7, it includes added functionality to support not only the typical
workflows customers need but also other key functionality like managing NSX, vSAN,
VUM as well as third-party components.

Support for 4k Native Storage

Storage Vendors are moving towards cost-efficient 4K Native (4Kn) drives. The migration
to 4K-sized sectors will provide a shorter path to higher densities and hard drive
capacities as well as more robust error correction. The HDD vendors have been
manufacturing 4K sectored drives by using emulation (a.k.a 512e) in the firmware to
reduce the impact of the format change to the host clients. 512e drives were introduced
to enable the transition to 4Kn drives. Vendors expect mass adoption of 4Kn within the
next few years. Subsequently, VMware has been working to enable 4Kn drives in
vSphere to ensure utilization of the latest technology.

4Kn drives have various benefits over 512 sector size drives. Higher capacity and
improved performance from the more optimized placement of data on the drive.
Efficient space utilization with optimized meta-data giving up to 10% more available
data. Improved drive reliability and error correction with larger meta-data by increasing
the ECC block from 50 to 100 bytes. This provides a much-needed improvement in error
correction efficiency.

The release of vSphere 6.7 4Kn direct attached drives are now supported natively via
4Kn Software Emulation (SWE). The software emulation layer allows the use of 4Kn
drives while still allowing legacy OS, applications, and existing VMs to run on newer 4Kn
drives.

There are some limitations for 4Kn drives; only local SAS, SATA HDDs are supported,
they must use VMFS6, and booting from 4Kn drives requires UEFI. Also, 4Kn SSD, NVMe,
and Raw Device Mapping (RDM) disks for Guest Operating System (GOS) are not
supported. vSAN and VVOL may declare themselves as 512e if they can handle both
512 byte and 4K I/Os without any atomicity issues. Third party multi-pathing plugins are
not supported.

HOL-1911-01-SDC Page 13
HOL-1911-01-SDC

Comprehensive Built-in Security


vSphere 6.7 builds on the security capabilities in vSphere 6.5 and leverages its unique
position as the hypervisor to offer comprehensive security that starts at the core, via an
operationally simple policy-driven model.

Integration with Trusted Platform Modules

A Trusted Platform Module (TPM) is a computer chip/microcontroller that can securely


store artifacts used to authenticate the platform (your PC or laptop). These artifacts can
include measurements, passwords, certificates, or encryption keys. A TPM can also be
used to digitally sign content and store platform measurements that help ensure that
the platform remains trustworthy. The Trusted Computing Group has a detailed overview
of what a TPM is and does.

Since ESXi 5.x, ESXi has had support for TPM 1.2. Prior to 6.7 the APIs and functionality
of TPM 1.2 was limited to 3rd party applications created by VMware partners.

In 6.7 we have introduced support for TPM 2.0. TPM 2.0 and TPM 1.2 are two entirely
different implementations and there is no backwards compatibility. For all intents and
purposes, they are considered two different devices to ESXi.

If you are running 6.5 on a server with TPM 2.0 you will not see the TPM 2.0 device
because there is no support in 6.5 for TPM 2.0. New features in 6.7 do not use the TPM
1.2 device.

At a high level, TPM 2.0 is used to store measurements of a known good boot of ESXi.
This measurement is then compared by vCenter with what ESXi reports.

In other words, the TPM provides a mechanism that provides assurance that ESXi has
booted with Secure Boot enabled. By confirming that Secure Boot is enabled we can
then ensure that ESXi has booted using only digitally signed code.

This is an excellent example of the iterative approach to security we are delivering on.
In 6.5 we delivered Secure Boot support. In 6.7 we built upon that by delivering TPM 2.0
to provide assurance that Secure Boot is turned on.

Virtualization Based Security

vSphere 6.7 introduces support for the entire range of Microsoft's Virtualization Based
Security technologies. This is a result of close collaboration between VMware and
Microsoft to ensure Windows VMs on vSphere support in-guest security features while
continuing to run performant and secure on the vSphere platform.

HOL-1911-01-SDC Page 14
HOL-1911-01-SDC

vSphere 6.7 delivers comprehensive built-in security and is the heart of a secure SDDC.
It has deep integration and works seamlessly with other VMware products such as vSAN,
NSX and vRealize Suite to provide a complete security model for the data center.

Data Encryption

Data encryption was introduced with vSphere 6.5 and very well received. With vSphere
6.7, VM Encryption is further enhanced and more operationally simple to manage.
vSphere 6.7 simplifies workflows for VM Encryption, designed to protect data at rest
and in motion, making it as easy as a right-click while also increasing the security
posture of encrypting the VM and giving the user a greater degree of control to protect
against unauthorized data access. vSphere 6.7 also enhances protection for data in
motion by enabling encrypted vMotion across different vCenter instances as well
as versions, making it easy to securely conduct data center migrations, move data
across a hybrid cloud environment (between on-premises and public cloud), or across
geographically distributed data centers.

HOL-1911-01-SDC Page 15
HOL-1911-01-SDC

Universal Application Platform


vSphere 6.7 is a universal application platform that supports new workloads (including
3D Graphics, Big Data, HPC, Machine Learning, In-Memory, and Cloud-Native) as well as
existing mission critical applications. It also supports and leverages some of the latest
hardware innovations in the industry, delivering exceptional performance for a variety of
workloads.

Enhancements to Nvidia GRID™ vGPU

vSphere 6.7 further enhances the support and capabilities introduced for GPUs through
VMware's collaboration with Nvidia, by virtualizing Nvidia GPUs even for non-VDI and
non-general-purpose-computing use cases such as artificial intelligence, machine
learning, big data and more. With enhancements to Nvidia GRID vGPU technology in
vSphere 6.7, instead of powering off workloads running on GPUs, customers can simply
suspend and resume those VMs, allowing for better lifecycle management of the
underlying host and significantly reducing disruption for end-users. VMware continues to
invest in this area, with the goal of bringing the full vSphere experience to GPUs in
future.

HOL-1911-01-SDC Page 16
HOL-1911-01-SDC

vSphere Persistent Memory (PMEM)

vSphere 6.7 continues to showcase VMware's technological leadership and fruitful


collaboration with our key partners by adding support for a key industry innovation
poised to have a dramatic impact on the landscape, which is persistent memory. With
vSphere Persistent Memory, customers using supported hardware modules, such as
those available from Dell-EMC and HPE, can leverage them as super-fast storage with
high IOPS, or expose them to the guest operating system as non-volatile memory. This
will significantly enhance performance of the OS as well as applications across a variety
of use cases, making existing applications faster and more performant and enabling
customers to create new high-performance applications that can leverage vSphere
Persistent Memory.

Instant Clone

You can use the Instant Clone technology to create powered on virtual machines from
the running state of another powered on virtual machine. The result of an Instant Clone
operation is a new virtual machine that is identical to the source virtual machine. With

HOL-1911-01-SDC Page 17
HOL-1911-01-SDC

Instant Clone you can create new virtual machines from a controlled point in time.
Instant cloning is very convenient for large scale application deployments because it
ensures memory efficiency and allows for creating numerous virtual machines on a
single host.

HOL-1911-01-SDC Page 18
HOL-1911-01-SDC

Seamless Hybrid Cloud


With the fast adoption of vSphere-based public clouds through VMware Cloud Provider
Program partners, VMware Cloud on AWS, as well as other public cloud providers,
VMware is committed to delivering a seamless hybrid cloud experience for customers.

vCenter Server Hybrid Linked Mode

vSphere 6.7 introduces vCenter Server Hybrid Linked Mode, which makes it easy for
customers to have unified visibility and manageability across an on-premises vSphere
environment running a different version of vSphere than a vSphere-based public cloud
environment, such as VMware Cloud on AWS. This ensures that the fast pace of
innovation and introduction of new capabilities in vSphere-based public clouds does not
force the customer to constantly update and upgrade their on-premises vSphere
environment.

HOL-1911-01-SDC Page 19
HOL-1911-01-SDC

Cross-Cloud Cold and Hot Migration

vSphere 6.7 also introduces Cross-Cloud Cold and Hot Migration, further enhancing
the ease of management across and enabling a seamless and non-disruptive hybrid
cloud experience for customers.

As virtual machines migrate between different data centers or from an on-premises data
center to the cloud and back, they likely move across different CPU types. vSphere 6.7
delivers a new capability that is key for the hybrid cloud, called Per-VM EVC. Per-VM
EVC enables the EVC (Enhanced vMotion Compatibility) mode to become an attribute of
the VM rather than the specific processor generation it happens to be booted on in the
cluster. This allows for seamless migration across different CPUs by persisting the EVC
mode per-VM during migrations across clusters and during power cycles.

Previously, vSphere 6.0 introduced provisioning between vCenter instances. This is often
called cross-vCenter provisioning. The use of two vCenter instances introduces the
possibility that the instances are on different release versions. vSphere 6.7 enables
customers to use different vCenter versions while allowing cross-vCenter, mixed-
version provisioning operations (vMotion, Full Clone and cold migrate) to continue
seamlessly. This is especially useful for customers leveraging VMware Cloud on AWS as
part of their hybrid cloud.

HOL-1911-01-SDC Page 20
HOL-1911-01-SDC

Conclusion
VMware vSphere 6.7 is the efficient and secure platform for the hybrid cloud. It provides
a powerful, flexible, and secure foundation for business agility that accelerates the
digital transformation to the hybrid cloud as well as success in the digital economy.
vSphere 6.7 supports both existing and next-generation workloads through its 1) simple
and efficient management at scale, to elevate the customer experience to an entirely
new level; 2) comprehensive built-in security that starts at the core, via an operationally
simple, policy-driven model; 3) universal application platform that supports new
workloads and leverages hardware innovations for enhanced performance; and 4)
seamless hybrid cloud experience with easy visibility, migration, and management of
workloads between on-premises data centers and the public cloud. With vSphere 6.7,
you can now run, manage, connect, and secure applications in a common operating
environment, across their hybrid cloud.

You have finished Module 1!

Congratulations on completing Module 1!

To review more info on the new features please use the links below:

• What's New in vSphere 6.7 Whitepaper


• vSphere 6.7 On YouTube
• Mike Foley's Blog - ESXi &TPM
• Or use your smart device to scan the QRC Code.

Proceed to any module below which interests you most.

HOL-1911-01-SDC Page 21
HOL-1911-01-SDC

• Module 2 - Simple and Efficient Management at Scale(60 minutes) (Basic)


Explore improvements and new features in ESXi and vCenter Server management
and lifecycle.
• Module 3 - Comprehensive Built-in Security (60 minutes) (Basic) Experience
the improved VM Encryption workflow as well as added support for TPM 2.0,
vTPM, and Virtualization Based Security.
• Module 4 - Universal Application Platform (15 minutes) (Basic) Discover new
vSphere capabilities that make it the platform for all applications including the
most mission critical.
• Module 5 - Seamless Hybrid Cloud (15 minutes) (Basic) Learn how vSphere
6.7 and VMware Cloud on AWS creates a seamless hybrid cloud experience with
easy visibility, migration and management of workloads between on-premises
and public cloud.

How to End Lab

To end your lab click on the END button.

HOL-1911-01-SDC Page 22
HOL-1911-01-SDC

Module 2 -Simple &


Efficient Management at
Scale (60 minutes)

HOL-1911-01-SDC Page 23
HOL-1911-01-SDC

Introduction
vSphere 6.7 builds on the technological innovation delivered by vSphere 6.5, and
elevates the customer experience to an entirely new level. It provides exceptional
management simplicity, operational efficiency, and faster time to market, all at scale.
This Module contains the following lessons:

• Enhanced vCenter Server Appliance (VCSA)


• Lifecycle Management Operations
• Enhanced Linked Mode

HOL-1911-01-SDC Page 24
HOL-1911-01-SDC

Enhanced vCenter Server Appliance


In vSphere 6.7 all of the new features and enhancement were developed around the
vCenter Server Appliance. This is the last release of VMware vCenter that will offer a
Windows install of vCenter. The new appliance has a new, cleaner user interface,
enhanced monitoring of services, file-based backup and is simpler to display.

Install

One significant change for the vCenter Server Appliance is around simplifying the
architecture. Going back to running all vCenter Server services on a single instance with
all the benefits. We can now do exactly that with the vCenter Server Appliance 6.7.
Introducing vCenter Server with Embedded PSC with Enhanced Linked Mode. Let's take
a look at the benefits this deployment model brings:

• No load balancer required for high availability and fully supports native vCenter
Server High Availability.
• SSO Site boundary removal provides flexibility of placement.
• Supports vSphere scale maximums.
• Allows for 15 deployments in a vSphere Single Sign-On Domain.
• Reduces the number of nodes to manage and maintain.

Migrate

vSphere 6.7 is also the last release to include vCenter Server for Windows. Customers
can migrate to the vCenter Server Appliance with the built-in Migration Tool. In vSphere
6.7 we can now select how to import the historical and performance data during a
migration:

• Deploy & import all data


• Deploy & import data in the background

Customers will also get an estimated time of how long each option will take when
migrating. Estimated time will vary based on historical and performance data size in
your environment. While importing data in the background customers have the option to
pause and resume. This new ability is available in the vSphere Appliance Management
Interface. Another improvement to the migration process is support of custom ports.
Customers who changed the default Windows vCenter Server ports are no longer
blocked.

HOL-1911-01-SDC Page 25
HOL-1911-01-SDC

HOL-1911-01-SDC Page 26
HOL-1911-01-SDC

Monitoring & Management

A lot of investment went into improving monitoring for the vCenter Server Appliance. We
saw these improvements starting in vSphere 6.5, and vSphere 6.7 is adding several new
enhancements. Lets first log in to the vSphere Appliance Management Interface (VAMI)
on port 5480. The first thing we notice is the VAMI has received an update to the Clarity
UI. We also notice there are several new tabs on the left-hand side compared to vSphere
6.5. There is now a tab dedicated to monitoring. Here we can see CPU, memory,
network, and database utilization. A new section of the monitoring tab called disks is
now available. Customers can now see each of the disk partitions for the vCenter Server
Appliance, space available, and utilization.

HOL-1911-01-SDC Page 27
HOL-1911-01-SDC

A new section of the monitoring tab called disks is now available. Customers can now
see each of the disk partitions for the vCenter Server Appliance, space available, and
utilization.

Embedded Linked Mode (ELM)

vCenter Embedded Linked Mode is enhanced linked mode support for vCenter Server
Appliance with an embedded Platform Services Controller. This lab is configured using
vSphere 6.7 Embedded Linked Mode. With vCenter Embedded Linked Mode, you can
connect a vCenter Server Appliance with an embedded Platform Services Controller
together to form a domain. vCenter Embedded Linked Mode is not supported for
Windows vCenter Server installations. vCenter Embedded Linked Mode is supported
starting with vSphere 6.5 Update 2 and suitable for most deployments. Other features of
vCenter Embedded Linked Mode include: No external Platform Services Controller,
providing a more simplified domain architecture than enhanced linked mode. A
simplified backup and restore process. A simplified HA process, removing the need for
load balancers. Up to 15 vCenter Server Appliances can be linked together using
vCenter Embedded Linked Mode and displayed in a single inventory view. For a vCenter
High Availability (vCenter HA) cluster, three nodes are considered one logical vCenter
Server node. This represents ten times the vCenter HA clusters in a vCenter Embedded
Linked Mode for a total of 30 VMs.

File-Based Backups

File-Based Backup was first introduced in vSphere 6.5 under the summary tab and now
it has its own backup tab. The first available option front and center when going to the

HOL-1911-01-SDC Page 28
HOL-1911-01-SDC

backup tab is a scheduler. Now customers can schedule the backups of their vCenter
Server Appliances and select how many backups to retain. Another new section for File-
Based backup is Activities. Once the backup job is complete it will be logged in the
activity section with detailed information. We can't talk backup without mentioning
restore. The Restore workflow now includes a backup archive browser. The browser
displays all your backups without having to know the entire backup path.

Click on the video to watch a video on scheduling a backup.

HOL-1911-01-SDC Page 29
HOL-1911-01-SDC

Services

Another new tab called Services is also within the VAMI. Once located within the
vSphere Web Client and now in VAMI for out of band troubleshooting. All the services
that make up the vCenter Server Appliance, their startup type, health, and state are
visible here. We are also given the option to start, stop, and restart services if needed.

While the Syslog and Update tabs are not new to the VAMI, there are improvements in
these areas as well. Syslog now supports up to three syslog forwarding targets. Prior,
vSphere 6.5 only supported forwarding to one. There is now more flexibility in patching
and updating. From the Update tab, we will now have the option to select which patch or
update to apply. Customers will also have more information including type, severity, and
if a reboot is necessary. Expanding a patch or update in the view will display more
information about what is included. Finally, we can now stage and install a patch or
update from the VAMI. This capability was previously only available from the CLI.

vSphere Client (HTML5)

Another area where there has been significant investment in the vSphere Client. With
vSphere 6.5 VMware introduced a supported version of the vSphere Client (HTML5).
Included in the vCenter Server Appliance it only had partial functionality. The vSphere
team has been working hard on getting the vSphere Client to feature parity. Based on

HOL-1911-01-SDC Page 30
HOL-1911-01-SDC

customer feedback, the team has been optimizing and improving workflows. The release
of vSphere 6.7 also marks the final release of the vSphere Web Client (Flash). Some of
the newer workflows in the updated vSphere Client release include:

• vSphere Update Manager


• Content Library
• vSAN
• Storage Policies
• Host Profiles
• vDS Topology Diagram
• Licensing

Some of the workflows mentioned above are not all feature complete. VMware will
continue updating the vSphere Client in future vSphere maintenance(patch/update)
releases. We are almost there!

There is also one less client, The Platform Services Controller (PSC) UI (/psc)
functionality is now part of the vSphere Client. Now located under the Administration
menu, the PSC options are divided between two tabs. Certificate management has its
own tab and all other management is under the configuration tab.

HOL-1911-01-SDC Page 31
HOL-1911-01-SDC

CLI Tools

The vCenter Server Appliance 6.7 CLI also has some new enhancements. The first is the
repointing enhancements using cmsso-util. While not a new feature, it was not available
in vSphere 6.5 and makes a return in vSphere 6.7. We are talking about repointing an
external vCenter Server Appliance across SSO Sites within a vSphere SSO domain.
That's not all you can do with repointing.

Customers can now repoint their vCenter Server Appliance across vSphere SSO
domains. Can you say consolidation? The domain repoint feature only supports external
deployments running vSphere 6.7. Built-in the domain repoint feature has a pre-check
option, which I cannot stress enough to use. The pre-check compares the two vSphere
SSO domains and lists any discrepancies in a conflict JSON file. This is your opportunity
resolve any of the discrepancies before running the domain repoint tool. The repoint tool
can migrate licenses, tags, categories, and permissions from one vSphere SSO Domain
to another.

CLI Tools (Cont)

Another CLI enhancement is around using the cli installer to manage the vCenter Server
Appliance lifecycle. The vCenter Server Appliance ISO comes with JSON template
examples. These JSON templates are a way to ensure consistency across installs,
upgrades, and migrations. Usually, we would have to run one JSON template from the cli
installer at a time in the correct order. This manual per-node deployment is now a thing

HOL-1911-01-SDC Page 32
HOL-1911-01-SDC

of the past with batch operations. With batch operations, several JSON templates can be
run in sequence from a single directory without intervention. Before running use pre-
checks option on the directory to verify the templates including sequence.

HOL-1911-01-SDC Page 33
HOL-1911-01-SDC

Lifecycle Management Operations


VMware vSphere 6.7 includes several improvements that accelerate the host lifecycle
management experience to save administrators valuable time.

New vSphere Update Manager Interface

1. Launch the Google Chrome Browser

1. Select Use Windows session authentication

HOL-1911-01-SDC Page 34
HOL-1911-01-SDC

2. Click on Login

On the home page for vCenter Server:

1. Click on Menu

HOL-1911-01-SDC Page 35
HOL-1911-01-SDC

2. Click on Update Manger

1. Click on Updates

2. Filter on the ID

3. Enter 2018

The results will be filtered for any patches released in 2018. You can also filter by the
version, under releases, category, type etc...

Update Manager with Embedded Linked Mode

With the introduction of embedded linked mode in vSphere 6.7, you can now manage
Update Manager instances through the same interface.

HOL-1911-01-SDC Page 36
HOL-1911-01-SDC

Upgrades from 6.5 to 6.7

Hosts that are currently on ESXi 6.5 will be upgraded to 6.7 significantly faster than ever
before. This is because several optimizations have been made for that upgrade path,
including eliminating one of two reboots traditionally required for a host upgrade. In the
past, hosts that were upgraded with Update Manager were rebooted a first time in order
to initiate the upgrade process, and then rebooted once again after the upgrade was
complete. Modern server hardware, equipped with hundreds of gigabytes of RAM,
typically take several minutes to initialize and perform self-tests. Doing this hardware
initialization twice during an upgrade really adds up, so this new optimization will
significantly shorten the maintenance windows required to upgrade clusters of vSphere
infrastructure.

These new improvements reduce the overall time required to upgrade clusters,
shortening maintenance windows so that valuable efforts can be focused elsewhere.

Recall that, because of DRS and vMotion, applications are never subject to downtime
during hypervisor upgrades VMs are moved seamlessly from host to host, as needed.

vSphere Quick Boot

What is the Quick Boot functionality? Quick Boot functionality allows restarting only the
hypervisor instead of going through a full reboot of the host hardware including
POSTing, etc. This functionality is utilized with vSphere Update Manager so that
patching and upgrades are completed much more quickly. A note here before getting
excited about potential backwards compatibility, this functionality is only available for
hosts that are running ESXi 6.7. Even if your hardware is compatible with the new Quick
Boot, if you are running a legacy version of ESXi, this won't be available.

Host reboots occur infrequently but are typically necessary after activities such as
applying a patch to the hypervisor or installing a third-party component or driver.
Modern server hardware that is equipped with large amounts of RAM may take many
minutes to perform device initialization and self-tests.

Quick Boot eliminates the time-consuming hardware initialization phase by shutting


down ESXi in an orderly manner and then immediately re-starting it. If it takes several
minutes, or more, for the physical hardware to initialize devices and perform necessary
self-tests, then that is the approximate time savings to expect when using Quick Boot!
In large clusters, that are typically remediated one host at a time, it's easy to see how
this new technology can substantially shorten time requirements for data center
maintenance windows.

Due to the nature of our lab, we can't demonstrate Quick Boot because ESXi running on
ESXi! Click on this video to watch Quick Boot in action!

HOL-1911-01-SDC Page 37
HOL-1911-01-SDC

HOL-1911-01-SDC Page 38
HOL-1911-01-SDC

Getting Started with Update Manager


VMware vSphere Update Manager is a tool that simplifies and centralizes automated
patch and version management for VMware vSphere and offers support for VMware ESX
hosts, virtual machines, and virtual appliances.

With Update Manager, you can perform the following tasks:

1. Upgrade and Patch ESXi hosts.


2. Upgrade virtual machine hardware, VMware Tools, and Virtual Appliances.

vSphere Update Manager is installed and running by default in the vCenter Server
Appliance. Each vCenter Appliance will have a single vSphere Update Manager paired
with it.

Log into the vSphere Web Client

Using the Chrome web browser, navigate to the URL for the Web client. For this lab, you
can use the shortcut in the address bar.

1. Click the RegionA bookmark folder

HOL-1911-01-SDC Page 39
HOL-1911-01-SDC

2. Click on bookmark for RegionA vSphere Client (HTML)


3. Check the Use Windows session authentication box
4. Click Login

Alternatively, you could use these credentials

1. User name: corp\Administrator


2. Password: VMware1!

Please Note: All of the user credentials used in this lab are listed in the README.TXT file
on the desktop.

Gain screen space in Chrome by zooming out

The lab desktop is limited to 1280x800 screen resolution. It might be helpful to zoom
out the browser for better readability.

1. Select the Options menu in Chrome.


2. Click the '-' button to zoom out to 90%

This will provide more viewing space while still allowing you to read the text.

HOL-1911-01-SDC Page 40
HOL-1911-01-SDC

Navigate to Update Manager

Navigate to the Update Manager interface

1. Click the Menu icon


2. Click Update Manager

Select vcsa-01b.corp.local

We are going to create a baseline on the vcsa-01b vCenter Server.

1. Ensure vcsa-01b.corp.local is selected in the host drop down menu.

HOL-1911-01-SDC Page 41
HOL-1911-01-SDC

Baselines and Baseline Groups

Baselines can be upgrade, extension, or patch baselines. Baselines contain a collection


of one or more patches, extensions, or upgrades.

Baseline groups are assembled from existing baselines, and might contain one upgrade
baseline per type of upgrade baseline, and one or more patch and extension baselines.
When you scan hosts, virtual machines, and virtual appliances, you evaluate them
against baselines and baseline groups to determine their level of compliance.

By default, Update Manager contains two predefined dynamic patch baselines.

• Critical Host Patches - Checks ESXi hosts for compliance with all critical
patches
• Non-Critical Host Patches - Checks ESXi hosts for compliance with all optional
patches

We are going to create a new baseline, which we will then use to scan a vSphere host so
that we can make sure that it has the latest patches.

1. Select the Baselines tab.


2. Click the New icon
3. Click New Baseline

HOL-1911-01-SDC Page 42
HOL-1911-01-SDC

New Baseline

1. Type the name HOL Host Baseline and a description of the baseline.
2. Under description type Host Baseline
3. Use the scrollbar to the right to access the rest of this screen

Baseline Definition (con't)

1. Select the Patch radio button


2. Click Next to continue.

HOL-1911-01-SDC Page 43
HOL-1911-01-SDC

Select Patches Automatically

This screen gives the baseline the ability to continually update itself based on the
criteria you select. You can use these options to narrow the scope of the patches added
to this baseline (selecting embeddedExi 6.5.0 would limit this baseline to only those
patches relevant to ESXi 6.5).

Some areas you can refine the baseline patches to are:

• Vendor
• Product
• Severity (Critical, Important, Moderate, Low)
• Category (Security, BugFix, Enhancement, Other)

1. For our example, we will leave the default setting to automatically update the
baseline as new patches become available. We will also leave the default Criteria
settings of Any for all options.
2. Click Next

HOL-1911-01-SDC Page 44
HOL-1911-01-SDC

Select Patches Manually

From this screen you have the ability to manually select patches for the baseline to
include. Since we have selected the option to have this baseline automatically updated,
this screen will appear without patches to select. If you disable the automatic option in
the previous screen, you would now be presented with a listing of all patches available
which you could manually select to include in this baseline.

1. Click Next

Ready to complete

Review the settings of the patch baseline you created before finishing the wizard

1. Click Finish to complete the Patch Baseline

HOL-1911-01-SDC Page 45
HOL-1911-01-SDC

Return to Clusters and Hosts

Next, we are going to attach the baseline we just created to a host. This makes sure that
scanning and remediation happens for the host.

1. Click on the Menu Icon


2. Select Hosts and Clusters

Attach Patch Baseline to Host

HOL-1911-01-SDC Page 46
HOL-1911-01-SDC

1. Expand vcsa-01b.corp.local vCenter Server --> RegionB01 Datacenter -->


RegionB01-COMP01 Cluster
2. Click on the esx-01b.corp.local Host
3. Select the Updates tab.
4. Click on Attach

Select the Baseline

In the new window that opens,

1. Click on HOL Host Baseline - this is the new Baseline that we just created
2. Click on OK to continue

HOL-1911-01-SDC Page 47
HOL-1911-01-SDC

Verify the Baseline is Attached

Before we scan the host for compliance with our new baseline, let's verify the new
baseline is attached and see what the current status of its compliance is.

1. Verify HOL Host Baseline is listed in the Attached Baselines


2. Notice that the current status indicates Unknown, this is a normal status when
you attach a new baseline. Update Manager has not yet scanned this host and
compared its current state to the baseline state.

In the next step, we will scan the host and see if it is in compliance with the attached
baseline.

HOL-1911-01-SDC Page 48
HOL-1911-01-SDC

Scan the Host

We will now scan this host to see if it is compliant with the baseline.

1. Click the CHECK COMPLIANCE button


2. You may receive a message in a blue bar at the top of your screen indicating a
refresh is needed, click the Refresh link to update the screen. After you click
Refresh, you can safely close the message window with the "X"
3. Notice the new status of this host. It is now Compliant. This indicates that the
host meets the patch criteria selected in this baseline.

Had this host been missing any patches identified in the baseline criteria, the status
would have indicated Not Compliant indicating the host is missing a patch identified in
the baseline, you could then remediate this host using the Remediate option on this
screen.

Note: pre-check is now a separate operation, allowing administrators to verify that a


cluster is ready for an upgrade before initiating the workflow.

HOL-1911-01-SDC Page 49
HOL-1911-01-SDC

Video: Upgrading vSphere Hosts Using Update Manager

vSphere Update Manager can also be used to update the VMware tools on a virtual
machine. The following video outlines the process.

HOL-1911-01-SDC Page 50
HOL-1911-01-SDC

Embedded Linked Mode


vCenter Embedded Linked Mode is enhanced linked mode support for vCenter Server
Appliance with an embedded Platform Services Controller. This lab is configured using
vSphere 6.7 Embedded Linked Mode.

With vCenter Embedded Linked Mode, you can connect multiple vCenter Server
Appliances with embedded Platform Services Controllers together to form a domain.
vCenter Embedded Linked Mode is not supported for Windows vCenter Server
installations. vCenter Embedded Linked Mode is supported starting with vSphere 6.5
Update 2 and suitable for most deployments.

Other features of vCenter Embedded Linked Mode include:

• No external Platform Services Controller, providing a more simplified domain


architecture than enhanced linked mode.
• A simplified backup and restore process.
• A simplified HA process, removing the need for load balancers.
• Up to 15 vCenter Server Appliances can be linked together using vCenter
Embedded Linked Mode and displayed in a single inventory view.
• For a vCenter High Availability (vCenter HA) cluster, three nodes are considered
one logical vCenter Servernode. This represents ten times the vCenter HA
clusters in a vCenter Embedded Linked Mode for a total of 30 VMs.

Embedded Linked Mode (Demo)

HOL-1911-01-SDC Page 51
HOL-1911-01-SDC

Conclusion
vSphere 6.7 builds on the technological innovation delivered by vSphere 6.5, and
elevates the customer experience to an entirely new level. It provides exceptional
management simplicity, operational efficiency, and faster time to market, all at scale.

6.7 delivers an exceptional experience for the user with an enhanced vCenter Server
Appliance (vCSA). It introduces several new APIs that improve the efficiency and
experience to deploy vCenter, to deploy multiple vCenters based on a template, to
make management of vCenter Server Appliance significantly easier, as well as for
backup and restore. It also significantly simplifies the vCenter Server topology through
vCenter with embedded platform services controller in enhanced linked mode,
enabling customers to link multiple vCenters and have seamless visibility across the
environment without the need for an external platform services controller or load
balancers.

Moreover, with vSphere 6.7 vCSA delivers phenomenal performance improvements:

• 2X faster performance in vCenter operations per second


• 3X reduction in memory usage
• 3X faster DRS-related operations (e.g. power-on virtual machine)

These performance improvements ensure a blazing fast experience for vSphere users,
and deliver significant value, as well as time and cost savings in a variety of use cases,
such as VDI, Scale-out apps, Big Data, HPC, DevOps, distributed cloud native apps, etc.

vSphere 6.7 improves efficiency at scale when updating ESXi hosts, significantly
reducing maintenance time by eliminating one of two reboots normally required for
major version upgrades (Single Reboot). In addition to that, vSphere Quick Boot is a
new innovation that restarts the ESXi hypervisor without rebooting the physical host,
skipping time-consuming hardware initialization.

Another key component that allows vSphere 6.7 to deliver a simplified and efficient
experience is the graphical user interface itself. The HTML5-based vSphere
Client provides a modern user interface experience that is both responsive and easy to
use. With vSphere 6.7, it includes added functionality to support not only the typical
workflows customers need but also other key functionality like managing NSX, vSAN,
VUM as well as third-party components.

HOL-1911-01-SDC Page 52
HOL-1911-01-SDC

You've finished Module 2!

Congratulations on completing Module 2!

To review more info on the new management features please use the links below:

• Upgrading from vSphere 6.5 to 6.7


• Or use your smart device to scan the QRC Code.

Proceed to any module below which interests you most.

• Module 1 - vSphere 6.7 Overview(15 minutes) (Basic) Brief overview of what's


new in the vSphere 6.7 release.
• Module 2 - Simple and Efficient Management at Scale(60 minutes) (Basic)
Explore improvements and new features in ESXi and vCenter Server management
and lifecycle.
• Module 3 - Comprehensive Built-in Security (60 minutes) (Basic) Experience
the improved VM Encryption workflow as well as added support for TPM 2.0,
vTPM, and Virtualization Based Security.
• Module 4 - Universal Application Platform (15 minutes) (Basic) Discover new
vSphere capabilities that make it the platform for all applications including the
most mission critical.
• Module 5 - Seamless Hybrid Cloud (15 minutes) (Basic) Learn how vSphere
6.7 and VMware Cloud on AWS creates a seamless hybrid cloud experience with
easy visibility, migration and management of workloads between on-premises
and public cloud.

HOL-1911-01-SDC Page 53
HOL-1911-01-SDC

How to End Lab

To end your lab click on the END button.

HOL-1911-01-SDC Page 54
HOL-1911-01-SDC

Module 3 -
Comprehensive Built-in
Security (60 minutes)

HOL-1911-01-SDC Page 55
HOL-1911-01-SDC

Introduction
vSphere 6.7 builds on the security capabilities in vSphere 6.5 and leverages its unique
position as the hypervisor to offer comprehensive security that starts at the core, via an
operationally simple policy-driven model.

This module will highlight:

• Support for TPM 2.0 for ESXi Ensures hypervisor integrity and enables remote
host attestation.
• Virtual TPM 2.0 Provides the necessary support for guest operating system
security features while retaining operational features such as vMotion and
disaster recovery.
• Enhanced VM Encryption & cross-vCenter encrypted vMotion Secures against
unauthorized data access both at rest and in motion, across the hybrid cloud.
• Support for VBS Supports Windows 10 and Windows 2016 security features, like
Credential Guard, on vSphere.

HOL-1911-01-SDC Page 56
HOL-1911-01-SDC

Support for New Security Technologies


The goals of security in 6.7 are twofold. Introduce more easy to use security features
and meet requirements set by customers IT and Security teams. With vSphere 6.7 we
have achieved both goals. Let's dive into some of the new features and changes.
vSphere 6.7 includes support for the latest security features on the market.

TPM 2.0 Support for ESXi

TPM (Trusted Platform Module) is a device on your laptop, desktop or server system. It is
used to store encrypted data (keys, credentials, hash values). TPM 1.2 support has been
around for many years on ESXi but was primarily used by partners. TPM 2.0 is not
backwards compatible with 1.2 and required all new device drivers and API
development. The Trusted Computing Group has a great overview on what a TPM is and
does.

ESXi's use of TPM 2.0 builds upon our work in 6.5 with Secure Boot. We validate that the
system has booted with Secure Boot enabled and we take measurements and store
them in the TPM. vCenter reads those measurements and compares them with values
reported by ESXi itself. If the values match, then the host has booted with Secure Boot
enabled and all the good stuff such as only running signed code and the inability to
install unsigned code is assured. vCenter will provide an attestation report in the
vCenter web client showing you the status of each host.

Virtual TPM 2.0 for VMs

In order to support TPMs for virtual machines our engineers created a virtualized TPM
2.0 device. It shows up in Windows as a normal TPM 2.0 device. Like a physical TPM, it
can do crypto operations and store credentials. But how do we secure data stored IN the
virtual TPM? We write that data to the VMs nvram file and secure that file with VM
Encryption. This keeps the data in the vTPM secured and it travels with the VM. If I
copy that VM to another datacenter and that datacenter is not configured to talk to my
KMS then the data in that vTPM is secured. All the same VM Encryption rules apply.

Note: only VM home files are encrypted, not VMDKs unless you choose to encrypt them.

Why didn't we use the hardware TPM?

A hardware TPM has many limitations. It is a serial device so it's slow. It has a secured
nvram storage size measured in bytes. It's not designed for accommodating 100+ VMs
on a host. It won't be able to store all their TPM data on the physical TPM. It would need
a scheduler for the crypto operations it does. Imagine 100 VMs trying to encrypt
something and depending on a serial device that can only do one at a time?

HOL-1911-01-SDC Page 57
HOL-1911-01-SDC

Even if I could physically store the data, consider a vMotion. I would have to securely
remove the data from one physical TPM and copy it to another. And re-sign data with
the new TPMs keys. All of these actions are very slow in practice and fraught with
additional security issues and requirements.

Note: In order to run virtual TPMs, you will need VM Encryption. That means you
will need a 3rd party key management infrastructure in place.

Support for Microsoft Virtualization Based Security

Back in 2015, Microsoft introduced Virtualization Based Security. We have worked very
closely with Microsoft to provide support for these features in vSphere 6.7. Let's do a
quick overview of what is going on under the covers to make this happen.

When you enable VBS on your laptop running Windows 10 the system will reboot and
instead of booting Windows 10 directly the system will boot Microsoft's hypervisor. For
vSphere, this means the virtual machine that was running Windows 10 directly is now
running Microsoft's hypervisor which is now running Windows 10. This is called nested
virtualization and it is something that VMware has a HUGE amount of experience with.
We have been using nested virtualization in our Hands-On Labs for years.

When you enable VBS at the vSphere level that one checkbox is turning on a number of
features.

• Nested virtualization
• IOMMU
• EFI firmware
• Secure Boot

What this will NOT do is enable VBS within the VMs Guest OS. For that, you would follow
Microsoft guidance. This can be done with PowerShell scripts, Group Policies, etc.

The point being is that vSphere's role is to provide the virtual hardware to support
enablement of VBS. Combined with a virtual TPM you can now enable VBS and turn on
features such as Credential Guard.

HOL-1911-01-SDC Page 58
HOL-1911-01-SDC

VM Encryption
VMware vSphere® virtual machine encryption (VM encryption) is a feature introduced in
vSphere 6.5 to enable the encryption of virtual machines. VM encryption provides
security to VMDK data by encrypting I/Os from a virtual machine (which has the VM
encryption feature enabled) before it gets stored in the VMDK.

How to Enable VM Encryption for vSphere 6.7

Creating an encrypted virtual machine is faster and uses fewer storage resources than
encrypting an existing virtual machine. Encrypt the virtual machine as part of the
creation process if possible. (Please see HOL-1911-04-SDC - vSphere 6.7 Security
Getting Started, Module 3 for additional hands-on training.)

Prerequisites

• Establish a trusted connection with the KMS and select a default KMS.
• Create an encryption storage policy, or use the bundled sample, VM Encryption
Policy.
• Ensure that the virtual machine is powered off.
• Verify that you have the required privileges:
◦ Cryptographic operations > Encrypt new
◦ If the host encryption mode is not Enabled, you also need Cryptographic
operations > Register host.

Procedure

HOL-1911-01-SDC Page 59
HOL-1911-01-SDC

1. Connect to vCenter Server by using the vSphere HTML 5 Client.


2. Select an object in the inventory that is a valid parent object of a virtual machine,
for example, an ESXi host or a cluster.
3. Right-click the object, select New Virtual Machine > New Virtual Machine, and
follow the prompts to create an encrypted virtual machine.

Enabling VM Encryption

Check out this video to see how you enable VM encryption on a VM in vSphere 6.7

HOL-1911-01-SDC Page 60
HOL-1911-01-SDC

HOL-1911-01-SDC Page 61
HOL-1911-01-SDC

Configure Hytrust KMS Server in


vCenter Server
In this lesson, we will add (2) HyTrust KMS servers which allows us to encrypt virtual
machines as well as use encrypted vMotion. Without a trust established between the
vCenter server and a KMS server, we would not be able to take advantage of the new
vSphere 6.7 encryption capabilities.

Launch Google Chrome

If Google Chrome is not already open, perform the following step, otherwise skip this
step:

1. Click the Google Chrome icon on the Quick Launch bar.

RegionA

Do the below step If you are opening a new Google Chrome browser window, otherwise,
you can skip this step:

1. Click on the RegionA folder in the Bookmark Toolbar.


2. Then click on RegionA vSphere Client (HTML).

HOL-1911-01-SDC Page 62
HOL-1911-01-SDC

Log into RegionA vCenter Server

If already logged into the RegionA vCenter server, you can skip the below steps. If you
aren't, complete the following steps:

1. Type administrator@corp.local in the the User name: text field.


2. Type VMware1! into the Password: text field.
3. Click on the Login button.

HOL-1911-01-SDC Page 63
HOL-1911-01-SDC

Menu Drop-down

1. Click on the Menu drop-down icon at the top of the screen.


2. Then select Global Inventory Lists from the Menu drop-down menu.

HOL-1911-01-SDC Page 64
HOL-1911-01-SDC

Select vCenter Server

1. Click on vCenter Servers from the Global Inventory List.

vcsa-01a.corp.local

1. Click on the vcsa-01a.corp.local vCenter Server.

HOL-1911-01-SDC Page 65
HOL-1911-01-SDC

Add HyTrust Key Manager (KMS) Server

In order to use any type of encryption in vSphere, we must first have a Key Management
Server (KMS) server up and running. Then we have to add at least (1) KMS server to
vCenter server and configure the trust relationship between the KMS and vCenter
servers. So the first thing we need to do is add a KMS server to vCenter, perform the
following tasks to accomplish this:

1. Click on the Configure tab in the content pane.


2. Click on Key Management Servers under the More category.
3. Click ADD in the content pane to add a KMS server.

HOL-1911-01-SDC Page 66
HOL-1911-01-SDC

vcsa-01a.corp.local - Add KMS

1. Type HOL-KMS-01a in the New cluster name text field.


2. Type kms-01a in the Server name text field.
3. Type kms-01a.corp.local in the Server address text field.
4. then type 5696 in the Server port text field.
5. Now click the ADD button.

HOL-1911-01-SDC Page 67
HOL-1911-01-SDC

kms-01a.corp.local - Trust

1. Click on the TRUST button in the Make vCenter Trust KMS pop-up window.

Make KMS Trust vCenter

We see that the HyTrust KMS server is showing its Connection State with nothing in it, so
at this point we need to finish setting up the trust between the vCenter server and the
HyTrust KMS server.

To create the trust relationship between the HyTrust KMS Server and the vCenter server:

1. Select the radius button next to the kms-01a KMS server name.
2. Click on the MAKE KMS TRUST VCENTER link.

HOL-1911-01-SDC Page 68
HOL-1911-01-SDC

KMS Certificate and Private Key

1. Select the radius button next to KMS certificate and private key.
2. Click on the NEXT button.

HOL-1911-01-SDC Page 69
HOL-1911-01-SDC

Import KMS Certificate and Private Key

1. Click on the Upload file button at the top half of the pop-up window.

Select Certificate

HOL-1911-01-SDC Page 70
HOL-1911-01-SDC

We have already downloaded this certificate PEM file from the HyTrust KMS server web
interface.

1. Browse to the following path "C:\LabFiles\HOL-1911\KMIPvcsa01a\"


2. Select the KMIPvcsa01a.pem file.
3. Click on the Open button.

NOTE: Be sure that you selected the KMIPvcsa01a.pem file from the KMIPvcsa01a
folder and not from the KMIPvcsa01b folder!

Upload Certificate

1. Click on the Upload file button.

HOL-1911-01-SDC Page 71
HOL-1911-01-SDC

Select Certificate

We have already downloaded this certificate PEM file from the HyTrust KMS server web
interface.

1. Browse to the following path "C:\LabFiles\HOL-1911\KMIPvcsa01a\"


2. Select the KMIPvcsa01a.pem file.
3. Click on the Open button.

NOTE: Be sure that you selected the KMIPvcsa01a.pem file from the KMIPvcsa01a
folder and not from the KMIPvcsa01b folder!

HOL-1911-01-SDC Page 72
HOL-1911-01-SDC

Establish Trust

1. Click on the ESTABLISH TRUST button.

Confirm Trust and Connection Status

To validate a trust relationship has been established between the HyTrust KMS Server
and the vCenter server:

1. Verify that it shows the HyTrust KMS server with a status of Connected under
Connection State column and it says Valid under vCenter Certificate Status
column.

HOL-1911-01-SDC Page 73
HOL-1911-01-SDC

Select vcsa-01b.corp.local

Now we will add the kms-01b.corp.local HyTrust KMS server to the


vcsa-01b.corp.local vCenter server.

1. In the left Navigation pane, click on the vcsa-01b.corp.local vCenter server.

Add HyTrust Key Manager (KMS) Server

We will not repeat the same process to add this second HyTrust KMS server as we just
did earlier in this lesson.

1. Click on the Configure tab in the content pane.


2. Click on Key Management Servers under the More category.
3. Click ADD in the content pane to add a KMS server.

HOL-1911-01-SDC Page 74
HOL-1911-01-SDC

vcsa-01b.corp.local - Add KMS

1. Type HOL-KMS-01b in the New cluster name text field.


2. Type kms-01b in the Server name text field.
3. Type kms-01b.corp.local in the Server address text field.
4. then type 5696 in the Server port text field.
5. Now click the ADD button.

kms-01b.corp.local - Trust

HOL-1911-01-SDC Page 75
HOL-1911-01-SDC

1. Click on the TRUST button in the Make vCenter Trust KMS pop-up window.

Make KMS Trust vCenter

We see that the HyTrust KMS server is showing its Connection State with nothing in it, so
at this point we need to finish setting up the trust between the vCenter server and the
HyTrust KMS server.

To create the trust relationship between the HyTrust KMS Server and the vCenter server:

1. Select the radius button next to the kms-01b KMS server name.
2. Click on the MAKE KMS TRUST VCENTER link.

HOL-1911-01-SDC Page 76
HOL-1911-01-SDC

KMS Certificate and Private Key

1. Select the radius button next to KMS certificate and private key.
2. Click on the NEXT button.

HOL-1911-01-SDC Page 77
HOL-1911-01-SDC

Import KMS Certificate and Private Key

1. Click on the Upload file button at the top half of the pop-up window.

Select Certificate

HOL-1911-01-SDC Page 78
HOL-1911-01-SDC

We have already downloaded this certificate PEM file from the HyTrust KMS server web
interface.

1. Browse to the following path "C:\LabFiles\HOL-1911\KMIPvcsa01b\"


2. Select the KMIPvcsa01b.pem file.
3. Click on the Open button.

NOTE: Be sure that you selected the KMIPvcsa01b.pem file from the KMIPvcsa01b
folder and not from the KMIPvcsa01a folder!

Upload Certificate

1. Click on the Upload file button.

HOL-1911-01-SDC Page 79
HOL-1911-01-SDC

Select Certificate

We have already downloaded this certificate PEM file from the HyTrust KMS server web
interface.

1. Browse to the following path "C:\LabFiles\HOL-1911\KMIPvcsa01b\"


2. Select the KMIPvcsa01b.pem file.
3. Click on the Open button.

NOTE: Be sure that you selected the KMIPvcsa01b.pem file from the KMIPvcsa01b
folder and not from the KMIPvcsa01a folder!

HOL-1911-01-SDC Page 80
HOL-1911-01-SDC

Establish Trust

1. Click on the ESTABLISH TRUST button.

Confirm Trust and Connection Status

To validate a trust relationship has been established between the HyTrust KMS Server
and the vCenter server:

1. Verify that it shows the HyTrust KMS server with a status of Connected under
Connection State column and it says Valid under vCenter Certificate Status
column.

HOL-1911-01-SDC Page 81
HOL-1911-01-SDC

Configure HyTrust KMS Server in vCenter Server -


Complete

You have completed the first lesson "Configure HyTrust KMS Server in vCenter Server" in
this module!

We have completed this lesson of adding (2) HyTrust KMS servers and creating and the
associated trusts between it and the vCenter server. We also see that the first HyTrust
KMS server that is added is always automatically selected as the Default KMS server
for the cluster.

HOL-1911-01-SDC Page 82
HOL-1911-01-SDC

Encrypt VMs Using HyTrust KMS Server


In this lesson, we will encrypt a virtual machine using a HyTrust KMS server that is
already installed. We will use the vSphere Web Client (HTML5) to do the encrypting and
decrypting of the virtual machine.

Menu Drop-down

Lets first look at the Policies and Profiles section of vCenter to look at the default VM
Encryption Policies:

1. Click on the Menu icon at the top of the page.


2. Select Policies and Profiles from the Menu drop-down.

HOL-1911-01-SDC Page 83
HOL-1911-01-SDC

Default VM Encryption Policies

1. Click on VM Storage Policies from the Navigation pane.


2. We see that there are already (2) VM Encryption Policies, where there is one
on each of the vCenter servers by default.

NOTE: Although VMware creates the default VM Encryption Policies for us, you can also
create your own policies if you wish.

Default Encryption Properties

1. Click on the Storage Policy Components in the Navigation pane.


2. We see both Default encryption properties components listed, one for each
vCenter server.
3. We also see a description in the bottom of the Content pane.

HOL-1911-01-SDC Page 84
HOL-1911-01-SDC

Menu Drop-down

At this point, lets return to the Hosts and Clusters view so we can start the process of
encrypting the core-01a virtual machine:

1. Click on the Menu icon at the top of the page.


2. Select Hosts and Clusters from the Menu drop-down.

HOL-1911-01-SDC Page 85
HOL-1911-01-SDC

Select core-01a

We are now going to encrypt the core-01a virtual machine, to do this, perform the
following steps:

1. Right-click on the core-01a virtual machine in the left Navigation Pane.


2. Click on VM Policies from the drop-down menu.
3. Then click on Edit VM Storage Policies from the VM Policies drop-down menu.

HOL-1911-01-SDC Page 86
HOL-1911-01-SDC

core-01a - Edit VM Storage Policies

Here we see there are a few default policies that VMware has created already, but we
will be selecting the VM Encryption Policy specifically by doing the following:

1. Click on the arrow in the VM storage policy drop-down menu and select VM
Encryption Policy.
2. Then click on the Configure per disk slider to enable it.

NOTE: In this lab exercise, we are encrypting all the components of the virtual machine.
But as we can see, we have the option to select to encrypt just the VM Home folder or
the Hard disk 1. In order to encrypt just one item, you must click on the slider in the
upper right-hand corner of the window to allow you to select an individual item.

HOL-1911-01-SDC Page 87
HOL-1911-01-SDC

core-01a - Configure Per Disk

We see that once we enabled the Configure per disk option, the VM Home folder
and Hard disk 1 are no longer grayed out and we can manage policies individually.

1. Temporarily click on the drop-down for Hard disk 1 and select VM Encryption
Policy. We now see how to individual assign policies for both components of the
virtual machine. After reviewing the options, return it to the Datastore Default
option.

NOTE: In this lab exercise, we are encrypting all the components of the virtual machine.
But as we can see, we have the option to select to encrypt just the VM Home folder or
the Hard disk 1.

HOL-1911-01-SDC Page 88
HOL-1911-01-SDC

core-01a - Edit VM Storage Policies

1. Click on the slider to turn off Configure per disk


2. Click on the arrow in the VM storage policy drop-down menu and select VM
Encryption Policy if it isn't already selected.
3. Then click on the OK button.

core-01a - Verify VM Storage Policy Compliance

HOL-1911-01-SDC Page 89
HOL-1911-01-SDC

While still having core-01a selected in the Navigation pane, perform the following steps:

1. In the content pane for core-01a, use the scroll bar to get to the bottom of the
page until you see the VM Storage Policies widget.
2. If need be, click on the arrow in the upper right-hand corner of the VM Storage
Policies widget to open it up.
3. We should now see that the VM Encryption Policy has been assigned to the
virtual machine and is also compliant which is represented by a green check
mark.

core-01a - Not Compliant (if needed)

If for any reason the VM Storage Policy widget has no information in it after a minute
or two or says that it is not compliant, perform the following step:

1. Click on the Check Compliance link to update the compliance information.

NOTE: Now after clicking on the Check Compliance link, it should update the
information in less than a minute and show complaint. If the status doesn't change, try
refreshing the web browser window. After that, if it still hasn't updated to reflect
correctly, raise your hand for assistance either in the Hands On Lab interface or
physically raise your hand to get a proctors attention.

HOL-1911-01-SDC Page 90
HOL-1911-01-SDC

Select core-01a

We are now going to dycrypt the core-01a virtual machine, to do this, perform the
following steps:

1. Right-click on the core-01a virtual machine in the left Navigation Pane.


2. Click on VM Policies
3. Select Edit VM Storage Policies

HOL-1911-01-SDC Page 91
HOL-1911-01-SDC

core-01a - Edit VM Storage Policies

1. Click on the arrow in the VM storage policy drop-down menu and select
Datastore Default.
2. Then click on the OK button.

core-01a - Verify VM has been Decrypted

1. Click on the Check Compliance link to update the compliance information.


2. We should now see that the VM Encryption Policy is no longer listed.

HOL-1911-01-SDC Page 92
HOL-1911-01-SDC

NOTE: Now after clicking on the Check Compliance link, it should update the
information in less than a few minutes and show the VM Storage Policy widget empty
now. If the status doesn't change, REFRESH the web browser window and recheck the
VM Storage Policies widget. If still showing an encryption policy, raise your hand for
assistance either in the Hands On Lab interface or physically raise your hand to get a
proctors attention.

Encrypt VM Using HyTrust KMS Server - Complete

In this lesson, we applied the VM Encryption Policy to the core-01a virtual machine using
the vSphere Web Client. After we applied the policy, it showed that the virtual machine
was compliant with the VM Encryption Policy. Then we went through the same steps to
remove the encryption policy from the core-01a virtual machine. Once we completed
that task, we could see the VM Storage Policy widget went back to a blank widget. This
was an expected behavior and means we successfully removed the encryption on the
virtual machines files.

Using the vSphere Web Client is not the only method to encrypting or decrypting a
virtual machine. We can also use PowerCLI commands to do the same actions to a single
or numerous virtual machines at once and in a more efficient manner. If changing the
encryption status of a large amount at virtual machines at once, the best practice would
to be use the PowerCLI commands to do so.

In an upcoming lesson, we will discuss the use of PowerCLI for the various encryption
related tasks in more detail. Also, later in this module, we will actually encrypt and
decrypt virtual machines using the PowerCLI commands.

HOL-1911-01-SDC Page 93
HOL-1911-01-SDC

Set VM to Encrypted vMotion Mode


In this lesson, we will walk through the steps to setup a virtual machine to use
Encrypted vMotion Mode. We will show the process of configuring it from within the
vSphere Web Client. However, we will NOT be actually performing a vMotion action in
the lab environment due to resource limitations. Not to mention, we can't actually "see"
that the virtual machine does a vMotion action and is encrypted.

core-01a - Edit Settings

1. Right-click on the virtual machine named core-01a.


2. Select Edit Settings from the drop-down menu.

NOTE: The list of virtual machines may be slightly different in the lab environment from
what is in the screen capture.

HOL-1911-01-SDC Page 94
HOL-1911-01-SDC

core-01a - VM Options

In the following lab steps, we will go through the steps of setting up Encrypted vMotion,
but we won't actually go through with completing the steps since we can't actually see
that a vMotion action is encrypted. Not to mention, this helps reduce the amount of
required resources in the labs.

1. Click on the VM Options tab in the pop-up window.


2. Click on the arrow next to Encryption to expand it and show the Encrypt VM and
Encrypted vMotion settings.
3. We see that either select None or VM Encryption Policy from here which shows
us another way to set the encryption on a virtual machine other than in the
Policies and Profiles section.

HOL-1911-01-SDC Page 95
HOL-1911-01-SDC

core-01a - Encrypted vMotion

As a side note, if the virtual machine settings are already set to encrypted, then it will
automatically use encrypted vMotion. But we see that we have (3) options for
Encrypted vMotion.

1. Since the VM was previously encrypted, the Encrypted vMotion setting is


already set to Required but can be changed.
2. Click on the CANCEL button since we don't need to actually make the changes
since we won't be doing an actual vMotion action.

HOL-1911-01-SDC Page 96
HOL-1911-01-SDC

core-01a - Migrate

In the next few steps, we won't actually complete the vMotion action since we can't
actually see that a vMotion action is encrypted. Not to mention, this helps reduce the
amount of required resources in the lab environment.

1. Right-click on the virtual machine named core-01a.


2. Select Migrate from the drop-down menu.

HOL-1911-01-SDC Page 97
HOL-1911-01-SDC

core-01a - Select a Migration Type

1. Keep the default setting Change compute resource only radius button, then
click on the NEXT button.

HOL-1911-01-SDC Page 98
HOL-1911-01-SDC

core-01a - Select a compute resource

Currently, the core-01a virtual machine should be on esx-02a.corp.local, so we would


migrate it to esx-01a.corp.local.

1. Select the esx-01a.corp.local host to migrate to.


2. Verify it says Compatibility checks succeeded under Compatibility.
3. Then click on the Next button.

HOL-1911-01-SDC Page 99
HOL-1911-01-SDC

core-01a - Select Networks

1. Verify it says Compatibility checks succeeded under Compatibility.


2. Keep the default network selected and click on the Next button.

HOL-1911-01-SDC Page 100


HOL-1911-01-SDC

core-01a - Ready to Complete

NOTE: We are not actually performing the vMotion action for following reasons:

• Being a lab environment, we want to reduce the resources used for actions like
vMotion.
• And finally, we can't really see that the vMotion is encrypted unless we were
using a packet sniffer in between the hosts. So essentially there is no point in
performing the encrypted vMotion activity.

To finish the last step:

1. We would then review the information to ensure all of the selections we selected
are correct.
2. Normally we would select the Finish button, but since this is a lab environment,
we will select the Cancel button so we don't initiate the vMotion task.

Set VM to Encrypted vMotion Mode - Complete

That completes this lesson on setting virtual machines to enable encrypted vMotion. We
learned that no matter if a virtual machine is already encrypted or not, the virtual
machine can be encrypted on the source host and then decrypted on the destination
host. We also learned that Encrypted vMotion requires no additional settings when the
virtual machine is already encrypted. However, when the virtual machine is not

HOL-1911-01-SDC Page 101


HOL-1911-01-SDC

encrypted already, we can manually select to encrypt it just to perform a vMotion from
one host to another if we wish.

HOL-1911-01-SDC Page 102


HOL-1911-01-SDC

Configure Windows 10 for VBS


In this lesson, we will show how to enable Virtualized-Based Security (VBS) on a
Windows 10 virtual machine.

Launch Google Chrome

If Google Chrome is not already open, perform the following step, otherwise you can
skip this step if already open:

1. Or click the Google Chrome icon on the Quick Launch bar.

RegionA

Do the below step If you are opening a new Google Chrome browser window, otherwise,
you can skip this step:

1. Click on the RegionA folder in the Bookmark Toolbar.


2. Then click on RegionA vSphere Client (HTML).

HOL-1911-01-SDC Page 103


HOL-1911-01-SDC

Log into RegionA vCenter Server

If already logged into the RegionA vCenter server, you can skip the below steps. If you
aren't, complete the below steps:

1. Type administrator@corp.local in the the User name: text field.


2. Type VMware1! into the Password: text field.
3. Click on the Login button.

HOL-1911-01-SDC Page 104


HOL-1911-01-SDC

Hosts and Clusters

1. Click on the Hosts and Clusters icon in the Navigation pane.


2. If need be, click on the arrow next to vcsa-01a.corp.local vCenter server and
expand everything until you see the list of virtual machines.

HOL-1911-01-SDC Page 105


HOL-1911-01-SDC

win10 - Edit Settings

1. Right-click on the win10 virtual machine in the Navigation pane.


2. The click on Edit Settings.

HOL-1911-01-SDC Page 106


HOL-1911-01-SDC

win10 - Verify Secure Boot

We are now going to verify that Secure Boot is enabled for the win10 virtual machine. If
it isn't, make sure you select the check box to enable Secure Boot.

1. Click on VM Options in the Edit Settings pop-up window.


2. Verify that the check box is checked meaning Secure Boot is enabled, if it isn't,
read the note below.
3. Then click on the OK button.

NOTE: If for any reason Secure Boot WAS NOT already enabled, we will have to power
down the win10 virtual machine and then go into the options to enable it. The setting
won't hold unless the virtual machine is powered off at the time it is either enabled or
disabled.

HOL-1911-01-SDC Page 107


HOL-1911-01-SDC

win10 - VMs

1. Click on the VMs and Templates icon in the Navigation pane.


2. Click on the vcsa-01b.corp.local vCenter server in the Navigation pane.
3. Then click on the VMs tab in the Content pane.

HOL-1911-01-SDC Page 108


HOL-1911-01-SDC

win10 - Show/Hide Columns

1. Click on the down-arrow in the column heading.


2. Click on the vShow/Hide Columns.
3. Then scroll all the way to the bottom of the list using the scroll bar.
4. Check the box to enable the TPM and VBS columns.
5. Click anywhere in the blank area to get rid of the drop-down menu so you can see
the TPM column now.

HOL-1911-01-SDC Page 109


HOL-1911-01-SDC

win10 - VBS Column

1. We now see that in the VBS column the win10 virtual machine reflects it is Not
Present.

win10 - Launch Web Console

1. Click on the Hosts and Clusters icon in the Navigation pane.


2. Click on the win10 virtual machine in the Navigation pane.

HOL-1911-01-SDC Page 110


HOL-1911-01-SDC

3. Then click on the Launch Web Console link to open a console window for the
virtual machine.

win10 - Desktop

1. Click anywhere on the desktop to bring up the Login screen.

win10 - Login

1. Type in VMware1! for the Password text field.

HOL-1911-01-SDC Page 111


HOL-1911-01-SDC

2. Then click on the arrow icon to log into the virtual machine.

win10 - Launch PowerShell (Admin)

1. Click on the Windows icon in the lower left-hand corner of the desktop.
2. Then click on Windows PowerShell (Admin) in the menu.

PowerShell - Set-ExecutionPolicy

We need to first set the execution policy to allow us to run the


DG_Readiness_Tool_v3.5.ps1 script.

1. Type the following command in the PowerShell to change directory location.

Set-ExecutionPolicy Unrestricted

1. Type the following command in the PowerShell to run the DG Readiness Tool
script.

HOL-1911-01-SDC Page 112


HOL-1911-01-SDC

PowerShell - Change Directory & Run Script

1. Type the following command in the PowerShell to change directory location.

cd C:\DG_Readiness_Tool_v3.5\

1. Type the following command in the PowerShell to run the DG Readiness Tool
script.

./DG_Readiness_Tool_v3.5.ps1 -Capable -DG -CG -HVCI

HOL-1911-01-SDC Page 113


HOL-1911-01-SDC

PowerShell - Script Output

1. We see from the output of running the DG Readiness Tool script that Secure
Boot for the win10 virtual machine is not enabled for it. This is a requirement to
enable VBS.

vCenter Server Tab

1. Click on the vSphere web client Google Chrome tab.

HOL-1911-01-SDC Page 114


HOL-1911-01-SDC

win10 - Shut Down Guest OS

1. Right-click on the win10 virtual machine in the Navigation pane.


2. Click on Power in the drop-down menu.
3. Then click on the Shut Down Guest OS in the Power drop-down menu.

NOTE: Wait until the win10 virtual machine is completely shut down before moving to
the next step.

HOL-1911-01-SDC Page 115


HOL-1911-01-SDC

win10 - Edit Settings

1. Right-click on the win10 virtual machine in the Navigation pane.


2. The click on Edit Settings.

HOL-1911-01-SDC Page 116


HOL-1911-01-SDC

win10 - VM Options

1. Click on the VM Options tab in the pop-up window.


2. Click on the Enabled check box next to Secure Boot to enable it.
3. Then click on the OK button.

HOL-1911-01-SDC Page 117


HOL-1911-01-SDC

win10 - Power On

1. Right-click on the win10 virtual machine in the Navigation pane.


2. Click on Power from the drop-down menu.
3. Then click on Power On from the Power drop-down menu.

win10 Virtual Machine Tab

1. Click on the win10 Google Chrome tab.

NOTE: We may have to refresh the win10 browser tab in case it has timed out. Then we
will also have to log back into the user account using the "VMware1!" password again.

HOL-1911-01-SDC Page 118


HOL-1911-01-SDC

win10 - Launch PowerShell (Admin)

1. Click on the Windows icon in the lower left-hand corner of the desktop.
2. Then click on Windows PowerShell (Admin) in the menu.

HOL-1911-01-SDC Page 119


HOL-1911-01-SDC

PowerShell - Change Directory & Run Script

1. Type the following command in the PowerShell to change directory location.

cd C:\DG_Readiness_Tool_v3.5\

2. Type the following command in the PowerShell to run the DG Readiness Tool
script.

./DG_Readiness_Tool_v3.5.ps1 -Capable -DG -CG -HVCI

3. We see that now everything shows green as good and it now says "Machine is
Device Guard / Credential Guard Ready" to be enabled which we will do in
the next lesson.

Configure Windows 10 for VBS - Complete

In this lesson, we verified the win10 virtual machine's settings that EFI Firmware,
Secure Boot, and the Virtual Based Security (VBS) was enabled.

HOL-1911-01-SDC Page 120


HOL-1911-01-SDC

FIPS 140-2 Validated Cryptographic


Modules by Default
Within vSphere (vCenter Server and ESXi) systems, two modules are used for
cryptographic operations. The VMware Kernel Cryptographic Module is used by the VM
Encryption and Encrypted vSAN features; the OpenSSL module is used for functions
such as certificate generation and TLS connections. These two modules have passed
FIPS 140-2 validation. Customers have asked whether vSphere is FIPS Certified. FIPS
Certified applies to a full solution of hardware and software that is tested and configured
together. VMware has made it much easier for our partners to certify vSphere systems
for FIPS operations. Cryptographic operations in vSphere systems are performed using
the highest standards because all FIPS 140-2 cryptographic operations are enabled by
default.

HOL-1911-01-SDC Page 121


HOL-1911-01-SDC

Conclusion
vSphere 6.7 enables organizations to implement new security features and makes it
easier to comply with regulatory requirements and secure your environment from
threats. Please check out the lab HOL-1911-04-SDC - vSphere 6.7 Security -
Getting Started for a deeper dive into all the new features.

You've finished Module 3!

Congratulations on completing Module 3!

To review more info on the security features please use the links below:

• vSphere 6.7 Security Guide


• Encrypting and Decrypting a Virtual Machine
• Configuring TPM 2.0
• Prepping an ESX Host for Secure Boot
• Mike Foley's Blog - ESXi &TPM
• Or use your smart device to scan the QRC Code.

Proceed to any module below which interests you most.

• Module 1 - vSphere 6.7 Overview(15 minutes) (Basic) Brief overview of what's


new in the vSphere 6.7 release.
• Module 2 - Simple and Efficient Management at Scale(60 minutes) (Basic)
Explore improvements and new features in ESXi and vCenter Server management
and lifecycle.

HOL-1911-01-SDC Page 122


HOL-1911-01-SDC

• Module 3 - Comprehensive Built-in Security (60 minutes) (Basic) Experience


the improved VM Encryption workflow as well as added support for TPM 2.0,
vTPM, and Virtualization Based Security.
• Module 4 - Universal Application Platform (15 minutes) (Basic) Discover new
vSphere capabilities that make it the platform for all applications including the
most mission critical.
• Module 5 - Seamless Hybrid Cloud (15 minutes) (Basic) Learn how vSphere
6.7 and VMware Cloud on AWS creates a seamless hybrid cloud experience with
easy visibility, migration and management of workloads between on-premises
and public cloud.

How to End Lab

To end your lab click on the END button.

HOL-1911-01-SDC Page 123


HOL-1911-01-SDC

Module 4 - Universal
Application Platform (15
minutes)

HOL-1911-01-SDC Page 124


HOL-1911-01-SDC

Introduction
vSphere 6.7 can run any type of enterprise workload, anywhere. Not every company
can make the transition from legacy to modern as quickly as they would like. VMware
can support modern applications such as machine learning, artificial intelligence, big
data, cloud-native, in memory, and 3-D graphics on the same platform as traditional
business critical applications.

HOL-1911-01-SDC Page 125


HOL-1911-01-SDC

NVIDIA Grid: Optimize GPU Usage For


VM on vSphere 6.7 Servers
Learn how to optimize GPU usage for virtual machines on vSphere Servers. When you
enable 3D graphics, you can select a hardware or software graphics renderer and
optimize the graphics memory allocated to the virtual machine. You can increase the
number of displays in multi-monitor configurations and change the video card settings
to meet your graphics requirements.

HOL-1911-01-SDC Page 126


HOL-1911-01-SDC

Persistent Memory
With vSphere Persistent Memory, customers using supported hardware servers, can get
the benefits of ultra-high-speed storage at a price point closer to DRAM-like speeds at
flash-like prices. The following diagram shows the convergence of memory and storage.

Technology at the top of the pyramid (comprised of DRAM and the CPU cache and
registers) have the shortest latency (best performance) but this comes at a higher cost
relative to the items at the bottom of the pyramid. All of these components are
accessed directly by the application also known as load/storage access.

Technology at the bottom of the pyramid represented by Magnetic media (HDDs and
tape) and NAND flash (represented by SSDs and PCIe Workload Accelerators) have
longer latency and lower costs relative to the technology at the top of the pyramid.
These technology components have block access meaning data is typically
communicated in blocks of data and the applications are not accessed directly.

PMEM is a new layer called Non-Volatile Memory (NVM) and sits between NAND flash
and DRAM, providing faster performance relative to NAND flash but also providing the
non-volatility not typically found in traditional memory offerings. This technology layer
provides the performance of memory with the persistence of traditional storage.

HOL-1911-01-SDC Page 127


HOL-1911-01-SDC

Enterprise applications can be deployed in virtual machines which are exposed to


PMEM datastores. PMEM datastores are created from NVM storage attached locally to
each server. Performance benefits can then be attained as follows:

• vSphere can allocate a piece of the PMEM datastore and present it to the virtual
machine as a disk -virtual persistent memory disk which is used as an ultra-fast
disk. In this mode, no guest-OS or application change is required.
• vSphere can allocate a piece of the PMEM datastore in a server and present it to a
virtual machine as a virtual NVDIMM. This type of virtual device exposes a byte
addressable persistent memory to the virtual machine.
◦ Virtual NVDIMM is compatible with latest Guest Operating Systems which
support persistent memory. Applications do not change and experience
faster file access as the modified OS filesystem bypasses the buffer cache.
◦ Applications can be modified to take advantage of PMEM and experience
the highest increase in performance via direct and uninterrupted access to
hardware.

Applications deployed on PMEM backed datastores can benefit from live migration
(VMware vMotion) and VMware DRS this is not possible with PMEM in physical
deployments.

Remote Directory Memory Access

vSphere 6.7 introduces new protocol support for Remote Direct memory Access (RDMA)
over Converged Ethernet, or RoCE (pronounced rocky) v2, a new software Fiber Channel
over Ethernet (FCoE) adapter, and iSCSI Extension for RDMA (iSER). These features
enable customers to integrate with even more high-performance storage systems
providing more flexibility to use the hardware that best compliments their workloads.

HOL-1911-01-SDC Page 128


HOL-1911-01-SDC

RDMA support is enhanced with vSphere 6.7 to bring even more performance to
enterprise workloads by leveraging kernel and OS bypass reducing latency and
dependencies. This is illustrated in the diagram below.

When virtual machines are configured with RDMA in a pass thru mode, the workload is
basically tied to a physical host with no DRS capability i.e. no ability to vMotion.
However customers who want to harness the power vMotion and DRS and still
experience the benefits of RDMA , albeit at a very small performance penalty can do so
with para virtualized RDMA software (PVRDMA). With PVRDMA, applications can run
even in the absence of an Host Channel Adapter (HCA) card. RDMA-based applications
can be run in ESXi guests while ensuring virtual machines can be live migrated.

Use cases for this technology include distributed databases, financial applications, and
Big Data.

Summary

vSphere 6.7 continues to showcase VMwares technological leadership and fruitful


collaboration with our partners by adding support for a key industry innovation to
significantly enhance performance for existing and new apps.

HOL-1911-01-SDC Page 129


HOL-1911-01-SDC

HOL-1911-01-SDC Page 130


HOL-1911-01-SDC

Cloning a Virtual Machine with Instant


Clone
You can use the Instant Clone technology to create powered on virtual machines from
the running state of another powered on virtual machine. The result of an Instant Clone
operation is a new virtual machine that is identical to the source virtual machine. With
Instant Clone you can create new virtual machines from a controlled point in time.
Instant cloning is very convenient for large scale application deployments because it
ensures memory efficiency and allows for creating numerous virtual machines on a
single host.

The result of an Instant Clone operation is a virtual machine that is called a destination
virtual machine. The processor state, virtual device state, memory state, and disk state
of the destination virtual machine are identical to those of the source virtual machine.
To avoid network conflicts, you can customize the virtual hardware of the destination
virtual machine during an Instant Clone operation. For example, you can customize the
MAC addresses of the virtual NICs or the serial and parallel port configurations of the
destination virtual machine. vSphere 6.7 does not support customization of the guest
OS of the destination virtual machine. For information about manual guest OS
customization, see the vSphere Web Services SDK Programming Guide.

During an Instant Clone operation, the source virtual machine is stunned for a short
period of time, less than 1 second. While the source virtual machine is stunned, a new
writable delta disk is generated for each virtual disk and a checkpoint is taken and
transferred to the destination virtual machine. The destination virtual machine then
powers on by using the source's checkpoint. After the destination virtual machine is fully
powered on, the source virtual machine also resumes running.

Instant Cloned virtual machines are fully independent vCenter Server inventory objects.
You can manage Instant Cloned virtual machines like regular virtual machines without
any restrictions.

HOL-1911-01-SDC Page 131


HOL-1911-01-SDC

HOL-1911-01-SDC Page 132


HOL-1911-01-SDC

Conclusion
vSphere 6.7 further improves the support and capabilities introduced for graphics
processing units (GPUs) through the VMware collaboration with NVIDIA. Persistent
Memory and Instant Clone technology allow for a universal application platform that
supports new workloads and leverages hardware innovations for enhanced
performance.

You've finished Module 4!

Congratulations on completing Module 4!

To review more info on the features covered in this module, please use the links below.

• Add an NVIDIA GRID vGPU to a Virtual Machine


• Instant Clone in vSphere 6.7 Rocks!
• New Instant Clone Architecture in vSphere 6.7 Part 1
• Or use your smart device to scan the QRC Code.

Proceed to any module below which interests you most.

• Module 1 - vSphere 6.7 Overview(15 minutes) (Basic) Brief overview of what's


new in the vSphere 6.7 release.
• Module 2 - Simple and Efficient Management at Scale(60 minutes) (Basic)
Explore improvements and new features in ESXi and vCenter Server management
and lifecycle.
• Module 3 - Comprehensive Built-in Security (60 minutes) (Basic) Experience
the improved VM Encryption workflow as well as added support for TPM 2.0,
vTPM, and Virtualization Based Security.

HOL-1911-01-SDC Page 133


HOL-1911-01-SDC

• Module 4 - Universal Application Platform (15 minutes) (Basic) Discover new


vSphere capabilities that make it the platform for all applications including the
most mission critical.
• Module 5 - Seamless Hybrid Cloud (15 minutes) (Basic) Learn how vSphere
6.7 and VMware Cloud on AWS creates a seamless hybrid cloud experience with
easy visibility, migration and management of workloads between on-premises
and public cloud.

How to End Lab

To end your lab click on the END button.

HOL-1911-01-SDC Page 134


HOL-1911-01-SDC

Module 5 - Seamless
Hybrid Cloud Experience
(15 minutes)

HOL-1911-01-SDC Page 135


HOL-1911-01-SDC

Introduction
VMware vSphere 6.7 is the efficient and secure platform for hybrid clouds, fueling digital
transformation by delivering simple and efficient management at scale, comprehensive
built-in security, a universal application platform, and seamless hybrid cloud experience.

HOL-1911-01-SDC Page 136


HOL-1911-01-SDC

Migrating Virtual Machines from


vCenter to vCenter
Cross vCenter vMotion

The use of Cross vCenter vMotion (x-vC-vMotion) allows for migration of VM's between
vCenters that are in the same or different datacenters. This feature allows
administrators to easily move VM's between vCenters without downtime. The vCenters
can be in the same data center or another data center with no more than 150
milliseconds of latency between the datacenters.

Requirements for Migration Between vCenter Server Instances

• The source and destination vCenter Server instances and ESXi hosts must be 6.0
or later.
• The cross vCenter Server and long distance vMotion features require an
Enterprise Plus license. For more information, see: https://www.vmware.com/
products/vsphere.html#compare
• Both vCenter Server instances must be time-synchronized with each other for
correct vCenter Single Sign-On token verification.
• For migration of compute resources only, both vCenter Server instances must be
connected to the shared virtual machine storage.
• When using the vSphere Web Client, both vCenter Server instances must be in
Enhanced Linked Mode and must be in the same vCenter Single Sign-On domain
so that the source vCenter Server can authenticate to the destination vCenter
Server.

Open Chrome Browser from Windows Quick Launch Task


Bar

1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

HOL-1911-01-SDC Page 137


HOL-1911-01-SDC

Login to vCenter Server

Log into RegionA vCenter

1. Click on the RegionA folder in the Bookmark toolbar.


2. Click on RegionA vSphere Client (HTML) link in the bookmark toolbar.
3. Check the Use Windows session authentication checkbox.
4. Click the Login button.

HOL-1911-01-SDC Page 138


HOL-1911-01-SDC

Gain screen space in Chrome by zooming out

1. Select the Options menu in Chrome.


2. Click the '-' button to zoom out to 90%

Note that this will provide more viewing space while still allowing you to read the
text. This is necessary because of the lower than normal resolution we must use
in the lab environment to support various devices and to accomodate large-scale
events.

HOL-1911-01-SDC Page 139


HOL-1911-01-SDC

Navigate to Hosts and Clusters

1. Click on the Menu icon


2. Select Hosts and Clusters

HOL-1911-01-SDC Page 140


HOL-1911-01-SDC

Make sure the VM to be Migrated is Running

As you work through this lab, you will notice there are two vCenters you see. You will
vMotion a running VM between these two vCenters as part of this lab. If it is not already
running, start the "core-01a" VM by performing the following steps:

1. Expand the navigation tree in the left pane exposing all of the virtual machines,
and check to see if the core-01a is running (it will have a green arrow on the
icon if it is). If it is running, skip the rest of the steps below. If it is not running,
please go through the steps below.
2. Right click core-01a.
3. Hover over Power.
4. Select Power On.

HOL-1911-01-SDC Page 141


HOL-1911-01-SDC

Start the Migration Wizard

1. Right click core-01a.


2. Select Migrate... from the context menu that appears.

This will start the migration wizard where we can select where we want to place our VM.
Also note that the list of VMs you see may vary based on which other labs you have
done. Also, note that this is the same option you would use if you were performing a
vMotion with a vCenter or cluster. You use the same regardless of what your vMotion
destination is.

HOL-1911-01-SDC Page 142


HOL-1911-01-SDC

Select a migration type

1. Select Change both compute resource and storage option.


2. Click Next

HOL-1911-01-SDC Page 143


HOL-1911-01-SDC

Select a compute resource

1. Expand the tree under vcsa-01b.corp.local, RegionB01, and


RegionB01-COMP01
2. Select host esx-01b.corp.local
3. NOTE: The wizard will check the compatibility of the host to verify that it meets a
set of requirements to migrate. Additional information on what is being checked
can be found in the VMware vSphere 6.7 Documentation Center.
4. Click Next

HOL-1911-01-SDC Page 144


HOL-1911-01-SDC

Select storage

1. Select the storage RegionB01-iSCSI01-COMP01


2. Click Next

The vMotion will migrate the VM to a new datastore that is available on the new host.
This allows VM's to be moved between clusters, vCenters, or datacenters that do not
have shared storage.

HOL-1911-01-SDC Page 145


HOL-1911-01-SDC

Select folder

1. Select RegionB01
2. Click Next

HOL-1911-01-SDC Page 146


HOL-1911-01-SDC

Select networks

1. Select the VM-RegionB01-vDS-COMP network.


2. Click Next

This will change the port group the VM is associated with. There are no changes within
the VM to the IP or network configuration. Your network must be setup in a way that
allows the VM to move to this new port group without these changes. Network
Virtualization is a way to extend the layer 2 network across Layer 3 boundaries. Please
see the NSX Labs “HOL-1903-01-NET Getting Started with VMware NSX” and
“HOL-1925-02-NET VMware NSX Multi-Site and SRM in an Active-Standby Setup” for
more information.

Note that depending on which other modules you may have done, you may see an
additional screen in the wizard asking you to set a vMotion Priority. If you see this
screen, leave the default settings and click Next.

HOL-1911-01-SDC Page 147


HOL-1911-01-SDC

Ready to complete

1. Review the settings that vCenter will use to perform the vMotions, and click
Finish

Watch Progress in Recent Tasks

We can view the progress of the operation in the Recent Tasks pane at the bottom of
the screen.

Note that if you do not see the Recent Tasks pane, you may need to expand it by
clicking on Recent Tasks on the right side of the screen.

HOL-1911-01-SDC Page 148


HOL-1911-01-SDC

Migration Complete

That's all there is to it. In the left navigation pane you can now see the core-01a VM
has been moved to the RegionB01-COMP01 Cluster, which is in the
vcsa-01b.corp.local vCenter. As with any other vMotion, this is done with no
downtime. The ability to vMotion VMs between hosts, clusters, vCenters, and virtual
switches give you even greater flexibility than you had before when managing your
workloads.

Note: If you plan on continuing and taking other modules in this lab, please use the
same process to vMotion the VM back to the RegionA vCenter. Use the following
information to assist with this:

• Compute Resource: esx-02a.corp.local


• Storage: RegionA01-ISCSI01-COMP01
• Folder: RegionA01
• Network: ESXi-RegionA01-vDS-COMP

Conclusion

Migrating VM's between vCenters is a very simple process. Cross vCenter vMotion allows
an Administrator to easily move workloads between vCenters that are in the same data
center or different data centers without down time. This reduces the amount of time
spent during migrations and consolidations. Storage is also migrated allowing for
migrations between different types of storage and removing the need for storage
replication and downtime. The network must be available on both ends of the migration
to prevent the VM from losing its network connection. This can be done through Layer 2
stretching or Network Virtualization.

HOL-1911-01-SDC Page 149


HOL-1911-01-SDC

Enhanced vMotion Capability


Let's say your manager tells you that the company has purchased a competitor and
they would like to migrate all the VMs from the acquisition's data center to your
company's data center over the next few months. What do you need to know to plan
this migration? With vSphere 6.7 you can do this using Per VM-EVC to migrate machines
from one hardware platform to another.

Per VM-EVC

Cluster-level EVC ensures CPU compatibility between hosts in a cluster, so that you can
seamlessly migrate virtual machines within the EVC cluster. In vSphere 6.7, you can also
enable, disable, or change the EVC mode at the virtual machine level. The per-VM EVC
feature facilitates the migration of the virtual machine beyond the cluster and across
vCenter Server systems and datacenters that have different processors.

The EVC mode of a virtual machine is independent from the EVC mode defined at the
cluster level. The cluster-based EVC mode limits the CPU features a host exposes to
virtual machines. The per-VM EVC mode determines the set of host CPU features that a
virtual machine requires in order to power on and migrate.

By default, when you power on a newly created virtual machine, it inherits the feature
set of its parent EVC cluster or host. However, you can change the EVC mode for each
virtual machine separately. You can raise or lower the EVC mode of a virtual machine.
Lowering the EVC mode increases the CPU compatibility of the virtual machine. You can
also use the API calls to customize the EVC mode further.

Cluster-based EVC and Per-VM EVC

There are several differences between the way the EVC feature works at the host cluster
level and at the virtual machine level.

• Unlike cluster-based EVC, you can change the per-VM EVC mode only when the
virtual machine is powered off.
• With cluster-based EVC, when you migrate a virtual machine out of the EVC
cluster, a power cycle resets the EVC mode that the virtual machine has. With
Per-VM EVC, the EVC mode becomes an attribute of the virtual machine. A power
cycle does not affect the compatibility of the virtual machine with different
processors.
• When you configure EVC at the virtual machine level, the per-VM EVC mode
overrides cluster-based EVC. If you do not configure per-VM EVC, when you power
on the virtual machine, it inherits the EVC mode of its parent EVC cluster or host.
• If a virtual machine is in an EVC cluster and the per-VM EVC is also enabled, the
EVC mode of the virtual machine cannot exceed the EVC mode of the EVC cluster
in which the virtual machine runs. The baseline feature set that you configure for

HOL-1911-01-SDC Page 150


HOL-1911-01-SDC

the virtual machine cannot contain more CPU features than the baseline feature
set applied to the hosts in the EVC cluster. For example, if you configure a cluster
with the Intel "Merom" Generation EVC mode, you should not configure a virtual
machine with any other Intel baseline feature set. All other sets contain more CPU
features than the Intel "Merom" Generation feature set and as a result of such
configuration, the virtual machine fails to power on.

HOL-1911-01-SDC Page 151


HOL-1911-01-SDC

VMware Cloud (VMC) on AWS


VMware Cloud on AWS is an integrated cloud offering jointly developed by AWS and
VMware delivering a highly scalable, secure and innovative service that allows
organizations to seamlessly migrate and extend their on-premises VMware vSphere-
based environments to the AWS Cloud running on next-generation Amazon Elastic
Compute Cloud (Amazon EC2) bare metal infrastructure. VMware Cloud on AWS is ideal
for enterprise IT infrastructure and operations organizations looking to migrate their on-
premises vSphere-based workloads to the public cloud, consolidate and extend their
data center capacities, and optimize, simplify and modernize their disaster recovery
solutions. VMware Cloud on AWS is delivered, sold, and supported globally by VMware
and its partners with availability in the following AWS Regions: US West (Oregon), US
East (N. Virginia), Europe (London), and Europe (Frankfurt).

VMware Cloud on AWS brings the broad, diverse and rich innovations of AWS services
natively to the enterprise applications running on VMware's compute, storage and
network virtualization platforms. This allows organizations to easily and rapidly add new
innovations to their enterprise applications by natively integrating AWS infrastructure
and platform capabilities such as AWS Lambda, Amazon Simple Queue Service (SQS),
Amazon S3, Elastic Load Balancing, Amazon RDS, Amazon DynamoDB, Amazon Kinesis
and Amazon Redshift, among many others.

With VMware Cloud on AWS, organizations can simplify their Hybrid IT operations by
using the same VMware Cloud Foundation technologies including vSphere, vSAN, NSX,
and vCenter Server across their on-premises data centers and on the AWS Cloud without
having to purchase any new or custom hardware, rewrite applications, or modify their
operating models. The service automatically provisions infrastructure and provides full
VM compatibility and workload portability between your on-premises environments and
the AWS Cloud. With VMware Cloud on AWS, you can leverage AWS's breadth of
services, including compute, databases, analytics, Internet of Things (IoT), security,
mobile, deployment, application services, and more.

Onboarding VMware Cloud on AWS

Joining the VMware Cloud on AWS (VMC) service is not like deploying vCenter or other
VMware products. Because VMC is a managed service operated by VMware, you need
on onboard to the service and create what we call an Organization which is the key
tenant construct within VMC.

In the video below, we show this process from beginning to end.

HOL-1911-01-SDC Page 152


HOL-1911-01-SDC

Migration from On-prem to VMC on AWS - NSX Hybrid


Connect

HOL-1911-01-SDC Page 153


HOL-1911-01-SDC

Conclusion
The primary benefit of the hybrid cloud model is flexibility and freedom, but it also
creates a seamless experience such that end users are completely indifferent as to
whether an application is running in a public or private cloud. IT has the ability to deploy
and run applications anywhere without the risk of getting locked in to the APIs of a
specific cloud provider and can access infrastructure on demand using a consistent set
of tools and skillsets. Cross vCenter vMotion, Enhance vMotion Capability with Per-VM
EVC, and VMware Cloud on AWS all help deliver the Seamless Hybrid Cloud Experience.

You've finished Module 5!

Congratulations on completing Module 5!

To review more info on the features covered in this module, please use the links below:

• Configuring Per-VM EVC with PowerCLI


• VMware Hybrid Cloud Extension
• Or use your smart device to scan the QRC Code.

Proceed to any module below which interests you most.

• Module 1 - vSphere 6.7 Overview(15 minutes) (Basic) Brief overview of what's


new in the vSphere 6.7 release.
• Module 2 - Simple and Efficient Management at Scale(60 minutes) (Basic)
Explore improvements and new features in ESXi and vCenter Server management
and lifecycle.

HOL-1911-01-SDC Page 154


HOL-1911-01-SDC

• Module 3 - Comprehensive Built-in Security (60 minutes) (Basic) Experience


the improved VM Encryption workflow as well as added support for TPM 2.0,
vTPM, and Virtualization Based Security.
• Module 4 - Universal Application Platform (15 minutes) (Basic) Discover new
vSphere capabilities that make it the platform for all applications including the
most mission critical.
• Module 5 - Seamless Hybrid Cloud (15 minutes) (Basic) Learn how vSphere
6.7 and VMware Cloud on AWS creates a seamless hybrid cloud experience with
easy visibility, migration and management of workloads between on-premises
and public cloud.

How to End Lab

To end your lab click on the END button.

HOL-1911-01-SDC Page 155


HOL-1911-01-SDC

Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit
http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1911-01-SDC

Version: 20190415-150729

HOL-1911-01-SDC Page 156

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy