Getting Started with VMware Cloud Director

Table of Contents

1. Introduction
   • Prerequisites
2. Virtual Machine Creation and Management with Cloud Director
   • Working with VMs
     • Creating a VM
     • Deleting a VM
   • Working with vApps
     • Creating a vApp
     • Deleting a vApp
     • Adding an existing VM to a vApp
     • Converting a vApp to a VM
     • Importing and Exporting vApps
3. Working with Networks
   • Creating an organization VDC Network
   • Deleting an organization VDC Network
   • Edge Gateway Configuration
     • NAT Rules
     • Firewall Rules
     • Non-Distributed Routing
4. Working with Snapshots
   • Creating a snapshot
   • Reverting to a snapshot
   • Deleting a snapshot
5. Working with Backups
6. Access Control
   • Users
   • Roles
   • Identity Providers
7. External VMware Documentation

---

1. Introduction

This guide will help you getting started with VMware Cloud Director at GleSYS, previously known as vCloud. It is a Software-Defined Data Centers (SDDC) management platform that offers highly advanced workload management features, allowing you to access your virtual data center efficiently. Instead of paying for individual virtual servers, you get a predefined pool of CPU, memory, storage, and network resources to allocate to your workloads. Additionally, you can expand or reduce the pool according to your needs.

Prerequisites

1. Login URL and credentials from the GleSYS VMware Team.
2. Access to a web browser.

2. Virtual Machine Creation and Management with Cloud Director

In Cloud Director, virtual machines are organized into collections called vApps. Although it is possible to configure a VM without a vApp, a vApp provides additional functionality.

For example, you can configure your networks so VMs can communicate with each other but not with different collections of virtual machines. vApps are easy to duplicate, which is convenient if you have a group of VMs that you always deploy together.

Working with VMs

Creating a VM

1. Navigate to Compute > Virtual Machines and click New VM.
2. Enter a Name and a Computer Name (hostname).
3. Select Type:
   • New if you want to perform a clean operating system install using an ISO file.
   • From Template if you want to use an existing template.
4. Click OK to create the VM.
5. Click Details to make additional configuration changes after creating the machine.
6. If you deployed the VM using a GleSYS template, you can now set the server's root or administrator password:
   • Navigate to Guest OS Customization and click Edit.
   • Uncheck Auto generate a password and type in a secure password for the account.
   • Click Save.
   • Power on and apply the customizations by clicking All Actions > Power On, Force Recustomization.

Deleting a VM

1. First, shut down the existing VM.
2. Now it is possible to delete it by clicking All Actions > Delete.

Working with vApps

Creating a vApp

1. Navigate to Compute > vApps and click New > New vApp.
2. Enter a Name for the new vApp.
3. If you need to add new VMs to this vApp, click Add Virtual Machine. However, this step is optional and can be performed later.
4. Click Create.

Deleting a vApp

1. To delete a vApp, click All Actions followed by Delete. Keep in mind that deleting a vApp will also delete all VMs associated with it.

If you plan to keep any VMs, move them to a new vApp. If you have only one VM left in the vApp and wish to keep it, convert it into a standalone VM by selecting All Actions > Convert to VM.

Adding an existing VM to a vApp

1. Navigate to Compute > Virtual Machines and locate the VM.
2. Click Actions > Move.
3. Choose your destination vApp.
4. Adjust the resources as necessary and click Next.
5. Review the information and click Done. The VM now belongs to the specified vApp.

Converting a vApp to a VM

1. Converting a vApp to a VM is done under All Actions > Convert to VM.

This option is only available when a single VM is in the vApp. If there are multiple VMs, you must move them to another vApp before conversion.

Importing and Exporting vApps

It is possible to import and export vApps from VMware Cloud Director either directly in the Tenant Portal or by using the VMware OVF Tool. The OVF Tool is a command-line utility that helps you import and export OVF packages to and from many VMware products.

If you want to export a VM, converting it to a vApp before exporting is necessary. It is also required that it's powered off during the export.

Using the Tenant Portal:

1. Export: Power off the vApp. Navigate to Compute > vApps. Choose the specific vApp and click Actions > Download.
2. Import: Navigate to Compute > vApps and click the New button. Click Add vApp From OVF.
   
   

Using the OVF Tool:

1. To download the tool from VMware, navigate to this URL: Open Virtualization Format (OVF) Tool
   
2. Here is the OVF Tool User Guide if you need further guidance.
   

To view the help output, you can run the following command: ovftool --help

Below are two practical examples using OVF Tool:

Command syntax to import a vApp:

ovftool --X:progressSmoothing=10 --X:vCloudTimeout=60000 --X:vCloudKeepAliveTimeout=60000 "C:\temp\import.ova" "vcloud://username@vcd.dc-fbg1.glesys.net?org=<vdo-xxxxx>&vdc=<vdc-xxxxx>&vapp=<vApp name>"

Command syntax to export a vApp:

ovftool --X:progressSmoothing=10 --X:vCloudTimeout=60000 --X:vCloudKeepAliveTimeout=60000 "vcloud://username@vcd.dc-fbg1.glesys.net?org=<vdo-xxxxx>&vdc=<vdc-xxxxx>&vapp=<vApp name>" "C:\temp\export.ova"

3. Working with Networks

For security reasons, a new Cloud Organization has no preconfigured networks. As a result, when you create a virtual machine, it will be isolated from the outside world.

Your Cloud Organization has an Edge Gateway for internet access, firewall, NAT, and VPN functionality for virtual machines.

A network can either be used in the scope of an Edge Gateway or outside it, creating an isolated network between VMs.

Creating an organization VDC Network

The first network to create is an organization-level Virtual Datacenter (VDC) network.

1. Navigate to Networking > Networks and click New button to start the VDC network creation process.
2. Then, walk through the following steps in the Wizard to create a new network:

Scope

Choose the Scope of the network, i.e. whether it should only apply to a specific organization Virtual Data Center or an entire VDC Group (several VDCs). Click Next to proceed.

Network Type

Select the type of network you want to create:

1. Choose Routed as type if the network should go through an existing Edge Gateway, or
2. Isolated as type if the network should only be reachable within the current VDC. Click Next to proceed.

Edge Connection

Create the Edge Connection. Your organization will have the Edge Gateway deployed, which shows up on the list. Here is also an option to turn off Distributed Routing. Select the Edge Gateway (t1-vdc-xxxxx…) from the list and click Next.

General

The General step contains general information about the network. The following fields are available:

• Name. Create any name you want to use to reference this network in the future.
• Description (optional). A description of this network.
• Dual-Stack Mode (optional). The switch enables the network to have both IPv4 and IPv6 subnets.
• Gateway CIDR. The CIDR includes the IP address of the gateway, e.g. 192.168.1.1/24 represents the gateway address 192.168.1.1 and its associated routing prefix 192.168.1.0, or equivalently, its subnet mask 255.255.255.0. The CIDR value cannot be changed once it is provided.
• Guest VLAN Allowed (optional). Virtual Guest tagging.

Fill out the general information for the network. When ready, click Next to proceed.

Static IP Pools

The Static IP Pools page allows reserving a pool of IPs that will be static. The step is optional.

To add an entry, enter a static IP address (e.g. 192.168.1.2) or range (e.g. 192.168.1.2 to 192.168.1.100) and click Add. The entry appears on the Allocated IP Ranges list, and the total reserved IP addresses are displayed below the list.

DNS

The DNS enables adding a primary and secondary DNS and the DNS suffix for the VMs.

Setting up a DNS is optional. Set the IPs of the DNS servers if you wish to use them, and click Next.

Finally, review the information and click Finish to create the network. If you also want to enable DHCP for a network, follow these steps:

Enable DHCP (optional)

Enabling DHCP can be done after creating the network.

1. Navigate to Networking > Networks.
2. Select the Network you want to edit.
3. Navigate to IP Management > DHCP and click Activate.
4. Enter the following required information:
   • DHCP Mode: Network
   • Listener IP address: The IP address of the DHCP service (e.g. 192.168.1.254)
5. Click Next to proceed.
6. Click Add to create a DHCP Pool. Please note that this pool must be outside any previously created Static IP Pool. For example, if you have a Static IP Pool with the IP addresses 192.168.1.2-192.168.1.100, you could use 192.168.1.101–192.168.1.253 for the DHCP Pool. Click Next to proceed.
7. Optional. Enter the DNS Servers connected VMs should obtain from the DHCP service. Click Next to proceed.
8. Review the configuration and click Finish to activate DHCP.

Deleting an organization VDC Network

1. Navigate to Networking > Networks.
2. Select a network and click Delete.

Note that this procedure will only work when there's no longer an existing relation to the network, for example, a connected VM.

Edge Gateway Configuration

To access the Edge Gateway configuration screen, open the Edge Gateways tab from the Networks page.

NAT Rules

Network Address Translation (NAT) is a technique that allows the translation of public IP addresses to private ones. Using NAT makes connecting multiple servers in an internal network to the same public IP address possible. Moreover, NAT is also the only method to assign a public IP address to a VM connected to an Edge Gateway.

We recommend starting with the NAT rules, as no NAT rules are set up by default. Here are the different types of NAT rules available to choose from:

• DNAT: This rule translates a public IP address and all or specific ports to a private IP address. You can, for example, send all HTTPS traffic to a public IP to VM1, while RDP traffic to the same IP instead is sent to VM2.
• SNAT: This rule is used for outbound traffic and translates a private IP address to a public IP address.
• No DNAT: If you have specified an IP range, you can use this rule to exclude specific IP addresses from existing DNAT rules. Make sure any No DNAT rule has higher priority than the DNAT rule, or it will not work.
• No SNAT: The same as above but for SNAT rules.
• REFLEXIVE NAT (sometimes called stateless NAT): For Reflexive, to egress traffic, the firewall is applied to the translated source address after NAT is done. For Reflexive, to ingress traffic, the firewall is applied to the original destination address before NAT is done.

Firewall Rules

The firewall rules can be accessed and edited by clicking the Edge Gateway. There is a default rule added automatically, which drops all traffic. You can add new rules above this to allow specific traffic to and from your networks.

To define Firewall rules, start by setting up Static Groups (whole networks including connected VMs) and/or IP Sets (predefined IP addresses) under Security in the left-hand menu. These can then be used in the Firewall rules.

Non-Distributed Routing

By default, no segmentation occurs between the internal networks connected to an Edge Gateway. The firewall is thus only applied for North-South traffic (ingoing and outgoing) and not East-West (between VMs and networks).

Turning off Distributed Routing on the specific network forces all VM traffic through the service router and makes segmentation between different internal networks possible. It's important to remember that there will be an extra hop when routing traffic through the service router instead of the Distributed Routers on each ESXi host. This extra hop can result in higher latency compared to using Distributed Routing.

To turn off Distributed Routing on your network, you must allow it on the Edge Gateway first. This option may in some cases not be enabled by default, but GleSYS Support can assist with it.

If you did not turn off Distributed Routing when creating the network, you can adjust it later. However, it is essential to note that the change will take effect immediately. Therefore, adjusting the firewall rules beforehand is crucial, especially if the network is in active use.

To deactivate Distributed Routing, do the following:

1. Navigate to Networking > Networks.
2. Choose the network you want to edit. Under the General section, click Edit.
3. Click on the Connection tab, uncheck Distributed Routing, and click Save.

4. Working with Snapshots

Creating a snapshot allows you to save one or more restore points of a VM temporarily. This feature comes in handy when upgrading the operating system or software. In case of an error, you can revert the server to a snapshot. However, it's important to note that a snapshot should not replace a backup since it is stored in the same folder as the original VM and relies on the original disk.

In addition, it is best practice to save a snapshot for at most three days, as it can affect the virtual machine's performance. So remember to delete it as soon as it is no longer needed, and limiting the number of active snapshots to a maximum of three per server is also good.

If you need further details on how to work with snapshots, please read the documentation in VMware Cloud Director Tenant Guide.

Creating a snapshot

1. Navigate to All actions > Snapshot.
2. To create a snapshot, click Create Snapshot.

Reverting to a snapshot

1. Navigate to All actions > Snapshot.
2. To revert to a snapshot, click Revert to Snapshot.

Deleting a snapshot

1. Navigate to All actions > Snapshot.
2. To delete a snapshot, click Remove Snapshot.

5. Working with Backups

Our Cloud Director tenant portal has a built-in integration with Veeam, which you can access by purchasing our backup service. It provides a self-service portal that enables you to manage your backup tasks and execute restores more effortlessly. If you back up a VM or vApp running in Falkenberg, it will automatically be stored in our Stockholm data center, and vice versa.

6. Access Control

Users

We initially hand over credentials for an administrator account to our customers. Still, we strongly recommend setting up personal user accounts for each individual who needs access to the portal.

Roles

Each user is assigned a role. For example, the Organization Administrator role has complete rights in the portal. In contrast, the Console Access Only role only has access to open the console and view the properties of VMs.

It is possible to create your custom roles with any necessary permissions.

Identity Providers

Using an external Identity Provider, e.g. Google Workspace, for Single Sign-On capabilities in the portal is possible. That is also currently the only way to achieve two-factor authentication to the Cloud Director portal.

Read more here about adding a SAML Identity Provider to VMware Cloud Director in the VMware Cloud Director Service Provider Admin Portal Guide.

7. External VMware Documentation

Our environment supports VMware Cloud Director Availability, which can be used for replication and migration to and from our environment or between our data centers. It is not enabled by default but can be enabled by contacting GleSYS Support.

Read the VMware Cloud Director Availability documentation

The VMware Cloud Director Tenant Portal Guide provides information about administrating your organization and creating and configuring virtual machines, vApps, and networks within vApps. You can also configure advanced networking capabilities that VMware NSX provides for vSphere within a VMware Cloud Director environment. You can also create and manage catalogues, vApp and VDC templates, and create and manage cross-virtual data center networks.

Read the VMware Cloud Director Tenant Portal Guide