vCloud Air enhancements: Hybrid Cloud Manager, Advanced Networking Capabilities and cross-Cloud vMotion

On June 24th I did a presentation and live demo of vCloud Air at our annual ITQ Technical Update Session (TUS2015). If you attended, you may recall that I told you guys of some awesome vCloud Air enhancements that were coming soon. At VMworld 2015 these enhancements became more clear and today two new vCloud Air features went GA. I will also fill you in on Project SkyScraper – aka cross-cloud vMotion!

vCloud Air Advanced Networking Services
If you have used vCloud Air up to this point, you might have noticed that the network Edge Gateway device VMware supplied, was a vShield Networking and Security Edge Gateway. Todays GA announcement delivers NSX powered edge gateways for Dedicated Cloud customers. They supply some cool new features:

  • Distributed Firewall (micro-segmentation)
  • Dynamic routing using BGP or OSPF
  • Network scaling (up to 200 router interfaces)
  • High capacity Point-to-Site SSL VPN for high speed and secure client access
  • Enhanced Load Balancing (scalable https load balancing with SSL offloading and log visibility)

Hybrid Cloud Manager
I was very disappointed that there was no vCloud Air web client plugin available for vSphere 6.0. At VMworld, VMware announced a new product: Hybrid Cloud Manager which went GA today. This explains why no effort was put into making the web client plugin compatible with vSphere 6.0.

Hybird Cloud Manager provides vSphere users a seamless solution for extending their on-premises data center into vCloud Air. The Hybrid Cloud Manager offers hybrid networking and bi-directional workload migration capabilities, simplifying workload migration between on premises and vCloud Air.


Hybrid Networking Service is available as an optional add-on service that provide enhanced migration and network extension capabilities from within vCloud Air Hybrid Cloud Manager. It provides the following capabilities:

  • Secure and encrypted channel between on-prem and vCloud Air with intelligent routing that overlay on top of IPsec VPN and Direct Connect
  • Low downtime migration between on-premises data center and vCloud Air
  • Accelerated migration using inbuilt WAN optimization for improved performance
  • Seamless Layer 2 Network Extension to vCloud Air, whereby user can stretch multiple L2 segments in one tunnel from your vSphere environment to vCloud Air so you can migrate VMs to vCloud Air while retaining the same IP and MAC address.

Technology Preview Project SkyScraper – ala cross-Cloud vMotion

For vCloud Air, VMware is targeting customers who are currently running vSphere in their datacenters. I have to say that I am getting more and more excited about vCloud Air and all the capabilities it brings for creating a true hybrid cloud environment. To be honest, VMware was late to the cloud game but I feel that vCloud Air is too hard to ignore if you are a vSphere shop and looking at cloud computing. The cross-cloud vMotion that was demonstrated at VMworld as part of the ‘Technology Preview of Project SkyScraper’ was simply amazing. Doing an online migration of a VM into the cloud! Now how is that for a seamless extension of your datacenter. With the vSphere 6.0 vMotion enhancements, I had high hopes that a vMotion to vCloud Air would be possible in the future but would have never expected that VMware could release a Technology Preview on such short notice. Big applause to the vCloud Air team!

Of course I will try out these new features in my lab as soon as I can get my hands on the bits. More to come soon hopefully!

VMware’s EUC acquisitions; does it still make sense? Yes it does!

Last week, I presented at our annual Technical Update Session. An event with a couple of sessions about the main pillars of the VMware proposition. My session was all about End User Computing. It was called “Beyond the Virtual Desktop” and was about the (near) future of End User Computing. During the session I presented a couple of products and explained the recent acquisitions made by VMware.

After the session, I still got some questions about all these products that are all doing something completely different, but still are part of the VMware EUC pillar. This post is about explaining the links between the products and the missing links in End User Computing.

So let’s start explaining the acquired and newly created functionality that VMware announced recently:

Just-In-Time Desktops

Last year during VMworld, Kit Colbert announced Just-In-Time desktops (also knows as VMFork and Project Fargo). A technology to fork running VM’s. It will create an in-memory clone of a VM in a few seconds including a little bit of customization. From a server workload perspective, it is nice tech to for instance scale out a running containerized app to another VM without a time-consuming provisioning process.
When putting it in an EUC perspective, imagine not having to provision all your linked clones anymore because all your desktops are forked from a golden image in memory. Pretty cool, isn’t it?
By the way, in the project Enzo movie later in this post, this tech is called VMware Instantclone.

App Volumes

During the same VMworld (2014), VMware showed a first version of App Volumes (the former CloudVolumes product). In this post, I explained some more about this awesome tech.
So think what will happen if VMware Instantclone and App Volumes are combined? A user logs on to the Horizon Connection Server, an InstantClone is created within seconds and as soon as the user is logged on to the desktop, his apps are provisioned in another second by App Volumes. More details about this combination is explained in this post.

User Environment Management

This is where it get’s more confusing I guess. Why did VMware acquire Immidio last year? The answer is fairly simple.
My colleague Frank Nijman wrote a blogpost explaining how User Environment Management (UEM, former Flex+) works.
So what facts do we have around User Environment Management in general?

– Roaming Profiles are mostly used at our customers, but maintaining them is a real burden (corruption, slow login, compatilibity throughout multiple OS’s).
– Persona Management is a better solution, but lacks serious support on an application-basis.
– When using normal (read-only) appstacks with App Volumes, user customization to an application isn’t possible (i.e. an Outlook Signature).

So this is where VMware UEM will fit in perfectly!
When specifically looking at the App Volumes use case, imagine creating an Appstack. During that process, an Application Profile for UEM is automatically created. The Application Profile contains all settings that are user-dependent and saves them to a shared folder on the network. So when a user logs on to an InstantClone desktop, gets the Appstacks he is permitted to use and his application settings are injected in his local profile. The next time he will log on to the Horizon Connection Server, a new Instantclone desktop is created and his applications and settings will follow him wherever he goes. Get the picture?


So what about this one? Why would VMware acquire a Mobile Device Management product? Again, the answer is fairly simple.
Let’s start explaining what AirWatch MDM does. It has some main features:

– Mobile Device Managent: Manage, deploy, control and secure all of the devices used by your mobile workforce (including applications).
– Secure Content collaboration: See it as a secure mix of Dropbox and Sharepoint (but cooler).
– Email management: Secure your company’s email services (Exchange, Office 365, Google Apps for Work, Lotus).

All these features are manageable through a pretty good UI:

AirWatch UI

A lot of companies are introducing BYOD to their mobile workforce. VMware’s Workspace Portal is great solution for provisioning all of their applications to the end user. But BYOD isn’t just about the applications, it’s mostly about devices. And the IT department still needs to control devices. “But it’s BYOD, why do you need control?”, I hear you say..
Think about a couple of situations:

– You offer a Mail Service, but you don’t want users to store attachments on a BYOD device.
– You would like to allow users to connect to your infrastructure, but only if their device isn’t compromised (jailbroken/rooted).
– You would like to force users to use encryption when they store files on their device.

These use cases and many more can be solved by using AirWatch MDM.

Last year, VMware announced the discontinuation of Horizon Files, the dropbox-like file sharing solution for the enterprise. This is where AirWatch Secure Content Locker fits in. Basically, it doesn’t matter where you are and with which device, your files are always with you. Secure Content Locker was developed for a couple of airlines so pilots could bring their documents on a mobile device in a secure way without having an internet connection in the aircraft.

Combining Workspace Portal with Secure Content Locker will let you use all of your applications and your files on all your devices in a secure, controllable manner.

Project Enzo

This is the one solution that brings all tech together. Please watch the movie before reading:

What did you see?

– Automated forking of Desktops based on Just-In-Time Desktops/VMware InstantClone
– Automated application provisioning based on App Volumes
– Customization by the user with UEM
– Recognize the UI? Right, that looks a lot like AirWatch if you ask me!

Add these features to Workspace Portal, Horizon DaaS integration, an automated setup of the control plane and hosts and what do we have?
Right, the (near) future of End User Computing. A single portal for the end user and a single portal for the administrators. Pretty sweet if you ask me..

The puzzle isn’t finished yet though.

Self Support

When adopting BYOD, one of the use cases we see a lot at customers is giving back control to the end user.
Let the user decide what kind of device they prefer to work on without having your admins lose control of the business-content that’s on it.
Also, the administrative burden will be smaller because your admins don’t have to purchase, deploy and manage all of the devices anymore.

But is that enough? In my honest opinion, I don’t think so. The one thing missing in VMware’s End User Computing proposition is a true workflow-based self service solution. Do you really want your admins to be busy resetting passwords, adding fileshares and printers, requesting approvals for software deployments, solving application problems, etc, etc for the end user? No, I don’t think so.
Bring Your Own Device isn’t just a about the device or applications, it’s about the user. And nowadays users know how to fix things on their device because they are adopting technology as they were taught to ride a bike or tie shoe laces.

So please VMware, let the next acquisition be Self Service related. The current EUC proposition is the best one around, and will be even more awesome when Project Enzo will be released. But I think that when Self Service is added to the proposition, it will be complete.

If you want to know more about self support and what it could bring to the EUC proposition, please read this post on my personal blog.

Do you want to know more about AirWatchAppVolumesEnd User ComputingHorizon 6InstantCloneProject EnzoUEMVMware, email me or add a comment to this blogpost as I am happy to get in touch!

Disaster Recovery to the Cloud blog series – Part 3: vSphere Replication

As of March 16th, vCloud Air Disaster Recovery got some much needed enhancements. You can read the release notes here but I’ll focus on the most important new feature (at least for my demo): native failback. Before this new feature, you would be able to recover your failed datacenter in vCloud Air but getting your workloads back into your own datacenter involved shutting down your VMs and using vCloud Connector to do an offline copy. vCloud Connector cannot copy running VMs. This made the entire service obsolete in my opinion. You could tell your boss that you had successfully saved the business by recovering your failed datacenter in the cloud … but that you had to turn everything off again for an extensive period in order to get stuff back into your own datacenter. But let bygones be bygones, VMware realized this and introduced Native Failback. You do need vSphere Replication 6.0, which essentially means that you should run vSphere 6.0, but that is a requirement that you should be able to work with if native failback is important to you.

Setting up vSphere Replication is pretty easy. The appliance is supplied as an OVF. You just put in your networking details and off you go. Once the appliance is deployed you need to finalize the setup through the Virtual Appliance Management Interface (VAMI), which runs on port 5480 of the appliance. The most important step is registering the appliance with Single Sign-On. The vSphere Replication plugin is then automatically installed in the vSphere Web Client.

Web Client

I deployed a single MicroCore Linux based VM. This is a pretty small Linux distribution which contains the open source VMware Tools. Before I could replicate it to vCloud Air DR I needed to register my cloud instance with vSphere Replication. VMware provides a vSphere Replication instance inside vCloud Air for you so you don’t have to configure or deploy anything there. Registering the vCloud Air DR instance as a target site is done using the vSphere Web Client:


Once my vCloud Air DR instance was registered, I could initiate an outgoing replication for my MicroCore Linux VM from my Ravello based “datacenter” to vCloud Air. I can imagine that all these cloud instances and VPN tunnels can get a bit confusing so I drew up a small infrastructure drawing in Visio:


Mind you that the vCloud Air instances are provided from UK based datacenters and that the Ravello powered vSphere datacenter is running in an AWS datacenter in Virginia, USA. We are actually replicating this virtual machine to the other side of the Atlantic!

In my next and final blog in this series I will demonstrate a test DR, a planned migration and a real disaster recovery by turning of the Ravello environment with a single mouse click.

(Read the first and second part of the series)

Getting started with Lattice

In April, Pivotal released Lattice, a platform for hosting cloud native applications which is aimed at being accessible and convenient for developers. However, it’s not just that: it’s also a testbed for the new elastic runtime codename ‘Diego’ which we will likely see incorporated in the next version of Lattice’s big – enterprise ready – brother Pivotal Cloud Foundry in due time. This new runtime comes with the ability to run Docker workloads which makes it very interesting.

In this post, I’ll describe the minimal steps required to set up a machine in which we create another VM using vagrant and virtualbox which will run Lattice and host its first containerized workloads. Note: in case you already run VMware fusion/workstation and the VMware integration for vagrant, you don’t need the initial hosting VM, so you can skip the first steps and go directly to ‘Get Lattice’.

Create a virtual machine

In fact, it doesn’t have to be virtual, just get a x64 machine, either physical or using your hypervisor of choice. Since this machine will run its own virtualized workload, it’s essential it has virtualization instructions, either hardware based or virtualized. For example in VMware Workstation this option shows as:

Virtualize VTx

Install Ubuntu

Install the latest stable Ubuntu (desktop), and make sure it’s updated.

Install vagrant and virtualbox

In order to spin up the lattice machine, we’ll use virtualbox, and to provision it lattice depends on vagrant. For vagrant we need a version (>1.6) which is not by default in the ubuntu repos, so we install it via direct download:

sudo apt-get install virtualbox
sudo dpkg -i vagrant_1.7.2_x86_64.deb

Get lattice

Install git and clone the lattice repository:

sudo apt-get install git
git clone
cd lattice
git checkout <VERSION>

Here <VERSION> is the version you find in the file ‘Version’.

Next provision the virtual machine with
vagrant up

Of course we could ssh to the lattice VM now, but the idea is to access it via API calls. The lattice CLI wraps the API and offers a convenient interface.

Get/build the lattice CLI

You can build the lattice CLI from source, or download a binary. If you take the download option you can skip the following paragraph.

Building the CLI from source

In order to do this we need Go, and again the version in the ubuntu repos is too old (<1.4):

wget --no-check-certificate --no-verbose
tar -C /usr/local -xzf go1.4.2.linux-amd64.tar.gz

And to setup the build environment:

export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

If you want this to persist, add the exports to ~/.bashrc

Now build the CLI binary:

go get -d

You can check if the CLI has been build successfully by typing: ltc

Connecting to the lattice

Point the CLI to the lattice instance:
ltc target <system_ip_from_Vagrantfile>

If you run into errors or timeouts at this stage, try to ping the lattice VM, or (re)start the lattice VM directly from VirtualBox which will usually tell you what’s wrong.

Running a test workload

A Docker container hosting a simple test web application is available in the Docker hub. You can spin up your first instance with:
ltc create lattice-app cloudfoundry/lattice-app

Check it’s status with
ltc status lattice-app

Next, spin up a few more with
ltc scale lattice-app 4

When this is done, point a browser at lattice-app.<system_ip_from_Vagrantfile> and refresh a couple of times to see the built in load balancing and router in action.

What’s new in Horizon 6.1.1


In the last couple of months VMware released 2 versions of it’s Horizon Suite: 6.1 and 6.1.1. Both releases mostly consist of new functionality.

To view some of the new Horizon 6.1 features, click here.

This post sums up some of the new functionality in Horizon 6.1.1 I think are really cool or worth mentioning:

Published Application support in HTML5

As “it’s all about the App”, VMware put published application support in Blast for HTML5 supported browsers. With Blast it is now possible to directly start an application without the need for a complete desktop. Did I mention that tablets and most smartphones also support HTML5? 🙂

Full support for Chrome OS

With a newly released Horizon client for Chrome OS, the lightweight operating system is now fully supported to use as a device for an end user. Imagine running your complete office suite on a device that’s really portable and ready to use within seconds. During the Technical Update Session 2015 we brought a Chromebook to demonstrate the potential of the Horizon support in Chrome OS. Would you like to have a demonstration? Please contact us here.

Linux Desktop support

Every big company has developers use an Operating System other than Windows to develop on. Most of the times, normal VM’s need to be created for that purpose and a separate tool is needed to let the user connect to it’s developing machine. VMWare announced to support Linux as a guest operating system. How nice is that? Full clones with Ubuntu, Redhat and CentOS can be deployed with an Horizon Agent so the end user can connect with it through the Horizon Client, Blast and through the Workspace Portal. And one of the best things is, ITQ is early access partner!
Would you like to know how to implement Linux as Guest OS? Our consultants can help you.

Client Drive redirection

Finally, for both Windows and Mac OSX devices running the latest version of the RDP client, redirection of local drives is available in the Horizon client. It is now possible to edit local Microsoft Office documents without having the Office Suite on your local device.

Serial Port redirection

With Serial Port redirection it is possible to use a local serial port from within a remote desktop or published application. Use cases would be a Point of Sales device with a serial printer and cash drawer. Instead of having to use extra serial-to-ethernet converters for the PoS software.

Multimedia Redirection for RDS

As mentioned, HTML5 is now fully supported for published apps. Imagine one of those apps uses video sites like Youtube (is happening more often). The RDP protocol now supports the offloading of the multimedia stream to the local device of the end user. That will save you a lot of bandwidth in the datacenter. Also, running high-res video’s from within the remote desktop could be resource intensive. So it will also save you on resources.

Need help in upgrading to Horizon 6.1.1? Contact us!

Besides newly released features, VMware also announced Project Enzo. This will be the EVO:Rail equivalent for the End User Computing productrange. In a later post, I will explain more about Project Enzo and what the recent acquisitions have to do with it.

Disaster Recovery to the Cloud blog series – Part 2: vCloud Air VPC OnDemand and vCloud Air Disaster Recovery setup

In Part 1 of this blog series I explained how I used Ravello Systems to set up a nested vSphere 6.0 lab on top of Amazon AWS and how I connected it to the internet using a pfSense virtual firewall appliance. In this blog I will tell you how I set up the public cloud side of the demo. But first I have to explain why I also used a vCloud Air OnDemand Virtual Private Cloud instance.

vCloud Air VPC OnDemand
vCloud Air Disaster Recovery is a core service offering of vCloud Air. You can buy this service as a subscription, which means that you pay upfront for a certain amount of resources. There is no pay-as-you-go with vCloud Air DR. You are allowed to run your recovered VMs for 30 days, which should give you a fair amount of time to recover your failed datacenter. Of course these 30 days can be extended at a cost. And finally – and most importantly for my demo setup – vCloud Air DR only provides so-called warm standby resources. This means that it is not possible to spin up an active VM inside a DR cloud instance. The only way to get VMs to run in a DR instance is by replicating them into the cloud and performing a DR. I cannot replicate my primary domain controller using vSphere Replication because that seriously breaks AD. So I have to provide supporting infrastructure services such as AD, DNS and NTP myself … somewhere. A vCloud Air Virtual Private Cloud OnDemand is an ideal place to run these services. This OnDemand offering is billed on a pay-as-you-go basis and running one or two VMs for infrastructure services shouldn’t cost a lot. My 1 vCPU, 2GB vRAM domain controller costs about € 0,12 per hour.

Basically this cloud instance is just another datacenter, so I set up my basic networking, my DNS and my AD Sites and Services. I hooked up the Edge Gateway -that VMware provides in every cloud instance- to my Ravello site using IPSec VPN and finally, I opened all my firewall ports. My AD was replicating and I had successfully added a vCloud Air VPC OnDemand instance to my datacenter infrastructure:


vCloud Air Disaster Recovery
Setting up the DR instance itself was very easy. To be quite honest, the biggest struggle was buying the service. vCloud Air DR is a pretty new offering, especially here in The Netherlands, so not all VMware resellers and distributers were familiar with the delivery of a vCloud Air DR instance. Because vCloud Air DR is a subscription based service, you buy it through regular VMware reseller channels. You cannot buy vCloud Air DR directly from VMware! Check out VMware’s Purchasing Programs page for more information.
Back to the lab setup: remember we now have a local datacenter running in Ravello and an OnDemand cloud instance running as a second site for AD, DNS and NTP. The recovered workloads in vCloud Air DR must be able to access these services so we need a VPN between the OnDemand instance and the DR instance. Setting up this VPN was really easy because both VPN endpoints are VMware provided Edge Gateways:


The first VPN is the VPN between the pfense firewall in Ravello and the OnDemand instance’s Edge Gateway. The second VPN entry is the VPN between the vCloud Air DR and OnDemand instances. For some reason the Status icon of the VPN to Ravello occasionally shows a red sign which should indicated that the tunnel is down. I can verify however that the tunnel is up and passing traffic. This must be a glitch in the interface or maybe a non-critical anomaly between both VPN endpoints. I choose to leave it alone.
In my next blog I will delve into setting up vSphere Replication and how to actually replicate a workload into the cloud.

Disaster Recovery to the Cloud blog series – Part 1: Introduction and on-premises setup

DR to the Cloud introduction
I showed a live demo of a disaster recovery of a test workload from a vSphere 6.0 environment to a VMware vCloud Air Disaster recovery instance at our Technical Update Session (TUS2015) on June 24th. What I showed in roughly 20 minutes was a non-disruptive test of a disaster recovery and a planned migration of a small MicroCore Linux VM. Because the user interface is pretty intuitive and setting up and actually using vSphere Replication with vCloud Air DR is so easy, I feel the significance of what the demo was actually showing – what was happening on a global scale in a matter of minutes – was lost a bit. Therefore, I am writing a blog series about my demo setup and disaster recovery to vCloud Air in general. This is the first part where I will elaborate in some more detail on my demo setup. I will break down the blog series in the major parts that make up my demo infrastructure:
• Part 1. DR to the Cloud introduction and on-premises setup (this blog)
• Part 2: vCloud Air VPC OnDemand and vCloud Air Disaster Recovery setup
• Part 3: vSphere Replication
• Part 4: Disaster Recovery

On-premises setup
As part of a DR to the cloud I first needed a vSphere environment to pose as a local datacenter. I needed a reliable internet connection over which I could setup an IPSec VPN tunnel to my cloud instance. My colleague Arjan Timmerman introduced me to Ravello Systems. Ravello runs a distributed, nested virtualization engine called HVX on top of either Amazon Web Services or Google Compute Engine. Ravello also uses Software defined networking and a storage overlay to fully encapsulate workloads so they are independent from the underlying cloud infrastructure. There are a number of excellent blogs already out there about this awesome product so I won’t go into the underlying details of Ravello much further. I do recommend checking out the Ravello website and sign-up for a FREE 14 day trial. The folks at Ravello are very helpful and are eager to work with you to set up your proof of concept. Also worth noting is that Ravello is presenting at Virtualization Field Day 5 #VFD5 on June 26th. There will be a live webstream available on

Using Ravello I deployed a basic 3-node ESXi 6.0 VSAN cluster. I tried to keep my setup as clean and simple as possible. My main purpose with this demo was to replicate a VM to vCloud Air and perform a disaster recovery of that VM. Nothing more. So I kept everything very plain and very simple: one /24 subnet for my entire “on premises” datacenter, a single standard vSwith with a single uplink and one VMkernel port for just about everything. I know, not very scalable and resilient but hey, it’s just a demo. I deployed a Windows 2012 R2 based Domain Controller directly on Ravello and I added another Windows based machine which I used as a RDP jumphost and to install vCenter 6.0 for Window on. The number of disks that come with the Linux based vCenter 6.0 appliance exceed the number of supported disks per controller on Ravello. It is actually a limitation of the underlying cloud infrastructure and Ravello gives you an error when you try to upload VCSA6.0 as an OVF. I spent some time trying to alter the VCSA harddisk layout in Fusion on my local workstation but decided it would be just easier to install vCenter 6.0 for Windows on my jumphost. Thinking of it, it’s pretty funny that – as a real Windows guy – I was actually really trying to NOT use the Windows version of vCenter. I think that says a lot about the quality of the recent Linux based vCenter appliances!

Finally, I needed something to set up a VPN to vCloud Air with. Ravello provides a nice step-by-step guide on how to deploy and set up a pfSense virtual firewall appliance, so I went with that. Of course I could also have set up vShield Networking and Security or even NSX-v, but the resource overhead and added complexity outweighed the benefits. Deploying and setting up pfSense was very easy but getting the IPSec tunnel to vCloud Air up and running was a pain. Making sure that both sides of the VPN are using the exact same settings can be a challenge when you are using different products. In the end I got the IPSec tunnel to pass traffic successfully using these settings:

phase 1 phase 2
Because not all of these detailed settings are available in the vCloud Air Edge Gateway GUI, it was difficult to find the right settings. In the end this VMware KB article helped me to complete the setup.

Because it is just a demo setup (and because I couldn’t get the tunnel up and running at first) I decided to allow all traffic through the firewalls. I also port forwarded RDP traffic on TCP3389 from the WAN interface of the firewall to my jumphost so I could RDP to it directly.

To summarize, I now have a 3 node ESXi6.0 VSAN cluster, a Windows based jumphost which was running vCenter 6.0, a domain controller and a firewall appliance with an IPSec VPN tunnel to my cloud instance. In the Ravello interface the network setup looks like this:

ravello overview

All instances connect to the network and the pfSense firewall is also connected to the internet through a Ravello supplied router. The Ravello network settings of the pfSense appliance are:

Ravello nw settings

In my next blog I will tell you in detail how I set up my vCloud Air instances. Yes, plural. I’ll explain why…