Automated deployment of Virtual Container Host (VCH) using vRealize Automation (vRA)

In our previous posts, we saw how to deploy the VCH using the CLI utility, the vSphere client, and so on. In this post, we look at automating the VCH deployment with vRealize Automation (vRA).


Today's automated environments call for fast, seamless infrastructure deployment. VMware vSphere Integrated Containers gives developers an essential tool for streamlining the process of building and running containerized applications in production. The VCH can be deployed through various methods, as we saw in our previous posts. In this post, we are going to see how to automate the VCH deployment and deploy the first VCH in a few mouse clicks. By using the service catalog in vRealize Automation to provision Virtual Container Hosts on demand as a ticketless offering, you can make your developers self-sufficient.

vRealize Automation 7.4 and later versions support provisioning and management of Virtual Container Hosts (VCH) for running vSphere Integrated Containers (VIC). Below is the step-by-step procedure for using the XaaS blueprint in vRealize Automation to create a fast, self-service offering of Virtual Container Hosts while ensuring compliance with business policies.

Step 1: Download the "" package from the link

Step 2: Extract the package

Step 3: Log in to the Orchestrator and you land on the page

Step 4: Click on the "Import package" tab and choose the downloaded file "com.vmware.vra.vic.package"

Step 5: You get the signature verification window. Choose either "Import once" or "Import and trust provider" and proceed

Step 6: In this step, you get the configuration summary and the items which are imported as part of the package

Step 7: Click Import selected elements and you should see the progress bar

Step 8: Once the import succeeds, we should see the package and its workflows in the inventory. Go to the Workflows tab and verify that you see the workflows as below.

Step 9: Go to the Configurations tab and select the configuration element found under the path VMware->VIC Deploy->vRealize Automation->Targets

Edit the element as per your environment settings. You can also change the name of the element, as long as it matches the syntax. (Syntax Reference)

Note: If you are using multiple clusters in your environment, you need to add an additional attribute named 'compute-resource' with the name of the cluster as its value.

Step 10: Make sure to keep the same name for the other configuration element, which is found under the path VMware->VIC Deploy->vRealize Automation->Deployments

Procedure to set up VIC in the vRA Orchestrator appliance:

a. Download the VIC bundle by accessing the Admiral portal

b. Log in to the vRealize Orchestrator appliance or the vRA appliance (if it's embedded) and copy the VIC v1.5.4.tar file to the location /etc/vco/app-server/

c. Untar the file using the command "tar -xvzf vic1.5.4.tar"; a folder named vic will be created.
d. Change the ownership of the vic folder by running the command "chown -R vco:vco vic"
e. Verify the permissions are set properly inside the folder

f. Edit /etc/vco/app-server/properties and add the following property to the bottom of the file: com.vmware.js.allow-local-process=true
g. Close the editor and restart the vco service using the following command: /etc/init.d/vco-server restart (Note: If you have a highly available implementation of vRealize Automation, steps b - f must be performed on every vRealize Automation appliance node).
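
A way to carry out the verification in step e and confirm the property from step f, as an added example that is not part of the original post or of VMware's package. Because the property in step f lets Orchestrator start local processes, the check also flags anything under the vic folder that is world-writable; the function names are hypothetical, and the owner vco:vco and the property name are taken from the steps above.

```shell
#!/usr/bin/env bash
# Added example: audits the result of steps c-f. The vco:vco owner and the
# property name come from the post; all function names are hypothetical.

# Print entries under $1 not owned by user $2 / group $3, or world-writable.
vic_dir_findings() {
    find "$1" \( ! -user "$2" -o ! -group "$3" -o -perm -0002 \) ! -type l -print
}

# Succeed only if an uncommented line sets the property to true. Java
# properties semantics: a later assignment overrides an earlier one.
local_process_enabled() {
    local value
    value=$(grep -E '^[[:space:]]*com\.vmware\.js\.allow-local-process[[:space:]]*=' "$1" 2>/dev/null \
        | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    [ "$value" = "true" ]
}

# Return 0 when both checks pass, 1 on findings, 2 if find itself failed
# (for example because the expected user does not exist on this host).
audit_vic_setup() {
    local dir=$1 props=$2 owner=${3:-vco} group=${4:-vco} findings rc=0
    findings=$(vic_dir_findings "$dir" "$owner" "$group") || return 2
    if [ -n "$findings" ]; then
        printf 'unexpected owner or world-writable:\n%s\n' "$findings"
        rc=1
    fi
    if ! local_process_enabled "$props"; then
        echo "allow-local-process is not set to true in $props"
        rc=1
    fi
    return "$rc"
}

# Run only when called with arguments: <vic folder> <properties file>
if [ "$#" -ge 2 ]; then
    audit_vic_setup "$@"
fi
```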

Step 11: Create a catalog item. To create it, we need to import the blueprint using the tool called "CloudClient". Run the command below in CloudClient.

Import the blueprint using the following command: vra content import --path "path_to extracted_files"\desktop\users\downloads\ --resolution OVERWRITE --precheck WARN --verbose

Once we import the blueprint, we should see it under the Design tab. Select the imported XaaS blueprint; we can edit the details as required.

Choose the options to be presented to users. Go to the Blueprint Form tab and select the field named "Select vSphere / ESXi Host". Make sure that the 'Default Value' matches the name of the configuration element specified in step 9.

Step 12: Publish this blueprint. Add it to a vRA service and create entitlements for the users who will be requesting this blueprint.

Step 13: Go to the vRA Catalog tab and you should see ‘Deploy Virtual Container Host’ as a catalog item.

Step 14: Users can request the VMs and check the status of their request in the Requests tab. Once the request is completed, the VCH will be visible in the vCenter.

Once the VCH is deployed, the URL of the VCH can be made available to the developers, who can start deploying vSphere Integrated Containers using the Docker client or from vRA using the vRA Containers provisioning feature (refer to the post on adding a VCH to projects/the vRA Containers tab).
