VMWare Hol 2111 91 SDC - PDF - en
Table of Contents
HOL-2111-91-SDC - VMware vSphere - Lightning Lab
  Lab Guidance
vSphere Overview
  Introduction
  vSphere Lifecycle
  Intrinsic Security
  Application Acceleration
  vSphere with Tanzu
  Lightning Lab Conclusion
Appendix - Lab Guidance
  Appendix - New User Guide
HOL-2111-91-SDC
HOL-2111-91-SDC - VMware vSphere - Lightning Lab
Lab Guidance
Welcome to the VMware Cloud on AWS Lightning Lab
We have developed Lightning Labs to help you learn about VMware products in
small segments of time. This lab is an overview of the new features in vSphere 7.
We will go over the new features around installs, upgrades, backups, user
interface, and the CLI.
If you are new to the VMware Learning Platform (VLP), please read the
New User Guide located in the appendix. Click below to go directly to the
new user console walkthrough before continuing:
Lab Captain:
Content Leads:
This lab manual can be downloaded from the Hands-on Labs Document site found
here:
http://docs.hol.vmware.com
This lab may be available in other languages. To set your language preference
and have a localized manual deployed with your lab, you may utilize this
document to help guide you through the process:
http://docs.hol.vmware.com/announcements/nee-default-language.pdf
vSphere Overview
Introduction
This lab is an overview of the new features in vSphere 7. After completing this
module, you should get a good understanding of which of the next 4 modules are
of interest to you. The remaining modules will use videos and the lab environment
to demonstrate new features in the below categories.
We will go over the new features around installs, upgrades, backups, user
interface, and the CLI.
When sizing your server environment, careful consideration should be applied to the
types of workloads the cluster is intending to run. Some applications require higher CPU
clock frequencies while other applications better utilize more CPU cores. It is also worth
considering that some applications are licensed per CPU core resulting in a business
desire to opt for a CPU with a lower core count. The lower number of cores can be
effectively offset with a higher frequency on some of these applications. Remember to
include overhead for any other software or hypervisor services that may be utilized in
the environment; for example, VMware NSX.
Processor features that accelerate functions should be considered to improve
workload performance. Intel® Deep Learning Boost accelerates analytic
workloads in 2nd Gen Intel® Xeon® Scalable processors, while Intel®
Virtualization Technology (Intel® VT), built into and enhanced in five successive
generations of Intel® Xeon® processors, enables live migration of VMs across
Intel Xeon processor generations.
vSphere Lifecycle
vSphere 7 greatly improved lifecycle management. The new innovations for
lifecycle management in vSphere 7 make it easy for customers to have consistent
and up-to-date systems. The major lifecycle management improvements in
vSphere 7 are vCenter Server Profiles, vCenter Server Update Planner, and
vSphere Lifecycle Manager (vLCM).
vSphere Lifecycle Manager accounts for a number of the new vSphere 7 features,
bringing a suite of capabilities to make lifecycle operations better. With vSphere
Lifecycle Manager, we have a paradigm shift in both vCenter Server and ESXi host
configuration management. Using a desired state configuration model, vSphere
Administrators can create configurations once, apply them, and continue to monitor that
desired state through new tools called vCenter Server Profiles and Cluster Image
Management. vCenter Server Profiles enable administrators to standardize on a
configuration for all of their vCenter Servers and monitor to protect against
configuration drift.
Inside vSphere Lifecycle Manager, we have vCenter Server Update Planner. vCenter
Server Update Planner provides native tooling to help plan, discover, and upgrade
customer environments successfully. Receive notifications when an upgrade is available
directly in the vSphere Client. Update Planner can easily monitor the VMware product
interoperability matrix to ensure that the available upgrade is compatible with other
VMware software in the environment. Run a suite of available prechecks to assist with
version compatibility prior to beginning an upgrade. Everything is good? You’ll have a
successful upgrade, with no surprises.
It is important to note that the vCenter Server Update Planner only works with vSphere
7 and onwards. Update Planner cannot help plan your upgrade from vSphere 6.x to
vSphere 7, but it will drastically simplify your upgrades once you are running vSphere 7.
vSphere 7 offers a much simpler software architecture with a single upgrade workflow.
With vSphere 7, the only requirement is to upgrade vCenter Server; there is no need to
upgrade other external components such as the external PSC (Platform Services
Controller) or load balancers. This results in a more efficient upgrade process, given the
fewer nodes that need to be managed.
Also, vSphere 7 enables the upgrades of entire ESXi clusters (versus a single ESXi host
at a time) using the desired state model with cluster image management. The desired
state model of the upgrade validates each host’s configuration until it matches the
desired state. Note that customers would have to upgrade to vSphere 7 to take
advantage of the desired state model for future upgrades.
VM Compatibility 17
vSphere 7 introduces VM Compatibility 17. This version adds new functionality such as
new EVC modes for additional processors, a virtual watchdog timer to assist clustering
software, selective latency sensitivity, and a precision clock to improve timekeeping in
the guest OS. VM Compatibility 17 is only supported on ESXi 7 (and later) hosts.
In vSphere 7, you create VMs using hardware version 17 by default. However, you can
select older versions and upgrade the hardware on existing VMs if needed. Customers
might want to perform this operation to access a feature that is only available on the
newer ESXi compatibility version.
Now we will connect to the vcsa-01a machine and retrieve the VM hardware
compatibility on VM and Host for the virtual machine core-A.
1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
Using the Chrome web browser, navigate to the URL for the Web client. For this lab, you
can use the shortcut in the address bar.
Please Note: All of the user credentials used in this lab are listed in the README.TXT file
on the desktop.
The lab desktop is limited to 1280x800 screen resolution. It might be helpful to zoom
out the browser for better readability.
This will provide more viewing space while still allowing you to read the text.
Navigate to VM core-A
Intrinsic Security
vSphere 7 builds on the security capabilities in vSphere 6.7 and leverages its
unique position as the hypervisor to offer comprehensive security that starts at
the core, via an operationally simple policy-driven model.
Identity Federation
One of the biggest ways that customers can improve their security is through good
password policies, and one of the easiest ways to do that is to implement multifactor
authentication (MFA). The problem, then, is that there are so many ways to implement
MFA, and it’s nearly impossible to extend vCenter Server with all of them. Furthermore,
even if VMware implements some of them, it's duplicating what many customers
already have in their corporate identity management systems, and that doesn’t mesh
with the desire to make life better for users and especially the vSphere Admins.
The solution is federation using open authentication and authorization standards like
OAuth2 and OIDC.
With vSphere 7 and Identity Federation, vCenter Server can talk to an enterprise identity
provider and get the vSphere Admins and vCenter Server out of the process. This
simplifies the vSphere Admin’s job and helps reduce compliance audit scope. It
also opens the door to lots of different MFA methods because they already know how to
plug into things like Active Directory Federation Services (ADFS).
vSphere 7 supports ADFS out of the box and will build support for more providers over
time.
vSphere 7 also enables vSphere admins to protect the integrity of their virtual
infrastructure with remote attestation by a trusted computing base. This capability is
delivered by vSphere Trust Authority.
With vSphere Trust Authority, vSphere admins conduct security checks on a few strongly
trusted hosts, validating the operating system, firmware, credentials, etc. These
trusted systems are then compared to other running systems, with any differences
being identified, so they can be evaluated for security vulnerabilities.
vSphere Trust Authority (vTA) helps to make it easier to establish trust throughout the
entire stack – from bare metal all the way through the workloads. vSphere Trust
Authority creates a hardware root of trust using a small, separately-managed cluster of
ESXi hosts which takes over the task of attestation.
Host attestation is where the UEFI Secure Boot process, a server’s Trusted Platform
Module (TPM), and an external service work together to verify that the host is running
authentic software, in a good configuration.
When added to an ESXi host, a Trusted Platform Module 2.0 compatible chip
attests the integrity of the platform. You can view the attestation status of the
host in the vSphere Client. You can also view the Intel Trusted Execution
Technology (TXT) status.
If a server has UEFI Secure Boot and its TPM enabled, vCenter Server can collect these
security measurements and determine if the system booted with authentic software,
and in a configuration we trust: that is attestation.
In vSphere 7, vTA gives attestation the ability to enforce the rules by having the trusted
hosts take over the communications with the key management systems (KMSes).
This simplifies the connections to the KMSes, which simplifies risk auditing, as well as
ensuring that a host that fails attestation doesn’t get access to secrets. Without those
secrets the host can’t run an encrypted VM, thus preventing a secured VM on an
untrusted server.
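A minimal model of the attestation-gated key release described above, as an added example that is not VMware's code: a TPM-style PCR extend folds the boot chain into one measurement, and a hypothetical `TrustAuthority` class hands out a VM key only when the host's quote matches a known-good value. Host names, boot components, keys, and the HMAC that stands in for the TPM's quote signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components: list[bytes]) -> bytes:
    """Fold an ordered boot chain into one PCR value, starting from zeros."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

def make_quote(ak: bytes, nonce: bytes, pcr: bytes, secure_boot: bool) -> dict:
    """Host side: report measurements bound to the verifier's nonce.
    HMAC stands in for the TPM's asymmetric quote signature (simplification)."""
    body = nonce + pcr + (b"\x01" if secure_boot else b"\x00")
    return {"pcr": pcr, "secure_boot": secure_boot,
            "sig": hmac.new(ak, body, hashlib.sha256).digest()}

class TrustAuthority:
    """Hypothetical stand-in for the attestation and key-brokering role."""
    def __init__(self, known_good_pcrs, host_aks, vm_keys):
        self.known_good = set(known_good_pcrs)
        self.host_aks = host_aks   # host name -> attestation key
        self.vm_keys = vm_keys     # VM name -> key held on behalf of the KMS
        self.nonces = {}

    def challenge(self, host: str) -> bytes:
        self.nonces[host] = secrets.token_bytes(16)
        return self.nonces[host]

    def attest(self, host: str, quote: dict) -> bool:
        nonce = self.nonces.pop(host, None)   # one-time nonce blocks replay
        ak = self.host_aks.get(host)
        if nonce is None or ak is None:
            return False
        body = nonce + quote["pcr"] + (b"\x01" if quote["secure_boot"] else b"\x00")
        expected = hmac.new(ak, body, hashlib.sha256).digest()
        return (hmac.compare_digest(expected, quote["sig"])
                and quote["secure_boot"]
                and quote["pcr"] in self.known_good)

    def release_key(self, host: str, quote: dict, vm: str) -> bytes:
        if not self.attest(host, quote):
            raise PermissionError(f"{host} failed attestation; key for {vm} withheld")
        return self.vm_keys[vm]

# Constructed sample boot chains (not real component names or hashes).
GOOD_CHAIN = [b"uefi-fw-1.0", b"bootloader-7.0", b"esxi-kernel-7.0"]
TAMPERED_CHAIN = [b"uefi-fw-1.0", b"bootloader-7.0", b"esxi-kernel-7.0+unsigned-module"]

def demo() -> dict:
    aks = {"esx-good": secrets.token_bytes(32), "esx-bad": secrets.token_bytes(32)}
    ta = TrustAuthority([measure_boot(GOOD_CHAIN)], aks, {"core-A": b"k" * 32})
    results = {}
    for host, chain in (("esx-good", GOOD_CHAIN), ("esx-bad", TAMPERED_CHAIN)):
        quote = make_quote(aks[host], ta.challenge(host), measure_boot(chain), True)
        try:
            ta.release_key(host, quote, "core-A")
            results[host] = "key released"
        except PermissionError:
            results[host] = "key withheld"
    return results

if __name__ == "__main__":
    print(demo())
```

The host that booted the altered chain produces a different PCR value, fails attestation, and never receives the key, so it cannot run the encrypted VM.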
1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
Using the Chrome web browser, navigate to the URL for the Web client. For this lab, you
can use the shortcut in the address bar.
Please Note: All of the user credentials used in this lab are listed in the README.TXT file
on the desktop.
The lab desktop is limited to 1280x800 screen resolution. It might be helpful to zoom
out the browser for better readability.
This will provide more viewing space while still allowing you to read the text.
The VMware Certificate Authority (VMCA) provisions your environment with certificates.
Certificates include machine SSL certificates for secure connections, solution user
certificates for authentication of services to vCenter Single Sign-On, and certificates for
ESXi hosts. These default certificates are not signed by a commercial certificate
authority (CA); you can replace default vCenter Server certificates with certificates
signed by a commercial CA.
vSGX/Secure Enclaves
When an application has a secret, like an encryption key or the location of secret bases,
the secret is visible to a lot of layers. First, it’s stored in system memory and in the
CPUs. Second, the hypervisor can see it. Third, the guest OS can see it. And last, of
course, the application.
Intel Software Guard Extensions allows an application to conspire with the CPU to keep
secrets from the guest OS and the hypervisor, and thereby eliminate them from the risk
equation. In vSphere 7, some applications are starting to use this functionality, exposed
to VMs running hardware version 17.
Application Acceleration
vSphere 7 is a universal application platform that supports a broad variety of
workloads (including 3D Graphics, Big Data, HPC, Machine Learning, In-Memory,
and Cloud-Native) as well as existing mission-critical applications. It also supports
and leverages some of the latest hardware innovations in the industry, delivering
exceptional performance for a variety of workloads.
Intel has introduced Intel® Deep Learning Boost (Intel® DL Boost) technology,
a new set of features in their 2nd Generation Intel® Xeon® Scalable processor.
This feature set includes new Vector Neural Network Instructions (VNNI).
vSphere 7 supports the VNNI instructions, which allows VNNI to run on the
vSphere hypervisor. Intel's AI strategy offers the most diverse portfolio of
highly performant and efficient compute solutions for every industry.
vSphere 7 further enhances the support and capabilities introduced for GPUs through
VMware's collaboration with NVIDIA by virtualizing NVIDIA GPUs for non-VDI and use
cases such as artificial intelligence, machine learning, big data and more. Since vSphere
6.7, the co-developed NVIDIA vGPU solution already allows for workload portability,
even live-migrations using vMotion as of vSphere 6.7 Update 1 or suspend and resume
VMs running on GPUs instead of powering off these workloads as of vSphere 6.7 Update
2.
Assignable Hardware
vSphere 7 introduces a new framework called Assignable Hardware that was developed
to extend support for vSphere features when customers utilize hardware accelerators. It
introduces vSphere DRS (for initial placement of a VM in a cluster) and vSphere High
Availability (HA) support for VMs equipped with a passthrough PCIe device or an NVIDIA
vGPU. Related to Assignable Hardware is the new Dynamic DirectPath I/O which is a
new way of configuring passthrough to expose PCIe devices directly to a VM. The
Together, Dynamic DirectPath I/O, NVIDIA vGPU, and Assignable Hardware are a
powerful new combination unlocking some great new functionality. For example, let’s
look at a VM that requires an NVIDIA V100 GPU. Assignable Hardware will now interact
with DRS when that VM is powered on (initial placement) to find an ESXi host that has
such a device available, claim that device, and register the VM to that host. If there is a
host failure and vSphere HA kicks in, Assignable Hardware also allows for that VM to be
restarted on a suitable host with the required hardware available.
Improved DRS
vSphere DRS has been reimagined to better serve both containers and VMs. DRS used
to focus on the cluster state and the algorithm would recommend a vMotion when it
would benefit the balance of the cluster as a whole. This meant that DRS used to
achieve cluster balance by using a cluster-wide standard deviation model.
But what about individual VMs? How would that vMotion impact the VM that was moved
or its old or new neighbors? The new DRS logic takes a very different approach that
addresses these questions. It computes a VM DRS score on the hosts and moves the
VM to a host that provides the highest VM DRS score. The biggest difference from the
old DRS version is that it no longer balances host load. This means DRS cares less about
the ESXi host utilization and prioritizes the VM “happiness”. The VM DRS score is
also calculated every minute and this results in a much more granular optimization of
resources.
As with DRS, we needed to review the vMotion process and look closely at how we could
improve vMotion to support today’s workloads. VMs with a large memory & CPU
footprint, like SAP HANA and Oracle database backends, had challenges being live-
migrated using vMotion. The performance impact during the vMotion process and the
potentially long stun-time during the switchover phase meant that customers were not
comfortable using vMotion for these large workloads. With vSphere 7, we are bringing
back that capability as we have greatly improved the vMotion logic.
At a high level, vMotion is comprised of several processes. For most VMs these
processes can execute very quickly, often fast enough to not be noticed. For VMs that
have large CPU and memory allocations these processes can become noticeable, and
even last long enough for the application running within the VM to think there is a
problem. So, several of those processes have been improved to mitigate vMotion issues
for those larger VMs. One such process uses page tracers where vMotion keeps track of
memory paging activity during a migration. Prior to vSphere 7, page tracing occurred on
all vCPUs within a VM, which could cause the VM and its workload to be resource
constrained by the migration itself. With vSphere 7, a dedicated vCPU is used for page
tracing which means that the VM and its applications can keep working while the
vMotion processes are occurring.
Improve data center efficiency and reliability to handle any workload. Intel®
Xeon® processors support vMotion across several generations.
Kubernetes is now built into vSphere which allows developers to continue using the
same industry-standard tools and interfaces they’ve been using to create modern
applications. vSphere Admins also benefit because they can help manage the
Kubernetes infrastructure using the same tools and skills they have developed around
vSphere. To help bridge these two worlds we’ve introduced a new vSphere construct
called Namespaces, allowing vSphere Admins to create a logical set of resources,
permissions, and policies that enable an application-centric approach.
We are introducing a lot of value in vSphere with Tanzu for the VI admin. We deliver a
new way to manage infrastructure, called ‘application-focused management’ for
containerized applications. This enables admins to apply policies to an entire group of
objects and organize multiple objects into a logical group and then apply policies to the
entire group. For example, an administrator can apply security policies and storage
limits to a group of containers and Kubernetes clusters that represent an application,
rather than to each of the objects individually. This helps improve productivity and
reduce errors that can be costly to identify and correct.
vSphere with Tanzu is available through VMware Cloud Foundation 4 with Tanzu. One key
innovation available only in VMware Cloud Foundation is a set of developer-facing
services and a Kubernetes API surface that IT can provision, called VMware Cloud
Foundation Services.
It consists of two families of services: Tanzu Runtime Services and Hybrid Infrastructure
Services.
• Hybrid Infrastructure Services – include full Kubernetes and REST API access
that spans creating and manipulating virtual machines, containers, storage,
networking, and other core capabilities. It includes the following services today:
◦ vSphere Pod Service – extends Kubernetes with the ability to run pods
directly on the hypervisor. When developers deploy containers using the
vSphere Pod Service, they get the same level of security isolation,
performance guarantees, and management capabilities that VMs enjoy.
◦ Storage service – allows developers to manage persistent disks for use
with containers, Kubernetes, and virtual machines.
Interested in learning what else you can do with vSphere 7? Explore the full lab:
VMware vSphere - What's New
Below are the lab modules included in the complete VMware vSphere - What's New
lab:
1. The area in the RED box contains the Main Console. The Lab Manual is on the tab
to the Right of the Main Console.
2. A particular lab may have additional consoles found on separate tabs in the upper
left. You will be directed to open another specific console if needed.
3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your
work must be done during the lab session. However, you can click EXTEND to
increase your time. If you are at a VMware event, you can extend your lab time
twice, for up to 30 minutes. Each click gives you an additional 15 minutes.
Outside of VMware events, you can extend your lab time up to 9 hours and 30
minutes. Each click gives you an additional hour.
During this module, you will input text into the Main Console. Besides directly typing it
in, there are two very helpful methods of entering data which make it easier to enter
complex data.
You can also click and drag text and Command Line Interface (CLI) commands directly
from the Lab Manual into the active window in the Main Console.
You can also use the Online International Keyboard found in the Main Console.
1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.
In this example, you will use the Online Keyboard to enter the "@" sign used in email
addresses. The "@" sign is Shift-2 on US keyboard layouts.
When you first start your lab, you may notice a watermark on the desktop indicating
that Windows is not activated.
One of the major benefits of virtualization is that virtual machines can be moved and
run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the
labs out of multiple datacenters. However, these datacenters may not have identical
processors, which triggers a Microsoft activation check through the Internet.
Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft
licensing requirements. The lab that you are using is a self-contained pod and does not
have full access to the Internet, which is required for Windows to verify the activation.
Without full access to the Internet, this automated process fails and you see this
watermark.
Please check to see that your lab has finished all the startup routines and is ready for
you to start. If you see anything other than "Ready", please wait a few minutes. If after
5 minutes your lab has not changed to "Ready", please ask for assistance.
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit
http://hol.vmware.com/ to continue your lab experience online.
Version: 20201209-134429