vRealize Orchestrator provides a workflow that


vRealize ACI Plugin
Provision Network (ACI) and VMware Compute resources simultaneously, bringing the Compute (VMware) team closer to the Network (ACI) team.
Value For Customers
• Integrate with existing vRealize installs
• Speed up deployment time of ACI network
• Offer tiered service levels
• Faster application deployment times
• Consistent, orchestrator driven policy
• Compute provisioning drives networking dynamically
What Is vRealize?
Two products bundled together in a suite
• vRealize Orchestrator
• vRealize Automation
vRealize Orchestrator (vRO)
• The work horse of the suite
• Plugins integrate 3rd party devices
• No tenancy model
• Terminology: Workflows
• Similar to Cisco UCSD
vRealize Automation (vRA)
• Catalog service layered over vRO workflows
• Provides Multi-Tenancy
• Previously known as vCAC
• Terminology: Blueprints
• Similar to Prime Services Catalog
[Diagram: a vRA Blueprint consumes a vRO Workflow. vRealize Orchestrator provides a workflow that vRealize Automation consumes; vRO workflows work without vRA.]
[Diagram: vRealize Suite layered by level of abstraction. vRealize Automation (vRA 6.x) sits on top of vRealize Orchestrator (vRO 6.x); vRO reaches Compute through the vCenter Plugin over the vSphere SDK, and Network & Services through the APIC Plugin over the APIC REST API.]
Workflow Trace – APIC Plugin
• APIC Plugin INPUT – Create Network
  • Network Name
  • Subnet
  • DVS/VMM-Domain Name
Workflow Trace – APIC Policies
APIC Plugin
• INPUT – Create Network
  • Network Name
  • Subnet
  • DVS/VMM-Domain Name
APIC
• POLICIES CREATED in APIC by plugin
  • Tenant
  • Application Profile (AP)
  • End Point Group (EPG)
  • Subnet
  • L3 Context/VRF (CTX)
  • L2 Bridge Domain (BD)
  • Association of EPG to DVS/VMM-Domain
vCenter
• Resources created by APIC
  • PortGroup for the Tenant Network/EPG in the specified DVS
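As an added example (not the plugin's own code), the Python below builds the APIC REST payload for the policy tree the Create Network workflow produces, for both the shared and the VPC plan. The object class names are standard APIC classes; the tenant, EPG and VMM domain values and the VRF-/BD- names used for the VPC plan are constructed for this illustration.

```python
import json

# Added example, not the vRealize ACI plugin's own code. fvTenant, fvAp, fvAEPg,
# fvBD, fvCtx, fvSubnet, fvRsBd, fvRsCtx and fvRsDomAtt are standard APIC object
# classes; the VRF-<tenant>/BD-<tenant> naming for the VPC plan is assumed here.

def mo(cls, attrs, children=()):
    """One managed object in APIC JSON form: {cls: {"attributes": ..., "children": [...]}}."""
    body = {"attributes": dict(attrs)}
    if children:
        body["children"] = list(children)
    return {cls: body}

def network_payload(tenant, ap, epg, vmm_domain, plan="shared", subnet_gw=None):
    """Tenant -> AP -> EPG tree for one Create Network request.

    shared plan: the EPG binds to BD 'default', which lives in tenant common
                 (APIC resolves a BD name missing from the tenant against common).
    vpc plan:    the tenant gets its own VRF and BD carrying the gateway subnet.
    """
    bd_name = "default" if plan == "shared" else f"BD-{tenant}"
    children = [
        mo("fvAp", {"name": ap}, [
            mo("fvAEPg", {"name": epg}, [
                mo("fvRsBd", {"tnFvBDName": bd_name}),
                # EPG-to-VMM-domain association: APIC then creates the DVS port group
                mo("fvRsDomAtt", {"tDn": f"uni/vmmp-VMware/dom-{vmm_domain}"}),
            ]),
        ]),
    ]
    if plan == "vpc":
        if not subnet_gw:
            raise ValueError("vpc plan needs a gateway, e.g. 192.168.101.1/24")
        vrf = f"VRF-{tenant}"
        children += [
            mo("fvCtx", {"name": vrf}),
            mo("fvBD", {"name": bd_name}, [
                mo("fvRsCtx", {"tnFvCtxName": vrf}),
                mo("fvSubnet", {"ip": subnet_gw, "scope": "public"}),
            ]),
        ]
    elif plan != "shared":
        raise ValueError(f"unknown plan {plan!r}")
    return mo("fvTenant", {"name": tenant}, children)

def apic_request(apic_host, payload):
    """URL and body of the single POST to the APIC REST API; APIC accepts or rejects the whole tree."""
    return f"https://{apic_host}/api/mo/uni.json", json.dumps(payload)
```

The request is sent with the credentials of the APIC handle, so a tenant-restricted account posting into tenant common is rejected by APIC RBAC and the error surfaces in the vRO run log.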
Network Plans
Virtual Private Network – similar to Amazon VPC
• Bring your own IP address space
• Extend your private cloud to public
Shared Network – similar to the Default Plan in Amazon
• You need network service but don't care about what IP addresses you get.
Features                 Shared Network   Virtual Private Network
Isolated Networks        ✓                ✓
Firewall                 ✓                ✓
Shared Load Balancer     ✓                ✓
Shared Services          ✓                ✓
Public Internet Access   ✓                ✓
Private Address Space                     ✓
In Practice
• Shared: Bridge Domain is in common
• VPC: Bridge Domain is in Tenant
Shared Network Plan
• vRealize Tenant user can create EPG (Network) and Security Policy (Contract).
• All EPGs are in the BD default in common tenant.
[Diagram: Tenant-Coke and Tenant-Pepsi each have Web, App and DB EPGs joined by contracts (C); all EPGs sit in BD default / VRF default in Tenant-Common, which also holds L3out default; gateways shown are 192.168.100.1/24 and 192.168.1.1/24.]
Virtual Private Network Plan
• vRealize Tenant user can create Bridge Domain in addition to EPG and Contract.
• For L3out connectivity, the EPG needs to be leaked into the common BD.
[Diagram: Tenant-Coke and Tenant-Pepsi each have their own VRF and Bridge Domain (BD-Coke, BD-Pepsi, each with gateway 192.168.101.1/24) holding Web, App and DB EPGs joined by contracts (C); Tenant-Common holds VRF vpcDefault, BD vpcDefault (192.168.1.1/24) and L3out vpcDefault, reached from the tenant EPGs through contracts.]
Service Blueprints
Service Blueprints act on the Network (ACI) only
Admin:
• Create APIC Handles
• Create VMM Domains
• Create Tenants
• Create Subnets in Common
• Create L4-7 Devices
Tenant:
• Create EPGs
• Create Contracts
• Provide Contracts
• Consume Contracts
• Consume L3Outs
• Consume L4-7 Devices
Create Network - Shared
Example logical topology
[Diagram: Tenant coke, ANP default, EPG web-hosts containing web-host1 (10.100.1.75); the EPG uses Bridge Domain default in Tenant Common, with VRF default and primary gateway 10.100.1.1/24.]
Attach L3
Example logical topology
[Diagram: as above, plus an Outside network behind Node-101/eth1/5 and Node-102/eth1/5, represented in Tenant Common by EPG defaultInstP with External Host 10.100.100.1/24; a Contract (Allow Communication) joins EPG web-hosts and EPG defaultInstP.]
Machine Blueprints
Machine Blueprints create Compute and Network resources simultaneously: no more placing the NIC into the right portgroup
Admin:
• Create Machine Blueprint Web
• Create Machine Blueprint App
• Create Machine Blueprint DB
Tenant:
• Deploy Machine Web
• Deploy Machine App
• Deploy Machine DB
• Deploy Multi-Machine Web-App-DB
Single Machine – Web Tier
Example logical topology
[Diagram: Tenant green, ANP default, EPG web-XX containing machine web-XX (10.2.0.XX); Bridge Domain default and VRF default in Tenant Common with primary gateway 10.2.0.1/24.]
Multi-Machine – 3 Tier
Example logical topology
[Diagram: Tenant green, ANP default, EPGs web-xx, app-xx and db-xx, each adjacent pair joined by a Contract (Allow Communication); EPG web-xx also has a Contract (Allow Communication) with EPG defaultInstP, the Outside reached through Node-101/eth1/5; Bridge Domain default and VRF default in Tenant Common with primary gateway 10.100.1.1/24.]
vRA IPAM
vRealize can provide IPAM using Network Profiles
Installation
Prerequisites (i.e. Day 0 Operations)
• Fabric bring-up
• Access Policies
• L3 Out Configuration
• Service Graph Templates/Devices
• Security Domains/Tenant User
• AEP
Fabric Bring-Up and Access Policies
• Brazos based image required (1.2+)
• Bring up the fabric as usual – all topologies are supported
• Configure access policies between Leaf switches and ESXi Hosts – as usual, ensure CDP/LLDP is enabled between leaf and host.
L3 Out Configuration
• Create any L3 Out configurations in the Common Tenant that you wish to be consumed in User Tenants
• Name the L3 Out policy anything you like
• Critical: External EPG must be named "[L3OutName]InstP"
• Create two policies: "default" for the shared plan, "vpcDefault" for the VPC plan
Security Domains / Users
• vRealize plugin will require TWO user accounts
• Account ONE needs administrative privileges, i.e. can create/read/update/destroy objects in the Common Tenant, Access Policies, and VMM Domains.
• Account TWO needs restricted Tenant privileges, i.e. can only read the Common Tenant and VMM Domains, but can CRUD objects in its own tenant.
• RBAC rules are enforced through APIC, not the Plugin
The Plugin Package
• vRealize Automation (vRA) Plugin
• vRealize Orchestrator (vRO) Plugin
• Utils
  • Gets troubleshooting logs
  • Installs restart/rmapic on Automation Appliance
• Services
  • Builds setup specific templates
  • Pushes templates to APIC
vRO Plugin - Install
• Follow the install guide in the documentation
Tips:
• Make sure services are all running on the vRealize appliance
• Enabling the vco configuration server
  − By default the server is stopped – SSH to the application VM and run 'service vco-configurator start'
• Plugin Upload
  − Browser issues: Chrome and Safari won't allow upload of .dar
• Does the plugin say "Installation ok"?
  − Version Mismatch: need to reset plugin numbering
  − Corrupted Installation: full plugin removal using script
vRO Plugin – Install (cont.): Verification
Cisco APIC Plugin appears on the left hand tab
Orchestrator Client
• Switch to Design mode
• Under packages, check the com.cisco.apic package is present
• Under workflows, check the Cisco APIC workflows folder and workflows are present
Troubleshooting
vRO Troubleshooting - Running
Must add at least TWO APIC handles
vRO Inventory View
• ONLY Tenants that have been "Added" via vRO will show in the inventory – even if they already exist on APIC you need to add them again
• Inventory is collected using the permissions of the APIC handle – if you can't see it on APIC then vRO can't see it
Run Workflow by clicking the green arrow
• String inputs are case sensitive (e.g. make sure to spell the VMM domain correctly)
• Logs are available for each run
• APIC exceptions are passed up to vRO (e.g. user does not have RBAC permission)
vRO Troubleshooting – Running (cont.)
Collecting Logs:
Handy script included with the package: apic-vrealize-1.0.1.<build>/utils/get_logs.sh
Collects
• /var/lib/vco/configuration/logs/catalina.out
• /var/lib/vco/app-server/logs/catalina.out
• /var/lib/vco/app-server/logs/server.log
vRA Troubleshooting – Running
Must add at least TWO APIC handles (can be done in vRO)
Must add at least one Tenant (can be done in vRO)
Request Blueprint:
• String text boxes are case sensitive again
• View Request state via "Requests"
  − Click view details to see parameters
  − Status should read "Successful" – if it says "Failed" check out the vRO logs
vRA Troubleshooting – Running (cont.)
• The vRA blueprint calls a vRO workflow
  − If the vRA blueprint fails, check the corresponding workflow
• Connection between vRA – vRO can fail
  − "Failed to retrieve form from provider" – refresh the connection between vRA and vRO using Advanced Services
vRA Troubleshooting – Running (cont.)
Machine Prefixes:
• These MUST be equal for the multi-machine workflow to work
• If you provision a single machine it will increment and cause an issue
• Go to Infrastructure > Blueprints > Machine Prefixes