
General Release - Enterprise Hybrid Cloud 3.5 for Business and IT Agility

Table of Contents
Introduction
  Company Profile
  Solution
Key Components
  Enterprise Hybrid Cloud - Solution Overview and Additional Capabilities
  Data Center Virtualization and Cloud Management
  Storage and Storage Virtualization Components
  Enterprise Hybrid Cloud Data-Protection Components
  EMC and VMware Integration
  Modular Add-On Components
Lab Overview
  Lab Environment
  Lab Credentials
  Lab Scenario
  Labs
Lab A.1 - Storage Provisioning with EMC ViPR (15-20 minutes)
  Exercise A.1.1 - Introduction to Cloud Management and Services
  Exercise A.1.2 - Provision New Cloud Storage
  Exercise A.1.3 - Enable the New Storage for Business Use
Lab A.2 - Import a Pre-Existing VM into vRealize Automation (10-15 minutes)
  Exercise A.2.1 - Locate the Target VM in VMware vCenter
  Exercise A.2.2 - Import the Target VM into vRealize Automation
Lab A.3 - Add a vCloud Air Site to vRealize Automation (15-20 minutes)
  Exercise A.3.1 - Connect to the Cloud Experience Center and launch the demo
  Exercise A.3.2 - Create a vCloud Air Endpoint
  Exercise A.3.3 - Create a vCloud Air Reservation
  Exercise A.3.4 - Create a vCloud Air vApp Blueprint
  Exercise A.3.5 - Provision a vCloud Air Virtual Machine
Lab B.1 - Create a New IaaS Blueprint and Approval Policy (20-30 minutes)
  Exercise B.1.1 - Create a New IaaS Blueprint
  Exercise B.1.2 - Enable the New Item for the Self-Service Catalog
  Exercise B.1.3 - Create a New Approval Policy
  Exercise B.1.4 - Assign the Approval Policy to the New VM Blueprint
  Exercise B.1.5 - Validate the New Blueprint and Approval Policy
Lab B.2 - Integrated Data-Protection Management (5-10 minutes)
  Exercise B.2.1 - Creating a New Backup Service Level
  Exercise B.2.2 - Verifying the New Backup Service Level
Lab B.3 - Integrated CMDB Management with ServiceNow (10-15 minutes)
  Exercise B.3.1 - Connect to the Cloud Experience Center and launch the demo
  Exercise B.3.2 - Create a ServiceNow Build Profile
  Exercise B.3.3 - Attach the ServiceNow Build Profile to an Existing IaaS Blueprint
  Exercise B.3.4 - Deploy a VM from the ServiceNow IaaS blueprint
Lab C.1 - Virtual Machine Lifecycle Management (30-35 minutes)
  Exercise C.1.1 - Log in to vRealize Automation as the Business Analyst
  Exercise C.1.2 - Provision a New VM from the Catalog
  Exercise C.1.3 - Self-Service VM Snapshot Management
  Exercise C.1.4 - Self-Service Data Protection
  Exercise C.1.5 - Reconfigure the VM's Hardware
  Exercise C.1.6 - Delete the Virtual Machine
Lab C.2 - Deploy Applications and Services with VMware NSX (35-40 minutes)
  Exercise C.2.1 - Deploy a Simple Two-Tier Application
  Exercise C.2.2 - Review NSX Security Policies
  Exercise C.2.3 - Test NSX Security Policies and Application Functionality
  Exercise C.2.4 - Deploy a Scaleable Multi-Tier NSX Application
  Exercise C.2.5 - Writing and Validating Test Data to Application Database
  Exercise C.2.6 - Add New Web Servers to Application and Test NSX Load Balancing
Lab C.3 - Deploy a Puppet VM (10-15 minutes)
  Exercise C.3.1 - Deploy a Tomcat web server using Puppet
Lab C.4 - Securing VM Data Using CloudLink
  Exercise C.4.1 - Connect to the Cloud Experience Center and launch the demo
  Exercise C.4.2 - Provisioning a New VM with CloudLink Encryption
  Exercise C.4.3 - Add a New Volume to a VM
Troubleshooting
  Troubleshooting and Tips
  Resetting Avamar Services in the Lab Environment
  Launching the Avamar Administrative Console
  Restarting the Mail Server
  Restarting the Puppet Master Server
  Deleting failed requests from the vRealize Automation history
Conclusion
  Summary

Introduction

Company Profile
RainPole Systems is a manufacturer of weather metering and monitoring appliances that are used in the agriculture
industry. RainPole's solutions collect weather data across a wide variety of geographies and climates, and then
aggregate the resulting datasets into big-data models. The information produced from these models gives RainPole's
customers an inside edge that helps them make smarter decisions in their farming and harvesting practices.

Company Background

RainPole's software is a primary differentiator for them in their agriculture-focused market, and their customers have
recognized RainPole's unique ability to both collect and rationalize data from many sources, and see the value of
RainPole's software solutions. This has led to a welcome, but somewhat unexpected growth model for RainPole.

As a result of their sudden increase in demand, RainPole products have expanded beyond their small customer base
in the southwestern United States to the international market. This rapid expansion has hit their manufacturing teams,
who struggle to keep up with demand for their products, as well as the R&D teams that are working to add new
software features. The addition of international customers has also added strain to their financial operations, which
have seen an increase in their workload due to the need to keep up with all of the new ordering, distribution, and
commissioning systems.

In order to streamline operations, development, and testing capabilities at RainPole, the IT team is now offering their
internal customers a new service, in which IT collects and aggregates data for them within the RainPole data center.
This has increased the workload on the IT team as they start to act like a service provider for their customers, well
beyond the scope of their original service of providing hardware and software solutions.

Business Challenge

Like many other organizations, RainPole is trying to do the same three things at all levels of their business:

Lower operational costs
Increase revenue
Reduce risk

While RainPole has had significant success with their Enterprise Hybrid Cloud solution, business units are asking for a
broader portfolio of cloud-enabled services, delivered quickly and reliably, and consumable by developers and
business customers alike.

In the past, difficulty in meeting these challenges has given rise to public cloud providers who have built technology
and business specifically tailored to meet organizational business units' need for end-user agility and control, while
also providing clear resource utilization and cost information directly to the business. RainPole is under pressure to
provide the same service levels - agility, reliability, and cost transparency - but within the secure boundaries of their
own data center.

As a result, RainPole's IT department has added new capabilities to its Enterprise Hybrid Cloud environment, which
continues to provide a cost-effective alternative to public cloud, but which do not compromise RainPole's
requirements for enterprise features such as integrated security, data protection, and guaranteed service levels.

Solution
To satisfy the demand for both public-cloud-level functionality and enterprise-class performance and security,
RainPole has upgraded their Enterprise Hybrid Cloud environment to include VMware's vRealize suite of cloud
management tools, delivering an integrated, automated stack of virtualization, storage, management, and
data-protection products and services from EMC and VMware.

The solution that RainPole has deployed empowers their IT organization to accelerate implementation and adoption of
automated cloud services, while still enabling customer choice for compute and networking infrastructure within the
existing RainPole data center. The solution provides opportunities to customers who want to build out dedicated
infrastructure for cloud services, as well as to those who want to add integrated cloud capabilities to their existing
infrastructure.

Solution Benefits

This solution takes advantage of powerful integration points that have been developed by EMC and VMware
engineering and services teams. This includes the use of EMC scalable storage arrays, integrated management and
monitoring tools and data-protection products, to ensure that RainPole's cloud solution delivers traditional IaaS
capabilities that customers are familiar with, as well as introducing application services models to their own
organization with this release.

RainPole's IT department benefits from the rapid, automated resource provisioning and management features offered
by their Enterprise Hybrid Cloud. RainPole's users benefit from being able to spin up new processes and services
simply and quickly, and from having transparent access to resource utilization and cost information.

By simplifying the resource-request process, and by automating resource-provisioning processes through a
user-aware, self-service approach, the IT team is able to deliver services to end users quickly, securely, and effectively.

Together, these components, features, and services combine to produce a secure, high-performance, enterprise-class
service catalog that enables an agile, responsive business. The benefits of the Enterprise Hybrid Cloud solution give
RainPole the ability to deliver products to market more quickly, and to compete more effectively in a global
environment.

Solution Components

Key components of RainPole's Enterprise Hybrid Cloud solution include:

VMware vRealize Suite - vRealize Automation, vRealize Operations Manager, vRealize Business Standard, vRealize Log Insight
VMware NSX for vSphere
EMC ViPR Software-Defined Storage
EMC VNX, Symmetrix VMAX, Scale IO, VPLEX, Isilon, and XtremIO storage platforms
EMC RecoverPoint (DR only)
EMC Avamar and Data Domain data protection platforms
EMC ViPR Storage Resource Management
EMC Data Protection Advisor
EMC and VMware integration features and cloud-enabled, automated workflows

More information about the solution layout is provided in the Lab Overview section of the lab guide.

Key Components

Enterprise Hybrid Cloud - Solution Overview and Additional Capabilities
The Enterprise Hybrid Cloud is an engineered solution that offers a simplified approach to IT functionality for IT
organizations, developers, end users, and line-of-business owners. In addition to delivering baseline infrastructure as
a service (IaaS), built on the software-defined data center architecture, an Enterprise Hybrid Cloud also delivers
feature-rich capabilities to expand from IaaS to business-enabling IT as a service (ITaaS).

Solution Approach and Features

The Enterprise Hybrid Cloud is built on an Infrastructure-as-a-Service foundation. The Foundation solution leverages
an ecosystem of components and features to deliver IT and customer value:

Software-defined networking
Software-defined storage
Automation and orchestration
Metering
Security
Log management
EMC and VMware integration

Foundation Functionality

The Enterprise Hybrid Cloud is an engineered solution, with automated workflows that have been developed, tested,
validated, and supported by EMC. The solution offers seamless, portal-based integration to private (on-premises) and
public cloud services, offering rapid access to both.

A Foundation-level Enterprise Hybrid Cloud includes the following features as part of a standard deployment:

Self-Service Portal and Catalog: The user-aware, role-based web portal that enables the request,
consumption, and management of cloud infrastructure and services. You'll work with the self-service portal
and catalog throughout the entire vLab.

Automated VM and Application Provisioning: Cloud users - administrators and customers - can use the
Catalog to request the deployment of virtual machines and complex, multi-tier application stacks for their own
use. The Catalog's user-aware management capabilities let administrators control what VM and application
options are presented to each user or group of users. You can use the Catalog to provision a new VM in
Lab C.1. You can also deploy applications using NSX (to demonstrate application security and application
scaling) in Lab C.2, and Puppet Enterprise (to demonstrate automated application deployment) in Lab C.3.

Automated Storage Tier Provisioning: Designated cloud and storage administrators can be given the ability to
request new storage directly from EMC ViPR through the self-service portal. By providing a few basic
parameters using a wizard-based configuration process, new storage volumes can be provisioned, mounted
to the underlying vSphere host cluster as a new datastore, and added to the available storage inventory in
vRealize Automation. In Lab A.1, you can use the Catalog and the request wizard to configure and provision a
new datastore for cloud usage.

Intelligent, Automated Monitoring: The solution leverages vRealize Operations Manager and EMC storage
analytical tools to provide a platform-aware management stack that can identify capacity, performance, and
availability issues.

Usage Metering and Transparency: Cloud and business administrators can identify and track cloud
infrastructure usage, both in real time and historically, and use that information to determine the cost of
providing services.

Self-Service Backup and Recovery: Cloud users can use the self-service catalog to request new VMs that are
automatically configured for scheduled backups. Through the self-service portal, cloud users can also initiate
on-demand backup jobs, and restore their own VMs in the event of data loss. (NOTE: Organizations that
already leverage EMC Avamar, Data Domain, and/or Data Protection Advisor prior to deploying an Enterprise
Hybrid Cloud will have this modular add-on capability included as part of their Foundation deployment).
Hands-on experience with self-service backup and recovery is offered in Lab C.1.

Secure Multi-tenancy: Lets cloud admins define secure pools of cloud resources per tenant, ensuring that
tenant resources and data are effectively isolated to authorized tenant users only.

Virtual Resource Elasticity: Users are enabled to manage their own cloud resource allocations: adding
resources (CPU, memory, storage) on demand, even to existing virtual machines. You can reconfigure a VM by
adding more resources to it in Lab C.1.

Physical Resource Elasticity: The Enterprise Hybrid Cloud solution includes custom workflows and
integrations that enable cloud administrators to easily add compute and storage capacity in response to
increased resource demands.

Workload-Optimized Storage: Through the flexibility of EMC ViPR, as well as the cost reporting capabilities of
the solution, administrators and users are motivated to ensure that workloads are matched to the appropriate
storage tier, and to use the Enterprise Hybrid Cloud's native functionality to manage workload placement.

Modular Add-On Functionality

In addition to the base capabilities found in the Foundation implementation, EMC has created a catalog of available
modular add-ons that customers can choose to implement to extend the capabilities of their hybrid cloud solutions.
The available add-ons can be categorized as follows:

Disaster Recovery with EMC RecoverPoint: Incorporates storage replication using RecoverPoint, DR-enabled
storage provisioning using ViPR, and integration with VMware Site Recovery Manager to support DR services
for applications and virtual machines deployed in the cloud environment.

Continuous Availability with EMC VPLEX: Offers cloud administrators the ability to enable VPLEX-enabled
VM-provisioning blueprints to the self-service catalog. End users can request "always-on" applications that
leverage VPLEX-enabled, continuous-availability storage that spans multiple sites.

Data Protection with EMC Avamar, Data Protection Advisor, and Data Domain: Cloud users can use the
self-service catalog to request new VMs that are automatically configured for scheduled backups. Through the
self-service portal, cloud users can also initiate on-demand backup jobs, and restore their own VMs in the
event of data loss. (NOTE: Organizations that already leverage EMC Avamar, Data Domain, and/or Data
Protection Advisor prior to deploying an Enterprise Hybrid Cloud will have this modular add-on capability
included as part of their Foundation deployment). You can create an Avamar-based backup policy for
automated, scheduled VM backups in Lab C.2.

Encryption Services with CloudLink SecureVM: The cloud administrator can enable the optional or mandatory
encryption of VMs and/or data to protect sensitive information. Hands-on experience with CloudLink
SecureVM is offered in Lab C.4.

Big Data Services with EMC VNX and Isilon: Deploy Hadoop-as-a-Service (HDaaS) to build Big Data analytics
platforms rapidly and/or on demand.

Enterprise Applications - Microsoft: Templated and automated provisioning of Microsoft Exchange Server,
SharePoint Server, and SQL Server through the self-service portal.

Enterprise Applications - SAP: Enables the secure, multi-tenant deployment of highly available SAP
landscapes, and automated SAP management and operations.

Enterprise Applications - Oracle: Optimized self-service provisioning of Oracle databases, Oracle database
Day 2 operations, and Oracle database monitoring.

Third-party Add-On Functionality

For organizations that require additional enterprise-management and deployment capabilities, the flexibility of the
Enterprise Hybrid Cloud platform enables them to integrate select third-party platforms and tools into their cloud
environments. Some large-scale enterprise customers have used some or all of the following management and
automation tools in their Enterprise Hybrid Cloud solution:

Puppet Enterprise automated application-deployments. Application deployment and configuration scripts can
be automated and integrated directly with vRealize Automation IaaS blueprints and vRealize Orchestrator,
enabling cloud administrators, application architects, and cloud customers to reliably install and configure
enterprise applications directly from the Service Catalog. You can experience automated application
deployment using Puppet Enterprise services in Lab C.3.

ServiceNow CMDB integration. For cloud customers that use ServiceNow as their Configuration Management
Database provider of record, an Enterprise Hybrid Cloud can be configured to provide automatic record
insertions and modifications as cloud-based, business-critical VMs and workloads are brought online from
the service catalog. A set of preconfigured workflows can be added to select IaaS blueprints and to vRealize
Orchestrator to ensure that enterprise VMs are visible at an enterprise level. For a demonstration on how to
create and validate a ServiceNow VM blueprint, take a hands-on tour of Lab B.3.

Remote site addition through select cloud service providers. vRealize Automation includes native support for
integrating a number of cloud service provider platforms, including Amazon Web Services, OpenStack, and
vCloud Director, as managed endpoints. Adding a second site in this manner offers new opportunities for
both IT and business: the ability to rapidly add compute capacity means that IT can scale out services quickly
and easily using an OpEx cost model. It also offers the flexibility of new tiers of service that enable customers
to align workload costs with business value. You can step through the process of adding vCloud Air as a
managed endpoint to vRA in Lab A.4.

Add-On Features in this vLab environment

In this vLab, applications and services are presented to demonstrate some of the capabilities and features that the
Enterprise Hybrid Cloud solution provides. The service catalog enables role-based customization, so it can be
different for every customer.

Within the scope of this vLab Guide, we are attempting to showcase a variety of applications and services in the
catalog that may go beyond what the default Foundation installation would provide out of the box.

Data Center Virtualization and Cloud Management
The following VMware components are included in an Enterprise Hybrid Cloud Solution:

Note: The lab environment is a fully functional cloud solution, and users are encouraged to explore beyond the
exercises laid out in this lab guide.

VMware vRealize Automation

vRealize Automation (vRA) enables customized, self-service provisioning and lifecycle management of cloud services
that comply with established business policies. vRA provides a secure portal where authorized administrators,
developers, and business users can request new IT services and manage existing computer resources from
predefined, user-specific menus.

VMware vSphere ESXi and VMware vCenter Server

VMware vSphere ESXi is a virtualization platform for building cloud infrastructures. vSphere enables you to run
business-critical applications confidently to meet your most demanding service level agreements (SLAs) at the lowest
total cost of ownership (TCO). vSphere combines this virtualization platform with the award-winning management
capabilities of VMware vCenter Server. This solution gives you operational insight into the virtual environment for
improved availability, performance, and capacity utilization.

VMware vCenter Orchestrator

VMware vCenter Orchestrator (vCO) is an IT-process-automation engine that helps automate cloud services, and
integrates the vCloud Suite with the rest of your management systems. vCO enables administrators and architects to
develop complex automation tasks within the workflow designer. The vCenter Orchestrator library - pre-built activities,
workflows, and plug-ins - helps accelerate the customization of vRA's standard capabilities.

VMware NSX for vSphere

VMware NSX is the next generation of software-defined network virtualization, offering additional functionality and
improved performance over traditional network and security devices. This additional functionality includes distributed
logical routing, distributed firewalling, logical load balancing, and support for routing protocols such as Border
Gateway Protocol (BGP), Intermediate System-to-Intermediate System (IS-IS), and Open Shortest Path First (OSPF).

Where workloads on different subnets share the same host, the distributed logical router optimizes traffic flows by
routing locally. This enables substantial performance improvements in throughput, with distributed logical routing and
firewalling providing line-rate performance distributed across multiple hosts, instead of being limited to a single
virtual machine or physical host. NSX also introduces Service Composer, which integrates with third-party security
services.

VMware vRealize Operations

VMware vRealize Operations (vROps) is the key component of the vRealize Operations Management Suite. It provides
a simplified approach to operations management of vSphere, physical, and cloud infrastructures. Using patented,
self-learning analytics and an open, extensible platform, vROps provides operational dashboards that enable you to
gain deep insights and visibility into the health, risk, and efficiency of your infrastructure, performance management,
and capacity optimization capabilities.

vROps is extensible, and allows for the inclusion of "solution packs" that enable EMC to include data collection and
analysis of data from VMAX and VNX storage arrays.

VMware vRealize Business Standard

VMware vRealize Business Standard (vRB) provides transparency and control over the cost and quality of IT services.
By providing a business context to the services that IT offers, vRB helps IT organizations shift from a technology
orientation to a service-broker organization, delivering a portfolio of IT services that align with the needs of business
stakeholders.

VMware vRealize Log Insight

VMware vRealize Log Insight delivers automated log management through log aggregation, analytics, and search
capabilities. With an integrated cloud operations-management approach, it provides the operational intelligence and
enterprise-wide visibility needed to proactively enable service level compliance and operational efficiency in dynamic
cloud environments.

VMware vCloud Connector

The Enterprise Hybrid Cloud enables IT organizations to broker public cloud services, and has been validated with
VMware vCloud Air as a public-cloud option that can be accessed directly from the solution's self-service portal by
administrators and users. End users can provision virtual machines, while IT administrators can perform virtual
machine migration (offline) from the on-premises component of their hybrid cloud to vCloud Air using VMware vCloud
Connector.

Storage and Storage Virtualization Components
The EMC storage and storage virtualization components of the Enterprise Hybrid Cloud Solution include:

EMC ViPR

EMC ViPR is a lightweight, software-only solution that transforms existing storage into a simple, extensible, and open
platform. ViPR extends current storage investments to meet new cloud-scale workloads, and enables simple data and
application migration out of public clouds and back under the control of IT (or vice versa). ViPR gives IT departments
the ability to deliver on-premises, fully automated storage services at price points that are at or below those of public
cloud providers.

EMC ViPR Storage Resource Management

EMC ViPR SRM provides comprehensive monitoring, reporting, and analysis for heterogeneous block, file, and
virtualized storage environments. It enables you to visualize applications to storage dependencies, monitor and
analyze configurations and capacity growth, as well as optimize your environment to improve return on investment.

Workload-optimized storage

The Enterprise Hybrid Cloud solution enables customers to take advantage of the proven benefits of EMC storage in a
cloud-enabled environment. Using EMC ViPR storage services and EMC XtremIO, EMC ScaleIO, EMC VNX, and EMC
VMAX capabilities, this solution provides policy-based, software-defined storage management of EMC block and file
storage.

With a scalable storage architecture that uses the latest flash and tiering technologies, EMC storage arrays enable
customers to satisfy any workload requirements with maximum efficiency and performance, in the most cost-effective
way. With EMC ViPR, the storage configuration is abstracted and presented as a single storage control point, enabling
cloud administrators to access all heterogeneous storage resources within a data center as if they were a single large
array.

Storage administrators maintain control of storage resources and policies while enabling the cloud administrator to
automatically provision to the cloud infrastructure.

EMC VNX and EMC Symmetrix VMAX (VNX only in this lab environment)

EMC VNX and EMC Symmetrix VMAX are powerful, trusted, and smart storage array platforms that provide the highest
level of performance, availability, and intelligence in on-premises cloud environments. EMC VNX and VMAX storage
systems offer a broad array of functionality and tools, such as Fully Automated Storage Tiering for Virtual Pools (FAST
VP), which enable multiple storage service levels to support ViPR-driven storage-as-a-service offerings in RainPole's
hybrid-cloud environment.

EMC Fully Automated Storage Tiering for Virtual Pools

EMC FAST VP for VNX optimizes array performance across all drive types in the array to improve system performance
while reducing cost. FAST VP technology dynamically allocates workloads based on the configured service level, and
nondisruptively moves workloads across storage types to optimize overall system performance.

EMC XtremIO

EMC XtremIO is an all-flash scale-out enterprise storage array that provides substantial improvements to I/O
performance. Purpose-built to leverage flash media, XtremIO delivers new levels of real-world performance,
administrative ease, and advanced data services for applications.

EMC ScaleIO

EMC ScaleIO is a software-only server-based storage area network (SAN) that converges storage and compute
resources to form a single-layer, enterprise-grade storage product. ScaleIO storage is elastic and delivers linearly
scalable performance. Its scale-out server SAN architecture can grow from a few to thousands of servers.

EMC Isilon

EMC Isilon is a scale-out network-attached storage (NAS) storage platform that provides a powerful, simple and
efficient way to consolidate and manage enterprise data and applications. Its OneFS Operating System intelligently
combines file system, volume manager, and data protection across all nodes within a cluster.

EMC RecoverPoint

EMC RecoverPoint is an advanced data protection, replication, and disaster recovery solution designed with the
performance, reliability, and flexibility required for enterprise applications in heterogeneous storage and server
environments. It provides local replication and bidirectional remote replication for physical, virtual, and cloud
environments.

EMC VPLEX

The EMC VPLEX family removes physical barriers within, across, and between data centers. VPLEX Local provides
simplified management and nondisruptive data mobility for heterogeneous arrays. VPLEX Metro and VPLEX Geo
provide data access and mobility between two VPLEX clusters within synchronous and asynchronous distances
respectively. With a unique scale-out architecture, VPLEX advanced data caching and distributed cache coherency
provide:

Workload resiliency
Automating sharing, balancing, and failover of storage domains
Local and remote data access with predictable service levels

Enterprise Hybrid Cloud Data-Protection Components
EMC Avamar Backup and Recovery

EMC Avamar backup and recovery is a fast, efficient system that is provided through a complete software and
hardware solution. Equipped with integrated, variable-length deduplication technology, Avamar backup and recovery
software provides integrated-source and global data deduplication, which facilitates fast, daily full backups for cloud
environments.

EMC Data Protection Advisor

With EMC Data Protection Advisor (DPA), you can automate and centralize the collection and analysis of all data across
backup applications, replication technologies, the virtual environment, and supporting infrastructure. This provides a
single, comprehensive view of your data-protection environment and activities. In addition, when integrated with vCO
workflows, DPA can be used to provide on-demand reporting of backup statistics and status.

EMC Data Domain System

For additional data-protection support, although it is not included in this hybrid-cloud solution, consider using EMC
Data Domain as the target repository for Avamar backups instead of an Avamar server. Data Domain storage systems
deduplicate data in-line, so that it lands on disk already deduplicated, requiring less disk space than the original
dataset. With the Data Domain system, you can retain backup and archive data onsite longer, to enable quick and
reliable data recovery from disk.

EMC and VMware Integration
The solution takes advantage of the strong integration between EMC technologies and the VMware vRealize Suite. The
solution, developed by EMC and VMware product and services teams, includes EMC scalable storage arrays,
integrated EMC and VMware monitoring, and data protection suites to provide the foundation for enabling cloud
services within the customer environment.

Integration Overview

The Enterprise Hybrid Cloud solution contains many integration points between EMC and VMware products, tying
virtualization to automation to orchestration to network to storage to data protection to management to monitoring.

Storage Services

Though managed by EMC ViPR, both VNX and VMAX support VMware vSphere Storage APIs for Array Integration (VAAI),
which offloads virtual machine operation to the storage array controller to optimize server performance.

Both platforms also support VMware vSphere Storage APIs for Storage Awareness (VASA), which enables vCenter to
collect and report the storage capabilities of ViPR-provisioned datastores. Administrators use VASA to make intelligent
placement decisions, as well as to automate workload placement where appropriate using virtual machine and
datastore service-level storage policies.

All VMware vSphere ESXi servers in the solution run EMC PowerPath/VE for automatic path management and I/O load
balancing in the SAN. EMC PowerPath/VE automates failover and recovery, and optimizes load balancing of data paths
in virtual environments to ensure availability, performance, and the ability to scale out mission-critical applications.

EMC ViPR Storage Provider

The EMC ViPR Storage Provider plays a key role in this solution in identifying the capabilities of the storage presented
to ESXi servers managed by vCenter. A VASA-integrated storage profile is created in vCenter for each class, or tier, of
storage presented to the ESXi host by ViPR. These storage profiles are used by ITBM to classify and charge for each tier
of storage presented and consumed in vCAC.

Orchestration

The ViPR plug-in for vCenter Orchestrator provides an orchestration interface to the EMC ViPR software platform. It
includes pre-packaged workflows, used through the vCO client and other clients that support vCO integration. The
prepackaged workflows contain sets for common ViPR operations and sets of building block workflows intended for
detailed ViPR operations, such as Virtual Machine File System (VMFS) or Network File System (NFS) datastore
provisioning.

The EMC ViPR plug-in is installed in the vCenter Orchestrator configuration interface.

Operational Management and Monitoring

Powered by vRealize Operations Management, the EMC Storage Analytics adapter provides a powerful management
tool for VMware and storage administrators to access realtime intelligent analytics for the individual VNX, VMAX,
VPLEX, and XtremIO platforms. Administrators can get detailed statistics through preconfigured, customizable
dashboards, heat maps, and alerts and access topology mappings in a VMware environment.

EMC also provides storage and data protection content packs for use with VMware vRealize Log Insight. Content packs
for VNX and VMAX provide dashboards and user-defined fields specifically for those EMC products that enable
administrators to conduct problem analysis.

Metering

EMC ViPR Storage Provider plays a key role in this solution in identifying the capabilities of the storage presented to
ESXi servers managed by vCenter. A storage profile is created in vCenter for each class, or tier, of storage presented by
ViPR. These storage profiles are used by VMware vRealize Business to classify and charge for each tier of storage
presented and consumed in vRealize Automation.

Data Protection

Using the vRealize Automation application program interface (API) and extensibility toolkits, this solution implements
custom functionality to provide Avamar-based, image-level backup services for applications and file systems within a
single organization or multiorganization hybrid cloud environment.

With this solution, enterprise administrators can offer IaaS with EMC backup to end users who want a flexible, on-
demand, automated backup infrastructure without having to purchase, configure, or maintain it.

Data protection capabilities for the solution are covered in further detail in the Enterprise Hybrid Cloud Data-Protection
Components section of the Guide. These components and features are integrated with vRealize, vCenter, vCenter
Orchestrator, and other VMware components through the following mechanisms:

EMC Storage Replication Adapters

EMC's Storage Replication Adapters (SRAs) ensure tight integration between vCenter Site Recovery Manager and the
RecoverPoint and ViPR products. The SRAs automate the replication and data-sync operations for coordinated disaster
recovery failover and planned-migration operations.

The EMC RecoverPoint Storage Replication Adapter for VMware vCenter Site Recovery Manager enables Site Recovery
Manager to implement disaster recovery using RecoverPoint. The RecoverPoint SRA supports Site Recovery Manager
functions, such as failing over, failing back, and failover testing, using RecoverPoint as the replication engine.

The EMC ViPR Storage Replication Adapter for VMware vCenter Site Recovery Manager provides the same functionality
for protected storage provisioned using EMC ViPR.

EMC Data Protection Workflows for vCenter Orchestrator

With vCO, cloud administrators can use the data-protection workflows created by EMC to automate Avamar and Data
Domain protection of virtual machines. These workflows are added to the vRA virtual-machine provisioning blueprints
so that users can easily set up protection at provisioning time. In addition, workflows can be used to enable simple
restore of the last good backup for a specific virtual machine.

Administrators can also use workflows that carry out the complete protection policy setup on Avamar and vCenter
systems, to facilitate quick and easy deployment of the infrastructure needed to support all of the end-user protection
needs.

Additional data-protection components for the Enterprise Hybrid Cloud are described in the next section.

Data Protection Content Packs for VMware Log Insight

The Enterprise Hybrid Cloud solution stack also includes storage and data protection content packs for use with
VMware vCenter Log Insight. EMC content packs for Avamar, VNX, and VMAX provide dashboards and user-defined
fields specifically for those EMC products that enable administrators to successfully analyze and resolve cloud
infrastructure issues.

Modular Add-On Components
Using the vRealize Automation application program interface (API) and extensibility toolkits, this solution implements
custom functionality to provide Avamar-based, image-level backup services for applications and file systems within a
single organization or multiorganization hybrid cloud environment.

With this solution, enterprise administrators can offer IaaS with EMC backup to end users who want a flexible, on-
demand, automated backup infrastructure without having to purchase, configure, or maintain it.

Application Services

The Enterprise Hybrid Cloud uses VMware vRealize Application Services to optimize application deployment and
release management through logical application blueprints in vRealize Automation. A drag-and-drop user interface
lets you quickly and easily deploy blueprints for applications and databases such as Microsoft Exchange, Microsoft
SQL Server, Microsoft SharePoint, Oracle, SAP, and Cloud Foundry.

Public Cloud Services

This Enterprise Hybrid Cloud solution enables IT organizations to broker public cloud services. This solution has been
validated with VMware vCloud Air as a public cloud option that can be accessed directly from the solution's self-
service portal by administrators and users. End users can provision virtual machines while IT administrators can
perform virtual machine migration (offline) from the on-premises component of their hybrid cloud to vCloud Air using
VMware vCloud Connector.

Lab Overview

Lab Environment
The environment for this vLab includes the following:

EMC Cloud Solution Components

1 x EMC VNX Unified virtual storage array

1 x EMC vVNX virtual array (providing NFS datastore services)

1 x EMC Avamar virtual appliance

1 x EMC Data Protection Advisor (DPA) virtual machine

1 x EMC Avamar Proxy virtual appliance

1 x EMC ViPR appliance

VMware Cloud Solution Components

4 x VMware ESXi host servers: two hosts for cloud infrastructure virtual machines, and two hosts for the collective
business groups' various resource pools

1 x VMware vCenter Server on a Microsoft Windows Server 2012 virtual server

1 x VMware vRealize Automation management appliance

1 x VMware vCenter Orchestrator workflow-management appliance

1 x vRealize Automation Infrastructure-as-a-Service virtual machine

1 x VMware vRealize Operations (vROps) virtual appliance

1 x VMware NSX Manager virtual appliance

1 x VMware NSX Controller virtual appliance

1 x VMware NSX Distributed Logical router virtual appliance

1 x VMware NSX Edge Services Gateway virtual appliance

1 x VMware vRealize Business Standard virtual appliance

1 x VMware vRealize Automation Application Services virtual appliance

Additional Management Infrastructure

1 x Microsoft Windows Server 2012 Domain Controller virtual machine

1 x Microsoft Windows Server 2008/ R2 Launchpad server

1 x Zimbra email server

1 x Puppetmaster automated-application deployment server

You will access the environment and perform all tasks from the Launchpad server. Specific connection instructions
and login credentials will be provided for each component within the body of this Guide as necessary.

Note: Lab Performance

This vLab attempts to create a functional Enterprise Hybrid Cloud solution stack in the smallest footprint possible.
You'll find that the solution's component virtual machines, hosts, and management appliances have all been
minimized beyond the normal sizing guidance for an Enterprise Hybrid Cloud environment.

This lab environment uses a VNX Virtual Storage Appliance (VSA) and virtual Avamar appliance, rather than physical
storage and backup hardware. The performance of these virtual appliances may be significantly slower than on
physical equipment. As a result, you may find that some tasks run longer in the lab environment using the VSAs than
you would see on real storage and virtualization hardware.

Lab Credentials
Within the scope of the lab guide, you will log in to three management consoles: vRealize Automation, vCenter Server,
and vRealize Operations Manager.

Due to the multi-persona nature of this vLab, you will use several sets of credentials to connect to vRA.

vRealize Automation

To log in to vRA as the Cloud Administrator (Labs A.1-A.4; Labs B.1-B.3), use the following credentials:

User name: cloud_admin@vlab.local
Password: Password123!

Business Analyst Credentials

To log in to vRA as the Business Analyst (Lab C.1), use the following credentials:

User name: business_analyst@vlab.local
Password: Password123!

Developer Credentials

To log in to vRA as the Developer (Lab B.1), use the following credentials:

User name: devops_user@vlab.local
Password: Password123!

vRealize Orchestrator

To log in to the vRealize Orchestrator client (Lab C.2), use the following credentials:

User name: cloud_admin@vlab.local
Password: Password123!

vCenter Server

You will log in to vCenter in Lab A.2 using your Windows user ID.

User name: vlab\administrator
Password: Password123!

vCenter Server - Network Administrator

In Lab C.2, you'll use the following credentials to log in to vCenter and review its NSX security policies:

User name: ehc_nsx_ent_admin@vlab.local
Password: Password123!

Additional credentials

The above list includes all the login credentials you will need to complete the steps outlined in the lab guide. If you
need to access any of the component-level systems that make up the Enterprise Hybrid Cloud solution - e.g.: the
domain controller; the Mail server; Log Insight, vRealize Operations, etc. - additional credentials and systems
connectivity information have been included in the lab's Collateral page as a separate download.

Lab Scenario
This vLab demo has been arranged to support several personas that represent normal users of an Enterprise Hybrid
Cloud. The use of the personas is meant to help guide vLab participants toward the parts of the solution that are the
most relevant to their users and their use cases.

Lab Roles

The personas that have been created for this lab are:

Cloud Administrator

This user represents the team that manages and monitors the on- and off-prem cloud infrastructure to ensure that the
hybrid cloud is meeting the demands of the cloud users. In addition to having responsibility for the more traditional
aspects of a virtualized environment (capacity, performance, data protection, etc.), this team ensures that members of
RainPole's various business and IT groups are able to create, manage, and monitor their own cloud-enabled
workloads.

The cloud administrator doesn't have to be a storage, server, or virtualization administrator. Most of the work is
performed in the self-service portal or the associated hybrid cloud management portals.

Some of the tasks that are common to the cloud administrator:

Monitoring and reporting on cloud resource consumption
Distributing virtual and physical resources between business groups
Approving requests for additional services and large resource requests
Managing connections to infrastructure endpoints, like vSphere, vCloud Air, and other public cloud providers

Business Analyst

This user focuses on the applications that make the business run, and acts as an intermediary between the business
and IT. The business analyst engages directly with the end-users and the lines of business to satisfy the IT
requirements of business initiatives and programs.

Some examples of how a business analyst helps the business:

Translating the requirements of a new application into the blueprints and templates available from the self-service portal
Working directly with the Cloud Administrators and Business Group Administrators to proactively create new services and offerings to place into the self-service portal
Helping to manage existing applications in the cloud by supporting upgrades and ensuring performance and end-user functionality

Developer

The developer is a very broad term for a user who is using the agile and on-demand attributes of the hybrid cloud to
quickly create new development and test environments, and to work with the business analysts to provision QA and
production environments as applications move through their lifecycle. The developer persona is all about reducing
the time to value, and benefits from a quick turnaround of IT resources all in an effort to focus on their development
activities.

Hybrid cloud functionality that developers tend to focus on includes:

Self-service deployment of virtual servers and pre-configured development environments
Easy configuration and consumption of advanced services, such as databases and data lake repositories
On-demand backup, restore, and snapshot functionality built right into the self-service portal
Development and consumption of standardized services as repeatable building blocks

Lab Tasks - Cloud Administrator Persona

The Cloud Administrator manages the infrastructure of the environment. In this role, the cloud administrator ensures
that resources are being consumed and distributed properly, and that enough resources are available to support the
cloud users and their requirements.

Some responsibilities fulfilled by a Cloud Administrator role may include:

Provisioning and entitling cloud resources, such as compute, storage, and data protection
Managing cloud infrastructure in enterprise environments - adding and managing sites, applying enterprise-
class best practices to management and monitoring, working in conjunction with security teams to ensure
compliance with corporate data protection standards
Creating new cloud services, such as data-protection policies, blueprints, and applications, for end-user
consumption
Approving cloud resource requests

Lab Tasks - Business Analyst Persona

The Business Analyst creates new virtual environments for the end users and lines of business. This includes
requesting new backup policies as they are needed by the business, provisioning resources, and also performing
administrative tasks as needed on the existing applications.

Some responsibilities specific to the Business Analyst role may include:

Provisioning and managing VMs using the self-service portal
Self-service data protection (backup and restore operations, snapshot instantiation and management)
Expanding existing virtual machine resources
Deleting or expiring no-longer-needed VMs

Lab Tasks - Developer Persona

The Developer in this vLab will be used as a test account. The Cloud Administrator will create a new IaaS blueprint and
approval policy, which will then be enabled for Developer access. The Developer account will request a new VM based
on this blueprint, which will in turn trigger an approval request for the Cloud Administrator to review and approve.

Potential additional responsibilities for the Developer may include:

Requesting, configuring, and maintaining simple and complex Application environments, ranging in size from
one to many application/service tiers per Application instance.
Provisioning new development and test virtual machines on a regular basis to meet customer and business
initiatives.

Labs
This Enterprise Hybrid Cloud lab is organized into three distinct Sections, each of which is further divided into between
two and four Labs, each of which is intended to provide a technical overview of a distinct cloud solution component,
service, or use case.

Labs are divided up by persona and scope:

1. Section A Labs are targeted toward the operational scope of a cloud-infrastructure administrator.
2. Section B Labs, while performed by the Cloud Administrator in this vLab, might in reality be delegated to
specific service administrators and architects, as these Labs focus on creating and publishing new services to
Enterprise Hybrid Cloud environments.
3. Section C Labs show how some of these cloud services can be experienced and consumed by cloud
customers.

Section A - Provisioning and Managing Cloud Infrastructure Resources

This section of the Enterprise Hybrid Cloud v3.5 lab focuses on cloud administrative tasks, such as provisioning and
adding cloud infrastructure resources, creating and entitling cloud infrastructure resource pools, and managing
infrastructure sites and components.

In order to show some of the advanced features that an Enterprise Hybrid Cloud offers, but which are not supported in
a vLab environment, this section includes two labs that leverage the Cloud Experience Center's interactive demo
capabilities to show you a full simulation of additional use cases: adding a vCloud Air virtual data center to vRealize
Automation as a managed endpoint; and managing your VCE converged infrastructure from the vRealize Automation
self-service portal using VCE integrated workflows.

In this section, as the Cloud Administrator, you'll perform the following labs:

Lab A.1 - Storage Provisioning with EMC ViPR

This Lab will show how a Cloud Administrator can leverage the integration of EMC ViPR and VMware vRealize
Automation to rapidly and easily deploy new storage, and then provision it into cloud resource pools for consumption
by business groups.

In this Lab, as the Cloud Administrator, you will use the vRealize Automation self-service portal to add more capacity
to an existing storage tier in the cloud environment. You will then assign that new storage to two different business
groups, thereby enabling them to provision new cloud workloads and VMs using that storage.

Estimated time required to complete this lab: 15-20 minutes

Lab A.2 - Import a Pre-Existing VM into Cloud Environment (Cloud Administrator)

After deploying an Enterprise Hybrid Cloud solution, organizations sometimes find it necessary to expand the scope of
cloud-managed resources to include elements, components, services, and workloads that were created outside the
cloud environment. Importing pre-existing resources can enable cloud administrators to provide continuity of service -
i.e. maintain existing services and support critical business processes - while bringing those applications and
resources into the Enterprise Hybrid Cloud's centrally-managed, user-enabled services catalog.

In this Lab, in the role of the Cloud Administrator, you will import a pre-existing virtual machine into vRealize
Automation and assign the Developer user as the new owner.

Estimated time required to complete this lab: 10-15 minutes

Lab A.3 - Add a vCloud Air Site to vRealize Automation

With an Enterprise Hybrid Cloud, you can manage resources and workloads across multiple sites - both public and
private cloud infrastructure - from within the same vRealize Automation self-service portal.

In this Lab, you will use the Cloud Experience Center to see how to connect your Enterprise Hybrid Cloud to a vCloud
Air site, and how to configure your environment with a new reservation and vCloud Air-based blueprint. Finally, you'll
deploy a new VM to your vCloud Air data center from the vRealize Automation self-service portal.

Estimated time required to complete this lab: 15-20 minutes

Section B - Provisioning and Enabling Cloud Services

In this section of the Enterprise Hybrid Cloud v3.5 lab, we've compiled a series of use cases and demos that show how
a cloud administrator, backup administrator, or application architect would create an initial set of cloud services, or
expand an existing service catalog with new applications and workloads to meet evolving business needs.

To show some of the advanced features that an Enterprise Hybrid Cloud offers, but which are not supported in a vLab
environment, this section includes one lab that leverages the Cloud Experience Center's interactive demo capabilities.
In Lab B.3, you'll see a full simulation of how to integrate a VM blueprint with a ServiceNow CMDB management
platform to integrate self-service VM provisioning with an enterprise management system.

In this section, as the Cloud Administrator, you'll perform the following labs:

Lab B.1 - Creating a New Infrastructure-as-a-Service Blueprint (Cloud Administrator)

This Lab will walk you through the process of creating, configuring, and publishing a new VM-provisioning blueprint to
the catalog. You'll also see how catalog items are enabled for access by specific cloud customers. You will then create
an approval policy and attach it to the catalog item to require Cloud Administrator approval for users wishing to use
the blueprint for new VMs. Finally, you'll test the blueprint and approval policy by requesting a new VM as the
Developer user.

Estimated time necessary to complete this Lab: 20-30 minutes

Lab B.2 - Manage Data Protection Services (Cloud Administrator)

As the Cloud Administrator, you can create multiple backup service levels for your cloud environment, based on your
organization's requirements for backup scheduling, data retention, and archiving. These service levels are presented
to your customers during the VM request process, and are supported behind the scenes by EMC Avamar and
(optionally) Data Domain. Backups are automatic according to the configured schedule, or can be initiated manually if
necessary.

In this Lab, as the Cloud Administrator, you will create and verify a new backup service level.

Estimated time necessary to complete this Lab: 5-10 minutes

Lab B.3 - Integrated CMDB Management with ServiceNow

While the self-service capabilities and business agility offered by an Enterprise Hybrid Cloud mean rapid delivery of
new VMs and application stacks to cloud customers, it can present new challenges to IT administrators and staff
focused on IT configuration and service management. CMDB management often assumes that items in its inventory
are fairly static in lifecycle, so CMDB records are often updated by manual processes. In dynamic environments (e.g.
an Enterprise Hybrid Cloud platform) where workloads are rapidly spun up and then retired, a CMDB can quickly go
stale, jeopardizing IT service levels and diminishing its value.

In this Lab, you'll see how the Enterprise Hybrid Cloud's self-service and automated VM-deployment capabilities can
be configured to work seamlessly with a ServiceNow CMDB environment. To demonstrate these third-party integration
features of an Enterprise Hybrid Cloud, you'll use the Cloud Experience Center to experience the process.

Estimated time necessary to complete this Lab: 10-15 minutes

Section C - Deploying and Accessing Cloud-Based Services

This section of the Enterprise Hybrid Cloud vLab shows some of the ways in which a cloud consumer could deploy,
access, and use cloud-based services from the vRealize Automation self-service portal. Through service blueprints and
automation, cloud and application administrators can enable the deployment of both large-scale applications and
niche workloads within a hybrid-cloud environment.

In order to show some of the advanced features that an Enterprise Hybrid Cloud offers, but which are not supported in
a vLab environment, this section includes one lab that leverages the Cloud Experience Center's interactive demo
capabilities to show you a full simulation of VM data encryption using CloudLink SecureVM.

In this section you'll connect to vRealize Automation as an end user for the following tasks:

Lab C.1 - VM Lifecycle and Operations Management (Business Analyst)

In this Lab, you will log in to vRealize Automation using the Business Analyst account, and request a new virtual
machine from the business analyst's self-service portal.

Once the VM has been deployed, you will then review the VM's data-protection options, first by capturing a snapshot
of the VM, and then running on-demand backup and restore operations.

Next, while still logged on to vRA as the Business Analyst, you will change the VM's hardware allocation by adding
CPU, memory, and disk resources to the VM.

Finally, using the Business Analyst's vRA self-service portal, you will destroy the VM.

Estimated time necessary to complete this Lab: 30-35 minutes

Lab C.2 - Deploy Applications and Services with VMware NSX

In this Lab you will log into vRealize Automation as the Developer, and deploy a series of web servers and a multi-tier
application that use VMware NSX for application security and automated network load balancing. You'll validate both
application security and application functionality to see how NSX enables both.

In the final Exercise, you'll use the self-service portal to add new web servers to the multi-tier application, and verify
NSX-based network load balancing.

Estimated time necessary to complete this Lab: 35-40 minutes

Lab C.3 - Deploy a Puppet VM

In this Lab, you'll log on to vRealize Automation as the Developer user, and use an IaaS blueprint that leverages
Puppet and vCenter Orchestrator to provision a virtual machine with Tomcat web services automatically installed as
part of the deployment process. Then, you will verify application functionality by connecting to the new VM via web
browser.

Estimated time necessary to complete this Lab: 10-15 minutes

Lab C.4 - Protecting Data Using CloudLink SecureVM

In this Lab, you'll use the Cloud Experience Center to provision a Windows 2012 Server virtual machine that leverages
a CloudLink security policy. You'll assign an encryption setting during the deployment process to secure the VM's
System and Data volumes, and then monitor the deployment process to completion and validate the VM's security
status.

You'll then add a new volume to the Windows VM and watch CloudLink automatically discover and encrypt the new
volume.

Estimated time necessary to complete this Lab: 5-10 minutes

Lab Flow and Prerequisites

These labs are designed to be performed independently of one another. You can complete the labs in any order,
though the Exercises within each Lab should be completed in sequence. It is also recommended that when you begin
a Lab, you complete all of the Exercises within the Lab.

Lab Timing

This is a very large lab with a wide variety of use cases demonstrated. While about half of all modules in this Guide are
performed as the Cloud Administrator, there is also a significant amount of time spent in the role of various cloud-
services consumers.

Completing the entire Enterprise Hybrid Cloud v.3.5 vLab can take anywhere from two-and-a-half to four hours from
start to finish. If you wish to complete the entire lab from start to finish, you may need to complete the lab over several
visits of 60-90 minutes each due to the limited lease duration of a lab session. There are no cross-lab dependencies -
each Lab can be performed individually without precursor - so you can begin a new session at another time without
having to repeat any prior work.

These times are repeated at the beginning of each Lab to help you prioritize your time as you work through the Guide.

Suggested Lab Tracks

In addition to the Sections listed above, which can be completed individually during the course of a 60-90 minute lab
session, the following suggested lab tracks may offer a more optimal experience, depending on your objective in
completing the Enterprise Hybrid Cloud lab.

New content in the v3.5 lab release

If you've completed an earlier version of the Enterprise Hybrid Cloud lab and are looking for new content associated
with this release, please complete the following labs:

1. Lab A.3 - Add a vCloud Air Site to vRealize Automation (based on an interactive demo environment)
2. Lab B.3 - Integrated CMDB Management with ServiceNow (based on an interactive demo environment)
3. Lab C.2 - Deploy Applications and Services with VMware NSX
4. Lab C.3 - Deploy a Puppet VM
5. Lab C.4 - Protecting Data Using CloudLink SecureVM (based on an interactive demo environment)

Advanced cloud services management and usage

If you're looking for a deeper dive into Enterprise Hybrid Cloud use cases, the following labs offer a high-value hands-
on overview:

1. Lab A.3 - Add a vCloud Air Site to vRealize Automation (based on an interactive demo environment)
2. Lab B.1 - Create a New IaaS Service Blueprint and Approval Policy
3. Lab C.2 - Deploy Applications and Services with VMware NSX
4. Lab C.3 - Deploy a Puppet VM

Standalone labs

If time is limited, consider completing only one or two high-value or high-interest labs. There are no interdependencies
from one lab to the next, so you can complete any or all labs, and in any order.

Lab A.1 - Storage Provisioning with EMC ViPR (15-20 minutes)

Exercise A.1.1 - Introduction to Cloud Management and Services
In this Lab, as the Cloud Administrator, you will use the vRealize Automation self-service portal to add more capacity
to an existing storage tier in the cloud environment. You will then assign that new storage to two different business
groups, thereby enabling them to provision new cloud workloads and VMs using that storage.

Management and customer services in the Enterprise Hybrid Cloud are created, provisioned, and consumed in
vRealize Automation, which is accessed via web browser.

In this first exercise, you will launch Firefox and log in to vRA as the Cloud Administrator.

Estimated time to complete Lab A.1: 15-20 minutes

Step 1 - Open Firefox and log in to the self-service portal

From the desktop, double-click the Mozilla Firefox icon to open the web browser. For optimal viewing, maximize the
browser to fill your desktop.

Log in to the vRealize Automation management portal

The browser's default home page should be set to the VMware vRealize Automation login portal.

1. Enter cloud_admin@vlab.local in the User name field.
2. In the Password field, enter Password123!
3. Click the Login button.

vRealize Automation URL (if necessary)

NOTE: If the vRA portal does not load automatically, click the vRA button in the Firefox bookmarks bar, or enter the
following in the address window:

https://vra.vlab.local/vcac/org/rp/

Step 2 - vRA navigation - overview

In vRealize Automation, services, management tasks, and status are all accessed via the Self-Service Portal, which will
display once your login has completed.

The tabbed row across the top of the portal enables navigation through the services and functions offered by vRA.

Cloud Administrator Home page

The Home tab is the default landing page upon login.

The Cloud Administrator's home page has been configured in this lab to provide an at-a-glance look at the Cloud
Administrator's Inbox, servers and services that the Cloud Administrator owns, new and noteworthy services, recent
and upcoming events, and recent Cloud Administrator requests.

The Home page is individually customizable - each user can select the widgets to display and the layout they prefer.

Service Catalog page

The Catalog page is where services and VMs can be requested. The Catalog view is also user-aware, so users only see
the cloud services for which they have been specifically entitled.

Items page

The Items page shows cloud VMs and applications that you (in this case, the Cloud Administrator) own. Each user will
see a different list of items: The Cloud Administrator user, whose responsibilities focus primarily on infrastructure and
service management, does not have any pre-provisioned VMs in this environment. Later in the Lab, you'll log in as the
Business Analyst user and / or the Developer user, and you'll see that each has one or more VMs that they own.

Requests page

The Requests page lists all requests, both current and past, which have been submitted by the logged-in user.

Inbox

The Inbox displays any pending actions that you need to take within vRA.

Examples of requests that might require approval include creating large VMs, enabling new services, or deleting
certain types of virtual machines. You'll work with Approval Policies in Lab B.1.

In addition to Approval notifications, the Cloud Administrator's Inbox also has categories that might contain assigned
tasks and reclamation requests.

Advanced Services

Advanced Services let you manage and configure advanced-service offerings, such as customized workflows, services,
and actions.

This tab is accessible only to cloud users with sufficiently elevated administrative rights.

Administration

The Administration page is where most cloud-management tasks, configuration settings, and external data-center/
resource connections are performed and configured.

This tab is also accessible only to cloud users with sufficiently elevated administrative rights. You'll work with some of
the available configuration settings and items on this tab in Lab B.1.

Infrastructure

The Infrastructure page is where cloud resources (as opposed to services) are managed. Resources include hosts,
storage, blueprints, and managed endpoints such as remote and disaster recovery sites, and public cloud providers.

This tab is also accessible only to cloud users with sufficiently elevated administrative rights. You'll work with some of
the available configuration settings and items on this tab in Labs A.1, A.2, A.3, B.1, and B.3.

Business Management

The Business Management tab provides access to the vRealize Business (vRB) financial oversight and management
tool.

This tab is only presented to users who are granted access to vRB data.

Step 3 - Open the cloud administrator's self-service catalog page

Click the Catalog tab at the top of the page.

Service Catalog overview

The Service Catalog page is divided into two sections:

1. A navigation widget on the left side.
2. A catalog page on the right.

Services and resources that have been made available for user request are presented as tiles, each of which can be
requested by clicking the individual tile's Request button.

The default view shows all available catalog items for which the user has been entitled (the All Services view). Each
catalog item has also been grouped with other similar items into one of several Services, which are shown in the
navigation column on the left side.

Step 4 - Filter by Service

In the navigation widget, click the Virtual Servers service bar.

View available Virtual Servers catalog items

In the right-hand window, you'll see a series of tiles showing available virtual servers to request from the catalog.

You'll see multiple tile types, showing different VM blueprints for each type. In this view, each tile is repeated three
times, but the business group in each repeat is different - DevOps, IT Operations, and EHC Operations.

In subsequent Labs, you'll log in to vRealize Automation as a Business Analyst (a member of the EHCOperations
business group) and as a Developer (a member of the DevOps business group). You'll see different catalog views
associated with each user account.

Step 5 - Cloud Management by service

Click the Data Protection Services menu bar in the navigation widget.

Data Protection Services

In addition to requesting new virtual machines, the Enterprise Hybrid Cloud with vRealize Automation has also been
configured to enable certain cloud-management services as catalog items.

You'll see a series of data-protection creation and management catalog items in this view.

Catalog item entitlements

You'll also notice that all tiles are entitled to the IT Operations group, of which only the Cloud Administrator is a
member, rather than the different groups you saw in Step 3. If you were to log in as either the Business Analyst or the
Developer, you would not see the Data Protection Services menu item at all.

Entitlements (enabling access to cloud resources and/or services) are covered in more detail in Lab B.1.

Resource-management services

In addition to integrating automatic data-protection creation and management services, the Enterprise Hybrid Cloud
also includes the ability to create new cloud storage resources through the service catalog. In Exercise A.1.2, you'll
leverage this service to provision a new datastore for cloud customer use.

Exercise A.1.2 - Provision New Cloud Storage
In this exercise, you will use the self-service portal in your role as the Cloud Administrator to add more space to the
RainPole Enterprise Hybrid Cloud environment's VNX-SAS storage pool.

You will then make that new storage available for tenant (DevOps and IT Operations) VMs in the Enterprise Hybrid
Cloud environment.

NOTE: This Exercise assumes that you've logged in to the vRealize Automation self-service portal as the Cloud
Administrator. If not, instructions for logging in to vRA are provided in Exercise A.1.1. In an actual Enterprise Hybrid
Cloud environment, tasks such as this can be delegated/assigned to a storage administrator user for completion to
streamline cloud security and operations. In this vLab, you're performing this task as the Cloud Administrator to
minimize the number of required logon operations you'll need to perform.

Step 1 - Open the Cloud Storage service page

To begin this Exercise, click the Storage Management service menu bar in the navigation widget.

NOTE: The Provision Cloud Storage workflow, which integrates EMC ViPR software-defined storage management with
VMware vRealize Orchestrator and vRealize Automation, is included as part of the Enterprise Hybrid Cloud -
Foundation solution.

Step 2 - Launch the cloud storage provisioning request

Once the Provision Cloud Storage service page loads, click the Request button inside the Provision Cloud Storage tile.

Enter a request description

When the New Request wizard loads:

1. In the Description field, enter New SAS storage for DevOps
2. Click Next

Provide password for storage request

1. On the Authentication page, enter the Cloud Administrator's password - Password123! - to authorize the
storage request.
2. Click Next

Specify the target site

1. On the Provisioning Site tab, click the drop-down button and select vLab
2. Click Next

Select the target vCenter resource cluster

1. On the vCenter Cluster page, click the drop-down button next to the Choose vCenter cluster field, and choose
Tenant
2. Click Next

Select the target storage type

1. Click the drop-down button next to the Choose datastore type menu of the Storage Type page, and select
VMFS
2. Click Next

Select the target storage tier

1. Click the drop-down button next to the Choose a ViPR storage tier field of the Storage Tier page, and select
VNX SAS; available:82GB
2. Click Next

Specify the new datastore size

1. On the Datastore Size page, enter 15 in the Size (GB) field. This will create a 15GB datastore.
2. Click Submit

Complete the request

After a few seconds, you'll see a request confirmation page. Click OK to return to the self-service catalog page.

Step 3 - Monitor the Storage Provisioning Request

From the self-service catalog page, click the Requests tab.

Locate the Provision Cloud Storage request item

When the Requests page loads, you'll see the Provision Cloud Storage operation that you just submitted, with the
request status showing In Progress.

1. Click on the row to highlight the item.
2. Click the View Details button in the upper-left corner of the panel.

Review request details

Click the Authentication tab to review the storage pool parameters as provided to ViPR when you submitted the
request.

1. Clicking the tabs across the top of the page will show you the details that you provided including description,
storage location, datastore type, storage tier, and size.
2. When you've finished reviewing the details of the new storage request, click OK to return to the Requests
page.

Refresh the page

The storage-provisioning operation should complete successfully within 3-5 minutes.

Click the Refresh button at the bottom of the page to reload the request status. Repeat until the Provision Cloud
Storage request's status changes to Successful.

Continue to next Exercise

Provisioning cloud storage through EMC ViPR and the vRealize Automation service catalog creates a new vSphere
datastore using the size and tier parameters you specified.

A successful completion of this request means that EMC ViPR has created a new LUN on the VNX storage array,
attached it automatically to the cloud infrastructure's underlying vCenter server and vSphere hosts as an iSCSI
datastore, and added it to the pool of available resources in vRA.

In Exercise A.1.3, you will configure the new storage for tenant access, making it available for new cloud workloads.

Exercise A.1.3 - Enable the New Storage for Business Use
In Exercise A.1.2, as the Cloud Administrator, you created 15GB of new VNX SAS storage through the vRealize
Automation self-service portal.

In this Exercise, you'll make that new storage capacity available for tenant access by allocating it to two of your
business groups' resource pools.

NOTE: In an actual Enterprise Hybrid Cloud environment, tasks such as this can be delegated/assigned to a storage
administrator user to streamline cloud security and operations. In this vLab, you're performing this task as the Cloud
Administrator to minimize the number of required logon operations you'll need to perform.

Step 1 - Open the Reservations page in the self-service portal

From the Requests tab in the vRA self-service portal, click the Infrastructure tab.

Continue to the Reservations page

From the Infrastructure Recent Events page, click the Reservations bar in the left-hand menu column.

View Business Group Reservations

When the next menu column loads, click Reservations again.

Step 2 - Edit the DevOps group's resource reservation

1. On the Reservations page, hover the mouse over the Production-DevOps01 reservation.
2. When the popout menu appears to the right, click Edit

View the available DevOps business group resources

When the Edit Reservation - vSphere (vCenter) page appears, click the Resources tab.

Locate the new datastore

In the Resources tab, scroll down through the Storage Paths section. There will be a total of 5 storage paths, four of
them pre-staged with the lab environment. The fifth will be the datastore you provisioned in Exercise A.1.2, and will
have a unique name, not corresponding to anything you'll see in the lab graphics. Look for the datastore named
VNXSAS_... with 15GB of physical space.

Enable the new datastore for access

In addition to the Physical space column, you'll also notice that:

1. The Free capacity column shows 14GB of available space, even though there are no tenants using the storage
yet. This reflects the 1GB of capacity reserved for vSphere datastore management.
2. The This reservation reserved column is blank, indicating that none of this new storage has yet been assigned
to the DevOps business group.
3. To edit this setting, check the empty box in the left-most column of the new datastore's resource row.

Change the reservation's reserved value

1. Set the This reservation reserved value at 9, to make 9GB of VNX SAS storage available to the DevOps
business group.
2. Set the Priority value to 1. This value lets you manage distribution of new VMs across datastores.
3. Save the new setting by clicking on the green check symbol in the left-most column of the new datastore's
resource row.

You have now added 9GB of the 15GB of new space that you provisioned in Exercise A.1.2 to the DevOps business
group's storage reservation.

Confirm reservation changes

Confirm the change by clicking the OK button at the bottom of the Reservations page.

Step 3 - Allocate the remaining new storage to the Production-IT business group

Having closed the Production-DevOps01 group's reservation, you'll be returned to the Infrastructure > Reservations >
Reservations page.

In this step, you'll assign the remaining 5GB of new VNX SAS storage to the Production IT business group.

1. Hover the mouse pointer over the Production-IT reservation line item.
2. When the popout menu appears to the right, click Edit

View the available IT Business Group resources

When the Edit Reservation - vSphere (vCenter) page appears, click the Resources tab.

Edit the VNX SAS datastore's reservation allocation

In the Resources tab, scroll down through the Storage Paths section until you find the same VNXSAS_... datastore that
you edited in Step 2 above.

This time, you'll notice that:

1. The Free column still says 14GB, indicating that none of this new storage has actually been consumed by any
business tenants yet.
2. The Reserved column now says 9, reflecting the 9GB's worth of space you assigned to the DevOps group in
Step 2.

Enable the storage for Production-IT

To enable the remaining 5GB of this datastore for Production-IT use, click the empty box in the left-most column of the
datastore's resource row.

Change the reserved value

1. Set the This reservation reserved value at 5, to consume the remainder of the VNX SAS datastore.
2. Set the Priority value to 1
3. Save the new setting by clicking on the green check symbol in the left-most column of the VNXSAS_...
resource row.

You have now assigned the remaining 5GB of the 15GB datastore that you provisioned in Exercise A.1.2 to the
Production-IT business group's storage reservation.

Confirm reservation changes

Confirm the change by clicking the OK button at the bottom of the Reservations page.

Step 4 - Return to the vRealize Automation page

Click the Catalog tab beneath the to return to the Cloud Administrator's Service Catalog page.

Summary

In this Lab, after logging in to the vRealize Automation Self-Service Portal and stepping through a subset of the
available Catalog services, you used the Provision Cloud Services catalog item to create a new storage LUN, mount it
into vCenter as an iSCSI datastore, and add it to the vRA inventory of available cloud resources, all through a few
clicks.

You then shared the new datastore across two tenant business groups in RainPole's cloud environment: 9GB of
capacity allocated to DevOps, and 5GB to Production-IT. Using this approach, new storage can be divided across
whichever business groups need additional capacity, rather than creating separate datastore clusters and tiers for
each business group, resulting in more efficient use of storage space.

Other Labs in this Guide have additional information about some of the topics and management concepts you were
introduced to in this Lab.

To add a vCloud Air virtual data center to vRealize Automation as a managed endpoint, please complete Lab A.3.
Creating and publishing new Service Catalog items, including managing user access, is demonstrated in Lab B.1.
To see how the Self-Service Portal is customized for user experience and user permissions, complete Lab C.1.

Lab A.2 - Import a Pre-Existing VM into vRealize Automation (10-15 minutes)

Exercise A.2.1 - Locate the Target VM in VMware vCenter
After deploying an Enterprise Hybrid Cloud solution, organizations sometimes find it necessary to expand the scope of
cloud-managed resources to include components, services, and workloads that were created outside the cloud
environment. Importing pre-existing resources can enable cloud administrators to provide continuity of service - i.e., to
maintain existing services and to support critical business processes - while bringing those applications and
resources into the Enterprise Hybrid Cloud's centrally-managed services catalog.

In this Lab, in the role of the Cloud Administrator, you will import a pre-existing virtual machine into vRealize
Automation and assign it to the Developer user as the new owner.

You'll begin in this Exercise by initiating a data-collection operation from within vRA to prepare the environment and
locate the target VM.

NOTE: This Exercise assumes you are still logged in to vRealize Automation as the Cloud Administrator. For
instructions on logging in to vRA as cloud_admin, please refer to Lab A.1, Exercise A.1.1.

Estimated time necessary to complete Lab A.2: 10-15 minutes.

Step 1 - Log in to the VMware vSphere Web Client

Open a new browser tab by clicking the + symbol in the title bar of your Firefox session.

Connect to vCenter

When the new tab loads, click the vSphere Web Client button in the Firefox shortcuts bar.

Enable Adobe Flash plugin

When the login page loads, you may see an alert notifying you that Firefox is blocking Adobe Flash from running. Click
the Allow button to continue.

Authorize plugin for all future sessions

Click Allow and Remember to prevent the Flash alert from appearing in subsequent login prompts.

Log in to vCenter

Log in to vCenter using your Windows credentials.

1. In the User name field, enter vlab\administrator
2. In the Password field, enter Password123!
3. Click Login

NOTE: The login process may take 2-3 minutes to complete.

Step 2 - Review the host cluster layout

Once the vCenter Web Client Homepage loads, you'll locate the pre-existing VM.

In the Navigation pane on the left side of the window, click the Hosts and Clusters link.

Note the host cluster arrangement

You'll see there are two host clusters in this solution environment:

1. MGMT, which contains two hosts, esx01 and esx02, used for cloud-management virtual machines. You'll also
see a third host, used for virtual storage in the vLab environment.
2. Tenant, which contains two additional hosts and the cloud tenant VMs.

NOTE: Depending on underlying conditions in your environment, you may see one or more vSphere hosts showing
alarms. This is likely due to the reduced resource availability of the vLab environment rather than a current problem
with any host. If, however, a host is showing offline, then please open a support ticket for your session on the vLab
portal.

Note the vApp arrangement on the Tenant host cluster

Within the Tenant cluster, you'll also see:

1. Three vApps: one for VM Templates, and the other two corresponding to the tenant resource pools within the
cloud environment.
2. Virtual machine VM1, currently unmanaged and outside the current cloud resource allocation.

Step 3 - Review the VMs and Templates layout

Click the VMs and Templates tab at the top of the Navigation Pane.

Note the datacenter VM folder structure

When the VMs and Templates view loads, you'll see a series of folders, showing the organization of management VMs,
tenant VMs, and templates.

VM folders named Daily... and Weekly... correspond to backup policies created by vRA and Avamar.

Within the Management folder, you'll see the component VMs for managing cloud services, such as the EMC Data
Protection Advisor (DPA), NSX, and vROps virtual machines.

Identify the target VM for import

At the bottom of the list are VMs that are hosted in the vLab datacenter, but which are not otherwise managed within
the cloud environment.

Click to highlight the unmanaged virtual machine named VM1. This is the VM that you will import into vRA in the next
Exercise.

Step 5 - Review VM details

When the VM's Summary page loads, expand the VM Hardware pane to see the VM's resource allocation.

Review allocated hardware

In the expanded VM Hardware page, note the VM's operating system and resource footprint.

1. Guest Operating System: Red Hat Enterprise Linux 6
2. 1 CPU
3. 2048 MB memory
4. 5GB disk space in one volume
5. Note also that the VM has already been powered off. This action is necessary prior to import into vRA.

Log out of vSphere Web Client

When you've finished browsing the VM and folder organization, log out of the vSphere Web Client session by clicking
the drop-down symbol next to the Administrator@vlab.local session link in the upper-right corner of the page, and
then selecting Logout from the drop-down menu.

Return to vRealize Automation

Close the vSphere Web Client tab and switch back to the Self-Service Portal.

Step 6 - Log in as Developer user

In the remainder of this Exercise, you'll review the current inventory of VMs owned by the Developer prior to importing
VM1 into vRealize Automation.

Open a private session of Firefox:

1. Click the menu button in the upper-right corner of the browser window.
2. Click the New Private Window button in the pop-out menu.

This will enable you to log in simultaneously as the Developer without having to log out as the Cloud Administrator.

Connect to vRealize Automation

When the new, private browser window opens, click the vRA shortcut button in the browser's Bookmarks toolbar.

Enter login credentials

Log in to vRA as the Developer:

1. In the User name field, enter devops_user@vlab.local
2. In the Password field, enter Password123!
3. Click Login

Step 7 - View the Developer's current machines list

When you've logged in successfully, click the Items tab at the top of the self-service portal.

Note the current list of VMs

Take note of the VMs currently owned by the DevOps user.

NOTE: The current inventory of VMs owned by the DevOps user may differ from the items shown in this Guide.

After you've completed Exercise A.2.2, you'll come back to this page to see the difference.

Exercise A.2.2 - Import the Target VM into vRealize Automation
In this Exercise, while logged in as the Cloud Administrator, you will use the vRealize Automation Infrastructure
Organizer tool to add the VM1 server from Exercise A.2.1 to the managed inventory of tenant VMs.

Step 1 - Launch the Infrastructure Organizer

From the DevOps user's private Firefox window, switch back to the primary Firefox session.

Open the Infrastructure page

From the cloud administrator's vRA session, click the Infrastructure tab.

Browse to the top-level Infrastructure navigation menu

If you're completing the Lab exercises in sequence, you'll see the Reservations page from Lab A.1 when the
Infrastructure page loads. If not, skip this step.

Click the Back to Infrastructure menu bar at the top of the navigation widget on the left side of the page.

Continue to the Infrastructure Organizer

When the Infrastructure page loads, click the Infrastructure Organizer menu item in the navigation widget.

Open the Infrastructure Organizer

VM import into vRealize Automation can be performed on individual VMs or small groups of VMs, or on VMs in bulk
using a .csv file. In this Exercise, you'll import a single VM.

To continue, click the Infrastructure Organizer menu item in the left-hand column, again.

Step 2 - Identify the target VM

When the Infrastructure Organizer page loads, you'll see an overview explanation of the wizard.

In addition to importing VMs, the Infrastructure Organizer can also be used for importing resources, such as compute
and storage, into the cloud infrastructure.

To begin the process of locating and importing the target VM, click Next.

Select the target resource pool

In this first page, you'll choose the compute resource hosting the VM.

In this instance, the VM1 virtual machine is hosted on the Tenant resource pool, which corresponds to the Tenant host
cluster you found on the cloud environment's VC01 host cluster.

To continue with the wizard:

1. Check the box labeled Tenant
2. Click Next

Configure Compute Resources

On the next page, confirm that the Tenant resource cluster is the only one that appears on the list, and click Next.

NOTE: If the Infrastructure Organizer wizard resets to the start page and you're unable to list the available resources,
log out of Firefox and log back in as the Cloud Administrator, using the instructions provided in the first Exercise of Lab
A.1, then return to the Infrastructure > Infrastructure Organizer wizard.

Step 3 - Configure the target VM

When the Choose Machines page loads, it shows the available (unmanaged) VMs that were found on the Tenant
cluster. Locate the VM1 virtual machine in the list, and click the pencil icon in the left column of the row.

NOTE: The 'Pin' feature lets you edit multiple elements simultaneously. To do so, simply pin all the items you want to
configure and then edit one of the selections. The changes you make are then applied to all pinned selections.

Choose a business group

When the Business Group window appears:

1. Click the drop-down button and select DevOps
2. Click the green circle to the left of the VM name to save the updated configuration.
3. Click Next to continue

Configure the VM

When the Configure Machines page loads, click the pencil icon to the left of the form.

Assign existing blueprint, reservation, and owner

On the Configure Machines page:

1. Click the Blueprint drop-down button and choose RHEL6 (corresponding to the RHEL operating system you
saw on VM1 in vCenter in Exercise A.2.1).
2. Click the Reservation drop-down button and choose Production-DevOps01
3. Click the Owner drop-down button and choose devops_user@vlab.local

Save changes and continue

1. Click the green circle button at the left end of the row to save the configuration changes.
2. Click Next

NOTE: The Grow Allocations setting, if selected, increases the memory and storage allocated to the target reservation
by the exact amount consumed by the imported machine(s). Increase Quota raises the machine quota on the target
reservation by the number of VMs being imported.

Step 4 - Confirm import

Review the proposed action and click Finish.

Acknowledge registration

Click OK to acknowledge completion of the operation. You'll be returned to the Infrastructure > Recent Events page.

Step 5 - Review Developer's Machines

Using the Windows Taskbar, switch back to the private Firefox session in which the Developer is logged in to vRA.

Reload the Machines page

At the bottom of the Machines page, click the Refresh button to reload the DevOps user's VM inventory list.

NOTE: The newly-imported VM may take several minutes to appear on this page.

Confirm the import of VM1

When the page has reloaded, you'll see that VM1 has been added to the list of VMs owned by the Developer,
confirming the successful import of a pre-existing virtual machine into vRA.

Step 6 - Disconnect Developer and vCenter sessions

Click the Logout button in the upper-right corner of the self-service portal. This will end the Developer's login session
to vRA.

When you've successfully logged the Developer user out of vRA, close the Private browser window.

Summary

In this Lab, as the cloud administrator, you've imported a virtual machine from outside the cloud environment into
vRA, and verified that the VM has been successfully assigned to the Developer user.

As the new VM owner, the Developer can now manage the virtual machine - including power state, snapshots,
deletion, and reconfiguration - consistent with the settings of the RHEL6 Blueprint which you applied to VM1 when you
imported it.

For a deeper look at creating and managing VM blueprints, approval policies, and entitlement settings, please
complete Lab B.1.
To learn more about data protection management, including creating backup service levels, please see Lab B.2.
To see how VMs can be enabled for enterprise management through integration with your CMDB platform,
please see Lab B.3.
For more information on managing VMs - including VM creation, backup and restore operations,
reconfiguration, power-state management, snapshots, and deletion - please complete Lab C.1.
To see how enterprise applications can be automatically deployed to a new VM as part of the provisioning
process, see Lab C.2.

Lab A.3 - Add a vCloud Air Site to vRealize Automation (15-20 minutes)

Exercise A.3.1 - Connect to the Cloud Experience Center and launch the demo
Built on converged infrastructure from VCE, an Enterprise Hybrid Cloud solution enables feature-rich capabilities such
as database-as-a-service (DBaaS), Disaster Recovery-as-a-Service (DRaaS) and continuous availability, and
Hadoop-as-a-Service. Additionally, while these are not part of a Foundation deployment or a modular add-on feature,
you can also leverage third-party tools for automated application deployments (e.g. Puppet), CMDB management
(e.g. ServiceNow), and IP Address Management (e.g. Infoblox), to extend your cloud environment for even greater
enterprise-level service and support.

Due to the highly virtualized nature and limited size of the vLab environment, however, this lab session is unable to
support anything beyond local IaaS and limited-scope application deployment blueprints. To demonstrate some
additional uses and capabilities of an Enterprise Hybrid Cloud, we've created a number of interactive demos,
accessible through the Cloud Experience Center at http://interactivedemos.emc.com/ehc, which you can step through
as part of your lab experience today.

In this Lab, you will use the Cloud Experience Center to see how to connect your Enterprise Hybrid Cloud to a vCloud
Air site, and how to configure your environment with a new reservation and vCloud Air-based blueprint. Finally, you'll
deploy a new VM to your vCloud Air data center from the vRealize Automation self-service portal.

Estimated time necessary to complete this Lab: 15-20 minutes

Step 1 - Connect to the Cloud Experience Center

You'll begin by opening a new Chrome browser instance from the Windows Taskbar.

Open the Cloud Experience Center

When the Chrome browser window loads, click the Cloud Experience Center link in the Bookmarks bar.

Step 2 - Continue to the next Exercise to launch the demo

To begin the demo, proceed to Exercise A.3.2.

Exercise A.3.2 - Create a vCloud Air Endpoint
With an Enterprise Hybrid Cloud, you can manage resources and workloads across multiple sites - both public and
private cloud infrastructure - from within the same vRealize Automation self-service portal.

In this Exercise, you'll add a vCloud Air-based remote site to the cloud environment.

Step 1 - Open the new vCloud Air endpoint demo

From the Cloud Experience Center's demo menu, click the vCloud Air Integration hyperlink in the bottom center of the
Menu.

Launch the interactive demo

When the vCloud Air Demos popup menu appears, click Create a vCloud Air Endpoint.

Step 2 - Open the New Endpoint configuration wizard

You'll begin on the All Services page of the service catalog. Click the Infrastructure tab at the top of the page.

Open the Infrastructure > Endpoints page

From the Infrastructure page, click the Endpoints bar in the left-hand navigation widget.

Continue to the Infrastructure > Endpoints > Endpoints page

On the next page, click Endpoints again.

Launch the wizard

You'll see the Infrastructure > Endpoints > Endpoints page.

This page shows the managed endpoint resources that have been configured in vRealize Automation. You can see that
the environment currently consists of only the local vCenter server (with its compute, network, and storage resources)
and the local vCenter Orchestrator server (for infrastructure and application deployment automation).

To add a vCloud Air site to vRA, click the New Endpoint button, then click Cloud, then vApp (vCloud) from the popout
menus.

Step 3 - Discover the vCloud Air data center URL

When the New Endpoint - vApp (vCloud) page loads, you'll see that the Name has already been provided.

On this page, you'll need to enter the URL to your vCloud Air-based data center. In order to obtain this URL, you'll need
to open the vCloud Air portal.

1. Click the Address window.
2. A popup box will appear at the bottom of the screen to connect to vCloud Air.
3. Click anywhere on the page to open the vCloud Air portal.

Open the vCloud Air dashboard

The vCloud Air portal will appear, showing two tiles: My Subscriptions, and Identity and Access.

Click anywhere on the page to open the My Subscriptions tile.

Open the Virtual Data Center Page

You'll see the vCloud Air dashboard page, showing available resources (1), the current number of active VMs (2), and
the number of virtual data centers (3).

Since you'll be adding the vCloud Air virtual data center as a vRA-managed endpoint, this is the information you're
looking for.

Click anywhere on the page to open the Virtual Data Center.

Expand the vCloud Director API URL

You'll see the Data Center Details page appear.

For the vRealize Automation instance in your local environment to connect to and authenticate with your vCloud Air
data center, you need the vCloud Director API URL from this page.

Click anywhere on the page to expand the API URL link.

Copy the URL to the Windows Clipboard

The first line of the URL is the information that you'll need to provide to vRA.

Click anywhere on the page to copy this line to the Windows Clipboard.

Return to vRealize Automation

With the URL now successfully copied, click anywhere on the page to close the vCloud Air portal and return to vRealize
Automation.

Provide the URL to vRA

You'll be returned to the New Endpoint page in vRA.

Click in the Address field to paste the data center URL from vCloud Air.

Step 4 - Configure connection credentials

The next step in the process is to provide the necessary credentials for vRA to connect to the vCloud Air data center. To
begin, click the ellipsis button next to the Credentials field.

Add new credential entry

Authentication credentials for all vRA endpoints are managed from a single page. Consolidating this information lets
vRealize support organizations that require separation of duties between cloud administrators and security
administrators. A security administrator can manage this page, and the cloud administrator can use these
credentials to establish endpoint connections without having to know the endpoint credentials.

To create a new entry, click the New Credentials button in the upper right corner of the window.

Name the credential entry

A name for the new entry has been provided for you.

Click the User Name field to have the user account and password fields automatically filled in.

Save the credential entry

Click the green checkmark button in the left column of the row to save the new credentials.

Return to the New Endpoint page

Now that you've added the necessary credentials to vRealize Automation, and with the new vCA entry already
highlighted, click OK to return to the New Endpoint page.

Step 5 - Discover the vCloud Air Organization

You'll be returned to the New Endpoint - vApp (vCloud) configuration page.

The next step is to provide the Organization name, which we'll also copy from the vCloud Air portal.

Click anywhere on the page to return to the vCloud Air portal.

Copy the Organization name to the clipboard

You'll see the same Virtual Data Center Details page on the vCloud Air portal that we left in Step 3, showing the
organization name at the top of the dashboard.

Click anywhere on the page to copy the Organization name to the Windows clipboard.

Return to vRealize Automation

With the Organization name now successfully copied, click anywhere on the page to close the vCloud Air portal and
return to vRealize Automation.

Provide the Organization name to vRA

Back on the New Endpoint configuration page, click in the Organization field to paste the Organization name from
vCloud Air.

Step 6 - Create and confirm the new Endpoint

With all the necessary information provided to vRealize Automation, click the OK button to create the new endpoint.

Validate the vCloud Air connection from vRA

You'll return to the Endpoints page, where you'll see that the new endpoint has been added to the managed endpoint
inventory.

Next, you'll validate the connection and run a data collection operation from vRA to discover the pool of resources
available to vRA from vCloud Air.

Discover vCloud Air resources

Hover the mouse pointer over the vCAir-DEV endpoint entry, then click Data Collection from the popout menu.

Confirm data collection operation

You'll see that data collection has already started. In this operation, vRealize Automation connects to vCloud Air to
enumerate the available resources in the new endpoint.

Click Refresh to update the status of the operation.

Complete the operation

You'll see that the data collection operation succeeded.

You'll also see a text box advising you to click anywhere on the page to create a new reservation using resources from
vCloud Air. Click anywhere on the page to return to the Endpoints page, and then proceed to Exercise A.3.3.

Exercise A.3.3 - Create a vCloud Air Reservation
In the previous Exercise, you added a new endpoint to vRealize Automation as a managed endpoint, then connected
to the endpoint from vRA and discovered its pool of available resources.

Now, in this Exercise, you'll create a new Reservation using some of the available vCloud Air resources, and make that
Reservation available to your IT users.

Step 1 - Assign a Fabric Group

Click the Back to Infrastructure link in the navigation column on the left side of the page.

Open the Groups page

From the Infrastructure navigation widget, click the Groups button.

Continue to Fabric Groups

Next, click the Fabric Groups button.

Edit the Fabric Group

Fabric Groups organize compute resources and cloud endpoints into logical clusters. These logical clusters can then
be presented to different tenants by business group, by LOB, by cost center, etc.

Hover the mouse pointer over the IT_Fabric_Group entry, then click Edit from the popout menu.

Enable the vCloud Air endpoint for IT

In the list of Compute Resources, you'll see both the list of available resource pools, and which pools are already
associated with the fabric group.

1. Check the box next to M814923143-6342, which you'll recall from the previous Exercise is the name assigned
to the vCloud Air virtual data center.
2. Click OK to save the updated list.

Step 2 - Create a new Reservation

You'll return to the Fabric Groups page, showing the IT_Fabric_Group for which you just enabled access to the vCloud
Air resource pool.

Click the Back to Infrastructure link in the navigation widget.

Continue to Reservations

Click the Reservations link.

Open the Reservations page

When the next widget appears, click Reservations again.

Open the new Reservation page

This page shows the existing Reservations. To add the vCloud Air resources to this list, you'll need to create a new
Reservation.

To begin, click the New Reservation button in the upper right corner of the page, then hover over Cloud, then select
vApp (vCloud).

Step 3 - Configure the Reservation Information

The New Reservation - vApp (vCloud) page will appear.

To begin, click the drop-down button in the Compute resource window and select M814923143-6342 (vCAir-DEV) from
the list.

Select a business group

The Reservation Name has already been provided for you.

Click the Business group drop-down button and select DevOps from the menu.

Assign a priority

1. Click the Priority window and enter 5.
2. Click the Resources tab.

Step 4 - Assign resources

This page lists the available memory and storage resources that were detected by vRealize Automation when the data
collection operation was run at the end of the previous Exercise.

Click the SSD-Accelerated checkbox to assign storage to the reservation.

Allocate storage to the Reservation

1. Click the This reservation reserved window and enter 100.
2. Click the Priority field and enter 10.
3. Click the green checkmark button to save the storage changes.

Allocate memory

1. Next, click the This Reservation window in the Memory section and enter 10.
2. Then click the Network tab.

Assign a network path

1. On the Network page, click the M814923143-6342-default-routed network path. This will enable external
network connectivity for vCloud Air-based VMs created from the vRA self-service portal.
2. Click OK to save the configuration and create the new Reservation.

Confirm new Reservation

You'll return to the Reservations page, where the vCAir_DEV reservation now appears at the bottom of the list.

Click the Catalog tab at the top of the page to open the Service Catalog, and proceed to the next Exercise in the Lab.

Exercise A.3.4 - Create a vCloud Air vApp Blueprint
In previous Exercises of this Lab, you added a new vCloud Air Virtual Data Center as a managed endpoint in vRealize
Automation, and then created a new Reservation to host tenant workloads for IT users in your organization.

In this Exercise, you'll create a new vRA IaaS blueprint, using vCloud Air as the target.

Step 1 - Review the Virtual Servers Catalog page

From the previous Exercise, you'll begin on the Catalog page, looking at the available items from the Virtual Servers
service catalog. Note that there are currently four catalog items on this page at the beginning of this Exercise.

Step 2 - Open the Blueprints page

Click the Infrastructure tab at the top of the self-service portal.

Navigate the Infrastructure widget

From the Infrastructure page, click the Blueprints button in the navigation widget on the left.

Continue to the Blueprints page

Click Blueprints again on the next page.

Step 3 - Create a new vApp Blueprint

This page shows the inventory of Infrastructure-as-a-Service (IaaS) blueprints that have been created in vRealize
Automation. Blueprints from this page that have been published will appear as Catalog Items on the self-service
portal.

When a user requests a VM from the catalog, the Catalog Item's blueprint defines the parameters (CPU, memory, disk,
location) that will be used to create the new VM.

To add a blueprint for vCloud Air, we'll need to create a vApp container, with a single VM blueprint in the vApp.

Click the New Blueprint button. When the drop-down menu appears, click Cloud, then vApp (vCloud).

Provide blueprint information

The new blueprint's Name has already been provided for you. When this new blueprint has been published and
appears on the self-service portal as a Catalog Item, its name will be based on the name of the blueprint.

Click in the Description field to continue.

Provide description and archive values

1. The Description has already been provided for you.
2. Click the Archive window and enter 7.
3. Click the Build Information tab to continue.

Step 4 - Configure blueprint settings - select an image

The settings that you configure on this page will control how all VMs based on the new blueprint will be deployed.

The first step will be to assign an image from the available vCloud Air inventory. Click the ellipsis button next to the
Clone from window.

Select a VM image for the blueprint

When the Select vApp Template window appears:

1. Click the CentOS63-32BIT image from the list.
2. Click OK to return to the Build Information page.

Step 5 - Configure blueprint settings - Select a deployment blueprint

You've assigned an image for the vApp. The next step is to specify a deployment blueprint that defines hardware and
storage parameters for deploying VMs based on this image.

Click the pencil icon next to the VM image name.

Assign a hardware blueprint

1. Click the drop-down button in the Blueprint window.
2. Select vAppVM-Off-Prem-Linux from the list.
3. Click the green checkmark button to the left to save the blueprint assignment.

Save all settings and create the blueprint

Now that you've defined a blueprint name, description, archive value, image, and build profile, click OK to create the
blueprint and add it to the vRA inventory.

Step 6 - Enable the new blueprint in the Catalog

You'll see the new blueprint appear on the inventory list, with its Published status currently set to No.

Publishing the blueprint will add it to the self-service portal as a Catalog Item.

Hover the mouse pointer over the CentOS - vCloud Air (DEV) blueprint...

Publish the blueprint

...and click Publish from the popout menu.

Confirm publication

Click OK to confirm publication of the new blueprint.

Step 7 - Edit the new Catalog item

You'll return to the Blueprints page, where the Published status of the new vApp blueprint has changed to Yes.

The next step will be to configure the Catalog Item in vRealize Automation.

Click the Administration tab at the top of the page.

Open the Catalog Management page

From the Administration page, click the Catalog Management button in the navigation widget.

Open the Catalog Items page

Click the Catalog Items button.

Open the new Catalog Item's Details page

On the Catalog Items page, you'll see a list of some of the published and retired catalog items in the vRA inventory.

Click the CentOS - vCloud Air catalog item hyperlink to edit its settings.

Step 8 - Configure the Catalog Item's settings

Now that you've defined a vCloud Air blueprint and published it, you'll need to configure how and where you want it in
the Catalog. On this page, you can define the Catalog service under which the new item appears and the cloud users
to whom it is visible. You can also assign an icon to the item.

On the Configure Catalog Item page, you'll see the item's Name and Description, which are based on the blueprint
values that were configured earlier in the Exercise.

To assign an icon to the new item, click the Browse button next to the Icon field.

Assign an icon to the new Catalog Item

You'll see a list of available image files to use as icons for the new item.

1. Since the vCloud Air template you assigned is based on a CentOS VM image, click to highlight the centos-vm
file on the list.
2. Click Open to return to the Configure Catalog Item page.

Open the catalog service menu

On the Configure Catalog Item page:

1. Scroll down to the bottom of the page.
2. Click the drop-down button in the Service field.

Assign a Catalog service

The Service drop-down menu controls two attributes of the Catalog Item: the category in which the item will appear,
and (based on the Service's pre-configured Entitlements) which users / groups will be able to see and use the Item
from their own self-service portals.

1. Select Virtual Servers from the menu.
2. Click Update to commit the item's changes and update the Catalog Item.

Step 9 - Confirm new Catalog Item

You'll return to the Catalog Items page.

Click the Catalog tab at the top of the page to return to the Service Catalog.

Review Virtual Servers catalog page

You'll recall that in the first step of this Exercise, you began on the Service Catalog page with four catalog items.

Now that you've completed the Exercise, you'll see five items, one of which is the new CentOS - vCloud Air (DEV)
catalog item based on the new blueprint and catalog item that you just created.

Click anywhere on the page to activate the next demo, and proceed to the next Exercise in the Lab.

Exercise A.3.5 - Provision a vCloud Air Virtual Machine
In Exercise A.3.2 of this Lab, you added the vCloud Air data center to vRealize Automation as a managed endpoint,
then (in Exercise A.3.3) created a Reservation using available vCloud Air storage and memory resources for vRA users
to access. Next, in Exercise A.3.4, you built a new vCloud Air vApp blueprint for deploying VMs to vCloud Air from vRA.

In this final Exercise, you'll deploy a new VM in the vCloud Air data center, using that new blueprint.

Step 1 - Launch the new VM request

From the previous Exercise, you should be on the Virtual Servers service catalog page, on which you'll see the CentOS -
vCloud Air (DEV) catalog item that you just created in vRA.

Click its Request button to begin.

Configure and submit new VM request

As you can see, the vApp and VM blueprint are based on the settings you configured in Exercise A.3.4.

Accept the defaults and click Submit.

Confirm new VM request

Click OK on the Request confirmation page to acknowledge the submission and open the Requests page.

Step 2 - Monitor deployment status

On the Requests page, you'll see the new VM deployment operation at the top of the list, with its deployment status
showing In Progress.

Click the Refresh button at the bottom of the page to reload the page and update the status.

Confirm successful VM deployment

When the page reloads, you'll see that the deployment has successfully completed.

Click the Items tab at the top of the page to see the new vCloud Air-based VM.

Step 3 - Review details of the new VM in vRA

On the Items page, you can see the new VM has been deployed successfully and is powering on for the first time.

Click the + symbol next to the new item to expand the vApp instance and see the details of the new vCloud Air-based
VM.

Open VM details page

Due to the way in which vRA and vCloud Air manage shared resources, and based on blueprint settings that you
configured in the previous Exercise, DEV129 is the vApp container that vRA uses to manage the VM. CSP121 is the
actual VM running in the vCloud Air virtual data center.

Click the CSP121 hyperlink to view its Details page.

View the VM details

You can see that the CSP121 VM is based on an off-prem Linux blueprint, and hosted on the M814923154-6342
compute resource, which you'll recall from Exercise A.3.2 is the name of the vCloud Air virtual data center.

Click anywhere on the page to open the vCloud Air management console and see the new VM.

Step 4 - Confirm new VM in vCloud Air

You'll see the new VM, its name, hardware settings, and vApp details match what was configured in the blueprint and
deployed in vRealize Automation.

Click anywhere on the page to close the vCloud Air management console.

Return to the Catalog

You'll be returned to the Virtual Servers Catalog page, complete with the new Catalog Item that you created and
validated in this Lab.

Close the Chrome browser

When finished, unless you plan to continue directly to Lab B.3 or Lab C.4, close the Chrome web browser to improve
performance in the Firefox-based labs.

Conclusion

The Enterprise Hybrid Cloud offers the ability to add remote-site endpoints, such as vCloud Air, quickly and easily. This
gives you the agility to grow your cloud capacity in response to business growth and changing business demands.

With the flexibility of a vCloud Air virtual data center as part of your cloud infrastructure services portfolio, you can also
deliver increased value to your customers by ensuring that business workloads are optimally placed for availability,
capacity, and performance.

Related Labs

Based on the concepts introduced and reviewed during this Lab, you may be interested in one or more of the following
additional labs in this Guide:

For a more in-depth exploration of the process of creating a new IaaS blueprint, please see Lab B.1.
In addition to deploying a new VM, Lab C.1 provides a look at the entire lifecycle of a VM, from creation to
disposal.
Additional interactive demos are available in Lab B.3 and Lab C.4.

Lab B.1 - Create a New IaaS Blueprint and Approval Policy
(20-30 minutes)

Exercise B.1.1 - Create a New IaaS Blueprint
This Lab will walk you through the process of creating, configuring, and publishing a new Infrastructure-as-a-Service
(IaaS) blueprint to the catalog. You'll also see how catalog items are enabled for access by specific cloud customers.
You will then create an approval policy and attach it to the catalog item to require Cloud Administrator approval for
users wishing to use the blueprint for new VMs. Finally, you'll test the blueprint and approval policy by requesting a
new VM as the Developer user.

In this exercise, as a Cloud Administrator, you will use the vRealize self-service portal to create a new single-VM IaaS
blueprint. You will publish this IaaS blueprint as a new catalog item in the vRealize self-service catalog page in
Exercise B.1.2.

Estimated time necessary to complete this Lab: 20-30 minutes

Step 1 - Log in to vRealize Automation as the Cloud Administrator

From previous Labs, you may already be logged in to vRealize Automation as the Cloud Administrator. If so, proceed to
the next Step in the Exercise. If not, then from the vRA login portal:

1. Enter cloud_admin@vlab.local in the User name field.
2. In the Password field, enter Password123!
3. Click the Login button.

Step 2 - Open the Blueprints management page in vRealize Automation

From the Cloud Administrator's Catalog page in vRealize Automation, click the Infrastructure tab.

Navigate to Infrastructure > Blueprints

The first page that will load will be the Infrastructure Recent Events log. In the left-hand menu column, click
Blueprints...

Navigate to Infrastructure > Blueprints > Blueprints

...and then click Blueprints again.

Step 2 - Launch the blueprint configuration process

When the Blueprints page loads, click the New Blueprint button on the top-right of the page.

Choose the blueprint type

In addition to vSphere/vCenter-based deployment templates, vRealize Automation supports blueprints based on
multiple platform types, including physical hardware (native support for deployments on Cisco UCS, HP iLO, and Dell
iDRAC hardware is included), public cloud (e.g., Amazon EC2 and OpenStack), and multiple hypervisor platforms
(including Hyper-V, KVM, and Xen Server).

When the drop-down menu appears, select Virtual, then vSphere (vCenter).

Step 3 - Configure blueprint settings

When the New Blueprint - vSphere (vCenter) page loads, enter Small VM - Protected in the Name field.

Provide a description

In the Description field, enter Small Linux server VM with data protection enabled

Assign the reservation policy

On the Reservation policy field, click the drop-down button and select Production.

Configure VM limit and Archive settings

1. In the Maximum per user field, enter 2. This sets a limit of 2 VMs per user from this blueprint.
2. In the Archive (days) field, enter 7

Step 4 - Configure blueprint build information

Now that you've configured the blueprint settings, click the Build Information tab.

Set a blueprint type

In the Blueprint type field, click the drop-down button and choose Server.

NOTE: This setting is used for license-tracking and compliance purposes only. It does not affect the VM provisioning
process in any way.

Set the method of VM creation

In the Action field, click the drop-down button and choose Clone.

Step 5 - Choose the template for the blueprint

If the template will be based on a clone, or a linked clone, you must specify the existing VM image template that will
be used as the source of the clone operation.

Click the Browse button next to the Clone from field.

Select the target VM template

When the Select Template form opens, verify DSLwNET is highlighted, and click OK.

Step 6 - Configure resource settings

The Machine Resources section of this page allows you to set resource policies. You must provide a minimum setting
for CPU, memory, and storage for the VM. If you leave the maximum setting blank for any particular resource, vRA will
not allow users to add more of that resource.

Provide minimum resource settings

Under the left-side Minimum resource settings:

1. Set the CPUs minimum at 1
2. Set the Memory field at 32

You will configure the minimum storage setting in the next step. Leave the Lease (days) field blank.

Provide maximum settings

To set upper resource limits for all VMs based on this blueprint:

1. Set the CPUs maximum at 2
2. Set the Memory maximum at 128
3. Set the Storage limit at 5

Step 7 - Configure storage settings

In this step, you will configure the primary storage volume and choose a storage tier.

Click the New Volume link in the upper-right corner of the Storage volumes box.

Set storage capacity, tier, and selection policy

1. Set the Capacity (GB) of the new volume to 2
2. Click the Storage Reservation Policy drop-down button and select VNX FASTVP. All VMs deployed using this
template will have their initial volume created on the VNX FASTVP storage tier by default as a result of this
setting.
3. Click the green check button at the left end of the new volume row to save the volume setting.
4. Check the Allow user to see and change storage reservation policies button. This will give cloud customers
the ability to choose which storage tier they wish to use when they provision the VM initially or when they add
new storage.

Step 8 - Add data protection to the blueprint

Click the Properties tab at the top of the form.

Enable data protection

When the Properties page loads, check the box labeled BackupAndRestoreFunctions. Enabling this setting will require
users to select a backup service policy when they provision VMs from this template.

Step 9 - Configure user-enabled Actions for the blueprint

Click the Actions tab at the top of the form.

Configure user-enabled operations

On this page, you can select which features and actions users will be able to run against their own VMs.

NOTE: User-enabled settings that you configure in this Exercise will apply to VMs provisioned from this template, not
to the template itself. Users will have no rights to perform any of these actions against the template directly, or against
VMs created by other users from this template.

Most Machine operations in the template are enabled by default. Deselect the following boxes, leaving all remaining
operations enabled:

Connect to remote console
Connect by using RDP or SSH
Connect by using VDI
WFvCOMachineMenu1

Snapshot and VM editing

Accept the default settings to Allow snapshots. With this setting, users can create, apply, and delete snapshots
against their own VMs.

Accept the default setting to Allow reconfigure. This setting lets users add CPU, memory, storage, and networking to
their VMs after they have been provisioned. The Enable execution selector and Enable power action selector options
allow users to specify when the reconfiguration operation should occur, and whether users have the ability to shut
down the VM automatically as part of the reconfigure operation.

Submit the blueprint

When finished, click OK. You'll be returned to the main Blueprints page.

Confirm

When the blueprint has been successfully created, you'll be returned to the Blueprints inventory page. Scroll down
through the (alphabetically sorted) list until you find the Small VM - Protected blueprint that you just created.

Step 10 - Publish the new blueprint

Hover the pointer over the Small VM - Protected blueprint. When the popout menu appears, click Publish.

Confirm publication

When the Confirm Publish Blueprint page loads, click OK to publish the new Small VM - Protected blueprint.

Step 11 - Open the Catalog Management page

You'll return to the Infrastructure > Blueprints > Blueprints page in vRA. Click the Administration tab at the top of the
self-service portal.

Continue to Catalog Management

When the Administration > Identity Stores page loads, click the Catalog Management menu bar in the left-hand column
of the page.

Open the Catalog Items page

When the Administration > Catalog Management page loads, click the Catalog Items menu bar in the left-hand column
of the page.

Step 12 - Locate the new catalog item

When the Catalog Items page loads, you'll see the first of two pages of catalog items. Click the Last Page button at the
bottom of the window to advance to the next page.

Confirm the new catalog item

When Page 2 loads, you'll see the new Small VM - Protected catalog item corresponding to the blueprint that you
created and published in this Exercise.

Proceed to Exercise B.1.2, in which you'll configure and activate the new catalog item.

Exercise B.1.2 - Enable the New Item for the Self-Service Catalog
In the previous Exercise, you created, configured, and published a blueprint to create a small-footprint Linux virtual
machine with data protection enabled. When you published the new blueprint, it created a new catalog item.

Before a catalog item can be accessed by cloud users, it must first be associated with one of the available catalog
services, and have one or more entitlements assigned. The service association determines where in the catalog the
item will appear, and the entitlement settings control which group(s) of users will be able to use the catalog item.

In this Exercise, you will assign an icon to the new catalog item, associate the item with a service, entitle it for user
access, and confirm its appearance in the self-service catalog.

Step 1 - Configure the new catalog item

NOTE: This Exercise assumes you have just completed Exercise B.1.1.

From the previous exercise, you should still be looking at Page 2 of the Catalog Items inventory with your new catalog
item about midway down the list.

1. Note that the row's Service field is blank, indicating this item hasn't yet been associated with a catalog
service.
2. Click the item name - Small VM - Protected to open its configuration page.

Open the icon image library

A new icon has already been created for this catalog item and placed in a subdirectory of the local Downloads folder.
To change the icon from the default image, click the Browse... button in the middle of the Configure Catalog Item page.

Open the Downloads folder

When the File Upload dialog box opens:

1. Click the Downloads folder in the left window pane.
2. Double-click the Icons folder in the right window pane.

Locate the icon image file

When the Downloads\Icons folder opens:

1. Scroll down and click to highlight the dsl-vm-dp image file.
2. Click Open.

You'll return to the Configure Catalog Item page, and the icon preview will change from the default image to a
customized icon for this template.

Confirm icon update

You'll return to the Configure Catalog Item page, with the icon that you just assigned now visible in three sizes.

Scroll down to the bottom of the page, if necessary, and continue to the next Step.

Step 2 - Associate the catalog item with a service

The Status is already set to Active by default. This setting allows you to turn the item on or off in the catalog without
having to otherwise modify or delete it.

Click the drop-down button next to the Service field, and select the Virtual Servers menu item.

Open the Entitlements page

Click the Entitlements tab at the top of the Configure Catalog Item page.

Note the item's entitlements

On the Entitlements page, you'll see the groups which are now entitled to see and request the new VM item from the
catalog. These entitlements are inherited from the service to which you've associated the item, in this case, the Virtual
Servers service.

Click the Update button to finish configuring the item and to activate it in the service catalog.

Confirm the updated item settings and availability

You'll be returned to the filtered Catalog Items page, where the Small VM - Protected catalog item now shows itself
assigned to the Virtual Servers service.

Step 3 - Locate the new item in the catalog

Click the Catalog tab at the top of the self-service portal.

View the Virtual Servers catalog page

When the Service Catalog page loads, click the Virtual Servers service button in the navigation widget.

Note the new catalog items

You'll see three new catalog item tiles, each showing the icon file you assigned, and each labeled Small VM -
Protected, corresponding to the three entitled business groups you noted in Step 2 above.

Step 4 - Return to the catalog administration page

Click the Administration tab at the top of the page.

You'll be automatically returned to the Administration > Catalog Management > Catalog Items page. Proceed to
the next Exercise in the lab.

Exercise B.1.3 - Create a New Approval Policy
In vRealize, approval policies can be applied to catalog-item requests, such as new VMs, services, and workflows, and
resource-action requests, such as changing the configuration or state of existing VMs, services, and workflows.

Approval policy enforcement can be configured to ALWAYS require approval, regardless of conditions or settings.
Policies can also be triggered by THRESHOLDS, such as resource requests of a certain type, or above a certain
cost/size threshold.

When it comes to assigning approvers, an approval policy can be set to require ANY member of the approving group
(e.g. cloud administrators, backup administrators, fabric administrators, etc.), or (to maximize visibility) to require ALL
members of the group to approve.

In this Exercise, logged in as the Cloud Administrator, you'll create a new approval policy that will require that
developer requests for VMs with data protection enabled be approved by the cloud administrator. You'll then assign
the Cloud Administrator as the approver for requests associated with this policy, and define the policy's approval
parameters.

Step 1 - Open the Approval Policies page in vRealize Automation

Having just completed Exercise B.1.2, you should be on the Administration > Catalog Management > Catalog Items
page. Click the Back to Administration menu bar in the navigation column on the left of the page.

Continue to the Approval Policies page

Click the Approval Policies menu bar in the left-hand column of the page.

Step 2 - Add a new policy

From the Approval Policies page, click the Add button in the upper left corner.

Select the policy type

When the New Approval Policy form loads:

1. Click the radio button labeled Service Catalog - Catalog Item Request - Virtual Machine
2. Click OK

Step 3 - Configure policy settings

In this step, you'll assign a name, create a description, and set the approval level and conditions that will apply to the
policy.

From the Add Approval Policy page, enter the following information:

1. Name: DevOps VMs w/Data Protection
2. Description: Approval required for DevOps VMs with backup enabled
3. To set an approval level, click the green plus sign at the top of the Levels form.

Name the approval level

1. In the Name field, enter Cloud administrator
2. In the Description field, enter Cloud admin approval required for DevOps VMs that use data protection

Assign the cloud administrators as approvers

In the Who are the approvers? section on the right side of the Add Level page:

1. Click in the search box and enter ehc cloud, and then click the magnifying glass button on the right side.
2. Click EHC Cloud Administrator in the drop-down menu.
3. Click the Approval Form tab at the top of the page to continue.

Configure approval form settings

The settings you configure on this page determine what information is passed to the designated approver when the
request is submitted.

On the Approval Form page, check the following boxes:

CPUs
Machines
Memory (MB)

This page configures the approval form that the designated approver will see when determining whether or not to
approve the request. Since the blueprint you created does not include a lease limit, we'll omit that from the approval
form page.

Confirm the approval settings

When finished, click the Add button to return to the approval policy page.

Step 4 - Activate and create the approval policy

From the Add Approval Policy page:

1. Click the Status drop-down button, and select Active
2. Click Add

Continue to next Exercise

Proceed to Exercise B.1.4, in which you'll assign the new policy to the new catalog item you enabled in the previous
exercise.

Exercise B.1.4 - Assign the Approval Policy to the New VM Blueprint
In this Exercise, you'll assign the approval policy you created in Exercise B.1.3 to the catalog item that you created in
Exercise B.1.2.

Once you've applied the new approval policy to the catalog item, developer requests for new VMs from this catalog
item must be approved by the cloud administrator before any new VMs can be created.

Step 1 - Open the Entitlements page

NOTE: This exercise assumes you have just completed Exercise B.1.3.

From the Administration > Approval Policies page, click the Catalog Management menu bar in the left column of the
page.

Continue to Entitlements

Click the Entitlements menu bar in the left column of the page.

Process Overview

When you assigned the Small VM - Protected catalog item to the Virtual Servers service, it inherited four separate
entitlements automatically: Provisioning - DevOps; DevOps; Internal_vLab_Dev; and IT-Admins.

Approval policies work on a per-entitlement basis: to enforce the approval policy across multiple entitlements, each
entitlement must be edited separately to assign the policy. In this Exercise, you will edit only the DevOps entitlement.
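
Because the policy is attached per entitlement, the entitlements left unedited still expose the catalog item without any approval step. The check below makes that coverage gap visible; it is an added example, not part of the lab guide or of vRealize Automation, and its record layout, function names, and the rule that only an Active policy counts as enforcing are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Entitlement:
    """One entitlement record (constructed layout, not a vRA export format)."""
    name: str
    active: bool = True
    services: set = field(default_factory=set)         # services entitled as a whole
    item_policies: dict = field(default_factory=dict)  # item -> approval policy or None


def audit_item(item, service, entitlements, policy_status):
    """Return {entitlement name: finding} for each active entitlement exposing `item`.

    An item is exposed when it was added to the entitlement individually or
    when the service it belongs to is entitled. Assumption: a policy protects
    requests only if it is attached to the item in that entitlement and its
    status is "Active".
    """
    findings = {}
    for ent in entitlements:
        if not ent.active:
            continue  # inactive entitlements expose nothing
        via_item = item in ent.item_policies
        via_service = service in ent.services
        if not (via_item or via_service):
            continue
        policy = ent.item_policies.get(item)
        if policy is None:
            how = "individually" if via_item else f"via service '{service}'"
            findings[ent.name] = f"GAP: entitled {how} with no approval policy"
        elif policy_status.get(policy) != "Active":
            state = policy_status.get(policy, "missing")
            findings[ent.name] = f"GAP: policy '{policy}' is {state}, not Active"
        else:
            findings[ent.name] = f"OK: requires '{policy}'"
    return findings


def gaps(findings):
    """Names of entitlements through which the item can be requested unapproved."""
    return sorted(name for name, f in findings.items() if f.startswith("GAP"))


# Constructed sample mirroring the state at the end of this Exercise: four
# entitlements inherit the item from the service, only DevOps carries the policy.
ITEM = "Small VM - Protected"
SERVICE = "Virtual Servers"
POLICY = "DevOps VMs w/Data Protection"

ENTITLEMENTS = [
    Entitlement("Provisioning - DevOps", services={SERVICE}),
    Entitlement("DevOps", services={SERVICE}, item_policies={ITEM: POLICY}),
    Entitlement("Internal_vLab_Dev", services={SERVICE}),
    Entitlement("IT-Admins", services={SERVICE}),
]
POLICY_STATUS = {POLICY: "Active"}

if __name__ == "__main__":
    for name, finding in audit_item(ITEM, SERVICE, ENTITLEMENTS, POLICY_STATUS).items():
        print(f"{name:24} {finding}")
```
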

Step 2 - Add the new approval policy to the DevOps entitlement

When the Entitlements page loads, locate the DevOps entitlement and click the DevOps hyperlink.

Edit the DevOps Entitlement

On the Edit Entitlement page, click the Items & Approvals tab.

Add the new catalog item and set the approval policy

Click the green plus sign next to Entitled Catalog Items in the top center of the page.

Filter the list to locate the new catalog item

When the Add Catalog Items to Entitlement page loads:

1. Click the drop-down button next to Service.
2. Select Virtual Servers.

You'll recall that this was the service you associated the catalog item with in Exercise B.1.2.

Filter the list to include only VMs

1. Click the drop-down next to Type
2. Select Virtual Machine

This was the type of approval policy you created in Exercise B.1.3.

Filter the list to locate the new catalog item

1. On the now-filtered list, check the box next to the Small VM - Protected catalog item.
2. Click the drop-down button next to Apply this Policy to selected items, and select DevOps VMs w/Data
Protection from the menu.
3. Click OK

Step 3 - Submit the new entitlement

When you return to the Edit Entitlement page:

1. Note that the Small VM - Protected catalog item has been added to the list, and the new DevOps VMs w/Data
Protection approval policy has been associated with it.
2. Click Update to submit the change.

Summary

In this Lab thus far, as the Cloud Administrator, you have successfully created a new VM provisioning blueprint with
backups enabled, set the resource parameters on that blueprint, and published it to the Service Catalog.

You have also created a new Approval Policy, defined the approval parameters and the approval level, and (in this
Exercise) associated the new Approval Policy to the new blueprint for all developer requests based on the new
blueprint.

Continue on to the next and final Exercise of this Lab, where you'll validate both the new blueprint and the new
Approval Policy.

Exercise B.1.5 - Validate the New Blueprint and Approval Policy
In this final Exercise of the Lab, you'll log in to vRealize Automation as a Developer, and request a new instance of the
Small VM - Protected

Step 1 - Log in as Developer

In this step, you will verify enforcement of the new approval policy by logging in to vRA as a developer, then requesting
a VM based on the new catalog item you created in Exercises B.1.1-B.1.2.

In order to test the catalog item using a different user ID, you'll complete this step using a private Firefox session.
Using a new private window lets you avoid having to log the cloud administrator out of your primary browser session.

Open a new private window in Firefox

1. Click the menu button in the upper-right corner of the Firefox browser window to open the action menu.
2. Click the New Private Window tile.

Connect to vRealize Automation in the private browser window

When the new window opens:

1. Confirm you're in a private browser session
2. Click the vRA button in the browser's bookmarks bar.

Log in as the developer

1. In the User name field, enter devops_user@vlab.local
2. In the Password field, enter Password123!
3. Click Login

Step 2 - Open the developer's catalog page

Once you've logged in as the developer, click the Catalog tab at the top of the page.

Filter the service catalog view

Once the DevOps user's Service Catalog page loads, click the Virtual Servers link in the navigation widget.

Step 3 - Request a new instance of the Small VM

Locate the Small VM - Protected tile, which you'll recognize from both the name and the custom icon you configured in
Exercise B.1.2, and click its Request button.

Configure the new VM's parameters

When the Request Information page loads:

1. Click the drop-down button next to Select Backup Service Level, and change the assigned level to
Daily_1x_Retention_6mo_Archive_1yr.
2. Click the Storage tab at the top of the request form.

Add a VNX-SAS volume to the VM

On the Storage configuration page, click the New Volume link to the right of the Storage volumes box.

Set volume parameters

When the new row appears in the Storage Volumes box:

1. Set the Capacity (GB) to 1
2. Click the Storage Reservation Policy drop-down button and choose VNX SAS
3. Click the green check mark button at the left end of the row to save the new volume configuration.

Submit the request

Click the Submit button to the bottom right of the New Request page to submit the VM request.

Confirm the submission

Click OK to acknowledge the VM submission request.

Step 4 - Check the request status

When you return to the developer's catalog page, click the Requests tab.

Open the request

When the Requests page loads:

1. Click to highlight the new request at the top of the page, and note that the status of this request shows
Pending Approval, showing the enforcement of the new approval policy.
2. With the new request highlighted, click the View Details button to see a more detailed status.

NOTE: The request number of the new VM in your environment may differ from the one shown in this Guide.

Note Request details

When the Request Details page loads, note the current status in the lower-left corner of the page, showing the request
is Pending Approval, with the EHC Cloud Administrator listed as the Approver.

Close the request

When finished, close the VM request by clicking the OK button in the lower-right corner of the page.

Return to the Cloud Administrator's vRA session

Minimize (do not close) the private Firefox window to return to the cloud administrator's vRA session.

Step 5 - Open the Developer's VM request

From the cloud administrator's vRA session, click the Inbox tab at the top of the page.

Open the approval message

When the Inbox page loads, locate the Small VM Protected request item and click the approval item number in the left
column.

Step 6 - Review request details

You'll see the request form, showing the CPUs, Machines, and Memory on the main page, just as you configured in
Exercise B.1.3.

To review the storage details of the request, click the View Request link on the form.

Open the Storage page of the request

When the Request Details page loads, click the Storage tab at the top of the form.

Review Storage settings

The Storage page will load, showing the storage volumes and tiers you configured when you created the VM request as
the Developer.

Click Close to return to the Approval page.

Provide justification and approve the request

To approve the Developer's VM request:

1. In the Justification window of the form, enter Developer VM - request approved
2. Click Approve

Step 7 - Return to the developer's vRA session

On the taskbar at the bottom of the desktop, click the private-session Firefox button to return to the developer's vRA
console.

Update the Requests page

NOTE: If you're not already on the developer's Requests page, click the Requests tab at the top of the self-service
portal to return to the page.

If the request status has not automatically updated to In Progress after it was approved, click the Refresh button at the
bottom of the page to reload the requests and update the status. Once the VM request has been approved by the
Cloud Administrator, the provisioning process should take 3-5 minutes to complete, at which time the Status of the
request will change to Successful.

Step 8 - Log the developer out of vRA

To close out the developer's vRA session, click Logout in the upper-right corner of the private session,
and then close the private-session browser window.

Summary

Per the configuration of the approval policy you created in Exercise B.1.4, approved requests begin processing
immediately upon administrator approval.

You've successfully created a new VM provisioning blueprint and published it to the catalog for developer access.
You've also successfully created a new approval policy and applied it to the VM-creation workflow. Finally, you
validated both the workflow and the approval policy by requesting a VM as a developer, then approving the request as
an administrator, and then confirming the post-approval creation of the new VM.

An in-depth look at the process of creating a new backup service level is provided in Lab B.2.
For an overview of how VM blueprints and data protection are presented to and consumed by cloud users,
please complete Lab C.1.

Lab B.2 - Integrated Data-Protection Management (5-10 minutes)

Exercise B.2.1 - Creating a New Backup Service Level
NOTE: Data Protection services are available as an optional modular add-on service to the Enterprise Hybrid Cloud
Foundation solution.

As the Cloud Administrator, you can create multiple backup service levels for your cloud environment, based on your
organization's requirements for backup scheduling, data retention, and archiving. These service levels are presented
to your customers during the VM request process, and are supported behind the scenes by EMC Avamar and
(optionally) Data Domain. Backups are automatic according to the configured schedule, or can be initiated manually if
necessary.

In this Lab, as the Cloud Administrator, you will create and verify a new backup service level.

Estimated time necessary to complete this Lab: 5-10 minutes

Step 1 - Launch the Create Backup Service request process

NOTE: This Exercise assumes you're still logged on to vRealize Automation as the Cloud Administrator. If not,
instructions for connecting to vRA as the Cloud Administrator are provided in Lab B.1, Exercise B.1.1.

Click the Catalog tab at the top of the page.

Open the Data Protection Services page

From the cloud administrator's Service Catalog page, click the Data Protection Services service menu bar in the
navigation widget.

Open the service request wizard

When the Data Protection Services page loads, locate the tile labeled Create Backup Service L... (The full catalog item
name - Create Backup Service Level - is truncated in this view), and click its Request button.

Step 2 - Provide a service level description and name

1. In the Description field of the Request Information tab, enter Avamar backup service policy - 2x/day, 3yr
retention, 5yr archive
2. Click Next

Provide a name and select a backup target

1. In the Specify the Service Level Name field of the Backup Service Level form, enter
Daily_2x_Retention_3yr_Archive_5yr
2. Using the drop-down button of the Choose backup target menu, select Avamar
3. Click Next

Step 3 - Configure the backup schedule

In the Schedule form, click the Backup Frequency drop-down menu button, and select Daily.

Configure a twice-daily backup window

Once you select Daily from the drop-down menu, the form will change. The default backup times, listed in the Time for
daily schedule window, will read 07:00,12:00,18:00,23:00

1. In the Time for daily schedule window, enter 05:00,17:00 (no space after the comma). This will set the backup
schedule to run at 5am and 5pm every day.
2. Click Next

Step 4 - Set the retention scope

From the Retention form, click the Retention scope drop-down button and select for.

Specify the retention periods

1. In the Retain for window, change the setting to 3
2. Click the drop-down button next to Choose an interval, and select years. This will configure the policy to retain
backup data for one year.
3. In the Years to keep last backup field, accept the default value of 5 (NOTE: You may need to scroll down to see
this field, and you will not be able to submit the request without entering a value here).
4. Click Submit

Step 5 - Confirm and monitor the request

After submitting the request, you'll see a confirmation page. Click OK to return to the main page of the Catalog tab.

Open the Requests page

From the Catalog page, click the Requests tab.

Track the request status

NOTE: The new backup service level will take 3-4 minutes to complete.

You'll see the Create Backup Service Level request at the top of the page. If the status of the request still shows In
progress, click the Refresh button at the bottom of the page to reload the page until the status has changed to
Successful.

In Exercise B.2.2, you'll verify the completion of the new backup policy using the Service Catalog.

Exercise B.2.2 - Verifying the New Backup Service Level
The Enterprise Hybrid Cloud includes a catalog item for designated backup administrators to query the available
backup service levels through a simple drop-down menu. You'll use this catalog item to verify the backup service level
you just created.

NOTE: Data Protection - Backup services are available as an optional modular add-on service to the Enterprise Hybrid
Cloud Foundation solution.

Step 1 - Open the Cloud Administrator's Service Catalog page

Once the request status has changed to Successful, click the Catalog tab to return to the cloud administrator's Service
Catalog page.

Filter the Services list

When the Catalog page loads, click the Data Protection Services menu bar in the navigation column to the left.

Step 2 - Launch the Display Backup Service Levels request

From the Data Protection Services page, locate the Display Backup Service L... (the catalog item's full title, Display
Backup Service Levels, has been truncated) tile and click the Request button.

Step 3 - Provide details

When the New Request page loads:

1. In the Description field, enter Verify new backup service level
2. Click Next

Step 4 - List the backup service levels

1. Click the Service Levels drop-down menu.
2. Note the presence of the Daily_2x - Retention 3yr - Archive 5yr backup service level that you just created in
Exercise B.2.1.
3. Click Submit

Listing the available backup service levels on this page is what this particular catalog item has been configured to do.
When you click Submit, you'll complete the workflow.

Step 5 - Recap

Click OK to acknowledge the submission.

This catalog item workflow does its work during the request process by displaying the available backup service levels
in the drop down menu.

Summary

In this Lab, as the Cloud Administrator, you created a new Avamar backup service level, in which you defined the
backup frequency and schedule (twice daily at 5am and 5pm), retention policy (3 years for all backups), and archival
policy (5 years).

A user requesting VMs through the service catalog must choose a backup service level from the available list at the
time the VM is provisioned. Backups are then automatically scheduled and retained according to the defined settings of
the policy that the user chooses. If the cloud admin chooses to enable user-managed data protection, then the user
can initiate on-demand backups and manage their own restore operations as appropriate as well.

An in-depth look at how end users can choose backup policies and manage their own backup and restore
operations can be found in Lab C.1.
Enabling data protection at the VM blueprint level is explained and demonstrated in Lab B.1.

The ability to assign backup services and scheduling automatically means less administrative overhead for the cloud
admin, and self-service data-protection management means faster service for the end user.

Lab B.3 - Integrated CMDB Management with ServiceNow (10-15 minutes)

Exercise B.3.1 - Connect to the Cloud Experience Center and launch the demo
In a traditional IT operational model, a Configuration Management Database (CMDB) tool is used to track the inventory
and configuration of VMs and physical servers that host business-critical workloads, or that deliver business-critical
services. Information about each server is typically entered into the CMDB when the server is built, and is carefully
maintained throughout the server's lifecycle. Although this can be a labor-intensive process, it can improve overall IT
efficiency by flagging potential change risks, identifying inter-dependent services during incidents and outages, and
reporting on licensing compliance.

While the self-service capabilities and business agility offered by an Enterprise Hybrid Cloud mean rapid delivery of
new VMs and application stacks to cloud customers, it can present new challenges to IT administrators and staff
focused on IT configuration and service management. CMDB management often assumes that items in its inventory
are fairly static in lifecycle, so CMDB records are often updated by manual processes. In dynamic environments (e.g.
an Enterprise Hybrid Cloud platform) where workloads are rapidly spun up and then retired, a CMDB can quickly go
stale, jeopardizing IT service levels and diminishing its value.

Organizations that leverage ServiceNow can now integrate their ServiceNow CMDB with an Enterprise Hybrid Cloud, so
that VMs for certain workloads, or for specified departments, can be added to the CMDB database with the
appropriate inventory information as an integral part of every VM lifecycle event. With the integration workflows that
connect vRealize Orchestrator to ServiceNow, VM configuration change operations - e.g. VM deployment, upgrade,
reconfiguration, and destruction - can be automatically provided to ServiceNow for real-time inventory and
configuration tracking.

In this Lab, you'll see how the Enterprise Hybrid Cloud's self-service and automated VM-deployment capabilities can
be configured to work seamlessly with a ServiceNow CMDB environment.

To demonstrate the third-party integration features of an Enterprise Hybrid Cloud, you'll use the Cloud Experience
Center at http://interactivedemos.emc.com/ehc to experience the process.

Estimated time necessary to complete this Lab: 10-15 minutes

Step 1 - Connect to the Cloud Experience Center

NOTE: You may already have the Cloud Experience Center loaded from a previous Lab. If so, skip this Exercise and
proceed directly to Exercise B.3.2 to continue.

You'll begin by opening a new Chrome browser instance from the Windows Taskbar.

Open the Cloud Experience Center

When the Chrome browser window loads, click the Cloud Experience Center link in the Bookmarks bar.

Step 2 - Continue to the next Exercise to launch the demo

To begin the demo, proceed to Exercise B.3.2.

Exercise B.3.2 - Create a ServiceNow Build Profile
In this Exercise, you'll use the Cloud Experience Center to see how the Enterprise Hybrid Cloud's self-service and
automated VM-deployment capabilities can be set up to work seamlessly with your ServiceNow CMDB platform.

In order to enable ServiceNow integration, you'll first need to create a new ServiceNow Build Profile containing the
ServiceNow-update workflows.

Step 1 - Select the ServiceNow demo from the Cloud Experience Center

You'll begin this Exercise on the demo menu of the Cloud Experience Center.

Select the CMDB Integration with ServiceNow demo from the menu.

Step 2 - Open the Build Profiles page

From the Catalog page of the self-service portal, click the Infrastructure tab.

Open the Blueprints page

In the navigation widget on the left side of the page, click the Blueprints item.

Continue to Build Profiles

Click the Build Profiles item to continue.

Step 2 - Create a new Build Profile

When the Build Profiles page loads, click the New Build Profile link in the upper-right corner of the page.

Add a new Property

Properties, when attached to blueprints, enable you to specify additional attributes or tasks that are associated with
any VMs provisioned from the blueprint. In this case, any VM that you want to deploy with integrated ServiceNow
CMDB capabilities will need to call specific workflows in vRealize Orchestrator that will update ServiceNow whenever a
configuration change on the VM is triggered.

To simplify the process of associating these properties with ServiceNow VMs, you can create a Build Profile that
contains both properties, then add that profile to any blueprints that you want to register with ServiceNow.

The new Build Profile will need a descriptive name. This has been provided for you already.

Click the New Property link.

Step 3 - Create a new Property

This first property (1), whose name has already been provided in the Name field, calls a specific vRealize Orchestrator
(vRO) job ID that adds a new record to ServiceNow whenever a VM is deployed with this Build Profile attached. In the
Value field, we'll need to copy and paste the correct job ID number from vRO.

Click the Value field to activate a popup text box with a vRealize Orchestrator link.

Connect to vRealize Orchestrator

Once the popup box appears, click the Connect button to open the vRealize Orchestrator in a popout window.

Get job ID from vRealize Orchestrator

NOTE: This portion of the Exercise is an auto-drive demo, meaning that clicking anywhere on the page will
automatically advance to the next step, regardless of where the mouse pointer is on the page.

The ServiceNow integration workflows have already been installed in vRealize Orchestrator. These are the vRO jobs
that you'll associate with the Properties in the new Build Profile that you're creating in vRealize Automation.

The master_cmdb_insert job is what updates the CMDB when a new VM is created. That's the job ID you need for this
step.

Click anywhere on the page to expand the master_cmdb_insert job.

Copy the job ID

The job ID number on this next page is the value you'll need to provide for the first Property you've created in the new
Build Profile.

Click anywhere on the page to copy the job ID and return to vRealize Automation.

Enter job ID number

1. Back in vRA, click in the Value field to paste the job ID number that you copied from vRO.
2. Click the green check mark button to save the new Property.

Step 4 - Add another property

Now, you'll add a second Property to the Build Profile. This second Property will call a different vRO job ID, which will
update ServiceNow's records when an existing VM is modified or destroyed.

Click the New Property button again.

Provide the Property name

Once again, the Name of the new Property has already been provided for you.

Click in the Value window to open the vRealize Orchestrator Client window again.

Find the job in vRO

The master_cmdb_update job updates the ServiceNow CMDB when a new VM is modified or destroyed. That's the job
whose ID you'll need for the second Property in the Build Profile.

Click anywhere on the page to highlight the job object and display its Settings page.

Copy the second job ID number

Just as with the first Property, the highlighted ID number on this page is the Value you'll need to associate with the
Build Profile's second Property.

Click anywhere on the page to copy the job ID and return to vRealize Automation.

Paste the second job ID number

On the New Build Profile page in vRA:

1. Click in the Value field of the new Property to paste the job ID you just copied from vRO.
2. Save the new Property by clicking on the green check button.

Save the new Build Profile

Now that you've associated two specific ServiceNow-related vRealize Orchestrator workflows with this new Build
Profile, click the OK button to save it and return to the previous page in vRealize Automation, then proceed to the next
Exercise in the Lab.

Exercise B.3.3 - Attach the ServiceNow Build Profile to an Existing IaaS Blueprint
In the previous Exercise, you used the Cloud Experience Center interactive demo to step through the process of
creating a new Build Profile and attaching the required ServiceNow workflows to it.

In order to run those workflows as part of the automated VM deployment process, you'll need to associate that new
Build Profile with any and all VM blueprints on which you wish to enable ServiceNow.

This Exercise will show you how to attach the new Build Profile to an existing IaaS blueprint.

Step 1 - Edit an existing IaaS blueprint

From the previous Exercise, you should be on the Build Profiles page of the Infrastructure tab.

You'll see the new ServiceNow Integration build profile that you just created now listed on the page.

Click the Blueprints item in the navigation widget on the left side of the page.

Open the target blueprint

1. Locate the Ubuntu - ServiceNow blueprint in the inventory list.
2. Hover the pointer over the blueprint. When the popout menu appears, click Edit.

Step 2 - Attach the ServiceNow Build Profile to the blueprint

When the Edit Blueprint - vSphere (vCenter) page opens, click the Properties tab.

Enable the new build profile

On the blueprint's Properties page, you'll see a list of available build profiles that you can attach to the blueprint.
Attaching a build profile to a blueprint automatically associates all of the build profile's properties with the blueprint.

1. Check the box next to ServiceNow Integration.
2. Click OK to save the blueprint with the build profile attached.

Summary

You'll return to the Blueprints inventory page.

Proceed to the next Exercise, where you'll deploy a new VM based on this blueprint, and validate that the vRealize
Orchestrator workflows called from the build profile are triggered automatically to update ServiceNow with the
appropriate change data.

Exercise B.3.4 - Deploy a VM from the ServiceNow IaaS blueprint
In the previous Exercises of this Lab, you created a new Build Profile that contained properties, each of which called a
different workflow in vRealize Orchestrator to detect qualifying events (new VM, reconfigured VM hardware, VM state
changes, etc.) and update the ServiceNow CMDB with the relevant configuration changes. You then attached that new
Build Profile to a pre-configured IaaS blueprint.

In this Exercise, you'll use the vRealize Automation Service Catalog to deploy a VM from that blueprint, and validate its
ongoing connection to ServiceNow through creation, reconfiguration, and decommission.

Step 1 - Open the Service Catalog

From the previous Exercise, you'll be on the Infrastructure > Blueprints > Blueprints page, where you just saved the
Ubuntu - ServiceNow blueprint with the ServiceNow Integration build profile attached.

Click the Catalog tab to deploy a VM from this blueprint.

Open the ServiceNow service page

When the Catalog page loads, click the ServiceNow item in the navigation widget on the left side of the page.

Step 2 - Initiate the VM request

Click the Ubuntu - ServiceNow catalog item's Request button.

Confirm Build Profile association

If you've deployed IaaS blueprint VMs previously, you'll recognize this form.

Click the Properties button to verify the blueprint's ServiceNow enablement.

Submit the request

You'll see the ServiceNow workflows from the Build Profile have been added to the VM as custom properties, ensuring
that ServiceNow will be updated when this VM is created, and again if the VM is reconfigured, power-cycled, or
destroyed.

Click Submit to create the new VM.

Request submitted

Click OK to acknowledge the submission and open the Requests page.

Step 3 - Monitor the request

When the Requests page loads, you'll see the new VM you just requested at the top of the list, with its deployment
status set to In Progress.

Click the Refresh button at the bottom of the page to reload the page and update the status.

Confirm VM deployment

When the page reloads, you'll see the status of the new VM deployment request change to Successful.

Click the Items tab to view the VM in your Machines inventory.

Step 4 - View VM details

When the Machines inventory list loads, you'll see the new Ubuntu VM, BLRPOCLIN043, on the page.

Click the VM's name to open its Details page.

Note VM configuration details

On the Item Details page, you'll see the parameters the VM was deployed with, including:

Name
Power status
CPU count
Memory allocation
Storage allocation

Next, you'll compare the details on this page with those provided to ServiceNow when the VM was deployed.

Close the VM Details page

To return to the Machines page:

1. Scroll down to the bottom of the Item Details page
2. Click the Close button

Open the ServiceNow management console

You'll return to the Machines page, showing the single VM, BLRPOCLIN043, in the inventory list, and a text box
offering to open the ServiceNow Service Automation management console.

Click the Connect button.

Step 5 - Confirm new VM in ServiceNow management console

A box showing the ServiceNow Service Automation management console will appear in your browser window.

NOTE: This portion of the Exercise runs in auto-drive mode, meaning that clicking anywhere on the page will advance
to the next screen, regardless of the cursor's position on the page.

Click anywhere on the page to view the list of Virtual Machine Instances in the ServiceNow CMDB.

View VM's configuration details

At the bottom of the list of VMs in the ServiceNow CMDB, you'll see the BLRPOCLIN043 VM that you just deployed.

Click anywhere on the page to view the VM's details.

View VM details

The VM's configuration details - name, resource footprint, network settings, power state - are all tracked and visible in
ServiceNow, and match the information shown on the VM's Details page in vRealize Automation, confirming that the
vRO workflow to update ServiceNow with the new VM information was launched and completed successfully.

Click anywhere on the page to close the ServiceNow Service Automation management window and return to vRA.

Step 6 - Destroy the VM

Now that you've confirmed that new virtual machines that include the ServiceNow build profile and properties in their
IaaS blueprint will automatically be added to the ServiceNow CMDB, you'll destroy the VM and check the results in
ServiceNow again.

With the VM highlighted on the Machines inventory page:

1. Click the Actions button at the top of the inventory list.
2. From the drop-down menu, click Destroy.

Confirm VM destruction request

Click Submit to confirm the request and destroy the VM.

Acknowledge request

Click OK to acknowledge the submission.

Monitor status of the VM

You'll return to the Machines page with the single VM listed in the VM inventory.

Click the Refresh button at the bottom of the page to reload the page and update the VM status.

Return to ServiceNow management console

The VM's status will show Disposing, and then the VM will disappear from the page.

In the text box that appears at the bottom of the page, click Connect to return to the ServiceNow Service Automation
management console.

Step 7 - Confirm VM removal from ServiceNow

Click anywhere on the page to return to the VM's Details page in the ServiceNow Service Automation management
console.

View retired VM

Now that the BLRPOCLIN043 VM has been deleted, the VM state has automatically changed to Retired, confirming that
the workflow to update ServiceNow was triggered as soon as the VM was removed.

Click anywhere on the page to close the management console and return to vRealize Automation.

Choose another demo or close Chrome

In addition to the ServiceNow exercise you just completed, the lab guide includes a walk-through of the following,
additional interactive demos:

1. Add a vCloud Air site to vRealize Automation - Lab A.3
2. Securing VM Data Using CloudLink SecureVM - Lab C.4

If you wish to step through another interactive demo, click the MENU tab along the left edge of the window to return to
the main menu and select one of the other available demos, and then open the appropriate chapter in the lab guide.

Otherwise, close the Chrome browser window to return to Firefox.

Summary

In a cloud environment, automation is not just useful in enabling rapid and accurate deployment of end-user services.
Even at the IT administrative level, critical service management tasks can be automated as part of any cloud-services
portfolio to simplify not just business service agility, but also real-time IT service management.

ServiceNow integration - when leveraged in an Enterprise Hybrid Cloud environment where users can provision,
upgrade, and reconfigure their own virtual machines from a self-service portal - means that IT processes don't have to
be made more complex when business processes are simplified.

With the ServiceNow capabilities that can be part of any Enterprise Hybrid Cloud deployment, service and workload
automation can be easily and automatically tracked at an enterprise level, even at scale, in a few simple steps.

Lab C.1 - Virtual Machine Lifecycle Management (30-35 minutes)

Exercise C.1.1 - Log in to vRealize Automation as the Business Analyst
In this lab, you will log in to vRealize Automation using the Business Analyst account, and request a new virtual
machine from the business analyst's self-service portal.

Once the VM has been deployed, you will then review the VM's data-protection options, first by capturing a snapshot
of the VM, and then running on-demand backup and restore operations.

Next, while still logged on to vRA as the Business Analyst, you will change the VM's hardware allocation by adding
CPU, memory, and disk resources to the VM.

Finally, using the Business Analyst's vRA self-service portal, you will destroy the VM.

NOTE: This Exercise assumes you have not logged into vRealize Automation as the Business Analyst. If you already
have an active vRA session as the Business Analyst, please proceed to Exercise C.1.2.

Estimated time necessary to complete this Lab: 30-35 minutes

Step 1 (optional) - Log out of any previous vRA sessions

If you are currently logged in to vRA as the Cloud Administrator or as the Developer after having completed any of the
other Labs, then click the Logout link in the upper right corner of the self-service portal, and proceed to Step 3 to log
back in to vRA as the Business Analyst.

Step 2 (optional) - Open the Firefox browser

If Firefox is not already open from an earlier lab session, then double-click the Mozilla Firefox icon on the desktop to
load the web browser. Proceed to Step 3 to log in to vRealize Automation as the Business Analyst.

Step 3 - Log in to vRealize Automation as the Business Analyst

From the vRA login portal, log in to vRA:

1. In the Username field, enter business_analyst@vlab.local
2. In the Password field, enter Password123!
3. Click Login.

Step 4 - Open the Business Analyst's catalog page

Click the Catalog tab at the top of the page to open the Business Analyst's self-service catalog view.

Review the available Catalog items

The default view of the Catalog page shows all available catalog items in one flat view. If you've already completed any
of the earlier labs, you'll notice a significant difference between the catalog items and services that were presented to
the Cloud Administrator, and what the Business Analyst sees and is able to request.

Cloud Administrator's Service Catalog

For comparison, here's a partial All Services view of the Cloud Administrator's catalog. Catalog items and services
available to the cloud_admin account include storage-, data protection-, and support-related tasks, whereas cloud
customers and end users will see only catalog items for requesting VMs and services.

Step 5 - Review the Virtual Servers catalog service

Click the Virtual Servers service menu bar. You'll see the virtual-server-based catalog items available to the Business
Analyst from this service.

To provision a virtual machine, proceed to Exercise C.1.2...

Exercise C.1.2 - Provision a New VM from the Catalog
In this Exercise, in the role of the Business Analyst, you will configure and request the creation of a new virtual
machine.

NOTE: For instructions on logging in to the vRealize Automation self-service portal as the Business Analyst and
opening the Catalog page, refer to Exercise C.1.1.

Step 1 - Request a new VM

From Exercise C.1.1, you should be looking at the Virtual Servers service page of the Business Analyst's self-service
catalog. Locate the tile labeled Linux - Protected, and click the title hyperlink (not the Request button).

Launch the VM request wizard

The Linux - Protected catalog item's details page will appear, showing you the item description, available resource
configuration options, and daily cost.

Click the Request button in the lower left-hand corner of the page.

Step 2 - Configure VM footprint and backup settings

When the New Request page loads:

1. Leave the Machine, CPU, and Memory values at their default settings.
2. Click the drop-down button next to Select Backup Service Level, and choose
Daily_1x_Retention_6mo_Archive_1yr to assign a backup policy (backed up once per day, with a six-month
data-retention and 1-year archive retention policy) to this VM.
3. Click Submit to continue.

Close the request wizard

When the Request confirmation page loads, click OK to return to the default Service Catalog page.

Step 3 - Monitor VM provisioning status

From the Catalog page, click the Requests tab. This is where you can track the status of your VM provisioning
operation.

View details recap of VM request

At the top of the Requests list, you will find the line item labeled Linux - Protected, corresponding to the request
you configured and submitted in Step 1.

1. Click the request to highlight the row.
2. Click the View Details button in the upper-left corner of the Requests page.

Confirm request status and configuration details

From the Request Details page:

1. Review the Machine, CPU, Memory, and Storage settings for the new VM
2. Note the daily cost for running this VM in the RainPole environment with the configured settings. Depending
on your organization's policies and practices, these costs may be absorbed by your IT department, or passed
along to your business group.

3. When finished, click OK to return to the Requests page.

Track the status of your Linux - Protected request

To update the status page, click the Refresh Data button at the bottom of the page until the status of your VM
provisioning request changes from In Progress to Successful, if it hasn't already. This will let you know that your
new VM is complete.

Note: The VM-provisioning operation used in this automated workflow clones a new VM based on a small CentOS
template, so the provisioning operation that you initiated in this exercise should be completed within 4-6 minutes
after you submitted the request.

Step 4 - Browse to the Items page and identify your new VM

From the Requests page, click the Items tab.

Locate the new VM

When the Items > Machines page loads, you'll see the new virtual machine that you just provisioned.

NOTE: Your VM may have a different name than the one shown in the graphic on this page.

Note the name of the new VM; you'll need it for the remaining Exercises in this Lab. If there are multiple VMs on the
business analyst's Machines page, use the Date Created column to identify which machine was created on today's
date. This is the VM you'll use for the duration of this Lab.

After you've located the VM and noted its name, proceed to Exercise C.1.3.

Exercise C.1.3 - Self-Service VM Snapshot Management
In addition to the user-managed data protection capabilities enabled by the Enterprise Hybrid Cloud solution that
leverage more traditional backup and restore operations (which you'll perform in Exercise C.1.4), vRealize Automation
can also be configured to allow users to create and manage their own VM snapshots to enable VM-state recovery in
certain situations.

In this Exercise, you'll initiate a snapshot of the VM that you created in Exercise C.1.2, and then revert the VM back
to its pre-snapped state, using the vRealize Automation self-service portal.

NOTE: The use of snapshots, particularly user-initiated and self-managed snapshots, should be enabled and used
sparingly and with caution.

Step 1 - Load the VM's Details page

From the Machines page, click the name of the VM you provisioned in Exercise C.1.2.

NOTE: Your VM may have a different name than the one shown in the graphics of this Exercise.

Step 2 - Initiate a VM snapshot

From the VM's Item Details page, click the Snapshots tab.

Capture a new snapshot

On the VM's Snapshots page, click the New Snapshot link to initiate a snapshot.

Configure snapshot details

1. Accept the default snapshot name, leaving the Snapshot the machine's memory option unchecked
2. Click OK.

Acknowledge the new snapshot

After 2-3 minutes, you'll see a message indicating the snapshot was created. Click Close to return to the Snapshots
page.

Step 3 - Revert the snapshot

From the VM's Snapshots page, you'll see the snapshot you just captured. To revert the VM and apply the snapshot,
hover the mouse pointer over the arrow next to the snapshot's timestamp.

Apply the snapshot back to the VM

In the popup action menu, click Apply.

Confirm snapshot reversion

Click Yes to confirm the operation.

Monitor the snapshot-reversion status

This operation may take anywhere from 2-3 minutes to complete.

Use the Refresh button to update the status. The Snapshot operation in progress... status beneath the snapshot
management box will disappear once the snapshot-revert operation has completed.

Step 4 - Delete the snapshot

Having successfully reverted the VM to its pre-snapshot state, you will now delete the snapshot you captured in Step
2.

Hover the mouse pointer over the arrow to the right of the snapshot's timestamp.

Initiate snapshot deletion

When the popout menu appears, click Delete.

Confirm delete-snapshot request

Click Yes to confirm the snapshot deletion.

Monitor snapshot-delete operation

This process will take 30-60 seconds to complete. Use the Refresh button to update the status page. When the delete
operation completes, the Snapshot operation in progress... status will disappear.

Step 5 - Close the Details page

When the snapshot has been successfully deleted, scroll down to the bottom of the VM's Item Details page and click
the Close button. You'll be returned to the business analyst's Items > Machines page in the vRA self-service portal.

Exercise C.1.4 - Self-Service Data Protection
In this Exercise, you will initiate an on-demand backup of the VM you provisioned in Exercise C.1.2, and monitor the
backup job to completion. You will then initiate a restore operation against the VM, using the backup dataset you just
created.

Step 1 - Initiate an on-demand backup

You should begin this exercise on the Items tab of the business analyst's self-service portal after completing the steps
outlined in Exercise C.1.2.

From the Machines page, find the VM you provisioned in Exercise C.1.2. Click the hyperlink of the VM's name.

NOTE: The name of your new VM may differ from the examples shown in the graphics of the lab guide. Use the Date
Created column of the Machines page to identify your new VM.

1. Click to highlight the VM's row in the Machines page.
2. Click the drop-down Actions button at the top of the page.
3. Click the On Demand Backup line item to request a new backup job.

Provide a request description

1. In the Request Information page's Description field, enter First backup of new VM
2. Click Next.

Confirm backup request

On the New Request wizard's Review page, click Submit to initiate the backup operation.

Acknowledge the submission

Click OK to acknowledge that the request has been submitted successfully.

Return to the Requests page

You will be returned to the Machines page. Click the Requests tab.

Step 2 - Monitor backup job status

When the Requests page loads, locate the line item named On Demand Backup - DEV*** (where *** is the unique
numerical suffix assigned to your VM when you deployed it).

If the status shows the backup job is still in progress, click the Refresh button near the bottom of the page until the
request status changes to Successful.

NOTE: The on-demand backup request should complete within 2-5 minutes.

In the event of a backup failure

If the backup request fails, see the Troubleshooting step at the end of this Exercise. Otherwise, please proceed to Step
3.

Step 3 - Initiate a Restore operation

With the VM backup complete, you can now run a Restore operation:

1. From the Business Analyst's Items > Machines page, click to highlight the VM's row (if it isn't still highlighted
from Step 3).
2. Click the drop-down Actions button at the top of the Machines inventory list.
3. Click On Demand Restore

NOTE: If the drop-down Actions menu appears empty, check again to make sure the new VM is highlighted and click
the button again.

Restore description

When the On Demand Restore page loads:

1. In the Description field, enter Restore from most recent backup
2. Click Next

Choose a restore point

In the Restore Point page:

1. Click the drop-down backupPoint menu button, and select the sole backup point from the menu. NOTE: If there is
more than one backup image, choose the topmost backup job in the list.
2. Click Submit

Confirm request submission

You'll see a message indicating that the request has been successfully submitted. Click OK to return to the Machines
page.

Step 5 - Monitor restore operation progress

From the Machines page, click the Requests tab to monitor the restore operation's progress.

Locate the Restore operation's request entry and verify successful completion

From the Requests page, locate the On Demand Restore request, most likely at the top of the page. If the request
status shows the operation is still In Progress, click the Refresh Data button at the bottom of the page. Repeat as
necessary until the request status changes to Successful.

NOTE: This operation may take between 3-5 minutes to complete.

Recap

In this Exercise, as the Business Analyst, you performed an on-demand backup job of the VM you provisioned in
Exercise C.1.2, followed by a restore operation.

The self-service model of vRealize Automation, integrated with the automated backup and restore workflows of
Avamar, means an Enterprise Hybrid Cloud solution that enables users to manage their own data protection without
administrative assistance or any type of IT intervention. This means rapid access to services for end users, as well as
reduced administrative overhead for the IT support staff.

Proceed to Exercise C.1.4, to see how vRA enables another type of user-managed data protection.

Troubleshooting

If the On-Demand Backup request fails, click the task number to open its Details page.

Review failure message

When the Details page loads:

1. Scroll down to the bottom to review the Status Details message.
2. If you see an error message similar to that shown in the image, please refer to the Resetting Avamar Services
in the Lab Environment Exercise of the Troubleshooting section at the end of this Guide to restart the Avamar
and Avamar proxy service in the Lab environment.
3. If you see an error message indicating a failure due to the mail server being unreachable, then please refer to
the Restarting the Mail Server Exercise of the Troubleshooting section at the end of this Guide for information
on restarting the Lab environment's mail server.
4. After completing the appropriate Troubleshooting exercise, return to the beginning of this Exercise and re-run
the on-demand backup operation, then proceed normally.

Exercise C.1.5 - Reconfigure the VM's Hardware
In this exercise, you'll edit the hardware settings of the VM that you provisioned in Exercise C.1.2, adding CPU,
memory, and storage to the VM's allocation.

Step 1 - Launch the Reconfigure VM Page

You should begin this exercise on the Items tab of the business analyst's self-service portal after completing Exercise
C.1.4. The VM should already be in a powered-off state from Exercise C.1.3.

From the Item>Machines page, find the VM you provisioned in Exercise C.1.2.

1. Click to highlight the VM's row on the page.
2. Click the Actions button at the top of the page.
3. When the Actions menu loads, click Reconfigure

NOTE: The name of your new VM may differ from the examples shown in the graphics of the lab guide. If necessary, use
the Date Created column of the Machines page to identify your new VM.

Step 2 - Edit the VM hardware resources

The Reconfigure page will load. To edit the allocated hardware:

1. Change the VM's CPUs value from its original setting of 1 to 2
2. Change the allocated memory from 256 to 512

Step 3 - Edit the VM's storage footprint

To add a second volume to the VM, begin by clicking the Storage tab at the top of the request page.

Add a new volume to the storage allocation

When the Storage page appears, click the New Volume link in the upper-right corner of the Volumes box.

Set the size of the new volume

When the New volume row appears:

1. Set the Capacity (GB) to 2
2. Save the volume settings by clicking the green check button on the left end of the row.

Step 4 - Finalize execution plan

Click the Execution tab at the top of the Request form.

Verify execution settings

1. Ensure the Execute request field is set to Immediate
2. In the Reason for request field, enter Additional VM resources needed for EOQ processing
3. Click Submit

NOTE: CPU and memory reconfiguration require that the target VM be in a powered-off state. If the VM were not already
powered off from the on-demand restore operation you performed in Exercise C.1.3, you have the option to power
down the VM using the Power action drop-down on this page.

Acknowledge submission

Click OK to acknowledge vRA's receipt of your VM reconfiguration request.

Monitor the reconfiguration status

You will be returned to the Machines page, with the status of your VM showing Off (Reconfigure pending) or Off
(Reconfiguring).

With the target VM already powered off, reconfiguration of the VM hardware should be complete in 2-3 minutes. Use
the Refresh button to reload the page until the Status returns to Off.

Step 6 - Confirm new VM settings

From the Machines page, click the VM's name to load the Item Details page.

Review updated VM configuration

When the Item Details page loads, you will see the updated VM hardware settings on the Machine Information form,
including:

2 CPUs
512MB memory
7GB of storage

Click Close to return to the Machines page.

Exercise C.1.6 - Delete the Virtual Machine
In this Lab, having logged in as the Business Analyst, you configured and provisioned a new virtual machine. You then
initiated an on-demand backup of the VM, then a restore operation. Next, you created and then reverted a
user-initiated snapshot of the VM through the same self-service portal.

Finally, still logged on as the Business Analyst, you edited the VM's hardware configuration to add CPU, memory, and
disk resources to the VM footprint.

In this last Exercise, as the Business Analyst, you will destroy the VM through the self-service portal.

Step 1 - Initiate a Destroy operation

NOTE: Having just completed Exercise C.1.5, you should begin this Exercise on the Business Analyst's Machines page.

1. Click to highlight the VM on the Machines page.
2. Click the Actions button at the top of the page.
3. Click Destroy

Confirm destroy request

You'll see a popup box asking for confirmation of your request.

Click Submit.

Acknowledge submission

You'll see a successful submission notification.

Click OK.

Step 2 - Monitor destruction operation

The Machines page will now show the status of the VM as Disposing.

Click the Reload button to update the page. This operation should complete within 3-5 minutes.

Confirm VM deletion

When the VM has been successfully destroyed, it will disappear from the Business Analyst's page.

Step 3 - Log the Business Analyst out of vRealize Automation

This Exercise is the last that you'll perform in the vLab as the Business Analyst. To log the Business Analyst out of
vRealize Automation, click the Logout link in the upper right corner of the portal.

Summary

The Enterprise Hybrid Cloud empowers users to request, use, and manage their own resources. In this Lab,
you have followed a VM through its entire lifecycle: from creation to deletion, and including snapshot management,
backup, restore, and reconfiguration.

By providing users with a set catalog of blueprints and self-directed management capabilities, cloud administrators
can quickly deliver standardized services to their users. Additionally, the ease of creating and publishing new
blueprints means that IT can quickly expand their services portfolio in response to rapidly changing business
demands in a rapidly evolving competitive climate.

If you are interested in seeing some of these processes in more detail, this Guide also offers the following additional
Labs:

To add cloud services by importing pre-existing VMs, see Lab A.2.
For more information on creating and publishing new VM blueprints to the Service Catalog, and managing
user access to those blueprints, please see Lab B.1.
To see how to create new backup services, complete Lab B.2.
A demonstration of how to integrate self-service VM provisioning with enterprise CMDB management using
ServiceNow is available in Lab B.3.
To see how to provision VMs and applications that use NSX security and load balancing, please continue to
Lab C.2.
For more information on how to integrate application deployment and configuration operations into the VM
provisioning process, complete Lab C.3.
To see how to use CloudLink SecureVM to encrypt and protect VM data, see Lab C.4.

Lab C.2 - Deploy Applications and Services with VMware NSX (35-40 minutes)

Exercise C.2.1 - Deploy a Simple Two-Tier Application
In this Exercise, you'll log into vRealize Automation as the Developer persona and deploy a pair of Python Flask
applications built on NSX blueprints. The first application uses no NSX security features - all traffic passes to and from
the VM unimpeded. The second uses NSX-based micro-segmentation to isolate the application layers and protect
application services and data from compromise.

After completing the two application deployments, you will then compare the effective differences in security between
the two blueprints in the next Exercise.

Estimated time necessary to complete this Lab: 35-40 minutes

Step 1 - Log in to vRealize as the Developer user

From the vRealize Automation login portal, enter the following credentials:

1. User name: devops_user@vlab.local
2. Password: Password123!
3. Click Login

Step 2 - Open the Applications service catalog page

When the vRealize Self-Service Portal loads, click the Catalog tab.

Filter the service catalog

Next, click the Applications Service tab in the navigation widget on the left.

Step 3 - Request an unsecure Python Flask application instance

From the vlab Development catalog page, locate the tile labeled Python Flask App - w/o Microsegmentation and click
the Request button.

Submit the request

Accept the default settings. Click the Submit button to submit the request.

Acknowledge the request submission

When the Request confirmation page loads, click OK to return to the Catalog tab.

Step 4 - Request a secure, micro-segmented Python Flask application instance

From the Catalog page, click the Applications service item in the navigation widget on the left.

Launch the secure Python Flask application request

From the vlab Development catalog page, locate the tile labeled Python Flask App, and click the Request button.

Submit the application instance request

Accept the default settings. Click the Submit button to submit the request.

Acknowledge the request submission

When the Request confirmation page loads, click OK to return to the Catalog tab.

Step 5 - Monitor the status of the Application Requests

From the Catalog page, click the Requests tab.

Monitor the deployment status of both new applications

1. You'll see both requests at the top of the list. One or both may still show an In Progress status.
2. Click on the Refresh button at the bottom of the page to reload the status on the page until both requests
show up as Successful.

NOTE: Overall deployment time should be between 3-5 minutes per instance.

Step 6 - Confirm two new application VMs

Once both application requests show a Successful deployment status, click the Items tab at the top of the self-service
portal.

Review VM inventory

You'll see two new VMs on the Machines inventory of the Items page, corresponding to the new applications you just
deployed.

Note the name of the secured application - the VM whose name begins with WEB...

In the next Exercise, you'll review its configured NSX security policies in vCenter.

NOTE: VM names in your environment may differ from those shown in this Guide. Depending on which prior Labs
you've completed, the Machines inventory list in your environment may also differ from what is shown here.

Exercise C.2.2 - Review NSX Security Policies
In Exercise C.2.1, you deployed two side-by-side applications in vRealize Automation - one with a VMware NSX-based
micro-segmentation security policy and the other without. In this Exercise, you'll log into vCenter using the vSphere
Web Client and review the configured security policies.

NOTE: If you log into vCenter using either the administrator@vlab.local or administrator@vsphere.local account, you won't
have administrative rights to the NSX manager in vCenter. Please use the credentials supplied in this Exercise.

Step 1 - Log in to vCenter using the vSphere Web Client

Open a new browser tab in Firefox.

Connect to the vSphere Web Client

From the new browser tab, click the vSphere Web Client button in the Favorites menu bar.

Provide authentication credentials

When the vSphere Web Client login page appears:

1. Enter ehc_nsx_ent_admin@vlab.local in the User name field
2. In the Password field, enter Password123!
3. Click Login

NOTE: Logging in to the vSphere Web Client may take 1-2 minutes to complete.

Step 2 - Open the NSX Service Composer page

When the vSphere Web Client page loads, click the Networking & Security link in the Navigation column.

Continue to the Service Composer

From the Networking & Security menu, click the Service Composer link.

Step 3 - Review the WEB Tier Security Group settings

1. From the Security Groups page, locate the WEB Tier Security Group line item.
2. To see the applicable rules in this security policy, click the 3 under the Firewall Rules column.

Review firewall rules

In the Web Tier Security Group - Firewall Rules box, you'll see three rules in sequence that regulate which types of
traffic can pass to and from the application, as well as between the tiers of the application.

1. Block the communication between VMs in the WEB Tier Security Group
2. Allow only traffic on port 8080
3. Block any other traffic

Taken together, these rules serve to secure the individual layers of a multi-tier application from compromise, while still
ensuring application functionality.

To close the box, click the x in the upper right hand corner (4).

Step 4 - Check the list of secured VMs

Back on the Security Groups page of the Service Composer, click the 1 under the Virtual Machines column.

Verify new application VM is secured

When the WEB Tier Security Group - Virtual Machines list loads, you'll see the WEBxxx VM, which you should recognize
from your Machines inventory in vRA as the secure application VM you provisioned in the previous Exercise.

The DEVxxx VM is not on this list, because it was deliberately excluded from any NSX security policies.

Step 5 - Return to the vRA self-service portal

Close the vSphere Web Client browser tab in Firefox to return to the Self-Service Portal.

In the next Exercise, you'll test the NSX security policies against the secure application VM, and compare those
against the unsecured VM.

Exercise C.2.3 - Test NSX Security Policies and Application Functionality
In this Exercise, you will test the security policies of the two NSX-based applications you deployed in Exercise C.2.1,
using a test ping and an SSH connection attempt.

Finally, you will connect to each application using a web browser to confirm that the application works, regardless of
security policy.

NOTE: This Exercise assumes you are logged into vRealize Automation as devops_user@vlab.local.

Step 1 - Open a Notepad application instance

In this and subsequent Exercises in the Deploy Applications and Services with VMware NSX Lab, you'll need to use the
IP addresses of several VMs to validate security and application functionality. In a lab environment, the recommended
method is to record the IP addresses of the VMs in your environment in Windows Notepad.

Click the Start button on the desktop, and choose Notepad when the Start menu appears.

Return to the self-service portal

When Notepad has opened, click the Firefox button on the Windows taskbar to return to the self-service portal.

Step 2 - Capture the IP address of the unsecured application VM

From Exercise C.2.1, you should still be on the Items page.

You'll see both new application items on the Machines inventory page. In order to test network access between
components in the unsecured application, you'll need its IP address. The unsecure application is the item whose
name begins with EHC.

Click the VM's name (EHCxxx) to open its Details page.

NOTE: VM names in your environment may differ from those shown in this Guide. Depending on which prior Labs
you've completed, the Machines inventory list in your environment may also differ from what is shown here.

Continue to the Network page

From the Details page, click the Network tab.

Copy the VM's IP address to the Windows Clipboard

On the VM's Network page, you'll see its IP address. You'll need this address for the remainder of the Exercise.

1. Highlight the VM's IP address
2. Right click the highlighted area and select Copy from the popout menu.

NOTE: Keyboard shortcuts, such as <Ctrl>+<C> and <Ctrl>+<V>, do not work in the vLab HTML5 RDP environment. You will
need to use the mouse for all copy/paste activity.

Switch to Windows Notepad

Switch to the Notepad application on the Windows taskbar.

Label and paste the IP address into Notepad

In the Notepad window:

1. Enter Unsecured on the first line, then <Space>
2. Right-click after the space, and click Paste from the popout menu.

Step 3 - Ping the VM's IP address

Open a Windows Command Prompt session.

1. Click the Start button
2. From the Start Menu, click the Command Prompt shortcut

Ping the unsecured application VM's IP address

When the command window loads, enter ping <ip_address>, using the IP address you pasted into Windows Notepad in
the previous step.

Confirm successful ping

You should see four responses from the target VM, confirming that NSX is allowing ping traffic to and from the VM. This
is normal, since there is no security policy applied by NSX to this VM.

Step 4 - Launch SSH session to the unsecured application VM

Having confirmed you can successfully ping the target VM, you will now test SSH connectivity to the VM.

Without closing the Command Prompt window, click the PuTTY button on the Windows Taskbar to open the SSH,
Telnet and Rlogin client.

Connect to the unsecured VM

When the PuTTY Configuration window opens:

1. Enter the Unsecured VM's IP address, which you pasted into Notepad earlier, in the Host Name (or IP address)
window.

2. Click Open

Accept security warning message

You'll see a PuTTY Security Alert window, warning you that the target VM may have been compromised.

Click Yes to accept the VM's security key and continue.

Confirm login prompt

When the SSH client window opens, you'll see (1) a login prompt asking for credentials. In addition to allowing ping
traffic, NSX will also permit SSH connectivity to the VM, since there are no security policy restrictions in place.

Close the PuTTY client window (2) and return to the self-service portal.

Step 5 - Check the IP address of the secured application VM

In Firefox, you should still be on the Network tab of the unsecured application VM's Item Details page.

1. Scroll down to the bottom of the page
2. Click the Close button to return to the Machines inventory

Open the secure application VM's Details page

On the Machines inventory page, you'll again see both new application items.

NOTE: VM names in your environment may differ from those shown in this Guide. Depending on which prior Labs
you've completed, the Machines inventory list in your environment may also differ from what is shown here.

The secure application, whose IP address you'll need, is the item whose name begins with WEB.

Click the VM's name (WEBxxx) to open its Details page.

Open the VM's Network page

From the Details page, click the Network tab.

Copy the VM's IP address to the Windows Clipboard

On the VM's Network page, you'll see its IP address. You'll need this address for the remainder of the Exercise.

1. Highlight the VM's IP address
2. Right click the highlighted area and select Copy from the popout menu.

NOTE: Keyboard shortcuts, such as <Ctrl>+<C> and <Ctrl>+<V>, do not work in the vLab HTML5 RDP environment. You will
need to use the mouse for all copy/paste activity.

Switch to Windows Notepad

Switch to the Notepad application on the Windows taskbar.

Label and paste the IP address into Notepad

In the Notepad window:

1. Enter Secured on a new line, then <Space>
2. Right-click after the space, and click Paste from the popout menu.

Return to the self-service portal

Click the Firefox button on the Windows Taskbar to return to the self-service portal.

Close the Details page

1. Scroll down to the bottom of the page
2. Click Close to return to the Machines inventory.

Step 6 - Ping the secure VM's IP address

Click the Command Prompt button on the Windows Taskbar (it should still be open from earlier in the Exercise) to
return to the Command Prompt window.

Enter the secure VM's IP address

From the Command Prompt window, enter ping <ip_address>, using the IP address of the Secured VM that you pasted
into Notepad.

Confirm all packets lost

You'll see a 100% packet loss for this attempt due to the NSX security policy in place around this VM, which blocks all
non-essential traffic (including ping packets) from reaching the VM.

Close the command prompt window

When finished, close the Command Prompt window.

Step 7 - Launch SSH session to the secured application VM

Having confirmed you are unable to ping the target VM, you will now test SSH connectivity to the VM.

Click the PuTTY button on the Windows Taskbar to open the SSH, Telnet and Rlogin client.

Attempt to connect to the secured VM

When the PuTTY Configuration window opens:

1. Enter the Secured VM's IP address, which you pasted into Notepad earlier in the Exercise, in the Host Name
(or IP address) window.
2. Click Open

Confirm connection failure

Unlike the result you saw with the Unsecured virtual machine, in this VM you'll see that the connection attempt times
out, having been blocked by NSX using the VM's configured security policy.

Click OK to close the error warning, and close the PuTTY window to return to the Firefox browser.

Step 8 - Connect to the unsecure application instance

From the Firefox window, click to open a new browser tab.

Enter the unsecure VM's IP address

In the browser's Address window, enter http://<ip_address>:8080, using the IP address of the Unsecured VM from
Notepad, and press <Enter>.

Confirm application webpage loads

You'll see a webpage confirming the application functions successfully.

Step 9 - Connect to the secure application VM's IP address

In the same browser tab's Address window, enter http://<ip_address>:8080, this time using the Secured VM's IP
address from Notepad, and press <Enter>.

Confirm secure application webpage loads

You'll see a webpage confirming the application functions successfully, even with the NSX security policy. Non-
essential traffic to and from the application VM is blocked by NSX, but essential traffic continues to pass unimpeded.
NSX protects data and resources, while still enabling full application functionality.

Return to the Self-Service Portal

Now that you've confirmed that both new applications work, close the second browser tab in Firefox and return to the
Self-Service portal, then proceed to the next Exercise in the lab.
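
The SSH and browser checks in this Exercise can be repeated from a script. The following added example (not part of the original Guide) parses the label-and-address lines recorded in Notepad and compares TCP results on ports 22 and 8080 with the outcomes described above. The function names, the state names (open, refused, timeout) and the sample addresses are assumptions made for the example; the ping test is not covered.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Expected TCP result per Notepad label, from the outcomes in Exercise C.2.3:
# SSH reaches only the unsecured VM (the secured VM's attempt times out),
# and the application port 8080 answers on both VMs.
EXPECTED: Dict[str, Dict[int, str]] = {
    "Unsecured": {22: "open", 8080: "open"},
    "Secured": {22: "timeout", 8080: "open"},
}

# Constructed sample of the Notepad notes. The addresses are documentation
# placeholders (RFC 5737), not values from the lab.
SAMPLE_NOTES = """\
Unsecured 192.0.2.10
Secured 192.0.2.20
"""


def parse_notes(text: str) -> Dict[str, str]:
    """Parse '<label> <ip>' lines as recorded in Notepad during the lab."""
    hosts: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<label> <ip>', got {line!r}")
        label, addr = parts
        ipaddress.ip_address(addr)  # raises ValueError on a mistyped address
        hosts[label] = addr
    return hosts


def tcp_state(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused' (the host answered with a reset) or 'timeout'
    (no answer at all, which is what a silently dropping firewall rule produces)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error: {exc.strerror or exc}"


def verify(
    hosts: Dict[str, str],
    expected: Dict[str, Dict[int, str]] = EXPECTED,
    probe: Callable[[str, int], str] = tcp_state,
) -> List[Tuple[str, int, str, str]]:
    """Return (label, port, expected, observed) for every check that deviates."""
    mismatches = []
    for label, ports in expected.items():
        if label not in hosts:
            mismatches.append((label, 0, "address in notes", "missing"))
            continue
        for port, want in sorted(ports.items()):
            got = probe(hosts[label], port)
            if got != want:
                mismatches.append((label, port, want, got))
    return mismatches


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 2:
        sys.exit("usage: verify_segmentation.py <notes.txt>")
    with open(sys.argv[1], encoding="utf-8-sig") as fh:
        problems = verify(parse_notes(fh.read()))
    for label, port, want, got in problems:
        print(f"{label} port {port}: expected {want}, observed {got}")
    sys.exit(1 if problems else 0)
```

A 'refused' result on port 22 of the secured VM would mean the packet reached the VM, so the script reports it as a deviation from the timeout described in this Exercise.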

Exercise C.2.4 - Deploy a Scalable Multi-Tier NSX Application
In previous Exercises, you deployed two single-VM applications, one with an NSX security policy and one without.

Having tested and validated VMware NSX's ability to protect applications and application VMs, you'll now see how
NSX can also be configured to provision multi-tier applications. Once you've deployed the application, you'll scale it
out by adding new web-server VMs to the application, and then validate NSX's ability to load-balance traffic between
the new web VMs.

NOTE: This Exercise assumes you are still logged in as devops_user@vlab.local from Exercise C.2.3.

Step 1 - Launch a new multi-tier application request

From previous Exercises, you should be on the Machines inventory of the self-service portal.

Click the Catalog tab at the top of the portal.

Browse to the Applications service catalog page

From the Catalog page, click the Applications item in the navigation widget.

Request a new multi-VM application

When the Applications catalog page loads, locate the 2-Tier-App w/Microsegmentation catalog item, and click its
Request button.

Step 2 - Review available VM options

When the New Request page loads:

1. Note that within the Multi-Machine Service vApp header, there are two configured tiers.
2. Click the DB Tier row.

Review DB VM parameters

With the DB Tier row highlighted in the top section of the page:

1. Note that the Machines count in the Request Information section of the page limits you to a single VM.
2. Click the WEB Tier row at the top of the page.

Note Web VM count limit

With the WEB Tier row highlighted, you'll see that the Machines setting has changed, allowing you to provision 1-5
web server VMs into this application.

Submit the application request

At this point, you'll accept the default settings of one DB VM and one Web VM in this new application.

Click the Submit button at the bottom of the page to launch the deployment process.

Step 3 - Track the deployment status

Click OK to acknowledge submission of the new application request.

Open the Requests page

Click the Requests tab at the top of the Self-Service Portal to view the status of the new request.

Track the request status

At the top of the Requests page, you'll see the 2-Tier-App Micro-segmented application request that you just
submitted, whose status will show In Progress.

The new application will take 8 to 10 minutes to deploy. Use the Refresh button at the bottom of the page to reload the
page and update the status of your request.

Confirm successful request

When the application's Request status has updated to Successful, your application has been deployed.

NOTE: If the deployment fails, go back to the step Browse to the Applications service catalog page and deploy
the 2-Tier-App w/Microsegmentation application one more time.

Step 4 - Capture the new application's DB server IP address

In order to connect to your new application and validate its NSX security policy settings, as well as its functionality,
you'll need to get its IP address from vRA. Click the Items tab at the top of the Self-Service Portal.

Expand the vApp container

At the top of the Machines inventory list, you should see a vApp container whose name begins with EHC... This is your
new multi-VM application instance.

NOTE: The vApp name in your environment may differ from what is shown in this Guide. Additionally, the items in your
environment may differ based on which Labs you've completed.

Click the + symbol to the left of the vApp to expand the vApp container.

Open the DB server's Details page

In the now-expanded vApp, click the DB server's name to open its Details page.

NOTE: The DB server name in your environment may differ from what's shown in this Guide.

Open the Network page

When the Item Details page loads, showing the DB server's hardware settings and additional configuration data, click
the Network tab at the top of the page.

NOTE: The DB server name in your environment may differ from what's shown in this Guide.

Copy the DB server's IP address

On the DB VM's Network page:

1. Highlight the server's IP address
2. Right-click the highlighted IP address, and select Copy from the popup menu.

Switch to Windows Notepad

Click the Notepad application button on the Windows Taskbar.

Paste the database server VM's IP address

In the Notepad application window:

1. Enter Database on a new line, followed by <Space>
2. Right-click after the space on the new line, and click Paste from the popup menu.

Step 5 - Test NSX security around the DB VM

Click the Command Prompt button on the Windows Taskbar (it should still be open from earlier in the Exercise) to
return to the Command Prompt window.

Ping the DB server's IP address

In the Command Prompt window, enter ping <ip_address>, using the IP address of the Database server that you pasted
into Notepad, and then press <Enter>.

Confirm all packets lost

You'll see a 100% packet loss for this attempt due to the NSX security policy in place for the database VM, which
blocks all non-essential traffic (including ping packets) from reaching the VM.

Return to the vRA portal

Close the Command Prompt window and return to the Firefox browser and the DB VM's Network details page.

Step 6 - Capture the new application web server's IP address

When the Command Prompt window closes, you'll return to the DB server's Item Details page, showing its IP address.

1. Scroll down to the bottom of the page
2. Click the Close button to return to the Machines inventory

Expand the vApp container object again

When the Machines inventory page loads, you'll see the DEV... vApp at the top of the list again.

NOTE: The vApp name in your environment may differ from what is shown in this Guide. Additionally, the items in your
environment may differ based on which Labs you've completed.

Click the + symbol to the left of the vApp to expand the vApp container.

Open the web server's Details page

In the now-expanded vApp, click the Web server's name to open its Details page.

NOTE: The Web server name in your environment may differ from what's shown in this Guide.

Open the Network page

When the Item Details page loads, showing the Web server's hardware settings and additional configuration data,
click the Network tab at the top of the page.

NOTE: The Web server name in your environment may differ from what's shown in this Guide.

Copy the web server's IP address

On the Web VM's Network page:

1. Highlight the Web VM's IP address
2. Right-click the highlighted IP address, and choose Copy from the popout menu.

Switch back to Windows Notepad

Click the Notepad application button on the Windows Taskbar.

Paste the web server VM's IP address

In the Notepad application window:

1. Enter Web on a new line, followed by <Space>
2. Right-click after the space on the new line, and select Paste from the popup menu.

Return to the self-service portal

Click the Firefox button on the Windows Taskbar to return to the self-service portal.

Step 7 - Connect to the web server via browser

From the Firefox window, click to open a new tab.

Connect to the web server's IP address

In the browser's Address window, enter <ip_address>:8080, using the IP address of the Web server from Notepad, and
press <Enter>.

Confirm web page

When the webpage loads, you'll see a confirmation page showing the web server's UID and IP address.

NOTE: The web server's UID, IP address, and the color of the webpage may differ from what is shown in this Guide.

Step 8 - Review DB server connectivity from the web application

You'll also see a port scanning feature on the web page, offering to test IP address and port connectivity.

1. In the Enter an IP address to scan window, enter the Database server's IP address, which you pasted into
Notepad earlier in the Exercise.
2. Click Scan ports, using the pre-configured port list.

Review open ports between web and DB servers

1. You'll see the results of the port scan. Note that, per the NSX security policy, only one port is open between
the web and database servers: Port 6379 is open, since that is the only port needed for Redis database
connectivity from the web server. NSX is blocking all non-essential ports.
2. Click Return to the main page.

Step 9 - Test database connectivity

Back on the original web page, click the Test Redis database connectivity link at the bottom of the page.

Provide database server IP address

When the Test Redis Database connectivity page loads:

1. Enter the IP address of the Database server, which you pasted into Notepad earlier in this Exercise.
2. Click the Test connectivity button.

NOTE: The IP address of the DB server in your environment may differ from what's shown in this Guide.

Confirm successful connection

You'll see a new webpage, confirming that access between the web and DB servers is successful through the NSX
security layer.

NOTE: If you see a timeout error when connecting to the database server, click the Try Again button using the same
database server IP address.

Proceed to next Exercise

Now that you've verified database connectivity between the web and DB tiers, continue to Exercise C.2.5, in which
you'll write a test value to the Redis database and then verify it from the vSphere Web Client.

Exercise C.2.5 - Writing and Validating Test Data to Application Database
In this Exercise, you'll write a test key and value to the Redis database of the multi-tier application you deployed in
Exercise C.2.4. You'll also use the vSphere Web Client to edit the WEB Tier security policy, and then use SSH to
validate the test data from the Redis database.

Step 1 - Add new data to the Redis database

From the final Step of Exercise C.2.4, you should still be on the Testing Redis Database connectivity & reading data
page of the multi-tier application that you just provisioned.

At the bottom of the page are two windows: one for creating a new database key, and the other for an associated value
with the new key.

1. In the Enter a KEY window, enter DB-TEST
2. In the Enter a VALUE window, enter the current date, in YYYYMMDD format
3. Click Add to the Redis Database

Confirm addition of new Key

You'll see a confirmation page, advising that the new key and value were successfully added to the database.

Click the Return to the "Test Redis Database connectivity" page link.

Step 2 - Log in to vCenter using the vSphere Web Client

Open a new browser tab in Firefox.

Connect to the vSphere Web Client

From the new browser tab, click the vSphere Web Client button in the Favorites menu bar.

Log in to vSphere if necessary

You should automatically load the vSphere Web Client homepage using credentials cached from your activity in
Exercise C.2.2, in which case you may proceed to Step 3. If you are prompted to log in again when the vSphere Web
Client login page appears:

1. Enter ehc_nsx_ent_admin@vlab.local in the User name field
2. In the Password field, enter Password123!
3. Click Login

Step 3 - Open the NSX Service Composer page

When the vSphere Web Client page loads, click the Networking & Security link in the Navigation column.

Continue to the Service Composer

From the Networking & Security menu, click the Service Composer link.

Step 4 - Review the current Security Group settings

The Security Groups page will load.

1. This time, the WEB Tier Security Group shows two VMs instead of the single VM you saw in this
column in Exercise C.2.2: in addition to the original VM you provisioned in Exercise C.2.1, it now includes the
web server of the multi-tiered application that you deployed in Exercise C.2.4.
2. You'll also notice that there is a single VM in the DB Tier Security Group's row. Click the 1 in the DB Tier
Security Group's row of the Virtual Machines column.

Confirm database server in security group

You'll see a single VM in the popup box, corresponding to the DB server of the multi-tiered application that you
provisioned in Exercise C.2.4. Click the x symbol in the upper-right corner of the box to return to the Security Groups
page.

NOTE: The name of the DB VM in your environment may not match what is shown here in the Guide.

Return to the Security Groups page

Back on the Security Groups page, click the 1 under the Security Policies column, in the DB Tier Security Group row.

Open the DB security policy

In the DB Tier Security Group - Security Policy box, click the DB Tier Security Policy link.

Open the Firewall Rules view

When the Manage Security Policy box opens, click the 2 Firewall Rules navigation link in the left column.

Review DB server rules

You'll see two rules in the policy, applied in order:

1. Allow Redis database traffic on port 6379 (the REDIS service)
2. Block any other traffic

When finished, click the Cancel button at the bottom of the page.

Step 5 - Enable SSH connectivity to the Web server

From the Security Groups page in the vSphere Web Client, click the Security Policies tab.

Locate the WEB Tier Security policy

When the Security Policies page loads, click to highlight the WEB Tier Security Policy row.

Edit the WEB Tier Security Policy

With the WEB Tier Security Policy highlighted:

1. Click the Actions button at the top of the table
2. From the drop-down Actions menu, click Edit

Select the Firewall Rules page

When the WEB Tier Security Policy - Security Policy page loads, click 3 Firewall Rules in the left-hand navigation
column.

Add a new line item to the security policy

Under the Firewall Rules panel of the WEB Tier Security Policy - Security Policy page, click the green + symbol to add a
new rule to the WEB Tier policy.

New Firewall Rule

In the New Firewall Rule configuration box:

1. Enter Allow SSH to WEB in the Name field

2. Click the Change... hyperlink on the Source section of the box

Select allowed sources

When the Allow SSH to WEB - Select Source page loads:

1. Click the Any radio button to allow connectivity from any source
2. Click OK

Select the allowed Destination

Back on the New Firewall Rule box, click the Change... hyperlink on the Service section of the box.

Allow SSH service connectivity

In the Allow SSH to WEB - Select Service and Service Groups box:

1. Click the Select services and service groups radio button
2. Enter ssh in the search box
3. Click the magnifying glass search icon

Select SSH service

The service list will clear, leaving only SSH.

1. Check the box next to SSH
2. Click OK

Submit new rule

To recap, this new rule will enable SSH access from any source to any server in the WEB Tier.

Click OK to add the rule to the WEB Tier Security Policy.

Re-prioritize the new rule

You'll see the new rule, Allow SSH to WEB, at the bottom of the Firewall Rules list.

Click the Move up button at the top of the table, once, to move the rule up to the #3 priority, and ensure that the new
SSH rule won't be overridden by the Block any to WEB rule.
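
The ordering effect described above, as an added example that is not part of the original lab guide: a small top-down, first-match model of the two policies, with a check for rules that can never fire because an earlier rule covers them. The guide does not list rules #1 and #2 of the WEB Tier policy, so the two placeholder rules and their ports are constructed, and every rule is modelled with source Any.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard: matches every protocol or every port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "block"
    protocol: Optional[str] = ANY   # source is Any for every rule modelled here
    port: Optional[int] = ANY

    def matches(self, protocol: str, port: int) -> bool:
        return self.protocol in (ANY, protocol) and self.port in (ANY, port)

    def covers(self, other: "Rule") -> bool:
        """True when every flow `other` matches is also matched by this rule."""
        return (self.protocol in (ANY, other.protocol)
                and self.port in (ANY, other.port))


def evaluate(policy: List[Rule], protocol: str, port: int) -> Tuple[str, Optional[str]]:
    """Walk the policy top-down; the first matching rule decides."""
    for rule in policy:
        if rule.matches(protocol, port):
            return rule.action, rule.name
    return "no-match", None


def shadowed(policy: List[Rule]) -> List[Tuple[str, str]]:
    """Return (unreachable rule, rule that hides it) pairs."""
    findings = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if earlier.covers(later):
                findings.append((later.name, earlier.name))
                break
    return findings


def move_up(policy: List[Rule], name: str) -> List[Rule]:
    """Swap the named rule with the one above it, like the Move up button."""
    rules = list(policy)
    i = next(n for n, r in enumerate(rules) if r.name == name)
    if i > 0:
        rules[i - 1], rules[i] = rules[i], rules[i - 1]
    return rules


# DB Tier Security Policy as the guide lists it (Redis runs over TCP).
DB_POLICY = [
    Rule("Allow Redis", "allow", "tcp", 6379),
    Rule("Block any other traffic", "block"),
]

# WEB Tier Security Policy immediately after the new rule is added at the bottom.
# Rules #1 and #2 are constructed placeholders; the guide does not show them.
WEB_POLICY_AS_ADDED = [
    Rule("placeholder rule 1 (constructed)", "allow", "tcp", 8080),
    Rule("placeholder rule 2 (constructed)", "allow", "tcp", 443),
    Rule("Block any to WEB", "block"),
    Rule("Allow SSH to WEB", "allow", "tcp", 22),
]

# The same policy after one click on Move up: the SSH rule is now #3.
WEB_POLICY_REORDERED = move_up(WEB_POLICY_AS_ADDED, "Allow SSH to WEB")

if __name__ == "__main__":
    for label, policy in (("as added", WEB_POLICY_AS_ADDED),
                          ("reordered", WEB_POLICY_REORDERED)):
        print(label, "SSH ->", evaluate(policy, "tcp", 22),
              "shadowed:", shadowed(policy))
    print("DB Redis ->", evaluate(DB_POLICY, "tcp", 6379))
    print("DB SSH   ->", evaluate(DB_POLICY, "tcp", 22))
```

Running the same shadow check against an exported rule list before clicking Finish catches an allow rule that was left below a catch-all block.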

Submit the Policy change

With the new Allow SSH to WEB rule now at #3 in the priority list, click Finish to submit the change and update the
policy.

Step 6 - Log in to the Web server via SSH

Click the SSH, Telnet and Rlogin client button on the Windows Taskbar at the bottom of the page.

Connect to the Web server's IP address

In the PuTTY Configuration page:

1. Enter the Web server's IP address, which you pasted into Notepad in Exercise C.2.4.
2. Click Open to continue.

Decline the certificate prompt

You'll see a security alert regarding the Web server VM's host key. Click No to decline the certificate update.

Provide login credentials

When the login as: prompt appears, enter root, and press <Enter>.

Enter password

When prompted for the password, enter Password123! and press <Enter>.

Step 7 - Query the Redis database

From the prompt in the SSH window, enter redis-cli -h <db_ip_address>, using the IP address of the DB server from
earlier, and then press <Enter>.

NOTE: The IP addresses in your environment may differ from those shown in this Guide. If you need the DB server's IP
address, it should still be shown on the web server tab of your Firefox browser.

Query the database for all available keys

You'll see the prompt change, showing you have an open Redis query to the DB server.

Enter keys * and press <Enter>.

Confirm Key from earlier Exercise

1. You'll see the query return the "DB-TEST" key that you entered in Step 1 of this Exercise.
2. At the prompt, enter get DB-TEST and press <Enter>.

Confirm Value from earlier Exercise

You'll see the date field that you entered in Step 1 of this Exercise, confirming that NSX blocks nonessential traffic, but
allows application data to pass between tiers in this application.

Return to the Firefox browser

1. At the Redis query prompt, enter exit and press <Enter>
2. Close the PuTTY window to return to the Firefox browser.

Continue to Exercise C.2.6

In the next Exercise, you'll add four new web servers to the existing web application, then test VMware NSX's
load-balancing capabilities.

Exercise C.2.6 - Add New Web Servers to Application and Test NSX Load Balancing

In this Exercise, you'll add four new web servers to the multi-tier application that you created in Exercise C.2.4. You'll
then test the load-balancing capabilities of VMware NSX by connecting to the application and verifying all web servers
are taking traffic evenly.

Step 1 - Return to the vRA Machines inventory page

From Exercise C.2.5, you should still be on the application web page in Firefox. Close the vSphere Web Client and the
application web server tabs to return to the Self-Service Portal.

Close the web server's Item Details page

Again from the previous Exercise, you'll see the web server VM's Network page in vRealize Automation.

1. Scroll down to the bottom of the page
2. Click Close to return to the Machines inventory

Step 2 - Deploy additional web server VMs to the application

On the Machines page, you'll see the vApp that you deployed in Exercise C.3.5 at the top of the page. Click to highlight
the DEV... vApp row.

NOTE: vApp and VM names in your environment may not match those shown in this Guide.

Launch the Add Components wizard

1. Click the Actions button at the top of the page
2. When the drop-down menu appears, click Add Components

Select the web tier for additional VMs

When the New Request page loads, click to highlight the WEB Tier row at the top of the page.

Add new web servers

1. With the WEB Tier row highlighted at the top of the page, scroll down (if necessary) to the bottom of the page
2. Change the Machines field on the Request Information tab to 4

3. Click Submit

This will deploy four additional web server VMs to the application's WEB tier.

Acknowledge the request submission

Click OK to acknowledge that the request has been submitted.

Open the Requests page

Click the Requests tab to view the status of the new VM requests.

Confirm successful deployment

Provisioning four new web servers should take 1-2 minutes.

If the Status does not already show Completed, click the Refresh button at the bottom of the page to reload the
Requests table. Repeat as necessary.

Return to the Items page

When the four new VMs have been successfully deployed, click the Items tab to return to the Machines inventory.

Step 3 - Confirm new VMs

1. On the Machines page, click the + symbol in the left column to expand the DEVxxx vApp.
2. If the expanded vApp still shows only a single Web server, wait 5-10 minutes for all four new Web server VMs
to power on and initialize, then click the Refresh button at the bottom of the Machines page, and click to
expand the DEV... vApp again.

NOTE: Machine names in your environment may differ from those shown in this Guide. Additionally, the items in your
environment's inventory will be based on which Labs you have completed, and may vary from those shown here.

View vApp Details

Once all new VMs have initialized, you'll see that there are now five Web server VMs, rather than the single VM that
had previously been in the WEB tier.

Click the View Details button at the top of the Machines page.

NOTE: VM names in your environment may differ from those shown in this Guide.

Step 4 - Capture the virtual IP address of the vApp

Click the Network tab in the vApp's Item Details page.

View the WEB Tier's Network details

Now that there are five web VMs attached to this vApp, NSX has enabled automatic load balancing across all five
servers. To connect to this newly expanded application, you'll use a virtual IP address, rather than connecting directly
to the original Web server VM's IP address as you did in previous Exercises.

Click the View hyperlink to see the WEB Tier layer's Network details.

Note the Load Balancer Virtual IP address

In the View Network box, you'll see a Load Balancer configuration form. This page shows the open ports, health-check
settings, as well as the Virtual IP address for the load balanced web server farm. As you can see, this application is
configured to distribute HTTP port 8080 traffic across five web servers.

1. Scroll to the bottom of the Load Balancer form
2. Note the Virtual IP address of the web service. You will need it to test the NSX load-balancing feature.
3. Click OK

NOTE: The Virtual IP address of the load-balanced web server array is automatically assigned by NSX, and the IP
address field is grayed out. You will be unable to copy the IP address to the Windows clipboard.

Close the Load Balancer item Details page

Again from the previous Exercise, you'll see the Load Balancer's Network page in vRealize Automation.

1. Scroll down to the bottom of the page
2. Click Close to return to the Machines inventory

Step 5 - Connect to the load-balanced web farm

Open a new browser tab in Firefox.

Use the Virtual IP address

In the new browser tab's Address window, enter <virtual_ip_address>:8080, using the Virtual IP address that you noted
earlier, and press <Enter>.

Confirm connectivity to the Virtual IP address

You'll see a web page load, confirming that the Virtual IP address loads the same application that you've seen in
previous Exercises.

1. While the Virtual IP address that you entered still shows in the browser bar...
2. ...note that the application has been configured to return the actual IP address of the web server to which
you're connected.
3. Click the Refresh button at the far right end of the Address bar to refresh the page.

Step 6 - Cycle through the remaining web servers

Upon reloading the page, you'll see that NSX has connected your Virtual IP to a different web server:

1. The Web server's unique id value has changed.
2. The Web server's IP address has been updated to show a different web server.
3. The web page has changed color.

Reload the page through three more web servers

Use the browser's Refresh button to reload the page. After the fifth page refresh, you should have returned back to the
first web server again. The Web server's unique id and the Web server's IP address fields will cycle through all five web
servers as you refresh the page.

Close the web server tab

Close the web server tab in Firefox, leaving only the Self-Service Portal tab open.

Close Notepad et al

Close the Notepad application window without saving its contents. If the Command Prompt or PuTTY windows are still
open, close them also.

Conclusion

VMware NSX enables a powerful set of tools for your Enterprise Hybrid Cloud environment. Its micro-segmentation
capabilities let you secure your applications at the individual tier level, and its load-balancing feature means you can
easily scale out your applications for greater application availability and performance.

NSX offers features that in a traditional IT enterprise would require a complex planning phase and manual
configuration for every new application that an IT organization deploys. With the automated micro-segmentation and
load-balancing features of VMware NSX, this level of protection is enabled even for self-service applications. IT users
see much faster application and service deployments, and business users see much greater IT agility and rapid
delivery of IT value.

Based on the material covered in Lab C.2, you may also be interested in the following additional Labs:

- To see how application and service deployments can be automated and enabled for end-user provisioning,
  please proceed to Lab C.3 - Deploy a Puppet VM.
- An overview of how an Enterprise Hybrid Cloud environment can be integrated with enterprise CMDB
  processes is shown in Lab B.3 - Integrated CMDB Management with ServiceNow.
- For a look at managing an Enterprise Hybrid Cloud virtual machine from provisioning to retirement, please
  complete Lab C.1 - Virtual Machine Lifecycle Management.
- To see how to leverage additional add-on functionality to secure your Enterprise Hybrid Cloud virtual
  machines with VM volume-level encryption, take a look at Lab C.4 - Securing VM Data Using CloudLink.

Lab C.3 - Deploy a Puppet VM
(10-15 minutes)

Exercise C.3.1 - Deploy a Tomcat web server using Puppet
In this Exercise, you'll log on to vRealize Automation as the Developer user, and use an IaaS blueprint that leverages
Puppet and vCenter Orchestrator to provision a virtual machine with Tomcat web services automatically installed as
part of the deployment process.

Estimated time necessary to complete this Lab: 10-15 minutes

Step 1 - Log in to vRealize Automation

NOTE: If you are still logged in to vRealize Automation as the Developer persona from the previous Lab, you may
proceed directly to Step 2. If not:

From the vRealize Automation login portal, enter the following credentials:

1. User name: devops_user@vlab.local
2. Password: Password123!
3. Click Login

Step 2 - Log in to vCenter Orchestrator

You'll also need to log into vCenter Orchestrator to monitor the Tomcat server deployment process, which will initiate
automatically once the base VM has been provisioned.

1. Click the Start button in the lower-left corner of the desktop
2. Click the vCenter Orchestrator Client item in the Start Menu

Provide login credentials for vCO

When the VMware vCenter Orchestrator Login... page loads, enter the following account information:

1. In the Username field, enter cloud_admin@vlab.local
2. In the Password field, enter Password123!
3. Click Login to continue

Step 3 - Open the Puppet workflows view

When the vCO client loads, click the Workflows tab in the left-hand panel.

Expand the Workflow library

From the Workflows page:

1. Click the drop-down arrow to the left of the Workflows list
2. Expand the vLab folder

The workflows in this folder will deploy the Puppet agent to the Linux VM you'll provision in this Exercise. You'll come
back to monitor the status of these workflows after deploying the VM.

Switch back to vRA

Click the Firefox browser button on the taskbar to return to vRealize Automation.

Open the Catalog page

If you're still on the Items page from the previous Lab, click the Catalog tab at the top of the page.

Step 4 - Configure and request a new Tomcat server VM

Once you've returned to vRA, click the Applications Service item in the Navigation widget.

Launch Tomcat server request

From the vLab Development catalog window, click the CentOS - Puppet - Tomcat catalog item's Request tab.

Load request configuration wizard

From the Tomcat VM's New Request wizard page, accept the default settings and click Submit.

Confirm request submission

When the request confirmation window appears, click OK to return to the Catalog page.

Step 5 - Open the Requests page

From the Catalog, click the Requests tab.

Monitor deployment status

On the Requests page, you'll see the deployment status of your new VM, showing In Progress.

NOTE: The full deployment cycle - creating a new VM and deploying the Tomcat binaries - should take 5-10 minutes to
complete.

Step 6 - Track deployment status in vCenter Orchestrator

Click the VMware vCenter Orchestrator button on the taskbar at the bottom of the desktop to return to the vCO client.

Monitor vRO for Puppet workflow launch

Click to highlight the FEHC-Puppet-Integration workflow

Open the workflow's Schema view

In the right-hand panel of the vCO client, click the Schema tab

Track workflow status

When the VM provisioning operation completes, vRO will automatically launch the Puppet workflows to install a
Puppet agent and then deploy Tomcat binaries to the VM.

1. You'll see the workflow launch in the vRO client
2. The current operation status appears in the upper right-hand panel
3. Use the Logs tab in the lower right-hand panel to monitor the active task and status

Confirm workflow completion

When the installation completes (should take 5-7 minutes), the workflow icon will change from running (green
triangle) to completed (green checkmark), indicating the successful deployment of a new Linux VM with Tomcat
installed automatically.

Switch back to vRealize Automation

Click the Firefox browser button on the taskbar to return to vRealize Automation.

Step 7 - Confirm successful request status

From vRA, click the Requests tab.

Reload the Requests status page

From the Requests page:

1. Click Refresh to update the status
2. Verify the request status is Successful, confirming the completed deployment of the new Tomcat web
server.

Troubleshooting

If the Tomcat server deployment fails, it may be due to a startup or service failure on the Puppet Enterprise master
server. To restart the server and attempt the request again, please turn to the Troubleshooting section at the end of the
lab guide and refer to the restart procedure in the Restarting the Puppet Master Server Exercise.

Step 8 - Discover the new VM's IP address

To confirm the successful deployment of a Tomcat web server, you'll use a web browser to connect to the new VM's IP
address. To find the new VM's IP address, click the Items tab in vRA.

Open the VM's Details page

On the Machines page, you'll see a VM with a Tomcat icon, corresponding to the new VM you just deployed.

NOTE: VM names in your environment may differ from those shown in this Guide. If there are multiple Tomcat VMs in
the Machines inventory, use the Date Created value in the right column to identify the VM you just provisioned.

Click the VM's name to open the Details page.

Open VM's Network properties page

From the VM's Details page, click the Network tab.

Note VM's IP address

You'll see the new VM's IP address, which was automatically assigned by vRA during the deployment process.
Highlight the IP address, which you'll use to connect to the VM in the next step, and Copy it to your clipboard.

Step 9 - Connect to the new VM's webpage

Click the New tab icon in the Firefox title bar.

Paste new VM's IP address

In the Address window of the new browser tab, paste the VM's IP address, and append :8080 to the end to connect to
the Tomcat server management port.

Confirm Tomcat server webpage

You'll see the Tomcat server management page appear, confirming that Tomcat has been successfully installed on the
new VM.

Step 10 - Destroy the Tomcat VM

Close the new web server's browser page to return to vRA.

Initiate VM destruction sequence

From the VM's Details page, click the Destroy link to delete the VM.

Confirm request

Click the Submit button to confirm your deletion request.

Acknowledge submission

Click OK to return to the VM's Details page

Close the VM's Details page

From the VM's Details page, click the Close button to return to the Items inventory.

Summary

In addition to the more familiar IaaS capabilities of the Enterprise Hybrid Cloud - storage provisioning, self-service VM
deployments, IT governance and approval support - you can also leverage third-party integration tools, such as Puppet
Enterprise, to automate application deployments. This means that, while maintaining IT ownership and control over
deployment processes and user entitlements, you can provide rapid service rollouts, business-critical workloads at
scale, and even complex multi-tier application stacks directly to your business customers.

With the flexibility and power of Puppet Enterprise, your Enterprise Hybrid Cloud solution can deliver even greater
service agility, power, and value to IT and customers alike.

Based on the concepts you explored in this Lab, you may be interested in the following additional Labs, which offer
more in-depth experience with some related topics:

- The overall process of managing a virtual machine from deployment to retirement is covered in detail in
  Lab C.1 - Virtual Machine Lifecycle Management.
- To see how an Enterprise Hybrid Cloud can be configured to automate the requisition and deployment of
  complex, secure web applications, please see Lab C.2 - Deploy Applications and Services with VMware NSX.
- For a look at how automated services and policies can be applied to end-user VMs as part of the deployment
  process, complete Lab B.3 - Integrated CMDB Management with ServiceNow and Lab C.4 - Securing VM Data
  Using CloudLink.

Lab C.4 - Securing VM Data Using CloudLink

Exercise C.4.1 - Connect to the Cloud Experience Center and launch the demo
You may already be familiar with the Enterprise Hybrid Cloud's optional data protection modular add-on features:

- Backup and Restore
- Continuous Availability
- Disaster Recovery

By integrating CloudLink's volume-encryption capabilities into your cloud environment, you can also protect your
sensitive corporate data from unauthorized access or theft. In this Lab, you will use the Cloud Experience Center to see
how to provision and manage virtual machines that use volume-level encryption to secure business data.

Due to the highly virtualized nature and limited size of the vLab environment, however, this lab session is unable to
support anything beyond local IaaS and limited-scope application deployment blueprints. To demonstrate some
additional uses and capabilities of an Enterprise Hybrid Cloud, we've created a number of interactive demos,
accessible through the Cloud Experience Center at http://interactivedemos.emc.com/ehc, which you can step through
as part of your lab experience today.

Estimated time necessary to complete this Lab: 5-10 minutes

Step 1 - Connect to the Cloud Experience Center

NOTE: You may already have the Cloud Experience Center loaded from a previous Lab. If so, skip this Exercise and
proceed directly to Exercise B.3.2 to continue.

You'll begin by opening a new Chrome browser instance from the Windows Taskbar.

Step 2 - Continue to the next Exercise to launch the demo

To begin the demo, proceed to Exercise C.4.2.

Exercise C.4.2 - Provisioning a New VM with CloudLink Encryption
In this Exercise, you'll provision a Windows 2012 Server virtual machine that leverages a CloudLink security policy.
You'll assign an encryption setting during the deployment process to secure the VM's System and Data volumes, and
then monitor the deployment process to completion and validate the VM's security status.

Virtual machines deployed from the Windows Server 2012 VM with CloudLink enabled volume encryption catalog item
use a standard IaaS blueprint. Once the VM is deployed, CloudLink will launch an agent inside the VM that
automatically encrypts the VM's volume(s) according to the policy that we'll specify when we request the VM.

Step 1 - Launch the CloudLink demo

From the Cloud Experience Center's demo menu, click the Securing VMs and Data using CloudLink menu item near the
bottom of the Cloud Admin column.

Select the first demo

When the pop-out submenu appears, select Provision an Encrypted VM to launch the demo.

Step 2 - Request a Windows VM with CloudLink security

When the Service Catalog page opens, click the Virtual Servers item in the navigation widget on the left side of the
page.

Launch the New VM wizard

When the Virtual Servers catalog page loads, click the W2K12-CloudLink catalog item's Request button.

Step 3 - Configure VM settings

The VM provisioning wizard uses a standard IaaS deployment form.

Since this is a multi-site environment, you'll need to specify the target location for the new VM.

Click the Location field's drop-down button, and choose CTC MR31 EHC Private from the menu.

Set the VM's CloudLink Encryption Policy

To set the VM's CloudLink encryption policy:

1. Scroll down to the bottom of the New Request page
2. Click the drop-down button in the Encryption Policy window, and select BootAllData from the menu. This will
encrypt the VM's boot volume and all data volumes as soon as the VM is deployed.
3. Click Submit to create the new VM.

Confirm request submission

Click OK to open the Requests tab and view the status of the request.

Step 4 - Track the request

The Requests page will show the new CloudLink Windows VM deployment request as currently In Progress.

Click the Refresh button at the bottom of the page to reload the page and update the status.

Confirm successful deployment

The status of the request will update to Successful, confirming the deployment of the Windows VM.

Click the Items tab at the top of the page to see the new VM.

View the new VM

On the Items page, you'll see the new VM, CL-Win36.

Click anywhere on the page to open the CloudLink Center administration console, where you'll track the new Windows
VM's volume encryption progress.

Step 5 - Open the CloudLink Center administration console

NOTE: This portion of the Exercise is a click-through demo. Regardless of where the cursor is on the page, clicking the
mouse will advance to the next step.

You'll see the CloudLink Center administration console's Home page, giving a dashboard view of our environment's
current CloudLink status.

Click anywhere on the page to open the SecureVM page, then click a second time to open the Virtual Machines page,
where you'll track the encryption progress of the new Windows VM.

View managed machines

This page shows the current inventory of CloudLink managed/protected machines.

Now that CL-WIN36 has deployed, CloudLink will be notified that there is a new VM awaiting encryption.

Click anywhere on the page to continue.

Discover new VM

Once CloudLink adds the new VM to its inventory, it will connect to the VM and launch an agent to begin encrypting
the VM's volumes in accordance with the policy you configured in Step 3 above.

Click anywhere on the page to continue.

View details of new VM

You'll see the expanded view of the VM, showing (1) its configuration settings (IP address, operating system, security
policy) and current encryption status.

When you deployed CL-WIN36, you set its CloudLink security policy (2) to encrypt all local volumes on the VM. You'll
see (3) that the New Volume (D:) drive has already been encrypted, and the encryption process for (C:) is now
underway.

Click anywhere on the page to continue.

Complete encryption operation

Once the encryption of the C: drive completes, the VM has been fully encrypted by CloudLink and is now compliant
with its assigned security policy.

Click anywhere on the page to return to the Items page in vRealize Automation.

Summary

Data protection, using volume-level encryption from CloudLink, is as simple as requesting a VM from the catalog.
Cloud-enabled automation can deploy VMs, protect against data loss (using integrated backup), and protect against
unauthorized data access (using integrated encryption).

Click anywhere on the page to advance to the next demo, and proceed to Exercise C.4.3, in which you'll add a new
volume to the CL-WIN36 VM that you just provisioned.

Exercise C.4.3 - Add a New Volume to a VM
In this Exercise, you'll add a new volume to the Windows VM you deployed in Exercise C.4.2, and then watch
CloudLink automatically discover and encrypt the new volume.

Step 1 - Add a new volume to the VM

From the previous Exercise, you should be on the Machines page, where the CL-WIN36 VM is the only item in the
inventory.

Click the VM's name to open its Details page.

Reconfigure the VM

From the VM's Item Details page, click the Reconfigure hyperlink in the Actions menu.

Step 2 - Add new storage volume

On the Reconfigure page, click the Storage tab.

Create a volume

From the Storage page, click the New Volume link in the upper right corner of the page.

Set the storage volume capacity and policy

1. In the Capacity window of the New Volume row, enter 40 to set the new volume size to 40GB.
2. Click the drop-down button in the Storage Reservation Policy window, and select Diamond from the menu.
3. Click the green check symbol at the left end of the new entry to save the New Volume settings.

Submit the request

Click Submit to create the new volume on the Windows VM.

Confirm request submission

Click the OK button to open the Requests tab to view the status of the request.

Step 3 - Monitor the request

When the Requests page loads, you'll see the Reconfigure request at the top of the list, with its current status set to In
Progress.

Click the Refresh button at the bottom of the page to reload the page and update the status.

Confirm request success

When the page reloads, the status will show Successful.

Click anywhere on the page to return to the CloudLink Center administration console's Virtual Machines page, where
you'll track the new volume's encryption status.

Step 4 - Open the CloudLink Center administration console

On the SecureVM > Virtual Machines page of the CloudLink Center administration console, you'll see the CL-WIN36
Windows VM, still highlighted from the previous Exercise, with both its C: and D: volumes successfully encrypted.

Once CloudLink has been notified of the existence of a new volume, it will connect to the VM and encrypt the drive
automatically.

Click anywhere on the page to continue.

View the new volume encryption

You'll see the new volume encryption process begin automatically.

Once encryption has been successfully completed, click anywhere on the page to connect to the CL-WIN36 VM directly
and verify volume encryption from within Windows.

Step 5 - Verify volume encryption

The CloudLink Center window will close, and a Windows RDP session will open in its place, showing a blank Windows
desktop.

NOTE: This portion of the Exercise is set on auto-drive, so clicking the mouse will advance automatically, regardless of
the cursor's position in the window.

In this Step, you'll confirm the encryption of the VM's local volumes through the operating system. Click anywhere on
the page to continue.

Confirm the SecureVM agent settings

The CloudLink SecureVM agent window will open on the desktop, showing that all three local volumes (the original C:
and D: drives, plus the F: volume that you added in this Exercise) are encrypted.

Click anywhere on the page to continue. When the SecureVM agent window closes, click again to advance, and
continue until the Windows Explorer window opens on the desktop.

Confirm encryption in Windows Explorer

In Windows Explorer, the open padlock icon next to each volume indicates that the volume is both encrypted and
write-enabled, in compliance with the VM's CloudLink security policy that you assigned in Exercise C.4.2.

Click anywhere on the page to return to the Items window in vRealize Automation.

Step 6 - Return to the Cloud Experience Center Menu

The security policy associated with this VM, which you set in Exercise C.4.2, requires all volumes to be encrypted. Any
additional volumes created on this VM will be automatically encrypted on deployment using the same process.

Cloud users (administrators, business managers, customers) can use this VM, and similarly configured VMs, for
securely hosting sensitive data, confident that CloudLink is protecting their data from unauthorized access or theft.

Click the MENU button to return to the Cloud Experience Center's Demo menu.

Close the Chrome browser

When finished, unless you plan to continue directly to Lab B.3 or Lab C.4, close the Chrome web browser to improve
performance in the Firefox-based labs.

Summary

The security policy associated with this VM, which you set in Exercise C.4.2, requires all volumes to be encrypted. Any
additional volumes created on this VM will be automatically encrypted on deployment using the same process.

Cloud users (administrators, business managers, customers) can use this VM, and similarly configured VMs, for
securely hosting sensitive data, confident that CloudLink is protecting their data from unauthorized access or theft.

Additional labs that you might be interested in:

To add cloud services by importing pre-existing VMs, see Lab A.2.
For more information on creating and publishing new VM blueprints to the Service Catalog, and managing
user access to those blueprints, please see Lab B.1.
To see how to create new backup services, complete Lab B.2.
A demonstration of how to integrate self-service VM provisioning with enterprise CMDB management using
ServiceNow is available in Lab B.3.
For an overview of the VM lifecycle, from provisioning to disposal, see Lab C.1.
To see how to provision VMs and applications that use NSX security and load balancing, please continue to
Lab C.2.
For more information on how to integrate application deployment and configuration operations into the VM
provisioning process, complete Lab C.3.

Troubleshooting

Troubleshooting and Tips
This section provides general suggestions and tips to resolve some issues that may arise in this lab before opening a
support ticket with the vLab team.

Troubleshooting and management tools

Since this is a fully functional cloud environment, many of the standard infrastructure- and cloud-management tools
and applications have been included and enabled. A certain level of technical proficiency is assumed for users of this
lab environment, so instructions in this Troubleshooting guide are limited to connecting and authenticating only.

Please exercise caution when adjusting or rebooting components and configurations using these tools. There are a
number of interdependencies in this solution stack, and any misstep could bring down the entire lab environment. If
you aren't completely comfortable carrying out any of these steps, please open a ticket with the vLab team before
continuing.

Troubleshooting guidelines

In many cases, issues with pages not loading or displaying correctly can be resolved by reloading the page. To do this,
hit the F5 key on your keyboard with the browser window active, or click the Refresh button to the right of the
browser's address window.

Restarting Lab Solution Components

If refreshing / reloading the webpage does not resolve the issue, it may be necessary to restart the lab component(s)
that support the service you are trying to use. Of these components, only the vROps and ViPR vApps are managed by
the environment's own vCenter instance. To restart either of those components, just restart the VM or vApp associated
with that component in vCenter. Instructions for connecting to vCenter are included below.

WARNING: The EHC-vCC vApp is included in this environment for demonstration purposes only. Launching the vcc
vApp, or using the vCenter client to take any action against any VM/vApp other than vrops and vipr, will render your
entire lab environment unusable and unrecoverable.

VMware vSphere Client

On the desktop of your console, you'll find an icon for launching the VMware vSphere Client. To launch the client,
double-click the icon.

Login using Windows credentials

1. If it isn't selected already, click the Use Windows session credentials box to log in as the VLAB\Administrator
user.
2. Click Login.

VMware vSphere Web Client

If you prefer the interface or features of the vSphere Web Client, a link has been included in the bookmarks bar of your
Firefox browser. To open the Web Client, click the vCenter Web Client button.

Use Windows login credentials

When the login page loads, log in as vlab\administrator with a password of Password123! and click Login.

VMware vCenter Orchestrator client

The VMware vCenter Orchestrator (vCO) client can be used for monitoring and troubleshooting failed workflows. To
launch the vCO client:

1. Click the Start button on the desktop.
2. Click the vCenter Orchestrator Client menu item.

Login credentials for vCO

To log in to the vCenter Orchestrator client:

1. Verify the host name is set to vco.
2. Verify the user name is set to cloud_admin@vlab.local
3. Use Password123! as the login password
4. Click the Login button.

EMC ViPR management console

If you wish to log in directly to the EMC ViPR management console, either for troubleshooting purposes or to remove
provisioned storage from the cloud resource pool, click the EMC ViPR button in the bookmarks bar of the Firefox
browser.

Provide authentication credentials

When the login page appears:

1. Use root as the username
2. Enter Password123! in the password field
3. Click the Login button to continue.

Remote-Desktop Protocol and Secure Shell console access

Remote-Desktop Protocol (RDP) and Secure Shell (SSH) console access can be gained using the included mRemoteNG
management tool, the default Windows Remote Desktop Connection client (mstsc.exe), or PuTTY. A shortcut button to
launch PuTTY has been included in the Windows Taskbar to the right of the Start button.

To open the mRemoteNG tool, double-click the mRemoteNG icon on the desktop.

mRemote launch pane

When the mRemote tool has loaded, you'll see a list of available VMs that you can access from the launch pane on the
left.

Use mRemote tool to connect to any component VM

To connect to any of the available VMs, right click on its entry in the launch pane, and click Connect from the pop out
menu. Connection protocol (e.g. RDP or SSH) and login credentials have been preconfigured for each system, so login
should be automatic.

Additional systems information

Some components use custom URLs or client applications for administration rather than console access. The full list of
systems, including URLs and login credentials, can be downloaded as a standalone PDF file from this lab's collateral
page on the vLab portal.

Additional assistance

If you require additional troubleshooting help beyond what's covered in this chapter, or if you are unable to resolve a
supported lab issue using the tools available, please open a support ticket through the EMC vLab portal's Quick Links
widget.

Resetting Avamar Services in the Lab Environment
Due to the highly virtualized and resource-constrained nature of the vLab environment, you may find that some
services destabilize, particularly in vLab sessions that are more than 1-2 weeks old. In particular, you may see failures
in On-Demand Backup and On-Demand Restore operations (Lab C.1, Exercise C.1.4). If you do see Failed requests in
the self-service portal when you attempt to perform on-demand VM backup and restore operations, you may find that
restarting Avamar and Avamar proxy services resolves the issue.

This Exercise will walk you through the process of resetting Avamar services.

Step 1 - Open the Windows Task Scheduler

To launch the Task Scheduler

1. Click the Windows Start button in the lower left corner of the desktop.
2. Click Task Scheduler from the Start menu.

Step 2 - Restart and register Avamar and proxy services

When the Task Scheduler opens, click the Task Scheduler Library folder.

Start scheduled Avamar task

In the Task window, locate the Restart_AVE_MCS task, then right-click on the task and select Run from the popout
menu.

Reload the Task window

After starting the task, right click on the white space at the bottom of the Task window and select Refresh from the
popout menu.

Confirm running task

The task status will change to Running.

Step 3 - Wait for task to complete

Allow the task to run to completion (approximately 3-5 minutes). Refresh the task window again until the task status
returns to Ready.

Re-run the original on-demand backup or on-demand restore task in Lab C.1, Exercise C.1.4.

Launching the Avamar Administrative Console
Based on the nature of certain demos, you may find it necessary to launch the Avamar Administrator management
console in your environment.

Desktop icon is broken

If you attempt to use the desktop icon in your environment, you'll see it doesn't load the application.

Close the error message

Instead, you'll see an error message indicating the application failed to load. Click OK to return to the desktop.

Use the Start Menu to launch the Avamar Administrative Console application

To load a working instance of the Avamar Administrative Console, click the Start button on the desktop.

Navigate to a working shortcut

From the Start menu, browse to All Programs > EMC Avamar > Administrator > 7.1.0-302 > Avamar Administrator

Log in to the Avamar Administrator application

When the login screen appears, log in using the following settings:

1. User name: cloud_admin@vlab.local
2. Password: Password123!
3. Domain name: / (leave at the default setting)
4. Administrator server: ave-01.vlab.local

Connect to the Avamar server

Click the Log On button to submit your credentials and log into EMC Avamar.

Continue into the application

From here, you can use the Avamar management console as appropriate.

Restarting the Mail Server
Due to the complex and highly virtualized nature of the vLab environment, there are occasionally sessions in which
one or more component VMs failed to start or initialize properly. If a submitted backup or restore request operation
returned a Failed result due to an unreachable mail server, then the mail server did not start up completely when the
vLab environment was created.

This exercise will walk you through the process of restarting the mail server in the vLab environment.

Open the mRemoteNG connection client

To restart the mail server, you'll need to establish an SSH connection.

1. Click the Start button
2. When the Start menu appears, choose mRemoteNG

Connect to the mail server VM via SSH

In the Connections window, right-click the Mail entry and choose Connect from the popout menu.

Restart the mail server

Connection and credential information for all component VMs and appliances in the environment has been
preconfigured.

In the session window, enter shutdown -r now <Enter> to restart the server.

Return to the Exercise

The mail server should take 3-5 minutes to restart and come back online, after which VM backup and restore
operations should complete successfully again.

Return to Exercise C.1.4 to run the VM protection workflows.

Restarting the Puppet Master Server
Due to the complex and highly virtualized nature of the vLab environment, there are occasionally sessions in which
one or more component VMs failed to start or initialize properly. If a Tomcat server deployment request (Lab C.3)
returns a Failed result, then it may be that the Puppet master server did not start up completely when the vLab
environment was created.

This exercise will walk you through the process of restarting the Puppet master server in the vLab environment.

Open the mRemoteNG connection client

To restart the Puppet master server, you'll need to establish an SSH connection.

1. Click the Start button
2. When the Start menu appears, choose mRemoteNG

Connect to the Puppet master server VM via SSH

In the Connections window, right-click the Puppetmaster entry and choose Connect from the popout menu.

Restart the Puppet master server

Connection and credential information for all component VMs and appliances in the environment has been
preconfigured.

In the session window, enter shutdown -r now <Enter> to restart the server.

Return to the Exercise

The Puppet master server should take 3-5 minutes to restart and come back online, after which Tomcat server deployment
requests should complete successfully again.

Return to Exercise C.3.1 to run the Tomcat server deployment again.

Deleting failed requests from the vRealize Automation history
You may have noticed that submitted requests cannot be deleted from the Requests history using the vRA portal tools.
While an unsubmitted (e.g. Saved) request can be removed using the Delete button, that option is grayed out for
submitted requests, regardless of whether the request was successful or not.

Using the command-line psql utility, it is possible to remove recent (i.e. less than about 90 days old) requests,
including failed submissions, from the vRealize vPostgres database directly, which results in those requests also
being removed from the vRA Requests history. Whether you're looking to stage a cleaner demo environment, or to
erase a window in your request history where you were attempting to validate new and updated catalog items and
workflows, it may be necessary at times to delete failed requests from the vRealize Automation request history.

This exercise will step you through the process of removing a single request item from the vPostgres database.

NOTE: This is not a procedure supported by VMware (or EMC).

Note the failed workflow request number

From the Requests page, locate the Failed request's ID number and note it for later in the Exercise.

Connect to the vRealize Automation appliance via SSH

Open the mRemoteNG terminal client from the Start menu.

Open a vRA console session

In the Connections window, right-click the vRA line item and choose Connect from the popout menu.

Open the vCAC Postgres edit utility

From the SSH session prompt, switch to the bin directory of vPostgres:

cd /opt/vmware/vpostgres/9.2/bin/ <Enter>

Connect to the vCAC database

From the /opt/vmware/vpostgres/9.2/bin/ directory prompt, open the vPostgres editing utility as the vcac user.

./psql -U vcac -d vcac <Enter>

Get the request ID of the failed workflow

At the vcac=> prompt, query the vPostgres database for the request ID of the failed workflow, using the workflow
request number from the vRA Requests page that you noted at the beginning of this Exercise.

SELECT id,requestnumber FROM cat_request where requestnumber = '<failed workflow ID>'; <Enter>

Note the id number of the failed request

You'll see an ASCII table showing the request ID in the left column, and the corresponding vRA workflow ID in the right
column.

Using your mouse pointer, highlight the request ID in its entirety, ensuring no space or overlap are highlighted on
either end. You'll use this highlighted value for the remainder of the Exercise.

Delete all instances of the failed ID from the vPostgres database

From the prompt, execute the following command, using the right-click paste feature to insert the request ID between
the single quote marks:

delete from cat_requestevent where request_id = '<right-click to paste the highlighted ID number here>'; <Enter>

Delete remaining instances of the failed ID from the vPostgres database

You'll see a return code indicating how many instances of the record were deleted from the previous command
(typically 4).

From the prompt again, execute the following command, again using the right-click paste feature (ensuring the request
ID is still highlighted) to insert the request ID between the single quote marks:

delete from cat_request where id = '<right-click to paste the highlighted ID number here>'; <Enter>

Verify record deletion

You'll see a return code indicating one record was deleted.

NOTE: Requests that are older than about 90 days cannot be deleted from the vPostgres database using this
method. If a request has aged beyond its deletion window, you'll see an error indicating the record is still referenced
from elsewhere.

Confirm deletion of the failed workflow

Switch back to the vRealize Automation browser session and reload the Requests page using the Refresh button.

Verify removal of failed workflow

You'll see the failed workflow has been removed from the Requests history.

Exit the SSH session

To quit the vPostgres editing utility, return to the mRemoteNG terminal client and run the following command in the
vRA session:

\q <Enter>

Close the terminal client

Click to close the mRemoteNG terminal client and return to the browser window.
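
The two deletes from this exercise, run as a single transaction so that an error on either statement (such as the "still referenced" error on older requests) leaves the database unchanged. This is an added example, not part of the lab guide; it assumes the table and column names shown in the steps above, and the request number 42 is a placeholder.

```sql
-- Added example: run inside the psql session opened with ./psql -U vcac -d vcac
-- 42 is a placeholder; substitute the request number noted from the Requests page.
\set reqnum 42

BEGIN;

-- Show the row that is about to be removed so the id can be checked by eye.
SELECT id, requestnumber
  FROM cat_request
 WHERE requestnumber = :'reqnum';

-- Child rows first: the events that reference the request.
DELETE FROM cat_requestevent
 WHERE request_id IN (SELECT id
                        FROM cat_request
                       WHERE requestnumber = :'reqnum');

-- Then the request itself. If this statement raises an error, the
-- transaction is marked aborted and the event rows deleted above are restored.
DELETE FROM cat_request
 WHERE requestnumber = :'reqnum';

-- Verify before committing: the count should be 0.
SELECT count(*) AS remaining
  FROM cat_request
 WHERE requestnumber = :'reqnum';

-- COMMIT makes the deletion permanent; after an error, PostgreSQL turns this
-- COMMIT into a ROLLBACK. Type ROLLBACK; instead to abandon the change.
COMMIT;
```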

Conclusion

Summary
The Enterprise Hybrid Cloud empowers IT to be a broker of cloud services, providing the control and visibility that IT
organizations need, and the on-demand self-service that developers and application users expect. Users can easily
provision standardized services directly from an application marketplace portal, with upfront pricing. These
resources are delivered from private and public clouds, whatever the workload calls for, all built on policies set by IT.
This ensures application workloads are placed in the right cloud, with the right cost, security, and performance.

Beyond delivering baseline Infrastructure-as-a-Service, an Enterprise Hybrid Cloud delivers feature-rich capabilities to
expand from Infrastructure-as-a-Service (IaaS), to business-enabling IT-as-a-Service. Application-as-a-Service,
Backup-as-a-Service, and Disaster Recovery-as-a-Service are now just policies and blueprints that can be enabled with
a few clicks.

End-users and developers can quickly gain access to a marketplace of application resources, from Microsoft, Oracle,
SAP, and Pivotal, as well as the ability to add 3rd-party packages and integrations as needed. All of these resources
can be deployed on private cloud or public-cloud services from EMC-powered cloud service providers.

Additional vLabs for More Hands-On Experience

If you would like to get additional, in-depth experience with some of the individual components of the Federation
Enterprise Hybrid Cloud solution, visit the EMC vLab portal at https://portal.demoemc.com, and request one or more of
these available labs:

Avamar 7.2 VM Recovery and Instant Access
6.2 Data Protection Advisor
EMC Storage Analytics for VMAX Overview
Next-Generation Storage Monitoring for the VNX Family
EMC Storage Analytics for VNX Overview
Experience the New VxRail: VCE's Hyper-Converged Appliance
ViPR SRM v3.7 - Visualize, Analyze, Optimize Storage Resources
ViPR Controller 2.2 - Automating Delivery of Storage Services
VMware vSphere Integration with VNX2
VNX2 Storage Management and Administration

Conclusion

Thank you for taking time to walk through this vLab. We hope you've seen how easy EMC has made some formerly
complex services, by moving them to a Cloud Solution model that leverages unique integration features that are only
available from EMC. By offering services that your end users demand, you'll enable them to react quickly to business
needs. At the same time, you can reduce the cost, risk, and performance challenges that are attributed to public cloud
services.

Integrated data-protection capabilities, automated and exposed to both the cloud administrator and the end user, are a
core component of what makes this model much simpler. When the Cloud Admin can create new backup policies and
retention scopes in just a few clicks, that's simple. When an end user can perform on-demand backup and restore
operations, that's simple.

At EMC, we've worked hard to make storage provisioning and management easier for the cloud administrator. By
integrating the management and monitoring views of the storage environment into the vCenter Operations console, we
can add intelligent analytics at the same time as we reduce the number of monitoring consoles and alerts that the
administrator needs to manage.

Additional Resources

There's plenty more to learn about the Enterprise Hybrid Cloud Solution. Here are some great resources you can use to
learn more:

EMC.COM Hybrid Cloud Portal

https://www.emc.com/cloud/hybrid-cloud-computing/

EMC Community Network:

Everything Cloud at EMC - https://community.emc.com/community/connect/everything-cloud

Everything VMware at EMC - https://community.emc.com/community/connect/everything_vmware

Or connect with your local field engineer or EMC vSpecialist for more information.
