Dear v(CF)Admins and v(CF)Architects. I am incredibly excited about the release of VMware Cloud Foundation 5, which introduces a bunch of new features, functionality and a brand new update/upgrade mechanism!

VMware Cloud Foundation is the secure and automated hybrid cloud platform for modernizing datacenters and deploying modern apps. VMware Cloud Foundation provides a complete set of software-defined services for compute, storage, network, security, Kubernetes management, and cloud management. The result is an elastic, agile, reliable, securely architected, and efficient cloud infrastructure that offers consistency across private and public clouds.

This release will be available for download on June 1, 2023, for VCF perpetual customers.

What’s new?

Let’s start with the focus on the Building Blocks and zoom in on the Scalability, Security and a lot of other Enhancements.

VMware Cloud Foundation 5.0 includes support for VMware vSphere 8.0 update 1, vCenter Server 8.0 update 1 and VMware NSX version 4.1.

VMware vSAN 8.0 U1 is included in the VMware ESXi bundle.

So this basically means that VMware Cloud Foundation 5 is based on VMware vSphere 8 U1. See also my post VMware vSphere 8 U1 What’s new to discover all the new functionality related to VMware vSphere, and VMware vSAN 8 U1 What’s new for the vSAN updates.

Not all VMware vSphere features are supported in VCF5. Details will follow later in a new post.

What’s New with NSX in VMware Cloud Foundation 5.0

VMware NSX-T, the basis for a Software Defined Network and Security, offers a lot of new functionality.

A summary of supported NSX 4.1.0 Highlights:

Configure Multi-tenancy 

NSX 4.1.0 allows an Enterprise Admin to segment an NSX instance within Cloud Foundation into projects, giving separate spaces to project users (tenants) whilst maintaining full visibility and control. Multi-tenancy can be configured in NSX Manager or by using the API, and allows multiple NSX users to consume their own objects, see their own alarms and monitor their own VMs with Traceflow.

NSX Application Platform (NAPP) 

NSX 4.1.0 is compatible with the latest version of NAPP, 4.0.1. The NSX Application Platform (NAPP) is a high-performance security analytics platform that hosts microservices-based applications used to collect and analyse large data sets. The correlation of network and security events is accomplished using resource-intensive analytics and machine learning. The following NSX Advanced Threat Prevention (ATP) security applications run on NAPP:

NSX Intelligence

Network Detection & Response (NDR)

NSX Malware Prevention

Container Networking and Security:

Antrea to NSX Integration improvements

NSX 4.1.0 introduces new container networking and security enhancements which allow firewall rules to be created with a mix of VMs and Kubernetes ingress/egress objects. Dynamic groups can also be created based on NSX tags and Kubernetes labels. This improves the usability and functionality of using NSX to manage Antrea clusters. You can now create firewall policies that allow/block traffic between Virtual Machines and K8s pods in one single rule. A new enforcement point is also introduced to include all endpoints, and the correct apply-to is determined based on the source and destination group member targets. Kubernetes Network Policies and Tiers created in the Antrea cluster can now be viewed in the NSX Policy ruleset. Along with this, NSX 4.1.0 also includes Traceflow and UI improvements which allow for better troubleshooting and management of K8s network policies, providing true centralized management of K8s network policies via NSX.

Online Diagnostic System 

Online Diagnostics provide predefined runbooks that contain debugging steps to troubleshoot a specific issue. These runbooks can be invoked by API and will trigger debugging steps using the CLI, API and scripts. Recommended actions are provided after debugging to fix the issue, and the artifacts generated during debugging can be downloaded for further analysis. The Online Diagnostic System helps to automate debugging and simplifies troubleshooting.

Available Runbooks include:  

Overlay Tunnel runbook (ESXi)

Portblock Runbook (ESXi)

Controller Connectivity Runbook (ESXi)

pNIC Performance

ADF Data Collection

Layer 2 and Layer 3 Networking

ESXi Multi-TEP High Availability

VMware Cloud Foundation configures each ESXi host as a transport node with two TEPs. New to NSX 4.1 is the ability for NSX to track the health of each TEP based on the status of its BFD sessions to other transport nodes. This feature provides high availability against physical switch issues, like a physical switch port remaining up but forwarding not working properly.

BGP AS per VRF

Configure a different BGP ASN (Autonomous System Number) per Tier-0 VRF Gateway and also per BGP neighbor.

Note: SDDC Manager workflows do not include the configuration of Tier-0 VRF on Edges. Tier-0 VRF on NSX Edges needs to be configured manually.

Inter-VRF Routing

NSX 4.1 introduces a more advanced VRF interconnect and route leaking model. With this feature, users can configure inter-VRF routing using easier workflows and fine-grained controls by dynamically importing and exporting routes between VRFs. 

Note: SDDC Manager workflows do not include the configuration of Tier-0 VRF on Edges. Tier-0 VRF on NSX Edges needs to be configured manually.

Distributed Firewall

Block Malicious IPs in Distributed Firewall is a new capability that allows traffic to and from malicious IPs to be blocked. This is achieved by ingesting a feed of malicious IPs provided by VMware Contexa. This feed is automatically updated multiple times a day so that the environment is protected against the latest malicious IPs. For existing environments, the feature needs to be turned on explicitly. For new environments, this feature is enabled by default.
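To make concrete what a feed-driven block like this does behind the scenes, here is an added example (my own illustration, not VMware or NSX code): it ingests a feed of IPs and CIDRs, tolerates bad feed lines so a feed refresh never aborts on a single entry, and checks each flow in both directions, because the feature blocks traffic to and from listed addresses. The feed entries and flow records are constructed sample data using documentation ranges, not real indicators.

```python
"""Added example (not VMware's code): match flow records against a malicious-IP feed.

The feed and the flow records below are constructed sample data (RFC 5737 / RFC 3849
documentation ranges), not real indicators.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample feed: comments, a single IP, IPv4 and IPv6 CIDRs, and one bad line.
SAMPLE_FEED = """
# constructed feed, refreshed several times a day in the real feature
198.51.100.23
203.0.113.0/24
2001:db8:bad::/48
not-an-ip
"""

# Constructed sample flows: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("10.1.1.10", "198.51.100.23", 443),     # outbound to a listed IP
    ("203.0.113.77", "10.1.1.10", 22),       # inbound from a listed CIDR
    ("10.1.1.10", "192.0.2.5", 80),          # not listed
    ("2001:db8:bad:1::9", "10.1.1.10", 8443),  # inbound from a listed IPv6 CIDR
]


def parse_feed(text):
    """Parse feed lines into ip_network objects; skip comments, blanks and invalid lines."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False accepts host bits set in a CIDR (e.g. 203.0.113.5/24).
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # Feed hygiene: one malformed entry must not abort the whole update.
            continue
    return nets


def is_malicious(addr, nets):
    """True if addr falls inside any feed network (IP family mismatch is simply no match)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


@dataclass
class Verdict:
    src: str
    dst: str
    dst_port: int
    action: str
    reason: str


def evaluate_flows(flows, nets):
    """Apply the feed to each flow in both directions, as a 'to and from' block would."""
    verdicts = []
    for src, dst, port in flows:
        if is_malicious(src, nets):
            verdicts.append(Verdict(src, dst, port, "DROP", f"source {src} in feed"))
        elif is_malicious(dst, nets):
            verdicts.append(Verdict(src, dst, port, "DROP", f"destination {dst} in feed"))
        else:
            verdicts.append(Verdict(src, dst, port, "ALLOW", "no feed match"))
    return verdicts


if __name__ == "__main__":
    for v in evaluate_flows(SAMPLE_FLOWS, parse_feed(SAMPLE_FEED)):
        print(f"{v.action:5} {v.src} -> {v.dst}:{v.dst_port}  ({v.reason})")
```

The point worth checking in an existing environment is the last sentence of the paragraph above: the feature is off until you turn it on, so verify the setting rather than assuming the feed is already enforced.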

New AppIDs

More than 100 new AppIDs have been added to the L7 distributed firewall.

Network Detection and Response (NDR)

Support for IDPS events from the Gateway Firewall

Starting with NSX 4.1.0, IDPS events from the Gateway/Edge firewall are used by NDR in correlations/intrusion campaigns.

VMware Cloud Foundation 5.x Capability Evolution

VMware is actively and regularly expanding the VCF portfolio.

See an overview of the functionality for each VCF version in the matrix below:

vGPU Support with NVIDIA AI Ent Suite

vRSLCM Flexible Upgrades

SDDC Manager Onboarding Workflow

Full stack Upgrade (vSphere, vSAN, NSX)

Isolated WLDs and Identity Management

Enhanced LCM including Decoupling  SDDC Manager

VMware vRealize (Aria) 8.10

VMware Cloud Foundation 5 includes the Automation, Operations and Cost tooling, which has been renamed to VMware Aria.

VMware Aria provides all the tools so that companies are able to optimize, automate and gain visibility across the full VMware (multi-cloud) stack.

Transform your data center into a private cloud with hybrid/multi-cloud support.

VMware Aria Suite in a nutshell.

VMware Aria Cost:

Deliver comprehensive visibility, optimization, and governance for cost and usage across clouds.

VMware Aria Operations:

Provide full-stack visibility, troubleshooting, insights and remediation for app and infra performance.

VMware Aria Automation:

Automate and configure app and infra deployment and enforce cost, security and performance using best practices.

Direct Skip-level Upgrade Support

From now on it is possible to upgrade your current VCF environment relatively quickly and in a straightforward way.

Existing VMware Cloud Foundation 4.3.x, 4.4.x and 4.5.x deployments can be upgraded directly to VMware Cloud Foundation 5.0 in a single step.

The Administrator should first update SDDC Manager to version 5. SDDC Manager 5 includes a number of key enhancements that streamline the in-place upgrade process, including:

Context Aware Pre-checks

vRealize Suite Pre-checks

Config Drift Awareness

vCenter Server Migration workflow

Licensing Update workflow 

Asynchronous SDDC Manager Upgrades

New and existing VMware Cloud Foundation deployments which have been upgraded to VCF 5.0 are now able to upgrade SDDC Manager without the need to update the full SDDC stack.

Asynchronous SDDC Manager upgrades allow VMware to release new SDDC Manager versions, containing new features and fixes, on a more regular cadence. In turn, this capability allows Administrators to access new features and capabilities of future SDDC Manager releases sooner, while also allowing them to quickly apply critical patches and fixes.

This brings a lot of benefits, including:

Administrators are able to upgrade only the SDDC Manager without the need to upgrade the full VCF stack.

After an upgrade new SDDC Manager features are available with newer releases.

It becomes possible to rapidly apply critical SDDC Manager fixes.

For further information on updating SDDC Manager, please download the VMware Cloud Foundation Lifecycle Management documentation.

Security

VMware Cloud Foundation 5.0 deployments give administrators the option to configure new workload domains using a separate SSO instance. This scenario is useful for Managed Service Providers, who can allocate workload domains to different tenants with their own SSO domains. Isolated SSO domains within VCF 5.0 are each configured with their own NSX instance.

Workload domains can now be configured in one of two ways, see the picture above.

Workload Domain Scalability Limits Increased

VMware Cloud Foundation 5.0 allows greater scale for both new and existing deployments.

Each VCF instance can now scale from 15 workload domains to 25 workload domains.

Create Multiple Workload Domains in Parallel

VCF 4.3 introduced the ability to add up to 10 new clusters at the same time (in parallel).

VCF 4.5 extended parallelism further, allowing VCF Administrators to grow and shrink up to 10 existing clusters at the same time (in parallel), and also to perform several host commissioning and decommissioning operations at the same time (in parallel).

In addition to these capabilities, VCF 5.0 now allows VCF Administrators to add multiple VI Workload Domains in parallel.

Adding new VI Workload Domains in parallel can be triggered using SDDC Manager or the REST APIs.
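As an added illustration of driving this from the REST API (my own example, not VMware's code or the SDDC Manager SDK), the block below submits several workload domain creation requests in parallel and then polls each returned task until it reaches a terminal state. It assumes SDDC Manager's public API shape of POST /v1/domains returning a task with an id, GET /v1/tasks/{id} returning a status, and the status strings IN_PROGRESS, SUCCESSFUL and FAILED; those paths and values, the minimal domain specs, and the FakeSddcManager stand-in for the HTTPS layer are assumptions made so the code runs offline.

```python
"""Added example (not VMware's code): create several VI workload domains in parallel
through SDDC Manager's REST API and wait for each task to finish.

Assumptions (not from the post): POST /v1/domains returns a task {"id": ...};
GET /v1/tasks/{id} returns {"status": ...} with values IN_PROGRESS / SUCCESSFUL / FAILED.
The domain specs are constructed placeholders; a real spec carries vCenter, NSX,
cluster and host details. FakeSddcManager replaces the HTTPS client so this runs offline.
"""
import concurrent.futures
import itertools
import threading
import time

TERMINAL_STATES = {"SUCCESSFUL", "FAILED"}  # assumed status strings


class FakeSddcManager:
    """Offline stand-in for SDDC Manager. A real client would send HTTPS requests with
    an Authorization: Bearer <token> header and verify the server certificate."""

    def __init__(self):
        self._ids = itertools.count(1)
        self._tasks = {}
        self._lock = threading.Lock()

    def post(self, path, body):
        assert path == "/v1/domains", "only domain creation is simulated"
        with self._lock:
            task_id = f"task-{next(self._ids)}"
            self._tasks[task_id] = {"name": body["domainName"], "polls": 0,
                                    "status": "IN_PROGRESS"}
        return {"id": task_id}

    def get(self, path):
        task_id = path.rsplit("/", 1)[-1]
        with self._lock:
            task = self._tasks[task_id]
            task["polls"] += 1
            # Simulated outcome: finish on the second poll; "-bad" specs fail.
            if task["polls"] >= 2:
                task["status"] = "FAILED" if task["name"].endswith("-bad") else "SUCCESSFUL"
            return {"id": task_id, "status": task["status"]}


def create_domain(client, spec):
    """Submit one workload domain creation request; returns the task id."""
    return client.post("/v1/domains", spec)["id"]


def wait_for_task(client, task_id, poll_seconds=0.0, max_polls=100):
    """Poll a task until it is SUCCESSFUL or FAILED; bounded so a stuck task cannot hang us."""
    for _ in range(max_polls):
        status = client.get(f"/v1/tasks/{task_id}")["status"]
        if status in TERMINAL_STATES:
            return status
        time.sleep(poll_seconds)
    return "TIMEOUT"


def create_domains_in_parallel(client, specs, poll_seconds=0.0):
    """Fire all creation requests concurrently, then wait on every task.
    Returns {domainName: final status}."""
    results = {}
    with concurrent.futures.ThreadPoolExecutor(max_workers=max(1, len(specs))) as pool:
        submissions = {pool.submit(create_domain, client, s): s["domainName"] for s in specs}
        task_ids = {submissions[f]: f.result()
                    for f in concurrent.futures.as_completed(submissions)}
        waits = {name: pool.submit(wait_for_task, client, tid, poll_seconds)
                 for name, tid in task_ids.items()}
        for name, fut in waits.items():
            results[name] = fut.result()
    return results


if __name__ == "__main__":
    # Constructed specs: only the name is populated in this offline demonstration.
    demo_specs = [{"domainName": "wld-a"}, {"domainName": "wld-b"}, {"domainName": "wld-c-bad"}]
    print(create_domains_in_parallel(FakeSddcManager(), demo_specs))
```

Keeping submission and polling as separate steps matters in practice: the API answers each POST immediately with a task, so the parallelism the post describes is observed in the task list, and a failed domain surfaces as a FAILED task rather than an HTTP error on the original request.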

In Product Feedback Tool

And last but not least, VMware Cloud Foundation introduces an integrated feedback tool that allows customers to share feedback on product areas.

Resources:

VMware Cloud Foundation 5.0 Release Notes

VMware Cloud Foundation Product Page

Cloud Foundation Resource Center – Demos and Guides

docs.vmware.com/en/VMware-Cloud-Foundation

End of this post.

Disclaimer: This blog is based on my personal title and assumptions. No rights can be derived from this blog.
