VxRail SaaS Multi-cluster Management

VxRail Software as a Service Multi-Cluster Management is the artist formerly known as VxRail ACE, and is managed via the MyVxRail portal.

The product was recently re-branded (to be more descriptive of its capabilities) while also bringing its first wave of Active Management features to the party.

Up until recently, users could avail of all of the great features provided in the original ACE portal in a read-only manner, including:

  • Global visualisation
  • Simplified health scores
  • Advanced metrics charting
  • Future capacity planning
  • Lifecycle management operations (Upgrade Pre-check & Bundle Staging)

In this latest release of the re-branded MyVxRail, VxRail introduces:

  • Execution of multi-cluster updates
  • Export of Jobs and Tasks reports
  • Role-based access control for administrators to assign SaaS multi-cluster management privileges to users
  • Centralised credentials management for multi-cluster updates
  • Review status of cluster connectivity state

The access details have also changed slightly. Whereas previously users of VxRail ACE would have browsed to https://vxrailace.emc.com, these same (and new) users should now browse to https://myvxrail.dell.com. A redirect is in place and ‘should’ work, but just in case!

In terms of Active Management, what the MyVxRail portal now offers, should customers elect to avail of the functionality, is the ability to implement Role Based Access Control (RBAC) across their VxRail clusters, with the ability to Upgrade selected VxRail systems directly from the MyVxRail portal.

It is important at this point to note that the MyVxRail portal is simply orchestrating the VxRail LCM process and operations. It is not replacing VxRail Manager; rather, the MyVxRail portal provides the ability, from a single SaaS portal, to orchestrate multiple VxRail cluster upgrades via their respective VxRail Managers.

So how does this work ….

The first step towards Active Management is a license, applied at the cluster level.

Licensing

MyVxRail has now introduced an add-on license for customers that want to avail of Active Management functionality. The licenses are as follows:

  • VxRail HCI System Software (HSS)
    • This license is the default license included with every VxRail purchase for all existing customers and continues to enable/provide all of the original features outside of Active Management.
      • This is for customers who DO NOT wish to use the MyVxRail portal to upgrade their VxRail systems. This would include VCF on VxRail systems whose LCM is controlled by SDDC Mgr.
  • SaaS Active Multi-cluster Management for VxRail HCI System Software
    • This is an optional add-on license, which enables the Active Management functionality to perform multi-cluster software updates.
      • This license can be purchased at an additional cost for customers who DO wish to use the MyVxRail portal to upgrade their VxRail systems.

With the add-on license, the ability to initiate a single or multi-cluster upgrade is also dependent upon a new MyVxRail access model, which is defined by how the customer is connected to the MyVxRail portal:

  • On-Premises Access
    • This is where the customer is connecting to their MyVxRail portal from the same network as their VxRail Manager. (The MyVxRail portal continues to be located in the public Dell EMC Cloud, not actually on the customer site.)
      • This access model is REQUIRED for Active Management functionality.
  • Off-Premises Access
    • This is where the customer is connecting to their MyVxRail portal from a different/external/public network to their VxRail Manager.
      • This access model defaults to the feature-set provided by the default VxRail HCI System Software license, regardless of what license is actually applied to the cluster.

… to summarise:

| Feature | License | Off-Prem | On-Prem |
|---|---|---|---|
| Health Check (Upgrade Pre-Check) | HSS | | |
| Bundle Download | HSS | | |
| Credential Management | Add-on | | |
| Upgrade | Add-on | | |
| Download and Upgrade | Add-on | | |

Note that, for this initial release, upgrades from the MyVxRail portal are only possible for Standard VxRail cluster deployment types. For example, it is not possible to upgrade 2-node or Stretched Cluster deployments today (but that is coming in a later release).

From a technical perspective we need to get our basic pre-reqs in order, such as:

  • Fully functional SRS connection
  • Telemetry Settings (4.5) / Customer Improvement Plan (4.7, 7.x) must be enabled (Basic/Medium/Advanced)
  • VxRail must be running at least v4.5.215/v4.7.100/ v7.x

After that there are some new requirements in order to avail of Active Management from the MyVxRail portal.

vCenter Server Administration

Active Management is enabled/driven by RBAC in the respective VxRail vCenter Servers, so there is some vCenter user configuration required.

A common vCenter Administrator account is required (must already be in-place) when enabling vCenter Access Control in the MyVxRail portal, which will first register MyVxRail extension privileges on all required vCenter Servers.

There are four privileges for SaaS multi-cluster management that must be defined and added to vCenter:

  • Download Software Bundle: Download a new software bundle to one or more clusters.
  • Execute Health Check: Execute a health check of any type on one or more clusters.
  • Execute Upgrade: Initiate an upgrade on one or more clusters (requires the SaaS active management for VxRail HCI System Software add-on license).
  • Manage Update Credentials: Modify the MyVxRail credential store

The privileges provided by this extension enable customers to configure a variety of role-based MyVxRail roles in vCenter, for example:

  • Viewer
    • Execute Health Checks
  • Operator
    • Execute Health Checks
    • Download Software Bundle
    • Execute Upgrade
  • Administrator
    • Manage Update Credentials

The above roles are for EXAMPLE ONLY and do not already exist out of the box! Configuration and allocation of these privileges are customer-driven.

The common vCenter Admin for MyVxRail can add the new MyVxRail-privileged vCenter users to an RBAC configuration on individual VxRail cluster vCenters.

These privileged vCenter users themselves can then run the Enable vCenter Access Control wizard from the MyVxRail portal, to switch their Identity and Access Control from Dell EMC Service360 to vCenter. The following image displays multiple VxRail clusters with different Access Control methods, as specified in the Access Control column:

This Enable Access Control action for each user registers their Service360-to-vCenter account name mapping in VxRail lockboxes. Only when this is complete is a user enabled for Active Management on the clusters that they have visibility of.

In general, Dell EMC Service360 shows what you can view, and the vCenter privileges enable you to control what you can do with what you can view in MyVxRail.

The MyVxRail portal provides an overview of Licensing as well as Identity and Access Control, as shown below:

Certificate

VxRail Manager uses a self-signed SSL certificate which will not be trusted by the customer’s browser. This will prevent the MyVxRail web application from sending HTTPS requests to VxRail Manager.

VxRail Manager provides a simple mechanism to allow the customer to install their own trusted SSL certificate. Once the certificates have been installed in each VxRail Manager, the MyVxRail web application will be able to communicate again with the clusters (because a customer’s browser will already have the corresponding certificate installed, via their corporate IT team).

Secure Access

Allowing access to systems in your private datacenter from a Public Cloud is no trivial task, so this is where the MyVxRail portal leverages on-site, local VxRail RSA Lockbox functionality to store and verify user mappings.

All requests are initiated from the MyVxRail portal, but the privileged usernames and accounts never leave the local customer datacenter.

The following diagram explains some of the mechanics of this Identity and Access Control architecture.

Of the two clusters shown bottom-left, the one on the left is managed by vCenter (using the add-on license), the other on the right is managed by Service360 (using the default license). The credentials never leave the customer site, and the customer controls assignment of the access control provider.

When a user accesses the MyVxRail portal, their username is sent (over an encrypted Secure Remote Services connection) from Service360 for validation, via the MyVxRail Adaptive Data Controller (ADC), to a local RSA Lockbox in each VxRail cluster’s VxRail Manager. This RSA Lockbox will then check for a Service360-to-vCenter user mapping to match that account. It is at this point that MyVxRail will determine the Access Control for each VxRail cluster for that user: Service360, vCenter RBAC, or a mixture of both across multiple VxRail clusters.

If the user is authorised/privileged in vCenter then they will see the associated Active Management (Upgrade) functionality in their MyVxRail portal. If not, then they will see the default Service360-managed functionality (no Upgrade).

Note that, once the target code version has been selected and downloaded/staged locally, the MyVxRail portal will now also display the estimated time for the planned upgrade to complete.

Again, this is only possible when accessing the MyVxRail portal from within the customer datacenter. Accessing the MyVxRail portal from anywhere else will default to Service360 Access Control (no Active Mgmt, regardless of license type).
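To make the decision above concrete, here is an added sketch (my own illustration, not Dell EMC code and not part of the original post) that models how license, access location, lockbox mapping and vCenter privileges combine per cluster. The class and function names, users and clusters are hypothetical, and it assumes that a mapped user on a cluster without the add-on license simply loses the two add-on features.

```python
from dataclasses import dataclass, field

# Privilege names are the four listed in the post; the model around them is hypothetical.
HEALTH, DOWNLOAD = "Execute Health Check", "Download Software Bundle"
UPGRADE, CREDS = "Execute Upgrade", "Manage Update Credentials"
HSS_FEATURES = {HEALTH, DOWNLOAD}   # available with the default HSS license
ADDON_FEATURES = {UPGRADE, CREDS}   # need the add-on license

@dataclass
class Cluster:
    name: str
    addon_license: bool
    deployment: str = "standard"                       # or "2-node", "stretched"
    lockbox_map: dict = field(default_factory=dict)    # Service360 user -> vCenter user
    vcenter_privs: dict = field(default_factory=dict)  # vCenter user -> privileges

def effective_access(cluster, s360_user, on_prem):
    """Return (access control provider, allowed operations) for one cluster."""
    vc_user = cluster.lockbox_map.get(s360_user)
    # Off-premises access or no lockbox mapping: default Service360 feature set.
    if not on_prem or vc_user is None:
        return "Service360", set(HSS_FEATURES)
    allowed = set(cluster.vcenter_privs.get(vc_user, ()))
    if not cluster.addon_license:
        allowed -= ADDON_FEATURES      # assumption: add-on features drop without the license
    if cluster.deployment != "standard":
        allowed.discard(UPGRADE)       # initial release: standard clusters only
    return "vCenter", allowed

def portal_view(clusters, s360_user, on_prem):
    """Per-cluster view for one user: {cluster name: (provider, sorted operations)}."""
    return {c.name: (p, sorted(ops))
            for c in clusters
            for p, ops in [effective_access(c, s360_user, on_prem)]}

# Constructed sample data (not from the post).
OPERATOR = {"vc-operator": {HEALTH, DOWNLOAD, UPGRADE}}
MAPPING = {"alice@example.com": "vc-operator"}
CLUSTERS = [
    Cluster("prod-01", True, "standard", MAPPING, OPERATOR),
    Cluster("edge-02", True, "stretched", MAPPING, OPERATOR),
    Cluster("lab-03", False, "standard", MAPPING, OPERATOR),
    Cluster("dr-04", True, "standard", {}, OPERATOR),
]

if __name__ == "__main__":
    for on_prem in (True, False):
        print("on-prem" if on_prem else "off-prem")
        for name, view in portal_view(CLUSTERS, "alice@example.com", on_prem).items():
            print(" ", name, view)
```

Running the same user through both access models is a quick way to review who would actually be able to start an upgrade on which cluster before handing out vCenter privileges.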

More details can be found in the official VxRail documentation as well as the MyVxRail Online Help.

Thanks to my colleague Ed Spaenij whose MyVxRail KT content I leveraged for much of this post!

Hope that helps,

Steve
