This post pulls together the notes I have made while planning a VMware Cloud (VMC) on AWS (Amazon Web Services) deployment and the migration of virtual machines from traditional on-premises vSphere infrastructure. It is intended as a list of considerations, not a comprehensive guide.
Capacity Planning
At the time of writing up to 10 SDDCs can be deployed per organisation, each SDDC supporting up to 10 vSphere clusters and each cluster up to 16 physical nodes.
The standard I3 bare metal instance currently offers 2 sockets, 36 cores, 512 GiB RAM and 10.7 TB of vSAN storage; a 16-node cluster therefore provides 32 sockets, 576 cores, 8192 GiB RAM and 171.2 TB.
New R5 metal instances are deployed with 2.5 GHz Intel Xeon Platinum 8000 series (Skylake-SP) processors; 2 sockets, 48 cores, 768 GiB RAM and AWS Elastic Block Store (EBS) backed capacity scaling up to 105 TB for 3-node resources and 560 TB for 16-node resources.
When deciding the number of hosts in the SDDC, consider the pay-as-you-go pricing model and the ability to scale out later on demand, either manually or using Elastic DRS, which can be optimised for performance or for cost.
The What-If analysis in both vRealize Business and vRealize Operations can help with capacity planning and cost comparisons for migrations to VMware Cloud on AWS. Use Network Insight to understand network egress costs and application topology in your current environment. If you are not licensed for these products download the free trial from VMware.
Migration Planning
If possible your migration team should include: infrastructure administrators for compute, storage, network and data protection; networking and security teams for security and compliance; application owners for applications, development and lifecycle management; and support and operations for automation, lifecycle and change management.
Group services together based on downtime tolerance, as this could determine how the workload is moved: prolonged downtime, minimal downtime, and zero downtime.
Virtual machines can follow a ‘lift and shift’ model from traditional vSphere by enabling vMotion between the on-premises vCenter Server and VMC. HCX can stretch L2 subnets into VMC for seamless migration of workloads.
There are additional requirements for Hybrid Linked Mode if you are looking to vMotion machines into VMC; see the VMware Cloud on AWS documentation for full details.
Consider migration paths for any physical workloads, whether that be P2V, AWS Bare Metal instances, or co-locating equipment.
Consider any load balancing and edge security requirements. The AWS Elastic Load Balancer (ELB) can be used or alternative third party options can be deployed through virtual appliances. NSX load balancing as a service in VMC is planned for future releases.
You will likely still need Active Directory, DNS, DHCP and time synchronisation, so use native cloud services where possible, or migrate these services as VMs to VMC on AWS.
Remember that Disaster Recovery (DR) still needs to be factored in. DR as a Service (DRaaS) is offered through Site Recovery Manager (SRM), either between cloud regions or between on-premises and the cloud.
Make sure any existing monitoring tools are compatible with the new environment and think about integrating cloud monitoring and management with new or existing external tools.
Move backup tooling to the cloud and perform full backups initially to create a new baseline. Consider native cloud backup products that back up straight to S3, or traditional backup methods that connect to vCenter. The reference architecture has been updated to include Elastic Block Store (EBS) backed Elastic Compute Cloud (EC2) instances running Veeam, which back up virtual machines from the VMC vCenter into Simple Storage Service (S3) and Glacier.
Lockdown Mode has been enabled on an ESXi 6.x host and users are restricted from logging into the Direct Console User Interface (DCUI).
Which two statements are true given this configuration? (Choose two.)
A: A user granted administrative privileges in the Exception User list can login.
B: A user defined in the DCUI.Access without administrative privileges can login.
C: A user defined in the ESXi Admins domain group can login.
D: A user set to the vCenter Administrator role can login.
Correct Answer: AB
In normal lockdown mode the DCUI service is not stopped. If the connection to the vCenter Server is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host's Direct Console Interface and exit lockdown mode. Only these accounts can access the Direct Console User Interface:
Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.
Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.
Question 2
Strict Lockdown Mode has been enabled on an ESXi host.
Which action should an administrator perform to allow ESXi Shell or SSH access for users with administrator privileges?
A: Grant the users the administrator role and enable the service.
B: Add the users to Exception Users and enable the service.
C: No action can be taken, Strict Lockdown Mode prevents direct access.
D: Add the users to vsphere.local and enable the service.
Correct Answer: B
Strict Lockdown mode:
In strict lockdown mode the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you have to reinstall the host.
Question 3
A common root user account has been configured for a group of ESXi 6.x hosts.
Which two steps should be taken to mitigate security risks associated with this configuration? (Choose two.)
A: Remove the root user account from the ESXi host.
B: Set a complex password for the root account and limit its use.
C: Use ESXi Active Directory capabilities to assign users the administrator role.
D: Use Lockdown mode to restrict root account access.
Correct Answer: BC
root User Privileges
By default each ESXi host has a single root user account with the Administrator role. That root user account can be used for local administration and to connect the host to vCenter Server.
This common root account can make it easier to break into an ESXi host and make it harder to match actions to a specific administrator.
Set a highly complex password for the root account and limit the use of the root account, for example, for use when adding a host to vCenter Server. Do not remove the root account. In vSphere 5.1 and later, only the root user and no other named user with the Administrator role is permitted to add a host to vCenter Server.
Best practice is to ensure that any account with the Administrator role on an ESXi host is assigned to a specific user with a named account. Where possible, use the ESXi Active Directory integration, which lets you manage administrators through their Active Directory credentials.
Question 4
An administrator wants to configure an ESXi 6.x host to use Active Directory (AD) to manage users and groups. The AD domain group ESX Admins is planned for administrative access to the host.
Which two conditions should be considered when planning this configuration? (Choose two.)
A: If administrative access for ESX Admins is not required, this setting can be altered.
B: The users in ESX Admins are not restricted by Lockdown Mode.
C: An ESXi host provisioned with Auto Deploy cannot store AD credentials.
D: The users in ESX Admins are granted administrative privileges in vCenter Server.
Correct Answer: AC
Configure a Host to Use Active Directory
You can configure a host to use a directory service such as Active Directory to manage users and groups.
When you add an ESXi host to Active Directory the DOMAIN group ESX Admins is assigned full administrative access to the host if it exists. If you do not want to make full administrative access available, see VMware Knowledge Base article 1025569 for a workaround.
If a host is provisioned with Auto Deploy, Active Directory credentials cannot be stored on the hosts. You can use the vSphere Authentication Proxy to join the host to an Active Directory domain. Because a trust chain exists between the vSphere Authentication Proxy and the host, the Authentication Proxy can join the host to the Active Directory domain. See Using vSphere Authentication Proxy.
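The four questions above all turn on the same thing: which accounts keep a direct login path to a host (DCUI, ESXi Shell, SSH) once lockdown is on, and whether you have left yourself an emergency path if the vCenter connection is lost. The following is an added example, not VMware code, that encodes those rules from the text over a constructed host record and flags the mistakes the questions describe. `HostConfig`, `direct_access` and `findings` are names chosen here; the lockdown values mirror the vSphere `HostLockdownMode` enum and the service keys mirror the ESXi service IDs (`TSM` is the ESXi Shell, `TSM-SSH` is SSH).

```python
"""Added example (not VMware code): which accounts can still log in directly
to an ESXi host under each lockdown mode, and what is mis-configured.

HostConfig is a constructed record, not a pyVmomi object. Lockdown values
mirror the vSphere HostLockdownMode enum; service keys mirror ESXi service IDs
(TSM = ESXi Shell, TSM-SSH = SSH). DCUI.Access defaults to root on ESXi.
"""
from dataclasses import dataclass, field

DISABLED, NORMAL, STRICT = "lockdownDisabled", "lockdownNormal", "lockdownStrict"


@dataclass
class HostConfig:
    name: str
    lockdown: str
    admins: set                                                   # accounts/AD groups with the Administrator role on the host
    exception_users: set = field(default_factory=set)             # lockdown Exception Users list
    dcui_access: set = field(default_factory=lambda: {"root"})    # DCUI.Access advanced option
    services_running: set = field(default_factory=set)            # e.g. {"TSM", "TSM-SSH"}
    ad_domain: str = ""                                           # joined AD domain, if any
    auto_deploy: bool = False                                     # stateless host provisioned by Auto Deploy
    auth_proxy: bool = False                                      # joined via vSphere Authentication Proxy


def direct_access(host: HostConfig) -> dict:
    """Return {account: {channels}} usable without vCenter under the host's lockdown mode."""
    paths = {}

    def allow(account, channel):
        paths.setdefault(account, set()).add(channel)

    shell_channels = {name for key, name in (("TSM", "ESXi Shell"), ("TSM-SSH", "SSH"))
                      if key in host.services_running}
    if host.lockdown == DISABLED:
        for account in host.admins:                 # no lockdown: every administrator, every running channel
            for channel in {"DCUI"} | shell_channels:
                allow(account, channel)
        return paths
    dcui_running = host.lockdown == NORMAL          # strict lockdown stops the DCUI service
    for account in host.exception_users & host.admins:   # exception users only count with admin privileges
        for channel in shell_channels | ({"DCUI"} if dcui_running else set()):
            allow(account, channel)
    if dcui_running:
        for account in host.dcui_access:            # emergency DCUI access, no admin role required
            allow(account, "DCUI")
    return paths


def findings(host: HostConfig) -> list:
    """Availability and security findings for one host, as short strings."""
    out = []
    if host.lockdown != DISABLED and not direct_access(host):
        out.append("no emergency path: if the vCenter connection is lost the host must be reinstalled")
    if host.lockdown == STRICT and not (host.exception_users & host.admins):
        out.append("strict lockdown without an admin exception user: enable ESXi Shell/SSH and add a service account before you need it")
    if "root" in host.exception_users:
        out.append("root is an Exception User: lockdown no longer restricts the shared root account; use DCUI.Access for emergency access instead")
    if host.ad_domain and "ESX Admins" in host.admins:
        out.append("AD group 'ESX Admins' holds Administrator on the host: confirm every member is a named individual (KB 1025569 to change the group)")
    if host.auto_deploy and host.ad_domain and not host.auth_proxy:
        out.append("Auto Deploy host cannot store AD credentials: join the domain through vSphere Authentication Proxy")
    return out
```

To run this against a real environment, populate `HostConfig` from vCenter: `LockdownMode` and `QueryLockdownExceptions()` on the host's `HostAccessManager`, `Get-AdvancedSetting -Name DCUI.Access` and `Get-VMHostService` in PowerCLI. The point the checker makes explicit is the one Question 2 hides: in strict lockdown the only thing standing between a lost vCenter connection and a host reinstall is an admin-privileged exception user with SSH or the ESXi Shell already enabled.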
Question 5
Which two advanced features should be disabled for virtual machines that are only hosted on a vSphere system? (Choose two.)
Disable Unexposed Features
VMware virtual machines are designed to work on both vSphere systems and hosted virtualization platforms such as Workstation and Fusion. Certain VMX parameters do not need to be enabled when you run a virtual machine on a vSphere system. Disable these parameters to reduce the potential for vulnerabilities.
Prerequisites
Turn off the virtual machine.
Procedure
Question 6
To reduce the attack vectors for a virtual machine, which two settings should an administrator set to false? (Choose two.)
Removing Unnecessary Hardware Devices
Any enabled or connected device represents a potential attack channel. Users and processes without privileges on a virtual machine can connect or disconnect hardware devices, such as network adapters and CD-ROM drives. Attackers can use this capability to breach virtual machine security. Removing unnecessary hardware devices can help prevent attacks.
Question 7
Which two groups of settings should be reviewed when attempting to increase the security of virtual machines (VMs)? (Choose two.)
A: Disable hardware devices
B: Disable unexposed features
C: Disable VMtools devices
D: Disable VM Template features
Correct Answer: AB
Securing Virtual Machines
The guest operating system that runs in the virtual machine is subject to the same security risks as a physical system. Secure virtual machines as you would secure physical machines.
Subtopics
General Virtual Machine Protection
Configuring Logging Levels for the Guest Operating System
Limiting Exposure of Sensitive Data Copied to the Clipboard
Disable Unexposed Features
Limiting Guest Operating System Writes to Host Memory
Removing Unnecessary Hardware Devices
Prevent a Virtual Machine User or Process from Disconnecting Devices
Prevent a Virtual Machine User or Process from Disconnecting Devices in the vSphere Web Client
Question 8
Which password meets ESXi 6.x host password requirements?
A: 8kMVnn2x!
B: zNgtnJBA2
C: Nvgt34kn44
D: !b74wr
Correct Answer: A
ESXi Passwords
By default, ESXi enforces requirements for user passwords.
Your user password must meet the following length requirements.
Passwords containing characters from one or two character classes must be at least eight characters long.
Passwords containing characters from three character classes must be at least seven characters long.
Passwords containing characters from all four character classes must be at least six characters long.
When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as an underscore or dash.
The password cannot contain the words root, admin, or administrator in any form.
Question 9
An administrator would like to use a passphrase for their ESXi 6.x hosts which has these characteristics:
Minimum of 21 characters
Minimum of 2 words
Which advanced options must be set to allow this passphrase configuration to be used?
Correct Answer: B
ESXi Passwords and Account Lockout
For ESXi hosts, you have to use a password that meets predefined requirements. You can change the required length and character class requirements, or allow passphrases, using the Security.PasswordQualityControl advanced option. ESXi uses the Linux PAM module pam_passwdqc for password management and control; see the pam_passwdqc man page for detailed information.
ESXi Passwords: ESXi enforces password requirements for direct access from the Direct Console User Interface, the ESXi Shell, SSH, or the vSphere Client. When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash.
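The class and length rules above are easiest to reason about when you can run candidate passwords through them. The following is an added example, not VMware or passwdqc code: a Python model of the pam_passwdqc length/class decision that ESXi applies, which parses a `Security.PasswordQualityControl` string (`min=N0,N1,N2,N3,N4` where the fields are the minimum length for one class, two classes, a passphrase, three classes and four classes; `passphrase=N` is the minimum word count) and checks a password against it. Two passwdqc details that the exam figures depend on are modelled: a leading uppercase letter and a trailing digit are not credited as character classes, and the passphrase rule is only tried for passwords with two counted classes. The policy strings are assumptions to verify on your own hosts (`retry=3 min=disabled,disabled,disabled,7,7` is the ESXi 6.5 default; `min=8,8,8,7,6` reproduces the 8/7/6 figures quoted above); the dictionary, similarity and maximum-length checks passwdqc also performs are omitted.

```python
"""Added example (not VMware or passwdqc code): a model of the
pam_passwdqc length/class decision behind Security.PasswordQualityControl.
Policy strings below are assumptions; check your host's actual setting.
"""
from typing import Optional

ESXI_65_DEFAULT = "retry=3 min=disabled,disabled,disabled,7,7"          # ESXi 6.5 default
ESXI_60_STYLE = "retry=3 min=8,8,8,7,6"                                 # the 8/7/6 figures in the text
PASSPHRASE_POLICY = "retry=3 min=disabled,disabled,21,7,7 passphrase=2"  # Question 9: 21 chars, 2 words

DISABLED = 1 << 30   # passwdqc treats "disabled" as a length that can never be reached


def parse_policy(setting: str) -> dict:
    """Parse 'min=N0,N1,N2,N3,N4' and 'passphrase=N'; other tokens are ignored here."""
    policy = {"min": [DISABLED] * 5, "passphrase": 3}   # passwdqc default: 3 words
    for token in setting.split():
        key, _, value = token.partition("=")
        if key == "min":
            fields = value.split(",")
            if len(fields) != 5:
                raise ValueError("min= needs exactly five fields")
            policy["min"] = [DISABLED if f == "disabled" else int(f) for f in fields]
        elif key == "passphrase":
            policy["passphrase"] = int(value)
    return policy


def classify(pw: str):
    """(classes, words) the way passwdqc's is_simple() counts them for ASCII input:
    a leading uppercase letter and a trailing digit are not credited;
    a word starts where a letter follows a non-letter."""
    digits = lowers = uppers = others = words = 0
    prev = " "
    for ch in pw:
        if ch.isdigit():
            digits += 1
        elif ch.islower():
            lowers += 1
        elif ch.isupper():
            uppers += 1
        else:
            others += 1
        if ch.isalpha() and not prev.isalpha():
            words += 1
        prev = ch
    if pw and pw[0].isupper() and uppers:
        uppers -= 1
    if pw and pw[-1].isdigit() and digits:
        digits -= 1
    classes = sum(1 for n in (digits, lowers, uppers, others) if n)
    return classes, words


def check_password(pw: str, setting: str) -> Optional[str]:
    """None if pw is acceptable under the setting, otherwise the reason it is rejected."""
    minimum = parse_policy(setting)["min"]
    min_words = parse_policy(setting)["passphrase"]
    lowered = pw.lower()
    if any(word in lowered for word in ("root", "admin", "administrator")):
        return "contains root/admin/administrator"
    classes, words = classify(pw)
    length = len(pw)
    # passwdqc walks the class count downwards; the passphrase rule is tried at two classes
    for c in range(classes, 0, -1):
        if c == 4 and length >= minimum[4]:
            return None
        if c == 3 and length >= minimum[3]:
            return None
        if c == 2:
            if length >= minimum[1]:
                return None
            if words >= min_words and length >= minimum[2]:
                return None
        if c == 1 and length >= minimum[0]:
            return None
    return f"{length} characters with {classes} counted class(es) is too short for this policy"
```

Run against the four candidates from Question 8, only A (`8kMVnn2x!`, four classes, nine characters) passes under the 6.5 default, which matches the answer given. Under `min=8,8,8,7,6`, B and C also pass: each has two counted classes once the trailing digit (and, for C, the leading uppercase letter) is discounted, and both are at least eight characters, so the 8/7/6 wording and the exam answer only agree for the stricter default. For Question 9, a policy such as `min=disabled,disabled,21,7,7 passphrase=2` accepts `vsan lockdown clusters` (two counted classes because the spaces count as a class, three words, 22 characters) and rejects the same phrase cut to 13 characters. Read the live value with `Get-AdvancedSetting -Entity $vmhost -Name Security.PasswordQualityControl` in PowerCLI.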
Question 10
Which Advanced Setting should be created for the vCenter Server to change the expiration policy of the vpxuser password?
I had a very interesting question recently about how vSAN handles a failure in an object that is running with an erasure coding configuration. In the case of vSAN this is either a RAID-5 or a RAID-6. On vSAN, a RAID-5 is implemented with 3 data segments and 1 parity segment (3+1), with parity striped across all four components. RAID-6 is implemented as 4 data segments and 2 parity segments (4+2), again with the parity striped across all six components. So what happens when we need to continue writing to one of these objects after a component/segment has failed?
After discussing this with one of our vSAN engineering leads, the answer is that it depends on which offset you are writing to. Let’s take RAID-5 as an example. The RAID-5 VMDK object address space is split into 1 MB stripes. Taking three of the four RAID-5 components together makes up one contiguous 3 MB range; we refer to this as a row, distributed over the three components. The fourth component is used for parity, and the component used for the parity is rotated for each row.
First, look at a row that has lost a data component, taking the first row. Future writes to the 0-2 MB range of the object address space are unaffected: they still go to their respective data component (Comp1 or Comp2). A write to the 2-3 MB range reads the data from Comp1 and Comp2, calculates the new parity from all three data segments (including the new data), and writes the parity to Comp4; there is of course no write to Comp3, which has failed. The same procedure applies to every other row that lost a data segment with Comp3.
Let’s now look at a row that has lost its parity component, for example row 2. Writes to the 3-6 MB range just write the data to Comp1, Comp2 and Comp4 as normal, with no parity. There are no parity reads associated with this write operation, so IO amplification is reduced. A normal RAID-5 write has to read the existing data and parity, write the new data, calculate the new parity and write it back; for rows whose parity sits on the failed component, the same write is a single data write with no reads.
So, to recap, we still maintain a 3+1 RAID-5 arrangement for data placement, but there is a “functional repair” whereby the data that cannot be written is included in the parity calculation. That parity (with the other two data components, Comp1 and Comp2) can then be used to reconstruct the original data when servicing a guest read, or to resync Comp3 when it recovers.
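To make the three cases concrete, here is an added example, not vSAN code: a byte-level model of a 3+1 RAID-5 object that follows the degraded-write behaviour described above. Stripes are `STRIPE` bytes rather than 1 MB, parity is a plain XOR rotated one component per row (row 0 on Comp4, row 1 on Comp3, as in the text), and every component read and write is counted so the IO amplification of a healthy read-modify-write, a write into a failed data segment, and a write into a row whose parity is lost can be compared directly. The class and method names are chosen here; vSAN's real placement and metadata are more involved than this.

```python
"""Added example, not vSAN code: a 3+1 RAID-5 object model that reproduces
the degraded-write cases in the text. Stripes are STRIPE bytes (vSAN: 1 MB),
parity is XOR and rotates by one component per row, and reads/writes of
components are counted so IO amplification can be compared per case.
"""
STRIPE = 8                         # bytes per stripe in this model
WIDTH = 4                          # 3 data components + 1 parity component per row
ROW_BYTES = STRIPE * (WIDTH - 1)   # one row covers 3 stripes of object address space


def xor(*blocks: bytes) -> bytes:
    out = bytearray(STRIPE)
    for block in blocks:
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)


class Raid5Object:
    def __init__(self, rows: int):
        self.rows = rows
        self.comps = [[bytes(STRIPE) for _ in range(rows)] for _ in range(WIDTH)]  # comps[comp][row]
        self.failed = set()
        self.io = {"reads": 0, "writes": 0}

    @staticmethod
    def parity_comp(row: int) -> int:
        return (WIDTH - 1 - row) % WIDTH          # row 0 -> Comp4, row 1 -> Comp3, row 2 -> Comp2 ...

    def locate(self, offset: int):
        """Object offset -> (row, data component, parity component, data components of the row)."""
        row, within = divmod(offset, ROW_BYTES)
        pc = self.parity_comp(row)
        data_comps = [c for c in range(WIDTH) if c != pc]
        return row, data_comps[within // STRIPE], pc, data_comps

    def _get(self, comp: int, row: int) -> bytes:
        if comp in self.failed:
            raise RuntimeError(f"Comp{comp + 1} is failed")
        self.io["reads"] += 1
        return self.comps[comp][row]

    def _put(self, comp: int, row: int, data: bytes) -> None:
        self.io["writes"] += 1
        self.comps[comp][row] = data

    def fail(self, comp: int) -> None:
        self.failed.add(comp)

    def reset_io(self) -> None:
        self.io = {"reads": 0, "writes": 0}

    def write(self, offset: int, data: bytes) -> None:
        assert len(data) == STRIPE and offset % STRIPE == 0, "one aligned stripe at a time"
        row, target, pc, data_comps = self.locate(offset)
        if pc in self.failed:
            # parity lives on the failed component: plain data write, no parity reads or writes
            self._put(target, row, data)
        elif target in self.failed:
            # "functional repair": fold the data that cannot be stored into the parity
            survivors = [self._get(c, row) for c in data_comps if c != target]
            self._put(pc, row, xor(data, *survivors))
        else:
            # healthy segment (even in a degraded row): normal read-modify-write, 2 reads + 2 writes
            old, old_parity = self._get(target, row), self._get(pc, row)
            self._put(target, row, data)
            self._put(pc, row, xor(old_parity, old, data))

    def read(self, offset: int) -> bytes:
        row, target, pc, data_comps = self.locate(offset)
        if target not in self.failed:
            return self._get(target, row)
        # reconstruct the missing segment from parity and the surviving data components
        survivors = [self._get(c, row) for c in data_comps if c != target]
        return xor(self._get(pc, row), *survivors)

    def resync(self, comp: int) -> None:
        """Rebuild a recovered component row by row; XOR of the other three yields data or parity alike."""
        self.failed.discard(comp)
        for row in range(self.rows):
            others = [self._get(c, row) for c in range(WIDTH) if c != comp]
            self._put(comp, row, xor(*others))
```

With Comp3 failed, a write into its segment of row 0 costs two reads and one write (against two reads and two writes for a healthy read-modify-write), a write into row 1, whose parity was on Comp3, costs a single write and no reads, and a guest read of the failed segment is served from the other three components. A second failure in the same row makes the reconstruction raise, which is the RAID-5 fault tolerance limit; `resync` shows why the parity-only repair is enough for Comp3 to be rebuilt once it returns.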
You may configure any Kubernetes distribution to access VMware vSphere VMDK volumes, which includes using VMDK volumes as persistent volumes for application data with Datrium. The vSphere Cloud Provider allows vSphere managed storage to be used for volumes, persistent volumes, storage classes and volume provisioning. Datrium presents a single datastore (or several) to vSphere, which Kubernetes then abstracts.
Dynamic Volume Provisioning
Dynamic volume provisioning allows storage volumes to be created on-demand. Without dynamic provisioning, cluster administrators have to manually make calls to their cloud or storage provider to create new storage volumes, and then create PersistentVolume objects to represent them in Kubernetes. The dynamic provisioning feature eliminates the need for cluster administrators to pre-provision storage. Instead, it automatically provisions storage when it is requested by users.
To enable dynamic provisioning, a Kubernetes cluster administrator needs to pre-create one or more StorageClass objects for users. StorageClass objects define which provisioner should be used and what parameters should be passed to that provisioner when dynamic provisioning is invoked.
Backing Up Persistent Volumes
Kubernetes provisions new volumes as persistent independent disks so that a volume can be freely attached to and detached from any node in the cluster; on Datrium DVX each persistent volume is an independent VMDK.
As a consequence these volumes cannot be backed up with VMware snapshots (independent disks are excluded from VM snapshots), and VMware recommends stopping the application that uses the PV, cloning the PV, and restarting the application.
Datrium can address Kubernetes persistent volume backup and replication with native non-disruptive snapshots that have no impact on the usability or performance of the volumes and applications.
CRN, a brand of The Channel Company, has recognized three VMware products as part of their 2018 Products of the Year Awards:
VMware Cloud on AWS – overall winner in the Hybrid Cloud category
VMware NSX updates named as a finalist in the Software-Defined Networking category
VMware vSAN 6.7 – overall winner in the Software-Defined Storage category
Products and services named on this list represent best-in-breed technological innovation, financial opportunity for partners, and customer demand. For the third year in a row, the winners were determined through a combination of editorial selection and a survey fielded to solution providers, who are currently selling both the technology and specific vendor product, to accurately capture real-world satisfaction among partners and their customers.
We are thrilled to announce that Workspace ONE Boxer supports Google’s G Suite. Customers using G Suite for corporate email will now be able to deliver our secure, containerized email app, Workspace ONE Boxer, to their employees. Equipped with time-saving workflows and features built for business users, Boxer’s all-in-one email, calendar and contacts app is ideal for enterprises seeking a blend of consumer simplicity and enterprise security.
Today, Boxer integrates with the enterprise email services Exchange, Office 365, Outlook and IBM Notes and the personal email services Yahoo, iCloud and Gmail. Boxer also works with third-party business apps such as Office 365, Box, Google Drive and our other Workspace ONE productivity applications to simplify file attachment workflows while maintaining enterprise security.
With support for Google’s enterprise solution G Suite, we are able to provide a secure, containerized email, calendar and contacts solution for more customers than ever before.
This is an exciting time for customers using G Suite! Thanks to our partnership with Google, we can enable enterprises to go further and faster into their digital workplace transformation journey and support a wider range of customers and use cases. It is a true recognition of Workspace ONE’s ability to work across systems while providing the best, secure experience for business users. G Suite and Boxer is a unique combination for organizations willing to leverage best-of-breed solutions while modernizing their environment.
Gregory Lehrer, Sr Director, Head of Technology Alliances, VMware
Joint customers of G Suite and Boxer will also be able to take advantage of advanced integrations such as Workspace ONE mobile flows. Workspace ONE mobile flows provide the framework to enable developers to build context-based notifications and actions into Boxer for their users. Organizations have the option of using pre-built connectors we’ve provided to backends like Salesforce and ServiceNow or custom developed connectors based on workflow requirements.
Sample Question 1
A company wants to virtualize the SAP (Business Application) for the first time. The company has to ensure high availability for its virtualized workloads, so it has explored several vSphere features and would like to review the findings.
Which two features improve SAP’s availability and recoverability? (Choose two.)
A: vSphere High Availability
B: Single Root I/O Virtualization (SR-IOV)
C: VMFS file system
D: VMware vSphere vMotion
Sample Question 2
A latency-sensitive, legacy business-critical application must be migrated to a vSphere cluster.
The application does NOT support application-level failovers.
The application owner would like to leverage virtualization features like high availability and vMotion to increase availability during failures and maintenance operations.
Which two performance optimizations can be enabled in this scenario? (Choose two.)
A: Enable the host and virtual machine for SR-IOV.
B: Enable the host and virtual machine for appropriate network buffer sizes.
C: Enable the host and virtual machine for Uniform Memory Access (UMA).
D: Enable the host and virtual machine for SplitTx and SplitRx.
Sample Question 3
During a recent maintenance window, a customer experienced a hardware failure of an ESXi host. As a result of degraded capacity, vSphere HA was unable to restart a number of virtual machines (VMs).
Which sizing strategy will allow the cluster to maintain the ability for HA to restart VMs during maintenance windows while keeping hardware resources at a minimum?
A: N-1
B: N+1
C: N+2
D: N=3
Sample Question 4
A network administrator has specified that Link Layer Discovery Protocol (LLDP) must be supported in his company's vSphere network design.
Which type of virtual switch can be used?
A: vSphere Standard Switch
B: Open vSwitch
C: vSphere Distributed Switch
D: Cisco Nexus 1000v Switch
Sample Question 5
A solution architect has been tasked with designing a new environment that meets the needs of a growing company, and has obtained this information:
Blade servers are the current required standard and are configured with 2 x 12-core CPUs, 384 GB of memory, no HDD, and a single dual-port 10 Gb Converged Network Adapter.
Based on the server's Mean Time Between Failure, the design must accommodate a single blade failure without affecting performance.
The current delivery time for the servers is 90 days.
The Dell storage is currently 100% configured, utilizing RAID 5 volumes, of which 40% of the array is currently free space.
The current Data Domain backup solution has been determined to have enough space to accommodate the additional virtual machines that were sized according to the application team's requirements and the backup team's retention policies.
Based on this information, which two statements are risks for the new design? (Choose two.)
A: The server delivery date may be more than 90 days.
B: Blade servers will not perform as optimally as rackmount servers.
C: The retention policy for backups meets company requirements.
D: The failure of a second disk during a diskgroup rebuild will result in data loss.
Sample Question 6
A customer has four VLANs: Management, vMotion, iSCSI, and Application.
The network team requires each type of traffic to be on its own VLAN.
The security team requires Layer 3 connectivity to each network for monitoring.
Which two settings must be configured? (Choose two.)
A: Multiple NICs
B: Custom TCP/IP Stack
C: vMotion TCP/IP Stack
D: One VMkernel port per network
Sample Question 7
A customer requires Windows Server Failover Clustering between physical and virtual servers.
The environment design of the storage must meet this requirement.
The customer wants to use storage as efficiently as possible, including granularity, QoS, VAAI, etc.
Which type of storage for a physical RDM proxy file can be used?
A: NFS
B: VMFS
C: vSAN
D: VVol
Sample Question 8
A company is deploying a modern video news-streaming application.
The application is capable of scaling (expanding and collapsing) its streaming nodes on demand.
To host the application, the company decided to implement a new VMware cluster with vSphere 6.5.
vMotion is not supported by the application.
Using VMware-recommended best practices, where should the company place the swap file?
A: On replicated datastores
B: On local solid state drives
C: On thin-provisioned LUNs
D: On hardware-encrypted drives
Sample Question 9
A solutions architect is building a new data center at a remote site for a company.
All of the necessary virtual machine templates are already stored in a Content Library at the main office.
The company also needs the ability to rapidly deploy virtual machines throughout the next year in this site.
Which vCenter Server deployment strategy will meet these requirements?
A: The new vCenter Server should manually subscribe to the Content Library at the main site and download contents only when needed.
B: The new vCenter Server should join the existing SSO domain, automatically subscribe to the published Content Library, and download all of the contents.
C: The new vCenter Server should manually subscribe to the Content Library at the main site and download all the contents of the published library immediately.
D: The new vCenter Server should join the existing SSO domain, automatically subscribe to the published Content Library, and download the contents only when needed.
Sample Question 10
A company is consolidating its IT operations efforts by moving the Finance, IT, and QA departments towards a self-service environment, following SDDC best practices.
All departments have different priorities and expectations for uptime of the required infrastructure and applications.
Project stakeholders are still discussing final approvals for the budget with the CFO.
To drive down the operating cost of the environment, only blade servers will implement this project.
To ensure business continuity, a colocation provider was chosen to fail over virtual machines.
The implementation of the project will follow a public reference architecture provided by VMware.
Which is the risk in this scenario?
A: The chosen architecture is sufficient.
B: All departments demand different SLAs.
C: Final budget approvals are being discussed.
D: The environment will be shared by several departments.
VMware 3V0-624 Exam Answer Key:
1-A and D; 2-B and D; 3-C; 4-C; 5-A and D; 6-B and D; 7-B; 8-B; 9-C; 10-C.