Recently I was fortunate enough to design and build an enterprise level distributed installation of the vRealize Automation suite of products and integrate it into an enterprise environment. I’ve done several vRA/vCAC deployments before but each time I do a new deployment I like to collate information, read all the latest articles and make sure what worked in the past for me hasn’t changed or more likely has been enhanced so I can provide an even better deployment.
For those unsure of what an enterprise distributed deployment comprises, I have added a logical diagram below.
My current deployment was based on vRealize Automation 6.1 due to it being part of an EMC Hybrid Cloud deployment, but the architecture and layout are exactly the same for 6.2. (Note that this is defined after collecting customer requirements based on the number of workloads, NSX load balancing and the requirement of application services, so make sure you have reasons for design decisions.)
For the resources I used, some are ones I used in the past to learn how to do an enterprise deployment and some are ones I re-read prior to this deployment. I have listed them below to save me looking for them again but also to maybe help other people:
- The first place anyone should start is the vRA documentation centre which has a large portion of the vRA documentation you will need to have read and at some points follow along with to do your deployment.
- One of the most important documents to utilise is the Installation and Configuration document. As I mentioned, I was deploying vRA 6.1 so utilised the following document from page 43 onwards.
- One challenge when deploying an enterprise level deployment of vRA is that you should at a minimum use internally signed certificates. For vRA, if you are changing the certificate on one of the components then you need to change all of them or else you will have a plethora of problems (I have spent countless hours in the past helping companies who have tried their own PoC, have only changed a few certificates and then deployed workloads that they now want to keep). For this portion I like to follow Eiad Al-Aqqad’s resources as to me they seem really straightforward and have worked really well in the past.
NB: When importing the certificate into the appliances, remember to remove the bag attributes at the beginning of the PEM file and start from -----BEGIN CERTIFICATE----- until -----END CERTIFICATE-----
- Once you have the certificates prepared then you can start the deployments. I used the identity appliance rather than vCenter SSO due to the identity appliance following the same upgrade schedule as all the other vRA components, and in the past I have hit a few problems due to people using vCenter SSO. There are positives and negatives of using SSO so make sure you look at both options and select the correct option for your deployment. The official documentation is good but I also used Emad’s and Grant’s blogs for the deployment of the identity appliance.
- Next portion is the configuration of the external vPostgres database and for this I used the vRA appliance and disabled the services that were not required. For this I used the official documentation. If you don’t know how to deploy the vRA appliances then go to the next step, follow that, then come back to this step (although I do worry if you don’t know how to deploy an appliance).
NOTE: VMware no longer recommend using an external postgres database. The 6.2 documentation has been updated to reflect this.
- Now you need to deploy the vRA appliances. This is fairly straightforward and really shouldn’t cause you any issues.
- Next are the IaaS components. This is SO MUCH easier than the vCAC 4.1 days now that there is the pre-req script. The script can be found here. Before installation of the IaaS components ensure you have ntrights.exe downloaded, a Windows ISO attached to the virtual machine (2012 requires this but 2008 never did) and Java 7u75 downloaded in an easily searchable folder (Java version is correct as of this posting). For these steps I was going to break it down into a few blog postings but fellow vBrownbag member, Jonathan Frappier, has done such a cracking job I recommend you follow his:
- Now that the components are installed it is time to grant permissions, create the required tenant/s for your cloud workloads apart from the default tenant and create all the business groups. Again Jonathan has broken this down brilliantly and this is what I re-read prior to my deployments.
- Now on to the application services, adding and preparing of vSphere templates and creating entitlements so that services can be requested. Again Jonathan has covered it perfectly (as does the official documentation that you should be following alongside these).
- Now for the vRO deployment as well as including NSX into vRA and installing the NSX plug-in to the vRO server. For vRO I used the Windows method rather than the appliance route due to us being unable to do multi-hop WinRM using the PowerShell plugin when we need to run PowerShell scripts locally on multiple servers rather than locally on the vRO server. For this I used Sid Smith’s articles as well as the standard VMware documentation:
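Going back to the NB in the certificate step above, this is one way to strip the bag attributes before pasting a certificate into an appliance, and to check the result. It is an added example, not part of the original post or of VMware's tooling; the function names, file names, host names and PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Host names and PEM bodies are
# constructed placeholders, not real key or certificate material.

# write_sample FILE: a PEM export with bag attributes around each block.
write_sample() {
cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: vra-va.example.local
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERKEYBODY
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: vra-va.example.local
subject=/CN=vra-va.example.local
issuer=/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERSERVERCERT
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERCACERT
-----END CERTIFICATE-----
EOF
}

# extract_certs FILE: print only the certificate blocks; bag attributes,
# subject/issuer lines, private key blocks and trailing CRs are dropped.
extract_certs() {
    awk '{ sub(/\r$/, "") }
         /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
         keep                            { print }
         /^-----END CERTIFICATE-----$/   { keep = 0 }' "$1"
}

# is_clean_pem FILE: succeeds only if every non-empty line sits inside a
# certificate block, i.e. nothing but certificates would be pasted.
is_clean_pem() {
    awk '{ sub(/\r$/, "") }
         /^-----BEGIN CERTIFICATE-----$/ { inside = 1; seen = 1; next }
         /^-----END CERTIFICATE-----$/   { inside = 0; next }
         !inside && NF                   { bad = 1 }
         END { if (bad || !seen || inside) exit 1 }' "$1"
}

# Usage: extract_certs export.pem > vra-cert.pem && is_clean_pem vra-cert.pem
```

Because the private key block is filtered out along with the attributes, the key never ends up in the certificate field by accident.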
Along the way I hit a few errors and spent a fair bit of time with VMware support also on a few of them. The main ones are listed below:
- Received a 401 error in the Infrastructure Tab of vRA
- Received a 404 error when opening the vRA portal
- Received a “Failed to retrieve form from provider” when requesting an Application Service catalog item in vRA
- Received errors about trust relationships failing between the components
- Received a “Failed to retrieve form from provider” when requesting a catalog item in vRA (this is using multi-machine rather than application services). This error is one I still have a ticket open with engineering for: when we do a quiesced backup of the vRO database, this at times causes one of the vRO nodes to stop due to a timeout in connectivity to the database. Currently the only fix is to start the stopped node. I will update this if/when VMware engineering give a realistic solution.
If you are unsure about any of the portions mentioned or want to know more, you can ask VMware Professional Services, for whom I did this design and deployment, or Xtravirt, who are a VMware partner, to come in and help you with the design/configuration of your environment.
Also let me know if you think I missed something or if it helped you.