VMware this morning released a KB article and a fix for vShield Edge devices filling up their disk space. While the condition did not kill the Edge or cause an outage, it did stop you from making changes to the Edge’s configuration.

The official fix will be released on this site:

The upgrade/patch will require the standard vCloud Network Security (vShield) upgrade process, in which the Edge device is replaced with one running the new code. (READ: possible network outage for a few moments while the Edge is swapped.)

How do you know if you have this problem?

In vCloud Director, attempting a reconfig fails with this error:


In vCloud Director, when looking at Edge Gateways, you receive this error:

Edge VM backing the edge gateway is unreachable

Just remember, when this happens it does not cause an outage or a network failure. The Edge is basically running ‘headless’ at that point: it keeps forwarding traffic with its current ruleset, but will not accept any ruleset changes.

Time for a change… Well a new direction at least

I started working at VMware just under two years ago. In that time I have worked for a Cloud Practice, where we developed the services and solutions that are being implemented today. That transitioned into a group developing bleeding-edge documentation and processes, and ultimately ‘making the marketing world a reality’.

Since then I have transitioned to a more security-in-the-cloud role: for example, how can a workload in the cloud be secured and audited, no matter where it is running?

Now for a new challenge, something fresh; most importantly… something NEW. Not only to me, but to almost everyone.

I was asked a few weeks ago to join a new business unit in VMware, a new Global Center of Excellence on Network Virtualization Security. There I will be focusing on the current VMware vCloud Network Security suite of products. Most interesting is merging the vCloud Network Security suite with Nicira’s NVP product.

While it is still cloud related, it is now more network (NaaS), security, and then cloud.

Let the mayhem begin!

Network as a Service

What the heck is Network as a Service (NaaS)?

Wait, I know… it is one of those catchy new bits of jargon that the marketing people use.

Actually, they will; someday.

Right now, though, I am referring to the idea that what virtualization did for compute can be done for networking. Think quickly about how networking is tied to the physical.

If you want to add a new server to your datacenter, you have to rack it, power it, and connect it to the physical network. Imagine that server is virtual: now you just have to wire the network to the host, then connect the virtual machine to that physical network.

Take it a step further.

You create the server, then you connect it to the logical network.

Logical network? Yes.

A network that is defined by software, managed by software, and is agile like software.

Want to move that virtual machine to a new datacenter? Take your network and virtual machine with you.

This is the next big thing for datacenters, networking and virtualization. Sure, over a decade ago servers started to get virtualized. Now what is one of the last things holding a machine to the physical world? Networking.

While the details, methods and nitty-gritty are still being worked out, just think of the possibilities.

I am sure I will have more to say on this in the coming weeks and months.

What does it take to achieve a VCDX certification?

There have been lots of articles on the defense and the process… so I will not waste space on that. This is going to be focused on ‘What is a VCDX?’

It means that you are an expert at designing and architecting VMware virtual environments; more specifically vSphere environments. Of course, to achieve this level of certification you had to pass a VCP exam, plus the VMware Certified Advanced Professional Datacenter Design (VCAP-DCD) and Datacenter Administration (VCAP-DCA) exams.

Does it mean you are a master of the technical portions of vSphere (networking configuration, storage configuration, compute configuration)?


There are VCDXs who are CCIE-level network engineers, but that is not their only skill set. They know SAN design, layout and configuration, as well as compute limitations.

  • For example, they know that a physical server with 4,096TB of RAM and 64 sockets is just not realistic or cost effective.
  • They also know that RAID 5 probably should not be used for a write-heavy workload, but if they do use a RAID 5 LUN, they identify this as a risk in the design.

Sure, it seems easy to install and design a vSphere environment, but consider that vSphere is a technology and suite of products that touches nearly every aspect of a corporation’s IT.

vSphere requires networking, storage, servers, power, cooling, and a workload. This means that you will need to understand enough of those areas, including other areas that you may touch, to properly design the solution.

  • It means that you are able to gather requirements from a customer for their use cases.
  • It means that you are able to consider the impacts of such requirements, product limitations, product features, and most importantly… the impact of the decisions that you make.
  • It means that you are able to identify the risks in your design, then mitigate or reduce that risk to an acceptable level.
  • It means that you are able to consider the dependencies between the elements of your design, the customer’s existing environment, and the customer’s existing operational procedures.

You also need to understand the operational aspects of a design.

  • How do I implement it?
  • How do I test it?
  • How can I update it?
  • How do I maintain it?
  • What do I do when something breaks?
  • What is likely to break?

It requires a different mindset.

It requires the mindset of an architect, a consultant, and a system administrator.

vCloud Network Security (formerly vShield)

For those of you that used the former product, vShield, that name is OLD news: VMware’s marketing team has renamed it VMware vCloud Network Security, which is really what it is. vShield Endpoint is now free with vSphere host licenses (Enterprise Plus is needed, of course).

Here is a highlight of what is new in vCloud Network Security:

  • The Edge product finally supports more than two interfaces, and becomes a more flexible and usable product. It now supports 10 interfaces, which can be a mix of internal and external interfaces.
  • Edge now has an SSL VPN built in, which is truly interesting for vCloud deployments. Instead of needing an IPsec VPN client and its underlying requirements (looking at you, GRE), the only requirement is now TCP port 443.
  • The new UI… can’t say enough about it. It is clearly a ground-up redesign of the old one. Now it is more standard, easier to follow, and much easier to add/change/delete rules in.
  • Throughput: Edge is now ‘officially’ supporting > 3Gb/s with 2,000 NAT and 2,000 firewall rules. ‘Unofficially’ it tested much higher than that.
  • The load balancer is actually getting smarter now; it is not just round-robin as it was before, it now supports load balancing policies.

vCenter and vSphere 5.1

The latest versions of VMware’s vCenter, vSphere, vCloud Director, and vShield are now at version 5.1. The first major, ground-breaking change…


That is right: a year after making the very unpopular choice to limit the amount of ‘vRAM’ you could use per license, VMware has heard the screams of pain and completely tossed the idea. While it only really affected a handful of VMware’s thousands of customers, it was a complexity that caused more confusion than answers.

Now to the news…

vSphere 5.1 has once again revved the virtual hardware version, to version 9. Version 9 gives you the ability to run 64 virtual CPUs in a single VM, making the ‘Monster VM’ even larger!

vCenter 5.1 supports 20,000 powered-on VMs in the same vCenter, 25 linked vCenters, 1,000 hosts per datacenter, and 128 concurrent Storage vMotions.

VMware is also moving away from the thick C# client, which was tied to Windows-only machines, to a web-based client. This new vSphere Web Client was there in 5.0, but it was incomplete and still lacked basic functions. 5.1 is the first version of the vSphere Web Client that is actually a near replacement for the old thick client. If the vSphere Web Client is used you can actually get around 150 concurrent client connections to your vCenter server(s).

More to come as information comes out of VMworld this week!

How I Get Things Done

Here are the programs and things that I need on a daily basis to get my job done.

1. Instapaper – While reading blogs, security news and other information, I log the pages to Instapaper.
2. Evernote – I have an AppleScript that takes items from Instapaper and places them into Evernote for later retrieval. I also use Evernote to keep wikis and other documents for easy search and access.
3. Skype – Great VoIP and IM client; best of all it is secure, where AIM, MSN and others are clear text.
4. iA Writer – One of the best writing tools that I have found for capturing thoughts, notes and blog posts. It is simple, slimmed down, and just works. It works with iCloud to keep all the docs in sync between my iDevices and Mac.
5. MindNode Pro – Before heading to iA Writer I mind map out my document in detail, mostly in order to get my thoughts in order.
6. OmniOutliner Pro – Once I have the mind map created I import it into OmniOutliner, where I can then edit the map and add depth to the discussion points. From there I export it to a Markdown file, then into iA Writer for final editing.
7. MS Word – Once iA Writer has my document, I need to be able to put it in a format that the tech writers can use. So on to MS Word, for styling and final proofreading.
8. OmniFocus – My GTD application; works great. I am able to use Apple Mail rules and formatting to put tasks into OmniFocus remotely. OmniFocus also has great iDevice applications that allow for GTD on the go.
9. TextExpander – Working in a company that uses acronyms for everything, TextExpander allows me to type those acronyms and have them expanded for the final document.
10. SpiderOak – Securely keeps my machines in sync.

Other programs on my Mac that I use…

gfxCardStatus – Keeps tabs on my graphics card, for optimal battery life.
GeekTool – I have my RAM usage, network status and date on my desktop.
Adium – Best IM client for the Mac.
Tweetbot – It may be in alpha and crash sometimes, but it is a blessing compared to TweetDeck.



Barcelona will host the first VCDX5 defenses, meaning you can submit a vSphere 5 design and only be questioned on vSphere 5.x features. Sure, with the current program you can submit vSphere 5 designs, but you will only receive a VCDX4 certification. So the real question is: what changes with VCDX 5?

The short answer is nothing. Nothing changes from all the blog posts and information that is out there for VCDX 5.

VMworld Sessions

Consider voting for sessions 1314, 1315 and 1628 here. Here is a brief on what you will learn…

Session 1314

Will cover how vShield App can make use of a single Layer 3 network with multiple security zones in that same network, with access control and auditing of server-to-server communication. It will also cover how vShield App will assist with passing audits and security tests.

Session 1315

Will cover how to recover from a site outage and how to restore services in a DR or BC scenario. It will also cover how to restore vShield Edge/App from corruption or failures.

Session 1628

Mark Achtemichuk and I will cover how to make sure that your vCloud installation is running at 110%, and will show you how allocation models can affect performance for better or worse! Are you ready to run a vTornado?

SpiderOak v. SugarSync


I recently moved from SugarSync, with over 60GB stored, to SpiderOak for cloud-based storage of documents, pictures and other data. Before I explain why, here is a quick overview of how they work differently (based on the documentation on their web sites).


Data is transmitted to SugarSync unencrypted, inside an encrypted SSL/TLS connection to the SugarSync servers. The data is then encrypted by SugarSync and stored on its servers for later retrieval. Because SugarSync holds the encryption keys, this means that if SugarSync is ‘hacked’ or subpoenaed by a law enforcement agency, they can have access to all of your data.
While I do not store sensitive information outside of secure containers (think TrueCrypt files), it still concerned me enough to find a new cloud storage provider.


SpiderOak does things differently: they do not want to know what information you store or how to get to it. Data is encrypted on the local machine before it is sent over an SSL/TLS connection to the SpiderOak servers. The key is derived from the password used to create the account, so SpiderOak never knows your password or the encryption key for your data. Ultimately this means that if they are subpoenaed by a law enforcement agency, the only data they can hand over is a jumble of random-looking bits.
Is there a perfect solution? Of course not; given enough time and enough resources any encryption method will fail. SpiderOak uses AES-256 for its encryption. At 10 billion billion (10^19) keys per second, exhausting the 2^256 keyspace would take on the order of 4 x 10^50 years; longer than the data I store is usable (barely). The practical weak point is not the cipher but the password the key is derived from: a guessable password can be attacked far faster than the key, and since SpiderOak never has the key, a lost password means the data is gone for everyone, you included.
If you want to try SpiderOak, go here. The first 2GB is free; after that, for $75/yr you can get 75GB (use the promo code ‘spring’), normally it is $100. Unlimited computers and devices, 100GB of stored (compressed/de-duplicated) data.

