Managing the vCenter FQDN – Getting Started with VMware Cloud on AWS SDDC

The vCenter FQDN is a sub-domain of vmwarevmc.com and is managed by VMware, including its certificates. By default, the FQDN resolves to a public IP address to facilitate initial access to vCenter Server via the vSphere Web Client. If you are building a hybrid environment and interconnecting with an on-premises vSphere environment, you may want to change the resolution of the vCenter FQDN to a private IP. This IP is only reachable via VPN, Direct Connect (DX), or the connected VPC, and it requires valid Border Gateway Protocol (BGP) configuration so that the management network is advertised. We recommend setting up this connectivity before changing the vCenter IP.

You can change the FQDN resolution for vCenter Server using the Settings tab in the SDDC console.

Figure 4.38 – Change the vCenter FQDN to resolve to a private IP
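As an added pre-flight check (not from the book or from VMware's tooling), the script below resolves a vCenter FQDN, labels each returned address as private or public, and tests TCP/443 reachability so you can confirm the VPN, DX or connected-VPC path works before switching the FQDN to the private IP. The sample FQDN, the injectable resolver and the port are assumptions.

```python
import ipaddress
import socket
import sys
from typing import Callable, Dict, Iterable, List, Tuple


def resolve_fqdn(fqdn: str) -> List[str]:
    """Resolve a hostname with the system resolver and return its unique addresses."""
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify_addresses(addresses: Iterable[str]) -> List[Tuple[str, str]]:
    """Label each address 'private' (RFC 1918 / IPv6 ULA etc.) or 'public'."""
    labelled = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        labelled.append((addr, "private" if ip.is_private else "public"))
    return labelled


def check_tcp_reachable(addr: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to addr:port succeeds within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(fqdn: str,
              resolver: Callable[[str], List[str]] = resolve_fqdn,
              reach: Callable[[str, int], bool] = check_tcp_reachable) -> Dict:
    """Resolve, classify and probe the FQDN; resolver/reach are injectable for offline use."""
    labelled = classify_addresses(resolver(fqdn))
    # Only report a private resolution when every returned address is private.
    all_private = bool(labelled) and all(kind == "private" for _, kind in labelled)
    return {
        "fqdn": fqdn,
        "addresses": labelled,
        "private_resolution": all_private,
        "reachable": {addr: reach(addr, 443) for addr, _ in labelled},
    }


if __name__ == "__main__":
    # Assumed example name; pass your SDDC's vCenter FQDN as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "vcenter.sddc-example.vmwarevmc.com"
    print(preflight(target))
```

Run it once before and once after changing the setting: the first run should show a public, reachable address, the second a private address that is reachable only from the connected network.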

Now that we can access the vCenter Server, we’ll set up basic Role-Based Access Control (RBAC) and add additional users to vCenter and Cloud Services Platform (CSP).

RBAC and identity management on vCenter and CSP

VMware Cloud on AWS service access has two authentication domains: the CSP authentication domain and the vCenter authentication domain. With the version 1.22 release, it is possible to configure federated SSO between CSP and vCenter: when this feature is enabled, a user authenticated through CSP gets access to vCenter Server without additional authentication. Before a user can log in, an appropriate vCenter role must be assigned using the cloudadmin account.

VMware Cloud on AWS uses a restricted operation model to manage access to vCenter Server. The default administrator user – [email protected] – does not have the full administrator rights of the [email protected] account. This is expected for a managed service and prevents users from accidentally changing settings that affect the SLA or the stability of the environment. The permission set available to the cloudadmin account and the corresponding CloudAdmin role is the maximum level of permissions available to users on VMware Cloud on AWS and cannot be increased.

Note

The creation of local users or groups on the vmc.local domain is not supported.

To authenticate using a user or a member of a group other than the [email protected] user, we have a couple of options:

In this book, we will illustrate the third option as the first two options are adequately covered in the service documentation.

Let us go through the configuration of an external identity source in vCenter:

1. To start, we need to log in to the vCenter Web Client using the cloudadmin account and navigate to the Administration section in the left-hand menu, as seen in the following screenshot:

Figure 4.39 – vCenter Administration section

2. Afterward, go to Single Sign-On | Configuration and Identity Sources. Here, we can click on ADD and configure another LDAP identity source, as seen in the following screenshot:

Figure 4.40 – Identity sources under the vCenter Administration section

The configuration corresponding to this managed AD service can be seen in the following screenshot:

Figure 4.41 – AWS managed AD setup

The preconfigured AD has the domain name enterprise.customer, an admin account named admin, and two endpoints – one in each Availability Zone (AZ) for redundancy. The vCenter configuration is reflected in the following screenshot:

Figure 4.42 – Identity source AD details – vCenter

In the following example, we associate the admin user with the CloudAdmin role and select Propagate to children to apply it across the entire vCenter object hierarchy, as seen in the following screenshot:

Figure 4.43 – Global permission association in vCenter

Next, with the configurations in the previous steps completed, log in to vCenter with the ENTERPRISE.CUSTOMER Admin domain user. In the following screenshot, you can see that the login is successful, and the user can view the vCenter hierarchy with the CloudAdmin role:

Figure 4.44 – vCenter login with the enterprise.customer admin user
