MacStadium vSphere 6.7 Infrastructure Changes

MacStadium is happy to announce we officially support vSphere 6.7, which includes official Apple File System (APFS) and macOS Mojave support. We know our customers will be excited to use the new macOS along with the other great features that come with vSphere 6.7. Along with new features, vSphere 6.7 has new infrastructure requirements to ensure full supportability from VMware. One of these new requirements is the use of Fully Qualified Domain Names (FQDN) for the vCenter Server Appliance (VCSA). In our previous infrastructure, the VCSA and all ESX hosts used an IP for access. VMware has stated that with vSphere 6.7 all VCSAs must use FQDNs to stay within Production Support. To accommodate this, MacStadium has added additional infrastructure for all customers moving to vSphere 6.7. The new infrastructure includes a Domain Name System (DNS) Server and requires deploying a new VCSA. MacStadium has prepared a strategy to build these new VCSAs and migrate your ESX hosts and VMs into the new environment.

What this means to you

In order to meet VMware’s new requirements, a new VCSA has to be deployed using an FQDN for resolution. Once the new VCSA has been deployed with a DNS server in your environment, your ESX hosts and all the VMs on them will be migrated to the new environment. The vSphere 6.7 upgrade should not require any downtime for your VMs or ESX hosts, however in order to complete the upgrade to vSphere 6.7, a few things must happen. We will deploy the new VCSA to match your existing environment. This can be done at any time and will not affect your environment. This also allows you to validate the new environment prior to migrating your VMs and hosts over. Once it is built, we will need to update your firewall VPN to use the new DNS server to resolve the hostname. For most customers, this is the only change that will need to be made to access the new VCSA, however some customers with Site-to-Site VPN or AWS connections may require additional configuration changes to access the new environment. Also, if you are using any CI/CD systems or tools, you will need to update your systems with the new VCSA information. See the FAQ below for additional information.

Once the VCSA is built and your firewall has been updated, the engineering team will reach out to you to schedule the migration of your hosts. This process will require a two-hour window to migrate the hosts and update the network information of the hosts and VMs. Any CI/CD functions should be paused during this window. You will be notified once all the hosts have been migrated and network information updated and you are ready to use the new VCSA and cut over any CI/CD functions to the new environment.

FAQ

What’s a DNS Server?

DNS stands for Domain Name System. When you go to https://google.com, for example, a DNS server pairs the name google.com (or any fully-qualified domain name) to an IP address within that company’s network. A simple way of looking at it is lining up an IP address to a friendlier name format, similar to something like a phone number to a name in the Yellow Pages.

What kind of DNS server is this?

We are using a Linux-based VM with BIND DNS installed. It is locked down to only be accessible via your VPN and the ESXi network. It has a custom DNS domain specific to your environment configured and forwards all other traffic to 8.8.8.8 and 8.8.4.4. The only record created is for the VCSA on this DNS server.  

Why do I need a new VCSA?

VMware, and more specifically the VCSA, does not support changing the system name of a VCSA after deployment. This means we are not able to update your existing appliance to use an FQDN name and must deploy a new VCSA to meet this new requirement.

Do I have to use a new VCSA? Can I keep my old IP-based VCSA?

This is a new requirement from VMware starting with vSphere6.7. In order to maintain Production Support for your environment, your VCSA must use an FQDN for resolution. Because of the limitations of the VCSA, we must deploy a new VCSA to use an FQDN.

I have a Site-to-Site/AWS Connection. What do I need to do?

If you are using anything but the Firewall VPN provided by MacStadium, you may need to create your own host record for the FQDN of the VCSA. The FQDN as well as the IP will be provided to you in your IP Plan attached to your account in the MacStadium Portal. You can either create local host records for each machine that needs to access the VCSA, or setup a host record on your own internal DNS server to resolve the name. If you need additional information or support, feel free to reach out to MacStadium support.

What else is changing?

This is the only major infrastructure change required to upgrade to vSphere 6.7. Your ESX hosts will still use IP-based access. The following settings will be recreated or moved on the new VCSA: Distributed Switch and port groups, VM Folders, Clusters with DRS and HA settings, licensing and Resource Pools. All host configurations will remain the same during the migration with the exception of the networks which will be updated by MacStadium during the migration.

Can I setup additional host records/forward zones on the DNS Server?

At this time the DNS server is used strictly to manage the VCSA access.  We do not support adding any additional host records or configuring any forward zones. Customers should not point any of their systems to this DNS server and should instead create their own DNS servers for use.

What does the upgrade process look like?

Once you have requested an upgrade, MacStadium will reach out to you to you to begin planning the upgrade. The new VCSA and DNS server will be deployed on your existing ESXi network. The VCSA will be configured to match your existing environment. Once the new VCSA has been completed, your Firewall VPN will be updated to use the new DNS server to enable access to the new environment for any pre-configurations/validations you may need to perform. After it has been validated, you will need to provide a maintenance window in which your hosts and VMs will be migrated over to the new VCSA. MacStadium will ensure all the hosts and VMs remain online and operational during the migration.

What is the timeline for the upgrade? How long does the upgrade take?

MacStadium engineering will be available to complete the upgrade anytime Monday through Friday from 6:00AM to 7:00PM EST. The new VCSA can be pre-staged and you will be given access to do any pre-configurations/validations you may desire prior to the upgrade. Once you are satisfied, we would schedule a maintenance window to migrate the ESX hosts and VMs. This window needs to beat least two hours long and no tasks or operations should be planned during this time. We will need at least 72-hour notice for the window in order to plan and coordinate accordingly.

What am I responsible for?

While MacStadium is doing everything we can to ensure your new vSphere 6.7 environment matches your existing environment, there are some items that will require manual configuration from you on the new VCSA. Please check the list below and prepare for any changes that may apply to you:

  • If you have any third-party solutions not provided by MacStadium connected to your VCSA (like Docker or other automation features), you will need to reconfigure them.
  • If you created any additional accounts in the SSO domain, they will need to be recreated.
  • If you have any external identity sources configured, you will need to reconfigure them.
  • If you use VM Templates, you may need to re-register them from your data stores.
  • If you use VM folders or Resource Pools, you will need to move the VMs to the appropriate folder and/or Resource Pool as well as configure the Resource Pool settings after the migration.
  • You will be responsible for upgrading the ESX hosts as well as the VMware Tools and VM hardware to 6.7 after migrating to the new environment. Documentation will be provided on how to quickly and easily complete this task.
  • Your VPN connection will be updated to use a new DNS server prior to the upgrade. If you have set a custom DNS server for your VPN connection or use any internal DNS, this may affect behavior and require reconfiguration on your end.  

What about the ESX hosts/VMware Tools/VM Hardware?

MacStadium will provide the install media to upgrade your ESX hosts to version 6.7 as well as documentation on how to easily upgrade your hosts. This will enable you to perform the upgrades in your approved maintenance windows. Once all the hosts have been upgraded, you may upgrade the VMware Tools and VM hardware of your VMs. If you run into any issues, you may open a MacStadium support ticket.

How do I get started?

Put in a support ticket requesting a vSphere 6.7 upgrade. A MacStadium engineer will reach out to you with additional information and request a timeframe and a point of contact to use during the upgrade. As always, we will communicate with you before making any changes to your environment to ensure your environment remains reliable and operational during the upgrade process. We will also be available after the upgrade to address any issues or questions you may have.