My personal review of VMware NSX and vRealize Automation

I thought I'd start off the technical discussion here by telling you about my personal experience with VMware SDDC products, vRealize Automation and NSX. Working with these products has been quite an experience, sometimes a pain, sometimes a pleasure.

 

Let's start with NSX

 

THE GOOD

Simply put : wow, this is an awesome, rock solid product. Even if you're not looking to automate 100% of your infrastructure provisioning and operations, you can get a lot of value from it. There are quite a few automation-friendly constructs in NSX that make it so easy to manage and consume, this is one product that definitely lives up to the hype. More specifically, the Distributed Logical Router (DLR) and Distributed Firewall (DFW) functionalities can have huge positive impacts on the way you design your network and also day-to-day operations. With its already great feature set and its enormous potential, I can't recommend this product enough for nearly any organization heavily invested in vSphere and looking to accelerate deployment time for networking services.

 

THE BAD

There's not much negative to say about NSX. It is a growing product and already achieves a big chunk of what it set out to do. But if I had to say something, it would be more of a feature wishlist rather than something it does wrong. Also, not many vendors have full-on integration with NSX's VxLAN implementation (Logical Switches) yet, which could complicate your network design a little bit if you still have some physical servers that need to communicate with your vSphere environment.

 

THE BOTTOM LINE

Start using VMware NSX. Now.

 

Next up, vRealize Automation

 

I've put this product through the paces, stretched its limits and somehow I've lived to tell the tale!

All kidding aside, the driving idea behind vRA is basically to make all your automation dreams come true. In reality, it almost achieves that. I've worked quite a bit with vRealize Automation 6.2.x and now 7.0. The thing with vRA, is that to use it to its full potential, you'll need to know your way inside out of vRealize Orchestrator. There's no way around it if you want to automate complex tasks. The fact that vRA and vRO are so closely knit together can be a great thing though, because nearly anything you currently accomplish with a vRO workflow can be almost effortlessly integrated into vRA to give users self-service consumption for that action. That is huge. It makes life easier for vendors that want to integrate their products and services with vRA, they can do it in the form of a vRO plugin, which is basically a collection of workflows and actions that you can re-use to automate stuff. These things are usually clearer with an example: Take F5 for instance, let's say you own a physical F5 load balancer, you configure all of the LB's settings through the Big-IQ/Big-IP web console. F5 will also provide you with a plugin for vRealize Orchestrator that basically contains Actions and Workflows that allow you to "Add a server to a LB pool", "Create a Virtual Server" by talking to Big-IQ's "iContol REST API". Then it's up to you to integrate those vRO Workflows into vRA provisioning tasks and/or Day 2 Resource Actions.

 

THE GOOD

The out-of-the-box functionality of vRealize Automation is mostly focused on Infrastructure as a Service. That means, vRA can pilot your virtual environment and provision machines on-demand. That's already good enough for some very simple use cases, but the true automation goodness comes from integrating other products with vRA, such as NSX and of course vRO, which is part of vRA's core. Thanks to vRealize Orchestrator, vRA can integrate with pretty much anything you can think of. If you can automate an action with Orchestrator, you can just as easily give that action to your users as a Self-Service. Version 7 is a major improvement in a few key areas, like extensibility with the event broker and some usability improvements when using multi-machine blueprints. (P.S.: I'll be publishing a piece on the Even Broker soon!).

 

THE BAD

The main weak points of vRealize Automation are two-fold.

 

First, vRA (6.2.x) suffers from significant stability problems, in the past few months my team and I have had to open a few VMware Support cases every week because of them. This type of random and inexplicable error is not very comforting to anyone involved in a high-visibility automation project… In the past few months, I've encountered enough inexplicable errors in vRA for a lifetime. Errors like a Reservation being spontaneously deactivated for no apparent reason, preventing any VM provisioning task from taking place. Also, vRA would sometimes put VMs it provisions in a random NSX Security Group, causing the wrong firewall rules to be applied to a bunch of VMs. Another one of my favorites is that when deleting multi-machine blueprints that use Edge Gateways, vRA would delete all the VMs in the multi-machine blueprint, except the Edge Gateway and its attached Logical Switches. If you configured NAT network profiles on those Edges, the Edges retain the NATted external IPs, but vRA thinks it deleted those Edges, so it puts those same addresses back in its Network Profile's IP pool, which in turn will cause some *awesome* IP conflicts!

 

Second, this is only an issue if you plan to use vRA with NSX (which you really should be doing, but I digress…), but the integration between these 2 products is not complete enough in my opinion. There was some improvements in this area in vRA 7, but there are still some major omissions. If you look at VMware's NSX design guide, it clearly pushes your design toward using DLRs for east-west network traffic. Therefore it would make sense that you would want to create DLRs on demand for every new application environment, right? But alas, that is not possible! You can only use pre-existing DLRs and attach on-demand networks to those. That simply doesn't work well enough with some of the use cases I've seen.

 

THE BOTTOM LINE

Despite the issues listed above, vRealize Automation is still a great product. After spending some time tweaking, you should be able to get vRA to automate some pretty awesome things. Also, vRA 7 is a big step in the right direction. Personally, I'm on the edge of my seat waiting to see what features the next version brings us!

 

 

Let me know in a few words what you guys think of VMware NSX and vRealize Automation in the comments!