A virtual machine (VM) is a software computer that, like a physical computer, runs an operating system and applications. The virtual machine consists of a set of specification and configuration files, and is backed by the physical resources of a host. Every virtual machine has virtual devices that provide the same functionality as physical hardware but are more portable, more secure, and easier to manage.

In addition to the operations that you can run on a physical machine, VMware Cloud Director virtual machines support virtual infrastructure operations, such as taking a snapshot of virtual machine state, and moving a virtual machine from one host to another.

Virtual machines support IPv6 connectivity. You can assign IPv6 addresses to virtual machines connected to IPv6 networks.

Important: The documentation covers the steps for working with virtual machines from the card view, assuming that you have more than one virtual data center. Completing the same procedures from the grid view is also possible, but the steps might slightly vary.

Securing Virtual Machines with a Trusted Platform Module

Starting with VMware Cloud Director 10.4.2, you can create, copy, and edit VMs with Trusted Platform Module (TPM) devices. A TPM is a software-based representation of a physical Trusted Platform Module 2.0 chip. A TPM acts as any other virtual device.

TPMs provide hardware-based, security-related functions such as random number generation, attestation, and key generation. When you add a TPM to a VM, the guest operating system can create and store private keys in it. The private key material is never exposed to the guest operating system itself, which reduces the VM's attack surface: compromising a guest operating system usually also compromises its secrets, but with a TPM enabled that risk is greatly reduced. Only the guest operating system can use these keys for encryption or signing. With an attached TPM, a remote client can attest the identity of the VM and verify the software that it is running.

A TPM does not require a physical Trusted Platform Module 2.0 chip to be present on the ESXi host; from the perspective of the VM, a TPM is a virtual device. You can add a TPM to either a new or an existing VM. To protect the TPM's own data, a TPM depends on VM encryption, so you must configure a key provider. When you configure a TPM, the VM files are encrypted, but the virtual disks are not.

To add a TPM device to a VM, your environment must meet the following requirements:
  • The VM is powered off.
  • The VM does not have any snapshots.
  • A VDC that supports TPM backs the VM.
  • The VM firmware is EFI.
  • The VM hardware version is version 14 or later.
  • The guest OS is compatible with TPM.

To remove a TPM device from a VM, your environment must meet the following requirements:
  • The VM is powered off.
  • The VM does not have any snapshots.
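The two requirement lists above are the kind of pre-flight check worth automating before an orchestration job tries to add or remove a TPM device. The following Python script is an added example, not VMware code: it evaluates a VM description against those requirements and reports every unmet one, rather than failing on the first. The VM dictionaries and their field names (power_state, snapshot_count, vdc_supports_tpm, firmware, hardware_version, guest_os_tpm_compatible) are constructed for illustration and are not fields of the VMware Cloud Director API; hardware versions are accepted in the common "vmx-NN" form or as a bare number.

```python
"""Pre-flight check for adding or removing a TPM device on a VM.

Added example, not VMware code. The VM records are constructed and their
field names are assumptions for illustration, not VMware Cloud Director
API fields.
"""
import re

# The VM hardware version must be 14 or later for a TPM device.
MIN_HARDWARE_VERSION = 14


def parse_hardware_version(value):
    """Return the numeric hardware version from 'vmx-19', 'VMX-14' or '19'."""
    match = re.fullmatch(r"(?i)(?:vmx-)?(\d+)", str(value).strip())
    if not match:
        raise ValueError(f"unrecognised hardware version: {value!r}")
    return int(match.group(1))


def tpm_remove_blockers(vm):
    """List every requirement for removing a TPM device that the VM fails."""
    blockers = []
    if str(vm.get("power_state", "")).upper() != "POWERED_OFF":
        blockers.append(f"VM is {vm.get('power_state')!r}, not powered off")
    if vm.get("snapshot_count", 0) > 0:
        blockers.append(f"VM has {vm['snapshot_count']} snapshot(s)")
    return blockers


def tpm_add_blockers(vm):
    """List every requirement for adding a TPM device that the VM fails."""
    # Powered off and snapshot-free are required for both add and remove.
    blockers = tpm_remove_blockers(vm)
    if not vm.get("vdc_supports_tpm", False):
        blockers.append("the backing VDC does not support TPM")
    if str(vm.get("firmware", "")).lower() != "efi":
        blockers.append(f"firmware is {vm.get('firmware')!r}, not EFI")
    hw = parse_hardware_version(vm.get("hardware_version", "0"))
    if hw < MIN_HARDWARE_VERSION:
        blockers.append(f"hardware version {hw} is below {MIN_HARDWARE_VERSION}")
    if not vm.get("guest_os_tpm_compatible", False):
        blockers.append("guest OS is not TPM compatible")
    return blockers


# Constructed sample VMs (hypothetical field names, see module docstring).
READY_VM = {
    "name": "app-01",
    "power_state": "POWERED_OFF",
    "snapshot_count": 0,
    "vdc_supports_tpm": True,
    "firmware": "efi",
    "hardware_version": "vmx-19",
    "guest_os_tpm_compatible": True,
}
LEGACY_VM = {
    "name": "legacy-db",
    "power_state": "POWERED_ON",
    "snapshot_count": 1,
    "vdc_supports_tpm": True,
    "firmware": "bios",
    "hardware_version": "vmx-13",
    "guest_os_tpm_compatible": True,
}


def report(vm, operation):
    """Return a one-paragraph human-readable verdict for an add/remove request."""
    check = tpm_add_blockers if operation == "add" else tpm_remove_blockers
    blockers = check(vm)
    if not blockers:
        return f"{vm['name']}: OK to {operation} TPM device"
    return f"{vm['name']}: cannot {operation} TPM device: " + "; ".join(blockers)


if __name__ == "__main__":
    for vm in (READY_VM, LEGACY_VM):
        print(report(vm, "add"))
        print(report(vm, "remove"))
```

The check deliberately collects all blockers instead of stopping at the first, so an operator sees in one pass that a legacy VM needs to be powered off, have its snapshot removed, be switched to EFI firmware and be upgraded to hardware version 14 before a TPM can be added.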

To perform certain operations for VMs with TPM across vCenter Server instances, you must verify that your environment meets certain prerequisites.

Operations:
  • Copy a VM
  • Move a VM
  • Copy a vApp
  • Move a vApp
  • Create a VM from a template
  • Save a vApp as a vApp template to a catalog
  • Add a standalone VM to a catalog
  • Create a vApp template from an OVF file
  • Import a VM from vCenter Server

Prerequisites (apply to all of the operations above):
  • The key provider used to encrypt each VM must be registered on the target vCenter Server instance under the same name.
  • Verify that the VM and the target vCenter Server instance are on the same shared storage, or that fast cross vCenter Server vApp instantiation is enabled. See the fast cross vCenter Server vApp instantiation information in the VMware Cloud Director 10.4 Release Notes.

For VMs with a TPM device, when the target catalog uses any available storage in an organization which has multiple backing vCenter Server instances, VMware Cloud Director does not support the following operations:
  • Save a vApp as a vApp template to a catalog
  • Add a standalone VM to a catalog
  • Create a vApp template from an OVF file
  • Import a VM from vCenter Server as a template
If the target vCenter Server instance is version 8.0 or later, you can replace the TPM device of a VM during the following operations:
  • Copy a VM
  • Copy a vApp
  • Compose a vApp
Table 1. TPM Device Options Depending on the vCenter Server Version

Create a Standalone Virtual Machine
  • vCenter Server 7.x: New TPM device
  • vCenter Server 8.x: New TPM device

Create a VM from a Template
  • vCenter Server 7.x: Copy and replace. Depends on the specific VM template.
  • vCenter Server 8.x: Copy and replace. Depends on the specific VM template.

Create a vApp Using VM Templates
  • vCenter Server 7.x: Copy and replace. Depends on the specific VM templates.
  • vCenter Server 8.x: Copy and replace. Depends on the specific VM templates.

Create a vApp From an OVF Package
  • vCenter Server 7.x: New TPM device. Uploading an OVF with a TPM RASD section attaches a new TPM device to each VM with a defined TPM.
  • vCenter Server 8.x: New TPM device. Uploading an OVF with a TPM RASD section attaches a new TPM device to each VM with a defined TPM.

Create vApp from Template
  • vCenter Server 7.x: Copy and replace. Depends on the vApp template.
  • vCenter Server 8.x: Copy and replace. Depends on the vApp template.

Import a VM from vCenter Server as a vApp
  • vCenter Server 7.x: Copy
  • vCenter Server 8.x: Copy

Add a new VM to a vApp
  • vCenter Server 7.x: New TPM device
  • vCenter Server 8.x: New TPM device

Add a VM from a Template to a vApp
  • vCenter Server 7.x: Copy and replace. Depends on the specific VM template.
  • vCenter Server 8.x: Copy and replace. Depends on the specific VM template.

Copy a VM to a Different vApp
  • vCenter Server 7.x: Copy
  • vCenter Server 8.x: Copy and replace

Move a VM to a Different vApp
  • vCenter Server 7.x: Copy
  • vCenter Server 8.x: Copy

Copy a Stopped vApp to Another VDC, or Copy a Powered-On vApp
  • vCenter Server 7.x: Copy. Applies to all TPM devices within the vApp.
  • vCenter Server 8.x: Copy and replace. Applies to all TPM devices within the vApp.

Save a vApp as a vApp Template to a Catalog
  • vCenter Server 7.x: Copy and replace
  • vCenter Server 8.x: Copy and replace

Create a vApp Template from an OVF File
  • vCenter Server 7.x: New TPM device. Uploading an OVF with a TPM RASD section attaches a new TPM device to each VM with a defined TPM.
  • vCenter Server 8.x: New TPM device. Uploading an OVF with a TPM RASD section attaches a new TPM device to each VM with a defined TPM.

If you do not specify whether to copy or replace a TPM device in the API, VMware Cloud Director copies the TPM by default. When performing operations on vApps in the UI, the option to copy or replace TPM applies to all VMs within the vApp.

When instantiating a VM from a vApp template that contains a TPM device, take the following considerations into account.
  • If the template was created by using VMware Cloud Director, the instantiation copies or replaces the TPM device based on the selected TPM Provisioning option when the template was captured.
  • If the template was created by uploading an OVF or OVA, the instantiation replaces the TPM device.
  • If the template was created by importing a VM from vCenter Server, the instantiation copies the TPM device.
  • If the target vCenter Server meets the TPM requirements, you can perform instantiations across vCenter Server instances for templates for which VMware Cloud Director replaces the TPM devices during instantiation.

If you subscribe to a catalog containing templates with TPM devices, the VMware Cloud Director version of the subscriber must be 10.4.2 or later. If the VMware Cloud Director version of the subscriber is 10.4.1 or earlier, the templates do not contain TPM devices.

For TPM prerequisites for vCenter Server, see the prerequisite sections in Create a Virtual Machine with a Virtual Trusted Platform Module or Add Virtual Trusted Platform Module to an Existing Virtual Machine in the vSphere Security guide.