Docs

You can find information about these new features and more at VMware vRealize Automation Cloud and in the signpost and tooltip help in the user interface. Even more information is available when you open the in-product support panel where you can read and search for related topics, and view community posts and KBs, that appear for the active user interface page.

IMPORTANT

Behaviour Change: Deployment failures occur when static IP assignments are used with “Network Configure” extensibility event

In Cloud Templates, when "assignment: static" is used for a VM network interface, a network with IP ranges configured will be selected during allocation. If there are no networks with IP ranges configured in network profile(s) then allocation fails.

The "assignment: static" should only be used for a VM network interface when using a vRA internal IPAM or an external IPAM with static IP ranges. If the static IP is allocated via the "Network Configure" extensibility event custom solution then the "assignment: static" should not be used for a VM network interface in the Cloud Template. This results in an allocation failure.

Workaround - If the static IP is allocated via the "Network Configure" extensibility event custom solution and allocation is failing with Error: 'Unable to find common placement for compute <vm-name> and its associated network', then remove the "assignment: static" from the VM network interface in the Cloud Template and retry.

Log4J vulnerabilities

Updated Apache log4j to version 2.17 to resolve CVE-2021-44228 and CVE-2021-45046. For more information on these vulnerabilities and their impact on VMware products please see VMSA-2021-0028.

VMware Cloud Services (CSP) Authentication Policy IP address/range restrictions are not supported

As part of the Authentication Policy configuration, VMware Cloud Services (CSP) introduced IP Authentication Policy that can restrict certain IP addresses/ranges for an organization. Configuring IP address/range restrictions is not supported from VMware vRealize Automation. Use of this policy can result in service limitations.

VMware Cloud Services (CSP) Authentication Policy Multi-Factor Authentication for API login is not supported

As part of the Authentication Policy configuration, VMware Cloud Services (CSP) introduced Multi-Factor Authentication. Configuring VMware Cloud Services Multi-Factor Authentication is not supported from VMware vRealize Automation. Use of this policy can result in service limitations.

Evolution of the ABX On Prem engine

ABX On Prem now uses the next generation On Prem engine, which has advanced performance and scalability. The New FaaS is much faster, fixes numerous issues with memory limits, and introduces memory based throttling. You can also troubelshoot action runs easier with additional logging capabilities.

The new on prem engine includes these improvements:

• ABX On Prem actions use a new FaaS engine that is more stable, scalable, and faster. It also fixes numerous issues discovered using the old FaaS engine.
• ABX On Prem actions have faster deployment times. This enables you to develop actions much faster.
• ABX On Prem action memory limits are now per action run, instead of shared. As a result, the memory limit of all existing actions is reset to the default value due to memory based throttling. If we allowed existing actions with high memory limits that were created from sharing parallel action runs, they would consume a large amount of the capacity when, which is no longer needed.
• ABX On Prem action run logs now include additional information for finished action runs. There is an additional log line at the end of the log which shows the approximate memory consumed from the action run, allowing you to set appropriate memory limits.
• ABX On Prem actions now show logs in case of an action run timeout. This allows for easier investigation of timed out action runs.
• ABX On Prem now enables better isloation between action runs of the same action, because every action run is now run in a separate container.

As part of continuous security improvements, related to SSL verification when calling systems with untrusted certificates from the action, an additional configuration might be needed in the action’s code which is explained in KB 88278. In future releases, we plan to provide an easy way to trust such certificates by importing them from the UI and no longer skip SSL verification.

Online vRA 7 Assessment in vRA Cloud

You can now use the vRA Migration Online Assessment feature to the determine migration readiness of your vRealize Automation 7 and vRealize Orchestrator source environments from VMware Cloud Assembly.

The online assessment in vRA Cloud:

• Allows you to skip deploying a full vRealize Automation 8 instance to perform an assessment.
• Allows you to perform the assessment live from Cloud Assembly's vRealize Automation 8 Migration Assistant, which does not require collecting and uploading a data bundle into the cloud.
• Supports vRealize Automation and vRealize Orchestrator source environments
• Supports external vRealize Orchestrator source environments

Changing deployment projects for provisioned deployments

Day 2 action to change project is now enabled for provisioned deployments. Provisioned deployments can contain any number of Machines, Disks, Resource Groups, Load Balancers, Networks, Security Groups, NATs, and Gateways. If a provisioned deployment is updated to either contain a not aforementioned resource, for example, terraform configuration, or an onboarded/ migrated resource, the change project action is not available. If the resource is deleted, then the change project action becomes available again.

• Day 2 action is restricted to cloud administrators only.
• Machines' and Disks' cloud zones must be present in the target Project and set quota limits are respected. The quota is released from the initial project and reserved in the target project. In case of any failure, the action is automatically rolled back.
• See Day 2 Actions for more information.

SaltStack Config available as a resource type within Cloud Templates

You can now natively deploy and configure a salt-minion as part of a Cloud Template as a day-0 operation by dragging and dropping directly on to the canvas to attach the SaltStack Config resource type to one or multiple virtual machines. The new resource type is found under SaltStack on the left-hand resource menu.

Updated vRealize Automation plugin for vRealize Orchestrator with versions 8.4.2+

Updated plugin version is now available here: https://marketplace.cloud.vmware.com/services/details/vmware-vrealize-orchestrator-plug-in-for-vrealize-automation011-1?slug=true

The plugin now supports:

• Iaas Inventory and scripting objects for Machines
• CRUD for Machines
• EntityFinders

For complete functionality description, please check the “Documents” section in our new vRealize Orchestrator community page: https://communities.vmware.com/t5/vRealize-Orchestrator/ct-p/1303

Custom validation for catalog item by custom forms now supported via API

VRealize Automation now supports custom validation with API. With this new feature, you can design a catalog item with a custom form and external validation via the API. When the user creates a deployment from the catalog item via API, the validation is executed. In the case that the validation fails, the api response would contain validation error messages.

Custom Remediations for SaltStack SecOps

You can now import advisories that aren't supported by SaltStack SecOps. Custom remediation files can be attached to an advisory for automated remediation. Learn more about custom remediation.

Dynamic Job Inputs for SaltStack Configuration Jobs

Reduce, reuse, and delegate your IT automation and configuration management outcomes with Dynamic Jobs.

Optional inputs in property groups

Input property groups now support optional input. In a property group, all properties are optional by default. In order to mark all non-Boolean properties without a default value as required, add the following cloud template property to the desired property group: populateRequiredOnNonDefaultProperties: true If the above property is omitted / set to false, then all properties will be treated as optional (which is the default behavior).

Retain deployment creation date for migrated deployments

Deployments moved by the migration tool now retain the original creation date.

Deployment Limit Policy support for storage

Deployment Limit Policy now supports storage constraints on both day-0 provisioning and day-2 actions including: resizing, adding, and deleting disks. Learn more about deployment limit policies.

Removal of infrastructure machines and volumes view

The infrastructure machines and volumes view has been replaced with the virtual machines and volumes view in the Resource Center under the Resources top level tab. The permission for machines view is no longer available.

Marketplace Retirement

The Marketplace intergration within vRealize Automation has been retired.

Custom forms supports bind field and conditional value to any input or variable

Custom Forms Field/Tab visibility configuration now supports 'Bind field' Value Source. You can now bind the visibility of a Field or a Tab to another field to type 'Boolean' (i.e. Checkbox).

Service Broker cache for custom form actions

Service Broker now issues the minimal amount of requests to resolve External Source values by making better use of its internal caching mechanism. Upon changing the project field, all cached values are cleaned, but caching is still active for the current vRO integration. Duplicate requests are properly marked based on all relevant information for the request.

Seamless synchronization between external IPAM provider server and vRA IP ranges.

When an IP range from an external IPAM provider is deleted, the state is automatically detected and deleted in vRA. The deleted external range is no longer visible, and cannot be associated with networks or cause failures and "orphan" range experiences on vRA customer site.

Resources Tab

The "Deployments" tab is now renamed to "Resources" as we continue expand the functionality of the Resource Center and increase visiblity of discovered objects.

Resource Center - Simplified view of discovered resources and day 2 actions

Following the last release of Resource View, vRealize Automation enhanced the Resources tab to help cloud admins and end users manage cloud resources across compute, storage, networking, and security. The new features include:

• Individual resources page by resource types: virtual machines, networking and security, and volumes
• All resources page with advanced filter
• In-context resource details panel: show machine details and associated network/storage
• Create simple new VM without VMware cloud templates:
  • Quick create VM
  • Quick create VM with existing network
  • Quick create VM with new/existing storage
• All-in-one Cloud Resource Center has provisioned, onboarded, migrated and discovered (admin only) resources
• Admin only Day 2 action on discovered resources: power on/off, remote console
• The same resource center is also live in Service Broker without quick create VM action
• Note that the resource views under Infrastructure top level tab will be removed in following months: virtual machines, volumes, networks and security
• Image, boot disk, and inline disks even though they are a part of deployment appear as discovered resource in resource view.
• Track resource request history through deployment history
• Resources can map to multiple cloud accounts, displaying or filtering by these multiple cloud accounts will be supported in the following release in resource center.
• Learn more about working with resources.

vRA Ansible Integration supports 2.11

Inter-op support has been increased to Ansible 2.11.5. Ansible 2.11 is the latest stable Ansible version and customers can now use this version when running playbooks with the vRA Ansible integration.

Approval policy now supports AD groups

Approval policies in Service Broker now support AD groups as approvers, as opposed to only accepting individual users. Learn more about approval policies.

Onboarding support for IPv6

Onboarding plans now support machines which have IPv6 addresses.

vRealize Standard+ now supports 11 additional languages

As part of the on-going integration of the SaltStack products to VMware we have completed the translation and release of vRA STD + in 11 languages making it easier for our users around the world take advantage of the powerful capabilities in the vRA STD + product. vRA STD + is now available in the following languages: German, French, Spanish, Japanese, Korean, Simplified Chinese, Traditional Chinese, Russian, Dutch, Italian, Brazilian Portuguese.

vRealize Log Insight content pack for vRealize Orchestrator v8.3+ now available

The VMware vRealize Orchestrator (vRO) content pack compliments the vSphere content pack and provides a consolidated summary of log events across all vRO components of the environment. The vRealize Orchestrator 8.0+ (vRO 8.0+) content pack for Log Insight provides you with important information across all components of your vRealize Orchestrator 8.3+ environment

The vRO 8.0+ content pack enables:

• Proactive monitoring of your vRO 8.3+ environment.
• Server Overview dashboards.
• Authorization related deatils.
• Configuration and Content Audit dashboards.
• Workflow related dashboards includes failure, logs, statitics.
• Metrics dashboards includes REST Api logs, JVM logs details.
• Request-based tracing across vRO 8.0+ services using trace id.
• Troubleshooting and assistance during root-cause analysis.

Content pack can be found here: https://marketplace.cloud.vmware.com/services/details/vrealize-orchestrator-8-0-log-insight-content-pack-dist-1-1?slug=true

Plug-in API compatibility updates for VUM plug-in

The VUM (Update Manager) plug-in now supports vSphere 6.7, 7.0, 7.0 U1, 7.0 U2. This enhances support beyond the original vSphere 6.5 API. With VUM you can perform these actions:

• Upgrade and patch ESXi hosts.
• Install and update third-party software on hosts.
• Upgrade virtual machine hardware and VMware Tools

UI Updated to Angular 12

The UI has been updated to Angular 12. This is a seamless update and we foresee no customer impact.

Access all your vRealize Automation Cloud documentation in one place

To simplify your experience in using the vRealize Automation product documentation, we combined the vRealize Automation 8.x and vRealize Automation Cloud product documentation in a single vRealize Automation Documentation Center.

• Streamlined navigation. Use the left-hand navigation menu to access the documentation for the core vRealize Automation services. By default, these links take you to the cloud documentation, but you can find your 8.x version by using the version selector drop-down menu in each topic. You can find links to other related and supporting documentation on the vRealize Automation landing page.
• All your documentation in one place. Cloud Assembly, Service Broker, and Code Stream documentation now live in the consolidated vRealize Automation Documentation Center. Your existing cloud bookmarks will be automatically redirected to the new location.

Explore the vRealize Automation Documentation Center.

Deprecated Functionality: Migration assistant update

Starting in the February 2022 release, vRA will support migrations via Migration Assistant only from vRA 7.6. Migration Assessment for older versions will continue to work.

Approval API: Incompatible change in response attribute

The response attribute has changed from "phase" to "level" in the following API calls:

get /approval/api/approvals

get /approval/api/approvals/{id}

Assign icons to onboarded deployments

To give end you more information about deployments, vRA Cloud updates the deployment Edit action to support assigning custom icons to onboarded deployments.

SaltStack and Carbon Black integration

Carbon Black and SaltStack SecOps are now integrated to pass information from Security Teams to Infrastructure Teams. This integration passes Carbon Black's findings into the SaltStack SecOps framework for action through remediation. By leveraging the Carbon Black's security scanning capabilities along with the SaltStack action, arm companies can quickly find and fix vulnerabilities in their infrastructure which reduces exposure and eliminates advisory abilities to exploit these vulnerabilities.

Scale out migrated deployments

After the Cloud admin migrates deployments, you can scale out existing resources within that migrated deployment.

Migrate property groups with external values

The Migration assistant tool now supports the migration of property groups with external values.

Create Extensibility Subscription for lease expire

Cloud admins can extend the machine management process and trigger specific actions when a machine lease is expiring. This allows them to perform a variety of automated tasks such as backing up the machine or adding additional monitoring.

Deployment Limit Policy to define Deployment and Deployment Resource Limits

The Deployment Limit Policy allows Cloud Admins to define Deployment limits to restrict CPU count, Memory, and VM count. These policies also allow Cloud Admins to define Deployment Resource limits to restrict CPU count and Memory of specific resources within a larger deployment. These policies are enabled by default for an entire organization, but can be scoped down using familiar criteria such as applying to a certain project, being deployed from a specific VMware Cloud Template, or containing a certain tag. The Deployment Limit Policy also is enforced against any resize actions performed after a successful deployment that falls within the scope of the policy. Learn more.

Assign VCT to onboarded deployments

You can assign a VMware Cloud Template (VCT) to onboarded deployments.

Note: VMware Cloud Template assignments are for visual representation only and updating the onboarded deployments by iterating on the assigned template is not supported.

Ability for devops project users create a TKGs cluster

DevOps project Users can now create TKG clusters.

SaltStack SecOps support for Tenable import scans of Windows systems

Users who leverage Tenable now have the ability to import scans for Windows systems as well as Linux systems.

Offline vRealize Automation 7 Migration Assessment in vRealize Automation Cloud

In Cloud Assembly, you can perform an offline vRealize Automation 7 to 8 migration asessment in vRealize Automation Cloud without deploying a vRealize Automastion 8 instance. For more information see the vRealize Automation Cloud Transition Guide.

Support Puppet Enterprise for machines without a public IP address

You can register machines without a public IP address.

Ability to configure name of Azure NIC interfaces

You can use the new API to configure a name of NIC for a VM running on Azure. Learn more about using extensibility actions to configure a NIC name.

Note: This is only supported using API and not using VCT.

Resource Quota policy additional day 2 governance

In this release, vRealize Automation Cloud includes Resource Quota Policy enhancements that add additional support for Day2 actions. Quotas now properly account for Day2 actions that affect allocations including disk and machine resizes. Learn more about resource quota policies.

Ability to add External validation to a custom day2 action

You can apply a complex validation to the user inputs on the custom day2 request form. The validation is run externally as a vRealize Orchestrator action and prevents you from submitting the request form until the validation is complete. Learn more.

New VMware Salt Modules Available

We are pleased to announce the release of Salt modules for vSphere/ESXi, NSX, and VMC. These modules were developed as a collaborative effort between VMware and the Salt Open Community and are available under the Salt GitHub project in 'Salt Extension Modules for VMware'.

New "Project Supervisor" role for approvals

This release introduces a new out of the box role called "Project Supervisor" which can be used for approving deployment requests. Any user with this role can serve as an approver only for that specific Project. Learn more.

Onboard vSphere networks

You can onboard vSphere network objects along with the VM while executing the onboarding plan. When a VM is onboarded, the attached vSphere network object is also onboarded and the network object is shown on the deployment canvas.

Indicate vRO based catalog item status

Based on the status of vRO workflow, you can see if any items are valid/invalid/out of sync.

Custom Resources with extensibility actions

Application architects can use extensibility actions in cloud templates to build complex applications. They can create custom resources based on extensibility actions and assess lifecycle operation and day2 context actions. The extensibility action script can return text that can be directly populated as a custom component on the design canvas. Learn more.

Kubernetes support in Code Stream Workspace

The Code Stream pipeline workspace now supports Docker and Kubernetes for continuous integration tasks. The Kubernetes platform manages the entire lifecycle of the container, similar to Docker. In the pipeline workspace, you can choose Docker (the default selection) or Kubernetes. In the workspace, you select the appropriate endpoint. The Kubernetes workspace provides:

• The builder image to use
• Image registry
• Namespace
• Node port
• Persistent Volume Claim
• Working directory
• Environment variables
• CPU limit
• Memory limit.

You can also choose to create a clone of the Git repository.

Ability to configure machine tags in VCT for VMs deployed in VMC

You can configure machine tags for a VM deployed on VMC and update the tag after initial deployment. These tags are used to dynamically assign a VM to an appropriate security group. This builds on similar capability introduced for NSX-T in earlier vRA release. Learn more.

Ability to change default Active Directory OU settings after VM provisioning.

You can now configure a special custom property in YAML template and move machine to a different OU after the post provisioning task.

Cloud Templates with dynamic vRO inputs

You can leverage dynamic inputs in native Cloud Templates when vRO workflow based dynamic values are enabled in the Cloud Templates inputs. Learn more.

Allow IPAM settings to be an input property on machine NIC component in the blueprint

Prior to this feature, IPAM properties always come from the network that the nic targets to. This feature allows customers to directly set gateway addresses, domain, dns and dns search domain via VCT and ignore the properties from the network.

CodeStream API changes

Workspace section in pipeline has two new fields to support k8s based workspaces.​

POST /codestream​/api​/pipelinesGET ​/codestream​/api​/pipelines/{id}

GET ​/codestream​/api​/pipelines/{project-name}/{pipeline-name}.workspace

In the request/response payloadWorkspace Type: Two new fields are added "type" - indicates type of workspace (defaults to docker and backward compatible)"customProperties" - a key value pair to customize k8s workspace

New version of Cloud Assembly IaaS API

This is the new version of Cloud Assembly IaaS API. Users can call this version by using the parameter apiVersion='2021-07-15'.

Notable changes in the new Cloud Assembly IaaS APIs:

1. Asynchronous Cloud Account APIs – CRUD Cloud account operations and enumeration requests are now asynchronous and help users avoid timeout issues for long running operations with different cloud accounts such as regions enumeration and credentials validation. The time out issue was most frequently observed when creating a cloud account for vSphere, VMC, NSX and when adding a new IPAM Integration. When you execute a cloud account request, you are provided with a RequestTracker link to query for obtaining the current operation execution status.
2. Creation of Cloud Accounts supports obtaining certificate information and accepting self-signed certificate through the new /iaas/api/cloud-accounts/certificates endpoint.
3. User session timeout is configurable through {{url-home}}iaas/api/configuration-properties
4. Revert operation /iaas/api/machines/{machineId}/operations/revert is changed to /iaas/api/machines/{id}/operations/revert/{snapshotId}

The first version of the Cloud Assembly IaaS API which is 2019-01-15 is deprecated and will be supported for 12 months.

All requests executed without apiVersion parameter are redirected to the first version of the Cloud Assembly IaaS API which is 2019-01-15. This redirect allows every previously missed user to specify the apiVersion parameter to transition smoothly to the new version ’2021-07-15’ without experiencing breaking changes.

Project Administrator can act as Approver for all approval requests

When creating an approval policy, administrators can select a Project Administrator (for the project in which the approval was triggered) as the approver. This means a policy can be created once, for the organization, or a group of projects, instead of a policy per project with specific user(s) as approver. Learn more.

Configure when IP address from IPAM is released

You can configure how long it takes for an IP address to be released from allocation once it is no longer used. This allows for faster provisioning of new workloads where IP addresses are scarce. There is no change to default behavior where it can take up to 30 mins before an IP address is released after its no longer used. Learn more.

VMware vRealize Orchestrator plug-in for vRealize Automation 8.5 and vRealize Automation Cloud

The updated vRealize Automation plug-in supports scripting objects generation such as cloud accounts, cloud zones, projects, tags, and CRUD operations to build your own content. For each object, some sample content is provided by default. Learn more.

Technical limitations:

• The timeout period for REST operations is 2 minutes.
• Masked custom property values coming from vRealize Automation do not work as input in the Update Project workflow, where custom properties hold encrypted values due to the different encryption logic implemented in vRealize Orchestrator. As a workaround, re-enter the encrypted value without the secret key.
• No pagination support for vSphere cloud account, NSX-T, NSX-V, Data Collector, Regions.

Enable resources across Azure regions to be added to the same resource group

An Azure resource group is created in an Azure region. However, resources from any Azure region can be added into it. This feature enables admins to add resources from other regions into the Azure RG. Learn more about working with Azure resource groups.

NVDS-CVDS Migration Support

The infrastructure admin can migrate vSphere NVDS to CVDS and have vRA update its state including networks and deployments with new information. Additional considerations apply if using vSphere network representations in vRA.

Snapshot management for Azure disks

You can now pass the resource group name, encryption set, and network policy while creating the disk snapshot. This builds on previous Azure disk snapshot functionality introduced in prior release. Learn more about Azure snapshots.

Ability to enable/disable boot diagnostics for Azure VMs - Day 2

You can enable/disable boot diagnostics for Azure VMs as a day 2 action. This builds on ability to enable this as Day 1 action introduced in prior release. Learn more about the day 2 boot diagnostic actions.

Notifications

The Service Broker administrator can view the list of available email notification scenarios and enable or disable them for all users in their organization:

• Deployment lease expired
• Deployment lease expiring
• Deployment request approved
• Deployment request rejected
• Deployment request waiting for approval (notification sent to requester)
• Pending approval request (notification sent to approver)

Learn more about notifications.

Support for existing global security group as part of NSX-T Federation

vRealize Automation can now discover global security groups configured under NSX-T global manager. These groups can be leveraged in network profiles and VMware Cloud Templates to build deployments. This builds on initial support for NSX-T Federation introduced in May 2021 vRA release. Learn more.

Day 2 Install of Salt Minions

You can deploy a Salt Minion on a previously deployed VM resource as a day 2 action. Learn more about the day 2 Salt configuration action.

Day 2 Application of Salt State Files

You can apply one or more Salt State files to a previously deployed VM resource as a day 2 action. Learn more about the day 2 Salt configuration action.

Custom Roles API

The APIs for Custom Roles (RBAC) are now available (Create, Read, List, Update, Delete).

To access API specifications for Custom Roles, see https://www.mgmt.cloud.vmware.com/project/api/swagger/swagger-ui.html?urls.primaryName=rbac%3A2020-08-10

Disks added through vRO and extensibility reflected on deployment (topology) diagram

Disks that were added using vRO workflows or ABX with vRA APIs at the time of initial provisioning are also reflected on the deployment design canvas. All current day 2 actions are available for these disks.

Support for Microsoft Azure Disk Encryption Set

The Microsoft Azure disk encryption set supports:

• Disk Encryption feature for Microsoft Azure independent disks (independent managed disks) in vRA
• Disk encryption feature for Day 2 action "Add Disk"

Property group enhancements (vRO, secrets)

Property groups can now:

• Use vRO workflows for dynamic external values to define properties. Learn more.
• Bind secrets to property groups in order to reuse multiple secrets. Learn more.

Shared IP range for multiple networks

It is now possible for vRA to assign same IP range coming from internal or external IPAM to multiple networks. Learn more.

Provider Events triggered upon tenant resource CRUD

Events in the provider organization enable the provider to trigger subscriptions and write in the CMDB etc. (or for billing purposes). These events are only for resources that the provider must have visibility into. No deployment level events are triggered in the provider org, for tenant deployments.

Limit the number of namespaces for a project on a K8s zone

Prior to this, there was no per K8s zone limit for projects. This feature introduces a configurable limit for the max number of supervisor namespaces that can be deployed for the project on a given K8s zone.

Support for Snapshot management of Microsoft Azure disksThe Microsoft Azure disk snapshot management now supports:

• Disk Snapshot Enumeration
• Day 2 action for deleting Disk Snapshot from Machine
• Compatibility for Managed Disk Snapshot – Resource Group, Encryption set, Network policy, Tags as parameters

Resource view for deployments

In addition to the existing deployment view, you can now use the new resource view to monitor and manage your resources:

• Select if you prefer managing all your resources or managing resources by specific resource types.
• Perform searches by resource name among all resources outside the deployment layer.
• Easy access to day 2 actions performed directly on resources.
• See if a resource or deployment is undergoing a day 2 action.
• Learn more about working with resource view list.

Parallel day 2 actions for deployment resources

Allow multiple resources in the same deployment to go through day 2 actions at the same time.

Property group enhancements (RBAC, cloud template association)

Property groups are enhanced with several new features:

• Role based access control (RBAC) permissions to use and manage property groups.
• Show associated cloud templates to specific property groups. Learn more.

Additional policy criteria attributes across all policy types

Several new resource-based deployment criteria attributes are now consistently available across all policy types and enhance the policy based multi-cloud governance capabilities.

Some of the resource attributes include:

• Cloud Zone
• Cloud Account
• CPU Count
• Cloud Type
• Flavor
• Has Snapshots
• Image
• Image ID
• OS Type
• Power State
• Region
• Disks
• Tags
• Total Memory (MB)
• Resource Type

Scoping a policy to multiple projects

Scoping a policy to multiple projects allows cloud administrators and project administrators to define policies that can apply to one project, across multiple projects, or the entire organization. Scoping can be done by leveraging a set of project-based criteria available across all policy types. Expanding the scope of a policy so that it can be applied to multiple projects in an organization allows a policy to be defined once and reused across multiple projects. Scoping enhances the multi-cloud governance capabilities. Learn more.

Policies: Define and enforce resource limits using resource quota policies

Cloud administrators can now control the consumption of resources across the entire organization and in projects by setting and enforcing reusable resource quotas or consumption limits on certain metrics, such as CPU, Storage, Memory, or number of instances.

This allows cloud administrators to gain more visibility into the consumption of a finite set of shared resources and enforce policy-based governance on resource quotas across the entire organization, per project, or per user. Learn more.

Ability to enable or disable boot diagnostics for Azure VMs - Day0

You can toggle boot diagnostics for VMs provisioned in Azure with the VMware Cloud Templates.

Ability to enable or disable log analytics for Azure VMs

You can toggle log analytics for VMs in Azure.

Support of NSX Federation with NSX-T Cloud Account (Global Manager / Local Manager, existing networks)

With an NSX-T cloud account, it is now possible to connect to NSX-T Global Manager and configure an association between NSX-T Global Manager and Local Managers in the context of the NSX-T Federation. Learn more.

SaltStack Config Cloud Template Integration

SaltStack Config integration is further enhanced to support:

• Automatic installation of minions by using VMware Cloud Templates.
• Deploying software config as salt state files in VMware Cloud Templates.

Support for VMware Cloud on AWS (VMC) on Dell EMC

Continued validatation management of workloads running in all flavors of VMware Cloud. The latest edition to this effort is VMC on Dell EMC infrastructure deployed at the edge.

Custom resource action troubleshooting

• Ability to show user input from workflow runs.
• You can now view values from workflows performed as part of a resource action.

Ability to create subscriptions based on custom resource pre and post events

Cloud administrators can trigger action runs before and after custom resource provisioning.

Storage Policies

• As an admin you can now select which storage policies are allowed for use in a namespace that the admin is provisioning to a project (user), allowing an end-to-end automated workflow resulting in a readily usable supervisor namespace.
• Storage policies configured on the vSphere 7 with Tanzu that are visible to a supervisor namespace determine which datastores the namespace can access and use for persistent volumes. The storage policies appear as matching Kubernetes storage classes in the namespace. They are also propagated to the Tanzu Kubernetes cluster on this namespace. DevOps engineers can use the storage classes in their persistent volume claim specifications.

IaaS API

Force delete functionality to the IaaS API endpoint for deleting deployments. The option is used with the “forceDelete” query parameter.

• If “forceDelete” = true, then the best effort is made for deleting the deployment and all related resources. It should be used with caution since it may leave provisioned infrastructure resources behind which users must remove manually.
• If “forceDelete” = false, a standard delete action will be executed.

vRO plug-in

The VMware vRealize Orchestrator Plug-in allows interaction between vRealize Orchestrator and vRealize Automation.

The preconfigured workflows provided with the plug-in help you deploy and manage resources in vRealize Automation in automated way. In addition to the provided workflows, you can create and run custom workflows. Newly provided content in vRO that is compatible with vRealize Automation, provide solutions to the main customer use cases to create and run workflows for the main functions such as managing projects and users, use custom types, manage VMs, etc. Learn more.

The March Cloud release supports:

• Host management and CRUD operations for hosts
• Out of the box workflows for host management
• Preserved Authentication to the hosts and dynamic host creation
• Rest client for requests to vRealize Automation

Required: To use the plugin, you must download and install it from the marketplace.

Support for multi-vm/disk configuration

• You can specify the creation of multiple VMs with several disks attached to them.
• Support for Day 2 actions on all disks created for the VMs
• Easy identification of the disks attached to the respective VMs

Add disk with different sizes

Cloud templates allow configurations of different size disks.

Disk placement should align with the VM in Workload placement\Multi-VM scenario

Previously, when creating multiple VMs in a single deployment (using the count field), the disk might not attach to the same cluster that hosts the VM. Now, with vROps enhancements, the disk placement is always on the cluster that hosts the VM for optimal performance.

Policy criteria support for resource tags across all policy types

Support for resource based tags as additional criteria allows cloud administrators to define granular policies that can target deployments with resources that have specific tags.

The resource tag policy criteria clause is consistently available across all policy types.

Networking: Reconfigure Existing Security group for vSphere and VMC - Iterative and Day 2

Reconfigure Security Group (Day-2 and Iterative deployment) action allows you to modify, add, or remove rules of an existing security group for a running application in vSphere or VMware Cloud on AWS. See Day 2 Actions.

Changing deployment projects for onboarded deployments

You can use the Change project action to update a project as a day 2 action for onboarded deployments

• Day 2 action is only available for onboarded deployments. If an onboarded deployment is updated to add any provisioned resources, the change project action won't be available. If the provisioned resource is deleted, then the change project action becomes available again.
• In case of any failure, the action is not automatically rolled back. You can manually initiate the action again.
• The same resource Cloud Zones must be present in the target Project otherwise subsequent day2 actions might not work as expected.
• See Day 2 Actions.

Single secret store

You can now create project service secrets. Secrets can be used to add encrypted input values to your extensibility actions. The extensibility action secrets feature added with the December 2020 release is now known as extensibility action constants. Learn more.

Action constants share the same list as the project service secrets. There is no action needed for users who have existing extensibility action constants from the previous release.

Operations center: optimizable deployment filter

Added a filter for deployments to be optimized: optimizable resources only.

When vROPs detects that there is a deployment that has optimization available:

• The optimization may include but not limited to: machines that can be resized, or deleted.
• Optimization data is calculated in the order of days

Operations center : Custom roles and other enhancements

Functionalities of HCMP (Insights, Alerts and Optimizations) can now be filtered by custom roles having read only/read write access to Cloud Zones, Projects, and Deployments. See organization and service roles, and custom roles.

Cloud zone insights now show projects along with their reclaimable capacity.

Optimizable deployments can now be filtered from the deployment list to easily reach them.

Specify order and SCSI controller for vSphere disks

When creating new disks with deployments:

• In the cloud template, you can specify the order in which the disks are created. This allows for better identification of disks for day 2 actions. See Day 2 Actions.
• In the cloud template, you can specify which SCSI controller needs to be mapped to the disk. You can use a total of 4 SCSI controllers per deployment and you can choose among these 4 for each of the disks.

Support for disks which are part of the image template

There can be instances where an image template has disks in addition to the boot disk. In such cases, these disks are supported for day 2 actions. You can view these disks under the VM details. You can also take day 2 actions such as resize on these disks. This resize action is shown as the VM object in the deployment diagram and lists all disks connected to the VM. See Day 2 Actions.

Support for Azure image gallery

The image gallery supports:

• Provisioning using custom images residing in an image gallery
• Leveraging the same image across multiple Azure subscriptions.

Snapshot management for Azure disks

You can create and manage disks snapshots with azure deployments.

• Support for CRUD operations on snapshots
• Support for both managed disks only
• See Day 2 Actions.

Support for Azure disk encryption sets

Azure disk encryption sets to support these use cases:

• Support for third party KMS systems that leverage encryption sets.
• Support encrypting VM and all the attached disks (current and future) with the same key.
• Support for managed disks only.

Enhanced support for Azure availability sets

Enhancing the support for availability sets to address these use cases:

• Support reusing existing availability sets in the cloud template.
• Support having the availability set as optional so that the resources are not part of any availability set.

Changes to permissions and logging for Azure-based extensibility actions

Microsoft Azure 3.x Scripting API support introduces changes to Azure-based extensibility actions:

• Users must add new permissions to their cloud account so they can use Azure-based extensibility actions. Learn more.
• To continue to use logging in their Python-based extensibility actions, users must modify their script. Learn more.

Ansible enhancements

• New Ansible Tower blueprint property – maxJobRetries which retries Ansible Playbooks
• Ability to call workflow templates from Ansible Tower integration
• Ansible integration with user account execution
• In Ansible open source, the server is created using hostname instead of IP Address
• Ability to Pass additional variables from blueprint yaml to Ansible tower
• Update the "Prompt on launch / Limit" for Ansible tower integration to use default value

Puppet enhancements

• Pass user defined properties from Blueprint as facts to Puppet master from agent node.
• Specify PE master of masters.

Event Broker enhancements

Ability to add subscriptions at post provisioning stage and before power on.

IPAM registration for vRealize Automation 7.x workloads while onboarding

When onboarding resources that are part of vRealize Automation 7.x, the IPAM registration is updated for the onboarding workloads. This ensures that there is no duplicate assignment with the IPAM provider and also ensures the IPs come back to the pool once the workloads are deleted.

Unregister onboarded machines

You can now unregister onboarded machines

• The unregister action is available for "onboarded" machines only.
• This action removes the resource from the deployment and makes it available for onboarding again.
• When "unregistering" the onboarded machine, any attached disks (that were onboarded with machine) are unregistered automatically.
• Once you add additional disks to the onboarded machine, the machine is not treated as onboarded anymore and the unregister functionality is not be available.
• See Day 2 Actions.

GCP Sole Tenancy

You can now set a custom property to take advantage of the GCP Sole Tenancy capability (dedicated host).

Networking: Change On-Demand and Existing Security groups for VMC - Iterative and Day 2

The Change Security Groups (Day-2 and Iterative deployment) action now allows you to associate or dissociate a security group (existing/new), which is part of VMware Cloud on AWS deployment, to one or more machines in the deployment. You can attach or detach the security group in blueprint to and from respective machines, and update deployments with this new topology through iterative development.

If you want to add an additional security group (existing or new), which is not part of deployment, to one or more machines in the deployment, you can add the additional security group in blueprint and attach it to machines, and update deployments with this new topology through iterative development.

Networking: Reconfigure On-demand Security group for VMC - Iterative and Day 2

The Reconfigure Security Group (Day-2 and Iterative deployment) action now allows you to modify, add, or remove rules of an on-demand security group for a running application in VMware Cloud on AWS.

Support for AVS

With this release, vRealize Automation Cloud is tested and certified to work with VMware's hosted cloud solutions on Microsoft Azure, called Azure VMware Solution (AVS). Workloads running in AVS can now be managed by vRealize Automation Cloud after setting up vCenter and NSX-T cloud accounts. For more information on AVS, see Azure VMware Solution Documentation.

CloudHealth integration for public cloud costing

Integration with CloudHealth provides cost visibility at two levels - Deployment and Project. The integration supports collection cost information for both AWS and Azure. Once the integration with CloudHealth is set up, the cost information is automatically collected for the workloads.

Storage allocation as per full VM size

Storage for a template/content library based deployments are now allocated at the beginning of deployment to allocate for the full deployment size including image data disks without impacting Workload placement with vROps. This also includes the capacity of any data disks which are part of the template.

Simplification of onboarding workflow

The onboarding plan creation workflow is simplified to make it easier to bring VMs under management. The rules option is now depreciated and the workflow allows direct selection of machines. The machines view now shows only those VMs which were explicitly selected by the user.

Hostname in Ansible Tower

When a machine is provisioned, the IP Address of the machine is added in the Ansible Tower instead of hostname. In this release, Hostname is added as ansible_host variable in Ansible Tower. The Hostname or FQDN string can be passed to Ansible Tower from Cloud Templates.

Policy criteria support for additional Integer/String operators

Integer and String based operators are now supported for policy criteria to allow the cloud administrator to define policies with additional granularity.

Integer operators: greater than, less than, equal and less than, or equal can now be used for criteria clauses 'Total Memory (MB)' and 'CPU Count'.

String operator 'contains' can now be used for criteria clauses 'Created By' and 'Owned By'.

Cancel pending action with approvalPreviously, when a action was cancelled the pending approval request was not cancelled or cleared. Now, cancelling the pending action before it gets approved also cancels the pending approval.

Organization Customization

Cloud Provider partners can brand their organization and their tenants’ organizations with their logo, service names, and colors. This functionality is available to all customers.

Networking: Additional properties in IPAM SDK action schema

IPAM SDK action schema is extended to include the following properties:

• Standardized projectId, blueprintId, deploymentId for Allocate/Deallocate/AllocateRange/DeallocateRange/UpdateRecord
• Included addressSpaceId, vraIPAddressId in Deallocate/UpdateRecord
• Added ID fields for AllocateRange/DeallocateRange

Non-overlapping cloud zones

Cloud zones represent compute capacity and include compute resources (vCenter clusters, hosts or resource pools for VMware Cloud, availability zones for AWS, Azure and GCP).

Cloud zones are defined in one of three ways:

1. Include all available clusters / availability zones
2. Manually select clusters / availability zones
3. Dynamically select clusters / availability zones based on tags

Prior to the January 2021 release, the same compute resources could be a member of multiple cloud zones.

In this release, cloud zone definitions no longer include the same underlying compute resources.

All existing cloud zone definitions continue to work the same way, however the user is notified when a cloud zone includes a compute resource that is already a member of another cloud zone. Modify and re-save cloud zones to make them distinct.

Note: Auto-generated cloud zones (during cloud account creation) are associated with the underlying compute resources after the data collection. For dynamically defined cloud zones (tag based), when the tags are updated for the underlying compute resources, the cloud zone definitions are updated after the next data collection cycle.

Support for Google Cloud VMware Engine

vRealize Automation Cloud is tested and certified to work with VMware's hosted cloud solutions on Google Cloud Platform, called Google Cloud VMware Engine (GCVE). Workloads running on GCVE are now managed by vRealize Automation Cloud after setting up vCenter and NSX-T cloud accounts. For more information, refer to Google Cloud VMware Engine documentation.

What's New December 2020

vRealize Orchestrator in vRealize Automation Cloud

• You can now use vRealize Orchestrator 8.x product capabilities in vRealize Automation Cloud. Features from older vRealize Orchestrator 8.x releases are documented in the following release notes:
  • https://docs.vmware.com/en/vRealize-Orchestrator/8.0/rn/VMware-vRealize-Orchestrator-80-Release-Notes.html
  • https://docs.vmware.com/en/vRealize-Orchestrator/8.1/rn/VMware-vRealize-Orchestrator-81-Release-Notes.html#
  • https://docs.vmware.com/en/vRealize-Orchestrator/8.2/rn/VMware-vRealize-Orchestrator-82-Release-Notes.html
  • Configure a vRealize Orchestrator integration in Cloud Assembly
• New features:
  • Content usage and dependencies of the vRealize Orchestrator content object . You can view where objects, such as workflows, actions, resource elements, and configuration elements are used.
  • An improved deployment experience for vRealize Orchestrator instances enabled for vRealize Automation Cloud. The new deployment uses a cloud extensibility proxy that you can deploy on either your vCenter Server or VMC (Vmware Cloud on AWS).

Important: vRealize Orchestrator roles cannot be leveraged directly in vRealize Automation Cloud. This means you cannot add vRealize Orchestrator roles, such as administrator and workflow developer. Roles for the vRealize Orchestrator integration in vRealize Automation Cloud are managed through Cloud Assembly service roles. For administrator rights, the user needs the Cloud Assembly Administrator role. For workflow developer rights, the user needs the Cloud Assembly User role. Learn more.

Important: Integration of a new SaaS-enabled vRealize Orchestrator 7.6 instances is no longer supported. Existing vRealize Orchestrator 7.6 SaaS integrations will continue to operate, but you cannot update the configuration of these integrations. To migrate these vRealize Orchestrator 7.6 SaaS integrations to your new vRealize Orchestrator 8.x integration, see Migrating a vRealize Orchestrator 7.6 SaaS instance to the cloud extensibility proxy.

Create, store, and use cloud template secrets

The "secure properties" feature stores and encrypts sensitive data in the database. This data is hidden from all areas. You can create and encrypt secret variables for project scope under infrastructure administration, and use in cloud templates. For more information, see How to create and reference a secret Cloud Assembly property and How to use secrets in vRealize Automation Terraform integration.

Create, store, and use extensibility action secrets

You can now enhance your extensibility actions by using secrets. Extensibility action secrets are useful for use cases where the input parameters of your extensibility action include sensitive data, such as passwords or certificates. Learn more.

Networking: NSX-T Tier-1/ NSX-V ESG sharing within a deployment

• Ability to reuse a single NSX-T Tier-1 router or NSX-V Edge Service Gateway (ESG) in a single deployment.
• Previously, every on-demand NSX-T network created a new Tier-1 logical router and every on-demand NSX-V network created a new ESG. The Tier-1/ESG sharing capability allows you to share a Tier-1 or ESG in a deployment, without requiring a separate Tier-1 or ESG for every network in the deployment.
• You can achieve this capability with the Gateway resource type in the Cloud Template. The Gateway resource represents the Tier-1/ESG and it can be connected to multiple networks in the deployment. Learn more.

Networking: New NAT resource type for port forwarding (DNAT rules) support for NSX outbound networks

In a previous release, port forwarding (DNAT rules) supported NSX outbound networks with the Cloud Template resource type, Cloud.NSX.Gateway. This allowed DNAT rules to be specified for the gateway/router connected to the outbound network.

In this release, a new Cloud Template resource type, named Cloud.NSX.NAT, is available in the Cloud Template to define DNAT rules for the deployment. Learn more.

Note: The Cloud.NSX.Gateway resource type is still supported and is used for NAT rules strictly for backward compatibility. However, this will be removed in a future release. Going forward, users will have to use the Cloud.NSX.NAT resource type for defining DNAT rules, and use the Cloud.NSX.Gateway resource for defining shared NSX-T Tier1 or NSX-V ESG.

Networking: Reconfigure On-Demand Security group - Iterative and Day 2 - NSX-T

Reconfigure Security Group (Day-2 and Iterative deployment) action is only supported for NSX-T on-demand security groups. It allows you to modify, add or remove rules of a security group for a running application. Learn more.

Add custom properties while onboarding VMs

While onboarding VMs, you can specify custom properties to add during onboarding. You can specify these at a onboarding plan level. You can also remove these properties from individual VMs if the addition is not required. Learn more.

Support attached disks with onboarding

You can onboard disks as part of an onboarding plan and perform all Day 0\1\2 operations. This feature only supports disks that are attached to the VMs. For more information, see What are onboarding plans in Cloud Assembly.

Property Groups

Property groups help you work more efficiently by reusing groups of properties, storing metadata, and tracking resource usage.

• Create, update, read, and delete property groups with pre-defined data
• Reuse property group as cloud template inputs and resource properties
• Query resource and deployment by property groups as key value pairs

For more information, see How to reuse the same properties in different designs.

Improvements in Custom resource types and custom day2 actions

Enhance custom resource request forms and configuring resource types with powerful workflows and dynamic request forms.

• Ability to use resource properties in Custom request forms of a day2 actions
• Ability to bind complex objects and query collection of object properties and reference types

Custom Forms enhancements

Multi Value picker enhancements

• Ability to browse full details while searching via "show all" option
• Support for reference object types Learn more

Deployment request status as a filter

You can filter deployments by the last request status or the deployment lifecycle status. Learn more

• Deployment lifecycle status: create/update/delete successful or failed
• Last request status: the last request status on the deployment, can include: cancelled/approval_pending/approval_rejected/in_progress/successful/failed

Notify cloud consumers for optimization and enable consumers to take action

As a cloud administrator, you can alert project owners of optimization opportunities. Enable deployment owners to optimize deployments, by providing recommendations and actions in-context for deployments. Learn more.

Active directory per cloud template

Admins can now allow further active directory (AD) integration modification at the Cloud Template level.

• Application architects can now change the relativeDN OU setting directly in the cloud template based on certain preferences.
• In the same manner that the AD integration can be skipped, certain machines are not registered in the preconfigured AD domain based on the machine's properties.

Resource Utilization for consumers.

You can display the total consumption of resource usage (CPU, memory, storage) per end user. When an end user logs in, the amount of consumed resources are displayed. Learn more

Documentation changes

Use cases and examples are now in a new Tutorial section. Added new tutorials.

What's New November 2020

Storage - Datastore, storage profile selection optimization

When multiple storage profiles are eligible for placement, this criteria is used for placement optimization:

1. All eligible datastores belonging to these storage profiles become under consideration and not just the first
2. Ensures that the cluster and datastore are connected.

Performance Improvements

• Leverage vCenter content library to clone the "closest" template when creating a new VM. This eliminates copying of templates when a template copy may already be present in the local data store, reducing cloning time.
• Deployments are distributed across multiple cloud zones, based on policy, when all other criteria selects multiple candidate cloud zones.
• Extensibility actions run in a K8s pod linked to a particular extensibility action - for the life of the platform. Pods are reclaimed and available for other extensibility actions to be run, enhancing extensibility action scale and concurrency characteristics.

Support for AWS Dedicated Instances

Create dedicated instances when provisioning in AWS. To enable this, you have to set a specific property in the cloud template (dedicatedInstance:true). This enables the user to derive all the benefits of using dedicated instances in AWS.

Change deployment ownership

Change deployment ownership as admin or member - for any project admin/member. You can also set a policy with regards to the deployment owner.

Alert synchronization from vROps

• Alerts from vROps are now available, where alerts are defined on Cloud Objects such as Machines, Deployments, Projects and Cloud zones.
• As a response to alerts, cloud providers can now initiate actions such as Analyzing Insights of a Cloud Zone, and Notifying deployment owners of reclamation opportunity. Learn more.

Load Balancer - Health monitor settings for NSX-V and NSX-T

• Configure (Day 0) active health monitor to test server availability, and passive health monitor to monitor failures during client connections and mark servers causing consistent failures as DOWN.
• Support reconfiguration (Day 2) of health monitor settings.Learn more.

Reconfigure On-Demand Security group

Reconfigure Security Group (Day-2 and Iterative deployment) action is only supported for NSX-T on-demand security groups for now. It allows user to modify, add or remove rules of a security group for a running application. Learn more.

Terraform provider enhancements

• Verified to be part of Hashicorp Terraform registry
• Support First Class Disk resource type

Infoblox - filter data collected to optimize performance

• Allow filtration for data collected networks to minimize the initial set of networks for which actions are executed.
• The Infoblox IPAM plugin performs datacollect on all networks from Infoblox. Default page size is 1000. For customers, who have thousands of networks, but only need to use a few, they can easily tag these networks with Extensible Attributes.
• This feature includes properties in the Infoblox plugin that allow you to provide special filters to select only the required network type objects from Infoblox and filter out the rest. Learn more.

Support Day 2 Disk creation in to a SDRS datastore cluster

Support day 2 actions to create new disks when:

1. SDRS is enabled.
2. datastore clusters are being used.

What's New October 2020

Deployments - Change ownership

Change deployment ownership as admin or member for any project member.

Custom property update via API

Update custom property for machines through IaaS API.

Reuse Azure resource groups

Ensure there is no sprawl of resource groups and help simplify management.

• Abilility to choose if the day 2 created disk should go to a new resource group or into an existing one. If existing is required, user will be able to choose the Resource Group from a drop down.
• Abilility to reuse a resource group when defining the cloud template so that even with day 0 provisioning, a new resource group create is not created.

Cloud zone capacity and consumption Insights

• Integrate with vRealize Operations to view capacity insights for a cloud zone in context.
• Key Indicators such as Physical resources available (CPU GHz, Cores), and utilization are provided.
• Trend of consumption for CPU and Memory help in understanding capacity trend situation.
• Projects and resources consumed from this cloud zone by them are provided for detailed consumption analysis. Learn more.

Networking: Change Security Group - Iterative deploymentChange security groups for a machine component using iterative development. Learn more.

• Ability to associate or dissociate a security group (existing/new), which is part of deployment, to one or more machines in the deployment, the user can attach/detach the security group in a cloud template to/from respective machines, and update deployments with this new topology through iterative development.
• Ability to add an additional security group (existing/new) which is not part of deployment, to one or more machines in the deployment, the user can add the additional security group in blueprint and add (attach) it to machine(s), and update deployments with this new topology through iterative development.

Multi-tenancy

• Create Image Mappings at the Tenant Management screen (de-couple from VPZ)
• Create Flavor Mappings at the Tenant Management screen (de-couple from VPZ) Learn more.

What's New August 2020

vRealize Automation Blueprint name change to VMware Cloud Templates

• Blueprints are renamed to VMware Cloud Templates. Learn more.
• You might still see the term Blueprint in the official documentation, API, error messages, and other areas of code.

Terraform Configuration as a VMware Cloud Templates Resource

Terraform open source configurations are now integrally supported by VMware Cloud Templates. Cloud Administrators can integrate Terraform configurations stored in Git and release as self-service catalog items. Select capabilities include the following. Learn more

• Create Cloud Templates with Terraform configurations
• Compose hybrid Terraform-VMware Cloud Templates
• Enable built-in power Day 2 actions and custom day 2 actions on Terraform resources
• Central deployment state file
• Managed Terraform runtime in cloud
• Code Stream pipeline to deploy Terraform based Cloud Templates for DevOps users

Multi-tenancy: Centralized Management of Tenant Infrastructure

The capability for a provider to allocate provider-managed infrastructure to their tenants. Learn more.

• Provider administrator creates a bundle of isolated IaaS resources (Compute, Network, Storage, Image, and Flavor) called the Virtual Private Zone (VPZ).
• Provider administrator shares the VPZ with a tenant.
• Tenant administrator, in turn, shares the VPZ with a project within the tenant org.
• Tenant project members can provision a machine into the VPZ.
• Project members view the deployment and see an "obfuscated" view of the underlying infrastructure (only the VPZ name).
• Tenant A resources are not visible to Tenant B, even when underlying infrastructure is shared.

Custom Role Based Access Control (RBAC)

• Custom roles based access enables customers to closely align the roles they assign consumers and providers to the actual roles they hold within their organizations. It helps with configuring restrictive enough roles, based on the actual tasks (permissions) users are eligible for and resource they are eligible to without overloading permissions with unnecessary tasks or confront organization security.

  Base concepts:

  • Org admins are able to define custom roles within organization.
  • Each custom role can be assigned to an organization users/group.
  • New custom roles model integrates with out of the box roles, and works in collaboration with access control and policy within the organizations.

  Available configurable permissions:

  • Custom Roles for Images, Flavors, Zones, Machines and Requests, Cloud Accounts, Cloud Zones and Projects
  • Custom Roles for Manage and View Onboarding Plans
  • Custom Roles for Extensibility use cases:
    • Manage and View
      • • Subscriptions
        • Actions
        • Action Runs
      • Viewer permissions for:
        • Events
        • Event Topics
        • Workflows
        • Workflow Runs
  • Custom Roles to Manage and View Cloud Templates
  • Custom Roles to Manage and View Custom day2 for builtin & custom resources
  • Custom Roles for Pipeline Modeling, Execution, Configuration
  • Custom Roles for Policy Permissions
  • Custom Roles to manage permissions for approvals

XaaS Custom Resource and Custom Action Enhancements

• Custom Resources Schema Dynamic data support. Includes automatic validation for the workflows added as lifecycle actions to your custom action. This feature also includes improvements to the external type property and custom resource property schema. Learn more.
• Custom Day 2 actions bindings. Support for three types of action bindings: in request, with binding action, and direct binding. Learn more.

Support 1:N Association Between NSX-T Manager and vCenter

• Support for 1 NSX-T manager connected to multiple vCenters. Learn more.

NSX-T Policy Mode Support

• Enable the creation of a new NSX-T endpoint in Policy mode. Learn more.
• Policy mode support for Networks (Day 0, Day 2), Load Balancers (Day 0), Security Groups (Day 0), Tagging (Day 0), VM Scale In/Out (Day 2), and Port Forwarding (Day 0, Day 2)

NSX Load Balancer Configurations - Logging Level, Algorithm, Type, NIC, and VIP

• Support for NSX Load Balancer advanced configurations, including Logging level, Algorithm, and Type (Day 0,Day 2). Learn more.
• Support for NSX Load Balancer configuration options for NIC for all network types, including private, outbound and routed networks. ( 07.20 release supported this feature for existing and public networks). Load Balancer can now be connected to a specific machine NIC, rather than always using the first NIC in the machine by default. Learn more.
• Ability to specify the IPv4 VIP (Virtual IP) in the Cloud Templates; this would allow Load Balancer to have a specific IP, instead of an IP from a static IP range.

Port Forwarding

• Port Forwarding (DNAT rules) support for NSX outbound networks. Introducing a new Cloud.NSX.Gateway Cloud Templates resource type that allows the DNAT rules to be specified for the gateway/router connected to the outbound network. Learn more.
• Day 2 actions support for adding new NAT port forwarding rules, reordering rules, editing existing rules, and deleting rules.

Networking Day 2 – Reconfigure Security Groups

• Support for Day 2 actions for security groups
  • Change security groups - add a new or existing security group, remove associated security groups, and modifyassociated security groups. Security groups should be part of deployment for the day2 actions. The day2 actions are supported for single machine only, not for multi-machine cluster.
  • Delete security group - remove security group from deployment. If the security group is on-demand, then it is destroyed.

vSphere 7 Supervisor Namespace as a Cloud Templates Resource

• Cloud Templates author can define supervisor namespace resource limits on the Cloud Templates resource. This allows the admin to restrict user resource consumption

ITSM Plug-in 8.1.1

Custom Forms

• Support for Custom Forms which has Text Area, Text Field, Text, Password, Decimal, Integer, Drop Down, Checkbox, Date Time, Radio Group

Catalogs in Native ServiceNow Catalog

• Catalogs items are now available in native ServiceNow catalog for Deployment

Scaling Improvements

• Up to 250 resources per deployment and 400,000 virtual machines.
• If you anticipate deployments to have more than 100 resources, upgrade to the new API version 2020-08-25.

New Version of theREST API

As of August 25, 2020, a new version of the REST APIs is available with all releases. The new version increases resource support to 300 resources per deployment and provides performance improvements. If you are an API user and have not locked your API to a version before, you might encounter a change in an API response. As a best practice, you should lock your API to the latest version which is apiVersion=2020-08-25. In this way, you ensure that your API responses do not change unexpectedly with an API update. If left unlocked, your API requests will default to the latest version.

What's New July 2020

Extensibility Subscriptions

• Support for up to 50 blocking and 50 non-blocking subscriptions per event topic. Learn more

First Class Disk IaaS APIs – additional actions

• New IaaS API support for First Class Disk (FCD) snapshot management (Create, Delete, List, and Restore). Learn more.
• New IaaS API to convert existing disk to an FCD. Learn more.

ITSM Plugin

• New ITSM plugin (version 8.1) is now available on ServiceNow store.
• Orlando Support – Plugin supports Orlando which is latest ServiceNow version. It also supports previous ServiceNow versions Madrid and New York.
• Multi-level Approval – The ServiceNow administrator can configure multi-level approval for ServiceNow Catalog requests.
• Email Notifications – The ServiceNow administrator can configure email notifications for various activities like Deployment Requests, Approval Requests, Day 2 Requests, and Endpoint and Entitlement configurations.
• Auto Create tickets for failed deployments – A support ticket is created and assigned to support groups in ServiceNow whenever a deployment request fails or a day-2 action fails.

Shared Infrastructure Multi-Tenancy for Cloud Provider Hub Organizations

Setup and manage Virtual Private Zones and share IaaS resources across projects while maintaining tenant isolation. For managed service providers, shared infrastructure multi-tenancy ensure optimal resource allocation and control. Currently this is only supported for provider organizations in Multi-Tenancy configuration through VMware Cloud Provider Hub.

• The Provider Administrator can create a Virtual Private Zone which is a bundle of isolated IaaS resources (Compute, Network, Storage, Image, and Flavor). All CRUD operations are supported.
• The Provider Administrator can add the newly created Virtual Private Zone to a project. You can add multiple Virtual Private Zones to a single project.
• Project members can provision machines into the added Virtual Private Zone.

This is a key step towards “Shared Infrastructure Multi-Tenancy” in a multi-tenant environment. In multi-tenant environment the provider will be able to allocate Virtual Private Zones for provisioning from Tenant side.

NSX Enhancements

• NSX Cloud specific Load balancer exposes advanced configuration options and can now be connected to a specific machine NIC, rather than always using the first NIC in the machine itself by default. Learn more.

Custom Role Based Access Control (RBAC)

Custom roles based access enables customers to closely align the roles they assign consumers and providers to the actual roles they hold within their organizations. It helps configuring restrictive enough roles, based on the actual tasks (permissions) users are eligible for and their eligible resources without overloading permissions with unnecessary tasks or confront organization security.

Base concept:

• Organization administrators are able to define custom roles within organization.
• Each custom role can be assigned to an organization user/group.
• New custom roles model natively integrate with out-of-the-box roles and work in collaboration with access control and policy within the organizations.

Available configurable permissions:

• Custom Roles for Images, Flavors, Zones, Machines, and Requests
• Custom Roles to Manage and View Custom day2 for built-in & custom resources
• Custom Roles for Pipeline Modeling, Execution, and Configuration
• Custom Roles for Policy Permissions
• Custom Roles to manage permissions for approvals
• More information about custom roles and examples of how they work with the the other roles

vSphere Supervisor Namespace Support

• Ability for catalog user to request vSphere supervisor namespaces from the catalog powered by an underlying VMware Blueprints.

vRealize Orchestrator Integration

• VMware Cloud (VMC) on AWS is currently not supported as authentication provider for vRealize Orchestrator.

What's New June 2020

Approval For Onboarded Deployments And Cloud Assembly

• Support approval flow for pre-provision and day 2 actions for cloud assembly blueprint deployments
• Support approval flow for day 2 actions on imported deployments
• More information about approval policies

FCD - IaaS API – CRUDL

• Create, deleted, list, attach and detach First Class Disks (FCD)

IaaS API Filter Resources Within Particular Region In Cloud Accounts

• Resources in Cloud Assembly IaaS API can be found by the region that they belong to using Data filter. The region can be uniquely identified by the externalRegionId and the corresponding cloudAccountId

Integration With vROPS Cloud

• Support for workload placement, cost and pricing, and health metrics. Learn more

New vRA Cloud Service Regions

• Singapore AWS ap-southeast-1 since 05/28
• Frankfurt AWS eu-central-1 since 06/01

What's New May 2020

Approval Policy

• Approvals now apply to all catalog items beyond Cloud Assembly blueprints including CFTs, vRO workflows, extensibility actions, OVAs, etc.).
• You can now trigger approval policies based on the attributes of underlying resources filtered by: cloud account, cloud type, flavor, image, region or resource type. Learn more

API for Updating Cloud Account Password

• Update cloud account password for vSphere and NSX using IaaS API.

Custom Day 2 Actions

• Custom day 2 operations for custom resources and built-in types. Learn more

Custom Resources

• Support for custom resources based on vRO types. Learn more

Deployment History

• View and filter deleted deployment history for up to 90 days after deletion. Learn more

Day 2 Networking

• Update deployment constraints on the vSphere machine NIC to move it from one existing network to another existing network in the same network profile.
• Machine can be moved from static to static network, or dynamic to dynamic network.
• The previous network is deleted from the deployment.Learn more.

Share Extensibility Actions Across Projects

• Ability to share a extensibility action across multiple projects. Learn more.

What's New March 2020

Active Directory

• Apply AD policies to select cloud zones in a project based on tags.
• Specify a set of optional tags when creating an AD policy.
• Expose or indicate health for the AD integration end point and the health of the underlying extensibility action integration in use.

Compute Limits

• Limit how much CPU and memory resource can be consumed by deployments of a project.

NSX-V: On-demand security Group

• Enable native support for NSX-V on-demand security groups in blueprint design canvas. Learn more

Pipeline as Catalog Item

• Support pipeline workflow as a catalog item.

Powershell Support Beta

• Powershell support on-prem for extensibility actions (wrappers, image, callback, proxy, code editor, log enhancement, dependencies, code completion, flow support, troubleshooting).

Policy Enhancement

• UX improvements on filter and criteria.

RBAC Enhancement

• View only role for project and org.

Storage Limit For vSphere

• Limit storage capacity of a cloud zone that deployments of a particular project can consume.
• For vSphere templates based provisioning, before day 2 actions.

Security Group

• Enhancement to graphical representations and bindings of compute networking interface cards to Security Group constructs in blueprint design canvas.

Tagging API

• Create and manage tags on resource pools, clusters and computes via IaaS API.

What's New February 2020

OVA As A Catalog Item

• Bitnami based open virtual appliances (OVA) files from the marketplace can be shared in the catalog for specific projects.
• Users can then request and provision an OVA catalog item.
• While a deployment is being created it can be managed as any other employments (e.g. policy, day2).

Ansible Tower Integration

• Out of the box support for Ansible Tower and open source version of Tower in Cloud Assembly. Learn more

Persistent Disk API

• Ability to ensure disks are not deleted on deployment/VM delete. Learn more
• Ability to create a disk independent of a VM.

Service Broker Admin To Manage K8s Zones

• Service Broker admin can create and manage project configurations for Kubernetes zones.

Approvals For Deployment Requests

• User-based approvals for initial catalog item requests and day 2 actions.
• Triggering (multiple) approvals based on deployment criteria.
• Auto-approve or reject when there is no response within specified time period.
• Ability to add reason for approval decision.
• Ability to specify whether one (any) or multiple (all) approvers are required.
• Approval through URL in email.
• Ability to track approval process for requesters/approvers.
• Email notifications for approvals.
• Learn more about approval policies

Bulk Deployments

• You can select the number of deployments to create from a single blueprint at request so that the user can deploy multiple environments in a single request. Learn more about setting a deployment count on deployments

Networking Day 2 Actions

• Day 2 actions support for network reconfigure and managing load balancer-specific properties. Included as part of the possible actions

Networking Extensibility Events

• Subscribe to new independent extensibility events for networks, load-balancers, and security groups for custom deployments enhancements by applying extensibility actions and vRealize Orchestrator workflows.

Custom Forms

• Export/Import CSS in a custom form. Learn more

What's New January 2020

Cloud Assembly IaaS API

• Users can enumerate all private images for enabled regions of specified account through the IaaS API. The account here can be of type: AWS, Azure, GCP, VMC, vSphere
• Users can create a new VMC Cloud account through the IaaS API.
• Users can get the resources for specified zone through the IaaS API. The returned list of computes has the following properties:

{ name : Compute name id : The id of this resource instance tags : A set of tag keys and optional values that were set on this resource instance type : Type of the compute instance externalRegionId : The external region id of the compute externalZoneId : The external zone id of the compute externalId : External entity id on the provider side orgId : The id of the organization that this entity belongs to createdAt : Date when the entity was created updatedAt : Date when the entity was last updated }

For more details, refer to vRealize Automation Cloud IaaS API Swagger documentation: https://www.mgmt.cloud.vmware.com/iaas/api/swagger/ui/.

What's New October 2019

• Deployment SharingAbility to enable deployment visibility and day 2 actions across all project members or limit that ability to the deployment owner and project admins. More about enabling deployment sharing in projects.

• VM Console AccessAllows remote access for vSphere machines as a day 2 action. Included in the day 2 actions.

• On-demand Security GroupsCreate an on-demand NSX Security Groups directly on the blueprint design canvas. Display all security groups under new Security tab. More about security resources.

• Graphical Input Editor in Blueprinting CanvasConfigure your topology inputs by using a graphical editor on the design canvas in Cloud Assembly. Choose how you prefer to interact with your blueprints with the yaml script editor and the graphical editor.

• Blueprint API schema validationBlueprint APIs are being updated to perform schema validation for level 2 objects. For example, Ansible playbooks must be an array of strings and not a string.

• Cloud Assembly IaaS API deployed resources are visible in UIWhen provisioning a resource by using the Cloud Assembly IaaS API, the resources are visible in the UI on the Deployments tab.

What's New September 2019

• Graphical Property Editor in Blueprinting Canvas The Blueprint editor now includes a GUI for objects properties. The GUI reflects what is present on the canvas and in the code view in real time and can be used to add properties or edit existing properties. The GUI includes helpful and relevant signposts to all displayed fields.
• Policy Deployment CriteriaA policy in Service Broker can now be further refined when the policy is applied within the selected scope. The policy criteria is a logical expression. The expression is evaluated against deployments. More about configuring the deployment criteria.
• IPv6 Support for vSphere MachinesCloud Assembly supports pure IPv4 or dual stack IPv4 and IPv6 for vSphere cloud accounts and their endpoints. More about IPv6 and IPv4.

What's New August 2019

• Network Automation - Security Groups in Blueprints​Assign existing NSX security groups directly on the blueprint design canvas. All security groups are listed on the new "Security" tab. Existing security groups can be applied per vNIC of a virtual machine in a deployment. More about security groups.

• Action Based Extensibility (ABX) for On-Premises (Beta)Introducing Action Based Extensibility (ABX) serverless capabilities on-premises. Tie actions to lifecycle events with subscriptions. Create inputs in blueprints and define package dependencies and requirements. Establish and release versions for actions. Create workflow chains of actions across clouds and establish failure actions. Python 3 and NodeJS languages supported. The actions will run on a local extensibility action appliance (with a dedicated cloud extensibility proxy). More about action-based extensibility (ABX) for on-premises integration.

• Active Directory Integration in Cloud Assembly (Beta)Out-of-the-box integration with Active Directory is now supported. With this integration, users can manage the placement of machines within the Active Directory structure easily through configurations at the project level.

• Set Icons on Catalog ItemsCatalog items in Service Broker have a default icon when created. You can now change the icon to whatever you choose as more relevant to your catalog entry.

• Enable Custom Forms import / export in the custom Form DesignerA custom form can be exported and imported as a JSON file or as a YAML file.

• New Action Editor design pageThe extensibility Actions page on the Extensibility tab has been updated to improve the user experience. More about extensibility actions.

• Kubernetes Cluster and Namespace Management (Beta) The following capabilities were added for Kubernetes support. More about Kubernetes.
  • Connect to PKS endpoint and share the PKS plans across projects
  • Self-service request for creating a cluster
  • Admin provided shared cluster for the project
  • Discover and add existing PKS clusters on the endpoint
  • Onboard an external native Kubernetes cluster (EKS, GKE etc.)
  • Policy based placement of namespaces
  • RBAC for Kubernetes namespaces
  • Ability to requests namespaces from catalog
  • Ability to manage and share namespaces on Kubernetes clusters
• Network Automation - Tagging Networking ObjectsEnable the provisioning and management of network resources, including network load balancers and Virtual Machine NICs, that can be consumed in projects and blueprints by leveraging tags. The tags can be propagated to the endpoints for NSX-T, NSX-V, vSphere, AWS, and Azure. More about tags.
• Cloud Agnostic Load Balancer - Day 2 reconfigurationYou can now reconfigure a deployed load balancer (ports, networks, and member pool) for load balancers on NSX-T, NSX-V, AWS and Azure. More about reconfiguring a load balancer.
• Ability to set IP mode (DHCP, Static & Mixed)You can now define your preferred IP mode as DHCP, static, or mixed for private, outbound and routed networks. More about IP mode.
• Access Control for Day 2 ActionsControl who can access and edit Day 2 actions for existing workloads through the Service Broker policy engine. More about Day 2 actions.

• Service Broker Catalog content refreshA scheduled refresh of templates imported into the Service Broker catalog is now set to occur every 6 hours.

• New Extensibility event topicsAdditional events topics for Blueprints, Kubernetes, and Disk events has been added.

What's New July 2019

• Custom Naming (Beta)Define the naming nomenclature of your VMs with custom machine naming on a project level. By defining these name templates on a project level, all machines deployed by users within the project are automatically assigned a name based on the template. More about custom naming.

• Blueprint validationA test option is now available within the blueprint design. The test capability provides the ability to auto suggest flavors and constraints based on the project of the blueprint and also provide the ability to simulate the flow and show placement errors before starting the actual provisioning.

• Infoblox IPAM Integration (Beta)Cloud Assembly now includes integration with Infoblox as a provider-specific IPAM solution within your environment. Once the IPAM integration configuration is complete, you can use the Infoblox to provision IP addresses using existing Infoblox networks. More about configuring for Infoblox IPAM integration.

What's New June 2019

• Disk Provisioning in AzureThe default behavior for disk provisioning in Azure when no storage profile exists has been changed. Previously, if no storage profile had been configured for an Azure cloud account, storage accounts were created by default and disks were placed within the on-demand storage account. With this change, the default behavior when there is no storage profile is to use Azure managed disks.

• Role NamesThe names of the Cloud Assembly service roles have been updated. The Automation Cloud Admin role is now named Cloud Assembly Administrator. The Automation User role is now named Cloud Assembly User. No other change has been made to the Cloud Assembly roles. More about Cloud Assembly roles.

• Blueprint SharingCloud Assembly administrators can now control whether a blueprint can be shared to users in other projects. When creating or editing a blueprint, you can restrict the blueprint to its project or make the blueprint sharable to all projects within the same organization. If a blueprint is sharable, a Service Broker administrator can manage which projects have access to that blueprint for self-service provisioning in Service Broker.
• Cost VisibilityCost visibility has been temporarily disabled. This functionality is being rebuilt based on a new costing engine and will be expanded to include upfront cost prior to provisioning a deployment, as well as the running cost of deployed workloads.
• Resource Tags on Project Contain tag sprawl with tagging policies for your workload resources. Tags on provisioned machines within a project can now be set for each project. By defining these tags on a project level all machines deployed by users within the project are automatically tagged. More about project tags.

• Day 2 TagsTags can now be added or edited on deployed machines as a Day 2 action. More about Day 2 actions.

• Systems ActionsExtensibility actions can now be executed via the API without an association to a project. A projectId field is now optional.

What's New May 2019

• Google Cloud Platform (GCP)GCP cloud provider functionality has passed Beta and is now enabled for use in production. More about the Google Cloud Platform cloud account. The following areas have been addressed:
  • GCP account registration
  • Native Discovery of GCP resource
  • Provision a VM
    • Network
    • Network profile
    • Load Balancer support
    • Disk
    • Storage profile
  • Day 2 operations
    • Compute Resources - Power On/Power Off, Reset, Suspend, Resize, Snapshot Management
    • Storage - Disk Management operations
    • Networking
  • Networking
    • Add/Remove Nic from VM
    • Firewall rules updates
  • GCP-specific properties support
    • constraints
    • count
    • name
    • persistent
    • persistentDisk
    • tags
    • attachedDisks
    • constraints
    • count
    • imageRef
    • name
    • tags
• IaaS APIThe VMware Cloud Assembly IaaS API is a multi-cloud policy-based placement API designed for consumers who prefer an imperative over declarative style of provisioning of workloads. The official swagger documentation is available from https://www.mgmt.cloud.vmware.com/iaas/api/swagger/ui/.IaaS API versioning is now mandatory and the IaaS API URL has changed to /iaas/api/. More about API documentation.

• VersioningThe IaaS API version parameter is now mandatory. This means that calls such as “GET /iaas/api/network-profiles” should be changed to “GET /iaas/api/network-profiles?apiVersion=2019-01-15”.Calls that do not explicitly contain the apiVersioning parameter, such as “GET /iaas/api/network-profiles” where the apiVersioning parameter is not included, will fail.To help ensure a smooth transition for existing code, during the next 3 months all calls that do not contain the apiVersioning parameter will log a warning message and the call will succeed.

• URLThe officially supported IaaS API URL path is /iaas/api/.This means that you should updated existing calls such as “GET /iaas/network-profiles?apiVersion=2019-01-15” to “GET /iaas/api/network-profiles?apiVersion=2019-01-15”.To ensure a smooth transition for already existing code, during the next 3 months all calls that have omitted the api subdirectory in the URL will be routed to an updated path that includes the api subdirectory. For example, the path “GET /iaas/network-profiles?apiVersion=2019-01-15” will be routed to the updated path “GET /iaas/api/network-profiles?apiVersion=2019-01-15”.
• Display Page-Specific Help Topics You can now access page-specific help topics by clicking the Help icon on the toolbar. You can also search for additional help content using the Search box. To pin the in-product Help panel in place while you continue working, click the pin in the top right corner.More about the in-product Help panel.