Security is on everyone’s mind these days, and vSphere has made a number of improvements when it comes to security in vSphere 6.7, including support for Trusted Platform Module (TPM). Encryption is now enabled by default and adheres to the FIPS 140-2 standard.
Another obvious focus for VMware is linking all things vSphere to the cloud. VMware Cloud on AWS has been publicly available for a little over a year and has seen steady growth, both in terms of users and regional availability.
vSphere 6.7 includes a new vCenter Server Hybrid Linked Mode that enables management insight across both on-premises and cloud-based resources. Other feature enhancements such as cross-cloud hot and cold migration make it simpler to migrate VMs in a hybrid cloud environment.
New Features in vSphere 6.7
While this release doesn’t contain any tectonic features, it does have a number of new and improved capabilities to enhance the overall experience for users and admins. Besides the security improvements already mentioned, a number of performance-related enhancements, including persistent memory support, debut in vSphere 6.7.
ESXi Quick Boot is a new capability developed jointly with a number of major server vendors that allows the ESXi Hypervisor to restart without rebooting the physical host. For large memory systems this greatly reduces the time required to reboot after a system update.
While Instant Clone was a feature added several releases ago, it has been enhanced in vSphere 6.7 with a new public Instant Clone API. With this update you no longer have a dependency on the source VM, allowing the creation of a fully independent new VM. The new VM is derived from a running VM, including its existing state.
This capability came out of the Horizon View world and will be especially welcomed by virtual desktop users. A community GitHub site for customized scripts has been created to help you get started with this new capability.
The vSphere 6.7 Client (see Figure 1) is still not 100% feature-complete in the HTML version. VMware has stated, however, that vSphere 6.7 will also be the last release with the Flash-based vSphere Client.
At VMworld 2018, VMware announced Update 1 for vSphere 6.7 and indicated everything was on track to bring the HTML client into full compatibility with previous Flash-based and standalone versions.
vCenter Server Appliance
VMware also announced that vSphere 6.7 will be the last version with support for vCenter Server for Windows. The migration plan is to move to the vCenter Server Appliance (VCSA) for all vCenter management.
A new migration tool makes this process easier and features the ability to keep historical performance data. Standardizing on VCSA will make the management platform easier for VMware to support going forward and will bring it stability in the long term.
The latest installment of the vCenter Server Appliance (VCSA) brings a new deployment experience that simplifies the process (see Figure 2). Everything from the initial virtual machine provisioning to the configuration happens through the installer tool. You will need to have a DNS record created for the VCSA virtual machine before you start the process or it will fail.
A new backup scheduler allows administrators to automatically back up the appliance with no further user intervention (see Figure 3). Backups can optionally be encrypted as well by simply entering a password.
Protocols supported for backup include FTPS, HTTPS, SCP, FTP and HTTP. The restore process has also been improved with a new backup archive browser. Once the backup location has been entered, a listing of available files will be displayed. It’s also possible to search for files on a backup server.
Security in VMware vSphere 6.7
The Trusted Platform Module (TPM), now at version 2.0, is a hardware chip included with most newer server systems that is designed to enhance security features such as the generation of crypto keys and the authentication of hardware devices. Virtual TPM 2.0 brings hardware-level security features to guest operating systems.
It’s also simpler to encrypt virtual machines in this release. From the list of VMs in the vSphere Client, simply select Edit Settings, then VM Options, followed by enabling encryption. This still requires a key management server (KMS) to handle the storage and management of encryption keys. VMware supports a number of KMS vendors, including Dell EMC, HyTrust, IBM and others.
Credential Guard is a feature of Windows 10 that utilizes hardware and software virtualization to enhance security. It’s also known as virtualization-based security (VBS) and has become quite popular in the enterprise space.
vSphere 6.7 now fully supports Microsoft VBS for Windows guest operating systems, including everything necessary, such as UEFI firmware and secure boot. TPM 2.0 is used to secure credentials and is implemented in the guest as virtual TPM or vTPM.
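The prerequisites named above (UEFI firmware, secure boot, a vTPM device, and a KMS-backed encryption key) can be audited across an inventory. The following is an added example, not code from the article or from VMware. It assumes the attribute names of the vSphere API's VM config object as exposed by pyVmomi (firmware, bootOptions.efiSecureBootEnabled, flags.vbsEnabled, hardware.device, keyId); the VM records and device classes are constructed stand-ins so it runs without a vCenter.

```python
from types import SimpleNamespace as NS

class VirtualTPM: pass    # constructed stand-in for the API's vTPM device type
class VirtualDisk: pass   # constructed stand-in for any other device

def audit_vm(config):
    """Return unmet VBS/vTPM prerequisites for one VM config object."""
    gaps = []
    if config.firmware != "efi":
        gaps.append("firmware is not UEFI")
    if not config.bootOptions.efiSecureBootEnabled:
        gaps.append("secure boot disabled")
    if not config.flags.vbsEnabled:
        gaps.append("VBS not enabled")
    # pyVmomi type names are dotted (assumption), so match on the suffix.
    if not any(type(d).__name__.endswith("VirtualTPM")
               for d in config.hardware.device):
        gaps.append("no vTPM device")
    if config.keyId is None:
        gaps.append("no KMS encryption key assigned")
    return gaps

def make_config(firmware, secure_boot, vbs, devices, key_id):
    """Build a constructed config record with the assumed attribute names."""
    return NS(firmware=firmware,
              bootOptions=NS(efiSecureBootEnabled=secure_boot),
              flags=NS(vbsEnabled=vbs),
              hardware=NS(device=devices),
              keyId=key_id)

# Constructed inventory: VM names and key id are made up for illustration.
INVENTORY = {
    "win10-vbs": make_config("efi", True, True,
                             [VirtualDisk(), VirtualTPM()], "example-key-1"),
    "win10-partial": make_config("efi", True, True, [VirtualDisk()], None),
    "win10-legacy": make_config("bios", False, False, [VirtualDisk()], None),
}

def audit_inventory(inventory):
    """Map each VM name to its list of gaps (empty list means ready)."""
    return {name: audit_vm(cfg) for name, cfg in inventory.items()}

if __name__ == "__main__":
    for name, gaps in audit_inventory(INVENTORY).items():
        print(f"{name}: {'ready' if not gaps else '; '.join(gaps)}")
```

Against a live vCenter, the same audit_vm function can be given each VM's config object retrieved through pyVmomi in place of the constructed records.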
Bottom Line
vSphere 6.7 is a solid release with many enhancements and improvements you’ll want to consider. While not all enterprises will implement every point release, you’ll find enough value in this release to at least evaluate it for your environment. The security enhancements alone should be worth the time and effort.
Paul Ferrill, based in Chelsea, Alabama, has been writing about computers and software for almost 20 years. He has programmed in more languages than he cares to count, but now leans toward Visual Basic and C#.