vCenter Operations: Integrated and Secure?

VMware released 3 versions of vCenter Operations, standard, advanced, Enterprise.  We have already discussed the abilities of vCenter Operations vCenter Operations – vSphere Performance, Capacity and Configuration Management with Self Learning Analytics but is this an integrated and secure implementation of monitoring or do we need more security than what is provided?

At the time the first article was written there was a bit of vital information we did not have available to us. That is how to access vCenter Operations Standard or Advanced in a multi-tenant manner, that has now been provided. vCenter Operations Alive functionality can be accessed directly from a web browser using your VMware vCenter Credentials, which allows you to see the Alive status of any VM you have the permissions to view. This capability is a huge capability, as it now allows me to provide a non-vSphere Client mechanism to view the status of the virtual environment.


Why is this important? Now I can give access to vCenter Operations Alive capability to my Network Operations Team, Management, and anyone else who needs access to this type of dashboard without giving them direct access to vCenter.

Not everyone needs direct access to vCenter via the vSphere Client or SDKs as that access could grant them dangerous capabilities unless the Roles Based Access Controls (RBAC) within vCenter are scrutinized per user and group. Their is a growing need review RBAC inside vCenter as its RBAC is somewhat reverse of what normal mechanisms use. If you have propagated RBAC within vCenter (which is the common method) then the least-privileges always apply (you cannot get more privs on an object lower down the tree if your privs high in the tree are restricted). But without propagation, setting RBAC on each object becomes painful. So in many ways RBAC is ignored within vCenter. Everyone is an administrator or Read-Only. There is usually no middle ground.

vCenter Operations gives a view into the virtual environment one step removed. Since it cannot make changes, it is the perfect tool to instantly see the health of your environment without giving direct access to vCenter. Unfortunately, this still implies you need to give access to vCenter to each user or organization using this tool, but it only needs to be Read-Only access (which is appropriate) on the objects you want vCenter Operations to see.

One solution to the RBAC problem is to use the HyTrust Appliance instead of vCenter’s built-in RBAC, which gives you a central location to manage permissions based on directory server delivered roles (based on groups of users instead of individual users). You can restrict to what objects a user can gain access using HyTrust in a much more logical and understandable form. Very much like how you use Active Directory today.


vCenter Operations Standard is very well integrated into vSphere via the vCenter plugin and the vCenter Operations virtual appliance. Actually, I find this tool most helpful for drilling down when a problem exists. While the look and feel is different than the vSphere Client, I personally like it, as it allows me a simple way to see conservatively gigabytes of metrics per VM, host, and other objects easily. With 500 or more VMs, ease of viewing the data is crucial. The current integration works well to do just this. I however think the 500 VM limit is too low, as I see this tool being used by more than just the virtualization administrator but by the Network Operations Center and huge monitors that everyone can see.

There is only a few options I would like to see. Instead of drilling down from the host directly to the VM I would like the option to drill down to the Resource Pool or Folder then the VM. This way I could see the health of my Resource Pools as well as the VMs within them. Since Resource Pools can limit resources, this extra ability would be extremely useful to determine if my pools are sized properly.

Unfortunately, with vCenter Operations Advanced and Higher, there are bundled tools Capacity IQ and Configuration Management that do not integrate well into vCenter Operations yet. It would be very useful if there was some integration, minimally the ability to launch the other consoles if there is a problem area or desire to see those areas. It would also be extremely useful for vCenter Operations Alive to be able to make use of the Capacity IQ and Configuration Management data as another comparison of Capacity and Health.

Perhaps another option to determine if Health within vCenter Alive is inline with the Capacity IQ capacity model, or include into Health how different an object is from the configuration of the object.

Integration will come over time we can only hope.


vCenter Operations does provide a secure mechanism to access virtual environment status information without a need for direct access to vCenter. In fact, any implementation of vCenter Operations should consider this as part of the security design. You can do this by allowing access to the vCenter Operations web interface, but limit access to everything else within the management network. Yes vCenter Operation’s virtual appliance should live within your protected virtualizaiton administrative network.

vCenter Operations Standard or Advanced with its Alive functionality could be used by a network operations team as well as management to gain a view of how well the environment is doing and if there is a problem place the call to the virtualization administrators. I see this tool being displayed on large monitors for all to see, then used locally to drill down into problem areas.

Lastly, I would like a mechanism to apply corrective actions from within vCenter Operations so that not only can I monitor, but I could automatically or by approval fix common problems that vCenter Operations finds. vCenter Operations could be a step towards Dynamic Resource Load Balancing.