VCAP-CMA Deploy – Objective 3.2/3.3

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for the whole of section 3 is to understand how to build governance into your vRA installation.

Objective 3.2 – Implement a Governance Model that Maps to Given Business Needs


This is very much around approval policies so we need to think about how to define a policy & how to consume said policy.

Define a policy:

  • Policy Type
  • Pre
  • Post
  • Conditional
  • Levels
  • Approvers

Consume a policy:

  • Catalogue item
  • Resource action

Policy Definition

Go to Administration, Approval Policies and hit the New button. You’ll be presented with the policy type box. These are fairly self explanatory but in essence they’re split into two categories – Resource Action & Catalogue Item – with the resource type after. In this case I’m firing up a policy for Catalog Item. Give your policy a name & set the status.

Quick note on status. Active & assigned policies cannot be edited to preserve them for auditing. Recommendation if you need to change a policy is to clone the policy & create a new policy. Again to preserve the integrity of the auditing.

Underneath this you can see two tabs, one to define ‘Pre’ approvals & the other to define ‘post’ approvals. The difference between these is:

  • PRE: Approval is required before the item is provisioned
  • POST: Approval is required before the item is presented back to the user

Once you’ve made the decision on when you need your approval to take place, you’ll need to decide if you want to have all requests approved (which may defeat the purpose of building a cloud platform) or if you wish to have items approved if they meet certain criteria such as cost or resource usage.

I’m configuring a fairly typical policy that will request approval before provisioning if a user is requesting more than xGB memory or if more than x CPUs are requested. When doing multiple conditions these can be configured in an AND/OR scenario. I’m doing an OR, so more than 2047MB memory OR more than/equal to 2 CPUs. (Lab environment values :-))

Your next step is to define the approvers. This can be any of the below:

  • Specific Users/Groups (pretty self explanatory)
  • Determine from request (I tend to use this to get the approval from the business group managers)
  • Use an event subscription (Tend to be when the approval will come in from another workflow, Service Now for example)

In this example I’ve gone for the business group manager, and set to anyone can approve (a single approval is enough for this example).


Next on the System Properties tab you can set the items that can be changed by the approver. So I could put CPU & memory on this to allow the approver to drop them down to under the threshold if they chose. I try to avoid this if possible, most people have a reason they’ve requested x, y & z. A conversation tends to be the best way to resolve these things! 🙂

You can also add custom properties to the approval, I’m not at this stage.

Once you’ve created the approval, you can then add another level. This doesn’t take effect until the first level has been approved. Using our example here, the manager approves of the additional resources usage but this means that finance need to approve the additional spend. For this example we’ll leave it at a single level.

Policy Consumption

To enable the approval policy against specified items, edit the entitlement where you need it to take effect.

An approval policy can only be set against a catalogue item or a resource action, not against a service. When you first add the policy to the item, the drop down will only show you policies that are of the same type, but you can change to show all to see all the policies. Often you find that the blueprints you’ve created are composite blueprints and you want to configure an approval policy against say, a virtual machine.

That’s the way to create and consume an approval policy, now onwards to actually approving!

Objective 3.3 – Configure notifications to allow approvers to respond via email

This is split up into two parts:

  • Configure the mail server (inbound & outbound)
  • Activate/Deactivate notification scenarios

The email side of approvals is needed to remove some of the friction from the approval process. Instead of relying on an approver logging into the vRA portal and actioning the approval, they receive an email from which they can click either an approve link or a reject link. This generates an email to the inbound mailbox, which vRA will process. Below is how to configure, although it won’t work in my lab as I haven’t got access to a mail server (Note to self, configure mail server…)

Configure Mail Server

Go to Administration, Notifications, Email Servers and hit the Add button. vRA will then ask if you want to configure the inbound or outbound mail server. The settings underneath are pretty much what you’d expect. I wouldn’t have the inbound mailbox as an account that users can login to, just to ensure that any approvals don’t go MIA.

Notification Scenarios

Once the mail server is configured, click on Scenarios. You’ll notice that they’re all active by default, you can go through and Suspend the notifications that you don’t want to send out. Suspending certain notifications is just as valid as ensuring they are active.

VCAP-CMA Deploy – Objective 3.1

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for the whole of section 3 is to understand how to build governance into your vRA installation.

Objective 3.1 – Manage Multiple Reservations to Meet Business Needs


To reiterate again we need to think about what could be involved end to end so in a scenario where multiple reservations are the answer, what else could be involved?

  • Business Groups
    • Members – Support, Manager, Users
    • Infrastructure – Machine prefixes, AD Config
  • Reservations
    • Business Group
    • Reservation Policy
    • Resources
    • Network
    • Priority

Let’s start with creating a new machine prefix, I like to set each business group up with a default prefix.

Go to Infrastructure, Administration, Machine Prefixes & hit the New button. Fill in the details and remember to click the green tick.

You may also want to consider using an Active Directory Policy. This defines where machine accounts are created when a IaaS machine are deployed. Go to Administration, Active Directory Policies & hit the New button. Fill in the details and hit ok. Once created this can be allocated to a business group.

Then create the business group, Goto Administration, Users & Groups, Business Groups. Fill in the details on each page and hit Finish.

Quick reminder of the business group roles:

Role Name Permissions
Business Group Manager
  • Add/Delete users to the group
  • Assign user roles for the group
  • Create/manage entitlements for group
  • Request/manage items on behalf of other group users
  • Monitor resource usage for group
  • Change machine owner
Business Group Support User
  • Request/manage items on behalf of other group users
  • Change machine owner
Shared Access Role
  • Use/Run actions on resources provisioned by another user
Business User
  • Request catalogue items
  • Manage their own resources

Next up we’re creating the reservation policy, this is basically a tag that can be used to link a blueprint & a particular reservation. Often used if a blueprint has specific hardware requirements or if a tiering strategy is implemented. Go to Infrastructure, Reservations, Reservation Policies & hit the New button. Fill in the details and click OK.

Now all the foundations are in, let’s create the reservation itself. Go to Infrastructure, Reservations, Reservations and hit the New button. You’ll get some options as to what type of reservation you want to create, choose the most appropriate, here we’re going for vSphere.

If you already have a reservation created, you’ll get a drop down at the top to copy the settings across so you can just make the necessary changes. Complete the pages as you would normally for creating a reservation.

If you’ve got multiple reservations assigned to the same business group vRA will use the below list to select which to use first.

  • Does the reservation satisfy the requirements of the blueprint?
    • Hardware
    • Quota remaing
    • Location
    • Platform
    • etc.
  • Lowest priority first
  • If have multiple with same priority – reservation with lowest percentage of quota allocated
  • If multiple reservations have same priority and same quote usage – distributed between reservations using round-robin





VCAP-CMA Deploy – Objective 2.3

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for the whole of section 2 is to understand how to configure vRA to be able to consume resources.

Objective 2.3 -Configure vRealize Automation to consume NSX resources


First thing you’re going to need to do if you want to setup NSX within vRA is confirm that NSX is healthy. Now we won’t be going into depth as this is a vRA exam, but you’ll need to check the basics. For me this is just the dashboard.


Once this is confirmed, next step is to add the NSX endpoint (assuming the vCenter endpoint is already added). Within the endpoint section, add a Networking & Security endpoint, fill in NSX details:


Then you’ll need to associate the NSX endpoint with the vCenter endpoint. You can do this from either the vCenter endpoint or the NSX endpoint. vRA will populate the reverse fixture. However, when removing the association, you’ll need to remove it on both ends.


Once all this is complete, it’s worth checking the data collection to make sure that everything was successful.

vRA allows you to perform a number of different functions with NSX built in. However if you want to do anything out side of these function you’ll need to configure NSX as an endpoint within vRO. Easily enough to achieve this, simply run the Create NSX Endpoint workflow.


Once run, verify in the inventory.



VCAP-CMA Deploy – Objective 2.2

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for the whole of section 2 is to understand how to configure vRA to be able to consume resources.

Objective 2.2 – Create and Manage Storage Profiles


This would seem to cover off two key parts of a storage profile.

  • Where to configure storage reservation policy
  • How to consume those policies

Where to configure storage reservation policy

Infrastructure, Reservations, Reservation Policies. Hit the new button, you can change the type of reservation policy under the ‘Type’ drop down.


Once you’ve created the policy, you can allocate it to a datastore. This means that any disk that is created using that policy, will be created on that datastore.

To assign this, go to Infrastructure, Compute Resources, Edit your resource. Once on this edit page, go to the Configuration tab and edit the datastore you want to assign the policy to.


How to consume those policies

Browse to the blueprint you want to enforce the storage reservation policy on. Under the Storage tab on the Virtual Machine object, you can select the policy.


Hey presto! Not a great deal to this one really, but need to remember that this knowledge is likely to be part of a wider task you’re being asked to do.

VCP7-CMA – Objective 6.4

Disclaimer: These are my notes from taking the 2V0-731 exam. If something doesn’t make sense, please feel free to reach out.

The goal of this objective is be comfortable with installing plugins into vRO and doing the initial configuration. Particular emphasis on VMware products (no surprises!)

Objective 6.4 – Install and Configure Plugins in vRealize Orchestrator

  • Install and configure plug-in in vRealize Orchestrator
    • Install and configure vRealize Automation plugin
    • Install and configure VMware NSX plugin
  • Run configuration workflows in vRealize Orchestrator client
    • Run configuration workflows for vRealize Automation plugin
    • Run configuration workflows for NSX plugin
    • Run configuration workflows for vSphere plugin
  • Determine if a plugin is enabled


Plugins can be downloaded from VMware solution exchange as .vmoapp files ( Then transfer to vRO using WinSCP or similar. The vRA plugin is included in the internal vRO instance. The NSX plugin also needs installing to be able to add the NSX endpoint.

We install the plugins from vRO control center. On the internal instance of vRO the control center service isn’t running by default. SSH to the vRA appliance and run the below command to start the service.

/etc/init.d/vco-configurator start

Once the service has started, browse to https://<fqdn>:8283/vco-controlcenter and login.

Hit the manage plug-ins button, and install the plug-in on the next page. This is the same page you’d come to check if a plug-in is enabled. Scroll down the list of installed plug-ins until you find the item in question, look to see if it’s enabled or not by virtue of the tick box on the right hand side.

Configuration of the plug-in can be done from vRA for a pre-defined set, or vRO for everything else.

From vRA, you’ve these options. Plus AD, which as the message at the top states, I’ve already configured so it’s missing.


To configure a plug-in from vRO, you need to run a configuration workflow. Browse the library to the appropriate place in ‘Run’ view and hit the run button on the configuration workflow.


To confirm that a plugin is configured, browse the inventory in vRO under the relevant plugin. Once expanded you should see a selection of inventory items from that object.


VCP7-CMA – Objective 6.3

Disclaimer: These are my notes from taking the 2V0-731 exam. If something doesn’t make sense, please feel free to reach out.

The goal of this objective is be comfortable with automated certain tasks based on the lifecycle state of a VM.

Objective 6.3 – Configure Virtual Machine Lifecycle Automation

  • Configure automatic post-provisioning actions based on design criteria
  • Configure automatic deactivation of a virtual machine based on condition criteria
  • Configure automated event brokering for different status or event criteria based on design requirements


These all rely on creating vRO workflows based on specific events. Such as:

  • Post-provisioning – Create DNS records, Update CMDB
  • Automatic deactivation
  • Automated event brokering

Workflow states are (snipped straight from Life Cycle Extensibility):

Workflow stubs are due to be deprecated, you should instead use event broker workflow subscriptions.


More details on these:


These can be used as the triggers when creating an event subscription workflow.