VCP7-CMA Section 5 Objective 5.2 Create and Manage Fabric Groups, Reservations and Network Profiles

Create and configure a fabric group & Select compute resources to include in the fabric group

The fabric includes all the compute resources that are discovered by endpoint data collection. The fabric is organised into fabric groups for provisioning.

As detailed in section 2.1 The fabric is accessible by all tenants and as such Fabric Group resources can be made available to users who belong to business groups in all tenants. In most scenarios it would be common for the Fabric (Endpoints and Fabric Groups) to be configured in the default Tenant and Tenants access the fabric through reservations.

To clarify, if we have 3 Tenants. Tenant A, Tenant B and Tenant C and the IAAS Administrator of Tenant C created a Fabric Group within Tenant C, then that Fabric Group would be also be available to Tenant B & Tenant A. Commonly this is why the IAAS Administrator, System Administrator and possibly the Fabric Administrator role would belong to a member of IT and the Fabric Groups would be created in the Default Tenant.

To Create a Fabric Group you need to be an IAAS Administrator, this maybe confusing as there is a Fabric Administrator role and it would seem Logical that the Fabric Administrator would create a Fabric Group, however that is not the case.

As we have an IAAS Administrator (Infrastructure Admin) the Infrastructure Admin creates a Fabric Group which is essentially a logical group of infrastructure, if we look at it that way it makes more sense. The IAAS Administrator  (Infrastructure Admin) is responsible for creating groups of infrastructure where as the Fabric Administrator is assigned to that group of infrastructure (Fabric Group) to manage amongst other things who has access to that Infrastructure group.

I will reiterate again that learning the vRA roles is very important (details in section 2.1)

To create the Fabric Group, log in as an IAAS Administrator browse to the Infrastructure Tab Select Endpoints>Fabric Groups>New


Since I only have a single compute resource configured in my lab (vCenter) then I can only select this compute resource. Assign a Fabric Administrator and give a Name to the Fabric Group.

  • If you’re following along in your lab and the compute resource section is blank despite adding an Endpoint then check for this issue.

Configure compute resource Data Collection

Depending on your setup, you may need to log in and out of the tenant to be assigned the Fabric Administrator role. The Required Tabs wont appear until you have done this.

As the Fabric Administrator you will gain a number of new options within the Infrastructure TAB where you can manage the Fabric Group resources you are now responsible for.

Under Infrastructure > Compute Resources > Compute Resources

We can now see the Compute Resources from the Fabric Groups we are responsible for


Ensure that Data Collection is working by clicking the magnifying glass and viewing the info of that compute resource


You can kick off data collection for the compute resource if the info fields haven’t populated by clicking the right facing arrow and selecting Data Collection.


Here we can configure the default Data Collection frequency. By default Inventory, Performance and Network Security Inventory are done daily. It’s worth changing these times to match the requirements of your environment. Keep in mind the impact of collections performed too regularly. As my lab environment is very small I have set my collection times to every hour, you could also come here to request immediate data collection if required


  • If you’re following along in your lab and Data Collection isn’t working on your compute resource then check for this issue.

Create a vSphere reservation & Assign a business group to the vSphere reservation

Reservations are created by the Fabric Administrator, They are a share of provisioning resources allocated by the fabric administrator from a fabric group and reserved for use by a particular business group.

Each Reservation is for a single business group, a business group can have multiple reservations.

A reservation is a share of the memory, CPU, networking, and storage resources of one compute resource allocated to a particular business group. If we had a vCenter with a total of 96GB of RAM available and 3 Business Groups, we could create 3 reservations on the same compute resource, 1 reservation for each Business Group and assign each reservation 32GB of RAM, so each business group has 32GB of RAM available. vRA reservations are different to vSphere reservations, in that vRA reservations are about what resources are AVAILABLE to a business group rather than guaranteeing that resource to a business group.


Create a reservation under Infrastructure>Reservations>Reservations using the Fabric Administrator role.


Select the appropriate vRA resource you want to create a reservation on.


On the general Tab, give the reservation a Name, select which Tenant you wish to create the reservation for. Remember that Fabric and Fabric Groups are available to all tenants, as a reservation links Fabric Groups to Business Groups, it makes sense that a reservation can be created in Tenant A for a Fabric Group in Tenant B.

Reservation policies are a way to guarantee that the selected reservation satisfies additional requirements for provisioning machines from a specific blueprint. For example, if a blueprint uses a specific VM Template, you can use reservation policies to limit provisioning to a reservation linked to a vCenter endpoint that has that VM Template available.

Select the Priority, if the Business Group is provisioning a machine and has multiple vCenter reservations then this priority will set the provisioning preference.

Ensure that the reservation is enabled.

On the resources tab, select the Compute Resource you wish to create a reservation for and complete the required fields

The Machine Quota field limits the number of Machines (VMS) that can be provisioned using this reservation.


The Network tab contains information relating to which networks (port groups) are available to the business group when provisioning virtual machines, This will be explained in the network profile types objective below., for now I just selected a single port group.

The properties tab is where we can assign custom properties to the reservation, custom properties are covered in section 1.1

Once a reservation is assigned to a Business Group we can see the business groups quota allocation used from Administration>Users & Groups>Business Groups


Create a vCloud Air Reservation

vCloud Air Reservations are created in the same manor as vCenter reservations with the exception that you select vCloud Air from the vRA Resource Types.

Create and configure network profile types

First and foremost there’s a really good blog post from VMware on use cases for Network Profiles here.

  • External network profiles

Essentially an External Network is a pre-existing subnet within your environment that can be VXLAN\VLAN backed, it’s already deployed and an IP range is already assigned to the network. The Network Profile will specify the existing gateway of that subnet, the subnet mask and the available IP range on that network.

  • NAT network profiles

Used when deploying networks with overlapping IPs, dynamically provisioning an NSX edge to NAT to these networks externally. You need an external network profile (next hop network) in order to create a NAT network profile, the specified external network will be where the newly deployed NSX edge GW will attach it’s Uplink, all other provisioned networks will be attached to an NSX LIF.

  • Routed network profile

When deploying networks behind a pre-existing NSX DLR and wanting those networks to dynamically route out an up stream NSX Edge. You need an external network profile (next hop network) in order to create a routed network profile, the DLR will use the GW IP specified in the external network profile to distribute the new network routes to.

Network Profiles are created within Infrastructure>Reservations>Network Profiles


Select the profile type you want to create, here we are selecting External Network

Complete the required tabs





Network Ranges


Once this has been completed we can assign it to a network within a business group reservation from the Network tab, a machine provisioned using this reservation resource on the 168_DATA network will now receive it’s IP settings from the 168_DATA_NP network profile.


In order to create NAT & Routed network profiles you really need to have an understanding of what you’re trying to achieve, I will link another blog about NAT & Routed Network Profiles and how it relates to my lab environment later, this should hopefully help the concept of these profiles stick.

Create and configure machine prefixes

Machine Prefixes are used to generate names of provisioned machines and are shared across all tenants. Fabric administrators are responsible for managing machine prefixes. Every business group has a default machine prefix and every blueprint must also have a machine prefix, if no prefix is specified in the blueprint it will use the default prefix specified in the business group.

Machine Prefixes relating to Blueprints is covered in Section 1 Objective 1.1

You specify a number of digits to each prefix and then the next number. With a machine prefix of DLVRA a number of digits of 3 and then the next number of 1, the first Machine provisioned will be DLVRA001 and the next DLVRA002 and so on.

Prefixes are created under Infrastructure>Administration>Machine Prefixes by the Fabric Administartor


Ensure that all business groups have been assigned a Default Prefix, Machine prefixes was also covered in Section 2.3


VCP7-CMA Section 5 Objective 5.1 Create and Manage VMware Endpoints

Create and configure a vSphere Endpoint

A vSphere endpoint enables vRealize Automation to provision virtual machines against the resources managed by a vCenter Server instance.

There must be a proxy agent installed for EACH vCenter server you intend to add as an endpoint.


To Install the proxy agent. On a Windows Server browse to the vRA appliance and select the “vRealize Automation Component Installation Page”


Then select the IaaS Installer


Open the installer, accept the license and then proceed through the installation. Set the Appliance host name and the ROOT username and password details to access the VAMI page


Select Proxy Agents to install


Set the user with which the Windows Service will run under.


Select the vSphere agent type and complete the required fields. The Manager Service host and Model Manager web Service host will be running on an IAAS server. Depending on your deployment model this maybe the same server


Note that the Endpoint name must MATCH the value we give in vRealize Automation.

Add the endpoint and then let installation continue and complete.


We can now see the service running on the Windows Server we installed the proxy agent on.


The service shows the SERVICE name and not the ENDPOINT name we specified.

FYI you specify a vSphere proxy agent for a vCenter during the installation of vRA, I had forgotten what I called my endpoint and subsequently thought it was worth running through this process for study purposes

I stopped the other proxy agent that was running on my IAAS box


To Add a vSphere Endpoint to vRA you need to have the IAAS Administrator role assigned to your user.

Browse to the Infrastructure TAB and Select Endpoints.

Select new and browse to Virtual > vSphere (vCenter)


Complete the fields ensuring that the NAME section matches the ENDPOINT name of the proxy agent configured above. I’m using my DLIAASSVC service account to connect to vCenter.


Add a vRealize Orchestrator endpoint to vRealize Automation

The vRA Appliance has an embedded Orchestrator Appliance that can be used in smaller deployments or you can configure an external Orchestrator appliance\cluster in larger deployments.

The tenant administrator can configure tenant specific Orchestrator settings under Administration tab > vRO Configuration> Server Configuration.

Here you can choose to use the default Orchestrator Server that was configured by the system administrator in the default tenant, this will be the embedded Orchestator appliance out of the box. Or you can configure an external Orchestator server


As I havent configured the default tenant to use a different Orchestator appliance I am using the default Orchestator server in my lab which is the embedded Orch Appliance by default.


You can browse to the default Orchestrator Control center using the standard orchestrator ports, although known that the control center service is stopped by default.


If you browse to the vRA splash page you can launch the Orchestrator client


The Orchestrator client opens using port 443 on the vRA appliance and not 8281 and the default login for the Orchestrator client is the same system administrator account you’d use to access the default tenant “administrator”

You will still need to add the vRealize Orchestrator Appliance as an Endpoint even if you’re using the embedded appliance.

Logged in as an IAAS Admin

Browse to the Infrastructure TAB and Select Endpoints.

Select new and browse to Orchestrator > vRealize Orchestrator


Enter the name and optionally the description.

The address for the embedded vRO appliance will be https://VRAFQDN:443/vco

As I’ve not configured my Orch appliance to be integrated with AD yet i’m using the default vRO username and password which is the same credentials used to log in to the default vRA tenant.

There is a priority option, if you have multiple Orch endpoints this priority option will help vRA determine which vRO appliance to execute the workflow from. The highest priority Orch endpoint will be used first, then subsequently the next highest priority if no others are available.

Lower values mean higher Priority, in older versions of vRA the same could be achieved by setting the VMware.VCenterOrchestrator.Priority property on the vRO endpoint Properties tab, the property is case sensitive.


At this point vRA knowns about vRO & vCenter (vSphere)

However as vRO does all the heavy lifting when it comes to Automation, vRO also needs to know about vCenter & vRA. Configuring vRA & vCenter settings in vRO is covered in Section 6 however as this Section covers endpoint configuration, you can configure some vCenter vRO settings within vRA.

You can create a vSphere endpoint for vRealize Orchestrator in vRA by going to Administration tab > vRO Configuration > Endpoint


Give the endpoint a name, matching it to the vRA endpoint name


Set the vCenter hostname


Set the user name of the user that Orchestator will use to connect to vCenter. I have created a vRO service account. So all actions performed by vRO can be traced under this vRO Service Account. It has Administration privledges and global admin privledges


Adding the endpoint through vRA kicks off the vRO “Add a vCenter Server Instance” worflow. Essentially here vRA is calling a vRO API to run the workflow, running this workflow directly through vRO is covered in Section 6.4

Once this has been completed, we can see in the vRO inventory that the vCenter has been added to vRO and we can now run vRO workflows against the vCenter from vRA


Configure the NSX plugin in vRealize Orchestrator

Some of this section seems to be covered in Section 6 objective 4 “Install and configure NSX plugin” so I wont included the installation of the plugin here. See section 6.4 for those details.

With the NSX plugin installed, run the workflow under Libary>NSX>Configuration> Create NSX endpoint


This will add NSX as an endpoint in vRO, enter the workflow input parameters required to connect to NSX Manager


Troubleshot if required, successfully running the workflow will show NSX manager in the vRO inventory.


Integrate vRealize Automation with NSX

To Add an endpoint in NSX you will need the IAAS Administrator role assigned to your user account.

Browse to Infrastructure>Endpoints>New


Complete the required fields and add the NSX endpoint



Perform data collection in vRealize Automation

This is done by the IAAS Administrator under Infrastructure>Endpoints select the vRO appliance and then start Data Collection.


Configure NSX Network and Security for the vSphere endpoint

This is done by the IAAS Administrator under Infrastructure>Endpoints, within the vSphere vCenter endpoint, under the associations tab.

Assign the appropriate NSX manager to the correct vCenter


Adding the NSX association on the vSphere Endpoint will automatically add the vCenter endpoint to the NSX Associations.

Create and configure a vCloud Air Endpoint

This is done by the IAAS Administrator under Infrastructure>Endpoints, select new and under cloud select vCloud Air, complete the required information to add the vCloud Air endpoint.



VCP7-CMA Section 2 Objective 2.4 Manage User and Group Role Assignments

Explain the roles available to vRealize Automation

The roles available in vRealize Automation have been detailed in my blog post on Section 2 Objection 2.1

I would reiterate that learning the differences between these roles is an essential part to passing the VCP7-CMA exam

Assign roles to individual users for a given design & Assign roles to directory groups for a given design

Under the administrator tab > Users & Groups > Directory Users & Groups you can search for a directory user or group that has sync’d with vRealize Automation (as detailed in Objective 2.2) and assign roles to these users or groups .

Search for the user or group you wish to assign roles to.


Click on the user or group and assign the roles you wish to assign to the user or group



Create vRealize Automation custom groups and assign roles

To create a custom group under Administration Tab > Users & Groups > Custom Groups > New. Select the roles you wish to assign to the Custom Group.

The “Authorities Granted by Selected Roles” will show you the overall privileges of the Custom Group


When creating a LAB and to get yourself familiar with vRA you may want to create a god role and assign all Roles to the “god” custom group. Whether this is beneficial for the exam is debatable as learning the privileges assigned to each role is important for the exam.

You can then add directory users/groups or local tenant users to the Custom Group



vRO vMotion VM to SDRS Datastore cluster and inflate disk

The following can be used to vMotion a machine to an SDRS Datastore Cluster, inflating the disk to Lazy Zero at the same time (done by VcVirtualMachineRelocateTransformation.flat)

Create two input parameters. vMotionVM of type VC:VirtualMachine & a parameter name SDRSCL of type VC:StoragePod

The output parameter will be myVcTask of type VC:Task

var storageSpec = new VcStoragePlacementSpec();
var StorageResourceManager = vMotionVM.sdkConnection.storageResourceManager;
var myStoragePlacementResult = VcStoragePlacementResult();
var myKey = new Array();
var podSelectionSpec = new VcStorageDrsPodSelectionSpec();
var relocateSpec = new VcVirtualMachineRelocateSpec();
relocateSpec.transform = VcVirtualMachineRelocateTransformation.flat;

podSelectionSpec.storagePod = SDRSCL;

storageSpec.type = "relocate";
storageSpec.vm = vMotionVM;
storageSpec.podSelectionSpec = podSelectionSpec;
storageSpec.relocateSpec = relocateSpec

myStoragePlacementResult = StorageResourceManager.recommendDatastores(storageSpec);

myKey[0] = myStoragePlacementResult.recommendations[0].key
myVcTask = StorageResourceManager.applyStorageDrsRecommendation_Task(myKey);

VCP7-CMA Section 2 Objective 2.3 Create and Manage Business Groups

Configure business groups for a given design


To understand the requirement of a business group you need to understand a little about the vRA fabric. In vRA, infrastructure resources you can perform actions on are called Endpoints (see Objective 3.4) for instance a vCenter is an endpoint because we can provision VMs to it etc. (other endpoints could be AWS, Hyper-V or things like NSX as we can create vxlan portgroups or vRO as we can start workflows)

If you have Multiple vCenter endpoints you may want to group these together in a Fabric Group because the same administrator is likely responsible for all vCenters, a fabric administrator can then be assigned to this fabric group. As you may have a different administrator (or maybe developers) who are responsible for vRO, you may want to group these vRO endpoints in a different Fabric Group so you can assign a different fabric administrator

Once a fabric group is created that contains endpoints (defined as compute resources) a fabric administrator will grant access to these compute resources\endpoints by defining a reservation. The reservation will be specific to a business group and define the relationship between the business group and the compute resource\endpoint within the fabric group. This allows business groups to consume the compute resource\endpoint and allows the Fabric administrator to put a restriction on the amount of endpoint resource that can be consumed by that business group


Catalogue items are also scooped to a business group through entitlements.

The “My Goals”  Wizard lists tasks which are useful to complete before creating a  business group. These can be found under My Goals>Tenant Configuration




We have already created a Directory service that allows us to assign directory users to a business group (in the case of my lab Active Directory LDAP) in Objective 2.2 

We will detail the creation of Custom Groups in Objective 2.4

We will also configure Users & Groups in Objective 2.4

Configuring Branding is not specifically called out in any Objective, and isn’t a requirement for a business group, I will come back and visit this in Objective 2.1 managing tenants.

Adding and configuring a notification provider (specifying an email server) is also not covered in any objective within the exam blueprint but is covered below as business group managers will receive emails from the business group



Adding Notification Providers is done by the Tenant Admin role

To Configure Notification providers click on the link in My Goals>Tenant Configuration>Configure Notification Providers or browse to Administration > Notifications > Email Servers

You will need to set an in going and outgoing email server, my vRA appliance has access to the internet and since I dont have an exchange server i’m using my ISP settings to configure the provider!


Business Groups are created by the Tenant administrator under Administration > Users and Groups > Business Groups.



Custom Properties are covered in Objective 1.1 and can be assigned to a business group.

There’s a good blog here on Active Directory Policies, no need to re-write the wheel!
Add users and groups to appropriate support roles for a given design


A business group must have at least one business group manager, who monitors the resource use for the group and can be the approver for catalog requests.

Lets assume a development team has their own business group, a developer, who will be a business group user, has an entitlement to a catalogue item that allows them to provision a virtual machine to any of the endpoints that the business group (development team) has a reservation too.

The business group manager, who is likely to be the development team manager or team leader, can be set as  an approver of that catalog item request and the virtual machine wont be provisioned until the development team manager has approved the developers request.

It’s good to have this ability to approve requests as only the business group manager has access to monitor resource usage within their business group.

The business group manager will also create and manage entitlements to catalogue items for their business group.

The details of all vRA roles are found on my Objective 2.1 blog

Determine and select the appropriate machine prefix for the business group

Creating machine prefixes is described in Section 5 objective 5.2

Once a machine prefix has been created, you can set the default Business group machine prefix on the infrastructure tab of the Business group. When a virtual machine is provisioned by a user within the business group the default pre-fix will be used to form the VM name based on these settings. This does not stop a different pre-fix from being assigned within a catalogue blueprint & the default business group machine pre-fix can also be changed at any time.

If the pre-fix is changed, it will only affect new Virtual Machines being provisioned and will not change the name of virtual machines that have already been provisioned!


The active directory container option is for WIM provisioning only, if you don’t intend to use WIM Provisioning to build Windows Servers then stick with the Active Directory Policies on the general tab to define the destination OU of provisioned VMs, however for the exam it’s good to know the difference between the two options.

The AD Container option expects an active directory DN name in the form of



VCP7-CMA Section 2 Objective 2.1 Create and Manage Tenants

  • Create a new tenant for a given design

VMware Docs link

Out of the box a default tenant named vsphere.local is created, which is accessed via the https://myvraserver.mydomain.local/vcac/ url. You log into the default tenant using the System Administrator role with the username administrator and the password set for the system administrator account during the installation of vRA.


Once inside the default tenant you will see the default tenant listed under the tenant section, any  new tenants created will also be displayed here.


All new tenants are created inside the default tenant by the system administrator


To create a tenant select new and fill in the details required


click submit and next to proceed to creating a Local User or Users for the new tenant, these local users are specific to the new tenant, you don’t have to create local users at this stage to complete creating the tenant however you wont be able to log into the new tenant if you dont!

If you want to use directory users, you must create the local user(s), assign them/it as tenant and iaas admins, log into the new tenant with the new local user, setup the identity source, log back into the default tenant with the system administrator account, edit the new tenant, add the domain users or groups as the tenant and iaas admins!

Then you will be able to log into the new tenant as a tenant/iaas admin to start the configuration of the new tenant.


Assign the roles of Tenant Administrator and IaaS Administrators if required, you don’t have to assign these roles at this time to finish creating the new tenant, however you wont be able to log into the tenant if you dont assign these roles to a local user. Once you have configured an identify source we can come back into the default tenant and add directory users and\or remove the local user(s) from these groups.


It’s important to understand that privileges of the IaaS administrator role are NOT tenant specific. The IaaS administrator role is System Wide, so even though our new local user “danlab” is specific to the danlab tenant, this user has system wide IaaS privileges.

This is because the Infrastructure Fabric is available to all tenants. Depending on how you want your architecture configured you may want an IaaS administrator per tenant to configure endpoints, and have fabric groups per tenant as shown below


However I would say in the majority of vRA architectures it’s more common to see the below with System Administrator, IaaS Administrator and Fabric roles assigned to members of IT within the default tenant with Tenants then having access to that infrastructure via Fabric Groups

single iaas

  • Create, add, and manage local users

Creating local users for a tenant can be done inside the default tenant by the system administrator as described above.

  • Configure administrative access and describe privilege level differences between roles

There are many Roles within vRA, each role having different privileges. 2 roles are system wide  (System Administrator role and the IaaS Administrator role) and having the following provileges

system wide

The remaining roles are Tenant Specific




tenant 4

I would say learning the differences in these roles is very important for the exam, little more than hands on experience will help you with this. For that that are creating a vRA lab to study, you may want to assign yourself “god” permissions. The only way to do that is to create a custom group

Inside the new Tenant, select Administration>Custom Groups> Create a new custom group, give it a Name, Assign ALL Roles to the group, then on the members tab select your local user (or directory account if you’ve already added a directory service)

Once the account is created, log out of vRA and back in for the permission changes to take affect.


  • Determine the unique URL used to access the tenant

The unique URL is set during the creation of the tenant. When creating my tenant i specified the URL danlab as can be seen below.


So my tenant will be access via


Note that this is different from the default tenant which is accessed via


Assume we created a third tenant named test1 with a URL of test1 and a forth tenant named test2 with a url of test2bob then access would be as follows

default tenant – https://myvraserver.mydomain.local/vcac/

danlab tenant – https://myvraserver.mydomain.local/vcac/org/danlab

test1 tenant – https://myvraserver.mydomain.local/vcac/org/test1

test2 tenant – https://myvraserver.mydomain.local/vcac/org/test2bob


vRO Remove CD ROM Workflow

The following can be used to remove a CDROM drive from a powered on Virtual Machine using vRO, vRealize Orchestrator.

Paste the following into a Scriptable task and create an input Parameter of type VC:VirtualMachine called workflowVM


var configSpec = new VcVirtualMachineConfigSpec();
var deviceConfigSpecs = new Array();
var deviceConfigSpec = new VcVirtualDeviceConfigSpec();
var devices = workflowVM.config.hardware.device;

for ( var ii in devices) {
var device = devices[ii];
if ( device instanceof VcVirtualCdrom) {
deviceConfigSpec.device = device;
deviceConfigSpec.operation = VcVirtualDeviceConfigSpecOperation.remove;
deviceConfigSpecs.push (deviceConfigSpec);
configSpec.deviceChange = deviceConfigSpecs