VMware has just announced a major update to its flagship product: vSphere 7 Update 2. This information was under NDA until today, so you are most likely among the first to read it. In this post, we cover the new virtual hardware version 19, the new vSAN release, the security enhancements, and new features such as the key provider built into vCenter Server and ESXi, which finally lets you encrypt vSAN and your VMs without a third-party product.

Let's start with the security features, which will most likely make customers and IT admins, including those running home labs, very happy. VMware introduces the vSphere Native Key Provider, which removes the need for an external Key Management Server (KMS) before you can use encryption across vSphere.

VMware vSphere native key provider

Many admins simply could not use an external KMS, or did not take the time to set one up properly, as some of the lower-cost KMS products have quite complex setups.

As you know, before you can start with VM encryption, vSAN encryption, or a virtual TPM for workloads, you must have a key provider configured.

In previous releases of vSphere, that meant buying third-party software: you had to add an external Key Management Server (KMS) to your vSphere environment as a standard key provider.

With vSphere 7 Update 2, this changes. VMware now provides a native key provider, available out of the box without an additional license. The Native Key Provider is built into vCenter Server and distributes its key material to the ESXi hosts in the cluster. Combined with ESXi key persistence (hosts with a TPM 2.0 keep the keys locally), encrypted VMs can start even when vCenter Server is unavailable.

With the Native Key Provider, you can easily add a layer of security for data at rest. You can still use an external KMS if you want to, and customers who already use one can continue to do so. One caveat: the Native Key Provider's key derivation key lives only in vCenter Server, so back it up (vCenter requires you to export it to a password-protected file before the provider can be used) and keep vCenter backups current; without that backup, losing vCenter means losing access to every VM encrypted with it.

VMware vSphere native key provider

Another area that is now more secure, and that many admins will be able to use, is the ESXi configuration itself. On a host with a physical Trusted Platform Module (TPM 2.0) chip, ESXi encrypts its configuration and seals the encryption key in the TPM. Note what this protects: not the entire boot disk, but the configuration archive, which holds the host's secrets and key material. Someone who pulls the boot device and mounts it on another machine cannot read that configuration, because the TPM that holds the key stays with the server.

This matters when servers are replaced: the disks leave with their secrets already protected. The feature is enabled automatically if the host has a TPM 2.0 chip enabled in the firmware; without one, ESXi still encrypts the configuration but derives the key from host identifiers, which is weaker. Many servers accept an add-on TPM module, so you can also buy a chip and install it yourself.
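To check, from PowerCLI, the prerequisites behind the two features above (a default key provider for the Native Key Provider section, and TPM presence, attestation and configuration encryption mode for this one), here is an added audit script. It is not code from the original post or from VMware. It assumes PowerCLI 12.x with an active Connect-VIServer session to vCenter Server 7.0 U2, uses the vSphere API objects CryptoManagerKmip, HostCapability and HostTpmAttestationInfo, and reads `esxcli system settings encryption get` through Get-EsxCli -V2 (the property names are assumed to follow the esxcli output fields). The `nativeProvider` management type string and the `-ClusterName` parameter are my assumptions.

```powershell
# Added example, not from the 4sysops post or VMware: audit key-provider and TPM state.
# Assumes an existing Connect-VIServer session to vCenter 7.0 U2 and PowerCLI 12.x.
param(
    [string] $ClusterName   # hypothetical parameter: restrict the audit to one cluster
)

# --- vCenter side: is any key provider registered, and is one of them the default? ---
$cryptoMgr = Get-View (Get-View ServiceInstance).Content.CryptoManager   # CryptoManagerKmip
$providers = @($cryptoMgr.KmipServers)
if ($providers.Count -eq 0) {
    Write-Warning 'No key provider at all: VM encryption, vSAN encryption and vTPM cannot be used.'
}
foreach ($kp in $providers) {
    # ManagementType is assumed to read 'nativeProvider' for a Native Key Provider on 7.0 U2;
    # the property is empty on older vCenter versions.
    '{0,-24} default={1,-5} type={2}' -f $kp.ClusterId.Id, $kp.UseAsDefault, $kp.ManagementType
}
if ($providers.Count -gt 0 -and -not ($providers | Where-Object { $_.UseAsDefault })) {
    Write-Warning 'A key provider exists but none is marked default; encryption tasks will fail.'
}

# --- host side: TPM present, attested, and actually used to seal the ESXi configuration ---
$vmHosts = if ($ClusterName) { Get-Cluster -Name $ClusterName | Get-VMHost } else { Get-VMHost }
$report = foreach ($h in $vmHosts) {
    $cap    = $h.ExtensionData.Capability
    $att    = $h.ExtensionData.Summary.TpmAttestation          # null when vCenter sees no TPM 2.0
    $esxcli = Get-EsxCli -VMHost $h -V2
    $enc    = $esxcli.system.settings.encryption.get.Invoke() # esxcli system settings encryption get
    [pscustomobject]@{
        Host              = $h.Name
        TpmPresent        = $cap.TpmSupported
        TpmVersion        = $cap.TpmVersion
        Attestation       = if ($att) { $att.Status } else { 'n/a' }     # 'accepted' is what you want
        AttestationMsg    = if ($att -and $att.Message) { $att.Message.Message } else { '' }
        ConfigEncryption  = $enc.Mode               # 'TPM': key sealed in TPM 2.0; 'NONE': host-derived key
        RequireSecureBoot = $enc.RequireSecureBoot  # ties the sealed key to the Secure Boot state
    }
}
$report | Format-Table -AutoSize

# The decommissioning benefit only applies when the configuration key really lives in the TPM.
$report | Where-Object { $_.TpmPresent -and $_.ConfigEncryption -ne 'TPM' } | ForEach-Object {
    Write-Warning ("{0}: TPM present but the ESXi configuration is not sealed to it. " +
                   "Check that TPM 2.0 is enabled in firmware and reboot the host.") -f $_.Host
}
$report | Where-Object { $_.Attestation -eq 'notAccepted' } | ForEach-Object {
    Write-Warning ("{0}: TPM attestation not accepted by vCenter: {1}" -f $_.Host, $_.AttestationMsg)
}
```

Key persistence, which lets hosts start encrypted VMs while vCenter is down, is a separate per-host switch on 7.0 U2 that is off by default: `esxcli system security keypersistence enable` on a host whose row above shows a TPM 2.0 and `accepted` attestation.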

VMware virtual hardware 19

This release brings another virtual hardware version with really interesting new functionality. Among the enhancements is the virtual Trusted Platform Module (vTPM). A vTPM does not require a physical TPM on the host. It does require a configured key provider, because the vTPM's state is stored in the VM's encrypted NVRAM file, and the VM must use EFI firmware. The vTPM is now available not only for Windows VMs but also for selected Linux distributions. You configure it when you edit the settings of the virtual machine: Add New Device > Trusted Platform Module.

This feature has existed since vSphere 6.7, but only certain Windows guests, such as Windows Server 2016 (64-bit) or Windows 10 (64-bit), were supported. Linux VMs were not.
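The same operation as the Add New Device > Trusted Platform Module dialog, scripted with PowerCLI and with the preconditions checked first, as an added example that is not code from the original post or from VMware. It assumes PowerCLI 12.x with an active Connect-VIServer session to vCenter 7.0 U2, a default key provider, and a powered-off VM; `$VMName` and `$TargetHardwareVersion` are parameters of this example, and the device is added through the vSphere API's VirtualTPM device type.

```powershell
# Added example, not from the 4sysops post or VMware: add a vTPM to a (Linux) VM.
# Assumes an existing Connect-VIServer session to vCenter 7.0 U2 and PowerCLI 12.x.
param(
    [Parameter(Mandatory)] [string] $VMName,
    [string] $TargetHardwareVersion = 'vmx-19'   # virtual hardware 19 = vSphere 7 U2
)

$vm   = Get-VM -Name $VMName -ErrorAction Stop
$view = $vm.ExtensionData

# Preconditions the UI enforces: powered off, EFI firmware, a default key provider in vCenter.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$VMName must be powered off before a vTPM can be added."
}
if ($view.Config.Firmware -ne 'efi') {
    throw "$VMName uses BIOS firmware; a vTPM requires EFI. Switch the guest to UEFI boot first."
}
$cryptoMgr = Get-View (Get-View ServiceInstance).Content.CryptoManager
if (-not ($cryptoMgr.KmipServers | Where-Object { $_.UseAsDefault })) {
    throw 'vCenter has no default key provider; add a Native Key Provider (or external KMS) first.'
}

# Idempotent: a VM can have exactly one vTPM.
$existing = $view.Config.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }
if ($existing) {
    Write-Host "$VMName already has a vTPM (device key $($existing.Key)); nothing to do."
    return
}

# Raise the virtual hardware version if it is below the target (a vTPM itself needs vmx-14 or later).
$current = [int]($vm.HardwareVersion -replace '^vmx-', '')
$target  = [int]($TargetHardwareVersion -replace '^vmx-', '')
if ($current -lt $target) {
    Write-Host "Upgrading $VMName from vmx-$current to vmx-$target"
    Set-VM -VM $vm -HardwareVersion $TargetHardwareVersion -Confirm:$false | Out-Null
}

# Add the VirtualTPM device through the vSphere API. Adding it also encrypts the VM's
# home files (including the .nvram that stores the vTPM state) with the default key provider.
$devSpec            = New-Object VMware.Vim.VirtualDeviceConfigSpec
$devSpec.Operation  = [VMware.Vim.VirtualDeviceConfigSpecOperation]::add
$devSpec.Device     = New-Object VMware.Vim.VirtualTPM
$devSpec.Device.Key = -1   # temporary negative key; vCenter assigns the real device key

$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.DeviceChange = @($devSpec)
$view.ReconfigVM($spec)    # synchronous; throws if e.g. the key provider is unreachable

# Verify.
$view.UpdateViewData('Config.Hardware.Device')
$tpm = $view.Config.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }
if (-not $tpm) { throw "vTPM was not added to $VMName" }
Write-Host "vTPM added to $VMName (device key $($tpm.Key)). Power on and check /dev/tpm0 in the guest."
```

Inside a supported Linux guest, `ls -l /dev/tpm0 /dev/tpmrm0` and `cat /sys/class/tpm/tpm0/tpm_version_major` (which should print 2) confirm the kernel sees the device; with tpm2-tools installed, `tpm2_getcap properties-fixed` talks to it. Remember that the VM is now an encrypted VM: cloning it or migrating it to another vCenter requires the key provider to be reachable there too.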

VMware tools and virtual Trusted Platform Module for Linux VMs

VMware Time Provider via VMware Tools

It is a new, optional plugin in VMware Tools that can be installed on selected VMs via the custom install option. The Time Provider registers with the Windows Time service (W32Time) as a time provider and feeds it the host's clock through the precision clock virtual device that vSphere 7 introduced, so you no longer have to point each VM at time source servers manually. It is available in VM hardware 18 and higher.

VMware presents the Time Provider as a higher-precision alternative to traditional time sources such as NTP or Active Directory domain time synchronization.
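Because the plugin only helps if W32Time actually uses it, here is an added check script to run inside a Windows guest; it is not code from the original post or from VMware. It assumes VMware Tools installed with the Time Provider feature and a VM that has the precision clock device; the registry name `vmwTimeProvider` and the device friendly name `VMware Precision Clock` are my assumptions, to be verified against your Tools build.

```powershell
# Added example, not from the 4sysops post or VMware: confirm inside a Windows guest that the
# VMware Time Provider is installed, enabled, and is the source W32Time reports.
function Get-VmwTimeProviderStatus {
    # Provider name as I know it from the Tools installer (assumption; check the TimeProviders key).
    $providerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\vmwTimeProvider'

    # 1. The precision clock virtual device: the provider reads the host's clock through it.
    #    Friendly name as shown in Device Manager (assumption; adjust if your build differs).
    $clock = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.FriendlyName -like '*VMware Precision Clock*' }

    # 2. W32Time provider registration written by the Tools custom install.
    $prov = Get-ItemProperty -Path $providerKey -ErrorAction SilentlyContinue

    # 3. What W32Time itself reports as its source and sync state.
    $source = (& w32tm.exe /query /source 2>$null) -join ''
    $status = (& w32tm.exe /query /status 2>$null) |
              Where-Object { $_ -match '^(Source|Stratum|Last Successful Sync Time|Root Dispersion)' }

    [pscustomobject]@{
        PrecisionClockDevice = [bool]$clock
        ProviderRegistered   = [bool]$prov
        ProviderEnabled      = [bool]($prov -and $prov.Enabled -eq 1)
        ProviderDll          = if ($prov) { $prov.DllName } else { $null }
        W32TimeSource        = $source
        W32TimeStatus        = $status
        ProviderKey          = $providerKey
    }
}

$s = Get-VmwTimeProviderStatus
$s | Format-List

if (-not $s.PrecisionClockDevice) {
    Write-Warning 'No precision clock device found: add it under Edit Settings (VM hardware 18 or later) and power-cycle the VM.'
}
if (-not $s.ProviderRegistered) {
    Write-Warning 'Provider not registered: re-run the VMware Tools installer with the custom option and select the Time Provider feature.'
}
if ($s.ProviderRegistered -and -not $s.ProviderEnabled) {
    Write-Warning ("Provider installed but disabled. Enable it and restart W32Time:`n" +
                   "  Set-ItemProperty -Path '$($s.ProviderKey)' -Name Enabled -Value 1; Restart-Service w32time")
}
```

Run it once after installing Tools and again after a reboot: W32Time only picks up a newly enabled provider when the service restarts, and on a domain member you should decide deliberately whether the host clock or the domain hierarchy is the authoritative source, rather than leaving both active.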

VMware Time Provider plugin within the VMware Tools package

VMware vSphere 7 U2 vSAN enhancements

HCI mesh enhancements

VMware vSAN has matured and is now, after many versions, a very robust and reliable product. However, as with any other software product, there are still areas for improvement.

With vSphere 7 U1, VMware introduced the possibility of mounting remote vSAN datastores: a vSAN cluster can consume a datastore served by another vSAN cluster. VMware calls this HCI Mesh.

In vSphere 7 U2, HCI Mesh has been extended to non-vSAN clusters. A compute-only vSphere cluster (hosts without local vSAN disks) can now mount a remote vSAN datastore and run VMs on it. Up to 128 hosts can mount a single remote vSAN datastore.

You don't need any additional license.

HCI Mesh with compute only in vSAN 7 U2

Storage policies are integrated with this feature: when you deploy a VM to a remote vSAN datastore, you assign a storage policy as usual, and vSAN places and protects the VM's objects on the serving cluster according to that policy.

vSAN File services enhancements

The latest version of vSAN brings further enhancements to file services, which were introduced in vSAN 7.0.

  • Support for vSAN stretched clusters and 2-node topologies—previously only standard vSAN clusters were supported, not stretched clusters or 2-node setups.
  • Data-in-transit encryption and UNMAP—the previous release offered only data-at-rest encryption for file shares; encryption of file services traffic in transit and space reclamation (UNMAP) are new.
  • Improved scale, performance, and efficiency—an increased number of shares per cluster and better performance for small file shares.

vSAN 7 U2 file services enhancements

vSAN over RDMA support

New in this release, vSAN can run over RDMA, specifically RDMA over Converged Ethernet v2 (RoCE v2). vSAN detects RDMA-capable NICs automatically and falls back to TCP/IP if the RDMA path is not available.

RDMA offloads the data transfer from the CPU, so CPU usage drops and both the overall efficiency of vSAN and the throughput of vSAN traffic increase. The gains apply to certain workloads, such as sequential reads or random mixed reads/writes.

Only RoCE v2 is supported in this release; RoCE v1 and iWARP are not.

Highly efficient RDMA NICs are automatically detected

Reduced resolution times for isolated environments

The vSphere Skyline Health Diagnostics tool, which normally pulls its updates from the internet, can now be updated offline. This is particularly useful for highly secure, air-gapped environments.

It is provided as a self-service utility so that customers can obtain the latest signature library from VMware, scan their log bundles, and detect issues. Once an issue is detected, they see the same recommendations a cluster connected to the internet would. The tool will also help the VMware support team.

Wrap up

VMware continues to improve vSphere, its flagship product. In vSphere 7 U2, customers will find many small UI enhancements as well as the bigger new features discussed in this post. At the time of writing, we have no information on when this release will be available for download.

© 4sysops 2006 - 2023