November 9, 2021
vSphere 7.0 Update 2 – Key Improvements and New Features
vSphere 7.0 Update 2 is a new release of VMware vSphere. Since the release of VMware vSphere 7.0 in April 2020, VMware has moved vSphere to a six-month release cycle so that customers can use vSphere with the latest hardware and software and receive new useful features sooner. VMware vSphere 7.0 Update 1 was subsequently released in October 2020 and VMware vSphere 7.0 Update 2 in March 2021. VMware vSphere 7 Update 2 is optimized for deploying environments for artificial intelligence and machine learning (AI/ML), provides better performance and user experience, and improves security. This blog post covers the improvements, new features, and other interesting changes included in VMware vSphere 7.0 Update 2 (vSphere 7 U2).
Support for New NVIDIA GPUs
As a result of the partnership between VMware and NVIDIA, support for the NVIDIA AI Enterprise suite was added in vSphere 7.0 U2 to enable businesses to use artificial intelligence (AI) and machine learning (ML) technologies with virtual machines and containers. VMware vSphere 7 U2 supports GPU (Graphical Processing Unit) virtualization and modern graphics adapters powered by NVIDIA to achieve high performance and build a powerful AI-ready enterprise platform.
VMware vSphere 7.0 U2 supports:
- The latest generation of NVIDIA GPUs (including GPUs from the Ampere family and A100 GPU) to provide up to 20X better performance than the previous generation of NVIDIA GPUs
- GPUDirect RDMA for vGPUs for better graphical performance in VMs
- New multi-instance GPUs (MIG) in addition to traditional time-sliced GPUs
- Live migration of MIG vGPU powered VMs with vMotion to enable non-disruptive operations and simplify infrastructure management, and load balancing with DRS
Optimizations for AMD Processors
Optimizations for AMD EPYC processors have been implemented in vSphere 7 U2 to bring higher performance on AMD EPYC platforms and the AMD NUMA (non-uniform memory access) architecture. The design of the AMD-specific CPU scheduler in vSphere was changed in version 7.0 Update 2 to take advantage of the multiple last-level caches. As a result of this architectural optimization, you can use AMD Zen processors on ESXi servers and run more virtual machines and containers with higher performance.
Support for High-Speed Network Adapters
VMware vSphere 7.0 Update 2 provides support for 200-Gbit network adapters for extremely fast network performance. Mellanox ConnectX-6 200G NICs are supported, including Mellanox Technologies MT28908 Family (ConnectX-6) and Mellanox Technologies MT2892 Family (ConnectX-6 Dx) 200G.
Support for USB Network Adapters
With vSphere 7.0 Update 2, you can now install ESXi on a server with only a USB NIC (network interface controller) and get a better user experience. Configuration now relies on a kernel option passed during the ESXi installer boot (press Shift+O to define the options).
In previous versions of vSphere, by contrast, the installation stopped at 81% with the error "No vmknic tagged for management was found", and you had to perform a series of workaround steps to get past it.
Improvements for Running Containers
VMware Tanzu is a family of software products and services to run Kubernetes clusters and deploy containers with containerized applications in vSphere. Tanzu for vSphere has also received a set of improvements.
With Kubernetes 1.19 support, you can now use a new version of Kubernetes with patches and bug fixes. The n-1 pattern is used for Kubernetes support in VMware vSphere releases. For example, at the time of the vSphere 7.0 U2 release with Kubernetes 1.19 support, the latest generally available version of Kubernetes was 1.20. vSphere 7 U2 delivers better support for container registries, providing more security and flexibility.
VMware NSX Advanced Load Balancer Essentials is supported for load balancing network-intensive containerized applications in Kubernetes. As a result, you can use network load balancing in Kubernetes even if you have not deployed NSX. The Supervisor cluster in this new vSphere version is supported with this Tanzu load balancer.
A Higher Level of Security
VMware vSphere 7.0 Update 2 provides great security features on all levels – for interacting with hardware, configuring encryption, running VMs and containers, etc. Let’s look at some of those features.
vSphere Native Key Provider
Before vSphere 7 Update 2, administrators were required to use an external key provider for VM encryption and a vTPM (Virtual Trusted Platform Module) in vSphere. Now you can use vSphere Native Key Provider and configure the key provider and all components to enable encryption in VMware vSphere 7.0 U2 (VM encryption, vTPM, and vSAN Encryption). VMware vSphere Native Key Provider is managed by vCenter and clustered ESXi hosts. The functionality of a Native Key Provider is almost the same as the functionality of a traditional Key Management Service (KMS). VMware Native Key Provider is available out of the box without the need to buy an additional license. As a result, the encryption functionality is now more affordable for vSphere customers.
ESXi Configuration Encryption
The ESXi configuration contains different parameters and secrets that are archived in a boot bank partition. If these files are not protected, an attacker who obtains them can retrieve the configuration of an ESXi host, compromise credentials, and change the configuration. In vSphere 7 U2 the archived ESXi configuration can be encrypted with a key stored in a Trusted Platform Module (TPM).
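As an added example (not code from the original post or from VMware), the following PowerCLI script reports, for every host in a cluster, whether a TPM is present and which configuration encryption mode the host uses, so that hosts whose archived configuration is still unencrypted can be found. It assumes an existing Connect-VIServer session; the cluster name is a placeholder, and the property names read from the esxcli result object (Mode, RequireSecureBoot) are assumed to mirror the field names printed by esxcli system settings encryption get.

```powershell
# Added example, not from the original post: audit configuration encryption
# on every ESXi host in a cluster. Assumes VMware.PowerCLI is loaded and a
# Connect-VIServer session already exists. The cluster name is a placeholder.
param(
    [string]$ClusterName = 'PLACEHOLDER-CLUSTER'
)

$report = foreach ($vmhost in Get-Cluster -Name $ClusterName | Get-VMHost) {
    # Get-EsxCli -V2 exposes the host's esxcli namespaces; the properties read
    # below are assumed to mirror the fields printed by
    # "esxcli system settings encryption get" (Mode is NONE or TPM).
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $enc = $esxcli.system.settings.encryption.get.Invoke()

    [pscustomobject]@{
        Host              = $vmhost.Name
        TpmPresent        = [bool]$vmhost.ExtensionData.Capability.TpmSupported
        ConfigEncryption  = $enc.Mode
        RequireSecureBoot = $enc.RequireSecureBoot
    }
}

$report | Format-Table -AutoSize

# A host that has a TPM but still archives its configuration unencrypted is
# the case worth following up on: its boot bank secrets are not sealed to the TPM.
$report | Where-Object { $_.TpmPresent -and $_.ConfigEncryption -ne 'TPM' } |
    ForEach-Object {
        Write-Warning "$($_.Host): TPM present but config encryption mode is $($_.ConfigEncryption)"
    }
```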
ESXi Key Persistence
Encrypted VMs and virtual TPMs can function even if a key server becomes temporarily unavailable. An ESXi host can persist encryption keys to continue the operation of vTPMs and encryption. In previous vSphere versions, VMs and vTPMs always required access to the key server.
Before the release of vSphere 7.0 Update 2, the behavior was as follows. An ESXi host initially obtained a key and stored the key in the cache. If a key server was unavailable, ESXi could continue to use the key stored in the cache. If the ESXi host was rebooted, then the key was deleted from the cache and the ESXi host had to access a key server to obtain a key.
In vSphere 7.0 U2, encryption keys are persisted in the TPM (if the ESXi host has one) across reboots. If vSphere Native Key Provider is used, key persistence is also supported, and no external key server is required. Note that ESXi Key Persistence is not enabled by default. You can enable this feature in ESXCLI or PowerCLI.
Confidential vSphere Pods
This feature provides extra security for VMware environments with Tanzu Kubernetes. A vSphere Pod is a logical unit that contains a lightweight Linux kernel to run isolated containers with applications inside the guest. Containers run in vSphere Pods when using VMware vSphere. The AMD SEV-ES hardware feature is supported in vSphere 7.0 U2 through Confidential vSphere Pods. AMD SEV-ES encrypts the CPU registers and the guest's memory space so that the hypervisor cannot access them.
Precision Time for Windows
Time synchronization accuracy is improved with the new Precision Time for Windows feature. Using Active Directory and NTP is the traditional practice for time synchronization. However, the time accuracy achieved with these features on virtual machines is not enough sometimes due to jitter and other synchronization issues.
Precision Time for Windows is the new precision time architecture that uses the VMware proprietary channel to synchronize time on VMs with the minimal jitter. The advantages of using this feature are low overhead and the resulting VM-Hypervisor interface with extremely low jitter.
vmwTimeProvider is a new plugin, part of VMware Tools, that is installed on a guest Windows operating system to provide time from the precision clock virtual device. This virtual device gives the VM access to the system time of the underlying ESXi host. The advantage of this approach is that the networking stack is not used, so network latency has no impact on synchronization and time precision. The APIs used to develop plugins such as vmwTimeProvider are published, which enables developers to write their own plugins. Windows 10, Windows Server 2016, and newer Windows versions are supported by the new Precision Time feature.
ConfigStore
The advanced settings of VMware vCenter are now located in ConfigStore. Many settings were moved from esx.conf and other configuration files. For instance, global High Availability (FDM) settings were moved from /etc/opt/vmware/fdm/fdm.cfg.
ConfigStore is the internal storage for different settings. The idea of storing settings in this internal storage is to manage all settings in a single place instead of editing a variety of configuration files. The configstorecli command line utility must be used to change settings in ConfigStore. The workflow to edit the configuration is now the following: first, export the needed configuration to a JSON file, then edit the JSON file locally, and finally upload the edited JSON file to ConfigStore.
Let's look at an example of editing the configuration of a vSwitch in vSphere 7 U2, where editing esx.conf no longer works as it did before.
View configuration of a virtual switch:
configstorecli config current get -c esx -g network_vss -k switches
Export the vSwitch configuration to a JSON file:
configstorecli config current get -c esx -g network_vss -k switches > vswitch.json
Edit the JSON file and save the changes.
Upload the configuration saved in the JSON file to ConfigStore:
configstorecli config current set -c esx -g network_vss -k switches -i vswitch.json --overwrite
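Because the last step overwrites the live configuration, it is worth reviewing exactly which keys the edited file changes before uploading it. The PowerShell function below, an added example that is not from the original post or from VMware, walks the exported JSON and the edited copy and prints one line per differing value; the two sample documents are constructed and do not reproduce the real network_vss export layout.

```powershell
# Added example, not from the original post: review what an edited ConfigStore
# export changes before uploading it with "configstorecli ... --overwrite".
function Get-JsonChanges {
    # Walks two parsed JSON documents and emits one line per differing leaf.
    param([object]$Original, [object]$Edited, [string]$Path = '$')

    if ($Original -is [System.Management.Automation.PSCustomObject] -and
        $Edited -is [System.Management.Automation.PSCustomObject]) {
        # Union of property names so added and removed keys are reported too.
        $names = @($Original.PSObject.Properties.Name) + @($Edited.PSObject.Properties.Name) |
            Sort-Object -Unique
        foreach ($n in $names) {
            Get-JsonChanges -Original $Original.$n -Edited $Edited.$n -Path "$Path.$n"
        }
        return
    }
    if ($Original -is [array] -and $Edited -is [array]) {
        $count = [Math]::Max($Original.Count, $Edited.Count)
        for ($i = 0; $i -lt $count; $i++) {
            $o = if ($i -lt $Original.Count) { $Original[$i] } else { $null }
            $e = if ($i -lt $Edited.Count) { $Edited[$i] } else { $null }
            Get-JsonChanges -Original $o -Edited $e -Path "${Path}[$i]"
        }
        return
    }
    # Leaf (or type mismatch): report when presence or value differs (case-sensitive).
    $same = (($null -eq $Original) -eq ($null -eq $Edited)) -and ("$Original" -ceq "$Edited")
    if (-not $same) { "${Path}: '$Original' -> '$Edited'" }
}

# Constructed sample documents standing in for vswitch.json before and after
# editing; the real network_vss key layout is not reproduced here.
$exported = @'
{ "switches": [ { "name": "vSwitch0", "mtu": 1500, "uplinks": ["vmnic0"] } ] }
'@ | ConvertFrom-Json
$edited = @'
{ "switches": [ { "name": "vSwitch0", "mtu": 9000, "uplinks": ["vmnic0", "vmnic1"] } ] }
'@ | ConvertFrom-Json

Get-JsonChanges -Original $exported -Edited $edited
```

Run it against the file you exported from the host and your edited copy; only the listed paths are replaced by the --overwrite upload.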
Suspend to Memory
A new feature called Suspend to Memory has been released to make the ESXi update process more convenient. When you update ESXi hosts that are members of an HA/DRS cluster in VMware Lifecycle Manager, the hosts must be put into maintenance mode to install the update. In addition, you need to migrate running virtual machines from the host with vMotion before entering maintenance mode. The VMs can be migrated back to the ESXi host after the update is finished and the host exits maintenance mode. As an alternative, VMs can be shut down, but that causes downtime.
Suspend to Memory allows you to suspend VMs to keep their state in RAM instead of migrating or stopping VMs. In this case, you can update faster and don’t waste time spent on VM migration and VM downtime. However, you cannot reboot the ESXi host in this state. For this reason, Suspend to Memory is used together with the ESXi Quick Boot feature to allow the ESXi hypervisor reboot without a reboot of the server hardware. ESXi server hardware must support Quick Boot to use this feature.
vMotion Auto Scaling
Virtual machine live migration can now be performed on 25, 40, and 100 GbE networks more effectively. This functionality leverages the benefits of using modern fast networks and enables you to migrate VMs faster.
In previous vSphere versions, you had to tune vMotion streams, VMkernel interfaces, and drivers of network interface controllers (NICs) manually. The maximum speed of one stream was 15 Gbps, which was optimal for 10-Gbps networks. When using networks faster than 15 GbE, full network bandwidth was not utilized without tuning.
In vSphere 7 U2, vMotion checks the available bandwidth and automatically adjusts (scales) the number of streams to fit the bandwidth of a network adapter connected to a vMotion network. Now, vMotion is optimized for work with modern high-speed networks.
New VMware Tools
VMware Tools 11.2.5 is now available in vSphere 7.0 U2. The features of the new version of VMware Tools are listed below:
- Virtual hardware 19
- Update of OpenSSL to version 1.1.1i
- Upgrade of Perl Compatible Regular Expressions (PCRE) to version 8.44
- GuestStore for Windows VMs is a feature to distribute content for guest operating systems running on VMs by using VMware Tools (without configuring traditional network shares). A GuestStore repository located on a shared datastore is used for this purpose. The maximum size of files stored in the repository is 512 MB.
- Enhancements for the vTPM (a physical TPM is not required). The Virtual Trusted Platform Module can be used for VMs running some Linux distributions.
As mentioned above, VMware Time Provider is included in the new version of VMware Tools.
Features of virtual hardware 19:
- Support for Direct3D 11 in virtual machines
- The maximum number of PVRDMA network adapters is 10
- vSphere High Availability with persistent memory
- vMotion supports PVRDMA native endpoints
- Linux VMs have extended vTPM support
vSAN 7.0 Update 2 Improvements
VMware vSAN 7.0 Update 2 also includes improvements. HCI Mesh can now be used with non-vSAN clusters: a remote vSAN datastore can be mounted to a vSphere (HA/DRS) cluster in your environment that does not run vSAN itself.
Updates for vSAN file services:
- 2-node topologies and vSAN stretched clusters are supported to configure vSAN file services.
- UNMAP and data-in-transit encryption have been added.
- The number of shares per cluster for file services has been increased and performance for small file shares improved.
Remote Direct Memory Access (RDMA) over converged Ethernet v2 (RoCE v2) is now supported. This feature helps increase the speed of vSAN traffic, optimize CPU usage, and improve overall efficiency. Administrators can create file shares on vSAN datastores for client access via NFSv3, NFSv4.1, and SMB protocols.
VMware vSphere Virtual Volumes Statistics
More detailed Virtual Volume (vVol) statistics improve debugging and speed up issue identification in vSphere 7 U2. You can track performance statistics for a specified namespace or all VASA providers. The vvols stats command is used on an ESXi host to get statistics in the command line interface (ESXCLI).
VMware vSphere 7.0 Update 2 provides a variety of useful features including new hardware support, higher security, higher performance, optimizations for VMs and containers, and a better user experience. You can update to the latest version of VMware vSphere to get the latest features and improvements. New security features in vSphere 7.0 Update 2 are great. However, it is recommended that you back up your VMware VMs on a regular basis, as with any other version of vSphere. Download the Free Edition of NAKIVO Backup & Replication and start protecting your virtual machines for instant point-in-time restores when you need them.