VMware is a leader in Virtualization and Cloud Computing, offering solutions for network and desktop virtualization. It has transformed the tech world by moving from physical systems to virtual ones.

As more companies adopt virtual environments to optimize hardware, the need for experts in this field is growing. Organizations rely on skilled professionals to manage and maintain their operations. To find the best talent, companies conduct technical interviews and HR evaluations.

Technical interviews focus on testing a candidate’s knowledge and skills in virtualization. Below are some advanced VMware interview questions and answers on data center virtualization, suitable for candidates with up to 5 years of experience.

These interview questions are grouped into the technical areas given by the section headings below.

Let’s get it started…

VMware Hypervisor Interview Questions

#1. What is VMkernel, and why is it important?

VMkernel is the virtualization interface between a virtual machine and the ESXi host that runs it. It is responsible for allocating the ESXi host's resources, such as memory, CPU, and storage, to VMs. It also carries special services such as vMotion, Fault Tolerance, NFS, traffic management, and iSCSI. A VMkernel port can be configured on the ESXi host on a standard or distributed vSwitch to access these services. Without VMkernel, hosted VMs cannot communicate with the ESXi server.

#2. What is a hypervisor, and what are its types?

A hypervisor is a virtualization layer that enables multiple operating systems to share a single hardware host. Each operating system, or VM, is allocated physical resources such as memory, CPU, and storage by the host. There are two types of hypervisors:

  • Hosted hypervisor: runs as an application on top of a host operating system, e.g. VMware Workstation.
  • Bare-metal hypervisor: virtualization software, e.g. VMvisor (ESXi) or Hyper-V, that is installed directly onto the hardware and controls all physical resources.

#3. What is Virtualization?

The process of creating virtual versions of physical components, i.e. servers, storage devices, and network devices, on a physical host is called virtualization. Virtualization lets you run multiple virtual machines on a single physical machine, which is called the ESXi host.

#4. What are the different types of virtualization?

There are 5 basic types of virtualization.

  • Server virtualization: consolidates physical servers so that multiple operating systems can run on a single server.
  • Network virtualization: provides a complete reproduction of the physical network as a software-defined network.
  • Storage virtualization: provides an abstraction layer over physical storage resources to manage and optimize virtual deployments.
  • Application virtualization: increases the mobility of applications and allows migration of VMs from one host to another with minimal downtime.
  • Desktop virtualization: virtualizes desktops to reduce cost and improve service delivery.

VMware Fault Tolerance (FT) Interview Questions

#5. What is VMware FT?

FT stands for Fault Tolerance, a prominent component of VMware vSphere. It provides continuous availability for VMs when an ESXi host fails. It supports up to 4 vCPUs and 64 GB of memory. FT is very bandwidth-intensive, and a 10 Gb NIC is recommended for configuring it. It creates a complete copy of an entire VM, including storage, compute, and memory.

#6. How many vCPUs can be used for a VM in FT in VMware vSphere 7.0?

In VMware vSphere 7.0, there can be up to 8 vCPUs with the VMware vSphere Enterprise Plus license.

#7. What is the name of the technology used by VMware FT?

vLockstep technology is used by VMware FT.

#8. What is Fault Tolerant Logging?

The communication between two ESXi hosts on which FT is configured is called FT logging. A prerequisite for configuring FT is to configure a VMkernel port for it.

#9. Will the FT work if the vCenter Server goes down?

vCenter Server is only required to enable Fault Tolerance on a VM. Once it is configured, vCenter is not required to be online for FT to work. FT failover between primary and secondary will occur even if the vCenter is down.

#10. What is the main difference between VMware HA and FT?

The main difference between VMware HA and FT is that HA is enabled per cluster, while FT is enabled per VM. With HA, VMs are restarted and powered on on another host after a host failure, whereas with FT there is no downtime because the secondary copy is activated when the host fails.

Virtual Networking Interview Questions

#11. What is virtual networking?

A network of VMs running on a physical server that is connected logically with each other is called virtual networking.

#12. What is vSS?

vSS stands for Virtual Standard Switch. It is responsible for the communication of VMs hosted on a single physical host. It works like a physical switch and automatically detects a VM that wants to communicate with another VM on the same physical server.

#13. What is vDS?

vDS stands for Virtual Distributed Switch. It acts as a single switch across the whole virtual environment and is responsible for providing central provisioning, administration, and monitoring of the virtual network.

#14. What is the maximum number of standard ports per host?

4096 ports per host are available, whether on a standard switch or a distributed switch.

#15. What are the main benefits of a distributed switch (vDS)?

vDS can provide:

  • Central administration of a virtual data center
  • Central provisioning
  • Monitoring

#16. What is the VMkernel adapter, and why is it used?

The VMkernel adapter provides network connectivity to the ESXi host for traffic such as vMotion, IP storage, NAS, Fault Tolerance, and vSAN. For each type of traffic, such as vMotion or vSAN, a separate VMkernel adapter should be created and configured.

#17. What is the main use of port groups in data center virtualization?

Port groups let you segregate network traffic by type, such as vMotion, FT, and management traffic.

#18. What are the three port group types configured in ESXi networking?

  • Virtual Machine Port Group: used for the virtual machine network
  • Service Console Port Group: used for Service Console communications
  • VMkernel Port Group: used for vMotion, iSCSI, and NFS communications

#19. What is VLAN, and why is it used in virtual networking?

A VLAN is a logical configuration on switch ports that segments IP traffic so that each segment cannot communicate with the other segments without proper rules. Every VLAN has a number called the VLAN ID.

#20. What is VLAN Tagging?

The practice of inserting the VLAN ID into a packet header to identify which VLAN the packet belongs to is called VLAN tagging.

#21. What are the three network security policies/modes on vSwitch?

  • Promiscuous mode
  • MAC address change
  • Forged transmits

#22. What is the promiscuous mode on vSwitch?

Promiscuous mode is a security policy that can be defined at the virtual switch or portgroup level in vSphere ESX/ESXi. A virtual machine, Service Console, or VMkernel network interface in a portgroup that allows the use of promiscuous mode can see all network traffic traversing the virtual switch.

By default, a guest operating system’s virtual network adapter only receives frames that are meant for it. Placing the guest’s network adapter in promiscuous mode causes it to receive all frames passed on the virtual switch that is allowed under the VLAN policy for the associated portgroup. This can be useful for intrusion detection monitoring or if a sniffer needs to analyze all traffic on the network segment.

#23. What is the MAC address changes network policy?

The security policy of a virtual switch includes a MAC address changes option. This option affects the traffic that a virtual machine receives.

When the MAC address changes option is set to Accept, ESXi accepts requests to change the effective MAC address to a different address than the initial MAC address.

When the MAC address changes option is set to Reject, ESXi does not honor requests to change the effective MAC address to a different address than the initial MAC address. This setting protects the host against MAC impersonation.

#24. What is the Forged transmits network policy?

The Forged transmits option affects traffic that is transmitted from a virtual machine.

When the Forged transmits option is set to Accept, ESXi does not compare the source and effective MAC addresses. When it is set to Reject, ESXi drops outbound frames whose source MAC address differs from the effective MAC address.
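The three settings in #21 to #24 are resolved per port group: a port group inherits the vSwitch policy unless it overrides a setting. The following Python is an added example, not VMware code or PowerCLI, that models that resolution over a constructed inventory (the switch and port group names are hypothetical) and reports every effective Accept, with an allowlist for a sanctioned sniffer port group such as the IDS case in #22.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# The three vSwitch security settings from #21; each is "Accept" or "Reject".
SETTINGS = ("promiscuous_mode", "mac_address_changes", "forged_transmits")

# Why an effective "Accept" deserves a finding, taken from the behaviour described in #22-#24.
RISK = {
    "promiscuous_mode": "adapter receives all frames on the switch allowed by the VLAN policy",
    "mac_address_changes": "guest may change its effective MAC address (MAC impersonation not blocked)",
    "forged_transmits": "source MAC is not compared with the effective MAC, so the guest can spoof frames",
}


@dataclass
class SecurityPolicy:
    """Switch-level policy; port groups inherit these values unless they override them."""
    promiscuous_mode: str = "Reject"
    mac_address_changes: str = "Reject"
    forged_transmits: str = "Reject"

    def __post_init__(self) -> None:
        for s in SETTINGS:
            if getattr(self, s) not in ("Accept", "Reject"):
                raise ValueError(f"{s} must be Accept or Reject")


@dataclass
class PortGroup:
    name: str
    vswitch: str
    # Per-port-group overrides; a missing key means "inherit from the vSwitch".
    overrides: Dict[str, str] = field(default_factory=dict)


def effective_policy(pg: PortGroup, switches: Dict[str, SecurityPolicy]) -> Dict[str, str]:
    """Resolve what actually applies to a port group: an override wins, else the switch value."""
    base = switches[pg.vswitch]
    return {s: pg.overrides.get(s, getattr(base, s)) for s in SETTINGS}


def audit(port_groups: List[PortGroup], switches: Dict[str, SecurityPolicy],
          allowlist: Optional[Dict[str, Set[str]]] = None) -> List[dict]:
    """One finding per (port group, setting) whose effective value is Accept.

    allowlist maps a port group name to the settings that are sanctioned there, e.g. a
    dedicated IDS/sniffer port group that legitimately needs promiscuous mode (#22).
    """
    allowlist = allowlist or {}
    findings = []
    for pg in port_groups:
        eff = effective_policy(pg, switches)
        for s in SETTINGS:
            if eff[s] != "Accept" or s in allowlist.get(pg.name, set()):
                continue
            source = "port group override" if s in pg.overrides else f"inherited from {pg.vswitch}"
            findings.append({"port_group": pg.name, "setting": s, "source": source, "risk": RISK[s]})
    return findings


# Constructed sample inventory (hypothetical names, not from a real host): vSwitch0 still
# accepts MAC changes and forged transmits, vSwitch1 rejects everything, and one port group
# on vSwitch1 is a sanctioned sniffer target that overrides promiscuous mode to Accept.
SWITCHES = {
    "vSwitch0": SecurityPolicy("Reject", "Accept", "Accept"),
    "vSwitch1": SecurityPolicy("Reject", "Reject", "Reject"),
}
PORT_GROUPS = [
    PortGroup("VM Network", "vSwitch0"),
    PortGroup("Management Network", "vSwitch0",
              {"mac_address_changes": "Reject", "forged_transmits": "Reject"}),
    PortGroup("IDS-Span", "vSwitch1", {"promiscuous_mode": "Accept"}),
    PortGroup("vMotion", "vSwitch1"),
]
ALLOWLIST = {"IDS-Span": {"promiscuous_mode"}}

if __name__ == "__main__":
    for f in audit(PORT_GROUPS, SWITCHES, ALLOWLIST):
        print(f"{f['port_group']}: {f['setting']} = Accept ({f['source']}) - {f['risk']}")
```

On the sample inventory only the VM Network port group is reported, for the two settings it inherits from vSwitch0; the IDS-Span override is suppressed by the allowlist.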

VMware vCenter Server Interview Questions

#25. What are the main components of vCenter Server architecture?

vCenter Server provides a centralized platform for the management, operation, resource provisioning, and performance evaluation of virtual machines and hosts.

When you deploy the vCenter Server Appliance, vCenter Server, the vCenter Server components, and the authentication services are deployed on the same system.

The following components are included in the vCenter Server appliance deployments:

  • The authentication services contain vCenter Single Sign-On, License service, Lookup Service, and VMware Certificate Authority.
  • The vCenter Server group of services contains vCenter Server, vSphere Client, vSphere Auto Deploy, and vSphere ESXi Dump Collector. The vCenter Server appliance also contains the VMware vSphere Lifecycle Manager Extension service and the VMware vCenter Lifecycle Manager.

#26. What is PSC, and what are its components?

PSC stands for Platform Services Controller, first introduced in version 6 of VMware vSphere, which handles infrastructure security functions. It has three main components.

  • Single Sign-On (SSO)
  • VMware Certificate Authority (CA)
  • Licensing service

#27. What are the two main PSC deployment methods?

You can install PSC in VMware vSphere 6.7 in two ways:

  • Embedded
  • External

However, in VMware vSphere 7.0 we can install PSC only in embedded mode; external PSC deployment has been deprecated in VMware vSphere 7.0 and onwards.

#28. What are the different types of vCenter Server deployment?

It has two deployment types up to VMware vSphere 6.7:

  • Embedded Deployment
  • External deployment

In VMware vSphere 7.0 and onwards, External PSC has been deprecated. We can only install PSC in Embedded mode.

#29. What is vRealize Operations (vROps)?

vROps provides operations dashboards for performance analytics, capacity optimization, and monitoring of the virtual environment.

#30. What is vCloud Suite?

vCloud Suite combines multiple VMware components to give a complete set of cloud infrastructure capabilities in a single package, including virtualization, software-defined datacenter services, disaster recovery, application management, etc.

#31. What is the basic security step to secure vCenter Server and users?

Configure vCenter Server to authenticate users against Active Directory. This lets you assign specific roles to users and manage the virtual environment efficiently.

Virtual Storage Interview Questions

#32. What is a datastore?

A datastore is a storage location where virtual machine files are stored and accessed. A datastore is backed by a file system such as VMFS or NFS.

#33. What is the .vmx file?

It is the configuration file of a VM.

#34. What information does the .nvram file store?

It stores the BIOS-related information of a VM.

#35. What is the .vmdk file used for?

A .vmdk file is a VM disk file that stores the data of a VM. It can be up to 62 TB in size in vSphere 5.5 and later versions.

#36. How many virtual disk types are there in VMware?

There are three disk types in vSphere.

  • Thick Provision Lazy Zeroed: every virtual disk is created in this format by default. Physical space is allocated to the VM when the virtual disk is created. It can't be converted to a thin disk.
  • Thick Provision Eager Zeroed: this disk type is used by VMware Fault Tolerance. All required disk space is allocated to the VM at creation time. Creating a virtual disk takes more time than with the other disk formats.
  • Thin Provision: provides on-demand allocation of disk space to a VM. As the data grows, the size of the disk grows. Storage capacity utilization can be up to 100% with thin provisioning.

#37. What is Storage vMotion?

It is similar to traditional vMotion, but in Storage vMotion a VM's virtual disk is moved from one datastore to another. During Storage vMotion the virtual disk type can be changed, e.g. a thick-provisioned disk can be converted to a thin-provisioned disk.

What’s New in vSphere 6.0

#38. What is the VM Hardware version for vSphere 6.0?

Version 11

#39. What is the VM hardware version for vSphere 6.5?

Version 13

#40. What is the VM hardware version for vSphere 6.7 and vSphere 7.0?

Version 14 for ESXi 6.7, version 15 for ESXi 6.7 U2, version 17 for ESXi 7.0, version 18 for ESXi 7.0 U1, and version 19 for ESXi 7.0 U2.

#41. In which version of vSphere was PSC introduced?

The Platform Services Controller (PSC) was introduced in vSphere 6.0. vSphere 6.0 corresponds to virtual hardware version 11.

#42. What is the maximum number of hosts a vCenter Server can manage in vSphere 6.0?

In vSphere 6.0, a single vCenter Server can manage up to 1000 hosts, whether installed on Windows or deployed as the vCenter Server Appliance (vCSA). In vSphere 6.5 and 6.7, 2000 hosts, and in vSphere 7.0, 2500 hosts can be managed by a single vCenter Server.

#43. How many hosts can a cluster contain in vSphere 6.0?

A single cluster can contain a maximum of 64 hosts in VMware vSphere 6.0 and later versions.

#44. What is the maximum number of VMs a single cluster can manage?

A single cluster can manage a maximum of 8000 VMs.

#45. What is VVol?

Virtual Volume is a new VM disk management concept introduced in vSphere 6.0 that enables array-based operations at the virtual disk level. VVol is automatically created when a virtual disk is created in a virtual environment for a VM.

#46. How many licensing options are there for vSphere 6.0?

There are three licensing options for vSphere 6.0:

  • Standard Edition: contains 1 vCenter Server Standard license, Fault Tolerance for up to 2 vCPUs, vMotion, Storage vMotion, HA, VVols, etc.
  • Enterprise Edition: same as Standard Edition, with additional APIs for Array Integration and Multipathing, DRS, and DPM.
  • Enterprise Plus: includes all Standard and Enterprise Edition features, with Fault Tolerance for up to 4 vCPUs and 64 GB of RAM. It also includes the Distributed vSwitch and is the most expensive licensing option of vSphere 6.0.

#47. How much RAM can vSphere 6.0 support at maximum?

It supports up to 12TB of RAM per host in vSphere 6.0 and vSphere 6.5 and 16TB of RAM per host in VMware vSphere 6.7 and 7.0.

Content Libraries Interview Questions

#48. What is a Content Library?

A Content Library is a central repository, shared between vCenter Servers at different geographical locations, where you can store VM templates, ISO images, scripts, etc. and share them between locations.

#49. What are the main benefits of content libraries?

We can create VM templates once and share them with another geographical location without recreating them there. Benefits include sharing and consistency, storage efficiency, and secure subscription.

#50. How many types of Content Libraries are there?

There are three types:

  • Local: a library under local control.
  • Published: a local library whose contents (VM templates, ISO images, etc.) are published for subscription.
  • Subscribed: a library that syncs with a published library.

#51. What are the requirements and limitations of Content Libraries?

A content library has the following requirements and limitations:

  • A single storage backing, which can be up to 64TB in size
  • Maximum of 256 items per library
  • Sync occurs once every 24 hours

#52. What is VMFS?

VMFS is the file system used for VMs in VMware vSphere. A VMFS datastore is responsible for storing virtual machine files. VMFS can also store large files, up to 64TB in size in vSphere 6.0. The latest versions of VMware vSphere use VMFS 6 to store VMs.

VSAN Interview Questions

#53. What is vSAN?

Virtual SAN is software-defined storage, first introduced in vSphere 5.5, that is fully integrated with vSphere. It aggregates the locally attached storage of the ESXi hosts that are part of a cluster and creates a distributed shared storage solution.

#54. What is cold migration?

To move a powered-off VM from one host to another is called cold migration.

#55. What is Storage vMotion?

To move a powered-on VM from one datastore to another is called Storage vMotion.

#56. What are the different configuration options for vSAN?

There are two configuration options for vSAN:

  • Hybrid: uses both flash-based and magnetic disks. Flash is used for caching, while magnetic disks are used for capacity.
  • All-Flash: uses flash for both caching and capacity.

#57. Are vSAN-ready nodes available in the market?

Yes, vSAN-ready nodes such as VxRail 4.0 and 4.5 are available. VxRail combines a minimum of 3 servers that form a cluster and can scale up to 64 servers.

#58. How many minimum servers/hosts are required to configure vSAN?

To configure a vSAN, you should have a minimum of 3 ESXi hosts/servers in the form of a vSAN cluster. If one of the servers fails, a vSAN cluster will fail.

#59. How many maximum ESXi hosts are allowed for vSAN?

64 hosts are allowed to configure a vSAN cluster at maximum.

#60. How many disk groups and max magnetic disks are allowed in a single disk group?

A maximum of 5 disk groups is allowed on an ESXi host that is part of a vSAN cluster, and a maximum of 7 magnetic disks and 1 SSD per disk group is allowed.

#61. How many types of storage can we use in our virtual environment?

  • Direct Attached Storage
  • Fibre Channel (FC)
  • iSCSI
  • Network Attached Storage (NAS)

#62. What is NFS?

Network File System (NFS) is a file-sharing protocol that ESXi hosts use to communicate with a NAS device. NAS is a specialized storage device that connects to a network and can provide file access services to ESXi hosts.

#63. What is Raw Device Mapping (RDM)?

Raw Device Mapping (RDM) is a file stored in a VMFS volume that acts as a proxy for a raw physical device. RDM enables you to store virtual machine data directly on a LUN. RDM is recommended when a VM must interact with a real disk on the SAN.

#64. What is iSCSI storage?

An iSCSI SAN consists of an iSCSI storage system that contains one or more storage processors. TCP/IP is used for communication between the host and the storage array. An iSCSI initiator is configured on the ESXi host. An iSCSI initiator can be hardware-based (either dependent or independent) or software-based; the latter is known as an iSCSI software initiator.

#65. What is the format of iSCSI addressing?

iSCSI targets are addressed over TCP/IP.

#66. What are iSCSI naming conventions?

iSCSI names are formatted in two different ways:

  • iSCSI Qualified Name (IQN)
  • Extended Unique Identifier (EUI)

vApp Interview Questions

#67. What is vApp?

A vApp is a container or group in which more than one VM can be packaged and managed as a multi-tiered application for specific requirements; for example, a web server, database server, and application server can be configured as a vApp, and their power-on and power-off sequence can be defined.

#68. What settings can be configured for vApp?

Several settings can be configured for a vApp, such as CPU and memory allocation and the IP allocation policy.

Basic Concepts of NSX

#69. What is decoupling?

An important concept of network virtualization is the decoupling of software and networking hardware. The software works independently of the networking hardware that physically interconnects the infrastructure. Any networking hardware that can interoperate with the software will enhance the functionality, but it is not necessary. Remember that your network hardware performance will always limit your throughput on the wire.

#70. What is Control Plane?

The decoupling of software and networking hardware allows you to control your network better because all the logic resides in the software. This control aspect of your network is called the control plane. The control plane provides the means to configure, monitor, troubleshoot, and allow automation against the network.

#71. What is Data Plane?

The networking hardware forms the data plane where all the data is forwarded from source to destination. The management of data resides in the control plane; however, the data plane consists of all the networking hardware whose primary function is to forward traffic over the wire from source to destination.

#72. What is the Management Plane?

The management plane primarily consists of the NSX manager. The NSX manager is a centralized network management component and primarily allows for a single management point. It also provides the REST API that a user can use to perform all NSX functions and actions. During the deployment phase, the management plane is established when the NSX appliance is deployed and configured. This management plane directly interacts with the control plane and also the data plane.

#73. What is Logical Switching?

NSX allows the ability to create L2 and L3 logical switching that enables workload isolation and separation of IP address space between logical networks. NSX can create logical broadcast domains in the virtual space that prevent the need to create any logical networks on the physical switches. This means you are no longer limited to 4096 physical broadcast domains (VLANs).

#74. What are NSX Gateway Services?

The Edge gateway services interconnect your logical networks with your physical networks. This means a virtual machine connected to a logical network can send and receive traffic directly to your physical network through the gateway.

#75. What is Logical Routing?

Multiple virtual broadcast domains (logical networks) can be created using NSX. As multiple virtual machines subscribe to these domains, it becomes crucial to be able to route traffic from one logical switch to another.

#76. What is East-West Traffic in Logical Routing?

East-west traffic is traffic between virtual machines within a data center. In the current context, this typically will be traffic between logical switches in a VMware environment.

#77. What is North-South Traffic?

North-south traffic is traffic moving in and out of your data center. This is any traffic that either enters your data center or leaves your data center.

#78. What is a Logical Firewall?

Logical firewalls are of two types: distributed firewall and Edge firewall. A distributed firewall is ideally deployed to protect any east-west traffic, while an Edge firewall protects any north-south traffic. A distributed logical firewall allows you to build rules based on attributes that include IP addresses, VLANs, virtual machine names, and vCenter objects. The Edge gateway features a firewall service that can be used to impose security and access restrictions on north-south traffic.

#79. What is a Load Balancer?

The logical load balancer distributes incoming requests among multiple servers to allow load distribution while abstracting this functionality from end-users. The logical load balancer can also be used as a high availability (HA) mechanism to ensure your application has the most uptime. An Edge services gateway instance must be deployed in order to enable the load balancer service.

#80. What is Service Composer?

The service composer allows you to allocate network and multiple security services to security groups. Virtual machines that are part of these security groups are automatically allocated the services.

#81. What is Data Security?

NSX data security provides visibility into sensitive data, ensures data protection, and reports back on any compliance violations. A data security scan on designated virtual machines allows NSX to analyze and report any violations based on the security policy that applies to these virtual machines.

#82. What are the configuration maximums of NSX 6.2?

  • vCenters: 1
  • NSX Managers: 1
  • DRS Clusters: 12
  • NSX Controllers: 3
  • Hosts per Cluster: 32
  • Hosts per Transport Zone: 256
  • Logical Switches: 10,000
  • Logical Switch Ports: 50,000
  • DLRs per Host: 1,000
  • DLRs per NSX: 1,200
  • Edge Service Gateways per NSX Manager: 2,000

NSX Core Components

#83. What is NSX Manager?

NSX Manager allows us to create, configure, and manage NSX components in an environment. It provides a graphical user interface and REST APIs that enable you to interact with the various NSX components. NSX Manager is a virtual machine that you download as an OVA and deploy on any ESXi host managed by vCenter.

#84. What is the NSX Controller cluster?

NSX Controllers provide control plane functionality to distribute logical routing and VXLAN network information to the underlying hypervisors. Controllers are deployed as virtual appliances and should be deployed in the same vCenter that the NSX Manager is connected to.

In a production environment, it is recommended to deploy a minimum of three controllers. DRS anti-affinity rules should be configured so that each controller is deployed on a separate ESXi host for better availability and scalability.

#85. What is VXLAN?

VXLAN is a layer 2 over layer 3 tunneling protocol that allows logical network segments to extend across routable networks. This is achieved by encapsulating the Ethernet frame with additional UDP, IP, and VXLAN headers, which increases the size of the packet by 50 bytes. Hence, VMware recommends increasing the MTU to a minimum of 1,600 bytes on all interfaces in the physical infrastructure and on any associated vSwitches.

#86. What is VTEP?

When a virtual machine generates traffic meant for another virtual machine on the same virtual network, the hosts on which the source and destination virtual machines run are called VXLAN tunnel endpoints (VTEPs). VTEPs are configured as separate VMkernel interfaces on the hosts.

The outer IP header of the VXLAN frame carries the source and destination IP addresses of the source hypervisor and the destination hypervisor. When a packet leaves the source virtual machine, it is encapsulated at the source hypervisor and sent to the target hypervisor. On receiving the packet, the target hypervisor decapsulates the Ethernet frame and forwards it to the destination virtual machine.

Once NSX Manager has prepared the ESXi host, we need to configure the VTEP. NSX supports multiple VXLAN vmknics per host for uplink load balancing. In addition, guest VLAN tagging is also supported.
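To make the 50-byte overhead in #85 and the VTEP roles in #86 concrete, here is an added Python example (not NSX code) that builds and validates a VXLAN frame: it encapsulates a guest frame with outer Ethernet/IPv4/UDP/VXLAN headers on the source VTEP side, decapsulates it with header checks on the destination side, reads the guest VLAN tag from #20, and computes the uplink MTU needed. The VTEP addresses, MACs and VNI are constructed values.

```python
import struct

VXLAN_UDP_PORT = 4789                 # IANA-assigned VXLAN destination port
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
OUTER_ETH, OUTER_IP, OUTER_UDP, VXLAN_HDR = 14, 20, 8, 8
VXLAN_OVERHEAD = OUTER_ETH + OUTER_IP + OUTER_UDP + VXLAN_HDR   # 50 bytes, as stated in #85

def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def _ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))

def _ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; yields 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def vxlan_encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                      src_vtep_mac: str, dst_vtep_mac: str, src_port: int = 49152) -> bytes:
    """Source VTEP side: wrap a guest Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN headers."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI (segment ID) is a 24-bit value")
    # VXLAN header: flags byte with the I bit set, 3 reserved bytes, 3-byte VNI, 1 reserved byte
    vxlan_hdr = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"
    udp_len = OUTER_UDP + VXLAN_HDR + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum optional on IPv4
    # IPv4: version/IHL, DSCP, total length, id, flags (DF set), TTL, protocol 17 (UDP), checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, OUTER_IP + udp_len, 0, 0x4000, 64, 17, 0,
                         _ip(src_vtep), _ip(dst_vtep))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    outer_eth = _mac(dst_vtep_mac) + _mac(src_vtep_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return outer_eth + ip_hdr + udp_hdr + vxlan_hdr + inner_frame

def vxlan_decapsulate(outer_frame: bytes) -> dict:
    """Destination VTEP side: validate the outer headers and recover VNI, VTEP IPs and inner frame."""
    if len(outer_frame) < VXLAN_OVERHEAD:
        raise ValueError("frame shorter than the VXLAN overhead")
    if struct.unpack("!H", outer_frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip_hdr = outer_frame[14:34]
    if (ip_hdr[0] & 0x0F) * 4 != OUTER_IP or ip_hdr[9] != 17:
        raise ValueError("outer header is not a plain 20-byte IPv4/UDP header")
    if _ipv4_checksum(ip_hdr) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    _, dport, udp_len, _ = struct.unpack("!HHHH", outer_frame[34:42])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN: UDP destination port %d" % dport)
    vxlan_hdr = outer_frame[42:50]
    if not vxlan_hdr[0] & 0x08:
        raise ValueError("VXLAN I flag clear: VNI field is not valid")
    return {
        "vni": int.from_bytes(vxlan_hdr[4:7], "big"),
        "src_vtep": ".".join(str(b) for b in ip_hdr[12:16]),
        "dst_vtep": ".".join(str(b) for b in ip_hdr[16:20]),
        "inner_frame": outer_frame[50:34 + udp_len],   # UDP length covers UDP + VXLAN + inner frame
    }

def is_valid_vxlan(frame: bytes) -> bool:
    """True only if the outer headers pass every check in vxlan_decapsulate."""
    try:
        vxlan_decapsulate(frame)
        return True
    except ValueError:
        return False

def inner_vlan_id(inner_frame: bytes):
    """VLAN ID of a guest-tagged (802.1Q) inner frame, or None if it is untagged (#20, #86)."""
    if len(inner_frame) >= 18 and struct.unpack("!H", inner_frame[12:14])[0] == ETHERTYPE_8021Q:
        return struct.unpack("!H", inner_frame[14:16])[0] & 0x0FFF
    return None

def required_uplink_mtu(inner_payload_len: int) -> int:
    """MTU the physical uplink and vSwitch need so a guest payload of this size is not fragmented."""
    return inner_payload_len + VXLAN_OVERHEAD

# Constructed sample frames (not captures): an untagged guest frame with a full 1500-byte
# payload, and a short frame tagged with guest VLAN 100.
GUEST_SRC, GUEST_DST = "00:50:56:aa:00:01", "00:50:56:aa:00:02"
SAMPLE_FRAME = _mac(GUEST_DST) + _mac(GUEST_SRC) + struct.pack("!H", ETHERTYPE_IPV4) + bytes(1500)
TAGGED_FRAME = (_mac(GUEST_DST) + _mac(GUEST_SRC) + struct.pack("!HH", ETHERTYPE_8021Q, 100)
                + struct.pack("!H", ETHERTYPE_IPV4) + bytes(46))
# Encapsulated sample using hypothetical VTEP (VMkernel interface) addresses and MACs
SAMPLE_OUTER = vxlan_encapsulate(SAMPLE_FRAME, 5001, "10.10.20.11", "10.10.20.12",
                                 "00:50:56:01:02:03", "00:50:56:04:05:06")
```

For the 1514-byte sample frame the outer frame is 1564 bytes and required_uplink_mtu(1500) returns 1550, which is why the 1,600-byte minimum in #85 leaves headroom.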

#87. What is a transport zone?

A transport zone defines the span of a logical switch across multiple ESXi clusters, which may sit on multiple virtual distributed switches. Any ESXi host that is part of the transport zone can have virtual machines connected to that logical network. A logical switch is always created as part of a transport zone, and ESXi hosts can participate in it.

#88. What is a Universal Transport Zone?

A universal transport zone allows a logical switch to span multiple hosts across multiple vCenters. A universal transport zone is always created by the primary NSX Manager and is synchronized to the secondary NSX Managers.

#89. What is NSX Edge Services Gateway?

The NSX Edge Services Gateway (ESG) offers a feature-rich set of services that include NAT, routing, firewall, load balancing, L2/L3 VPN, and DHCP/DNS relay. The NSX API allows each of these services to be deployed, configured, and consumed on demand. You can install the NSX Edge as an ESG or as a DLR.

The number of Edge appliances, including ESGs and DLRs, is limited to 250 on a host. The Edge Services Gateway is deployed as a virtual machine from the NSX manager, which is accessed using the vSphere web client.

Note: Only the enterprise administrator role, which allows for NSX operations and security management, can deploy an Edge services gateway.

#90. Describe the Distributed Firewall in NSX.

NSX provides L2-L4 stateful firewall services using a distributed firewall that runs in the ESXi hypervisor kernel. Because the firewall is a function of the ESXi kernel, it offers massive throughput and performs at near line rate. When NSX initially prepares the ESXi host, the distributed firewall service is installed in the kernel by deploying the VSIP (VMware Internetworking Service Insertion Platform) kernel VIB.

VSIP is responsible for monitoring and enforcing security policies on all the traffic flowing through the data plane. Distributed firewall (DFW) throughput and performance scale horizontally as more ESXi hosts are added.

#91. What is Cross-vCenter NSX?

Beginning with NSX 6.2, you can manage multiple vCenter NSX environments using the cross-vCenter functionality. This allows you to manage multiple vCenter NSX environments from a single primary NSX Manager. In a cross-vCenter deployment, each vCenter is paired with its own NSX Manager.

One NSX Manager is assigned the primary while other NSX managers become secondary. This primary NSX manager can now deploy a universal controller cluster that provides the control plane. Unlike a standalone vCenter-NSX deployment, secondary NSX managers do not deploy their own controller clusters.

#92. What is a VPN?

Virtual private networks (VPNs) allow you to securely connect a remote device or site to your corporate infrastructure. NSX Edge supports three types of VPN connectivity: SSL VPN-Plus, IPsec VPN, and L2 VPN.

#93. What is SSL VPN-Plus?

SSL VPN-Plus allows remote users to access applications and servers in a private network securely. There are two modes in which SSL VPN-Plus can be configured: network access mode and web access mode. In the network access mode, a remote user can access the internal private network securely. This is done by a VPN client that the remote user downloads and installs on their operating system. In web access mode, the remote user can access the private networks without any VPN client software.

#94. What is IPsec VPN?

The NSX Edge services gateway supports a site-to-site IPsec VPN that allows you to connect an NSX Edge services gateway-backed network to another device at a remote site. NSX Edge can establish secure tunnels with remote sites to allow secure traffic flow between them.

The number of tunnels an Edge gateway can establish depends on the size of the Edge gateway deployed. Before configuring IPsec VPN, ensure that dynamic routing is disabled on the Edge uplink so that specific routes can be defined for the VPN traffic.

#95. What is L2 VPN?

An L2 VPN allows you to stretch multiple logical networks across multiple sites. The networks can be both traditional VLANs and VXLANs. In such a deployment, a virtual machine can move between sites without changing its IP address. An L2 VPN is deployed as a client and server where the destination Edge is the server, and the source Edge is the client. Both the client and the server learn the MAC addresses of both local and remote sites. For any sites that are not backed by an NSX environment, a standalone NSX Edge gateway can be deployed.

NSX Functional Services

#96. How many NSX Managers can be installed and configured in a cross-vCenter NSX environment?

There can only be one primary NSX manager and up to seven secondary NSX managers. You can select one primary NSX manager, following which you can start creating universal objects and deploying universal controller clusters as well. The universal controller cluster will provide the control plane for the cross-vCenter NSX environment. Remember that in a cross-vCenter environment, the secondary NSX managers do not have their own controller clusters.

#97. What is the Segment ID pool, and how to assign it?

Each VXLAN tunnel has a segment ID (VNI), and you must specify a segment ID pool for each NSX Manager. All traffic will be bound to its segment ID, which allows for isolation.

#98. What is L2 Bridge?

A logical switch can be connected to a physical switch VLAN using an L2 bridge. This allows you to extend your virtual logical networks to access existing physical networks by bridging the logical VXLAN with the physical VLAN. This L2 bridging is accomplished using an NSX Edge logical router that maps to a single physical VLAN on the physical network.

However, L2 bridges should not be used to connect two different physical VLANs or two different logical switches. You also cannot use a universal logical router to configure bridging, and a bridge cannot be added to a universal logical switch. This means that in a multi-vCenter NSX environment, you cannot extend a logical switch to a physical VLAN at another data center through L2 bridging.

Edge Services Gateway

#99. What is Equal Cost Multi-Path (ECMP) Routing?

ECMP allows packets destined for a single destination to be forwarded over multiple equal-cost best paths. These paths can be added statically or learned dynamically through routing protocols such as OSPF and BGP. When defining a static route, the multiple next hops are entered as comma-separated values.

#100. What are the default admin distance values for directly connected, static, external BGP, and other routes?

The admin distance value ranges from 1 to 255, and the defaults are: Connected (0), Static (1), External BGP (20), OSPF intra-area (30), OSPF inter-area (110), and Internal BGP (200).

Note: Any of the above values can be entered in the “Admin Distance” field by editing the Default Gateway configuration under Routing Configuration.
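To tie #99 and #100 together, here is an added example (not code from the original post or from NSX) that first picks the route with the lowest admin distance using the default values listed above, then spreads flows across the comma-separated next hops of the winning static route the way ECMP does. The SHA-256 flow hash and the sample prefixes and addresses are assumptions made for illustration, not NSX's actual algorithm or data.

```python
import hashlib
from collections import namedtuple

# Default admin distances from the answer above (lower value wins).
DEFAULT_ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20,
                          "ospf_intra": 30, "ospf_inter": 110, "ibgp": 200}

# One candidate route for a prefix, learned from one source protocol.
Route = namedtuple("Route", "prefix source next_hops")

def parse_static_route(spec):
    """Parse 'PREFIX via HOP1, HOP2': the comma-separated hops are the ECMP set."""
    prefix, hops = spec.split(" via ")
    next_hops = [h.strip() for h in hops.split(",") if h.strip()]
    if not next_hops:
        raise ValueError("static route needs at least one next hop")
    return Route(prefix.strip(), "static", next_hops)

def select_routes(candidates, admin_distance=DEFAULT_ADMIN_DISTANCE):
    """Keep only the candidates with the lowest admin distance.
    Several survive only on a tie; their next hops are then all ECMP-eligible."""
    if not candidates:
        return []
    best = min(admin_distance[r.source] for r in candidates)
    return [r for r in candidates if admin_distance[r.source] == best]

def ecmp_next_hop(next_hops, src_ip, dst_ip):
    """Pick one next hop per flow by hashing (src, dst), so every packet of a
    flow follows the same path. SHA-256 stands in for the router's real hash
    (an assumption for illustration, not NSX's algorithm)."""
    if not next_hops:
        raise ValueError("no next hops to choose from")
    digest = hashlib.sha256(f"{src_ip}->{dst_ip}".encode()).digest()
    return sorted(next_hops)[int.from_bytes(digest[:4], "big") % len(next_hops)]

if __name__ == "__main__":
    # Constructed sample: one prefix learned via OSPF, iBGP and a static route.
    candidates = [
        Route("10.1.0.0/16", "ospf_intra", ["192.0.2.1"]),
        Route("10.1.0.0/16", "ibgp", ["192.0.2.3"]),
        parse_static_route("10.1.0.0/16 via 192.0.2.1, 192.0.2.2"),
    ]
    hops = select_routes(candidates)[0].next_hops  # static (AD 1) wins
    for src in ("10.2.0.5", "10.2.0.6", "10.2.0.7"):
        print(src, "->", ecmp_next_hop(hops, src, "10.1.4.20"))
```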

#101. What is Open Shortest Path First (OSPF)?

OSPF is a routing protocol that uses a link-state routing algorithm and operates within a single autonomous system.

#102. What is Graceful Restart in OSPF?

Graceful Restart allows for non-stop packet forwarding even if the OSPF process is being restarted. This helps in non-disruptive packet routing.

#103. What is Not-So-Stubby Area (NSSA) in OSPF?

NSSA prevents the flooding of external autonomous system link-state advertisements by relying on default routes to reach external destinations. NSSAs are typically placed at the edge of an OSPF routing domain.

#104. What is BGP?

BGP is an exterior gateway protocol designed to exchange routing information among autonomous systems (AS) on the internet. BGP is relevant to network administrators of large organizations that connect to two or more ISPs, and to internet service providers that connect to other network providers. If you are the administrator of a small corporate network or an end user, you probably don’t need to know about BGP.

#105. What is Route Redistribution?

In an environment where multiple routing protocols are being used, route redistribution enables cross-protocol route sharing.

#106. What is a Layer 4 load balancer?

A Layer 4 load balancer makes routing decisions based on IP addresses and TCP or UDP ports. It has a packet-level view of the traffic exchanged between the client and a server and makes its decisions packet by packet. The Layer 4 connection is established directly between the client and the server.

#107. What is a Layer 7 load balancer?

A Layer 7 load balancer makes routing decisions based on IP addresses, TCP or UDP ports, and any other information it can extract from the application protocol (mainly HTTP). The Layer 7 load balancer acts as a proxy and maintains two TCP connections: one with the client and one with the server.

#108. What is an Application Profile in load balancer configuration?

Before creating a virtual server that maps to the pool, we have to define an application profile, which describes the behavior of a particular type of network traffic. When traffic is received, the virtual server processes it based on the values defined in the profile. This allows for greater control over managing your network traffic.

#109. What is a sub-interface?

A sub-interface, or an internal interface, is a logical interface that is created and mapped to the physical interface. Sub-interfaces are simply a division of a physical interface into multiple logical interfaces. This logical interface uses the parent physical interface to move data. Remember that you cannot use sub-interfaces for HA because a heartbeat needs to traverse a physical port from one hypervisor to another between the Edge appliances.

#110. Why is Force Sync NSX Edge necessary for your environment?

Force sync is a feature that synchronizes the Edge configuration from the NSX Manager to all of its components in an environment. A synchronization action is initiated from the NSX Manager to the NSX Edge that refreshes and reloads the Edge configuration.

#111. Why is it necessary to configure a remote Syslog server in your virtual environment?

VMware recommends configuring Syslog servers to avoid log flooding on the Edge appliances. When logging is enabled, logs are stored locally on the Edge appliance and consume space. If left unchecked, this can have a performance impact on the Edge appliance and can also result in the Edge appliance stopping due to a lack of disk space.

Service Composer

#112. What are Security Policies?

Security policies are sets of rules that apply to a virtual machine, network, or firewall services. Security policies are reusable rulesets that can be applied to security groups. Security policies express three types of rulesets:

  • Endpoint Services: Guest-based services such as anti-virus solutions and vulnerability management
  • Firewall rules: Distributed Firewall policies
  • Network introspection services: Network services such as intrusion detection systems and encryption

These rules are applied to all objects and virtual machines that are part of a security group to which this policy is associated.

NSX Monitoring

#113. What is Endpoint Monitoring in NSX?

Endpoint Monitoring provides insight and visibility into applications running within a guest operating system to ensure that security policies are correctly enforced. Endpoint Monitoring requires Guest Introspection to be installed. On virtual machines, you will need to install the Guest Introspection driver, which is part of the VMware Tools installation.

#114. What is Flow Monitoring?

NSX Flow monitoring is a feature that allows detailed traffic monitoring to and from protected virtual machines. Flow monitoring can uniquely identify different machines and services exchanging data and, when enabled, can identify which machines are exchanging data over specific applications. Flow monitoring also allows live monitoring of TCP and UDP connections and can be used as an effective forensic tool.

Note: Flow monitoring can only be turned on for NSX deployments where a firewall is enabled.

#115. What is Traceflow?

Traceflow is an interesting tool built to allow administrators to seamlessly troubleshoot their virtual network environment by tracing a packet flow in a similar way to the legacy Packet Tracer application. Traceflow enables you to inject a packet into the network and monitor its flow across the network. This flow allows you to monitor your network and identify issues such as bottlenecks or disruptions.

Managing NSX

#116. How does the Syslog server work in NSX?

Configuring NSX Manager with a remote Syslog server lets you collect, view, and save all log files in a central location. This allows you to retain logs for compliance purposes; when you use a tool such as VMware vRealize Log Insight, you can also create alarms and use the built-in search engine to review logs.

#117. How do backup and restore work in NSX?

Backups are critical for an NSX environment because they allow you to restore it appropriately after a system failure. Apart from vCenter, you can also perform backup operations on the NSX Manager, controller clusters, NSX Edge, firewall rules, and Service Composer. All of these can be backed up and restored individually.

#118. What is an SNMP trap?

Simple network management protocol (SNMP) traps are alert messages sent from a remote SNMP-enabled device to a collector. You can configure the SNMP agent to forward SNMP traps.

By default, the SNMP trap mechanism is disabled. When SNMP traps are enabled, only critical and high severity notifications are sent to the SNMP manager.

I hope you have enjoyed reading this post. Good luck with your interview! 👍

Miscellaneous Interview Questions

#119. What is VMware Tanzu?

VMware Tanzu is the suite or portfolio of products and solutions that allows customers to build, run, and manage Kubernetes-controlled container-based applications. This technology was introduced in VMware vSphere 7.0.

#120. What is VMware DRS?

DRS stands for Distributed Resource Scheduler, which automatically balances available resources among hosts by using clusters or resource pools. With the help of HA, DRS can move VMs from one host to another to balance the available resources among VMs.

#121. What are share, limit, and reservation?

Share: A value that specifies the relative priority or importance of a VM’s access to a given resource.

Limit: An upper bound on the CPU cycles or host physical memory that a VM’s consumption cannot exceed.

Reservation: A guaranteed amount of CPU or memory that must be available for a VM to start.

#122. What are alarms? Why do we use them?

An alarm is a notification that appears when an event occurs. Many default alarms exist for the various inventory objects. Alarms can be created and modified using the vSphere Web Client.

#123. What hot-pluggable devices can be added while a VM is running?

HDDs and NICs can be added while a VM is running.

#124. What is a Template?

A template is a VM that has been converted into a format that can be used to create new VMs with pre-defined settings. An installed VM can be converted into a template, but a template cannot be powered on.

#125. What is a Snapshot?

A snapshot is a copy of a VM taken at a point in time, with the timestamp serving as a restore point. Snapshots are taken before an upgrade or software installation. For better performance, a snapshot should be removed after the task it was taken for is complete.

#126. How to convert a physical machine into a VM?

Three steps are required to convert a physical machine to a VM:

  • An agent needs to be installed on the physical machine
  • VI client needs to be installed with Converter Plug-in
  • A server to import/export virtual machines

#127. What is vMotion, and what is the primary purpose of using it in a virtual environment?

It is a prominent feature of VMware vSphere used to migrate running VMs from one ESXi host to another without any downtime. Both the ESXi host and the datastore of a VM can be changed with vMotion.

#128. What is the difference between a clone and a template?

A clone is a copy of a virtual machine. Cloning a VM saves time when multiple VMs with the same configuration are required. A template is a master copy of an image created from a VM, which can later be used to create many clones. A template can’t be powered on or edited after the VM has been converted.

#129. What monitoring method is used in vSphere HA?

  • Network Heartbeat
  • Datastore Heartbeat

#130. How is the master host elected in vSphere HA?

When HA is enabled in a cluster, all hosts take part in an election to select the master host. The host with the highest number of datastores mounted is selected as the master host. All other hosts remain slave hosts.

#131. What is the purpose of VMware Tools?

It is a suite of utilities used to enhance the performance of a VM in areas such as graphics, mouse and keyboard movement, the network card, and other peripheral devices.

#132. What is VMware DPM?

DPM stands for Distributed Power Management, a feature of VMware DRS that monitors the resources required in a cluster. When resource demand drops due to low usage, VMware DPM consolidates workloads and shuts down hosts that are not being used; when demand increases, it automatically powers those hosts back on.

#133. What is the ESXi Shell?

It is a command-line interface used to run repair and diagnostic tasks on ESXi hosts. It can be accessed via the DCUI, enabled or disabled from vCenter Server, and reached via SSH.

#134. How do you run ESXTOP on the ESXi host?

To run ESXTOP on an ESXi host, we’ll need two prerequisites:

  • Install vSphere Client on a host where you want to configure
  • Enable SSH from DCUI by using the “Troubleshooting Options” link

#135. What is VMware vCenter Enhanced Linked Mode, and how does it work?

VMware vCenter Server Enhanced Linked Mode (ELM) is one of the advanced vSphere features. It connects multiple vCenter Servers to provide a single interface in which you can view, search, and manage them, and it replicates roles, permissions, policies, and licenses between the linked vCenter Servers.

It simplifies enterprise virtual environments deployed at the same or multiple sites with multiple vCenter Servers, whether those vCenter Servers are deployed as VCSA or on Windows Server.

What’s Next