VMworld Barcelona from the notebook: VMware Strategic Summary

At the VMworld conferences in San Francisco and Barcelona we learned that VMware is continuing the strategic priorities it set out almost a year ago. Not a real surprise, as the road still has a lot of opportunities but also some bumps to take. These are some of the notes I made during my visits to keynotes, sessions and such at VMworld Barcelona. While there were no mind-blowing new technical announcements, it does tell about the ever-changing world we are in and what VMware is bringing to help IT businesses with these changes and challenges.

The VMware strategic priorities are divided into three pillars to continue to serve the liquefying IT world. Within these strategies there are no limits, which was also the theme of VMworld this year (maybe "no limits" is not that good for the VMworld parties ;-) ).

As we learned from the keynotes, the current IT world is moving from a rigid, known, limited IT environment to a more liquid, unknown, unlimited one, accessible from everywhere and every device. Here new business models are needed where data and applications are presented in a uniform way to the users and the devices they are using.

Strategy - Overview 1

These IT business models need more AND decisions instead of the OR decisions we currently see. We don't build the infrastructure for traditional applications or cloud applications, on- or off-premise; we build infrastructures for traditional and cloud applications, available on- and off-premise depending on the user and application requirements. The power of AND. This also holds for the VMware strategic pillars, where cloud is the returning component in the SDDC, Hybrid Cloud and EUC for cloud mobility. Cloud in all its glory: private, hybrid, mobile, cloud applications and public cloud services.

Strategy - Power of AND

Software-Defined Data Center (SDDC)

Continuing to further virtualize the data center: compute virtualization via the flagship vSphere (now in vSphere 6.0 Beta), network virtualization via NSX and storage virtualization via Virtual SAN (VSAN) and Virtual Volumes. This can be done by designing and building your own building blocks (as long as those blocks are on the VMware compatibility matrix) or with VMware Ready partner building blocks optimized for vSphere and Horizon View. Since VMworld, VMware has introduced another building component, the VMware Hyper-Converged Infrastructure Architecture in the form of EVO:RAIL and EVO:RACK (the big brother of EVO:RAIL for cloud scalability). These are complete OEM hardware building blocks combining compute, networking and storage, with VMware vSphere and VSAN ready to go (a somewhat simplified explanation). This reduces deployment time and complexity and optimizes resources and performance. Rack, cable and create an initial configuration from the predefined wizards. Deploy VMs in 15 minutes with pre-defined VM configuration blocks, or create your own VM configuration based on your needs, security and such. That probably takes a little more than the announced 15 minutes, but still significantly less time than when using your own building blocks or VMware Ready blocks.
At the partner level, HP was introduced as a partner for EVO:RAIL, networking and enterprise mobility; exciting to see what that will bring from the partner ecosphere.

Strategy - SDDC Compute Strategy - SDDC Network Strategy - SDDC Storage

End-User Computing (EUC) in a Mobile Cloud Era

This is one of the layers needed for providing the applications and data that run on VMware software products. In the last year there were several knowledge investments (or takeovers) needed to put the VMware EUC mobile cloud strategy in the right place on the IT world map. This started with the acquisition of Desktone for Desktop as a Service (DaaS), then AirWatch as leader in enterprise mobile device management, and the latest, Cloud Volumes, for delivering virtualized applications (announced around VMworld US). Next to this VMware updated its own product from a VDI to a hybrid VDI / published application and desktop product suite with the VMware Horizon Suite updates. Additionally, VMware announced Just-in-Time Desktops for mobile users, Horizon FLEX for offline BYOD desktops and Project Fargo for rapid duplication and sharing of resources of EUC virtual machines.

Hybrid Cloud

Cloud is everywhere. It could be that a strategic model with the Hybrid Cloud pillar positioned between the SDDC and EUC pillars is a little unclear, as it is not a pillar on its own (but that is the whole AND that was in Pat's keynote). The cloud pillar is partly for transition and partly for allowing new cloud-related functionality from within and outside the VMware product groups. You can also see this a different way: SDDC and EUC are delivered in the cloud, for the cloud, whichever cloud definition this is. But I can see that a business model and strategy require a little more than just a theoretical term that is everywhere.
The VMware strategy breathes and revolves around cloud. The cloud is presented as services for the private cloud (the local on-premise data center services in the SDDC) and the public cloud (the publicly accessible services and cloud applications). Around this are tools to move as seamlessly and fast as possible from one cloud to the other without affecting, but serving, the user. Users move from on-premises workspaces to travelling-worker workspaces, back to the office and to home. All those places have their own devices and infrastructures, and all need a form of interaction with the company data and applications. In the private cloud the important products are those of the SDDC. To move from private to hybrid cloud VMware earlier introduced vCloud Hybrid Service. This got more body (more services, like Database as a Service) and a rebranding to vCloud Air. At VMworld a new vCloud Air location for the EMEA market was announced: Germany will offer a new vCloud Air location.
This last year the main usage of the hybrid cloud was as a disaster recovery endpoint and for testing and development. This needs to be expanded to other vCloud services like (but not limited to) virtual private cloud (the starting point for IaaS in the cloud for old and new workloads), Database as a Service (DBaaS for MSSQL and MySQL) and further use of DRaaS.

The experimental phase of cloud in IT businesses is over; now the professional phase is starting, with more and more production workloads landing in the cloud. The growth from 2% of workloads in the cloud in 2009 to 6% in 2014 does not show a lot of cloud adoption, but the exceptional growth in the last year (to that 6%) is showing faster cloud adoption. Are you next?

vCloud Air is not only positioned for VMware-related workloads; vCloud Air is also meant to host new cloud applications for mobile devices or legacy applications created in your own DevOps environment. vCloud Air is a central platform that allows other hypervisors than just the VMware proprietary one.

vCloud Connector (free) as a product, or integrated with vCloud Director and vRealize Automation (the artist formerly known as vCloud Automation Center or vCAC), is one of the tools to move workloads from the private cloud to vCloud Air.

The vCloud Air Virtual Private Cloud OnDemand beta is open. An on-demand service to offer flexibility to rapidly expand capacity and to integrate with the existing local infrastructure. A workspace in minutes and within a few easy steps. Direct access to cloud services that are the same as the on-site VMware infrastructure. Just have a credit card ready. Pay per minute for the resources you use. Support for 5000+ VMware-certified applications and 90+ operating systems.

An overview of this and other Beta programs with these announcement can be found at my previous blogpost: https://pascalswereld.nl/2014/10/15/vmworld-barcelona-keynote-mentioned-beta-and-early-access-programs-link-list/.

Docker containers

A combined architecture of VMs and application containers is nothing new at this VMworld. More and more organizations are rapidly adopting the Docker platform as it allows them to ship applications faster. Whether these applications are delivered to bare metal, a virtualized data center or public cloud infrastructure must not matter. For IT businesses seeking to efficiently build, deliver and run enterprise applications, Docker and VMware deliver the best of both worlds for developers and IT/operations teams. Docker integration is being brought to several VMware products.

Cloud management

Management of the private and public cloud, or physical environments, is delivered via the vRealize suite. vRealize is a suite of management tools for SDDC compute, network and storage virtualization, cloud and EUC (vRealize Operations for Horizon). vRealize is a collection partly of rebranded and partly of new features of well-known components. Application and infrastructure automated provisioning is done via vRealize Automation (formerly known as vCloud Automation Center or vCAC), management and monitoring via vRealize Operations (formerly vCenter Operations Management) and IT billing and cost management via vRealize Business (formerly ITBM, or IT Business Management). Not just a new name but also improved visualization, proactive alerting, improved capacity planning, project management with what-if scenarios and automated resolution of found issues. Not just for VMware products but also provisioning and management of physical or other hypervisor platforms such as Hyper-V, KVM or OpenStack clouds.

Announcement overview Strategy - SDDC Management

 

+++ Are you ready to go beyond your current limits?

Looking to find more information on VMware products, take a start here: http://www.vmware.com/products/?src=vmw_so_vex_pheld_277.

Next up I will be drafting from my VMworld notes some posts about product demos and technical briefings from my multiple visits to the partner ecosphere at the VMworld Solutions Exchange. I will be doing (or at least trying) a series about the technologies these partners and exhibitors are offering, so stay tuned.

Sources: vmware.com.

 

VMworld Barcelona: Keynote mentioned Beta and early access programs link list

In the keynote sessions several Beta and early access programs were mentioned for the VMware innovations. Betas are excellent if you have access to a lab, and some are available as a hosted beta program if you happen to miss resources or such. Get an early look, play, try and break. But do also comment, discuss and return feedback.

So where are those Betas? I have tried to put up a list of the mentioned Beta program URLs for your convenience (okay, I started it for my own reference, but I can share ;-)).

vSphere 6.0

VVOLS

VSAN 2.0

vCloud Air

vRealize Air

VMware Integrated OpenStack (VIO)

Please join in the fun and participate in these beta (and of course also other) programs.

Have I missed one or more (that could be true, but I call sleep deprivation as my witness)? Please let me know.

Sources: vmware.com.

 

VMworld Barcelona: day of the tentacle (or my first VMworld 2014 day)

My first VMworld day, or actually pre-day, was probably the same as for a lot of the VMworld visitors: travelling inbound, finding my hotel, registration and vRockstar. Plus trying a little bit of tourist mode.

I had an afternoon flight from the Netherlands that arrived 30 minutes behind schedule (something to do with the weather above France). But on the plus side, this let me arrive in time for the shuttle and the venue to start up. As Sunday registration means no lines, I had my badge in no time. A good addition is the QR express check-in. Next up, get the T-10 metro card (check) from the information stand. I also wanted to pick up the VMworld backpack, but I was denied, apparently because I am there on a blogger's pass. Too bad, now I have to figure out a way to transport my stuff around as I innocently counted on the backpack.

2014-10-13 09.14.26

After that it was time to hop on the metro shuttle and get from the Fira station to Plaça d'Espanya, where my hotel should be. Fortunately it was there, just a little walk around the plaça, because the first time I take a metro exit it is always the one on the opposite side from where I need to be. But hey, with the Barcelona weather I don't mind.

After some freshening up, after-travel drinks and some dinner, I went walking around town. After a few miles of wandering and looking around, I found myself at my last target of the day, the vRockstar party at the Hard Rock Cafe. That was a blast.

Monday will be a day for some further walking around the venue, Partner day and such. Maybe see you around?

vSphere: Working with traffic filtering in the vNetwork Distributed Switch

Introduction

Within a physical and virtual infrastructure there are several options to limit the inbound and outbound traffic from and to a network node, part of the network or an entire network (security zone). A limit can be filtering (allowing or dropping certain traffic) or prioritization of traffic (QoS / DSCP tagging of the data), where a defined type of traffic is limited in favour of a kind of traffic with a higher priority.

Options include filtering with ACLs, tagging and handling types of traffic with QoS / DSCP-aware devices, firewalling (physical or virtual appliances), physical or logical separation, or Private VLANs (PVLANs for short). Furthermore, an often overlooked point: keep all your layers in view when designing the required security. Suppose you need to filter traffic from a specific data source to a specific group of hosts, where the requirement is that those VMs are not allowed to see or influence the other hosts. Traffic filters set up on the physical network layer will not always be able to "see" that traffic: for example, blade servers in certain blade chassis can access the same trunked switch ports / VLAN, and VMs on the same port group / VLAN on the same host can reach each other's network directly, because that traffic is switched inside the hypervisor and never reaches (nor is redirected to) the physical network infrastructure where the filters are in place. That is, unless you also use a local firewall in the guest OS. You could say this is bad design, but I have seen these "flaws" pop up a little too often.

Options in the VMware virtual infrastructure

You have the option to use third-party virtual appliances as firewalls, vCloud Suite components or network virtualization via NSX (SDN), for example. These are not always implemented, due to constraints I have overheard around, like: the overhead of the traffic handled by the virtual firewall (sizing), a single point of failure when using just one appliance, added complexity for certain IT Ops organizations where networking and virtualization are strictly separated (bad, bad, bad), or just no budget or intention to implement a solution that goes further than the host virtualization the organization is at (as they probably just started). These are just a few, and not all are valid in my opinion....

From vSphere 5.5 there is another, largely unknown and rarely used option: the traffic filtering and tagging engine in the vNetwork Distributed Switch (vDS or dvSwitch). That requires an Enterprise Plus edition, but without that a vDS is not available in the first place. Traffic filtering was introduced in version 5.5 and can therefore only be implemented on vSphere 5.5+ hosts that are members of a 5.5+ version vDS. This vDS option is the one I want to show you in this blog post.

Traffic filters, or ACLs, control which network traffic is allowed to enter or leave (ingress and/or egress rules) a VM, a group of VMs or a network via the port group, or an uplink (vmnic). The filters are configured at the uplink port group or the distributed port group and allow any number of rules to be set at that level. They handle the traffic from VM to port group and/or from port group to the physical uplink port, and vice versa. The rules are processed in the VMkernel, which is fast, and no external appliance is needed. For outgoing traffic, rule processing happens before the traffic leaves the vSphere host, which can also save ACL entries on the physical layer and network traffic when only certain types of traffic, or only traffic to a specific destination, are allowed.

With the traffic filter we have the option to set rules with an Allow or Drop action (for ACL) or a Tag action, matched on the following qualifiers:

vDS - image1

The Tag action sets traffic tags (CoS and/or DSCP values) instead of allowing or dropping. For this example we don't use the Tag action.

System Traffic covers the vSphere traffic types you will likely see around (such as vMotion, management or Virtual SAN traffic), where we can allow a certain type of traffic to a specific network. MAC lets us filter on Layer 2: specific source and/or destination MAC addresses or VLAN IDs. IP lets us filter on Layer 3: TCP, UDP or ICMP traffic for IPv4 and IPv6, with source and/or destination addresses and ports.

The following System Traffic types are predefined:

vDS - image2

Make it so, number One

I will demonstrate the filtering option by creating a vDS and adding an ESXi host and a VM to this configuration. Just a simple one to get the concept across.

My test lab vDS is set up with a VM like this screenshot:

vDS - image3

I have a DSwitch-Testlab distributed switch with a dvPortgroup VM-DvS (tsk tsk, I made a typo and therefore am not consistent with cases, please don't follow this example ;-)). A Windows Server 2012 VM, SRDS, is connected to this port group.

The VM details are as follows:

vDS - image4

The IP address we will be looking at is 192.168.243.165.

At the VM-DvS port group, go to the Manage tab and choose Policies. When we push the Edit button we can add or change the traffic filtering (just look for the clever name).

vDS - image5

vDS - image6

As you can see I have already created an IP ICMP rule whose action currently says the complete opposite of the rule name. This is on purpose, to show the effect when I change this action. When I ping the VM from a network outside the ESXi host, I get a nice ICMP response:

vDS - image7

When we change the ICMP rule to the Drop action, we get the following response:

vDS - image8

 

That's what we want from the action. Other protocols are still available, as there are no other rules yet: I can still open an RDP session to this Windows Server.

vDS - image9

When you want to allow certain traffic and not other traffic you will have to create several rules. The applied network traffic rules are evaluated in a strict order (which you can change). If a packet already satisfies a rule, the packet might not be passed to the next rule in the policy, so a broad rule placed above a narrower one will shadow it. This concept does not differ from filtering on most physical network devices. Document and draw out your rules and traffic flows carefully, or implementation and troubleshooting will be a pain in the $$.
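To make the rule-order point concrete, here is an added example of my own. It is not VMware code, not the VMkernel filter engine and not something from the Web Client; it is a small model of the semantics described above and in the qualifier section: ordered rules with an Allow or Drop action and an IP qualifier (direction, protocol, source/destination prefix, destination port), first match wins, and traffic that matches no rule passes, just as RDP still worked with only the ICMP drop in place. The MAC and System Traffic qualifiers are not modelled. The shadowed_rules helper is my own reviewing aid and an assumption, not a vDS feature; the packets and addresses are constructed to mirror the ping and RDP test against 192.168.243.165.

```python
"""Ordered, first-match traffic rules as exposed by the vDS traffic filter.

Added example: a model of the rule semantics (direction, Allow/Drop action,
IP qualifier, strict order, no implicit drop), not VMware's implementation.
It never talks to vCenter; packets and rules are constructed test data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ICMP, TCP, UDP = 1, 6, 17  # IP protocol numbers selectable in the IP qualifier


@dataclass(frozen=True)
class Packet:
    """One packet as the filter on a distributed port would classify it."""
    direction: str            # "ingress" (towards the VM) or "egress" (from the VM)
    proto: int                # IP protocol number
    src: str                  # source IPv4/IPv6 address
    dst: str                  # destination address
    dport: Optional[int] = None  # destination port for TCP/UDP


@dataclass(frozen=True)
class Rule:
    """One traffic rule: an Allow/Drop action plus an IP qualifier (None = any)."""
    name: str
    action: str               # "allow" or "drop"
    direction: str = "both"   # "ingress", "egress" or "both"
    proto: Optional[int] = None
    src: Optional[str] = None  # CIDR, e.g. "192.168.243.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every qualifier that is set must match; unset qualifiers match anything."""
        if self.direction not in ("both", pkt.direction):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match is also matched by this rule."""
        return (
            self.direction in ("both", other.direction)
            and (self.proto is None or self.proto == other.proto)
            and _cidr_covers(self.src, other.src)
            and _cidr_covers(self.dst, other.dst)
            and (self.dport is None or self.dport == other.dport)
        )


def _cidr_covers(outer: Optional[str], inner: Optional[str]) -> bool:
    """'any' covers everything; a set prefix covers only equal or smaller prefixes."""
    if outer is None:
        return True
    if inner is None:
        return False
    a, b = ip_network(outer, strict=False), ip_network(inner, strict=False)
    return a.version == b.version and b.subnet_of(a)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the ordered list; the first matching rule decides.  A packet that
    matches no rule passes, like the port group before any rule existed."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "allow", None


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them
    (a review helper assumed here; the vDS itself does not warn you)."""
    return [later.name for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


# Constructed traffic towards the VM from the post, 192.168.243.165.
VM = "192.168.243.165"
PING = Packet("ingress", ICMP, "192.168.243.10", VM)
RDP = Packet("ingress", TCP, "192.168.243.10", VM, dport=3389)
PING_FROM_ELSEWHERE = Packet("ingress", ICMP, "10.0.0.5", VM)

DROP_ICMP = Rule("Drop ICMP", "drop", proto=ICMP)
ALLOW_ALL = Rule("Allow everything", "allow")
ALLOW_LAN_PING = Rule("Allow LAN ping", "allow", proto=ICMP, src="192.168.243.0/24")

if __name__ == "__main__":
    print(evaluate([DROP_ICMP], PING))                    # ('drop', 'Drop ICMP')
    print(evaluate([DROP_ICMP], RDP))                     # ('allow', None)
    # Same rules, wrong order: the broad Allow on top shadows the Drop.
    print(evaluate([ALLOW_ALL, DROP_ICMP], PING))         # ('allow', 'Allow everything')
    print(shadowed_rules([ALLOW_ALL, DROP_ICMP]))         # ['Drop ICMP']
    # A narrower Allow above the Drop is an intended exception, not a shadow.
    print(evaluate([ALLOW_LAN_PING, DROP_ICMP], PING_FROM_ELSEWHERE))  # ('drop', 'Drop ICMP')
    print(shadowed_rules([ALLOW_LAN_PING, DROP_ICMP]))    # []
```

Run it as a script and compare the two orderings of the same two rules: with the broad Allow on top the ICMP drop never fires, which is exactly the mistake the "strict order" warning is about. Put the narrow exceptions above the broad drop, and run a shadow check like this over the intended list before you click Edit on the port group.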

This concludes my simple demonstration.

 – Enjoy!

Sources: vmware.com