VMware vCloud Availability for Cloud to Cloud 1.5 is announced! What’s New?

I am excited to announce that vCloud Availability for Cloud to Cloud 1.5 (vCAv-C2C) will be released for VMware Cloud Providers at the end of September. This has been a long and fruitful journey between strategic design partners and our internal teams.

In this post, I will review what’s new inside of vCloud Availability for Cloud to Cloud 1.5.

Don’t know what vCloud Availability for Cloud to Cloud is – don’t worry, check out this intro post!

To start, here is our lightboard video as an intro to C2C and what’s new with 1.5 –

A quick summary of what I’ll be discussing:

    1. Enterprise Scale
    2. Service Provider Policies for Offer Management
    3. Seamless and unified experience with integration to vCloud Director
    4. vRealize Orchestrator Integration (Compatible with C2C 1.0)
    5. vRealize Operations Day 2 Monitoring Pack (Compatible with C2C 1.0)
    6. Public API
    7. Enhanced Usage Reporting

Scale

Let’s talk about scalability for C2C for a moment. The BU has certified the following for C2C 1.5 –

  • 110 concurrent failover protections
  • Over 3,000 active protections across 100 tenants. This number varies, as it depends on the number of active tenants and the protection operations in flight. However, in discussing this with Engineering, we’ve seen 4,000 VMs protected by vCAv-C2C.
  • Scale up to 7 tested replication instances.

Again, this has been an important enhancement as we have received multiple requests regarding scale. I would also say this is the maximum configuration we’ve tested so far. This does not mean our technology is limited to these numbers. If there’s something specific you’d like to see, please talk to your VMware Cloud Provider field team.

Policies

With C2C 1.5, Cloud Service Providers (CSPs) can now manage access control for vCloud Availability – Cloud to Cloud DR on a per-tenant-organization basis. By default, all tenant organizations are disabled, and CSPs can choose to enable the C2C DR service for one or many organizations. This allows CSPs to deliver Cloud to Cloud DR as a value-added service to their tenants.

As we can see from above, I have the Default Policy along with an “Org1 Policy” that I created and applied to my Org1 organization.

So, what does an org that has not been whitelisted for Cloud to Cloud usage see? It gets an error when attempting outgoing or incoming replications, such as the one below:

In addition to white-listing organizations, C2C DR also allows a CSP to create and assign new policies to selected organizations, giving the CSP the opportunity to build tiered offerings and better control over capacity management. The following new policies have been added:

  1. Limit the maximum number of outgoing and/or incoming replications per organization
  2. Limit the maximum number of replicated VMs per organization
  3. Limit the maximum number of snapshots created per VM
  4. Set a lower limit on RPO per organization

Again, this gives granular control for specific orgs: we can create multiple policies and associate a different policy with each org.

Last of all, we can see the compliance state on each org –

Integrated vCD UI

Using the vCloud Director portal extensibility capability, the team has now introduced an integrated C2C plugin for vCD!

Once C2C is deployed and registered to your vCD instance, we will see the Availability link in the context switching menu (or what we like to call the hamburger menu).

From there, the tenant user can navigate to C2C from the vCD interface, providing a fully integrated, seamless experience and eliminating the need for console hopping.

vRealize Orchestrator Integration

This is an awesome addition as now we can provide unique workflows on a per tenant/use-case basis in an automated fashion. Now, combine this with the power of the new vRO/vCD integration within the Content Library!

From vRO, we can see we have a new section vCloud Availability –

The first thing we would need to do is connect to each respective site –

From here, we have multiple options available that were built by our team, including IP address change after failover:

vRealize Operations Day 2 Monitoring Pack

We are now introducing a management pack for vRealize Operations. This will allow the Provider team to have a single monitoring and analytics tool for providing vCAv-C2C statistics and rollups of the environment.

There are a few out-of-the-box dashboards available –

From here, we can get a picture of what’s going on from an operational perspective, including any RPO violations set by vCAv policies. While my test environment is clean, this gives you an idea of what to expect.

As a last note – the vRealize Orchestrator and vRealize Operations plug-ins have their own release cycles and will typically lag a little behind the core Cloud to Cloud releases. The vRO and vROps plug-ins for Cloud to Cloud are currently supported only for the C2C 1.0 release. Please reach out to your VMware Cloud Provider field team if you’d like to discuss these further.

Public API

There is now an API available for C2C operations. The public API is generated through Swagger, which is quickly becoming a de-facto standard for generating APIs. This gives Providers additional extensibility for managing C2C operations, along with the potential to integrate their Cloud to Cloud DR use cases into their own cloud management portal if they wish to do so.

Start off by going to the API documentation here

Setting up the Swagger client is fairly easy. I was able to do this in a Windows environment using PowerShell commands.

Start with downloading the JSON file –

Then, download the swagger-codegen client and run the generate command to generate the Java client –

And now the build is ready for .java files with the C2C parameters. I hope to have time to play around with this further.

Enhanced Usage Reporting

While Usage Meter integration is underway, we can pull reports from the C2C appliances by logging into the application console – documentation is here. 

We start by SSH’ing or opening the console to the C2C appliance. From there, we need to authenticate again in the h4 context so we can type in the ‘usage-report’ command –

Now, I am able to run ‘usage-report’ and find out my usage –

Again, a lot of great content and additions to C2C 1.5. Please check it out!

-Daniel

Security Compliance – Pre-configure your vApp firewall rules inside vCloud Director using NSX DFW (Part 1 of 2)

This is a joint blog series with Wissam Mahmassani 

Today, we will be discussing pre-configured firewall rules for vApps inside of vCloud Director (vCD).

Recently, I received a request from a new provider that wants to deploy a specific vApp when they onboard a new tenant (or organization). This specific vApp will need to have NSX Distributed Firewall rules in place – the vApp will be the same for every tenant and will need to be secured accordingly.

While this is a Provider managed approach, this is a very simple way of “stamping” out vApps or other required virtual machines that need specific policies applied to them. Moreover, we would like an automatic way to pick up the associated DFW rules so it’s one less step for the Provider.

Overall Steps:

  1. Creation of a Security Group with Dynamic Membership
  2. Creation of a Security Policy
  3. Activating Security Policy against Security Group
  4. Creating vApp that meets dynamic membership criteria

Creation of a Security Group with Dynamic Membership

  1. Navigate to Menu -> Networking and Security -> Service Composer
  2. The first thing we are going to do is create a Security Group that will associate the VMs based on criteria.
  3. The easiest way to do this is with a dynamic membership policy. We want to apply this group to any VMs whose name matches a specific pattern. In my example, I’m going to use “mgmt-pod” as my criterion – 
  4. Click Finish, and we are off to the next step.

Creation of a Security Policy

  1. Let’s click on the Security Policies tab inside of Service Composer and create a new Security Policy – 
  2. Let’s give it a name – I am using Standard vApp DFW Rules. 
  3. From here, we can click on Firewall Rules and create our rules. In my example, I am going to let HTTPS traffic in and block everything else. Typically, for micro-seg rules, we would create granular rules to secure all types of traffic. I am using these just as an example. 
  4. Creating DFW policies is fairly straightforward in the Service Composer – 

Activating Security Policy against Security Group

  1. Now, we are ready to apply our newly created policy to our group. Click the Apply button while your newly created policy is selected – 
  2. From the pop-up window, we will select our Standard vApp Rule group as a Selected Object – 
  3. Success – now we can see it has been applied –
  4. From the DFW view, we can see a new section created with associated DFW rules – 
    1. Solid note from Tom Fojta: “Do not forget the order of DFW sections is important. If a tenant’s DFW VDC section is above and he creates an any-any-allow rule, it will nullify provider rules. Tenant sections are created by default on top unless forced via the API to be created at the bottom.”
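The section-order caveat above is easy to miss in the UI, so here is an added example (not from the original post) that checks an exported DFW configuration for a tenant section sitting above a provider section with an any-any-allow rule. The XML is a constructed, simplified rendering of the NSX-v layer-3 sections; the `managedBy` attribute is an assumption used to tag who owns each section, not an NSX field.

```python
import xml.etree.ElementTree as ET

# Constructed sample, simplified from the NSX-v layer-3 DFW section layout.
# Sections are evaluated top to bottom; "managedBy" is an assumed tag, not NSX schema.
SAMPLE_DFW = """<firewallConfiguration>
  <layer3Sections>
    <section id="1010" name="Org1 tenant section" managedBy="tenant">
      <rule id="2001" disabled="false">
        <name>Tenant any-any</name>
        <action>allow</action>
      </rule>
    </section>
    <section id="1001" name="Standard vApp DFW Rules" managedBy="provider">
      <rule id="1002" disabled="false">
        <name>Allow HTTPS</name>
        <action>allow</action>
        <services><service><name>HTTPS</name></service></services>
      </rule>
      <rule id="1003" disabled="false">
        <name>Block everything else</name>
        <action>deny</action>
      </rule>
    </section>
  </layer3Sections>
</firewallConfiguration>"""


def is_any_any_allow(rule):
    """An enabled allow rule with no sources, destinations or services matches all traffic."""
    if rule.get("disabled") == "true":
        return False
    if rule.findtext("action", "").lower() != "allow":
        return False
    return all(rule.find(tag) is None for tag in ("sources", "destinations", "services"))


def shadowed_provider_sections(config_xml):
    """Return (tenant_section, provider_section) pairs where a tenant any-any-allow
    rule is evaluated before a provider section and therefore nullifies it."""
    root = ET.fromstring(config_xml)
    sections = list(root.iter("section"))
    findings = []
    for idx, sec in enumerate(sections):
        if sec.get("managedBy") != "tenant":
            continue
        if not any(is_any_any_allow(r) for r in sec.findall("rule")):
            continue
        # Every provider section below this one is shadowed.
        for lower in sections[idx + 1:]:
            if lower.get("managedBy") == "provider":
                findings.append((sec.get("name"), lower.get("name")))
    return findings


if __name__ == "__main__":
    for tenant, provider in shadowed_provider_sections(SAMPLE_DFW):
        print(f"tenant section '{tenant}' shadows provider section '{provider}'")
```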

Creating vApp that meets dynamic membership criteria

  1. Now from my Provider UI, I am going to go ahead and create my Management vApp for a new tenant. Again, the context is this would be managed by the Provider initially while we are inheriting the Security Group set forth above. 
  2. Once my vApp is up, I can verify that I am unable to access it via ICMP, which meets my criteria. We can see the Standard vApp Rule group was associated with the vApp and I am unable to ping it. 

This is not the only path to securing Provider-managed VMs for a tenant: check out Wissam’s approach here, which utilizes Resource Pools!

-Daniel

VMware vCloud Usage Meter – BND to Bundle Translation Technical Discussion

Recently, we received a post on VMware Communities forum for vCloud Usage Meter requesting clarification on the “BND” column on the Virtual Machine History Report. I’d like to spend a little more time discussing this further for others and some of the logic under the covers.

Moreover, I’m going to review a sanitized customer collection and discuss something I even learned.

Luis Ayuso and I spend a lot of time with Usage Meter, so over time we’ve become intimately familiar with the inner workings of UM logic (more so Luis – follow him for further updates and direction!). While UM has its quirks, it has quite a bit of logic and intelligence integrated for billing purposes.

First, here’s the BND mapping to current VCPP bundles –

Items that I want to point out:

  1. The BND identifier does not reflect the actual bundle point value. This is by design due to the variances of past bundles.
  2. The Standard Bundle is being retired, but will still show up in any existing or previous Usage Meter instances.
  3. While we have a unique ID for the Standard SP Bundle with Management or Networking, the point bundle value remains the same.

The second thing I’d like to cover is the BND column inside of the Virtual Machine History report – this is column P –

We can see in the above screenshot three important columns:

  1. Bnd Column – which is the bundle identifier. In the above example, we see VMs reporting ID 7, which is the Standard Bundle.
  2. vROps Column – we would see a “Y” or “N” here depicting if this VM is registered inside of vRealize Operations. What we can conclude from the above screenshot is the following:
    1. Running vSphere Enterprise (NOT Enterprise Plus)
    2. vRealize Operations Itemized Breakout
    3. How? Well, Usage Meter will always pick the most cost-effective bundle option for the Provider. We know that the 7-point/Advanced Bundle has vSphere Enterprise Plus, while the 5-point Standard bundle uses vSphere Enterprise, which was EoL’d a few years ago. Moreover, if the Provider utilizes Advanced or Standard vROps, this is not in any VCPP bundle, so it will be billed as an itemized line. This could also be the Enterprise version since we are using the 5-point bundle.
  3. NSX Column – in this example, we do not have any NSX detection. However, if we did, we would see:
    1. B – NSX SP Base Version. Included in Advanced/7-Point Bundle
    2. A – Advanced SP Version. Included in Standard with Networking (8-Point) OR Advanced with Networking Bundle (9-Point).
    3. E – Enterprise SP Version. Included in Advanced with Networking and Management/12-Point Bundle.

As a quick refresher, here are the different versions of NSX inside of VCPP –

We can see in the below screenshot where the VM state changed – VM was registered inside of vROps. Therefore, the bundle went from BND 8 (Advanced SP) to BND 10 (Standard with Management). Why? Well, it was not utilizing vCloud Director nor NSX, so this is the most cost-effective option for this VM. 

Makes sense. Moreover, this is AVERAGED over the month, so if you utilize the Advanced bundle for half of the month while utilizing Standard with Management for the rest, you only pay for the specific hours of use.

Let’s talk about an interesting scenario. I noticed that a VM was “flapping” between BND 7 and BND 13 – that’s a big change. We can see that it’s utilizing vROps and NSX Advanced, but why wasn’t it defaulting to a lower point bundle?

Well, Usage Meter will append a new line for each VM state change – and that includes vMotions. What we can see is that this VM vMotioned from host-30 to host-31 (sanitized names), but the two hosts were using different vSphere licenses. Ah ha!

We can see on the top line, which is host-30, that it was using a vSphere Enterprise license, while the next three line items (host-31) were on a vSphere Enterprise Plus license.
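To catch this licensing mismatch before it reaches the Monthly Usage Report, here is an added example (not part of the original post or Usage Meter itself) that walks the Virtual Machine History report and flags BND changes that coincide with a move between hosts carrying different vSphere licenses. The CSV is a constructed, reduced subset of the report’s columns; the column names are assumptions.

```python
import csv
import io

# Constructed, reduced subset of the Virtual Machine History report. The real
# report has many more columns (BND is column P there); only these are needed.
SAMPLE_HISTORY = """VM,Timestamp,Host,License,vROps,NSX,BND
vm-app01,2018-07-01T00:00Z,host-30,vSphere Enterprise,Y,A,7
vm-app01,2018-07-03T10:15Z,host-31,vSphere Enterprise Plus,Y,A,13
vm-app01,2018-07-09T08:00Z,host-31,vSphere Enterprise Plus,Y,A,13
vm-app01,2018-07-20T19:45Z,host-31,vSphere Enterprise Plus,Y,A,13
vm-db02,2018-07-01T00:00Z,host-30,vSphere Enterprise,N,,8
vm-db02,2018-07-15T12:00Z,host-30,vSphere Enterprise,Y,,10
"""


def load_history(text):
    """Parse the report rows into dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def license_flaps(rows):
    """Return one tuple per BND change that happened together with a host move
    onto a host with a different vSphere license. Bundle changes driven by a
    feature (e.g. vm-db02 registering in vROps) stay on the same host and are
    not reported; those are legitimate re-bundling, not a hygiene problem."""
    by_vm = {}
    for r in rows:
        by_vm.setdefault(r["VM"], []).append(r)
    flaps = []
    for vm, hist in by_vm.items():
        hist.sort(key=lambda r: r["Timestamp"])  # same ISO format, so lexical order works
        for prev, cur in zip(hist, hist[1:]):
            if (cur["BND"] != prev["BND"] and cur["Host"] != prev["Host"]
                    and cur["License"] != prev["License"]):
                flaps.append((vm, prev["Host"], prev["License"], prev["BND"],
                              cur["Host"], cur["License"], cur["BND"]))
    return flaps


def licenses_per_host(rows):
    """Map each host to the set of vSphere licenses seen on it; more than one
    distinct license across hosts in the same cluster is the condition to fix."""
    per_host = {}
    for r in rows:
        per_host.setdefault(r["Host"], set()).add(r["License"])
    return per_host


if __name__ == "__main__":
    history = load_history(SAMPLE_HISTORY)
    for flap in license_flaps(history):
        print("license-driven BND flap:", flap)
    print("licenses per host:", licenses_per_host(history))
```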

Interesting! So, how did this look in the Monthly Usage Report?

We can see NSX Advanced in the Monthly Report. While there is no itemized NSX Advanced in the Product Usage Guide, I believe the Provider would have to just report NSX Enterprise for these VM’s.

So, what did we learn from this scenario? Make sure your licensing is configured in a uniform fashion! This will be very unlikely in the future as Enterprise is not supported after September 2018, but it’s imperative to have proper hygiene for the same hosts in the same cluster.

Happy Metering,

-Daniel

VMworld 2018 Sessions for VMware Cloud Providers

This is a very exciting time for us at VMware, especially in the Cloud Provider Program. I am elated to say there are over 34 sessions that are tied to VMware Cloud Providers at VMworld 2018 – we are only publishing the sessions that are allowed currently…

I believe this is the most we’ve ever had at a VMworld. This signifies the importance of our Cloud Providers to VMware and our channel partners. As many of you have experienced, we are in a significant growth space and these sessions are very important for us to showcase what VMware is delivering around Cloud Providers. Moreover, this is a very important venue for us to present our current and future investments in VCPP.

I was honored when two of my sessions were accepted a few months ago. While it’s a little stressful on ensuring we are creating valuable content for our Cloud Service Providers, I am looking forward to presenting this material at VMworld.

Why VMware vSAN Is the Best Solution for Cloud Provider Environments [HCI1145BU]

The first session I have is with Greg Kaffenberger who is one of my esteemed colleagues inside of the VMware Cloud Provider team. We’ve noticed there’s some confusion around how vSAN works inside of our subscription model. Our goal is to demystify and showcase how vSAN is a sustainable operating model for Cloud Service Providers.

A lot of great content has been created that will be reviewed in this hour. I wish we had more time – we’ve had to cut a lot, but we will make the best of it!

Case Study: Hybrid Cloud with vCloud Extender from Customer to Provider [HYP1142BU]

I am co-presenting with Raffaelo Poltronieri at CloudItalia and we are stoked about speaking about vCloud Director Extender. While many of you have seen my Extender posts over the past year, we will be talking about some of the best practices and lessons learned with one of our strategic partners. Moreover, I will be discussing the goals going forward for our extensibility solutions – significant investment is going in to ensure we make it easy for our Cloud Providers to provide hybridity between on-prem and vCloud environments.

A few callouts I want to make as these are sessions you should not miss –

  • Consuming Cloud Provider SD-WAN Services [BRE3038BU] – this reviews VeloCloud for VCPP and it is very top of mind for many providers. Providing seamless connectivity between sites in a secure, multi-tenant, architecture is critical.
  • Delivering Custom Services Through vCloud Director Extensibility [HYP1803BU] – you will continue to see further development in UI Extensibility inside of vCloud Director. Milko and Martin will do a great job discussing what’s possible inside of the new vCD H5 UI.
  • Introducing VMware Cloud Provider Pod [HYP1499BU] – I can’t speak much about this right now, but check out what Wade Holmes and Yves Sandfort will be presenting. This is a new initiative and we’d love to get feedback from our Cloud Providers.

Honestly, they are all awesome. I was going to continue to list more, but there’s some valuable content being created by amazing leaders in this organization.

I will be at VMworld Saturday to Thursday – please reach out if you ever want to talk about any of our solutions!

See you there,

-Daniel