VMware Project Arctic Graduates to vSphere+

Introduction

Today, June 28 2022, VMware announced vSphere+ and vSAN+, subscription-based offerings of their enterprise compute and storage virtualisation solutions.

First mooted during VMworld 2021, Project Arctic promised to deliver a cloud operating model to customers’ data centre and edge locations. At a high level, that means hands-off maintenance, proactive monitoring, pay-as-you-grow consumption, subscription billing, and a shift to opex funding.

Furthermore, vSphere subscriptions allow VMware to integrate products and services as features. VMware Cross-Cloud Services will enable on-demand scale-out capacity and disaster recovery capabilities. We know from the general industry shift towards Software-as-a-Service (SaaS) that the frequency of development cycles and feature delivery increases, resulting in faster and greater value to the end customer.

The release of vSphere+ and vSAN+ is VMware’s first iteration of the Project Arctic feature set, with more capabilities and products to be added. In this release, customers can expect to benefit from simplified operations, faster time to value, and future investment in IT strategy. Find out more at the vSphere+ microsite.

What is vSphere+?

The launch of vSphere+ and vSAN+ provides customers with a subscription to compute and storage virtualisation solutions. It is aimed at organisations wanting to retain an on-premises footprint, either data centre or edge, with a consistent operating experience to their cloud infrastructure.

This means it is easy for brownfield environments to adopt, and to improve their operational processes and security posture. vSphere+ is more than just a subscription to an existing product; it also offers administrators the following benefits:

  • Aggregate vCenter Servers and global infrastructure into a single view
  • VMware assisted lifecycle management, initially for vCenter Server
  • Significantly lower maintenance touch, and reduced downtime with vCenter Server Reduced Downtime Upgrades
  • Faster access to new features, fixes, and security patches
  • Check for configuration drift, security issues, consistent errors, and update status across all vCenters and clusters
  • Enable access to the embedded Tanzu services to build, run, and manage modern container-based applications
  • Global monitoring of VMware environments, see examples in this vSphere+ Tech Zone blog
  • Deploy virtual machines to multiple platforms from anywhere with the new cloud admin interface
  • Co-term licensing and support across VMware environments with flexible scaling options
  • Removes the need for individual vCenter Server licenses (see the licensing section below)

vSphere+ introduces a new cloud admin portal. This is an additional SaaS control plane, which interacts with a gateway server on-premises. The sections below go into more technical detail, but the vCenter Servers do not talk directly out to the Internet, and no workloads or components are moved to the cloud as part of this operating model.

The term cloud-like operating model relates to features like the one-click vCenter updates, one-click Kubernetes cluster enablement (a cloud native container orchestration tool), and the flexible subscription, or operating expenditure, nature of the service.

Many customers want the benefits of cloud, namely flexible consumption, minimal maintenance, built-in resilience, developer agility, and anywhere management. They may also need to retain some on-premises infrastructure, for data privacy, security, or sovereignty reasons, and for high-performance or low-latency requirements. The introduction of vSphere+ aims to provide these cloud benefits in the remaining data centre or edge locations.

You can read more about the admin services and developer services available through the new cloud portal, as well as the full range of benefits introduced by vSphere+, in the blog VMware vSphere+ Introducing The Multi-Cloud Workload Platform.

vSphere+ Benefits

How Does vSphere+ Work?

Beyond the licensing information in the section below, there are some further technical considerations and clarifications.

Since the vSphere infrastructure on-premises is already deployed, there is no impact to those existing vSphere, vCenter, or vSAN environments. The vCenter Server needs to be running a minimum of version 7.0.3, so there may be a vCenter upgrade, but there is no vSphere/ESXi update required. vCenter 7.0.3 is backwards compatible with vSphere 6.5 onwards, although note that vSphere 6.x reaches end of support on 15 October 2022.

A Cloud Gateway appliance is used to connect the on-premises vSphere estate with the VMware Cloud control plane. The appliance is a standard OVA, here is some additional information:

  • The appliance needs 8 CPU, ~24 GB RAM, 190 GB disk, and a secondary IP address
  • The appliance does not need backing up or HA deployment
  • The appliance is stateless and can easily be deleted and re-deployed in the event of any issues
  • There is an admin interface for setting minimal configuration such as Internet proxy
  • Lifecycle management of the appliance is automated from the cloud control plane
  • There is a maximum latency requirement of 100 ms from the vCenter to the gateway appliance, and from the gateway to the cloud portal
  • The gateway appliance has limited access to the customer environment
  • Communication between the gateway appliance and cloud portal is fully encrypted and there is no VPN requirement
  • The gateway appliance needs outbound HTTPS connectivity only, and there are no network charges
  • The gateway appliance also uploads logs to VMware support, accelerating troubleshooting during incidents
  • The gateway appliance is the point of authentication, and no usernames and passwords are transmitted to the cloud
  • Data is not shared with third parties or used for marketing purposes
  • You can have multiple gateway appliances, with up to 4 vCenter Servers per gateway (note that there is no change in vCenter and vSphere configuration maximums)

vSphere+ Cloud Gateway Appliance High Level Architecture

Subscription services for vSphere+ and vSAN+ can be activated from the cloud portal. Host billing and licensing is also managed here, with no need to install license keys. Outside of vCenter lifecycle management, and subtle differences like the removal of license keys, there is no day-to-day change in how you manage and operate the vSphere environment.

If the gateway appliance or Internet connection is lost, the vSphere environment continues to work as normal. If the gateway has not connected to the cloud control plane for 24 hours, vSphere administrators will see advisory messages on the login page bringing this to their attention.

For vCenter updates, VMware do not apply updates automatically without informing the customer. The customer has complete control over the planning and scheduling of updates across vCenter Servers. When a new update is available a notification is generated, and the customer chooses when to have the update applied. The inventory will apply a traffic light system for vCenter instances depending on how many versions behind the latest release they might be.

How Does vSphere+ Licensing Work?

Previously, virtualisation customers would shell out a large upfront cost for perpetual licenses they would own outright. To deliver full value the perpetual license was supplemented with SnS (Support and Subscription), adding technical support, and access to the latest updates and security patches.

With perpetual licenses and SnS renewals, the vCenter Server license (per instance) and vSphere license (per CPU) were purchased separately. The vCenter Server provides overarching management capabilities, including enterprise features like resource balancing and High Availability (HA). The hypervisor vSphere, or ESXi, is installed on physical servers and facilitates compute virtualisation.

From July 2022, customers can upgrade to subscription-based offerings of vSphere+ and vSAN+ rather than the traditional SnS renewal. You may have seen a similar early access program, branded vSphere Advantage. Both vSphere Advantage and Project Arctic are officially named vSphere+ at launch.

The vSphere+ license will include vSphere (for the core count stipulated), vCenter Server (for unlimited instances), the new vSphere admin service (SaaS-based), the Tanzu Standard runtime, and Tanzu Mission Control Essentials. Tanzu services let teams build, run, and manage modern applications using containers and Kubernetes orchestration, directly within the hypervisor.

The version of vSphere included with vSphere+ has feature parity with vSphere Enterprise Plus, and production support. You can view the full vSphere Enterprise Plus feature set here.

Once a vCenter Server is registered with the cloud control plane all connected hosts and associated CPUs will be counted as licensed physical cores. Note that 16 cores make up 1 CPU, which is a change to the existing perpetual limit where 1 CPU is currently valid for up to 32 cores. As physical servers are added or removed, the corresponding core count is increased or decreased.

Core commits can be made for 1, 3, or 5 year periods, with additional cores billed as overage (or the commit level increased). Any overage is calculated per hour and billed in arrears at the end of the month. A customer can run a combination of vSphere+ and perpetual vSphere, however they need to be registered with different vCenter Servers.
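To make the counting rules above concrete, here is an added example (written for this post, not VMware's billing code) that applies the stated figures: cores are counted per physical CPU with 16 cores making up 1 CPU, a perpetual CPU license covers up to 32 cores, and overage above the commit is calculated per hour and billed in arrears at month end. The host inventories are constructed, and rounding a CPU with fewer than 16 cores up to 16 is an assumption.

```python
"""vSphere+ core counting and monthly overage worked example (illustrative, not VMware code)."""
import math

PLUS_CORES_PER_CPU = 16        # "16 cores make up 1 CPU" under vSphere+
PERPETUAL_CORES_PER_CPU = 32   # perpetual licensing: one CPU license covers up to 32 cores


def plus_licensed_cores(hosts):
    """Cores counted against a vSphere+ subscription.

    hosts is a list of (sockets, cores_per_socket) tuples describing each ESXi host.
    Assumption: a CPU with fewer than 16 cores is still counted as 16 cores.
    """
    return sum(sockets * max(cores, PLUS_CORES_PER_CPU) for sockets, cores in hosts)


def perpetual_cpu_licenses(hosts):
    """Perpetual vSphere CPU licenses needed: one per CPU, another for every 32 cores above that."""
    return sum(sockets * math.ceil(cores / PERPETUAL_CORES_PER_CPU) for sockets, cores in hosts)


def hourly_licensed_cores(base_hosts, events, hours=720):
    """Per-hour licensed core count for a month.

    events is a list of (hour, hosts_after_change); each change applies from that hour onwards,
    mirroring hosts being added to or removed from a registered vCenter Server.
    """
    pending = sorted(events, key=lambda e: e[0])
    current = list(base_hosts)
    timeline = []
    for hour in range(hours):
        while pending and pending[0][0] <= hour:
            current = list(pending.pop(0)[1])
        timeline.append(plus_licensed_cores(current))
    return timeline


def monthly_overage_core_hours(hourly_cores, commit):
    """Overage is calculated per hour: every core above the commit counts for that hour only."""
    return sum(max(0, cores - commit) for cores in hourly_cores)


# Constructed sample estate: four 2-socket, 28-core hosts, with two 2-socket, 32-core hosts
# added at hour 200 and removed again at hour 600 of a 720-hour month.
BASE_HOSTS = [(2, 28)] * 4
EXPANDED_HOSTS = BASE_HOSTS + [(2, 32)] * 2
COMMIT = plus_licensed_cores(BASE_HOSTS)   # commit sized to the steady-state estate (224 cores)


def example_month():
    """Overage core-hours for the constructed scenario: 400 hours x 128 extra cores."""
    timeline = hourly_licensed_cores(BASE_HOSTS, [(200, EXPANDED_HOSTS), (600, BASE_HOSTS)])
    return monthly_overage_core_hours(timeline, COMMIT)


if __name__ == "__main__":
    print("vSphere+ cores for base estate:", COMMIT)
    print("perpetual CPU licenses for base estate:", perpetual_cpu_licenses(BASE_HOSTS))
    print("overage core-hours this month:", example_month())
```

The same functions show the change in CPU definition: a 2-socket, 12-core host counts as 32 cores under vSphere+ but needs only 2 perpetual CPU licenses.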

How Does vSAN+ Licensing Work?

The vSAN+ license is available only as an add-on to vSphere+; it cannot be purchased separately. As the license is an add-on, it automatically co-terms with the vSphere+ duration. Commit and overage terms are the same as vSphere+.

Using vSAN+, customers benefit from centralised management, global inventory monitoring, and global alert status from the cloud console. Existing vSAN datastores are integrated into the cloud portal virtual machine provisioning workflow, to allow deployment of workloads to a vSAN cluster from anywhere. You can read more in the Introducing vSAN+ blog.

The vSAN+ license has feature parity with vSAN Enterprise; you can view the full vSAN feature list here. At initial release, lifecycle management covers only vCenter Server. vSphere/vSAN lifecycle management is likely to be added to Project Arctic in the future.

VMware Sovereign Cloud Overview

Introduction

It isn’t a secret that the overwhelming majority of data hosted by enterprises in the cloud is with US-owned cloud providers, but a study by the Centre for European Policy Studies in 2021 found that a whopping 92% of the Western world’s data is currently stored in the US. In principle that has been fine with organisations based in other countries, since the scale of these cloud providers was such that data locality was not a problem. The relevant security controls and technologies also exist to protect the data from unauthorised third parties.

Politically, however, the landscape is changing. The majority of the world’s population is now covered by privacy regulations in line with GDPR. The number of countries implementing data privacy laws has been increasing annually, for both personal and enterprise data. Furthermore, the very definition of personal information is evolving with our online presence, and it’s only going to get more complex over time.

Thanks to the US Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, courts can instruct US companies to collect data on systems they manage, not just on US soil, but in theory anywhere in the world. Separately, in July 2020, the Court of Justice of the European Union (CJEU) ruled on a case that essentially invalidated the EU/US Privacy Shield framework for transferring data outside of the EU.

This isn’t just a European concern either, it’s on the radar across other regions on a global scale. Legal cases and fines are starting to arise for organisations incorrectly interpreting GDPR, and there are still open questions about how legislation will be enforced internationally.

These are not isolated instances, and in conjunction with an increased risk of data breaches and more sophisticated cyber attacks, companies are starting to seriously consider repatriation of data stored overseas. Through the global network of VMware Cloud Provider Partners (VCPP), and the VMware Sovereign Cloud framework, VMware have the means to implement data sovereign solutions locally across any region.

What is VMware Sovereign Cloud?

VMware Sovereign Cloud is a framework of guiding principles and best practices to help partners deliver cloud services that adhere to the data sovereignty requirements of a specific jurisdiction. A sovereign cloud framework does not replace public cloud, nor does it replace industry compliance. In fact the opposite is true, the sovereign cloud framework seeks to augment existing platforms and regulations, with a specific focus on putting the customer in complete control of their data.

This control is derived by providing both data residency and data sovereignty with full jurisdictional control. Data residency relates to where the data is physically and geographically stored and processed. Due to the extreme scale of the main public cloud providers, this is something they are usually able to provide. Often though, metadata (data about the data) can leak out into other regions, typically the US. In some cases, data residency alone is not sufficient to ensure compliance with data privacy laws. Data sovereignty relates to law, specifically data being subject to the governance structure, and more importantly jurisdiction, of the nation where the data is processed and stored.

Data still needs to be accessible, and this is a really important point. A sovereign cloud solution needs to not only protect critical data, but also unlock its value. Data can be extracted in a meaningful way, for both private and public sector organisations, whilst providing transparency around architecture and operations.

As an example, both my banking and health records are stored extremely securely in a data centre, with a bunch of regulatory and audit processes in place. However, I can access these records on-demand using my mobile phone, which is a device my bank and my healthcare provider have no control over. Equally, there may be times when others need to access the same records, either anonymised or with personally identifiable information, such as if I applied for a credit-based financial service, or if I was referred to a healthcare specialist for a specific condition. Data sovereignty isn’t about locking up data and making it inaccessible.

Clearly, data still needs to be accessible to the right people through an end client, device, or system, whilst maintaining the integrity of the data. It is important therefore, to have an example architecture for how data can be exchanged, or act as a landing platform for data collected from member states and repatriated from other regions. In implementing such an architecture, a national capability for the digital economy can be achieved, whilst securing data with audited security controls, and ensuring compliance with data privacy laws.

High Level Sovereign Cloud Framework

The basis of a VMware Sovereign Cloud is the VMware reference architecture, in the form of VMware Validated Solutions (VVS) and the VMware Cloud Provider Partner (VCPP) stack. There is no need for a dedicated sovereign cloud reference architecture. Instead, an overlay is being introduced to organise the infrastructure into different security classifications and domains. This separation of security domains ensures there is no data leakage, of either primary data or metadata, outside of the required locality and jurisdiction.

The VMware Sovereign Cloud framework uses transparent, standardised, software-defined architectures along with a number of key principles and best practices:

  • Data sovereignty and jurisdictional control
    • Control, authority, and operations are fully managed within the jurisdiction of the nation state where that data was collected
  • Data access and integrity
    • Cloud infrastructure is resilient across at least 2 data centre locations within the jurisdiction, with secure and private connectivity options
  • Data security and compliance
    • Information security management system controls are audited and applied in line with industry recognised standards
  • Data independence and mobility
    • Data and application portability with modern application architectures to prevent lock-in

These key principles deliver benefits such as increased security, improved control, and continuous compliance, whilst future proofing services and unlocking the power of data. National and sovereign digital capabilities can be developed, with national data pooled together to fuel economic innovation and growth.

How Does VMware Sovereign Cloud Work?

The VMware Sovereign Cloud provider sets up an audited and approved cloud architecture for the customer in the relevant locality and jurisdiction. Each sovereign cloud must have at least 2 security domains within it. A typical security domain is built in software, with every IT system or data classification representing one or more security domains.

Security domains provide a common authentication and authorisation boundary. The perimeter is typically protected by things like firewalls, access control, and application filters, whilst services like micro-segmentation can provide further optional security inside the security domain itself. You can think of a security domain as a logical network connectivity area with a common security posture; domains can be built specifically to house top-secret data, secret data, restricted data, and so on. The 2 types of security domain are as follows:

  • Sovereign domain
    • Used to connect out to other services (a similar concept to a DMZ); this security domain features the highest level of security and risk mitigation
  • Resident domain
    • Stores and processes data, and will only accept connections from its parent sovereign domain or other trusted resident domains in the same jurisdiction; this security domain features the highest level of trust and confidence

Security domains can be used to make secure connections out to other environments, such as the customer’s private cloud, or a commercial public cloud provider. The sovereign cloud architecture ensures that if the service is paired with commercial clouds, then no data or metadata is leaked or escapes the sovereign cloud boundary.
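As an added illustration of the domain rules described above (example code written for this post, not VMware's implementation), the following Python models sovereign and resident domains, checks that a sovereign cloud has at least 2 security domains, and evaluates whether a given connection is permitted: a resident domain only accepts its parent sovereign domain or a trusted resident domain in the same jurisdiction, and only a sovereign domain connects out to external services. Domain names, jurisdictions and the treatment of inbound traffic to the sovereign domain as perimeter-controlled are assumptions.

```python
"""Sovereign cloud security domain connection policy (illustrative model, not VMware code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Domain:
    name: str
    kind: str                        # "sovereign" or "resident"
    jurisdiction: str                # constructed sample values such as "DE"
    parent: Optional[str] = None     # a resident domain names its sovereign domain
    trusted_peers: FrozenSet[str] = frozenset()   # resident domains this domain trusts


@dataclass(frozen=True)
class External:
    """An endpoint outside the sovereign cloud boundary, e.g. a public cloud service."""
    name: str
    jurisdiction: str


Endpoint = Union[Domain, External]


def validate_cloud(domains: List[Domain]) -> List[str]:
    """Return structural problems with a sovereign cloud layout; an empty list means acceptable."""
    problems = []
    by_name = {d.name: d for d in domains}
    if len(domains) < 2:
        problems.append("a sovereign cloud needs at least 2 security domains")
    for d in domains:
        if d.kind == "resident":
            parent = by_name.get(d.parent or "")
            if parent is None or parent.kind != "sovereign":
                problems.append(f"{d.name}: resident domain needs a sovereign parent domain")
            elif parent.jurisdiction != d.jurisdiction:
                problems.append(f"{d.name}: parent sovereign domain is in another jurisdiction")
    return problems


def connection_allowed(src: Endpoint, dst: Endpoint) -> Tuple[bool, str]:
    """Decide whether src may open a connection to dst, returning (allowed, reason)."""
    # Resident domains hold the data: they accept only their parent sovereign domain
    # or a trusted resident domain in the same jurisdiction, never anything external.
    if isinstance(dst, Domain) and dst.kind == "resident":
        if isinstance(src, External):
            return False, "resident domains never accept connections from outside the boundary"
        if src.kind == "sovereign" and src.name == dst.parent:
            return True, "parent sovereign domain"
        if (src.kind == "resident" and src.name in dst.trusted_peers
                and src.jurisdiction == dst.jurisdiction):
            return True, "trusted resident domain in the same jurisdiction"
        return False, "not the parent sovereign domain or a trusted same-jurisdiction peer"
    # Only the DMZ-like sovereign domain connects out to external services.
    if isinstance(dst, External):
        if isinstance(src, Domain) and src.kind == "sovereign":
            return True, "sovereign domain may connect out to external services"
        return False, "only a sovereign domain may connect to external services"
    # Assumption: the sovereign domain terminates inbound traffic from outside (perimeter
    # controls apply there) and accepts its own child resident domains.
    if isinstance(src, External):
        return True, "inbound terminates at the sovereign domain perimeter"
    if src.parent == dst.name:
        return True, "child resident domain reaching its sovereign domain"
    return False, "sovereign domain only accepts its own resident domains from inside"


# Constructed sample layout: one sovereign domain fronting two resident domains in DE,
# where the restricted domain trusts the secret domain but not the other way round.
SOVEREIGN = Domain("sov-de", "sovereign", "DE")
SECRET = Domain("res-secret", "resident", "DE", parent="sov-de")
RESTRICTED = Domain("res-restricted", "resident", "DE", parent="sov-de",
                    trusted_peers=frozenset({"res-secret"}))
PUBLIC_CLOUD = External("public-cloud-us", "US")
DOMAINS = [SOVEREIGN, SECRET, RESTRICTED]


if __name__ == "__main__":
    print("layout problems:", validate_cloud(DOMAINS) or "none")
    for src, dst in [(SOVEREIGN, SECRET), (PUBLIC_CLOUD, SECRET), (SECRET, RESTRICTED),
                     (RESTRICTED, SECRET), (SECRET, PUBLIC_CLOUD), (SOVEREIGN, PUBLIC_CLOUD)]:
        ok, why = connection_allowed(src, dst)
        print(f"{src.name} -> {dst.name}: {'allow' if ok else 'deny'} ({why})")
```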

The screenshot below is taken from the VMware Sovereign Cloud Technical Whitepaper, which provides a technical deep dive into the aspects and examples of sovereign cloud architectures and integrations. It shows how a sovereign cloud provider can host an application, whilst still consuming the benefits of public cloud services from AWS, Azure, Google, etc.

In this example, the data is encrypted and replicated between the sovereign cloud compliant provider and the public cloud, with the encryption keys only stored on the KMS server with the compliant provider. Other methods can also be used to integrate with third party tooling, such as anonymising data, or replacing sensitive data with specific key pair values that can then be mapped back on the sovereign cloud compliant provider.

Sovereign Cloud Compliancy Chain from the VMware Sovereign Cloud Technical Whitepaper

You can find a local VMware Sovereign Cloud provider, from the likes of Telefonica, UK Cloud, and OVH, on the VMware Cloud Provider Services page. Further reading material that may be of interest around sovereign cloud and the Gaia-X project in Europe is listed below.

What is Gaia-X?

Gaia-X is a broader project beyond sovereign cloud, that attempts to build a federated cloud ecosystem of data, infrastructure, and service providers. The aim is to deliver European digital sovereignty with a future cloud architecture, whilst controlling the flow of data for an overarching state through different legislation boundaries.

Data assets should be able to move freely between approved providers, with both parties providing tools to assist with the migration process to prevent lock-in. Access permissions and data usage controls will travel with the data as it moves through the ecosystem. As with sovereign cloud, the hyperscalers are not excluded and can still participate, providing data sovereignty remains intact. VMware are contributing to the development of the Gaia-X reference architecture as a day 1 member.

Hornetsecurity Cyber Threat Report

Introduction and Chapter 1

Hornetsecurity recently published their Cyber Threat Report Edition 2021/22. This post will examine why cybersecurity, and the Cyber Threat Report, are relevant in today’s digital world.

Cybercrime ranks amongst the highest of threats worldwide. In the UK, we have experienced cyberattacks on public services such as healthcare and local authorities. Just looking up cyberattacks in the news confirms recent attacks on a wide range of industries, such as retail providers, snack companies, news corporations, research centres, political parties, and airlines.

The impact of these attacks is far and wide reaching. Individuals can be impacted by data breaches, fraud, and loss of products and services. On a national scale, society can be impacted by the loss of critical national infrastructure, underpinning things like financial services and emergency response services.

Chapter 1 of the Cyber Threat Report starts by examining the monetary cost of cybercrime on a global scale, which has increased by 345 billion US dollars in just 2 years. The author moves on to more thought-provoking subjects: world affairs like a pandemic, global espionage, and even war, can all be accelerated by cyberattacks.

Public sector and private sector industries of all kinds have multiple attack vectors in common. The report makes the case that email is typically one such example. This can be as an ingress point for ransomware attacks, or as a means of hijacking business or official email addresses. The news search I mentioned earlier highlights the breach of an official email address within one of the world’s largest intelligence and security services. Clearly anything we use in day-to-day life with a digital footprint carries a risk of being compromised, and that’s why this report is so important.

Chapter 2

The second chapter starts to lift the lid on the risk of email; starting out by stating that around 300 billion emails are sent every day. This number is expected to rise by a further 61.6 billion over the next 2 years, leading to an exponential rise in threats.

By analysing the email traffic of the first half of 2021, the Hornetsecurity Security Lab concluded that 40% of emails sent were classified as undesired emails. That’s potentially 120 billion unsolicited emails sent every day.

Most of these emails will already be blocked in advance, using known spam filters, known-bad sender lists, and identifying common traits. It’s obvious that executables will be rejected, and individuals are now savvier about opening links or Excel files from unknown senders. However, as education and cybersecurity protection improve, attackers themselves are becoming more sophisticated.

Embedding web pages, downloads, and links in HTML files or PDFs is now a common attack format. The Cyber Threat Report goes into the detail behind the most-used file types in malicious emails, really showing the wide range of tools attackers have adopted.

This same trend is echoed when it comes to both the industries affected, and the type of attacks carried out by cybercriminals. Examples include phishing, spearphishing, malicious attachments, blackmail, ransom leaks, and brand impersonation.

The global COVID-19 pandemic accelerated a shift towards online services, for public services like healthcare, as well as private services like shopping and banking. Although digital enablement is a good thing, it does have the potential to increase the attack surface. Brand impersonation is a great example, and it’s good to see the report call out the impact of the pandemic on this type of attack vector. As expected, impersonation of brands like Amazon, DHL, and FedEx is commonly used with malicious URLs.

The final section of the second chapter talks about the rise of as-a-service offerings on the dark web, which is something I was hoping would be called out. There is a growing market for Ransomware-as-a-Service, as well as for attackers to penetrate networks or systems, and then sell that access to the highest bidder. There are several use cases for this type of transaction: it could be selling secrets to competitors, opposing governments or nation states, for criminal or monetary extortion, and so on.

Chapter 3

The third chapter in the Cyber Threat Report breaks down Malware-as-a-Service (MaaS) further, with a compelling example. Emotet evolved from a banking trojan to a widely distributed MaaS operation, forming a network of cybercriminals. Before being disabled in early 2021, Emotet could infect a system and hijack email conversations, spreading amongst email contacts and mailbox recipients.

Emotet was eventually taken down by an international operation of law enforcement. In the aftermath, many other botnets have emerged, but none yet have the same scale. That said, the landscape is ever changing and as the report highlights, the existing customer base of Emotet’s MaaS operation still exists.

The final note for the ‘threat-highlights’ of 2021 is the Microsoft Exchange hack. Microsoft Exchange is perhaps one of the world’s most widely used technologies, and an estimated 250,000 email servers were hit by attacks in March 2021.

The vulnerabilities were made up of 4 separate types, impacting multiple versions of Microsoft Exchange Server. Although an unscheduled security update was released, breaches were widespread before the patch could be fully rolled out.

It is believed the attack was carried out by a Chinese state-sponsored hacker group, and in the clean-up that followed even the FBI were involved in removing traces from corporate networks to take out the risk of further attacks.

Chapter 4 and Summary

The report closes by highlighting the increase in digitalisation, as well as the number of devices and accounts, all providing opportunities for cybercrime to continue across borders and continents. As predicted, a huge increase in ransomware attacks is already starting to materialise. We’ve read throughout the report of the many and evolving attack options for cybercriminals, and the role in which email plays.

Microsoft 365 is an Office 365 suite with over 258 million active users; it provides Microsoft Exchange and other Microsoft products as Software-as-a-Service (SaaS). Whilst SaaS in general can help reduce the manual overhead of securing IT infrastructure, it doesn’t in any way rule out cyberattacks.

According to Hornetsecurity, every fourth business that uses Microsoft 365 has been affected by an email security vulnerability. Reading the Cyber Threat Report is really an eye opener for both individuals and businesses as to the risks we encounter, and often don’t even see, every time we carry out any form of digital interaction.

The Cyber Threat Report Edition 2021/22 from Hornetsecurity is available to download and read now.

April 2022 VMware Multi-Cloud Briefing

The VMware Multi-Cloud Briefing is an online quarterly series, in its fifth iteration, that brings vision, technology, and customer stories to the table. The briefing series has evolved through cloud platform, operations, and application development since its introduction in the summer of 2020. Both cloud technology and cloud adoption are advancing at a fast pace, and this April briefing provides an opportunity to see what’s new directly from VMware engineering, independent industry experts, and customers.

The latest session is opened with Joel Neeb, VP Execution and Transformation, VMware, and former F-15 pilot. Joel will talk through the history of aviation and the advancements in the cockpit, from having limited technology to running over 300 different instruments. With so many new features and capabilities, there comes a tipping point where it cannot be practically managed by a single operator, or it takes more time than it offers value. These instruments are now streamlined into a handful of features, displayed on screens instead of through switches and dials, with the computer systems surfacing what’s important to the operator at a given time.

We can learn from this approach, and apply similar models to be able to abstract and simplify multi-cloud complexity across different environments and locations. VMware Cross-Cloud Services can remove complexity, whilst enabling the agility of different cloud providers and the freedom to choose the right target environment for each application. Offering standardisation and consistency at the infrastructure layer allows scale and flexibility. Then, as requirements change and new use cases are uncovered, IT teams and developers can move quickly to accelerate overall business transformation.

VMware Cross-Cloud Services

The session continues with quick fire customer stories around streamlining operations with VMware technology, and a customer interview with S&P Global covering their approach to solving multi-cloud complexity. Later, we’ll also hear a partner perspective from DXC Technology, on how they work with customers to deliver multi-cloud outcomes, and what trends they are seeing across the market.

Next is a technology deep dive, starting out with examining how we’ve arrived at the complexity of running environments across public cloud, private cloud, and the edge. You can then expect to see:

  • How easy it is to add a new VMware environment to a hyperscaler, using vRealize Automation. In this demo we’ll start with an on-premises hosted environment, and scale out by spinning up new environments in the cloud, with the same management tooling and policies.
  • How to manage multiple cloud environments from a single tool, using vRealize Operations. In this demo we’ll look at a consistent way of managing and optimising resources, performance, capacity, and costs, with a unified troubleshooting interface.
  • How to add Kubernetes clusters in different hyperscalers to a common management plane, using Tanzu Mission Control. In this demo we’ll see how you can standardise the management of Kubernetes services, which will likely complement your existing virtual machine infrastructure. Furthermore, we’ll find out how Tanzu Service Mesh can secure the communication of micro-services between environments and across clouds. Tanzu Service Mesh is able to bring micro-services under the same security umbrella, and automate features like mutual TLS encryption across all services.

The final segment is an industry interview with IDC and VMware, talking about what it means for customers to standardise their infrastructure and cloud platforms. There are multiple layers of abstraction and standardisation, covering the likes of management, optimisation, and security. IDC will detail where you can start, and what they see as good first steps.

The April 2022 VMware Multi-Cloud Briefing, and associated launch blog, is now live and available on YouTube. The video is embedded below. You can watch the current and previous briefings on the VMware Multi-Cloud Briefing page; each video is between 30 and 40 minutes long.

VMware Multi-Cloud Briefing April 2022