VMware Skyline Advisor Pro Overview

Introduction

Skyline Advisor Pro is a cloud-based, proactive support technology that helps VMware customers avoid issues before they occur. It automates the capture and analysis of configurations, support bundles, and trend telemetry, and provides granular visibility throughout the global environment with predictive and prescriptive recommendations.

As well as proactive avoidance of downtime, Skyline also monitors and provides remediation guidance for security risks across the VMware estate. IT staff can spend less time fixing issues or manually searching through security vulnerabilities, and more time improving services and aligning to strategic initiatives. If an issue does occur, Skyline also helps speed up support request resolution, since VMware Global Support Services (GSS) already has visibility into the VMware logs through the Log Assist feature.

How Does Skyline Advisor Pro Work?

Skyline Advisor Pro is set up in the VMware Cloud Services portal. You need a Cloud Services Organisation to activate Skyline and any other VMware Cloud services. You can create a new org or use an existing one to group your VMware Cloud services together. The Cloud Services Organisation acts as a logical container where you will manage features like identity and access management, subscriptions, billing, and support. Skyline Advisor Pro is included at no extra cost for VMware customers with production and premier support, or vRealize Cloud Universal and Customer Success 360 consumers.

The Skyline Advisor Pro intelligence and user interface are provided and hosted as a cloud service, known as Software-as-a-Service (SaaS). The Skyline Collector is a small virtual appliance deployed in the customer's VMware environment; it facilitates the secure connection back to the SaaS control plane. The collector appliance is a standard OVA deployment, and will allocate 2 vCPU, 8 GB RAM, and 1.1 GB thin provisioned disk (or 87.1 GB thick provisioned).

Once the collector is deployed, endpoints for vCenter and other products can be added. Skyline Advisor Pro is able to provide proactive intelligence for vSphere, vSAN, NSX, VMware Cloud Foundation, Horizon, vRealize Automation, and vRealize Operations. After registering endpoints, the Skyline collector automatically and securely collates product usage data. Skyline then analyses the data to identify patterns, events, trends, design-compliance, and cross-product interaction.

Data collected is encrypted both at rest and in transit (transmitted back to the Skyline platform using the TLS 1.2 encryption protocol). Access is limited to VMware employees in customer support roles who have undergone full training. Although object names and IP addresses are included in the product usage data, no personally identifiable information is collected. Skyline is GDPR compliant and certified in SOC2, Cyber Essentials Plus, and others. You can find out more in the VMware Cloud Trust Centre and VMware Skyline Frequently Asked Questions; see also VMware Skyline Data Collection Examples.

Proactive findings and recommendations are presented back to users through the Skyline portal in the VMware Cloud console, or through the vRealize Operations Cloud integration. The availability of the Skyline collector is critical in ensuring visibility into the environment from the Skyline portal. Depending on the size and scale of the environment, you may have multiple collector appliances. You can learn more about the high level architecture in the Skyline Architecture Documentation.

Skyline Advisor Pro Components

What’s New in Skyline Advisor Pro?

Just before VMworld 2021, VMware announced Skyline Advisor Pro. This latest iteration provides a major step forward in user experience from its predecessor, and it’s not just dark mode either. Both functional and operational improvements have been made to the product.

Skyline Advisor Pro significantly accelerates data processing and insights, now surfacing issues and inventory changes within 4 hours. With the previous version of Skyline, this process was taking 48 hours. Further environment insights have been added to Skyline Advisor Pro, such as end of life notifications and historical insights. The Skyline Advisor Pro API now allows users to interrogate findings data with other tools, or trigger events to be sent to collaboration tools or ticketing systems. You can read more about these features in the VMware Skyline Advisor Pro is here blog.

Getting Started With Skyline Advisor Pro

The easiest way to enable Skyline Advisor Pro is to follow the Get Started link on the VMware Skyline product page. This will direct you to log into the VMware Cloud Services portal; use the corporate/work account that is aligned to an active support subscription. Once logged in you will be invited to create or select a Cloud Services Organisation and activate Skyline. The Skyline administrator role is assigned to your account as part of the process.

The onscreen instructions will allow you to download and link the collector appliance. You can also download the VMware Skyline Collector from the Customer Connect downloads site. When you deploy the OVA to your environment you will be prompted for configuration such as network settings and endpoint registration. For more detailed information see the Skyline Planning and Deployment section of the VMware Skyline Documentation.

After setup is complete the Skyline Advisor Pro panel is added to your available services in the VMware Cloud Services portal:

Skyline Advisor Pro Dashboard

Within the Findings and Recommendations tab you’ll be able to see findings with affected objects, risk, recommendations, and historical data. You can click into each finding for more information, context, and fixes or links to KB articles if applicable.

Another thing to note is that Skyline integrates with vRealize Operations (vROps), either using the management pack for on-premises vROps, or directly for vROps Cloud. To see which features and findings can be pulled into vROps see the Extending Skyline’s Integration with vRealize Operations Cloud via the Skyline Management Pack blog post.

Skyline Advisor Pro Active Findings

VMware Sovereign Cloud Overview

Introduction

It isn't a secret that the overwhelming majority of data hosted by enterprises in the cloud is with US-owned cloud providers. A study by the Centre for European Policy Studies in 2021 found that a whopping 92% of the western world's data is currently stored in the US. In principle that has been fine with organisations based in other countries, since the scale of these cloud providers was such that data locality was not a problem. The relevant security controls and technologies also exist to protect the data from unauthorised third parties.

Politically, however, the landscape is changing. The majority of the world's population is covered by privacy regulations in line with GDPR. The number of countries implementing data privacy laws has been increasing annually, for both personal and enterprise data. Furthermore, the very definition of personal information is evolving with our online presence, and it's only going to get more complex over time.

Thanks to the US Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, courts can instruct US companies to collect data on systems they manage, not just on US soil but, in theory, anywhere in the world. Separately, in July 2020, the Court of Justice of the European Union (CJEU) ruled on a case that essentially invalidated the EU/US Privacy Shield framework for transferring data outside of the EU.

This isn't just a European concern either; it's on the radar across other regions on a global scale. Legal cases and fines are starting to arise for organisations incorrectly interpreting GDPR, and there are still open questions about how legislation will be enforced internationally.

These are not isolated instances, and in conjunction with an increased risk of data breaches and more sophisticated cyber attacks, companies are starting to seriously consider repatriation of data stored overseas. Through the global network of VMware Cloud Provider Partners (VCPP), and the VMware Sovereign Cloud framework, VMware have the means to implement data sovereign solutions locally across any region.

What is VMware Sovereign Cloud?

VMware Sovereign Cloud is a framework of guiding principles and best practices to help partners deliver cloud services that adhere to the data sovereignty requirements of a specific jurisdiction. A sovereign cloud framework does not replace public cloud, nor does it replace industry compliance. In fact, the opposite is true: the sovereign cloud framework seeks to augment existing platforms and regulations, with a specific focus on putting the customer in complete control of their data.

This control is achieved by providing both data residency and data sovereignty with full jurisdictional control. Data residency relates to where the data is physically and geographically stored and processed. Due to the extreme scale of the main public cloud providers, this is something they are usually able to provide. Often, though, metadata (data about the data) can leak out into other regions, typically the US. In some cases, data residency alone is not sufficient to ensure compliance with data privacy laws. Data sovereignty relates to law: specifically, data being subject to the governance structure, and more importantly the jurisdiction, of the nation where the data is processed and stored.

Data still needs to be accessible, and this is a really important point. A sovereign cloud solution needs to not only protect critical data, but also unlock its value. Data can be extracted in a meaningful way, for both private and public sector organisations, whilst providing transparency around architecture and operations.

As an example, both my banking and health records are stored extremely securely in a data centre, with a bunch of regulatory and audit processes in place. However, I can access these records on demand using my mobile phone, a device over which my bank and my healthcare provider have no control. Equally, there may be times when others need to access the same records, either anonymised or with personally identifiable information: for example, if I applied for a credit-based financial service, or if I was referred to a healthcare specialist for a specific condition. Data sovereignty isn't about locking up data and making it inaccessible.

Clearly, data still needs to be accessible to the right people through an end client, device, or system, whilst maintaining the integrity of the data. It is important, therefore, to have an example architecture for how data can be exchanged, or one that acts as a landing platform for data collected from member states and repatriated from other regions. In implementing such an architecture, a national capability for the digital economy can be achieved, whilst securing data with audited security controls and ensuring compliance with data privacy laws.

High Level Sovereign Cloud Framework

The basis of a VMware Sovereign Cloud is the VMware reference architecture, in the form of VMware Validated Solutions (VVS) and the VMware Cloud Provider Partner (VCPP) stack. There is no need for a dedicated sovereign cloud reference architecture. Instead, an overlay is being introduced to organise the infrastructure into different security classifications and domains. This separation of security domains ensures there is no data leakage, of either primary data or metadata, outside of the required locality and jurisdiction.

The VMware Sovereign Cloud framework uses transparent, standardised, software-defined architectures along with a number of key principles and best practices:

  • Data sovereignty and jurisdictional control
    • Control, authority, and operations are fully managed within the jurisdiction of the nation state where that data was collected
  • Data access and integrity
    • Cloud infrastructure is resilient across at least 2 data centre locations within the jurisdiction, with secure and private connectivity options
  • Data security and compliance
    • Information security management system controls are audited and applied in line with industry recognised standards
  • Data independence and mobility
    • Data and application portability with modern application architectures to prevent lock-in

These key principles deliver benefits such as increased security, improved control, and continuous compliance, whilst future proofing services and unlocking the power of data. National and sovereign digital capabilities can be developed, with national data pooled together to fuel economic innovation and growth.

How Does VMware Sovereign Cloud Work?

The VMware Sovereign Cloud provider sets up an audited and approved cloud architecture for the customer in the relevant locality and jurisdiction. Each sovereign cloud must have at least 2 security domains within it. A security domain is typically built in software, with every IT system or data classification represented by one or more security domains.

Security domains provide a common authentication and authorisation boundary. The perimeter is typically protected by things like firewalls, access control, and application filters, whilst services like micro-segmentation can provide further optional security inside the security domain itself. You can think of a security domain as a logical network connectivity area with a common security posture; domains can be built specifically to house top-secret data, secret data, restricted data, and so on. The 2 types of security domains are as follows:

  • Sovereign domain
    • Used to connect out to other services, a similar concept to a DMZ; this security domain features the highest level of security and risk mitigation
  • Resident domain
    • Stores and processes data, and will only accept connections from its parent sovereign domain or other trusted resident domains in the same jurisdiction; this security domain features the highest level of trust and confidence

Security domains can be used to make secure connections out to other environments, such as the customer's private cloud or a commercial public cloud provider. The sovereign cloud architecture ensures that if the service is paired with commercial clouds, no data or metadata is leaked or escapes the sovereign cloud boundary.
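The connection rules for the two domain types above can be expressed as a small policy check. The following is an added illustration, not VMware's code or any part of the Sovereign Cloud framework; the domain names, jurisdictions and the "external" kind (standing in for a customer private cloud or a commercial public cloud) are constructed assumptions, as is the choice to let external traffic terminate only at the sovereign domain.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Domain:
    name: str
    kind: str                      # "sovereign", "resident" or "external" (assumed kinds)
    jurisdiction: str              # constructed sample values such as "UK"
    parent: Optional[str] = None   # resident domains name their sovereign parent
    trusted_peers: frozenset = frozenset()  # resident peers this domain accepts


def connection_allowed(src: Domain, dst: Domain) -> Tuple[bool, str]:
    """Apply the rules described above: a resident domain accepts only its
    parent sovereign domain or a trusted resident peer in the same
    jurisdiction; only the sovereign (DMZ-like) domain connects out; and
    external endpoints terminate at the sovereign domain (an assumption)."""
    if dst.kind == "resident":
        if src.jurisdiction != dst.jurisdiction:
            return False, "resident domains only accept in-jurisdiction sources"
        if src.kind == "sovereign" and src.name == dst.parent:
            return True, "parent sovereign domain"
        if src.kind == "resident" and src.name in dst.trusted_peers:
            return True, "trusted resident peer"
        return False, "resident domain rejects untrusted source"
    if dst.kind == "external":
        if src.kind == "sovereign":
            return True, "sovereign domain brokers the outbound connection"
        return False, "only the sovereign domain may connect out"
    # dst is a sovereign domain
    if src.kind == "external":
        return True, "external traffic terminates at the sovereign domain"
    if src.jurisdiction == dst.jurisdiction:
        return True, "in-jurisdiction connection to sovereign domain"
    return False, "cross-jurisdiction traffic denied"


def audit(domains: List[Domain], flows: List[Tuple[str, str]]):
    """Evaluate (src, dst) flows and return the denied ones with reasons."""
    by_name = {d.name: d for d in domains}
    return [(s, t, why) for s, t in flows
            if not (why := connection_allowed(by_name[s], by_name[t])[1])
            or not connection_allowed(by_name[s], by_name[t])[0]]


# Constructed sample environment: one UK sovereign cloud with two resident
# domains, a German sovereign domain, and a US-governed public cloud.
SAMPLE_DOMAINS = [
    Domain("uk-sov", "sovereign", "UK"),
    Domain("uk-health", "resident", "UK", parent="uk-sov",
           trusted_peers=frozenset({"uk-bank"})),
    Domain("uk-bank", "resident", "UK", parent="uk-sov"),
    Domain("de-sov", "sovereign", "DE"),
    Domain("aws-eu", "external", "US"),
]
SAMPLE_FLOWS = [
    ("uk-sov", "uk-health"), ("uk-bank", "uk-health"), ("uk-health", "uk-bank"),
    ("aws-eu", "uk-health"), ("uk-health", "aws-eu"), ("uk-sov", "aws-eu"),
    ("de-sov", "uk-sov"),
]

if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_DOMAINS, SAMPLE_FLOWS):
        print(f"DENY {src} -> {dst}: {reason}")
```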

The screenshot below is taken from the VMware Sovereign Cloud Technical Whitepaper, which provides a technical deep dive into the aspects and examples of sovereign cloud architectures and integrations. It shows how a sovereign cloud provider can host an application, whilst still consuming the benefits of public cloud services from AWS, Azure, Google, etc.

In this example, the data is encrypted and replicated between the sovereign cloud compliant provider and the public cloud, with the encryption keys stored only on the KMS server at the compliant provider. Other methods can also be used to integrate with third party tooling, such as anonymising data, or replacing sensitive data with specific key pair values that can then be mapped back on the sovereign cloud compliant provider.

Sovereign Cloud Compliancy Chain from the VMware Sovereign Cloud Technical Whitepaper

You can find a local VMware Sovereign Cloud provider, from the likes of Telefonica, UK Cloud, and OVH, on the VMware Cloud Provider Services page. Further reading material that may be of interest around sovereign cloud and the Gaia-X project in Europe is listed below.

What is Gaia-X?

Gaia-X is a broader project beyond sovereign cloud that attempts to build a federated cloud ecosystem of data, infrastructure, and service providers. The aim is to deliver European digital sovereignty with a future cloud architecture, whilst controlling the flow of data for an overarching state across different legislative boundaries.

Data assets should be able to move freely between approved providers, with both parties providing tools to assist with the migration process to prevent lock-in. Access permissions and data usage controls will travel with the data as it moves through the ecosystem. As with sovereign cloud, the hyperscalers are not excluded and can still participate, providing data sovereignty remains intact. VMware are contributing to the development of the Gaia-X reference architecture as a day 1 member.

Introducing VMware Cloud Flex Storage 1.0

Introduction

The uptake and importance of both cloud and data services has increased significantly over recent years. Since VMware Cloud on AWS was first introduced in 2017, the customer base has followed a similar trajectory, with new use cases being uncovered. As a result, customer expectations have also risen. Consumers now want elastic compute (the ability to scale compute independent of storage), elastic performance (the ability to scale IOPS independent of capacity), and elastic capacity (the ability to scale capacity independent of IOPS).

The very nature of VMware Cloud on AWS Hyper-Converged Infrastructure (HCI) nodes has afforded its users greater consolidation and compression ratios, and more flexibility around virtual machine sizing. The first node type introduced was the i3.metal with around 10.37 TiB raw storage, all based on local host NVMe SSD devices. VMware then experimented with an r5.metal node type, offering elastic vSAN backed by the automatic provisioning and management of AWS EBS volumes. The r5 was decommissioned shortly after, and the i3 node was joined by the i3en.metal. The i3en boasted a more powerful specification, including 45.84 TiB of raw capacity per host.

Whilst the i3en.metal node boosted the available storage capacity, it boosted compute with it. For large environments the power of the i3en node is great, but there was still a gap for those environments which were really heavily skewed in the direction of storage consumption, without the need for matching compute overhead.

What is VMware Cloud Flex Storage?

Enter VMware Cloud Flex Storage, announced today, March 29: a fully VMware-managed and integrated cloud storage service for VMware Cloud on AWS.

VMware Cloud Flex Storage provides disaggregated and elastic storage, catering for capacity-heavy workloads and lower performance needs. By augmenting vSAN as supplemental storage, customers can scale out attached storage without the growth in compute capacity.

NFS datastores of up to 400 TB and up to 150K IOPS can be attached to an SDDC cluster comprising either i3 or i3en nodes. Multiple datastores can be attached to a cluster, and a datastore can also be shared across clusters, enabling an initial target into the petabytes. As with the vSAN datastore, data is encrypted at rest by default. Customers can choose between a pay-as-you-go consumption model, or an optional subscription term with a minimum capacity buy-in.

VMware Cloud Flex Storage Overview

How Does VMware Cloud Flex Storage Work?

The traditional block storage used by vSAN in the hyper-converged nodes is designed for latency sensitive applications; it handles random transactional workloads well, and is simple to manage or consume. As outlined above, HCI block storage scales per host, as does the cost.

In the back end, VMware Cloud Flex Storage uses AWS S3 with a VMware-managed front end. Object based storage is typically not for latency sensitive workloads; however, the additional architecture built around the file system adds caching and I/O optimisation. The scale out file system itself is built on the same technology as VMware Cloud Disaster Recovery. Object storage is also highly durable, resilient across availability zones, low cost, and allows for more granular scaling of capacity, whilst only paying for consumption.

VMware Cloud Flex Storage mounts directly to the hosts using NFS. It resides in a separate VPC maintained by VMware, but connects in using a cross-VPC Elastic Network Interface (ENI). Writes are synchronously written to an HA pair of back end nodes before being moved into thin-provisioned cloud object storage. There are no customer managed VMs or cloud gateway type connectivity to worry about. Furthermore, existing vCenter and vROps tooling will be able to monitor performance, latency, IOPS, and availability.

VMware Cloud Flex Storage High Level Architecture

How Do I Access VMware Cloud Flex Storage?

Customers can apply for the early access program by emailing vmcfs_ea at vmware.com. Those accepted onto the program will be provided with a VMware Cloud on AWS SDDC with VMware Cloud Flex Storage for testing at no cost. Although no official date has been published for general availability, more information can be found in today's blog post Announcing Preview of VMware Cloud Flex Storage.

Featured image by Steve Johnson on Unsplash