VMware Skyline Advisor Pro Overview

Introduction

Skyline Advisor Pro is a cloud-based, proactive support service that helps VMware customers avoid issues before they occur. It automates the capture and analysis of configurations, support bundles, and trend telemetry, and provides granular visibility across the whole environment with predictive and prescriptive recommendations.

As well as proactively avoiding downtime, Skyline monitors for security risks across the VMware estate and provides remediation guidance for them. IT staff can spend less time fixing issues or manually searching through security vulnerabilities, and more time improving services and aligning with strategic initiatives. If an issue does occur, Skyline also helps speed up support request resolution, since VMware Global Support Services (GSS) can already see the relevant VMware logs through the Log Assist feature.

How Does Skyline Advisor Pro Work?

Skyline Advisor Pro is set up in the VMware Cloud Services portal. You need a Cloud Services Organisation to activate Skyline, as with any other VMware Cloud service. You can create a new org or use an existing one to group your VMware Cloud services together. The Cloud Services Organisation acts as a logical container in which you manage identity and access management, subscriptions, billing, and support. Skyline Advisor Pro is included at no extra cost for VMware customers with Production or Premier support, and for vRealize Cloud Universal and Customer Success 360 consumers.

The Skyline Advisor Pro intelligence and user interface are provided and hosted as a cloud service (Software-as-a-Service, SaaS). The Skyline Collector is a small virtual appliance deployed in the customer's VMware environment; it establishes the secure outbound connection back to the SaaS control plane. The collector appliance is a standard OVA deployment that allocates 2 vCPU, 8 GB RAM, and 1.1 GB of thin provisioned disk (87.1 GB thick provisioned). Because the collector holds credentials for every endpoint registered with it, treat it as a management appliance: register endpoints with a dedicated, least-privilege service account, restrict who can log in to the appliance, and keep it on a management network.

Once the collector is deployed, endpoints for vCenter Server and other products can be added. Skyline Advisor Pro provides proactive intelligence for vSphere, vSAN, NSX, VMware Cloud Foundation, Horizon, vRealize Automation, and vRealize Operations. After endpoints are registered, the Skyline Collector automatically and securely gathers product usage data. Skyline then analyses the data to identify patterns, events, trends, design compliance, and cross-product interactions.

Data collected is encrypted at rest and in transit (it is transmitted back to the Skyline platform over TLS 1.2). Access is limited to VMware employees in customer support roles who have undergone full training. Object names and IP addresses are included in the product usage data, and VMware states that no personally identifiable information is collected; since object names are chosen by you, check the VMware Skyline Data Collection Examples against your own naming conventions before registering endpoints. Skyline is GDPR compliant and certified against SOC 2, Cyber Essentials Plus, and others. You can find out more in the VMware Cloud Trust Centre and the VMware Skyline Frequently Asked Questions.

Proactive findings and recommendations are presented back to users through the Skyline portal in the VMware Cloud console, or through the vRealize Operations Cloud integration. The availability of the Skyline collector is critical in ensuring visibility into the environment from the Skyline portal. Depending on the size and scale of the environment, you may have multiple collector appliances. You can learn more about the high level architecture in the Skyline Architecture Documentation.

Skyline Advisor Pro Components

What’s New in Skyline Advisor Pro?

Just before VMworld 2021, VMware announced Skyline Advisor Pro. This latest iteration is a major step forward in user experience from its predecessor, and it's not just dark mode either. Both functional and operational improvements have been made to the product.

Skyline Advisor Pro significantly accelerates data processing and insights, now surfacing issues and inventory changes within 4 hours; with the previous Skyline Advisor this could take 48 hours. Further environment insights have been added, such as end of life notifications and historical insights. The Skyline Advisor Pro API now allows users to query findings data from other tools, or to trigger events to be sent to collaboration or ticketing systems. You can read more about these features in the VMware Skyline Advisor Pro is here blog.
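The kind of integration the API enables, as an added example that is not VMware's code: authenticate to the Cloud Services platform, pull the findings, de-duplicate them and turn the actionable ones into ticket payloads. The CSP token-exchange URL is the documented Cloud Services endpoint; the findings URL, the JSON field names (findingId, category, risk, kbArticle, affectedObjects) and the risk level names are assumptions for illustration and must be checked against the Skyline Advisor Pro API documentation. The sample findings are constructed so the triage logic runs offline.

```python
"""Added example, not VMware's code: query Skyline Advisor Pro findings and
turn the actionable ones into ticket payloads for a ticketing system.

Assumptions: CSP_TOKEN_URL is VMware's documented Cloud Services
token-exchange endpoint. FINDINGS_URL, the JSON field names and the risk
level names are ASSUMED for illustration; verify them against the Skyline
Advisor Pro API documentation before use.
"""
import json
import os
import urllib.parse
import urllib.request

CSP_TOKEN_URL = ("https://console.cloud.vmware.com/csp/gateway/am/api/"
                 "auth/api-tokens/authorize")
FINDINGS_URL = "https://skyline.vmware.com/public/api/data/findings"  # ASSUMED

# ASSUMED Skyline risk levels, ranked so they can be compared and sorted.
RISK_RANK = {"Critical": 3, "Moderate": 2, "Low": 1}


def get_access_token(api_token: str) -> str:
    """Exchange a long-lived CSP API token for a short-lived access token.

    The API token is a credential for the whole org: keep it in a secret
    store, never in source control, and scope it to the Skyline service.
    """
    body = urllib.parse.urlencode({"refresh_token": api_token}).encode()
    req = urllib.request.Request(
        CSP_TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def fetch_findings(access_token: str) -> list:
    """GET the findings list using the bearer token (URL and shape ASSUMED)."""
    req = urllib.request.Request(
        FINDINGS_URL, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)["findings"]


def triage(findings: list, min_risk: str = "Moderate",
           always: tuple = ("Security",)) -> list:
    """Collapse duplicate findings and keep the actionable ones.

    A finding is actionable when its risk is at least `min_risk`, or when
    its category is in `always` (security findings get a ticket at any risk
    level). The same findingId reported several times, e.g. by two
    collectors, yields one ticket with the union of affected objects.
    Tickets come back highest risk first, then by finding id.
    """
    threshold = RISK_RANK[min_risk]
    merged = {}
    for f in findings:
        rank = RISK_RANK.get(f.get("risk"), 0)
        if rank < threshold and f.get("category") not in always:
            continue
        t = merged.setdefault(f["findingId"], {
            "finding": f["findingId"], "risk": f.get("risk", "Unknown"),
            "category": f.get("category"), "kb": f.get("kbArticle"),
            "objects": set()})
        t["objects"].update(f.get("affectedObjects", []))
    tickets = []
    for t in merged.values():
        t["objects"] = sorted(t["objects"])
        t["summary"] = (f"[Skyline][{t['risk']}] {t['finding']} "
                        f"affects {len(t['objects'])} object(s)")
        tickets.append(t)
    tickets.sort(key=lambda t: (-RISK_RANK.get(t["risk"], 0), t["finding"]))
    return tickets


# Constructed sample findings in the ASSUMED shape, so triage() runs offline.
SAMPLE_FINDINGS = [
    {"findingId": "vSphere-SEC-EXAMPLE-1", "category": "Security",
     "risk": "Critical", "kbArticle": "example-kb",
     "affectedObjects": ["esx01.lab.local", "esx02.lab.local"]},
    {"findingId": "vSAN-DESIGN-EXAMPLE-1", "category": "Design",
     "risk": "Moderate", "kbArticle": None,
     "affectedObjects": ["vsan-cluster-01"]},
    {"findingId": "vSphere-SEC-EXAMPLE-2", "category": "Security",
     "risk": "Low", "kbArticle": None,
     "affectedObjects": ["vc01.lab.local"]},
    {"findingId": "vSphere-PERF-EXAMPLE-1", "category": "Performance",
     "risk": "Low", "kbArticle": None,
     "affectedObjects": ["esx04.lab.local"]},
    # Duplicate of the first finding from a second collector: same ticket.
    {"findingId": "vSphere-SEC-EXAMPLE-1", "category": "Security",
     "risk": "Critical", "kbArticle": "example-kb",
     "affectedObjects": ["esx03.lab.local", "esx01.lab.local"]},
]

if __name__ == "__main__":
    token = os.environ.get("CSP_API_TOKEN")
    findings = fetch_findings(get_access_token(token)) if token else SAMPLE_FINDINGS
    for ticket in triage(findings):
        print(ticket["summary"], ticket["objects"])
```

Run with `CSP_API_TOKEN` set to call the live API, or without it to exercise the triage on the constructed sample. Merging on finding id matters: the same finding reported by two collectors, or again after a 4-hour refresh, should update the existing ticket rather than open a new one, and the affected-object list is what an operator needs to scope the fix.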

Getting Started With Skyline Advisor Pro

The easiest way to enable Skyline Advisor Pro is to follow the Get Started link on the VMware Skyline product page. This directs you to log in to the VMware Cloud Services portal; use the corporate/work account that is aligned with an active support subscription. Once logged in you are invited to create or select a Cloud Services Organisation and activate Skyline; the Skyline administrator role is assigned to your account as part of the process.

The onscreen instructions walk you through downloading and linking the collector appliance. You can also download the VMware Skyline Collector from the Customer Connect downloads site. When you deploy the OVA to your environment you are prompted for configuration such as network settings and endpoint registration. For more detailed information see the Skyline Planning and Deployment section of the VMware Skyline Documentation.

After setup is complete, the Skyline Advisor Pro panel is added to your available services in the VMware Cloud Services portal:

Skyline Advisor Pro Dashboard

Within the Findings and Recommendations tab you’ll be able to see findings with affected objects, risk, recommendations, and historical data. You can click into each finding for more information, context, and fixes or links to KB articles if applicable.

Note that Skyline integrates with vRealize Operations (vROps), either using the management pack for on-premises vROps, or directly for vROps Cloud. To see which features and findings can be pulled into vROps, see the Extending Skyline's Integration with vRealize Operations Cloud via the Skyline Management Pack blog post.

Skyline Advisor Pro Active Findings

VMware Sovereign Cloud Overview

Introduction

It isn't a secret that the overwhelming majority of data hosted by enterprises in the cloud is with US-owned cloud providers, but a 2021 study by the Centre for European Policy Studies found that a whopping 92% of the western world's data is currently stored in the US. In principle that has been fine for organisations based in other countries, since the scale of these cloud providers was such that data locality was not a problem, and the security controls and technologies exist to protect the data from unauthorised third parties.

Politically, however, the landscape is changing. The majority of the world's population is now covered by privacy regulations in line with GDPR. The number of countries implementing data privacy laws has been increasing annually, for both personal and enterprise data. Furthermore, the very definition of personal information is evolving with our online presence, and it is only going to get more complex over time.

Under the US Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, US authorities can compel US companies to hand over data held on systems they control, not just on US soil but, in theory, anywhere in the world. Separately, in July 2020 the Court of Justice of the European Union (CJEU) ruled in the Schrems II case, which invalidated the EU/US Privacy Shield framework for transferring data outside of the EU.

This isn’t just a European concern either, it’s on the radar across other regions on a global scale. Legal cases and fines are starting to arise for organisations incorrectly interpreting GDPR, and there are still open questions about how legislation will be enforced internationally.

These are not isolated instances, and in conjunction with an increased risk of data breaches and more sophisticated cyber attacks, companies are starting to seriously consider repatriation of data stored overseas. Through the global network of VMware Cloud Provider Partners (VCPP), and the VMware Sovereign Cloud framework, VMware have the means to implement data sovereign solutions locally across any region.

What is VMware Sovereign Cloud?

VMware Sovereign Cloud is a framework of guiding principles and best practices to help partners deliver cloud services that adhere to the data sovereignty requirements of a specific jurisdiction. A sovereign cloud framework does not replace public cloud, nor does it replace industry compliance. In fact the opposite is true, the sovereign cloud framework seeks to augment existing platforms and regulations, with a specific focus on putting the customer in complete control of their data.

This control comes from providing both data residency and data sovereignty, with full jurisdictional control. Data residency relates to where the data is physically and geographically stored and processed. Due to the extreme scale of the main public cloud providers, this is something they are usually able to provide. Often, though, metadata (data about the data) leaks out into other regions, typically the US, so in some cases data residency alone is not sufficient to ensure compliance with data privacy laws. Data sovereignty relates to law: data being subject to the governance structure, and more importantly the jurisdiction, of the nation where it is processed and stored.

Data still needs to be accessible, and this is a really important point. A sovereign cloud solution needs to not only protect critical data, but also unlock its value. Data can be extracted in a meaningful way, for both private and public sector organisations, whilst providing transparency around architecture and operations.

As an example, both my banking and health records are stored extremely securely in a data centre, with a bunch of regulatory and audit processes in place. However, I can access these records on demand using my mobile phone, a device my bank and my healthcare provider have no control over. Equally, there may be times when others need to access the same records, either anonymised or with personally identifiable information, such as if I applied for a credit-based financial service, or was referred to a healthcare specialist for a specific condition. Data sovereignty isn't about locking up data and making it inaccessible.

Clearly, data still needs to be accessible to the right people through an end client, device, or system, whilst maintaining the integrity of the data. It is important therefore, to have an example architecture for how data can be exchanged, or act as a landing platform for data collected from member states and repatriated from other regions. In implementing such an architecture, a national capability for the digital economy can be achieved, whilst securing data with audited security controls, and ensuring compliance with data privacy laws.

High Level Sovereign Cloud Framework

The basis of a VMware Sovereign Cloud is the VMware reference architecture, in the form of VMware Validated Solutions (VVS) and the VMware Cloud Provider Partner (VCPP) stack. There is no need for a dedicated sovereign cloud reference architecture. Instead, an overlay is being introduced to organise the infrastructure into different security classifications and domains. This separation of security domains ensures there is no data leakage, of either primary data or metadata, outside of the required locality and jurisdiction.

The VMware Sovereign Cloud framework uses transparent, standardised, software-defined architectures along with a number of key principles and best practices:

  • Data sovereignty and jurisdictional control
    • Control, authority, and operations are fully managed within the jurisdiction of the nation state where that data was collected
  • Data access and integrity
    • Cloud infrastructure is resilient across at least 2 data centre locations within the jurisdiction, with secure and private connectivity options
  • Data security and compliance
    • Information security management system controls are audited and applied in line with industry recognised standards
  • Data independence and mobility
    • Data and application portability with modern application architectures to prevent lock-in

These key principles deliver benefits such as increased security, improved control, and continuous compliance, whilst future proofing services and unlocking the power of data. National and sovereign digital capabilities can be developed, with national data pooled together to fuel economic innovation and growth.

How Does VMware Sovereign Cloud Work?

The VMware Sovereign Cloud provider sets up an audited and approved cloud architecture for the customer in the relevant locality and jurisdiction. Each sovereign cloud must have at least 2 security domains within it. Security domains are typically built in software, with each IT system or data classification mapped to one or more security domains.

Security domains provide a common authentication and authorisation boundary. The perimeter is typically protected by firewalls, access control, and application filters, whilst micro-segmentation can provide further optional security inside the security domain itself. You can think of a security domain as a logical network connectivity area with a common security posture; domains can be built specifically to house top-secret data, secret data, restricted data, and so on. The 2 types of security domain are as follows:

  • Sovereign domain
    • Used to connect out to other services, similar in concept to a DMZ; this security domain carries the highest level of security and risk mitigation
  • Resident domain
    • Stores and processes data, and only accepts connections from its parent sovereign domain or from other trusted resident domains in the same jurisdiction; this security domain carries the highest level of trust and confidence

Security domains can be used to make secure connections out to other environments, such as the customer's private cloud or a commercial public cloud provider. The sovereign cloud architecture ensures that if the service is paired with commercial clouds, no data or metadata leaks across the sovereign cloud boundary.

The screenshot below is taken from the VMware Sovereign Cloud Technical Whitepaper, which provides a technical deep dive into the aspects and examples of sovereign cloud architectures and integrations. It shows how a sovereign cloud provider can host an application, whilst still consuming the benefits of public cloud services from AWS, Azure, Google, etc.

In this example, the data is encrypted and replicated between the sovereign cloud compliant provider and the public cloud, with the encryption keys held only in the KMS at the compliant provider, so the public cloud holds ciphertext it cannot read. Other methods can also be used to integrate with third party tooling, such as anonymising data, or replacing sensitive fields with surrogate values (tokenisation) whose mapping table is held only at the sovereign cloud compliant provider and is used to map the values back.
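The tokenisation method just described, as an added example that is not from the VMware whitepaper: sensitive fields are swapped for random surrogate values before a record is replicated to a public cloud, and mapped back when it returns, with the vault that links tokens to real values kept inside the sovereign domain in the same trust position as the KMS in the encryption case. The field names, record layout and values are constructed for illustration.

```python
"""Added example, not from the VMware whitepaper: tokenise sensitive fields
before a record is replicated to a public cloud, and map them back when the
record returns. The vault linking tokens to real values stays inside the
sovereign cloud; the public cloud side only ever holds tokens.

Field names, record layout and values are constructed for illustration.
"""
import secrets

# Fields that must never leave the sovereign domain in clear (ASSUMED list).
SENSITIVE_FIELDS = ("national_id", "full_name", "iban")


class TokenVault:
    """Token <-> value mapping that is held only by the sovereign provider."""

    def __init__(self):
        self._by_token = {}   # token -> real value
        self._by_value = {}   # (field, real value) -> token, for consistency

    def tokenize(self, field, value):
        key = (field, value)
        if key in self._by_value:          # same value, same token: joins and
            return self._by_value[key]     # de-duplication still work outside
        # Tokens are random, not derived from the value: someone holding only
        # tokens cannot recover short values (IDs, names) by hashing guesses.
        while True:
            token = f"tok_{field}_{secrets.token_hex(8)}"
            if token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[key] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]


def export_record(record, vault):
    """Copy of `record` that is safe to replicate outside: every sensitive
    field is replaced by a token, all other fields pass through unchanged."""
    return {k: (vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def import_record(exported, vault):
    """Inverse of export_record; only runs where the vault lives."""
    return {k: (vault.detokenize(v) if k in SENSITIVE_FIELDS else v)
            for k, v in exported.items()}


def leaks_sensitive(exported, original):
    """True if any sensitive clear-text value survived in the exported copy."""
    clear = {str(original[f]) for f in SENSITIVE_FIELDS if f in original}
    return any(str(v) in clear for v in exported.values())


# Constructed sample records (fictitious people and identifiers).
RECORDS = [
    {"patient_ref": 1, "full_name": "Example Person", "national_id": "AB123456C",
     "iban": "GB00EXMP00000000000000", "appointment": "2024-05-01",
     "clinic": "north"},
    {"patient_ref": 2, "full_name": "Example Person", "national_id": "XY987654Z",
     "iban": "GB00EXMP11111111111111", "appointment": "2024-05-02",
     "clinic": "south"},
]

if __name__ == "__main__":
    vault = TokenVault()                      # stays with the sovereign provider
    outbound = [export_record(r, vault) for r in RECORDS]
    print(outbound)                           # what the public cloud receives
    print([import_record(e, vault) for e in outbound] == RECORDS)
```

Two design points carry over to a real deployment. Tokens are random rather than hashed, so a copy of the public-cloud data set gives an attacker nothing to brute-force; the cost is that the vault becomes the single secret, and a persistent vault needs the same encryption, access control and audit trail the whitepaper requires of the KMS. Consistent tokens for repeated values keep joins and aggregates working in the public cloud, which is what lets the data be used without exposing it.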

Sovereign Cloud Compliancy Chain from the VMware Sovereign Cloud Technical Whitepaper

You can find a local VMware Sovereign Cloud provider, from the likes of Telefonica, UK Cloud, and OVH, on the VMware Cloud Provider Services page. Further reading material that may be of interest around sovereign cloud and the Gaia-X project in Europe is listed below.

What is Gaia-X?

Gaia-X is a broader project than sovereign cloud, which attempts to build a federated cloud ecosystem of data, infrastructure, and service providers. The aim is to deliver European digital sovereignty with a future cloud architecture, whilst controlling the flow of data across different legislative boundaries.

Data assets should be able to move freely between approved providers, with both parties providing tools to assist with the migration process to prevent lock-in. Access permissions and data usage controls will travel with the data as it moves through the ecosystem. As with sovereign cloud, the hyperscalers are not excluded and can still participate, providing data sovereignty remains intact. VMware are contributing to the development of the Gaia-X reference architecture as a day 1 member.

VMware Cloud on AWS Outposts Overview

Introduction

Managed and as-a-service models are a growing trend across infrastructure consumers. Customers in general want ease and consistency within both IT and finance, for example opting to shift towards OpEx funding models.

For large or enterprise organisations with significant investments in existing technologies, processes, and skills, refactoring everything into cloud native services can be complex and expensive. For these types of environments the strategy has sharpened from Cloud-First to Cloud-Smart. A Cloud-Smart approach enables customers to transition to the cloud quickly where it makes sense to do so, without tearing up roots on existing live services, and workloads or data that do not have a natural progression to traditional cloud.

In addition to the operational complexities of rearchitecting services, many industries have strict regulatory and compliance rules that must be adhered to. Customers may have specific security standards or customised policies requiring sensitive data to be located on-premises, under their own physical control. Applications may also have low latency requirements or the need to be located in close proximity to data processing or back end systems. This is where VMware Local Cloud as a Service (LCaaS) can help combine the key benefits from both public cloud and on-premises environments.

What is VMware Cloud on AWS Outposts?

VMware Cloud on AWS Outposts is a jointly engineered solution, bringing AWS hardware and the VMware Software Defined Data Centre (SDDC) to the customer premises. The relationship with AWS is VMware's longest standing hyperscaler partnership, and VMware Cloud on AWS is the most mature of the multi-cloud offerings from VMware, having been available since August 2017. In October 2021, at VMworld, VMware announced general availability of VMware Cloud on AWS Outposts.

VMware Cloud on AWS Outposts is a fully managed service, as if it were in an AWS location, with consistent APIs. It is built on the same AWS-designed bare metal infrastructure using the AWS Nitro System, assembled into a dedicated rack, and then installed in the customer site ready to be plumbed into power and networking. The term Outpost is a logical construct that is used to pool capacity from 1 or more racks of servers.

The VMware SDDC overlay and hardware underlay comprise:

  • VMware vSphere and vCenter for compute virtualisation and management
  • VMware vSAN for storage virtualisation
  • VMware NSX-T for network virtualisation
  • VMware HCX for live migration of virtual machines with stretched Layer 2 capability
  • 3-8 AWS managed dedicated Nitro-based i3en.metal EC2 instances with local SSD storage
  • Non-chargeable standby node in each rack for service continuity
  • Fully assembled standard 42U rack
  • Redundant Top of Rack (ToR) data plane switches
  • Redundant power conversion unit and DC distribution system (with support for redundant power feeds)

At the time of writing the i3en.metal is the only node type available with VMware Cloud on AWS Outposts. The node specification is as follows:

  • 48 physical CPU cores, with hyperthreading enabled delivering 96 logical cores
  • 768 GiB RAM
  • 45.84 TiB (50 TB) raw capacity per host, delivering up to 40.35 TiB of usable storage capacity per host depending on RAID and FTT configuration

Both scale-out and multi-rack capabilities are currently not available, but are expected. It is also expected that the maximum node count will increase over time, check with your VMware or AWS teams for the most up to date information.

Once the rack is installed on-site, the customer is responsible for power, connectivity into the LAN, and environmental prerequisites such as temperature, humidity, and airflow. The customer is also responsible for the physical security of the Outpost location; each rack has a lockable door and tamper detection features, and each server contains a removable Nitro Security Key that can be destroyed to render the data on that server unreadable, for example when hardware is returned or decommissioned. Data on the Outpost is encrypted at rest, and in transit both between nodes in the Outpost and back to the AWS region.

Inside the rack, all the hardware is managed and maintained by AWS and VMware, this includes things like firmware updates and failure replacements. VMware are the single support contact for the service regardless of whether the issue is hardware or software related. Additionally, VMware take on the lifecycle management of the full SDDC stack. Customers can run virtual machines using familiar tooling without having to worry about vSphere, vSAN, and NSX upgrades or security patches. Included in the cost ‘per node’ is all hardware within the rack, the VMware SDDC licensing, and the managed service and support.

Existing vCenter environments running vSphere 6.5 or later can be connected in Hybrid Linked Mode for ease of management. Unfortunately for consumers of Microsoft licensing, such as Windows and SQL, Outposts are still treated as AWS cloud infrastructure (in other words not customer on-premises).

Why VMware Cloud on AWS Outposts?

VMware Cloud on AWS Outposts provides a standardised platform with built-in availability and resiliency, continuous lifecycle management, proactive monitoring, and enhanced security. VMware Cloud on AWS delivers a developer ready infrastructure that can now be stood up in both AWS and customer locations in a matter of weeks. Using VMware Cloud on AWS, virtual machines can be moved bi-directionally across environments without the need for application refactoring or conversion.

The initial use case for VMware Cloud on AWS Outposts is existing VMware or VMware Cloud on AWS customers with workloads that must remain on-premises. This could be for regulatory and compliance reasons, or app/data proximity and latency requirements. As features and configurations start to scale, further use cases will no doubt become more prominent.

You can also use other AWS services with Outposts, however you have to make a decision on a per-rack basis whether you are running VMware Cloud on AWS for that rack, or native AWS services. The deployment of the rack is dedicated to one or the other.

VMware Cloud on AWS Outposts Network Connectivity

VMware Cloud on AWS Outposts requires a connection back to a parent VMware Cloud on AWS supported region, or more specifically an availability zone. Conceptually, you can think of the physical VMware Cloud on AWS Outposts installation as an extension of that availability zone. The connection back to AWS is used for the VMware Cloud control plane, also known as the service link.

The service link needs a minimum of 1 Gbps bandwidth with a maximum of 150 ms latency, either over a Direct Connect or over the public internet using a VPN. Public Amazon Elastic IPs are used for the service link endpoint. Although VMware Cloud on AWS Outposts is not designed to operate in environments with limited or no connectivity, in the event of a service link outage the local SDDC continues to function as normal, including vCenter access and VM operations. What a service link outage does prevent is monitoring, and access to configuration and other functionality, from the VMware Cloud portal, so alert on the link's availability as you would any management-plane dependency.

There is no charge for data transfer from VMware Cloud on AWS Outposts back to the connected region. Data transfer from the parent availability zone to the VMware Cloud on AWS Outposts environment will incur the standard AWS inter-AZ VPC data transfer charges.

Customers can use the connected VPC in the customer managed AWS account to access native AWS services in the cloud, either using the Elastic Network Interface (ENI) or VMware Transit Connect.

The Local Gateway (LGW) is an Outposts-specific logical construct used to route traffic to and from the existing on-premises network. This traffic stays within the local site allowing for optimised traffic flow and low latency communication. There is no data transfer cost for data traversing the LGW, either out to the internet or to your local network.

For more information on network connectivity and VMware Cloud on AWS Outposts in general, take a look at the AWS re:Invent 2021 session – A technical deep dive on VMware Cloud on AWS Outposts.

VMware Cloud on AWS Outposts LGW example

Getting Started with VMware Cloud on AWS Outposts

You can view a demo of the steps in the VMware Cloud on AWS Outposts: Order Flow video. At a high level, the process is as follows:

  • Extensive workshops are carried out between VMware and/or AWS and the customer
  • If the customer is a new VMware Cloud customer then a new org is created with a unique org ID
    • Customer pre-req: a VMware Cloud account and org is required
  • The customer receives an invite to join the VMware Cloud on AWS Outposts service through email
  • The customer places an order via the VMware Cloud console
    • Customer pre-req: customer AWS account with VPC and dedicated subnet, if using a private VIF for Direct Connect, then the VIF should already be created in the customer AWS account
    • Customer pre-req: knowledge of the facility, power, and network setup*
    • Customer pre-req: knowledge of desired instance count and configuration
  • The customer receives and responds to the request to submit logical networking information
    • This information is gathered during the customer workshop. The service link requires a dedicated VLAN and a /26 subnet, the SDDC management network requires a dedicated /23 at minimum, and an additional CIDR block needs to be allocated for compute networks
  • AWS schedule and carry out a site survey
  • AWS builds and delivers the rack
  • Final onsite provisioning is carried out by AWS and validated by VMware
  • VMware notify the customer the environment is ready to use
  • The SDDC is provisioned through automated workflows as instructed by the customer

*full details of the facility, power, and network requirements for the local site can be found in the AWS Outposts requirements page
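A pre-flight check on the logical networking information requested in the order flow above, as an added example that is not from VMware or AWS documentation. It enforces the prefix sizes stated above (service link /26, SDDC management network at least /23, plus a compute CIDR); requiring that the three blocks do not overlap each other or any network already in use on site, and that the service link VLAN is unused, is this example's own routing sanity check rather than a VMware or AWS rule. The sample plans and existing networks are constructed.

```python
"""Added example, not from VMware or AWS documentation: a pre-flight check on
the logical networking information requested during onboarding, using only
the Python standard library.

The prefix sizes enforced are the ones stated in the order flow (service
link /26, SDDC management network at least /23, plus a compute CIDR). The
no-overlap and unused-VLAN checks are this example's own assumption, not a
VMware or AWS rule. The sample plans are constructed.
"""
import ipaddress

# Largest acceptable prefix length per block ("/23 minimum" means 23 or lower).
MAX_PREFIXLEN = {"service_link": 26, "management": 23}
CIDR_KEYS = ("service_link", "management", "compute")


def validate_plan(plan: dict, existing: dict) -> list:
    """Return a list of problem strings; an empty list means the plan passes.

    plan:     {"service_link_vlan": 300, "service_link": "10.10.0.0/26",
               "management": "10.20.0.0/23", "compute": "10.30.0.0/20"}
    existing: {"networks": [CIDR strings in use], "vlans": [VLAN ids in use]}
    """
    problems = []
    nets = {}
    for name in CIDR_KEYS:
        cidr = plan.get(name)
        if cidr is None:
            problems.append(f"{name}: missing")
            continue
        try:
            # strict=True rejects host bits set, e.g. 10.10.0.5/26.
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as err:
            problems.append(f"{name}: {cidr} is not a valid network ({err})")

    for name, limit in MAX_PREFIXLEN.items():
        net = nets.get(name)
        if net is not None and net.prefixlen > limit:
            problems.append(f"{name}: {net} is smaller than the required /{limit}")

    vlan = plan.get("service_link_vlan")
    if not isinstance(vlan, int) or not 1 <= vlan <= 4094:
        problems.append(f"service_link_vlan: {vlan!r} is not a valid VLAN id")
    elif vlan in existing.get("vlans", []):
        problems.append(f"service_link_vlan: VLAN {vlan} is already in use")

    names = [n for n in CIDR_KEYS if n in nets]
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    for name in names:
        for cidr in existing.get("networks", []):
            other = ipaddress.ip_network(cidr, strict=False)
            if nets[name].overlaps(other):
                problems.append(f"{name} {nets[name]} overlaps existing network {other}")
    return problems


# Constructed sample input.
EXISTING = {"networks": ["10.0.0.0/16", "192.168.0.0/16"], "vlans": [100, 200]}
GOOD_PLAN = {"service_link_vlan": 300, "service_link": "10.10.0.0/26",
             "management": "10.20.0.0/23", "compute": "10.30.0.0/20"}
BAD_PLAN = {"service_link_vlan": 100, "service_link": "10.10.0.0/27",
            "management": "10.20.0.0/24", "compute": "10.0.0.0/8"}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_plan(plan, EXISTING) or "OK")
```

Running this against the plan before the site survey catches the mistakes that are expensive to fix after the rack has shipped: a management block that is too small to grow into, or a compute CIDR that collides with an existing site network and so cannot be routed through the Local Gateway.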

The VMware Cloud on AWS Outposts solution brief provides more information, and you can find an overview, pricing, and FAQ section on the VMware Cloud on AWS Outposts solution page. AWS also have their own version of the VMware Cloud on AWS Outposts FAQ page.

Another great place to get started is the VMware Cloud Tech Zone, and for AWS specifically the VMware Cloud on AWS Tech Zone.

VMware Cloud on AWS Tech Zone