VMware Cloud on Dell EMC

VMware Cloud on Dell EMC Overview

by esxsiLeave a Comment on VMware Cloud on Dell EMC Overview

Introduction

Managed and as-a-service models are a growing trend across infrastructure consumers. Customers in general want ease and consistency within both IT and finance, for example opting to shift towards OpEx funding models.

For large or enterprise organisations with significant investments in existing technologies, processes, and skills, refactoring everything into cloud native services can be complex and expensive. For these types of environments the strategy has sharpened from Cloud-First to Cloud-Smart. A Cloud-Smart approach enables customers to transition to the cloud quickly where it makes sense to do so, without tearing up roots on existing live services, and workloads or data that do not have a natural progression to traditional cloud.

In addition to the operational complexities of rearchitecting services, many industries have strict regulatory and compliance rules that must be adhered to. Customers may have specific security standards or customised policies requiring sensitive data to be located on-premises, under their own physical control. Applications may also have low latency requirements or the need to be located in close proximity to data processing or back end systems. This is where VMware Local Cloud as a Service (LCaaS) can help combine the key benefits from both public cloud and on-premises environments.

What is VMware Cloud on Dell EMC?

VMware Cloud on Dell EMC is a fully managed Infrastructure-as-a-Service (IaaS) local-cloud deployment. A dedicated rack with all supporting hardware and equipment is wheeled into the customer site where it is maintained directly by VMware Site Reliability Engineering (SRE). The customer provides the physical location for the rack to sit, the power source, and the existing network for the data plane switches to plug into.

VMware Cloud on Dell EMC delivers a fully integrated software and hardware stack, jointly engineered by VMware and Dell EMC.

VMware Cloud on Dell EMC Overview

The VMware Software Defined Data Centre (SDDC) overlay, and hardware underlay, comprises of:

  • VMware vSphere and vCenter for compute virtualisation and management
  • VMware vSAN for storage virtualisation
  • VMware NSX-T for network virtualisation
  • VMware HCX for live migration of virtual machines with stretched Layer 2 capability
  • 3-26 Dell VxRail Hyper-Converged Infrastructure (HCI) nodes per full-height rack (and currently up to 3 racks per SDDC)
  • 1 non-chargeable standby VxRail node per rack for service continuity
  • Redundant Power Distribution Units (PDUs)
  • Uninterruptible Power Supply (UPS) for half-height rack configurations
  • Redundant Top of Rack (ToR) data plane switches
  • Redundant VMware SD-WAN appliances for remote management

All of this is delivered in a dedicated rack, as a fully managed service, with a single point of support directly with VMware. VMware SRE will take care of updating and maintaining all components of the software overlay, firmware updates, and management or repair of the underlying hardware. The customer maintains responsibility for the virtual machines they run on the infrastructure, plus configuration like network and storage policies. Let’s take a deeper dive.. you can also find out more from the VMware Cloud on Dell EMC product page, or the VMware Cloud on Dell EMC Solution Overview Brief.

VMware Cloud on Dell EMC can be used in any location the customer has authority to land equipment into. A site survey needs to be carried out before kit is shipped and installed. VMware is the single point of contact for support (unless you are purchasing through Dell APEX, more on that at the end of this post). For support issues that require an on-site fix, a Dell engineer will attend, but VMware will manage that support case directly. The subscription price per-node is inclusive of all hardware, software, licensing, support, and services, outlined in the graphic below.

VMware Cloud on Dell EMC What’s Included

The VMware SRE boundary ends at the LAN link into the customers network (beyond the ToR switches), VMware teams have no access beyond this point. Equally, the customer boundary ends at the LAN link between the SDDC and the VeloCloud Edge devices in the rack. The VeloCloud Edge devices provide connectivity over VMware’s SD-WAN using a secure IPSEC tunnel, and will need outbound connectivity on ports TCP 443 and UDP 2426.

There are multiple security processes in place to protect against unauthorised access. For example, in order to access a customer environment, a support engineer must generate one-time, time-sensitive credentials, which require a support case to be raised in the system. All activity is logged and monitored by VMware’s Cyber Security Operations Centre (CSOC), and can also be logged into a similar customer setup. Further references and information can be found in the VMware Cloud on Dell EMC Shared Responsibility Model Overview.

VMware Cloud on Dell EMC hosts come in standardised ‘T-Shirt’ sizes to optimise CPU, memory, and storage resources. Currently there are 6 different node sizes from extra small through extra large. You can find full specifications of the node sizes and rack types in the VMware Cloud on Dell EMC Service Data Sheet. Here is a quick run down of the sizing naming convention:

VMware Cloud on Dell EMC Node Sizing Guide

Why VMware Cloud on Dell EMC?

You’ll see me advocate public cloud a lot on this blog, but on-premises infrastructure often has its use cases. Data sovereignty, regulatory and compliance, workload to data proximity, latency requirements, local control, and existing investments all spring to mind. Running infrastructure at the edge is also becoming more prominent and overlaps with some of these use cases. As systems are more distributed, and consumers have more choice, there are many benefits in creating consistent application, infrastructure, and operating experiences across private cloud, public cloud, and edge locations.

VMware Cloud on Dell EMC benefits from a cloud operating and delivery model, whilst being classed as an on-premises service. This means that regulatory and data sovereignty requirements can be satisfied as all customer data is held on the local hardware. The VMware SD-WAN appliances and VMware Cloud portal are only used for management, without any further access into the customers network. VI admins continue to use vCenter Server as normal to manage virtual machines, however they no longer need to worry about maintaining the underlying infrastructure. IT teams now benefit from a managed service operating model with a predictable subscription-based monthly or annual outgoing, without the hardware ownership depreciation and management overhead.

VMware Cloud on Dell EMC Use Cases

A great use case for VMware Cloud on Dell EMC is VDI. Whether or not you have data or application proximity requirements, the Hyper-Converged Infrastructure (HCI) and node size configurations fit exceptionally well with virtual desktops utilising hyper-threading and instant clone technology. The SDDC can be built as a brand new pod, or used to extend an existing pod within the customers environment.

At the time of writing Horizon perpetual licenses can be used to run virtual desktops on VMware Cloud on Dell EMC, along with existing Microsoft licensing. A common consideration of moving VDI to the cloud is around Microsoft license mobility for Windows, Office 365, and SQL, and the requirement for Horizon Universal. Microsoft treat this solution as customer on-premises, which means that implementing VMware LCaaS delivers the best of both worlds. You can read more about the VDI use case in the VMware Horizon Deployed on VMware Cloud on Dell EMC technical overview.

As well as VDI, other popular use cases for VMware Cloud on Dell EMC include data centre modernisation, a change in IT funding model, application modernisation, and services with low latency, sensitive data, or data sovereignty requirements. VMware Cloud on Dell EMC integrates seamlessly with existing on-premises environments, with continuity of third party tools and processes already in place, such as backups, monitoring, and security. Hybrid Linked Mode allows single pane of glass management of vCenter Servers across IaaS and self-managed infrastructure. You can find out more about the benefits of VMware Cloud on Dell EMC, including Total Cost of Ownership (TCO) improvements, in the VMware Cloud Economics data sheet.

VMware Local Cloud as a Service (LCaaS)

Getting Started with VMware Cloud on Dell EMC

VMware Cloud on Dell EMC can be ordered, customised, and scaled through the VMware Cloud portal. Delivery and installation takes place in a matter of weeks, including the site survey. Check with your VMware or Dell account team for up to date time timelines, I have been quoted between 4-8 weeks at the time of writing (early 2022) which may fluctuate depending on hardware availability. The service is available in the UK, USA, France, and Germany, with plans to roll out to further regions.

When ordering the service, the customer can select the rack type and see full details of the host capacity, network bandwidth, height in rack units, and power configuration. The customer will be asked to confirm that the site location meets the rack requirements, including rack dimensions, power source, and environmental variables such as temperature and humidity.

VMware Cloud on Dell EMC Example Requirements

Next the customer will be asked to select the host type, the number of hosts, and provide the networking settings. A CIDR block is needed for the management subnets, including rack out-of-band management, SDDC management, and the VMware SD-WAN appliances. It is very important that the IP ranges are correct and do not overlap with any existing networks. Changing these values post-order will cause additional complexity and delays.

Ports TCP 443 and UDP 2426 will need to be open outbound to connect to VMware Cloud. The term commitment is also selected during the order process, and the term begins when the SDDC is deployed and activated from the VMware Cloud console. You can track the status of the order at any time from the portal.

VMware Cloud on Dell EMC Example SDDC Order

When the rack arrives on-site it is fully cabled and ready to be connected to the customer environment. The ToR switches are physically connected to the existing upstream network using customer provided SFP adapters and copper or fibre cables. Dynamic routing can be configured using eBGP, facilitating fast routing failover in the event of a ToR switch failure or upstream switch failure. Static routing can also be used but is less optimal.

Once the SDDC is deployed the L3 ECMP uplink connectivity between the ToR switches and the existing upstream network can be configured from the VMware Cloud console.

VMware Cloud on Dell EMC Example SDDC Summary

After setup is complete the service maintains operational consistency with existing VMware environments; for example virtual machines are managed using vCenter Server, and new networks are created using NSX-T. For more information review the VMware Cloud on Dell EMC Data Sheet, or the more comprehensive VMware Cloud on Dell EMC Technical Overview.

Another great place to get started is the VMware Cloud Tech Zone. You can find detailed white papers, reference architectures, technical demos, and hands on labs for VMware Cloud on Dell EMC specifically at the VMware Cloud on Dell EMC Tech Zone.

VMware Cloud on Dell EMC vs Dell APEX Cloud Services

At VMworld 2021, VMware and Dell announced general availability of Dell APEX Cloud Services With VMware Cloud.

As outlined in the introduction of this post, many organisation are moving to as-a-service and subscription services. Dell, along with VMware, have recognised this shift and made many of their compute and storage platforms available on managed and subscription based plans. Dell APEX Cloud Services is the self-service portal where Dell customers can configure and order such solutions.

Dell APEX Cloud Services with VMware Cloud, allows Dell customers to order VMware Cloud on Dell EMC directly through Dell. Although this may seem confusing, it gives customers an alternative purchasing route which can help leverage existing commercial agreements, credits, partners, and relationships.

The core technical concepts of the solution outlined above all remain the same. The key difference is that when purchasing through Dell APEX, the customer is buying directly from Dell (instead of VMware), and Dell are the single point of contact for all support and maintenance (instead of VMware). Whilst the order process remains fundamentally the same, the screenshots above are of the VMware Cloud portal, and so the Dell APEX portal will look slightly different.

Hornetsecurity

365 Total Protection for Microsoft 365

by esxsi1 Comment on 365 Total Protection for Microsoft 365

Introduction

Over the past few years, an increasing number of organisations have chosen to implement cloud computing, distributed system architectures, and as-a-service or subscription based operating models throughout their IT environments. The most popular example is Microsoft 365 (M365); providing SaaS (Software-as-a-Service) based versions of Microsoft’s productivity suite, which is embedded into the processes and technology stack of many businesses.

Due to the internet-hosted nature of the service, and its global popularity spanning nearly all sectors, Microsoft 365 is a common target for cyber security attacks. Email has long been the easiest and most successful attack vector for cyber criminals, using phishing attacks to either deploy malware and ransomware, or steal login credentials. Once attackers have penetrated corporate networks or resources using these methods, they can steal sensitive data, carry out malicious activities, impersonate people and systems, or simply monitor traffic and behavioural patterns over time to plan out a longer, sustained attack.

Securing a company from such attacks generally comes down to implementing layers of security, without restricting employees or users in such a way that they take measures to bypass security processes. Third-party tools can play a positive role in an organisation’s overall security posture.

Hornetsecurity’s 365 Total Protection, is specifically designed for Microsoft 365 security, protecting your business from malicious emails and files before they reach the users mailbox. 365 Total Protection integrates seamlessly with M365 by connecting directly into the service in just 30 seconds. You select the security policies and protection to apply, without having to install and manage agents, servers, or other components.

365 Total Protection comes in two editions to enhance the security of your M365 accounts, and the wider organisation:

  • 365 Total Protection Business is a comprehensive security package providing email and data security for M365 accounts.
  • 365 Total Protection Enterprise builds on the functionality above, by adding AI-based advanced forensic analysis and intelligence, along with business continuity and legally compliant email archiving.  

365 Total Protection Business

When a user’s mailbox is secured by 365 Total Protection Business, they have a full overview of all emails for which they are the intended recipient. With real-time mail flow analysis, and Email Live Tracking, the user has at their fingertips an extensive list of filters and self-service actions to secure their email and data, without impacting productivity.

365 Total Protection is built upon a multi-stage, in-depth Threat Intelligence system, that analyses and filters new attacks or threats before they reach the users mailbox. Hornetsecurity’s Threat Blocking system will statistically block 99% of attempts to deliver spam, with the Threat Intelligence feature guaranteeing a detection rate of 99.99% for spam, and 99.9% for viruses. In both cases emails blocked or quarantined will not reach the users mailbox. The spam and malware protection systems are constantly learning and improving, through Hornetsecurity’s Security Lab and AI/ML based algorithms.

Integration of Hosted Spam Filtering and Malware Protection into the Email Management System

Emails quarantined as potentially unwanted can be released by the user, who can also manage their own safe and blocked sender lists, and crucially, see comprehensive detail on the status of each email communication. This helps a user to understand how a mail has been classified, for example spam, and the reason for the classification. Daily reports can help collate and stop marketing or info mails, with the user able to whitelist those relevant to them. Of course, the level of flexibility afforded to the user is defined by the company directive and policies configured.

Administrators can configure compliance filters and content control, for example to remove unwanted or unauthorised file attachments depending on the file type, content, or recipient. Outgoing emails can be encrypted, with granular control over the encryption method, and automated certificate management, protecting email communication from being viewed or changed by anybody other than the intended recipient. Where specific recipients are unable to provide email encryption the Websafe mailbox delivers a way of securely communicating with those external parties.

Finally, the implementation of a global mail security solution such as 365 Total Protection Business enables standardisation and enforcement of email signatures and company disclaimers. If desired, intelligent ads and social media buttons can also be embedded for external corporate communication.

365 Total Protection Email Live Tracking

365 Total Protection Enterprise

365 Total Protection Enterprise builds on the features outlined above, including further Forensic Analyses mechanisms to review and detect malicious behavioural patterns, fraud, spoofing attempts, targeted attacks, and identification of spy-out attacks and feign facts or click-bait. URL Malware control checks and secures all internet links and downloads, to protect against blended attacks, while the Advanced Threat Protection (ATP) Sandbox Engine adds a safe, sandpit environment to analyse suspect files. All activities can be monitored in real-time using the Real Time Threat Report.

Integration of Advanced Threat Protection into the Email Management System

In addition to ATP and the advanced threat capabilities, 365 Total Protection Enterprise provides GDPR-compliant email archiving, with a retention period up to 10-years. The email archive can be accessed by auditors on-demand using the web based front-end, taking advantage of the eDiscovery service for fast, complex queries or search filters.

As mentioned earlier, 365 Total Protection has a guaranteed spam detection rate of 99.9% and virus detection rate of 99.99%, with a false positive rate of only 0.00015. However, as cyber security professionals will attest, additional layers should act as a failsafe to mitigate risk as much as possible. 365 Total Protection Enterprise also caters for malware ex post alert and deletion, so that if a malicious mail has already been delivered then the threat can be quickly contained.

In the event of a Microsoft 365 service outage, 365 Total Protection Enterprise also enables users to carry on working with its Email Continuity Service, as a stand-by system. Furthermore, where 365 Total Protection Enterprise is in place, users can uplift to 365 Total Protection Enterprise Backup. This bolsters business continuity by adding automated backup and recovery, for user M365 mailboxes, Teams, OneDrive, SharePoint data, and Windows-based endpoints.

Summary

In summary, the advanced threat analysis and detection capabilities of 365 Total Protection make it a worthy addition to any security tool kit, with the logging, reporting, and business continuity capabilities affording extra peace of mind.

Whilst securing mailboxes and data, above all 365 Total Protection provides improved user experience with self-service flexibility. This dynamic approach means that the implementation is more likely to be successful in its aim to secure the organisation. As threats and attackers grow over time, the Security Labs and Threat Intelligence algorithms continue to adapt for future trends and attack vectors. The best way to see if 365 Total Protection adds value to your business is to get hands on and try it out yourself using the free trial.

vRealize

vRealize Operations Capacity Shows 100% Cluster Utilisation

by esxsi1 Comment on vRealize Operations Capacity Shows 100% Cluster Utilisation

Recently we were examining a vSphere cluster where vRealize Operations Manager was showing 100% CPU utilisation, with zero capacity remaining. However, the usage of all resources in the cluster was generally low. We know that the cluster capacity is based on demand rather than usage. CPU demand is the amount of CPU resources a virtual machine would use if there were no CPU contention or limit. Sometimes, this can cause a little confusion when we look at the utilisation metrics of the cluster.

This type of behaviour is actually expected because of how vRealize Operations interprets the data. When virtual machines have latency sensitivity set to high, all of the CPU is requested by the virtual machine in order to reserve it. Since vRealize Operations Manager cannot differentiate between latency sensitivity reservations and legitimate CPU requests, we see CPU and/or memory contention alerts. More information can be found in the KB article Virtual Machine(s) Workload badge reports constant 100+ score in VMware vRealize Operations Manager (2145552). The KB article suggests that if latency sensitivity cannot be set back to normal, then a custom group can be created to disable the alerts.

This scenario is well documented. However what if latency sensitivity is not enabled or configured beyond the default setting, but the symptoms are the same? In this case, the cluster is dedicated to running SQL workloads.

From using the metrics view of the cluster under the environment tab, we can see high peaks for the CPU co-stop and CPU ready values every night. The discrepency seems to be caused by the behaviour of the virtual machines in claiming all available CPU resource at a specific time. Whilst this might sound environmentally specific, there are a number of scenarios where this could be the case and a workaround is needed.

Beyond changing the behaviour of the virtual machines, some available options are as follows:

  • Action the rightsize recommendations to ensure we are not over allocating CPU resources
  • Follow the steps outlined in the KB article above to ignore/disable the alerts
  • Follow the steps outlined below to set a maintenance schedule, disregarding metrics where the peak is at a consistent time every day or night
  • In the capacity policy change the setting of the time remaining calculations

Updating how the time remaining is calculated may be a last resort, but can provide a slightly different interpretation of the data. You can see the description of each setting, and how the associated projection graph changes in the screenshots below. The default policy uses conservative capacity planning which takes the higher values, whereas aggressive uses the averages values of resource utilisation.

To update this setting either change the default policy, or create a new policy to assign to specific objects like a cluster. Follow the policy based steps outlined below, disregarding the maintenance schedule. You can find out more information on how remaining time is calculated in the blog Rightsizing VMs with vRealize Operations.

vRealize Operations Conservative Capacity Policy
vRealize Operations Aggressive Capacity Policy

Setting a Maintenance Schedule

The following steps will walk through creating a maintenance schedule with associated capacity policy. You can also change the time remaining calculations from the capacity policy, with or without a maintenance schedule. The screenshots are from vROps 8.6, but previous versions of 8.x should be a similar process.

  • First, create the maintenance schedule. From the left hand navigation pane, expand Configure and select Maintenance Schedules.
  • Click Add. Enter the name, time zone, and time configuration of the schedule. Click Save.
  • Next, we need to create a policy. From the Configure menu again, select Policies.
  • Click Add. Enter the name, and select a policy to clone. Click Create Policy.
  • Select the policy from the list, and click Edit Policy.
  • Select the Capacity block, and then choose the object type.
vRealize Operations Capacity Policy

Here if required you can change the policy for time remaining calculations, mentioned above, as well as manually change the alert thresholds. When considering the time remaining calculations, the default conservative policy will take the highest resource utilisation to project the time remaining before this crosses the usable capacity threshold. The aggressive policy will use the mean average resource utilisation to project the time remaining before this average crosses the usable capacity threshold. Both policies are of use, aggressive may be better suited to smaller organisations wanting to sweat hardware assets.

  • Make any desired changes to the policy per the description above. Scroll down to Maintenance Schedule and select the schedule created earlier. Click Save.
  • Next, select Groups and Objects. Choose a custom group or object to apply the policy to, and click Save.
vRealize Operations Assigned Policy
  • Now that the policy is configured and assigned to an object, it is active and in use.
vRealize Operations Active Policy
  • When we check back on the maintenance schedule we can now see the linked policy.
vRealize Operations Maintenance Schedule

There are additional ways of setting maintenance schedules, the example above is relevant to the described use case to disregard metrics during a certain time interval. You can also manually enter maintenance through both the vROps UI and API, see Maintenance Mode for vRealize Operations Objects, Part 1 by Thomas Kopton, or create dynamic groups containing hosts in maintenance mode, see Maintenance Mode for vRealize Operations Objects, Part 2.