Multi-Cloud Management with vRealize Operations

This post will take a look at how vRealize Operations (vROps) can provide a single monitoring and visibility tool into your on-premises data centre, native public cloud services, and hybrid cloud platforms like VMware Cloud on AWS, or Azure VMware Solution. vRealize Operations provides VMware customers with monitoring and alerting, troubleshooting and remediation, dashboards and reporting, performance and capacity management, cost visibility and comparison, and security compliance.

vROps for Cloud-First

The vRealize Operations Manager instance itself can either be self-hosted (on-premises) where the customer is responsible for lifecycle management, hosting and availability, or Software-as-a-Service (SaaS). When using SaaS, vRealize Operations Cloud is hosted and maintained by VMware, and consumed as a service by the customer. Whilst the self-managed vRealize Operations is packaged into Standard, Advanced, and Enterprise editions, vROps Cloud comes in one edition only which has feature parity with enterprise, plus some additional capabilities like near-real-time 20 second monitoring. You can compare features between Standard, Advanced, Enterprise, and Cloud editions in the vRealize Operations Solution Brief.

In the UK, the closest locality for vROps Cloud is currently Frankfurt, you can review compliance and data processing information in the VMware Cloud Trust Centre. When looking at public cloud or hybrid cloud, including SaaS options, you may also want to review VMware’s award winning sustainability initiatives including a commitment to net zero carbon emissions by 2030 across VMware global operations, all VMware Cloud solutions and VMware Cloud Provider Partners.

vROps also now integrates with CloudHealth, providing advanced financial management and optimisation recommendations for native cloud resources in Azure, AWS, Google Cloud Platform, and Oracle Cloud Platform. As well as overall cost savings, finance teams can use cloud health with resource tagging to bill individual departments for the exact capacity they have used. This empowers service or application owners to look after their digital assets and only use resources or hold data that they really need. The power of CloudHealth can be brought into vROps using the new management pack.

Hybrid Cloud Examples

The example below shows a customer with a hybrid cloud setup. In this scenario they may choose to host big data services in the Microsoft Azure cloud, and VMware workloads across on-premises and Azure VMware Solution. The hyperscaler is interchangeable and could be AWS, Google Cloud, Oracle Cloud, or a combination of cloud providers. Using vRealize Operations we are able to provide a consistent operating model across platforms from a single SaaS based UI.

When onboarding with vRealize Operations Cloud, the primary contact on the account will receive an activation email to enable the subscription. A Cloud Customer Success Manager will carry out the activation steps with you. Once onboarded rolling updates are carried out automatically for new features. You can also take a look at the vRealize Operations Cloud Solution Overview.

vRealize Operations with Azure

The cloud proxy is an OVF appliance deployed to the vCenter Server. This proxy forms a tunnel using HTTPS to send data to the SaaS based control plane. The OVA requires HTTPS access outbound to a set of URLs, which can be found in the vRealize Operations Cloud Documentation.

The same cloud proxy model can be used for Azure VMware Solution. There are some points to be aware of with Azure VMware Solution, such as limited visibility into management VMs (as this is part of a managed service). Nothing problematic but these are listed in the Known Limitations section of the documentation. If you are running an ‘on-premises’ or self-managed version of vRealize Operations, instead of the SaaS version, then at this time the vRealize Operations Manager appliance cannot run directly on Azure VMware Solution.

Native Azure services can be added using an Azure AD app registration with service principal/client secret. Instructions can be found in the Configuring Microsoft Azure section of the documentation, you can also find a list of Supported Azure Services for vROps. Again, this doesn’t have to be Microsoft Azure, it could be AWS.

AWS works slightly different in that, when configuring VMware Cloud on AWS for use with vRealize Operations Cloud, the integration happens through an API token, since both solutions are native to the VMware Cloud Services Portal (CSP), see Configuring VMC on AWS in vROps Cloud.

Native AWS services can be added using an IAM generated access key and secret. Instructions can be found in the VMware documentation under Add a Cloud Account for AWS, you can also find a list of Supported AWS Services for vROps.

vRealize Operations with AWS

Additional Resources

VMware Hands-on-Labs are a fantastic free resource giving access to sandpit environments with step by step instructions for nearly all VMware solutions. Some example Hands-on-Labs for vROps are listed below, along with further video and written documentation.

  • HOL-2101-91-CMP – Getting Started with vRealize Operations – Lightning Lab
  • HOL-2101-06-CMP – vRealize Operations Advanced Topics
  • HOL-2101-04-CMP – vRealize Operations – Optimize and Plan vSphere Capacity and Costs
vRealize Operations Troubleshooting Workbench

The following sessions are available at VMworld 2021, and if you’re reading this after the event the sessions will also be made available on-demand.

  • A Big Update on vRealize Operations [MCL1277] Technical level 100
  • vROps Dashboarding 101 and Beyond [VMTN2843] Technical level 200
  • Manage Public Cloud with CloudHealth and vRealize [MCL1247] Technical level 100
  • An End-to-End Demo of Taming Public Clouds with CloudHealth and vRealize [MCL1439] Technical level 300 (Tech+ pass)
  • Track Sustainability Goals in Datacenter with vRealize Operations [VMTN2802] Technial level 200
  • Accelerate Your VDI Management with vRealize Operations [MCL1899] Business level 100
  • Next-Gen Infra and Apps Operations Management with vROps – Design Studio [UX2539]
  • Consistent Cloud Operations with vCenter and vRealize Operations [MCL2611] Technical level 100
  • An End-to-End Demo – Operationalizing VMware Cloud Foundation with vRealize [MCL1442] Technical level 300 (Tech+ pass)
  • A Cloud Management Journey from Monolith to Modern Apps with vRealize Suite [GWS-HOL-2201-08-CMP] Technical level 200 (Tech+ pass)
  • Design Principles: Cloud Architecture Design and Operations [MCL2151] Technical level 200
  • Get Close to 100% Automation to Get to True Cloud Operations at Scale [MCL2023] Technical level 300 (Tech+ pass)
vRealize Operations ESXi Configuration Dashboard

How CloudHealth Optimises and Secures Your Cloud Assets

How CloudHealth Optimises and Secures Your Cloud Assets

Introduction

Over the past 12 months we have seen further growth within the cloud, as many organisations scale or create new digital services in response to the coronavirus pandemic. Improved speed and agility has allowed businesses to pivot where traditional siloed infrastructure may have caused them to stall.

As the usage of cloud services expands, standardising and consolidating cloud tooling becomes important for financial management, operational governance, and security and compliance. Visibility into distributed system architectures across many accounts or subscriptions, or even multi-cloud, is another key challenge. For some customers cloud workloads are not optimised or configured to best standards, many will spend more than their anticipated budget, and others may accidentally expose data or services.

Those with an established cloud strategy may decide to implement a Cloud Centre of Excellence (CCoE); responsible for cloud operations, security, and financial management. The CCoE will navigate the security and configuration landscape of cloud assets, automating response and remediation to configuration drift or threats. As the team grows in maturity optimisations are made continuously and automatically, inline with the key drivers of the business. This is where CloudHealth comes in.

CloudHealth by VMware is a multi-cloud SaaS solution managing more than $11B of public cloud spend for over 10,000 customers. CloudHealth accelerates business transformation in the cloud by providing a single platform solution for visibility into AWS, Microsoft Azure, Google Cloud Platform, Oracle Cloud Infrastructure, VMware Cloud on AWS, and on-premises VMware based environments. The key functionality is broken down into the 2 products we’ll look at below.

CloudHealth Multicloud Platform

CloudHealth takes data from cloud platforms, data centres, and third party tools for application, security, and configuration management. Data is ingested and aggregated using CloudHealth’s integrated data layer, which performs analysis on usage, performance, cost, and security posture. CloudHealth becomes a single source for multi-cloud management across environments, strengthening security and compliance, consolidating management, and improving collaboration between previously siloed teams of people and tools.

Data and assets can be categorised by tags or other metadata, and viewed in logical business groups known as perspectives . Perspectives provide a breakdown for cost allocation using dynamic groups such as line of business, department, cost centre, or project. The output can be used to identify trends and build dashboards and reports. This approach simplifies financial management, saves time, aids with budgeting and forecasting, and encourages accountability through accurate chargeback or showback.

CloudHealth Cost Dashboard

Whilst visibility is great, to really have a positive impact on operations we need to know what to do with the data collected. CloudHealth presents back cost optimisation recommendations and security risks, but can also carry out remediation actions automatically.

Cost optimisation is where you can save money, using AWS as an example, based on things like; EC2 instances that are oversized or on an inefficient purchase plan, elastic IP addresses or EBS volumes that are not attached to any resources, snapshots that have not been deleted. In the physical on-premises world all of these issues were common as part of VM sprawl, they impacted capacity planning and resource consumption but were mostly hidden or swallowed as part of the wider infrastructure cost. As organisations shift from large capital investments to ongoing revenue and consumption based pricing, oversized or unused resources literally convert to money going out of the door every single month.

CloudHealth Health Check

Recommendations and actions are where CloudHealth carries out remediation for incorrectly configured or under-utilised resources. Policies can also be used to define desired states and ensure operational compliance. For example, an organisation may want to report on untagged resources, connected accounts, or open ports. The number of available actions currently appears to only cover AWS and Azure, but with support recently added for Oracle Cloud Infrastructure, and Google Cloud Platform before that, hopefully this functionality will continue to be built out.

CloudHealth Remediation Actions

At the time of writing CloudHealth is priced based on cloud spend, and can be purchased as a 1, 2, or 3 year prepaid commitment, or variable pricing based on the previous months cloud spend. A free trial is available to uncover ROI in your own environment from CloudHealth here.

Where VMware environments are in use with vRealize Operations, the CloudHealth management pack for vRealize Operations can be installed. Bringing CloudHealth dashboards and prospects into vROps allows IT ops teams to track on-premises infrastructure and public cloud costs from a single interface. The CloudHealth management pack for vROps can be downloaded from the VMware Marketplace, instructions are here.

CloudHealth Secure State

By default CloudHealth provides real-time information on security risk exposure, but for deep-dive visibility and remediation those who are serious about security will want to look at Secure State. CloudHealth Secure State is available with CloudHealth or standalone, and currently supports AWS, Azure, and GCP.

Dashboards within CloudHealth Secure State enable at-a-glance checks on security posture and compliance. There are over 700 built-in security rules and compliance frameworks that can be used as security guardrails, with the ability to add custom rules and frameworks on top.

As systems become distributed over multiple accounts, subscriptions, or even clouds, the dynamics of securing an organisations assets shift significantly. Previously all services were contained within a data centre, firstly using perimeter firewalls and then with micro-segmentation. IT teams were generally in control and had visibility throughout the corporate network. Nowadays a developer or user responsible for a service can potentially open applications or data to the public, either on purpose or by accident. Cloud security guardrails form an important baseline for security posture and cloud strategy. Security guardrails are made up of critical must-have configurations in policies with auto-remediation actions attached, they help avoid mistakes or configuration drift to ultimately reduce security risk.

CloudHealth Secure State gives further visibility into resource relationships and context, using the Explore UI. Explore enables a powerful model of multi-cloud or account architectures, with visual topology diagrams of complex environments. Cyber security analysts or operations centres can drill down into individual resources with all interoperable components and dependencies already mapped out.

CloudHealth Secure State Dashboard
CloudHealth Secure State Compliance

Featured image by Scott Webb on Unsplash

AWS Native Services Integration With VMware Cloud on AWS

This post lists some of the available options for connecting VMware Cloud on Amazon Web Services (AWS) with native AWS services for hybrid cloud deployments. Read more about multi-account and VPC management at Building AWS Environments for VMware Cloud Customers.

The most common way of consuming AWS services with VMware Cloud on AWS is to use the built-in Elastic Network Interface (ENI) functionality. Each VMware Cloud Software-Defined Data Center (SDDC) can be connected to another AWS Virtual Private Cloud (VPC) during the deployment phase. A VPC is Amazon’s logical separation of virtual networks. At scale, you may choose to have many VPCs and many accounts for different applications and environments. Multiple VPCs can be connected together using an AWS Transit Gateway (TGW). A further option we will look at is VPC Endpoints, enabling you to privately connect to supported AWS services and endpoints.

1. Connected VPC

The AWS bare metal hosts deployed for VMware Cloud on AWS use a redundant 25 Gbps physical interface or Elastic Network Adaptor (ENA). The physical interface uses a trunk port to carry multiple VLANs for services like management, vMotion, NSX, and connectivity to the AWS backbone network.

The cross-linked VPC architecture is provided by a series of ENIs. Each host in the vSphere cluster uses the network adaptor outlined above to provide an individual cross-VPC ENI per physical host; supporting high-bandwidth, low latency connectivity to native AWS services.

VMC_Host_Connectivity

VMware Cloud on AWS uses the AWS VPC  as an underlay for NSX-T. The NSX Edge (Tier 0) router is a virtual router acting as the uplink to the connected VPC. The active ENI in use is the physical ESXi host where the virtual router is running. The connected VPC is owned and managed by the customer, any native services deployed are billed separately by AWS. When deploying the SDDC, the connected account and VPC is required along with a private subnet in each applicable Availability Zone (AZ). A static route is created for the defined subnets adding the connected VPC router as the next hop.

Traffic that traverses the ENI is not chargeable; however, cross-AZ charges do need to be taken into consideration if a Stretched Cluster is in use. During provisioning of the SDDC, and connection of the customer-managed AWS account, a CloudFormation template is deployed creating the necessary AWS Identity Access Management (IAM) roles and ENI configuration.

SDDC_AWS_1SDDC_AWS_2

Following the SDDC deployment, you can view the connected account, VPC, ENI, and subnet details in the Connected VPC menu under the Networking & Security tab of the SDDC, from the VMware Cloud Services Portal.

Access to and from native AWS services can be controlled and needs to be opened, using the NSX firewalls (gateway and distributed) and AWS Security Groups. To see an example configuration see the Connecting VMware Cloud on AWS to Amazon EC2 post or the Access an EC2 Instance section of the VMware Cloud on AWS Docs page.

2. VPC Endpoints

VPC Endpoints allow private connectivity between your VPC and supported AWS services or custom applications. Network traffic traversing a VPC endpoint does not leave the AWS backbone network and therefore does not require Internet Gateway, Direct Connect, or VPN.

The Access an S3 Bucket Using an S3 Endpoint section of the VMware Cloud on AWS Docs page details the process for configuring a Gateway VPC Endpoint to access AWS Simple Storage Services (S3) from VMware Cloud on AWS, without having to go out to the Internet. Furthermore, you can use Interface VPC Endpoints to connect to supported AWS services in another VPC, or VPC Endpoint Services (AWS PrivateLink) to connect to custom applications in another VPC. Here are some examples:

AWS_Integration_Examples

The general process for creating an endpoint is the same across these VPC Endpoint types. In the example below, we are connecting to a VPC Endpoint Service for Splunk, fronted by a Network Load Balancer (NLB) in another VPC. The administrator of the VPC Endpoint Service needs to grant IAM service consumer permissions and accept the incoming connection, as detailed in the AWS documentation here.

In the AWS console, I log into the connected account and select the VPC service. I choose Endpoints and Create Endpoint. To create a Gateway VPC Endpoint, e.g. for S3, or an Interface VPC Endpoint, e.g. for DynamoDB or other services, I would select the appropriate service from the AWS services service category. In this instance, I use Find service by name and enter the endpoint private service name. Either way, the key point is that I select the connected VPC from the VPC drop-down and the subnets that match up with those used for the ENI when deploying the VMware Cloud on AWS SDDC.

VPCEndpoint1VPCEndpoint1cont

By using the cross-VPC linked subnets the Virtual Machines in the SDDC will utilise the static route across the ENI outlined in the Connected VPC section above. AWS Security Groups can be used to limit this to certain source IP addresses from within the SDDC or the wider VPC if required. In this instance, we can successfully test the connection over port 443 following the creation of the VPC Endpoint.

3. Additional VPC Connectivity

Traditionally VPC Peering has been used to provide one to one private network connectivity between VPCs, including VPCs in different accounts. VPC Peering cannot be configured in the SDDC as we do not have access to the underlying AWS account. VPN connections between additional VPCs and the SDDC router (Tier 0) can be configured from the VMware Cloud Services Portal, enabling VMware Cloud on AWS connectivity with other VPC environments. As the number of VPCs and accounts begins to scale the VPN approach becomes harder to manage.

This predicament is resolved with a relatively new addition to AWS; the Transit Gateway (TGW). The native AWS TGW is available now and acts as a transit network hub allowing you to connect multiple VPCs and on-premise networks (using Direct Connect or VPN attachments). A Managed Transit Gateway is being developed by VMware to assist with multi-SDDC and multi-VPC connectivity. You can review how the native AWS Transit Gateway fits into the VMware Cloud on AWS architecture on the VMware Network Virtualization blog: VMware Cloud on AWS with Transit Gateway Demo:

VMC_TGW_Examples

Image VMware Cloud on AWS with Transit Gateway Demo. Further Resources: