April 2022 VMware Multi-Cloud Briefing

The VMware Multi-Cloud Briefing is an online quarterly series, in its fifth iteration, that brings vision, technology, and customer stories to the table. The briefing series has evolved through cloud platform, operations, and application development since its introduction in the summer of 2020. Both cloud technology and cloud adoption are advancing at a fast pace, and this April briefing provides an opportunity to see what’s new directly from VMware engineering, independent industry experts, and customers.

The latest session is opened by Joel Neeb, VP Execution and Transformation, VMware, and former F-15 pilot. Joel talks through the history of aviation and the advancements in the cockpit, from having limited technology to running over 300 different instruments. With so many new features and capabilities, there comes a tipping point where they cannot be practically managed by a single operator, or managing them takes more time than it offers value. These instruments are now streamlined into a handful of features, displayed on screens instead of through switches and dials, with the computer systems surfacing what’s important to the operator at a given time.

We can learn from this approach, and apply similar models to be able to abstract and simplify multi-cloud complexity across different environments and locations. VMware Cross-Cloud Services can remove complexity, whilst enabling the agility of different cloud providers and the freedom to choose the right target environment for each application. Offering standardisation and consistency at the infrastructure layer allows scale and flexibility. Then, as requirements change and new use cases are uncovered, IT teams and developers can move quickly to accelerate overall business transformation.

VMware Cross-Cloud Services

The session continues with quick fire customer stories around streamlining operations with VMware technology, and a customer interview with S&P Global covering their approach to solving multi-cloud complexity. Later, we’ll also hear a partner perspective from DXC Technology, on how they work with customers to deliver multi-cloud outcomes, and what trends they are seeing across the market.

Next is a technology deep dive, starting out with examining how we’ve arrived at the complexity of running environments across public cloud, private cloud, and the edge. You can then expect to see:

  • How easy it is to add a new VMware environment to a hyperscaler, using vRealize Automation. In this demo we’ll start with an on-premises hosted environment, and scale out by spinning up new environments in the cloud, with the same management tooling and policies.
  • How to manage multiple cloud environments from a single tool, using vRealize Operations. In this demo we’ll look at a consistent way of managing and optimising resources, performance, capacity, and costs, with a unified troubleshooting interface.
  • How to add Kubernetes clusters in different hyperscalers to a common management plane, using Tanzu Mission Control. In this demo we’ll see how you can standardise the management of Kubernetes services, which will likely complement your existing virtual machine infrastructure. Furthermore, we’ll find out how Tanzu Service Mesh can secure the communication of micro-services between environments and across clouds. Tanzu Service Mesh is able to bring micro-services under the same security umbrella, and automate features like mutual TLS encryption across all services.

The final segment is an industry interview with IDC and VMware, talking about what it means for customers to standardise their infrastructure and cloud platforms. There are multiple layers of abstraction and standardisation, covering the likes of management, optimisation, and security. IDC will detail where you can start, and what they see as good first steps.

The April 2022 VMware Multi-Cloud Briefing, and associated launch blog, is now live and available on YouTube. The video is embedded below. You can watch the current and previous briefings on the VMware Multi-Cloud Briefing page; each video is 30 to 40 minutes long.

VMware Multi-Cloud Briefing April 2022

VMware Sovereign Cloud Overview

Introduction

It isn’t a secret that the overwhelming majority of data hosted by enterprises in the cloud is with US-owned cloud providers. But a study by the Centre for European Policy Studies in 2021 found that a whopping 92% of the western world’s data is currently stored in the US. In principle that has been fine with organisations based in other countries, since the scale of these cloud providers was such that data locality was not a problem. The relevant security controls and technologies also exist to protect the data from unauthorised third parties.

Politically, however, the landscape is changing. The majority of the world’s population is covered by privacy regulations in line with GDPR. The number of countries implementing data privacy laws has been increasing annually, for both personal and enterprise data. Furthermore, the very definition of personal information is evolving with our online presence, and it’s only going to get more complex over time.

Thanks to the US Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, courts can instruct US companies to collect data on systems they manage, not just on US soil, but in theory anywhere in the world. Separately, in July 2020, the Court of Justice of the European Union (CJEU) made a judgment on a case that essentially invalidated the EU/US Privacy Shield framework for transferring data outside of the EU.

This isn’t just a European concern either; it’s on the radar across other regions on a global scale. Legal cases and fines are starting to arise for organisations incorrectly interpreting GDPR, and there are still open questions about how legislation will be enforced internationally.

These are not isolated instances, and in conjunction with an increased risk of data breaches and more sophisticated cyber attacks, companies are starting to seriously consider repatriation of data stored overseas. Through the global network of VMware Cloud Provider Partners (VCPP), and the VMware Sovereign Cloud framework, VMware have the means to implement data sovereign solutions locally across any region.

What is VMware Sovereign Cloud?

VMware Sovereign Cloud is a framework of guiding principles and best practices to help partners deliver cloud services that adhere to the data sovereignty requirements of a specific jurisdiction. A sovereign cloud framework does not replace public cloud, nor does it replace industry compliance. In fact the opposite is true: the sovereign cloud framework seeks to augment existing platforms and regulations, with a specific focus on putting the customer in complete control of their data.

This control is derived by providing both data residency and data sovereignty with full jurisdictional control. Data residency relates to where the data is physically and geographically stored and processed. Due to the extreme scale of the main public cloud providers, this is something they are usually able to provide. Often though, metadata (data about the data) can leak out into other regions, typically the US. In some cases, data residency alone is not sufficient to ensure compliance with data privacy laws. Data sovereignty relates to law, specifically data being subject to the governance structure, and more importantly jurisdiction, of the nation where the data is processed and stored.

Data still needs to be accessible, and this is a really important point. A sovereign cloud solution needs to not only protect critical data, but also unlock its value. Data can be extracted in a meaningful way, for both private and public sector organisations, whilst providing transparency around architecture and operations.

As an example, both my banking and health records are stored extremely securely in a data centre, with a bunch of regulatory and audit processes in place. However, I can access these records on-demand using my mobile phone, which is a device my bank and my healthcare provider have no control over. Equally, there may be times when others need to access the same records, either anonymised or with personally identifiable information, such as if I applied for a credit-based financial service, or if I was referred to a healthcare specialist for a specific condition. Data sovereignty isn’t about locking up data and making it inaccessible.

Clearly, data still needs to be accessible to the right people through an end client, device, or system, whilst maintaining the integrity of the data. It is important therefore, to have an example architecture for how data can be exchanged, or act as a landing platform for data collected from member states and repatriated from other regions. In implementing such an architecture, a national capability for the digital economy can be achieved, whilst securing data with audited security controls, and ensuring compliance with data privacy laws.

High Level Sovereign Cloud Framework

The basis of a VMware Sovereign Cloud is the VMware reference architecture, in the form of VMware Validated Solutions (VVS) and the VMware Cloud Provider Partner (VCPP) stack. There is no need for a dedicated sovereign cloud reference architecture. Instead, an overlay is being introduced to organise the infrastructure into different security classifications and domains. This separation of security domains ensures there is no data leakage, of either primary data or metadata, outside of the required locality and jurisdiction.

The VMware Sovereign Cloud framework uses transparent, standardised, software-defined architectures along with a number of key principles and best practices:

  • Data sovereignty and jurisdictional control
    • Control, authority, and operations are fully managed within the jurisdiction of the nation state where that data was collected
  • Data access and integrity
    • Cloud infrastructure is resilient across at least 2 data centre locations within the jurisdiction, with secure and private connectivity options
  • Data security and compliance
    • Information security management system controls are audited and applied in line with industry recognised standards
  • Data independence and mobility
    • Data and application portability with modern application architectures to prevent lock-in

These key principles deliver benefits such as increased security, improved control, and continuous compliance, whilst future proofing services and unlocking the power of data. National and sovereign digital capabilities can be developed, with national data pooled together to fuel economic innovation and growth.

How Does VMware Sovereign Cloud Work?

The VMware Sovereign Cloud provider sets up an audited and approved cloud architecture for the customer in the relevant locality and jurisdiction. Each sovereign cloud must have at least 2 security domains within it. Security domains are typically built in software, with every IT system or data classification represented by one or more security domains.

Security domains provide a common authentication and authorisation boundary. The perimeter is typically protected by things like firewalls, access control, and application filters, whilst services like micro-segmentation can provide further optional security inside the security domain itself. You can think of a security domain as a logical network connectivity area with a common security posture; they can be built specifically to house top-secret data, secret data, restricted data, and so on. The 2 types of security domains are as follows:

  • Sovereign domain
    • Used to connect out to other services, a similar concept to a DMZ; this security domain features the highest level of security and risk mitigation
  • Resident domain
    • Stores and processes data, and will only accept connections from its parent sovereign domain or other trusted resident domains in the same jurisdiction; this security domain features the highest level of trust and confidence

Security domains can be used to make secure connections out to other environments, such as the customer’s private cloud, or a commercial public cloud provider. The sovereign cloud architecture ensures that if the service is paired with commercial clouds, then no data or metadata is leaked or escapes the sovereign cloud boundary.

The screenshot below is taken from the VMware Sovereign Cloud Technical Whitepaper, which provides a technical deep dive into the aspects and examples of sovereign cloud architectures and integrations. It shows how a sovereign cloud provider can host an application, whilst still consuming the benefits of public cloud services from AWS, Azure, Google, etc.

In this example, the data is encrypted and replicated between the sovereign cloud compliant provider and the public cloud, with the encryption keys only stored on the KMS server with the compliant provider. Other methods can also be used to integrate with third party tooling, such as anonymising data, or replacing sensitive data with specific key pair values that can then be mapped back on the sovereign cloud compliant provider.

Sovereign Cloud Compliancy Chain from the VMware Sovereign Cloud Technical Whitepaper

You can find a local VMware Sovereign Cloud provider, from the likes of Telefonica, UK Cloud, and OVH, on the VMware Cloud Provider Services page. Further reading material that may be of interest around sovereign cloud and the Gaia-X project in Europe is listed below.

What is Gaia-X?

Gaia-X is a broader project beyond sovereign cloud that attempts to build a federated cloud ecosystem of data, infrastructure, and service providers. The aim is to deliver European digital sovereignty with a future cloud architecture, whilst controlling the flow of data for an overarching state through different legislation boundaries.

Data assets should be able to move freely between approved providers, with both parties providing tools to assist with the migration process to prevent lock-in. Access permissions and data usage controls will travel with the data as it moves through the ecosystem. As with sovereign cloud, the hyperscalers are not excluded and can still participate, providing data sovereignty remains intact. VMware are contributing to the development of the Gaia-X reference architecture as a day 1 member.

VMware Cloud on Dell EMC Overview

Introduction

Managed and as-a-service models are a growing trend across infrastructure consumers. Customers in general want ease and consistency within both IT and finance, for example opting to shift towards OpEx funding models.

For large or enterprise organisations with significant investments in existing technologies, processes, and skills, refactoring everything into cloud native services can be complex and expensive. For these types of environments the strategy has sharpened from Cloud-First to Cloud-Smart. A Cloud-Smart approach enables customers to transition to the cloud quickly where it makes sense to do so, without tearing up roots on existing live services, and workloads or data that do not have a natural progression to traditional cloud.

In addition to the operational complexities of rearchitecting services, many industries have strict regulatory and compliance rules that must be adhered to. Customers may have specific security standards or customised policies requiring sensitive data to be located on-premises, under their own physical control. Applications may also have low latency requirements or the need to be located in close proximity to data processing or back end systems. This is where VMware Local Cloud as a Service (LCaaS) can help combine the key benefits from both public cloud and on-premises environments.

What is VMware Cloud on Dell EMC?

VMware Cloud on Dell EMC is a fully managed Infrastructure-as-a-Service (IaaS) local-cloud deployment. A dedicated rack with all supporting hardware and equipment is wheeled into the customer site where it is maintained directly by VMware Site Reliability Engineering (SRE). The customer provides the physical location for the rack to sit, the power source, and the existing network for the data plane switches to plug into.

VMware Cloud on Dell EMC delivers a fully integrated software and hardware stack, jointly engineered by VMware and Dell EMC.

VMware Cloud on Dell EMC Overview

The VMware Software Defined Data Centre (SDDC) overlay, and hardware underlay, comprise:

  • VMware vSphere and vCenter for compute virtualisation and management
  • VMware vSAN for storage virtualisation
  • VMware NSX-T for network virtualisation
  • VMware HCX for live migration of virtual machines with stretched Layer 2 capability
  • 3-26 Dell VxRail Hyper-Converged Infrastructure (HCI) nodes per full-height rack (and currently up to 3 racks per SDDC)
  • 1 non-chargeable standby VxRail node per rack for service continuity
  • Redundant Power Distribution Units (PDUs)
  • Uninterruptible Power Supply (UPS) for half-height rack configurations
  • Redundant Top of Rack (ToR) data plane switches
  • Redundant VMware SD-WAN appliances for remote management

All of this is delivered in a dedicated rack, as a fully managed service, with a single point of support directly with VMware. VMware SRE will take care of updating and maintaining all components of the software overlay, firmware updates, and management or repair of the underlying hardware. The customer maintains responsibility for the virtual machines they run on the infrastructure, plus configuration like network and storage policies. Let’s take a deeper dive. You can also find out more from the VMware Cloud on Dell EMC product page, or the VMware Cloud on Dell EMC Solution Overview Brief.

VMware Cloud on Dell EMC can be used in any location the customer has authority to land equipment into. A site survey needs to be carried out before kit is shipped and installed. VMware is the single point of contact for support (unless you are purchasing through Dell APEX, more on that at the end of this post). For support issues that require an on-site fix, a Dell engineer will attend, but VMware will manage that support case directly. The subscription price per-node is inclusive of all hardware, software, licensing, support, and services, outlined in the graphic below.

VMware Cloud on Dell EMC What’s Included

The VMware SRE boundary ends at the LAN link into the customer’s network (beyond the ToR switches); VMware teams have no access beyond this point. Equally, the customer boundary ends at the LAN link between the SDDC and the VeloCloud Edge devices in the rack. The VeloCloud Edge devices provide connectivity over VMware’s SD-WAN using a secure IPsec tunnel, and will need outbound connectivity on ports TCP 443 and UDP 2426.

There are multiple security processes in place to protect against unauthorised access. For example, in order to access a customer environment, a support engineer must generate one-time, time-sensitive credentials, which require a support case to be raised in the system. All activity is logged and monitored by VMware’s Cyber Security Operations Centre (CSOC), and can also be logged into a similar customer setup. Further references and information can be found in the VMware Cloud on Dell EMC Shared Responsibility Model Overview.

VMware Cloud on Dell EMC hosts come in standardised ‘T-Shirt’ sizes to optimise CPU, memory, and storage resources. Currently there are 6 different node sizes from extra small through extra large. You can find full specifications of the node sizes and rack types in the VMware Cloud on Dell EMC Service Data Sheet. Here is a quick run down of the sizing naming convention:

VMware Cloud on Dell EMC Node Sizing Guide

Why VMware Cloud on Dell EMC?

You’ll see me advocate public cloud a lot on this blog, but on-premises infrastructure often has its use cases. Data sovereignty, regulatory and compliance, workload to data proximity, latency requirements, local control, and existing investments all spring to mind. Running infrastructure at the edge is also becoming more prominent and overlaps with some of these use cases. As systems are more distributed, and consumers have more choice, there are many benefits in creating consistent application, infrastructure, and operating experiences across private cloud, public cloud, and edge locations.

VMware Cloud on Dell EMC benefits from a cloud operating and delivery model, whilst being classed as an on-premises service. This means that regulatory and data sovereignty requirements can be satisfied, as all customer data is held on the local hardware. The VMware SD-WAN appliances and VMware Cloud portal are only used for management, without any further access into the customer’s network. VI admins continue to use vCenter Server as normal to manage virtual machines; however, they no longer need to worry about maintaining the underlying infrastructure. IT teams now benefit from a managed service operating model with a predictable subscription-based monthly or annual outgoing, without the hardware ownership depreciation and management overhead.

VMware Cloud on Dell EMC Use Cases

A great use case for VMware Cloud on Dell EMC is VDI. Whether or not you have data or application proximity requirements, the Hyper-Converged Infrastructure (HCI) and node size configurations fit exceptionally well with virtual desktops utilising hyper-threading and instant clone technology. The SDDC can be built as a brand new pod, or used to extend an existing pod within the customer’s environment.

At the time of writing Horizon perpetual licenses can be used to run virtual desktops on VMware Cloud on Dell EMC, along with existing Microsoft licensing. A common consideration of moving VDI to the cloud is around Microsoft license mobility for Windows, Office 365, and SQL, and the requirement for Horizon Universal. Microsoft treat this solution as customer on-premises, which means that implementing VMware LCaaS delivers the best of both worlds. You can read more about the VDI use case in the VMware Horizon Deployed on VMware Cloud on Dell EMC technical overview.

As well as VDI, other popular use cases for VMware Cloud on Dell EMC include data centre modernisation, a change in IT funding model, application modernisation, and services with low latency, sensitive data, or data sovereignty requirements. VMware Cloud on Dell EMC integrates seamlessly with existing on-premises environments, with continuity of third party tools and processes already in place, such as backups, monitoring, and security. Hybrid Linked Mode allows single pane of glass management of vCenter Servers across IaaS and self-managed infrastructure. You can find out more about the benefits of VMware Cloud on Dell EMC, including Total Cost of Ownership (TCO) improvements, in the VMware Cloud Economics data sheet.

VMware Local Cloud as a Service (LCaaS)

Getting Started with VMware Cloud on Dell EMC

VMware Cloud on Dell EMC can be ordered, customised, and scaled through the VMware Cloud portal. Delivery and installation takes place in a matter of weeks, including the site survey. Check with your VMware or Dell account team for up-to-date timelines; I have been quoted 4 to 8 weeks at the time of writing (early 2022), which may fluctuate depending on hardware availability. The service is available in the UK, USA, France, and Germany, with plans to roll out to further regions.

When ordering the service, the customer can select the rack type and see full details of the host capacity, network bandwidth, height in rack units, and power configuration. The customer will be asked to confirm that the site location meets the rack requirements, including rack dimensions, power source, and environmental variables such as temperature and humidity.

VMware Cloud on Dell EMC Example Requirements

Next the customer will be asked to select the host type, the number of hosts, and provide the networking settings. A CIDR block is needed for the management subnets, including rack out-of-band management, SDDC management, and the VMware SD-WAN appliances. It is very important that the IP ranges are correct and do not overlap with any existing networks. Changing these values post-order will cause additional complexity and delays.

Ports TCP 443 and UDP 2426 will need to be open outbound to connect to VMware Cloud. The term commitment is also selected during the order process, and the term begins when the SDDC is deployed and activated from the VMware Cloud console. You can track the status of the order at any time from the portal.
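As an added example (not VMware’s own tooling), here is a small Python pre-order check for the management CIDR blocks described above: it flags any requested range that overlaps an existing network or another requested range, and rejects malformed CIDRs before they are submitted. The labels and address ranges are constructed sample values.

```python
"""Pre-order check for VMware Cloud on Dell EMC management CIDR blocks.

Added example, not VMware tooling. The order form asks for CIDR blocks for
rack out-of-band management, SDDC management and the SD-WAN appliances, and
these must not overlap any existing network. All ranges below are constructed
sample values, not real customer data.
"""
import ipaddress

# Constructed sample: the three management ranges a customer intends to submit.
REQUESTED = {
    "oob_management": "10.50.0.0/24",
    "sddc_management": "10.50.1.0/24",
    "sdwan_appliances": "10.50.2.0/28",
}

# Constructed sample: ranges already in use on the customer network (e.g. from IPAM).
EXISTING = {
    "corp_users": "10.10.0.0/16",
    "legacy_mgmt": "10.50.1.128/25",   # sits inside sddc_management: a collision
    "dc_storage": "192.168.100.0/24",
}


def parse_ranges(ranges):
    """Parse {label: cidr} into {label: ip_network}; returns (networks, errors).

    strict=True rejects entries with host bits set (e.g. 10.0.0.5/24), which
    is exactly the kind of typo that causes post-order rework.
    """
    nets, errors = {}, []
    for name, cidr in ranges.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
    return nets, errors


def find_overlaps(requested, existing):
    """Return (requested_label, existing_label) pairs whose ranges overlap.

    ip_network.overlaps() is symmetric, so a requested /24 inside an existing
    /16 and an existing /25 inside a requested /24 are both caught.
    """
    req, _ = parse_ranges(requested)
    exist, _ = parse_ranges(existing)
    return [(r, e) for r, rn in req.items() for e, en in exist.items() if rn.overlaps(en)]


def find_internal_overlaps(requested):
    """Return pairs of requested ranges that overlap each other."""
    nets, _ = parse_ranges(requested)
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def validate_order(requested, existing):
    """Return (ok, problems): ok is True only when every check passes."""
    _, errors = parse_ranges(requested)
    _, more = parse_ranges(existing)
    problems = errors + more
    problems += [f"requested {r} overlaps existing {e}"
                 for r, e in find_overlaps(requested, existing)]
    problems += [f"requested {a} overlaps requested {b}"
                 for a, b in find_internal_overlaps(requested)]
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = validate_order(REQUESTED, EXISTING)
    print("OK: no overlaps" if ok else "\n".join(problems))
```

Feed it the real management ranges from the order form and the existing networks exported from your IPAM; anything it reports should be resolved before the order is placed, since changing the ranges afterwards causes delays.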

VMware Cloud on Dell EMC Example SDDC Order

When the rack arrives on-site it is fully cabled and ready to be connected to the customer environment. The ToR switches are physically connected to the existing upstream network using customer provided SFP adapters and copper or fibre cables. Dynamic routing can be configured using eBGP, facilitating fast routing failover in the event of a ToR switch failure or upstream switch failure. Static routing can also be used but is less optimal.

Once the SDDC is deployed the L3 ECMP uplink connectivity between the ToR switches and the existing upstream network can be configured from the VMware Cloud console.

VMware Cloud on Dell EMC Example SDDC Summary

After setup is complete the service maintains operational consistency with existing VMware environments; for example virtual machines are managed using vCenter Server, and new networks are created using NSX-T. For more information review the VMware Cloud on Dell EMC Data Sheet, or the more comprehensive VMware Cloud on Dell EMC Technical Overview.

Another great place to get started is the VMware Cloud Tech Zone. You can find detailed white papers, reference architectures, technical demos, and hands on labs for VMware Cloud on Dell EMC specifically at the VMware Cloud on Dell EMC Tech Zone.

VMware Cloud on Dell EMC vs Dell APEX Cloud Services

At VMworld 2021, VMware and Dell announced general availability of Dell APEX Cloud Services With VMware Cloud.

As outlined in the introduction of this post, many organisations are moving to as-a-service and subscription services. Dell, along with VMware, have recognised this shift and made many of their compute and storage platforms available on managed and subscription-based plans. Dell APEX Cloud Services is the self-service portal where Dell customers can configure and order such solutions.

Dell APEX Cloud Services with VMware Cloud allows Dell customers to order VMware Cloud on Dell EMC directly through Dell. Although this may seem confusing, it gives customers an alternative purchasing route which can help leverage existing commercial agreements, credits, partners, and relationships.

The core technical concepts of the solution outlined above all remain the same. The key difference is that when purchasing through Dell APEX, the customer is buying directly from Dell (instead of VMware), and Dell are the single point of contact for all support and maintenance (instead of VMware). Whilst the order process remains fundamentally the same, the screenshots above are of the VMware Cloud portal, and so the Dell APEX portal will look slightly different.