Category Archives: Service Providers

Released: vCloud Director 9.0 – The Most Significant Update To Date!

Today is a good day! VMware have released vCloud Director 9.0 (build 6681978) to GA and with it comes the most significant set of features and enhancements of any vCD release. This is the 9th major release of vCloud Director, now spanning nearly six and a half years since v1.0 was released in February of 2011, and from my point of view it’s the most significant update of vCloud Director to date.

Having been part of the BETA program I’ve been able to test some of the new features and enhancements over the past couple of months. From a Service Provider perspective there is a heap to like about what is functionally under the covers, but the biggest new feature is without doubt the HTML5 Tenant Portal. As you can see below, there is a decent list of top enhancements.

Top Enhancements:


  • Multi-Site vCD – Single Access point URL for all vCD instances within same SP federated via SSO
  • On-premises to Cloud Migration – Plugin that enables L2 connectivity, warm and cold migration
  • Expanded NSX Integration – Security Groups, Logical Routing for east-west traffic and audit logging
  • HTML5 Tenant UI – Streamlined workflows for VM deployment, UI Extensibility for 3rd party services/functionality
  • HTML5 Metrics UI – Basic Metrics for VMs shown through tenant portal
  • Extensible Service Framework – Service enablement, SSO Ready
  • Application Extensibility – Plugin Framework
  • Postgres 9.5 Support – In addition to MSSQL and Oracle, Postgres is now supported.
  • …and more under the hood bits

I’m sure there will be a number of other blog posts focusing on the list above, and I’ll look to go through a few myself over the next few weeks, but for this GA post I wanted to touch on the new HTML5 Tenant UI.

There is a What’s New in vCloud Director 9.0 PDF here.

New HTML5 Tenant UI:

The vCD team laid the foundation for this new Tenant UI in the last release of vCD by bringing the NSX Advanced HTML5 UI to version 8.20. While most things have been ported across there may still be a case for tenants to go back to the old Flex UI to do some tasks, however from what I have seen there is close to 100% full functionality.

To get to the new HTML5 Tenant UI you go to: https://<vcd>/tenant/orgname

Once logged in you are greeted with a now familiar looking VMware portal based on the Clarity UI. It’s pretty, it’s functional and it doesn’t need Flash…so haters of the existing Flex-based vCD portal will have to bite their tongues now 🙂

The Networking menu is built into this same Tenant portal and you can access it directly from the new UI, or in the same way as was the case with vCD 8.20 from the Flex UI. Below is a YouTube video posted by the vCD team that walks through the new UI.

There are also VM Metrics in the UI now, where previously they were only accessible after configuring the vCD Cells to route metric data to a Cassandra database. The metrics were only accessible via the API and some providers managed to tap into that and bring vCD Metrics into their own portals. With the 9.0 release this is now part of the new HTML5 Tenant UI and can be seen in the video below.

As per previous releases this only shows up to two weeks worth of basic metrics, but it’s still a step in the right direction and gives vCD tenants enough info to do basic monitoring before hitting up a service desk for VM related help.

Conclusion:

vCloud Director 9.0 has delivered on what most members of the VMware Cloud Provider Program had wanted for some time…that is, a continuation of the commitment to the HTML5 UI as well as continuing to add features that help service providers extend their reach across multiple zones and over to hybrid cloud setups. As mentioned, over the next few weeks I am going to expand on the key new features and walk through how to configure elements through the UI and API.

Compatibility with Veeam, vSphere 6.5 and NSX-v 6.3.x:

vCloud Director 9.0 is compatible with vSphere 6.5 Update 1 and NSX 6.3.3 and supports full interoperability with other versions as shown in the VMware Product Interoperability Matrix. With regards to Veeam support, I am sure that our QA department will be testing the 9.0 release against our integration pieces at the first opportunity they get, but as of now, there is no ETA on official support.

A list of known issues can be found in the release notes.

#LongLivevCD

References:

https://docs.vmware.com/en/vCloud-Director/9.0/rn/rel_notes_vcloud_director_90.html

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/vcloud/vmware-vcloud-director-whats-new-9-0-white-paper.pdf

VMware Announces New vCloud Director 9.0

VMware Cloud on AWS: Thoughts One Year On

Last week at VMworld 2017 in the US, VMware announced the initial availability of VMware Cloud on AWS. It was the focal point for VMware at the event and probably the most important strategic play that VMware has undertaken in its history. This partnership was officially announced at last year’s VMworld and at the time I wrote a couple of blog posts commenting on the potential impact to the then vCloud Air Network (now VCPP) and what needed to be done to empower the network.

As you can imagine, at the time I was a little skeptical about the announcement, but since then we have seen the fall of vCloud Air to OVH and a doubling down of the efforts around enhancing vCloud Director and general support for the VMware Cloud Provider Program. Put this together with me stepping out of my role within the VCPP to one that is on the outside supporting it, and I feel that VMware Cloud on AWS is good for VMware and also good for service providers.

What It Looks Like:

This time last year we didn’t know exactly what VMC would look like apart from using vSphere, NSX and vSAN as its compute, networking and storage platforms, or how exactly it would work on top of AWS’s infrastructure. For a detailed look under the hood, Frank Denneman has published a Technical Overview which is worth a read. A lot of credit needs to go to the engineering teams at both ends for achieving what they have achieved within a relatively small period of time.

The key thing to point out is the default compute and storage that’s included as part of the service. Four ESXi hosts will have dual E5-2686 v4 CPUs @2.3GHz with 18 Cores and 512GB of RAM. Storage wise there will be 10TB raw of All Flash vSAN per host, meaning, depending on the FTT of vSAN, a usable minimum of 20TB. The scale-out model enables expansion to up to 16 hosts, resulting in 576 CPU cores and 8TB of memory, which is insane!

What does it Cost:

Here is where it starts to get interesting for me. Pricing wasn’t discussed during the Keynotes or in the announcements, but looking at the pricing page here you can see what this base cluster will cost you. It’s going to cost $8.37 USD per host per hour for the on-demand option, which is the only option until VMware launches one year and three year reserved instances in the future, where there looks to be a thirty and fifty percent saving respectively.

Upon first glance this seems expensive…however it’s only expensive in relative terms because of the default resources that come with the service. You can’t get anything less than the four hosts with all the trimmings at the moment which, when taken into consideration, might lock out non-enterprise companies from taking the service up.

Unless pricing changes by way of offering a smaller resource footprint I can see this not being attractive in other regions like ANZ or EMEA where small to medium size enterprises are more common. This is where VCPP service providers can still remain competitive and continue to offer services around the same building blocks as VMC on their own platforms.

CloudPhysics have an interesting blog post here, on some cost analytics that they ran.

How Can it be Leveraged:

With Veeam being a launch partner with VMware Cloud on AWS offering availability services, it got me thinking as to how the service could be leveraged by service providers. A few things need to fall into place from a technology point of view, but I believe that one of the best potential use cases for VMC is for service providers to leverage it for failover, replication and disaster recovery scenarios.

The fact that this service possesses auto-scaling of hosts means that it has the potential to be used as a resource cluster for disaster recovery services. If I think about Cloud Connect Replication, one of the hardest things to get right as a provider is sizing the failover resources and the procurement of the compute and storage to deal with customer requirements. With the auto scaling capabilities, service providers only need to cover the base resources and pay any additional costs if a failover event happens and exceeds the default cluster resources.

It must be pointed out that Cloud Connect can’t use a VMC cluster as a target at the moment due to the networking used…that is VXLAN on top of AWS VPN networking.

As I wrote last year, I feel like there is a great opportunity for service providers to leverage VMC as vCloud Director provider clusters, however I know that this currently isn’t supported by VMware. I honestly feel that service providers would love the ability to have cloud based Provider vDCs available across the world and I’m hoping that VMware realise the potential and allow vCloud Director to connect to and consume VMC.

VMworld End of Show Report on VMware Cloud on AWS:

References:

https://www.vmware.com/company/news/releases/vmw-newsfeed.VMware-and-AWS-Announce-Initial-Availability-of-VMware-Cloud-on-AWS.2184706.html

https://cloud.vmware.com/vmc-aws

https://www.crn.com.au/news/pricing-revealed-for-vmware-cloud-on-aws-472011

Cloud to Cloud to Cloud Networking with Veeam Powered Network

I’ve written a couple of posts on how Veeam Powered Network can make accessing your homelab easy with its straightforward approach to creating and connecting site-to-site and point-to-site VPN connections. For a refresh on the use cases that I’ve gone through, I had a requirement where I needed access to my homelab/office machines while on the road, and to achieve this I went through two scenarios on how you can deploy and configure Veeam PN.

In this blog post I’m going to run through a very real world solution with Veeam PN where it will be used to easily connect geographically disparate cloud hosting zones. One of the most common questions I used to receive from sales and customers in my previous roles with service providers was how to easily connect two sites so that some form of application high availability could be achieved, or even just to allow access to applications or services cross site.

Taking that further…how is this achieved in the most cost effective and operationally efficient way? There are obviously solutions available today that achieve connectivity between multiple sites, whether that be via some sort of MPLS, IPSec, L2VPN or stretched network solution. What Veeam PN achieves is a simple to configure, cost effective (remember it’s free) way to connect one to one or one to many cloud zones with little to no overheads.

Cloud to Cloud to Cloud Veeam PN Appliance Deployment Model

In this scenario I want each vCloud Director zone to have access to the other zones and be always connected. I also want to be able to connect in via the OpenVPN endpoint client and have access to all zones remotely. All zones will be routed through the Veeam PN Hub Server deployed into Azure via the Azure Marketplace. To go over the Veeam PN deployment process read my first post and also visit this VeeamKB that describes where to get the OVA and how to deploy and configure the appliance for first use.

Components

  • Veeam PN Hub Appliance x 1 (Azure)
  • Veeam PN Site Gateway x 3 (One Per Zettagrid vCD Zone)
  • OpenVPN Client (For remote connectivity)

Networking Overview and Requirements

  • Veeam PN Hub Appliance – Incoming Ports TCP/UDP 1194, 6179 and TCP 443
    • Azure VNET 10.0.0.0/16
    • Azure Veeam PN Endpoint IP and DNS Record
  • Veeam PN Site Gateways – Outgoing access to at least TCP/UDP 1194
    • Perth vCD Zone 192.168.60.0/24
    • Sydney vCD Zone 192.168.70.0/24
    • Melbourne vCD Zone 192.168.80.0/24
  • OpenVPN Client – Outgoing access to at least TCP/UDP 6179

In my setup the Veeam PN Hub Appliance has been deployed into Azure, mainly because that’s where I was able to test out the product initially, but also because in theory it provides a centralised, highly available location for all the site-to-site connections to terminate into. This central Hub can be deployed anywhere, as long as it has HTTPS connectivity configured correctly so that you can access the web interface and start to configure your site and standalone clients.

Configuring Site Clients for Cloud Zones (site-to-site):

To configure the Veeam PN Site Gateway you need to register the sites from the Veeam PN Hub Appliance. When you register a client, Veeam PN generates a configuration file that contains VPN connection settings for the client. You must use the configuration file (downloadable as an XML) to set up the Site Gateways. Referencing the diagram at the beginning of the post, I needed to register three separate client configurations as shown below.

Once this has been completed you need to deploy a Veeam PN Site Gateway in each vCloud Hosting Zone…because we are dealing with an OVA, the OVFTool will need to be used to upload the Veeam PN Site Gateway appliances. I’ve previously created and blogged about an OVFTool upload script using PowerShell which can be viewed here. Each Site Gateway needs to be deployed and attached to the vCloud vORG Network that you want to extend…in my case it’s the 192.168.60.0, 192.168.70.0 and 192.168.80.0 vORG Networks.

Once each vCloud zone has the Site Gateway deployed and the corresponding XML configuration file added you should see all sites connected in the Veeam PN Dashboard.

At this stage we have connected each vCloud Zone to the central Hub Appliance, which is now configured to route to each subnet. If I was to connect an OpenVPN Client to the Hub Appliance I could access all subnets and be able to connect to systems or services in each location. Shown below is the Tunnelblick OpenVPN Client connected to the Hub Appliance showing the routes injected into the network settings.

You can see above that the 192.168.60.0, 192.168.70.0 and 192.168.80.0 static routes have been added and set to use the tunnel interface’s default gateway, which is on the central Hub Appliance.

Adding Static Routes to Cloud Zones (Cloud to Cloud to Cloud):

To complete the setup and have each vCloud zone talking to each other we need to configure static routes on each zone’s network gateway/router, so that traffic destined for the other subnets is routed to the Site Gateway IP, through to the central Hub Appliance, on to the destination and then back. To achieve this you just need to add static routes to the router. In my example I have added the static route to the vCloud Edge Gateway through the vCD Portal as shown below in the Melbourne Zone.

Conclusion:

Summarizing the steps taken to set up a cloud to cloud to cloud network using Veeam PN, using its site-to-site connectivity feature to allow cross site connectivity while also allowing access to systems and services via the point-to-site VPN:

  • Deploy and configure Veeam PN Hub Appliance
  • Register Cloud Sites
  • Register Endpoints
  • Deploy and configure Veeam PN Site Gateway in each vCloud Zone
  • Configure static routes in each vCloud Zone
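To sanity check the addressing and work out exactly which static routes each zone’s edge gateway needs (the step most likely to be missed in a hub-and-spoke setup like this), here is a small planner. This is an added example, not Veeam’s or the post’s own code; the zone subnets and the Azure VNET come from the post, while the Site Gateway addresses are constructed placeholders since the post does not list them.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

Route = Tuple[str, str]  # (destination subnet, next-hop address)

# Subnets from the post. Site Gateway addresses are constructed placeholders
# (the last host in each zone's vORG network); substitute your own.
HUB_VNET = "10.0.0.0/16"
ZONES: Dict[str, Tuple[str, str]] = {
    "Perth": ("192.168.60.0/24", "192.168.60.254"),
    "Sydney": ("192.168.70.0/24", "192.168.70.254"),
    "Melbourne": ("192.168.80.0/24", "192.168.80.254"),
}


def check_addressing(hub_vnet: str, zones: Dict[str, Tuple[str, str]]) -> List[str]:
    """Pre-flight checks: no two networks may overlap (an overlapping prefix
    makes the static routes ambiguous) and every Site Gateway must sit inside
    the vORG network it extends. Returns a list of problems; empty is good."""
    problems: List[str] = []
    nets = [("hub", ipaddress.ip_network(hub_vnet))]
    for name, (subnet, gw) in zones.items():
        net = ipaddress.ip_network(subnet)
        if ipaddress.ip_address(gw) not in net:
            problems.append(f"{name}: Site Gateway {gw} is not inside {subnet}")
        nets.append((name, net))
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_name} {a} overlaps {b_name} {b}")
    return problems


def plan_static_routes(zones: Dict[str, Tuple[str, str]]) -> Dict[str, List[Route]]:
    """Static routes to add on each zone's edge gateway: every other zone's
    subnet via the local Site Gateway, which tunnels it up to the hub."""
    return {
        name: [(other_subnet, gw)
               for other, (other_subnet, _) in zones.items() if other != name]
        for name, (_, gw) in zones.items()
    }


def routes_pushed_to_clients(zones: Dict[str, Tuple[str, str]]) -> List[str]:
    """Subnets the hub pushes to point-to-site OpenVPN clients, which is what
    the route list in the Tunnelblick screenshot reflects."""
    return sorted(subnet for subnet, _ in zones.values())


def missing_routes(planned: List[Route], present: Set[Route]) -> List[Route]:
    """Compare the plan with the routes actually configured on an edge gateway."""
    return [route for route in planned if route not in present]


if __name__ == "__main__":
    for problem in check_addressing(HUB_VNET, ZONES):
        print("PROBLEM:", problem)
    for zone, routes in plan_static_routes(ZONES).items():
        print(f"{zone} edge gateway:")
        for dst, via in routes:
            print(f"  {dst} via {via}")
    print("pushed to OpenVPN clients:", routes_pushed_to_clients(ZONES))
```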

Those five steps took me less than 30 minutes, and that included the OVA deployments. At the end of the day I’ve connected three disparate cloud zones at Zettagrid which all access each other through a Veeam PN Hub Appliance deployed in Azure. From here there is nothing stopping me from adding more cloud zones that could be situated in AWS, IBM, Google or any other public cloud. I could even connect my home office or a remote site to the central Hub to give full coverage.

The key here is that Veeam Powered Network offers a simple solution to what is traditionally a complex and costly one. Again, this will not suit all use cases, but at its most basic functional level it would have been the answer to the cross cloud connectivity questions I mentioned at the start of the article.

Go give it a try!

Attack from the Inside – Protecting Against Rogue Admins

In July of 2011, Distribute.IT, a domain registration and web hosting services provider in Australia, was hit with a targeted, malicious attack that resulted in the company going under and their customers left without their hosting or VPS data. The attack was calculated, targeted and vicious in its execution… I remember the incident well as I was working for Anittel at the time and we were offering similar services…everyone in the hosting organization was concerned when starting to think about the impact a similar attack would have within our systems.

“Hackers got into our network and were able to destroy a lot of data. It was all done in a logical order – knowing exactly where the critical stuff was and deleting that first,”

While it was reported at the time that a hacker got into the network, the way in which the attack was executed pointed to an inside job, and although it was never proved to be so, it is almost 100% certain that the attacker was a disgruntled ex-employee. The very real issue of an inside attack has popped up again…this time Verelox, a hosting company out of the Netherlands, has effectively been taken out of business with a confirmed attack from within by an ex-employee.

My heart sinks when I read of situations like this and for me, it was the only thing that truly kept me up at night as someone who was ultimately responsible for similar hosting platforms. I could deal with, and probably reconcile myself to, a situation where a piece of hardware failed causing data loss…but if an attacker had caused the data loss then all bets would have been off and I might have found myself scrambling to save face and, along with others in the organization, may well have been searching for a new company…or worse, a new career!

What Can Be Done at a Technical Level?

Knowing a lot about how hosting and cloud service providers operate, my feeling is that 90% of organizations out there are not prepared for such attacks and are at the mercy of an attack from the inside…either by a current or ex-employee. Taking that a step further, there are plenty that are at risk of an attack from the inside perpetrated by external malicious individuals using a legitimate account. This is where the principle of least privilege needs to be taken to the nth degree. Clear separation of operational and physical layers needs to be considered as well, to ensure that if systems are attacked, not everything can be taken down at once.

Implementing some form of certification or compliance such as ISO 27001, SOC or IRAP will force companies to become more vigilant through the stringent processes and controls they must adopt to achieve and maintain compliance. This in turn naturally leads to better and more complete disaster recovery and business continuity scenarios that are written down and require testing and validation in order to pass certification.

From a backup point of view, these days with most systems being virtual it’s important to consider a backup strategy that not only makes use of the 3-2-1 rule of backups, but also implements some form of air-gapped backups that are completely separate from and inaccessible to production networks, meaning that only a few very trusted employees have access to the backup and restore media. In practice implementing a complete air-gapped solution is complex and potentially costly, and this is where service providers are chancing their futures on scenarios that have a small percentage chance of happening; however, the likelihood of that scenario playing out is greater than it’s ever been.

In a situation like Verelox, I wonder if, like most IaaS providers, they didn’t back up all client workloads by default, meaning that backup services were an additional service charge that some customers didn’t know about…that said, if backup systems are wiped clean is there any use in having those services anyway? That is to say…is there a backup of the backup? This being the case, I also believe that businesses need to start looking at cross cloud backups and not rely solely on their provider’s backup systems. Something like the Veeam Agents or Cloud Connect can help here.

So What Can Be Done at an Employee Level?

The more I think about the possible answer to this question, the more I believe that service providers can’t fully protect themselves from such internal attacks. At some point trust supersedes all else and no amount of vetting or process can stop someone with the right sort of access doing damage. To that end, making sure that you are looking after your employees is probably the best defence against someone feeling aggrieved enough to carry out a malicious attack such as the one Verelox has just gone through. In addition to looking after employees’ well being it’s also a good idea to…within reason, keep tabs on an employee’s state in life in general. Are they going through any personal issues that might make them unstable, or have they been done wrong by someone else within the company? Generally social issues should be picked up during the hiring process, but complete vetting of employee stability is always going to be a lottery.

Conclusion

As mentioned above, this type of attack is a worst case scenario for every service provider that operates today…there are steps that can be taken to minimize the impact and to protect against an employee getting to the point where they choose to do damage, but my feeling is we haven’t seen the last of these attacks and unfortunately more will suffer…so where you can, try to implement policy and procedure to protect, and then to recover, when or if they do happen.


Resources:

https://www.crn.com.au/news/devastating-cyber-attack-turns-melbourne-victim-into-evangelist-397067/page1

https://www.itnews.com.au/news/distributeit-hit-by-malicious-attack-260306

https://news.ycombinator.com/item?id=14522181

Verelox (Netherlands hosting company) servers wiped by ex-admin from sysadmin