Building VMware Software-Defined Data Centers
Copyright © 2016 Packt Publishing
First published: December 2016
Production reference: 1061216
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78646-437-8
www.packtpub.com
Credits
Author: Valentin Hamburger
Reviewer: Daniel Koeck
Commissioning Editor: Kartikey Pandey
Acquisition Editor: Vijin Boricha
Content Development Editor: Rashmi Suvarna
Technical Editor: Gaurav Suri
Copy Editors: Safis Editing, Dipti Mankame
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Graphics: Kirk D'Penha
Production Coordinator: Shantanu N. Zagade
About the Author
Valentin Hamburger worked at VMware for more than seven years. In his former role, he was a lead consulting architect and took care of the delivery and architecture of cloud projects in central EMEA. In his current role, he is EMEA solutions lead for VMware at Hitachi Data Systems (HDS). Furthermore, he works as an advisor with HDS engineering on the Hitachi Enterprise Cloud, which is based on VMware vRealize technology. He holds many industry certifications in various areas such as VMware, Linux, and IBM Power compute environments. He serves as a partner and trusted advisor to HDS customers primarily in EMEA. His main responsibilities are ensuring that HDS's future innovations align with essential customer needs and translating customer challenges to opportunities focused on virtualization topics. Valentin enjoys sharing his knowledge as a speaker at national and international conferences such as VMworld.
I want to personally thank Daniel Koeck for reviewing the technical content of this book and providing such valuable and productive inputs. Besides his technical expertise, I am happy to have him as a friend and supporter for this book. Furthermore, I want to thank my beautiful wife and daughter for their patience and understanding while I was writing this book. Without their support and love, this wouldn't have been possible at all. Finally, I do want to thank Rashmi Suvarna, who had patience with me as an author and supported me wherever she could in order to get all this work done.
About the Reviewer
Daniel Koeck has been working for 15 years in IT. He has led large-scale (more than 20,000 VMs) projects, ranging from Service Provider Clouds to DevOps-enabled large-scale software solutions, in the last 6 years. He holds a degree in applied computer science and IT security. Daniel is an IBM Redbook Gold author, and has co-authored many other books and white papers about x86 virtualization. He is regularly invited as a speaker to different universities and technology conferences all over Europe and the USA, and enjoys sharing his experience there. You can find him on Twitter @Cloudsandwakes.
Preface
This book uses the most up-to-date, cutting-edge VMware products to help you deliver a complete unified hybrid cloud experience within your infrastructure.
It will help you build an SDDC architecture and practices to deliver a fully virtualized infrastructure with cost-effective IT outcomes. In the process, you will use some of the most advanced VMware products such as vSphere, vRealize Automation and Orchestrator, and NSX. You will see how to provision applications and IT services on private clouds or IaaS with seamless accessibility and mobility across the hybrid environment.
This book will ensure that you develop an SDDC approach for your data center that fulfills your organization's business needs and tremendously boosts your agility and flexibility. It will also teach you how to draft, design, and deploy toolsets and software to automate your data center and speed up IT delivery to meet the demands of your lines of business. In the end, you will build unified hybrid clouds that dramatically boost your IT outcomes.
What this book covers
Chapter 1, The Software-Defined Data Center, discusses principles and basics about the SDDC. Besides the technical aspects, it will also highlight the organizational aspects and that the SDDC is a new way of managing and running a data center and therefore also an architectural change. Also, it will describe the implementation journey and what is necessary to take into account besides the technological aspects.
Chapter 2, Identify Automation and Standardization Opportunities, highlights the main principles of automation and standardization. The differences between scripts and workflows are described. Also, it will bring examples of how to apply standardization and automation to the data center in order to make the SDDC as flexible and agile as possible.
Chapter 3, VMware vSphere: The SDDC Foundation, covers important vSphere functions, which will decrease the amount of customization when it comes to automation. Since virtualization is the base of an SDDC, this chapter will focus on examples and configurations for vSphere. This chapter will discuss advanced vSphere functions and their importance for an SDDC.
Chapter 4, SDDC Design Considerations, explains the main principles of an SDDC design including detailed examples. It also highlights what assumptions, constraints, and limits are and how they will influence a design. Furthermore, it will show a simple-to-follow approach to translate business challenges into a technical solution and therefore an agile and efficient SDDC design.
Chapter 5, VMware vRealize Automation, introduces vRA (formerly known as vCloud Automation Center) and its capabilities. The implementation of the design considerations of the former chapter will be discussed, and it will show other important configuration options, principles, and concepts. Also, it will focus on the creation of so-called blueprints and what is needed to prepare a VM template to be deployed.
Chapter 6, vRealize Orchestrator, touches on what workflows are and how they can be developed in a controlled and clean manner. It will highlight how to integrate those into vRealize Automation to create powerful services for almost any task in the SDDC. In addition, it will discuss what post-deployment third-party integration can be achieved using vRO (for example, IPAM and CMDB integration).
Chapter 7, Service Catalog Creation, brings up the basic service catalog design. Also, it bridges the business case to the service catalog and describes why that is important and how that sync can be achieved. It will explain, based on an example, how to configure an outcome-focused service catalog in vRealize Automation.
Chapter 8, Network Virtualization using NSX, discusses software-defined networking principles. It highlights NSX basic functions and configurations and why it is a game changer within the SDDC. With NSX, broad data center automation can be fully achieved by gaining maximal flexibility and agility for service deployments. It will also cover the base configuration and integration with SDDC based on practical examples and detailed integration descriptions.
Chapter 9, DevOps Considerations, describes DevOps in general and what changes it brings to IT and the SDDC. It discusses most of the modern technologies to run DevOps including containers and container frameworks such as Pivotal Cloud Foundry. Furthermore, it describes a DevOps approach to run and manage the SDDC itself using VMware vRealize Code Stream Management Pack for IT DevOps. This will add additional agility and flexibility when it comes to managing and operating the SDDC.
Chapter 10, Capacity Management with vRealize Operations, mentions how important proper capacity management is in a fully automated data center. It will highlight techniques and principles for successfully planning infrastructure expansion. It provides practical configuration examples for resource planning and predictive capacity maintenance.
Chapter 11, Troubleshooting and Monitoring, explains the monitoring and analytics methods for the SDDC. Since an automated data center might have different challenges in terms of monitoring, it further highlights the differences from static infrastructure and why it is important to have a smart monitoring and analytics approach for the SDDC. It will describe how to limit the impact of issues with smart and predictive troubleshooting and analytics methods, including the use of vRealize Log Insight.
Chapter 12, Continuous Improvement, mentions the importance of continuously working on the services and processes within the SDDC. Once the SDDC is deployed and functions properly, it is time to reflect and maybe update the created services. The chapter mentions how important it is to detect possible process flaws or glitches and update those. Furthermore, it summarizes the importance of ITIL in a modern data center and explains that the SDDC is basically the fully automated version of ITIL, bringing all its benefits to life without all its drawbacks like the bureaucracy overhead.
What you need for this book
vRealize Automation
vRealize Orchestrator
vRealize Operations Manager
vRealize Log Insight
vRealize Code Stream
Management pack for IT DevOps
VMware vSphere
VMware NSX
Who this book is for
If you are an IT professional or VMware administrator who virtualizes data centers and IT infrastructures, this book is for you. Developers and DevOps engineers who deploy applications and services would also find this book useful. Data center architects and those at the CXO level who make decisions will appreciate the value in the content.
Chapter 1. The Software-Defined Data Center
The term software-defined data center (SDDC) was originally introduced by VMware to further describe the move to a cloud-like IT experience. The term software-defined is an important bit of information. It basically means that every key function in the data center is performed and controlled by software, instead of hardware. This opens a whole new way of operating, maintaining, and also innovating in a modern data center.
But what does a so-called SDDC look like, and why is a whole industry pushing so hard towards its adoption? This question might also be a reason why you are reading this book, which is meant to provide a deeper understanding of it and give practical examples and hints on how to build and run such a data center. Meanwhile, it will also provide the knowledge of mapping business challenges with IT solutions. This is a practice which becomes more and more important these days.
IT has come a long way from a pure back-office, task-oriented role in the early days to a business-relevant asset, which can help organizations to compete with their competition. There has been a major shift from a pure infrastructure provider role to a business enablement function. Today, most organizations' business is just as good as their internal IT agility and ability to innovate. There are many examples in various markets where a whole business branch was built on IT innovations, such as Netflix, Amazon Web Services (AWS), Uber, and Airbnb, just to name a few.
However, it is unfair to compare any startup with a traditional organization. A startup has one application to maintain and has to build up a customer base.
A traditional organization has a wide customer base and many applications to maintain. So it needs to adapt its internal IT to become a digital enterprise, with all the flexibility and agility of a startup, while also maintaining the trust and control over its legacy services.
This chapter will cover the following points:
Why is there a demand for SDDC in IT
What is SDDC
Understand the business challenges and map it to SDDC deliverables
The relation of an SDDC and an internal private cloud
Identify new data center opportunities and possibilities
Become a center of innovation to empower your organization's business
The demand for change
Today organizations face different challenges in the market to stay relevant. The biggest move was clearly introduced by smartphones and tablets. They were not just computers in a smaller device; they changed the way IT is delivered and consumed by end users. These devices proved that it can be simple to consume and install applications. Just search in an app store, choose what you like, and use it as long as you like it. If you do not need it any longer, simply remove it. All with very simple commands and easy-to-use gestures.
More and more people rely on IT services by using a smartphone as their terminal to almost everything. These devices created a demand for fast and easy application and service delivery. So in a way, smartphones have not only transformed the whole mobile market, they have also transformed how modern applications and services are delivered from organizations to their customers.
Although it would be quite unfair to compare a large enterprise data center with an app store, or enterprise service delivery with any app install on a mobile device, there are startups and industries which rely solely on the smartphone as their target for services, such as Uber or WhatsApp.
On the other side, smartphone apps also introduce a whole new way of delivering IT services, since a company never knows how many people will use the app simultaneously. But in the backend, they still have to use web servers and databases to continuously provide content and data for these apps.
This also introduces a new value model for all other companies. People start to judge a company by the quality of its available smartphone apps. Also, people have started to migrate to companies which might offer better smartphone integration than the previous one they used. This is not bound to a single industry, but affects a broad spectrum of industries today such as the financial industry, car manufacturers, insurance groups, and even food retailers, just to name a few.
A classic data center structure might not be ideal for quick and seamless service delivery. These architectures are created by projects to serve a particular use case for a couple of years. Examples of these bigger application environments are web server farms, traditional SAP environments, or a data warehouse.
Traditionally these were designed with an assumption about their growth and use. Special project teams have set them up across the data center pillars, as shown in the following figure. Typically, those project teams separate after such an application environment has been completed.
All these pillars in the data center are required to work together, but every one of them also needs to mind their own business. Mostly those different divisions also have their own processes, which then may integrate into a data center wide process. There was a good reason to structure a data center in this way: the simple fact that nobody can be an expert in every discipline. Companies started to create groups to operate certain areas in a data center, each building their own expertise for their own subject.
This evolved and became the most applied model for IT operations within organizations. Many, if not all, bigger organizations have adopted this approach and people build their careers on these definitions. It served IT well for decades and ensured that each party was adding its best knowledge to any given project.
However, this setup has one flaw: it has not been designed for massive change and scale. The bigger these divisions get, the slower they can react to requests from other groups in the data center. This introduces a bi-directional issue: since all groups may grow at a similar rate, the overall service delivery time might also increase exponentially.
Unfortunately, this also introduces a cost factor when it comes to service deployments across these pillars. Each new service an organization might introduce or develop will require each area of IT to contribute. Traditionally, this is done by human handovers from one department to the other.
Each of these handovers will delay the overall project time or service delivery time, which is also often referred to as time to market. It reflects the time interval needed from the request of a new service to its actual delivery. It is important to mention that this is a level of complexity every modern organization has to deal with when it comes to application deployment today.
The difference between organizations might be in the size of the separate units, but the principle is always the same. Most organizations try to bring their overall service delivery time down to be quicker and more agile. This is often related to business reasons as well as IT cost reasons.
In some organizations, the time to deliver a brand new service from request to final rollout may take 90 working days. This means a requestor might wait 18 weeks, or more than four and a half months, from requesting a new business service to its actual delivery. Do not forget that this reflects the complete service delivery, over all groups, until it is ready for production. Also, after these 90 days, the requirement of the original request might have changed, which would lead to repeating the entire process.
Often a quicker time to market is driven by the lines of business (LOB) owners to respond to a competitor in the market, who might already deliver their services faster. This means that today's IT has changed from a pure internal service provider to a business enabler supporting its organization to fight the competition with advanced and innovative services.
While this introduces a great chance for the IT department to enable and support its organization's business, it also introduces a threat at the same time. If the internal IT struggles to deliver what the business is asking for, it may lead to the use of shadow IT within the organization.
The term shadow IT describes a situation where either the LOBs of an organization or its application developers have grown so disappointed with the internal IT delivery times that they actually use an external provider for their requirements. This behavior is not agreed with IT security and can lead to serious business or legal trouble.
This happens more often than one might expect, and it can be as simple as putting some internal files on a public cloud storage provider. These services grant quick results. It is as simple as Register-Download-Use. They are very quick in enrolling new users and sometimes provide a limited use for free. The developer or business owner might not even be aware that there is something non-compliant going on while using these services.
So besides the business demand for a quicker service delivery and the security aspect, an organization's IT department now also has the pressure of staying relevant. But SDDC can provide much more value to IT than just staying relevant.
The automated data center will be an enabler for innovation and trust and introduce a new era of IT delivery. It can not only provide faster service delivery to the business, it can also enable new services or offerings to help the whole organization be innovative for its customers or partners.
Business challenges: The use case
Today's business strategies often involve a digital delivery of services of any kind. This implies that the requirements a modern organization has towards its internal IT have changed drastically. Unfortunately, the business owners and the IT department tend to have communication issues in some organizations. Sometimes they even operate completely disconnected from each other, as if each of them were their own small company within the organization.
Nevertheless, a lot of data center automation projects are driven by enhanced business requirements. In some of these cases, the IT department has not been made aware of what these business requirements look like, or even what the actual business challenges are. Sometimes IT just gets as little information as: We are doing cloud now.
It's a dangerous simplification, since the use case is key when it comes to designing and identifying the right solution to the organization's challenges. It is important to get the requirements from the IT delivery side as well as the business requirements and expectations.
Here is a simple example of how a use case might be identified and mapped to a technical implementation.
The business view
John works as a business owner in an insurance company. He recognizes that their biggest competitor in the market has started to offer a mobile application to its clients. The app is simple and allows online contract management, and tells the clients which products they have enrolled in, as well as providing rich information about contract timelines and possible consolidation options.
He asks his manager to start a project to also deliver such an application to their customers. Since it is only a simple smartphone application, he expects that its development might take a couple of weeks and then they can start a beta phase. To be competitive, he estimates that they should have something usable for their customers within a maximum of 5 months. Based on these facts, he got approval from his manager to request such a product from the internal IT.
The IT view
Tom is the data center manager of this insurance company. He has been informed that the business wants to have a smartphone application to do all kinds of things for the new and existing customers. He is responsible for creating a project and bringing all necessary people on board to support this project and finally deliver the service to the business. The programming of the app will be done by an external consulting company.
Tom discusses a couple of questions regarding this request with his team:
How many users do we need to serve?
How much time do we need to create this environment?
What is the expected level of availability?
How much compute power/disk space might be required?
After a round of brainstorming and intense discussion, the team is still quite unsure how to answer these questions. For every question, there are a couple of variables the team cannot predict.
Will only a few of their thousands of users adopt the app? What if they undersize the middleware environment?
What if the user adoption rises within a couple of days? What if it lowers and the environment is overpowered and therefore the cost is too high?
Tom and his team identified that they need a dynamic solution to be able to serve the business request. He creates a mapping to match possible technical capabilities to the use case. After this mapping is completed, he uses it to discuss with his CIO if and how it can be implemented.
| Business challenge | Question | IT capability |
| Easy to use app to win new customers/keep existing | How many users do we need to serve? | Dynamic scale of an environment based on actual performance demand. |
| | How much time do we need to create this environment? | To fulfill the expectations the environment needs to be flexible. Start small, scale big. |
| | What is the expected level of availability? | Analytics and monitoring over all layers. Including possible self-healing approach. |
| | How much compute power/disk space might be required? | Create compute nodes based on actual performance requirements on demand. Introduce a capacity on demand model for required resources. |
Given this table, Tom found that with their current data center structure it is quite difficult to deliver what the business is asking for. Also, he got a couple of requirements from other departments, which are going in a similar direction.
Based on these mappings, he identified that they need to change their way of deploying services and applications. They will need to use a fair amount of automation. Also, they have to span these functionalities across each data center department as a holistic approach, as shown in the following diagram:
In this example, Tom actually identified a very strong use case for SDDC in his company. Based on the actual business requirements of a simple application, the whole IT delivery of this company needs to adapt. While this may sound like pure fiction, these are the challenges modern organizations need to face today.
Tip
It is very important to identify the required capabilities for the entire data center and not just for a single department. You will also have to serve the legacy applications and bring them onto the new model. Therefore it is important to find a solution which serves the new business case as well as the legacy applications. In the first stage of any SDDC introduction in an organization, it is key to always keep an eye on the big picture.
Tools to enable SDDC
There is a basic and broadly accepted declaration of what an SDDC needs to offer. It can be considered as the second evolutionary step after server virtualization. It offers an abstraction layer from the infrastructure components such as compute, storage, and network by using automation and tools such as a self-service catalog. In a way, it represents a virtualization of the whole data center with the purpose of simplifying the request and deployment of complex services. Other capabilities of an SDDC are:
Automated infrastructure/service consumption
Policy based services and applications deployment
Changes to services can be made easily and instantly
All infrastructure layers are automated (storage, network, and compute)
No human intervention is needed for infrastructure/service deployment
High level of standardization is used
Business logic is for chargeback or showback functionality
All of the preceding points define an SDDC technically. But it is important to understand that an SDDC is considered to solve the business challenges of the organization running it. That means based on the actual business requirements, each SDDC will serve a different use case. Of course, there is the main setup you can adopt and roll out, but it is important to understand your organization's business challenges in order to prevent any planning or design shortcomings.
Also, to realize this functionality, SDDC needs a couple of software tools. These are designed to work together to deliver a seamless environment. The different parts can be seen like gears in a watch where each gear has an equally important role to make the clockwork function correctly.
It is important to remember this when building your SDDC, since missing on one part can make another very complex or even impossible afterward.
This is a list of VMware tools building an SDDC:
vRealize Business for Cloud
vRealize Operations Manager
vRealize Log Insight
vRealize Automation
vRealize Orchestrator
vRealize Automation Converged Blueprint
vRealize Code Stream
VMware NSX
VMware vSphere
vRealize Business for Cloud is a chargeback/showback tool. It can be used to track the cost of services as well as the cost of a whole data center. Since the agility of an SDDC is much higher than for a traditional data center, it is important to also track and show the cost of adding new services. It is not only important from a financial perspective, it also serves as a control mechanism to ensure users are not deploying uncontrolled services and leaving them running even if they are not required anymore.
vRealize Operations Manager basically serves two functions. One is to help with the troubleshooting and analytics of the whole SDDC platform. It has an analytics engine, which applies machine learning to the behavior of its monitored components. The other important function is capacity management. It is capable of providing what-if analysis and informs about possible shortcomings of resources way before they occur. These functionalities also use the machine learning algorithms and get more accurate over time. This becomes very important in a dynamic environment where on-demand provisioning is granted.
vRealize Log Insight is a unified log management tool. It offers rich functionality and can search and profile a lot of log files in seconds. It is recommended to use it as a universal log endpoint for all components in your SDDC. This includes all OSes as well as applications and also your underlying hardware. In the event of an error, it is much simpler to have a central log management which is easily searchable and delivers an outcome in seconds.
vRealize Automation (vRA) is the base automation tool. It provides the cloud portal to interact with your SDDC. The portal offers the business logic such as service catalogs, service requests, approvals, and application life cycles. However, it relies strongly on vRealize Orchestrator for its technical automation part. vRA can also tap into external clouds to extend the internal data center. Extending an SDDC is mostly referred to as hybrid cloud. There are a couple of supported cloud offerings vRA can manage.
vRealize Orchestrator (vRO) provides the workflow engine and the technical automation part of the SDDC. It is literally the orchestrator of your new data center. vRO can be easily bound together with vRA to form a very powerful automation suite, where anything with an application programming interface (API) can be integrated. Also, it is required to integrate third-party solutions into your deployment workflows, such as configuration management database (CMDB), IP address management (IPAM), or ticketing systems via IT service management (ITSM).
vRealize Automation Converged Blueprint was formerly known as vRealize Automation Application Services and is an add-on functionality to vRA, which takes care of application installations. It can be used with pre-existing scripts (like Windows PowerShell or Bash on Linux), but also with variables received from vRA. This makes it very powerful when it comes to on-demand application installations. This tool can also make use of vRO to provide even better capabilities for complex application installations.
vRealize Code Stream is an addition to vRA and serves specific use cases in the DevOps area of the SDDC. It can be used with various development frameworks such as Jenkins. Also it can be used as a tool for developers to build and operate their own software test, QA and deployment environment. Not only can the developer build these separate stages, the migration from one stage into another can also be fully automated by scripts. This makes it a very powerful tool when it comes to staging and deploying modern and traditional applications within the SDDC.
VMware NSX is the network virtualization component. Given the complexity some applications/services might introduce, NSX will provide a good and profound solution to help solve it. The challenges include:
Dynamic network creation
Microsegmentation
Advanced security
Network function virtualization
VMware vSphere is mostly the base infrastructure and used as the hypervisor for server virtualization. You are probably familiar with vSphere and its functionalities. However, since the SDDC is introducing a change to your data center architecture, it is recommended to revisit some of the vSphere functionalities and configurations. By using the full potential of vSphere it is possible to save effort when it comes to automation aspects as well as the service/application deployment part of the SDDC.
This represents your toolbox required to build the platform for an automated data center. All of them will bring tremendous value and possibilities, but they also will introduce change. It is important that this change is addressed and is a part of the overall SDDC design and installation effort. Embrace the change.
The implementation journey
While a big part of this book focuses on building and configuring the SDDC, it is important to mention that there are also non-technical aspects to consider. Creating a new way of operating and running your data center will always involve people. It is important to also briefly touch this part of the SDDC. Basically, there are three major players when it comes to a fundamental change in any data center, as shown in the following image:
Basically, there are three major topics relevant for every successful SDDC deployment. Same as for the tools principle, these three disciplines need to work together in order to enable the change and make sure that all benefits can be fully leveraged.
These three categories are:
People
Process
Technology
The process category
Data center processes are as established and settled as IT itself. Beginning with the first operator tasks like changing tapes or starting procedures, up to highly sophisticated processes to ensure that the service deployment and management is working as expected, they have already come a long way. However, some of these processes might not be fit for purpose anymore, once automation is applied to a data center. To build an SDDC it is very important to revisit data center processes and adapt them to work with the new automation tasks. The tools will offer integration points into processes, but it is equally important to remove bottlenecks for the processes as well. However, keep in mind that if you automate a bad process, the process will still be bad, but fully automated. So it is also necessary to revisit those processes so that they can become slim and effective as well.
Remember Tom, the data center manager. He has successfully identified that they need an SDDC to fulfill the business requirements and also did a use case to IT capabilities mapping. While this mapping is mainly talking about what the IT needs to deliver technically, it will also imply that the current IT processes need to adapt to this new delivery model.
The process change example in Tom's organization
If the compute department works on a service involving OS deployment, they need to fill out an Excel sheet with IP addresses and server names and send it to the networking department. The network admins will ensure that there is no double booking by reserving the IP address and approving the requested hostname. After successfully proving the uniqueness of this data, name and IP get added to the organization's DNS server.
The manual part of this process is no longer feasible once the data center enters the automation era. Imagine that every time somebody orders a service involving a VM/OS deploy, the network department gets an e-mail containing the Excel sheet with the IP and hostname combination. The whole process will have to stop until this step is manually finished.
To overcome this, the process has to be changed to use an automated solution for IPAM. The new process has to track IP addresses and hostnames programmatically to ensure there is no duplication within the entire data center. Also, after successfully checking the uniqueness of the data, it has to be added to the Domain Name System (DNS).
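The automated replacement for the Excel hand-over can be sketched as follows. This is an added example, not code from the book or from any VMware product: the Ipam class, the table layout, the corp.example zone and the sample network are assumptions, and an in-memory SQLite database stands in for the real IPAM and DNS back ends. Uniqueness is enforced by database constraints inside one transaction, so two concurrent requests cannot both receive the same name or address.

```python
import ipaddress
import re
import sqlite3

# Single DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


class IpamError(Exception):
    """Raised when a reservation request cannot be satisfied."""


class Ipam:
    """Hypothetical IPAM: hands out addresses and records the DNS A record."""

    def __init__(self, cidr, reserved=()):
        self.network = ipaddress.ip_network(cidr)
        self.reserved = {str(ipaddress.ip_address(a)) for a in reserved}
        # isolation_level=None: transactions are opened and closed explicitly.
        self.db = sqlite3.connect(":memory:", isolation_level=None)
        self.db.execute(
            "CREATE TABLE lease (hostname TEXT NOT NULL UNIQUE,"
            " ip TEXT NOT NULL UNIQUE, requested_by TEXT NOT NULL)"
        )
        self.db.execute("CREATE TABLE dns_a (fqdn TEXT PRIMARY KEY, ip TEXT NOT NULL)")

    def _next_free_ip(self):
        used = {row[0] for row in self.db.execute("SELECT ip FROM lease")}
        for host in self.network.hosts():
            if str(host) not in used and str(host) not in self.reserved:
                return str(host)
        raise IpamError("address pool exhausted")

    def reserve(self, hostname, zone, requested_by):
        """Validate the name, then reserve IP + hostname and add DNS atomically."""
        hostname = hostname.strip().lower()
        if not HOSTNAME_RE.fullmatch(hostname):
            raise IpamError(f"invalid hostname: {hostname!r}")
        self.db.execute("BEGIN IMMEDIATE")  # take the write lock before reading
        try:
            ip = self._next_free_ip()
            # Values are bound as parameters; the UNIQUE constraints reject duplicates.
            self.db.execute(
                "INSERT INTO lease VALUES (?, ?, ?)", (hostname, ip, requested_by)
            )
            self.db.execute(
                "INSERT INTO dns_a VALUES (?, ?)", (f"{hostname}.{zone}", ip)
            )
            self.db.execute("COMMIT")
        except sqlite3.IntegrityError as exc:
            self.db.execute("ROLLBACK")
            raise IpamError(f"duplicate hostname or IP: {exc}") from exc
        except Exception:
            self.db.execute("ROLLBACK")
            raise
        return ip


def demo():
    # Constructed sample data: a /29 pool whose first address is the gateway.
    ipam = Ipam("10.20.30.0/29", reserved=["10.20.30.1"])
    results = []
    for name in ["web01", "db01", "WEB01", "bad_name;drop"]:
        try:
            results.append((name, ipam.reserve(name, "corp.example", "vra-workflow")))
        except IpamError as exc:
            results.append((name, f"rejected: {exc}"))
    dns = ipam.db.execute("SELECT fqdn, ip FROM dns_a ORDER BY fqdn").fetchall()
    return results, dns


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The duplicate request ("WEB01") and the malformed name are rejected without leaving a half-written lease or DNS record behind, which is the property the manual double-booking check was meant to guarantee.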
While this is a simple example of one small process, normally there is a large number of processes involved which need to be reviewed for a fully automated data center. This is a very important task and should not be underestimated since it can be a differentiator for success or failure of an SDDC.
Think about all other processes in place, which are used to control the deploy/enable/install mechanics in your data center. Here is a small example list of questions to ask regarding established processes:
What is our current IPAM/DNS process?
Do we need to consider a CMDB integration?
What is our current ticketing process? (ITSM)
What is our process to get resources from the network, storage, and compute?
What OS/VM deployment process is currently in place?
What is our process to deploy an application (handovers, steps, or departments involved)?
What does our current approval process look like?
    Do we need a technical approval to deliver a service?
    Do we need a business approval to deliver a service?
What integration process do we have for a service/application deployment?
    DNS, Active Directory (AD), Dynamic Host Configuration Protocol (DHCP), routing, Information Technology Infrastructure Library (ITIL), and so on
Now for the approval questions: normally these are an exception for the automation part, since approvals are meant to be manual in the first place (either technical or business). If the answers to the other example questions involve human interaction as well, consider changing these processes to be fully automated by the SDDC.
Since human intervention creates waiting times, it has to be avoided during service deployments in any automated data center. Think of it as the robotic assembly lines today's car manufacturers are using. The processes they have implemented, developed over ages of experience, are all designed to stop the line only in case of an emergency.
The same holds true for the SDDC; try to enable the automated deployment through your processes, and stop the automation only in case of an emergency.
Identifying processes is the simple part, changing them is the tricky part. However, keep in mind that this is an all-new model of IT delivery, therefore there is no golden way of doing it. Once you have committed to change those processes, keep monitoring whether they truly fulfill their requirement.
This leads to another process principle in the SDDC: Continual Service Improvement (CSI). Revisit what you have changed from time to time and make sure that those processes are still working as expected; if they don't, change them again.
The people category
Since every data center is run by people, it is important to also consider that a change of technology will also impact those people. There are some claims that an SDDC can be run with only half of the staff or save a couple of employees since all is automated.
The truth is, an SDDC will transform IT roles in a data center. This means that some classic roles might vanish, while others will be added by this change.
It is unrealistic to say that you can run an automated data center with half the staff you had before. But it is realistic to say that your staff can concentrate on innovation and development instead of spending 100% of their time keeping the lights on. And this is the change an automated data center introduces. It opens up the possibility for current administrators to evolve into a more architecture and design focused role.
The people example in Tom's organization
Currently, there are two admins in the compute department working for Tom. They are managing and maintaining the virtual environment, which is largely VMware vSphere. They are creating VMs manually, deploying an OS by a network install routine (which was a requirement for physical installs, so they kept the process) and then handing the ready VMs over to the next department to finish installing the service they are meant for.
Recently they have experienced a lot of demand for VMs and each of them configures 10 to 12 VMs per day. Given this, they cannot concentrate on other aspects of their job, like improving OS deployments or the handover process.
At first look, it seems like the SDDC might replace these two employees since the tools will largely automate their work. But that is like saying a jackhammer will replace a construction worker.
Actually, their roles will shift to a more architectural aspect. They need to come up with a template for OS installations and ways to further automate the deployment process. Also, they might need to add new services/parts to the SDDC in order to fulfill the business needs continuously.
So instead of creating all the VMs manually, they are now focused on designing a blueprint that can be replicated as easily and efficiently as possible.
While their tasks might have changed, they are still needed to operate and run the SDDC. However, given that they focus on design and architectural tasks now, they also have the time to introduce innovative functions and additions to the data center.
Keep in mind that an automated data center affects all departments in an IT organization. This means that the tasks of the network and storage as well as application and database teams will also change. In fact, in an SDDC it is quite impossible to still operate the departments disconnected from each other since a deployment will affect all of them.
This also implies that all of these departments will have admins shifting to higher-level functions in order to make the automation possible. In the industry, this shift is also often referred to as Operational Transformation. This basically means that not only do the tools have to be in place, you also have to change the way the staff operates the data center. In most cases organizations decide to form a so-called center of excellence (CoE) to administer and operate the automated data center.
This virtual group of admins in a data center is very similar to project groups in traditional data centers. The difference is that these people should be permanently assigned to the CoE for an SDDC. Typically you might have one champion from each department taking part in this virtual team.
Each person acts as an expert and ambassador for their department. With this principle, it can be ensured that decisions and overlapping processes are well defined and ready to function across the departments. Also, as an ambassador, each participant should advertise the new functionalities within their department and enable their colleagues to fully support the new data center approach.
It is important to have good expertise in terms of technology as well as good communication skills for each member of the CoE.
The technology category
This is the third aspect of the triangle to successfully implement an SDDC in your environment. Often this is the part where people spend most of their attention, sometimes by ignoring one of the other two parts. However, it is important to note that all three topics need to be equally considered. Think of it like a three-legged chair: if one leg is missing it can never stand.
The term technology does not necessarily only refer to new tools required to deploy services. It also refers to already established technology, which has to be integrated with the automation toolset (often referred to as third-party integration). This might be your AD, DHCP server, e-mail system, and so on.
There might be technology which is not enabling or empowering the data center automation, so instead of only thinking about adding tools, there might also be tools to be removed or replaced. This is a normal IT lifecycle task and has gone through many iterations already. Think of things like a fax machine or the telex; you might not use them anymore, they have been replaced by e-mail and messaging.
The technology example in Tom's organization
The team uses some tools to make their daily work easier when it comes to new service deployments. One of the tools is a little graphical user interface to quickly add content to AD. The admins use it to insert the hostname and organizational unit (OU) as well as to create the computer account. This was meant to save admin time since they don't have to open all the various menus in the AD configuration to accomplish these tasks.
With the automated service delivery, this has to be done programmatically. Once a new OS is deployed, the deployment tool has to add it to AD, including all requirements. Since AD offers an API this can be easily automated and integrated into the deployment automation. Instead of painfully integrating the graphical tool, this is now done directly by interfacing the organization's AD, ultimately replacing the old graphical tool.
The automated deployment of a service across the entire data center requires a fair amount of communication. Not in a traditional way, but machine-to-machine communication leveraging programmable interfaces. Using such APIs is another important aspect of the applied data center technologies. Most of today's data center tools, from backup all the way up to web servers, do come with APIs. The better the API is documented, the easier the integration into the automation tool. In some cases, you might need the vendors to support you with the integration of their tools.
If you have identified a tool in the data center which does not offer any API or even command-line interface (CLI) option at all, try to find a way around this software or even consider replacing it with a new tool.
APIs are the equivalent of handovers in the manual world. The better the communication works between tools, the faster and easier the deployment will be completed. To coordinate and control all this communication, you will need far more than scripts to run. This is a task for an orchestrator, which can run all necessary integration workflows from a central point. This orchestrator will act as a conductor for a big orchestra. It will form the backbone of your SDDC.
Why are these three topics so important?
The technology aspect closes the triangle and brings the people and the processes parts together. If the processes are not altered to fit the new deployment methods, automation will be painful and complex to implement. If the deployment stops at some point, since the processes require manual intervention, the people will have to fill in this gap.
This means that they now have new roles, but also need to maintain some of their old tasks to keep the process running. By introducing such an unbalanced implementation of an automated data center, the workload for people can actually increase, while the service delivery times may not dramatically decrease. This may lead to an avoidance of the automated tasks since the manual intervention might be seen as faster by individual admins.
So it is very important to accept all three aspects as the main part of the SDDC implementation journey. They all need to be addressed equally and thoughtfully to unveil the benefits and improvements an automated data center has to offer.
However, keep in mind that this truly is a journey. An SDDC is not implemented in days but in months. Given this, the implementation team in the data center also has this time to adapt themselves and their process to this new way of delivering IT services. Also, all necessary departments and their leads need to be involved in this procedure.
An SDDC implementation is always a team effort.
Additional possibilities and opportunities
All the previously mentioned topics serve the sole goal of installing and using the SDDC within your data center. However, once you have the SDDC running the real fun begins, since you can start to introduce additional functionalities impossible for any traditional data center. Let's just briefly touch on some of the possibilities from an IT view.
The self-healing data center
This is a concept where the automatic deployment of services is connected to a monitoring system. Once the monitoring system detects that a service or environment may be facing constraints, it can automatically trigger an additional deployment for this service to increase the throughput.
While this is application dependent, for infrastructure services this can become quite handy. Think of ESXi host auto deployments if compute power is becoming a constraint, or datastore deployments if disk space is running low. If this automation is too aggressive for your organization, it can be used with an approval function. Once the monitoring detects a shortcoming it will ask for approval to fix it with a deployment action.
Instead of getting an e-mail from your monitoring system that there is a constraint identified, you get an e-mail with the constraint and the resolving action. All you need to do is to approve the action.
The self-scaling data center
A similar principle is to use a capacity management tool to predict the growth of your environment. If it approaches a trigger, the system can automatically generate an order letter, containing all needed components to satisfy the growing capacity demands.
This can then be sent to finance or the purchasing management for approval and before you even get into any capacity constraints, the new gear might be available and ready to run. However, consider the regular turnaround time for ordering hardware, which might affect how far in the future you have to set the trigger for such functionality.
Both of these opportunities are more than just nice-to-haves; they enable your data center to be truly flexible and proactive. Due to the fact that an SDDC is offering a high amount of agility, it will also need some self-monitoring to stay flexible and usable and to fulfill unpredictable demand.
Summary
In this chapter, we discussed the main principles and declarations of an SDDC. It provided an overview of the opportunities and possibilities this new data center architecture provides. Also, it covered the changes which will be introduced by this new approach. Finally, it discussed the implementation journey and its involvement with people, processes, and technology.
In the next chapter, we will dive deep into identifying tasks and processes for automation within the data center. It will discuss in more detail what level of automation an SDDC requires and why standardization is very important for automated services deployment.
Chapter 2. Identify Automation and Standardization Opportunities
"A journey of a thousand miles must begin with a single step." - Lao Tzu
In this case, it is the journey of building the SDDC and fully automating your data center. Automation is the keyword and it is very worthwhile to spend a fair amount of time to identify tasks for automation. The difficult part is automating the right things, in a way that is efficient and helpful for the daily operations of a modern data center.
Automation itself is not a new topic within a data center. There has always been automation present in the form of scripts called by date-controlled task managers. In the Linux world, it is usually crond calling command-line scripts. In Windows, this can be done using the task manager.
However, the SDDC automation approach is bigger than a local task based automation. It needs to introduce automation across many different tools, infrastructure, and departments. Therefore it needs to be controlled and managed by a central instance, which often is referred to as an orchestrator. Also, there needs to be one place where this automation is controlled and managed, otherwise it will become very difficult to implement changes and updates.
Before you start and automate each and every manual task in the data center it is important to think about what makes sense and what does not. Also, the partner of automation is standardization. Without standards, it will be impossible to automate, since workflows have no sense for exceptions. It is important to define a path for certain tasks and then rigidly follow it. Therefore the important step is to make sure this path is valid and working well before automating it.
This chapter will cover the following topics:
Automation principles and best practices
Comparison of a script versus a workflow
Identify processes to find a path for automation
Identify your IT delivery framework
Standardization of repeatable tasks
Examples of applied standardization and automation approach
Automation principles
Automation is a topic which seems quite simple and straightforward at first glance. Mostly it is seen as simple as:
1. Find a repeatable task.
2. Create a script or program to replace the manual steps.
3. Add it to a trigger or scheduler for repeated execution.
While this is true for the actual scripting, the first point is maybe the most important. There are many tasks in a modern data center, but not all are gold candidates for automation.
Day two automation
The daily manual tasks which are important to run and operate the data center and are often performed by admins are so-called day two operations. Normally each data center has quite a few of them happening in the background to keep running. The very first step into the automation world should be to properly identify and define those tasks, as well as find a repeatable and clear way of executing them. Therefore you should think of a few criteria to successfully identify those tasks:
Often repeated per workday
Execution is straight and linear
Does not require pattern recognition
Does not relate to other tasks to finish
Optional criteria: Follows a runbook to be executed
Based on these criteria there might already be a lot of tasks which can be automated to just reduce the amount of manual time to run a data center. In the SDDC, it is all about increasing the efficiency. Also, those tasks are often not the admins' favorite and most probably there might already be scripts to support the admins with their monotonous task worker role.
The 80:20 rule
This is an older principle which basically describes the amount of work versus the value add a task or project can bring.
Here are a few examples of typical 80:20 rule claims:
80 percent of work is needed to finalize the last 20 percent of a project.
80 percent of tasks can be easily automated but 20 percent are really difficult to tackle.
This is a very important rule to follow: pick the right tasks for automation at the right time. As simple as that. Based on real SDDC project experience, a lot of implementations fail because this rule was completely ignored. It is important to pick the 80% of tasks which are easy to accomplish and there are multiple reasons for following this strategy.
First of all, it is a new IT project so everybody will watch closely what is happening. It is much better to have a lot of little successful things going on, than one big sophisticated project where the outcome may be unclear for a couple of months.
Second, it grows confidence in the team and with the manager that this whole SDDC project is the right thing to do. Succeeding in small automation chunks translates to succeeding with the bigger complex orchestration tasks, which will come.
Third, it is important to gain all this experience with these smaller tasks since the most complex ones will definitely require every lesson learned from the former automation projects.
This leads to the second important principle when it comes to automation and any SDDC itself.
Think big, start small
This is as important as the 80:20 rule. Keep an eye on the big picture, but start small to get quick wins. As mentioned before, quick wins are important to make everybody believe in the project itself. Also, it helps to advertise the value of the overall SDDC in smaller chunks and success news. Those two principles play very well together when it comes to automation and should be kept in mind for all upcoming automation requests/tasks. For this to work properly, there are a few practices which may help to ease the work on complex and big tasks:
Break big tasks into smaller chunks
Use the 80:20 rule (again) on these chunks
Communicate each successful completion of a chunk as a win
Rebuild the big tasks by recombining the smaller chunks
However, cutting a big task into smaller pieces to automate the whole thing is only one aspect of this principle. It is also a metaphor for keeping the whole complexity of a data center in mind and identifying realistic and efficient ways to automate processes as well as increase the efficiency. Think big in terms of how many tasks are required to succeed in order to deploy a service into your data center. How many tasks are required to just add resources or even change a resource allocation to an existing service?
The efficiency bottleneck
Efficiency and bottlenecks are normally not two things which have too much in common. But when it comes to automation, these two can add up, which normally has the side effect that it completely zeroes out any efficiency or time benefits. There are a few examples of when this happens; a lot of these examples are because of communication issues or because of a lack of standardization.
There is a good chance that each department looks at their own tasks and tries to automate as much as possible to make them smoother and quicker. But this is actually quite difficult if the whole process is also dependent on other departments. So they might keep working on their end of the process to make it as efficient as possible.
There is one very prominent example of this efficiency bottleneck. It was used to introduce virtualization and was used a lot to show its greatness.
Create a server (VM) in 5 minutes instead of an hour!
Wow, you save nearly an hour by using virtualization and it takes just 5 minutes to create a new server. This is an improvement of 92.6%!
But how long does it take to deploy the whole service across all departments?
If the overall deployment time of a service might take up to 90 workdays, the improvement on the server installation is only 0.02% (rounded) of the overall process.
So it is important to know the scale of a task or process and then start improving it. There might be areas which are consuming a lot of time because of manual work; automating them might add more value to the overall time savings.
However, this does not mean that the time improvements due to automation (virtualization) are not important. It only means that they are a piece of the overall puzzle. The think big approach addresses the whole service delivery process; the start small step in the overall process might be to introduce virtualization to install a server in 5 minutes. But the big picture needs to be kept in mind to realize the whole process. However, automating the entire data center needs a solid basis and therefore a lot of these small steps are required to form the bigger process. The better these work on their own, the easier they can be handled by automation later on.
Bringing it all together
These four principles should help and guide everyone who is willing to introduce an SDDC and start automating their data center. They are relevant for the whole data center and all departments. A single player cannot accomplish this, all have to be aboard ready to revolutionize the way IT is delivered. In a typical SDDC project, it is important to start by identifying the scope first. The scope contains the main functionalities of the SDDC, which might also be translated to the most important automation functionalities an SDDC should deliver.
It contains at least one service or application and the complete rollout of this service. All tasks and necessary steps are documented and known by each party who is involved in the overall automation. The service has been chosen by applying the 80:20 rule, so it should be one which is easy enough to be accomplished in a reasonable amount of time (quick win). All steps between departments (process) are known and can be automated. Also, third-party integration is understood and can also be done by using workflows and automation principles.
Congratulations, you have successfully chosen the starting point for your SDDC!
Script or workflow
It is important to understand the differences between a workflow and a script. As mentioned earlier, scripts are well established in IT and originally were created to complete smaller tasks faster than a human could. Typically, scripts provide a single scripting language like Bash scripts in UNIX or PowerShell scripts in Windows. They can also be used to address complex tasks by calling other scripts, introducing multiple layers of relations to successfully complete a task. By following this logic, it can get very confusing very soon.
These scripts have to have logic to wait for their subscripts to come back with status information (success/failure/idle). These status queries are not as simple as they sound and sometimes require a script of their own, just to take care of all the subscripts running. Also, they can't simply be stopped since they have no control over the subscripts running in the background.
Often scripts are maintained by a single admin, who is aware of their logic and functions. The scripts can be run without the admin, but that admin might be required to do troubleshooting or to add additional features. It is best practice to have a central scripting host running all required scripts. But this might only be true for the solution/scripting language the script is using.
The Linux team might have a central Linux host, the Windows admins do it from a Windows system, the network admin may have their own complete integration and the storage admin has some runbook-like instructions to configure a given storage array. Finally, the SAN admins might use some SSH combination to access their fiber channel switches and create/change the zoning once in a while.
All this might have worked perfectly in the past, but once you enter the SDDC era, these concepts cannot keep up with the massive scale. That does not mean that their logic and hard work is automatically lost. But there needs to be a central system which is calling and managing all automation tasks across all required departments. This is what most software vendors call an orchestrator.
Typically, an orchestrator is running workflows in order to automate tasks. The orchestrator takes care of the scheduling and also makes the workflows triggerable if they need to run on demand. It can call a workflow from a workflow, but keep the relation and track to quickly show what is currently running. It keeps track of all the referenced workflows and their status and provides a framework to easily make the status of different workflows available to the overall workflow, without a complex logic to think of!
So the orchestrator's job is to keep track of its running workflows and their status. This enables some great functionality, which is available only to a limited extent for scripts. You can pause a workflow including its subworkflows. You can stop a workflow and automatically know what changes have been made already. You might even be able to roll back changes from a workflow. This provides a lot more flexibility than a script could. Also, if a workflow fails you could troubleshoot and run it from where it stopped. This provides great flexibility in terms of developing and quality checking automation.
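The status tracking, rollback and resume-from-failure behaviour described above can be shown with a small workflow runner. This is an added illustration in Python, not vRealize Orchestrator code or its API: the Step and Workflow classes, the step names and the simulated DNS outage are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Step:
    name: str
    run: Callable[[dict], None]
    undo: Optional[Callable[[dict], None]] = None
    composite: bool = False   # True when the step wraps a sub-workflow
    status: str = "pending"   # pending | done | failed | rolled_back


@dataclass
class Workflow:
    name: str
    steps: list
    context: dict = field(default_factory=dict)  # variables shared by all steps
    log: list = field(default_factory=list)

    def start(self):
        """Run every step that is not done yet; stop at the first failure."""
        for step in self.steps:
            if step.status == "done":
                continue  # resume: completed work is not repeated
            try:
                step.run(self.context)
            except Exception as exc:
                step.status = "failed"
                self.log.append(f"{self.name}/{step.name}: failed ({exc})")
                return False
            step.status = "done"
            self.log.append(f"{self.name}/{step.name}: done")
        return True

    def rollback(self):
        """Undo completed steps in reverse order."""
        for step in reversed(self.steps):
            # A failed sub-workflow may still have finished some of its own steps.
            touched = step.status == "done" or (step.composite and step.status == "failed")
            if touched and step.undo:
                step.undo(self.context)
                step.status = "rolled_back"
                self.log.append(f"{self.name}/{step.name}: rolled back")

    def status(self):
        return {step.name: step.status for step in self.steps}


def as_step(sub):
    """Wrap a workflow so a parent can call it and still see its status."""
    def run(ctx):
        sub.context = ctx  # parent and child share the same variables
        if not sub.start():
            raise RuntimeError(f"sub-workflow {sub.name} failed")

    def undo(ctx):
        sub.context = ctx
        sub.rollback()

    return Step(sub.name, run, undo, composite=True)


def demo():
    dns = {"up": False}  # constructed fault: DNS API unreachable on the first run

    def reserve_ip(ctx): ctx["ip"] = "192.0.2.10"
    def release_ip(ctx): ctx.pop("ip")
    def create_vm(ctx): ctx["vm"] = "vm-web01"
    def delete_vm(ctx): ctx.pop("vm")
    def remove_dns(ctx): ctx.pop("dns")

    def register_dns(ctx):
        if not dns["up"]:
            raise RuntimeError("DNS API unreachable")
        ctx["dns"] = f"web01 -> {ctx['ip']}"

    provision = Workflow("provision_vm", [Step("reserve_ip", reserve_ip, release_ip),
                                          Step("create_vm", create_vm, delete_vm)])
    deploy = Workflow("deploy_service", [as_step(provision),
                                         Step("register_dns", register_dns, remove_dns)])

    first = deploy.start()                       # stops at register_dns
    after_failure = (deploy.status(), dict(deploy.context))
    dns["up"] = True                             # operator fixes the fault
    second = deploy.start()                      # resumes at the failed step
    after_resume = dict(deploy.context)
    deploy.rollback()                            # undo everything, newest first
    return first, after_failure, second, after_resume, dict(deploy.context), deploy.status()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

After the first run the status map and the shared context show exactly which changes already exist (an IP and a VM, but no DNS record), which is the information a chain of shell scripts does not give you.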
Besidesthat,allyourworkflowsstayinoneplace,beingabletorunendeditbymultipleusers.Normallyanorchestratoralsoappliesaversioningmodelinordertomakesurethateachworkflowisusingitsmostrecentversionincludingallitschangesandaddedfunctions.Changingbetweenversionsisasimplemouseclickandupdatestheentireworkflowlibrary.
Withinaworkflow,thereistypicallyscriptingelementsresponsibleforcallingcertainautomationfunctionwithtargetinfrastructure.Thebrilliantthingaboutaworkflowis,itisnotlimitedtoasinglescriptinglanguage,itcancallwhateverisrequiredatthisstep.TheworkflowcanstartbydoingtheRESTcall,continuetotalktovCenterandendbyprovidingdataviaSQLintoadatabase.Thatofferaveryhighlevelofflexibility,plusyoucanuseexistingscriptsandcalls.Allyouneedtodoisadaptitintotheworkflowsbyensuringthatdatacanbesharedacrosstheseworkflowsteps.
Since this will build the backbone of your SDDC, it is important to create simple and smooth running workflows. There are a couple of best practices to follow when you create workflows:
Pick a simple task to start with (80:20 rule)
Keep the scripting within the workflow steps as short and simple as possible
If a series of steps is used multiple times in a workflow, think of creating a subworkflow containing these steps
Keep in mind that complex workflows are easier to maintain when they are broken into smaller workflows that can be called
For every substantial change, change the version of the workflow
Use reasonable and understandable status messages for workflow steps
Think of possible errors and implement the error handling in the workflow
To leverage all the functionality an orchestrator with workflows has to offer, it is important to follow these rules. At the beginning, it might feel strange to have only 10 lines of code in a scripted element, but that quickly becomes normal and familiar when creating a workflow. If you are doing a lot of scripting already, this might possibly be the biggest change; try to prevent yourself from writing long and complex steps in a workflow.
An example workflow could look like:
1. Query a VM's associated datacenter via vSphere API.
2. Query a VM's associated cluster via vSphere API.
3. Compose the information into variables.
4. Create an SQL statement using these variables to inject into a CMDB database.
5. Provide status message (success/failure).
6. End workflow.
Now each of these can be done with a single line of code. This is just a simple example of a possible ITIL automation functionality. With the mix of languages (vSphere API and SQL code) and the possibility to share variables across steps, it is quite easy to accomplish this task.
An orchestrator and workflows, in general, should make complex automation tasks easy to create, but keep in mind that this highly depends on the way the workflows are created. This is why you need to apply the automation principles to the workflows in order to fully leverage all workflow benefits.
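The six-step example workflow above, sketched in Python as an added illustration that is not code from the book. It assumes an in-memory SQLite database with a made-up cmdb_vm table in place of the CMDB and a constructed INVENTORY dictionary in place of the vSphere API lookups; in step 4 the workflow variables are bound as SQL parameters rather than pasted into the statement text, so a VM name containing a quote is stored as plain data.

```python
import sqlite3

# Constructed inventory standing in for the vSphere API lookups (steps 1 and 2).
INVENTORY = {
    "app-web-01": {"datacenter": "DC1", "cluster": "payload-a"},
    "o'brien-test": {"datacenter": "DC2", "cluster": "payload-b"},
}


def open_cmdb():
    """In-memory SQLite database standing in for the CMDB (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cmdb_vm ("
        " name TEXT PRIMARY KEY, datacenter TEXT NOT NULL,"
        " cluster TEXT NOT NULL, status TEXT NOT NULL)"
    )
    return conn


def query_datacenter(vm_name):
    """Step 1: look up the datacenter of a VM (raises KeyError if unknown)."""
    return INVENTORY[vm_name]["datacenter"]


def query_cluster(vm_name):
    """Step 2: look up the cluster of a VM."""
    return INVENTORY[vm_name]["cluster"]


def write_record(conn, record):
    """Step 4: the SQL text is fixed; the variables travel as bound parameters."""
    with conn:  # commits on success, rolls back on error
        conn.execute(
            "INSERT INTO cmdb_vm (name, datacenter, cluster, status)"
            " VALUES (:name, :datacenter, :cluster, 'active')",
            record,
        )


def register_vm(conn, vm_name):
    """Run steps 1 to 5 and return the status message of the workflow."""
    try:
        # Step 3: compose the looked-up values into the shared variables.
        record = {
            "name": vm_name,
            "datacenter": query_datacenter(vm_name),
            "cluster": query_cluster(vm_name),
        }
        write_record(conn, record)
    except KeyError:
        return f"failure: {vm_name!r} not found in inventory"
    except sqlite3.IntegrityError:
        return f"failure: {vm_name!r} is already recorded in the CMDB"
    return f"success: {vm_name!r} recorded in {record['datacenter']}/{record['cluster']}"


def mark_deleted(conn, vm_name):
    """Counterpart for VM removal: flag the record instead of dropping it."""
    with conn:
        cur = conn.execute(
            "UPDATE cmdb_vm SET status = 'deleted' WHERE name = ?", (vm_name,)
        )
    return cur.rowcount == 1


if __name__ == "__main__":
    cmdb = open_cmdb()
    for vm in ("app-web-01", "o'brien-test", "ghost-vm"):
        print(register_vm(cmdb, vm))
    print(mark_deleted(cmdb, "app-web-01"))
```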
Identifying processes and how to automate them
This is one of the main discussion points when it comes to an SDDC. The concept of automation across departments is dependent on the pre-existing processes. The first step of automating them is actually identifying all their stages and requirements. This might be a tricky task but is very important for applying all SDDC benefits later on.
What would a perfect process to be automated look like?
Clearly defined steps and stations
The execution of the process is preapproved; no approvals required during runtime
Well defined requirements and outcomes for each station
All used tools are programmable (API, scripts, CLI, and so on)
All endpoints/tools can be reached from a single location
All (yet) manual tasks can be automated using workflows
Again, this reflects the description of a perfect candidate. There might be a chance that you have processes which fulfill only parts of these criteria. If that is the case, it is very important to be able to change the part of the process which does not fit into the automation criteria. This happens from time to time since processes are less often changed than tools. Also, some practices in a process might be proven but haven't been revisited for a long time and can therefore be outdated.
Here are examples where it becomes quite difficult to automate a process because of such steps:
Manual data entry: Some organizations manage their internal IT assets by Excel. Sometimes they even track IP addresses and hostnames using this versatile tool. The big problem with Excel is that it is not programmable from the outside.
Note
Recommended change: If the process requires manual data entry steps, it is highly recommended to rethink these steps. By having all process steps automated, the need for manual data entry might already be irrelevant.
Since an orchestrator takes care of all data entries, it can also provide the process outcome to any programmable interface.
No programmable tools: There are tools in the data center which may lack an API or simply have no documentation for their API. However, they might be used for important steps within a process. Some of these may be used as CMDB and others may be simply used to track the progress and the current stage of the process.
Note
Recommended change: First revisit the purpose of the tool and prove that it is still valid and required to complete the process. If this is the case, try to find a way to ingest or extract data from the tool even without an API.
Think outside the box and explore all feasible possibilities for these tools. If a database is used, maybe SQL commands can be leveraged. Some tools support ingestion of data via XML files. Others may have an import or export functionality for CSV or feature a command line to be used.
If there is absolutely no way to program the tool without a GUI, it might be necessary to either change the process to work without this tool or replace the tool with one which features an API or any other programmable interface (file import).
Once you have identified all steps of the process and all tools and actions required, it is ready for the automation. Try not to create a giant workflow to cover everything; break it into smaller workflows. Maybe one workflow for each tool to integrate, or one for each major process task or step. By using this method it will be quite easy to replace a tool or change a step in the process: simply change the corresponding workflow and let the Uber workflow call it.
This is also called the modular approach and should be applied to keep the workflow automation simple and maintainable.
By applying the modular approach, you also ensure that you can accomplish the automation of even complex processes. It is basically the use of all best practices discussed earlier for automation. This approach will also ensure that you can communicate every small success as a big win: every time one step of the overall process runs as a workflow, that is a win. Do not forget to communicate it, since good news will help the entire IT to successfully finish an SDDC project.
IT delivery frameworks
Each IT organization has its own delivery frameworks. Even if it is a tiny company, there are some tools and actions which need to be performed to successfully deliver any application or service. The term framework basically means that it is a predefined routine or set of tools which should make delivery easier. These normally consist of installation tools used for application delivery, deployment tools for OSes and configuration tools for infrastructure. All together they form your delivery framework.
It is important to understand what function each tool is covering. Sometimes there are tools which already cover a part of a process or an entire process. Then it is important to understand how to interact with those tools and at which point the automation has to hand over the task to these tools. A very popular example is ticket managing systems. In bigger companies, they are typically part of the delivery process, even though they serve a rather passive role. However, they normally cover quite a big part of other processes such as change management, release planning as well as tracking service deployments.
There is a misbelief that ITIL plays no role in a modern SDDC; that is actually not true. ITIL is still valid, with the difference that the integration can now be done completely automatically. This guarantees its completeness over manual data entry and also helps to relieve administrators of some tedious tasks. This is a typical example of an IT delivery process taking care of all the technical orchestration, handing over all necessary information to the ticketing system and then, if it got a successful return, continuing the task and closing the ticket.
Note
If this is already in place, respect the ticketing and change process and concentrate on the technical handover within your automation workflows.
The same holds true for CMDB. This is a typical ITIL requirement and contains and maintains all software and hardware configurations within a data center. It is meant to hold this information in order to keep track of changes as well as knowing what is deployed and running in the data center. You might not find this in smaller data centers, but in bigger ones, with thousands of servers and hundreds of applications, it might become necessary to maintain a CMDB. Keeping these CMDBs accurate is often one of the less popular things to do for an administrator. Sometimes they are already using data out of the ticketing system. Sometimes a complete configuration data set has to be provided plus the ticketing system is required to file a change/support/deployment request.
However, with the power of automation, this data entry can also be taken care of by the technical deployment workflow. All we need is to know which data is required to go into the CMDB and if we can use an API to simply hand the data over. Also, each time somebody requests a change we can update the record to keep the data accurate. Finally, once a user has decided to remove a workload/application, automation can eventually mark the record in the CMDB as application deleted.
These are steps of the IT delivery framework which typically form a bigger picture, since all departments have to add their data to a CMDB or use the ticket management system. This means that automation within the data center makes it easier for the teams to keep this kind of information accurate. But it is important to know when and where these tools are used and what data goes into them.
What if no CMDB or ticket management is in place
On the other hand, if your organization is not using a CMDB or ticket management system yet, the good news is that a lot of the SDDC functions and features are quite similar to these frameworks. Therefore, you do not need to specifically introduce these concepts all together with the SDDC. You could simply declare the way the SDDC management handles deployments as your change and configuration management standards. Since introducing a proper ticket management system might be as complex as introducing an SDDC, you might consider using the SDDC's options first and then decide if it is fulfilling your requirements. However, there are some regulations which might still require a CMDB or ticket system, to ensure compliance standards.
All this is part of your framework; by identifying your internal data center processes you might also identify what your delivery framework looks like. Always keep in mind that this is relevant for all involved parties and departments. It does not make sense to have it fully documented for the server department while the processes and tools of the other departments are mostly unknown. Always keep in mind that the SDDC will touch each and every part of your data center; even if it might have a big share in the server unit, it can not and will not work without the participation of every other department in the data center.
Achieving standardization
This is maybe the big topic when it comes to the SDDC or automation itself. For scripts and workflows, it is paramount to adhere to a standard in doing things. If all deployments consist of some exceptions it might be impossible to use automation to deploy. Normally there are a few tasks in a data center which have already been standardized. There are a few factors which point out that something is already following a standard:
There is a form to request the service
The service is deployed according to preset choices
These choices will modularly fit most requirements
There might be runbooks to create any config/deploy any service
There is a catalog of services
Typically any of these things describe the standardized setup of a service. Standardization basically stands for easily repeatable actions, based on predefined data entry forms. This is why standardization goes hand in hand with automation. If every deployment is different and every OS is custom, if every network setting is unique and every storage requirement is different, it will be impossible to automate it in a straightforward manner. Workflows are perfect for applying standards, but only of limited use for exceptions and customized installations.
Therefore, one of the most important things to do before creating an SDDC is ensuring standardization is in place. The good news is a lot of organizations already have some kind of standardization in place.
There are areas where standardization is transparent for the end user:
In the storage team, the pool size, logical device (LDEV) size or logical unit number (LUN) size can be set in chunks (for example, 100 GB steps)
In the network team, IPs/networks may be requested at a pool or range level (for example, 20 addresses)
In the server department, VMs can be requested using predefined compute and memory values (1 vCPU with 2 GB RAM, 2 vCPU with 4 GB RAM, and so on)
However, there are standards which might influence the user more than the infrastructure standards. Mostly, those are OS to application combinations, or only certain OS types are supported for deployment. Typically, organizations try to keep the zoo of OSes and applications as small as possible and as big as necessary. Therefore, they mostly support some versions of Windows as well as some specific Linux distributions.
These are often set by the IT group itself. Just keep in mind that for every OS/application you want to support, you need to have somebody who can help you troubleshoot and fix problems which may arise on these platforms.
Deployment standards
Also, sometimes standardization can lead to the introduction of so-called runbooks, which are needed to install an OS or any application on top of it. These runbooks need to be as up to date as possible to stay relevant. So somebody needs to prove all the steps over and over and update them as the OSes/applications develop. This often is a full-time job and consumes a lot of time. Therefore, some IT departments try to keep this at a low profile, to prevent their staff from constantly updating those runbooks.
A runbook typically is a detailed step by step guide which is easy to follow by an administrator. Normally, they are written in a way that even a new employee can follow their instructions. Bigger organizations can have multiple runbooks for tens or hundreds of use cases. However, since this is a read and copy exercise, this work might be quite error prone for administrators who are doing it for the first couple of times.
The good news is that with automation, this is taken over by the orchestrator running the workflows. The workflow replaces the runbook and is way quicker than a human in completing the steps. Also, it has no issues in doing the same steps over and over again. This is why standardization and automation go so well together.
Instead of maintaining the runbooks, administrators or service designers now keep the workflow up to date.
By following the modular approach, this should be quite simple to do. Once the workflow is updated it can be run to recheck its functionality. No one will have to sit through all the steps and copy on the screen what's written in a book.
Before automation, standardization was limiting your service portfolio but enhancing your efficiency. With the SDDC you can actually broaden your portfolio while still keeping standardization with the power of automation. Indeed, you will be able to accomplish more tasks than before, with enhanced efficiency and diversity.
Organization automation examples
Many things have been covered already, but this section should give an overview of what to think about when it comes to automation and standardization. Also, it will highlight how actual projects dealt with challenges and requirements which were discovered during the workflow creation.
Often, not all requirements for a deployment or delivery task in a data center may be known by all administrators. This is because traditionally, everyone is focusing on their own tasks until they hand it over to another group or department.
Simple VM deployment
The mission sounds quite simple: Deploy a VM in a data center out of a portal. The server administrator in us might think: Easy, just create a template for the OS, add some customization (hostname, IP) and that's it.
Indeed, the first step was to create a template containing the OS. But there is also a requirement to use the most recent version of the OS for each deployment.
Note
The first side task was to create a workflow which ensures that the OS template is as up to date as possible. This was necessary to prevent the installation of a huge amount of patches, which may slow down the overall setup process.
Once this had been created, the organization decided that it is best to have multiple storage performance classes. This was already introduced for the manual installation of VMs and must be available for automated installations as well.
Note
The second side task was to use a workflow to identify the right datastore to put the VM onto, based on the selected performance class. Also, it needed to be ensured that the workflow is not simply filling up one datastore but distributing the VMs across all possible matches.
After that had been accomplished, the journey continued. This organization has an IP address management tool in place. These tools typically reserve IP addresses out of a pool and also work as an organization-wide DNS server.
Note
The third side task was that the IP address request has to be forwarded to that tool to enter the VM's hostname and create the proper reservation record. Also, this workflow has to remove the IP address and hostname reservation once the VM is deleted.
After this was successfully accomplished, the OS has to be brought into the right AD organizational unit (OU). The OU is actually dependent on the user/department who requested the VM; also the user should be entitled to the VM to actually log in to the OS with their AD account. It was also requested that the user can specify a group or other users who should have access to the VM.
Note
The fourth side task was to get all the information either automatically or by a form from a requestor to put the VM in the right OU. Then create a workflow which adds a computer account in this OU and entitles the requestor as well as additional users/groups to be able to log in to the new OS. Also, this workflow needs to remove the computer account and the user entitlements once the VM is eventually deleted.
Furthermore, the organization is using a CMDB to track all deployments and changes. For each and every newly created server there has to be a specific data set entered into the CMDB.
Note
The fifth side task was to capture all required CMDB data like the CPU, RAM, and disk of the VM, but also on which cluster it is deployed and in which data center it is going to reside. Again, all this was done in a workflow which also has the possibility to add deleted to the created data set once the VM gets removed.
There were multiple sites, and the requestor should have the chance to actually choose in which data center the VM will be deployed. Also, they should have the chance to choose a disaster recovery option for the VM. Also, a backup retention policy should be offered to the requestor.
Note
The sixth side task was to identify and offer the different data centers. Also, a workflow was created to instantiate replication for select VMs (if the requestor chooses this option).
Backup integration was done using an XML file interface to the backup system, telling it about the retention policy (a preset standard policy) and the VM name and data center location. The XML file is dynamically created by the workflow. Again, everything is to be removed once the VM gets deleted.
Once all these workflows have been completed the VM deployment can actually run. These were mainly requirements from the compute department, and the network requirements were rather easy (predefined VLAN to deploy into).
However, it may illustrate how quickly simple looking tasks can get complicated.
So the typical things to ask when it comes to VM deployments are:
Are there any special AD requirements?
Are there any performance options (SLAs, classes) required?
Is there any IPAM or DHCP reservation system in use?
Is multi data center deployment required?
Is replication of the VM required?
Is backup integration a requirement?
Does the retention policy for backup need to be selectable?
Does the deployment data need to go into a CMDB?
Additional things to think of:
Virus scanner integration
Is workflow based backup restore a requirement?
Possible network and routing configuration requirements
OS update and template requirements
Security requirements (hardening, creating/obtaining certificates, and so on)
Integration of a monitoring tool
Any possible third-party management tool integration?
There are many more things which might come up during this kind of deployment. Remember this is still a VM with an OS only installation. Once an application is added to this, or multi VM/service installations, the whole requirements get even more complex.
However, this example should illustrate that there is often more behind a simple sounding task than one might expect. Be open to asking these types of questions up front even if the answer might be unknown for the moment. The better the preparation is for such tasks, the easier it is to put everything in an orchestration framework.
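The side tasks of this deployment, modelled as small sub-workflows that each carry their own removal step, as an added Python example that is not taken from the book. The Site class, the step names and the XML element names are constructed stand-ins for the datastores, the IPAM tool, AD, the CMDB and the backup interface; the point is that the orchestrator records which steps completed, rolls them back in reverse order when a later step fails, and runs the same removal steps when the VM is deleted, so no IP reservation, computer account or logon entitlement is left behind.

```python
import xml.etree.ElementTree as ET


class Site:
    """Constructed in-memory stand-ins for the tools the side tasks call."""

    def __init__(self):
        # datastore name -> (performance class, VMs placed on it)
        self.datastores = {"gold-01": ("gold", []), "gold-02": ("gold", []),
                           "silver-01": ("silver", [])}
        self.ip_pool = ["10.0.0.11", "10.0.0.12"]
        self.ipam, self.ad, self.cmdb, self.backup = {}, {}, {}, {}


def place(site, req):
    # Second side task: match the class, then pick the least filled datastore.
    matches = [n for n, (cls, _) in site.datastores.items()
               if cls == req["storage_class"]]
    if not matches:
        raise RuntimeError("no datastore for class " + req["storage_class"])
    target = min(matches, key=lambda n: (len(site.datastores[n][1]), n))
    site.datastores[target][1].append(req["hostname"])


def unplace(site, req):
    for _, vms in site.datastores.values():
        if req["hostname"] in vms:
            vms.remove(req["hostname"])


def reserve_ip(site, req):
    # Third side task: reservation record keyed by hostname.
    if not site.ip_pool:
        raise RuntimeError("IP pool exhausted")
    site.ipam[req["hostname"]] = site.ip_pool.pop(0)


def release_ip(site, req):
    site.ip_pool.insert(0, site.ipam.pop(req["hostname"]))


def join_ad(site, req):
    # Fourth side task: computer account in the OU plus logon entitlements.
    logon = [req["requestor"], *req.get("extra_logon", [])]
    site.ad[req["hostname"]] = {"ou": req["ou"], "logon": logon}


def leave_ad(site, req):
    site.ad.pop(req["hostname"], None)


def write_cmdb(site, req):
    # Fifth side task: the data set for the new server.
    site.cmdb[req["hostname"]] = {"cpu": req["cpu"], "ram_gb": req["ram_gb"],
                                  "datacenter": req["datacenter"], "status": "active"}


def cmdb_deleted(site, req):
    site.cmdb[req["hostname"]]["status"] = "deleted"  # record is kept, not dropped


def register_backup(site, req):
    # Backup hand-over file; the serializer escapes the values (hypothetical tags).
    job = ET.Element("backupJob")
    for tag in ("hostname", "datacenter", "retention"):
        ET.SubElement(job, tag).text = req[tag]
    site.backup[req["hostname"]] = ET.tostring(job, encoding="unicode")


def unregister_backup(site, req):
    site.backup.pop(req["hostname"], None)


STEPS = [("datastore", place, unplace), ("ipam", reserve_ip, release_ip),
         ("ad", join_ad, leave_ad), ("cmdb", write_cmdb, cmdb_deleted),
         ("backup", register_backup, unregister_backup)]


def deploy(site, req):
    """Run every side task; on failure undo the completed ones in reverse."""
    done = []
    for name, do, undo in STEPS:
        try:
            do(site, req)
        except Exception as exc:
            for _, prev_undo in reversed(done):
                prev_undo(site, req)
            return {"status": f"failure at {name}: {exc}", "completed": []}
        done.append((name, undo))
    return {"status": "success", "completed": [name for name, _ in done]}


def decommission(site, req, completed):
    """VM deletion: remove everything the deployment recorded, last step first."""
    for name, _, undo in reversed(STEPS):
        if name in completed:
            undo(site, req)
```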
The hybrid cloud deployment
This is another good example of an organization looking to deploy one of their key applications into a hybrid cloud. Typically, the term hybrid cloud describes a cloud setup where an organization's data center is virtually connected with a cloud provider. Therefore, services can simply either be deployed in the local data center, or in the hybrid cloud environment.
The goal was to have the key application running in the hybrid cloud with all necessary supporting systems. After a workshop to identify the application's requirements, it turned out that it consists of a couple of application servers, some web frontend servers, two database servers, and some additional helper servers for maintenance and orchestration of the application. It was a little more than 15 VMs all with different functions and OSes (Linux and Windows) but all together form one application.
Note
An application does not typically only consist of one VM with an OS and some software installed. Often VMs and software are only components of bigger applications. A good example for that is company web pages. These typically consist of web servers, application servers as well as database servers for the content. There are many applications which require multiple servers to function in a data center.
In order to bring all these VMs to the hybrid cloud, it was decided to create a giant virtual container. This container basically offers a virtual network infrastructure (AppServ, DB, and web server are all required to run in different VLANs). This application container is automatically created (per API/workflow) to be tested in the local data center. Once all this is successful, the hybrid deployment shall be tested.
Multiple weeks were spent on finalizing the container creation and deployment automation. This is already a quite complex and highly sophisticated use case, but it is doable through automation and workflow orchestration.
Eventually, everything was ready and could be automatically deployed in the local data center. So the decision was made to put the whole deployment into the hybrid cloud.
Since this application is very much self-contained, the hybrid cloud does not have to have a VPN tunnel into the local data center. This was also rejected due to security reasons.
The deployment went fine and after a couple of hours, the application with all its 15 VMs and database was running on the hybrid cloud.
However, unfortunately, it was not usable. No admin could log in to the VMs; all accounts and users appeared to be locked. Also, the application servers could not communicate with the database servers.
The analysis of the hybrid cloud deployment
A lot of work was put into the automation and container creation of this application. The approach was fine from a technical point of view. But the problem was that the application team was not involved with all this work. It was a 100% infrastructure project. Once the application was deployed, the VMs tried to reach an AD server to verify the user accounts. Since there was no AD server deployed in the hybrid cloud, nobody could log on to the VMs.
Also, there was an external service bus used to instantiate the communication from the application servers to the database systems. This service bus was not present in the hybrid cloud either.
So when it comes to hybrid cloud deployments, it is important to think about every aspect of it. Keep in mind that if there is no direct connection into your data center, there might be no AD or DNS or DHCP server available for the deployed VMs.
Keep the big picture in mind and ask questions which might be obvious, because knowing is always better than guessing.
The better approach
Hybrid cloud is a good way to provide resources for bursting or for capacity which is required once for an application. There are good examples that this concept makes a lot of sense and also that it can work flawlessly.
In order to ensure that this works, be aware of the requirements of these applications and provide a valid solution for them. An example could be to clone some AD server to run in the cloud, or to have a very solid site-to-site VPN line in place, which serves the advanced needs of the application.
There are many global organizations successfully leveraging the benefits of such an approach. Besides the performance or capacity reasons, some do so in order to have the service located closer to the end user.
Imagine that an airline provides a map service to their pilots. This service might include the maps and directives for every airport they operate. Wouldn't it be great if the data can be derived from a local source instead of always traveling the entire world to get to these pilots? This is a perfect use case for hybrid cloud and makes the application even better and more responsive for the end users.
When it comes to hybrid cloud, think outside the box to add capabilities to your application which have not been possible in a traditional data center!
Summary
In this chapter, we discussed the main principles of automation and standardization. Also, the differences between workflows and scripts have been highlighted. Finally, two examples have been described to give a better insight into how automation and standardization might be applied in a real-world use case.
In the next chapter, we discuss the foundation of the SDDC which is built on VMware vSphere. It will be much more technical and provide a detailed description of useful vSphere features and functionalities fit for the SDDC. We will also recap some vSphere automation basics around workload deployment, storage management, and management best practices.
Chapter 3. VMware vSphere: The SDDC Foundation
VMware vSphere is the foundation for the SDDC. It is the hypervisor to build the rest of the automation and management functionality upon. Consider it as the basement for your data center automation. vSphere is often seen as the given infrastructure provider. Like a real basement, it is sometimes not seen as the important bit of a cloud or SDDC environment.
However, this does not mean that it is unimportant. As with every support or basement installation, if you make mistakes here, your whole SDDC might be weak and loose. Also, vSphere is offering automation which is already built into the hypervisor. While some of these functions might not be as important for traditional environments, they are a huge time saver for an SDDC. Every vSphere functionality which is offering time and effort savings should be strongly considered for the SDDC.
Note
If you haven't already considered an Enterprise Plus license for vSphere, you may do so now. Enterprise Plus is the most feature-rich licensing option for VMware vSphere, supporting a lot of helping and sometimes necessary features for an SDDC. If you want to see a full overview of features and functionalities please visit http://www.vmware.com/licensing.
Keep in mind that each built-in functionality which eases the operation of your SDDC saves you from creating workflows to accomplish exactly this. Automation is important, but you do not need to reinvent the wheel and program everything yourself. The principle we are applying here is: Keep it as simple as possible.
This chapter will touch on the following topics:
vSphere basics in an SDDC
vSphere configuration considerations for the SDDC
Availability and resiliency
Recap of recent SDDC relevant vSphere features
Best practices and good practices to configure your vSphere environment for the SDDC
Built-in vSphere automation capabilities
Basics and recommendations for vSphere in the SDDC
This chapter is not discussing general vSphere basics; the title might be slightly misleading. You should already have a profound vSphere knowledge and know your way around in vCenter server. Also, you should know how to set up and configure an ESXi server. However, in a traditional vSphere environment, some features might not be as important and therefore they might not be considered to be used. This chapter is to touch on some basic features which will help you in efficiently setting up your SDDC on top of vSphere.
All these recommendations are based on good practice, but they will not replace the need for a design of the vSphere infrastructure to meet your SDDC's requirements. The vSphere design is a very important point and should not be underestimated.
Besides that, here are some vSphere prerequisites for a successful SDDC installation:
Check the interoperability matrix for all used VMware products
Ensure the most recent version of vSphere and vCenter is used
Update automation for vSphere (update manager) is in place
Fully working DNS; all components can be registered and resolved
Access from vCenter and SDDC components is possible into the ESXi management LAN
vSphere certificates are all valid and not self-signed (including PSC)
Network Time Protocol (NTP) service is available and used by all ESXi hosts
vCenter role-based access is prepared accordingly (service user, read-only roles, and so on)
By following these recommendations, you will save time and effort within an SDDC implementation. A lot of them have been designed and introduced by VMware with the SDDC idea in the background. Every function which saves you from designing and creating it from scratch for the SDDC should be used.
Distributed Resource Scheduler
Distributed Resource Scheduler (DRS) is one of the oldest features of VMware vSphere and has received a long list of updates and enhancements since its introduction. Its job is to keep the cluster balanced in terms of resource usage. This does not mean keeping the same amount of VMs on each host; this is a popular misbelief. It will continuously monitor VM resource demands like CPU and memory and decide which host might be perfect to fulfill those. It is an automation routine to manage the VM distribution within a cluster and also to apply self-healing vMotion once the resource demand can't be met anymore. DRS is configured in the vSphere cluster settings and has a couple of different modes it can support:
Grade of automation
Level of aggressiveness
VM groups
Host groups
Affinity rules
Anti-affinity rules
Host affinity rules
Resource pools
Mostly, DRS gets enabled and sometimes there are a couple of affinity rules configured. Most organizations apply the defaults and let DRS do its thing. Some set the automation level to manual; in that case, an administrator can decide what happens to a VM to be migrated. DRS will ask if the VM can be moved and, more importantly, also where to power on new VMs.
One of the other major things DRS takes care of is admission control.
This means that, based on the utilization and resource availability, DRS decides where to start/deploy a VM. This is a very important feature if you want to deploy VMs automatically.
Tip
It is highly recommended to set DRS to Fully Automated in any SDDC environment. This enables vSphere to choose the right host for deploying or powering on VMs. The aggressiveness might be set to mediocre, dependent on your average workload profile. If you ignore this setting, your cluster or hosts might be unbalanced, which can lead to severe performance issues!
The affinity setting is a more complex topic. Any SDDC will also work without setting affinity to VMs or host groups. However, there might be applications where you require affinity groups or VM anti-affinity. Just to recap what affinity/anti-affinity means:
A VM should run on the same host as another: VM = VM affinity
A VM should not run on the same host as another: VM != VM anti-affinity
A VM should run on a specified group of hosts in the cluster: VM = host group affinity
A VM should not run on a specified group of hosts in the cluster: VM != host group anti-affinity
Note
The ForceAffinePowerOn setting in advanced DRS should also be reviewed. This switch can control what should happen to VM-to-VM affinity if there is a resource issue. If it is set to 0, it means the VMs can still power on without respecting the affinity rule. If it is set to 1, the VMs cannot be powered on if the affinity rule cannot be respected. However, this setting has nothing to do with VM-to-VM anti-affinity!
For host groups, there is a difference between should run and must run. Be very careful if you choose the latter one. It means the VM cannot violate its host group affinity policy, even if its original host group has an outage!
Affinity rules can also affect vSphere High Availability (HA). Be very careful if you use Must run on hosts in group settings: remember to configure HA accordingly and allow it to violate the affinity rules in case of an HA event, otherwise these VMs will not be restarted on surviving hosts if they are outside of their configured host group.
Host groups are useful if you have a cross-rack or cross server room or even metro cluster in use. They can be used to ensure that not all VMs end up in one place. They can easily be integrated into vRealize Automation, which will save a lot of time and effort if this level of control is required. Mostly this is done for cross-data center deployments to support a metro cluster. The requestor could decide where the VM needs to run (DC1 or DC2); vRealize Orchestrator is then using the vSphere API to place the VM in the right host affinity group.
This host group affinity/anti-affinity is also often used to separate VMs between different data center rooms or sections. All hosts in one room or section form a host group and vRA can then use a location parameter to match those groups of hosts.
Resource pools
Resource pools are a major part of DRS and help DRS to share and distribute resources amongst hosts in a cluster. However, they are probably one of the most discussed and misunderstood concepts in the entire VMware ecosystem.
Note
Do not use resource pools as folders or to structure the look and feel of your environment. Even if they are not configured they will follow their function and limit or enable resources for all VMs contained. Also, never place VMs side by side with a resource pool; this will degrade performance for all VMs under the resource pool!
In a cloud environment, resource pools can be used to only provide a share of your available infrastructure to a tenant. However, be aware that you have to use resource pools for all workloads once you get started, since having VMs outside of resource pools (in the root folder of the cluster) will lead to performance constraints.
Generally, it is not necessary to use resource pools for a vRealize Cloud, but in a bigger environment, it might be useful to carve out a specific amount of resources. The best practice for the usage of these features is: Keep it as simple as possible and only as complex as necessary.
There are some good blogs available which discuss the way resource pools work in great detail. One of the best resources is the blog of Frank Denneman; he did a brilliant series to describe how all the shares, reservation and limitation functionalities work together. Also, on the topic of advanced vSphere HA and how it works in harmony with DRS, Duncan Epping has his blog called Yellow Bricks, which is definitely worth a read!
Before you decide to use resource pools you should make sure that you have all information required to create crisp and functional configurations. Also, resource pools need maintenance too. If your cluster grows or your resources change, these changes need to be reflected in the resource pools.
Storage DRS
Storage DRS has not been around as long as DRS itself, but it can be seen as one of vSphere's standard functionalities. Basically, it creates a DRS-like automation across Virtual Machine File System (VMFS) datastores. Those are added to so-called datastore clusters and every VMFS added will be providing more capacity and performance to the entire datastore cluster.
Often, if Storage DRS is mentioned, people think immediately of the I/O load-balancing capabilities of this function. While they might be an option to prevent a noisy neighbor problem, sometimes they cannot be fully leveraged since the storage array might have similar features, typically referred to as auto-tiering or dynamic tiering.
Once the array has such a capability, the Storage DRS I/O load-balancing may be disabled, depending on whether the array will support it or not. With VASA 2.0, VMware added the capability to support such arrays and give Storage DRS more insights before migrating workloads based on their I/O pattern. Make sure your storage vendor is supported; otherwise it might lead to confusion and a degraded performance. If the vendor does not support it, it can be turned off individually.
Note
Please refer to your storage vendor to find out if storage I/O load-balancing can be enabled even if the array is using auto-tiering or dynamic tiering functions.
In the preceding screenshot, we see a Storage DRS configuration set to Fully Automated. However, the I/O balance automation level is set to No Automation (Manual Mode) to ensure that this setting goes well with the used storage array.
AnotherusefulfunctionofStorageDRSclustersistheautoplacementofVirtualMachineDisks
(VMDKs).Basically,assoonasadatastoreclusterischosentohouseaVMDK,itdeterminesthebestfittingdatastoreintermsofIOPsandbalance(numberofVMDKsalreadypresent)toplacethatnewdisk.ThisissimilartotheadmissioncontrolfunctionofDRStodetermineonwhichhostaVMisbesttobepoweredon.
InanSDDCenvironment,whereVMsgetdynamicallyprovisioned,thisisaveryusefulfunctionsincethesystembasicallybalancesthestoragedeploymentitselfanddeterminesthebestdatastoretobeusedforaVMDKplacement.BeforethisfunctionalitywasavailableinvSphere,allthishadtobedoneusingscriptsorworkflows.Enablingitshouldnotonlyprovideatime-savingfactorbutalsoaddsvaluableandpracticalautomationtoyourenvironment.
AnotherimportantfeatureofStorageDRSistheoutofspaceavoidancemovefunctionality.Itisathreshold,whichcanbeconfiguredtomoveVMDKstodifferentdatastoresincasetheoriginaldatastoreisrunningoutoffreespace.ThisshouldavoidthattheVMsareforcedtopause,whichisastandardvSpherebehaviorifdatastoresrunoutofspace.ItwillmovetheVMDKtoadifferentdatastoreinsteadwithenoughfreespacebeforeanimpactmighthappen.Soitcanbeseenlikeapro-activedowntimeprevention,whichisofferedbyStorageDRSoutofthebox.
IntheStorageDRSclusterconfig,thisissetto80%perdefault.Inthatcase,SDRSwilltrytofindanotherdatastoretomovesomeVMsontotofreeupspacebeforeanyimpactwillhitotherVMs.Also,VMevacuationautomationlevelneedstobeenabledforthistotakeeffect.Inthiscase,itisusingtheclustersetting,whichissettoFullyAutomated
TheI/OmetricinclusionfunctionisanotherusefulsettingatanSDRScluster.SettingaSDRSclustertoFullyAutomatedmeansthatitwillapplyrecommendationsimmediately.ThesettingwillprovideinformationaboutthegeneralI/Obehaviorofdatastoresandworkloadsanduseits
findingsforanySDRSrecommendation.ItwillalsopreventadatastorefrombeingfilledwithtoomanyhighprofileI/OVMs.
Note
ItishighlyrecommendedtousetheautoplacementandthespaceavoidancemovefunctionalityinanSDDCenvironment.ThesetwoStorageDRSfeatureswillbasicallyensurethatyourenvironmentstayshealthyandeasethedeploymentofVMsondatastores.
Distributed Virtual Switch
The vSphere Distributed Virtual Switch (DVS) ensures that each and every host in a cluster or even a vCenter has the same network configuration as well as port group settings. It is a logical layer which ensures that once you add a port group centrally, all other hosts will also have the same configuration instantly available.
In an SDDC environment, this is an important and time-saving function which also ensures a common configuration across all hosts in a given cluster/datacenter or vCenter.
Basically, the switches can be set up on a vCenter level and different hosts from different clusters can be added to each switch via their physical uplinks. It also offers some other helpful functionality like Network I/O Control, which controls the preference of specific traffic types, for example, Virtual Machine Traffic, vMotion, VADP (data protection), management, and so on.
This is useful to ensure that the Virtual Machine Traffic is always preferred over other services on the available bandwidth, even if, for example, vMotion is using a high amount of resources to migrate a VM. It is recommended to use the shares to set the preference. Although it is also possible to set static reservations, these can also harm an environment. Shares will only kick in once there is bandwidth congestion. If there is none, any traffic type can use as much bandwidth as it needs. This enables a very dynamic and fair traffic management on the vSphere Distributed Switch (VDS).
Reservations will be deducted from the overall bandwidth, even if there is no congestion. This means other services will not be able to use the reserved bandwidth, even if the traffic type holding a reservation is not fully utilizing it. This principle is very similar to resource reservations and shares management for computing.
Tip
Network I/O Control is only available with the DVS.
Network shares in NIC work similar to compute shares in resource pools or VMs. They are only enforced if there is congestion on the network. This is why shares are the better tool to prevent congestion. If there is none, they will not force any protocol to slow down.
In this example, there are 500 shares for the entire network available. All ESXi based traffic types got 50 shares, while the VM traffic type got 100. This means that in the case of congestion, 500 Mbit (1/5th) of the bandwidth will be available exclusively to the VM traffic. If the other traffic types are not used in your environment, you can set their shares to zero, but remember that this changes the overall outcome of all other traffic types as well.
If we set VSAN and iSCSI to 0, we would end up having 400 shares for the whole system, so every other protocol is granted more bandwidth in case of congestion. Our VM traffic type can now use up to 750 Mbit (1/4th) of the overall bandwidth. However, just to be clear, if you use VSAN or iSCSI it might not be wise to set their shares simply to zero. The whole idea is to balance wisely, so be careful when changing these settings!
Note
Do not misinterpret shares as some kind of maximum settings. If there is no congestion, each traffic type can consume as much bandwidth as available. However, if vMotion would saturate the entire connection, shares will kick in and provide fairness of traffic types.
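The share behaviour described above can be reproduced with a small model. The following is an added example, not code from the book or from VMware: `allocate` is a hypothetical helper that divides one uplink among traffic types in proportion to their shares, hands unused slices back to the types that still want bandwidth, and returns fractions of the uplink so that no link speed is assumed. The traffic types NFS, Fault Tolerance and vSphere Replication are filled in as an assumption to reach the 500 shares of the example.

```python
from fractions import Fraction

# Share values from the example in the text: VM traffic 100, every other type 50.
# The text names only some types; the last three are assumed to reach 500 shares.
SHARES = {
    "Virtual Machine": 100,
    "vMotion": 50, "Management": 50, "VADP": 50, "VSAN": 50, "iSCSI": 50,
    "NFS": 50, "Fault Tolerance": 50, "vSphere Replication": 50,
}


def allocate(shares, demand, capacity=Fraction(1)):
    """Divide `capacity` among traffic types according to their shares.

    shares:   traffic type -> configured shares
    demand:   traffic type -> bandwidth the type currently wants
              (same unit as capacity; missing types want nothing)
    Returns traffic type -> granted bandwidth.

    Simplified model: shares only matter under congestion, and a slice
    that a type does not use is redistributed among the remaining types.
    A type with zero shares receives nothing once the link is congested.
    """
    capacity = Fraction(capacity)
    want = {t: Fraction(demand.get(t, 0)) for t in shares}

    # No congestion: shares are not a cap, everybody gets what they ask for.
    if sum(want.values()) <= capacity:
        return want

    alloc = {t: Fraction(0) for t in shares}
    active = {t for t in shares if shares[t] > 0 and want[t] > 0}
    remaining = capacity
    while active:
        total = sum(shares[t] for t in active)
        # Types whose whole demand fits inside their proportional slice.
        fits = {t for t in active if want[t] <= remaining * shares[t] / total}
        if not fits:
            # Everybody left wants more than their slice: split by shares.
            for t in active:
                alloc[t] = remaining * shares[t] / total
            break
        for t in fits:
            alloc[t] = want[t]
        remaining -= sum(want[t] for t in fits)
        active -= fits
    return alloc


if __name__ == "__main__":
    # Constructed scenario 1: every traffic type tries to fill the uplink.
    saturated = {t: 1 for t in SHARES}
    print("VM slice, 500 shares:", allocate(SHARES, saturated)["Virtual Machine"])

    # Constructed scenario 2: VSAN and iSCSI unused, shares set to 0.
    reduced = dict(SHARES, VSAN=0, iSCSI=0)
    busy = {t: 1 for t in reduced if reduced[t] > 0}
    print("VM slice, 400 shares:", allocate(reduced, busy)["Virtual Machine"])

    # Constructed scenario 3: vMotion saturates the link next to VM traffic.
    fight = {"vMotion": 1, "Virtual Machine": 1, "Management": Fraction(1, 100)}
    print("vMotion vs VM:", allocate(SHARES, fight))
```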
Often multiple DVS are used in an environment, to separate the management network switch from the payload network switch. This is also done to prevent human error, since all port groups of a DVS can be seen on any participating vSphere host. However, this is dependent on your chosen vSphere design and good practice. But typically, organizations tend to run their own DVS for management, separated from the one running all payload VMs.
For an SDDC environment, the DVS is very valuable since it can be easily extended to added hosts. Also, it can span multiple clusters and data centers in vCenter. Since the DVS is running at the vCenter level, it is a very versatile and easy to maintain virtual network switch. Given that an automated data center might be extended more often than a traditional data center, this can be a time saver as well as a good practice for automation and standardization.
Also, if NSX is an option, a VDS is a prerequisite for any network virtualization.
Host Profiles
VMware Host Profiles are a configuration template for vSphere hosts. The principle is to configure a baseline host and then use this host to create a Host Profile from its settings. These profiles can be attached to either any individual ESXi host or to a cluster.
This functionality eases the process of adding resources to a cluster. As soon as the host is put into the cluster, it will run a compliance check. After that, the host can be brought into maintenance mode to remediate the Host Profile, which will set all the configuration changes according to the baseline host.
Tip
Host Profiles are a great way to keep a common configuration for all ESXi hosts in a vCenter. Their use will enhance the flexibility as well as the scalability of the environment.
If a changed configuration needs to be pushed to all hosts in an environment (DNS change, network settings, and so on), this can easily be accomplished by creating or editing a Host Profile.
Host Profiles also enable another vSphere feature, which is called Auto Deploy. Auto Deploy is a service which can install and set up vSphere hosts automatically once they boot. It can either fully install ESXi on the local disk/USB stick/SD card, or it can do a full network boot of ESXi. In the case of the network boot, Host Profiles are needed to ensure the host is ready and fully configured once it is up and running. Since every reboot makes the host a fresh install, Host Profiles are required to ensure all connection and cluster information is available to the host.
Auto Deploy is typically used in a very large environment to support rapid scalability and growth of the data center. In an SDDC it can be useful to make the add-on of a host as simple and standardized as possible.
vSphere configuration considerations
The SDDC will influence the way you might configure and set up vSphere in a data center. While any vSphere environment can be the base for an SDDC, it might make sense to revisit some of its settings and make them fit for the SDDC. Basically, there are two major approaches to think about:
The management cluster and all the management relevant VMs and applications
The environment running all your production/development or test VMs, often referred to as payload
Both configurations are important and need to be well thought through. In a classic vSphere only environment, the need for a management cluster might not be as strong as in an SDDC environment, since all it runs is vCenter and maybe some virtual desktop managers (if applicable). So it can often be run on small vSphere hosts with a low-performance configuration. If you add monitoring like vRealize Operations and Log Insight, the performance requirements of this cluster will rise since these two tools will require intense memory and CPU power to serve medium or large environments.
Separate management cluster
This is a general recommendation from VMware. Every bigger vSphere environment should have its separate management cluster onto which all management VMs are installed. In an SDDC environment, all the tools required to run the SDDC will be added into the management cluster as well. Therefore, it is important to plan accordingly and provide it with all necessary resources.
So the requirements of your management cluster will change dramatically in an SDDC. If you also intend to add NSX to the picture, you need to run the NSX manager as well as think about a separate NSX Edge cluster.
Here is a list of VMs you will have to fit in your management cluster for a medium size SDDC installation:
2x vRealize Automation appliance
2x DEM worker for vRealize Automation
2x IaaS server for vRealize Automation
1x (or 2x) vRealize Orchestrator
1x (or 2x) vRealize Operations Manager
1x (or 2x) vRealize Log Insight
1x vRealize Business for Cloud
1x NSX Manager (if applicable)
3x NSX controller nodes
1x vRealize Code Stream (if applicable)
1x vCenter server
This means that your SDDC management server will have at least 16 management servers with different resource and performance requirements to host. Some of these services require extensive resources such as disk space or heavy CPU and memory workloads. Especially vRealize Operations and vRealize Log Insight can easily consume a couple of terabytes of storage and require high-performance CPU and memory configurations.
Because of these added duties, the management cluster gets more important and therefore needs well thought through high availability settings. vSphere HA should be configured to protect all VMs necessary to run and manage your SDDC. However, keep in mind that other management servers can run on this cluster as well. It is not exclusively reserved for VMware products.
If you plan to introduce a campus or metro cluster setup with shared storage between two data centers, this concept needs to be extended to the management cluster as well. This might be less important in a pure vSphere environment, but for the SDDC it is imperative to make sure the portal is highly available and reachable. Just keep in mind that all consumers will have to go through the portal to manage their VMs and other ordered objects. If the portal is down, they have no option to interact with their installation.
Another important point here is the HA Restart Priority. The SDDC components may require a special restart order after an outage. Otherwise, they might be up but the portal is not running because of missing connection requirements. In the following screenshot, you will find a sample of how to configure the restart priority for an SDDC management cluster:
Obviously, it is also important for vCenter to be up and running as one of the first VMs, but that should be a given in any environment. Besides that, the logic for this startup priority is the following:
1. Start vRealize Automation portal and Distributed Execution Managers (DEM) first to bring up the portal and general functionality.
2. Start vRealize Log Insight with the same priority in case logs need to be analyzed.
3. Start up vRealize Orchestrator to make sure that any additional workflows or the XaaS components can work. Orchestrator can start and register itself fine if vRA is already running.
4. Start up vRealize Operations and vRealize Business to restore capacity and analytics monitoring as well as chargeback and showback functionalities.
Tip
In the case of two data centers and a stretched management cluster, it might be very helpful to set an affinity rule to have all components running in the same data center. This will prevent random outages in case one of the data center sites has an issue. However, if you use a clustered vRA setup (as well as other components), make sure that each site runs one instance of it, instead of having both on one site!
Management cluster resource considerations
It is strongly recommended to have at least three hosts in your management cluster. If you are using a campus or metro cluster setup, make sure that you use host groups and VM groups to distribute the VMs across both sites accordingly. Three hosts are important to also cover maintenance events. If vSphere upgrades need to be applied, the host often needs to be restarted or at least brought into maintenance mode. During these times your cluster resiliency is diminished. If you only had two hosts, there would be no resources left in case the other host fails. Therefore, it is strongly recommended to have at least a 2+1 configuration in place. However, in an NSX use case, the management cluster needs to have at least 6 hosts (3 per site) in order to house the additional required NSX controllers (3 per site, one per host).
Separate management VDS
Besides the separate management cluster, it might be useful to also create a separate management VDS. One of the reasons to do this is to limit the failure domain.
A VDS is nothing more than a software component to give access to the physical Network Interface Card (NIC) of a vSphere host. This is done by creating failover (NIC teaming) configurations as well as through adding so-called port groups. But such a switch also represents its own failure domain, which means that if something goes wrong with this VDS, it will only affect the management cluster. Limiting your failure domain is a passive move which will enhance your overall resiliency.
Another reason is often to add security. Since all port groups in a VDS can be used on all participating ESXi hosts, it might be possible to accidentally add a VM to the wrong port group. If this port group is part of the overall management network, severe harm could be done by accessing this network. To prevent this situation, a separate management VDS helps to logically separate all the production networks from the management networks. Basically, it can also all be done with one single VDS, but some organizations may restrict this due to security regulations and enforce a separation of VDS.
The payload cluster
The main principle of an SDDC is to share workloads on a general purpose infrastructure. This is done by using logical software constructs to create the impression that a select area is providing resources for a deployed application. Typically, this can be done by either creating separate clusters to host different use cases, or by creating resource pools to carve out resources and performance from a bigger cluster.
vSphere provides high flexibility in what technique to use, but there are differences, pros and cons with each approach.
The resource pool approach
Resource pools are one option in vSphere to reserve and limit resources. They also offer shares to ensure a fair prioritization of CPU and memory. Resource pools can be used to create a tiering approach for different workloads. They can also be used to separate workload classes from each other. Some organizations use resource pools to separate test/dev from production workloads. The resource pools act as a resource broker and ensure that each class gets the resources it demands. However, if one class is exceeding its resource requirements, they can ensure that the other class still gets the required resources.
In an SDDC they can be used as a reservation (or multiple reservations) for a tenant, meaning all workloads of that tenant will be deployed in these specific resource pools.
Although they can also be configured to set a limit, this limit would be permanent. This means that even if the resources might be available, the limit will prevent all VMs in the resource pool from consuming more than the allowed resources. This is not to be underestimated, since a memory limit in a resource pool can lead to VMs swapping out their memory pages because there is no more RAM available. A CPU limit can lead to the artificial slowdown of the VM to ensure the boundary is kept. This is a very forceful way to ensure that an environment stays within its boundaries.
Resource shaping should be done by using shares within resource pools. This guarantees that the resource pool will provide the necessary resources in case of congestion by using the shares. If there is no congestion, the VMs can use more resources than the pool is configured for. As soon as this conflicts with another resource pool in the system, the shares are used to determine the priorities of the pools/VMs to get to resources.
This guarantees that, if there is no congestion in the system, VMs can use as many resources as available. If there is congestion, the shares ensure that the different classes get exactly as many resources as configured in the resource pool. This means that shares offer a much more flexible way of resource management than limits.
However, these shares need to be adjusted if you add a resource pool to the cluster. You should come up with a formula to add shares to a pool based on what it should deliver.
A simple example might be:
Development = 30% of cluster resources
Test = 10% of cluster resources
Production = 60% of cluster resources
Since you can define shares yourself, they can be easily used to represent these values. To further add to this example, the following shares might be added:
Development = 3 shares per vCPU/GB memory (more vCPUs means more shares to add)
Test = 1 share per vCPU/GB of memory
Production = 6 shares per vCPU/GB of memory
Some people simply add a static number of shares to a resource pool, but that can lead to the opposite: performance degradation. Let's look at an example of static shares in pools:
Pool test has 1000 shares and houses 50 VMs
Pool production has 6000 shares and houses 600 VMs
At first glance, it seems that production has many more resources (shares) available than test. But if you break it down to the VM level, a test VM gets 20 shares, while a production VM gets only 10 shares.
This means that in a congestion event, test VMs get access to resources twice as often as production VMs.
This is an important principle to understand. When applying the easy percentage approach, the shares per resource pool must be calculated on a per VM level. If you add VMs to a resource pool, the number of shares also has to be changed, every time!
This is maybe one of the downsides of resource pools: they are flexible and agile, but they need to be configured accurately. This is also one of the main reasons why it is very harmful to use them as a folder structure; even if you never configure their shares, they will force VMs to align to their configuration. Typically this can either be done by using vRealize Orchestrator or by using vSphere PowerCLI scripts which are checking and changing shares per pool on a regular (hourly/daily) basis.
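The per-VM dilution and the regular share check described above, as an added example in Python (not code from the book; a production check would read the inventory from vCenter through vRealize Orchestrator or PowerCLI as the text says). The VM inventory and the configured pool values are constructed sample data, and the helper names are hypothetical.

```python
from typing import NamedTuple

# Shares per vCPU (CPU shares) and per GB of RAM (memory shares) for each
# tier, taken from the example formula in the text.
TIER_WEIGHT = {"development": 3, "test": 1, "production": 6}


class VM(NamedTuple):
    name: str
    vcpus: int
    mem_gb: int


def per_vm_share(pool_shares: int, vm_count: int) -> float:
    """Shares one VM effectively holds when a pool's shares are split evenly."""
    if vm_count <= 0:
        raise ValueError("pool has no VMs")
    return pool_shares / vm_count


def target_pool_shares(tier: str, vms: list) -> dict:
    """Pool shares that keep the tier weight constant per vCPU and per GB."""
    weight = TIER_WEIGHT[tier]
    return {
        "cpu": weight * sum(vm.vcpus for vm in vms),
        "mem": weight * sum(vm.mem_gb for vm in vms),
    }


def find_drift(configured: dict, inventory: dict) -> dict:
    """Return the pools whose configured shares no longer match their VMs.

    This is the check a scheduled job would run before correcting the pool
    settings; it only reports, it changes nothing.
    """
    drift = {}
    for tier, vms in inventory.items():
        want = target_pool_shares(tier, vms)
        have = configured.get(tier, {"cpu": 0, "mem": 0})
        if want != have:
            drift[tier] = {"configured": have, "target": want}
    return drift


# Constructed sample inventory: pool name -> VMs currently in the pool.
INVENTORY = {
    "test": [VM("test-01", 2, 4), VM("test-02", 2, 4)],
    "production": [
        VM("prod-01", 4, 16),
        VM("prod-02", 8, 32),
        VM("prod-03", 2, 8),  # deployed after the shares were last set
    ],
}

# Constructed sample of what is configured on the pools right now.
CONFIGURED = {
    "test": {"cpu": 4, "mem": 8},
    "production": {"cpu": 72, "mem": 288},
}

if __name__ == "__main__":
    # Static shares from the text: test VMs end up with twice the weight.
    print("test VM:", per_vm_share(1000, 50))
    print("production VM:", per_vm_share(6000, 600))
    # Formula-based shares: report pools that need new values.
    for tier, delta in find_drift(CONFIGURED, INVENTORY).items():
        print(tier, "configured", delta["configured"], "target", delta["target"])
```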
Pros and cons:
+ Dynamic and agile approach to grant resources to VMs
+ Works easily with multiple cluster sizes
+ No wasted capacity
- Needs continuous adaptation if new VMs are added
- Needs well-structured resource tiering model
- Needs additional automation
The cluster approach
Pooling resources across your data center can also be done by putting certain workloads on certain clusters. If your environment is big enough, this might be an attractive way to ensure that different tiers of workloads do not affect other tiers. Also, this approach is very attractive from a licensing perspective. Similar software might be licensed more effectively when running on the same cluster. In this case, this setup is very common.
Typically this is done by creating tier based clusters such as test, dev, or production. Each cluster represents one workload class/tier and will only host the respective tier. This is easy to handle since you physically separate the workloads by letting them run on distinct vSphere hosts. In an SDDC environment, a tenant can have one or multiple clusters as a reservation. Workloads deployed by that tenant will then always end up in one of these clusters.
Basically, the clusters can be seen as giant resource pools; the difference is that there is no need to configure any shares or resource reservation.
However, keep in mind that each cluster must meet all resiliency and availability requirements. If this example is used in a campus or metro cluster environment, you need enough hosts to distribute across both sides. The minimal configuration for each cluster is similar to the management cluster requirements: 2+1. Otherwise, you can't ensure resiliency during maintenance windows. Of course, this might be done differently in test and dev environments. In this case, a two-node cluster might be acceptable in order to act in the interest of budget. However, keep in mind that the resiliency is diminished with this setup. If the test or dev clusters serve a production purpose (can't work productively without these environments), the three-node setup might be more appropriate.
This implies that each of your tiers is running on its very own cluster. So in the test/dev/production example, one cluster is needed for each group. So even if you start small, you would need at least nine ESXi hosts to begin with. This is one of the downsides of the cluster approach; it requires more resources than the resource pool shaping. Also, keep in mind that you need to map different VMFS volumes to a different cluster to stay within VMware's best practices. So it will also increase your storage mapping effort as well as your overall storage consumption. Typically this approach is chosen for large environments, where hundreds or thousands of VMs run in the select tier. In this case, it might make a lot of sense to use separate clusters. But in a smaller environment, it simply isn't very cost attractive.
Pros and cons:
+ Easy approach to classify using hardware resources
+ Good and easy scalability since no changes need to be made
- Possible waste of resources, licenses, and therefore cost
- Needs well-structured resource tiering model
- Each tier needs its own cluster
Both options work well with vRealize Automation. In the end, it is up to the requirements you have to fulfill which way is more appealing to you. In terms of scalability, both options scale very well. The biggest difference, though, is that the resource pool option scales beginning with 3 hosts for 3 tiers.
It scales dynamically and efficiently as you add hosts, if you always change the resource pool settings to accommodate new VMs and resources.
The cluster option scales beginning with 9 hosts for 3 tiers, so it adds three times the cost. You scale the individual tiers by adding hosts to their clusters without any change or task to complete.
Both options can scale very well up to VMware provided maximums for vSphere.
Note
vSphere 6.0 scales easily up to 64 hosts per cluster and 10,000 VMs as well as 1,000 hosts per vCenter.
Storage Policy Based Management
Storage Policy Based Management (SPBM) is relatively new to the vSphere world. It was introduced with vSphere 5.0 and has been enhanced quite a bit since then. The basic principle of SPBM is to manage the storage in the form of VMFS datastores based on precreated policies instead of trying to figure out their function by their name.
Typically, organizations picked a distinct name scheme to apply to the datastores to identify their capabilities. Such a name could look like:
S1PDR040
This is a code to identify what this VMFS datastore has to offer. Translated it means:
S1 = site 1
P = production
DR = disaster recovery/replicated datastore
040 = LUN ID to identify in ESXi/storage system
All the admins have to know all these abbreviations and codes to quickly identify where a VM should be deployed. While Storage DRS adds one simplification for that, since all VMFS of a kind and site could be put together in a big storage cluster, SPBM adds another solution. It can create storage policies and match VMFS datastores or datastore clusters against those policies.
The interesting thing with SPBM is that policies can be applied on a per VMDK level. So each disk of a VM can have its very own storage policy attached. Instead of trying to decrypt complex datastore names, all the admin has to do now is pick the fitting policy per VMDK, and the compatible datastore will be shown in the deployment wizard.
For a manual deployment, that is a time saver and also prevents deployment errors (wrong datastore picked because of a lost in translation issue).
In an SDDC where storage tiering might be a requirement, this functionality is not just nice to have, it is a much-needed functionality.
SPBM definition
SPBMs can be defined in various ways. This description highlights two easy to maintain ways to create storage policies to be used in either vSphere or vRealize Automation for tiering purposes. This is one of the vSphere integrated automation functionalities which should not be underestimated for an SDDC, since it adds valuable features without much effort to configure.
Static SPBM configuration
In this configuration, you can select the datastores which should be compatible with the policy based on tags. These tags have to be added to the datastores before you can create the policy. To add a tag to a VMFS datastore:
1. Click on Home in the vCenter Web Client.
2. Go to the Storage overview in vCenter Web Client.
3. Right-click on the datastore you want to add the tag to and select Assign Tag.
4. If no tags are available, click on the new tag sign to create a new tag.
5. Create a new tag category if needed (for example, Storage).
6. Select the newly created tag to assign it to the datastore.
In our previous example, tags can be:
Production
Replicated
Performance class (Gold, Platinum, Ultra)
These tags can either be assigned to an individual VMFS datastore or to an entire datastore cluster. After you have tagged all your datastores, you can use these tags in the storage policies to match their requirements.
In our case, that would be a storage policy called Production which requires the tags Replicated, Production, and Ultra. To create this policy, do the following tasks:
1. Click on Home in the vCenter Web Client.
2. In the overview screen, click on VM Storage Policies.
3. Click on the Create a new VM storage policy icon at top left.
4. Give it a name and a description.
5. Under 2a Rule-Set 1 select Add tag-based rule....
6. Add all required tags to the policy.
7. Provide a valid description of what this policy is including.
8. Check the compatible datastores in the overview.
9. Click Finish.
You just created a valid storage policy based on tags. If this policy is selected with a VM deployment, it will only show compatible VMFS datastores for the VM deployment.
Dynamic SPBM configuration
Besides the SPBM configuration based on tags, this can also be done on live array data. This brings the advantage that the storage policy can be created based on capabilities delivered by the storage array. It could include requirements such as Max Latency or Max IOPs based on real data provided by the array.
To make this work you need to install a so-called vSphere API for Storage Awareness (VASA) provider from your array vendor. Each vendor has their own provider; typically they are either a vApp to download, or they are already running on one of the array controllers. In any case, you need to connect vCenter to the VASA provider before you can create such a dynamic storage policy.
Follow these steps to enable the VASA provider in vCenter:
1. Go to the tree view in vCenter.
2. Click on vCenter at the top.
3. Select the Storage Provider tab on the far right in the main window.
4. Click the add icon (green +) to connect to your vendor's VASA provider.
5. Click OK and save the connection.
Make sure the connection is working. Details on how to connect to the VASA provider may vary per vendor.
Once you have configured your storage vendor's VASA provider, you can begin creating a storage profile based on actual storage capabilities. The configuration is similar to the one with the tags, except that you now can select the VASA provider as a data source:
1. Click on Home in the vCenter Web Client.
2. On the overview screen, click on VM Storage Policies.
3. Click on the Create a new VM storage policy icon at top left.
4. Give it a name and a description.
5. Under 2a Rule-Set 1 select Add tag-based rule....
6. Add all required tags to the policy.
7. Provide a valid description of what this policy is including.
8. Check the compatible datastores in the overview.
9. Click Finish.
Done, you just created a storage policy based on storage capabilities. The beauty of this is that the VASA provider and SPBM will automatically detect compatible VMFS volumes/LUNs.
In vRealize Automation 7, these policies can be leveraged in IaaS blueprints or even selected while ordering a VM. In this case, the VM will only be deployed onto the policy compatible VMFS volumes. Before SPBM was built into vSphere and vRA, these requirements could only be realized based on complex vRealize Orchestrator workflows, often custom created for each scenario.
Now, this functionality can be simply preconfigured in vSphere and leveraged in vRA. This simplifies the implementation of the SDDC a lot and guarantees that each VM is running on the right storage tier.
Integrated vSphere automation
vSphere already comes with very rich and built-in automation functionality. Initially, all this was added to make the administrators' lives easier. Ultimately it was meant to ease the daily operation of medium and large vSphere deployments. Over time, the SDDC evolved and brought up new possibilities to deploy workloads in a vSphere environment.
With this new possibility, requirements are also raised regarding basic SLAs like tiering, performance classes, security, and so on.
For the SDDC, the features which made the vSphere administrators' lives easier have become a huge time saver for any SDDC deployment. Think about the effort savings you get by using all of this automation vSphere provides by default.
These functionalities can save weeks of custom workflow scripting or implementation work. Just remember that VMware's engineers spent a fair amount of time developing all their functionality to blend in perfectly in the vSphere environment. DRS, Storage DRS, vMotion, HA, and SPBM work together in perfect unison to make a good vSphere environment a perfect base installation for the SDDC.
It is important to leverage the already integrated automation features vSphere brings with its out of the box functionalities. All functions which can be configured and used in vSphere are a huge time saver for the SDDC since they do not have to be created and programmed in vRealize Orchestrator with big efforts.
DRS and Storage DRS are just one big example of making maintenance and initial placement of VMs an automated task of vSphere. Without this functionality, it would require quite an effort to place VMs or to support host maintenance. Since vMotion takes care of evacuating VMs from hosts planned for maintenance mode, this is transparent to the SDDC and therefore also to the end user of the service.
Storage DRS is a good helper in preventing unplanned downtime by using the out of space avoidance move functionality; this is not just a nice feature, it can be a lifesaver. Besides that, it also takes care of placing VMs onto the right datastore out of a datastore cluster. This is another functionality which has not been available in the past and therefore created quite an effort in vRealize Orchestrator (or with PowerShell scripts) to choose the right datastore for a VM to be deployed onto.
Finally, resource pools provide a great option to shape the environment in the most efficient way but need some attention on their own. If you are not completely sure that your resource pool design is exactly doing what you want it to do, review it or think of changing to the cluster shaping approach. Resource pools can be quite a complex topic; that is also why Duncan Epping and Frank Denneman created a complete series of books about vSphere HA and DRS. This is a highly recommended read if you want to learn all the details about vSphere resource pools and how they work.
All vSphere automation functionality should be taken into account to ease
Best practices and recommendations
A healthy and well configured vSphere environment is a perfect base for any SDDC installation. Check your environment and see if you can either add the automation features discussed or enhance your current use of them. In an SDDC there is not too much space for manual tasks; therefore anything which can be solved with automation and is required for the SDDC to work probably should be considered.
Spend enough time to evaluate whether your vSphere environment is actually ready for cloud. If you identify manual tasks or very static settings which are complex to replicate on added hosts, try to solve these by using the provided toolset of vSphere. It is important to identify roadblocks before they become dead ends in an SDDC deployment.
An SDDC is about enhancing agility in your data center and fulfilling your business's IT demands in a quick and straightforward way. It will need some customization for integration into third-party management tools in your data center. But this effort should not be spent on vSphere integration.
Before you identify a task which might need to be customized in vRealize Orchestrator, think twice about whether this can be fulfilled with standard vCenter functionality.
Saving license cost by sacrificing some of these features actually burns cost rather than saving it. The problem is, even if you find a quick way and reproduce some of these features in vRealize Orchestrator, every time you change a thing in your environment you have to recheck if your vSphere Orchestrator workflow is still working. This may become a huge effort and time factor while operating your SDDC.
This is why using built-in vSphere automation is one of the most important best practices to follow when preparing your environment for installing an SDDC.
Summary
In this chapter, we discussed the main principles of built-in vSphere automation and some of its advanced features. From basic HA and resiliency topics all the way to vSphere integrated resource shaping options, these are valid functions for the SDDC. Leveraging all these included functions in vSphere and ensuring that your clusters meet HA and resiliency standards will form a healthy and capable infrastructure layer for your SDDC.
The next chapter will highlight SDDC design considerations to take into account. It will discuss the tools required for the SDDC based on the requirements. Furthermore, it will help you to map business requirements to actual SDDC design elements and to form proper decisions on which tools are required. It will touch on all components required for an SDDC as well as components to enhance the SDDC possibilities. Also, it will guide you to basic design principles which include assumptions, risks, as well as constraints you have to take into account.
Chapter 4. SDDC Design Considerations
If you have never done any design before, this chapter should give you a good starting point and some useful insights about what is good and proven practice. It will talk about the basic principles you want to put into your design as well as how to document any assumptions, constraints, and limitations.
The design is probably one of the most important things in any SDDC implementation. However, the design itself will be formed out of the actual requirements and business cases. This is one of the reasons why a business case or at least a use case for an SDDC is very important.
The use case or business case will influence the way the SDDC is configured and shaped; therefore you should put as much effort into documenting the business and use cases as into creating the initial SDDC design itself.
Another important task is the translation from a business case into a functional design, as well as how any technical requirements are directly or indirectly related to a business case.
Besides the specific use case mapping, the SDDC needs to be versatile, scalable, and capable of future undertakings. There should be room for additional functionalities as well as room for adding resources as needed for the future. In the end, an automated data center needs to scale transparently from the user's point of view. Therefore, it also needs to be designed to scale easily and unnoticed by any portal users or programmatic consumption using its API.
This chapter will cover the following points:
Business needs and the design equivalent
General logical design principles
Best practices on taking assumptions
Scalability of the environment
Do's and don'ts when designing automation
Example design considerations
What must or what can be in the design
The business use case
This is also often referred to as business use case and should describe an IT need from a business perspective. Many organizations have such cases, but some fail to translate them into IT needs. Sometimes, there is simply no communication between the lines of business and IT. This often ends in a bad relationship between those two departments. Often the business thinks IT is too slow, complex, and ancient to understand their needs and deliver what they ask for. On the other hand, IT often gets just a fraction of the problem, but by then it has already escalated a few times and now only complaints reach the IT department.
Since a successful SDDC is about communication (people, processes, technology), it is important to understand the business needs of an organization to create a solution which is capable of supporting them and even gives them an advantage over the competition. The first step of creating your SDDC design is to document and question that business need. Then you can translate it into a technical design and implement it accordingly.
Let's do a sample business case just to give you an impression of what the flow of this translation might look like.
The business challenge
XYZ Corp is a well-known insurance company. They have been around for quite some time with an established and broad customer base. Their services are based on personal contact with their customers as well as well-trained and experienced employees. For a few months, another company has been taking their business away by approaching their customers and making them change over to them. It has been identified that this new company offers a rich mobile application as well as some add-on services XYZ has not considered yet.
The application from the competitor collects all insurance reports and can identify and alert on their termination. Also, it can identify duplicate contracts and therefore save money for the clients. All this is included for free in this mobile app.
The CIO challenge
They identified this as a risk of losing more customers and instructed their chief information officer (CIO) to find a solution and come up with their own app including the functionality of the competitor. The CIO's task now is to find out if and how the IT department can deliver this ask. Based on their last meeting, they use virtualization for quick VM deployment. However, all these actions are done manually. The installation of services is handled by a different department, and then there is the operations unit who runs all production services. All in all, it takes them a little more than 1-5 months to bring a new web server farm up. Not to speak of changing the capacity of a running web server farm and incorporating all the various security and regulatory restrictions.
Note
This is not an unusual use case. Although many organizations might have their own app, not all are using it as a strategic asset to actively attract customers. There are various reasons why this might be complex, but in the end, there is always someone who has done it and earns all the customer credit with that.
Now, the task for the CIO and his team is to match the business requirement to a technical requirement/IT deliverable. Therefore, the important bits must be extracted and technically translated:
- A web server farm for the mobile app is required
- It needs to be scalable
- Number of users and adoption is unknown
- Other services need to exchange information with this application
- Needs to be joined with existing customer base
- Dynamic deployment of additional services might be required
All these are aspects of an SDDC. The scope seems to be the mobile app, which should possibly serve all existing customers of XYZ Corp. Also, there should be a way to put in new functionality and feature enhancements over time without disrupting the users or long development times.
Besides that, the service should be pre-configured and easy to deploy. Once it is running, there should be an option to either grow it manually or add monitoring which adds systems based on its usage. This should all happen automatically and without interrupting the service. This is a major factor since application performance is always seen as critical by end users.
The Cloud Management Portal (CMP) should be capable of deploying this service automatically. But this will only be used by a limited set of users in XYZ Corp, probably from the IT engineers, developers, and operations groups only. So the design needs to fit a small set of users.
Also, in order to set up a web server farm, the OS deployment has to be automated. The CMP should be capable of deploying Infrastructure as a Service (IaaS) for the OS only, but also of installing an application after this deployment has happened.
Also, XYZ Corp has a couple of third-party systems into which any new service deployment needs to register. The automation should fully integrate into those systems to prevent any manual intervention. And finally, a predictive resource analysis might be required to prevent any shortage of compute, network, or memory resources. This system should work alert based and inform about a possible bottleneck before it occurs. This could then be worked into the procurement planning to make sure additional resources are ordered and available before any impact hits the running services.
All this should run automated, including a basic self-service portal where new services can be ordered/maintained and removed by the portal users.
This was the first step of identifying what might be required to solve this business case efficiently. The next step would be to document all facts and possibilities to further create a design which takes all this into account.
Constraints, assumptions, and limitations
These three components will shape the way you set up and install your SDDC. Let's briefly touch on what each of these terms means in a design and how to identify and document them.
Constraints
A constraint is something you can neither influence nor change in the data center. Since it is non-changeable, it should be documented as a constraint to explain why you might have chosen the design you did. Constraints can be various things; they do not need to be only technical, as processes or people can also be a constraint. Since a constraint will massively influence the chosen path of installation and configuration, they should all be documented in a table at the beginning of the design.
Here is a sample constraint table:
Constraint ID | Description | Impact
C001 | DMZ and production must be physically separated | More hosts as well as a complex deployment method are required to ensure no DMZ workload can be run on production or vice versa
C002 | All IP addresses must be obtained from a central IPAM | IPAM needs to be integrated into the cloud management solution
C003 | All deployed VMs need to be registered with the CMDB | CMDB must be programmable (API) and will be integrated with the automatic VM deployment
C004 | Every non-standard change needs to be approved and documented | Approval policies need to be used and implemented for possible service changes in the portal
C005 | No VM template deployment is allowed to be used | Service deployment has to be configured to do Preboot Execution Environment (PXE) boot for VMs to install an operating system
This is just an example; there can be various other things, and those depend on the organization's processes and operation structures. However, if there is a chance to eliminate a constraint, it should be done, since every constraint might limit your SDDC capabilities.
The documentation of constraints also often helps to become aware of them. Sometimes one might think, that is how it is, or my favorite quote, it has always been like that. Think outside of these patterns to identify if some of the constraints are still valid. While eliminating a constraint can sometimes be very difficult (politics, people, processes), it can also be a key factor in making the SDDC successful. So the second part of documenting constraints is to find those which can be eliminated.
Too many constraints can put the whole SDDC at risk since it might end in a non-functioning or non-beneficial state. The third step of becoming aware of your constraints is making sure they are not preventing any major SDDC functionality. Data center automation means change, and change means that many tasks or processes need to be revisited to see if they still make sense in an SDDC environment.
Tip
One weird process for a cloud environment was to open a ticket for deploying a service. Not to document its configuration in a CMDB or ticketing system, but because the operators had the mandate to do so. If they didn't, their manager would get an alert about their productivity. So they requested that each portal action (deploy a service, change a service, and so on) opens a ticket under their names and closes it after it's done. This is a typical example of a legacy process which does not fit into the automated data center world. While it was possible to integrate this, it was quite a high effort to automate it. So the project was more expensive than initially thought. This is the impact of a constraint which might have been able to be eliminated.
Once all the constraints have been identified, let's move on to the next topic.
Limits
A limit can be physical or logical and describes a circumstance which can't simply be changed. Limits are often technical, but can also be organizational or process related. An organization which has only one data center has this as a limit. It cannot easily stand up a second data center. While this is a somewhat extreme example, there are many limits which sound easy to solve but are as difficult to resolve as the data center example.
The process for the limits is the same as for the constraints. However, limits and constraints can be related to each other. A constraint can create a limit and, vice versa, a limit can be present due to a constraint.
A simple example for that is:
The project has a fixed budget, which is a cost limit and cannot easily be overcome.
This creates a constraint stating that additional costs cannot be covered. The impact would be to keep the design simple and remove some of the planned integration work.
Here is a sample limits table:
Constraint ID | Description | Impact
L001 | The core network cannot deliver more than 10 Gbit. | In order to prevent congestion, multiple NICs will be used to separate management, backup, and production traffic.
L002 | PXE network cannot support more than 10 simultaneous deployments. | Global service deployment needs to be configured to not exceed 10 simultaneous service deployments if PXE boot is involved.
L003 | Link speed to the secondary data center is 100 Mbit. | Asynchronous replication needs to be considered in order to configure DR prevention.
L004 | Pre-defined project deadline, set before the design/project plan was created, to hand over the fully installed and running system. | Scope needs to be revisited and a reverse project plan needs to be created. Some features might not be implemented due to this deployment time limit.
L005 | Only two FTEs will support this project. | Implementation time might be longer given the limited resources.
In this table, you will notice that C005: No VM template deployment is actually related to L002: PXE limit on simultaneous OS installs. This is an example of how constraints and limits might impact each other. If the constraint went away, the limit would also be gone at once. This would actually make the platform more comprehensive and capable.
Limits are normally quite hard or impossible to eliminate, unless they are related to constraints. Therefore, a good design has to acknowledge them and try to work around them. It is important to have a full understanding of all limits before you start your design; otherwise, you might plan for features and then notice that they cannot be used. It is always easier to be well prepared and aware and to create your design around that than to try to improvise later on without jeopardizing the whole integrity and functionality of the SDDC.
Documenting the limits opens up the same opportunity as documenting constraints. They can be revisited and discussed, and maybe there is already a solution to overcome them in the data center. As with the constraints, the important factor is that, based on the documented limits, it is much easier to follow up than if there is nothing but guessing.
Assumptions
Even the best and most well-prepared design team or SDDC architect needs to make educated guesses sometimes. It is just impossible to be aware of every aspect and every requirement before you create your design. Therefore, as with the other two, document your assumptions and their impact. Assumptions can be revisited anytime and corrected whenever possible. However, some of them will only reveal themselves once the data center automation has been set up, or once the first couple of services are running. Therefore, assumptions should not lead to absolute design decisions. They should give you a direction and an idea of what might be required. Creating a non-reversible configuration which might limit your later use of the platform should be prevented.
However, assumptions are an important part of the design since they will underline why certain things in the system might be configured as they are. It is important to relate them to design decisions since they will help the reader of your design to understand why you took certain decisions. This makes it much easier to form a sound design and also to defend the configuration if required.
Assumptions can cover all sorts of things, from technical assumptions to process-based assumptions or application/service-based assumptions. Often assumptions are already a big part of any data center. In a bigger organization, the admin sometimes does not know what will be installed on a VM, so they create those VMs based on assumptions and best practices.
In an automated data center, there is a lot which can be assumed: growth, deployments per day, portal users, services, service requirements, service scalability, resource availability, resource constraints, and so on.
This list could get very long. In order to relate that to a design, it is important to list only relevant assumptions which also have a measurable impact on the design and setup of the SDDC.
Here is a sample assumptions table:
Constraint ID | Description | Impact
A001 | The application supports dynamic scale-out. | The service needs to be designed to support adding VMs on demand.
A002 | Only one department/group is using the CMP. | Only one tenant and business group need to be set up to support this.
A003 | Backup is done separately and will not be configurable in the CMP. | Easier integration of services without advanced customization requirements.
A004 | No advanced networking/firewall rules are required by the application. | Easier integration of services without advanced customization requirements.
A005 | Mix of different subnets/VLANs per vSphere host is allowed due to logical network separation. | Less cost and effort with the vSphere implementation. No custom service design in the portal required.
Tip
A004 is a good assumption, but might be very unusual for most projects. VMware's NSX could help to address possible requirements and further automate the deployment of complex applications. If so, consider it to be part of the initial SDDC design.
While some of these assumptions might sound obvious to you, it is important to understand that in huge projects there is always a chance of misunderstandings. So assumptions can also be used to document soft requirements. If you look at A002, it states that only one department might be using the portal. The design decision, therefore, is to create only one tenant. This saves effort and project time. Also, the decision of creating one tenant is tied to the assumption, which makes it quite easy to understand. Sometimes people change their mind in the middle of a project. This often leads to missed milestones and deadlines. Often there can be a discussion that this change hasn't had any impact on the design. If all the assumptions, and therefore the scope, are well defined in the beginning, those discussions do not need to happen.
So assumptions are good for keeping track of design decisions and also for delivering a valid point why a decision has been taken. Besides that, they help to estimate what impact a change of these assumptions might have on the SDDC implementation/configuration.
Also, all assumptions in this table are linked to specific settings. Those settings can be changed anytime. The impact might be configuration/project time as well as costs, but the system is not limited to these configurations. Always try to keep the limiting factor of assumptions and their linked decisions as low as possible. Since assumptions can change rather quickly, you might need to revisit the configuration and adapt it to the new requirements.
While these are some worst-case examples, they are all from real SDDC implementations. A good design keeps track of these aspects. It is also a good practice to create an ID for each design decision and map it to any of these three descriptions. It will improve the readability and understandability of your design if all decisions can be tracked back to a constraint, limit, or assumption.
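The mapping of design decisions to constraints, limits, and assumptions can be checked mechanically. The following is an added example, not code from the book: the C/L/A entries are taken from the sample tables above, while the design decision IDs (DD001 and so on), their wording, the `reversible` flag, and the unknown reference A009 are constructed for illustration.

```python
# IDs and short descriptions from the sample tables on this page.
REGISTER = {
    "C001": "DMZ and production must be physically separated",
    "C002": "All IP addresses must be obtained from a central IPAM",
    "C003": "All deployed VMs need to be registered with the CMDB",
    "C004": "Every non-standard change needs to be approved and documented",
    "C005": "No VM template deployment is allowed to be used",
    "L001": "The core network cannot deliver more than 10 Gbit",
    "L002": "PXE network cannot support more than 10 simultaneous deployments",
    "L003": "Link speed to the secondary data center is 100 Mbit",
    "L004": "Pre-defined project deadline",
    "L005": "Only two FTEs will support this project",
    "A001": "The application supports dynamic scale-out",
    "A002": "Only one department/group is using the CMP",
    "A003": "Backup is done separately and is not configurable in the CMP",
    "A004": "No advanced networking/firewall rules are required",
    "A005": "Mix of different subnets/VLANs per vSphere host is allowed",
}
KINDS = {"C": "constraint", "L": "limit", "A": "assumption"}

# Relation stated on the page: limit L002 exists because of constraint C005.
DEPENDS_ON = {"L002": {"C005"}}

# Constructed design decisions (hypothetical IDs and wording).
DECISIONS = [
    {"id": "DD001", "text": "Create one tenant with business groups", "based_on": ["A002"], "reversible": True},
    {"id": "DD002", "text": "Install the OS via PXE boot", "based_on": ["C005"], "reversible": True},
    {"id": "DD003", "text": "Cap concurrent service deployments at 10", "based_on": ["L002"], "reversible": True},
    {"id": "DD004", "text": "Integrate the IPAM into the CMP", "based_on": ["C002"], "reversible": True},
    {"id": "DD005", "text": "Replicate asynchronously to the second site", "based_on": ["L003"], "reversible": True},
    {"id": "DD006", "text": "Deploy vRA in the enterprise layout", "based_on": [], "reversible": True},
    {"id": "DD007", "text": "Share host uplinks across all VLANs", "based_on": ["A005"], "reversible": False},
    {"id": "DD008", "text": "No firewall rules in blueprints", "based_on": ["A004", "A009"], "reversible": True},
]


def kind(item_id):
    """Classify an ID as constraint, limit or assumption by its prefix."""
    return KINDS.get(item_id[:1], "unknown")


def audit(register, decisions):
    """Find decisions that cannot be traced back, and register items nobody uses."""
    findings = {"unjustified": [], "dangling": {}, "irreversible_on_assumption": [], "unused": []}
    referenced = set()
    for d in decisions:
        if not d["based_on"]:
            findings["unjustified"].append(d["id"])
            continue
        unknown = [r for r in d["based_on"] if r not in register]
        if unknown:
            findings["dangling"][d["id"]] = unknown
        known = [r for r in d["based_on"] if r in register]
        referenced.update(known)
        # Assumptions should not lead to absolute, non-reversible decisions.
        if known and not d["reversible"] and all(kind(r) == "assumption" for r in known):
            findings["irreversible_on_assumption"].append(d["id"])
    findings["unused"] = sorted(set(register) - referenced)
    return findings


def revisit_after_change(changed_id, decisions, depends_on=DEPENDS_ON):
    """List decisions to revisit when a constraint, limit or assumption changes."""
    affected = {changed_id}
    grew = True
    while grew:  # follow limit/constraint relations until nothing new is added
        grew = False
        for item, causes in depends_on.items():
            if item not in affected and causes & affected:
                affected.add(item)
                grew = True
    return sorted(d["id"] for d in decisions if affected & set(d["based_on"]))


if __name__ == "__main__":
    print(audit(REGISTER, DECISIONS))
    print("If C005 is eliminated, revisit:", revisit_after_change("C005", DECISIONS))
```

Register items reported as unused are not errors; they are constraints, limits, or assumptions that no documented decision refers to yet.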
Scalability and future growth
If you are about to design your VMware SDDC, you should always have growth and scalability in mind while doing so. There are a lot of options to install the needed VMware components for small, medium, or even large environments, but it is important to know that all of them have their own requirements and limitations.
Keep in mind that although there is a very good implementation of a self-service portal in vRealize, the whole SDDC can also be consumed programmatically using APIs. There are APIs for vRealize Automation and its plugins as well as for vRealize Orchestrator. This might include a scenario where application servers get deployed on a specific day to provide additional power. After their task is done, they are simply removed from the environment to free up the resources for the other existing workloads. The programmatic consumption of the whole SDDC also needs to be considered in a good design document.
Before starting to create a design or even deploying the tools, it might be important to explore and understand each of the components of the SDDC. Typically, the following components will be required to build the data center automation foundation.
vRealize Automation
This serves as the central frontend. Often it is also referred to as the CMP, where end users or administrators can request services to be deployed. But this is only one of its obvious functions; actually, it is doing much more than that. It also uses so-called Distributed Execution Managers (DEM) to monitor and execute workflows. vRealize Automation takes care of the basic automation tasks as well as workflows for deploying VMs and even applications. Also, it can leverage and integrate with advanced features like NSX. It will also be the interface where all the service templates, called blueprints, will be created and designed. These can be simple, like a single VM, or complex, like a couple of VMs including a software deployment.
This is the core of the SDDC and therefore quite important to be designed and sized correctly.
vRealize Code Stream
This serves as a good addition to vRealize and makes the SDDC fit for DevOps tasks. It can automate the staging of applications. Furthermore, it features the creation of custom development environments including VMs, application installation, and gating rules. This is called a pipeline in vRealize Code Stream. The rules can describe if and when an application can reach the next stage. All this can be automated by integrating either a developer tool like Jenkins or by leveraging scripts or even vRealize Orchestrator workflows. While this addition might not be relevant for the business end users, it will have an impact on how developers can make use of the SDDC and speed up their work too. This makes it a very useful tool to speed up application deployment and discover new ways of deploying enterprise-grade services.
vRealize Orchestrator
This is the hidden star amongst all SDDC components. VMware even offers vRealize Orchestrator (vRO) included in the vCenter license for every customer. However, this is not heavily advertised, so not too many customers are aware of this brilliant tool.
Its role is to run workflows and orchestrate their executions from a central point. This sounds not exciting, but actually, it is exciting. It is a true orchestrator, which means that it can do this for anything and everything which has an API for its control. The reason to have it in an SDDC is to integrate with non-VMware software. This can be a ticketing system, an IPAM, or even external load balancers or storage systems. All these actions can be created in separate workflows, which can also be called from other workflows (nested execution).
The second big add-on with vRealize Orchestrator is the ability to create orderable services in vRealize Automation based on workflows. This means that it is even possible to provide innovative workflows in the vRealize Automation portal which do not have too much to do with virtualization or VMware itself. An example of this is AD automation, where a user could actually request a user account for another user.
The orchestrator is as important as vRealize Automation itself. Since many workflows might also run simultaneously in a big environment, it is important to reflect this in the design for this tool as well.
vRealize Operations Manager
vRealize Operations Manager (vROps) has two primary functions. One is the ongoing analytics and monitoring of the SDDC environment; the other is the capacity planning options and possibilities. Neither of these tasks directly impacts the function of the SDDC, but both are still critical for the environment. Especially the capacity management aspect should not be underestimated. Since a cloud environment is in constant change, it is important to know and understand how much more load an environment can take until it needs further resources.
Besides that, if there is anything not working as expected, it is important to be able to quickly identify the failing component and how it might be related to other processes and tasks in the system. That can be done using the analytics part of vRealize Operations Manager. This provides more than just metrics; it understands relations, provides a relational mapping, and even creates a possible root cause analysis. All this is not seen by the end user on the portal, but it is important to guarantee a healthy and fully functional cloud environment.
vRealize Business
This is the showback or financial part of the SDDC. It takes care of the cost of VMs and makes sure that these are seen by the end user once the VMs get ordered. It also does cost comparison between different cloud offerings, if applicable. Basically, the sizing and design of vRealize Business should match the design and sizing for vRealize Automation.
This is again one of the services which will not harm the production, but it will have an influence on the overall system. If requestors do not know how expensive a request is, it might highly irritate them. Certainly, it will irritate approvers if they need to sign off a VM request and they have no idea of the cost. So it is another example of a tool in the SDDC which is not technically blocking any tasks or workflows, but from a process point of view, it can be a showstopper issue if it does not run.
vRealize Log Insight
Similar to vRealize Operations Manager, vRealize Log Insight (vRLI) is not an active component in the request/deploy process. vRealize Log Insight is an advanced log collecting and searching tool. It is meant for quickly finding messages in logs. These logs can literally come from everywhere; as long as they are text based, vRLI will be able to parse and search them in a very powerful way.
But it is not only hypervisor logs; all management components in an SDDC should log into vRealize Log Insight. This means all the systems/tools/VMs running the SDDC send their messages and log files straight into vRealize Log Insight. This has the huge advantage that all logs are central and easily searchable. In a complex cloud environment, this can be key in order to speed up troubleshooting or even to find the failing component. An SDDC has many moving parts, so a solution like this is required in order to be able to do troubleshooting and monitoring.
Therefore, vRealize Log Insight has to be sized and designed to support the rest of the SDDC as well as possible.
NSX
NSX is VMware's network virtualization layer. It can enable true on-demand networking including security functionality. It also features advanced routing and protocol management features. It is not just a nice-to-have: if the SDDC should be truly elastic and agile, NSX is a must to support the different needs of the deployed services. Mostly it is known for microsegmentation, which means multiple services can sit on the same network without being able to influence each other on the network segment.
An example of this might be a web server and a database server sitting on the same network. But the web server can only contact the database server through port 80. However, NSX also needs to be designed correctly to provide the needed performance and availability for the entire SDDC. Since this is an entire task of its own, there will be a separate chapter on NSX discussing all the options and possibilities of this amazing piece of technology. NSX should be in the equation for the entire SDDC design, even though it needs its own design as well. The requirements, limits, and assumptions will ultimately also affect the NSX design.
An SDDC is the sum of its components and more than just a single application/infrastructure; each and every component should be designed for the size and the growth according to the estimate for the entire environment. This means, if one decides to design a large installation of vRealize Automation, this also needs to be reflected in vRealize Operations Manager, vRealize Orchestrator, as well as vRealize Business and finally vRealize Log Insight. Since all of these are core cloud management components and automation systems, all of them need to be adapted for serving a large environment.
Design and relations of SDDC components
These are best practices and proven practices for how a design for all components in the SDDC might look. It will highlight a possible cluster layout, including a detailed description of what needs to be put where and why a certain configuration needs to be made like that.
Typically, every design should have an overview to quickly understand what the solution is going to look like and how the major components are related. In the SDDC, one could start by drawing the used vSphere clusters including their functions.
Logical overview of the SDDC clusters
The following image describes an SDDC that is going to be run on the three-cluster approach:
The three clusters are as follows:
- The management cluster for all SDDC managing services
- The edge cluster for NSX, through which all the north-south network traffic flows
- The actual payload cluster where the production VMs get deployed onto
Tip
Newer best practices from VMware, as described in the VMware validated designs (VVD) version 3.0, also propose a two-cluster approach. In this case, the edge cluster is not needed anymore and all edge VMs are deployed directly onto the payload cluster. This can be a better choice from a cost and scalability perspective. However, it is important to choose the model according to the requirements and constraints found in the design.
The detail of this overview should be only as complex as necessary since its purpose is to give a quick impression of the solution and its configuration. Typically, there are a few of these overviews for each section.
This forms a basic SDDC design where the edge and the management cluster are separated. According to the latest VMware best practices, payload and edge VMs can also run on the same cluster. This basically is a decision based on scale and size of the entire environment. Often it is also a decision based on a limit or a requirement (for example, edge hosts need to be physically separated from management hosts).
Logical overview of the solution components
This is as important as the cluster overview and should describe the basic structure of the used SDDC components, including some possible connections to third-party integrations like IPAM.
Also, it should provide a basic understanding of how the different solutions relate to each other.
It is important to have an understanding of these components and how they work together. This will become important during the deployment of the SDDC since none of these components should be left out or configured wrong. This is especially important for the vRealize Log Insight connections.
Note
If not all components are configured to send their logs into vRealize Log Insight, there will be gaps which can make troubleshooting very difficult or even impossible. A plan which describes the relation can be very helpful during this step of the SDDC configuration.
These connections should also be reflected in a table to show the relationship and to check that everything has been set up correctly. The better the detail is in the design, the lower the chance that something gets configured wrong or is forgotten during the installation.
The vRealize Automation design
Based on the decision and the use case, there are two setup methods/designs that vRealize Automation 7 supports when being installed.
Small
Small stands for a very dense and easy-to-deploy design. It is not recommended for any enterprise workloads or even for production. But it is ideal to be used in a Proof of Concept (PoC) environment, or for a small dev/test environment to play around with SDDC principles and functions.
The point of the small deployment is that all the IaaS components can reside on one single Windows VM. Optionally, additional DEMs can be attached, which eases future scale. However, this setup has one fundamental disadvantage: there is no built-in resilience or HA for the portal or DEM layer.
This means that every glitch in one of these components will always affect the entire SDDC.
Enterprise
Although this is a more complex way to install vRealize Automation, this option will be ready for production use cases and is meant to serve big environments. All the components in this design will be distributed across multiple VMs to enable resiliency and high availability.
In this design, the vRealize Automation OVA (vApp) is running twice. To enable true resilience, a load balancer needs to be configured. The users access the load balancer and get forwarded to one of the portals. VMware has good documentation on configuring NSX as a load balancer for this purpose, as well as the F5 load balancer. Basically, any load balancer can be used, as long as it supports HTML protocol checks.
Note
DNS alias or MS load-balancing should not be used for this, since these methods cannot prove if the target server is still alive. According to VMware, there are checks required for the load balancer to understand if each of the vRA Apps is still available. If these checks are not implemented, the user will get an error while trying to access the broken vRA.
In addition to the vRealize Automation portal, there has to be a load balancer for the web server components as well. Also, these components will be installed on a separate Windows VM. The load balancer for these components has the same requirements as the one for the vRealize Automation instances.
The active web server must only contain one Web component of vRA, while the second (passive) web server can contain component 2, 3, and more.
Finally, the DEM workers also have to be doubled and put behind a load balancer to ensure that the whole solution is resilient and can survive an outage of any one of the components.
Tip
If this design is used, the VMs for the different solutions need to run on different ESXi hosts in order to guarantee full resiliency and high availability. Therefore, VM affinity rules must be used to ensure that both DEMs, web servers, or vRA appliances never run on the same ESXi host. It is very important to set these rules; otherwise, a single ESXi outage might affect the entire SDDC.
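The separation rule from the tip above (a VM-VM anti-affinity rule in vSphere DRS terms) can be verified against a placement list. This is an added example, not code from the book: VM names, host names, and role labels are constructed, and in a real environment the placement would be read from the vCenter inventory.

```python
from collections import defaultdict

# Constructed placement: VM name -> (role, ESXi host). All names are illustrative.
PLACEMENT = {
    "vra-app-01": ("vra-appliance", "esx-mgmt-01"),
    "vra-app-02": ("vra-appliance", "esx-mgmt-02"),
    "vra-web-01": ("iaas-web", "esx-mgmt-01"),
    "vra-web-02": ("iaas-web", "esx-mgmt-03"),
    "vra-dem-01": ("dem-worker", "esx-mgmt-02"),
    "vra-dem-02": ("dem-worker", "esx-mgmt-02"),  # both DEMs on one host
}


def separation_violations(placement):
    """Return {role: {host: [vms]}} for every host that carries 2+ VMs of one role."""
    by_role_host = defaultdict(lambda: defaultdict(list))
    for vm, (role, host) in placement.items():
        by_role_host[role][host].append(vm)
    violations = {}
    for role, hosts in by_role_host.items():
        bad = {h: sorted(vms) for h, vms in hosts.items() if len(vms) > 1}
        if bad:
            violations[role] = bad
    return violations


def roles_lost_on_host_failure(placement):
    """Return {host: [roles]} for roles that lose every instance if that host fails."""
    hosts_per_role = defaultdict(set)
    for role, host in placement.values():
        hosts_per_role[role].add(host)
    lost = {}
    for host in sorted({h for _, h in placement.values()}):
        roles = sorted(r for r, hs in hosts_per_role.items() if hs == {host})
        if roles:
            lost[host] = roles
    return lost


def propose_moves(placement):
    """Greedy fix: move surplus VMs of a role to the least-loaded host without that role.

    Returns (moves, fixed_placement); a move target of None means there are
    not enough hosts to separate the role.
    """
    load = defaultdict(int)
    for _, host in placement.values():
        load[host] += 1
    fixed = dict(placement)
    moves = []
    for role, hosts in sorted(separation_violations(placement).items()):
        for host, vms in sorted(hosts.items()):
            for vm in vms[1:]:  # the first VM of the role stays where it is
                used = {h for r, h in fixed.values() if r == role}
                free = sorted((h for h in load if h not in used),
                              key=lambda h: (load[h], h))
                if not free:
                    moves.append((vm, host, None))
                    continue
                target = free[0]
                fixed[vm] = (role, target)
                load[host] -= 1
                load[target] += 1
                moves.append((vm, host, target))
    return moves, fixed


if __name__ == "__main__":
    print("Violations:", separation_violations(PLACEMENT))
    print("Single-host outage impact:", roles_lost_on_host_failure(PLACEMENT))
    print("Proposed moves:", propose_moves(PLACEMENT)[0])
```

The proposed moves only describe a compliant target state; keeping the VMs apart over time is the job of the rule itself.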
This is one of VMware's suggested reference designs in order to ensure vRA availability for users requesting services. Although it is only a suggestion, it is highly recommended for a production environment. Despite all the complexity, it offers the highest grade of availability and ensures that the SDDC can stay operative even if the management stack might have troubles.
Tip
vSphere HA cannot deliver this grade of availability since the VM would power off and on again. This can be harmful in an SDDC environment. Also, to bring operations back up, the startup order is important. Since HA can't really take care of that, it might power the VM back on at a surviving host, but the SDDC might still be unusable due to connection errors (wrong order, stalled communication, and so on).
Once the decision has been made for one of these designs, it should be documented as well in the setup section. Also, take care that none of the limits, assumptions, or requirements are violated by that decision.
Another mechanism of resiliency is to ensure that the required vRA SQL database is configured as an SQL cluster. This would ensure that no single point of failure could affect this component.
Typically, big organizations already have some form of SQL cluster running, where the vRA database could be installed. If this possibility does not exist, it is strongly recommended to set up such a cluster in order to protect the database as well. This fact should be documented in the design as a requirement when it comes to the vRA installation.
Infrastructure design examples
The SDDC design should also include the logical infrastructure design descriptions. This should cover the compute sector, storage, as well as the approach to the network design. All these decisions and descriptions should be taken with the business case in mind and ultimately enable this case.
In this example, the business case was a new mobile app which should be flexible and quick to deploy and scale. Since there is no data on how many users will actually use this app, it should also be flexible in terms of performance. The important question to solve for now is: what might the infrastructure need to provide in order to serve this use case?
Network
The SDDC will use NSX as a software-defined network provider. This is relevant for the use case for various aspects:
- The web application will need multiple networks with firewall and security needs
- These networks might need to be provisioned on-demand
- The firewall rules need to be attached to the application and removed if the application is scaling down/added if scaling up
- Since it is impossible to predict the user number, the actual network requirements can't be forecasted
Since the edge cluster is already in the design, the NSX functionality needs to be added to vRealize Automation. When setting up (designing) NSX, it is important to stick to these requirements.
In vRealize Automation, these functions can be added to a blueprint (a service template), and therefore there is no need to pre-define them in the SDDC design itself. If there is a separate section for the blueprint design, this is where the network functions need to be documented and managed.
Storage
There might be different performance classes available regarding the storage in the data center. vSphere can differentiate storage classes by using SPBM, which was described earlier in this book.
By using the SPBM functionality, vRA can create SLA or rate card service classes, which can be used by blueprints. The design should highlight these classes and decisions so they can easily be configured once the base installation of vRA is done.
This is an example of defining these storage classes:
Policy name | Disk drives used | Performance guarantee
Ultra | All flash drives | 500 IOPs/TB
Gold | SAS drives | 100 IOPs/TB
Capacity | SATA drives | 15 IOPs/TB
Tip
For easier configuration, these classes should be defined in vSphere using SPBM and matching datastores (or VASA). If those rules are present, they can be leveraged within vRealize Automation by simply adding them to the infrastructure configuration.
In our business case, the application might run the web servers from the Capacity tier, but the databases might all run on the Ultra tier. This can also be set right within the blueprint. If it is done like this, the user will not have to choose the right storage. Also, an automation which might deploy more instances will always do the right setup.
Based on requirements or the business case, there might be many more storage classes to be defined. There could also be extra classes like Ultra Replication or, what is more common, the most expensive class also features replication and HA capabilities, while the most affordable tier might be simply storage without any resiliency or availability guarantee.
Note
This is a favorite option used by public cloud providers in order to make their offer look much more affordable. If one digs deeper into that, it might be discovered that the offered storage is not even persistent.
Compute
Like the other two resources, there are ways to carve out compute resources. This is less common but can be done using vRealize Automation. As described earlier, it either uses a whole vSphere cluster as compute resource or resource pools.
By using resource pools, performance classes could be introduced. This might be very helpful for the business case we are looking at since the app needs to be developed somewhere. And this app development workload should most certainly not influence the production workload.
Therefore, a test/dev resource pool could be added to the available vRealize Automation resources, or a separate test/dev cluster. This highly depends on the volume. In this case, the volume of the app is not known, so the resource needs for test/dev and production are also unknown. The most efficient way would be to use pre-configured resource pools in order to provide flexible but fair resources to the two different workloads.
The definition of these could look like this:
Policy name | Resource pool | Shares | Performance
Production | Prod | 10000 | Unlimited/shares controlled
Development & Test | Test/dev | 2000 | Unlimited/shares controlled
All these vSphere resources can be transformed to resource reservations, which can then be used in vRealize Automation to form the usable infrastructure.
Designing the tenants
One of the built-in functionalities of vRealize Automation is the separation of clients. This is often referred to as multitenancy and describes a logical separation of resources, users, and services.
Smaller organizations often use one single tenant and organize the separation of departments, if applicable, in so-called business groups. Bigger organizations might have the need for a stricter separation and therefore use tenants to separate different subsidiaries from each other. This might be required since all these subsidiaries can have different ADs containing the users.
In the SDDC design, it is necessary to describe these tenants and how they relate to each other. Again, it depends on the business case and the use case driving the SDDC installation. In our example, there might only be one tenant required but multiple business groups, as follows:
- XYZ Corp's tenant, connected to the AD
- Test and dev business group with dedicated resources
- Production business group with dedicated resources
This would fit the business case but is also based on the assumption that all required users are in the same AD or that there is at least a trust between ADs. If that is not the case, another tenant might be required for test and development.
From a security aspect, it is not recommended to separate in tenants; business groups are meant for that purpose. Each tenant comes with its own administration and role-based access structure. The more tenants, the more complex this configuration gets and the more operational effort an SDDC needs. The golden rule is: as few as possible, as many as needed.
Tenants, business groups, and infrastructure fabrics
The tenancy and business group configuration needs to be described in the SDDC design. Sometimes it might be necessary to also give a short explanation of what is what and why it is needed. Like for all other design decisions, it is recommended to link the assumptions, limits, and requirements also to the tenant layout.
This is a sample image with three different tenants and should explain how separation is accomplished in the SDDC.
What is a tenant?
A tenant is a logical separation and can be assigned to an organization. Typically it connects to a specific AD to import user roles and access rights. Each tenant can be connected to a different AD, and these ADs do not have to relate to each other. This is important since it might be that all these organizations also do not relate to each other. A very prominent example of tenants is Coca Cola and Pepsi running in separate tenants but on the same SDDC infrastructure.
Each tenant also has its own tenant admin; this role can define and administer the business groups and assign roles to different users in the tenant. Those roles are as follows:
- Business Group Manager: Is responsible for managing resources and services within the business group as well as user privileges. This role can nominate other users to be a designer, an approval manager, or a simple consumer.
- Fabric admin: Is responsible for taking care of the infrastructure (called fabric) the tenant can access. This role will also take care of the reservations, which are created for each business group. A reservation is a smaller, logically separated part of the available resources for the entire tenant. This is helpful to control how many resources a business group might have access to. Often not all resources are made available, to be able to easily expand if necessary.
- IaaS admin: This role is able to control and provide the so-called infrastructure fabric. The infrastructure fabric is the set of all resources available to the SDDC. This can even include external clouds to enable a hybrid mode, or physical machines. The IaaS admin makes sure that these resources are available and can be used by the fabric admins of the tenants.
What is a business group?
The business group is basically a logical separation within a tenant. It is meant to give different departments in an organization their own space within the tenant. To stay in our example, there might be a Production business group and one for Test and Development.
In the Coke example, the business groups might be "Finance, Development, IT, Legal". However, it is important to design this again according to the business case and to your organizational processes. Business groups should be designed with the same rule in the background as tenants: keep it simple, as much as needed, as few as possible.
Users can be part of multiple business groups and can see and deploy different services as a result of this. A user could be part of Dev & Test and Production and could deploy services in both groups. Services can be assigned to a specific group or to multiple business groups to be available in a global form. This makes sense for default IaaS services like a deployment of a VM including an OS.
What is a fabric group?
This is the logical part of the IaaS fabric a business group can consume. The fabric group is further divided (if applicable) into so-called reservations. As described in the previous image, a business group can hold a reservation for their tenant's fabric group.
As described earlier in our example, these reservations would actually reflect the resource pools previously created in vSphere. However, in vRealize Automation, reservations can be configured at a finer granularity:
- Max number of CPU power and memory can be defined per reservation
- Max number of available storage space can be defined per reservation
- General VM quota (limit) can be defined per reservation
This setting might be important to ensure the flexibility and availability of the SDDC. A quota can make sure that the environment is not brought down by mass deployments. Furthermore, a limit on memory, CPU, and disk can ensure that the physical resources will not be overloaded. In case the limit is reached, it can simply be reset. If a physical resource is fully loaded, it will be more difficult to resolve this condition.
In our example, it is a bit difficult to set a limit since the actual resource usage is not known. Therefore, the design should assume a big reservation providing most of the resources. Also, a flexible approach will be needed in case the deployed services require more resources than originally configured.
What is the infrastructure fabric?
The so-called infrastructure fabric is a combination of all resources available to the SDDC. These resources are attached to vRealize Automation by so-called endpoints. Those endpoints give vRealize Automation direct access to the attached resources. This is a list of default endpoints for cloud and hypervisors:
Infrastructure:
- vCenter
- KVM (REVM)
- Microsoft Hyper-V
Cloud:
- vCloud Air
- vCloud Director
- Amazon Web Services
- Microsoft Azure
- OpenStack
For each of these endpoints, resources can be added to the infrastructure fabric. These can be further used within the reservations of the fabric groups.
There are also resources which might not need or use an endpoint and can still be used. This might include the provisioning of physical servers using an API call. Such services are typically created by using vRealize Orchestrator workflows and will be included in vRealize Automation by using the XaaS functionality.
In this case, no endpoint is needed since vRealize Automation is triggering the workflow in vRealize Orchestrator to actually provision the service. However, with this type of service, it is also required to think about reservation on the workflow/blueprint level, since business group reservations cannot be applied to XaaS services.
The purpose of all this is to describe it in your design and include every decision made in that document. It is also important to briefly describe each functionality and design decision so that it can still be understood if read years later, or by less technically focused people.
What must be included in the design
In a good SDDC design, all configurations and decisions are documented and can be easily defended. It will also include all other components besides vRealize Automation if there are any design decisions made which influence their standard deployment.
If resilience is a requirement, it should be included and described through the entire design. Since an SDDC has quite a lot of moving parts, the design should be the baseline for how they are installed and work together. Finally, the business case should be described at the very beginning of a design. Also, the mapping of constraints, limits and assumptions is important and should be reflected in every design decision.
Also, it will make sense to design a test or development environment at a smaller scale. These environments can be used to rehearse updates or upgrades as well as to develop new services and introduce them to the production environment at a later stage. Especially when it comes to upgrades, the procedure should be tested before doing it in the production environment. In the interest of budget and resources, those environments do not need to be as complex and resilient as production, but they should be as similar as possible in order to get reasonable results. This is an important aspect and should not be underestimated when it comes to the overall design!
What if the vSphere environment is already running?
If an SDDC is created on top of a running vSphere environment, it is important to include the old vSphere design as an attachment. If there are new clusters created to house either payload, edge or even the management, all these changes should be documented as well in an extra section. It is OK to refer to the already created design, but it should be easily understandable.
Tip
A lot of external references to an attachment will distract the reader's flow. Also, it might be difficult to keep the overview if there are a lot of pointers to an external document. Use brief descriptions of the original design and only point to it to make the reader aware that there might be more information available.
Summary
In this chapter, we covered the main principles of a design including some examples. We looked at a fictive business case and learned how its requirements could be translated into a technical SDDC setup. Also, we touched on some important design principles around assumptions, constraints, and limits, and got a glimpse of what vRealize Automation might have to offer.
The next chapter will provide deep dive knowledge regarding vRealize Automation and further discuss its possibilities and functionalities. Beginning with tips for its installation, it will highlight how to realize service deployments, approval workflows, as well as external process integration. Also, service definitions called blueprints will play a big part.
Chapter 5. VMware vRealize Automation
The CMP of the SDDC is one of the most important components in the entire installation. It is the first point of interaction for users, admins, and even applications if they order/request new services. Also, it needs to be easy to consume, quick, and scalable, as well as responsive and intuitive to use. In a VMware SDDC, this tool is called vRealize Automation (vRA) and it tries to combine all of these assets into a single portal. Also, behind the curtain, it needs to fulfill several other requirements such as multitenancy as well as business and technical approvals for service requests and their policy-based placement.
Another strong deliverable of a self-service portal or a CMP is the abstraction of complex tasks into simple requestable services which do not require any technical skills from the user. Think of it like your organization's App Store, which simply enables the deployment of complex and less complex applications. All the user has to do is click on an icon and provide minimal input, and the service gets deployed automatically.
Besides that, vRA might also work as a cloud broker, where services can not only be deployed on premises, they can also be deployed on one of the various public cloud offerings. All this can be controlled and enabled by configuring vRA according to the design and use case you identified for your organization. Since there is a lot of customization and configuration which can be done using vRA, it is recommended to stick to the created design for the initial configuration to not get lost in all the options.
This chapter will explain the most important options and configurations for vRA in an SDDC environment. Also, it will further explain settings and configuration based on the identified use case from earlier chapters.
The following points will be covered:
- Installation tips and tricks
- Description of vRA concepts
- Configuration examples
vRA installation
In vRA version 7, VMware made the installation one of the simplest in the history of the tool. Before that, it was not a simple installation. Sometimes even VMware Professional Services Organization took more than a day to install the tool. Thanks to the engineering effort VMware put into the shiny and new installation routine, this can be accomplished in a couple of hours, depending on the chosen setup (small lab or enterprise).
The very nice thing about the new installer is that it guides the admin through all the steps and events, and provides a controlled way of rolling back after an error by using VMware snapshots. Just follow the suggested procedure of the installer and there should be no bad surprises.
First things first
To get started, vRA needs to be downloaded (the vApp) from VMware. The vApp can then be imported into the separate vSphere management cluster. The import will bring up a configuration wizard where the most important specs for the deployment need to be put in:
- IP address
- Admin password
- DNS name
- Default gateway
- Search domain
Note
Before the deployment of the vRA appliance(s), the DNS should be set up. Name resolution is very important for this tool and can make the difference between success and failure. It is very important to check both forward and reverse lookup before proceeding.
Based on the chosen setup, vRA will need one or more Windows VMs to deploy the DEM and IaaS components into. It is recommended that these VMs also get provisioned up front to be ready to use once the vRA vApp has been fully deployed. Besides the very straightforward setup guide, VMware also renewed the installation guide for vRA to cover all the necessary steps to make sure that vRA gets deployed successfully. In the case of enterprise deployment, additional configuration outside of vRA is required to be able to use this deployment; this mainly includes the configuration of the load balancer for the IaaS, DEMs, as well as for the vRA instances themselves.
The IaaS server(s) need a Microsoft SQL database to work properly: either a separate database instance or at least a database registered on an existing MSSQL server. The vRA installation wizard will take care of setting up the database including the required data schema.
Note
Every Windows VM in the vRA ecosystem needs to have MSDTC enabled/installed in order to function properly. Sometimes it is required to reregister/reinstall this on the DEM workers or on the SQL database:
1. Open an administrator command prompt.
2. Run the following command: msdtc -uninstall.
3. Reboot the virtual machine.
4. Open a separate command prompt and run the following command: msdtc -install <manager-service-host> (manager service host is optional).
Once everything is prepared, the deployment can begin. From this point on, it will be guided and should be followed closely until the validation step.
To get the installation started, a web browser is needed to access the newly deployed vRA vApp.
Note
To access the vRA 7 web installer, open a browser and connect to the freshly installed vRA appliance using this format: https://vra-a.yourdomain.local:5480
This will open the vRA appliance web configuration, which will start guiding you through the further installation. In order to assist with the configuration of the Windows VMs/components, the agent needs to be downloaded from the vRA vApp and it needs to be installed on all participating vRA Windows VMs. This ensures that vRA can configure and install missing products using the agent right at the moment of setting up the portal, pretty neat.
Note
Take note of all names and configurations provided during the setup. Some of them will be required afterward to set up vRA correctly. One important name to write down is the vCenter endpoint name. It will be set up at the DEM worker config. The DEM will have a text field to enter the name (the default is vCenter). This name is required to add the endpoint later to vRA. It cannot be retrieved from the DEM once it has been set. If this name is wrong, vRA cannot successfully add the endpoint!
If vRA finds missing configuration and pieces on the Windows VMs, it will provide an option to fix these. This is a very handy function to prevent connecting to each Windows VM and doing it manually. Mostly, it works fine and adds the missing configuration/roles/tools directly to the Windows VMs.
Once all this is settled and solved, the setup will suggest making a snapshot of all components (vRA appliance(s) as well as all involved Windows VMs). It is highly recommended to follow this instruction for all components. The snapshot will be used as a rollback option in case something has gone wrong with the setup. If this is not done at this point, the entire setup has to be revisited.
Advanced installation configuration
Once all components have been successfully set up, it is time to create the other necessary configuration for the components. In the case of a simple lab deployment, nothing else has to be done here. In the case of an enterprise deployment, the load balancer for the DEMs, IaaS, and for the vRA appliance VMs has to be configured properly.
This is required, since the user should only have one unified URL to use, no matter whether vRA-a or vRA-b is serving its request. The application itself is cluster-aware, so no OS cluster has to be created; this includes the Windows components as well. However, the SQL database required for vRA should also be clustered using Microsoft best practices. Refer to your SQL database admins or the Microsoft documentation for more info on SQL clusters.
The configuration of the load balancer is well documented by VMware and would be too much to be described in detail here. The actual documentation for vRA 7, including the load balancer configuration, can be found at the VMware support site.
Tip
Load balancer white paper: http://pubs.vmware.com/vra-70/topic/com.vmware.ICbase/PDF/vrealize-automation-70-load-balancing.pdf
After everything has been set up and checked, be sure to remove the snapshots from the VMs. At this stage, vRA will be fully functional from a portal point of view and is ready to be configured for the first time.
Once the setup is complete, the system will tell you that there is a special user to log on to vRA named configurationadmin, using the password provided earlier in the installation wizard. This user will be the first step of configuring vRA; even for that, there is an automation VMware is offering right in the freshly installed portal.
Logging on to the system with that user will bring up a vRA portal and there will be one service under Catalog which will automate the setup and configuration of the first or default tenant of vRA. Even this step can now be done with a few simple clicks if desired. It is as simple as running the service, putting in all the necessary information, and waiting for vRA to complete configuring itself. However, although this is very handy, it is highly recommended to first understand the principles in case anything has to be altered or added manually.
vRA concepts
If this is the first encounter with the tool, it will throw a lot of new terms at administrators, yet to be understood. While it follows VMware's methodology and naming conventions, there are a couple of things which are not used by any other tool in the VMware ecosystem.
vRA's little helper
Besides the portal itself, vRA requires some helper services to actually get things done in the underlying environment. During the setup, those are configured and aligned to work together with vRA to be able to automate the underlying infrastructure.
DEM
DEM is sometimes also referred to as the manager service. Basically, this component is connecting vRA to possible deployment targets for VMs. This can be vCenter (as suggested during the wizard-driven installation for vRA) but it can also be other hypervisor targets such as Hyper-V or KVM. Besides that, vRA will also be able to connect to external clouds such as Amazon Web Services (AWS), vCloud Air (VMware), and Microsoft Azure, as well as OpenStack installations. Most of these targets need to have a DEM worker configured to access them. This configuration can either be added to an existing DEM, or a new DEM can be deployed for these targets.
Note
There are also so-called DEM workers which should always be installed on separate VMs. Use at least two DEM workers for a production-grade environment.
The IaaS server
Basically, this is the web server component of vRA, which provides the portal as well as its basic functionality. In small environments, it can be installed together with the DEM on the same VM/OS. In enterprise environments, it is typically installed as a separate VM. The IIS configuration is done by the vRA setup routine, which takes care that all required functions for the portal are available.
vRealize Orchestrator
vRealize Orchestrator is one of the most important components in a vRA setup. The vRA self-configuration service is basically a vRO workflow, which is added as a so-called XaaS service to the freshly installed vRA. Anything as a Service (XaaS) basically means that anything which can be automated can be a requestable service in vRA. vRO is included in the vRA appliance or can be run separately as its own vApp. In large environments, it makes sense to separate vRO from vRA to share the load of the tools. vRO can also be installed in an HA setup and sync its content to multiple vRO tiers.
The Infrastructure tab
Under this tab, vRA offers the infrastructure options and configurations. Depending on the user role, it will display more or fewer options to be configured. The Infrastructure tab will cover everything which has to do with the available resources, whether they are physical or cloud resources.
Endpoints
An endpoint is an infrastructure target on which vRA can deploy VMs. The first and most important endpoint will be vCenter. The endpoint name has to be exactly the same as the one provided to the DEM during its setup. This means the name will also be case-sensitive. vRA can have multiple endpoints including clouds as well as other hypervisors. Endpoints will actually form the so-called infrastructure fabric from which resources can be cut out in the form of reservations and offered to portal users.
Compute Resources
Either by highlighting an endpoint and hovering over the arrow symbol or by clicking on the Resources menu in the left-hand pane, the portal will display all currently discovered resources. In terms of vCenter, these will be vSphere clusters, including their storage configuration such as datastores or even datastore clusters. In this menu, resources from an endpoint can also be excluded.
This especially makes sense if the management cluster is part of the same vCenter, but should never show up as a resource available to end users in vRA. In this case, it can simply be deselected by unticking the box.
Reservations
This handles the reserved capacity for a tenant/business group based on the actual available resources. For example, not all resources from the cluster might be made available for a given audience:
- Resources: Cluster has 4 TB of memory, 20 TB of datastores, and 120 GHz of CPU available
- Reservation: Cluster has 2 TB of memory, 5 TB of datastores, and 70 GHz of CPU available
This reservation will be enforced by vRA and is unknown to vSphere or vCenter. Also, it has nothing to do with resource pool reservations. However, a vSphere resource pool can also be chosen as a provider instead of an entire cluster. The idea of a reservation is to guarantee a select part of the infrastructure fabric without exposing all of its capabilities. Reservations can be dynamically increased and shrunk.
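The following sketch models the admission check that such a reservation implies, using the cluster and reservation figures above. It is an added example, not vRA code: the class and function names, the per-VM sizes and the machine quota of 40 are assumptions made for illustration.

```python
from dataclasses import dataclass

DIMENSIONS = ("memory_gb", "storage_gb", "cpu_mhz")


@dataclass(frozen=True)
class Capacity:
    """Memory (GB), datastore space (GB) and CPU (MHz)."""
    memory_gb: int
    storage_gb: int
    cpu_mhz: int

    def plus(self, other):
        return Capacity(*(getattr(self, d) + getattr(other, d) for d in DIMENSIONS))

    def over(self, limit):
        """Names of the dimensions in which self is larger than limit."""
        return [d for d in DIMENSIONS if getattr(self, d) > getattr(limit, d)]


# Figures from the text: what the cluster has, and what the reservation exposes.
CLUSTER = Capacity(memory_gb=4096, storage_gb=20480, cpu_mhz=120000)
RESERVED = Capacity(memory_gb=2048, storage_gb=5120, cpu_mhz=70000)


class Reservation:
    """Hypothetical model of one reservation; not a vRA API."""

    def __init__(self, name, limit, machine_quota):
        self.name = name
        self.limit = limit
        self.machine_quota = machine_quota  # general VM quota (assumed value)
        self.used = Capacity(0, 0, 0)
        self.machines = 0

    def admit(self, vm):
        """Book the VM and return [] if it fits, else the reasons it was refused."""
        reasons = []
        if self.machines + 1 > self.machine_quota:
            reasons.append("machine quota")
        reasons += self.used.plus(vm).over(self.limit)
        if not reasons:
            self.used = self.used.plus(vm)
            self.machines += 1
        return reasons

    def resize(self, new_limit, cluster):
        """Grow or shrink the limit; never past the cluster or below current use."""
        if new_limit.over(cluster):
            raise ValueError("reservation would exceed the physical cluster")
        if self.used.over(new_limit):
            raise ValueError("reservation would be smaller than what is in use")
        self.limit = new_limit


def mass_deploy(reservation, vm, count):
    """Request `count` identical VMs; stop at the first refusal."""
    for placed in range(count):
        reasons = reservation.admit(vm)
        if reasons:
            return placed, reasons
    return count, []


if __name__ == "__main__":
    prod = Reservation("Prod", RESERVED, machine_quota=40)
    vm = Capacity(memory_gb=16, storage_gb=100, cpu_mhz=2000)  # assumed VM size
    print("first wave :", mass_deploy(prod, vm, 100))
    # Raising the CPU limit is the "simply reset" case; the quota still applies.
    prod.resize(Capacity(2048, 5120, 100000), CLUSTER)
    print("after raise:", mass_deploy(prod, vm, 100))
```

The mass request stops at the reservation's CPU limit well before the physical cluster is touched, and after the limit is raised the VM quota becomes the next stop.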
Managed Machines
Under this option, vRA will list all currently managed VMs deployed using the portal (or imported). This is especially useful since not all users will see all VMs deployed; they will only see their own VMs. If there is an incident to analyze, an administrator with the appropriate role assigned could use this to trace whether vRA is able to reach the VM. Besides that, it will also list the owner and the state of all deployed and currently managed VMs for quick identification.
The Administration tab
Under this tab, vRA provides global and/or tenant-related administration options depending on the user's role. These options control the global configuration of a tenant. This includes connecting to an AD, defining default hostnames, and configuring business groups, as well as other settings.
Approval Policies
Approvals are important to keep an automated data center clean and structured. If everything was free and instant to deploy without approvals, users would keep creating machines until the data center eventually ran out of space. There are also process and regulatory reasons to have approval policies. This menu will allow approvals to be defined based on various different conditions.
Approvers can be defined by username or group; additionally, vRA can try to fetch the manager of a requesting user right from AD.
Approvals are divided into two major groups: preapprovals and postapprovals. Preapprovals are run before a request is processed. There will be no provisioning until the request has been approved.
Postapprovals are issued after the request has been processed. If the approver denies the request, all provisioned resources will be deleted instantly. Both can be used at the same time. There are scenarios where it makes sense to use both types of approval.
If the technical approver needs to ensure that a request can be fulfilled technically or capacity-wise, it will make sense to add this as a preapproval. If there is a financial decision-maker who needs to approve the use of resources, it might make sense to do this after the resource has been provisioned. By doing that, it will be instantly available to the user/group after it has been approved.
Finally, approvals can be set on many different actions and items in vRA, from creating snapshots to deploying machines, all the way to destroying a deployment. All these actions can have different approval rules as well as different approvers.
Not only can the different categories be approved, but approvals can also be set based on conditions. For example:
- 2 vCPU and 4 GB RAM requires a technical preapproval
- The service has been requested two times instead of one
- The service is exceeding a certain cost limit
- The service is coming from a distinct user or group
Also, a configuration is possible where all approvers need to approve, or any approver can do this.
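The preapproval and postapproval behaviour described above, together with the "any approver" and "all approvers" modes, can be modelled as a small state machine. This is an added example and not vRA's own logic: the policy names, approver names, the cost limit of 500 and the reading of "2 vCPU and 4 GB RAM" as "at least" are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    group: str
    vcpu: int
    ram_gb: int
    instances: int
    monthly_cost: int


@dataclass(frozen=True)
class Policy:
    name: str
    phase: str                          # "pre" or "post"
    applies: Callable[[Request], bool]  # condition that triggers the approval
    approvers: Tuple[str, ...]
    mode: str                           # "any" or "all"


# Constructed policy set mirroring the example conditions in the text.
POLICIES = [
    Policy("tech-size", "pre", lambda r: r.vcpu >= 2 and r.ram_gb >= 4,
           ("tech1", "tech2"), "any"),
    Policy("repeat-order", "pre", lambda r: r.instances > 1, ("tech1",), "all"),
    Policy("cost-limit", "post", lambda r: r.monthly_cost > 500,
           ("finance1", "finance2"), "all"),
]


def decide(policy, decisions):
    """decisions maps approver -> True/False; a missing entry means no answer yet."""
    votes = [decisions.get(a) for a in policy.approvers]
    if policy.mode == "any":
        if True in votes:
            return "approved"
        return "waiting" if None in votes else "denied"
    if False in votes:
        return "denied"
    return "waiting" if None in votes else "approved"


def process(request, policies, decisions):
    """Return (final_state, audit_log) for one request."""
    log = []
    for phase in ("pre", "post"):
        if phase == "post":
            log.append("provisioned")   # resources exist from here on
        for policy in policies:
            if policy.phase != phase or not policy.applies(request):
                continue
            outcome = decide(policy, decisions)
            log.append(f"{phase}:{policy.name}:{outcome}")
            if outcome == "approved":
                continue
            if phase == "pre":          # nothing has been provisioned yet
                return ("rejected" if outcome == "denied" else "waiting-pre"), log
            if outcome == "denied":     # postapproval denied: resources are deleted
                log.append("destroyed")
                return "destroyed", log
            return "waiting-post", log  # provisioned, not yet handed to the user
    return "available", log


if __name__ == "__main__":
    big = Request("u2", "prod", vcpu=2, ram_gb=4, instances=1, monthly_cost=800)
    votes = {"tech2": True, "finance1": True, "finance2": False}
    print(process(big, POLICIES, votes))
```

The audit log makes the design trade-off visible: with a postapproval, resources exist between "provisioned" and the decision, so a denial has to clean up rather than merely refuse.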
Directories Management
This setting ensures that vRA can be added to a user directory such as Microsoft Active Directory. It is used to browse users and grant access to certain vRA functionalities. Directory access can be set on a per-tenant basis, which means that every tenant can be connected to a different user directory. This ensures that separate organizations can use their own user directory and do not have to duplicate this data into any local portal user directory.
Here all the users and groups get matched to vRA's role-based access model. There are separate roles in the system, from a simple user to a designer, as well as a tenant admin. According to the role, they can accomplish different tasks in vRA:
User | Role
System administrator (Does not follow the multitenancy concept) | This role typically owns the entire configuration. It will ensure that new tenants are created and that new users get assigned to these tenants as tenant administrator.
IaaS administrator (Does not follow the multitenancy concept) | This role takes care of all the attached resources such as cloud, vSphere, network, and so on, and will organize them into tenant-level fabric groups. These can then be pointed toward fabric administrators.
Tenant administrator (Does not follow entirely the multitenancy concept) | Typically, this role is close to the business. It is responsible for configuring the tenant, including its branding, as well as adding tenant users and group management. Also, resource usage can be tracked by the tenant administrator, who can then use this data to trigger a resource reclamation request.
Fabric administrator | Responsible for the management of physical machines and compute resources assigned to their fabric groups. They also take care of the creation and management of reservations and policies within their tenant. Additionally, they manage property groups as well as the machine prefixes and the property dictionary that are used across all tenants and business groups.
Blueprint architect (Does not follow entirely the multitenancy concept) | This role can create blueprints designed for the consumer to be requested through the service catalog. Typically, this role is assigned to IT architects within an organization.
Catalog administrator | Manages the service catalogs and also decides the new services.
Approval administrator | Manages approval policies. These can be added to catalogs and define what a requestor can order with or without an approval.
Approver | Can approve catalog requests from other users.
Business group manager | Manages one or more so-called business groups. As part of this, they can entitle users or groups in their tenant/business group to service catalogs. Also, they can request and manage items on behalf of the users in their business group.
Support user | They can request and manage catalog items on behalf of other users in their group. Typically fulfilled by support administrators as well as operators.
Business user | This is the typical consumer role. They can request services from a catalog and manage those provisioned resources in the portal.
Of course, these roles can be combined as well. There are some notable side effects when combining, so this feature should be used with care. One side effect is that if the fabric administrator role is combined with a system-wide role such as IaaS administrator, it can control all the fabric items for ALL tenants in the system. System-wide roles are marked with "Does not follow the multitenancy concept" in this table for better understanding.
Tip
The blueprint architect role can see assets even if they are not part of the tenant it is located in. In detail, a blueprint architect can see all reservation policies, storage reservation policies, network profiles, machine prefixes, property dictionary as well as build profiles. Again, they cannot tamper with assets not belonging to their tenant, but they have a sort of read-all ability. This is why this role does not follow the multitenancy concept entirely.
The tenant administrator role has a similar capability if a fabric group is shared among different tenants. Even though each tenant has its own reservations, the tenant administrator can see the reservations of the other tenants. Again, it is read-only, but it is revealed nonetheless.
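A design review can check role assignments against exactly these side effects. The audit below is an added example, not a vRA feature or export format: the assignment tuples, user names, tenant names and fabric group names are constructed, and the three rules encode only what the table and the tip above state.

```python
from collections import defaultdict

# Scope notes copied from the role table above.
SYSTEM_WIDE = {"System administrator", "IaaS administrator"}

# Constructed sample: (user, tenant, role). System-wide roles carry no tenant.
ASSIGNMENTS = [
    ("alice", None, "IaaS administrator"),
    ("alice", "xyz", "Fabric administrator"),
    ("bob", "xyz", "Blueprint architect"),
    ("carol", "xyz", "Business user"),
    ("dave", "xyz", "Tenant administrator"),
    ("erin", "abc", "Tenant administrator"),
    ("frank", "lab", "Tenant administrator"),
    ("grace", "lab", "Fabric administrator"),
]

# Constructed sample: fabric group -> tenants holding reservations in it.
FABRIC_GROUPS = {"fg-shared": {"xyz", "abc"}, "fg-lab": {"lab"}}


def audit(assignments, fabric_groups):
    """Return (user, kind, reason) findings, sorted by user.

    kind is "CONTROL" for write access across tenants and "READ" for
    read-only visibility into other tenants' assets.
    """
    roles = defaultdict(set)      # user -> roles held anywhere
    admin_of = defaultdict(set)   # user -> tenants administered
    for user, tenant, role in assignments:
        roles[user].add(role)
        if role == "Tenant administrator":
            admin_of[user].add(tenant)

    # Tenants that share at least one fabric group with another tenant.
    shared = set()
    for tenants in fabric_groups.values():
        if len(tenants) > 1:
            shared |= tenants

    findings = []
    for user in sorted(roles):
        held = roles[user]
        system = sorted(held & SYSTEM_WIDE)
        if "Fabric administrator" in held and system:
            findings.append((user, "CONTROL",
                             "fabric administrator combined with "
                             + ", ".join(system)
                             + ": controls fabric items for all tenants"))
        if "Blueprint architect" in held:
            findings.append((user, "READ",
                             "blueprint architect: can read reservation "
                             "policies, network profiles and prefixes of "
                             "other tenants"))
        exposed = sorted(admin_of[user] & shared)
        if exposed:
            findings.append((user, "READ",
                             "tenant administrator of " + ", ".join(exposed)
                             + " on a shared fabric group: can see other "
                             "tenants' reservations"))
    return findings


if __name__ == "__main__":
    for user, kind, reason in audit(ASSIGNMENTS, FABRIC_GROUPS):
        print(f"{kind:8}{user:8}{reason}")
```

Tenant "lab" produces no findings because its fabric group is not shared and its fabric administrator holds no system-wide role.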
Catalog Management
vRA organizes services in so-called catalogs. They can be seen as categories and therefore hold many services of a kind. Catalogs are useful to organize the service offerings, but also to give the right users or groups access to their services. Instead of entitling each and every service, the whole catalog can be entitled.
Categories of catalogs may be:
- Infrastructure as a Service: OS deployments of VMs or multiple VMs will be added to this catalog
- Platform as a Service: Application deployments including OS deployments will be available under this catalog
- Directory services: If there is any AD self-service for users, this might be shown here
Property Dictionary
vRA maintains a dictionary of properties. Those can be used as inputs for the services. Typically, properties hold information which is required for pre- or postprocessing of service requests. This information can be used to run a vRO workflow once the VM is deployed, or to add a custom hostname during provisioning. Also, they can be used to instruct the vRA agent, also referred to as the Guest Agent, to run certain scripts after the VM deployment. All usable vRA built-in properties and their meaning can be found in the vRA installation documentation from VMware. It is highly recommended to make yourself familiar with those in order to use the full potential of vRA.
Additionally, properties can also be user-defined to ask for specific settings to be used in vRealize Orchestrator workflows. It is recommended to use a unique preset to quickly identify custom properties; this also helps to prevent using system-wide properties instead of custom ones.
Click on Property Definitions to define custom properties. Also, a property group needs to be defined in order to use custom properties in blueprints. This is just a logical container to which multiple custom properties can be added.
Reclamation
This is basically the functionality to reclaim so-called wasted space from the environment. If vRealize Operations is used, it can be connected to this service and will deliver data and suggestions on VMs which can be reclaimed. A reclamation request can be started at this menu based on the data provided. If vRealize Operations is not used, vRA will use its own algorithm to display reclaimable VMs.
Branding
For a tenant admin, this is where the look and feel of the portal can be changed to support any customer identity. Colors, logos, and text, as well as the login screen and even a logon box can be customized to fully blend into an organizational environment. These customizations can be done per tenant.
Notifications
Under this menu, mail servers for inside and outside notifications can be set up. vRA will send e-mails to users for all kinds of events. Typically, those include the expiration of a service, or if something is not going as it should. The servers and the e-mail account to use for these mailings can be set here. Also, under the Scenarios submenu, all the notification actions can be activated or suspended. This is especially important if approvals should also work with e-mail replies; therefore, this setting should be configured very carefully.
Events
This can be used to display event logs of vRA. In this list view, all vRA events are displayed plus additional content. It can be seen as the audit trail of the entire cloud portal. It is useful to analyze or troubleshoot user requests.
The second menu is called Subscriptions and contains a very powerful option of vRA 7. In previous versions, VM provisioning could be tweaked by adding so-called workflow stubs. These stubs are bound to specific VM deployment states such as preapproval, postapproval, provisioning, or deleting. These workflow stubs were used to add third-party system functionality such as IPAM functionality or implementing a backup workflow.
However, in vRA 7, these workflow stubs have been replaced with so-called subscriptions. These are more flexible and can be added more easily than workflow stubs, since vRA can decide to run them based on a series of criteria which the user can set. These can also include custom properties, which makes it even easier to run customization workflows during a VM deployment.
vRO configuration
This is the part where the vRealize Orchestrator interface is set up. Under Server Configuration, it can be decided to use an external vRO instead of the built-in vRO server. In large environments, it is recommended to have at least one external vRO server for executing all the necessary customization workflows. Also, if vRO is already used for daily automation in an environment, it makes a lot of sense to use the same one for the cloud automation.
Tip
The embedded vRO comes with a series of plugins already set up. These are necessary to use all features of vRA 7 integration, such as NSX. If all these plugins need to be transferred to the external vRO, there is a simple trick for downloading them:
1. Open WinSCP or another SCP copy tool of your choice.
2. Connect to the vRA appliance using user root and your chosen password.
3. Navigate to the following directory: /usr/lib/vco/app-server/plugins.
4. All plugin .dar files can now be downloaded and imported into the external vRO.
vRA concepts
Some of the vRA concepts have already been addressed in Chapter 4, SDDC Design Considerations. However, there are a few concepts of vRA which are critical to understand in order to create a sound configuration of the portal and its functionalities. The most important concept is the service concept. It can be seen as the central point of vRA and therefore should be well understood.
vRA organizes deployments in so-called services and service catalogs. A service is far more than just one VM; it can consist of various different constructs. However, a service always starts with a blueprint.
As a Service synonyms
In the cloud space, there are many as a Service definitions around. Unfortunately, not all of them mean the same thing, even if they use the same acronym. This is a list of the most popular and most used acronyms and how they are translated into vRA.
IaaS
Infrastructure as a Service (IaaS) is probably the most popular cloud abbreviation. Normally, if organizations refer to IaaS, they mean simple deployments such as a single VM with or without an operating system installed, or a bare metal deployment, also with an operating system installed. It should cover all configuration and installation steps for those deployments until it can be fully used by an end user. In most cases, this is the simplest way to start with automation, even though there are hidden caveats with this method.
However, this is the most standard term, since it always means to provision some infrastructure-related services per a user's request.
In vRA 7, IaaS is often reflected using VM templates to clone new VMs. However, some organizations prefer to use PXE boot environments in order to deploy VMs and keep using their legacy processes. This can be important in combination with third-party application installation frameworks such as Puppet or Salt.
PaaS
Platform as a Service (PaaS). This term is probably the most misused term in regards to cloud computing. The problem is, a platform is not a well-described asset. It can be a lot of things and therefore the abbreviation is used for all different cases where vendors or organizations think it might be a good fit. Especially in the DevOps world, this term has an entirely different meaning from a technology point of view.
Here are a few examples where PaaS might be used:
A service deployment contains the OS as well as the application layer for multiple VMs
A service deployment creates a VM including OS and SQL-DB configuration, ready for other VMs connecting to the DB
A service deployment creates an entire Java development environment
A platform which runs a Java environment, ready to run .jar packages on demand
A platform which runs a Java environment including even No-SQL DBs and all other necessary components to run Java programs
Tip
To avoid a lost in translation issue with PaaS, it is always recommended to understand the expectations as well as the use case. Once these are clear, the mutual understanding of PaaS might be clear as well.
In vRA, currently, PaaS is executed as application installation on demand using application automation services.
XaaS
XaaS is basically a VMware definition. The meaning of this is to underline the advanced functionalities of vRA in conjunction with vRealize Orchestrator. Anything can basically run as a workflow on Orchestrator and therefore can be brought into vRealize as a XaaS blueprint.
vRA has its own menu section to define XaaS. The work itself is done by vRO, which means that the workflow must also be pre-existing to be included in vRA.
Everything with an API can be automated and turned into a requestable XaaS in vRA's service catalog. That can start with an AD add-on function such as adding new users, all the way to calling non-VMware hardware to start up/install an OS.
In vRA, XaaS is used to directly include and request vRO workflows in the portal.
Blueprints
In vRA, blueprints are the building plans of services. Basically, they can be seen as templates for VM deployments. However, they can contain far more than just VMs to deploy. A complex blueprint can deploy VMs, networks, security settings, and firewall rules, as well as load balancers and more.
In vRA 7, VMware has introduced a brand-new blueprint designer. This designer is also known as the Converged Blueprint Designer and combines a fantastic new feature of vRA 7, multi-endpoint blueprints. In the past, it was not possible to have blueprints deploying machines or services in different infrastructure fabrics. Each blueprint was locked to an endpoint in vRA. In order to achieve that, there was a separate module called application automation where different vRA blueprints could form an application blueprint which would have that possibility.
However, in vRA IaaS, without the application automation component, that meant that if a blueprint was made for vSphere, it could not be used for AWS or Hyper-V or any other endpoint.
In vRA 7, VMware decided to work around that limitation by also allowing IaaS blueprints that include multiple different targets. So even an IaaS blueprint with two VMs can now be deployed on, for example, vCloud Air and vCenter at the same time. It will be presented in the portal as a single service.
However, for single VMs, the limitation still exists and users might see a portal where there are three different Windows VMs: one for vSphere, one for AWS, and one for vCloud Air, for example.
To ease the whole process, though, VMware decided to create the Converged Blueprint Designer, which can combine different endpoint targets as well as application automation tasks:
VMware typically has different categories for services or blueprints in vRA. Each of these categories refers to a very different type as well as covering different functionality and use cases.
Single machine blueprints
This is the easiest blueprint configuration. As the name implies, it refers to a single machine plus the necessary addition such as a network. The quickest way to provision a virtual machine is using vCenter templates in the blueprint. However, vRA 7 supports many other possibilities such as WIM (Windows image file) and Kickstart, as well as using an external vRO workflow for machine provisioning. It depends on the processes and standards required to provision VMs. Whatever method may be preferred, a blueprint in vRA can be configured to use this method and automate all the steps. Even though it might be a relatively slow network installation, the added automation will still enhance the overall process.
Multimachine blueprints
Similar to single machine blueprints, they can have a different deployment method. The main difference is they can have a different deployment method per VM used in the blueprint. If some VMs might end up on a cloud while others might be deployed internally, they can and must have different deployment methods. All this can be configured in a unified blueprint by using the editor.
If VMs should be provisioned outside of vCenter, it is important to make sure that the chosen provisioning method is already working. For instance, if cloning from a template is chosen for vCloud Air, the template should be already configured and ready in vCloud Air. The same is true for vCenter and other endpoints, of course.
If the provisioning method is set, the graphical editor can also be used to set the order in which the VMs are going to be provisioned. This might be important if software components are installed on the machines as well. To define this, the graphical designer has a function to draw an arrow from the dependent machine to the component/machine it depends on. This can be done by clicking on the little round icon appearing in the upper-left corner of the VM.
The dependent machine will be deployed after the component it depends on is fully available. In the following figure, the AWS machine will be deployed after the vSphere machine is up and running:
Application automation
Before vRA 7, application automation was a separate service, running on a separate virtual appliance. Blueprints had to be linked with this service, which then could use this link to provide a GUI to manage and install additional applications. This has now been merged into the general blueprint design in vRA 7.
The heading Software Components under Categories in the top-left corner contains predefined software installments, ready to be used in blueprints. Before they can be selected there, they have to be set up in vRA 7.
These are the steps to set up a software component:
1. Open the vRA portal either as configuration admin or as another user with an appropriate role.
2. Click on the Design tab and then on Software Components.
3. Click on the New button to add a new component.
4. Give a descriptive name (ID gets auto-generated from the name).
5. Select the container type, for example, Machine.
6. Provide properties if necessary, for example, database name, username, password, and so on.
7. Under 3. Actions, provide the necessary installation actions. These can be either Install, Configure, Start, or Uninstall. All of these can use either a Bash, PowerShell, or CMD script, depending on the software and OS it should run on. Typically, the installation script also downloads the software source package.
8. Review the newly added software component and click Finish to save it.
9. In order to be usable by blueprint architects, it must be published. This is done by selecting it and clicking on the Publish button.
The container type defines what vRA will allow to be done with this application. Furthermore, it tells the GUI where and how the software component can be used. There are three different types available in vRA:
Machine component: This means the software can be installed on a machine only. It is not possible to install this software on top of other software installments.
Software component: In this case, the software is meant to be installed on other, already running software components, for instance, a web server setup on top of an already installed Apache Web Server.
Named software component: This allows one of the already defined components to be picked. This software would then be an addition/installment only for this component. This can be, for example, a Java program to be installed on top of the basic but specific Java installation.
Tip
If there is no software component defined yet, only two options will display - Machine Component and Software Component, since the Named Software component needs to be present before it can be selected.
Typically, the scripts used for the actions are pre-existing for the selected software. The application team may already use these scripts to conduct unattended installations. To ease the reuse of these scripts, vRA supports the most used scripting languages, such as PowerShell, Bash, and CMD.
Sample configurations
This section will describe how to configure a blueprint, add it to a service catalog, and make it orderable for users in a given business group. It will cover the following points in greater detail:
Creating and preparing a template in vCenter to be used for a blueprint
Creating a network pool to be used with a pre-existing VLAN
Creating a set of properties to be used with the blueprint
Creating an IaaS blueprint for a VM
Publishing the service for a given business group (entitlements)
Template preparation in vCenter
Before the blueprint can rely on the template, a few things have to be checked in vCenter in order to make it a successful and straightforward deployment. Here is a list of things which should be considered for the template:
The most recent VMware tools should be installed in the template
The vRA Guest Agent should be installed successfully in the template
If it is a Windows template, it should NOT be part of a domain (only a workgroup)
For Windows or Linux VMs, there should be a valid customization specification available in vSphere.
The template should have a limited size, for example, 40 GB for Windows Server 2012 - with one disk. Of course, this depends also on processes, standards, and policies from the organization.
All necessary software which can and should be pre-fitted is already installed (for example, AV scanner, backup client, and so on)
The part with the customization specification is possibly one of the most important. Especially for Windows VM Clones, it is important to have this ready for vRA. This will be used with every deployment and ensure that all Windows VMs are correctly activated and added to the domain if necessary.
However, also for Linux, those specification settings are important, since they take care of resetting the interface configuration (ifcfg) files to ensure the network comes up correctly. A detailed instruction on how to set up a specification setting can be found in the VMware vSphere documentation.
Tip
Make sure to note the name of the specification; vRA will reference it by the name only, which is of course also case-sensitive.
Creating a network pool
Network pools are required to attach the deployed VM to a pre-existing LAN environment. Typically, they describe a port group on vSphere. However, it is recommended to either name them identically to the port group they attach to, or at least easily identifiable.
Network pools can additionally contain reserved IP addresses. In a sense, vRA delivers a poor man's IPAM where a block of IPs can be reserved for vRA and every time a VM is deployed it will get an IP out of this list. This is typically used in legacy environments without NSX possibilities.
Also, the use of an external DHCP is supported; in this case, no IPs are reserved and the VMs are just deployed relying on the external DHCP to deliver an IP address. Also, it is possible to integrate an IPAM service using vRO workflows.
In vRA 7.2, the Infoblox integration works out of the box:
To create a network, please follow these steps:
1. Open vRA and log on with a privileged user (at least tenant admin).
2. Click on Infrastructure and then on Network Profiles.
3. Click the New button and select External.
4. Provide a descriptive name - best practice is to include the VLAN ID if any.
5. Provide the VLAN as well as subnet information for the pool.
6. Click on IP Range and enter a valid IP range for your network, for example, 192.168.0.2 - 192.168.0.250.
7. Save the configuration.
Before continuing, ensure that the newly created network pool is associated with a vSphere port group under the Infrastructure | Reservations tab:
8. Click on the Infrastructure tab.
9. Click on Reservations in the left-hand menu.
10. Choose the reservation regarding your tenant.
11. Click on the Network tab.
12. Check the network path (VDS port group) which relates to the created network profile.
13. Choose the Network Profile in the drop-down list.
14. Click OK to save the configuration.
Creating a set of properties
As described, properties will be useful to integrate third-party solutions such as backup. Let's create a retention policy property, where the user could choose how long the machine will be kept:
1. Open vRA and log on with a privileged user.
2. Click on the Administration tab.
3. Click on Property Dictionary.
4. Click on the Property Definitions menu on the left-hand side.
5. Click on the New button to add the properties.
6. Enter a descriptive property name, remember to use custom prefixes such as Example - note that the label can be different than the name!
7. Choose a data type, for example, String.
8. Define the display advice, for example, Dropdown.
9. Choose Pre-Defined Values.
10. Enter the desired backup retention values, for example, 1 month, 3 months, 1 year.
Create a properties group if not already present. This will enable the properties to be used also in blueprints by simply adding the properties group. To add a group, follow these steps:
1. Click on Properties Group in the left-hand menu.
2. Click on the New button.
3. Provide a descriptive name (maybe with the same prefix as the property). The ID gets generated automatically out of the name (needs to be unique!).
4. In the Properties field, click on New and use the selector to choose the previously created property.
5. Click on Show in Request so the user is able to choose from the property values.
6. Click OK to save the property.
7. Click Save to save the property group.
Creating the IaaS blueprint
Now, since we have completed all the pre-work, the design of the blueprint itself can be done using the preconfigured assets. In this case, it will be a Windows 2012 blueprint which will be added to a distinct network in a preset VLAN. For backup options, there will be a selectable retention period for the user in the steps of 1 month, 3 months or 1 year:
1. Open vRA and log in with a privileged user holding at least the designer role.
2. Click on Blueprints in the left-hand side menu.
3. Click on the New button.
4. Provide a descriptive name, such as Windows 2012.
5. Give it a description; this will be seen by the user requesting the service.
6. Set Archive days.
7. Set the minimum and maximum lease time:
Tip
Archive (days) will be the time frame during which vRA keeps the VM on a disk, even if the VM has expired its lease. It can be set to 0, which means if a VM expires, it gets instantly deleted.
8. Under the Properties tab, click the Add button on the Property groups tab and select the previously set up Properties group.
9. Click OK to get to the graphical designer.
10. In the designer UI, drag a vSphere Machine from the left-hand side into the canvas.
11. In the top-left corner, at the Categories area, click on the Network and Security option.
12. Drag and drop an Existing Network into the blueprint.
13. Click on the newly added network icon to open its preferences at the bottom of the canvas.
14. Under General, click on the button and choose the previously created network.
15. Click on the vSphere Machine on the canvas to open its preferences at the bottom of the canvas.
16. In the General tab, provide an ID (no spaces) as well as a description.
17. Select either Group Default or a preset machine name prefix from the drop-down field.
18. Set the minimum and maximum count of instances allowed in the blueprint. Leaving that blank is equivalent to no limit.
After you have added all this, it is time to configure the installation method for the blueprint. There should be a template in the environment to use; this is how to configure the blueprint installation leveraging vSphere templates:
1. Click on the Build Information tab.
2. Select Clone in the Action drop-down menu.
3. Under Clone from, click on the button with the three dots to select the Windows 2012 template from the vCenter endpoint.
4. Under Customization Spec, write exactly the name of the vCenter customization spec, including upper- and lowercase letters and possible spaces. Tip: Go to policies in vCenter, select it, and copy and paste the name to prevent typos!
5. Under the Machine Resources tab, the minimum and maximum vCPU, memory, and storage configuration can be set.
6. Under the Storage tab, the template disk should show up as a given. The machine cannot be smaller than the template disk size. Additional disks to add can be configured here.
7. Click on the Network tab and then on the New button.
8. Select the added network (your VLAN); as assignment type, select DHCP and click OK. This will ensure the VM gets a VLAN from the previously created pool.
9. Click Save and then Finish.
10. The blueprint is successfully configured:
Publishing the blueprint as a service
Now, since the blueprint is configured and using all the other services, it is time to publish it. This last step will add it to the catalog and therefore it can be requested by users on demand:
1. While still logged on to vRA, in the Design tab, select the newly created blueprint.
2. Click on Publish in the heading row.
3. The blueprint status will change to Published.
Now, since the blueprint is published, it can be seen under Catalog Items. To add it to a catalog, do the following:
1. Click on the Administration tab.
2. Select Catalog Items in the left-hand menu.
3. Click on the newly added Windows 2012 blueprint.
4. In the settings screen, pick a service (probably IaaS) and select an icon for your blueprint if applicable.
5. Click New and noteworthy to make the newly added service stand out:
Summary
Congratulations, this was the configuration of your first blueprint, including advanced parameters; the new service is now ready to be ordered using the catalog menu. This concludes the chapter on vRA. It was meant to provide powerful insights of what this tool can achieve with the right configuration.
Although it is impossible to describe every function in great detail in this chapter, this should be an overview of the most important functionalities. Finally, the chapter concluded in a series of sample configurations to create a first Windows service blueprint for a pre-existing catalog.
In the next chapter, the focus will be on vRealize Orchestrator. This is the powerful counterpart to vRA and will enhance the deployment of VMs by running individual workflows based on properties. Also, it can be used to create completely new services based on workflows which will be imported as XaaS services to be ordered using the vRealize portal.
Chapter 6. vRealize Orchestrator
All infrastructure automation needs a central element which controls the rest of the infrastructure. In a VMware SDDC, this role is fulfilled by vRO.
But vRO does way more than controlling the virtual components of the SDDC. It can be used to control literally anything with an API and a description of how to use it. In a typical data center, there is almost never a greenfield installation possible. This means even if everything is restarted from scratch, there is almost always some service, process, or tool which requires integration. Be it for billing, for monitoring, or just for simple IP address management, integration is key.
Probably one of the best arguments for vRO is its price. VMware includes vRO in every vCenter license, without any additional charge.
Note
More documentation, plugins, and info about vRO can be found here: http://www.vmware.com/products/vrealize-orchestrator.html
Besides that, it is a mature and versatile orchestration platform, which offers way more integration than only the VMware ecosystem. vRO can be extended by using so-called plugins. These can be downloaded from the VMware solution exchange. Also, uploads are possible to this space. It can be considered as vRO's app store. Plugins may be free of charge or come with licensing, which depends on the vendor and the function of the plugin. Often, hardware or software vendors provide these for free with their solutions, but there are also famous examples where a partner has created a plugin for a certain tool and charges customers a license fee for using it in vRO.
This chapter will cover the following topics:
vRealize Orchestrator principles and its basic data model
Workflow creation 101
Integration between vRealize Orchestrator and vRealize Automation
Sample vRealize Orchestrator blueprint integration configuration
vRealize Orchestrator and external services (XaaS)
vRealize Orchestrator principles
The orchestrator is installed as a virtual appliance which can be obtained from the VMware website. Once installed, it has to be connected to the VMware vCenter by using the vSphere Identity Appliance.
Workflow elements and design
In vRO, all automation tasks are managed in so-called workflows. A workflow is a number of actions and decisions which will be executed in a structured and preset order. Workflows can also call other workflows to accomplish tasks. The workflow calling subworkflows will always keep track of the status of all elements it has in its execution path. However, even if there are virtually no limits on how many nested workflows a workflow can call, it makes the reading and understanding of a function quite complex. This feature should be used with care in order to keep the human readability high enough for easy troubleshooting.
In vRealize Automation, it might be necessary to create custom workflows for third-party integration or to realize tasks which are required by established processes. vRealize Orchestrator makes it easy to create, manage, and update workflows. However, it comes with principles which should be known to make this an easy and straightforward task.
Therefore the data model, variable behavior, and best practices should be known before creating custom workflows.
Besides vRO's capabilities in calling workflows in a structured manner, it is also very important to develop and code these workflows in a structured and simple manner. There are various guides from VMware on how to code and ensure that not everything gets packed into a giant scripted task.
Functions should be separated in small chunks of scripted tasks (if necessary). If they get used more often, it might be worth it to create so-called actions which can be used in different workflows independently. The first step to successful vRO workflows is to embrace the difference from traditional scripting. By breaking complex tasks into multiple elements within a workflow, vRO can play all its strengths to make these workflows easy to maintain and to troubleshoot. The following section will discuss the elements and the creation of a simple workflow. However, it is just an example; for more detailed guidance on coding and workflow creation in vRealize Orchestrator, there is a very good VMware white paper, vRealize Orchestrator Coding Design Guide.
Note
The VMware workflow coding guide can be obtained from this web link: http://pubs.vmware.com/orchestrator-70/topic/com.vmware.ICbase/PDF/vrealize_orchestrator_coding_design_guide.pdf
Also, there is a very helpful web blog called the vCO Team which can be found under www.vcoteam.info; it has good examples for beginners and advanced workflow coders.
Attributes, inputs, and outputs
Each workflow in vRO knows three basic variable types. These are important to pass on data between either workflow elements or subworkflows. There are major differences between those variables in how they can be used within a workflow definition.
In general, vRO has different variable data models to offer. These are based on the information the variable might store. This is quite similar to scripting languages or Visual Basic Script, where different variable models need to be used for the same reason.
vRO covers the obvious content types, such as text, number, and boolean. But there are also product- and use-case-specific data types such as VC:VirtualMachine or VC:HostSystem. These types are introduced by their plugins in vRO. Other plugins can introduce new types; there is also a possibility to create dynamic types to build a data model for as yet unknown third-party systems.
This can be done either by creating a custom Java plugin or by using the Dynamic Types plugin, which will autogenerate a custom vRO plugin based on any third-party API calls.
Besides that, variables can either be a single item or an array of those things. It is important to declare the right type since otherwise vRO will error out. An array cannot be assigned to a single item variable; vice versa might be possible, but needs adapter code in JavaScript.
Note
In general, all these parameters can be assigned to workflow elements for further processing. Input parameters can only be assigned on the IN tab of a workflow element; output parameters can only be assigned on the OUT tab. Attributes can be assigned on the IN or the OUT tab of an element.
Inputs
If the workflow needs information prior to running, these are declared as inputs. Inputs can also be optional to provide additional functionality. A workflow which will migrate a VM to a select host will have basically two inputs:
VM to migrate
Destination host system
There could also be optional inputs such as changing the VMDK format while migrating or the overall criticality to use while migrating the VM. But to run, at least these two inputs must be selected by the user.
If an input reflects a plugin type variable, the selection can be based on browsing the known vRO environment. In the case of the VM, it will allow the user to browse through vCenter and select the VM by clicking on it. This holds true for the host system as well.
A nice function with this method is that the workflow will basically not allow any false entries. A VM cannot be selected as an input for the host system. This is a very important fact in vRO: the variable type can be critical to a successful workflow.
Attributes
Attributes are a form of global variables, active for storing values during the workflow runs. Same as for inputs, they will have different types, but generally, they are used to store dynamic information, as it might be needed while the workflow is running. They can be seen as the short-term memory to hold such things as arrays, text, or even type-based information.
To store and forward information, workflow elements can read attributes (IN tab) or store information into attributes (OUT tab). If an element is configured to store information into an attribute, everything which has been stored before in this attribute will be overwritten. To make sure information stays valid through to the end of the workflow, individual attributes need to be used.
Outputs
Output parameters are important to actually return a result based on an action within a workflow. Some automation tasks need to produce outputs. An example could be a workflow which might wait for a certain event to conclude. It would produce an output to tell whoever issued the run what status that event might be currently in. Another example could be a workflow which generates a list of items based on filter criteria. The output parameter would be an array containing that list. Also, the output will be available even though the workflow has finished (hence the name) and can be used for other workflows. Mostly, this technique is used for workflows calling subworkflows. To understand the outcome, it is recommended that these subworkflows come back with an output which can then be used in the original workflow calling the sub.
Configurations
Configurations are basically preset inputs for a workflow to run. They become handy if there are a couple of workflows using similar inputs each time they run. A configuration can be used to store that information centrally.
Also, configurations exist outside of workflows, which means that inputs for workflows can be linked to the content of configurations. For example, let's assume an e-mail address stays the same for all workflows to notify an administrator. In this case, this would be an input variable with type string. To prevent putting that in each and every workflow, a configuration can be created to hold that data. Each workflow can then be linked with its e-mail-input parameter based on this configuration.
If at any time the e-mail address needs to be changed, only the configuration needs to be altered to hold the new e-mail. All the workflows will automatically use the new value. This is a very important feature if multiple workflows might use the same data. It can be a huge time-saver and also reduces complexity and effort a lot when working with multiple workflows in semi-complex and complex environments.
Workflow elements
Workflows contain multiple different elements. All of these elements have a different function as well as different requirements. The most helpful elements are the following:
Action elements
Scriptable task
(Custom) decision
Workflow element
Switch
There are many more which will help to create a meaningful workflow; those are the ones maybe used most often and therefore interesting to dig deeper into.
Action elements
vRO comes with many preset and preprogrammed actions. They can be seen as preconfigured scripts performing a distinct action. Each plugin may bring its own actions to make the creation of automation tasks easier.
However, it is also possible to create your own actions in vRO to be used with custom workflows. If a third-party API does not come with a plugin but a certain functionality might be used frequently, this can become very handy. Similar to configurations, actions are only linked with workflows as an element. Therefore, if the code of the action changes and the version number of it has been increased, the updates are picked up by all the workflows using the action.
This is another reason why an action might be better than a couple of scripted tasks repeating code in a workflow. Workflows with actions will be far simpler to maintain and manage.
Updates for vendor-created plugins can also easily be introduced using actions. The workflows will pick up the new version just by accessing the latest action element.
To create your own action items, vRO has its own menu and folder structure for it. It can be found under the Actions menu item (vRO needs to be in the Design view). The icon looks like a gear with a play symbol in it.
Within this menu, a folder can be generated in reverse DNS standard subdomain.company.function. For instance, a certain internal function for acme.local might be called local.acme.aircon.
Within this folder, all actions for managing acme's air condition might be created. The action elements (actions) are written in JavaScript. If any outcome data should be provided by the action, the return <value>; command needs to be used to output variable content.
Scriptable task
A scriptable task is used in a workflow to accomplish things which cannot be covered by any of the other workflow elements. It is important to first search for what needs to be done in the library to be sure that a scripted task is needed.
Scripted tasks are the most static bits in a workflow. They can only be changed if the entire workflow is edited, which makes the workflow more difficult to manage. Only very straightforward and simple things should be covered in scripted tasks.
They use JavaScript as a scripting language and also the IN and OUT tabs to read or write into vRO variables (inputs, outputs, or attributes). Mostly, they may be used to search arrays for specific data and then pass it on into one of the workflow variables.
Sometimes they need to be created since a specific operation is not covered by any action or workflow element. They can be used to access APIs through a plugin-provided scripting class (for example, vcPlugin) to accomplish these tasks. If a scripted task is created, vRO will offer rich and detailed help for all available plugin-based and JavaScript-based commands. This help screen can be browsed while editing the code in the same window.
Decision
This element is used much like an if-statement in a script. Based on a criterion or action element, it can either follow up the true branch or the false branch. The term true or false branch is used to identify which way to follow. Literally, a workflow can continue successfully even though the false branch is taken by the decision. That highly depends on the design of the workflow and what needs to be accomplished using the decision. There are three types of decision elements:
Decision
Decision activity
Custom decision
The basic decision takes a workflow variable (boolean type) as input and, based on its output, it will either continue the success branch (true) or the failure branch (false). The content of the variable has to be pre-set at some stage in the workflow (or as an input).
The decision activity is based on a to-be-selected action element. The action element must return true or false in order for the decision to work properly. It follows up the branches based on the same principle as the normal decision.
The custom decision offers a tab called Scripting in which JavaScript can be used to form the decision. However, it should not use extensive scripting to return true or false. Often this is used to write an if statement and also work with provided vRO variables. However, a decision has no OUT tab, therefore altered information cannot be written back into a variable. If more scripting is required, it is recommended to use the simple decision and use a scripted task for the complex JavaScript elements.
Workflow element
This is used to call other workflows in the current workflow. It just needs to be dragged into the execution line and then a workflow to call can be searched for. If this workflow requires additional IN parameters, vRO has a function to automatically put them into the parent workflow as requirements. If this is the case, a black bar will appear, asking to add the activities parameters as input/output to the current workflow. On the far-right side, there will be a button labeled Setup. It can be used to control the name of the variables. If no names are applied, the original names from the selected subworkflow will be used. If the called workflow has an out parameter, this can be used for further processing in the original workflow.
Calling workflows can be very handy if multiple complex tasks need to be accomplished. Instead of creating one big and complex workflow, the task can be broken up into smaller bits and therefore each can be accomplished by a single workflow. In order to bring the big picture back together, a master workflow can be used to keep track and call all the subworkflows to accomplish the task.
This technique may also be used if a bigger team is working on automation and not all members have the same skills and functions. They can add their work as self-contained workflows for others who might require their output to fulfill their targets.
If one is familiar with an object-based programming language, this is a similar approach. The subworkflows are basically their own objects with their own descriptors, inputs, and outputs.
Switch
This element is used to switch between different workflow branches based on variable content. It can be seen as a case statement. Based on the select variable, it delivers an easy-to-configure statement. It can do various different comparisons based on the variable type. If the variable to be checked is of type VC:VirtualMachine, the comparison can be the VM name, whether the variable is empty or not, the power state, the guest OS, and so on.
This means it basically understands the variable type and delivers a number of checks which can be performed on the variable. Based on their success (true or false), a distinct branch will be chosen to continue the workflow.
Workflow creation 101
Workflows in vRO typically live in a folder structure under the workflows tab. To create a new workflow, it is recommended to create a folder first, maybe with the name of a certain project or the description of the workflow types it may hold. Most vendors just use the product name as the folder name and then do subfolders to distinguish different functionalities.
Once the location is set, the workflow itself can be created in the folder by right-clicking on it and selecting New workflow.
Creating the workflow
Before starting to create the workflow, its purpose should be clear. Let's create one based on a simple example. Let's assume a backup system is backing up VMs based on what folder they are located in. Also, the folder is a placeholder for the applied retention policy. This is a proven practice and many backup tools could actually support such a setup with their vCenter integration using VADP. Also, this workflow might be triggered by vRealize Automation based on a user's choice.
There are three folders:
1 month: VMs in this folder will be available for up to 1 month after their deletion
3 month: VMs in this folder will be available for up to 3 months after their deletion
1 year: VMs in this folder will be available for up to 1 year after their deletion
When a user in vRealize Automation is ordering a VM, the blueprint will offer a parameter where the retention policies can be chosen. They are identical to the folders in vCenter. The parameters can be handed over by vRA to vRO by using so-called custom properties. These properties are provided by vRO when using a workflow subscription to call a vRO workflow. These concepts have been discussed in Chapter 5, VMware vRealize Automation.
The workflow should have one input: the vRA properties containing the VM name as a string and the folder name as a string. Based on that input, it should simply move the VM into the given folder in vCenter:
1. To create the workflow, the orchestrator client needs to be set to the Design mode. Under the workflow tab, the folder which should contain the workflow can be selected/created by expanding the Library folder.
2. Right-click on the folder and select New workflow.
3. Provide a meaningful workflow name such as VM Backup mover.
4. The orchestrator client will now open the new workflow in editing mode. The canvas will be shown where the workflow can be constructed:
On the left-hand side of the pane, all the selectable workflow elements are shown. On the right-hand side, the canvas is shown where the overall flow and structure of the workflow can be constructed. Elements can be simply added by dragging them onto the blue arrow pointing from the start to the end workflow element.
5. Drag the icon for Action element into the canvas. In the appearing search box, look for the getAllVms action element. This will gather all VMs in the connected vCenter server.
6. Hover over the action element and click on the pencil icon to edit its metadata. In the appearing window, click on the OUT tab. The Action item has a yet unbound actionResult variable. It needs to be bound to a newly created attribute in the workflow in order to be usable for other elements in it.
7. A click under Source parameter on not set will open another smaller window. In this window, an attribute can be created dynamically to store the output of the actionResult.
8. A click on Create parameter/attribute in workflow will open a window called Create parameter where a name needs to be provided. A description can be added, such as Contains all vCenter VMs. The type and array settings will be preselected based on the action element's output settings. In the Create section, Create workflow ATTRIBUTE with the same name should be selected. Once OK has been clicked, the system will bind and create a new attribute with the provided name:
Get the properties from the service in vRA. This is done in multiple steps; for now, these are the steps in vRO to make sure the data from vRA can be processed:
1. Drag and drop a scriptable task into the workflow.
2. Click on the pencil icon to start editing it.
3. Click on the Info tab to provide a meaningful name such as Process VM Properties.
4. Click on the IN tab to define an input variable. The procedure is similar to that for the action element's output. There are three icons: a line with two dots, two lines with two dots, and an X.
5. Click on the line with two dots (first icon) to add a variable.
6. Click on Create parameter/attribute in workflow.
7. Enter a name such as machine and select type string.
8. In the Create section, make sure Create workflow INPUT PARAMETER with the same name is selected.
9. Click OK to save and proceed:
10. Click on the OUT tab to define the attributes the scriptable task will store its data into:
    1. Click on the Bind to workflow attribute icon (far-left icon, line with two dots).
    2. Click on Create parameter/attribute in workflow.
    3. Provide a variable with the name parsedMachine with the type any.
    4. Select Create workflow ATTRIBUTE with the same name.
    5. Repeat these steps until entering the attribute name, create one called retentionPolicy with type string.
Note
Attributes are case-sensitive; it is important to respect the case and use exactly the spelling in all scriptable tasks. Otherwise, the attributes will not be recognized by vRO.
11. Click on the Scripting tab to add the following JavaScript:
// Get the properties from vRA: parse the JSON string input into an object
var parsedMachine = JSON.parse(machine);
// The Backup custom property holds the target folder name
retentionPolicy = parsedMachine["properties"]["Backup"];
// Log the result for debugging in vRO
System.log("Found backup property: " + retentionPolicy + " on VM name " + parsedMachine["name"]);
The code will parse the input (machine) into a JavaScript Object Notation (JSON) object (parsedMachine). This will be easier to access than a string or an XML. This will only work if the input is JSON-compatible; vRA offers properties in JSON format, so this works well with this method.
After that, the retention policy (retentionPolicy) will be parsed out of the JSON object, which will be the target folder name. The brackets are used to navigate through the JSON object and find the right identifier to write into the variable. Since the name of the folder is a string, the variable retentionPolicy is of type string. A JSON object type is not defined in vRO, therefore the parsedMachine is stored as type any.
The last line is to log the output for debugging in vRO.
12. Create another scriptable task and name it Prepare folder object:
    1. Bind the retentionPolicy as an IN parameter on the IN tab. Click on the Bind to workflow parameter/attribute icon at the far left.
    2. Select the retentionPolicy attribute from the list.
    3. Click on the OUT tab and click on the Bind to workflow parameter/attribute icon.
    4. Click on the Create parameter/attribute in workflow link.
    5. Enter a meaningful name such as folder.
    6. Select as type: VC:VmFolder and Create workflow ATTRIBUTE with the same name.
    7. Click OK to bind the new attribute to the scriptable task.
13. Click on Scripting to add the following code:
// Read all VM folders from the connected vCenter
var folders = VcPlugin.getAllVmFolders();
for (var i in folders)
{
    // Keep the folder whose name matches the chosen retention policy
    if (folders[i].name == retentionPolicy)
    {
        folder = folders[i];
    }
}
System.log("Found folder: " + folder);
This code will read all available folders in vCenter. Since there is no action element to accomplish this, the VcPlugin scripting class was used. The command provides an output as VC:Folder in form of an array. This array is defined in the first line. The next line will create a for loop to access all elements of the array (all folders). For each folder, it will check whether the name fits the name of the chosen retention policy attribute. Once this is accomplished, the folder at this position gets written into the folder attribute for further processing.
The last line is for logging the output in order to make the code easier to debug.
14. Create another scriptable task and name it Prepare VM object:
    1. Bind allVMs and parsedMachine as IN parameters on the IN tab. Click on the Bind to workflow parameter/attribute icon at the far left.
    2. Select the allVMs attribute from the list.
    3. Repeat these steps for the parsedMachine attribute.
    4. Click on the OUT tab and click on the Bind to workflow parameter/attribute icon.
    5. Click on the Create parameter/attribute in workflow link.
    6. Enter a meaningful name such as vm.
    7. Select as type: VC:VirtualMachine and Create workflow ATTRIBUTE with the same name.
    8. Click OK to bind the new attribute to the scriptable task.
15. Click on Scripting to add the following code:
// Identify the VM to move
for (var i in allVMs)
{
    // Compare each VM name with the name vRA sent in the properties
    if (allVMs[i].name == parsedMachine["name"])
    {
        vm = allVMs[i];
    }
}
System.log("Found VM: " + vm.name);
This short script will loop through all found VMs to identify the one vRA has created. The name of the VM will be in the properties vRA sends when calling the workflow. The for loop will process all VMs and compare their name to the name in the vRA properties. The if clause will identify the right position in the allVMs array and assign it to the vm attribute. Now this is no longer text but a VM type attribute holding all needed information to manipulate a virtual machine.
Finally, the log will be prepared to output the found VM's name for debugging purposes.
16. Create a subworkflow by dragging the Workflow element into the canvas on the blue line.
17. In the search bar, search for Move virtual machine to folder and select this workflow once found.
18. Click on the pencil icon to edit the workflow.
19. Click on the IN tab and add vm as well as the folder variable by using the Bind to workflow parameter/attribute icon.
20. Click OK and then close. The workflow is now ready for moving VMs into specified folders based on a user's selection in vRA.
Since there is an already running and proven workflow to move a VM into a folder, this workflow is called by the just created one.
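The three scriptable tasks above leave folder or vm unset when nothing matches and keep the last hit when two objects share a name. The following is an added example, not code from the book, written in ES5 so it could be pasted into a scriptable task: it validates the vRA payload, accepts only the three retention folders, and fails closed unless exactly one folder and one VM match. The function names, the sample arrays and their ids are assumptions, constructed as stand-ins for the VcPlugin.getAllVmFolders() result and the allVMs attribute.

```javascript
// Added example: fail-closed resolution of the VM and target folder.
// Only name-based lookups are used, as in the workflow described above.

// Retention policies accepted by this workflow (the three folder names).
var ALLOWED_POLICIES = ["1 month", "3 month", "1 year"];

// Constructed sample data; in vRO these come from vCenter.
var SAMPLE_FOLDERS = [
    { name: "1 month", id: "group-v101" },
    { name: "3 month", id: "group-v102" },
    { name: "1 year",  id: "group-v103" },
    { name: "1 year",  id: "group-v250" }  // same name under another parent folder
];
var SAMPLE_VMS = [
    { name: "web01", id: "vm-11" },
    { name: "db01",  id: "vm-12" },
    { name: "db01",  id: "vm-13" }         // duplicate VM name in another folder
];

// Parse and validate the machine input handed over by vRA.
// Returns { name, retentionPolicy }; retentionPolicy is null when the
// optional Backup property was not set on the request.
function parseMachine(machineJson) {
    if (typeof machineJson !== "string" || machineJson.length === 0) {
        throw new Error("machine input is empty or not a string");
    }
    var parsed;
    try {
        parsed = JSON.parse(machineJson);
    } catch (e) {
        throw new Error("machine input is not valid JSON");
    }
    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
        throw new Error("machine input is not a JSON object");
    }
    if (typeof parsed.name !== "string" || parsed.name === "") {
        throw new Error("machine input has no VM name");
    }
    var props = parsed.properties;
    if (props === null || typeof props !== "object") {
        throw new Error("machine input has no properties object");
    }
    if (!Object.prototype.hasOwnProperty.call(props, "Backup")) {
        return { name: parsed.name, retentionPolicy: null };
    }
    // Allowlist check: the value must be one of the known folder names.
    if (ALLOWED_POLICIES.indexOf(props.Backup) === -1) {
        throw new Error("Backup value is not an allowed retention policy");
    }
    return { name: parsed.name, retentionPolicy: props.Backup };
}

// Return the single item with the given name, or throw if there are 0 or >1.
function findExactlyOne(items, wantedName, kind) {
    var matches = [];
    for (var i = 0; i < items.length; i++) {
        if (items[i].name === wantedName) {
            matches.push(items[i]);
        }
    }
    if (matches.length !== 1) {
        throw new Error("expected exactly one " + kind + " named '" +
            wantedName + "', found " + matches.length);
    }
    return matches[0];
}

// Resolve what to move and where. Returns null when no Backup property was
// requested, so the caller can skip the move instead of passing an
// undefined folder to the Move virtual machine to folder workflow.
function resolveMove(machineJson, folders, allVMs) {
    var request = parseMachine(machineJson);
    if (request.retentionPolicy === null) {
        return null;
    }
    return {
        vm: findExactlyOne(allVMs, request.name, "VM"),
        folder: findExactlyOne(folders, request.retentionPolicy, "folder")
    };
}
```

In a scriptable task the thrown error marks the workflow run as failed, which makes an ambiguous or unexpected request visible in the run history instead of moving the wrong object.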
Once all is created, the workflow should have the following attributes under the General tab:
vm
folder
allVMs
retentionPolicy
parsedMachine
Under the Input tab the following inputs are listed:
machine
The tab called Outputs will be empty for this workflow.
Once everything looks like it should, the workflow can be saved by clicking on Save at the far right bottom corner of the client.
vRO saves workflows and automatically adds version numbers to them. It is highly recommended to always increase the version number if something has been changed. If the version number does not change (forced overwrite), all other workflows calling the changed one would still work with the old data, since with an unchanged version number the two versions can't be told apart. Therefore, it is highly recommended and best practice that each change to a workflow also increases the version number of that workflow.
Integrating the workflow into vRA
A workflow event subscription can be added to a certain status of a request. For instance, it can be run every time the VM is deployed or up and running. There can be triggers and targets defined; targets are usually workflows, triggers can be based on property content or other variables. Workflow subscriptions have already been covered in Chapter 5, VMware vRealize Automation.
In order to make the workflow work together with vRA, the following steps have to be done in the vRA portal:
1. Open the vRA portal and log on with an administrative user.
2. Click on the Administration task and then on Property Dictionary.
3. Click on the + New button to add a new property definition:
    1. Provide a meaningful name such as Backup.
    2. Provide a label (the user will only see the label) such as Backup retention.
    3. Select String at the Data type field.
    4. Set Required to No (backup is nice, but not required).
    5. On the right-hand side, select Dropdown at Display advice.
    6. At the Values area, select the Predefined values radio button.
    7. At Predefined values, use the green plus sign to add all three folder names. The values of these properties should be identical to the names of the folders in vCenter. This includes uppercase/lowercase names!
    8. Click OK to store the new property:
Once this is completed, a property group should also be created for easier assignment of a number of properties to a blueprint. To create a properties group in vRA, follow these steps:
1. Click on Property Groups while still in the Administration | Property Dictionary menu.
2. Click on the + New button to create a new group.
3. Provide a meaningful name, such as a company name and an identifier for the group's content.
4. Select the desired visibility (all tenants or only the tenant currently managed).
5. Under Properties, click the + New button. In the appearing row, click the drop-down arrow to select the previously created Backup properties.
6. Before clicking OK to add the line, the Show in Request tick box should be selected for the line entry.
7. By clicking OK, the system will store a new properties group with the Backup property as a member.
After the properties and property group have been successfully created, an event subscription needs to be configured. This is also done in the vRA Administration tab. The following steps will add a workflow subscription to move a VM after creation to a user-defined folder (the Backup creation workflow):
1. Click on Administration to navigate to Events.
2. Click on Subscriptions and then click the + New button.
3. Select Machine provisioning under the Event Topic tab and click Next.
4. Select Run based on conditions and choose the following options:
    1. Expand Data using the plus sign next to it.
    2. Expand Lifecycle state using the plus sign next to it.
    3. Select Lifecycle state name.
    4. Select Equals in the next box.
    5. Click on the down arrow in the last box, leave Constant selected, at the nested drop-down box in the box, search for VMPSMasterWorkflow32.MachineProvisioned.
    6. Click Next.
5. In the Workflow tab, open the Library folder and browse to the workflow created earlier to select it.
6. Click Next, check the summary screen and click Finish to store the newly added event subscription.
7. In the overview, select the new event subscription (click on the line) and click on Publish, otherwise the subscription will not be usable in any blueprints.
Adding the properties to the blueprint
After all the properties have been created successfully, they have to be added to the blueprint in order to take effect. The following steps will add the properties:
1. Log on to the vRA web interface with an administrative user or a blueprint designer user role.
2. Select the Windows blueprint created previously in Chapter 5, VMware vRealize Automation.
3. Click on Edit in the top row to edit the blueprint.
4. Click on the Windows VM in the design canvas.
5. In the configuration menu on the far right, click on the Properties tab.
6. At the properties group, click on the + Add button and select the previously created properties group.
7. Select the Custom Properties tab and click the + New button.
8. Enter the following text under Name:
Extensibility.Lifecycle.Properties.VMPSMasterWorkflow32.MachineProvisioned.
Be very careful when writing that since the whole term is case-sensitive.
9. At the Value column, enter backup*.
Note
Since the MachineProvisioned property forwards a lot of data for the virtual machine, it is simpler to filter for the Backup property. This is what this entry will do. Instead of creating a complex filter on a lot of data in vRO, the filter is created at the source and makes everything more efficient.
10. Click Finish to save the changes in the workflow:
Now everything is set for a vRA to vRO workflow integration based on event subscriptions. If a new VM is requested in vRA, a drop-down field will appear to select the backup retention policy.
Based on the selected policy, the workflow will move the VM into the preset folder. This is done immediately after the VM finishes provisioning. The completed workflow runs can be checked in vRO including variable content and log output.
This can be done in the vRO client by expanding the arrow next to the workflow. By clicking on a workflow run, all the collected information will be shown in the client window:
This is a good function to prove whether the workflow is running correctly and all the functions are working as expected. vRO would also list scripting errors or parsing errors if any. In this case, the workflow run will be marked as failed using a red X instead of a green check mark (successful).
External services
Another use case for vRO is the creation of so-called external services or XaaS as VMware calls it. In vRA, XaaS means basically anything which can be automated and is orderable as a service.
By using vRO as a platform, a workflow can be an easy-to-create yet powerful asset to provide third-party functionalities. Also, there are plenty of vRO plugins, which bring their own workflows for specific vendor products. By leveraging the XaaS feature, it is much easier to include those vendors and their products into the vRA portal. This means that their offerings can also be orderable as services by a given end user.
A couple of things are very helpful when using the XaaS feature of vRA with vRO:
An item is only shown in vRA if the workflow has an output parameter which vRA can understand.
Actions on XaaS services can be defined separately in vRA and assigned to the service. These actions are workflows on their own in vRO.
If an item should be destroyed after the service is deleted, it needs to use vRA's disposal feature.
The input mask of the XaaS workflow is basically taken from the inputs in vRO. However, the mask can be edited in vRA to be more consumer-friendly if required.
If no output variable suits vRA, a custom set of resources can be defined in order to still assign an XaaS service to the items tab.
vRO needs to understand the data type in order to forward it to vRA. To accomplish this, vRO has a feature called dynamic types. These can be used to create an integration plugin which is then parsing a given API to create an object/relation construct. This can then be used to advertise functionality back to vRA.
Probably vRO is used for third-party integration to a fair extent. But vRO can also be used quite easily and straightforwardly to create new services and make them orderable through vRealize Automation. These workflows do not always have to be created by the end user; some of them are included in the available vRO plugins. To create an "add a user to AD" service, all necessary workflows and actions are already installed in vRO given the AD plugin is activated. This can be an easy and straightforward way to implement additional and helpful services into vRA.
Connecting vRO to vCenter
Once that is completed, the vRO service can also be registered to vCenter to run vRO workflows right out of vCenter using the right-click menu. To run workflows using the VMware API and to enable the right-click call feature, vRO has to be registered with vCenter. Actually, running a workflow in vRO does this:
1. Use a browser and put in the address of the vRO server.
2. Click either on Start Orchestrator Client or on Download Orchestrator Client.
3. If you have downloaded the client, uncompress it and open the Orchestrator Client Java executable.
4. Log on with an administrative vCenter user (since it is linked to SSO, the vSphere admin works).
5. Make sure the orchestrator mode is either in Run or in Design, otherwise the workflow view will not be available. The run mode is changed using the drop-down field right next to the vRealize Orchestrator logo.
6. In the top-left corner, locate the workflows icon (blue square with white rhombus in it).
7. Expand the Library folder and locate a subfolder called vCenter.
8. Expand the Configuration folder under vCenter.
9. Right-click on the workflow Add a vCenter Server Instance and click on Start workflow....
10. Put in all the necessary vCenter information, select Yes on the question to orchestrate this instance.
11. On the second screen, it is recommended to share a session for all users to vCenter. This means selecting No on the first question.
12. Put in the vCenter user to connect with. Remember, if the user does not have all privileges, the vRO workflows will also have limited privileges.
13. Hit Submit and vRO registers with vCenter:
Note
It is also possible to pass an individual user to vCenter to run the workflow. However, this means the user running the workflow must have all privileges assigned to complete all workflow steps, otherwise this will fail. Typically, one user is running the workflows like a proxy for all others.
After this has been successfully accomplished, vRO needs to register its extension with vCenter in order to connect properly. This is also done by running a configuration workflow:
1. Locate the workflow named Register vCenter Orchestrator as a vCenter extension in the vCenter, Configuration directory.
2. Right-click on it and select Start workflow....
3. Click on Not set to browse to the vCenter instance to register with.
4. Leave the advertising address field blank.
5. The workflow will now register the vRO extension with vCenter. This is necessary to use the vCenter vRO plugin, which enables admins to attach workflows to vCenter objects and run them directly by using a right-click menu.
To prove whether the extension has been successfully registered with vCenter, the best and most efficient way is to check the extension manager. This can be accomplished best by browsing the vCenter Managed Object Browser (MOB) or Managed Object Reference (MoRef) API descriptor:
1. Open a browser and put in the following vCenter address: https://my.vcenter.local/mob.
2. Put in the vCenter admin credentials to open the MOB page.
3. Click on Content.
4. Find and click on the ExtensionManager link in the list (exact spelling including upper- and lowercase).
5. In the extensionList, locate the link called extensionList["com.vmware.vco"].
6. If this link exists, the vRO server is successfully registered as an extension to vCenter Web Client:
Note
vCO is the old name (vCenter Orchestrator). However, it can still be found in many references in vCenter and also in vRO itself. VMware renamed the product in 2013 to vRealize Orchestrator in order to create a unified product family brand for all orchestration and automation products. If tips for workflows are needed, it is still recommended to also use "vCO" in Google in order to maximize the search results.
If all of this completed successfully, vRO should be registered with vCenter and its workflows should also be browsable by vCenter server.
Under vCenter, it is available by clicking on the vRealize Orchestrator icon. Under vRO home, it should show up as connected (Summary tab). Now vRO workflows can be added to vCenter and can be run on so-called object-based conditions. For instance, one could create a workflow which is adding a new host to a cluster. The workflow can be only run on the cluster object.
All this can be configured using the Management tab. Of course, the workflows have to be already present in vRO in order to be attached to objects in vCenter.
vRO context actions in vCenter
vCenter and vRO make a powerful connection. Based on this, VMware has decided to make it even easier to run vRO workflows on vCenter objects by introducing the so-called context action. With this functionality, administrators can define a single workflow or a set of workflows which can run on a select vCenter object. Registering the vRO extension in vCenter will enable this object linkage. Also, vCenter will document and display all workflow runs under tasks, which makes them easier to monitor.
Finding and enabling context actions
This configuration is done in vCenter Web Client, which will be used to manage and enable the context actions. This menu can easily be identified in vCenter by looking for the orange orchestrator icon. This icon can be found either in the Home screen in the Inventories section or by clicking on the home icon (top-left corner next to the vSphere Web Client text) and selecting the menu directly.
Once in the menu, the context action can be defined by selecting vRO Home directly under vRealize Orchestrator in the left-hand side menu. To add or change an action, the Manage tab needs to be selected.
Enabling a context-based workflow
To enable a context-based workflow, perform the following steps:
1. In the vRO Home screen, select the Manage tab.
2. Click on the green plus icon to add a context-based workflow.
3. In the Add new workflow wizard on the left-hand side, expand the vRO Servers to select a workflow (tree view).
4. Browse to the vCenter folder and open Virtual Machine Management/Move and Migrate.
5. Select Mass migrate Virtual Machines with vMotion.
6. Click Add to make sure the workflow appears under Selected workflows in the top section of the wizard.
7. On the right-hand side, select host, which is the object where the workflow should be applied.
8. Click OK to assign the workflow as context action:
Once these steps are completed, the workflow can be executed by right-clicking on any host in the environment. There will be a menu option called All vRealize Orchestrator Actions and the assigned workflow will appear in this menu. Since this is a context-based action, it will not appear if one issues a right-click on a VM or a cluster:
It is not necessary to set this up for vRealize Automation, but it is a very good option to introduce daily management automation tasks into vCenter. Given that vRO is configured to use a proxy user for all workflows, admins who might have minor privileges could also run controlled automation tasks using this option. Also, all workflows will appear in vCenter's tasks overview, which also simplifies monitoring the exit state of any run workflow.
Summary
This chapter touched on the basic data model as well as variable types of vRealize Orchestrator. Although all this is only scratching the surface of vRO, it gave a deep insight into how workflows are created as well as how they could be linked with vRA in order to enable powerful and rich third-party integration points. This is probably one of vRO's strongest capabilities.
Also, the scripting components based on JavaScript were discussed. Given the well-implemented help for JavaScript and all scripting classes, it should be possible to get up to speed on JavaScript after a little warm-up phase.
In the next chapter, the focus will be on the creation of a rich service catalog. The service catalog is the most important functionality of the SDDC. The services have to be easy to use as well as valuable and useful to the end users based on their business case. The chapter will also discuss how services and service catalogs will be created and maintained in vRA. But not only will the catalog itself be under discussion, also the content and services which can be added will be explored.
Chapter 7. Service Catalog Creation
The service catalog is the central element of each cloud environment. Based on the use cases identified it will provide the needed functionality to empower the business and speed up deployment. This will enhance the time to market significantly and enable the whole company to be able to react to market trends faster.
But to enable all these benefits, it is important to understand that this can only be accomplished if the services offered in the catalog are valid and needed by the end users.
This chapter will discuss the service catalog creation, different types of service catalogs, as well as detailed examples of simple and complex service designs.
Also, it will cover in detail how service catalogs are created in vRA and how they can be assigned to a specific business group or tenant, but also be available across different tenants. The latter option is necessary if some very basic services might be worth sharing. An example for such service catalogs can be a simple OS deploy service. Even though each tenant might be a different company or division, they will all need some form of Windows or Linux deployment. So sharing a service catalog across two or more tenants for this basic service can be useful in order to lower the maintenance and operation effort for the SDDC.
This chapter will cover the following topics:
Service definition and classes
Service catalog creation in vRA
Design examples using vRA
Best practices and good practice for service catalog creation
Service catalogs
This basically reflects the shop front end of vRA. Service catalogs are categories and contain their various services. vRA does not limit the number of service catalogs, nor their name or function in any manner. Numerous service catalogs can be created. All the names are basically free-form text; however, there are some best practices and standards which may make sense to follow, since all cloud providers will have similar naming and functionality.
In Chapter 5, VMware vRealize Automation the three most used categories have been briefly discussed; those are basically IaaS, PaaS as well as XaaS. The latter category is a VMware-introduced term and describes Anything as a Service.
Besides the as a Service ending, there are endless possibilities. There are also other categories in the market such as:
Software as a Service (SaaS)
    These are offerings like Gmail, Salesforce, Office 365
Backup as a Service (BaaS)
Storage as a Service (STaaS)
Database as a Service (DBaaS)
    This often means either of two things (either-or-both)
    Installing a DB on demand and making it available
    Creating an instance/DB on an already running DB (or DB cluster)
Desktop as a Service (DaaS)
    Often in conjunction with a cloud portal where a user can order a new desktop on demand
    Mostly referred to and used in Virtual Desktop Infrastructure environments
Network as a Service (NaaS)
High-Performance Computing as a Service (HPCaaS)
This list is just a fraction of possible as a Service categories. Each topic might be a separate service catalog. The idea behind these abbreviations was initially to introduce a common language and standard to orient to. However, there is no required naming or content of a service catalog. Sometimes services will also build upon each other.
A good example for that is the SaaS model which might be stacked on top of other categories:
Defining a catalog
The catalog definition is based on various different factors. Its content should be easily guessed by its name. Also, the content should share characteristics which make it easy to identify it as part of a distinct service catalog.
Here are a few examples of service catalogs and their possible contained services:
IaaS: Normally this is a catalog providing only OS installs with no further software installation or other customization. This catalog may offer a quick way to deploy an OS (with IP, domain join, security hardening, and so on) but nothing more than that.
Typical services are:
Windows (different versions)
Linux (different versions)
Bare metal resources (install Windows/Linux on a blade or rack server).
Typically an IaaS service catalog is the first to start with since it delivers a fundamental functionality of every SDDC. It can easily deploy a VM containing an OS of choice including the integration into the third-party management framework. Although there is currently a big hype for DevOps and Cloud Native Apps this can already be a huge time saver.
Directory services: This can contain additional services which may only refer to AD or LDAP actions. Since an SDDC can do more than just provisioning, this might enable a user to request a new user, change or reset passwords, lock or delete an existing user. This might be useful in bigger environments to speed up the onboarding of new employees. Services might be:
Create/change/delete an AD user
Block an AD user
Reset AD user password
ACME business applications: This can be a mix of a PaaS and SaaS catalog, reflecting only the required and necessary services to enable a certain branch of the business. Since this is a completely custom category, there is no predefined content. As mentioned, the content needs to be easy to identify and should make sense in the catalog's context. Examples could be:
Create/manage a Customer Resource Management (CRM) application
Deploy production web server/farm (LAMP stack: Linux-Apache-MySQL-PHP)
Other required internal business systems
Multiple catalogs
Defining one catalog might be easy and straightforward; when it comes to multiple catalogs there are a few design best practices to follow. These will not have a functional influence, but the success of the SDDC lies in its user adoption. Creating complex and difficult to operate portals (for non-technical users) will lead to less adoption. If the portal is populating services straight from the business units.
Catalogs: As few as possible, as many as required
This is a famous best practice for virtual switches in vSphere. The same principle holds true for service catalogs/services in vRA. If there are too many service catalogs created with too many services contained, the user might end up confused rather than enabled. The best rule to follow here is keep it as simple as possible. Even if this sounds like an already known rule of thumb, keep checking your design against it. Often complex service catalog creations can be avoided by creating multipurpose blueprints or catalog items.
An example is the IaaS service catalog: VMs or Bare Metal deployments will contain an OS and are fully or partially integrated into the ecosystem after deployment. There might be no need to create a service catalog for each OS family (Windows or Linux). Also, there might only be two blueprints needed to satisfy the requirements of the users/LOBs/admins requesting this service.
Provide basic catalogs as well as specific catalogs
A basic catalog can be IaaS. Given that one company has many different departments, but all need to follow the same IT processes, it might make sense to have a universal IaaS catalog, relevant for all business groups.
For a provider, the situation is similar. Basically, every customer needs to deploy either Windows or Linux VMs to get started. So a universal service catalog, providing this functionality, should be available.
By introducing a service catalog shared across tenants, a lot of maintenance effort can be saved. This ties back into the first statement as well: as few as possible.
On the other hand, there might be application services or special XaaS offerings, which are only valid for one department, or even a group in a department. Therefore these groups can be entitled separately to a service catalog to ensure that no one else can access these catalogs.
An example for that can be super users, who might have the permission to reset another account's password using the self-service portal. First, only these users should be entitled to such a kind of service catalog. Second, these might be very special operations per division, so also the catalog and content might be different from other departments/tenants.
Choose a descriptive and short name
It is also good to name the catalog according to its functionalities and the services it contains. This is like the department in a grocery market: Butcher and Meat will contain exactly this, while Bakery and Cakes will contain different objects for the customers.
This should be one of the key principles when creating catalogs. IaaS should contain all IaaS-relevant services, but nothing else. If this is mixed with some application installation service, it might become very difficult for the user to find the right catalog.
It is a good trick to imagine being a user and clicking through the available catalogs. If there is something unclear, a rethink of the catalog design might be useful. Today's users are very used to that concept, given that Amazon will always display Blu-rays by clicking on the respective category. The same user expectations will be present for an internal SDDC. If someone clicks on IaaS, the catalog should contain only infrastructure-related services.
Outcome-oriented versus technology-oriented
A perfect self-service portal delivers outcome-oriented, instead of technology-oriented services. This is often difficult for very technically focused specialists since their world is all about the OS, the application, the middleware, and so on.
However, for a business user, it is all about getting the support for the business, which is needed. So the ugly truth is: They do not care the slightest about the underlying OS, they also probably do not care about the DB version or if it is using Java or PHP to display any content. For a business user, all that counts is the outcome. In this case, a ready to use application supporting them with their requirements.
Know your audience
Therefore, the service catalog should also be created with the end user group in mind. For a more tech-savvy audience, an IaaS catalog might be fine.
In this case, it could probably simply be named IaaS and could contain items like:
LAMP Stack (Linux + MySQL + Apache + PHP is usually called LAMP).
Windows server 2012 R2
CentOS 7.1
For administrators or a more technology-focused audience such as operators, possibly all they really need is an OS or a bit of software deployed on an OS to fulfill their requirements. In this case, such a catalog would be fine, the audience will expect this. Most of the SDDC projects are run and used by a tech-savvy audience, so often the services look like this.
For a more business-oriented audience, the service catalog might look totally different. All the tools will still be contained in the blueprint, but this time the requestor is more interested in the outcome, which is the final service to be used.
A silly example could be deploying WordPress. The user might not be interested in the version of WordPress nor in the OS or the used database. The important delivery is the application itself and that it is fully up and usable after it has been requested. Another example is the app store of a mobile device. None of the users asks themselves: Are they running a Solaris web farm to support Angry Bird?
All they care about is the outcome, which is the app running on their device fulfilling its purpose.
Based on that, a catalog for business-oriented users also needs to serve their needs and meet their expectations. They will expect applications like:
External consumer portal environment
Business application XYZ
Customer order portal extension
The title of the service blueprints should reveal its outcome/purpose. If the business needs to extend the consumer portal environment, they might look for a service to order to do so. If they want to deploy application XYZ it might help to name the service exactly like the wanted application.
Service catalog creation in vRA
This part of the chapter will describe in detail how to create and manage a service catalog in vRealize Automation. Based on the previous descriptions, it will create a sample catalog and explain how to populate it with services. Also, multimachine and PaaS services will be described in more detail.
First step: Creating the catalog
In vRealize Automation, the service catalog creation is done under the Administration tab. This tab is only visible to a service administrator, a tenant administrator, or the vRA system administrator. To start with the catalog creation, it is important to have a user with the relevant privileges for it.
1. Open vRealize Automation in a browser, log on with a privileged user and click on the Administration tab.
2. In the right-hand menu select Catalog Management. This will open another menu where four possible selections are presented:
  Services: This menu contains the actual catalogs or category names in vRA. In here, new categories can be created. Also, all the items of existing services can be managed using this entry point.
  Catalog Items: This shows a list of possible catalog items, also called blueprints. Not all blueprints in here can be published to a service. The exception, which can't be published to a service, is the so-called software service. These are packages to be used in a blueprint to install and configure software directly onto a VM.
  Actions: These are elements which can be entitled to a service catalog item to execute specific functions. There are management and maintenance actions like power cycling a deployment/VM. But there are also destroy or reprovision actions, which can be assigned.
3. To add a new service click on the button labeled New. This will open an entry mask where the new service can be described:
  1. Provide a valid service name such as Business Applications.
  2. Provide an optional description.
  3. An icon can be chosen to represent the service. If there is a familiar icon available which is already used and known, it is highly recommended to reuse it.
  4. The service status: this can be Active, Inactive or Deleted. A service can be set to inactive in order to provide maintenance or to change its content. Also, if a service is not needed any longer it can be set to Deleted. This will make the service unavailable to any users, but it will still remain in the service menu.
  5. Also, operational hours can be provided. If this is a fully automated service, that might not be useful. However, if it requires manual intervention, operational hours can tell a user at which time the request is going to be processed.
  6. Owner: The owner/manager/administrator of the server. It is typically a managerial role who also owns services in vRA.
  7. Support Team: That can be a team of operational admins or designers responsible for supporting the blueprints as well as the installed components.
  8. The Change Window is a time frame in which the catalog is being maintained and updated. It can be predefined and is displayed in an info box for the catalog users. Within a change window, a user cannot order catalog items.
4. If all information is correct click OK to create the service. It will then appear in the list of services. As long as there are no items entitled to this service, it will not show up in the user's catalog.
Second step: Publishing catalog items
In Chapter 5, VMware vRealize Automation, the creation of a blueprint was described in some detail. At the end of the chapter, it also covered briefly how to deploy a blueprint to an already created catalog. Basically, all published blueprints will show up as potential catalog items. The following steps will describe how to add a blueprint to a service.
1. While still in the administration menu with Catalog Management selected, click on Catalog Items in the left-hand side menu pane.
2. Select either a line of a catalog item or click on its name to configure it.
3. In the opened configuration screen, provide the following details:
  Icon: Same principle as with the service catalog.
  Status: It can either be Active or Inactive. Catalog items can be set to inactive while developers add some work or test a new configuration. If set to inactive, it will disappear from the user's service catalog until it is set to active again.
  Quota: This can limit the number of deployments per user or group. Typically quotas are also set at the reservation level. If there is a need for a quota, it is recommended to set it at one level.
Note
There are many parameters in vRA which can be set on different access levels. Sometimes it is wise to set a parameter at the lowest level (individual); sometimes it is required to set it at a higher level, to ensure every deployment follows the same rules. However, be aware that setting different parameters for the same configuration is also possible in vRA. The system will try to join these settings to avoid conflicts.
4. At the very bottom, the Service can be selected. This will then add the catalog item to the selected service. Also, once the service contains items it will eventually appear in a user's catalog overview. However, before a user can see a catalog to choose from, it needs to be entitled to the user or the group.
5. New and noteworthy will mark a new service catalog item for users and make it appear on their home screen in vRA.
6. Click OK to save and add the item to the selected catalog.
7. Once the service has been created and items have been published to the service, it is time for the next step: to make it all available to a selected business group (or multiple business groups).
Third step: Entitling a service
In vRA, a service needs to be entitled to a business group in order to be visible to the users of this business group or tenant. An entitlement contains more than just the mapping of a service to a user. It can also be used to define the required approval policies for a service, as well as the available actions a user could perform on a published resource out of this service catalog.
To add or edit an entitlement follow these steps:
1. While still in the administration menu with Catalog Management selected, click on Entitlements in the left-hand side menu pane.
2. Either choose an existing one or click on the button labeled New at the top of the list to create a new entitlement.
Note
Entitlements are bound to a business group. While a service can be part of many different entitlements simultaneously, an entitlement is always set to one single business group. However, the same business group can have multiple different entitlements. This can be used to provide users of one business group different services with different security access profiles.
3. Start by providing a descriptive name and a description.
4. Entitlements can have an expiration date. If this is set, the entitlement will change its state from active to inactive automatically. If an entitlement is inactive, the user access to contained services is revoked.
5. Set the status to Active.
An entitlement can have three state values:
  Active: The entitlement is usable and users can request its contained services.
  Inactive: The entitlement is not usable; users can't request its contained services. The entitlement was once active before it was set to inactive either by a user or an expiration date.
  Draft: The entitlement is in draft state. Users cannot request services used in this entitlement. The entitlement was never active before. Once an entitlement has been set to active it cannot be set back into the draft status.
6. Select the business group which should be added to the entitlement. This selection cannot be changed afterward.
7. On the right side of this menu, the users of the business group can be added. Use the search field to look for specific users or groups. Also, be aware that only users who are members of the selected business group should be added.
8. Once the users and the business group are set, click on Next at the bottom right corner of the screen.
9. This opens the Items and Approvals tab where the services or specific service items can be added to the entitlement.
10. Under Entitled Services choose the services which should be part of this entitlement. Also, an appropriate approval policy can be chosen for the entire service. If a separate approval policy is required for a distinct item, use the plus sign at Entitled Items to add the item and choose a different approval policy.
Note
If only the service is selected, the selected approval policy is relevant for all its items. If special items require additional approval policies, they can be added at the Entitled Items section. If any item is added, it will overrule the service's Approval Policy setting. Often users double-entitle and choose the service plus all its items. In this case, if no approval policy is selected at the items, the approval policy selected at the entitled service will not be used for the additionally selected items.
11. The Entitled Actions section at the far right can also add additional approval policies for separate actions. This might be necessary for the destroy action, in order to prevent a user from accidentally deleting a deployment. But other actions can also be configured with an approval. This depends on the use case and how the SDDC is operated.
12. Once all is set click on Finish to save the entitlement. If all settings are correct, the users of the selected user group should now be able to order services using the service catalog under their Catalog tab.
13. This is the final result: the user can see the catalog named Business Applications and can order a service. In this case, it is not really a business application, it is more IaaS only. In order to change that, the next section will describe how to set up an example LAMP stack which reflects a basic DB/web server application stack.
Multimachine blueprint design example
Creating a blueprint for a single VM containing just the OS is one thing. But the real value comes with blueprints containing multiple VMs and also preinstalling a complete application landscape, all on demand. These are the high-value services in a catalog, since the user can request an outcome: a ready-to-use application, typically fully integrated into the environment.
However, these are also the complex designs and configurations. They need multiple networks (possibly also NSX), and they require user-settable parameters which might be passed from one software tool to another. If there is a client-server connection involved, as in a DB-to-app-server relationship, the IP or hostname needs to be configured in the application VM; otherwise, it can't access the DB. Users and software configs need to be set, and OS security settings need to be changed.
Before a valid multimachine blueprint design can be started, it is important to understand all the important basics of vRealize Automation blueprinting:
  How to use templates
  How to use workflow subscriptions (if any)
  How to use network integration
  How to work with properties
All those aspects have been discussed in the former chapters to provide this background for a multimachine blueprint creation. This section will now go into the details and discuss how to build a basic LAMP stack with a working app-to-DB connection. It will be an example setup but provides all the necessary steps required to design a real application with a client-server relationship.
Software components
vRA software can be organized into so-called software components. They basically represent software components usable in blueprints. Typically, the software is installed using industry standard scripts. Also, the software might be downloaded from a central repository instead of copied onto any of the vRealize components.
vRA allows managing three categories, also called Containers, of software components:
  Machine: This type can be installed on top of VMs. It should be used for base software which does not require any other software to be installed prior to its installation. Examples in the Linux world are Apache (httpd), MySQL, PostgreSQL, or other standalone components.
  Software Component: This means that this component can only be installed on top of other software components. It cannot natively run on a naked system without any other software component installed. Basic examples for this might be PHP (makes more sense if httpd is already installed), SQL scripts to set up a DB, Java programs which require Java to be installed, and so on.
  Specific Component: This is a special container. In this case, one can choose an individual software component. The new component can then only be installed on top of that specific component. Examples for this might be:
    A PHP script to set up .php pages. It makes sense to let this only install if PHP is installed first (not just any software component)
    A specific SQL script for MySQL or PostgreSQL
    Any tool which specifically requires other named components
Besides these three container versions, a Software Component also contains Properties. These can be either user settable during the request, or static in order to standardize the installation. Using these properties in a smart way will reduce the amount of maintenance a software component needs. A good example is variable values, for instance, if a certain username is used for accessing the DB and the user changes over time. Instead of changing the Actions, all a designer needs to change is the Properties and that's it. This is much like script variables used in huge batch scripts: instead of searching the whole script for data, all that needs to change is the variable at the beginning.
However, these properties also have a second, much more important role. They can also receive information from other components, like an IP address from another VM in the blueprint, or a string like a username or a password. This is called parameter binding. It will be used in multimachine blueprints to convey information from one component to the other.
Finally, a Software Component has Actions. These are basically scripting blocks. Each component will have four different types:
  Install: Used to do the primary install of the component
  Configure: Used for configuring the component after the first install
  Start: Brings the application up for the first time
  Uninstall: Removes the application from the system
While it does make sense to follow this guide, it is not required. A software component can also have only an Install action set, without the other three, and still work. However, it has to have at least the Install type set.
To actually install and set up the software, scripts are used. vRA supports the three industry standards for Windows and Linux: Bash, CMD, and PowerShell.
However, vRA will not be aware where the component is being used and using bash for installing a windows component will obviously fail. The scripting language has to be available on the target system. However, vRA will prevent designers from using CMD or PowerShell items on Linux systems and vice versa.
The support of these standards is actually good news. Since a lot of organizations might have already used scripting to some extent to automate their software deployment, these scripts can now be reused for the SDDC.
The scripts will be run using the Guest agent. This agent should be installed on every Windows and Linux template and it should be able to reach the DEM (IaaS server).
Note
The IaaS server reach is very important when deploying a template in an external network. If the IaaS server cannot reach the VM/its Guest agent, the software component cannot be installed.
A trick might be to put the VM in an installation network and move it after the install was successful. Another is to make sure that the DEM worker can be reached from all VM networks through secure routing. But this can be tricky in a DMZ environment. The Guest and the IaaS server use port 443 (SSL) to communicate with each other.
Sample application design
Based on all this information a sample application design can be created. The scenario is a simple LAMP stack based on CentOS. It will have two VMs, one in a different network than the other. However, the VMs can reach each other through secure routing.
One VM will be a MySQL DB server with a database scheme to be installed containing the installation timestamp. The other VM will be a web/app server with Apache and PHP installed. It will run a PHP script, which will query the DB server and display the installation timestamp from the DB server, as well as its current time.
The application will be created for an example organization called Flexible Software Tools Industries. This organization will be called FSTIndustries from now on.
While this might sound super simple, it will require a lot of techniques used for much more complex deployments. The main difference in this scenario is the easy scripts and the light setup. But all the steps will be similar for other applications.
Defining the components
To start with the application, all the software components have to be designed and created. In order to create the software components follow these steps.
Apache web server
The first software component to create is Apache. Since this component will not need any parameter to install successfully, it is rather quick to define.
1. Open vRealize Automation in a browser, log on with a privileged user and click on the Design tab.
2. In the left-hand side menu click on Software Components.
  1. Put in Apache as name; the ID will be created automatically.
  2. Provide a valid description such as: Installs Apache on a Red Hat based Linux machine.
Note
It is helpful to disclose the OS type. Since everything works using scripts, there might be differences between Linux distributions. A Red Hat-oriented script will not work on Ubuntu and vice versa.
  3. Choose a container. In this case, the container should be of the type Machine.
  4. Click Next at the bottom right corner to get to the Properties screen.
     This application is installing plain Apache (httpd) on top of Linux. For this task, no properties will be needed.
  5. Click Next at the bottom right corner to access the Actions screen.
  6. At the Install stage, select Bash and click on Click here to edit.
    1. In the Editor window, put in the following bash script:
#!/bin/bash
Log=/tmp/httpd-install.log
# Install the server bits
/bin/echo "Start Installation of httpd" >> $Log 2>&1
/usr/bin/yum -y install httpd >> $Log 2>&1
# Mark the server to start in the select runlevels
echo "Setting the runlevel..." >> $Log 2>&1
/sbin/chkconfig --levels 235 httpd on >> $Log 2>&1
echo "Apache installation is complete now." >> $Log 2>&1
/sbin/service httpd start
Note
This requires a functional YUM server to be reachable, either through the internet or from a local repository. Typically, organizations do have local YUM repository servers to manage their CentOS/Red Hat farm.
    2. Since this is just a small Linux package, the start command will be used within the install script.
  7. Click on OK and then on Next to continue to the Ready to complete screen.
  8. Review the information and click Finish to create the software component.
  9. In the list overview, select the line of the new Apache component and click on Publish in the head row. Otherwise, the component can't be selected within a blueprint.
  10. If all that was successful, the new software component will be available.
PHP web component
The next software component to create is PHP. This will require Apache to be present in order to work properly, so the container setting will become much more relevant for PHP.
1. Repeat all steps from the Apache component for PHP until step 3.
2. For Container click the drop-down and select Apache.
   PHP can now only be installed if Apache is also used within the VM.
3. Click Next to get to the Properties screen.
   No properties are required for this component.
4. Click Next at the bottom right corner to access the Actions screen.
5. At the Install stage, select Bash and click on Click here to edit.
   In the Editor window, put in the following Bash script:
#!/bin/bash
Log=/tmp/php-install.log
# Install the php bits
/bin/echo "Start Installation of php" >> $Log 2>&1
/usr/bin/yum -y install php-mysql php-devel php-gd php-pecl-memcache \
php-pspell php-snmp php-xmlrpc php-xml >> $Log 2>&1
echo "Setting the runlevel..." >> $Log 2>&1
echo "PhP installation is complete now." >> $Log 2>&1
6. At the Configure stage, select Bash and click on Click here to edit.
   In the Editor window, put in the following Bash script:
#!/bin/bash
Log=/tmp/php-config.log
# Config the php bits
/bin/echo "Restart Webserver" >> $Log 2>&1
/sbin/service httpd restart >> $Log 2>&1
echo "PhP configuration is complete now." >> $Log 2>&1
7. Beginning from step 7 as described in the Apache install, complete those for this component too. Don't forget to publish!
MySQL web component
The next software component to create is MySQL. This will require no other components to be present in order to work properly, so the container setting will be Machine again. It is recommended to use MySQL as name and give the same description as with the former components.
1. Repeat all steps from the Apache component for MySQL until step 6.
2. At the Install stage, select Bash and click on Click here to edit.
   In the Editor window, put in the following bash script:
#!/bin/bash
# Update the system prior to perform installation
Log=/tmp/mysql-install.log
echo "Start update" > $Log 2>&1
# Install the server bits
/bin/echo "Start Installation of mysql" >> $Log 2>&1
/usr/bin/yum -y install mysql-server >> $Log 2>&1
# Mark the server to start in the select runlevels
echo "Setting the runlevel..." >> $Log 2>&1
/sbin/chkconfig --levels 235 mysqld on >> $Log 2>&1
echo "MySQL installation is complete now." >> $Log 2>&1
/sbin/service mysqld start
   Since this is similar to the Apache install, the start command will be used within the install script.
3. Beginning from step 7 as described in the Apache install, complete all those for this component too. Don't forget to publish!
FSTIndustries web component
The next software component to create is the FSTIndustries web component. This will require PHP to be present in order to work properly, so the container setting will be PHP again. It is recommended to use FSTIndustries_WebComponent as name and give the same description as with the former components. This component will install/create a .php script to access the DB and query the table containing the timestamp:
1. Open vRealize Automation in a browser, log on with a privileged user and click on the Design tab.
2. In the left-hand side menu, click on Software Components.
  1. Put in FSTIndustries_WebComponent as name; the ID will be created automatically.
  2. Provide a valid description such as: Installs on a Red Hat based Linux machine with PHP already present.
  3. Choose a container. In this case, the container must be of the type PHP.
  4. Click Next at the bottom right corner to get to the Properties screen.
     This component requires properties to run. In order to query the DB a couple of variables need to be present:
    1. Click on New and create a property called DB_Username with a type of String. Override and Required should be ticked.
    2. Click on New and create a property called DB_Address with a type of String. Override and Required should be ticked.
    3. Click on New and create a property called DB_Password with a type of Secure String. Encrypted, Override, and Required should be ticked.
    4. Click on New and create a property called DB_Name with a type of String. Override and Required should be ticked.
    5. Do not put values in these variables.
  5. Click Next at the bottom right corner to access the Actions screen.
  6. At the Install stage, select Bash and click on Click here to edit.
     In the Editor window, put in the following Bash script:
#!/bin/bash
# Create the php file on demand
# (the mysql_* PHP API used below exists in PHP 5.x only; it was removed in PHP 7)
touch /var/www/html/index.php
FILE=/var/www/html/index.php
cat > $FILE <<-EOM
<?php
\$dbhost = "$DB_Address";
\$dbuser = "$DB_Username";
\$dbpass = "$DB_Password";
\$dbname = "$DB_Name";
\$conn = mysql_connect(\$dbhost, \$dbuser, \$dbpass);
if (!\$conn) {
die('Could not connect: ' . mysql_error());
}
\$sql = 'SELECT * FROM FST_Install';
@mysql_select_db(\$dbname) or die("Unable to select database");
\$retval = mysql_query(\$sql, \$conn);
if (!\$retval) {
die('Could not get data: ' . mysql_error());
}
while (\$row = mysql_fetch_array(\$retval, MYSQL_NUM)) {
echo "ID: {\$row[0]} <br> ".
"Data: {\$row[1]} <br> ".
"Setup Timestamp: {\$row[2]} <br> ".
"--------------------------------<br>";
}
mysql_free_result(\$retval);
echo "Fetched data successfully\\n";
echo "\\nCurrent time: " . date('l jS \\of F Y h:i:s A');
mysql_close(\$conn);
?>
EOM
  7. At the Configure stage, select Bash and click on Click here to edit.
     In the Editor window, put in the following Bash script:
#!/bin/bash
# Turn off firewall to enable webserver access
echo "Configuring firewall to allow HTTPD access"
/sbin/service iptables stop
# Set SELinux to allow httpd db connects
echo "Setting SELinux to allow DB connects"
/usr/sbin/setsebool -P httpd_can_network_connect_db=1
Note
This is for test/demo purposes only. In a production environment, it is strongly recommended to set the right firewall rule using the iptables command!
  8. Beginning from step 7 as described in the Apache install, complete all those for this component too. Don't forget to publish!
FSTIndustries DB component
The next software component to create is the FSTIndustries DB component. This will require MySQL to be present in order to work properly, so the container setting will be MySQL. It is recommended to use FSTIndustries_DBComponent as name and give the same description as with the former components. This component will install/create a SQL script to create a DB and a table containing the installation timestamp information:
1. Open vRealize Automation in a browser, log on with a privileged user and click on the Design tab.
2. In the left-hand side menu click on Software Components.
  1. Put in FSTIndustries_DBComponent as name; the ID will be created automatically.
  2. Provide a valid description such as: Installs on a Red Hat based Linux machine with PHP already present.
  3. Choose a container. In this case, the container must be of the type MySQL.
  4. Click Next at the bottom right corner to get to the Properties screen.
     This component requires properties to run. In order to query the DB a couple of variables need to be present:
    1. Click on New and create a property called DB_Username with a type of String. Override and Required should be ticked.
    2. Click on New and create a property called DB_Password with a type of Secure String. Encrypted, Override, and Required should be ticked.
    3. Click on New and create a property called DB_Name with a type of String. Override and Required should be ticked.
    4. In this case, default values can be put in such as: dbadmin (USER), dbadmin (PWD), FST_DB (DB Name).
Note
It is not recommended to use the same password as the username in a production environment; this is just for test purposes!
  5. Click Next at the bottom right corner to access the Actions screen.
  6. At the Install stage, select Bash and click on Click here to edit.
     In the Editor window, put in the following Bash script:
#!/bin/bash
Log=/tmp/FST-configure.log
MYSQL=/usr/bin/mysql
/bin/echo "Creating DB with the name $DB_Name with user $DB_Username accessing it" >> $Log 2>&1
$MYSQL -uroot -e "CREATE DATABASE IF NOT EXISTS $DB_Name;"
#$MYSQL -uroot -e "CREATE USER '$DB_Username'@'%' IDENTIFIED BY '$DB_Password';"
$MYSQL -uroot -e "GRANT ALL ON $DB_Name.* TO '$DB_Username'@'%' IDENTIFIED BY '$DB_Password';"
$MYSQL -uroot -e "FLUSH PRIVILEGES;"
# create the sql content file
/bin/touch /tmp/sqlcommand.sql
T1=/tmp/sqlcommand.sql
/bin/cat > $T1 <<-EOM
use $DB_Name;
CREATE TABLE FST_Install (id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
data VARCHAR(100), created_at TIMESTAMP(8));
INSERT INTO FST_Install (data)
VALUES ('The time of creation is: ');
EOM
/bin/echo "Creating Timestamp table using sql file stored at $T1" >> $Log 2>&1
$MYSQL -uroot < $T1
/bin/echo "Finished configuring FST $DB_Name with $DB_Username accessing it" >> $Log 2>&1
#/bin/rm $T1
  7. At the Configure stage, select Bash and click on Click here to edit.
     In the Editor window, put in the following Bash script:
#!/bin/bash
# Turn off iptables for app server access
/sbin/service iptables stop
Note
This is for test/demo purposes only. In a production environment, it is strongly recommended to set the right firewall rule using the iptables command!
  8. Beginning from step 7 as described in the Apache install, complete all those for this component too. Don't forget to publish!
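One way to follow the production advice in the two firewall notes above, as an added example that is not from the book: a Configure action that opens one port to one source network instead of stopping iptables. The WEB_Subnet property, the sample networks and the function names are assumptions; the service handling follows the /sbin/service iptables style of the scripts above.

```shell
#!/bin/sh
# Added example (not from the book): open a single port to a single source
# network instead of running "service iptables stop" in the Configure action.
LC_ALL=C; export LC_ALL

# Return 0 if $1 is an IPv4 network in CIDR form, e.g. 10.10.20.0/24.
valid_ipv4_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    bits=${1##*/}
    # Prefix length: one or two digits, at most 32.
    case $bits in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    # Address: digits and single dots only, then exactly four octets <= 255.
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables command for a role. $1 = web|db, $2 = allowed source.
fw_rule() {
    case $1 in
        web) port=80 ;;     # Apache on WEB_Server
        db)  port=3306 ;;   # MySQL on DB_Server
        *)   echo "unknown role: $1" >&2; return 1 ;;
    esac
    valid_ipv4_cidr "$2" || { echo "invalid source network: $2" >&2; return 1; }
    printf '%s\n' "/sbin/iptables -I INPUT -p tcp -s $2 --dport $port -m state --state NEW -j ACCEPT"
}

# Apply the rule only when APPLY=1 (needs root on the guest); otherwise
# print it so the action can be reviewed first.
configure_firewall() {
    rule=$(fw_rule "$1" "$2") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        $rule || return 1
        /sbin/service iptables save   # persist the rule across reboots
    else
        printf '%s\n' "$rule"
    fi
}

# Constructed sample values. WEB_Subnet is a hypothetical property holding
# the network of the web tier; 0.0.0.0/0 opens HTTP to every client.
WEB_Subnet=${WEB_Subnet:-10.10.20.0/24}
configure_firewall db "$WEB_Subnet"
configure_firewall web 0.0.0.0/0
```

Run without APPLY=1, the script only prints the two rules, which makes it easy to review what a blueprint would change on the guest.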
If all the components are defined the Software Components screen should look like this:
Defining the blueprint
After all the components are created and defined, the multi-machine blueprint can be created. This is done similarly to the blueprint creation described in Chapter 5, VMware vRealize Automation, under Create the IaaS blueprint.
Follow the same steps as in the IaaS example. The only difference is that this blueprint will have two virtual machines. Also, it will require two different networks. These networks should have a network profile attached and should be preset.
Once all this is done, the software components need to be included in the blueprint. These are the steps required to complete this:
1. In the design canvas, select Software Components. This will bring up the list of defined and published components to be installed.
2. Drag and drop Apache on the web server VM. Make sure to name the VMs accordingly to be able to distinguish between DB_Server and WEB_Server.
3. Drag and drop PHP on top of Apache (it will not work on other components, given the container type is Apache).
4. Drag and drop the FSTIndustries web component on top of PHP.
5. Assign MySQL to the database server.
6. Finally, choose the FST DB component and drop it on top of MySQL on the DB server.
7. There is only one minor step left to complete the blueprint. Somehow the web server should be aware of the IP and access rights of the DB server. This is where the property binding kicks in.
8. When creating the FST components, properties have been created. The DB component has username, DB name, and password with preset values. These will show up as default values once a user orders the service. The WEB component has the same properties without default values.
9. In vRA there is a function called binding in order to get information from one component property and link it to a property of another.
In order to activate the binding for the web component, click on the component in the canvas. At the component overview, click on the Properties tab.
This will bring up the list of the previously defined properties. Next to the Value column there is a column called Binding.
  1. Select the Username line and then click on the Edit button.
  2. In the value field, use the down arrow key to get a list of available components.
  3. Select the FST DB component.
  4. Use the ~ sign to access the properties of the selected component.
  5. Select DB_Username and click OK.
  6. Repeat this for the DB_Password and DB_Name line.
  7. At the DB_Address line, select _resource~DB_Server~ip_address. This will add the new IP address from the created DB server as value into the property for the FST web component.
  8. After all components are set to the appropriate server VM, use the relationship handle (little dot icon at the top left of the VM) to draw it from the web server to the DB server. That will ensure that the DB server is set up prior to the web server.
  9. If all this was successful the blueprint can be published to a catalog as described earlier in this chapter. The user can now request this application and even set DB name, DB admin, and DB password.
This is the screen a user will see when ordering this service. Once the user clicks Submit the system will set up the two VMs using the VM templates and install all the software components using the scripts provided. The application will come up and running, just waiting for the user to explore it.
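Because the requester can set DB_Name, DB_Username and DB_Password, and the FSTIndustries_DBComponent Install script places those values in statements run as the MySQL root user, the values should be checked before they are used. The following added example (not from the book) shows one way to do that in the Install action; the function names, length limits and sample values are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): validate request-time properties
# before they reach statements run as the MySQL root user.
LC_ALL=C; export LC_ALL

# Accept only [A-Za-z_][A-Za-z0-9_]* with at most $2 characters.
valid_ident() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le "$2" ]
}

# Escape a value for use inside a single-quoted MySQL string literal:
# backslash becomes \\ and a single quote becomes ''.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Build the statements of the Install action and fail closed on bad input.
# $1 = DB_Name, $2 = DB_Username, $3 = DB_Password
build_db_sql() {
    # 64 is the MySQL limit for database names; 16 is the user-name limit
    # of older MySQL 5.x releases, used here as the stricter bound.
    valid_ident "$1" 64 || { echo "DB_Name rejected" >&2; return 1; }
    valid_ident "$2" 16 || { echo "DB_Username rejected" >&2; return 1; }
    [ -n "$3" ] || { echo "DB_Password is empty" >&2; return 1; }
    pw=$(sql_quote "$3")
    cat <<EOM
CREATE DATABASE IF NOT EXISTS \`$1\`;
GRANT ALL ON \`$1\`.* TO '$2'@'%' IDENTIFIED BY '$pw';
FLUSH PRIVILEGES;
EOM
}

# Constructed sample values; in the Install action these come from the
# component properties. With RUN_MYSQL=1 the SQL is piped to mysql on
# stdin, so the password does not appear in the process list.
sample_pw="ex'ample-pw"
DB_Name=${DB_Name:-FST_DB}
DB_Username=${DB_Username:-dbadmin}
DB_Password=${DB_Password:-$sample_pw}
if sql=$(build_db_sql "$DB_Name" "$DB_Username" "$DB_Password"); then
    if [ "${RUN_MYSQL:-0}" = 1 ]; then
        printf '%s\n' "$sql" | /usr/bin/mysql -uroot
    else
        printf '%s\n' "$sql"
    fi
else
    exit 1
fi
```

The same property values are also written into index.php by the web component, so a stricter character set for DB_Password may be needed there as well.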
Summary
This chapter described the basic catalog design as well as the different catalog types. The business case and the expectations are the main drivers for filling a catalog with the right services. Also, the difference between technology-focused and outcome-focused catalogs has been described. The main part described how to set up and create an outcome-focused blueprint in vRA which will provide a fully running service on demand.
In the next chapter, the focus will be on network virtualization. This is a huge topic in an SDDC since it can enhance flexibility and security aspects of a data center. Nevertheless, it will also increase complexity since it adds another layer to take care of. The chapter will discuss NSX basics and describe its main functions and features. Furthermore, it will describe how to include NSX networks in blueprints and how to create on-demand networks while provisioning VM resources.
Chapter 8. Network Virtualization using NSX
This chapter will focus on the network virtualization technologies available for the VMware SDDC. Network virtualization is a new topic that has become important for the agile and flexible data center. When deploying services, the network part is often crucial since there are various security requirements that need to be met with an application. Also, there might be pre-existing network requirements that need to be fulfilled when porting the application to the environment. Finally, it will harm the overall agility if the whole OS deployment and storage deployment can be done automatically, but the network part still requires human interaction. A true end-to-end automation is not quite possible without network virtualization. If it is not in place, it may cause delays and even roadblocks in SDDC projects.
This chapter will require basic network knowledge since some medium to advanced network configuration will be discussed in here. It will not provide basic training about network techniques. It is highly recommended to be familiar with the most common network terms and functions before introducing NSX into a data center. Also, VMware offers its own certifications and trainings for NSX in order to be able to deploy and manage it. It is highly recommended to take such a class before starting with an NSX production deployment.
Furthermore, the chapter will discuss network virtualization principles and its main use cases. Also, it will explain how a virtualized network works and what benefits it has to offer for the SDDC. Furthermore, there will be example configurations to explain how to combine NSX with vRealize and create on-demand blueprints using some of NSX's advanced features to create complex yet easy-to-order blueprints, providing advanced network security and availability.
However, this is a basic introduction to NSX and its capabilities. There are some advanced functionalities such as security profiles, security tags, and the integration of third-party vendors directly into NSX, which would be simply too much to cover in this chapter. For more information about these functionalities, please make sure to visit VMware's website for the advanced NSX documentation.
The following topics will be discussed in greater detail:
  Network virtualization 101
  NSX functions and principles
  Terminology and best practices
  Basic NSX installation and configuration
  Connecting NSX with vRealize Automation
  Using NSX in vRealize blueprints
  Using vRA for network creation on-demand
Network Virtualization 101
Network virtualization is perhaps the newest member of the data center virtualization family. After compute virtualization (VMware vSphere) and storage virtualization (from various storage vendors such as IBM, Hitachi Data Systems and DataCore to name a few), it is adding additional functions and features to the network segment. NSX enables similar things for networking as ESX/vSphere has enabled for compute. It creates an abstraction layer that enables various network functions to run on top of any physical switch hardware/vendor. This is a highly disruptive technology, which changes the entire networking sector, just as compute virtualization once did when VMware introduced it in the early 2000s.
The image displays a comparison between compute virtualization and network virtualization. Although these concepts are quite different, they share some common ground, which is worth highlighting in order to understand the technology.
Both concepts introduce different layers of abstraction. At the bottom, there is the physical infrastructure, which becomes interchangeable due to virtualization. VMware's vSphere can run on virtually any supported hardware. NSX can run on any vendor's physical network switches.
The abstraction layer is the software component. For compute that is what vSphere is, for network this is what NSX delivers.
In the compute world, the container layer is where VMs are created to act as virtual infrastructure for operating systems. In the NSX world, this would be VXLAN to act as virtual infrastructure for virtual networks. So, VXLAN can be seen as the container for the virtual networks created. It is also referred to as the overlay network.
In compute, the workload layer sits above the container and is the space where the OS and applications run. In the virtual network world, this is the advanced functionality NSX brings to the table such as microsegmentation, advanced access control, and other features only available in network virtualization. It is another layer of granularity to control network flow and security aspects.
In fact it might be a bit simplistic to compare it directly to compute virtualization, but its basic deliverables tend to be similar:
Decouple advanced functionality from hardware vendors. Comparison: A VM can run on any hypervisor on any supported vendor's hardware.
Move network configurations between network devices seamlessly and transparently. Comparison: A VM can be vMotioned from one supported server vendor to the other (given the architecture is similar).
Make a migration easy by bridging virtual to physical networks. Comparison: A physical server can be virtualized by using a P2V (physical to virtual) converter.
Additional functions, only possible on virtual networks (VM security policies, VM-to-VM firewall rules, VM-to-VM routing and access, high availability, and so on).
Comparison: VM Cloning, vMotion, Snapshots, HA, and so on. Functions that have been introduced by vSphere and have enhanced the way to run servers and applications ever since.
A big advantage is also microsegmentation, which is a way to secure two workloads even if they reside in the same network within the same subnet.
Comparison: Many VMs can run on the same ESXi host, but they are truly isolated from each other.
This list is by far not complete and should help to understand the basic offerings compared with compute virtualization. Naturally, there are features provided by network virtualization which lack a compute counterpart.
Besides the nice and new features network virtualization adds, it is actually required to build a truly automated and agile data center. Without network virtualization, things can get so complex that they are pretty hard to handle. So, it is more than just a nice to have, it can be a requirement for a successful SDDC. Before we can explore why network virtualization is such a game changer, it might be worth recapping traditional networking.
Current networking infrastructures
First of all, it is important to have a basic understanding of how networking works today. There is a basic model to distinguish different traffic types and their functionalities. This model is called the OSI 7 layer model and explains the various different protocols and traffic types used in networking. Since a fair share of this chapter will mention these layers, it is worthwhile recapping what each layer stands for in networking:
Layer | Protocol data unit | Function/examples
Layer 1 | Bit | Physical connection: Cable/NIC/DSL/ISDN
Layer 2 | Frame | Transmission layers: MAC, LLTP, L2TP, PPP, MPLS, and so on
Layer 3 | Packet | Multinode network structure: IPv4, IPv6, ICMP, IPSec, CLNP, and DDP
Layer 4 | Segment (TCP) / datagram (UDP) | Transmission of segments: TCP, UDP, and NBF
Layer 5 | Data | Session management: RPC, SCP, and PAP
Layer 6 | Data | Presentation/Translation between network and application: S/MIME, TLS
Layer 7 | Data | High-level APIs: HTTP, HTTPS, NFS, FTP, Telnet, SMTP, SSH, and so on
Note
Network admins often refer to these layers when it comes to certain functionalities. If not already familiar, it is recommended to read more about the OSI model to better understand how networking works and what the different layers provide.
Typically, a data center today has one of the two possible network architectures applied:
Central L2 design using network core switches that route all network traffic through the entire data center (typically 2 HA-enabled core switches)
This means that all networks and traffic are routed through the core switch, making it the most important component in the entire organization. If the core switch goes down for some reason, the entire company will be cut off the network and possibly any external access as well.
However, it also means that networks can be stretched across many different switches and endpoints. Stretched L2 networking is used to have the same IP subnet in two different data centers, to enable applications to run on either side without re-IPing them. In Europe, this flexibility became almost standard over the last years when it came to VMware deployments using shared storage between two data centers (Storage Metro Cluster). To enable VMs to roam freely between these two sides, the IP segment has to be the same. An IP change after a vMotion would break most of the applications, making the benefit of vMotion disappear.
This is why most organizations started to create huge L2 network installations. However, such an L2 installation has not only benefits; there are also drawbacks and risks, especially with large L2 architectures, making the network somewhat weak and fragile.
One of the most dangerous things is possibly a broadcast storm affecting more and more networks through the core switch. Broadcast storms can happen for various reasons. There are technologies in place which should prevent them from happening, but sometimes it is as simple as a wrong command on the wrong CLI and the network goes all black. Since an L2 installation is sharing all connections through a core switch, a broadcast storm affecting the core switch can bring down the entire network of an organization.
VLAN: Network virtualization known for almost 30 years
Virtual logical area network (VLAN) was introduced in 1984. It is a method to separate a physical network/switch into multiple virtual networks. Each VLAN is separated from the others through so-called VLAN IDs (also called tags), which uniquely identify the segment. There are 4096 VLAN tags available. However, VLAN 0 is reserved and is used as a simple priority tag, while VLAN 4095 is used as a wildcard VLAN search/address. In VMware vSphere, VLAN 4095 is used as a trunk all VLAN IDs option. Given these reservations, a total of 4094 VLANs can be used.
Note
Although this sounds like a lot at first, it might be easy to reach its limits if applied at a provider scale or in big organizations. Given that they can have hundreds of customers/departments, and each can have hundreds (or even thousands) of VLANs, this limit will be reached fast.
VLANs are basically just virtual network containers and are able to carry any network subnets. They can also be used for multiple subnets having the same VLAN tag, making it possible to divide a VLAN into smaller segments. However, all this requires extensive routing and also limits the number of devices a segment/VLAN can support.
Since a network segment always needs to have a broadcast address as well as a network address, these two addresses can't be used for clients. If a network is separated into multiple segments, each segment requires two addresses for these functions, limiting the overall usable addresses.
Example:
Subnet mask: 255.255.255.0 or referred to as /24
Network address: 192.168.0.0
Network broadcast: 192.168.0.255
This means that 254 addresses can be used for this network. If the network would be split in four segments, the number of usable addresses would decrease by eight instead of two addresses:
Subnet mask | Network address | Network broadcast
255.255.255.192 or /26 | 192.168.0.0 | 192.168.0.63
255.255.255.192 or /26 | 192.168.0.64 | 192.168.0.127
255.255.255.192 or /26 | 192.168.0.128 | 192.168.0.191
255.255.255.192 or /26 | 192.168.0.192 | 192.168.0.255
In the preceding table, only 62 addresses are usable per subnet, making a total of 248 addresses available. This means using the subnet method to split networks can become fairly complex and reduces the amount of usable IP addresses per network drastically.
Traditional routing and security
Another big topic in networking is obviously routing and the security aspect (firewalls, packet inspection, and so on).
Each deployed workload will require some routes to reach other services as well as possibly security settings like firewall rules to enable communication into protected areas. A good example for such a configuration is a LAMP stack. The web server will require access to the DB server in order to display information. Normally, the DB server will be located somewhere within the internal data center networks. A web server is typically located in a DMZ outside of the internal organizational network. The communication between both servers will happen through a firewall. But to make that work, a rule has to be added for each web server communicating with its DB counterpart. This means that each pair will have its own firewall rules (and this is just a simple example), to be created based on their IP addresses and the ports used to communicate.
Note
Most organizations already have so many firewall rules that it is nearly impossible to tidy them up. Also, rules often do not get deleted since the risk of breaking some important application is much higher than the benefit a clean rules table would provide.
In an automated environment, where application deployments are also planned, these tasks must also be completed once the service has been deployed.
Modern network approach
Since complexity in a data center has increased and the number of servers or VMs has increased as well, the requirements for a data center network have changed tremendously.
Server virtualization has changed the way networking and security need to work. Since VMs can migrate from one physical host to another, the network has to provide this functionality as well in order to prevent re-IPing of VMs. Also, firewalls and security rules need to be configured dynamically or IP based in order to support this behavior. Static port-based rules or security solutions no longer worked for the virtual environment.
The new SDDC capabilities create new requirements for networking and security. Given that services and servers will now be created on demand and also deleted on demand, the network has to grow and shrink with them. Preprovisioning of VLANs is an option, but requires huge pools of VLANs waiting to be used in the future. This might work for VLANs and IP segments, but firewall rules can hardly be preset and assigned as needed. New services may be deployed on demand, but then IT security kicks in and the whole process might slow down since a handover happens to manually create DMZ and security rules for new services.
Also, as described earlier in this chapter, a big L2 network has its downsides as well, for example, a broadcast storm, a core switch outage, and so on. All this can affect the connectivity and with it the production capability of an organization. A big networking outage can be seen as a production outage endangering the whole business of an organization.
L3 Networking - the new architecture
Compared with layer two networks, the new favorite design is a layer three leaf-spine architecture. Each access zone (single or multiple racks) will have its own L3 domain and connects to a leaf. These leaves then connect up to multiple spines to get connectivity to the other leaves. This means that there is no core switch anymore where all the traffic goes through.
There are a couple of benefits in L3 network architectures:
It will prevent global broadcast storms, since each access zone has its own broadcast domain and can't broadcast across all leaves (given there is no broadcast/multicast routing).
It is enhancing the network availability while easing the configuration needed, since growing the network does not require a reconfiguration of the core switch.
Maintenance gets easier since each leaf connects to multiple spines; those can be put offline for patching and the network still stays online. If a core switch needs to be updated, it generates risk since there is only one other core left; if this core fails the network goes dark.
Security is enhanced since each access pod is required to pass a router or even firewall to connect to another access pod (optional but practical to connect leaves).
Each access pod has its own L2 net segment, which is not stretched to other leaves or access zones (as shown in the picture using exemplary network addresses). The L2 bridge is at the leaf level, whereas the L2 bridge in a core switching environment is typically at the spine level.
However, the downside of this networking design is that if a VM would now travel from one rack to another, or one access pod to another, it has to change its IP address since this represents another L2 segment. This is why this setup is fairly complex with traditional VLAN-based networking. It eliminates the freedom of roaming VMs between racks (access pods) or even sites.
Network virtualization to the rescue
This is where network virtualization comes into play. Given that the physical L3/L2 architecture provides all these benefits but also introduces the access pod dilemma, network virtualization can add many more to this design:
On-demand network creation
Networks spread across access pods
Stretched networks across sites
Networks within access pods (no north-south traffic)
On-demand security rules
VM-to-VM communication limits within same network (microsegmentation)
These are just a few. A setup with an L3/L2 network design plus network virtualization would look somewhat similar to the following picture.
In this case, the physical L2 domain is still per access pod, but virtual networks can be spread across the pods. This works since network virtualization like NSX uses a so-called transport zone. This transport layer uses packet encapsulation to put a new header around a network packet and send it to its destination. The destination will be a VTEP of an NSX (VXLAN)-enabled ESXi host. This is the key functionality of NSX and enables great flexibility in creating networks. Even networks with the same IP subnet can be created and connected to different virtual routers yet exist on the same ESXi host or in the same access pod.
The graphic shows several virtual networks either spanning all pods or just existing within a single pod. However, with NSX, all these networks can have external access to the physical network or to each other over the integrated virtual router existing on every ESXi host. This opens a world of possibilities to not only put VMs into virtual networks and provide them just enough access to function but also enhance the overall security.
Also, configurations as well as the setup can be easily backed up and restored on any physical network; since all of this is virtual, it is absolutely independent from the vendor as well as the underlying hardware.
Another benefit of network virtualization is the decrease of north-south traffic for routed networks. In a traditional network with a core switch, ESXi hosts have to send the traffic through an external router if one VM wants to communicate with another VM in another subnet on the same host. The packets have to pass through the ESXi network interface, through the router, back into the ESXi host and to the other VM. This adds a lot of so-called north-south traffic.
This refers to network traffic which leaves a pod northbound and returns southbound in order to reach a network client contained in the same pod but in a different network.
Besides north-south traffic, there is also east-west traffic, which is everything which stays within a pod. If a VM talks to another VM in the same network subnet but on a different ESXi host, the two hosts will communicate directly with each other without sending the traffic through a router. If these VMs are on the same host, the network packets do not even leave the ESXi host through the virtual NIC. This decreases the load on more expensive network hardware such as switches and in general reduces the overall network traffic sprawl. The following picture shows examples of how NSX will dramatically reduce the amount of north-south traffic and help to enhance network traffic as well as overall network performance by reducing the number of needed hops.
NSX terminology
NSX comes with its own terminology. It might be good to get familiar with these terms in advance to better understand their meaning and functionality if referenced later in this chapter.
VXLAN
The VXLAN IEEE standard is used as the transport network for all virtual networks created in NSX. In NSX, it is also referred to as transport zone. It carries the network packets containing the virtual network information from one NSX-enabled ESXi host to another using the specially created kernel port in ESXi. The VXLAN encapsulation is shown in the following image:
The added information is the following:
VXLAN-specific content like VXLAN Network Identifier (VNI).
Outer UDP and IP header (coming from the encapsulating host).
Full outer ethernet header containing all information from the sending host to the receiving host. The receiving host is either determined due to multicast requests or by the VTEP table.
In total a VXLAN encapsulation adds another 50 bytes to a default network packet. Given this, the MTU default has to be changed from 1500 to at least 1550 or higher. This MTU change is a must since the network frames will be larger than in a traditional LAN. This needs to be confirmed with the physical switch configuration as well, since otherwise the switches will drop these larger frames if they do not fit their set MTU.
Tip
Generally, it is the best practice to enable jumbo frames for the VTEPs and the transport zone. It is extremely important to ensure that the physical switches can handle the higher MTU size; otherwise, NSX will not work!
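The 50-byte overhead and the resulting MTU requirement can be reproduced by building the encapsulation byte for byte. The following is an added example, not code from the book or from VMware: the VTEP addresses, MAC addresses, switch names and the UDP port 4789 (the IANA-assigned VXLAN port) are assumptions, and the outer frame is assumed to be IPv4 without a VLAN tag.

```python
import ipaddress
import struct

# Sizes in bytes of what VXLAN puts in front of the original (inner) frame.
OUTER_ETHERNET, OUTER_IPV4, OUTER_UDP, VXLAN_HEADER = 14, 20, 8, 8
VXLAN_OVERHEAD = OUTER_ETHERNET + OUTER_IPV4 + OUTER_UDP + VXLAN_HEADER  # 50
MAX_SEGMENTS = 1 << 24   # the VNI is a 24-bit field
VXLAN_UDP_PORT = 4789    # assumption: IANA-assigned port, the page names none
FLAG_VNI_VALID = 0x08


def pack_vxlan_header(vni):
    """8-byte VXLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < MAX_SEGMENTS:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)


def ipv4_checksum(header):
    """Ones'-complement checksum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(inner_frame, vni, src_vtep, dst_vtep, src_mac, dst_mac):
    """Wrap a complete inner Ethernet frame the way a sending VTEP would."""
    vxlan = pack_vxlan_header(vni)
    udp_len = OUTER_UDP + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum 0 = unused
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, OUTER_IPV4 + udp_len, 0, 0x4000, 64, 17, 0,
                     ipaddress.IPv4Address(src_vtep).packed,
                     ipaddress.IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    ethernet = dst_mac + src_mac + struct.pack("!H", 0x0800)
    return ethernet + ip + udp + vxlan + inner_frame


def decapsulate(frame):
    """Receiving VTEP: validate the outer headers, return (vni, inner_frame)."""
    if len(frame) < VXLAN_OVERHEAD:
        raise ValueError("frame shorter than the VXLAN outer headers")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ip = frame[14:34]
    if ip[0] != 0x45 or ip[9] != 17 or ipv4_checksum(ip) != 0:
        raise ValueError("outer IPv4 header invalid or not UDP")
    if struct.unpack("!H", frame[36:38])[0] != VXLAN_UDP_PORT:
        raise ValueError("not addressed to the VXLAN port")
    flags_word, vni_word = struct.unpack("!II", frame[42:50])
    if not (flags_word >> 24) & FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return vni_word >> 8, frame[50:]


def required_transport_mtu(guest_mtu=1500):
    # The inner Ethernet header (14 bytes) becomes payload of the outer IP packet,
    # while the outer Ethernet header is not counted in an MTU: net effect, 50 bytes.
    return guest_mtu + VXLAN_OVERHEAD


def undersized_links(guest_mtu, link_mtus):
    """Names of transport devices whose MTU would drop encapsulated frames."""
    need = required_transport_mtu(guest_mtu)
    return sorted(name for name, mtu in link_mtus.items() if mtu < need)


# Constructed sample data: a full-size inner frame and a hypothetical transport path.
INNER_FRAME = bytes(14) + bytes(1500)
SAMPLE_LINK_MTUS = {"vds-transport": 1600, "leaf-01": 9000, "spine-01": 1500}
SRC_MAC, DST_MAC = bytes.fromhex("005056000001"), bytes.fromhex("005056000002")

if __name__ == "__main__":
    outer = encapsulate(INNER_FRAME, 5000, "10.10.0.11", "10.10.1.12", SRC_MAC, DST_MAC)
    print("added bytes:", len(outer) - len(INNER_FRAME))
    print("VNI seen by receiver:", decapsulate(outer)[0])
    print("transport MTU needed:", required_transport_mtu(1500))
    print("links that would drop frames:", undersized_links(1500, SAMPLE_LINK_MTUS))
```

Running `undersized_links` against the MTUs actually configured on every switch in the transport path catches the silent-drop case the tip warns about before the first logical switch is created.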
EDGE
An Edge is typically a gateway into another network. Most of the time the EDGE is the gateway from the virtual networks into a physical, external network. It can be seen as the access point into and out of the virtual world. The following two types of EDGE devices are available in NSX:
The Distributed Logical Router (DLR) in NSX is a router that is installed on each participating ESXi host. It will take care of routing traffic of VMs between virtual networks, even inside an ESXi host or between different ESXi hosts. Although it is also a VM deployed in the EDGE cluster, it syncs its config with all participating ESXi hosts.
The EDGE Service Gateway (ESG) is typically the connection between the physical and the virtual networking world. An ESG is normally connected to a DLR to enable it to route outside of NSX. However, it also offers other functions such as a load balancer, NAT (Source NAT and Destination NAT), as well as VPN connections.
Logical Switches
A Logical Switch in NSX is a virtual network where VMs can be connected. Logical switches are also often referred to as virtual wire.
In vSphere, they will show up as port groups with unique ID names (number combination). However, NSX manages and maintains these vSphere port groups. Admins should not tamper with them outside of NSX.
Each switch gets a segment ID as identifier (similar to VLAN tags in traditional networking). The segment range can be customized; the maximum number of segments (switches) is 16,777,216.
VTEP
Virtual tunnel endpoint (VTEP) represents basically one of the ESXi kernel ports in the transport zone exchanging NSX traffic. The VTEP learns which VM sits on which ESXi host and creates a forwarding table. In order to find the VMs, NSX uses one of the three methods to ask where VMs are:
UNICAST: Each ESXi host with a VM wanting to talk to another VM asks each other host in a transport zone if the peer knows this other VM. This typically generates a lot of traffic until the VTEP learns where VMs are (if they move, the procedure begins again). The NSX controllers are used to coordinate this and to maintain the VTEP table. A benefit of this method is that ARP suppression can be enabled.
MULTICAST: Each ESXi host with a VM wanting to talk to another VM sends a multicast to all hosts in a transport zone. If one of the other ESXi hosts runs the requested VM, it simply responds to the multicast request. This does not require an NSX controller. However, the network needs to support multicast and multicast routing needs to be enabled. This is typically more effort as well as more complex to physically configure than the UNICAST method.
HYBRID: This is the best of both worlds. It uses the NSX controllers to build and maintain a VTEP table and works with ARP suppression. Since it can make use of the controllers, multicast routing is not required, which makes the physical switch configuration much easier. All that is required is an IGMP querier address and multicast IP addresses. If the peer host is not in the same multicast domain (can't be reached without routing), NSX will revert back to unicast and the controller will add the discovered connection to the VTEP table.
NSX controller
This is one of three VMs (three are required as a minimum) to run control commands and sync configurations between and with ESXi hosts. The controllers also maintain the VTEP table (in UNICAST or HYBRID mode) / BUM traffic. The controllers will always deploy in a controller cluster.
Note
The NSX controllers need to do Layer 2 communication. If spread across cluster nodes in different racks, this has to be taken into account. To learn more about the VTEP table, BUM traffic, and ARP suppression, you can visit the VMware blog about advanced NSX functionalities at http://blogs.vmware.com/vsphere/2013/05/vxlan-series-how-vtep-learns-and-creates-forwarding-table-part-5.html.
NSX setup and preparation
To connect NSX to vRA and work with it in the SDDC, it needs to be set up and installed first. This part gives an overview about basic considerations and tasks to successfully install NSX in a vSphere environment. It is strongly recommended to check the required settings for HYBRID (Multicast needs to be enabled on the switches, an IGMP querier needs to be set up, and so on) with the networking department. If these settings are incorrect, NSX might not work correctly. If these settings are unclear or impossible to configure, UNICAST mode needs to be used.
Tip
VMware demands that certified consultants from either a partner or VMware's PSO must install NSX in a production environment. The installation method provided in this chapter will work, but may not be best practice for every environment. Also, before installing NSX, a design needs to be created with assumptions, risks, and constraints to make sure that it fits the purpose.
ESXi prerequisites for VXLAN/NSX
Before NSX can be installed in the environment, some steps have to be concluded in order to comply with all prerequisites. First of all, the transport zone requires its own VLAN including an IP address scheme for the VTEP kernel ports. It is important to have these IP addresses before the NSX installation since those are required to complete the setup and make each ESXi host work with NSX.
Note
The VTEPs can be in a VLAN using a traditional L2 network. However, they can also be in different networks as in an L3 setup. Whatever method is chosen, all VTEPs are required to reach each other either over routed networks or within the L2 network.
The number of IP addresses obviously depends on the number of hosts. But there is also the chance to have multiple VTEPs per host for high availability and load balancing reasons. Based on the number of ESXi hosts and the number of VTEPs to use, it can quickly exceed a typical /24 network. It is recommended to plan ahead since this is not easily changeable after NSX has been deployed.
For example, 128 ESXi hosts with 2 VTEPs will require 256 IP addresses. A class C net with a /24 netmask will provide only 254 addresses. In order to satisfy the requirement, a bigger network segment needs to be used for providing the VTEP IPs.
In this case, a /23 class C net will be required, providing 510 IP addresses in total.
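The address arithmetic from the /26 split table earlier in the chapter and from the VTEP sizing above can be checked with Python's `ipaddress` module. This is an added example, not code from the book; the pool networks 10.10.0.0/24 and 10.10.0.0/23 and the `esxi-NNN` host names are hypothetical.

```python
import ipaddress


def usable_addresses(network):
    """Client addresses in a subnet: everything except network and broadcast address."""
    return ipaddress.ip_network(network).num_addresses - 2


def split_network(network, new_prefix):
    """Rows of (network address, broadcast address, usable) for each resulting segment."""
    parent = ipaddress.ip_network(network)
    return [(str(s.network_address), str(s.broadcast_address), s.num_addresses - 2)
            for s in parent.subnets(new_prefix=new_prefix)]


def smallest_vtep_prefix(hosts, vteps_per_host):
    """Longest IPv4 prefix whose usable addresses cover every VTEP kernel port."""
    needed = hosts * vteps_per_host
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= needed:
            return prefix
    raise ValueError("no IPv4 prefix is large enough")


def spare_hosts(pool, hosts, vteps_per_host):
    """How many more ESXi hosts fit into the pool before it has to be replaced."""
    return (usable_addresses(pool) - hosts * vteps_per_host) // vteps_per_host


def allocate_vteps(pool, hosts, vteps_per_host):
    """Hand out VTEP IPs host by host; fail loudly when the pool runs dry."""
    free = iter(ipaddress.ip_network(pool).hosts())
    plan = {}
    for n in range(1, hosts + 1):
        name = f"esxi-{n:03d}"  # hypothetical host naming
        addresses = []
        for _ in range(vteps_per_host):
            address = next(free, None)
            if address is None:
                raise ValueError(f"{pool} exhausted at {name}")
            addresses.append(str(address))
        plan[name] = addresses
    return plan


if __name__ == "__main__":
    for row in split_network("192.168.0.0/24", 26):
        print(row)
    print("prefix needed for 128 hosts x 2 VTEPs: /%d" % smallest_vtep_prefix(128, 2))
    plan = allocate_vteps("10.10.0.0/23", 128, 2)
    print("last host gets:", plan["esxi-128"])
    print("hosts that can still be added:", spare_hosts("10.10.0.0/23", 128, 2))
```

The last host in the /23 plan receives 10.10.0.255 and 10.10.1.0, which are ordinary host addresses in a /23 even though they look like the broadcast and network addresses of a /24.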
Network prerequisites for NSX
A VLAN has to be prepared in order to put the VTEPs into it. However, it is not required to create a VDS port group; this will be done by NSX once the transport zone gets set up. Also, NSX does require the virtual distributed switch to be available. If the vSphere licensing does not cover the use of the VDS, the NSX license automatically will.
Once the VLAN ID is prepared and the VLAN is configured on all physical switches in order to enable successful communication between all the ESXi hosts (VTEPs), the NSX setup can begin.
Step 1: Installing NSX manager
The NSX manager comes as an OVA and can simply be deployed in a vCenter management cluster. As described in Chapter 4, SDDC Design Considerations, it is a good practice to have a separate NSX EDGE cluster ready. This is important when it comes to the NSX networking component deployment. However, in small or medium environments, those components can also be deployed in the payload cluster to maximize efficiency.
The EDGE cluster typically contains ESGs and DLRs. The NSX controller can also run in the EDGE cluster. It is important to understand that all network traffic to non-NSX networks (external networks) will flow through these edge devices/ESXi hosts. This means that the hosts in the EDGE cluster are mainly forwarding and receiving network traffic.
Tip
IMPORTANT: It is possible to have multiple EDGE clusters and add them over time. Also, the use of vMotion for ESGs is possible as long as they are on a Layer 2 network. It is not possible to migrate ESGs on Layer 3 from one EDGE cluster to the other using vMotion. In this case, any migration of an ESG will cause downtime for all its connected virtual networks. Also, this is a manual task and is not recommended.
Once the NSX manager is deployed, it needs to be registered with vCenter in order to enable NSX. This registration is done using the NSX manager web interface:
1. Log in using admin and the password provided during the OVA deployment.
2. Click on Manage vCenter Registration.
3. At vCenter server click on Edit to enter the connection details and the credentials. It is important to consider using an NSX admin account with the correct roles assigned. Also, make sure that its password is not expiring!
Note
It is important to configure NTP and the DNS network settings for the NSX manager appliance. The NTP configuration in particular is very important in order to ensure that all connected components have the same date and time. Otherwise errors may occur and the communication between components might be disrupted.
4. Once NTP, the DNS settings, the certificates (if required), and the backup have been set/changed, the rest of the configuration will be done using the vCenter client.
Tip
The backup setting requires a TFTP server in order to save the configuration automatically to this share. It is highly recommended to use and configure the NSX Backup service!
Step 2: Setting up the components
If the manager is installed correctly and the registration with vCenter was successful, the required components can be installed by using the vCenter web client.
Tip
There is no NSX integration in the legacy C-Sharp client (desktop client). The only way to configure NSX is using the web client, besides its API.
To configure NSX, open the vCenter web client using a privileged administrative user and navigate to the Networking & Security item on the home screen:
Once the Networking & Security screen opens, click on Installation in the left-hand menu pane and perform the following tasks.
Prepare the ESXi hosts
1. Make sure that the Host Preparation tab is selected.
2. For each cluster where NSX is needed, select Install in the Installation Status column.
3. Once the installation is completed, the NSX version number is displayed in the Installation Status column and the Firewall column displays enabled. A green check mark will also be shown.
Note
If vSphere auto deploy is used, this installation method will not work. In order to enable NSX with auto deploy, it is required that esx-vxlan.vib and esx-vsip.vib are included in the auto deploy ESXi image. These vibs can be obtained from the NSX manager directly. To learn more about how to configure auto deploy and download the vibs, visit the following VMware KB article at http://kb.vmware.com/kb/2092871.
4. Once the image has been repackaged with these components, the ESXi hosts have to be rebooted starting from the new images.
Deploy the NSX controller nodes
The next step is to deploy the NSX controller nodes. To perform their installation, follow these steps:
1. In the vSphere web client still under Network & Security, make sure that Installation is still selected on the left-hand pane menu.
2. Make sure that the Management tab is selected.
3. At the NSX Controller nodes menu located at the bottom, click on the plus button to add a new controller.
4. Provide all necessary information in order to deploy the first controller:
    1. Choose a valid data center.
    2. Choose the EDGE or management cluster.
    3. Provide a datastore (a dedicated EDGE datastore is not needed, but recommended).
    4. Provide a host, make sure that each controller is deployed on a different host.
    5. Provide a VM folder (choose Discovered virtual machine or create a separate EDGE folder if desired).
    6. Choose a port group to connect the controller to. It is important that the controller is able to reach the NSX manager. This might be either through a routed network or the controller is located in the same network segment as the NSX manager (recommended).
    7. Select an IP-Pool to provide an address to the controller. If no pool has been created, the wizard allows creating a pool without leaving the window.
5. Repeat step 3 until three NSX controllers have been deployed. Remember to choose three different ESXi hosts to deploy the controllers onto.
Defining the segment ID
After the hosts have been prepared and the controllers have been set up, the segment ID needs to be defined. As described earlier, each logical NSX switch gets its own segment ID. So, the segment range will describe how many Logical Switches will be possible. To set up the segment ID range, perform the following steps:
1. In the vSphere web client still under Network & Security, make sure Installation is still selected on the left-hand pane menu.
2. Make sure that the Logical Network Preparation tab is selected.
3. Select the Segment ID button and click on Edit.
4. In the window, provide a segment ID and a multicast address range if MULTICAST or HYBRID mode is used.
    1. Provide a valid segment ID pool, for example, 5000-10000.
    2. Check Enable Multicast addressing and provide valid multicast addresses, for example, 239.40.0.0-239.41.255.255.
5. Click on OK to save the segment ID and multicast addresses.
Configuring the transport parameters
In order to send traffic across ESXi hosts and different L3 network segments, a transport zone has to be configured. In order to do that, follow these steps:
1. In the vSphere web client still under Network & Security, make sure that Installation is still selected on the left-hand pane menu.
2. Make sure that the Host Preparation tab is selected.
3. For each cluster where NSX is needed, click on Configure in the VXLAN column.
4. In the configuration window, select the switch to which the cluster should be mapped.
5. Enter the transport VLAN ID (as described in the preparation section).
6. Enter a valid MTU, at least 1550 or higher, for the VDS.
7. In the VMKNic IP Addressing, the IP pool for the management and Edge cluster needs to be defined/selected.
8. The IP Pool can be created within this wizard to be selected for the IP addresses. These are the VTEP IPs, as discussed earlier in this chapter. Ensure that there are enough IPs available for all desired VMKNics.
9. Edit the VTEP number. If this is set to 2, there will be two VTEPs per ESXi host installed (for redundancy and scalability).
10. Click on OK to save the changes.
After that, the VMKNics (VTEPs) will be configured and get the IPs assigned as defined in the IP pool.
Note
It is recommended to consider NIC teaming in order to enhance the resiliency as well as the performance of the VTEPs. Make sure that the right teaming policy is selected in order to fulfill these requirements.
Set up the transport zone
1. In the vSphere web client still under Network & Security, make sure that Installation is still selected on the left-hand pane menu.
2. Make sure that the Logical Network Preparation tab is selected.
3. Click on Transport Zones and then click on the plus button.
4. Provide the following information in the configuration window:
    1. Zone name, for example, MyOrgTransport.
    2. Meaningful description.
    3. Replication mode (MULTICAST, UNICAST, or HYBRID), for example, Hybrid.
    4. Select all participating clusters for that transport zone.
5. Click on OK to save the configuration.
6. After the transport zone has been configured, NSX is ready for payload traffic and to create virtual wires.
Step 3: Virtual networking 101
If all the settings from step two have been applied successfully, NSX is ready to be configured for the SDDC. The basics of this configuration are:
Setting up a Logical Switch
Setting up a Distributed Logical Router
Setting up an Edge Service Gateway
Each Logical Switch can be seen as a network or at least a segment of a network. VMs connected to the same logical switch can communicate with each other without any routing required (unless there is a security policy configured).
If VMs run on different Logical Switches with different IP address settings, a Distributed Logical Router is required in order to let the VMs communicate with each other. The Logical Router connects different Logical Switches with each other in order to enable advanced network communication.
If external access to the network is required, an EDGE, also referred to as ESG, will provide this functionality. It basically has a connection to the external network as well as a connection to the virtual wires using the Distributed Logical Router. This way, it can be configured which virtual networks can access the physical networks using the Distributed Logical Router as well as the ESG as a gateway.
The following image is an example of this configuration and should help for a better understanding of the configuration:
The Application Logical Switch and the Database Logical Switch will be internal Link types configured at the DLR, while the Edge Service Gateway will be an uplink type configured at the DLR. This enables access for both virtual wires to the external physical network.
Add a Logical Switch
Before we can add advanced network functions such as a router and an ESG, we need to have logical switches present. Follow these steps to add a logical switch to the NSX environment:
1. In the vSphere web client still under Network & Security, make sure that Logical Switches is selected on the left-hand pane menu.
2. Click on the plus button to add a new Logical Switch.
3. Provide the following information in the creation wizard:
    1. Switch name, for example, Application.
    2. Meaningful description, for example, Switch for the application server environment.
    3. Select a transport zone by clicking on Change.
    4. Select an appropriate replication mode (best practice is to select the same as for the transport zone).
    5. Enable IP Discovery and/or MAC Learning. MAC Learning will introduce ARP suppression.
4. Click on OK to create the logical switch.
Repeat this step until all desired logical switches have been created. It is a good test to start with two, since then the distributed logical router can be tested as well to validate its functionality.
Also, it might be necessary to create the transport switch from the DLR to the ESG. This is a special virtual wire, which will only be valid for ESG and DLR interfaces.
Add a Distributed Logical Router
In order to route between the virtual wires, a distributed logical router is necessary. This is an EDGE device which will have interfaces in all logical switches where routing is desired. These are the steps to add a distributed logical router:
1. In the vSphere web client still under Network & Security, make sure that NSX Edges is selected on the left-hand pane menu.
2. Click on the plus button to add a new Logical Switch.
3. Select Logical (Distributed) Router and provide the following information:
    1. A name, for example, Example-DLR.
    2. A meaningful description.
    3. Deploy Edge Appliance (leave default. An Edge appliance is needed for dynamic routing. Without it, the DLR is only capable of static routing).
    4. Select Enable for High Availability if required.
    5. Click on Next to continue.
4. Provide a valid username (leave default) and an admin password. Make sure that SSH access is checked.
5. Select the data center to deploy to. If HA has been selected, choose Compact, Large, X-Large, or Quad Large. Under NSX Edge Appliance, click on the plus icon to add the ESG. Provide the following information:
    1. Cluster to deploy to (select EDGE Cluster).
    2. Datastore to choose.
    3. Optional: Host to deploy to.
    4. Optional: vSphere Folder to put the DLR into.
6. At the Configure interfaces of this NSX Edge, add the logical switches which need to be connected (routed):
    1. Click on the plus sign to add an interface.
    2. Provide a name, for example, Application_IF for the Application Logical Switch.
    3. At Connected To, click on Change and select the Application logical switch (the switch created in the prior step).
    4. At Type select Internal.
    5. Under Configure subnets, click on the plus sign and provide a LIF IP and Subnet prefix length, for example, 172.16.10.1 and 24. This will be the virtual gateway IP for the Application network.
7. At the fifth step, choose the vNIC for the default gateway and provide the default gateway IP address.
8. At the ready-to-complete step, review the settings. If all looks correct, click on Finish to create the DLR.
Add an EDGE Services Gateway
Once that has completed successfully, the first DLR should appear under NSX Edges. The next step might be to create an ESG for external access. This is similar to the DLR configuration. However, in order to connect the DLR to the ESG, the transport virtual wire is required (not to be confused with the transport zone!).
Follow these steps to add an ESG and connect a DLR to it:
1. Follow all the same steps as described in the Add a Distributed Logical Router section until step 3. Select Edge Services Gateway.
2. Follow steps 4-6 from the Add a Distributed Logical Router section.
3. Click on the plus sign to configure EDGE interfaces.
    1. Provide a valid name, for example, Transport_IF.
    2. At Type select Internal.
    3. Under Connect To click on Change to select the Transport Logical Switch (or similar name created for the ESG to DLR transport net).
    4. Provide a valid IP address and subnet prefix in the transport network, for example, 192.168.0.2 and 29.
    5. Leave the defaults and click on OK.
4. Add an uplink to the external network. This means the ESG needs to connect to a VLAN-backed vSphere port group. Also, an IP address should be available in the physical network to connect to (two if HA is required).
    1. Follow step 3, provide a valid name (include the port group name, for example, Uplink-IF-VLAN100).
    2. At Type select uplink.
    3. Under Connect To click on Change to select the VLAN-backed physical/external port group to connect to. Click on Distributed Portgroup in order to see those.
    4. Provide a valid IP address and subnet prefix in the selected network.
    5. Leave the defaults and click on OK to save the configuration.
5. Finish the steps as described in the Add a Distributed Logical Router section.
6. Now the ESG has been deployed successfully and should be connected to the DLR. All Logical Switches connected to the same DLR will now be able to make use of the services of the ESG such as Load Balancing, NATing (Source and Destination NAT), the static VPN functionality and many more.
7. This concludes the basic NSX setup. It is now ready for workloads to use the virtual wires. Also, with this basic setup, vRA can be connected to NSX to make use of advanced networking.
Dynamic routing between virtual and physical
In order to be able to perform dynamic routing, NSX supports various protocols such as OSPF or BGP. In order to have fully functional dynamic routing, it is required to configure those correctly and correlate them with the external virtual gateways. Otherwise, each and every route from NSX to physical and vice versa would have to be added statically. Since this is not practical, the dynamic routing protocols are a must to configure correctly.
Since profound routing knowledge is required to configure OSPF or BGP, this chapter will not go into details about these configuration steps. However, if more information regarding these configurations is required, please refer to VMware's NSX installation and configuration guides under http://www.vmware.com.
Connecting vRealize Automation
Since NSX is installed and configured for basic functionality, vRA can be connected to the NSX manager in order to make use of some advanced NSX functionalities.
In order to connect vRA to NSX, it is required to log on using a user with the tenant administrator role active.
Note
If the integrated vRO is used, nothing else is required. If the external vRO is used, make sure that all necessary plugins are installed, such as the NSX plugin for vRA. Otherwise, the connection will not work.
Follow these steps in order to enable NSX for vRA:
1. Log in to the vRA portal using the tenant administrator role.
2. Click on Infrastructure and then on Endpoints.
3. Hover over the vCenter endpoint and select Edit. In the configuration window, add the following information.
    1. Select Specify manager for network and security platform.
    2. Put in the NSX manager address, for example, https://nsx.example.com.
    3. Provide valid NSX credentials; if they do not already exist, use the New icon to create them.
4. Click on OK to save the changes.
5. Once that has been completed, verify that the NSX data collection is working. In order to do that, hover over the vCenter endpoint again and select Compute Resources.
6. In the Compute Resources overview, hover over the appropriate resources and select Data Collection. Look for Network and Security Inventory and make sure that the Status states: Succeeded. It can take a couple of minutes until the status is displayed. Click on Request now to run a new collection task if necessary.
Network reservations
Once vRA is successfully connected to NSX, some configuration changes need to be made under Reservations. Under Advanced settings, the transport zone needs to be set as well as possible security groups and routed gateways (a created DLR).
In order to do this, follow these steps:
1. Log in to the vRA portal using the tenant administrator role.
2. Click on Infrastructure and then on Reservations.
3. Select the Network tab and check the following settings.
    1. Under Advanced Settings and Transport zone, make sure that the previously created NSX transport zone is selected.
    2. At Security groups, select possible security groups to use if any.
    3. At Routed gateways, make sure to select any DLR to include, at least the one previously created.
4. Click on OK to save the changes.
If all this completed successfully, the system is ready to create network profiles containing the new functions and features.
Setting up NSX network profiles
With NSX a new form of network profiles can be used. The naming of those profiles in vRA is unfortunately somewhat confusing. Here is a short description of the three types of profiles to be used.
The external profile
Under this name, all networks with a pre-existing port group or virtual wire are referred to. For vRA, everything that has been preprovisioned is an external network. The Logical Switches created earlier in this chapter can be added to vRA by defining a network profile of this type and adding it to the NSX port group under reservations. This profile will be used to add VMs to already defined networks such as internal DB networks or application-specific networks.
The NAT profile
This creates a NAT network on demand using an NSX EDGE to define the NAT rules. The NAT can be created as one-to-one or one-to-many. This is set with the profile and will then be valid for any blueprint using this profile. This will be used to add VMs into a NAT profile on demand.
The routed profile
This is the most confusing type at first glance since its function is not as self-explanatory as with the other two. The routed profile will create a separate virtual wire based on the added information. VMs using this profile will be put into that virtual wire, which then is connected to a DLR to access NSX external networks. The creation of this network happens on demand. However, each VM will create its own virtual wire. This means that two services requested with the routed profile set will not land in the same network.
To create these networks, the routed profile has a different setup mask asking for a subnet mask and a range subnet mask. The subnet mask will define the size of the created pool. The range subnet mask will define the size of the segments within the pool. Here is an example of subnet mask and range subnet mask:
Subnet mask: 255.255.192.0
Range subnet mask: 255.255.255.240
Base IP: 172.30.50.0
This means that this profile will generate around 3306 IPs in 224 networks with 15 IPs each. The IPs will start with 172.30.50.1 and end with 172.30.63.254.
This means that it can be used in blueprints to fit up to 15 VM NICs in one of these on-demand networks connected to a DLR. The network will be created with the service deployment and deleted when the service gets destroyed. It is also possible to create larger networks in order to fit more VMs into it. That is all a matter of the Subnet mask and the Range subnet mask.
In this case, the used subnet is a /18 and the used range to split it is a /28. But it can also be a combination of a /18 and a /24 resulting in fewer networks with more space for VMs.
Such a setup can be used to create DMZ networks on demand, or to create lab networks to be deployed right with the service/blueprint.
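The pool split described above can be recomputed with Python's ipaddress module before a routed profile is created, together with a check that the on-demand segments do not collide with subnets already in use. This is an added example, not code from the book or from VMware; it assumes segments are carved from the base IP to the end of the pool, and the function names and the EXISTING list (built from the LIF and transport examples earlier in the chapter) are illustrative.

```python
import ipaddress

# Values from the routed-profile example in the text.
SUBNET_MASK = "255.255.192.0"     # size of the whole pool (/18)
RANGE_MASK = "255.255.255.240"    # size of each on-demand segment (/28)
BASE_IP = "172.30.50.0"

# Constructed list: subnets used earlier in the chapter (Application LIF, transport net).
EXISTING = ["172.16.10.0/24", "192.168.0.0/29"]


def routed_segments(base_ip, subnet_mask, range_mask):
    """Return (pool, segments) for a routed profile.

    Assumption: segments are carved from base_ip up to the end of the
    pool that subnet_mask defines around it.
    """
    pool = ipaddress.ip_network(f"{base_ip}/{subnet_mask}", strict=False)
    seg_len = ipaddress.ip_network(f"0.0.0.0/{range_mask}").prefixlen
    if seg_len < pool.prefixlen:
        raise ValueError("range subnet mask must not be shorter than the subnet mask")
    base = ipaddress.ip_address(base_ip)
    aligned = ipaddress.ip_network(f"{base_ip}/{seg_len}", strict=False)
    if aligned.network_address != base:
        raise ValueError("base IP is not aligned to a segment boundary")
    segments = [s for s in pool.subnets(new_prefix=seg_len)
                if s.network_address >= base]
    return pool, segments


def summarize(base_ip, subnet_mask, range_mask):
    """Condense the split into the figures needed for planning."""
    pool, segments = routed_segments(base_ip, subnet_mask, range_mask)
    first, last = segments[0], segments[-1]
    return {
        "pool": str(pool),
        "segment_prefix": first.prefixlen,
        "segments": len(segments),
        # Raw size of one segment, network and broadcast address included.
        "addresses_per_segment": first.num_addresses,
        "total_addresses": len(segments) * first.num_addresses,
        "first_host": str(first.network_address + 1),
        "last_host": str(last.broadcast_address - 1),
    }


def find_overlaps(base_ip, subnet_mask, range_mask, existing):
    """Return (segment, existing_net) pairs where an on-demand segment
    would collide with a subnet that is already in use."""
    _, segments = routed_segments(base_ip, subnet_mask, range_mask)
    hits = []
    for cidr in existing:
        net = ipaddress.ip_network(cidr)
        hits.extend((str(seg), str(net)) for seg in segments if seg.overlaps(net))
    return hits


if __name__ == "__main__":
    for key, value in summarize(BASE_IP, SUBNET_MASK, RANGE_MASK).items():
        print(f"{key}: {value}")
    print("overlaps:", find_overlaps(BASE_IP, SUBNET_MASK, RANGE_MASK, EXISTING))
```

Passing 255.255.255.0 as the range subnet mask shows the /18 and /24 combination from the text.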
Using NSX network profiles in blueprint
In order to use NSX network profiles in blueprints, all that is required is dragging and dropping the network type (nat, routed, and external) into the blueprint designer and selecting the right network profile to use.
Also, at the creation or the settings tab of the blueprint under the NSX tab, the transport zone has to be selected in order to use NSX within the blueprint. That is all that is required after NSX has been set up properly and vRA has been connected correctly.
Summary
This chapter described basic network principles and compared traditional networking approaches with the new SDN approach. Also, it touched on NSX basics as well as descriptions of how NSX works and what network virtualization can deliver to an SDDC. Furthermore, it touched on the basic installation and configuration to get quickly up and running with the first virtual network including routing and access to the external physical network through a DLR and ESG.
In the next chapter, the focus will be on DevOps and its possibilities and opportunities. It will start with a definition of what DevOps typically means and what use cases will be fulfilled by a DevOps platform. Also, it will discuss possible installations fitting in the SDDC and possibilities for developers and companies using this new approach in developing and running applications.
Chapter 9. DevOps Considerations
This chapter will discuss general DevOps topics such as what can be understood as DevOps and why this might be a game changer in application development and running businesses. It will describe the basic functions and fundamentals in regard to DevOps as well as its radical new approaches to developing and operating new applications.
It will require some familiarity with the basics of software development as well as some basics in regard to public cloud offerings and knowledge about software containers.
Based on these points, the chapter will also highlight integration points between an SDDC for legacy applications (all non-cloud-native apps) and a DevOps-ready infrastructure. It will highlight how these two different approaches can coexist and what a hybrid SDDC unlocks in terms of options and possibilities from a business as well as a technology perspective.
The following topics are covered in greater detail in this chapter:
What is DevOps
Radical new IT approach
Where does DevOps apply best (benefits and risks)
Containers: Virtualization 2.0
PaaS as part of DevOps
Possibilities to connect DevOps with vRA
Examples for joint services and blueprints
What is DevOps
The term DevOps is an artificially created word and joins development and operations together in one term. In a traditional IT environment, two or more different teams perform those two disciplines. One team is responsible for developing the applications and their patches and fixes. The operations department is typically responsible for running the application and providing the required environment (physical or virtual infrastructure, networks, storage, and so on).
Typically, such environments are VMs with some kind of OS installed and the necessary additions to support the application. In the case of Java, they would have the required binaries ready, so the developer can start using the environment to run the Java code.
Although this has been working for years, it is a very static approach and can lead to some handover issues between the teams. An IT admin might not know the application in greater detail and therefore can only follow the developer's requirements in installing needed software on the OS.
On the other hand, developers sometimes care less about the hardware, OS, drivers, or needed software packages. They are fully engaged in making the application superior. This might sometimes involve further testing with different software components in the environment. Sometimes, they also just require a couple of hundred systems to realize an artificial load test or to check whether the application does scale as expected (if scaling is an option).
All this requires the two teams to work seamlessly together: the developers need to articulate their needs loud and clear, and the operations team needs to follow these requirements and needs to provide a stable yet flexible and agile environment.
Also, the environment needs to follow internal IT regulations and processes in order to be ready for the data center's production environment.
Agility meets policies
Because the operations department of any organization also needs to follow their policies and regulations to run services in a data center, the mix between DevOps traits such as agility and meeting policies and regulations often creates tension between the teams.
Because the developers sometimes feel the pressure of the business much more than the IT operations teams, they tend to push for untested and undocumented changes in the data center to run and test their latest code.
Because the operations team deals with the pressure of the security and regulations department much more than the developers, they tend to push back on untested or unstructured installation approaches for the sake of the data center security and resiliency.
Naturally, these two interests are bound to collide because it is hard to follow all regulations and provide extensive testing, but also deliver agility and flexibility for bleeding edge applications nobody has created before.
Also, support and troubleshooting play a big role in modern organizations. If the most important application (from a business perspective) suddenly quits working, the two teams need to work together on a solution. In some organizations, that might work quite well; in other organizations, the operations team starts fiddling with their internal issues and the developers start checking their applications. Often there is little to no communication between the teams, which can lead to longer fixing times. Also, finger pointing will happen fast in such an environment, trying to identify the other party as the root cause of the issue and the long fixing times. Surely, everyone has found himself in such a situation once in his or her IT life.
However, the business could not care less if it has something to do with the developers or something with the operations team. All they want is to get back to work as quickly as possible to minimize the financial impact of the outage.
All these examples describe why DevOps was brought to life. It is a mix between operations and development and provides a platform that is ready for both.
How does DevOps work
Basically, the idea is to have a ready-to-run platform, which is available to developers through an API or even connected into their coding tools. The development team is not required to sync with the operations team on creating OS instances (or VMs) anymore because the platform provides a self-service interface for program/application deployments.
With a simple command or click on deploy, developers can install their applications into this environment. Also, updating is just as simple because they will be able to redeploy or update right out of their coding tools.
The key to DevOps is that the developers are also responsible for running the code inside this platform (operations). If a new version is ready, they will take care of either redeploying or updating the running code. In case of an outage, they will work through the deployed application and check all necessary fix routines for the application themselves. If it turns out to be the platform, they can simply redeploy the application to a different platform in order to quickly fix the issue.
For the operations department, it is an enhancement too. All they have to provide is the platform for the developers. The platform can have its own policies and regulations. It does not require the installation of single servers or OSes to work. All the operations unit needs to take care of is that the infrastructure services such as DNS, authentication, security as well as other IT basics are connected and work for the entire platform. This platform can be installed in a supported (by policies and regulations) environment and provide the advanced developer functions by software abstraction.
DevOps is the approach to provide agility, speed, and flexibility but in a controlled and supported manner. One of the biggest supporters and providers in the DevOps space is Amazon Web Services. Basically, two-thirds of the EC2 offerings are targeted toward DevOps and developers. Also, one of the biggest strengths is that it is super quick to set up an environment and get the first deployment going. Everyone can try it themselves just with a credit card and 10 minutes to spare.
What are containers
The DevOps movement has also introduced a new old player in the data center, containers. Containers are fundamentally different from VMs, and they serve more the purpose of a microservice architecture. Instead of installing everything that an application requires in a VM, all these components could be containers on a container host.
The best known company providing a container framework is probably Docker. However, albeit Docker is a fairly young company, container technology itself has been well known for a couple of years. Containers are based on the LXC extension in the Linux kernel, which has been around since it was developed in 2008. However, Docker created a very easy-to-use and lightweight framework around LXC, which made it much simpler to use and adopt. With these new capabilities, it now can be easily used as an easy-to-control and flexible way of application delivery. This is the main focus of containers; they are about flexible and agile application delivery. The underlying architecture is of less interest; it is all about the applications and the capability to deliver and rebuild on demand. This approach is somewhat contrary to traditional IT, where a lot of energy goes into the installation of an OS and the automation of application deployment.
Containers are not VMs
A broad misbelief is that a container and a VM are somewhat similar. That is by far not the case; both technologies introduce unique advantages and challenges. However, virtualization has become commodity, so it is only natural to compare it to the new additions such as containers. The following table shows some of the main differences between containers and VMs:
Virtual Machine | Container
Permanent virtual disk | Stateless
Separate OS per VM | OS shared by container host
Complete Ethernet stack | Port-based communication - network shared with container host
All applications, monolithic and Legacy | Cloud Native or third-platform apps. Not suitable for legacy apps
Require guest OS and app patching | No patching required - destroy and rebuild (respin)
VMware also introduced their entry in the container movement by announcing two different products to leverage containers on vSphere:
vSphere Integrated Containers (vIC)
Project Photon
vIC is shaking up the definition between a container and a VM quite heavily since VMware introduced a micro container OS to run in a VM. This creates tiny VMs for each single container to run on a vSphere host. The advantage of this technique is that they can use all vSphere family features and functions to run this environment. This enables not only NSX to work with containers for enhanced security, but also vRealize Operations to do advanced monitoring. Since the base is a VM, VMware can integrate this fairly well into the existing ecosystem of the SDDC. In the latest vRealize Automation version, there is even an integration into the portal to order (vSphere Integrated) containers right out of the portal.
Project Photon is different though. It is an open source project which offers Photon OS, a container runtime platform. By leveraging VMware technologies, it can be used to bring up container hosts using the command line. Furthermore, it also offers advanced security functionalities such as authorizing containers to run only on hosts that are authorized as well. Its function is very close to a container host and uses the VMware ecosystem to provide additional value in security, reliability, and availability. Furthermore, it integrates well with different container frameworks, such as Docker, rkt, and Garden from Pivotal.
Containers are a flexible way to share single host resources for microservices. This means that a container host is always the OS base for all the containers it houses. In a hypervisor, the OS is always unique to the VM. The hypervisor patch level will not affect the VM OS or vice versa. Therefore, a VM is more isolated than a container. On a container host, the OS patch and security level will also always affect the container itself.
The preceding image shows the main differences between those two architectures. The containers have the ability to access the hardware of the host directly due to the fact that the OS resources are shared among all of them. Therefore, the OS (Linux) will dispatch any access to the underlying hardware such as network cards and SAN controllers (if present).
In a hypervisor, the hardware is made available through virtualization or often paravirtualization of the component. Network is a virtual NIC driver; storage is a virtual SCSI driver; and so on.
Container host: Virtual or physical
There is currently a debate about where to run containers best. Some people say that hardware is the perfect choice. Since containers will use the underlying OS and the included OS abstractions to access the physical world, there is only little impact on performance. The native OS drivers can be used. Also, since containers are stateless, they do not require a stateful failover in case something goes wrong. All they need is another container host where they get access to their data (if any).
But there are also challenges with this approach. The security and monitoring framework for containers is different than for virtual environments. All this would have to be recreated for container hosts. Also, the maintenance of the hosts is disruptive. Since containers cannot be migrated while they are running (like VMs), maintenance on the container host always means that the containers need to be restarted on a different container host.
Running container hosts on top of a hypervisor (in VMs) has the advantage that it can be easily and quickly done. So if the container movement in an organization is more or less of a scientific nature, virtualization is the easy choice since a container host can be easily deployed as a VM.
Container hosts on top of a hypervisor will also have benefits when it comes to enterprise requirements like uninterrupted management. In this case, container hosts could be evacuated using vMotion without any interruption. This saves time and effort also in a DevOps environment. Other functionalities like HA will help to make a container host quickly available after a hardware outage.
However, this also means that the slight overhead of the hypervisor plus the overhead of the container framework might affect the container performance in a way. Unfortunately, there are no real numbers to put against this. Typically, a VMware vSphere overhead is in the one-digit range dependent on the application. The Docker or LXC overhead is also very low, but can be affected by the number of containers to run and the settings used (reservation of resources).
Like in other SDDC decisions, this decision should be taken based on the intended use of containers. If there is a well-established vSphere environment where all the monitoring and a lot of automation is already working, it might be the right thing to deploy the container host on top of the hypervisor.
DevOps and Shadow IT
Given the agility and flexibility platforms like Amazon provide, some developers get frustrated with their internal IT since it cannot deliver such an offering. This is why, in some organizations, developers turn toward providers like Amazon to run their DevOps environment there. As described earlier, the setup is quick and easy, and all developers really want is to develop their code quicker and deploy their assets/artifacts faster.
The problem is that they tend to bypass IT completely in that process, which also means bypassing regulations and data security policies. If an organization is found to have put customer data protected by privacy laws on the public cloud, fees can be as high as millions of dollars, not to speak of the image damage this could cause.
Other risks are that the public environment is not as protected as the internal IT, which might make it easier for hackers to steal protected data on those environments.
In general, such a bypass is called Shadow IT since it creates a secondary IT environment not necessarily following any policies or rules and regulations. Sometimes, these Shadow IT projects are even forced by the business to get some results quicker than usual.
Besides the regulatory issues and potential security flaws, shadow IT can also have a negative impact on an organization's budget. Although the initial start might be easy and cheap, there is a tipping point where it becomes quite expensive to run everything on an external cloud. Also, if it becomes necessary to migrate data back from the public cloud into the organization's own data center, it might be a very costly operation. Many providers do have additional charges in place if data is leaving their premises (download).
This is why a modern organization cannot ignore the possible need for a DevOps environment, since this might lead to Shadow IT. In order to provide developers the speed and agility of such an environment, it is possible to combine it with the SDDC to enable the best of both worlds. Such a hybrid setup would be able to support legacy applications as well as the newest generation of applications, created using DevOps principles (also referred to as Cloud Native Applications or CNA).
Radical new IT approach
DevOps is a radical and disruptive way of doing IT. It focuses on applications and it tends to ignore hardware beneath the app. This sounds harsh compared to the classic IT approach where servers and the OS are in focus in order to provide a good, secure, and scalable environment for the applications.
In DevOps, applications become stateless since they store the data elsewhere; that might be an object-based storage or a NAS/SAN mount into the container. This means the container can spin up wherever it needs to be, given that it can access its data. There is no point in patching containers; only the container definition (the package) will be updated. To deploy this patch, the old container will be destroyed and a new container will be started with the updated service/application code.
Also, containers in DevOps are not a place to install an entire legacy app. Ideally, they house just parts of an app, so-called microservices. These microservices can be used to form an app modularly. This can be imagined as follows:
If an application requires a PHP component and a Java component and a web server component, all these can be their own container. They can then be working together in providing the services to the application (the Java component). If there is a need for a second or a third web server, developers can just start a new http container and include it. Also, if the Java app needs to store data, developers can either mount a volume in the Java container or directly access object-based storage through https calls.
This approach is way different from the classic application to server model everyone in IT has been used to until today. Therefore, it changes the entire way of providing an environment. However, it also changes the entire way for processes, monitoring, security, and so on. It is a truly disruptive and innovative approach in running services and applications.
Also, since containers are not bound to hardware, they can run virtually everywhere. The development can happen on a public cloud where it is cheap and quick to spin up new containers and also mass test a thousand instances just for one day. After that is completed, the whole config can be ported to an internal data center where the application then runs in production.
New versions of it can be created by cloning the production containers and introducing change in an isolated environment; once that is completed, the changes can be brought into production just by redeploying the updated container definitions.
No wonder developers love all these features since they make their daily life so much easier. No more tickets to get a server, no more requests for a VM needed only to put their code on.
Cattle versus pets
There is a very famous analogy for traditional IT and the new approach with DevOps. It goes like this: Traditional servers are like pets: When they are ill, we bring them to the doctor, we care about them individually and make sure they get all they need to live a happy life.
DevOps is like cattle: It is a huge herd; the individual will not receive any special treatment. Even if one cow is ill, the herd can still move on. One cares about the entire herd and not about the individual cow.
DevOps and especially containers are seen like a herd. If one container has a problem, it will not be repaired in the container. The developer will simply spin up another version of it to see if it is fixed. If required, fixes are applied to the container definition only.
Although that adds a lot of flexibility to the development and deployment life cycle, it might also introduce tension between the traditional IT and the new DevOps teams. In traditional IT, issues get analyzed by opening a ticket, looking for the root cause to prevent a possible reoccurrence and then finally fixing the problem.
Since a DevOps environment is meant for massive scale, this procedure would not be simple. If one has thousands of containers running, it is virtually impossible to check every single incident and try to find a root cause. However, containers do also introduce new challenges to the IT team.
Changing the organizational culture
A DevOps approach is not just another tool in IT or another way of doing application development. It introduces a cultural change within an organization. From the business all the way to the developers, DevOps will change the way they are working with each other. It is meant as an agile way of developing and running business relevant applications. For that to function, many established business processes are required to be revisited and rewritten. Traditional processes and structures will no longer work or be relevant. Much like in an SDDC environment, where old processes have to be refreshed and adapted to the new automation, in DevOps entirely new processes have to be established. This can start with simple things like monitoring.
Containers can't be monitored like a standard virtual infrastructure. They need their own monitoring framework and processes. Whether it be performance or error monitoring, there are a couple of tools already available in the market. However, many of them are targeting a specific container framework. This means that the right monitoring solution has to be applied to a specific container framework. If the container framework changes, the monitoring has to change as well (or one has to have multiple monitoring instances, one per each container framework they use).
Also, performance monitoring needs to be ultimately decoupled from the underlying hardware. Since a container can run virtually anywhere, it is irrelevant if the underlying hardware can be monitored; ultimately, it is the container performance on the platform that needs to be monitored.
This also introduces new insights for developers. Since the hardware has become so interchangeable, they cannot blame a specific OS, driver, or hardware implementation if an application is not performing as intended. Since it can be easily deployed on different environments, the performance of the application itself is much more transparent than in traditional environments. This adds pressure to some developer teams since it now depends on how they use the container technology to perform well. Discussions such as add more RAM or more CPU to make it faster might soon be obsolete.
On the other hand, the infrastructure becomes super transparent as well. If an application does not perform locally, but runs fine on the cloud, the underlying infrastructure is now identified as the bottleneck. Therefore, the local IT needs to react and improve the environment to perform as expected.
However, besides all these benefits, DevOps is a cultural change in an organization, which requires all departments to ultimately work together. IT gets closer to the developers. The developers will need to spend some time with security considerations. And finally, the business will spend more time in order to make sure that their cases and requirements are clear to the developers. This will help in creating the applications quicker, and it will also enhance the teamwork of each department in an organization.
If someone tries to enable DevOps and only talks to the developers, it might fail or create a Shadow IT with security risks. If the business is not involved in decisions, the business impact in doing DevOps might be not as big as expected and the organization might fail to compete. If IT is not involved and can't deliver the requested environment or integration, developers and the business will go elsewhere looking for an alternative.
PaaS as part of DevOps
PaaS is the most confusing term in an SDDC since different people refer to it for different descriptions and different parts of the SDDC. Basically, it can be broken down into the following two major meanings:
Installing one or multiple VMs and putting software on top of it, ready for consumption.
Providing a platform ready for developers to deploy applications into. This platform will provide several spaces or tenants such as development, quality assurance, and production. All the developer will need is access and an application to upload.
This chapter is about DevOps, and this term is not set in stone and can describe different implementations or functionality of SDDC services. The first part discussed containers as the cornerstone of DevOps. Often, this is also the first thought of any developer when it comes to application delivery automation. However, there are other implementations available, which will deliver even more flexibility and ease of use than a naked container host.
For containers, one has to be very Linux savvy. Even if a distribution like Docker is used, it does not work without the Linux bash command line or at least a good understanding of Linux and how it works. Container frameworks such as Docker Swarm or Mesosphere try to provide a management instance across many container hosts to make a distribution of containers or applications possible. This normally adds a cloud-scale-like ability to container frameworks. However, this is still very container focused. To manage different stages or create different folders/zones or tenants, these frameworks are clunky to use.
This is why there are other implementations, leveraging the container technology but hiding all its complexity from the user (the developer) plus adding other functionalities like multitenancy and staging of applications.
The Cloud Foundry framework
Cloud Foundry is a framework developed by a company named Pivotal. Pivotal was part of VMware for a while before it was spun off into its own organization. It still is part of the EMC (Dell Technologies) family of organizations. It provides a framework for rapid and easy application development.
The framework is based on containers as well, but it features a ready-to-use CLI for developers as well as built-in multitenancy and so-called stages. Stages are useful for modeling the cycle of application development. Each application will be in a development stage; after that it might enter the quality assurance stage. Finally, it might get into the production stage once all other tests have passed.
The Droplet Execution Agent (DEA) of Cloud Foundry handles the staging process. Also, it performs the following key actions:
Managing the warden containers: This runs applications in the containers.
Stage applications: Once a new application or an updated version is pushed to Cloud Foundry, the Cloud Controller selects a DEA from a pool to stage the application. The DEA uses an appropriate buildpack to create a droplet.
Run droplets: Managed by a DEA, it reflects the lifecycle of an application. The Cloud Controller can instruct a DEA to start or stop a droplet. Also, a DEA can monitor the state of a started application for broadcasting it.
Note
To learn more about Cloud Foundry visit docs.cloudfoundry.org and read through the documentation. There is a lot of useful information in these documents, which can get any developer up and running with Cloud Foundry quite quickly and easily.
However, an application might have many more stages; this is really just an example. This might be a relic from the old days, but DevOps does not mean that software doesn't need to be tested or approved anymore. It means that the cycle between these stages is as short and as automated as possible.
Besides that, it offers many other features like ready-to-use services using the built-in service broker. These services can now be simply consumed by the pushed applications. This means that a developer does not need to ask for a DB to be deployed anymore; they can simply use what Cloud Foundry has to offer. And there are certainly more services available than just databases or NoSQL.
Cloud Foundry can also integrate with object storage and make it available through the service broker. Given that, a developer does not have to bother with all these things; all they do is push their application into the platform and connect it to the provided services. This can be seen as a giant platform, ready for any modern application. Instead of creating a farm to host all services required by various applications, Cloud Foundry can dynamically react to whatever the developers need.
Cloud Foundry has easy-to-use tools and a complete command-line interface to migrate an application between all these three (or more) stages. Each stage can have its own data service (either DB or data storage) as well as its own network and security policies. This makes it easy for developers to ensure that the application gets the right security level based on the selected stage.
Cloud Foundry and the SDDC
The framework can run on many public clouds as well as on the vSphere hypervisor directly. It is lightweight and relatively easy to set up. Once up and running it can be used to immediately serve new applications.
Given all these descriptions, it sounds like it supersedes the traditional SDDC with its framework, containers, and stages. However, while this might be true for cloud-native apps, legacy as well as big monolithic applications will still need a traditional environment.
Therefore, it is possible to combine both worlds and provide the best possible solution. Developers can use the PaaS framework; vRealize Automation can be used to provision supportive Cloud Foundry services such as DBs or other needed applications. Also, if developers require any additional service that does not yet exist, this could be provisioned using a combination of the Cloud Foundry command line and the vRealize Automation REST API.
An example for this might be an MS SQL DB server, which is not included in Cloud Foundry. This SQL service could be available as a blueprint in vRA, and developers can trigger its deployment once it is needed for a given space or stage.
To accomplish this, it is possible to connect Cloud Foundry with the vRA REST API. This connection can be a new service/app within Cloud Foundry which triggers the deployment. The developer would not need to log in to the vRA portal; they can stay in Cloud Foundry and still use their development toolset or the Cloud Foundry command line. This creates a nice bridge between the enterprise or legacy world and the new cloud-native apps approach. However, VMware also has something to offer when it comes to automated application development.
vRealize Code Stream: DevOps without containers
This is VMware's approach to make DevOps ready for the enterprise using a smart and developer-oriented portal named vRealize Code Stream. It is meant for app development in a highly automated environment. This might be the bridge between the SDDC and its automated delivery of services, as well as the requirements and needs today's developers have. The trick is that it can achieve this without a container framework, by leveraging the existing environment.
vRealize Code Stream needs vRealize Automation to be installed upon. So, it is an add-on to an existing VMware SDDC environment. Also, it integrates with many application development frameworks given that it comes prepacked with the JFrog Artifactory.
Using this, it is possible to create custom repositories containing code or script artifacts for automated provisioning. For the repository service, there is also an API, which can be used from many development tools. This enables a developer to update artifacts right out of their development tool of choice. Furthermore, it means that a pipeline can automatically always use the most recent artifact out of that repository.
Since the repository and vRCS itself support so-called parameters, an artifact or code can have a distinct number; once this number is called upon execution, only the artifact matching that property will be processed.
All about the pipeline
In vRealize Code Stream, it is possible to create a so-called pipeline. The pipeline describes an application development life cycle. Similar to Cloud Foundry, it is possible to create stages. But instead of manually moving an application from one stage to another, it is possible to achieve this by using automated and programmable guards.
This means that if an application passes a defined test in a given stage, it will advance automatically to the next stage. This can be defined based on various conditions, from a test performed by Jenkins over a workflow output up to a manual approval.
This automates the quality assurance of an application in an environment. Instead of running all these tests manually and then moving a service to the next stage once successful, a simple check can now perform this automatically.
Each stage can contain various different objects. It can deploy a VM based on a vRA blueprint, and it can install an application from the repository (JFrog Artifactory). It can even integrate with Jenkins or other programmer's tools and establish a direct development link to the deployed environment. Then, a developer can define the criteria of the gatekeeper to limit if and when an application can reach the next stage.
Typically, an approval is set to move an application from the QA stage into the production stage. This approval can be accomplished using the built-in vRA approval functionalities. Once the QA was successful, the app may enter the approval state. If the approval is granted, it will automatically merge into production, no human intervention required.
The preceding image shows the different stages. The blue arrows represent the gatekeepers. Once all criteria are met, the application can migrate automatically to the next stage. The shown pipeline works as follows:
Stage 0: The test environment deploys a new VM, installs the app, configures it and runs some tests and deployments. This is repeated as often as necessary to develop the actual app.
Stage 1: There is already a VM running (the running system); the app gets reinstalled, configured, and QA tests will run to ensure that the developments from Stage 0 are stable.
Stage 2: This might be the production stage. The app gets reinstalled (like a respin with containers) and configured. Now it is finally running; no more tests are necessary.
Although this is a very basic example, it shows how powerful this method of application development can be. Of course, it is also possible to model more complex application pipelines in order to automate them. There is no limit on how many stages can be used, albeit it might get very messy if there are tens or hundreds of stages in a pipeline.
However, the system does more than only automating the deployment. Each pipeline run is logged and can be reviewed. Each stage will have a status for each step. This is intended to make troubleshooting as easy and straightforward as possible. A developer can even get output from the different actions all the way up to bash scripting output.
This is meant for any application development process to get fully automated. It creates a bridge between the new DevOps world and the legacy applications, which might not yet be ready to run in containers. Given this approach, any application can be made DevOps-ready.
However, as described earlier, each pipeline creates its own development environment by deploying VMs or installing additional software on already running VMs. This means that it ultimately is deploying a couple of VMs per development or QA run. If there are many developers actively using this to deploy their very own application development environment, this might put heavy load on the cloud portal as well as the virtual infrastructure beneath it. It is important to understand that factor in order to design the underlying vSphere infrastructure, since the Code Stream requirement might be totally different from the enterprise SDDC requirements.
vRealize Code Stream integration
vRealize Code Stream does not only use VMware vSphere as an endpoint, it can also be integrated with many other services as well as other DevOps frameworks in order to automate the build and provisioning workflow.
As described in the Cloud Foundry section, there is the concept of stages (or spaces), but there is no gate automation available as in Code Stream. However, it might still make sense to use Cloud Foundry as a platform for developers. In order to achieve the best of both worlds, vRCS can integrate with Cloud Foundry.
This is done through the so-called Plug-In Instances. They can be registered with various endpoints. As of vRealize Code Stream version 2.1, the endpoints are:
Jenkins Server endpoint: This enables any Jenkins test or job to run in the pipeline. It can also invoke a Jenkins build job during the modeling/execution of the release pipeline.
vRealize Automation Server endpoint: This plugin enables the modeling and deployment of vRA resources within a pipeline. Multiple vRealize instances can be provisioned in a single pipeline using this plugin.
vRealize Orchestrator:
    Workflow for a custom task: This enables the connection to vRealize Orchestrator workflow to run within the pipeline. Also configuration as well as passing on values for parameters will be possible.
    Server endpoint: This triggers any workflows on an external vRO from within the release pipeline.
    Workflow for a gating rule: This can trigger a vRO workflow to act as a gating rule in order to automate the release to a new stage.
Microsoft Team Foundation Server: This enables the connection to a Team Foundation Server in order to manage build projects.
Cloud Foundry Server endpoint: This is used to deploy and manage the life cycle of an application into Cloud Foundry.
Bamboo Server endpoint: This is used to run tests and other plans as well as custom automation and scripts in Bamboo. This can also invoke a build plan during the modeling and execute this plan within the release pipeline.
Bugzilla Server endpoint: This generates or updates tasks in Bugzilla from within the release pipeline.
JIRA Server endpoint: This generates and updates JIRA tasks or issues out of a release pipeline.
Given this rich integration, it should be possible to use vRealize Code Stream in a variety of development environments. With the plugin for Cloud Foundry, it is even possible to automate the release management and use Cloud Foundry as a native PaaS offering.
Also vRealize Orchestrator will be a mighty tool for release automation. Since vRO also features a rich plugin availability and architecture, it will be easy to model several different easy and complex gatekeeper rules.
The Jenkins and Bamboo integration might be the most interesting one for the developers. These tools are often used for coding and the creation of artifacts. The ability to directly connect a pipeline and deployment tool tremendously enhances the deployment speed.
The JIRA and Bugzilla integration, by contrast, targets continuous improvement and project management.
One integration that has not been mentioned yet is the integration in Socialcast. Socialcast is a communication tool often used for company internal purposes. It has features similar to Facebook and can be seen as a company internal social media platform.
vRealize Code Stream has the ability to post updates from a given pipeline right into a Socialcast group. While this might sound a bit awkward in the first place, it actually can provide a lot of value. Basically, it is an easy way to make pipeline executions transparent for a broader user group. This is a way of sharing progress in an easy and straightforward way.
vRealize Code Stream from VMware for the SDDC is meant to join two different worlds: the world of DevOps with the world of enterprise IT.
By providing smart and easy integrations, it can be seen as a bridge between these two different worlds and the option to truly be able to fulfill the developer needs as well as the enterprise IT requirements.
SDDC and DevOps: A mixed world
The SDDC is perhaps one of the biggest enablers for DevOps as well as for running legacy applications in a more agile and dynamic way. However, for most organizations, the SDDC is a way of running and deploying their well-established and often still required legacy applications.
Given all the changes a DevOps environment introduces, it will collide with established and required policies and processes in an enterprise environment. The classic approaches will not work since they possibly slow down DevOps operations and also create unnecessary overhead to such an environment.
An example for this will be an IPAM and CMDB solution. Given the short and temporary life of a development environment, it might not be necessary to track the hostname and IP address from all the VMs in the environment. Also, it might not be required to add all OS and software configuration items to the CMDB since they can change on a day-by-day basis. Therefore, all these processes have to be ignored; otherwise, the environment might become too slow for developers so that they again have to come up with a different solution.
DevOps requirements
For a pure container environment such as Cloud Foundry or Docker Swarm, this is even more true. It makes no sense to register a container host in a CMDB or log its IP address using IPAM. The containers will communicate with each other using network ports. Also, containers are temporary and stateless; there is no need to track their status in a CMDB. The pure approach to make all this work together with legacy processes and tasks in any organization might as well kill the DevOps approach.
However, ITIL does not become irrelevant just because of DevOps. But it is necessary to adapt it to this new world. Changes in a production environment should still be announced, approved, and documented. Given that some of these containers run on container hosts in production, they could be treated as if they were vSphere hosts in a cluster. It may be impossible to know exactly on which host the container runs, but maybe it makes sense to track on which swarm/cluster the container tends to run.
The resources should be easily available and flexible in their deployment. Although the container host is running on physical or on virtual servers, there should be enough flexibility available in order to quickly add resources to a given swarm or cluster.
In a Cloud Foundry world or PaaS world, there should be options to quickly onboard new services in order to make them available through the service broker. If it takes several weeks to establish a new service, this will ruin the whole case of having the platform available for developers.
Besides the technology aspect, DevOps will always introduce a change in the way of running the current IT environment. It is literally impossible to operate these new environments if all the boundaries are still to be met to integrate into the legacy processes coming from a different era of IT.
Enterprise requirements
In earlier chapters of this book, enterprise requirements of legacy applications have already been discussed briefly. An enterprise application might need to follow strict ITIL rules in order to be integrated in an existing data center. There sometimes needs to be an IPAM in place as well as a CMDB in order to store the configuration and setup of all these applications. Also a ticketing system might be required in order to keep track of possible incidents and problems in the environment.
With the use of automation, these tasks can be completed without human intervention, while the application is being deployed. A ticket can be opened and logged right out of the cloud portal. Given that these applications are quite static, it makes sense to automate the data exchange between CMDB, IPAM, and a ticketing system. The application is probably going to statically run for a longer period so the data will stay relevant as well.
Once an application is going to be archived or deleted, the data can also be automatically updated to mark the application as archived in the CMDB and release the IP address again in IPAM. This automation makes sure that no resources are wasted and that IP addresses could be reused once their original owner has disappeared from the data center.
Tip
Albeit this is possible, there are organizations having rules that IP addresses and especially hostnames must not be reused with new services. This is normally done to prevent errors based on hostname/IP confusion.
There might still be colleagues thinking that a given IP or hostname is part of a distinct service. If the service behind the hostname/IP is a new one, this might lead to severe errors caused by human interaction.
Legacy and DevOps: Coexistence in one environment
Given all the differences between DevOps and the legacy world, one might think it is important to create a separated environment for each type.
This is typically not recommended. Separate environments lead to island solutions within a data center. Each island needs to be managed and controlled separately. They need to be monitored and run by a different team or the same team. However, given all the effort to separate two environments within a data center, it might not be efficient or agile to do this with a DevOps installation.
Also the integration from Development to Operations might be difficult if the production environment is somewhat separated from the development (remember the stages). Therefore, separating environments is not a good option since it can actually lead to a slower deployment instead of speeding up development and deployment times.
As described in the earlier sections, there is a coexistence with vRealize Automation possible. It is not only possible but should be achieved in order to minimize effort in running the environment and enabling the DevOps team to really use what the SDDC has to offer.
Even if there are a lot of things possible with containers, there are always some applications that can't be easily stuffed into this new way of running software. There might be requirements for on-demand DB creation, for object-based storage, for e-mail connectivity, or for other legacy services. These services can be deployed and automated using the traditional SDDC methods like deploying an application on top of a VM or using automation to register these services to a service broker.
Also, the SDDC is empowering DevOps. It is more a symbiotic relationship than a competitive one. There are several things that might not be as easily possible in a DevOps installation if there is no SDDC running side by side.
Use DevOps principles to manage the SDDC
Besides the pure developers' view of DevOps to run applications in the SDDC, there is another point of view worthwhile to cover. The SDDC itself consists of blueprints, which will deploy services. These blueprints are basically software or at least code definitions of infrastructure. In a production environment, it is very common to have a development SDDC and a production SDDC. Once new services pass all test and quality assurance criteria in the development SDDC, they can be transformed to the production environment. However, this task had to be done manually in the past or by the use of complex command-line tools without the ability to version control or roll back in case of an error.
This is quite close to what developers do in software and why DevOps is so popular. They simply want to be able to quickly reapply an updated version of their software. The same principle holds true for blueprints; it would be very handy to develop a simple blueprint and then put it in production, but fully automated with the press of a button.
This is where the vRealize Code Stream Management Pack for IT DevOps comes into play. This was formerly known as project Houdini by VMware and applies DevOps principles to managing blueprints.
It is based on vRealize Code Stream and is available as an add-on service catalog in vRealize Automation. The target audience is blueprint designers and SDDC admins who want to develop services in one vRA instance and then simply transform these into the production vRA instance, once ready.
Its Version 2.1.1 supports the following blueprint types:
IaaS blueprints (vSphere only at the moment)
ASD blueprints and actions
vRO workflows and actions
XaaS blueprints
Furthermore, it allows the teams to select a blueprint including all its dependencies and configurations and transforms it either to another tenant or even to another vRA instance. It will resolve all dependencies and ensure that these are also installed and ready in the target system. Additionally, it can run tests of that blueprint if desired by the requestor. Once all that is completed successfully, the blueprint will be available at the new vRA instance or tenant.
The big advantage is that all these operations are stored in a version-controlled central database. So each update or change can easily be tracked and also be rolled back if necessary. This is a huge advantage since it eases publishing new services and tremendously reduces risks in the event of failures.
These infrastructure as code packages can also be managed and will appear under the Items tab in vRealize Automation. All of these are able to be deployed to different tenants, vRA instances (including vRO), or even vRA instances in different data centers.
This is a very powerful way to apply the DevOps principle to infrastructure and leverage its full agility in order to create, test, and deploy services within the SDDC. The plugin is available through VMware free of charge, but requires vRealize Code Stream to be configured and installed.
So besides the application DevOps approach, it should definitely be considered to also run an infrastructure DevOps approach using these technologies in order to have the same efficiency and agility when it comes to the development of new SDDC services.
Summary
This chapter described DevOps in general: its purpose and what differences it might bring to an SDDC. The general meaning and purpose of DevOps was discussed in order to understand that this way of creating applications requires different approaches. It also listed several approaches to run cloud-native applications and listed ways to further automate their release and tests. Also, it listed tools to integrate in vRA in order to be able to provide the best of both worlds for DevOps as well as for the classic legacy IT application. Finally, it highlighted a way of applying the DevOps principle to the SDDC service development, in order to leverage its agility and flexibility for the creation and distribution of infrastructure blueprints.
In the next chapter, the focus will be on capacity management in an SDDC. It will highlight why it is important to do predictive capacity planning as well as which tool in the VMware family can be used to further provide this functionality. Also, it will highlight how to operate vRealize Operations Manager and create so-called dashboards in order to provide a quick capacity overview of the SDDC environment.
Chapter 10. Capacity Management with vRealize Operations
This chapter will dive into capacity management for the SDDC. Since requests through the cloud portal now drive the deployment and consumption of services, users expect that there are elastic or nearly limitless resources available, similar to a public cloud provider, where resources are virtually endless and always available. The big cloud providers typically have a predictive analytics model to understand when, if, and how they need to provide additional resources to back the users' demand.
Typically for a cloud provider, this is accomplished completely transparently in the background. It is their desire to keep the illusion of limitless and endless resources alive for their customers. In the end, this is what a lot of customers are looking for: quick and easy onboarding, with no waiting time until some physical installation is finished.
This implies that capacity management in a highly automated environment like the SDDC is a very important topic. Being informed about the resource consumption is not the only important aspect; the capacity planning should also be tied directly into the order management process. While the idea of a system self-ordering its resources sounds a little bit frightening in the first place, this is actually how the big providers are doing it. They have predictive algorithms to inform them that based on the current usage they will need x amount of servers in the next x weeks. This allows an order to be placed to have the servers shipped and up and running before the demand actually catches up with the available resources.
Now, arguably a cloud provider will have a different business model than an organization which is only running its own IT. However, capacity planning is also crucial for this environment. If a user is ever hindered from provisioning a service because there are simply not enough resources, this will harm the trust in and reputation of the local IT department. It could harm the relationship so badly that users might actually consider provisioning their services externally instead of internally.
In this part, the following topics will be covered:
Why capacity monitoring needs to change in an SDDC
vRealize Operations Manager capacity management principles
Overview of reports and dashboards for capacity management
How to create projects to predict future capacity
Setup of example reports and dashboards for capacity monitoring in an SDDC
Capacity monitoring in the SDDC
Most organizations do a very basic but well-established form of capacity planning. Typically resources are tied to projects or to a bigger data center initiative. Groups participating in that initiative may provide a budget and growth plan. These plans are used to buy required hardware, which will be available for the entire project time phase. Sometimes, if more resources are required than expected, there will be additional servers shipped to fulfill this demand during the project runtime. All this requires proper planning and a big amount of human interaction. Also it requires being aware of what is going on in the data center and a good amount of preplanning.
Traditional monitoring and capacity planning tools might not be able to deal with the different requirements an SDDC introduces. Furthermore, using legacy capacity planning tools might increase the overhead for the workforce and in worst cases maybe even limit the way the SDDC can be consumed.
Since the SDDC environment itself is constantly changing due to the automated deployment of workloads, the tools to actually keep track of these changes should be able to automatically adapt to these environmental changes.
The legacy project approach does only partially work here, since there might be users or groups who simply got a resource pool to deploy into. Sometimes even the teams themselves do not know how much capacity they might need. However, they can track their consumption in the portal, watching their resource pool filling up. But all these resources have to come from a powerful and well-managed backend. And this backend needs to be constantly checked for possible capacity constraints.
One solution for this could be to have dozens of empty servers running in case their resources are needed. But this obviously is a very expensive way of providing resources on demand, since all these servers would need to be preinstalled and preconfigured but, in the end, if they are not needed, do not provide any value.
The other option is to have an automated resource demand management based on capacity monitoring. In order to do this, it is important to use a system which can also provide predictive analysis. This is needed to get a capacity alert before the end user is affected. The system needs to be able to pick up a trend, interpolate that trend and then provide a forecast when the demand will be higher than the backing resources. Ideally it provides an alert way before that point in order to prepare the infrastructure team to replenish hardware up front.
This approach is similar to what modern car manufacturers are doing today. Instead of having all parts always available in a big warehouse, they calculate with transport times and include the trucks having the parts in their preorder system. The logistic department takes care that the schedule is met and that parts arrive exactly as they are needed. This way they can significantly reduce their warehouse cost and be flexible in their manufacturing process.
An SDDC works quite similarly to this example. VMs or, furthermore, services are deployed on demand; there can be days where more of them are needed and days where fewer of them are deployed. However, the backing resources need to be available as the services require them. This implies that in a fully automated deployment environment the resource ordering and installation processes also need to be automated.
This means that it would not only be helpful but required that the system is able to reorder without any human intervention. Obviously an approval will make sense for this automation.
In order to accomplish that, it is not only required to have a capacity monitoring in place which can predict demand and create trustworthy forecasts, it is also required to change the established ordering process in an organization.
So an SDDC requires a different approach to capacity monitoring than a traditional data center. It needs a powerful forecast and prediction tool. Based on that forecast it will also require a changed ordering process. Instead of modeling resources in a project, they are now ordered based on demand predictions and actual resource consumption.
vRealize Operations Manager
vRealize Operations Manager is often referred to as VMware's monitoring solution. But it provides way more than just simple resource monitoring. Not only does it have full capacity management capabilities, it is also a learning system, which can self-adapt to a changing environment. This makes it the perfect solution for the SDDC, since it can automatically pick up changes in an environment. Additionally it can also learn the standard behavior of VMs and services. This enables the tool to recognize a change in the behavior and trigger an alert based on that behavior.
Traditional capacity management tools might only be able to work with thresholds. While this sounds perfectly acceptable in the first place, it can introduce issues in a dynamic environment such as the SDDC. Since the values constantly change it will be very hard to set valid thresholds for a capacity management tool to kick in. Also, a threshold needs to be well thought through, given that the supply management chain needs time to order and deliver the required resources.
vRealize Operations Manager is solving this dilemma by using a completely different approach. It does not necessarily look for fixed values; it looks for usage patterns and creates estimated growth rates. This is a powerful way of monitoring capacity, since it can also solve these cases where traditional systems might have troubles.
For example: In an SDDC environment, there might be a new business project coming up. A given department may start to add tens or hundreds of VMs. vRealize Operations will pick up this behavioral change and will issue a capacity alert if necessary. The alert will tell the operations team that if this trend continues, they have to add more resources in X amount of days.
A traditional capacity-planning tool might be triggered at 90% resource usage and send an alert, but that might be too late in order to guarantee that there is no resource constraint. The following workflow presents a typical order workflow until the gear is available in the data center:
Order is processed and sent to the vendor/partner
After 3-6 weeks the resources arrive at the organization
After 2-3 weeks the kit is ready to be configured in the data center
After 1-2 weeks the resources will be completely configured and ready to be used
That means that the capacity heads-up needs to be at least 10 weeks ahead, shortest 6 weeks ahead of the actual requirements for those resources. Otherwise users will experience shortcomings and possible degraded performance while using the SDDC. This may lead to less adoption or even force users to look for alternative ways of running their workflows.
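The contrast drawn above between a fixed 90% alert and a trend forecast, as an added example that is not from the book and is not vROps' own algorithm: a least-squares line over the most recent weekly usage samples, checked against the 10-week and 6-week heads-up figures from the text. The function names, the 100 TB capacity and the sample series are assumptions constructed for illustration.

```python
"""Added example: fixed 90% threshold vs. trend forecast for capacity ordering.

Simplified linear model for illustration only; this is not how vROps
computes its forecasts. Capacity and usage samples are constructed.
"""
from typing import NamedTuple, Optional, Sequence, Tuple

# Heads-up figures stated in the text (weeks before the resources are needed).
HEADS_UP_WEEKS = 10      # recommended warning time
SHORTEST_LEAD_WEEKS = 6  # shortest heads-up the order workflow allows
THRESHOLD_PCT = 90       # classic fixed-threshold alert

# Constructed weekly datastore usage in TB for a cluster with 100 TB capacity.
CAPACITY_TB = 100
STEADY_TB = [40, 42, 44, 46, 48, 50, 52, 54]        # constant growth
PROJECT_RAMP_TB = [40, 41, 42, 43, 50, 57, 64, 71]  # new project starts in week 4


def fit_trend(samples: Sequence[float]) -> Tuple[float, float]:
    """Least-squares line through (week index, usage); returns (slope, intercept)."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(samples))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


class Assessment(NamedTuple):
    growth_per_week: float
    weeks_to_full: Optional[float]            # None: no growth, nothing to forecast
    weeks_left_at_threshold: Optional[float]  # time remaining once 90% is reached
    order_now: bool                           # forecast is inside the heads-up window
    threshold_too_late: bool                  # a 90% alert cannot be answered in time


def assess(samples: Sequence[float], capacity: float, window: int = 4) -> Assessment:
    """Forecast exhaustion from the last `window` samples and rate both alert styles."""
    recent = list(samples)[-window:]
    slope, intercept = fit_trend(recent)
    if slope <= 0:
        return Assessment(slope, None, None, False, False)
    current = intercept + slope * (len(recent) - 1)  # trend value at the latest week
    weeks_to_full = max(0.0, (capacity - current) / slope)
    # Headroom that is still free at the moment a fixed threshold alert fires.
    headroom_at_threshold = capacity * (100 - THRESHOLD_PCT) / 100
    weeks_left = headroom_at_threshold / slope
    return Assessment(
        growth_per_week=slope,
        weeks_to_full=weeks_to_full,
        weeks_left_at_threshold=weeks_left,
        order_now=weeks_to_full <= HEADS_UP_WEEKS,
        threshold_too_late=weeks_left < SHORTEST_LEAD_WEEKS,
    )


if __name__ == "__main__":
    for name, series in (("steady", STEADY_TB), ("project ramp", PROJECT_RAMP_TB)):
        print(name, assess(series, CAPACITY_TB))
```

Even the steady series leaves only 5 weeks between the 90% alert and a full datastore, which is less than the shortest 6-week heads-up; the project ramp is already inside the 10-week window while usage sits at 71%.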
Note
Never underestimate the importance of capacity planning and supply chain management in order to keep the SDDC functional and resources available. Any notable disruption in the service might diminish the usability for the end users, which may lead to loss of trust in the service.
vROps 6.3 deployment workflow
The deployment of the tool is very straightforward. It is provided as a vApp and, to successfully deploy it, all an administrator has to do is follow the necessary onscreen menu. Version 6.3 has major improvements over the older versions and comes as a single VM, instead of two VMs in a vApp. This reduces the overall complexity of vROps and makes it easy to install.
The first thing to do after a successful deployment is to connect it to vCenter. This is done in the so-called Solutions menu:
1. Open vROps in a web browser by pointing it to https://vrops.example.local.
2. Log on with the given admin (local users) name and the password provided during the vROps installation.
3. Click on the Administration icon located at the top row of the left-hand column. The icon has a little gear symbol.
4. Click on Solutions in the left-hand column.
5. Select the VMware vSphere solution in the table and click on the Configure icon in the Solutions area.
6. In the Manage Solution - VMware vSphere window, enter the following details:
    Display Name: vCenter
    Description: vROPs monitored vCenter
    vCenter Server: vcenter.example.local
    Credentials:
        1. Click the plus icon to add credentials.
        2. Enter a credential name, for example, vCenter.
        3. Enter a valid vCenter username.
        4. Provide the password for the selected user.
        5. Click OK to set the credentials.
7. Click on the Test Connection button and wait for a positive feedback.
8. Click on Save Settings to store the configured configuration for the solutions adapter.
Note
vROps can also be installed in HA mode with more than one instance. This setup is also controlled during the initial installation. However, it requires more resources and some preconfiguration tasks to get that running. To learn more about this expert setup please refer to the vROps installation guide at https://pubs.vmware.com/vrealizeoperationsmanager-63/index.jsp.
After vROps is set up and the vCenter link is established it is ready to be used for analytics and capacity monitoring at the vCenter level.
Tip
There are many more solution adapters available for vROps to connect it also to the non-VMware world. It can be connected to various storage vendors, SAN switches as well as networking gear. But also exotic use cases such as temperature sensors or power consumption can be monitored and forecasted with vROps (if a solution provider is present, or could be customized). This might not be necessary for capacity management, but for advanced data center analytics that might become very handy.
After all considered solutions have been set up it will start collecting data. The tool needs a while to get meaningful data to provide trends and detect patterns in the data center. Usually this time is about two to three weeks. So if vROps is not showing any usable data on the second day after the installation, be patient and wait until there is enough data available for valuable output.
Also, the guesses and trends will get better over time, since the tool can learn from long-term patterns as well.
Capacity monitoring
To start with the capacity monitoring it might be helpful to understand the general structure of vROps and how it is organized. Please be aware that this structure differs between the basic/standard system and the advanced/enterprise system. The described layout refers to the advanced and enterprise version of vRealize Operations.
First of all, if a user who has admin privileges assigned accesses vROps using a web browser, it will display the environmental overview screen. This typically includes all solution adapters and all data. It tries to focus everything that is going on in the environment on one simple dashboard.
This overview contains three major badges:
Health: This is mainly used for monitoring and analytics purposes.
Risk: This will provide a forecast of potential issues; these will include capacity constraints. However, the data is always an estimate based on the collected raw data and trend forecasts.
Efficiency: This basically shows how efficiently resources are being used. If Efficiency is low it is a good indication that resources are overprovisioned; this means a VM might have more RAM or CPU configured than it actually needs, which is very common. This is used for capacity control and monitoring purposes as well. Bad efficiency rates will affect capacity as well (wasted resources).
Unfortunately these values are shown for all gathered data. While this sounds handy in the first place, it means that a lot of values will actually dilute individual capacity issues. The following diagram describes this dilemma:
The dark red line displays the individual risk value for each cluster. By looking at the diagram it is pretty clear that Cluster C might have an issue of some sort. The other clusters are doing well so far. What vRealize Operations is now doing is calculating the entire risk of the data center, including all clusters. This will lead to a loss of details for the individual risk. The lighter blue line shows the overall risk calculated for the data center. Given that all other clusters are doing just fine, the overall risk is quite low, not really alarming.
So the general overview including all metrics and data cannot be seen as the ultimate data center risk/health or efficiency display. It is more a hint and tries to provide a slight insight that overall everything is doing well.
Note
If this view contains severe risk values (orange or red) something serious might have happened in the entire data center. Given the high-level overview, things need to be severely bad to have a big influence in that view. So in that case it is helpful to identify that there might be a global issue going on in the data center.
The rule of thumb for vRealize Operations is: Do not judge the environment based on the 10,000 feet overview given when logging on to the system.
In earlier versions of vRealize Operations Manager, these badges did also show numbers. So the health value could be 98, risk 8 (lower is better), and efficiency 95. However, VMware decided to remove these number scores, since they confused a lot of people and the capacity planning team had to answer questions like:
Why is our efficiency only 95 and not 100?
Why do we have a risk of 8; is there something wrong?
Does a health of 98 mean that 2 fractions of our environment have problems?
While the numbers were just displayed to back the colors (100-80 green, 80-60 orange, 60-45 yellow, 45-0 red) they had nothing to do with actually displaying problems. A score of 8 risk might just mean that some systems are potentially exceeding their assigned resources, but not that there is actually a real issue.
However, to get this problem solved VMware applied a simple fix to all new vROps Managers: No more numbers in badges.
Overprovisioning and resource allocation
Besides the overview dashboard, the system comes with hundreds of detailed views and reports, which can be used to get a good understanding of resource demand and resource availability. To get started, it is recommended to look at an individual group of items to examine their capacity needs. However, ultimately the system should send a warning proactively. Based on this warning it then might make sense to examine the mentioned resources more closely. Resource warnings and related actions will be discussed later in this chapter.
In order to be able to understand what vROps is displaying, it is important to be aware of how virtual resource management and provisioning works in vSphere. The following example is based on an extremely overprovisioned datastore:
It holds 10 VMDKs
Each thin provisioned with 500 GB
Consumed space is 0.5 TB
Note
In vSphere, one speaks of overprovisioning if more resources are allocated (provisioned) than actually available. While this is common practice for CPUs and even memory virtualization, for disk space it needs some extra effort. If the CPU or memory resource is constrained, the VM might operate slower. If disk space is suddenly no longer available, most OSes stop operating at all. Therefore disk space is a more critical resource than CPU or memory.
The setup in the preceding image is very risky. Some applications have high resource requirements but then never actually use all the allocated resources. However, there is no guarantee that an application/VM will not start using all its allocated resources.
Some prominent examples of unforeseen use of resources are quite trivial:
OS updates can consume a lot of disk space
Application based backup (for example, database dumps)
Application updates
Software maintenance (new installs)
In some environments this might take a while, but be prepared that the database admin may decide tomorrow to move from a simple to a full backup pattern for some reason. Or just add an additional database dump along with the backup, since there is enough disk space left in the OS, right...?
Normally, vSphere does allow setting a limit on overprovisioning. This would then prevent putting too many VMDKs onto a datastore. These limits are typically set as a percentage of the datastore's capacity. So if a datastore has 2 TB, a limit can be set to 150%, which means that it will allow an allocation of 3 TB or an overprovisioning of 50%.
In this case, such a limit has not been set. The datastore happily supports every single VMDK as long as there is enough physical space left. However, 5 TB is provisioned on a 2 TB datastore. This means the resource is 250% overprovisioned.
As mentioned in Chapter 3, VMware vSphere: The SDDC Foundation, vSphere has some special abilities to protect VMs from ceasing to operate due to out-of-storage issues by using Storage DRS out-of-space avoidance moves (if configured and enabled). However, this function needs other available resources to move the VMs to. This either requires an attached empty datastore, which will harm the efficiency, or an intelligent process to add resources based on the growing demand. Given this, it is important to understand that with over-allocation, there is one important metric to look after: resource demand.
Demand is created if the VMs start to touch more and more of their allocated resources. This means they eventually start to physically (well, virtually actually) consume the allocated space. And from this demand a trend can be calculated.
vRealize Operations Manager will closely monitor the allocation and the demand and provide insights and a trend for both. While the capacity trend might not change so quickly, the demand can change very quickly.
The following screenshot shows an example of how such a datastore would look in vRealize Operations. The view is provided on the Capacity Remaining tab of a selected vSphere cluster:
vRealize Operations has already highlighted the areas limiting the cluster's capacity. In this case it is the Disk Space:
The total capacity says 6.41 TB (including 70% overcommit)
The system detected that already 5.57 TB (96.89%) has been allocated to VMs
The physical available storage space is 4 TB
vROps will not only highlight the values, it will also send e-mail alert notifications to make sure that this status is not missed by anybody. However, the demand graph shows that the demand has been pretty flat for the last 30 days.
Also, the Demand row shows all the disk details:
Total Capacity: 3.91 TB
Usable Capacity: 3.51 TB (includes HA buffer)
Capacity Remaining: 1.95 TB
Recommended Size: 1.73 TB
Average Demand: 1.56 TB
So in reality the VMs only consume 1.56 TB from 3.91 TB, which means that roughly 45% of the available datastore space is utilized by all these VMs. However, the VMs could consume all the way up to 6.41 TB, which is 2.41 TB more than available.
The risk of this disaster occurring can currently be seen in the demand chart. It has been flat for the last 30 days. It seems that this is one of the cases where a lot of resources have been provided to the VMs, but the applications do not currently need all of them.
However, if the demand rises, immediate action is required to prevent any disruption to the applications/VMs.
On the other hand, this is a very efficient way to make use of resources; risky, but efficient.
Note
This has been set up in a lab environment and is NOT recommended for production by any means. The risk of such a setup will always be way too high no matter how high the efficiency benefit might be.
Navigating vRealize Operations Manager
vRealize Operations Manager is a very mighty tool for both capacity planning and data center analytics. Therefore it has a very rich user interface full of data and objects to inspect. The capacity planner will probably need different menus and dashboards than the vSphere administrator or the data center analyst. This section should provide an overview of useful functions for capacity planning and where to find them in the tool.
Capacity remaining
As discussed earlier, the capacity remaining dashboard is available for vSphere resources like hosts, clusters and data centers. To get to this view follow these steps:
1. Open vRealize Operations Manager web UI in your browser.
2. In the home screen click on Environment in the left-hand pane.
3. At the updated view, click on vSphere Hosts and Clusters.
4. Expand vSphere World | expand the vCenter | expand the data center to finally click onto the desired cluster to view.
5. In the main dashboard click on Analysis.
6. Select the Capacity Remaining dashboard in the Analysis tab.
This will provide a detailed overview of the cluster and its resources as shown in the following graphic:
Like in the former example, this overview provides a quick and easy way to check the capacity demands and risks for the selected object. In this case, it is a payload cluster providing resources for the SDDC. There is also a very basic scenario-based what-if analysis available at the What Will Fit top section. It shows some rectangles with VM counts in them. The numbers are based on a workload profile. Each rectangle symbolizes a separate workload profile. However, defaults will never really fit all customers, so it is also possible to create custom VM profiles based on actual workloads (VMs) running in the environment.
One of these profiles has been created and is called SDDC VM. This is not just some CPU, memory, and disk space profile. It takes all the workload data (including demand, performance behavior, and so on) and stores it. Then it compares it with the capacity remaining in the cluster. Given that it is using the real data from the actual deployed VMs, it is far more accurate than the default profiles.
To create one of these profiles, follow these steps:
1. Click on the rectangle with the plus sign.
2. In the configuration window provide a valid profile name and description.
3. Click Enable this profile for all Policies if desired.
4. In the Metrics section decide on a filter mode: either Allocation or Demand or both.
5. Now click on Populate metrics from....
6. At Existing Virtual Machine select a VM to act as a standard. Try to select a VM configuration describing the most used blueprint of the SDDC environment.
7. Click OK to save the profile configuration.
The profile is now available; however, it might take a little while until it shows a number of VMs.
Tip
If Allocation has been selected, the number of VMs will be calculated based on their allocated resources.
If Demand has been selected, the number of VMs will show how many of them will fit based on their resource demand. In other words, based on their currently used resources.
If both are selected, the system takes both considerations into account and tries to give the best prediction.
As of today these profiles cannot be edited after they are added. If you need to change the profile (for example, from Allocation to Demand) it needs to be deleted and recreated from scratch.
Note
These profiles are a good way to ensure that the resources are available given the specific SDDC VM configuration. This will raise accuracy and therefore make it easier to react to possible resource constraints.
Right next to the Capacity Remaining dashboard there is also a Time Remaining dashboard, which will basically interpolate the time remaining until the resource will be 100% used. If this value is bigger than one year, it will simply state > 1 yr.
The resources in the table can be expanded by clicking on their down arrow. In case of Demand, a diagram will display current and future (interpolated) demand. Based on that future demand the remaining time will be calculated.
The preceding image shows a growing memory demand. Based on the last 12 weeks the system detects an ongoing trend. This trend will be added to the forecast. Given all these metrics the system can predict when the current resources will no longer be able to serve the demand. The current resources, called Usable Capacity, are shown in the graphic as a purple line. The red area is the current and future demand. The point where the red area and the purple line cross marks the time to add resources to fulfill further demand. In this case this point is further ahead than a year, so it is not shown in the graph.
These conditions can change very quickly. If a user deploys multiple VMs into this cluster the memory demand will change. This will lead to a recalculation of the time remaining estimate. Therefore alerts can be defined based on time remaining notifications. If this drops to 3 months, for example, an alert could be sent to the procurement department in order to make them aware of the upcoming resource constraint.
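
The time remaining idea described above, as an added example that is not taken from the book or from vRealize Operations: a straight-line trend is fitted to 12 weekly demand samples and extended until it crosses the usable capacity. The least-squares model, the sample values, the capacity figure and the 13-week alert threshold are all assumptions made for illustration.

```python
"""Time-remaining forecast from a demand trend (added illustration).

Assumption: an ordinary least-squares line stands in for the forecast model;
the text does not say which model vRealize Operations actually uses.
"""

# Constructed sample: weekly average memory demand (GB) for the last 12 weeks.
WEEKLY_DEMAND_GB = [410, 418, 421, 430, 436, 441, 452, 455, 463, 470, 478, 484]
USABLE_CAPACITY_GB = 640.0   # hypothetical usable capacity (the "purple line")
ALERT_THRESHOLD_WEEKS = 13   # roughly the 3 months used as the example in the text


def linear_trend(samples):
    """Least-squares fit y = slope * x + intercept over x = 0..n-1."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(samples))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def weeks_remaining(samples, usable_capacity):
    """Weeks from the latest sample until the trend crosses usable capacity.

    Returns 0.0 if the trend already meets capacity, and None if demand is
    flat or falling, because the line then never crosses the capacity.
    """
    slope, intercept = linear_trend(samples)
    last_x = len(samples) - 1
    if slope * last_x + intercept >= usable_capacity:
        return 0.0
    if slope <= 0:
        return None
    return (usable_capacity - intercept) / slope - last_x


def time_remaining_label(weeks):
    """Render the estimate the way the dashboard is described: cap at one year."""
    if weeks is None or weeks > 52:
        return "> 1 yr"
    return f"{weeks:.0f} weeks"


def needs_procurement_alert(weeks, threshold_weeks=ALERT_THRESHOLD_WEEKS):
    """True when the estimate has dropped to the alert threshold or below."""
    return weeks is not None and weeks <= threshold_weeks


if __name__ == "__main__":
    before = weeks_remaining(WEEKLY_DEMAND_GB, USABLE_CAPACITY_GB)
    print("steady growth:", time_remaining_label(before),
          "alert" if needs_procurement_alert(before) else "no alert")

    # A batch of new VMs lands in the cluster: demand jumps for three weeks,
    # so the estimate has to be recalculated from the longer series.
    after_burst = WEEKLY_DEMAND_GB + [560, 568, 575]
    after = weeks_remaining(after_burst, USABLE_CAPACITY_GB)
    print("after VM burst:", time_remaining_label(after),
          "alert" if needs_procurement_alert(after) else "no alert")
```

A flat demand history yields no crossing at all, which is why the datastore example earlier in the chapter can sit at 96.89% allocation without a time remaining warning.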
Eventually the alert could automatically trigger a purchasing management system to order additional resources. The financial department will only be involved to approve the order. In this case the system would be configured as self-healing (or self-ordering in this case) to solve individual issues.
While most organizations will not like the idea of machines ordering machines, it could still be done but with a simple approval chain. This would be an opportunity to add a XaaS service to vRealize Automation, which triggers a server order. This service request could then be triggered by vRealize Operations.
Unfortunately this functionality does not come included in vRealize Operations, but there is a free alert plugin, which can trigger REST calls. These REST calls can be used to call the vRA REST API and request the service.
Note
Please be aware that VMware does not officially support the plugin for the custom REST action for vRealize Operations.
Capacity planning
So far the monitoring and prediction of used capacity has been discussed in this chapter. But there is also a planning aspect to prevent low or risky resource situations. vROps also allows for these capacity planning tasks with an extra tab called Projects.
At the beginning of this chapter, it was explained that resources were often added or bought based on projects and that this is no longer accurate for an SDDC. This statement was referring to large projects that also required hardware resources to be bought. Based on such projects, entire areas of the data center might have been filled with servers, storage and compute.
In an SDDC, projects are still relevant and will eventually even increase in popularity since they can be realized much more quickly. This is also referred to as time to market or sometimes, time to value. Since the SDDC is offering infinite resources on demand with a simple mouse click, it is the ideal platform for any project.
In reality, this illusion is only possible if there is very good capacity planning and monitoring. The monitoring aspects have been discussed so far and are good for keeping an overview of the running environment and predicting any future potential constraints. The planning is needed to prevent any constraints introduced in a very short amount of time.
The following example might help to better understand what projects are for in vRealize Operations Manager and how they can be used together with vRealize Automation.
A development team decides they need:
10 database VMs
25 application server VMs
100 web server VMs
Those are required in order to test for a specific application scenario. In order to quickly get all this deployed the SDDC is the perfect starting point. So they will go ahead and request 135 VMs to be deployed in a very short amount of time. These VMs will come with different profiles and different requirements.
To make sure the SDDC is not blindly doing anything that has been requested, approvals have been introduced. In Chapter 5, VMware vRealize Automation, these approvals are discussed in greater detail. From a capacity planning perspective, approvals are interesting to prevent sprawl and to make sure that the system can handle the introduced load well enough.
Tip
Besides the cost and regulatory nature of approvals, they are also needed in order to keep the SDDC resilient and responsive. Imagine what would happen if a user ordered enough VMs to bring the SDDC's resources down. All users would be affected. This is another reason why approvals should be taken seriously in order to protect SDDC functionality and guarantee flawless operation.
Additionally, being aware of such massive VM provisioning requests will make it easier to order resources even before the vROps time remaining monitoring feature might trigger a warning.
Projects in vRealize Operations Manager
Let's assume the developers filled in their request to vRealize Automation and this is now sent for approval to the SDDC operations team. This team is also responsible for the resource management and availability. As soon as the approval comes in they can use the details of the request to model the data in vROps to see if the capacity will be sufficient for such a project.
For this use case, vROps has its own functionality called projects. To model such a project, follow these steps:
1. Open vRealize Operations Manager web UI in your browser.
2. In the home screen click on Environment in the left-hand pane.
3. At the updated view, click on vSphere Hosts and Clusters.
4. Expand vSphere World | expand the vCenter | expand the data center to finally click onto the desired cluster to view.
5. In the main dashboard click on Projects.
At the lower half of this dashboard, there will be a table showing all currently configured projects (if any). If no projects have been configured, this table will be completely empty.
To create a new project, follow these steps:
1. Click on the plus sign in the lower half of the dashboard.
2. Provide a valid name, description, and select Planned - no badges affected.
Note
Projects can also be retro-modeled. This is what Status Committed - badges affected in the creation wizard stands for.
3. Click on Scenarios at the bottom left of the screen to bring up the project modeler.
4. Make sure the correct object is selected; in the example it will be an SDDC cluster. But it can be different virtual objects such as datastores, hosts or even VMs.
5. In the Add Demand section drag add Virtual Machine into the Scenarios area (right next to the left column).
6. Now the project parameters (VM parameters) can be created; fill in all necessary metrics. It is important to try to be as accurate as possible, since the prediction will only be as good as the provided data.
7. In the configuration area (right of the Scenarios area) provide all known parameters to model the anticipated VM resource demand. Make sure to fill in consumed versus provisioned correctly. For the databases it is a safe assumption that memory consumed equals memory allocated. For the web servers, the memory allocation might be 4 GB but the system might only consume 3 GB. It is recommended to make an educated guess here. But try to stay balanced between too careful and too risky (with 4 GB RAM allocated, 2.5 GB is probably consumed).
8. Click Save to store the project data.
Once the project is saved it will appear in the Projects tab under the project table. As seen in the image, there are some shortcomings with resources for this project. Disk space is especially a problem. The 135 VMs consume way more datastore space than currently assigned to this cluster.
Luckily, this might be an easy fix if there is still enough physical storage space available. The solution would be to add datastores to the cluster in order to make room for all these newly created VMs.
However, the graph automatically shows the most constrained resource, but it is worthwhile also checking the other resources like memory or CPU to see how they fit into the current environment. CPU or memory issues are much more difficult to solve, since that literally means that hosts either need to be added to a cluster, or their memory or CPUs need to be upgraded (that is very rare; typically organizations add hosts instead of upgrading them).
Tip
In the image CPU demand is not configured. That is because CPU demand (the actual MHz or GHz the VM needs to run) is quite impossible to predict. If values were entered here (such as 1.5 GHz), vROps would calculate that as a fixed value the VM always needs. This can lead to a CPU constraint in the graphic, which would only be true if all the VMs had exactly as much CPU demand as put into the project. So this setting and model should be taken with a grain of salt.
This is a quick and easy way to identify possible constraints and react in a timely manner to resolve them. In the example the team can add disks to the cluster and give the request from the QA team a go. vRA will automatically provision the VMs on the newly available resources and all the teams are happy.
Ideally this is all completed in a very short amount of time. Given the easy modeling capabilities of vRealize Operations, such calculations can be done literally in no time.
If the project is then realized (the VMs are deployed) it is possible to set a created project from Planned to Committed. This will then affect the health, risk, and efficiency badges. Also, the project can be monitored to see whether the forecast and the actual resource demand match.
Reports in vRealize Operations Manager
Besides the projects to help proactively plan for capacity, there is also a reports functionality, which will create custom reports and send them as PDF or CSV attachments via e-mail. There are a couple of preset reports in vROps, but it is also possible to create custom reports to contain exactly the amount of information required to be relevant for the receiver.
Report customization includes organizational branding and logos. The most common use case is to send those to the head of operations or even to the CIO level to provide some level of insight into the data center.
They are especially nice if the capacity planning team is not able to access vROps on a regular basis. Reports can be scheduled on a regular basis (daily, weekly, monthly, and so on).
Defining a report is quite simple:
1. Open vRealize Operations Manager web UI in your browser.
2. In the home screen click on Content (icon looks like a little notebook) in the left-hand pane.
3. Click on Reports.
4. Click on the plus sign under Report Templates.
5. Provide a meaningful name to the report.
6. Click on Views and Dashboards to configure the content of the report.
7. Browse for required Views or even add content from a dashboard into the report.
8. Make sure CSV and PDF is selected under Formats.
9. Once the composing is completed, click on Save.
10. Now the new report can be run and then inspected in vROps.
Once the custom created report is available, it will show up in the Report Templates table.
In order to run the report instantly, click the Run Template icon at the top of the reports table (it has a little green play icon). Once the report has executed successfully it can be accessed by clicking on Generated reports (1).
At this overview the report will be selectable to download in PDF or CSV format.
Reports can also be scheduled for repeated execution. While still in the reports screen (Content) do the following:
1. Select the desired report to schedule.
2. Click the little gear icon at the top of the reports table and select Schedule report... from the drop-down menu.
3. In the Select an Object screen, select the object the report should run on (for example, an SDDC cluster) and click Next to continue.
4. In the Define Schedule window, select the preferred weekday, recurrence, time and time zone.
5. At the Publishing area, make sure to enter a correct e-mail address to send the report to (or mailing list).
Note
In order to send an e-mail, vROps has to be configured to use an external web server.
6. Click Finish and the report is scheduled for execution.
Views in vRealize Operations Manager
Views are not only available to be put into reports; they can also be shown in dashboards. Dashboards are a quick way to display all relevant metrics for a certain topic. Also, they can display a mix of available metrics and data. However, the metrics data to display needs to be available as a View.
Views are the smaller building blocks of vROps information display. As described earlier they can be put into a report like little modules to display desired information. vROps comes with a number of precreated views but there is also the possibility to create custom views on resources that are not yet present.
Designing a custom view is as simple as creating a custom report:
1. In the Content screen click Views.
2. Click on the plus sign in the views table to add a view.
3. Provide a meaningful name to the view.
4. Click on Presentation at the bottom of the wizard and select a form of presentation for the view, for example, Trend.
5. Click on Subjects to continue. Pick an object to get metrics from, for example, Cluster Compute Resource.
6. Click on Data to select the data to be included. It shows a list of all vROps metrics. For example, Disk Space Effective Demand % and Disk Space Capacity Remaining %. Make sure that these do not already exist in a preset view.
7. Click on Visibility to configure where the view can be used. If desired, it can be added to further analysis to influence the displayed sections.
8. To finish the configuration click on Save.
This new View can now be used in dashboards and reports. There is always a possibility to re-edit the view if the data is not shown as intended.
Views add a lot of flexibility to vRealize Operations. Basically they can be seen as Lego bricks adding custom capabilities to fit every organization's needs. Especially when it comes to capacity management, some of this data does not exist in the precreated views. This is a nice way to add this data and even create your own reports or capacity dashboards to display these metrics.
Summary
This chapter described capacity management in the SDDC. It covered useful techniques to stay on top of the unpredictable nature of the SDDC demand. It also discussed some resource management basics, which are necessary to gain a better understanding of the graphics displayed by vRealize Operations Manager. Finally it discussed some proactive tasks like capacity planning. The last section discussed how to use reports and views in order to create custom data providers. Scheduling aspects of reports were also discussed in order to ensure that data can be proactively sent to a capacity management team.
In the next chapter, the focus will be on troubleshooting and monitoring of the SDDC. It will introduce concepts based on best practices and experience to avoid worst-case scenarios. It will also discuss vRealize Operations from an analytics standpoint to detect anomalies and report those. Furthermore the use of actions attached to alarms is discussed. Finally it will also discuss the importance of a central log management system, in order to be able to quickly identify problems across the boundaries of multiple hardware and software systems. It will show how to configure vRealize Log Insight and provide practical examples of log analysis and dashboards.
Chapter 11. Troubleshooting and Monitoring
This chapter will discuss troubleshooting and monitoring techniques in an SDDC environment. First, it is important to note that the SDDC itself is a complex environment, which hides this complexity from the user. This is done through a user portal with easy-to-request services. Although this is perfect for the end user, it can quickly become very difficult to troubleshoot for operators or administrators. An SDDC is more than just the VMware components such as the portal, the hypervisors, and the virtual networking. It is also using the orchestrator for third-party integration with external tools. A powerful and yet easy-to-consume monitoring system needs to be in place for all of these processes and triggers.
If a service deployment is failing, it is important to quickly identify the root cause to fix it. The best case is that it can be found with the error message the deployment generates. The worst case requires a monitoring system that is able to correlate actions to identify a single thread of logs per deployment. That sounds very complex, but this chapter will show how all of this is possible in the SDDC.
Besides monitoring the deployment process of services, it is also important to monitor the health of the deployed systems. This creates new challenges for a legacy monitoring system since the use case of the requested service or VM is unknown. This means the monitoring system needs to understand how the deployed server operates in order to detect any failure or problem. A simple threshold-based monitoring system will not be able to deliver this functionality. In fact, the monitoring system itself has to have some intelligence in order to understand the service behavior and when the service is actually failing. This sounds like fiction for server monitoring, but it is the operational truth for the SDDC. The monitoring needs to be as agile and flexible as the platform itself. Yet, the log information management and log handling needs to be lossless. Also, it needs to gather all messages from all used systems in the entire SDDC even if those systems are external to the core SDDC applications. Such systems are IP Address Management (IPAM), Configuration Management Database (CMDB), application installation service, and so on.
Everything that is part of the deployment or life cycle process in an SDDC needs to be monitored. All this information needs to be searchable and processable in a quick and easy way in order to find possible problems before they impact the production environment. All this will be covered in this chapter including the following points:
Monitoring concepts for the SDDC
Advanced analytics and monitoring
Message logging and the recommended log configuration
Log analysis and why it is important
Feedback monitoring data to vRealize automation
Troubleshooting examples in the SDDC
SDDC self-healing capabilities
Monitoring and analytics in the SDDC
As discussed at the beginning of this chapter, the SDDC introduces some challenges, which cannot be easily overcome with traditional monitoring systems. This becomes clear if one looks at the traditional versus the SDDC way of deploying services and workloads.
In the traditional data center, workloads are often deployed in the form of projects. They have a distinct function (web server, application server, database, and so on) as well as a foreseeable workload profile. Based on this, the monitoring admin can define a set of thresholds to make sure that the workload is working within its expected range. Normally, these thresholds are CPU usage, memory usage, swapping, disk space, and so on.
A monitoring system is aware of the new server and associates all these thresholds with the server. If one of these values is violated, it will send a warning or an alarm to the monitoring team or the administrator. This has been used for years in the data center and is a well-known and proven practice.
However, over the past years, the data center complexity has increased and the use case of servers is not as clear anymore as before. This trend has been introduced by virtualization. Creating a VM is so easy that it may not be attached to a project anymore. Maybe a developer just realized that one additional VM is needed for testing their code. The creation is quick and easy and all the infrastructure team needs to know is the CPU count, the memory, and the disk size. Given all that flexibility, it is difficult to model each and every VM in a monitoring system, so the systems started to apply default values to the services. Now, the monitoring was not adjusted to the server workload anymore; it was created with a one-fits-all idea in the background. Examples for these default thresholds are:
80% CPU usage = Warning, 90% = Alert
80% memory usage = Alert
85% disk usage = Warning, 95% = Alert
80% net usage = Warning, 95% = Alert
This is an easy profile to apply to all VMs, but it is also one that may create a lot of false positives in an environment.
The risk of false positives
There are two worst-case scenarios when it comes to monitoring a system:
Not picking up an error leading to an outage
Reporting a lot of false positives
The first problem can be addressed by having an auto discovery across all systems in a data center to ensure that all are registered with the monitoring server. Furthermore, it can be handled by applying a default profile (thresholds) to all these systems.
The second problem is somewhat more complex to address and is definitely as dangerous as missing a real outage. False positives are monitoring alarms or warnings that got triggered although there isn't actually an issue with the VM. An example of this could be an application server running at 95% CPU, which triggers the CPU alert. But actually, it is required that the application server runs at this level in order to fulfill its task successfully. A default monitoring profile might report the CPU as critical to an admin. If the profile is not changed this might happen time and time again. These false alarms might lead the monitoring admin to ignore alarms, so that a real issue is actually missed.
Since there might be a couple of hundred (or even thousand) systems in the data center, these false positive alarms can also be a couple of hundred per day. In all this false alarm noise, an actual alarm might not be seen and therefore may lead to a major outage in the production environment. To fix this noise problem, alarms based on wrong or too low thresholds can be handled by the monitoring admin. If they see that happen frequently, they can adapt the threshold to only report on higher, for example, CPU loads and the problem seems solved.
The silent false positives are far more dangerous and are also quite impossible for the monitoring admin to detect. Imagine that all services are reported as good (green), implying every service seems to be OK. Would anybody say: Hey, that looks odd, let's check the actual condition of all these green services. No, since that is what monitoring stands for. If all is good, all is green. If something is wrong, it turns yellow or red.
This is the other dilemma of false positives: they can also happen silently. Given this, a faulty service might be reported as green. Imagine that the application server suddenly drops to 1% CPU usage. The monitoring system will interpret this as good based on the fact that CPU usage is way below 95%. However, the application server might be in deep trouble since it actually stopped working. Maybe the web server is down or not getting any requests, or the software in the application server has crashed. However, all this will be unseen by the monitoring team since the false positive will report it as green.
This is possibly the most dangerous condition since it will automatically lead to the first worst-case scenario: a missed error condition, possibly leading to a production outage.
So in the SDDC, it should be a priority for any monitoring system to prevent false positives. Not only to keep the service quality high, but also to keep and increase the trust users have in the platform. Therefore, a different breed of monitoring system is required, an intelligent one, which is able to learn and understand the default behavior of a workload. Also, it would be important to find relations between workloads and also different infrastructure types. This ability could help in quickly identifying noisy neighbor issues or other possible side effects.
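
The two failure modes described in this section, shown side by side in an added example that is not from the book or from vRealize Operations: the default CPU thresholds quoted earlier are compared with a range learned from the workload's own history. The learned range here is a plain mean plus or minus three standard deviations with a minimum width, an assumption chosen for illustration, and the CPU samples are constructed.

```python
from statistics import mean, pstdev

# Default CPU profile quoted in the text: 80% = Warning, 90% = Alert.
STATIC_CPU_WARNING = 80.0
STATIC_CPU_ALERT = 90.0

# Constructed histories (percent CPU), one sample per collection interval.
APP_SERVER_HISTORY = [94, 96, 95, 93, 97, 95, 96, 94, 95, 95]  # busy by design
WEB_SERVER_HISTORY = [18, 22, 20, 19, 21, 20, 23, 17, 20, 20]  # mostly idle


def static_verdict(cpu_pct):
    """One-fits-all threshold check: only ever looks upwards."""
    if cpu_pct >= STATIC_CPU_ALERT:
        return "alert"
    if cpu_pct >= STATIC_CPU_WARNING:
        return "warning"
    return "ok"


class LearnedBaseline:
    """Normal range learned from history: mean +/- max(k * sigma, min_band).

    min_band keeps a very steady workload from alarming on tiny jitter.
    """

    def __init__(self, history, k=3.0, min_band=5.0):
        if len(history) < 5:
            raise ValueError("not enough history to learn a baseline")
        self.center = mean(history)
        self.band = max(k * pstdev(history), min_band)

    def verdict(self, cpu_pct):
        if cpu_pct > self.center + self.band:
            return "anomaly-high"
        if cpu_pct < self.center - self.band:
            return "anomaly-low"   # the case a static threshold cannot see
        return "ok"


def compare(history, observations):
    """Evaluate each observation both ways and name the disagreement."""
    baseline = LearnedBaseline(history)
    rows = []
    for value in observations:
        static, learned = static_verdict(value), baseline.verdict(value)
        if static != "ok" and learned == "ok":
            kind = "false positive"      # alarm on normal behavior
        elif static == "ok" and learned != "ok":
            kind = "silent miss"         # green although behavior changed
        else:
            kind = "agree"
        rows.append({"cpu": value, "static": static,
                     "baseline": learned, "kind": kind})
    return rows


if __name__ == "__main__":
    for name, history, observed in (
        ("app server", APP_SERVER_HISTORY, [95, 1]),
        ("web server", WEB_SERVER_HISTORY, [21, 85]),
    ):
        for row in compare(history, observed):
            print(f"{name:10} cpu={row['cpu']:>3}% static={row['static']:8}"
                  f" baseline={row['baseline']:12} -> {row['kind']}")
```

Raising the static CPU threshold, as the monitoring admin does in the text, removes the false positive at 95% but leaves the drop to 1% reported as green.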
Management versus payload monitoring
In every automated data center, there are two kinds of monitoring necessary. Management monitoring ensures that the cloud suite of systems is running and that no issues are impacting any user. This kind of monitoring may be done by the team running the cloud infrastructure and may be part of their operational procedures.
Payload monitoring takes place after a service has been deployed and is more about performance and general health topics. Typically, users expect that they can also get an easy report on the health of their deployed services. These services bring different requirements and need to be processed differently. Also, normally the workload is unknown before deployment. This means that it is hard to predict any useful warning or alarm thresholds.
Management monitoring
However, this kind of monitoring needs far more than looking at CPU or memory thresholds. It has to monitor each task or process in the system to ensure that everything works seamlessly together. If there is a hanging task blocking a deployment, it is important to quickly find and resolve the root cause. These are tough requirements for any monitoring system in the industry. Since there are so many moving pieces in the SDDC, it is the mission of the monitoring tool to keep the overview of all of these elements. In order to do this, several systems are actually required. Not only a dynamic monitoring system but also a very powerful log management and analytics engine is required to handle this task well.
Tip
It is important to highlight that the workloads in the payload cluster will have different monitoring requirements than the SDDC components. In the SDDC, it is key to track all processes and detect any glitches. For the payload, it is important to identify the behavior and report if it changes drastically.
When the SDDC is built and designed, it is necessary to also design the monitoring settings with it. This means that all components in the SDDC should be able to report to a central monitoring system, which can detect and analyze the data efficiently. Furthermore, specific conditions such as workflow monitoring or the third-party integration might be set as well. In this case, the services, servers, and processes are well-known and their function should also be known by the monitoring team in order to supervise them.
So, besides the planning for the services, the creation of the approvals or the implementation of the third-party software, the configuration of the monitoring system is equally important. Therefore, an SDDC design should also always contain a monitoring design.
Tip
It is very important to implement this thoughtfully and in every detail.
Detecting errors in an SDDC that is tightly integrated in the data center might be a lengthy and cumbersome process. Unfortunately, there is one resource that is never available during an issue: time.
First and foremost all the management systems in an SDDC should be configured to send all their data to the monitoring or log management system. This also includes all the physical devices such as network switches, rack servers/blades, chassis, storage systems, and FC switches: practically every hardware component the SDDC is using.
Besides the physical resources, all the virtual resources also need to be configured to send their log and monitoring data. This list includes the following:
All vSphere hosts (ESXi): Syslog target
vCenter/VCSA: OS logs and tasks
vRealize Automation: DEM workers, IaaS server, agents, and so on
vRealize Orchestrator: Including workload and system logs, workload debugs, and running states
NSX: SysLog forward, messages, and so on
All included third-party software (IPAM, CMDB, and so on)
It is important to ensure that all parts of the SDDC are consistently and entirely monitored. If one system is not part of this monitoring, it may make a quick error analysis impossible.
Here is an example of why it is so important to have all this in place for the management environment:
A user tries to log on to the portal and gets the error message An error occurred: 12005 - contact your administrator. Now, the admin team needs to find out what error 12005 might actually be. They put the error number and the corresponding logon time of the user in the preconfigured log management system to search all logs at this date from all systems in the SDDC.
After the search came back they found that there is a correlating error message in the log indicating that the load balancer for the vRA portal is not coming back correctly. Another colleague logs on to the load balancer and confirms that it is not working as it should.
It turns out that they need to reconfigure the load balancer and reboot the two vRA IaaS web servers. After this has been completed, the error disappeared and the user can log in again.
The whole analysis took less than 10 minutes and the fix took another 10 minutes. So from a bad login to a fully running system in only 20 minutes.
All this would be impossible if the log from the load balancer or the IaaS messages weren't easily searchable. In an SDDC environment, no admin can afford to log on to different systems to look through log files. This method can't scale, and it is also quite impossible to correlate the different log files to an event at a given time. It is possible, but not in a short amount of time.
Payload monitoring
Surveillance of random, dynamic payload services is a different task to accomplish for a classic monitoring system. As described earlier, a classic monitoring system requires quite a good understanding of the application from the monitoring admin. In the SDDC, the owner might not tell the monitoring admin what exactly is installed on a requested VM. It can be a web server, it can be a MySQL DB, or even a container framework. The fact is, the team monitoring the SDDC might not know what the deployed VMs are being used for.
Besides this fact, the payload monitoring is mostly about performance and resiliency. A service requestor will definitely sleep better if they can look at the status of their server at any given time. Not to check for an outage, but to check the performance of the service and if it is still acceptable. Besides that, the system should be able to foresee unforeseeable issues, such as a VM filesystem running full. Ideally, everything works without ever touching a single VM. Since the SDDC is all about automation, new services need to be registered automatically with the monitoring system.
Note
This clearly demonstrates the challenges of older monitoring systems. A simple threshold setting will lead to false positives or to missed issues and problems. Therefore, it is recommended to use a smart monitoring system, which supports these requirements.
However, payload monitoring can also get complex without the SDDC. There are different techniques to monitor different services. A DB server might require an agent which is able to look into the database and check if all seems valid and working. The same goes for a mail server or other special application servers. It is important to distinguish application monitoring from infrastructure monitoring.
Application monitoring will often require a deep view into the installed service. There are special agents which could monitor how Java works on the OS or what processes are running or if a distinct process is still alive. Obviously, these monitoring features will require an OS agent to be installed. This could be done by preparing the blueprint image so that the agent is always deployed. However, it is important that the monitoring system in use supports such a pre-installed agent.
Tip
Some monitoring systems require the agent to be registered with a unique ID. If the agent is pre-installed on the blueprint, this ID might be the same for all deployed services. In such a case it is recommended to install the agent as a post-deployment action, whether using a software deployment tool or vRA Application Automation.
Also, these things might be tricky to set as thresholds, therefore they also require an intelligent way to recognize errors or at least abnormal behavior of the software.
Payload monitoring becomes quite complex if a service consists of multiple different applications. The service might be a company's web page, but the different applications can be web servers, application servers, and DB servers. The whole service might not suffer much if one of the web servers or application servers cuts out, but if the DB is not reachable, the external website might not work properly anymore. Obviously, this kind of monitoring always needs an understanding of the service and what systems work with each other. It is quite complex to model in a traditional monitoring system, but could still be done if this monitoring system would let an admin set KPIs instead of thresholds.
KPIs versus thresholds
Most applications in a data center are part of a bigger system. This system normally is a service that delivers specific functions to end users. This can be a website, a mail server, an Active Directory, a content resource management system or any other business-relevant service.
Most often, monitoring in IT refers to the infrastructure (health, resiliency, performance, and so on). Sometimes, it includes the applications (processes, running services/daemons, responding to queries, and so on). In doing this, thresholds are typically used to qualify the response and then form a simple traffic light indicator (green/yellow/red).
However, this is very hard to do for an entire service. If multiple servers and applications form a service, when and how is the service affected by a server or application outage? This is a question that can't easily be answered by adding thresholds to all service-relevant instances.
To understand the impact, the issue type as well as the system where the issue occurs might be relevant.
The scenario shown in the preceding image shows a simplified version of a company website service. One of the application servers and two of the web servers are down.
Should IT be worried if the web service still works? Is this already a worst case scenario and the service is not functioning properly anymore?
These simple questions are quite complex to answer. The answer can only be given if the Key Performance Indicator (KPI) of this service is known. KPIs can be different things and are also often used by the business to describe the performance of a product (sellability, and so on). However, KPIs become more and more important for monitoring systems as well.
Now, to model the KPI for the web server, it is important to understand what its sole purpose is. In this case, it is quite simple, that is, displaying the company's website. So the KPI for this particular service could be the query response time of the website.
One might think - So how is that different from a threshold? Well, a threshold is a single filter value set on a metric. A KPI is a baseline indicator for a healthy service based on various different factors. In this case, the KPI is not only based on the health of all the infrastructure services, it also includes the network infrastructure as well as other factors.
Given that all these different factors are modeled into the KPI, the IT department (with the help of the monitoring system) can finally judge if an outage like the one described in the picture before is affecting the website. Of course, the outage needs to be fixed, but anyone who has ever been in a data center when a red alert is triggered knows that this is one of the worst working conditions. So, the KPI helps to trigger the right alarm and makes it easier to report the true risk to any stakeholder.
Therefore, the monitoring system of the SDDC should also be capable of digesting KPIs or multiple systems monitoring; in short, it should support service monitoring.
Note
Despite the fact that vROps does support KPIs for services, it is not replacing an ITSM tool, which will perform full service-level agreement (SLA) or service-level management (SLM) checks. These can be much more complex and include more than "just" the technical aspects. So, ITSM tools will still be relevant in the SDDC when it comes to SLA and SLM checks for the deployed workload.
vRealize Operations Manager
In the VMware suite of products necessary for a Software Defined Data Center, these tools are actually a must. vRealize Operations is covered in Chapter 10, Capacity Management with vRealize Operations when it came to capacity monitoring. But actually, it can deliver so much more, including performance analytics, anomaly detection as well as relational mapping of items. It is also capable of modeling KPIs, and it creates super metrics (metrics consisting of many others to deliver a single baseline). To complete the set of supporting tools, vRealize Log Insight for log management and analytics makes a perfect add-on to the monitoring toolset. It can handle a very high amount of logs and make them searchable in a quick and easy way. It features the creation of custom log dashboards as well as nice precreated vendor adapters.
Analytics using vRealize Operations Manager
Even though this entire chapter is about monitoring, vRealize Operations Manager is actually a brilliant analytics tool. Besides classical monitoring elements, it makes the analysis of an issue very easy. In fact, it can even understand simple issues and propose a resolution automatically. Before we dive into the world of analytics, metrics, and monitoring AI, it might be good to understand how vRealize Operations Manager is working.
Exploring vRealize Operations Manager anomalies
vROps does report on so-called anomalies. These reflect any behavioral change of a monitored asset. To understand that the new metrics are different from the old measured data, it uses powerful algorithms to build a standard behavior. This standard behavior is displayed as a light gray area in metrics graphs.
The picture shows a graph where vROps has been able to define a default behavior. In this case, it is the CPU usage in percentage.
The learned behavior is displayed in the graph as a light gray area; everything which stays in this area is seen as normal. Additionally, there is a box explaining what the learned defaults are. The double-ended arrow has been edited into the picture to mark that area.
Any change of the CPU usage higher or lower than this area is seen as an anomaly. These anomalies can also be seen in the graph in the form of little orange dots. Each dot marks a point in time when the learned default behavior was violated by a CPU metrics spike.
An anomaly does not always mean there is an error, but it means that something forced the service to change the learned behavior. Since vROps can't know if this change is good or bad, it is reporting it as an anomaly. However, not every single anomaly gets reported, since that might again lead to monitoring noise and possibly to the admins ignoring it.
Each day a service runs in a data center might be slightly different. Much like not every day is the same in the office, a data center will have some variance. Maybe there is more traffic on the network, maybe tests are influencing the storage performance. Fact is, a VM cannot behave exactly the same each and every day. vROps does take that into account and is using its own algorithms to measure its own created anomalies count per service. It can be seen by looking at the Self-Total Anomalies graph from the monitored object.
Now this graph has a red top line, which is called the noise line. This noise line is calculated by vROps and marks the maximum number of anomalies before they get reported. The noise line is specific to each and every monitored asset. If it is very dynamic, the noise line might be higher. If it is more or less static, it will be lower like in this example.
This is a very smart way of preventing false positives. The noise line can be seen as a barrier to prevent random alerting whenever something is different than the day before. Also, if a system's behavior is changing on purpose and this change is permanent, vROps can learn that as well and takes it automatically into account. It will immediately report the anomaly and the changed state of the service. If the system keeps its new behavior, it eventually will be learned again as the new baseline behavior.
This system could be seen as if vROps automatically sets KPIs for its monitored entities. And in many ways that is true, albeit a manually set KPI should always reflect a business relevance. In the case of the website, this is the responsiveness that is directly affecting how the organization is seen by the audience visiting the website. If one visits a website of a company and the experience is all slow, wacky, and unpleasant, the company might be perceived by this person in the same way. Therefore, the responsiveness of a company's website might have a direct relation to the overall business.
However, in many ways, anomalies in vROps are treated like KPIs. They share the following principles:
Many factors are reduced to one baseline
Not every metric change affects the overall baseline
If the overall baseline is affected, there is probably something going wrong
The algorithm to detect the behavior is very powerful and can also handle more complex situations. In fact, vROps uses seven different arithmetic formulas to learn the behavior of a system. The eighth one is used to benchmark the best-calculated behavior from the other seven operations.
An example of how all this works might be a paycheck system, which needs 90% of its CPU resources every end of the month, but the other 3 weeks of the month it needs less than 10% of its CPU resources.
Over time, vROps will learn that this behavior is always repeated. Therefore, it becomes the expected behavior of this system. If this pattern somehow changes, vROps will detect an anomaly. Let's assume that it is the fourth week of the month and the CPU is still only 10% used. In this case, vROps will detect an anomaly and will notify the system administrators. In fact, this change might affect the system in many ways so that more and more anomalies get detected, and vROps then eventually triggers an alert to report the diminished health of the monitored service.
This is one of the many useful functions of vROps, which helps to monitor an unknown environment. If the anomaly count rises higher than the noise line, vROps will display the health of the service as degraded. The logic behind this is that even if it is a very dynamic system, if the anomalies rise to a certain level vROps assumes that something might have gone wrong and degrades the health score automatically.
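The paycheck-system case above, worked through as an added example (not code from the book, and not the algorithms vROps uses, which the text does not spell out). It assumes a week-of-month seasonal slot, a mean plus or minus three standard deviations band, and a noise line calibrated as the highest weekly anomaly count seen in held-out history; all function names and data are constructed for illustration.

```python
from statistics import mean, pstdev


def slot(day_of_month):
    """Seasonal slot 0..3: week of the month (days 22 and later share slot 3)."""
    return min((day_of_month - 1) // 7, 3)


def learn_bands(history, k=3.0, min_width=2.0):
    """Learn a normal band (low, high) per slot from (day_of_month, cpu%) samples."""
    by_slot = {}
    for day, cpu in history:
        by_slot.setdefault(slot(day), []).append(cpu)
    bands = {}
    for s, values in by_slot.items():
        centre = mean(values)
        width = max(k * pstdev(values), min_width)  # floor keeps flat series tolerant
        bands[s] = (centre - width, centre + width)
    return bands


def is_anomaly(bands, day, cpu):
    """A sample is anomalous when it leaves the band learned for its slot."""
    low, high = bands[slot(day)]
    return cpu < low or cpu > high


def anomaly_counts(bands, samples, window=7):
    """Number of anomalies in each consecutive window of `window` samples."""
    flags = [is_anomaly(bands, d, c) for d, c in samples]
    return [sum(flags[i:i + window]) for i in range(0, len(flags), window)]


def noise_line(bands, calibration, window=7):
    """Assumed calibration: the most anomalies this asset showed in one window
    while it was known to be healthy. Dynamic assets end up with a higher line."""
    return max(anomaly_counts(bands, calibration, window))


def health(count, noise):
    """Health degrades only when the anomaly count rises above the noise line."""
    return "degraded" if count > noise else "ok"


def month(busy_last_week=True, spikes=()):
    """Constructed 28-day month for a payroll-like VM: about 8% CPU, about 90%
    in the last week, with a small deterministic wobble and optional spikes."""
    samples = []
    for day in range(1, 29):
        base = 90 if (day >= 22 and busy_last_week) else 8
        wobble = (day * 3) % 5 - 2  # -2..2
        samples.append((day, 40 if day in spikes else base + wobble))
    return samples


if __name__ == "__main__":
    bands = learn_bands(month() * 4)                       # four months of learning
    static_noise = noise_line(bands, month() * 2)          # calm asset
    dynamic_noise = noise_line(bands, month(spikes=(3, 5)) + month())
    print("noise lines:", static_noise, dynamic_noise)
    quiet = anomaly_counts(bands, month(busy_last_week=False))
    print("payroll run missing:", quiet, health(max(quiet), dynamic_noise))
    blip = anomaly_counts(bands, month(spikes=(10,)))
    print("single spike:", blip, health(max(blip), dynamic_noise))
```

The low reading in week four is flagged even though 10% CPU would pass any fixed upper threshold, while a single spike on the more dynamic asset stays below its noise line and raises no alert.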
Badges and what they describe
The Badges of vROps are briefly described in Chapter 10, Capacity Management with vRealize Operations of this book. In this description, their purposes were solely broken down from a capacity perspective. From a monitoring and performance perspective, these badges are important as well, which is why this chapter features a more detailed description of what they are and how to read them.
As discussed earlier, vROps creates three badges, which are always present at the summary page of any selected object. Health is probably the most interesting one from a performance and resiliency perspective, followed by Risk and then finally Efficiency. Chapter 10, Capacity Management with vRealize Operations has covered efficiency to quite an extent already.
The Health badge and how to read it
The intention of this badge is to give a quick and relevant overview of the selected object's health score. This score is calculated not only from the number of anomalies but also from any alerts and warnings that have occurred so far. It summarizes many metrics into one single badge and will only show a color indicator. The value at which the color actually changes is user settable and is stored in the applied vROps policy.
As described earlier, this indicator tries to display the health of an object in a smart way by analyzing more than only thresholds and infrastructure metrics. If the badge is green, that means that nothing suspicious is happening based on the learned behavior pattern of the selected object.
If the badge turns yellow, vROps might have detected anomalies crossing the noise line or other events affecting the overall health of the object. These other events can also be indicators known from traditional monitoring like filesystem space. For VMs, vROps can read these values automatically and without the installation of an agent. It will warn the user that the guest filesystem might run out of space shortly.
If the badge turns red, some serious issues might affect the selected objects. It is clear that the anomalies are way higher than the noise line. Also, other factors may affect the overall behavior of the object in one way or another. Such conditions can happen if there is a noisy neighbor problem occurring. A noisy neighbor describes a VM that is using its resources so heavily that other siblings (VMs on the same layer/datastore, host, and so on) are negatively affected (by its noise).
This often affects storage since some VMs tend to issue thousands of IOs, which leaves others no room for their execution. This can affect the health of all siblings as well as the health of the noisy VM itself. In this case, vROps can not only report the health and the most likely cause of the problem, it will also identify all VMs involved and even correlate the datastore. So more than one object's health badge will be affected. It will show all the VMs as affected plus the datastore, plus the vSphere host attached to that store. This relational mapping should help the administrator to perform quick corrective actions to resolve this issue.
All this happens without any active threshold configuration. This is what a smart monitoring and analytics tool needs to deliver in an SDDC.
The Risk badge and how to read it
Right next to the health badge, the Risk badge is shown in the summary page. Like the health indicator, its colors/state changes can be set in the vROps policy. This badge tries to look into the future and provide an indication of how likely it is that issues might occur. This indication is again based on arithmetic algorithms to foresee the likely future of the object. To accomplish this task, it works with forecasts based on trends and the analyzed behavior. Although this sounds like magic in the first place, it can be explained with a simple example. If we pick up the case of the filling guest filesystem again, vROps will notice that the filesystem is filling up at a steady rate per week. Based on this, it can calculate the date when the filesystem is going to be full. If the trend continues, the risk of a full guest filesystem is 100% at this date. This, among other metrics, will affect the Risk badge for the VM, and it will also give an explanation of how to reduce the Risk.
The Risk is an interesting parameter for capacity management AND monitoring of the system. It may be simple on a VM object, but becomes very powerful when used on a cluster object or even an entire data center. But beware, the more objects these badges gather together, the less the details will affect the score, since a VM filesystem filling up might not affect an entire vSphere cluster at any stage.
Whenever a risk is affecting an object, vROps is calculating the score for this badge. The higher the risk, the higher the number, so the risk badge is one badge where a score of 0 is perfect and a score of 100 is worst case. Even though the badges do not show the scores anymore, for this badge the rule is, the lower the better (green).
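The filling-filesystem forecast described above, as an added example (not from the book and not the vROps forecasting engine): a least-squares trend over usage samples projected to the capacity line. The sample values, the 60 GB capacity and the function names are constructed assumptions.

```python
import math
from datetime import date, timedelta


def fit_trend(samples):
    """Least-squares line through (date, used_gb) samples.
    Returns (gb_per_day, used_gb_at_first_sample) or None if no fit is possible."""
    if len(samples) < 2:
        return None
    t0 = samples[0][0]
    xs = [(d - t0).days for d, _ in samples]
    ys = [used for _, used in samples]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:  # all samples taken on the same day
        return None
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope, my - slope * mx


def forecast_full(samples, capacity_gb):
    """Date on which the trend reaches capacity, or None when usage is flat or
    shrinking (no fill date exists, so this metric adds no risk)."""
    trend = fit_trend(samples)
    if trend is None:
        return None
    slope, intercept = trend
    if slope <= 0:
        return None
    days = round((capacity_gb - intercept) / slope, 6)  # absorb float noise
    last_day = (samples[-1][0] - samples[0][0]).days
    # A crossing that lies in the past means the trend says "already full".
    return samples[0][0] + timedelta(days=max(math.ceil(days), last_day))


# Constructed weekly samples: a guest filesystem growing 2 GB per week.
USAGE = [(date(2016, 10, 3), 40.0), (date(2016, 10, 10), 42.0),
         (date(2016, 10, 17), 44.0), (date(2016, 10, 24), 46.0)]

if __name__ == "__main__":
    print("projected full on:", forecast_full(USAGE, capacity_gb=60.0))
```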
The Efficiency badge and how to read it
This is possibly the most discussed function of vROps since it was introduced. This badge tries to give an overview of used resources. Instead of simply reporting which VM is using how much CPU or memory, it will also give hints on improving their configuration. This is called reducing waste. A resource that is configured for a VM and stays unused is seen as wasted. The problem is that even though virtualization has some very smart ways of sharing resources, wrongly configured resources will always affect the entire system. There are a lot of books discussing the importance of thoughtfully and correctly configured VMs. The efficiency badge tries to identify bad resource configurations based on the VM's usage of its resources.
An example might be a VM with four vCPUs configured and 16 GB of RAM. Based on its learning of the VM behavior, vROps might notice that three CPUs and 12 GB of RAM are never used (really never, not even all 3 weeks). The system rates the efficiency for this VM down. Of course, this is a simplified example, and there are many other factors than only disk, CPU, and memory usage.
Although all this sounds very logical, there are unfortunately many factors affecting a VM's configuration. Some may be performance relevant, but others may be requirements for an installed software. Software vendors have been setting requirements for OS configurations for ages; this is true for VMs too. Often these requirements are set to satisfy a wide range of performance cases. The vendors want to prevent their software from performing badly in stress situations. Therefore, these settings can sometimes be quite high. Even if the tool is not even touching a tenth of the set resources, they cannot be reduced since those are required to support the software.
Besides that, the behavior of preallocating resources has been adopted by users as well. They want to be prepared for any given situation - there might be a moment where all these resources are required and then everyone will be happy that they are available. Although vROps can display that this event might not have occurred in a year's period, there is still the possibility that it might hit the VM in the following year.
Besides these two factors, there is also a third factor that should not be underestimated: cost. If a chargeback/showback model is in place, it might also charge a user or business group for used resources. If they choose to burn their money on VMs never using their resources but could just in case - so be it. This is a very common belief in the industry. The user pays for it, so why change it.
Well, the problem with all this is that misconfigured resources are not only a waste of resources and money, but they can also affect the overall system performance. The vSphere hypervisor has to deal with all these configurations in the best possible way. The memory scheduler needs to decide which VM might get access to shared memory from another VM. The CPU scheduler needs to place all vCPUs of a VM perfectly on one NUMA node (if possible). Things like relaxed co-stopping might not always save the scheduler from doing this for all allocated vCPUs for a VM, no matter if only one of them is used.
In the physical world, there is a simple rule of thumb for resources - Add more, get more. Unfortunately, in the virtual world, this could lead to - Add more, get less, because of all these implications and problems introduced by the resource waste. This is why vROps tries to limit these configurations to a necessary minimum. It acts on the principle - as little as possible, as much as needed. The admin team needs to reconfigure the pointed-out VMs and decide if these wasted resources can be of better use for other services in the data center.
This is why the efficiency badge is always discussed and sometimes ignored. However, try to act as smart as possible with the provided information. In the end, it might lead to a win-win situation.
Tip
Even with the budget example, there might be a win-win. If resources are freed up, more VMs can be deployed and resources are used more efficiently, which leads to a higher VM density that will increase VM payments. For organizations where the cost has only a showback function, this might mean that they can run even more services with the same budget.
The badge itself will reveal its findings by showing a list of resources affected, including some examples of how to reconfigure them. It tries to be as intelligent as possible with these recommendations based on the actual resource demand of the monitored service.
Service health information in vRealize Automation
If a user requests a service in the SDDC, it might be beneficial for the user to see if the deployed resource is healthy. Besides the technical benefit, it also has a psychological effect.
The user gets a status right next to the options for that service.
To provide this service, vRA can connect to vROps as a metrics provider. This needs to be configured in vRA using the following steps:
1. Log on to vRealize Automation with the system administrator role.
2. Select the Administration tab.
3. Select the Reclamation menu at the left-hand side.
4. Select the Metrics Provider menu at the left-hand side as a metrics provider.
5. Click on vRealize Operations Manager endpoint.
6. Provide the credential to vROps. The user only needs to have read-only privileges. It is recommended to create a separate user for this action.
7. Click on Save to store this configuration.
From now on, all VMs deployed will display the SDDC health badge in the VM's overview page. The badge will not show any numbers, it will only be green, yellow, or red.
The other use case of this setting is to identify underutilized machines in a tenant and send reclamation requests to the users. This can be done by the vRealize Automation tenant admin. The function can be found in the Reclamation menu under Tenant Machines. In this view, vRA will get a list of machines from vROps where resources can be reclaimed.
Log management in the SDDC
Although vROps is a perfect tool to analyze and monitor any workload, it has its limits. By default, it is not configured as a log receiver or a syslog server of any type. As described earlier, logs are an important part of troubleshooting and root cause analysis, not only for the core components but also for all the subtasks and workloads required by the SDDC to run smoothly. Many companies already have syslog servers running since they have been around for years. The typical syslog server is a global target for all other servers to send their logs to. The reason to do this is to speed up the process of analyzing an error since the admin does not have to connect to each affected system to see its logs.
Millions of log entries
Although this sounds great in theory, the reality is somewhat different. Systems can create a huge amount of logs per day. Multiple systems logging to one single server will quickly produce millions or even billions of logged events. For the poor admin, it is literally impossible to look through all these events in order to make sense of the code. Additionally, maybe it is more than one system the admin needs to look through in order to make sense out of the logs. Maybe it is 10 system logs the admin needs to work through and search for events that happened at a specific point in time.
All this is quite difficult to achieve with a standard syslog server, whose sole purpose is often just to store the logs instead of making them easily searchable. Also, log content comes in various different forms and formats for the human being. Mind that it is quite difficult to quickly adjust to different log formats and correlate them to other logs from the same period of time.
This is an example of an error in the SDDC and how it might be tracked using a traditional syslog server:
A VM deployment fails at a specific state: the VM is created in vCenter and the OS also seems to be able to start, but then the deployment stops and the VM gets deleted by vRA.
Note
Deleting a VM if one or more deployment steps fail is the default behavior of vRA. A function like this makes sure that if something has gone wrong, no leftovers keep space on the system.
All the information the SDDC administrator has is the time of the deployment and an error message by the system saying: Could not finish deploying resource, contact your system administrator.
Now, the SDDC is sending all logs to a central syslog server. The admin tries to read through the logs of this specific point in time. However, although all Linux systems send their logs to this server, the Windows systems do not. So he has to examine the logs from the Windows components of the SDDC (DEM, IaaS server, and so on) separately.
Since their cloud environment is quite large and they are doing around 5-10 deployments per hour, there is also a lot of noise in the logs from all other deployments.
In order to analyze the error, the admin might have to read through 200 MB of log data. That is more or less 3.2 million characters to read through and look for the error. Not to mention the extra effort to go into the Windows VMs and read through their events as well. If the admin can read super fast (around 250 words per minute), it might still take more than 34 hours to read through all those logs.
This shows that traditional log viewing and reading in a cloud environment does not scale. The admin needs a system to support him in looking through all those logs and searching for the right entries. Otherwise, troubleshooting or a root cause analysis may take several days if not weeks to complete.
Given that the SDDC is all about performance, agility, and efficiency, such troubleshooting should not take longer than a couple of hours or a day. But how can that be achieved given all these challenges and the huge amount of logs?
Log management from the big data perspective
Currently, a lot of IT talk, blogs, and articles are around big data. Typically, the examples for big data are around personalized advertisement. They might pick up the kind of goods a customer buys, and based on that an algorithm tries to calculate what this particular customer might be interested in additionally.
Also, everybody who is using Amazon knows the feature where the online store suggests other things one might be interested in. Or, things other buyers of the current article bought as well. All these functions are based on massive amounts of data, simplified and then calculated to provide these suggestions for the end user.
Given the challenges in an SDDC, log collection is also producing massive amounts of data. Here, though, the data analyst speaks of structured data since log files follow a similar scheme: Time/Date | Machine | Severity | Message.
There is always some delimiter between these sections, and there is always a time and a date stamp in each message. The other fields may vary, but most logs are similar in the way they are displayed.
The following examples show different logs from different systems within an SDDC:
Oct 21 00:33:05 vrovco: c1416a88-1b18-4aaa-ae59-3e8ac27ac5f0 prio:INFO
thread:WorkflowExecutorPool-Thread-36 context:
token:4028e58a55a0a3bf0157e424d2be1eed anctoken: wf:Auto_CleanUp_DataStores
wfid:a88ae19f-f92a-4f9d-993b-e8650e8d0831 user:[email protected]
cat:WorkflowHandler msg:End of workflow 'LogTest'
(4028e58a55a0a3bf0157e424d2be1eed), state: completed
#####
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: VCENTER$
Source Workstation: VCENTER
Error Code: 0x0
Although humans may have difficulty quickly reading different log formats from different systems, a computer mostly does not. This is actually the sweet spot of big data: reading through millions of bytes of data. The big data approach is mostly used for unstructured data such as e-mail, social media, all sorts of text events, and papers.
However, the same principles can be used for structured data like logs as well, since the core use case of big data is to filter reasonable data from the noise and make it accessible to the end user. The same benefit might apply to log management in the SDDC as well: display a specific point in time and look for a possible error in millions of lines and multiple logs. This is why the SDDC needs a log management tool with these capabilities in order to enable quick troubleshooting and root cause analysis.
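The two ideas above, the Time/Date | Machine | Severity | Message scheme and the earlier search for error 12005 across all systems at the user's logon time, combined in one added example (not from the book and not Log Insight's implementation). The three log formats, host names and log lines are constructed; only the error text 12005 comes from the chapter.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple, Optional


class Event(NamedTuple):
    ts: datetime
    machine: str
    severity: str
    message: str


# Constructed sample logs, one format per source (not real product output).
PORTAL_LOG = """\
2016-10-21T09:14:02 portal01 INFO user jdoe opened login page
2016-10-21T09:14:05 portal01 ERROR An error occurred: 12005 - contact your administrator
"""
LB_LOG = """\
Oct 21 09:13:58 lb01 healthd[311]: warning: pool vra-web member iaas-web-02 marked down
Oct 21 09:14:04 lb01 healthd[311]: err: pool vra-web has no healthy members
-- MARK --
Oct 21 11:30:00 lb01 healthd[311]: info: config reloaded
"""
IAAS_LOG = """\
10/21/2016 09:14:04|IAAS-WEB-01|Warning|Request queue length above limit
10/21/2016 10:02:10|IAAS-WEB-01|Error|Unrelated: certificate expires soon
"""

RANK = {"INFO": 0, "WARN": 1, "ERROR": 2}
ALIASES = {"info": "INFO", "warning": "WARN", "warn": "WARN",
           "err": "ERROR", "error": "ERROR"}

ISO_RE = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (\S+) (\w+) (.+)")
BSD_RE = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) \S+: (\w+): (.+)")
PIPE_RE = re.compile(r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\|([^|]+)\|(\w+)\|(.+)")


def parse_line(line: str, year: int) -> Optional[Event]:
    """Normalise one line of any known format into the common scheme."""
    if m := ISO_RE.fullmatch(line):
        ts = datetime.fromisoformat(m[1])
    elif m := BSD_RE.fullmatch(line):
        # BSD syslog timestamps carry no year; the collector must supply it.
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
    elif m := PIPE_RE.fullmatch(line):
        ts = datetime.strptime(m[1], "%m/%d/%Y %H:%M:%S")
    else:
        return None
    severity = ALIASES.get(m[3].lower())
    if severity is None:
        return None
    return Event(ts, m[2].lower(), severity, m[4])


def load(sources, year):
    """Parse all sources into one time-ordered list. Lines that do not parse are
    counted, so a silent gap in coverage shows up as a number."""
    events, rejected = [], 0
    for text in sources:
        for line in text.splitlines():
            event = parse_line(line.strip(), year)
            if event is None:
                rejected += 1
            else:
                events.append(event)
    return sorted(events), rejected


def correlate(events, needle, window=timedelta(seconds=30), min_severity="WARN"):
    """Events from every machine within `window` of any event containing
    `needle`, filtered to min_severity and above, in time order."""
    anchors = [e.ts for e in events if needle in e.message]
    return [e for e in events
            if RANK[e.severity] >= RANK[min_severity]
            and any(abs(e.ts - a) <= window for a in anchors)]


if __name__ == "__main__":
    events, rejected = load([PORTAL_LOG, LB_LOG, IAAS_LOG], year=2016)
    print(f"{len(events)} events parsed, {rejected} line(s) rejected")
    for e in correlate(events, "12005"):
        print(e.ts.isoformat(), e.machine, e.severity, e.message, sep=" | ")
```

Searching for 12005 surfaces the load balancer's pool failure one second before the portal error, while the later, unrelated certificate warning falls outside the window.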
vRealize Log Insight
VMware has such a tool, and it is also included in most of the vCloud Suite editions. This tool is often underestimated and can be seen as a very smart member in the VMware product family. It can be deployed in a couple of minutes, and its configuration is very easy and streamlined. In fact, all one has to do is deploy an OVF into the environment, provide a couple of gigabytes for the log storage and the tool starts working immediately.
There are plugins available for different vendors and use cases, but it can also be used without any vendor plugins at all. It is very similar to a syslog server since all systems should send their logs to Log Insight. But at the same time, it comes with a very powerful log search and index engine to make it possible to search through logs in seconds for specific events or occurrences.
In order to get all logs and events into this capable tool, it comes with ready-to-use Linux and Windows agents. The Linux agent is not a requirement, but comes with nice features such as customizable log locations to forward to vRLI. This is especially helpful if application-specific logs on a Linux host shall be sent to Log Insight as well.
In the Windows world, the agent is necessary to send all the Windows Events to Log Insight in order to process them as well. The agent is quite lightweight and small and can be downloaded from the deployed Log Insight instance directly. The only configuration during the installation of the agent is the hostname of the Log Insight server to send the data to.
SDDC components to add to vRealize Log Insight
Before configuring the log reports or the agents in vRLI, it is important to ensure that the right number of logs is arriving and available to analyze. In the SDDC, it is very important to make sure that all operationally important components are logging into this system. The more data is available, the more complete the troubleshooting results get. Also, do not only think about OS logs; there may be other logs and messages that are relevant as well in order to identify potential issues.
You must have the following VMware SDDC components forwarding logs to vRLI:
vRealize Automation appliance: syslog forwarding can be configured in the appliance admin menu. There is also a separate setting for vRLI (agent comes preinstalled by VMware).
IaaS and DEM worker (and agents): the Agent for Windows needs to be installed in order to log into Log Insight. There is a vRA content pack available with preset agent configurations for these components as well.
vRealize Orchestrator: like in the vRealize Automation appliance, this can be configured in the administrator portal of the orchestrator appliance (external vRO as well as integrated vRO with vRA). There is a Log Insight content pack available for vRO as well.
NSX Manager and components (DLR, ESG, Controller, and so on): these need to forward all their logs to Log Insight. There is an NSX content pack available as well.
MS-SQL server holding vRA components DB: the agent for Windows has to be installed on the DB host running the MS-SQL DB. There is a content pack available for MS-SQL in order to choose the right DB instance to get logs from.
vRealize Business Appliance: syslog forwarding can be configured in the appliance admin menu. There is also a separate setting for vRLI (agent comes preinstalled by VMware).
vRealize Operations Manager appliance: syslog forwarding is configurable in the appliance administration interface.
Tip
Besides these components, syslog forwarding or the Windows Agent should also be installed on all other systems the SDDC is integrating with or interacting with. For example, if there is an external IPAM used, it is a must that logs from this system are available in Log Insight as well. Otherwise, it cannot be detected if there might be an error in these systems since the logs may not exist.
Most of these systems forward their logs in order to be able to detect an error or issue happening in the OS of the component. However, the vRA DEM and IaaS web server components as well as vRealize Orchestrator have more than just OS logs to offer.
Since a lot of IaaS automation runs through the vRA Windows components, it is important to also get the logs of these automation tasks into vRLI. This is very helpful if a VM deployment fails at the vRA layer, and it is unclear what is happening. These component logs typically include communication events to vRA as well as communication to the deployed VM.
However, they also include vRA tasks such as resource collection runs and more. To have a complete overview about what is going on inside of vRA, it is important to have these events available as well.
vRealize Orchestrator is also a special candidate for log monitoring. Of course, it is important to be aware of the OS of orchestrator and if everything is OK, but the status of the workflows is far more interesting than this. As described in Chapter 6, vRealize Orchestrator, vRO is a very universal tool when it comes to the integration of the SDDC into the data center environment. It can be used to instruct and automate external systems in order to maintain required processes when a service is deployed. However, this integration is crucial to the functionality of the SDDC. If an external IPAM system is required, but the workflow somehow fails to reserve and acquire an IP address, the VM cannot be deployed. In order to find out what is going wrong, the workflow output as well as the logs from the IPAM system are most helpful.
In version 7.x of vRA, VMware has a very good integration of vRO into Log Insight. It automatically forwards the ID and output of all running workflows. This feature makes it easy for an administrator to get a holistic view over the entire orchestration system. Given this, Log Insight can be used to filter vRO workflow outputs to find a possible error during any service deployment task.
Tip
This is not only helpful for troubleshooting any SDDC problems, but it also becomes a very nice feature to have if a service designer runs several workflows to test a new deployment. Instead of checking all of their outputs in vRO, this can now also be done in vRLI. Furthermore, the designer could create a separate view to monitor exactly the workflow runs in real time while the testing is ongoing.
How to analyze logs using vRLI
Once all the log data is flowing in, it is ready to be analyzed. The tool itself can be used for two main functions: pro-active analytics and reactive troubleshooting.
Most syslog tools are used for reactive troubleshooting in order to identify errors and why they happened. This can be due to an alert from a monitoring system or due to a reported outage. To analyze log data, vRealize Log Insight offers the so-called Interactive Analytics View.
Using the Interactive Analytics View
This view shows all incoming logs for the selected period of time. The period can be 5 minutes all the way up to 7 days or even all time. Also, a custom period can be chosen based on a date and time. It also has a bar graph on top to show the number of events coming in at a given point of time (per minute, 5 minutes, 20 minutes, and so on).
Using this analysis view is very similar to using a web search engine. In a sense, this is exactly what it is, a powerful search engine for your logs.
In the main search window, there are a couple of functions, which are important for quicker search results:
Under the search bar is a button named Add Filter. Use this to further filter the search among specific events, hosts, messages, and so on. Note that more than one filter can be applied to a search query.
At the right end of the search bar is the time selector. It is important to be aware of the selected time frame. Sometimes, it is good to double-check this since it may only show the last 5 minutes.
The area to display the logs also has a lot to offer. It is not only showing the entries, it can be used to build an interactive analysis of logs in order to find things even quicker:
Select text to look for and choose Contains or Does not contain: this will automatically create a new search with an applied filter on the selected text.
Select text in a log and choose Extract field: this will open a dialog at the left-hand side of the window named Fields. Here, a name can be given as well as other parameters like a custom regular expression. Also, if the user has privileges to do so, it can be chosen to whom the field is available: Me Only or All Users.
On the left side of each event is a little gear symbol. This allows looking for events like this (or negating it), or it can enable highlighting if the same event occurred in the search. Also, it can be used to set a time range for the shown event. The view event in context mode displays the continuous stream of logs from the source where the event came from.
Besides all that, Log Insight is also extracting fields from log messages automatically and displaying them as blue links underneath each event. These fields can be extended by the earlier described extract field method. However, an algorithm from Log Insight is guessing field names based on log content to make the search even easier.
Fields are a very powerful function of Log Insight since they can not only be seen and highlighted in the log display view, they can also be used as filters in the search bar. So whenever a new field is identified or created, it will be available as a filter to search through all the logs. This makes creating a complex search quite easy and straightforward.
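The following Python example is added here for illustration; it is not from the book and is not Log Insight's own implementation. It mimics what the view does with regex-extracted fields, combined filters and the per-interval event count, and goes one step further by pulling events from other sources around a failed workflow run, as in the IPAM case described earlier. The events, host names, message layout and field names are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source host, message text).
# Host names and message layout are assumptions, not real vRO or IPAM output.
EVENTS = [
    ("2017-03-01T10:00:05", "vro01", "workflow=Reserve-IP run_id=8a7f01 state=running"),
    ("2017-03-01T10:00:09", "ipam01", "request from vro01 rejected: pool exhausted"),
    ("2017-03-01T10:00:10", "vro01", "workflow=Reserve-IP run_id=8a7f01 state=failed"),
    ("2017-03-01T10:03:41", "vro01", "workflow=Create-Ticket run_id=8a7f02 state=completed"),
    ("2017-03-01T10:07:12", "vro01", "workflow=Reserve-IP run_id=8a7f03 state=failed"),
    ("2017-03-01T10:07:13", "esx07", "vmkernel: heartbeat ok"),
]
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Field name -> regex with one capture group (hypothetical field names),
# the same idea as naming a field and giving it a custom regular expression.
FIELD_PATTERNS = {
    "workflow": re.compile(r"workflow=(\S+)"),
    "run_id": re.compile(r"run_id=(\S+)"),
    "state": re.compile(r"state=(\w+)"),
}


def extract_fields(message, patterns=FIELD_PATTERNS):
    """Return the fields found in one message; absent fields are omitted."""
    fields = {}
    for name, pattern in patterns.items():
        match = pattern.search(message)
        if match:
            fields[name] = match.group(1)
    return fields


def search(events, contains=(), not_contains=(), field_filters=None):
    """Apply text and field filters; an event must pass all of them."""
    field_filters = field_filters or {}
    hits = []
    for timestamp, host, message in events:
        lowered = message.lower()
        if any(term.lower() not in lowered for term in contains):
            continue
        if any(term.lower() in lowered for term in not_contains):
            continue
        fields = extract_fields(message)
        fields["hostname"] = host
        if any(fields.get(key) != value for key, value in field_filters.items()):
            continue
        hits.append({"timestamp": timestamp, "text": message, **fields})
    return hits


def events_per_bucket(hits, minutes=5):
    """Count hits per time bucket, like the bar graph above the result list."""
    counts = Counter()
    for hit in hits:
        ts = datetime.strptime(hit["timestamp"], TIME_FORMAT)
        bucket = ts.replace(minute=ts.minute - ts.minute % minutes, second=0)
        counts[bucket.strftime("%H:%M")] += 1
    return dict(counts)


def other_sources_near(events, hit, seconds=5):
    """Events from other hosts within +/- seconds of a hit (cross-source view)."""
    center = datetime.strptime(hit["timestamp"], TIME_FORMAT)
    window = timedelta(seconds=seconds)
    nearby = []
    for timestamp, host, message in events:
        if host == hit["hostname"]:
            continue
        if abs(datetime.strptime(timestamp, TIME_FORMAT) - center) <= window:
            nearby.append((timestamp, host, message))
    return nearby


if __name__ == "__main__":
    failed = search(EVENTS, field_filters={"hostname": "vro01", "state": "failed"})
    for hit in failed:
        print(hit["timestamp"], hit["workflow"], hit["run_id"])
        for event in other_sources_near(EVENTS, hit):
            print("    nearby:", event)
    print(events_per_bucket(failed))
```

The cross-source lookup only returns something useful when the IPAM system's logs are collected alongside the vRO output, which is the reason the text insists on forwarding them.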
Creating and using dashboards
Besides the Interactive Analytics View, vRealize Log Insight also offers dashboards. These dashboards can come from plugins, which can be downloaded and installed for various vendors for free, or they can be self-created.
To access the custom dashboards, open Log Insight and click on the Dashboards button at the top-left. Then, choose one entry from the Custom Dashboards section.
There are two types of custom dashboards: My Dashboards (only available for one user) and Shared Dashboards, which are available to other users.
Dashboards can be created out of an interactive analysis. They are based on queries of specific events and show their outcome in a graphical manner. An example for this could be looking for specific errors. The dashboard could contain a graphic about all error events.
To create a dashboard in vRealize Log Insight, complete the following steps:
1. Log on to vRealize Log Insight.
2. Click on Interactive Analysis to get to the log search view.
3. Build the query until the desired result is displayed (add filter, search for specific outcomes, and so on).
4. Next to the search bar, click on the Add Dashboard button.
5. Provide a valid name and a dashboard to include the chart in.
6. Click on Add to save.
Once the query is available as a chart on the dashboard, it can further be edited. The look and the style of the dashboard can be changed. It can be a bar chart or an area or just a line. Also, the interactive analysis on which the chart is based can be changed anytime.
The entire dashboard can be used in presentation mode. In this mode, Log Insight will automatically update the chart contents of all charts based on the selected data time range. Note that this does not work with a custom time range.
This mode can be used to put the update on a monitoring screen in an operations center to see if anything suspicious might be going on in the data center.
The pro-active analytics features
Besides the interactive analytics, Log Insight also has a pro-active component. If some events are way too important to miss, it offers an alert functionality based on a created search.
1. The setup works quite similarly to the dashboard creation. All a user needs to do is build the query with all filters applied. Instead of clicking on the Add Dashboard button, there is a Create alert from query button right next to it.
2. This option enables Log Insight to send out alert notifications to an e-mail account, but also to vRealize Operations Manager in order to log an anomaly. In the case of vROps alerts, the default object (where the alert should occur) can be chosen as well as the criticality.
Tip
In order to let vRealize Log Insight send alerts to vRealize Operations Manager, those two tools have to be connected together. This can be done in the Administration view of Log Insight under Integration. The hostname and a user for vROps are required to integrate Log Insight. With this, vROps will also be able to direct a user to a Log Insight query based on vROps objects.
Summary
In this chapter, the monitoring and analytics methods for the SDDC have been discussed. It was not only explained how to use the toolset from VMware, but also that there are new concepts required in order to identify issues before they harm the environment. The mission of all these concepts and tools is to limit the impact on the user. In a perfect world, there will be none; these methods and tools will support the operations teams of an SDDC to achieve this difficult goal.
The next chapter will discuss the need for continuous service improvement. A lot of procedures have been changed in order to make the SDDC run properly, but this is just the beginning. An agile and healthy SDDC is always changing; therefore, it is important to revisit changes from time to time in order to make sure that they are still relevant. That chapter will discuss how to consistently and continuously improve the service quality in order to stay relevant for the SDDC user.
Chapter 12. Continuous Improvement
This chapter will discuss the continuous improvement process, which is required in order to keep the software-defined data center (SDDC) working. In Chapter 2, Identify Automation and Standardization Opportunities, of this book, the principle of automation and standardization was discussed, along with the business processes in an organization that need to be adapted in order to support the different requirements of the SDDC. The required changes to make the SDDC run successfully are not static, though. They need to be as flexible and agile as the SDDC itself.
There are rumors that the Information Technology Infrastructure Library (ITIL) is no longer needed in the SDDC, since the SDDC now performs all the tasks requiring documentation and control. But actually, the SDDC is an outcome of ITIL. It is the automated way of running a data center, which forces organizations to standardize and to automate as much as possible. The service catalog is what ITIL called the library and offers ready-to-deploy versions of applications or operating systems. The integration into the CMDB or IPAM is another common fact between ITIL and the SDDC.
Based on this, it is also a good idea to be aware of an important principle in the ITIL framework: Continual Service Improvement.
This will be captured in this chapter, including these points:
Revisit established services
Review automation process and service templates
Recheck business requirements and reapply those to the solution
Enhance service quality and delivery
Continual Service Improvement
ITIL describes standard processes occurring in most organizations. Actually, an SDDC is a way of automating ITIL and enforcing standardization and repeatable actions across the entire data center. Often ITIL is reduced to a specific toolset or action within the data center, for example, ticketing systems. But that is only a small fraction of what it does. It basically tries to provide a framework to standardize and streamline the delivery of IT services. Furthermore, it also provides options to predefine services so they can be delivered multiple times in a similar format.
Besides that, it also regulates what a change is and what the actions are in order to make changes. Data centers across the globe have made great use of these suggestions in order to streamline their IT tasks and make sure that maintenance can be predicted. Also, this kind of documented change is necessary in order to prevent any unforeseen consequences when it comes to incorporating patches and updates.
However, before the SDDC, all this had to be done with additional tools and often introduced a lot of extra work for the administrator or the operator. Tickets had to be filed and sent back and forth before even the first action could be done. Also, some people thought that every suggestion in ITIL is set in stone and needs to be executed exactly as described in the framework within every data center. The idea of ITIL was never to be a bible for IT deployments. The idea was to be a collection of good practices to follow. It was intended to be a framework, not a how-to guide. That means that it holds suggestions on how things might work out, but in the end, everyone has to find out how to adapt these suggestions to their own data center and processes.
Once the SDDC is up and running and all the tools are working in perfect unison, they mark the new standard. To get to this state, a lot of processes have either been adapted or completely recreated in order to enable automated service deployment. Some of these processes might have been introduced long before the SDDC and have been included because there was no time to change or question them.
Continual Service Improvement is doing exactly this: asking if a certain way of doing things is still the right way to do it. While this is one of the main ITIL principles, it is one of the least used in organizations. However, it becomes very practical in an SDDC.
The graphic explains how the principle works. This model was originally developed by W. Edwards Deming and is called the Deming Cycle:
Plan: This is the design phase of the SDDC. But it can also be seen as the design phase for a new blueprint or service or a project phase for an enhancement.
Do: This typically describes the implementation phase. Basically, this is where the design becomes reality, either by creating an SDDC environment or by configuring a new blueprint to be deployed automatically.
Check: After the implementation is completed successfully, this phase is needed for quality assurance. It will prove if the design and the configuration match as well as if the intended quality target was met. Also, this phase ensures that the design solution is solving the business case as intended.
Act: This is the improvement module. If any deviations are identified in the check phase, those are going to be corrected in the act phase. It is making sure that changes can be implemented into the whole process based on the other three options of this method.
This model has been introduced in order to prevent a cycle rolling back down the hill after implementation. Its acronym is CSI, which stands for a continuous improvement of the offered solution. It requires that a team is working on that schedule, but in the end, it will ensure that the SDDC runs flawlessly.
The preceding image shows the constant cycle of improvements in a service. These are the six steps:
1. The business case should always be the driver for the process or project. It is important to understand the requirements and provide the necessary resources or technologies to fulfill them.
2. Before any change is introduced it is impossible to understand all strengths and weaknesses. In order to be able to do effective change, this step should not be underestimated.
3. This phase picks up the requirement from step 2 and agrees on what should be delivered. There might also be newer findings brought into this step, to further improve the service quality.
4. This is the phase where the processes and tools may need to be changed in order to get to the desired state. It is like a planning phase in a project. This is one of the key phases to understand what changes are required to the processes.
5. By checking the KPIs and performance indicators, this step will point out if the goal has been achieved or not. This is an important Quality Assurance (QA) step and checks not only single components but the entire implementation.
6. The final step ensures that there is constant change. By getting all results from the former steps, it ensures that these steps are completed as often as possible in order to deliver the desired and required outcome.
The reason why it is important to follow this principle can be described with a simple example:
In Steve's organization, it is required to file a ticket before a service can be deployed. The requestor gets a ticket number and this number enables the tracking of the entire process. Now the IT department announced that they will have a self-service portal, which enables Steve to order services on demand using the portal. Steve is quite happy because the other process was clunky and slow.
As he logs on to the portal and requests the first service, he is disappointed. The request form in the portal asks him about the ticket ID. He now needs to create a ticket to deploy a service and then go to the portal to put in the ticket ID to request the service, which then gets deployed automatically. This is quite an effort for Steve and he is not very happy with the process. While he gets his requested services faster than before, he also has to fill out more forms, and bureaucracy has slightly increased to get services delivered.
In this case, Steve's IT organization has simply adapted the old model to the SDDC. While this is an easy way to include a service without changing it too much, it might not make sense for an automated environment. The solution, in this case, could be that the system is creating the ticket automatically when a user is requesting a service. The auto-generated ticket ID can then be fed into the original system and still be used to track the deployment.
However, this is exactly what is meant by the continuous improvement cycle. Ultimately, it is questionable if the old process is still needed. In the example, all requests are stored in the cloud portal. The portal could be queried for requested information and it also knows the state of the request (successful, failed, in progress, and so on). So the IT department could evolve the process over time to make it easier for the end users as well as for themselves.
By revisiting the purpose and questioning if it is still needed, the IT enters the check phase. The next phase would be to plan the changes and include them into the system. This would be the first of many improvements brought into the system. But for this, the feedback from the users as well as a critical view on present processes is required.
Also, changing processes is normally not doable by one department. Typically multiple departments are influenced when it comes to IT processes. Therefore it is helpful to sync with all parties and decide what the best way forward could look like. In Chapter 1, The Software-Defined Data Center, of this book, the SDDC center of excellence (CoE) was explained. It is a virtual team consisting of multiple data center divisions with different roles in order to run the new automation environment.
The same team needs to work on the continuous improvement and has to work with other teams in the organization in order to ensure that processes around the deployment and integration can be brought up to speed to match the new way of running IT.
Technical assurance
Besides the processes, it is also necessary to question the technical delivery methods used. Are all services delivered using state-of-the-art technologies in order to achieve agility and flexibility?
Sometimes, in order to get the SDDC done quicker, these delivery methods are compromises between the old and the new world. The problem with this assumption is that if the users accept the SDDC and what it has to offer, they will rely more and more on its deployment quality. If these deployment modes then can't keep pace with the users' demand, they need to change again to fulfill the new requirements.
Good examples of bad compromises are:
The VM installation method is still used as if it was a physical server (PXE boot).
The backup/restore is still done as if it was a physical server (OS client, and so on).
The IP address management is done manually by adding it to a worksheet.
Each VM gets a static IP based on a specific pattern and use case, no automated IP pools.
Normally these compromises are made to make the initial deployment of the SDDC faster. But there is a high risk that they are not changed fast enough to keep up with the expectations of the SDDC users. Once the business is used to the quicker deployments, they will start to expand their use of the portal. In many cases, data center automation will increase the number of deployed services. This means that if there are compromises in place which limit this efficiency dramatically, this will be recognized once the SDDC is beginning to grow more and more important for the business. In order to prevent a disruption to the service, which might diminish the trust of the users, it is recommended to improve compromised integrations as soon as possible.
Reviewing blueprints
The blueprints are key components in the SDDC. Their feasibility needs to be checked from time to time in order to ensure they are still relevant.
If a deployment from the template is chosen, there are a couple of good practices in order to ensure these templates stay as up to date as possible:
Update the template OS once per quarter to the most recent patch level. This prevents long waiting times after deployment if the OS needs to download and install a ton of patches.
Ensure that any included software (AV, backup, and so on) is up to date. This can be done while the template is continuously patched.
If software packages are included, check periodically if the install method is still valid for the most recent version. This is especially important for most Windows installations using PowerShell.
If XaaS blueprints are used, periodically check if the workflow in vRO is up to date and if the counterpart (the third-party it controls) is still accepting the same commands.
If a workflow subscription is used, the same principle as for XaaS applies. Also, ensure that if any third-party integrated tool is updated, all the workflows relying on that tool are quality checked as quickly as possible.
Besides the updates and ensuring that the subscribed workflows are still working, it is also important to review the purpose of the entire blueprint. Maybe it is no longer required in this form. An example could be that the services have changed and instead of installing single VMs, everyone is now deploying entire application environments. Therefore, a single OS template might not be relevant anymore. Or the technology has made a leap and the OS version is no longer needed. Therefore the blueprint needs to point to a newer OS version.
All these tasks are part of the continuous improvement of the technical base layers in the SDDC. If there were no improvement, the environment might become outdated quite quickly and would lose its relevance to the business.
Reviewing automation and integration
Automation, standardization, and integration are the base requirements for an SDDC. Chapter 2, Identify Automation and Standardization Opportunities, is mostly concentrating on identifying opportunities to automate and standardize in order to make the whole installation and integration of the SDDC possible at all. However, it is also important to revisit these automation tasks from time to time to make sure they still serve their purpose and work reasonably.
A lot of vSphere functions can provide a wide spectrum of automation. A couple of these have been discussed in Chapter 3, VMware vSphere: The SDDC Foundation. It is wise to not duplicate an automation principle, which might be already present in vSphere or vCenter. However, vSphere versions will change every year. Even if only the version every second year contains major changes, it is worth checking if any of the custom automation methods can now be done by vSphere.
The side effect of this procedure is that all introduced vSphere features are 100% maintained by VMware. From now on VMware has to take care that the algorithm does not break due to an update or upgrade of the host. This lowers the effort for the operations team and increases the agility and efficiency. Although many people might have put a lot of work into the automation of certain tasks, it is highly recommended to drop the custom automation in favor of the industrialized one coming with VMware's products.
There are some prominent examples of automation tasks baked into vSphere over time:
vSphere Distributed Resource Scheduler (DRS): Moves a VM based on its resource demand to different hosts in order to fulfill those. This happens automatically by a special scheduler, which monitors the demand in the cluster and provides recommendations.
Storage DRS: Automatic migration of workloads between datastores based on criteria like performance or space left (out of space avoidance move).
Storage Policy Based Management (SPBM): Instead of matching datastores per name, policies can be created to fit the right datastore to the requirements of the VM. The technology is based on VMware's VASA adapter, which is constantly improved to deliver even more insights to the underlying storage.
vSphere High Availability (HA): It began with a very simple VM restart procedure and has now evolved into a powerful HA toolset. Not only can HA restart VMs from a failed host, it can also monitor the VM heartbeat (based on the VM tools) and restart a VM if it has entered a blue screen or kernel panic. There are even application-specific HA adapters in order to restart a process within a VM.
Auto Deploy: While it is one of the most complex tools of VMware, it provides great efficiency and agility when it comes to the bigger scale installation of ESXi hosts. All it needs is a PXE environment and vSphere Host Profiles to work. Once a new host is started, it can automatically come up with the right vSphere version and can be brought into the right cluster.
While the SDDC might be already built based on these vSphere features and functions, it is recommended to stay up to date with VMware's latest additions and enhancements. Maybe there is a vSphere feature replacing a complex but required automation. In this case, it should be revisited whether the vSphere-integrated automation is a better choice for the previously outlined reasons.
But it is not only the hypervisor which should be periodically checked. The other tasks where automation was applied need to be revisited as well. An example for this is a changed business case (or an add-on) which may not require the same amount of automation/integration or may require a completely new approach in order to be successful.
DevOps is one of the candidates clashing with most of the traditional data center integrations. However, since this might be a change the business is asking for, the SDDC has to be improved in order to support this use case as well.
But what divides DevOps from standard IT workloads?
The idea of DevOps is to be fast, agile and efficient. There might be 3 to 5 different application versions per week. Also, they might use containers or at least a container framework to work properly. As described in Chapter 9, DevOps Considerations, it is fundamentally different from running traditional IT.
Also, all is about the application. The installation and the OS providing the resources are secondary and definitely do not concern the developer by any means. In fact, frameworks like Cloud Foundation run a proprietary OS as VMs on a hypervisor. On top of that, they use containers to house the application and to be able to act as quickly and flexibly as needed.
IPAM integration is quite useless for a DevOps environment. Also, it does not need a CMDB and would certainly not work well with this principle. These two (automated) integrations are irrelevant to this use case of the SDDC; therefore they should either not be adopted or changed in a way to support DevOps.
While DevOps is a prominent example, there might also be enterprise IT changes which might force the team to change or even completely recreate the automation processes. Since the business and the IT are constantly moving, so is the integration effort in an SDDC.
Revisiting the business case
As the implementation of the SDDC might have taken quite some time, it is important to revisit the business case and see if it still fits. The business might have changed its demands and therefore the data center automation might also need a change or an update. The initially created service might still be relevant, but there might be new services required to serve other cases. Therefore it is wise to keep the business close to the IT in order to be aware of actual requirements.
In the new SDDC environment, the introduction of new services should be simpler than in the non-automated data center. However, that does not mean that this works without planning and designing. There might be a domino effect if a single blueprint is changed, also affecting other systems.
Such a change might be the introduction of a new service, which includes the automated installation of all components. It might be a business system, which can be ordered on demand and is completely deployed by the SDDC. All the requestor has to do is connect to the system and start working after it has been deployed. In order to accomplish this, a number of tasks need to work flawlessly together. The basis will be available in the SDDC. There need to be various other tasks done in order to enable a full-service installation. The software installation might be done using either a pre-existing tool or vRealize Automation Application Services. To form this decision all factors should be taken into account. An existing tool might be used because it already has hundreds of applications ready to be installed. vRA might be used because it can also do all the niche installations a traditional tool might not be able to. Maybe a mix of both tools is needed to deploy the application as quickly as possible.
The whole idea of a service catalog, though, is to be flexible and agile. It needs to reflect the actual requirements and desires of the customer using the portal.
Since the business now has a lot of influence on the IT design, it is recommended to have a direct contact with the business to learn about their requirements and plan accordingly. This should not be of a technical nature, but serve to understand what they are planning and what they might need to be successful with their projects.
The principle of the IT Ambassador (in the preceding image) is maybe close to an internal IT salesperson. This might be a good practice to drive the continuous improvement through the new demands and expectations the business has towards the IT. Also, it might strengthen the relationship between those two departments. Since the SDDC capabilities are designed to help the business succeed in their daily work, the relationship between these parties is very important. A healthy relationship will lead to good teamwork and make a good SDDC an outstanding SDDC. If the trust can be built that, with the help of the IT department, there is no challenge the business can't tackle, that would be a win-win for the entire organization.
Therefore it might be a good approach to have such a function and to review the business case and the expected functionality at best once a quarter but at least every half year.
ITIL in the SDDC
The creation of an SDDC is far more than only the configuration of a few software tools. It begins with finding the right team for the SDDC operations. This team has to be inter-disciplinary in terms of technology to ensure that all aspects of the SDDC can work flawlessly together. Once such a team is built, it has to identify tasks and processes to either automate or substitute with newer ways of completing IT requests. This is not an easy task to complete but necessary since it will ensure that further changes and requirements can be more easily fulfilled by the SDDC.
Matching the requirements to the solution
After all of this has been outlined, the solution has to be designed in order to fulfill the requirements. This will be the later foundation for the configuration and installation and shall incorporate all features and capabilities the solution needs to offer after it is completed. Compared to other designs, which may only include a single component, this one needs to include all necessary tools and even the integration automation pieces for the entire SDDC.
After the design is set and the decisions on integration have been documented, all the different tools have to be configured in order to form the foundation for the service deployment. Alongside the portal and the orchestration system, there might be network virtualization in the mix. This enhances the speed and flexibility when deploying complex services tapping multiple networks. Given this capability, it will be possible to automatically deploy entire labs or the most complex services using different networks for application, database or web frontend components.
To be future ready, the SDDC should also be ready for DevOps and its changed requirements towards a traditional data center. If the business requires a much quicker application development cycle, there is no chance to achieve this with traditional approaches. However, the agility and automation of the system will also be ready to handle DevOps requirements. This will ultimately help the business to stay relevant and competitive.
Finally, the monitoring and analysis, not only for the internal platform components but also for the deployed services, need to be rethought. For this, VMware has powerful tools, which can adapt to new situations quickly and learn the behavior of entire applications in order to look for anomalies.
This is a smart way to detect errors, even when there are no thresholds defined. In a changing and quickly adapting SDDC, traditional monitoring cannot keep pace. Therefore, intelligent tools need to be used, which can adapt and learn the data center behaviors to understand what is normal and what is critical. All this defines the SDDC, but it does not mean that this is set and forget.
Applying continuous service improvement to the SDDC
To create an SDDC with all its automation and integration processes means that these can't stay static forever. If these principles are incorporated thoughtfully, it will lead to a smooth running data center, which delivers exactly the services required to its end users. The teams built to run this new data center will be used to this continuous improvement procedure and therefore changes can be introduced much quicker than in the old static data center days.
Since all the automation and integration tasks in the SDDC are created with agility and efficiency in mind, it should also be possible to change those in order to further improve these two major characteristics of the SDDC.
Keep in mind that this is a flexible and agile environment. Therefore it needs to be managed and operated in the same way.
These principles are older than the SDDC, but today they are easier to follow than ever. At the time they were created, it was quite complex to automate even the slightest deployment in a data center. Today, with the power of orchestration and network virtualization, it is much simpler to automate; therefore these principles should be considered in every data center, but especially in the SDDC.
Summary
This chapter explained the need to revisit designs, processes, and services in order to make sure that they are still relevant for the business. Also, it discussed basic principles of ITIL and how it matches the SDDC architecture and design. It discussed methods and ways to keep the continuous service improvement up and also to create an active and ongoing dialog with the lines of business. Further, it described the need to revisit the created automation tasks as well as the blueprints and services. Since there is constant change in IT and in the economy these days, it highlighted the importance of embracing that change and growing the SDDC with it.