Wen Yu, Partner Solutions Architect (AWS)
Aarthi Raju, Partner Solutions Architect (AWS)
LHC3375BES
#VMworld #LHC3375BES
VMware Cloud on AWS Hybrid Cloud Architectural Deep Dive: Networking and Storage Best Practices
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
2#LHC3375BES CONFIDENTIAL
Let’s Get On-boarded to VMware Cloud on AWS
Quick Refresher on AWS Account Structure
• VMware Cloud on AWS SDDC account
– Dedicated, single-tenant AWS account created for each customer on sign-up
– Owned, operated and paid by VMware
– Contains all of the ESXi hosts for a given deployment
• Customer AWS account
– Is owned, operated, and paid directly by the customer
– Can be an existing AWS account, or a new account created just for this purpose
– Private connectivity to the VMware Cloud SDDC is established using an Elastic Network Interface (ENI)
– Has full access to the entire catalog of native AWS services
Creating Your SDDC
4-Step Onboarding Process
1. Connect Customer AWS Account to the VMware Cloud on AWS SDDC Account
2. Define SDDC properties
3. Select VPC and Subnet to use in the Customer AWS account
4. Configure management network
Connection Workflow to Customer AWS Account
[Diagram: in the Customer AWS Account, the user runs an AWS CloudFormation template that creates a ‘cross-account’ role with an AWS Managed Policy; VMW is granted access to assume this role using STS]
Defining SDDC Properties
Selecting VPC and Subnet
Configuring Management Network
Details on Linked VPC
Key Things to Remember
• The cross-account role allows VMware to perform operations required to connect to your AWS VPC
• You have full control over this role
• You maintain access control of the transit path using standard AWS security practices (Security Groups, NACL, Flow Logs, etc.)
• You have the ability to audit use of the cross-account role using AWS CloudTrail
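The cross-account role and its auditing, as an added example that is not part of the deck: a trust policy scoped to the single account that may call sts:AssumeRole, a check for an over-broad trust policy, and a filter over CloudTrail AssumeRole records that flags any caller outside that account. Account ids, the role name and the sample events are constructed placeholders; the CloudTrail field names are the real ones.

```python
"""Added example (not from the deck): model the cross-account role that VMware Cloud
on AWS assumes via STS, and audit its use from CloudTrail. Account ids, the role name
and the sample events are constructed placeholders."""

CUSTOMER_ACCOUNT = "111111111111"  # placeholder: customer AWS account
VMW_SDDC_ACCOUNT = "222222222222"  # placeholder: VMware-owned SDDC account
ROLE_ARN = f"arn:aws:iam::{CUSTOMER_ACCOUNT}:role/vmware-cloud-cross-account"  # placeholder

def trust_policy(trusted_account: str) -> dict:
    """Trust policy that lets only principals of one account call sts:AssumeRole."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole"}]}

def trust_policy_findings(policy: dict) -> list:
    """Flag Allow statements whose principal is '*': anyone could assume the role."""
    findings = []
    for st in policy.get("Statement", []):
        p = st.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard:
            findings.append("trust policy allows any principal to assume the role")
    return findings

def unexpected_assumptions(events: list, role_arn: str, trusted_account: str) -> list:
    """Return AssumeRole events for role_arn whose caller is outside trusted_account.
    eventSource/eventName/userIdentity/requestParameters are real CloudTrail fields."""
    hits = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("sts.amazonaws.com", "AssumeRole"):
            continue
        if ev.get("requestParameters", {}).get("roleArn") != role_arn:
            continue
        if ev.get("userIdentity", {}).get("accountId") != trusted_account:
            hits.append(ev)
    return hits

SAMPLE_EVENTS = [  # constructed records, not a real trail
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSAccount", "accountId": VMW_SDDC_ACCOUNT},
     "requestParameters": {"roleArn": ROLE_ARN}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSAccount", "accountId": "333333333333"},
     "requestParameters": {"roleArn": ROLE_ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkInterface",
     "userIdentity": {"type": "AssumedRole", "accountId": CUSTOMER_ACCOUNT},
     "requestParameters": {}},
]
```

Running `unexpected_assumptions(SAMPLE_EVENTS, ROLE_ARN, VMW_SDDC_ACCOUNT)` returns only the second sample event, the one assumed from an account that is not the SDDC account.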
Connecting to Your SDDC
Internet Connectivity to Management Gateway (MGW) and Compute Gateway (CGW)
L3VPN Connectivity to MGW and CGW
Architectural Deep Dive
Provision VMware Cloud VPC
[Diagram: Customer Data Center (vSphere Environment with ESXi, Non-vSphere Environment) alongside VMware Cloud on AWS (ESXi hosts, MGW & CGW) and Amazon EC2]
Establish Your L3VPN
[Diagram: an L3 IPSEC VPN links the Customer Data Center (vSphere Environment with ESXi, Non-vSphere Environment) to the MGW & CGW in VMware Cloud on AWS; Amazon EC2 alongside]
Connect to Your AWS VPC from On-prem
[Diagram: the Customer Data Center reaches the VPC subnets (Amazon EC2) in the Customer AWS Account over AWS Direct Connect with a Private VIF, while the L3 IPSEC VPN to the MGW & CGW in VMware Cloud on AWS remains in place]
Establish Connectivity to Your VPC
[Diagram: an elastic network interface connects the MGW & CGW in VMware Cloud on AWS to the VPC subnets (Amazon EC2) in the Customer AWS Account; the Direct Connect Private VIF and the L3 IPSEC VPN from the Customer Data Center as before]
Network Path: VM to EC2
[Diagram: traffic from a VM in VMware Cloud on AWS leaves through the CGW, crosses the elastic network interface into a VPC subnet of the Customer AWS Account and reaches Amazon EC2]
Network Path: VM – Internet Connectivity
[Diagram: Internet connectivity for a VM in VMware Cloud on AWS via the CGW; the Customer AWS Account's VPC with its own Internet Gateway (IGW), Amazon EC2, the elastic network interface, the Direct Connect Private VIF and the L3 IPSEC VPN from the Customer Data Center also shown]
Network Path: VM – Amazon S3
[Diagram: traffic from a VM leaves through the CGW, crosses the elastic network interface into the Customer AWS Account's VPC and reaches Amazon S3 through the IGW]
Network Path: VM to Amazon S3 Endpoints
[Diagram: traffic from a VM leaves through the CGW, crosses the elastic network interface into the Customer AWS Account's VPC and reaches Amazon S3 via a VPC endpoint instead of the IGW]
Key Considerations
• Route tables for EC2 are updated by VMW to allow access to your logical networks
• Do not modify any interfaces that have the description ‘VMware Cloud on AWS’
• You have the option to use VPC Endpoints or an Internet Gateway for S3 connectivity
• An S3 VPC Endpoint requires configuration of both the IAM policy and the bucket policy
• Make sure you have the right Security Group rules configured
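The “both IAM and bucket policy” point above, as an added example that is not from the deck: the resource-side bucket policy pins the bucket to one S3 VPC endpoint using the real aws:SourceVpce condition key, the identity-side policy grants the actual rights, and a simplified evaluator shows why a request that bypasses the endpoint (the Internet Gateway path) is denied. The bucket name and endpoint id are constructed placeholders.

```python
"""Added example (not from the deck): bucket-policy and IAM-policy pair for reaching
S3 through a VPC endpoint, plus a simplified evaluator. Bucket name and endpoint id
are constructed placeholders; aws:SourceVpce is the real condition key."""
from typing import Optional

BUCKET = "example-sddc-backups"     # placeholder
VPCE_ID = "vpce-0123456789abcdef0"  # placeholder

def bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Resource side: deny every request that did not arrive through vpce_id."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}}]}

def iam_policy(bucket: str) -> dict:
    """Identity side: the role on the EC2/backup instance still needs an explicit
    Allow; the bucket policy above only restricts the path and grants nothing."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}

def denied_by_bucket_policy(policy: dict, source_vpce: Optional[str]) -> bool:
    """Evaluate only the Deny/StringNotEquals aws:SourceVpce pattern. IAM treats a
    negated condition on a missing key as true, so a request with no source VPC
    endpoint (Internet Gateway path) is denied, as is one from another endpoint."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        want = st.get("Condition", {}).get("StringNotEquals", {}).get("aws:SourceVpce")
        if want is not None and source_vpce != want:
            return True
    return False

def request_allowed(identity: dict, bucket_pol: dict, source_vpce: Optional[str],
                    action: str) -> bool:
    """Explicit Deny wins; otherwise an Allow listing the action is required.
    Actions are matched as exact strings (the identity policy uses a list)."""
    if denied_by_bucket_policy(bucket_pol, source_vpce):
        return False
    for st in identity.get("Statement", []):
        if st.get("Effect") == "Allow" and action in st.get("Action", []):
            return True
    return False
```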
Integrated Storage Services
• Block: Amazon Instance Store & Elastic Block Store
• File: Amazon Storage Gateway (File Gateway)
• Object: Amazon S3
Block Storage Services
Amazon Instance Store:
• Locally attached
• NVMe Flash
• Data Encryption at Rest
Amazon Elastic Block Store:
• Block storage as a service
• Create, attach volumes through an API
• Service accessed over the network
Block Storage Integration: EBS and Instance Store
[Diagram: esxi-01 vSAN with Disk Group 1 and Disk Group 2, each with a write buffer and a capacity tier; an EBS volume for boot]
vSAN Configuration:
• VMware Ready for vSAN certified
• All-Flash, pre-configured
Key Considerations:
• Default vSAN Datastore policy
• Flexibility of RAID-1 or Erasure Coding
• IOPS limits per vdisk
Object Storage: Amazon S3
What is Amazon S3?
• Designed for 11 9’s durability
• Highly scalable, reliable, low latency, infinite capacity
• Standard, IA and Glacier
Object Storage Integration: Amazon S3
[Diagram: ESXi hosts in VMware Cloud on AWS reach Amazon S3 through the CGW, the elastic network interface and a VPC endpoint in the Customer AWS Account; Amazon EC2 alongside]
Customer use cases:
• File Services
• Data Protection
• Big Data Analytics
Customer Amazon S3 Use Case: File Services
[Diagram: AWS Storage Gateway running on ESXi in the VMware Cloud VPC exposes an NFS file share; its read/write cache (local reads/writes) sits on the vSAN Datastore, and writes and cache misses go to Amazon S3; Amazon EC2 alongside]
AWS Storage Gateway:
• Unlimited storage
• File storage durability (11 9’s)
• Built-in data protection
vSAN:
• Primary storage for storage gateway
• Performance acceleration
• Storage gateway resilience
Customer Amazon S3 Use Case: Data Protection
[Diagram: Backup to the Cloud: a Backup Server in the Corporate Datacenter writes to the Customer S3 Bucket and Amazon Glacier. Backup in the Cloud: a Backup Server on ESXi in the VMware Cloud VPC uses a Partner Solution EC2 Instance in the Customer VPC to write to Amazon S3]
Backup to the Cloud (Gateway Appliances)
[Diagram: Backup Server and Backup Proxy in the Customer Data Center vSphere Environment write to a Gateway Appliance (Dell/EMC Cloudboost, AWS Storage Gateway or NetApp Altavault), which reaches Amazon S3 over AWS Direct Connect with a Public VIF]
Backup to the Cloud (Cloud Connectors)
[Diagram: Backup Server and Backup Proxy in the Customer Data Center vSphere Environment use partner solutions (cloud connectors) to write to Amazon S3 over AWS Direct Connect with a Public VIF]
VM Restore in the Cloud
[Diagram: a VM Proxy (cloud connector) or a gateway appliance (Dell/EMC Cloudboost, AWS Storage Gateway, NetApp Altavault) reads from the Backup Repository in Amazon S3 (/bucket/VM1backup, /bucket/VM2backup, …)]
VM Restore in the Cloud: Partner Storage Appliance
[Diagram, numbered steps 1 to 4: a Veeam Backup Server in the on-prem vSphere Environment connected over the L3 IPSEC VPN; the backup repository in Amazon S3 (/bucket/VM1backup, /bucket/VM2backup, …); an S3 VPC endpoint and NetApp AltaVault on Amazon EC2 in the Customer VPC subnet; the elastic network interface, CGW and a Veeam Proxy on ESXi in the VMware Cloud VPC]
VM Restore in the Cloud: Partner Cloud Connector
[Diagram, numbered steps 1 to 4: a CommServe Media Agent in the on-prem vSphere Environment connected over the L3 IPSEC VPN; the backup repository in Amazon S3 (/bucket/VM1backup, /bucket/VM2backup, …); an S3 VPC endpoint and Amazon EC2 in the Customer VPC; the elastic network interface and CGW to ESXi in the VMware Cloud VPC]
Backup in the Cloud (Dell/EMC DDVE)
[Diagram: Avamar/Networker on ESXi in the VMware Cloud VPC writes through the CGW and the elastic network interface to Dell/EMC DDVE on Amazon EC2 in the Customer VPC]
Backup in the Cloud (NetApp AltaVault)
[Diagram: a Veeam Backup Server on ESXi in the VMware Cloud VPC writes through the CGW and the elastic network interface to NetApp AltaVault on Amazon EC2 in the Customer VPC, and on to Amazon S3]
Backup in the Cloud (Media Agent)
[Diagram: ESXi in the VMware Cloud VPC, the CGW and the elastic network interface, a Media Agent and Amazon EC2 in the Customer VPC, and Amazon S3 as the backup target]
Customer Amazon S3 Use Case: VM Data Analytics
[Diagram: an Amazon Kinesis-enabled app streams through Amazon Kinesis Firehose into Amazon S3, from where the data is consumed by Amazon Athena, Amazon QuickSight and Amazon Redshift (SQL Client)]
Key Considerations
• vSAN: Focus on storage policies
• vCenter Server: Enable external access for backup software
• AWS Storage Gateway:
– Use ACL
– Enable versioning
– Enable Cross Region Replication
• S3:
– Control access to bucket
– Enable access logging and CloudTrail
– Leverage STS and lifecycle policy (if available from partner solutions)
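The Storage Gateway and S3 items in the list above, turned into a configuration check as an added example that is not from the deck: it audits a bucket's versioning, cross-region replication, server access logging and lifecycle transition to Glacier. The input dicts mirror the shapes of the S3 GetBucketVersioning, GetBucketLogging, GetBucketReplication and GetBucketLifecycleConfiguration responses; the sample configuration is constructed.

```python
"""Added example (not from the deck): audit a bucket used behind AWS Storage Gateway
or a backup product against the checklist (versioning, cross-region replication,
access logging, lifecycle to Glacier). Input dicts mirror the S3 GetBucketVersioning,
GetBucketLogging, GetBucketReplication and GetBucketLifecycleConfiguration responses;
the sample configuration below is constructed."""
from typing import Dict, List

def audit_bucket(cfg: Dict[str, dict]) -> List[str]:
    """Return the unmet items; an empty list means every check passed."""
    findings = []
    versioned = cfg.get("versioning", {}).get("Status") == "Enabled"
    if not versioned:
        findings.append("versioning not enabled")
    # GetBucketLogging carries a LoggingEnabled block only when logging is on
    if "LoggingEnabled" not in cfg.get("logging", {}):
        findings.append("server access logging not enabled")
    repl = [r for r in cfg.get("replication", {}).get("Rules", [])
            if r.get("Status") == "Enabled"]
    if not repl:
        findings.append("no enabled cross-region replication rule")
    elif not versioned:  # S3 replication requires a versioned source bucket
        findings.append("replication configured but source bucket is not versioned")
    to_glacier = [t for r in cfg.get("lifecycle", {}).get("Rules", [])
                  if r.get("Status") == "Enabled"
                  for t in r.get("Transitions", []) if t.get("StorageClass") == "GLACIER"]
    if not to_glacier:
        findings.append("no lifecycle transition to Glacier")
    return findings

SAMPLE_CFG = {  # constructed: versioned, replicated and archived, but logging is off
    "versioning": {"Status": "Enabled"},
    "logging": {},
    "replication": {"Rules": [{"ID": "to-dr-region", "Status": "Enabled",
                               "Destination": {"Bucket": "arn:aws:s3:::example-dr-bucket"}}]},
    "lifecycle": {"Rules": [{"ID": "archive", "Status": "Enabled",
                             "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]}]},
}
```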
In Summary…
[Diagram: four phases, Onboarding, Workload Migration, Data Protection and Workload analysis, mapped to the AWS services used: AWS IAM (permissions, role), AWS STS, AWS CloudFormation, AWS CloudTrail, Amazon VPC, AWS Direct Connect, Amazon S3, AWS Storage Gateway, Amazon Glacier, Amazon Kinesis, Amazon Athena, Amazon QuickSight and Amazon Redshift]
Don’t Forget to Attend These Sessions
• AWS Native Services Integration with VMware Cloud on AWS: Technical Deep Dive [LHC3376BES]
• VMware Cloud on AWS: An Architectural and Operational Deep Dive [LHC3174BE]
• Creating Your VMware Cloud on AWS Data Center: VMware Cloud on AWS Fundamentals [LHC1547BE]
• And a lot more…
Don’t Forget to Stop by Our Booth
• Microsoft Application
• Mission Critical Applications
• Data Analytics
• Native Service Integrations