Tuesday, November 26, 2013

Part 1 - Architecting vSphere Clusters - A scoop from my vForum Prezo!

A few days back, I got an opportunity to present at vForum 2013 in Mumbai, the Financial Capital of India. With more than 3000 participants across 2 days of this mega event, it was definitely one of the biggest customer events in India. I, along with my team, was representing VMware Professional Services at vForum and I was given the opportunity to present on the following topic:-

"Architecting vSphere Environments - Everything you wanted to know!"

When we finalized the topic, I realized that presenting this topic in 45 minutes is next to impossible. With the amount of complexity which goes into Architecting a vSphere Environment, one could actually write an entire book. However, the task on hand was to narrate the same in the form of a presentation.

As I started planning the slides, I decided to look at the architectural decisions which in my experience are the "Most Important Ones". These are important decisions as they can make or break the Virtual Infrastructure. The other filtering criterion was to ensure that I talk about the GREY AREAS where I always see uncertainty. This uncertainty can transform a Good Design into a Bad Design. At the end I was able to come out with a final presentation which was received very well by the attendees. I thought of sharing the content with the entire community through this blog series, this being Part 1, where I will give you some key design considerations for designing vSphere Clusters.

Before I begin, I would also want to give the credit to a number of VMware experts in the community. Their books, blogs and the discussions which I have had with them in the past helped me in creating this content. This includes books & blogs by Duncan, Frank, Forbes Guthrie, Scott Lowe, Cormac Hogan & some fantastic discussions with Michael Webster earlier this year.

Here is a small Graphical Disclaimer:-

Here are my thoughts on creating vSphere Clusters!!

The message behind the slide above is to create vSphere Clusters based on the purpose they need to fulfill in the IT landscape of your organization.

Management Cluster

The management cluster here refers to a cluster of 2 to 3 ESXi hosts which is used by the IT team primarily to host all the workloads which are used to build up a vSphere Infrastructure. This includes VMs such as vCenter Server, Database Server, vCOps, SRM, vSphere Replication Appliance, vMA Appliance, Chargeback Manager etc. This cluster can also host other infrastructure components such as Active Directory, Backup Servers, Anti-virus etc. This approach has multiple benefits such as:-

  • Security due to isolation of management workloads from production workloads. This gives the IT team complete control over the workloads which are critical to manage the environment.
  • Ease of upgrading the vSphere Environment and related components without impacting the production workloads.
  • Ease of troubleshooting issues within these components since the resources such as compute, storage and network are isolated and dedicated for this cluster.

A quick tip would be to ensure that this cluster is at least a 2 node cluster so that vSphere HA can protect the workloads in case one host goes down. A three (3) node management cluster would be ideal since you would have the option of running maintenance tasks on ESXi servers without having to disable HA. You might want to consider using VSAN for this infrastructure as this is the primary use case which both Rawlinson & Cormac suggest. Remember, VSAN is in beta right now, so make your choices accordingly.

Production Clusters

As the name suggests, this cluster would host all your production workloads. This cluster is the heart of your organization as it hosts the business applications, databases, web services; literally, this is what gives you the job of being a VMware architect or a Virtualization Admin :-)

Here are a few pointers which you need to keep in mind while creating Production Clusters:-

  • The number of ESXi hosts in a cluster will impact your consolidation ratios in most cases. As a rule of thumb, you will always reserve one ESXi host in a 4 node cluster for HA failover, but you could also do the same on an 8 node cluster, which effectively frees up 1 ESXi host for running additional workloads. Yes, the HA calculations matter, and they can be done either on the basis of slot size or on a percentage of resources.
  • Always consider at least 1 host as the failover limit per 8 to 10 ESXi servers. So in a 16 node cluster, do not stick with only 1 host for failover; look at taking this number to at least 2. This is to ensure that you cover the risk as much as possible by providing an additional node for failover scenarios.
  • Setting up large clusters comes with benefits such as higher consolidation ratios etc., but they can have a downside as well if you do not have enterprise class or rightly sized storage in your infrastructure. Remember, if a Datastore is presented to a 16 Node or a 32 Node cluster, and on top of that the VMs on that datastore are spread across the cluster, chances are that you will run into SCSI locking contention. If you are using VAAI this will be reduced by ATS; however, try to start small and grow gradually to confirm that your storage behavior is not being impacted.

  • Having separate ESXi servers for DMZ workloads is OLD SCHOOL. This was done to create physical boundaries between servers. This practice is a true burden which is carried over from the physical world to the virtual. It's time to shed that load and make use of mature technologies such as VLANs to create logical isolation zones between internal and external networks. In the worst case, you might want to use separate network cards and a separate physical network fabric, but you can still run on the same ESXi server, which gives you better consolidation ratios and ensures the level of security which is required in an enterprise.
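To put numbers on the failover and consolidation pointers above, here is an added worked example in Python. It is not code from the original post or from VMware: it encodes the post's rule of thumb (at least one spare host per 8 to 10 hosts) and the two HA admission control policies the post names (slot size and percentage of resources). The host and VM figures are constructed, and the slot logic is simplified (it leaves out the per-VM memory overhead real HA adds to the memory slot).

```python
"""Worked vSphere HA admission-control arithmetic.

Added example, not code from the original post or from VMware.  The
failover rule (at least one spare host per 8 to 10 hosts) is the one stated
in the post; the cluster figures in main() are constructed sample data.
"""
import math


def recommended_failover_hosts(num_hosts, hosts_per_failover=8):
    """Spare hosts to reserve: one per block of `hosts_per_failover` hosts,
    never fewer than one (4 hosts -> 1, 16 hosts -> 2, 32 hosts -> 4)."""
    if num_hosts < 2:
        raise ValueError("vSphere HA needs at least two hosts in the cluster")
    return max(1, math.ceil(num_hosts / hosts_per_failover))


def percentage_policy(num_hosts, failover_hosts):
    """'Percentage of cluster resources' admission control.  On a homogeneous
    cluster, holding back N hosts equals holding back N/num_hosts of CPU and
    memory; the remainder is what you can actually consolidate onto."""
    if not 0 < failover_hosts < num_hosts:
        raise ValueError("failover hosts must leave at least one host for workloads")
    reserved = round(100.0 * failover_hosts / num_hosts, 1)
    return {"reserved_pct": reserved, "usable_pct": round(100.0 - reserved, 1)}


def slot_policy(hosts, vm_reservations, failover_hosts):
    """'Host failures the cluster tolerates' (slot-size) admission control.

    A slot is the largest CPU and the largest memory reservation among the
    powered-on VMs; each host holds as many slots as the scarcer of its CPU
    and memory allows, and HA keeps the slots of the `failover_hosts`
    largest hosts free.  Simplification: real HA also adds per-VM memory
    overhead to the memory slot, which is omitted here.

    hosts: list of (cpu_mhz, mem_mb); vm_reservations: list of (cpu_mhz, mem_mb).
    """
    # HA falls back to 32 MHz when no VM carries a CPU reservation.
    slot_cpu = max((cpu for cpu, _ in vm_reservations), default=0) or 32
    slot_mem = max((mem for _, mem in vm_reservations), default=0)
    if slot_mem == 0:
        raise ValueError("give at least one VM a memory reservation (overhead not modelled)")
    slots_per_host = [min(cpu // slot_cpu, mem // slot_mem) for cpu, mem in hosts]
    total = sum(slots_per_host)
    held_back = sum(sorted(slots_per_host, reverse=True)[:failover_hosts])
    return {
        "slot_cpu_mhz": slot_cpu,
        "slot_mem_mb": slot_mem,
        "total_slots": total,
        "usable_slots": total - held_back,
    }


def main():
    # Constructed sample cluster: 4 identical hosts, 24 GHz and 96 GB each.
    hosts = [(24000, 98304)] * 4
    reservations = [(0, 4096), (1000, 8192), (500, 2048)]
    for n in (4, 8, 16, 32):
        k = recommended_failover_hosts(n)
        print(n, "hosts ->", k, "spare,", percentage_policy(n, k))
    print("slot policy:", slot_policy(hosts, reservations, 1))
    # One oversized reservation halves every host's slot count.
    trimmed = reservations[:1] + reservations[2:]
    print("without the 8 GB reservation:", slot_policy(hosts, trimmed, 1))


if __name__ == "__main__":
    main()
```

Running it shows the consolidation point from the list: one spare host costs 25% of a 4 node cluster but only 12.5% of an 8 node cluster. The slot run shows the usual slot-policy trap as well: a single VM with a large reservation sets the slot size for the whole cluster and halves the usable slots, which is why many designs prefer the percentage policy when reservations are uneven.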

Island Clusters

Yes, they sound fancy, but the concept of Island Clusters as laid down in my slides is to run islands of ESXi servers (small groups) which host workloads that have special license requirements. Although I do not appreciate how some vendors try to apply illogical licensing policies on their applications, middleware and databases, this is a great way of avoiding all the hustle and bustle which is created by sales folks. Some of the examples for Island Clusters would include:-

  • Running Oracle Databases/Middleware/Applications on their own dedicated clusters. This will not only ensure that you are able to consolidate more and more on a small cluster of ESXi hosts and save money, but also ensure that you ZIP the mouth of your friendly sales guy by being in what they think is License Compliance.

  • I have customers who have used island clusters for operating systems such as Windows. This also helps you save on those Datacenter, Enterprise or Standard editions of the Windows OS.

  • Another important benefit of this approach is that it helps ESXi use the memory management technique of Transparent Page Sharing (TPS) more efficiently, since with this approach there are good chances that the VMs spawn a lot of duplicate pages in the physical memory of your ESXi servers. I have seen this going up to 30 percent, and this can be fetched from a vCenter Operations Manager report if you have that installed in your Virtual Infrastructure.

With this I would close this article. I was hoping to give you a quick scoop in all these parts, but this article is now four pages :-) I hope this helps you make the right choices for your virtual infrastructure when it comes to vSphere Clusters.

Stay tuned for the other parts in the near future…

As always – Share & Spread the Knowledge!!

Thursday, November 21, 2013

Site Recovery Manager and vSphere Replication Network Ports Required - Simplified!

Firewalls have been a nightmare for me lately, not because I hate security, but because I hate hunting down the ports which are required to implement solutions successfully. In one of my recent engagements, I came across a heavily firewalled environment, both across sites and within sites. As the title of the post suggests, this implementation was of Site Recovery Manager (5.1.1) and vSphere Replication Appliance (VRA 5.1.1).

The use case was simple. It was to use vSphere Replication for workload replication from Site A (Primary or Protected Site) to Site B (DR or Recovery Site).

The vCenter Server, SRM Server and vSphere Replication Appliance are on one VLAN while the ESXi servers are on a different VLAN within Site A. Same is the case with Site B as well.

After going through a number of articles and diagrams, I wanted to simplify these ports with a site naming convention, as it is much easier to remember and correlate with a reference than to use the product names. So without further ado, here is my simplified list of ports for the setup which I explained above.

In case you still need the exhaustive list then there are some fantastic articles like this or this on VMware KB Portal. Hope this helps you simplify one of your deployments.

Share & Spread the Knowledge!

Saturday, November 16, 2013

The story of the Chicken Soup. Trust me, it's not Virtual!

Yes.. you read it correctly. It is Chicken Soup which I am going to discuss today. All this while you have been reading about my experiences on different projects which I have done around Virtualization & Cloud Computing. Unlike my other projects, this Statement of Work was given to me by my better half and the deliverable was to make "Chicken Soup".

To everyone's surprise it came out really well.. And here is how it looks.

Would have taken a better picture, if I was aware that I would be asked to pen down the Recipe :-)

Without further ado, here is how I manage to deliver the soup.. Hopefully this article will help you implement the recipe successfully in your kitchen ;-)

Disclaimer - I am by no means a professional cook or a recipe book writer. The author of this article is not responsible for anyone replicating this dish for their wives :-p

Here You Go!!

  • Prepare Chicken Stock by boiling 1 kg of Chicken Bones with 2 Liters of Water. Add Salt to taste and Lemon Grass for fragrance. Bring it to a Boil and let it simmer for 40 minutes.

  • In another pan boil chopped carrots and corn with salt. Bring it to a boil and simmer for 15 minutes.

  • Strain the Chicken Stock into another pan where you will give it the final touches.

  • Smash some basil leaves and add them whole to the strained stock. Add shredded chicken which is pre-boiled with salt.

  • While the strained stock is on simmer, add 1 egg white which is beaten with some salt. Stir the stock while adding the egg white. Add the boiled carrots and Corn.

  • Add 3 Tablespoons of Vinegar, freshly ground pepper and salt to taste.

  • Leave the dish on simmer for 15 more minutes.

  • Serve it hot, and Call me or Email me and let me know if it worked for you.

Have a great weekend :-)

Wednesday, November 13, 2013

Using the vSphere Replication Capacity Planning Appliance!

A few days back I wrote an article introducing a Fling by VMware Labs called vSphere Replication Capacity Planning Appliance. I would recommend that you read that post before going through this one. Here is the link:-

As I mentioned in that article, I finally got an opportunity to deploy the appliance and run it to capture traffic and replication requirements for one of my lab virtual machines. Here are the steps to download and configure this appliance and to get the results you need:-

1- Download the appliance from this link.

2- Deploy the OVA template in your environment using the vCenter Server. Please remember, this is the site where you have the VMs running. (Also, it is recommended that there are NO vSphere Replication Appliances deployed in this environment)

3- The Appliance needs an IP Address which needs to be configured after the appliance powers on. You can log in to the appliance using the username 'root' and the password 'vmware'.

4- Once the IP is set you can login to the appliance using the following url - 

https://<ip Address of appliance>:5480

Here is a screenshot from my environment. The username is root and password is vmware as mentioned before.

5- Please ensure to setup the correct time zone for correct results.

6- Now open an SSH session to the appliance using 'putty' or an equivalent tool. Username - root and Password - vmware. Once logged in you need to browse to the following directory:-

cd /opt/vmware/hbrtraffic/bin

7- Run the command located in this directory to see the usage. Here you can see all the options available to run with this command.


8- Now I will use this command to capture the data changes for a VM in my lab named "VMWSUDRSNVC01"

That's it. You need to configure this for all the VMs for which you need to do capacity planning for replication bandwidth requirements.

Once done, you can check out the results after 15 minutes or so by opening the URL: 

https://<ip Address of appliance>:5480/vr-graphs/

We can get data about this VM by clicking on the link listed on this page. Here are some screenshots from my lab. It clearly shows the Network Traffic Requirements and Data size of the "lwd". LWD is the light weight delta, which is calculated by vSphere Replication as the amount of data which needs to be replicated to maintain the defined RPO. Remember, the RPO in this case is 15 minutes by default. You can set the RPO which you have planned for your workload in the ssh command where you enable replication modelling.

Like other capacity planning tools, it is important to run this for at least 3 to 4 weeks to capture all the peaks and lows of the workload and estimate its replication requirements. Hope this helps you calculate the bandwidth requirements and data change rates which are crucial for setting up DR using vSphere Replication and Site Recovery Manager.
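To turn the LWD figures the graphs give you into a link size, here is an added worked example in Python; it is my own, not code from the post or from the Fling. It takes one LWD sample per RPO interval, works out the rate needed to ship each delta inside the 15 minute default RPO the post mentions, and flags the intervals a candidate WAN link could not keep up with. The sample records are constructed, and compression and protocol overhead are ignored.

```python
"""Sizing replication bandwidth from light-weight delta (LWD) samples.

Added example, not code from the post or from the Fling.  Each sample is
the LWD bytes vSphere Replication would have to ship in one RPO interval;
the figures below are constructed, and 15 minutes is the default RPO
mentioned in the post.
"""
RPO_MINUTES = 15

# Constructed samples: (interval start, LWD bytes for that interval).
SAMPLES = [
    ("2013-11-13T09:00", 90_000_000),      # quiet period
    ("2013-11-13T09:15", 450_000_000),
    ("2013-11-13T09:30", 1_800_000_000),   # e.g. a batch job rewriting data
    ("2013-11-13T09:45", 225_000_000),
    ("2013-11-13T10:00", 0),               # idle interval, nothing to ship
]


def required_mbps(lwd_bytes, rpo_minutes=RPO_MINUTES):
    """Link rate (Mbit/s) needed to move one delta inside its RPO window."""
    return lwd_bytes * 8 / (rpo_minutes * 60) / 1_000_000


def size_link(samples, link_mbps, rpo_minutes=RPO_MINUTES, headroom=1.25):
    """Summarise a capture window and check a candidate link against it.

    Returns the peak and mean rate, the link size with headroom applied,
    and the intervals where the candidate link would miss the RPO."""
    if not samples:
        raise ValueError("no samples: run the capture for weeks, not minutes")
    rates = [required_mbps(b, rpo_minutes) for _, b in samples]
    peak = max(rates)
    at_risk = [ts for (ts, _), r in zip(samples, rates) if r > link_mbps]
    return {
        "peak_mbps": round(peak, 2),
        "mean_mbps": round(sum(rates) / len(rates), 2),
        "recommended_mbps": round(peak * headroom, 2),
        "rpo_at_risk": at_risk,
    }


if __name__ == "__main__":
    for link in (10, 20):
        print(f"{link} Mbit/s link:", size_link(SAMPLES, link_mbps=link))
```

The point of the summary is that the mean is misleading: on these constructed samples the average need is under 5 Mbit/s, but a 10 Mbit/s link still misses the RPO in the 09:30 interval, so the link has to be sized for the peak seen across the whole multi-week capture.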

Share and Spread the Knowledge. 

Monday, November 11, 2013

Bitdefender Cloud Security - Providing Security As a Service to Small & Medium Sized Enterprises!

A few days back I wrote about Bitdefender's GravityZone-in-a-Box as an on-premise security solution for protecting endpoints within an organization. I also showcased as to how you can deploy the solution in your infrastructure in another article. While I was evaluating the product as an on-premise solution for end-point security, I also got an opportunity to lay my hands on a cloud based solution of Bitdefender which is tailor made for small and medium sized businesses. The solution is called Bitdefender Cloud Security. 

In the past few years of working with customers I have realized that whether it is Enterprise organizations or Small and Medium enterprises, securing the endpoint and server workloads has been one of the biggest worries for any organization. To add to this worry, Desktop and Server Virtualization has completely changed the landscape of the traditional datacenter, requiring organizations to re-model their security procedures and policies. Having said this, all the SMB customers I work with have other major challenges to face, which include the cost of procuring security solutions, the complexity of deploying such solutions and the skill-sets/resources required to manage and run such solutions. Bitdefender Cloud Security focuses on solving these issues and more for small and medium sized businesses.

In my experience, SMBs are the biggest target for hackers as they are usually easy to break into due to absent or inadequate anti-virus solutions, no dedicated security teams and a lack of security policies. This exposes them to a number of threats. These can range from the most common ones such as Email Attachments to Phishing and Worm attacks.

Diverse Threat Landscape

Although the challenges and the threats mentioned above have always been a headache for customers, I have realized that small or medium enterprises can also build up endpoint security which matches the standards of a large organization with the use of Bitdefender. This is possible because, like any other Cloud Based Service, Cloud Security is available as a service from Bitdefender, which not only makes it inexpensive to own, but also easy to deploy and manage.

I signed up for the 30 day trial of the service and it was quick and easy to set up. Let's see how we can use Cloud Security.

1- After signing up for the 30 day trial here, you will receive your username and password along with the link to log in to the Cloud Security Console.

2- Once you are logged in to the Security Console, you will be on the Dashboard Tab which will showcase all the resources which you have added for endpoint security. My dashboard is empty since I just started.

Here you can do a number of tasks of creating new policies, add new resources, create multiple accounts etc. Let's start with adding a few resources.

3- Click on Computers -> Installation Area

On the next page you will see the following options:-

You can see that you have a number of options which you can use to install the AV agent on your Desktops or Servers. You can either do a manual installation or a remote installation. While the options are quite easy and self-explanatory, I would want to highlight a great feature which allows me to customize an installation package. This feature allows you to select the modules which you want to install and also set an uninstall password. See the screenshot below:-

4- I chose the option "Use Installation Link". You can either open the link directly on the machine where you want to install the agent or you can email the link as well as shown below.

5- Now select the type of agent you want to install, based on the operating system of the end-point or server.


6- Once you select the package, it will start the download and installation automatically. Once completed, the Bitdefender icon will be visible in the Windows notification area.

7- Open the console to see the details. You can also perform the first scan manually or wait for it to kick off based on the configured schedule.

8- Once the Scan is done, you can check the status of the system by clicking on the Status Tab.

9- Finally let's log in to the Cloud Security Console and you will see that the server where I have installed the client is visible in the centralized console and I can monitor all the virus and malware activities from this console.

This was just an example which showcased how easy it is to adopt endpoint security by using Bitdefender's Cloud Security. All this without the need to invest money in buying the software and then deploying and maintaining it. At the same time, you are able to centralize the deployment from a single portal, which will help you manage security for all the endpoints and servers of your entire organization. While all this sounds great, the feature I like best is that these endpoints can be on the office premises, in the field or in a remote datacenter.

I also looked at the licensing model of the product and was happy to see that it comes with a true cloud consumption model with following options:-

  • Free trial: 30 day period, after which the product ceases to function
  • Subscriptions for 1 / 2 / 3 year models
  • Partners can implement flexible monthly licensing based on consumption
  • Special discounts apply for education, government, competitive upgrade and renewal
  • Licenses per endpoint (same price for server or workstation)

To summarize:
  • The license model is OPEX based and the product can be consumed as a service.
  • It is the simple-most anti-virus deployment I have ever seen. Took me minutes to get going.
  • Zero management overhead as everything is centralized and placed on a single portal.
  • Not just Anti-Virus but a 2 way firewall with Intrusion detection, anti-phishing, web filtering & device scanning.
  • Automatic updates, unified security policies; users can't change settings or deactivate AV.

If you are looking for an anti-virus solution, just go ahead and sign up for the trial and see if this meets your needs. I hope this review will be helpful in choosing and deploying Bitdefender Cloud Security to secure the endpoint and server workloads in your organization.