VMworld 2017 US General Session Day 2

….. This update is a bit late going up because Tuesday evenings are 5-a-side footie for me…. =)

So what was the General Session on Day 2 all about… well it kicked off with a fireside chat between Pat Gelsinger and Michael Dell, answering a few questions that were submitted the previous evening by attendees. In my opinion there weren’t any major revelations or probing questions asked/answered; what we do know is that Michael Dell likes Peanut Butter & Chocolate… =P

It’s interesting that Dell thinks that we’re in for some exciting times with AI and machine learning…. although he didn’t quite pin his flag like Zuckerberg and Musk recently… =)
The amount of data created from IoT is stupendous, and the possibilities of using that data are endless – however, companies need to start thinking about how to use the vast amounts of data they have to try and improve processes, products and services – if they don’t then they could be left behind (Just like Elastic Sky Pizza were)!

However, one of the more memorable quotes from Pat was that “Today is the slowest day of technological evolution of the rest of your life!” Great quote, and how true it is…. In IT we live in an ever-changing world!

One thing I did pick up on was VMware Skyline – a new and innovative support technology which will offer pro-active support for VMware solutions. It will consist of a Collector appliance that end-users deploy; it then sits there securely collecting environmental data from different VMware components (such as configuration, performance and product usage) whilst performing machine-learning analytics to ensure the overall solution functions correctly. If it detects any changes, events or patterns that will cause a deviation from best practices or validated designs, it will alert the customer. Skyline is aimed at improving the support experience through data analytics.

Both Pat and Dell were then joined on stage by Rob Mee (CEO of Pivotal) – it was really interesting to hear that Pivotal Cloud Foundry was being used in over 50% of the Fortune 500 – I wonder what the percentage is in the UK FTSE? Pivotal has been “pivotal” (excuse the pun) in helping enterprises with their digital transformation – how to run legacy production workloads alongside developing new cloud-native applications, yet still providing the availability and security whilst also reducing cost! Pivotal Cloud Foundry addresses all these issues.

The biggest announcement of the day was the unveiling of Pivotal Container Services (PKS) – a partnership between VMware, Pivotal and Google Cloud. Pivotal has been working with Google for a while – Project Kubo – and now with the partnership with VMware, PKS will enable enterprises to deliver production-ready Kubernetes on VMware vSphere and Google Cloud Platform (GCP), with compatibility with Google Container Engine (GKE) – all secured by – yup you guessed it – NSX. Pat went on to say that they’re not stopping there and will start to integrate other VMware products such as vRealize Automation and Operations, along with Wavefront (which VMware acquired in May – it’s a “real-time metrics monitoring and streaming analytics platform designed for developers to optimize their clouds and modern applications that rely on containers and microservices”).


Pat, Dell and Rob were joined on stage by Google’s Sam Ramji (VP of Product Management – Developer Platforms). It’s interesting how Google are pouring vast amounts of their knowledge on containers into Kubernetes – a way of giving back to the community! Sam also announced that Pivotal and VMware were to become Platinum Members of the Cloud Native Computing Foundation – home of Kubernetes.

The rest of the General Session involved a fictitious company called “Elastic Sky Pizza” which was stuck in the past and needed assistance in transforming their business. Loads of demos and presentations showing how VMware’s suite of Cloud products work – including PKS, AppDefense, NSX, Pulse IoT (Edge LIOTA).


PKS looks amazing, but I do still think that containers are an enterprise play – which kind of goes against one of the questions during the fireside chat about looking after the SMB market… this is probably going to be priced above what SMBs can afford!


VMworld 2017 US General Session Day 1

If like me, you’re stuck in a sweltering London enjoying the bank holiday and watching the Game of Thrones season 7 finale, you may have forgotten that over in Vegas the city is just getting over the big fight of Mayweather vs McGregor and is now inundated with people looking to attend VMworld 2017 US.

It’s great that VMware live stream their keynotes, as it gives everyone an opportunity to hear first hand what VMworld will be about this year and also what is being announced!

And it’s of no surprise that VMware have continued to strengthen their vision of “Any Device, Any Application, Any Cloud” with the keynote by Pat Gelsinger. Whilst heterogeneity is a great thing that leads to the consumerisation of IT, it plays havoc with IT admins whose key focus is to contain and secure a company’s data – and it’s worth noting how much emphasis is being placed on security within VMware – NSX is intrinsic to every solution that was mentioned during the keynote!


The first thing that was covered was how the digital transformation is affecting end users – the goal for any company is to ensure that their employees are well connected, yet the challenge is a complex one when you realise how many different technologies an end user has access to – smartphones, tablets, laptops – even smartwatches and cars now! So how do you deliver a unified workspace securely across multiple technologies?

Simple – Workspace ONE – piecing it all together to give companies a “consumer simple but enterprise secure” solution. Delivered in 3 areas:

  1. Apps and Identity – applications with a consistent feel across multiple devices. Secured by a common identity framework with a simple Single Sign-on experience.
  2. Management and Security – IT in control, delivering consistent management & security. Drastically improving tasks that were previously costly, time consuming and resource intensive, whilst still in control of data by combining identity and device management to enforce Data Security and Endpoint Compliance.
  3. Desktop and Mobile – Device Management and Compliance provided by AirWatch Unified Endpoint Management, protecting sensitive data as well as conditional access to how that data can be consumed by end-users.


Next Pat went on to explain that virtualisation has led to end-users deploying a private cloud within their own data centres, yet making such a transition is not an easy step – deployment isn’t straightforward, lifecycle management and day 2 operations aren’t always easy, and trying to secure the different technologies of a private cloud is painful!

VMware’s goal is to “make Private Cloud easy”, and that’s where Cloud Foundation comes along – a fully integrated SDDC stack that ‘just works’…. simple… agile… secure! Version 2.2 was announced and is now GA.

Pat was then joined by Andy Jassy, CEO of AWS, to announce the General Availability of VMware Cloud on AWS. Announced as a tech preview at last year’s VMworld, it should be noted that it’s currently only available today in the US West Coast region Availability Zone; it will then be rolled out across the East Coast AZ before rolling out to the rest of the AWS global AZs by the end of 2018. So I guess we’re going to expect it in the UK late 2017/early 2018!

VMware Cloud on AWS allows you to seamlessly take a workload running on vSphere in your data centre and migrate it to AWS Public Cloud running a VMware stack – using the same tools (vCenter Server) to manage both your private and your public cloud workloads from a single pane of glass! A consistent feel no matter where your workload resides. What Andy Jassy said was correct – in the past customers hated the fact that if they wanted to consume public cloud, there was no easy way of migrating workloads across without some form of translation occurring. It was also painful and costly to manage as you couldn’t use a single tool to manage both private and public cloud.

VMware’s Cloud Strategy is as follows:


The first 7 VMware Cloud Services were announced as available for consumption.


NSX Cloud is an interesting service that addresses the networking and security operational challenges inherent in using multiple public clouds. Unfortunately at launch it’s only available on AWS to protect EC2 workloads (i.e. native AWS workloads – not vSphere workloads, which is what VMware Cloud on AWS gives). It differs from on-premises NSX as it is delivered as a service and managed by VMware.

As I previously said, NSX is a key foundation to every solution at VMware currently:


Security is hugely important… and Pat breaks it down into 3 components:

  1. the need to build it into the infrastructure
  2. the need to integrate with the current security vendor ecosystem
  3. the need to ensure good cyber hygiene and ensure security policies are in place. The 5 pillars of Cyber Hygiene are:
    • Least Privilege
    • Micro-segmentation
    • Encryption
    • Multi-factor authentication
    • Patching

Two years ago, VMware first began talking about the concept of the “Goldilocks Zone” where the hypervisor sits at the ideal location in the network to improve security. During the keynote VMware announced a new product named AppDefense which looks to be the fruition of Project Goldilocks.

AppDefense allows a virtual machine to learn its manifest and understand what is a good and secure process; it is then able to determine whether the runtime behaviour of a VM or application deviates from its intended state. Finally, it’s able to trigger an automated/orchestrated response to remediate or quarantine any detected anomalies.



Strange that searching the VMworld Europe Content Catalog for AppDefense doesn’t bring up any sessions…. which is a shame as I was hoping to schedule a session after hearing the keynote and reading about it.

Roll on Day 2….


vExpert 2017 Announcements

Congratulations to those who have been recognised as vExperts and will be joining the group for the 2nd half of 2017!

https://blogs.vmware.com/vmtn/2017/08/vexpert-2017-second-half-announcement.html

Also congratulations to existing vExperts who have been recognised as experts in the 2 sub categories – NSX and vSAN!

https://blogs.vmware.com/vmtn/2017/08/vexpert-nsx-2017-award-announcement.html

https://blogs.vmware.com/vmtn/2017/08/vexpert-2017-vsan-announcement.html


I’m fortunate enough to be once again considered as a vSAN vExpert for this year! =)

vSphere 6.0 update 3 released

With all the news around vSphere 6.5, one might forget that the majority of customers are still probably running 6.0….. at least VMware haven’t forgotten about you guys! =)

vSphere 6.0 Update 3 was released last week and with it come updates to vCenter Server, vSAN and vSphere Replication.

I can’t see anything major within the new update for vSphere/vCenter – minor update to ESXi Host Client, and support for Transport Layer Security (TLS) protocol.

The biggest update seems to be with vSAN 6.2, with some important fixes to aid with vSAN performance issues relating to large sequential writes and large file deletes when vSAN data services are turned on (such as dedupe and compression). Optimisation has also been made to the checksum code path. Details are available through the VMware KB article vSAN performance enhancements delivered with vSphere 6.0 Update 3.


Other products released:

VMware NSX – IOChain and how packets are processed within the kernel

During a meeting with a client when I was going over how packets are processed within the IOChain between a VM and a vSwitch, I was asked a question that stumped me…. what happens at Slot 3?

It’s common knowledge that the first 4 and last 3 slots in the IOChain are reserved for VMware and slots 4-12 are reserved for 3rd parties where services are inserted (or traffic redirected).

During my discussions I’ve only ever spoken about Slots 0-2 and 4-12…..

After much digging around and questioning the NSBU SEs, I was told that there was no real answer apart from it’s probably a VMware reserved slot for future use. =)

It’s also worth noting that Slot 15 used to be classed as a “reserved slot for future use” but is now intended to be used for Distributed Network Encryption when it becomes available (makes sense that encryption is the last thing that happens on the IOChain for packets leaving a VM, and decryption being the first for packets entering the VM).

Anyways, decided it’s probably worth blogging about IOChain slots. =)


So when a VM connects to a Logical Switch there are several security services that each packet traverses, implemented as IOChains processed within the vSphere kernel.

Slot 0: DVFilter – the Distributed Virtual Filter monitors ingress/egress traffic on the protected vNIC and performs stateless filtering and ACL.

Slot 1: vmware-swsec – the Switch Security module learns the VM’s IP/MAC address and captures any DHCP ACK or ARP broadcasts from the VM, redirecting the request to the NSX Controller – this is the ARP suppression feature. This slot is also where NSX IP SpoofGuard is implemented.

Slot 2: vmware-sfw – this is where the NSX Distributed Firewall resides and where DFW rules are stored and enforced (so firewall rule and connection tables).

Slot 3: reserved for future use by VMware

Slot 4-12: 3rd party services – this is where traffic is redirected to 3rd party service appliances

Slot 13-14: reserved for future use by VMware

Slot 15: Distributed Network Encryption (when it becomes available)
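A simplified model of the slot order listed above, added here as an example (it is not VMware’s code): each populated slot is a small function run in slot order for packets leaving the VM and in reverse order for packets entering it, so Distributed Network Encryption in slot 15 is the last egress step and the first ingress step. The VM address, the SpoofGuard binding and the single DFW rule are constructed, and the per-slot checks are deliberately minimal stand-ins for the real modules.

```python
"""Simplified model of the NSX IOChain slot order from this post.

Added example, not VMware's code. Slot numbers and roles follow the post;
the addresses, the learned IP/MAC binding, the DFW rule and the per-slot
logic are constructed stand-ins.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    src_mac: str = ""
    proto: str = "tcp"
    encrypted: bool = False
    trace: list = field(default_factory=list)   # slots visited, for inspection


VM_IP, VM_MAC = "10.0.0.5", "00:50:56:aa:bb:cc"          # constructed VM identity
LEARNED = {VM_IP: VM_MAC}           # slot 1: binding learned by the switch security module
DFW_RULES = [(VM_IP, "10.0.1.9", 443, "allow")]          # constructed rule table, default deny
CONN_TABLE = set()                  # slot 2: flows the DFW has already allowed


def dvfilter(pkt, direction):       # slot 0: stateless ACL on the protected vNIC
    pkt.trace.append("slot0")
    return pkt.proto in ("tcp", "udp")


def swsec(pkt, direction):          # slot 1: SpoofGuard, checked on VM-originated traffic
    pkt.trace.append("slot1")
    return direction == "ingress" or LEARNED.get(pkt.src_ip) == pkt.src_mac


def sfw(pkt, direction):            # slot 2: DFW rule table plus connection table
    pkt.trace.append("slot2")
    if pkt.encrypted:               # ciphertext cannot be inspected: slot 15 must run first on ingress
        return False
    flow = (pkt.src_ip, pkt.dst_ip, pkt.sport, pkt.dport)
    if (flow[1], flow[0], flow[3], flow[2]) in CONN_TABLE:   # reply to an allowed flow
        return True
    for src, dst, dport, action in DFW_RULES:
        if (src, dst, dport) == (pkt.src_ip, pkt.dst_ip, pkt.dport):
            if action == "allow":
                CONN_TABLE.add(flow)
            return action == "allow"
    return False                    # default deny


def dne(pkt, direction):            # slot 15: encrypt leaving the VM, decrypt entering it
    pkt.trace.append("slot15")
    pkt.encrypted = direction == "egress"
    return True


SLOTS = {0: dvfilter, 1: swsec, 2: sfw, 15: dne}   # 3, 4-12 and 13-14 have nothing inserted


def process(pkt, direction):
    """Run the chain; return True if the packet survives every populated slot."""
    order = range(16) if direction == "egress" else range(15, -1, -1)
    for slot in order:
        handler = SLOTS.get(slot)
        if handler is None:
            continue                # reserved slot or empty 3rd-party slot: pass-through
        if not handler(pkt, direction):
            pkt.trace.append(f"drop@{slot}")
            return False
    return True


if __name__ == "__main__":
    out = Packet(VM_IP, "10.0.1.9", 51000, 443, src_mac=VM_MAC)
    print(process(out, "egress"), out.encrypted, out.trace)     # allowed, encrypted last
    spoof = Packet("10.0.0.99", "10.0.1.9", 51001, 443, src_mac=VM_MAC)
    print(process(spoof, "egress"), spoof.trace)                # dropped by SpoofGuard at slot 1
    reply = Packet("10.0.1.9", VM_IP, 443, 51000, encrypted=True)
    print(process(reply, "ingress"), reply.trace)               # decrypted at 15, allowed by conn table
```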

vSphere 6.5 Product Interoperability – brain fade moment!

So it’s probably worth reminding everyone that there are still VMware products that are not yet supported on vSphere 6.5!

I unfortunately found out the hard way when I broke my work’s demo environment (or at least half of it).

Now, even though I’ve blogged about compatibility issues previously, eating too many mince pies and drinking too much bucks fizz over the Christmas and New Year festivities has obviously taken its toll on my grey matter, and coming back to work in the new year I decided it would be a nice idea to upgrade part of my work’s demo environment to vSphere 6.5 so that we could use it to demo to customers!

The problem was I upgraded the part of the lab running NSX and when I got to the point of trying to push the NSX VIBs onto the ESXi hosts (when preparing the hosts to join the NSX cluster), it was having none of it and failing! After several unsuccessful attempts, it slowly dawned on me that NSX was one of those ‘unsupported’ products that doesn’t work with vSphere 6.5…..

Damn…..

Fortunately I didn’t destroy my old vCenter Server 6.0u2 appliance so was able to roll back by re-installing the ESXi hosts with 6.0.


Anyways, the products still not supported are:

  • VMware NSX
  • VMware Integrated OpenStack
  • vCloud Director for Service Providers
  • vRealize Infrastructure Navigator
  • Horizon Air Hybrid-Mode
  • vCloud Networking and Security
  • vRealize Hyperic
  • vRealize Networking Insight


Definitely worth keeping an eye on this VMware KB: Important information before upgrading to vSphere 6.5 (2147548)

And if you do end up upgrading to vSphere 6.5, then make sure you follow the recommended upgrade sequence in this VMware KB: Update sequence for vSphere 6.5 and its compatible VMware products (2147289)

MTI/IDG Whitepaper

My company – MTI Technology – recently undertook an engagement with IDG to produce a whitepaper highlighting how VMware NSX could be used to address Security, Automation and Innovation within the Financial market.

TBH, the whitepaper can apply to any market that is experiencing the same business challenges!

http://www.idgconnect.com/view_abstract/41130/security-automation-innovation-steps-drive-success-financial-services

EDIT: Forgot to mention that you need to sign up for a free account in order to download the whitepaper. =)

VMworld 2016 US – Day 2 General Session Overview

One of the issues with working and having a young family is you end up doing a full day’s work and going home to a baby who wants loads of attention and who then doesn’t let you sleep because she’s teething….. Yup, the joys of being a parent…. but I wouldn’t give it up for anything!!

So this blog comes a few days late because I didn’t have much time to finish watching the replay of Tuesday General Session and write a blog due to already mentioned circumstances. =)

Tuesday’s General Session replay is now available here:

So Monday was all about the transformation of the data centre, making it cloud friendly and able to support workloads wherever they’re deployed (so Any Cloud).

Tuesday’s session was more around the end user’s experience, Any Application on Any Device, and I have to admit that I thought Sanjay Poonen’s demo of Workspace ONE was pretty awesome – I’ve not seen a full demo of the product’s capabilities before, but I was struck by how much you could do with the suite of products and how integrated it all was – Infrastructure, VDI, Mobile Device Management, Identity Management, Security…… Control yet Choice!!

We’ve all seen the demos of AirWatch integration, how single sign on has been implemented, we’ve seen the demos of Horizon View on tablets, etc…. what I’ve not seen before was how security could be implemented to prevent unauthorised data being published…. like the conditional-access demo of how financial data taken from a spreadsheet in Office 365 was blocked from being copied into Twitter (which was an unmanaged application). What was even more impressive was the NSX integration to use conditional-access policies (ie changes to firewall rules for a particular group of people) to prevent data being presented in a dashboard depending on whether the user is accessing it inside the corporate firewall or externally.

And I was impressed with the VMware Trustpoint demo of endpoint visibility and management, looked very simple to use to implement endpoint security.

Finally, VMware introduced a brand new technology that represents the next phase of their digital workspace vision – VMware Unified Endpoint Management (UEM) – a new architecture that brings app, desktop and mobile management together with next-gen security and identity interwoven throughout, delivering a simpler but more secure digital workspace!


Next up was Ray O’Farrell and Kit Colbert to talk about containers…. and how admins can extend management, monitoring and security to containers. It looks like VMware vSphere Integrated Containers will have 2 new features:

  • Admiral – which is a Container Management Portal to allow developers and app teams to manage their repositories and images.
  • Harbor – which is a Container Registry (based on Docker Distribution) which allows developers and app teams to securely store their images including management and access control.

The demo was interesting as it showed the integration between VIC and NSX and how network security can be applied to containers, as well as the integration between VIC and vROps for monitoring of containers. The demo went one step further and showed how vRA was used to automate the deployment of container hosts as well as showing access to the Container Management Portal.

There wasn’t much on Photon Platform that we didn’t already know – VIC allows IT to extend the existing infrastructure to accommodate container-based applications alongside traditional apps, and Photon Platform allows IT to build a complete computing platform solely for containers and cloud-native apps.


Next up was the new GM/EVP of Networking and Security to talk about NSX. If I’m honest, I found Rajiv Ramaswami a bit wooden – far different from the charisma of Martin Casado…. which is a shame as the one product everyone should get excited about this year is NSX! I have to agree with Rajiv when he says that “the single greatest infrastructure transformation he has seen” is with Network Virtualisation. Networking is undergoing a huge transformation with vendors and customers looking at transitioning from hardware-centric to software-based solutions.

Not much was said about NSX that we didn’t already know….

  • Security – it does Micro-segmentation to allow you to provide fine-grained security to every VM and helps you architect security as an essential part of the data centre
  • Automation – it allows you to automate workload provisioning and cuts down deployment time because network and security can be quickly provisioned in software and attached to VMs (policy-based management)
  • Application Continuity – it enables your applications and data to reside and be accessible anywhere. In addition it can reduce your RTO when integrated into your Disaster Recovery solution.

One thing that was new was the demo of vRealize Network Insight used to create NSX pre-assessment reports. Those of you following the news will know that this has come about from the acquisition of Arkin a few months back. I’ve had a play with the Arkin tool as the VMware NSX SEs in the UK were recommending it as a Network Assessment tool for partners to use when trying to sell NSX (prior to the acquisition and release of vRNI). I really like how it graphs traffic flow and patterns, tracing network traffic between VMs and giving you deeper insight into what goes on inside your virtual environment (ie the East-West traffic flows). The other clever thing is how it is able to carry out flow analytics to provide recommendations for grouping VMs together when planning for micro-segmentation. The only issue is it needs vSphere Distributed Switches!

I quite liked the NSX Planning tool tech preview – how flows can be captured, then analysed and grouped into traffic patterns and security groups. The application map can then be used to create firewall rules based on what the tool discovered. Very clever stuff!



Finally Yangbing Li talked about Hyper Converged Infrastructure and VSAN. VSAN has come a long way since its launch a few years ago, and I see it as an enterprise-ready storage offering! HCI is a very hot topic this year, customers are now looking at HCI solutions when it comes to new projects or hardware refreshes. Hardware vendors are aware of this and there are so many different types of HCI solutions in the market today! I’ve been involved in a number of discussions with my customers around HCI and EMC/VCE VxRail in particular!

A couple of new features were introduced during the VSAN demo: software-based Encryption and Analytics. The VSAN demo with vRA showed how the performance analytics engine could pro-actively inform users that a VM should be migrated from a VSAN hybrid cluster to an all-flash cluster, and through changing the storage policy in vRA the VM was automatically migrated (in the demo’s case, the VM was migrated to a public cloud!). What this also underlined was how NSX was also involved in moving the network and security policies as the VM was migrated to the public cloud (although you didn’t see it in the demo). So not only did the demo show the analytics engine working, it also showed how the VMware Cloud Foundation platform could be used.


I don’t know if it’s just me, but it seems that everything mentioned during the two keynote sessions always reverted back to network and security, it felt that NSX was underpinning everything (Cross-Cloud Services, Workspace ONE, containers, etc). VMware are putting a lot of emphasis on Cross-Cloud capabilities and how data management and governance will play a key part of cloud consumption. I guess the VMware vision of Any Device, Any Application, Any Cloud really does require something that can govern where data sits and how it’s being consumed!

VMware NSX 6.2.4 released

So after the huge cock-up with 6.2.3, VMware have turned around a new version of NSX in a matter of weeks to fix all the bugs!

http://blogs.vmware.com/kb/2016/08/vmware-nsx-vsphere-6-2-4-now-available.html

Of major concern was the whole HA issue that meant DLR nodes got stuck in a ‘split-brain’ mode after 24 days of operations – and every 24 days after that! It also didn’t help that the previous version was causing VMs to lose network connectivity if the pMAC of the DLR was the MAC address in the default gateway.

Anyways, hopefully all the bugs have been ironed out and the new release is more stable!

Release Notes can be found here.

For some of my customers, the release of 6.2.4 brings back vShield Endpoint management support, which is great given vCNS and vShield Manager are going end of general support on the 19th Sept!

For more info about this, read my previous blog entry: NSX 6.2.3 Released – support for vShield Endpoint Management

NSX 6.2.3 pulled by VMware

Hmm…. well that was unfortunate timing….. I’ve been penning the last blog post for the past 2 weeks after I downloaded 6.2.3 and played around with it…. and I didn’t really double check my blog post before publishing it.

Turns out there are quite a number of bugs in 6.2.3 which were causing loss of connectivity to VMs and also issues applying DFW rules using Security Groups…. so VMware pulled the distribution last Friday!

TBH, I didn’t really encounter any issues during my deployment – probably because it’s in a lab/demo environment with not much going on. =)

Anyways, 6.2.2 is now the latest version available for download. Only issue is I don’t think it supports vShield Endpoint/NSX Guest Introspection….. so at present vCNS 5.5.x is still required!

More info on why 6.2.3 was pulled can be found here: http://pubs.vmware.com/Release_Notes/en/nsx/6.2.3/releasenotes_nsx_vsphere_623.html