VMworld 2018 US – Day 1 General Session Round Up

So the great thing about VMworld US is that they live stream the General Session for the rest of us who can’t make it over to Vegas… whilst you can’t get the whole VMworld US experience just by watching the GS live stream, at least you get to hear the same news as those in Vegas.

Pat Gelsinger opened up the GS by showing the world his bad-ass “VMware” tattoo… not quite sure if it’s real – many commenting on VMware’s tweet that the tattoo gun doesn’t look like it has ink in it… =P
https://twitter.com/vmwarenews/status/1034109813129535488

A nice little montage to celebrate the 20th anniversary of VMware… 1998… long time… From Server Virtualisation to EUC to Network Virtualisation to Cloud and now Hybrid/Multi-Cloud.

VMware’s Vision is still the same – Any Device, Any App, Any Cloud… and we’re told businesses are still on a multi-cloud journey! The thing is, so many companies have a ‘cloud’ strategy, but many just can’t execute that cloud adoption because they are stuck trying to migrate workloads off their traditional DC into the public cloud!
This is where VMware stands apart with their partnership with AWS and their Cloud Foundations solution! Move your on-prem DC to a SDDC and then “ruthlessly automate everything!!” =)

Project Dimension was quickly mentioned as a Tech Preview that will extend VMware Cloud to the data center, ROBO and edge. It combines VMware Cloud Foundations with HCI and a VMware Cloud managed service to deliver an SDDC solution, end-to-end, operated and supported by VMware. The solution will simplify cloud deployments handling all aspects of configuration, security, and management – leaving customers to worry-less about infrastructure and focus more on their business innovations!

Dimension

There were a few nice VMC on AWS announcements…

  • firstly the rollout of its services in Sydney to serve APJ
  • secondly that vSAN will be using Amazon Elastic Block Storage (EBS) allowing customers to independently scale compute and storage requirements (and effectively allowing users to deploy storage-dense workloads)
  • thirdly Amazon Relational Database Service (RDS) on VMware making it easy for customers to set up, operate, scale and migrate Relational DBs on-prem and in VMC on AWS.

It’s amazing how far the partnership has come in a single year!

Roadmap for further rollouts:
vmconaws.png

More here: https://cloud.vmware.com/community/2018/08/26/vmware-cloud-aws-charging-ahead/

Finally there was an announcement of the acquisition of CloudHealth Technologies… From what I can see, CloudHealth Tech delivers a SAAS platform that offers Cloud Operations across AWS, Azure and GCP – it helps customers to analyze, manage cloud costs, usage and monitor performance across multi-clouds. This looks like a CMP on steroids and should complement VMware’s existing CMP and SAAS offerings (vRealize/Cloud Automation Services and Wavefront). CloudHealth will become ‘the’ Cloud Operations Platform of choice for the industry…. allowing customers to control, analyze the costs, compliance and performance of their compute environments across on-prem and public clouds!

To end it all, VMware’s CTO – Ray O’Farrell – came on stage to demo several of the new announcements and new products:

  • Migrating workloads from on-prem to the cloud – demo’ing bulk migration of an entire data centre using vSphere replication and then vMotion – with no downtime!
  • Project Dimension showing how cloud services can be ‘stretched’ between VMC on AWS and a customers on-prem DC. Also how both on-prem and edge infrastructure can be monitored as part of VMware’s managed service.
  • Short Amazon RDS demo showing the service running on-prem and in AWS.
  • A mention of something called Project Magna which leverages AI and Machine Learning to self-optimize a virtual environment…. changing the SD in SDDC from Software-Defined to Self-Driving!
  • A demo of VMware PKS showing the integration of NSX with PKS and how you can automate security of kubernetes.
  • A nice demo showing vROPs monitoring workloads requiring GPUs and the new feature of vMotion for GPU enabled VMs (a limitation previously of Horizon/vSphere)
  • Blockchain is everywhere!! Project Concord is an open source infrastructure for Enterprise Blockchains focusing on performance and scalability.
  • Dell EMC’s new factory-provisioning service for VMware Workspace ONE, where devices will ship ready for integration as end-points.
  • Workspace ONE intelligence, advising IT operations of problems with incompatible applications and patches (automate patch testing to predict whether a new patch will work).
  • A demo to show the support of ESXi on 64-bit ARM platforms.

And to close the GS, two major annoucements around security, one for compute and one for Network…

  • Firstly – vSphere Platinum, packaging AppDefense with vSphere ESXi. This new offering will have AppDefense built in which uses machine learning and a variety of other inputs to baseline known good states of a VM. AppDefense can then act on deviations of that baseline, executing automated actions – such as changing firewall settings, alerting, offloading for deeper network packet inspection.
  • Secondly – Adaptive Micro-Segmentation, integrating AppDefense and NSX. Security solutions should “Learn, Lock and Adapt” to threats… AppDefense will offer the dynamic learning and adaption looking into the VM and applications, NSX will offer the Lock.

 

And with that…. I end my summary of the first day’s GS…. =)

 

EDIT: Day 1 General Session is now available for replay: https://www.vmworld.com/en/us/learning/general-sessions.html

Advertisements

VMware vSphere 6.7 & 6.5 update 2 – Resources

Just over a fortnight ago VMware released their latest version of vSphere and vSAN – 6.7…. unfortunately for me, I was neck-deep in a tender response and was in Paris for a number of days for a meeting – so spent most of my travels looking at a small mobile phone screen trying to read up on what’s new… (mental note: time for a new phone with a bigger screen – must be getting old as my eyesight isn’t as good as it was).

When I finally got back online and started thinking about what to write about, I realised that the net was already inundated with bloggers writing about “What’s new in vSphere 6.7”. I quickly realised that I didn’t just want to regurgitate the same thing as a lot of the ‘newer’ bloggers were doing, so I decided to spend some time pulling together all the good resources that I have read over the last few weeks and write a blog about where people should go to learn about vSphere/vCenter and vSAN 6.7.

Note: This blog article has actually been in draft mode for 2 weeks as I’ve been waiting for the vSphere 6.7 lightboards to be re-released by VMware marketing – if you didn’t already know, it was posted onto VMware’s YouTube channel a week before launch and then quickly disappeared!! I’ve been waiting for them to turn up again before posting this article but for some reason they haven’t re-appeared (makes me wonder if marketing deleted the only copy they had of the lightboards… lol).
https://www.theregister.co.uk/2018/04/09/vsphere_6_7_vids_vanish/

 

The Knowledge Journey

The most obvious place to start your knowledge journey is none other than VMware’s own vSphere Blog and Virtual Blocks blog, the best blogs are:
https://blogs.vmware.com/vsphere/2018/04/introducing-vmware-vsphere-6-7.html
https://blogs.vmware.com/vsphere/2018/04/introducing-vcenter-server-6-7.html
https://blogs.vmware.com/virtualblocks/2018/04/17/whats-new-vmware-vsan-6-7/

These were the first blog posts I read to understand what new features were in the latest release, and they’re very good summaries.

As always, Duncan Epping was one of the first to release his articles on “What’s new” and they were very concise articles going over some of the more interesting features:
http://www.yellow-bricks.com/2018/04/17/whats-new-vsan-6-7/
http://www.yellow-bricks.com/2018/04/17/vsphere-6-7-announced/

I then started reading around the other products released as well:
What’s New with SRM and vSphere Replication 8.1 – https://blogs.vmware.com/virtualblocks/2018/04/17/srm-vr-81-whats-new/
What’s New in vRealize Automation 7.4 – https://blogs.vmware.com/management/2018/03/whats-new-vrealize-automation-7-4.html

If you want a deep-dive into all things vSphere/vCenter, then head over to Emad Younis’s blog: http://emadyounis.com.

For a deeper-dive into all things related to security, head over to Mike Foley’s blog: https://www.yelof.com.

All finally, there’s the vSphere Blog: https://blogs.vmware.com/vsphere/launch

 

KB article on Update sequence for vSphere 6.7 and compatible products – https://kb.vmware.com/s/article/53710
KB article on Important information before upgrading to vSphere 6.7 – https://kb.vmware.com/s/article/53704
Blog article on upgrading vCenter Appliance from 6.5 to 6.7 – https://blogs.vmware.com/vsphere/2018/05/upgrading-vcenter-server-appliance-6-5-6-7.html

Note: Upgrades from vCenter Server 6.0 and later to vCenter Server 6.7 is supported. To upgrade from vCenter Server 5.0, 5.1 or 5.5, you must first upgrade the vCenter Server instance to version 6.0 or later releases, and then upgrade to vCenter Server 6.7.

These products are not compatible with vSphere 6.7 at this time:

  • VMware NSX
  • VMware Integrated OpenStack (VIO)
  • VMware vSphere Integrated Containers (VIC)

 

Some YouTube videos:
vSAN 6.7 Technical Overview Video – https://youtu.be/Ss5KWAtGvXo
vSAN 6.7 What’s New Technical – https://youtu.be/YzurWX5m4m8
Faster Host Upgrades to vSphere 6.7 – https://youtu.be/8fqE5zsnkTQ

So here’s a list of all new product releases:

  • vSphere ESXi & vCenter Server 6.7
  • vSAN 6.7
  • vSphere Replication 8.1
  • Site Recovery Manager 8.1
  • vRealize Operations Manager 6.7
  • vRealize Automation 7.4.0
  • vRealize Orchestrator Appliance 7.4.0
  • vRealize Log Insight 4.6.0
  • vRealize Business for Cloud 7.4.0
  • vRealize Suite Lifecycle Manager 1.2
  • vRealize Code Stream 2.4
  • NSX SD-WAN Edge by VeloCloud 3.2.0
  • Horizon 7.4.1 Enterprise

Finally here’s list of all the documentations:

 

It’s worth noting that last week VMware also released vSphere 6.5 update 2 which back-ports a few of the new features in 6.7 into 6.5. For more information point your browsers here: https://blogs.vmware.com/vsphere/2018/05/vsphere-6-5-update-2-now-available.html

Additional updates:

Dell EMC updates VxRail software to address Spectre

So Dell EMC have finally released the patches for their VxRail appliances, I know many of my customers were asking about these patches – in a way it’s good it was slightly delayed given how many normal VMware customers experienced issues when patching and how one patch was pulled by VMware!

The good thing about VxRail is that any software patches or updates released have been tried and tested by the Dell EMC CPSD engineering team, so they should be ready for roll out with minimum disruption!

Updates 4.0.401 and 4.5.150 are now available to download from Dell EMC’s support portal.

Release notes can be found here:
https://support.emc.com/docu80740_VxRail-Appliance-Software-4.0.x-Release-Notes.pdf?language=en_US
https://support.emc.com/docu86659_VxRail-Appliance-Software-4.5.x-Release-Notes.pdf?language=en_US

It’s worth noting that at present this patch only contains 2 of the 3 required fixes for Intel to address the Speculative Execution vulnerability (Spectre – Meltdown doesn’t really affect VMware and hence VxRail). The 3rd fix has not yet been released by Intel and Dell EMC basically decided they couldn’t wait any longer as Intel drag their heels!

Spectre & Meltdown Update

So it seems that the microcode patches released by VMware associated with their recent Security Advisory (VMSA-2018-0004) have been pulled….
https://kb.vmware.com/s/article/52345
So that’s ESXi650-201801402-BG, ESXi600-201801402-BG, or ESXi550-201801401-BG.

The microcode patch provided by Intel was buggy and there seems to be issues when VMs access the new speculative execution control mechanism (Haswell & Broadwell processors). However, I can’t seem to find much around what these issues are…

For the time being, if you haven’t applied one of those microcode patches, VMware recommends not doing so and to apply the patches listed in VMSA-2018-0002 instead.

If you have applied the latest patches you will have to edit the config files of each ESXi host and add in a line that hides the new speculative execution control mechanism and reboot the VMs on that host. Detailed information can be found in the KB above.

 

Finally William Lam has created a very handy PowerCLI script that will help provide information about your existing vSphere environment and help identify whether you have hosts that are impacted by Spectre and this new Intel Sighting issue: https://www.virtuallyghetto.com/2018/01/verify-hypervisor-assisted-guest-mitigation-spectre-patches-using-powercli.html

Spectre & Meltdown Vulnerabilities

So at the beginning of the new year, news broke via The Register that there could be a potential security vulnerability to Intel processors (Meltdown) and how it was a problem which couldn’t be easily fixed by a microcode update because of how the Intel architecture does speculative execution of code (in a nutshell this is how modern processors try to ‘predict’ the code it needs to execute next, before the current executing code produces a result – all modern processors do this to some extent in order to fill its internal pipeline and speed up processing)…. this quickly blew up into a storm where additional vulnerabilities were identified (Spectre) which affects Intel, AMD and ARM processors!

Three closely related vulnerabilities involving the exploit of speculative execution in CPUs were made public:

Variant 1 & 2 have been branded as Spectre, with Variant 3 known as Meltdown.

The fallout is spectacular…. lawsuits being filled against Intel…. videos of exploits (proof of concepts) already on youtube….. customers going crazy that Russians/North Koreans could be stealing data from their systems….. all this because chip manufacturers tried to outdo each other by putting speed of processing above security.

The best article I’ve read that explains how Speculative Execution works and how these vulnerabilities could be exploited can be found here: http://frankdenneman.nl/2018/01/05/explainer-spectre-meltdown-graham-sutherland/

It seems that at the moment the only way to minimise your exposure to potential exploits is to patch the OS or Hypervisor, however this isn’t without issues as people have started reporting that it adds an overhead to performance. In all honesty, I doubt personal users will notice a performance hit on their day to day usage (home/office applications or games), it will however impact anyone that undertakes high IO or system-call intensive applications (such as DBs, email, Big-data/data-mining)… a performance hit of between 5-30% depending on application!!

VMware have stated that at present they don’t believe Meltdown to be an issue to their products because ESXi does not run untrusted user mode code, and Workstation and Fusion rely on the protection that the underlying operating system provides. For Spectre, they have released an article detailing their response to the issues and 2 Security Advisories which addresses the vulnerabilities and how they can be mitigated, VMSA-2018-0002 has been superseded by VMSA-2018-0004.

From what I can see, the first Security Advisory consists of security patches to ESXi that addresses the vulnerability to mitigate against leakage from the hypervisor or guest VMs into a malicious guest VM – these were patches made available late last year before the news broke (which makes you wonder how long the industry have known about it).

The second Security Advisory is a full minor update to vCenter (5.5, 6.0 and 6.5) in order to support both newer vSphere ESXi patches and Microcode/BIOS patches to hardware. This seems to be what they call “Hypervisor-Assisted Guest mitigation” which virtualises the new speculative-execution control mechanism for guest VMs so that a Guest OS can mitigate leakage between processes within the VM – and this mitigation requires specific microcode patches from platform vendors which seem to introduce these new ‘speculative-execution control features’. More information on how to apply this Security Advisory can be found here: https://kb.vmware.com/s/article/52085.

Note: The update patches found in VMSA-2018-0004 will mean that these new CPU features will be exposed to Guest VMs and as such vMotion to ESXi hosts without the microcode or hypervisor patches applied will be prevented. However, if you have an EVC cluster, it looks like vCenter will suppress the new features from VMs to enable vMotion compatibility until all hosts have been upgraded (after which it will enable those features) – unpatched hosts will not be allowed to join an EVC cluster that has been patched.

It’s worth noting that Guest VMs should also have their OS updated with the latest security patches for effective mitigation of these known vulnerabilities!

Finally, VMware have released an article regarding these vulnerabilities and whether their virtual appliances are affected: https://kb.vmware.com/s/article/52264. It currently looks like vSphere Integrated Containers and vRealize Automation have not been patched yet.

vSphere Central – new resource centre

A little while back I caught the vSphere blog about vSphere Central being launched and ended up bookmarking the portal to have a look at a later date. I had totally forgot about it till today when I needed to look up the PSC topology diagrams and Google sent me to the new vSphere 6.5 Topology and Upgrade Planning Tool (more on this later). Turns out this portal is exactly like Storage Hub (resource portal for everything vSAN, SRM and storage related)!

Everything technical you need to know about vSphere and vCenter can be found on this portal:

  • How to install vCenter and vSphere
  • How to migrate to vCSA
  • How to upgrade vCenter and vSphere
  • vCenter and PSC architecture
  • SSL certificate management
  • PSC Deployment Types
  • Product Interoperability Matrix
  • All the new features in 6.5 explained (vCenter HA, Backup/Restore, etc)

It really is a great resource portal, and even better you can download each section as a PDF! Beats the documentation site for vSphere as it’s far more easier to navigate!

The content is in a range of formats, most of it is text taken from the technical pdf documents, but there are videos and walkthrough demos also scattered throughout the topics.

One of the things launched with vSphere Central was the vSphere 6.5 Topology and Upgrade Planning Tool.

This tool aims to help customers plan and execute both upgrades to vSphere 6.5 as well as new deployments. With this initial release, the tool is focused on the most common upgrade paths and deployments of vCenter Server 6.5. The tool works by asking a series of questions while providing some guidance along the way to help answer those questions eventually making some recommendations on topology and upgrade and deployment steps.

In the past I used to refer to the VMware KB on deployment topologies: https://kb.vmware.com/kb/2147672

Some of the guys in the vSphere technical marketing team then came up with the PSC Topology Decision Tree which was a large poster – https://blogs.vmware.com/vsphere/2016/04/platform-services-controller-topology-decision-tree.html

This tool was inspired by the Decision Tree poster and extends its capability.

What I especially like about the tool is that after answering a series of questions regarding how I’m planning to design the vCenter/PSC deployment it gives me a recommended Topology diagram and then explains the steps to go about deploying the solution:

topology

Anyways, it’s a great tool…. and the portal is a brilliant collection of resources! Go use it! Bookmark it now…! =)

Goodbye vCenter Server for Windows and Flash-based vSphere web client!

Hmm…. it’s not even VMworld yet and VMware decide to make 2 big-ish announcements.

Although tbh, since vSphere 6.5 was released these 2 announcements have long been coming!

Finally, after loads of speculation, VMware had announced that vCenter Server for Windows and the Flash-based vSphere web client is to be deprecated with the launch of the next version of vSphere. Updates to 6.5 will continue supporting the 2 features, but come vSphere 7.0 it will be no more….

https://blogs.vmware.com/vsphere/2017/08/farewell-vcenter-server-windows.html

 

“vCSA-exclusive capabilities such as file-based backup and restore, unified update and patching, native vCenter High Availability, and a significant performance advantage mean that the VCSA has become the platform of choice for vCenter Server.  Additionally, due to the integrated nature of appliance packaging, VMware is able to both better optimize and innovate vCenter Server at an accelerated pace.  Finally, with the VCSA, VMware can provide support for the entire vCenter Server stack including the vCenter Server application, the underlying operating system (Photon OS), and the database (vPostgres). By doing so, VMware can ensure that customers can focus on what matters most while having a single source for updates, security patches, and support.  The VCSA model is simply a better model for vCenter Server deployment and lifecycle management.”

That pretty much sums up why VMware are 100% behind the vCSA, although they miss out the whole “screw you Microsoft licensing!!” part! Plus given that 6.5 ships with a migration tool that helps you move/upgrade from a Windows vCenter to an Appliance vCenter, it’s no surprised that more and more people are moving over when it comes round to upgrade time!

In fact ever since 6.5 was released, I’ve not even deployed a single Windows vCenter Server – all my customers have been moved over to the vCSA.

https://blogs.vmware.com/vsphere/2017/08/goodbye-vsphere-web-client.html

With regards to the vSphere Web Client, loads of people found the flash-based version was frustratingly difficult to use – it was slow, it was notoriously prone to crashing and frankly it was based on in-secure Flash technology (not to mention that Adobe themselves are dropping flash). HTML5 is the way to go baby!

So with those announcements in mind….. I may think about changing some of my VMworld sessions to jump on the vCSA and Web Client update sessions!!

 

RIP…..

VMware vSAN 6.6 launched – so What’s New?

Earlier this year it was announced that vSAN had grown to over 7000 customers since launch, which is a pretty decent number given the product went GA just over 3 years ago and we’re on the 6th iteration! What’s even more impressive is how quickly VMware are turning these updates around (almost every 6 months we get an update of sorts), we only got vSAN 6.5 at VMworld last year and 6 months later we now have version 6.6 – what’s funny is half my customers haven’t even started implementing their 6.5 upgrade plan yet and now they will have to re-write that plan…. Lol… =)

In fact I see the number of customers growing quite significantly this year given the huge drive towards HCI – something that I’m seeing within my company’s customer-base (and in the market in general)!

Today sees vSAN 6.6 go GA, and it amazes me on how many new features VMware have packed into this release – features that make vSAN more faster, cost effective and much more secure! And to think that this is just a “minor” patch release! With vSAN 6.6, customers can now evolve their data centre without risk, control IT costs and scale to tomorrow’s business needs (sorry, that was a marketing blurb that I just had to fit in somewhere as it sounded good).

vSAN features

(Note: I know that slide says “Not for distribution”. However, the vSAN vExperts have been given permission to use the material in their blogs)

The biggest features in my opinion are vSAN Data-at-Rest Encryption, Unicast communication and Enhanced Stretched Clustering with Local Protection – these are the 3 features I’m going to concentrate on within this post, trying to expound on all the new features would involve me writing a lengthy technical whitepaper! =)

That said, other new features are as follows:

  • ESXi Host Client (HTML-5) – management and monitoring functionality available on each host in the case where vCenter server is offline.
  • Simpler installation/configuration – The ability to create a single node vSAN datastore by using the vCSA installer and then allowing you to deploy vCSA/PSC onto that vSAN datastore.
  • Enhanced rebalancing – allowing large components to be split up during redistribution.
  • Site Affinity in Stretched Clusters – a new Affinity policy rule allows users to request where a VM gets deployed to, although this is only applicable when the PFTT is set to 0. Although it’s worth noting that DRS/HA rules should be aligned to data locality!
  • Always-On Protection – Enhanced repairs with Re-sync traffic throttling – allowing vSAN to respond to failed disks/nodes more quickly, intelligently and more efficiently. New Degraded Device Handling (DDH) intelligently monitors the health of drives and proactively evacuates data before failures can happen.
  • Maintenance Pre-Check – enhanced checks to ensure there are enough resources for vSAN when entering maintenance mode (or decommissioning vSAN nodes).
  • Stretched Cluster Witness Replacement UI – simpler method of changing the Witness host without having to disable the Stretched Cluster.
  • vSAN Cloud Analytics – pro-active, real-time support notifications and recommendations with real-time custom alerts through the vSAN health Service.
  • API enhancements – vSAN SDK updated to handle all new features, with additional enhanced PowerCLI support.
  • vSAN Config Assist / Firmware Update – Enhanced health monitoring and HCL checks using health-check assistant to ensure the vSAN hardware has the latest firmware and drivers installed.
  • Enhanced Performance – up to 50% higher all-flash IOPs performance per host and Health Monitoring
  • New Hardware Support – Support for Intels new Optane technology, NVMe SSDs and larger 1.6TB SSDs for cache drives.
  • Support for Photon Platform 1.1 as well as a Docker Volume Driver – great for customers (ie DevOps) who prefer working with micro-services/containers. This allows customers to use vSAN as storage for Docker VMs giving them the ability to apply storage based polices (such as FTT, QoS, access permissions, etc) to the VM, it also gives customers the ability to support persistent storage to allow stateful container apps to be built (such as DBs).

 

Data-at-Rest Encryption

EMC love calling this by the acronym D@RE…. But this hasn’t quite filtered down to the VMware team…. =)

VMware vSAN 6.6 introduces the industry’s first native HCI security solution with software-defined data-at-rest encryption within the hypervisor. Data-at-rest encryption is built right into the vSAN kernel, and is enabled at the cluster allowing all vSAN objects to be encrypted (ie the entire vSAN datastore).

In my opinion this is one of the most important new feature in vSAN 6.6 – we all know that security within IT has become top priority, featuring very high on a company’s risk-register, but IT Admins have always been reluctant to either deploy encryption at the OS level or let application owners encrypt their apps and data. Data-at-rest encryption takes away that decision by encrypting when the data resides on your vSAN Datastore.

It’s hardware-agnostic which means you can deploy the storage hardware device of your own choice – it doesn’t require the use of expensive Self-Encrypting Drives (SEDs)!

vSAN DARE

vSAN Encryption is available for both All-Flash and Hybrid configurations and integrates with KMIP 1.1 compliant key management technologies. When vSAN Encryption is enabled, encryption is performed using an XTS AES 256 cipher and occurs both at the cache and capacity tier – wherever data is at rest, which means you can rest assured that if a cache or capacity drive is stolen the data is encrypted! Plus vSAN Encryption is fully compatible with vSANs all-flash space efficiency features, like dedupe, compression and Erasure Coding, delivering highly efficient and secure storage – as data comes into the cache tier it’s encrypted, then as it de-stages it’s decrypted and any relevant dedupe or compression occurs to the data (4k blocks) before it’s re-encrypted as it hits the capacity tier (512b or smaller blocks). As it’s data encryption at rest, I believe that vSAN traffic traversing the network maybe sent in the clear which means you will need to ensure vSAN traffic is protected accordingly.

It’s worth mentioning that whist the cryptographic mechanics are similar to VM encryption that was introduced in vSphere 6.5 (ie it requires a KMS and uses the same encryption modules), there is a vast difference in the way they’re implemented – VM encryption is per-VM (via vSphere API for IO filtering – VAIO), whilst with vSAN encryption it is the entire datastore. Also you get space-saving benefits from vSAN encryption as previously mentioned. The other major difference is that vSAN encryption can carry on functioning if vCenter Server is lost or powered off because the encryption keys are transferred to each vSAN host and via KMIP each host talks directly to the KMS, whereas VM encryption requires you to go through vCenter Server to communicate to the KMS. Not to mention VM-encryption does have some performance impacts and requires Ent Plus licenses.

Turning on vSAN encryption is as simple as clicking a checkbox within the settings of the vSAN cluster and choosing your KMS (which does need to be setup prior to enabling encryption). However, it’s worth noting that a rolling disk reformat is required when encryption is enable which can take a considerable amount of time – especially if large amounts of data residing on the disks must be migrated during the reformatting.

vsan-encrypt

With the enhanced API support, customers who like to automate their infrastructure will be able to setup an encrypted vSAN cluster with all the relevant KMS configuration via scripting – great for automating large scale deployments!

 

Removal of Multicast

vSAN Multicast

Another big announcements with vSAN 6.6 is that VMware are switching from multicast to unicast for their communication mechanism. This obviously makes networking a lot simpler to manage and setup as customers won’t need to enable multicast on their network switches, or IGMP snooping, or even PIM for routing. It may even mean that customers could use cheaper switches (which may not handle Multicasting very well).

Bit of background:

Typically IP Multicast is used to efficiently send communications to many recipients. The communication can be in the form of one source to many recipients (one-to-many) or many sources to many recipients (many-to-many).

vSAN used multicast to deliver metadata traffic among cluster nodes for efficiency and to optimise network bandwidth consumption for the metadata updates. This eliminates the computing resource and network bandwidth penalties that unicast imposes in order to send identical data to multiple recipients. vSAN depended on multicast for host discovery – the process of joining and leaving cluster groups, as well as other intra-cluster communication services.

While Layer 3 is supported, Layer 2 is recommended to reduce complexity. All VMkernel ports on the vSAN network subscribe to a multicast group using IGMP. IGMP snooping configured with an IGMP querier can be used to limit the multicast traffic to only the switch ports where the vSAN uplinks are connected to – this avoids unnecessary IP multicast floods within the Layer 2 segments.

Although one of the issues that could occur was when multiple vSAN clusters reside on the same layer 2 network – the default multicast address should be changed within the additional vSAN clusters to prevent multiple clusters from receiving all multicast streams.

I believe vSAN now relies on vCenter Server to determine cluster membership, however I haven’t yet read about how the vSAN team have managed to implement unicast communication as that information is still in limited supply. It’ll be interesting to understand how they have done it considering multicast was an efficient and easy way of replicating instructions to multiple nodes within the vSAN cluster when a node needed to perform an action. Although one thing worth noting is that unicast communication probably lends itself to cloud platforms a lot easier than trying to implement a multicast solution!

 

Local Protection for Stretched Clusters

Stretched vSAN Clusters were introduced back with vSAN 6.1 and built on the foundations of Fault Domains, it was basically a RAID-1 configuration of a vSAN object across two sites – which basically means a copy of the data in each site with a witness site for cluster quorum type services during failure events. The problem was if 1 site failed you would only have a single copy left and an additional failure could lead to data loss. It also meant that if a single host failed in any of the sites then the data on that host would need to be resynced again from the other site (to rebuild the RAID-1).

vSAN ESC

This new enhancement to Stretched Clusters now gives users more flexibility with regards to local and site protection. For example, you can now configure the local clusters at each site to tolerate two failures whilst also configuring the stretched cluster to tolerate the failure of a site! Brilliant news!

When enabling Stretched Clusters, there are now two protection policies – a “Primary FTT” and a “Secondary FTT”. Primary FTT defines the cross-site protection and is implemented as a RAID-1. It can be set to 0 or 1 in a stretched cluster – 0 means the VM is not stretched whilst 1 means the VM is stretched. Secondary FTT defines how it is protected within a site, and this can be RAID-1, RAID-5 or RAID-6.

One thing to note is that the witness must still be available in order to protect against the loss of a data site!

This new feature doesn’t increase the amount of traffic being replicated between sites as a “Proxy Owner” has been implemented per site, which means instead of writing to all replicas in the second site, a single write is done to the Proxy Owner and it’s then the responsibility of this Proxy Owner to write to all the replicas on that local site.

 

So that’s about it for now…. if you require more information then pop along to the following sites:

Duncan Epping (Chief Technologist in the Office of CTO for the Storage & Availabiliy BU at VMware) has created some great demos of vSAN 6.6 which can be found on his blog site: http://www.yellow-bricks.com

Things to Note

The underlying release for vSAN 6.6 is vSphere 6.5.0d which is a patch release for vSphere 6.5. For existing vSAN users upgrading to vSAN 6.6, please consult VMware Product Interoperability Matrices to ensure upgrading from your current vSAN version is supported.

Please note that for vSAN users currently on vSphere 6.0 Update 3 – upgrade to vSAN 6.6 is NOT yet supported.

The parent release of vSAN 6.6 is vSphere 6.5 and as shown by VMware Product Interoperability Matrices, an upgrade from 6.0 U3 to vSphere 6.5 (and hence vSAN 6.5) is NOT supported. Please refer to this KB Supported Upgrade Paths for vSAN 6.6 for further details.

 

p/s: I’ve always liked Rawlinson Rivera‘s Captain vSAN cartoon!! =)

VMware sells off vCloud Air to OVH

Hmm…. so that was an interesting announcement from VMware last week!….. although if I’m honest it makes perfect sense!

OVH Group announcing it’s intent to acquire the vCloud Air Business from VMware: https://www.vmware.com/radius/vmware-cloud-air-evolves/

Last year when VMware announced their tie up with AWS – vCloud on AWS – many had already started wondering what that partnership would do to VMware’s own cloud offering. The talking point was made more real when VMware also announced their Cross-Cloud Architecture which would allow a customer to choose which cloud platform to deploy their workloads onto – all from a single common operating environment. Then to make things worse, VMware announced VMware Cloud Foundation on IBM Cloud (or what was Softlayer)… an SDDC stack running VMware goodies on IBM Cloud compute!

That triple whammy pretty much made everyone think that vCloud Air’s time was up!!

I had a number of discussions at VMworld Europe last year where we talked about whether VMware would just shut down vCloud Air, or would they migrate it all onto AWS. Although the general consensus was that maybe they would sell off/spin off that part of their business – after all, VMware is a software business and vCloud Air was always seen as a ‘weird’ sibling…. not to mention that it competed against all it’s vCAN (VSPP) partners who were offering their own cloud services built on VMware technology!

I guess there’s no shame in what VMware are doing, Cisco, Dell and HP tried and failed to do what Amazon and Google are doing well at… although surprisingly Microsoft have managed to get Azure up and running well!

In a way, VMware are getting rid of what they probably saw as a hefty investment on infrastructure and hosting for little returns (I doubt there were many customers using vCloud Air to justify the expense of keeping it). Makes more sense to sell it to an existing cloud provider who knows how to sell Public Cloud services and IaaS! Although, I kind of have to wonder what OVH will do given VMware hosted vCloud Air in Equinix/Telstra data centres around the world….. guessing they’ll run down the contract with those providers and bring it all back in house!

In my opinion, selling off vCloud Air is probably a smart move….. VMware’s vision is to enable a customer to run “Any Application on Any Cloud, accessed by Any Device”, and it was going to be difficult to be Cloud-Agnostic if they owned a Public Cloud service! The whole Cross-Cloud Architecture would have produced a conflict of interest if they kept vCloud Air…. now that they’re shot of it, they can concentrate on pushing out their vCloud stack onto Azure and maybe even GCP given that they’re well on their way with the AWS partnership. Why try and beat them at their own game? It’s far easier to embrace them and partner!!

VMware are positioning themselves to be the broker of cloud services…. a single management point that allows end users to decide which public cloud is best for their workloads! In a way it’s a clever move, firstly because it puts the decision-making back with the end user, and secondly it now means that VMware can state that it’s the only virtualisation company that doesn’t tie you into a single cloud vendor (much like how Microsoft tries to ram Azure down the throat of Hyper-V customers).

Interesting times ahead……