There are several recommended areas to focus on to prepare you for the experience of stepping out of an airplane in flight. This includes training and informing you on potential dangers you may face.
The same is true for working with a VMware Master Services Competency partner. You know that you will be working with a highly skilled partner that can walk you through all the steps involved to meet your business needs and objectives.
In 2018, VMware announced the new master services competencies for partners interested in deepening their practices and/or building additional practice areas. VMware master services competencies require achieving advanced technical certifications and proof of high-level service capability and expertise as validated by the partner’s customers.
These competencies allow partners to differentiate in four specific solution areas:
Russ Kaufmann, National Partner Manager for VMware, says, "As customers embrace digital transformation and shift towards adopting cloud technologies, it is important that partners are able to demonstrate expertise around delivering these types of solutions. This includes next-generation VMware solutions like digital workspaces, software-defined data centers, and cloud services like VMC on AWS. The Master Services Competencies (MSCs) provide a framework to enable partners like Sirius around these solutions but also recognize their expertise, having demonstrated successful delivery. As customers look to “reduce risk” and “accelerate time to value” when adopting VMware solutions, identifying partners with MSC designation would be a great starting point."
Since 1980, Sirius has been helping organizations solve complex business challenges so they can meet their business objectives. To achieve their position as a top solution provider, they've built a nationwide consulting, sales and services organization that provides best-of-breed technologies from across the full spectrum of information technology, including hardware, software, storage, networking, security, cloud and voice.
Sirius has obtained multiple VMware master services competencies in Data Center Virtualization, Network Virtualization, and Desktop & Mobility. This achievement demonstrates to customers that Sirius is dedicated, invested, and has validated expertise in advanced VMware technologies.
According to Deborah Bannworth, Senior Vice President of Strategic Alliances & Inside Sales, “Sirius is making significant investments to support our clients' VMware solutions. The master services competencies only help to accelerate our capabilities and skills for our clients. It also recognizes Sirius for the investments we are making to support our field and clients.”
By leveraging these service capabilities, VMware customers can rest assured that master services competency partners have a record of repeatable, successful deployments of VMware business use cases across multiple solution areas that can meet their business objectives.
For more information on the program click here.
VMworld 2018 kicked off with a packed general session, and this year's theme is all about you, with flashes across the main screen of "Choice Begins with You" and "Possible Begins with You."
VMware's CEO Pat Gelsinger took the stage and kicked things off talking about the theme of this VMworld, "You". Pat said that you are the VMware Community, you are the VMware Team, you are the Partners. Collectively we are what makes VMware: from its workers, to the community of customers, to the partner community assisting their customers through education, architecture, deployment, and further growth of their infrastructure.
This is VMware's 20th birthday and, as Pat states, they are almost old enough to go out for a drink.
Twenty years of innovation and being disruptors to the world of technology, and that has not changed. VMware demonstrated at this year's VMworld that they are just as committed to being innovative within their own product lineup and with calculated partner decisions like AWS. Pat Gelsinger demonstrated his commitment to VMware and to moving the company to the next level through his newly minted VMware tattoo.
Pat Gelsinger spoke about VMware's unique role within the industry, bridging across silos through multiple iterations.
Act one, as he stated it, was the "Server Wars", where VMware changed the industry with virtualization of compute. Act two was the introduction of "Virtual Desktop" technology supporting BYOD. Act three was "Network Virtualization". Act four is "Cloud Migrations," for private and public clouds. What is the next act, you ask? "Multi-Cloud," through partnerships with the super powers of technology: Amazon, Microsoft, Google, and IBM, each a super power on its own but stronger together. These partnerships make VMware the Tech Super Power for Cloud, Mobility, AI/ML, and Edge/IoT. Each of thes
Pat spoke about how, through cloud, you can rent cores by the hour, and how with a swipe of an AMEX the industry has been transformed. Through mobility, VMware has been able to reach over half of the humans on the earth, although the most impoverished have not yet been reached, and VMware is committed to reaching them too. That is a lofty commitment, but VMware wants to drive change, not just within technology but throughout global communities, helping to elevate and change the lives of those in need. Through AI/ML, VMware is bridging healthcare and designer treatments. Through partnerships with organizations like Mercy Ships, which runs its infrastructure on VMware, it brings change to global communities that otherwise would not have access to some of the care we take for granted.
There were a lot of new announcements that came out of this first general session. Pat talked about how the partnership with Amazon continues to transform, and about making VMware Cloud Foundation available to their partners to build cloud infrastructures.
Andy Jassy, CEO of Amazon Web Services joined Pat on stage to further discuss the relationship with VMware. He mentioned that the VMC on AWS offering is powerful in that it allows customers to utilize the technology they are familiar with along with all its benefits. The offering is growing at an astonishing rate, doubling every quarter.
The number one use case for the VMC on AWS offering is migrating on-prem applications to the cloud, and Jassy gave an example of how MIT migrated over 3000 applications in a very short time. Disaster recovery, for companies like BRINKS, is the next use case.
The offering continues to expand into other regions across the globe with Sydney Australia being the latest announced. The number one request coming from customers is to have the VMC on AWS offering available in all AWS regions and in the Gov. Cloud. VMware is committed to accomplishing this goal by the end of 2019.
Three-node clusters for VMC on AWS, along with vSAN utilizing Amazon EBS storage, were also announced. This will reduce the initial entry cost into the hybrid cloud and is in tech preview now. Another announcement was around bulk migrations, along with a demonstration.
Amazon also announced Amazon Relational Database Service (RDS) on VMware for on-prem deployments. VMware and Amazon are ramping up their offerings together with NSX and Direct Connect, Enterprise Application and License Migrations, Kubernetes, and much more.
VMware announced Project Dimension, which delivers VMware cloud simplicity to the data center and edge. Project Dimension will extend VMware Cloud to deliver SDDC infrastructure and hardware as a service to on-premises locations. Because this will be a service, VMware can take care of managing the infrastructure, troubleshooting issues, and performing patching and maintenance. This in turn means customers can focus on differentiating their business by building innovative applications rather than spending time on day-to-day infrastructure management.
Another announcement out of VMworld was around the CloudHealth Technologies acquisition. CloudHealth provides VMware with a crucial multi-cloud management platform that works across AWS, Microsoft Azure and Google Cloud Platform, giving customers a way to manage cloud cost, usage, security and performance from a single interface.
This VMworld was packed full of great product enhancements, further partner integrations, and a lot more announcements. This clearly demonstrates that VMware remains a disruptive innovator in the industry: from enhancements in Workspace One, to the announcement of a blockchain project called Concord, an open source project that promises a more efficient approach to processing smart contracts based on distributed ledgers, to Dell provisioning services for Workspace One, to the integration of AppDefense with vSphere Platinum.
There is no shortage of exciting things for everyone to dive into at this VMworld, and I look forward to the rest of the days to come.
Back in October of 2016, VMware announced vSphere 6.5. This introduced a lot of changes to their flagship hypervisor; you can see an earlier blog I wrote about that here. Now it is that time again for a new vSphere to be announced. The announcement of vSphere 6.7 came with a lot of new features, and I will go over each of them in this blog. Let's take a look at these new features:
Let's quickly discuss migration paths. The new version supports upgrades and migrations from vSphere 6.0 or 6.5 only, and the currently supported migration paths to version 6.7 are as follows:
vSphere Client (HTML-5)
This is the long-awaited update that everyone has been waiting to be 100% complete, and unfortunately it is only 90/95% feature complete. I have personally been using it in my home lab for the past 12 months and I am very pleased with how it has turned out. The performance has been improved, and it provides a more intuitive look and feel. The Web Client now has the Platform Services Controller integrated for easier management. In vSphere 6.5, VMware had a list of the functionalities not yet supported in the vSphere Client; hopefully the company will do the same for vSphere 6.7.
vCenter Appliance Improvements
I like the new vSphere Appliance Management Interface (VAMI) a lot, and since the appliance is functionally equivalent to the Windows-based vCenter Server, it would take a lot to convince me to use the Windows-based one instead.
The VAMI interface has been improved with new features and tabs focused on monitoring and troubleshooting. The changes in the Monitoring tab are very useful, as is the Services tab. On the Monitoring tab you can now see the disk partitions and available space, so you can immediately see when a particular disk is running out of space and what its utilization is. You can also restart a particular service in the Services tab.
The Update section has also been improved to provide a more flexible patching and update option, allowing you to stage, or stage and install, a patch or update from the VAMI. The changes include more information about what is included in each patch or update, as well as its type, severity, and whether a reboot is required.
All of these new features bring better visibility into CPU, memory, network, and database utilization and into patching and updates, and they are great improvements and resources for administrators.
Improved vCenter Backup Management
File-based backup was introduced back in vSphere 6.5. It has been improved in vSphere 6.7 with a new native scheduler included in the UI, with a retention option available. The missing scheduler was a notable gap when the feature was first introduced and left administrators having to write scripts to schedule these backups as recurring jobs.
Now, in the Appliance Management UI, you can simply create a schedule for backups, and the file-based restore now comes with a browser that displays all your backups, simplifying the restore process.
ESXi Single Reboot Upgrades
vSphere upgrades can now be completed with one single reboot. With server reboots typically taking anywhere between 10-15 minutes each, this can add up to a lot of lost time. vSphere 6.7 now allows you to do a "quick boot", where it loads vSphere ESXi without restarting the hardware because it only restarts the kernel. This feature is only available with platforms and drivers that are on the Quick Boot whitelist, which is currently quite limited.
ESXi Quick Boot
The Quick Boot feature allows a system to reboot in less than two minutes, as it does not re-initialize the physical server BIOS. It is not just for reboots, but also for upgrades and updates. You can create a second ESXi memory image and have it updated when rebooting by simply switching over. However, Quick Boot is only supported on certain systems and does not work with systems that have ESXi Secure Boot enabled.
Note that by default, Quick Boot is enabled if the system supports it.
4K Native Drive Support
Not a lot to write about here other than that vSphere now supports the larger 4K native drives if you want to use them, and so does vSAN. There is a nice FAQ on 512e and 4K native drives for VMware vSphere and vSAN (KB 2091600) that I recommend taking a look at.
Configuration Maximums
Selected configuration maximums for this release:

Area                                    Item                                             Maximum
Persistent Memory                       NVDIMM controllers per VM                        1
Persistent Memory                       Non-volatile memory per virtual machine          1024GB
Storage Virtual Adapters and Devices    Virtual SCSI targets per virtual SCSI adapter    64
Storage Virtual Adapters and Devices    Virtual SCSI targets per virtual machine         256
Networking Virtual Devices              Virtual RDMA adapters per virtual machine        1
Fault Tolerance maximums                Virtual CPUs per virtual machine                 8
Fault Tolerance maximums                RAM per FT VM                                    128GB
Host CPU maximums                       Logical CPUs per host                            768
ESXi Host Persistent Memory Maximums    Maximum non-volatile memory per host             1TB
ESXi Host Memory Maximums               Maximum RAM per host                             16TB
Fibre Channel                           LUNs per host                                    1024
Fibre Channel                           Number of total paths on a server                4096
Common VMFS                             Volumes per host                                 1024
iSCSI Physical                          LUNs per server                                  1024
iSCSI Physical                          Number of total paths on a server                4096
Virtual Volumes                         Number of PEs per host                           512
Day 1 began with the general session, where VMware executives presented to the partner community and reinforced the importance of partners as the unsung heroes helping to drive the VMware business and, most importantly, driving value for their customers.
VMware's Brandon Sweeney, Senior Vice President, WW Commercial and Channel Sales, took the stage to a packed room and began the day talking about the journey VMware has taken over the past 20 years. Founded in 1998, VMware has continued to innovate and be a disruptor in the industry: from introducing vMotion in 2001, to NSX and AirWatch, the leading mobility platform to date, to vSAN being introduced in 2003, and now the VMware and AWS partnership, which is leading the transformation for customers to a hybrid cloud infrastructure.
Brandon spoke about the tremendous growth of product lines such as NSX, up 50%, EUC, up 30%, and vSAN, up 130%. These products are the fastest growing portions of VMware's business, making up more than 65% of their business.
He spoke about how VMware has again transformed their business, and this transformation involves a deeper partner ecosystem. VMware is changing the way they do business within the partner community, with things like the Center for Advanced Learning.
Robin Gunn, Vice President of Global Education Sales and Delivery, took the stage to discuss how VMware is investing in its partners through technical enablement, which is where the Empower event came from, giving partners their own technical event.
The Center for Advanced Learning will give partners access to the same training that VMware gives to its own employees. This also includes things like Live Fire events, which are hands-on training for products like VMC, NSX, and SDDC. I have taken several of these and can state that they are of high quality. There are several of them at the Empower event.
Robin spoke about a new Learning Zone, a social platform being launched where participants can earn points that can be used toward things like exam vouchers and passes to VMworld.
Matt Stepanski, Vice President of WW Professional Services, joined the stage after Robin to talk about how VMware is transforming their business to really focus with partners on "Solutions and Outcomes" to business challenges. Customers are transforming, and VMware is transforming to better align with the business needs of its customers through better partnership within the building blocks of Partner-Led Service Delivery.
Matt spoke about one example in particular, the PS credit program, where VMware will transfer PS credits to its partners to deliver solutions such as EUC, NSX, and VMC. PS credits are part of the ELA sold to a customer, with the expectation that those get transferred to a partner to do the work.
VMware continued the general session, bringing Chris Wolf, Vice President & CTO on stage to talk with partners about the products driving transformation within the business.
Chris started by talking about Cloud-to-Edge principles for things like native API access, Docker, OpenStack, service APIs, embracing open source, and Kubernetes.
VMware wants to deliver consistency across all these platforms in a safe and secure way to deliver the best value to the developer community while maintaining operational consistency and control for IT.
Workspace One is an example of this, delivering over 1.5 million applications, whether Windows, virtual apps, SaaS, legacy, or mobile applications, across a unified platform while allowing IT to maintain identity, security, and compliance.
It connects people to content, applications, and each other through a combination of AirWatch, the market leader in mobility, and Horizon.
VMware Cloud is another example of how VMware is helping customers deliver consistency to run, manage, connect, and secure any app on any cloud to any device. VMware Cloud Services deliver the cloud management, allowing for visibility, operations, automation, and security across cloud environments, while allowing for choice in the cloud infrastructure through partnerships with AWS, IBM Cloud, OVH, Microsoft Azure, and Google.
Chris spoke about the VMware Cloud Services offerings, which cover things like Wavefront, a metrics monitoring and analytics platform, NSX Cloud, Network Insight, Workspace One, Cost Insight, and AppDefense, and how these tools are helping customers transform their hybrid cloud: gaining better visibility into the costs associated with cloud, securing the infrastructure with NSX, and gaining better insight into how to best deliver a hybrid-cloud infrastructure with products like Network Insight and Wavefront.
Chris spoke to the complexities of making applications "cloud ready", and how costly that can be. With VMC on AWS, customers gain a native platform running linked-mode vCenters, with further integration with native AWS services, without the complexities and costs associated with re-architecting applications.
VMware is on a very aggressive roadmap to deliver more capabilities faster and faster.
He then spoke about the recent acquisition of VeloCloud and how it solves a problem for customers around SD-WAN. This is a cloud-delivered SD-WAN which enables enterprises to securely support application growth, network agility, and simplified branch and endpoint implementations while delivering high-performance, reliable access to cloud services, private data centers, and SaaS-based enterprise applications.
Chris also spoke about containers and how they are helping to transform how customers build and service applications through open-source Kubernetes and Pivotal Container Service. He described NSX as the fabric bringing full automation to these environments, automating the network for cloud-native applications.
Chris ran through a demo of containers on VMware as you can see from the above video.
Chris ended by talking about Partner-Led Solutions and what VMware's vision is for them. He spoke about edge computing, where the digital and physical worlds collide, and how IoT is driving this, along with the importance of data analytics, machine learning, artificial intelligence, and augmented reality. He spoke about the drivers being time, data, network, privacy, and of course control in this new age of technology, where products like VeloCloud and SD-WAN play an integral role, bringing a consolidated solution for IoT which includes the management of the IoT infrastructure itself, automation, and operational technologies.
Overall this was an excellent general session for the first Empower event, which is meant to empower VMware's partners to deliver the best solutions in the market to their customers.
The movement toward a hybrid-cloud, software-defined data center has been ongoing for years now. We have seen the virtualization of compute, storage, and now networking. In this blog, I will be discussing this journey: where we started, where we are going, and why you want to be on this journey.
Traditional data center models are still very prevalent and accepted by organizations as the de facto model for their data center(s). If you have ever managed a traditional data center, then you know the mounting challenges we face within this model.
What comprises the traditional data center model? A traditional data center model can be described as heterogeneous compute, physical storage, and networking managed by disparate teams, each with a very unique set of skills. Applications are typically hosted on their own physical storage, networking, and compute. All of these entities (physical storage, networking, and compute) increase with the growth in size and number of applications. With growth, complexity increases, agility decreases, security complexity increases, and assurance of a predictable and repeatable production environment decreases.
Characterizations of a Traditional Data Center:
Challenges around supporting these complex infrastructures can include things like slow time to resolution when an issue arises, due to the complexities of a multi-vendor solution. Think about the last time you had to troubleshoot a production issue. In a typical scenario, you are opening multiple tickets with multiple vendors: a ticket with the network vendor, a ticket with the hypervisor vendor, a ticket with the compute vendor, a ticket with the storage vendor, and so on and so on. Typically, all of them point fingers at each other, when we all know that fault always lies with the database admins.
The challenges aren't just around the complexities of design, day-to-day support, or administration, but also include challenges around lifecycle management. When it comes to lifecycle management, we are looking at the complexities around publishing updates and patches. If you are doing your due diligence, then you are gathering and documenting all the firmware, BIOS, and software versions from all the hardware involved in the update/patch and comparing that information against Hardware Compatibility Lists and Interoperability Lists to ensure that they are in a supported matrix. If not, then you have to update those components before going any further. This can be extremely time consuming, and we are typically tasked with testing in a lab that doesn't match our production environment(s) to ensure we don't bring any production systems down during the maintenance window.
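The compatibility check described above is tedious by hand, which is why it is often skipped. The following is an added example, not code from the original post or from VMware: a small Python checker that compares a constructed firmware/BIOS/driver inventory against a constructed compatibility matrix (the `HCL` dictionary and the `ACME` component names are placeholders, not real vendor data) and reports which hosts are blocked from an upgrade and why. The version comparison pads versions to a fixed width so that "18.5" and "18.5.0" compare equal rather than producing a false "below minimum" finding.

```python
"""Compare a host inventory against a compatibility matrix before patching.

Added example for this blog; the inventory, the matrix and every vendor or
model name below are constructed for illustration and are not real HCL data.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Component:
    host: str      # ESXi host the component was inventoried from
    kind: str      # "bios", "nic_firmware", "hba_driver", ...
    model: str     # hardware model as reported by the inventory tool
    version: str   # version string as reported (format varies by vendor)


def parse_version(text, width=4):
    """Turn '2.4.1', 'v18.5' or '3.1.2-build7' into a fixed-width int tuple.

    Padding to a fixed width keeps '18.5' == '18.5.0'; a bare tuple compare
    would treat the shorter one as smaller and raise a false finding.
    """
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple((nums + [0] * width)[:width])


# Constructed compatibility matrix: target release -> (kind, model) -> minimum
# supported version. A real matrix comes from the vendor's HCL/interop lists.
HCL = {
    "6.7": {
        ("bios", "ACME R740"): "2.4.0",
        ("nic_firmware", "ACME 10GbE"): "18.5",
        ("hba_driver", "ACME FC16"): "3.1.2",
    }
}

# Constructed inventory, as an automated collector might report it.
INVENTORY = [
    Component("esx01", "bios", "ACME R740", "2.4.1"),
    Component("esx01", "nic_firmware", "ACME 10GbE", "v18.5"),
    Component("esx01", "hba_driver", "ACME FC16", "3.1.2-build7"),
    Component("esx02", "bios", "ACME R740", "2.3.9"),        # below minimum
    Component("esx02", "nic_firmware", "ACME 10GbE", "18.5.0"),
    Component("esx02", "hba_driver", "ACME FC16", "3.1.2"),
    Component("esx03", "bios", "ACME R740", "2.4.1"),
    Component("esx03", "nic_firmware", "ACME 25GbE", "1.0"),  # not on the list
]


def check_inventory(inventory, hcl, target):
    """Return (host, kind, model, reason) for every component that blocks
    the move to `target`. Unknown components are findings too: a part that
    is absent from the matrix is unsupported, not implicitly fine."""
    matrix = hcl.get(target, {})
    findings = []
    for c in inventory:
        minimum = matrix.get((c.kind, c.model))
        if minimum is None:
            findings.append((c.host, c.kind, c.model, "not on compatibility list"))
        elif parse_version(c.version) < parse_version(minimum):
            findings.append((c.host, c.kind, c.model,
                             f"{c.version} is below minimum {minimum}"))
    return findings


def hosts_ready(inventory, hcl, target):
    """Hosts with no blocking finding, i.e. safe to schedule for the window."""
    blocked = {f[0] for f in check_inventory(inventory, hcl, target)}
    return sorted({c.host for c in inventory} - blocked)


if __name__ == "__main__":
    for host, kind, model, reason in check_inventory(INVENTORY, HCL, "6.7"):
        print(f"{host}: {kind} {model}: {reason}")
    print("ready:", ", ".join(hosts_ready(INVENTORY, HCL, "6.7")))
```

Feeding the checker from a real inventory export and the vendor's published matrix turns the pre-maintenance due diligence into a repeatable report, and treating "not on the list" as a finding rather than a pass is the conservative choice for production systems.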
The first attempt at reducing the complexities we face with the traditional model came with the introduction of converged infrastructure. Converged introduced us to a pizza delivery model for infrastructure: we gather our requirements, place an order, and have it delivered on premises, ready to be consumed. This new model of infrastructure brought with it a reduction in the complexities inherent in the traditional model.
What is converged infrastructure? Converged infrastructure is an approach to data center management that packages compute, storage, and virtualization in a pre-integrated, pre-tested, pre-validated, turnkey appliance. Converged systems include central management software.
These pre-built appliances reduce support concerns because the vendor supports the entire stack. You gain that "one throat to choke" when issues arise. You are no longer required to open multiple tickets with multiple vendors. One call to the supporting vendor and they handle troubleshooting for the hypervisor, compute, and storage. This can shorten time to resolution when issues present themselves.
You gain a reduction in data center footprint which, in turn, reduces power and cooling costs. I worked with a customer and reduced their multi-rack traditional data center to a single-rack solution. The cost savings were tremendous, as they were able to reduce not only the cost of power and cooling, but also the space they paid for at the colocation facility.
With converged, you also gain a reduction in lifecycle management. When an update comes out from the vendor, they have already pre-validated and pre-tested the update/patch and know how it will affect your production environment. This means that you can gain back all the time it takes to check the firmware, BIOS, and software against the HCL, etc. This can be a tremendous benefit, allowing you to deploy new updates/patches with assurance.
VMware Validated Designs were also introduced to provide comprehensive and extensively tested blueprints to build and operate a Software-Defined Data Center.
With the VMware Validated Designs, VMware also allows for more flexibility with a build-your-own solution. Think of a Validated Design as a prescriptive method for the SDDC: you follow the detailed guides and are assured of a specific outcome. Unlike the appliance approach, where the vendor pre-validates and pre-tests the solution and then builds it for you, VMware handles everything but the build.
This approach has four benefits:
The converged model does still present some challenges. You may not be able to move to the latest hypervisor software when it comes out, but most don't like to be the guinea pig anyway.
Another challenge is with storage. Although storage is packaged and supported in this model, you still have to manage it as with traditional storage arrays. For example, if you need to build a new VM, typically we need to:
To further simplify the traditional model of infrastructure, VMware brought us the Software-Defined Data Center (SDDC) vision with the hyper-converged model.
What is hyper-converged infrastructure (HCI)? Hyper-converged infrastructure converges physical storage onto industry-standard x86 servers, enabling a building-block approach with scale-out capabilities. All key data center functions run as software on the hypervisor in a tightly integrated software layer, delivering through software the services that were previously provided via hardware.
This reduces the complexities of traditional storage administration by taking the intelligence of the array and bringing it into the software layer. Take the previous example above: now, when we provision a VM, the storage is provisioned along with it. There is no need to log into the storage array and provision the LUN, or do zoning and masking, to present the newly created storage to the hypervisor environment.
Management of the storage is performed through the same vCenter Server web interface that you use to manage the rest of the hypervisor environment.
The hyper-converged environment further reduces the footprint at our data center(s) and the complexities we have in both traditional and converged environments. This new model of deploying an infrastructure gains us five benefits:
With hyper-converged, we have moved compute and storage into the software-defined layer. This simplifies the environment while keeping all the benefits of a converged infrastructure.
To recap, we have talked about where we began, with the traditional data center model and all the challenges listed above in administering a traditional environment, and about the added benefits of converged and now hyper-converged infrastructures. Remember that, at this point, we have software-defined the compute and the storage, but what about the network?
In 2012, VMware acquired Nicira and one year later introduced network virtualization with NSX. To further the SDDC vision of an all software defined data center, VMware virtualized the network. We now have compute, storage, and networking in the software stack.
This year at VMworld 2017, VMware introduced the next logical iteration in the journey to the SDDC with VMware Cloud Foundation.
VMware Cloud Foundation encompasses the best of VMware Validated Design and all the benefits of hyper-converged. It brings the three software-defined solutions, compute, storage, and networking, into a single package managed by the SDDC Manager. I wrote a previous blog about VMware Cloud Foundation, which you can find here to gain more insight.
Why do we want to be on this journey? VMware Cloud Foundation provides the simplest way to build an integrated hybrid cloud. It does this by providing a complete set of software-defined services for compute, storage, network, security, and cloud management, allowing the user to run enterprise apps (traditional or containerized) in private or public environments, while being easy to operate thanks to built-in automated lifecycle management.
This new model has four use cases:
To begin your journey toward this new infrastructure model and future-proof your data center for cloud, you begin by upgrading your current vSphere 5.x environment to 6.5. By upgrading to vSphere 6.5, you put your current infrastructure in an optimal place to take advantage of the latest vSAN and NSX deployments, along with the following benefits you gain from the new features in 6.5.
Benefits of vSphere 6.5:
As you can see from the picture above, the journey doesn't end with VMware Cloud Foundation but continues to progress toward the true hybrid-cloud solution that was announced this year at VMworld 2017: a new partnership between VMware and Amazon.
This new offering is an on-demand service that will allow you to extend your on-prem data center to the Amazon cloud, which runs VMware Cloud Foundation on physical hardware in Amazon's cloud data centers. This means no converting of workloads in order to take advantage of a cloud architecture, because it is running the same SDDC software you are running today.
VMware Cloud on AWS is ideal for customers looking to:
VMware Cloud on AWS is delivered, sold, and supported by VMware as an on-demand, scalable cloud service.
This new model is the most flexible and agile model for future data centers. It will allow you to transform your business from hardware dictating where applications reside to applications driving the business in a hybrid cloud model, gaining the ability to easily migrate applications to where it makes the most sense in alignment with business requirements and objectives.
It's that time again, and I highly suggest joining in. Not only will you be a part of a great community learning new products, but you'll get the chance to offer your input into the direction.
This beta program is different from past programs in that it is not tied to a specific version or release. It is a new beta program that includes a new beta community, and it will continue through multiple releases of vSphere. Participants can expect to see new functionalities and capabilities added as the program continues. Participants are expected to:
This program enables participants to help define the direction of the most widely adopted industry-leading virtualization platform. The vSphere team will grant access to the program to selected candidates in stages. This vSphere Beta Program leverages a private Beta community to download software and share information. VMware will provide discussion forums, webinars, and service requests to enable you to share your feedback.
You can expect to download, install, and test vSphere Beta software in your environment or get invited to try new features in a VMware hosted environment. All testing is free-form and you are encouraged to use the software in ways that interest you. This will provide VMware with valuable insight into how you use vSphere in real-world conditions and with real-world test cases, enabling them to better align with your business needs.
Some of the many reasons to participate in this beta opportunity:
You can register for the Beta Program Here!
Security these days is often still the traditional needle-in-a-haystack approach rather than a truly security-centric approach that includes analytics and alerting. VMware is again shifting to a new paradigm, and that was evident from all the products and messaging that came out of VMworld 2017.
Security is on the forefront of all of our minds and VMware, as the leader in data center technologies, wants to lead the conversation and be the foundation that you are laying down to protect your data, along with adding significant value to you with their partnerships in the security space, like the new partnership announced with IBM around their security products like QRadar.
With increasing attacks on our data centers (take Equifax, for example), we must first look at one of the most significant portions of our security foundation, ESXi, and work to secure that. We typically start with securing the physical and the edge, throw in some anti-virus and call it secure, but are we secure?
When it comes to data center security, we must start with our foundation, ensure that we have designed it to follow recommended best practices, then evaluate the gaps, and add in products to get us the rest of the way there. This also includes following best practices for end-user access of the environments and not being "lazy" admins just to skip a few steps. We have to lean on trusted partners like Sirius that have developed a security practice that can help us navigate the waters of security because the landscape of security products is immense, as you can see from the picture below.
So where do we begin? I believe that we must start with VMware. VMware is no longer just a hypervisor running your VMs, but the most integral part of your data center security strategy, and if you don't get that foundation right, then the rest will crumble too. We must secure the infrastructure, then build and architect the data.
After we get the infrastructure secure we move into securing the entire ecosystem like controls, automation, validations and the security solutions.
Last we must get back to the basics and as VMware's CEO, Pat Gelsinger stated, "Learn from sport teams who follow the basic regimen over and over again. Every major breach in the last five years that made headlines happened because a simple cyber hygiene wasn’t followed somewhere.” VMware is working with the government to set cyber hygiene standards for the tech industry to simplify the security solutions, as Gelsinger stated that, “The role of the governments globally in making stronger cyber policies is equally important to ward off data breaches."
VMware has shifted to becoming a security-centric company, with added features in their base product, VMware ESXi 6.5, that represent a move toward "secure by default" and allow for a truly secure foundation on which to build the rest of the house. Let's take a look at these features.
ESXi Secure Boot
Secure Boot now leverages the capabilities of the UEFI firmware to ensure that ESXi not only boots with a signed bootloader validated by the host firmware but that it also ensures that unsigned code won’t run on the hypervisor. UEFI, or Unified Extensible Firmware Interface, is a replacement for the traditional BIOS firmware that has its roots in the original IBM PC.
ESXi is composed of a number of components: the boot loader, the VMkernel, the Secure Boot Verifier and VIBs, or “vSphere Installation Bundles”. Each of these components is cryptographically signed.
You can read more about UEFI on Wikipedia.
Virtual Machine Secure Boot
Secure Boot for VMs is simple to enable. Your VM must be configured to use EFI firmware, and then you enable Secure Boot with a checkbox. (Note that if you turn on Secure Boot for a virtual machine, you can load only signed drivers into that virtual machine.)
Secure Boot for Virtual Machines works with Windows or Linux.
vSphere 6.5 introduces enhanced logging. Logs have traditionally been focused on troubleshooting and not security.
Complete logs are now sent via the syslog stream for actions like "VM Reconfigure". Logs now contain more complete information, so when something changes you will see what changed, what it changed from, and what it changed to. You can then take action on the information collected, such as rolling back the change if it caused an issue.
You will now see logs for actions like adding more memory to a VM. The associated logs will show you what it was before and after the change. From a security perspective you can see much more information, such as who made the change, and with integration with VMware Log Insight you will be able to parse the data quicker, bringing you to faster remediation.
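As an added example (not code from the post or from VMware), here is a small Python parser that pulls the "from" and "to" values and the acting user out of reconfigure events, then flags large memory increases, produces the values needed to roll a change back, and counts changes per account. The log lines are constructed to follow the shape the post describes and are not copied from a real vCenter.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample syslog lines (not real vCenter output) shaped like the
# "what it changed from and what it changed to" reconfigure events the post
# describes; only the "key: old -> new" and "User:" conventions matter here.
SAMPLE_SYSLOG = """\
2017-09-12T14:02:11Z vcenter01 vpxd: Reconfigured web01 on esx01.lab.local in DC1. Modified: config.hardware.memoryMB: 4096 -> 8192; config.hardware.numCPU: 2 -> 4; User: VSPHERE.LOCAL\\admin
2017-09-12T14:05:40Z vcenter01 vpxd: Reconfigured db01 on esx02.lab.local in DC1. Modified: config.hardware.device(2000).backing.fileName: [ds1] db01/db01.vmdk -> [ds1] db01/db01_1.vmdk; User: LAB\\jdoe
2017-09-12T14:06:02Z vcenter01 vpxd: Powered on web01 on esx01.lab.local in DC1
2017-09-12T14:09:15Z vcenter01 vpxd: Reconfigured web01 on esx01.lab.local in DC1. Modified: config.flags.diskUuidEnabled: false -> true; Deleted: config.hardware.device(4000); User: LAB\\jdoe
"""

HEADER_RE = re.compile(r"^(?P<ts>\S+) \S+ vpxd: Reconfigured (?P<vm>\S+) on (?P<host>\S+) in (?P<dc>[^.]+)\.(?P<rest>.*)$")
SECTION_RE = re.compile(r"(?P<kind>Modified|Added|Deleted): (?P<body>.*?)(?=; (?:Modified|Added|Deleted|User):|$)")
CHANGE_RE = re.compile(r"(?P<key>[\w.()]+): (?P<old>.*?) -> (?P<new>.*?)(?:; |$)")
USER_RE = re.compile(r"User: (?P<user>\S+)")


@dataclass
class ReconfigureEvent:
    timestamp: str
    vm: str
    host: str
    user: str
    modified: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # key -> (old, new)
    deleted: List[str] = field(default_factory=list)


def parse_events(text: str) -> List[ReconfigureEvent]:
    """Keep only reconfigure events; other vpxd lines (power on, etc.) are skipped."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        user = USER_RE.search(rest)
        ev = ReconfigureEvent(m.group("ts"), m.group("vm"), m.group("host"),
                              user.group("user") if user else "unknown")
        for sec in SECTION_RE.finditer(rest):
            if sec.group("kind") == "Modified":
                for ch in CHANGE_RE.finditer(sec.group("body")):
                    ev.modified[ch.group("key")] = (ch.group("old"), ch.group("new"))
            elif sec.group("kind") == "Deleted":
                ev.deleted.extend(sec.group("body").split("; "))
        events.append(ev)
    return events


MEMORY_KEY = "config.hardware.memoryMB"


def flag_memory_growth(events: List[ReconfigureEvent], max_growth_mb: int = 2048):
    """Memory increases above a threshold, as (vm, user, old_mb, new_mb)."""
    flagged = []
    for ev in events:
        if MEMORY_KEY in ev.modified:
            old, new = (int(v) for v in ev.modified[MEMORY_KEY])
            if new - old > max_growth_mb:
                flagged.append((ev.vm, ev.user, old, new))
    return flagged


def rollback_values(event: ReconfigureEvent) -> Dict[str, str]:
    """The 'from' side of every modified property: the values to restore."""
    return {key: old for key, (old, _new) in event.modified.items()}


def changes_by_user(events: List[ReconfigureEvent]) -> Dict[str, int]:
    """Count of configuration changes per account, for spotting unexpected actors."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev.user] = counts.get(ev.user, 0) + len(ev.modified) + len(ev.deleted)
    return counts
```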
VM Encryption/vMotion Encryption
VM encryption works by applying a new storage policy to a VM; it is policy driven. You’ll be able to encrypt the VMDK and the VM home files.
There are no modifications within the guest OS. You can run different OSes like Linux, Windows, etc., and the VM can run from different storage like NFS, block storage, and vSAN. The encryption happens outside of the guest OS, and the guest does not have access to the keys.
The encryption works also for vMotion but both the source and the destination hosts must support it.
After you apply an encryption policy to a VM, that VM receives its own randomly generated key, and that key is encrypted with a key from the key manager.
When you power on a VM that has the encryption storage policy applied, vCenter retrieves the key from the key manager and sends it to the VM encryption module, which unlocks the VM's key in the ESXi hypervisor.
Encrypted vMotion works by adding a randomly generated key to the migration information, which is sent to each of the hosts participating in the vMotion. The data going across the network is encrypted with that key only for the migration process; it is a one-time random key generated by vCenter.
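The key flow described above (a per-VM random key wrapped by a key-manager key, unwrapped on the host at power-on, and a one-time vCenter-generated key for vMotion) as an added illustrative Python model; this is not VMware's code, and the cipher is a standard-library stand-in (HMAC-SHA256 keystream plus HMAC tag) rather than the AES vSphere uses. The KeyManager, ESXiHost and VCenter classes are assumed names for the roles in the text.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

# Illustrative model only, not VMware's implementation: vSphere uses AES on the data
# path and a KMIP key manager. To stay standard-library-only this model encrypts with
# an HMAC-SHA256 counter-mode keystream and authenticates with an HMAC tag.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC); aad is bound to the tag, not encrypted."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(b"enc" + key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(b"mac" + key, aad + nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first: a wrong key or altered data raises instead of decrypting."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(b"mac" + key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(b"enc" + key, nonce, len(ct))))

class KeyManager:  # external key manager: holds key encryption keys (KEKs), never sees VM data
    def __init__(self) -> None:
        self.keks: Dict[str, bytes] = {}
        self.online = True
    def create_kek(self) -> str:
        kek_id = "kek-" + secrets.token_hex(4)
        self.keks[kek_id] = secrets.token_bytes(32)
        return kek_id
    def get_kek(self, kek_id: str) -> bytes:
        if not self.online:
            raise ConnectionError("key manager unreachable")
        return self.keks[kek_id]

@dataclass
class EncryptedVM:
    name: str
    kek_id: str
    wrapped_dek: bytes   # this VM's random key, stored with the VM files sealed under the KEK
    disk: bytes = b""    # VMDK contents as they sit on the datastore: always ciphertext

class ESXiHost:  # holds a VM's unwrapped key in memory only while that VM runs here
    def __init__(self, name: str) -> None:
        self.name = name
        self.unlocked: Dict[str, bytes] = {}
    def unlock(self, vm: EncryptedVM, kek: bytes) -> None:
        self.unlocked[vm.name] = open_sealed(kek, vm.wrapped_dek, aad=vm.name.encode())
    def write_disk(self, vm: EncryptedVM, data: bytes) -> None:
        vm.disk = seal(self.unlocked[vm.name], data)   # guest writes plaintext, storage sees ciphertext
    def read_disk(self, vm: EncryptedVM) -> bytes:
        return open_sealed(self.unlocked[vm.name], vm.disk)
    def export_state(self, vm: EncryptedVM, migration_key: bytes) -> bytes:
        # What crosses the network: the VM's key (in reality its memory too), sealed with the one-time key
        return seal(migration_key, self.unlocked.pop(vm.name), aad=b"vmotion:" + vm.name.encode())
    def import_state(self, vm: EncryptedVM, migration_key: bytes, wire: bytes) -> None:
        self.unlocked[vm.name] = open_sealed(migration_key, wire, aad=b"vmotion:" + vm.name.encode())

class VCenter:
    def __init__(self, kms: KeyManager) -> None:
        self.kms = kms
    def apply_encryption_policy(self, name: str) -> EncryptedVM:
        kek_id = self.kms.create_kek()
        dek = secrets.token_bytes(32)                 # random key for this one VM
        return EncryptedVM(name, kek_id, seal(self.kms.get_kek(kek_id), dek, aad=name.encode()))
    def power_on(self, vm: EncryptedVM, host: ESXiHost) -> None:
        kek = self.kms.get_kek(vm.kek_id)             # no reachable key manager, no power-on
        host.unlock(vm, kek)                          # the host, never the guest, unwraps the VM key
    def encrypted_vmotion(self, vm: EncryptedVM, src: ESXiHost, dst: ESXiHost) -> bytes:
        migration_key = secrets.token_bytes(32)       # one-time key generated by vCenter
        wire = src.export_state(vm, migration_key)
        dst.import_state(vm, migration_key, wire)
        return wire

def _fails(fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except (ValueError, ConnectionError):
        return True

def run_demo() -> dict:
    vc, src, dst = VCenter(KeyManager()), ESXiHost("esx01"), ESXiHost("esx02")
    vm = vc.apply_encryption_policy("web01")
    vc.power_on(vm, src)
    src.write_disk(vm, b"customer records")
    wire = vc.encrypted_vmotion(vm, src, dst)
    results = {"src_keeps_key": vm.name in src.unlocked,   # False: the key moved with the VM
               "dst_reads": dst.read_disk(vm),
               "wrong_migration_key_rejected": _fails(ESXiHost("rogue").import_state, vm, secrets.token_bytes(32), wire)}
    vc.kms.online = False                                  # key manager outage
    results["power_on_fails_without_kms"] = _fails(vc.power_on, vm, ESXiHost("esx03"))
    return results
```

The last two results are the operational caveats: a host that is handed the wrong migration key cannot use the migrated state, and a VM with the encryption policy cannot be powered on while the key manager is unreachable.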
vSphere Security Guide for vSphere 6.5
The new security guide narrows the focus to a subset of settings. This is a change from VMware's traditional "Hardening Guides" to a "Security" guide. I will not go into the entire guide in this post, but you can read the post from VMware here.
Along with these new settings, the government work, and a new security guide being introduced, I think it's time to shift to the products that support VMware's security model.
The first of these is NSX. With organizations spending more on security than ever before, see Gartner, NSX becomes the next integral step to securing your production data center. I have written several blogs now on NSX so I will just write a quick recap as to what NSX is.
VMware NSX provides a platform that allows automated provisioning and context-sharing across virtual and physical security platforms. Combined with traffic steering and policy enforcement at the virtual interface, partner services traditionally deployed in a physical network environment are easily provisioned and enforced in a virtual network environment. VMware NSX delivers customers a consistent model of visibility and security across applications residing on both physical and virtual workloads.
To further enhance NSX, VMware introduced AppDefense at VMworld 2017. AppDefense adds data center threat detection and response to the micro-segmentation capabilities delivered by NSX.
NSX prevents threats from moving freely throughout the network, while AppDefense detects anything that does make it to an endpoint and can automatically trigger responses through integrations with NSX and vSphere. The idea is to prevent, detect, and respond.
AppDefense uses machine learning technology, where it learns application behavior, and if the application deviates from that behavior it is quarantined. This is very different from the traditional anti-virus approach. Anti-virus solutions use definitions to secure the VM: if a new attack has been brought to the attention of your provider, they create a new definition once they have had time to analyze it, and then you are responsible for pushing the new definition out to all your VMs. This can leave a gap in your protection.
See this video below to learn more about AppDefense.
VMware has a dedicated internal team responsible for developing and driving software security initiatives across all of VMware’s Research and Development organizations to reduce software security risks: the VMware Security Engineering, Communications & Response group (vSECR).
The vSECR group takes a full lifecycle approach to product security, from product inception to product end of life. VMware, through vSECR, is committed to the ongoing security of their products and the safety of their customers' data.
VMware is also active in the greater security community, and is a member of SAFECode (the Software Assurance Forum for Excellence in Code) and BSIMM (Building Security In Maturity Model). For more details about VMware product security, please refer to the VMware Product Security White Paper.
You may also be interested in the following resources:
Lastly, remember to reach out to your VMware Partner, like Sirius, who can help you with security health checks and education, and help you gain confidence that your production data center environment(s) are configured correctly.
Sirius can help you prevent, detect, and respond to security threats and secure your data.
I have been a VMUG Leader in Rochester NY for 5 years, and recently became a leader of two other groups, Syracuse, and Capital District which collectively covers a large portion of Upstate New York. Did I mention that I love being involved in my local communities?
At the most basic level, VMUG leaders coordinate the activities for their local VMUG communities, and being a leader is an amazing opportunity to give back and build awareness of VMware products while building your resume and sharing your knowledge. The requirement to become a VMUG leader is that you must be a VMUG member and serve in a technical role with a VMware customer company. VMUG is a global organization, as you will see from this blog.
Having been in this role for some time now, I decided to reach out and talk with leaders from around the globe to get an idea of what they think it means to be a VMUG leader and gain some insights into how they run their groups. If you are a current VMUG member looking to become a leader and are wondering what is involved, I hope to answer any questions you may have within this blog.
I have a passion for technology, and for VMware technologies to be more specific. Joining VMUG as a leader has been a great opportunity for me to take my love for VMware products, and have a platform to evangelize within my communities along with the social aspect of it.
I love bringing technologists together to build a strong technical community, and I always think about the collective knowledge we have as a community, and how we can utilize that to help us through the projects we find ourselves working on.
Think about it, you attend a VMUG on a subject like VDI, because you are working on a VDI initiative at work, and now have an opportunity to gain some knowledge along with making local connections with other technologists that are working on the same project or have completed their own project. That is what's great about attending local meetings, you can learn from others or step up to assist others within your community. Of course, this is only one aspect of the benefits of joining VMUG as a member or a local leader.
One of my colleagues at Rolta Advizex runs a very successful VMUG in Cleveland, Ohio. Patrick Stasko works as a Solutions Architect and like me has a passion for technology. I decided to reach out to him to discuss being a VMUG leader.
I started out asking him why he became a VMUG leader, and his response was similar to my own. Patrick said, "I wasn’t feeling fulfilled or challenged in my current role at the time. I recently moved back to Cleveland for a new opportunity and I was trying to determine which way I could make an impact. In my quest to wrap my arms around Cleveland’s IT Community, it led me to the Cleveland VMUG community, which was going through some troubles. I’m passionate about people and technology. This is a perfect platform for both of those."
That passion for technology and community seems to be a resounding theme that I found when talking with leaders for this interview and really hit home with my own experience too. This was also true for another leader I interviewed, Valdecir Carvalho from São Paulo, Brazil.
When I asked him the same question, Valdecir responded, "First of all, VMUG is all about community and I’m a community lover. I'm from São Paulo, Brazil, and when I first heard about VMUG I rushed to vmug.com to look for a São Paulo chapter, and that place was dead. Then I started to talk to some other friends and vendors to find out why, but long story short, I sent a mail to VMUG HQ and applied. And I'm really glad I did!"
There are some great benefits to becoming a VMUG leader and for me, one of those benefits is exposure to the communities I lead, as a thought leader within the industry.
I also spoke with the New Jersey VMUG Leader, Ben Liebowitz and he mentioned that, "It has gotten me many more contacts in the community, all over the world!" That is so true and I have also experienced this. As stated above, VMUG is a global community and because of that you can meet other technologists from around the globe.
VMUG has many opportunities to connect with and get to know other leaders from around the globe, like through the VMUG site. Each group has its own community page where we can come together to share knowledge and discuss VMUG, along with other opportunities. VMUG also has online event meet-ups and opportunities, along with events like the annual VMworld members party, and Leaders meet-ups at VMworld. VMworld is also a great place to gain knowledge and meet our local leaders at the VMUG booths located throughout VMworld.
As mentioned, there are many benefits to becoming a VMUG leader. I asked Patrick what he thought the benefit was, and he said, "The biggest impact is the rapid ability to connect and network within the local community and other VMUG circles across the world. I especially enjoy and look forward to the VMUG activities at VMworld." As mentioned already, connecting at VMworld is another great benefit, not only to leaders but to all members. Other advantages or benefits include things like receiving a VMUG Advantage subscription.
VMUG Advantage is the best way to gain the technical skills to accelerate your success with exclusive access to VMware applications and discounts on training, certifications, VMworld registration and more! You are also given access to the EVALExperience, which gives you exclusive access to 365-day evaluation licenses for a selection of VMware solutions, for personal use in a non-production environment and includes these products:
This leads me to how we run our local groups. I have found that most leaders run their groups in very similar fashions, but that we all learn from each other. When I asked the leaders how they run their local groups, Valdecir replied, "I do not run it alone. I'm happy to have another leader who is a great partner, and together we are doing our best to make VMUG more and more relevant to our members. VMUG São Paulo is a new group; we "revamped" the group 8 months ago, so we are still learning from other Leaders, from VMUG HQ and, most of the time, discovering things by ourselves by trial and error. Also, our focus is our members, so we try to hear what they want, what they need and their feedback, so we can improve our chapter more and more."
Of course, talking with Patrick, he has taken his skills as a Solution Architect and really formalized how his group is run, as you can see from the layout he created below.
One of the challenges we have as a leader is how we drive attendance to the meetings and grow our groups. I use things like social media sites, like Facebook, Twitter, and LinkedIn. I can setup my groups and send out information about events along with utilizing marketing features from Facebook to bring awareness to the communities I lead.
Every leader has their own challenges, which can be things like location, as Valdecir mentions: "It's difficult, mostly because VMUG and other technology groups are not so deep in our culture. First of all, we are trying to get people to understand what VMUG is, what the VMUG values and benefits are. We chose to start small and deliver only the best, so when people realize what VMUG is and start to talk about it, things will be easy."
Another example from Patrick is utilizing VMware. Patrick mentions that "The local VMware TAMs and SEs have done a terrific job relaying meeting information to their customer base, which has been a game changer." I have found this to be helpful too and always make it a point to invite VMware to our events.
Choosing topics for our events is arguably the most important thing you can drive as a leader. It is imperative to listen to what is happening in the industry and to your members and as Patrick mentions, "We encourage the community to provide topic ideas. We make our best attempt to listen and provide a platform for those topics. Our leadership and ambassador weigh the agenda, location, costs, potential attendance reach and sponsor into consideration determining whether that topic idea has the ability to convert to a formalized meeting."
Standing out from other technology groups within our communities is always a challenge. Technologists only have so much time to pick which events they can attend due to time restraints and time away from work. Patrick mentions that, "Within the VMUG circles, I believe we were one of the first groups to develop our own brand & logo. Secondly, we created software (http://github.com/tkrn/pivmugc) for all VMUG communities to use upon meetings to help track check ins, attendance, reporting and printing of name tag labels." As you can see Patrick has been busy and this is driven from his love for technology and community.
The last point I want to discuss is why you, as a technologist, should care about VMUG. The resounding response from the interviews was that VMUG is about community, and as Valdecir mentioned, "VMUG is all about people. Being part of and caring about VMUG is a great opportunity to learn and get connected with other people from the industry. It's a chance to meet new people, learn, teach, hire someone, find a new job, be promoted in your current job, make new friendships for life, and the list goes on."
If you are interested in becoming a VMUG Leader or a VMUG member I have posted some resources below. I highly recommend getting involved and if there isn't a VMUG in your local community, think about starting one.
Thanks to all the VMUG leaders that participated in this blog.
vRealize Network Insight, or vRNI, is the newest addition to the range of products from VMware. vRealize Network Insight integrates with VMware's network virtualization platform, NSX. vRNI delivers intelligent operations for your software-defined network environment. vRNI does for your virtualized network what vRealize Operations does for your virtualized environment, but only for the SDN environment. With the help of this product you can optimize network performance and availability with visibility and analytics across virtual and physical networks. It provides planning and recommendations for implementing micro-segmentation security, plus operational views to quickly and confidently manage and scale your VMware NSX deployment.
Let's take a step back and discuss, briefly, what VMware NSX is and why you should, as a technologist, care about it.
NSX is an innovative approach to solving long-standing network provisioning bottlenecks within the data center, and it allows for the integration of switching, routing and upper-layer services into an integrated application and network orchestration platform. With an overlay solution that may not require hardware upgrades, NSX offers customers a potentially quicker way of taking advantage of SDN capabilities by decoupling the network from hardware into a software abstraction layer allowing the end-user to programmatically create, provision and manage networks.
Essentially, NSX is doing for your network what vSphere did for your compute environments. We have typically virtualized compute and, with vSAN, storage, so adding network virtualization brings the full vision of SDDC, giving you benefits like a single pane of glass to manage your environments within vCenter, which a lot of us are already familiar with.
With NSX you gain visibility into your network that you may not have today, while allowing for division of duties in a secure manner. NSX adoption is on the rise; as of today, VMware has over 2,600 customers that have implemented NSX and over a 50% increase in license bookings.
You can learn more on NSX from a previous blog here.
You might be familiar with vRealize Network Assessment (vNA) and be asking yourself, what is the difference between vRealize Network Insight (vRNI) and vRealize Network Assessment (vNA)? The difference is that vNA only gives you the report/preview portion of the product, which takes 30 minutes to install. It takes more time to install the full product. vNA only needs to connect to vCenter and can be run with a Solutions Provider like Rolta Advizex. With vRNI, in addition to vCenter, you also need to connect it to the hardware, firewalls, etc.
As mentioned above, vRNI addresses the need for deeper, richer NSX operation and traffic analytics in the fast-growing virtual networking market. vRNI transforms operations for NSX-based SDDC across your virtual, physical, and cloud environments.
Using vRNI and vNA, Rolta Advizex can help remove the guesswork from micro-segmentation deployments with a global NetFlow assessment, and help you gain the operational insights needed to quickly and confidently manage and scale your NSX deployment with vRealize Network Insight.
What's New in 3.4
VMware recently updated vRealize Network Insight on June 01, 2017.
The new and enhanced features in this release are as follows:
I received some questions from VMware and thought that it would be fun to write this blog as a mock interview, but first let's begin with learning a little about VMware certification tracks.
VMware offers certifications in cloud management and automation, data center and network virtualization, and desktop and mobility. As a leader in the virtualization space, VMware certifications are a must-have for many IT professionals, especially those who work in data centers and/or support virtual environments.
VMware certifications are based on a version of the associated technology, which means VMware certifications change in response to technology changes. Be aware, though, that certification updates lag behind the release of new virtualization technology.
VMware Version certifications fall into four categories:
Associate certifications typically require passing a single exam to achieve certification. Candidates for Professional and Advanced Professional certifications must either take a training course or earn a prerequisite certification and pass an exam. To obtain a VCIX, candidates must earn two VCAP credentials.
Achieving a VCDX certification is more involved. Candidates must first obtain multiple prerequisite certs, then create a production-ready VMware solution and defend it in front of a panel.
Now that we have discussed the certification tracks let's jump into the interview about certifications from VMware and AdvizeX.
This interview is held between VMware and AdvizeX employees Chris Miller, a Principal Architect; Brandon Seymour, a Virtualization Architect; Patrick Stasko, a Solutions Architect; and Jamie Carlson, a Principal Networking Lead. You can find out more information on Chris and Brandon from a previous blog on being a vExpert that I wrote.
VMware: Why did you decide to take your first test and what was your motivation?
Chris Miller, AdvizeX Principal Architect: The first certification test(s) I took was the MCSE NT 4.0. My motivation at the time was enhancing my resume, gaining knowledge from the associated training, and giving my early career a boost by obtaining a certification that was in high demand at the time.
Brandon Seymour, AdvizeX Virtualization Architect: I wanted a career in IT and so I pursued my MCSE in NT 4.0. This also included training and certifications in Novell, and A+ through a technology school after the military. My first VMware certification was VCP-DCV5.0 and was taken to enhance my career in virtualization while working as an Enterprise Systems Administrator for a local University.
Patrick Stasko, AdvizeX Solutions Architect: Career Advancement.
Jamie Carlson, AdvizeX Principal Networking Lead: In 1998, it seemed one of the best sets of certifications out there was a combination of having the Novell Certified Engineer and being a Cisco Certified Network Professional. It was a great combo. It opened a lot of doors as I was leaving the Navy in 2000. My first exam was a Certified Novell Administrator.
VMware: What was your journey for the first test?
Chris Miller, AdvizeX Principal Architect: My journey for all of the tests involved a 4 week boot camp in Atlanta, GA. It was very interesting to me because I had not traveled out of state much up until that point (I was only 21 years old at the time). My employer at the time, an Internet ASP (I think we call this SaaS now :) ), offered to pay for boot camp training since we had big plans and our application was built on Microsoft technologies. Having certified folks on staff also helped lend credibility when we attempted to secure funding for future growth. We had an opportunity to receive a big discount on the training and I took it.
Brandon Seymour, AdvizeX Virtualization Architect: My journey was similar to that of Chris in that I also attended a boot camp for my MCSE and for my VMware certification I started with my employer at the time sending me to a local VAR for a week of training.
Patrick Stasko, AdvizeX Solutions Architect: A lot of book studying. Cramming. Memorizing port numbers and other facts that you would normally reference anyways.
Jamie Carlson, AdvizeX Principal Networking Lead: I had a lot of experience managing a Novell network that ran on Cabletron and later Cisco switches. It didn’t take much for me to self-study and take the Novell exam to start me as a CNA.
VMware: Were you nervous, how did you study?
Chris Miller, AdvizeX Principal Architect: I wasn't nervous, but mostly because I've been a good test taker throughout high school and college. In the boot camp, the format was 3 or 4 days of 10-hour-per-day training and taking an exam the morning of the 4th/5th day. I believe there were 5 total exams and most of the evenings were spent studying further, so I didn't get to enjoy my trip very much outside a day or so on the weekend. Throughout the boot camp training class, I focused very hard on the material and paid close attention to the instructor. Outside of class there were attempts to study, but the friends I made while there the first week and I moved our study sessions outside to the hotel pool and productivity took a dive w/ the rest of us.
Brandon Seymour, AdvizeX Virtualization Architect: I put in a lot of time studying in groups with others pursuing the MCSE certification. My VMware certification journey was a bit different in that I utilized a lot of online communities like vBrown Bag.
Patrick Stasko, AdvizeX Solutions Architect: Read. Highlight. Write important facts/figures I needed to memorize down on a notebook to commit to my internal.
Jamie Carlson, AdvizeX Principal Networking Lead: I was really nervous. I was doing it all on my own. A test was like $65 at the time. No one reimbursed me for the cost, and if I failed I’d have to take it again. The funny thing was that Novell at the time used exams that gave weighted questions based on previous answers. So, if you could answer a couple of hard questions, you could breeze right through. The shortest Novell test was five minutes long and it consisted of eleven questions. The Microsoft test takers would be crying as the Novell test takers would come in and leave. The joke eventually was on the Novell folks. After all, “what’s Novell?”
VMware: How did it benefit your career as well as your community?
Chris Miller, AdvizeX Principal Architect: The impact on my career wasn't immediately obvious. I returned home to the same job, spent a year working until like many other dotcoms we went bankrupt, and began looking for another job in a saturated market. The certification played zero role in finding my next job as I took a position with a bank where I knew folks in the IT department based on a past business relationship w/ the bank's IT group (the dotcom hosted some services in their data center). However my personal knowledge swelled considering my background was mostly networking until I attended the boot camp. The training helped tremendously with my daily job responsibilities, especially troubleshooting, but since I spent 7 years at the bank and didn't keep the certification current, I don't feel the certification had much of an impact on my career. The lesson here is that training and knowledge is more valuable than the cert once you get the job, and for most people it would help you find a job provided the entire technology economy didn't just crash and burn 4 months earlier.
Brandon Seymour, AdvizeX Virtualization Architect: I was hired right out of school by an internet provider and it wasn't what I had imagined. I was responsible for troubleshooting internet connection issues for dial-up customers and also built websites for customers. I will always remember this one call in which the customer kept dropping calls whenever his wife used the bathroom, which shared a wall with the computer and modem on the other side. When she would run the hair dryer the modem would lose connection. My VMware certification helped change the direction of my career, which at that point was just enterprise systems administration. My journey into virtualization led to me becoming an evangelist for VMware in my community. I currently serve as the local Rochester VMUG Leader and of course I blog.
Patrick Stasko, AdvizeX Solutions Architect: It solidified knowledge as an internal IT worker that I was the VMware guy. In a sales role now, it’s a required check box. I believe it had more benefit to me when I was internal IT than in pre-sales.
Jamie Carlson, AdvizeX Principal Networking Lead: I would never have been able to obtain my first position at UUNet in 2000 if I had not received my CCNA and CNE. I quickly moved up and received my CCDP and CCNP in 2001. I never re-certified any of my Novell certifications, going heavily into Cisco Systems networking. I later moved out to Juniper Networks, Meru Networks wireless, HP Networking, and finally Aruba Networking. It became apparent that understanding a set of vendors in a focus area was much more advantageous than being a vendor expert.
VMware: Knowing what you know today, what are some of the pain points in this certification that you can share with your audience?
Chris Miller, AdvizeX Principal Architect: The biggest pain point IMO with at least the MCSE (at the time), and my understanding is this problem is greater now due to the algorithms involved with the test, is dealing with an adaptive test. It seems when you are doing well the test pulls questions from the deepest, darkest corners of the training material and can prove challenging. Also the sheer number of trick questions and questions that are worded such that multiple answers really would apply makes testing difficult. Be ready for anything and if you are testing for a technology you can obtain and practice with, do not hesitate to do so. Also never give up. Failing a certification test should be considered a $200 practice round; do not let it demotivate you. Later in my career my #1 testing strategy was to take a test without studying, see how well I do, try to remember what I struggled w/ the most, and to study in this context. It also gives you a good idea how "tricky" the creators of the exam are with respect to content.
Brandon Seymour, AdvizeX Virtualization Architect: I agree with Chris in that if you fail the first time don't be discouraged and remember that others have gone before you so reach out for support. A lot of these certification tests are progressive in that they change up depending on how well you are answering the questions so you need to know the information. Take advantage of communities like vBrown Bag because they put on study sessions to assist.
Patrick Stasko, AdvizeX Solutions Architect: You will need to memorize what I would normally consider reference-able material which is a pain in the butt.
Jamie Carlson, AdvizeX Principal Networking Lead: Know the exam and also know the job or technology. In the Cisco Systems world, and I assume there are many vendors like this, there are three answers to every test question. There is the wrong answer. There is the correct answer. But, most importantly, there is the correct Cisco Systems answer. Some vendors are worse than others. Instead of testing you on how to implement and manage the technology, they also want you to know how to increase their market share and lower others'. Cisco Systems was always very good at that.
For more information on certifications with VMware please visit MyLearn.