Build a Digital Manufacturing Platform with the VMware Edge Compute Stack

Build a Digital Manufacturing Platform with the VMware Edge Compute Stack

VMware revealed their edge computing vision at VMworld 2021. In VMware’s view the multi-cloud extends from the public clouds to private clouds to edge. Edge is about bringing apps and services closer to where they are needed, especially in sectors like retail, transportation, energy and manufacturing.

In verticals like manufacturing the edge was always important. It’s about producing things than you can sell. If you cannot produce, you lose time and money. Reliability, stability and factory uptime are not new requirements. But why is edge becoming so important now?

Without looking at any analyst report and only providing experience from the field, it is clear why. Almost all of the large enterprises are migrating workloads from their global (central) data centers to the public cloud. At the same time, customers are looking at new innovations and technologies to connect their machines, processes, people and data in a much more efficient way.

Which requirement did all my customers have in common? They didn’t want to move their dozens or hundreds of edge infrastructures to the public cloud, because the factories should work independently and autonomously in case of a WAN outage for example. Additionally, some VMware technologies were already deployed at the edge.

VMware Edge Compute Stack

This is why VMware introduced the so-called “Edge Compute Stack” (ECS) in October 2021, which is provides a unified platform to run VMs alongside containerized applications at the far edge (aka enterprise edge). ECS is a purpose-built stack that is available in three different editions (information based on initial availability from VMworld 2021):

VMware Edge Comput Stack Editions

As you can see, each VMware Edge Compute Stack edition has the vSphere Enterprise+ (hypervisor) included, software-defined storage with vSAN is optional, but Tanzu for running containers is always included.

While ECS is great, the purpose of this article is about highlighting different solutions and technologies that help you to build the foundation for a digital manufacturing platform.

IT/OT Convergence

You most probably have a mix of home-grown and COTS (commercial off-the-shelf) software, that need to be deployed in your edge locations (e.g., factories, markets, shops etc.). In manufacturing, OT (operational technology) vendors have just started the adoption of container technologies due to unique technology requirements and the business model that relies on proprietary systems.

The OT world is typically very hardware-centric and uses proprietary architectures. These systems and architectures, which were put into production 15-20 years ago, are still functional. It just worked.

While these methods and architectures have been very good, the manufacturing industry realized that this static and inflexible approach resulted in a technology debt, that didn’t allow any innovation for a long period of time.

Manufacturing companies are moving to a cloud-native architecture that should provide more flexibility and vendor interoperability with the same focus in mind: To provide a reliable, scalable and flexible infrastructure.

This is when VMware becomes relevant again with their (edge) compute stack. VMware vSphere allows you to run VMs and containers on the same platform. This is true for IT and OT workloads, that’s IT partial IT/OT covergence.

You may ask yourself how you then would  design the network. I’ll answer this topic in a minute.

Kubernetes Operations

IT platform teams, who design and manage the edge have to expand their (VMware) platform capabilities that allow them to deploy and host containers. Like I said before, this is why Tanzu is included in all the VMware Edge Compute Stack editions. Kubernetes is the new Infrastructure-as-a-Service (IaaS) and so it makes only sense that the container deployment and management capability is included.

How do you provide centralized or regional Kubernetes management and operations if you don’t have a global (regional) data center anymore?

With a hybrid approach, by using Tanzu for Kubernetes Operations (TKO), a set of SaaS services that allow you to run, manage, connect and secure your container infrastructure across clouds and edge locations.

IT/OT Security

Now you have the right platform to run your IT and OT workloads on the same hypervisor or compute platform. You also have a SaaS-based control plane to deploy and manage your Kubernetes clusters. 

As soon as you are dealing with a very dynamic environment where containers exist, you are having discussions about software-defined networking or virtualized networks. Apart from that, every organization and manufacturer are transforming their network and security at the edge and talk about network segmentation (and cybersecurity!).

Traditionally, you’ll find the Purdue Model implemented, a concept model for industrial control systems (ICS) that breaks the network in two zones:

  • Information Technology (IT)
  • Operational Technology (OT)

The Purdue Model of Computer Integrated Manufacturing

Source: https://www.automationworld.com/factory/iiot/article/21132891/is-the-purdue-model-still-relevant 

In these IT and OT zones you’ll find subzones that describe different layers and the ICS components. As you can see as well, each level is secured by a dedicated physical firewall appliance. From this drawing one could say that the IT and OT world converge in the DMZ layer, because of the bidirectional traffic flow.

VMware is one of the pioneers when it comes to network segmentation that helps you driving IT/OT convergence. This is made possible by using network virtualization. As soon as you are using the VMware hypervisor and its integrated virtual switch, you are already using a virtualized network.

To bring IT and OT closer together and to provide a virtualized network design based on the Purdue Model including a zero-trust network architecture, you would start looking at VMware NSX to implement that.

In case you are looking for a software-defined load balancer or application delivery controller, have a look at NSX Advanced Load Balancer (formerly known as Avi).

PLC Virtualization

In level 2 of the Purdue Model, which hosts the systems for supervising, monitoring and controlling the physical process, you will find components like human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) software.

In level 3, manufacturing execution systems (MES) can be found.

Nowadays, most companies already run their HMIs, SCADAs and MES software in virtual machines on the VMware vSphere hypervisor.

The next big thing is the virtualization of PLCs (programmable logic controller), which is an industrial computer that controls manufacturing processes, such as machines, assembly lines and robotic devices. Traditional PLC implementations in hardware are costly and lack scalability.

That is why the company SDA was looking for a less hardware-centric but more software-centric approach and developed the SDA vPLC that is able to meet sub 10ms performance.

This vPLC solution is based on a hybrid architecture between a cloud system and the industrial workload at the edge, which has been tested on VMware’s Edge Compute Stack.

Monitoring & Troubleshooting

One area, which we haven’t highlighted yet, is the monitoring and troubleshooting of virtual machines (VMs). The majority of your workloads are still VM-based. How do you monitor these workloads and applications, deal with resource and capacity planning/management, and troubleshoot, if you don’t have a central data center anymore?

With the same approach as before – just with a cloud-based service. Most organizations rely on vRealize Operations (vROps) and vRealize Log Insight (vRLI) for their IT operations and platform teams gain visibility in all the main and edge data centers.

You can still use vROps and vRLI (on-premises) in your factories, but VMware recommends using the vRealize Cloud Universal (vRCU) SaaS management suite, that gives you the flexibility to deploy your vRealize products on-premises or as SaaS. In an edge use case the SaaS-based control plane just makes sense.

In addition to vRealize Operations Cloud you can make use of the vRealize True Visibility Suite (TVS), that extends your vRealize Operations platform with management packs and connectors to monitor different compute, storage, network, application and database vendors and solutions.

Factory VDI

Some of your factories may need virtual apps or desktops and for edge use cases there are different possible architectures available. Where a factory has a few hundred of concurrent users, a dedicated standalone VDI/RDSH deployment might make sense. What if you have hundreds of smaller factories and don’t want to maintain a complete VDI/RDSH infrastructure?

VMware is currently working on a new architecture for VMware Horizon (aka VMware Horizon Next-Generation) and their goal is to provide a single, unified platform across on-premises and cloud environments.  They also plan to do that by introducing a pod-less architecture that moves key components to the VMware-hosted Horizon (Cloud) Control Plane.

This architecture is perfectly made for edge use cases and with this approach customers can reduce costs, expect increased scalability, improve troubleshooting and provide a seamless experience for any edge or cloud location.

VMware Horizon Next-Generation 

Management for Enterprise Wearables

If your innovation and tech team are exploring new possibilities with wearable technologies like augmented reality (AR), mixed reality (MR) and virtual reality (VR) head-mounted displays (HMDs), then VMware Workspace ONE Unified Endpoint Management (UEM) can help you to securely manage these devices!

Workspace ONE UEM is very strong when it comes to the modern management of Windows Desktop and macOS operating systems, and device management (Android/iOS).

Conclusion

As you can see, VMware has a lot to offer for the enterprise edge. Organizations that are multi-cloud and keep their edge locations on-premises, have a lot of new technologies and possibilities nowadays.

VMware’s strengths are unfolded as soon as you combine different solutions. And these solutions help you to work on your priorities and requirements to build the right foundation for a digital manufacturing platform.

VMware Cloud on AWS – The Power of VMware and AWS

VMware Cloud on AWS – The Power of VMware and AWS

VMware Cloud on AWS (VMC on AWS) brings VMware’s software-defined data center (SDDC) stack to the AWS cloud. By using the same vSphere-based virtualization/cloud technology on-premises and in the public cloud, you can create a true hybrid cloud architecture, that enables you to get consistent operations by using consistent infrastructure.

VMC on AWS Overview

This solution comes with optimized access to the AWS services and is delivered, sold and supported by VMware, AWS and their partner networks.

As you can see above, VMC on AWS comes with the same VMware tools and integrates the VMware Cloud Foundation stack (vSphere for compute, vSAN for storage, NSX for networking) along with vCenter for management.

VMware Cloud on AWS runs on dedicated Amazon EC2 bare-metal infrastructure.

Instance Types

VMware Cloud on AWS comes with two different host configurations, which both require a minimum of two hosts per cluster.

VMC on AWS Instances

For identifying the right host types for specific use cases, check out the VMware Cloud on AWS sizer.

Note: 99.9% SLA for non-stretched clusters, 99.99% for stretched clusters

Single Host Starter Configuration

VMC on AWS allows you to deploy a starter configuration with a single host only (not available with i3en.metal hosts).

This small SDDC configuration allows customers to get their first experiences with this hybrid cloud offering during a 60-day time period. Such a setup is only appropriate for test and development or proof of concept use cases. You can run production workloads on this small VMC on AWS environment if you scale up to the minimum of two hosts before the 60-day period ends, otherwise your evaluation ends with you losing data.

Note: Not all features of the standard VMC service offering are available in this limited setting. The VMC on AWS service level offering also does not apply to this one-node offering.

Included VMware Software

The following software is included in single host and production configurations:

Single Hosts (non-production environments) Production (minimum 2 hosts)

Includes

  • VMware SDDC software: vSphere, vSAN, NSX-T, vCenter Server
  • VMware HCX
  • Dedicated Amazon EC2 Bare Metal Instances
  • VMware Global Support

Purchase separately

  • VMware Site Recovery
  • VMware Cloud Disaster Recovery
  • VMware vRealize Automation Cloud
  • VMware vRealize Operations Cloud
  • VMware vRealize Log Insight Cloud
  • VMware vRealize Network Insight Cloud
  • VMware Tanzu Standard

Not supported

  • Lifecycle management by VMware (updates, patches and upgrades)
  • High Availability (HA) and Stretched Clusters
  • Service Level Agreement (SLA)

Includes

  • VMware SDDC software: vSphere, vSAN, NSX-T, vCenter Server
  • VMware HCX
  • VMware Tanzu Services: TKG Service + TMC Essentials
  • Dedicated Amazon EC2 Bare Metal Instances
  • VMware Global Support
  • Lifecycle management by VMware (updates, patches and upgrades)
  • Support for High Availability (HA) and Stretched Clusters
  • Service Level Agreement (SLA)

Purchase separately

  • VMware Site Recovery
  • VMware Cloud Disaster Recovery
  • VMware NSX Advanced Firewall
  • VMware vRealize Automation Cloud
  • VMware vRealize Operations Cloud
  • VMware vRealize Log Insight Cloud
  • VMware vRealize Network Insight Cloud
  • VMware Tanzu Standard

VMware Cloud on AWS Outposts

If you want to get the agility and innovation of (VMware) Cloud in your own data center, delivered as a service, then VMC on AWS Outposts is for you.

VMC on AWS Outposts is a fully managed on-premises as-a-service offering, that stretches VMC on AWS to your data center or edge location. You’ll get dedicated Amazon Nitro-based EC2 bare-metal instances delivered on-premises with VMware Cloud Foundation running on top.

VMC on AWS Outposts

What’s included in the offering?

  • AWS Outposts 42u rack (we can also expect a half-rack offering in the future)
    • 3-8 hosts configurations based on i3en.metal
    • Dark host capacity included (for remediation, EDRS, scale-out and lifecycle management purposes)
    • Installed by AWS
  • AWS managed dedicated Nitro-based i3en.metal EC2 instance with local SSD storage
  • VMware managed SDDC software – vSphere, vSAN, NSX-T, vCenter Server
  • VMware HCX
  • VMware Cloud Console
  • Support by VMware SREs
  • Supply chain, shipment logistics and onsite installation by AWS
  • Ongoing hardware monitoring with break/fix support.

Use Cases

VMware Cloud on AWS Outposts is made for multiple use cases:

  • Data/App Locality
  • Low latency
  • Local data processing
  • Data sovereignty/compliance
  • Infrastructure modernization
  • Branche Office or large edge modernization

But this offering and VMC on AWS in general come with multiple other use cases which help orgnaizations to fulfill their cloud strategy.

App Modernization

VMware Cloud on AWS provides an infrastructure platform option for customers to modernize their existing enterprise applications on and enables them to run their enterprise workloads of today and tomorrow. With VMware Cloud on AWS, customers can run, monitor, and manage their Kubernetes clusters and virtual machines – all on the same infrastructure. VMware Tanzu Kubernetes Grid provides a consistent, upstream-compatible distribution of Kubernetes, that is tested, signed, and supported by VMware. Tanzu Kubernetes Grid is central to many of the offerings in the VMware Tanzu portfolio.

Solution Brief

Cloud Migration / Data Center Extension

VMC on AWS can help customers to expand to new locations. Maybe it’s an unplanned project or there are temporary or seasonal capacity needs. Some customers are also using such an offering to build a flexible test, lab or training environment in the public cloud.

Solution Brief

Cloud VDI

Adopt a robust, feature-rich cloud platform for virtual desktops and applications that can be used to deliver complete VDI infrastructure from the cloud. Or you can extend an existing on-premises VDI environment for desktop bursting, protection or proximity to applications running in AWS. Optimize infrastructure costs with flexible, consumption-based billing while paying only for what you use.

Solution Brief

Disaster Recovery

Another typical use case is disaster recovery. Customers are looking for an offsite approach with which they can prepare themselves for different kind of scenarios with “warm standby” or “active/active” configurations. There are different architectural options and also different solutions from VMware available, e.g.:

Hybrid Cloud Extension (HCX)

How can you bridge the gap between on-premises data centers and VMC on AWS to enable application migrations or workload mobility? HCX creates an encrypted, high-throughput, WAN-optimized, load-balanced, traffic-engineered hybrid interconnect automates the creation of network extensions.

In short: VMware HCX can interconnect different vSphere-based clouds and with that you achieve a fabric for workload mobility by using vMotion over different clouds. It even preserves existing network connections!

Imagine how much easier and faster application migrations can be done now.

Let’s see if there is a future, that customers need full workload mobility where regular migrations from and to different clouds can be done. Maybe there is a customer, who migrates workloads today from on-prem to VMC on AWS, tomorrow to Azure VMware Solution, the next week to Google Cloud VMware Engine, and in the end back to an on-premises data center where another fully managed service like VMC on Dell EMC is deployed. 😀

VMware Cloud on AWS with Tanzu Services

It was mentioned above already, VMware Cloud on AWS includes “Tanzu Kubernetes Service” and “Tanzu Mission Control Essentials”.

VMware Cloud with Tanzu Services has been introduced at VMworld 2021 as the “Easy path to enterprise-grade Kubernetes on a fully managed, multi-cloud ready IaaS and CaaS platform”:

VMware Cloud with Tanzu Services

 

This was also when Tanzu Services became available for VMC on AWS with the following capabilities:

  • Managed Tanzu Kubernetes Grid Service: Provision Tanzu Kubernetes clusters within a few minutes using a simple, fast, and self-service experience in the VMware Cloud console. The underlying SDDC infrastructure and capacity required for Kubernetes workloads is fully managed by VMware. Use vCenter Server for managing Kubernetes workloads by deploying Kubernetes clusters, provisioning role-based access and allocating capacity for Developer teams. Manage multiple TKG clusters as namespaces with observability, troubleshooting and resiliency in vCenter Server.
  • Built in support for Tanzu Mission Control Essentials: Attach upstream compliant Kubernetes clusters including Amazon EKS and Tanzu Kubernetes Grid clusters. Manage lifecycle for Tanzu Kubernetes Grid clusters and centralize platform operations for Kubernetes clusters using the Kubernetes management plane offered by Tanzu Mission Control. Tanzu Mission Control provides a global visibility across clusters and clouds and increases security and governance by automating operational tasks such as access and security management at scale.

VMware Cloud with Tanzu Services

Take a look at the VMware Tanzu Mission Control Feature Comparison Chart to better understand the feature set of TMC Essentials.

Did you know that the Tanzu Mission Control Standard Package is included with TMC Essentials?

As of November 2021, new clusters registered with TMC will have the Carvel package manager (the kapp-controller), deployed within the cluster. The “Catalog” page in the Tanzu Mission Control console allows you to view packages available from the Tanzu Standard repository (and your own custom Carvel package repositories) and install them in your Kubernetes clusters.

Tanzu Mission Control Packages

Application Transformer for VMware Tanzu for VMC on AWS

VMware announced the tech preview for Application Transformer for VMware Tanzu for VMware Cloud on AWS in September 2021.

Application Transformer for VMware Tanzu is a tool that aids organizations in discovering application types, visualizing application topology, choosing a modernization approach based on scores, and containerizing and migrating suitable legacy applications to enhance business outcomes. As an agentless tool, Application Transformer for Tanzu utilizes the VMware vCenter API to introspect VMs across an entire vSphere or VMware Cloud on AWS-based data center.

Application Transformer can help you to convert virtual machines and application components to OCI-compliant container images, that then can be deployed into the Tanzu Kubernetes stack.

There are several ways how customers get access to Application Transformer for VMware Tanzu:

Good news for everyone is that Application Transformer for VMware Tanzu became generally available in February 2022. With this, VMware Cloud on AWS customers also have limited access to this offering from now on. The access is through integration with VMware Cloud console. If customers desire full access to Application Transformer, they need to buy Tanzu Standard, Tanzu Advanced, Tanzu for Kubernetes Operations, or App Navigator.

Features & Roadmap

VMware provides a lot of information about the features and roadmap of VMware Cloud on AWS.

VMC on AWS FAQ

There is a large collection of FAQs available than can be found here.

VMworld 2021 – My Content Catalog and Session Recommendation

VMworld 2021 – My Content Catalog and Session Recommendation

VMworld 2021 is going to happen from October 6-7, 2021 (EMEA). This year you can expect so many sessions and presentations about the options you have when combining different products together, that help you to reduce complexity, provide more automation and therefore create less overhead.

Let me share my 5 personal favorite picks and also 5 recommended sessions based on the conversations I had with multiple customers this year.

My 5 Personal Picks

10 Things You Need to Know About Project Monterey [MCL1833]

Project Monterey was announced in the VMworld 2020 keynote. There has been tremendous work done since then. Hear Niels Hagoort and Sudhansu Jain talking about SmartNICs and how they will redefine the data center with decoupled control and data planes – for ESXi hosts and bare-metal systems. They are going to cover and demo the overall architecture and use cases!

Upskill Your Workforce with Augmented and Virtual Reality and VMware [VI1596]

Learn from Matt Coppinger how augmented realited (AR) and virtual reality (VR) are transforming employee productivity, and how these solutions can be deployed and managed using VMware technologies. Matt is going to cover the top enterprise use cases for AR/VR as well as the challenges you might face deploying these emerging technologies. Are you interested how to architect and configure VMware technologies to deploy and manage the latest AR/VR technology, applications and content? If yes, then this session is also for you.

Addressing Malware and Advanced Threats in the Network [SEC2027] (Tech+ Pass Only)

I am very interested to learn more cybersecurity. With Chad Skipper VMware has an expert who can give insights on how the Network Detection and Response (NDR) capabilities if NSX Advanced Threat Prevention provide visibility, detection and prevention of advanced threats.

60 Minutes of Non-Uniform Memory Access (NUMA) 3rd Edition [MCL1853]

Learn more about NUMA from Frank Denneman. You are going to learn more about the underlying configuration of a virtual machine and discover the connection between the Generapl-Purpose Graphics Processing Unit (GPGPU) and the NUMA node. You will also understand after how your knowledge of NUMA concepts in your cluster can help the developer by aligning the Kubernetes nodes to the physical infrastructure with the help of VM Service.

Mount a Robust Defense in Depth Strategy Against Ransomware [SEC1287]

Are you interested to learn more about how to protect, detect, respond to and recover from cybersecurity attacks across all technology stacks, regardless of their purpose or location? Learn more from Amanda Blevins about the VMware solutions for end users, private clouds, public clouds and modern applications.

5 Recommended Sessions based on Customer Conversations

Cryptographic Agility: Preparing for Quantum Safety and Future Transition [VI1505]

A lot of work is needed to better understand cryptographic agility and how we can address and manage the expected challenges that come with quantum computing. Hear VMware’s engineers from the Advanced Technology Group talking about the requirements of crypto agility and VMware’s recent research work on post-quantum cryptography in the VMware Unified Access Gateway (UAG) project.

Edge Computing in the VMware Office of the CTO: Innovations on the Horizon [VI2484]

Let Chris Wolf give you some insight into VMware’s strategic direction in support of edge computing. He is going to talk about solutions that will drive down costs while accelerating the velocity and agility in which new apps and services can be delivered to the edge.

Delivering a Continuous Stream of More Secure Containers on Kubernetes [APP2574]

In this session one can see how you can use two capabilities in VMware Tanzu Advanced, Tanzu Build Service and Tanzu Application Catalog, to feed a continuous stream of patched and compliant containers into your continuous delivery (CD) system. A must attend session delivered by David Zendzian, the VMware Tanzu Global Field CISO.

A Modern Firewall For any Cloud and any Workload [SEC2688]

VMware NSX firewall reimagines East-West security by using a distributed- and software-based approach to attach security policies to every workload in any cloud. Chris Kruegel gives you insights on how to stop lateral movement with advanced threat prevention (ATP) capabilities via IDS/IPS, sandboxing, NTA and NDR.

A Practical Approach for End-to-End Zero Trust [SEC2733]

Hear different the VMware CTOs Shawn Bass, Pere Monclus and Scott Lundgren talking about a zero trust approach. Shawn and the others will discuss specific capabilities that will enable customers to achieve a zero trust architecture that is aligned to the NIST guidance and covers secure access for users as well secure access to workloads.

Enjoy VMworld 2021! 🙂

 

VMware Carbon Black Cloud Workload – Agentless Protection for vSphere Workloads

VMware Carbon Black Cloud Workload – Agentless Protection for vSphere Workloads

At VMworld 2020 VMware announced Carbon Black Cloud Workload (CBC Workload) as part of their intrinsic security approach.

For me, this was the biggest and most important announcement from this year’s VMworld. It is a new offering, which is relevant for every vSphere customer out there – even the small and medium enterprises, which maybe still just rely on ESXi and vCenter only for their environment.

CBC Workload introduces protection for workloads in private and public clouds. For vSphere, there is no additional agent installation needed, because the Carbon Black sensor (agent) is built into vSphere. That’s why you may hear that this solution is “agentless”.

Carbon Black Cloud Workload Bundles

This cloud-native (SaaS) solution provides foundational workload hardening and vulnerability management combined with prevention, detection and response capabilities to protect workloads running in virtualized private cloud and hybrid cloud environments.

Carbon Black Cloud Workload Protection Bundles

Note: Customers, that are using vSphere and VMware Horizon, should take a look at Workspace Security VDI, which has also been announced at VMworld 2020. A single-vendor solution with the combination of VMware Horizon and Carbon Black.

If you would like to know more about the interoperability of Carbon Black and Horizon, have a look at KB79180.

Carbon Black Cloud Workload Overview

Customers and partners have now the possibility to provide a workload security solution for Windows and Linux virtual machines. The complete system requirements can be found here.

“You can enable Carbon Black in your data center with an easy one-click deployment. To minimize your deployment efforts, a lightweight Carbon Black launcher is made available with VMware Tools. Carbon Black launcher must be available on the Windows and Linux VMs.”

Carbon Black enable via vCenter

Carbon Black Cloud Workload consists of a few key components that interact with each other:

CBC Workload Components

You must first deploy an on-premises OVF/OVA template for the Carbon Black Cloud Workload appliance (4 vCPU, 4GB RAM, 41GB storage) that connects the Carbon Black Cloud to the vCenter Server through a registration process. After the registration is complete, the Carbon Black Cloud Workload appliance deploys the Carbon Black Cloud Workload plug-in and collects the inventory from the vCenter Server.

The plug-in provides visibility into processes and network connections running on a virtual machine.

As a vCenter Server administrator, you want to have visibility of known vulnerabilities in your environment to understand your security posture and schedule maintenance windows for patching and remediation. With the help of vulnerability assessment, you can proactively minimize the risk in your environment. You can now monitor known vulnerabilities from the Carbon Black Cloud Workload plug-in:

vSphere Client Carbon Black

The infosec guys in your company would do the vulnerability assessment from the CBC console:

CBC Vulnerabilities

Carbon Black Cloud Workload protection provides vSphere administrators a full inventory, appliance health and vulnerability reporting from one console, the already well-known vSphere Client.

Carbon Black vSphere Client Summary

Cybersecurity Requirements

According to the NIST Cybersecurity Framework the security lifecycle is made of five functions:

  1. Identify – Cloud & Service Context, Dynamic Asset Visibility, Compliance & Standards, Cloud Risk Management
  2. Protect – Services / API Defined, Cloud Access Control, Network Integrity, Data Security, Change Control & Guardrails
  3. Detect – Cloud-Speed, Inter-connected Services, Events & Anomalies, Continuous Monitoring
  4. Respond – DevOps Collaboration, Real-time Notifications, Automated Actions, Response as Code
  5. Recover – Templates / Code Review, Shift Left / Pipeline, Exceptions and Verification

Workload Security Lifecycle

CBC Workload focuses on identifying the risks with workload visibility and vulnerability management, which are part of the “Workload Essentials” edition.

If you would like to prevent malicious activities to protect your workloads and replace your existing legacy anti-virus (AV) solution, then “Workload Advanced” would be the right edition for you as it includes Next-Gen AV (NGAV).

Behavioral EDR (Endpoint Detection & Response), also part of the “Advanced” bundle, belongs to “detect & respond” of the security lifecycle.

Workload Security for Kubernetes

Carbon Black Guardrails and Runtime Security

You just learned that Carbon Black Cloud gives workload protection for virtualized Windows or Linux virtual machines running on vSphere. What about container security for Kubernetes?

In May 2020 VMware officially closed its acquisition of Octarine, a SaaS security platform for protecting containers and Kubernetes. VMware bought Octarine to enable Carbon Black to secure applications running in Kubernetes.

Traditional security is no longer relevant for the security of Kubernetes, because Kubernetes is so powerful and hence risky, networking is very complex and a total different game, because static IPs and ports are no longer relevant. And you need a new security approach which is compatible with IT’s organizational shift from traditional to a DevSecOps approach.

VMware’s solution covers the whole lifecycle of the application from building the container to the app running in production. It is a two-part solution with the first one being “Guardrails“. It is able to scan container images for vulnerabilities and Kubernetes manifests for any misconfigurations.

Carbon Black Cloud Guardrails Module

The second part is runtime protection. When the workloads are deployed in production, the Carbon Black security agent is able to detect malicious activities.

Carbon Black Cloud Runtime Module 

Let’s have a look at the different features the Kubernetes “Guardrails” provide for each phase of the application:

  • Build: Image vulnerability scanning, Kubernetes configuration hardening
  • Deploy: Policy governance, compliance reporting, visibility and hardening
  • Operate: Threat detection and response, anomaly detection and least privilege runtime, event monitoring

And these were the key capabilities and benefits, which have been mentioned at VMworld 2020 for “Guardrails”:

Carbon Black Kubernetes Guardrails Features

For “runtime” security the following key capabilities and benefits were mentioned:

  • Visibility of network traffic
  • Coverage of workloads and hosts activity
  • Network policy management
  • Threat detection
  • Anomaly detection
  • Egress security
  • SIEM integration

Customers will be able to have visibility of all the workloads running in the local or cloud-native production clusters and how they interact with each other. They will also see which services are exposed to ingress traffic, which services are exiting the cluster and where this egress traffic is going to. It is also going to be visible which communication is encrypted and what type of encryption is used.

Note: The Carbon Black Cloud module for hardening and securing Kubernetes workloads is expected to be generally available until the end of 2020.

The launch of Carbon Black Workload was the first important step to let the intrinsic security vision become more a reality (after VMware acquired Carbon Black). Moving on with Kubernetes and bringing new container security capabilities is going to be the next big move forward, that VMware can become a major security provider. 

Stay tuned for more security announcements!

Additional Resources

If you would like to know more about Carbon Black Cloud Workload and security for Kubernetes, have a look at:

Introduction to Alibaba Cloud VMware Solution (ACVS)

Introduction to Alibaba Cloud VMware Solution (ACVS)

VMware’s hybrid and multi-cloud strategy is to run their Cloud Foundation technology stack with vSphere, vSAN and NSX in any private or public cloud including edge locations. I already introduced VMC on AWS, Azure VMware Solution (AVS), Google Cloud VMware Engine (GCVE) and now I would like to briefly summarize Alibaba Cloud VMware Solution (ACVS).

VMware Multi-Cloud Offerings

A lot of European companies, this includes one of my large Swiss enterprise account, defined Alibaba Cloud as strategic for their multi-cloud vision, because they do business in China. The Ali Cloud is the largest cloud computing provider in China and is known for their cloud security, reliable and trusted offerings and their hybrid cloud capabilities.

In September 2018, Alibaba Cloud (also known as Aliyun), a Chinese cloud computing company that belongs to the Alibaba Group, has announced a partnership with VMware to deliver hybrid cloud solutions to help organizations with their digital transformation.

Alibaba Cloud was the first VMware Cloud Verified Partner in China and brings a lot of capabilities and services to a large number of customers in China and Asia. Their current global infrastructure operates worldwide in 22 regions and 67 availability zones with more regions to follow. Outside Main China you find Alibaba Cloud data centers in Sydney, Singapore, US, Frankfurt and London.

As this is a first-party offering from Alibaba Cloud, this service is owned and delivered by them (not VMware). Alibaba is responsible for the updates, patches, billing and first-level support.

Alibaba Cloud is among the world’s top 3 IaaS providers according to Gartner and is China’s largest provider of public cloud services. Alibaba Cloud provides industry-leading flexible, cost-effective, and secure solutions. Services are available on a pay-as-you-go basis and include data storage, relational databases, big-data processing, and content delivery networks.

Currently,  Alibaba Cloud has been declared as a Niche player according to the actual Gartner Magic Quadrant for Cloud Infrastructure and Platform Services (CIPS) with Oracle, IBM and Tencent Cloud.

Alibaba Gartner CIPS MQ

Note: If you would like to know more about running the VMware Cloud Foundation stack on top of the Oracle Cloud as well, I can recommend Simon Long’s article, who just started to write about Oracle Cloud VMware Solution (OCVS).

This partnership with VMware and Alibaba Cloud has the same goals like other VMware hybrid cloud solutions like VMC on AWS, OCVS or GCVE – to provide enterprises the possibility to meet their cloud computing needs and the flexibility to move existing workloads easily from on-premises to the public cloud and have highspeed access to the public cloud provider’s native services.

ACVS vSphere Architecture

In April 2020, Alibaba Cloud and VMware finally announced the general availability of Alibaba Cloud VMware Solution for the Main China and Hongkong region (initially). This enables customers to seamlessly move existing vSphere-based workloads to the Alibaba Cloud, where VMware Cloud Foundation is running on top of Aliyun’s infrastructure.

As already common with such VMware-based hybrid cloud offerings, this let’s you move from a Capex to a Opex-based cost model based on subscription licensing.

Joint Development

X-Dragon – Shenlong in Chinese – is a proprietary bare metal server architecture developed by Alibaba Cloud for their cloud computing requirements. It offers direct access to CPU and RAM resources without virtualization overheads that bare metal servers offer (built around a custom X-Dragon MOC card). The virtualization technology, X-Dragon, behind Alibaba Cloud Elastic Compute Service (ECS) is now in its third generation. The first two generations were called Xen and KVM.

X-Dragon  NIC

VMware works closely together with the Alibaba Cloud engineers to develop a VMware SDDC (software-defined data center based on vSphere and NSX) which runs on this X-Dragon bare metal architecture.

The core of the MOC NIC is the X-Dragon chip. The X-Dragon software system runs on the X-Dragon chip to provide virtual private cloud (VPC) and EBS disk capabilities. It offers these capabilities to ECS instances and ECS bare metal instances through VirtIO-net and VirtIO-blk standard interfaces.

Note: The support for vSAN is still roadmap and comes later in the future (no date committed yet). Because the X-Dragon architecture is a proprietary architecture, running vSAN over it requires official certification. 

Project Monterey

Have you seen VMware’s announcement at VMworld 2020 about Project Monterey which allows you to run VMware Cloud Foundation on a SmartNIC? For me, this looks similar to the X-Dragon architecture 😉

Project Monterey VMware Cloud Foundation Use Cases

Data Center extension or retirement. You can scale the data center capacity in the cloud on-demand, if you for example don’t want to invest in your on-premises environment anymore. In case you just refreshed your current hardware, another use case would be the extension of your on-premises vSphere cloud to Alibaba Cloud.ACVS Disaster Recovery

Disaster Recovery and data protection. Here we’ll find different scenarios like recovery (replication) or backup/archive (data protection) use cases. You can use your ACVS private clouds as a disaster recovery (DR) site for your on-premises workloads. This DR solution would be based on VMware Site Recovery Manager (SRM) which can be also used together with HCX. At the moment Alibaba Cloud offers 9 regions for DR sites.

Cloud migrations or consolidation. If you want to start with a lift & shift approach to migrate specific applications to the cloud, then ACVS is the right choice for you. Maybe you want to refresh your current infrastructure and need to relocate or migrate your workloads in an easy and secure way? Another perfect scenario would be the consolidation of different vSphere-based clouds.

ACVS Migration to Alibaba Cloud

Multicast Support with NSX-T

Like with Microsoft Azure and Google Cloud, an Alibaba Cloud ECS instance or VPC in general doesn’t support multicast and broadcast. That is one specific reason why customers need to run NSX-T on top of their public cloud provder’s global cloud infrastructure.

Connectivity Options

For (multi-)national companies Alibaba Cloud has different enterprise-class networking offerings to connect different sites or regions in a secure and reliable way.

Cloud Enterprise Network (CEN) is a highly-available network built on the high-performance and low-latency global private network provided by Alibaba Cloud. By using CEN, you can establish private network connections between Virtual Private Cloud (VPC) networks in different regions, or between VPC networks and on-premises data centers.  The CEN is also available in Europe in Germany (Frankfurt) and UK (London).

Alibaba Cloud Cloud Enterprise Network

Alibaba Cloud Express Connect helps you build internal network communication channels that feature enhanced cross-network communication speed, quality, and security. If your on-premises data center needs to communicate with an Alibaba Cloud VPC through a private network, you can apply for a dedicated physical connection interface from Alibaba Cloud to establish a physical connection between the on-premises data center and the VPC. Through physical connections, you can implement high-quality, highly reliable, and highly secure internal communication between your on-premises data center and the VPC. 

Alibaba Cloud Express Connect

ACVS Architecture and Supported VMware Cloud Services

Let’s have a look at the ACVS architecture below. On the left side you see the Alibaba Cloud with the VMware SDDC stack loaded onto the Alibaba bare metal servers with NSX-T connected to the Alibaba VPC network.

This VPC network allows customers to connect their on-premises network and to have direct acccess to Alibaba Cloud’s native services.

Customers have the advantage to use vSphere 7 with Tanzu Kubernetes Grid and could leverage their existing tool set from the VMware Cloud Management Platform like vRealize Automation (native integration of vRA with Alibaba Cloud is still a roadmap item) and vRealize Operations.

Alibaba Cloud VMware Solution Architecture

The right side of the architecture shows the customer data centers, which run as a vSphere-based cloud on-premises managed by the customer themselves or as a managed service offering from any service provider. In between, with the red lines, the different connectivity options like Alibaba Direct Connect, SD-WAN or VPN connections are mentioned with different technologies like NSX-T layer 3 VPN, HCX and Site Recovery Manager (SRM).

To load balance the different application services across the different vSphere-based or native clouds, you can use NSX Advanced Load Balancer (aka Avi) to configure GSLB (Global Server Load Balancing) for high availability reasons.

Because the entire stack on top of Alibaba Cloud’s infrastructure is based on VMware Cloud Foundation, you can expect to run everything in VMware’s product portfolio like Horizon, Carbon Black, Workspace ONE etc. as well.

You can also deploy AliCloud Virtual Edges with VMware SD-WAN by VeloCloud.

Node Specifications

The Alibaba Cloud VMware Solution offering is a little bit special and I hope that I was able to translate the Chinese presentations correctly.

First, you have to choose the amount of hosts which gives you specific options.

1 Host (for testing purposes): vSphere Enterprise Plus, NSX Data Center Advanced, vCenter

2+ Hosts (basic type): vSphere Enterprise Plus, NSX Data Center Advanced, vCenter

3+ Hosts (flexibility and elasticity): vSphere Enterprise Plus, NSX Data Center Advanced, vCenter, (vSAN Enterprise)

Site Recovery Manager, vRealize Log Insight and vRealize Operations need to be licensed separately as they are not included in the ACVS bundle.

The current ACVS offering has the following node options and specifications (maximum 32 hosts per VPC):

ACVS Node Specifications

All sixth-generation ECS instance come equipped with Intel® Xeon® Platinum 8269CY processors. These processors were customized based on the Cascade Lake microarchitecture, which is designed for the second-generation Intel® Xeon® Scalable processors. These processors have a turbo boost with an increased burst frequency of 3.2 GHz, and can provide up to a 30% increase in floating performance over the fifth generation ECS instances.

Component Version License
vCenter 7.0 vCenter Standard
ESXi 7.0 Enterprise Plus
vSAN (support coming later) n/a Enterprise
NSX Data Center (NSX-T) 3.0 Advanced
HCX n/a Enterprise

Note: Customers have the possibility to install any VIBs by themselves with full console access. This allows the customer to assess the risk and performance impacts by themselves and install any needed 3rd party software (e.g. Veeam, Zerto etc.).

If you want to more about how to accelerate your multi-cloud digital transformation initiatives in Asia, you can watch the VMworld presentation from this year. I couldn’t find any other presentation (except the exact same recording on YouTube) and believe that this article is the first publicy available summary about Alibaba Cloud VMware Solution. 🙂

Google Cloud VMware Engine (GCVE)

Google Cloud VMware Engine (GCVE)

In June 2020 VMware and Google made the announcement that Google Cloud VMware Engine (GCVE) is generally available. Almost exactly one year ago, the market received the information that VMware’s Cloud Foundation (vSphere, vSAN and NSX) stack will come to Google Cloud.

With this milestone VMware is now present on top of all the so-called “big three” hyperscalers.

GCVE has the same goals like the other similar offerings like VMware Cloud on AWS or Azure VMware Solution and belongs to the VMware multi-cloud strategy – to seamlessly migrate and run applications in the public cloud. In this case in Google Cloud! Run your applications in the public cloud exactly the same way as you already do now withh your on-premises VMware environment. With the very important addition, that you have high speed access to Google Cloud services like Cloud SQL, Cloud Storage, big data or AI/ML services.

To be able to run VMware workloads on top of the Google Cloud global infrastructure, Google acquired CloudSimple (with which they partnered with already) last November 2019.

At the moment of writing, the VMware hybrid cloud experience on Google Cloud is sold, operated and supported by Google and their partners.

Many customers are already looking at this very interesting offer, which is going to be available in more regions until the end of 2020. But there are also already a few customers using the joint offering. Google just published a customer reference story about the “Deutsche Börse Group”, a large and international financial organization, which extended their on-premises environment to Google Cloud with Google Cloud VMware Engine. One of the reasons why Deutsche Börse went for this vSphere-based cloud approach, was, to keep migrations to the cloud easy. I expect we can hear more about this success story at VMworld 2020.

Cloud Migration and Workload Mobility

A lot of customers underestimate the amount of work, time and costs involved in refactoring or re-platforming applications and the overall challenges when it comes to migrations from on-prem to the cloud. To build this secure hybrid cloud extension with GCVE, you’ll need VMware HCX, which is included in the GCVE offering.

There are different options available to connect both worlds:

GCVE Connectivity Options

  • VPN Gateway for point-to-point connections, used for the secure admin access to vCenter. Useful for the initial setup of the GCVE environment.
  • Cloud VPN for site-to-site connections, a secure layer 3 connection over the internet. This is one of the lower cost options for use cases, that don’t require high bandwidth.
  • Dedicated Cloud Interconnect with a direct traffic flow to Google with 10Gbps or 100Gbps circuits with 50Mbps to 50 Gbps connection capacities. This direct connection is required for HCX and the preferable connectivity option for customers requiring high speed and low latency.
  • Partner (Cloud) Interconnect is another option of a Cloud Interconnect, where your traffic flows through one of the supported service providers (e.g. Colt, Equinix, BT, e-shelter, Verizon, InterCloud, Interxion, Megaport)

Note: One unique feature of GCVE is the ability to route between different GCVE environments in the same region, without the need for additional configuration. 

Use Cases

These use cases, if you made yourself already familiar with a hybrid cloud approach, shouldn’t be new to you.

Data Center extension or retirement. You can scale the data center capacity in the cloud on-demand, if you for example don’t want to invest anymore in your on-premises environment. In case you just refreshed your current hardware, another use case would be the extension of your on-premises vSphere cloud to Google Cloud.

Disaster Recovery and data protection. Here we’ll find different scenarios like recovery (replication) or backup/archive (data protection) use cases. You can also still use your existing 3rd party tools from Zerto or Veeam to replace or complement existing DR locations and leverage the Cloud Storage service. You can also use your GCVE private clouds as a disaster recovery (DR) site for your on-premises workloads. This DR solution would be based on VMware Site Recovery Manager (SRM) which can be also used together with HCX.

Cloud migrations or consolidation. If you want to start with a lift & shift approach to migrate specific applications to the cloud, then GCVE is definitely right for you. Maybe you want to refresh your current infrastructure and need to relocate or migrate your workloads in an easy and secure way? Another perfect scenario would be the consolidation of different vSphere-based clouds.

Application modernization. Re-architecting or refactoring applications is not that easy. Most customers start with a partial approach to modernize their applications and leverage cloud-native services (e.g. databases, AI/ML engines).

Interesting: Did you know that Google’s on-prem GKE (Google Anthos) is running on vSphere?

VMware Horizon on VMware Engine

The advantages of a public cloud like Google Cloud are the “endless” capacity, agility and high-bandwidth connections. These items are very important for a virtual desktop infrastructure (VDI) and specially during disaster scenarios, when onboardings have to happen fast or if you look for on-demand growth.

Another regular example could be a merger & acquisition use case, where we the main infrastructure doesn’t have the necessary physical resources to onboard to new company and their employees.

Because something like this has always happen as easy and fast as possible. Running virtual desktops in Google Cloud VMware Engine can help in such situations. Together with VMware Horizon, organizations could install a VDI environment in GCVE and connect it to their Horizon on-premises infrastructure using the Cloud Pod Architecture (CPA). 

Note: When migrating applications to the cloud (GCVE), it is a best practice to keep the virtual desktop close to the application, which is a general use case we see when talking about application locality.

Horizon Global Pod GCVE

With the release of Horizon 2006 (aka Horizon 8) it is also possible to choose “Google Cloud” as deployment option during the connection server installation.

C:\\Users\\mrebmann\\OneDrive - VMware, Inc\\cloud13\\2020 - Google Cloud VMware Engine\\Horizon on GCVE.png

In case you need a load balancer (for your Horizon components and in general) for your on-premises environment and the public cloud, have a look at NSX Advanced Load Balancer.

GCVE Node Specs

When planning your GCVE resource needs, be aware of the following specifications and limits:

CPU: Intel Xeon Gold 6240 (Cascade Lake) 2.6 GHz (x2), 36 Cores, 72 Hyper-Threads

Memory: 768 GB

Storage (vSAN): 2 × 1.6 TB (3.2 TB) NVMe (Cache), 6 × 3.2 TB (19.2 TB) NVMe (Data)

Number of nodes required to create a private cloud: 3 (up to 64 hosts per private cloud)

Number of nodes allowed in a cluster on a private cloud: 16

3rd party tools compatibility: Yes, you can use existing tools (elevated privileges allow you to install 3rd party software)

Interesting facts: It only takes about a half hour to spin up your private cloud with three nodes! The addition of a new node takes approximately 15 minutes.

GCVE Elevated Privileges

Software License and Versions

Please find the current software versions and licenses below used for the GCVE offering (purchased with a 1- or 3- year commitment). The listed software versions are fixed and all updates are managed by Google. Google is responsible for the lifecycle management of the VMware software, which includes ESXi, vCenter and NSX.

Component Version License
vCenter 6.7 U3 vCenter Standard
ESXi 6.7 U3 Enterprise Plus
vSAN 6.7 U3 Enterprise
NSX Data Center (NSX-T) 2.5.1 Advanced
HCX 3.5.3 Advanced

Shared Responsibilities

Google Cloud VMware Engine is coming with all components you need to securely run VMware natively in a dedicated private cloud. Google takes care of the infrastructure (service) and their native service integrations. As a customer you only need to take care of your virtual machines or containers with your applications and data. Besides that, you also need to make sure that your configurations, policies, network portgroups, authentication and capacity management are properly configured.

GCVE Shared Responsibilities

If you want to know and learn more about Google Cloud VMware Engine, have a look at the following resources: