My day 1 at KubeCon Europe 2022 started early and my expectations are high. I arrived after 7.30am and I was impressed how easy and fast the check-in was even I had to show my ID and COVID certificate, which would allow me to get inside to the badge printer.
The event location is quite huge and it is very important that you check the map before you enter the building. I had to learn it the hard way and had no clue where I find the breakout rooms or the event center, which was even a different building. The helpdesks were busy with a long queue of people who probably also were running around like me, like a headless chicken. 😀 But after a half day of running from one room to another, I found my way to the sessions.
65% of the KubeCon and CloudNativeCon visitors are first-timers like me!
The number if CNCF projects is growing fast
In 2016, the first KubeCon in North America had around 700 people
KubeCon 2022 Europe has >7’000 people onsite and >10’000 joining virtually
Priyanka’s message was about collaboration for long-term success. The CNCF is about a large continuously growing community that must work together, and each person can contribute in her/his own way.
These were the four big announcements she presented during the keynote session:
KubeCon Europe 2023 is going to happen in Amsterdam
After that Boeing presented their company and mission and we heard Mercedes Benz telling their story of “7 years running Kubernetes”. Mercedes Benz operates more than 900 Kubernetes clusters and 3’500 machines all over the world. They also mentioned that they migrated their clusters to Cluster API, a Kubernetes project with VMware as one of the main contributors.
After a short break it was time for my scheduled breakout sessions.
West Side CD: The Deployment Ballet Goes On
Benoit Moussaud from VMware Tanzu presented a different way of CI/CD with Cartographer, which ” is a Kubernetes-native Choreographer providing higher modularity and scalability for the software supply chain”:
Overview and State of Knative
The next session was in the event center building, which hosted the presentation of Mauricio Salatino, VMware and Carlos Santana, IBM. They gave an overview of the Knative philosophy of being “Kubernetes native”.
Knative offers a simplified developer experience deploying and managing stateless and event-driven applications. Maurico mentioned the following Knative features:
Simpler Abstractions
Autoscaling
Progressive Rollout
Event Integrations
Event Handling
Pluggable
From Kubernetes to PaaS to … Err, What’s Next?
The third session I would like to highlight was from Daniel Bryant, Ambassador Labs. The key message of his presentation was about the “golden path” aka a paved platform. Â
At the beginning of his presentation Daniel started with the “real question” how much you should build yourself and how you should you assemble the control plane for effective use. Before going deeper into that topic he also joked around, and we know that 50% of all jokes are true, that the CNCF landscape and each KubeCon is not helping very much to make things for developers and operators easy:
It was very interesting and important to hear from him, that you cannot provide a good developer experience without a good user experience. Enterprises and platform teams need to treat the platform as a product and focus on tooling and interoperability.
Daniel said, that you need to think and design in/for different personas, user research is key and that you should watch your users doing things or using tools. Then you understand how you need can provide a good user experience for platforms. I personally believe that design thinking is key here.
Another interesting fact he mentioned is how the focus changed from the past KubeCons to the actual one. People focused mostly on operations and realized that the platform as a product mindset and approach is the way forward to provide also a good developer experience.
The VMware Tanzu Labs platform-as-product approach combines Product Management (PM), User-Centered Design (UCD), Agile, eXtreme Programming (XP), and Site Reliability Engineering (SRE) practices. A dedicated, balanced platform team uses these practices to both build and run the platform product.
Conclusion
It was a long day with a lot of impressions and new information. 😀 I definitely felt the spirit and the expertise of this large community! I am already excited and curious about tomorrow! Enjoy KubeCon Europe 2022!
PS: Are you looking for a job? KubeCon and the community got you covered!
VMware revealed their edge computing vision at VMworld 2021. In VMware’s view the multi-cloud extends from the public clouds to private clouds to edge. Edge is about bringing apps and services closer to where they are needed, especially in sectors like retail, transportation, energy and manufacturing.
In verticals like manufacturing the edge was always important. It’s about producing things than you can sell. If you cannot produce, you lose time and money. Reliability, stability and factory uptime are not new requirements. But why is edge becoming so important now?
Without looking at any analyst report and only providing experience from the field, it is clear why. Almost all of the large enterprises are migrating workloads from their global (central) data centers to the public cloud. At the same time, customers are looking at new innovations and technologies to connect their machines, processes, people and data in a much more efficient way.
Which requirement did all my customers have in common? They didn’t want to move their dozens or hundreds of edge infrastructures to the public cloud, because the factories should work independently and autonomously in case of a WAN outage for example. Additionally, some VMware technologies were already deployed at the edge.
VMware Edge Compute Stack
This is why VMware introduced the so-called “Edge Compute Stack” (ECS) in October 2021, which is provides a unified platform to run VMs alongside containerized applications at the far edge (aka enterprise edge). ECS is a purpose-built stack that is available in three different editions (information based on initial availability from VMworld 2021):
As you can see, each VMware Edge Compute Stack edition has the vSphere Enterprise+ (hypervisor) included, software-defined storage with vSAN is optional, but Tanzu for running containers is always included.
While ECS is great, the purpose of this article is about highlighting different solutions and technologies that help you to build the foundation for a digital manufacturing platform.
IT/OT Convergence
You most probably have a mix of home-grown and COTS (commercial off-the-shelf) software, that need to be deployed in your edge locations (e.g., factories, markets, shops etc.). In manufacturing, OT (operational technology) vendors have just started the adoption of container technologies due to unique technology requirements and the business model that relies on proprietary systems.
The OT world is typically very hardware-centric and uses proprietary architectures. These systems and architectures, which were put into production 15-20 years ago, are still functional. It just worked.
While these methods and architectures have been very good, the manufacturing industry realized that this static and inflexible approach resulted in a technology debt, that didn’t allow any innovation for a long period of time.
Manufacturing companies are moving to a cloud-native architecture that should provide more flexibility and vendor interoperability with the same focus in mind: To provide a reliable, scalable and flexible infrastructure.
This is when VMware becomes relevant again with their (edge) compute stack. VMware vSphere allows you to run VMs and containers on the same platform. This is true for IT and OT workloads, that’s IT partial IT/OT covergence.
You may ask yourself how you then would design the network. I’ll answer this topic in a minute.
Kubernetes Operations
IT platform teams, who design and manage the edge have to expand their (VMware) platform capabilities that allow them to deploy and host containers. Like I said before, this is why Tanzu is included in all the VMware Edge Compute Stack editions. Kubernetes is the new Infrastructure-as-a-Service (IaaS) and so it makes only sense that the container deployment and management capability is included.
How do you provide centralized or regional Kubernetes management and operations if you don’t have a global (regional) data center anymore?
With a hybrid approach, by using Tanzu for Kubernetes Operations (TKO), a set of SaaS services that allow you to run, manage, connect and secure your container infrastructure across clouds and edge locations.
IT/OT Security
Now you have the right platform to run your IT and OT workloads on the same hypervisor or compute platform. You also have a SaaS-based control plane to deploy and manage your Kubernetes clusters.Â
As soon as you are dealing with a very dynamic environment where containers exist, you are having discussions about software-defined networking or virtualized networks. Apart from that, every organization and manufacturer are transforming their network and security at the edge and talk about network segmentation (and cybersecurity!).
Traditionally, you’ll find the Purdue Model implemented, a concept model for industrial control systems (ICS) that breaks the network in two zones:
In these IT and OT zones you’ll find subzones that describe different layers and the ICS components. As you can see as well, each level is secured by a dedicated physical firewall appliance. From this drawing one could say that the IT and OT world converge in the DMZ layer, because of the bidirectional traffic flow.
VMware is one of the pioneers when it comes to network segmentation that helps you driving IT/OT convergence. This is made possible by using network virtualization. As soon as you are using the VMware hypervisor and its integrated virtual switch, you are already using a virtualized network.
To bring IT and OT closer together and to provide a virtualized network design based on the Purdue Model including a zero-trust network architecture, you would start looking at VMware NSX to implement that.
In level 2 of the Purdue Model, which hosts the systems for supervising, monitoring and controlling the physical process, you will find components like human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) software.
In level 3, manufacturing execution systems (MES) can be found.
Nowadays, most companies already run their HMIs, SCADAs and MES software in virtual machines on the VMware vSphere hypervisor.
The next big thing is the virtualization of PLCs (programmable logic controller), which is an industrial computer that controls manufacturing processes, such as machines, assembly lines and robotic devices. Traditional PLC implementations in hardware are costly and lack scalability.
That is why the company SDA was looking for a less hardware-centric but more software-centric approach and developed the SDA vPLC that is able to meet sub 10ms performance.
This vPLC solution is based on a hybrid architecture between a cloud system and the industrial workload at the edge, which has been tested on VMware’s Edge Compute Stack.
Monitoring & Troubleshooting
One area, which we haven’t highlighted yet, is the monitoring and troubleshooting of virtual machines (VMs). The majority of your workloads are still VM-based. How do you monitor these workloads and applications, deal with resource and capacity planning/management, and troubleshoot, if you don’t have a central data center anymore?
With the same approach as before – just with a cloud-based service. Most organizations rely on vRealize Operations (vROps) and vRealize Log Insight (vRLI) for their IT operations and platform teams gain visibility in all the main and edge data centers.
You can still use vROps and vRLI (on-premises) in your factories, but VMware recommends using the vRealize Cloud Universal (vRCU) SaaS management suite, that gives you the flexibility to deploy your vRealize products on-premises or as SaaS. In an edge use case the SaaS-based control plane just makes sense.
In addition to vRealize Operations Cloud you can make use of the vRealize True Visibility Suite (TVS), that extends your vRealize Operations platform with management packs and connectors to monitor different compute, storage, network, application and database vendors and solutions.
Factory VDI
Some of your factories may need virtual apps or desktops and for edge use cases there are different possible architectures available. Where a factory has a few hundred of concurrent users, a dedicated standalone VDI/RDSH deployment might make sense. What if you have hundreds of smaller factories and don’t want to maintain a complete VDI/RDSH infrastructure?
VMware is currently working on a new architecture for VMware Horizon (aka VMware Horizon Next-Generation) and their goal is to provide a single, unified platform across on-premises and cloud environments. They also plan to do that by introducing a pod-less architecture that moves key components to the VMware-hosted Horizon (Cloud) Control Plane.
This architecture is perfectly made for edge use cases and with this approach customers can reduce costs, expect increased scalability, improve troubleshooting and provide a seamless experience for any edge or cloud location.
Â
Management for Enterprise Wearables
If your innovation and tech team are exploring new possibilities with wearable technologies like augmented reality (AR), mixed reality (MR) and virtual reality (VR) head-mounted displays (HMDs), then VMware Workspace ONE Unified Endpoint Management (UEM) can help you to securely manage these devices!
Workspace ONE UEM is very strong when it comes to the modern management of Windows Desktop and macOS operating systems, and device management (Android/iOS).
Conclusion
As you can see, VMware has a lot to offer for the enterprise edge. Organizations that are multi-cloud and keep their edge locations on-premises, have a lot of new technologies and possibilities nowadays.
VMware’s strengths are unfolded as soon as you combine different solutions. And these solutions help you to work on your priorities and requirements to build the right foundation for a digital manufacturing platform.
Intrinsic security is something we heard a lot in the past from VMware and it was mostly used to describe the strategy and capabilities behind the Carbon Black portfolio (EDR) that is complemented with the advanced threat prevention from NSX (NDR), that form together the VMware XDR vision.
I see similarities between intrinsic security and workout I am doing in the gym. My goal is to build more strength and power, and to become healthier in general. For additional muscle gain benefits and to be more time efficient, I have chosen compound exercises. I am not a fan of single muscle group exercises, which involve isolation exercises. Our body has a lot of joints for different movements, and I think it’s just natural if you use multiple muscle groups and joints during a specific exercise.
Therefore, when you perform compound exercises, you involve different muscles to complete the movement. This improves your intermuscular coordination of your muscles. In addition, as everyone would tell you, these exercises improve your core strength and they let your body become a single unit.
While doing weight training, it is very important to use the proper technique and equipment. Otherwise, the risk for injuries and vulnerabilities increases.
This is what intrinsic security means for me! And I think this is very much relevant to understand when talking about DevSecOps.
Understanding DevSecOps
For VMware, talking to developers and talking about DevOps started in 2019 when they presented VMware Tanzu the first time at VMworld. The ideas and innovation behind the name “Tanzu” should bring developers and IT operators closer together for collaboration.
DevOps is the combination of different practices, tools and philosophies that should help an organization to deliver applications and services at a higher pace. In the example above it would mean, that application developers and operations teams are not working isolated in silos anymore, they become one team, a single unit. But technology plays very important role to support the success of the new mindset and culture!
DevOps is about efficiency and the automation of manual tasks or processes. You want to become fast, flexible and efficient. When you put security in the center of this, then we start talking about DevSecOps. You want to know if one of your muscles or parts of the body become weak (defect) or vulnerable.
Depending on where you are right now on this application modernization journey, doing DevSecOps could mean a huge cultural and fundamental change to how you develop applications and do IT operations.
For me, DevSecOps is not about bringing security tools together from different teams and technologies. If DevOps and DevSecOps mean that you must change your mindset, then it is maybe also about time to consider the importance of new technology choices.
If DevSecOps means that you put security in the center of a DevOps- or container-centric environment, then security must become an intrinsic part of a modern application supply chain.
The VMware Tanzu portfolio has a lot of products and services to bring developers, operations and security teams together.
Where do we start? We need to “shift left” and this means we need to integrate security already early in the application lifecycle.
Code – Spring Framework
Before you can deliver an application to your customer, you need to develop it, you need to code. Application frameworks are a very effective approach for developing more secure and optimized applications.
Frameworks help to write code faster and more efficient. Not only does a framework can save your developers a lot of coding effort, but it also comes with pre-defined templates. They incorporate best practices and help you simplifying the overall application architecture.
Why is this important? To achieve better security or a more secure cloud native application, it makes sense to standardize and automate. Automation is key for security. Standardization makes it easier to understand or reuse code. You can write all the code yourself, but the chances are high that someone else did parts of your work already. Less variability reduces complexity and therefore enhances security.
There is the open-source Spring Framework for example, which uses Java as the underlying language (or .NET for Steeltoe). Both projects are managed by VMware and millions of developers use them.
What happens next? You would now run your continuous integration (CI) process (integration tests, unit tests) and then you are ready to package or build your application.
Build – Tanzu Build Service (TBS)
So, your code is now good for release. If you want to deploy your application to a Kubernetes environment, then you need a secure, portable and reproducible build that can be checked for security vulnerabilities, and you need an easy way to patch those vulnerabilities.
How are you going to build your container image where you application is going to be built into? A lot of customers and vendors have a dockerfile based approach.
TBS is constantly looking for changes in your source code and then automatically builds an image based on that. This means with TBS you don’t need any advanced knowledge of container packaging formats or know how to optimally construct a container creation script for a given programming language.
Tanzu Build Service knows all the images you have built and understands all the dependencies and components you have used. If something changes, your image is going to be rebuilt automatically and then stored in a registry of your choice. More about the registry in a second.
What happens if a vulnerability comes out and one of your libraries, operating systems or components is affected? TBS would patch this vulnerability and all the affected downstream container images would be updated automatically.
Imagine how happy your CISO would be about this way of building secure container images! 🙂
Build – Harbor
We have now pushed our container image to a container repository, a so-called registry. VMware uses Harbor (open-source cloud native registry by VMware, donated to the CNCF in 2018) as an enterprise-grade storage for container images. Additionally, Harbor provides static analysis of vulnerabilities in images through open-source projects like Trivy and Clair.
We have now developed our applications and stored our packaged images in our Harbor registry. What else do we need?
Build – VMware Application Catalog (VAC)
Developers are not going to build everything by themselves. Other services like databases or caching are needed to build the application as well and there are so many known and pre-packaged open-source software freely available online. This brings additional security risks and provides malicious actors to publish container images that contain vulnerabilities.
How can you mitigate this risk and reduce the chance for a critical application outage or breach?
In 2019, VMware acquired Bitnami, which delivers and maintains a catalog of 130+ pre-packaged and ready-to-use open-source application components, that are “continuously maintained and verifiably tested for use in production environments”.
Known as VMware Application Catalog (VAC, formerly also known as Tanzu Application Catalog), VAC as a SaaS offering provides your organization a customizable private collection of open-source software and services, that can automatically be placed in your private container image registry. In this case in your Harbor registry.
Example apps that are supported today:
Language Runtimes
Databases
App Components
Developer Tools
Business Apps
Nodejs
MySQL
Kafka
Artifactory
WordPress
Python
PostgreSQL
RabbitMQ
Jenkins
Drupal
Ruby
MariaDB
TensorFlow
Redmine
Magento
Java
MongoDB
ElasticSearch
Harbor
Moodle
How does it work?
There are two product features that I would like to highlight:
Build-time CVE scan reports for container images using Trivy
Build-time Antivirus scans for container images using ClamAV
Your application, built by Tanzu Build Service and VMware Application Catalog, is complete now, and stored in your Harbor registry. And since you use VAC, you also have your “marketplace” of applications, that is curated by a (security) team in your organization.Â
Note: Yes, VAC is a SaaS hosted application and you may have concerns because you are a public/federal customer. That’s no problem. Consider VAC as your trusted source where you can copy things from. There is no data stored in the public cloud nor does it run anything up there. Download your packages from this trusted repository over to you air gapped environment.
Run – Tanzu Kubernetes Grid (TKG)
Your application is ready to be deployed and the next step is in your pipeline is “continuous deployment“. We finally can deploy our applications to a Kubernetes cluster.
Tanzu Kubernetes Grid or TKG is VMware’s own consistent and conformant Kubernetes distribution that can run in any cloud. VMware’s strategy is about running the same Kubernetes dial tone across data centers and public cloud, which enables a consistent and secure experience for your developers.
TKG has a tight integration with vSphere called “vSphere with Tanzu”. Since TKG is an enterprise-ready Kubernetes for a multi-cloud infrastructure, it can run also in all major public clouds.
If consistent automation is important to you and you want to run Kubernetes in an air gapped environment, where there is no AWS, Azure or any other major public cloud provider, then a consistent Kubernetes version like TKG would add value to your infrastructure.
Manage/Operate – Tanzu Mission Control (TMC)
How do we manage these applications on any Kubernetes cluster (VMware TKG, Amazon EKS, Microsoft AKS, Google GKE), that can run in any cloud?
Some organizations started with TKG and others already started with managed Kubernetes offerings like EKS, AKS or GKE. That’s not a problem. The question here is how you deploy, manage, operate, and secure all these different clusters.
VMware’s solution for that is Tanzu Mission Control, which is also a SaaS-based tool hosted by VMware, that is the first offering I’m going to cover, that is part of a global Tanzu control plane. TMC is a solution that makes your multi-cloud and multi-cluster Kubernetes management much easier.
With TMC you’ll get:
Centralized Cluster Lifecycle Management. TMC enables automated provisioning and lifecycle management of TKG cluster across any cloud. It provides centralized provision, scaling, upgrading and deletion functions for your Kubernetes clusters. Tanzu Mission Control also allows you to attach any CNCF-conformant Kubernetes cluster (K8s on-prem, K8s in public cloud, TKG, EKS, AKS, GKE, OpenShift) to the platform for management, visibility, and analytic purposes. I would expect that we can use TMC in the future to lifecycle managed offerings like EKS, AKS or GKE.
Centralized Policy Management. TMC has a very powerful policy engine to apply consistent policies across clusters and clouds. You can create security, access, network, quota, registry, and custom policies (Open Policy Agent framework).
Identity and Access Management. Another important feature you don’t want to miss with DevSecOps in mind is centralized authentication and authorization, and identity federation from multiple sources like AD, LDAP and SAML. Make sure you give the right people or project teams the right access to the right resources.
Cluster Inspection. There are to inspection that you can run against your Kubernetes clusters. TMC leverages the built-in open-source project Sonobuoy that makes sure your cluster are configured in a conformant way with the Cloud Native Computing Foundation (CNCF) standards. Tanzu Mission Control provides CIS Benchmark inspection as another option.
Tanzu Mission Control integrates with other Tanzu products like Tanzu Observability and Tanzu Service Mesh, which I’m covering later.
Connect – Antrea
VMware Tanzu uses Antrea as the default container network interface (CNI) and Kubernetes NetworkPolicy to provide network connectivity and security for your pods. Antrea is an open-source project with active contributors from Intel, Nvidia/Mellanox and VMware, and it supports multiple operating systems and managed Kubernetes offerings like EKS, AKS or GKE!
Antrea uses Open vSwitch (OvS) as the networking data plane in every Kubernetes node. OvS is a high performance and programmable virtual switch that not only supports Linux, but also Windows. VMware is working on the achievement to reach feature parity between them, and they are even working on the support for ARM hosts in addition to x86 hosts.
Antrea creates overlay networks using VXLAN or Geneve for encapsulation and encrypts node-to-node communication if needed.
Connect & Secure – NSX Advanced Load Balancer
Ingress is a very important component of Kubernetes and let’s you configure how an application can or should be accessed. It is a set of routing rules that describe how traffic is routed to an application inside of a Kubernetes cluster. So, getting an application up and running is only the half side of the story. The application still needs a way for users to access it. If you would like to know more about “ingress”, I can recommend this short introduction video.
While a project like Contour is a great open-source project, VMware recommends Avi (aka NSX Advanced Load Balancer) provides much more enterprise-grade features like L4 load balancing, L7 ingress, security/WAF, GSLB and analytics. If stability, enterprise support, resiliency, automation, elasticity, and analytics are important to you, then Avi Enterprise, a true software-defined multi-cloud application delivery controller, is definitely the better fit.
Secure – Tanzu Service Mesh (TSM)
Let’s take a step back and recap what we have achieve until here. We have a standardized and automated application supply chain, with signed container images, that can be deployed in any conformant Kubernetes cluster. We can also access the application from outside and pod-to-pod communication, so that applications can talk to each other. So far so far good.
Is there maybe another way to stitch these services together or “offload” security from the containers? What if I have microservices or applications running in different clouds, that need to securely communicate with each other?
A lot of vendors including VMware realized that the network is the fabric that brings microservices together, which in the end form the application. With modernized or partially modernized apps, different Kubernetes offerings and a multi-cloud environment, we will find the reality of hybrid applications which sometimes run in multiple clouds.
This is the moment when you need to think about the connectivity and communication between your app’s microservices. Today, many Kubernetes users do that by implementing a service mesh and Istio is most probably the most used open-source project platform for that.
The thing with service mesh is, while everyone thinks it sounds great, that there are new challenges that service mesh brings by itself. The installation and configuration of Istio is not that easy and it takes time. Besides that, Istio is also typically tied to a single Kubernetes cluster and therefore Istio data plane – and organizations usually prefer to keep their Kubernetes clusters independent from each other. This leaves us with security and policies tied to a Kubernetes cluster or cloud vendor, which leaves us with silos.
Tanzu Service Mesh, built on VMware NSX, is an offering that delivers an enterprise-grade service mesh, built on top of a VMware-administrated Istio version.
The big difference and the value that comes with Tanzu Service Mesh (TSM) is its ability to support cross-cluster and cross-cloud use cases via Global Namespaces.
A Global Namespace is a unique concept in Tanzu Service Mesh and connects resources and workloads that form the application into a virtual unit. Each GNS is an isolated domain that provides automatic service discovery and manages the following functions that are port of it, no matter where they are located:
Identity. Each global namespace has its own certificate authority (CA) that provisions identities for the resources inside that global namespace
Discovery (DNS). The global namespace controls how one resource can locate another and provides a registry.
Connectivity. The global namespace defines how communication can be established between resources and how traffic within the global namespace and external to the global namespace is routed between resources.
Security. The global namespace manages security for its resources. In particular, the global namespace can enforce that all traffic between the resources is encrypted using Mutual Transport Layer Security authentication (mTLS).
Observability. Tanzu Service Mesh aggregates telemetry data, such as metrics for services, clusters, and nodes, inside the global namespace.
Monitor – Tanzu Observability (TO)
Another important part of DevSecOps with VMware Tanzu is observability. What happens if something goes wrong? What are you doing when an application is not working anymore as expected? How do you troubleshoot a distributed application, split in microservices, that potentially runs in multiple clouds?
Image an application split into different smaller services, that are running in a pod, which could be running in a virtual machine on a specific host in your on-premises datacenter, at the edge, or somewhere in the public cloud.
You need a tool that supports the architecture of a modern application. You need a solution that understands and visualizes cloud native applications.
That’s when VMware suggests Tanzu Observability to provide you observability and deep visibility across your DevSecOps environment.
Tanzu Observability has an integration with Tanzu Mission Control, which has the capability then to install the Wavefront Kubernetes collector on your Kubernetes clusters. The name “Wavefront” comes from the company Wavefront, which VMware acquired in 2017.
Since Tanzu Observability is only offered as a SaaS version, I would like to highlight that it is “secure by design” according to VMware:
Isolation of customer data
User & Service Account Authentication (SSO, LDAP, SAML)
RBAC & Authorization
Data encryption at rest and in transit
Data at rest is managed by AWS S3 (protected by KMS)
Certifications like ISO 27001/27017/27018 or SOC 2 Type 1
Summary – Tanzu Portfolio Capabilities
The container build and deploy process consists of the Spring runtime, Tanzu Application Catalog and Tanzu Build Service.
The global control plane (SaaS) is formed by Tanzu Mission Control, Tanzu Service Mesh and Tanzu Observability.
The networking layer consists of NSX Advanced Load Balancer for ingress & load balancing and uses Antrea for container networking.
The foundation of this architecture is built on VMware’s Kubernetes runtime called Tanzu Kubernetes Grid.
Another solution that might be of interest for you is Carbon Black Container. CB Container also provide visibility and control that DevSecOps team need to secure Kubernetes clusters and the application the deploy on top of them.
This solution provides container vulnerability & risk dashboard, image scanning, compliance policy scanning, CI/CD integration, integration with Harbor and supports any upstream Kubernetes like TKG, EKS, AKS, GKE or OpenShift.
Conclusion
DevSecOps with VMware Tanzu helps you to simplify and secure the whole container and application lifecycle. VMware has made some strategic acquisitions (Heptio, Pivotal, Bitnami, Wavefront, Octarine, Avi Networks, Carbon Black) in the past to become a major player the world of containerization, Kubernetes and application modernization.
I personally believe that VMware’s approach and Tanzu portfolio have a very strong position in the market. Their modular approach and the inclusion of open-source projects is a big differentiator. Tanzu is not just about Kubernetes, it’s about building, securing and managing the applications.
If you have a strong security focus, VMware can cover all the layers up from the hypervisor to the applications that can be deployed in any cloud. That’s the strength and unique value of VMware: A complete and diverse portfolio with products, that provide even more value when combined together.
Don’t forget, that VMware is number 1 when it comes to data center infrastructures and most of the customer workloads are still running on-premises. That’s why I believe that VMware and their Tanzu portfolio are very well positioned.
The customers I worked with last year were large enterprises with a multi-cloud strategy and they have just started their application modernization journey. Typically, VMware customers interested in Tanzu would take a look at the Standard edition first, which gives you:
Tanzu Kubernetes Grid Runtime
Tanzu Mission Control Standard
Avi Essentials (NSX Advanced Load Balancer)
Antrea (open-source) for container networking
and some other open-source software like Prometheus, Grafana, Fluent Bit, Contour
A lot of my customers were interested in Tanzu Advanced, but they were asking for something in between these editions. Tanzu Standard sounded very interesting, but almost all of them asked the followings questions:
What if I don’t build or modernize my own applications yet and get my application as a container from my ISV?
Prometheus and Grafana are nice, but I would like to have something more enterprise-ready for observability. How can I get Tanzu Observability?
Avi Essentials sounds great, but I am thinking to replace my current load balancer. Is it possible to replace my F5 or Citrix ADC (formerly known as Citrix NetScaler) appliances?
Contour seems to be a nice open-source project, but I am looking for something with built-in automation and analytics capabilities for ingress. Can’t I get Avi Enterprise for that as well?
I am looking for zero trust application security. How can you help me to encrypt traffic between containers or microservices, which could also be hosted on different clouds (e.g., on-prem and public cloud)?
The answer to these questions is Tanzu Kubernetes for Operations. Tanzu for Kubernetes Operations (TKO) is a bundle of VMware products and services to meet the requirements of cloud platform teams. It provides a centralized, consistent and simplified container management and operations across clouds and currently includes the following products and services:
Tanzu Standard Runtime (includes Tanzu Kubernetes Grid + open-source software from Tanzu Std), licensed per core
Antrea Advanced, licensed based on core (Antrea feature comparison can be found here)
NSX ALB (Avi) Enterprise, licensed based on service cores (not included, separate TKO SKU expected for end of Q1 2022)
Tanzu Activation Services for TKO deployment and configuration, includes migration of one upon-agreed application (not included in the TKO SKU, coming as an add-on)
Important Note: The VMware product guide says that “a Core is a single physical computational unit of the Processor which may be presented as one or more vCPUs“. So, if you plan a CPU overcommit of 1:2 (cores:vCPU) for your on-premises infrastructure, then you have to license 12 cores only.
Use this link to get additional information how to deploy and configure Tanzu Mission Control, Tanzu Observability and Tanzu Service Mesh.
What is Application Transformer for Tanzu?
Application Transformer for VMware Tanzu became generally available in February 2022.
Application Transformer can help you to convert virtual machines and application components to OCI-compliant container images, that then can be deployed into the Tanzu Kubernetes stack.
Tanzu App Navigator
Application Transformer helps you to analyze and visualize application components and dependencies. It also provides customers scores that allow them to decide which applications should be transformed.
App Navigator is a 4-to-6 week engagement that helps you to decide which applications you should tackle first and how much change is needed to drive business outcomes. It’s one thing to containerize an application, but App Navigator helps you to create a modernization strategy based on your goals.
Note: VMware’s App Navigator team uses Application Transformer during their service engagement.
Tanzu Application Platform
Deploying an application on Kubernetes is not an easy thing if you don’t know anything about Kubernetes.
If you would like to focus more on your applications and your developer’s experience, then Tanzu Application Platform (TAP) could be very interesting for you.
With Tanzu Application Platform, application developers and operations teams can build and deliver a better multi-cloud developer experience on any Kubernetes distribution, including Azure Kubernetes Service, Amazon Elastic Kubernetes Service, Google Kubernetes Engine, as well as software offerings like Tanzu Kubernetes Grid.
VMware is known to provide reduction of complexity and to provide cloud-agnostic infrastructures. They started to abstract the underlying server hardware, then the virtualization of the whole data center (compute, storage, network) came and the next step was the abstraction of public clouds like AWS, Azure and Google.
In the case of Tanzu Application Platform we are talking about an opinionated grouping of separate components that run on any conformant Kubernetes cluster (TKG, AKS, EKS, GKE, OpenShift etc.). From an application developer perspective an application can automatically be built, tested and deployed on Kubernetes.
Meaning, with TAP you get a modular application developer PaaS (adPaaS) offering and true application platform portability with the capability of “bring-your-own-Kubernetes”.
VMware Cloud on AWS (VMC on AWS) brings VMware’s software-defined data center (SDDC) stack to the AWS cloud. By using the same vSphere-based virtualization/cloud technology on-premises and in the public cloud, you can create a true hybrid cloud architecture, that enables you to get consistent operations by using consistent infrastructure.
This solution comes with optimized access to the AWS services and is delivered, sold and supported by VMware, AWS and their partner networks.
As you can see above, VMC on AWS comes with the same VMware tools and integrates the VMware Cloud Foundation stack (vSphere for compute, vSAN for storage, NSX for networking) along with vCenter for management.
VMware Cloud on AWS comes with two different host configurations, which both require a minimum of two hosts per cluster.
For identifying the right host types for specific use cases, check out the VMware Cloud on AWS sizer.
Note: 99.9% SLA for non-stretched clusters, 99.99% for stretched clusters
Single Host Starter Configuration
VMC on AWS allows you to deploy a starter configuration with a single host only (not available with i3en.metal hosts).
This small SDDC configuration allows customers to get their first experiences with this hybrid cloud offering during a 60-day time period. Such a setup is only appropriate for test and development or proof of concept use cases. You can run production workloads on this small VMC on AWS environment if you scale up to the minimum of two hosts before the 60-day period ends, otherwise your evaluation ends with you losing data.
Note: Not all features of the standard VMC service offering are available in this limited setting. The VMC on AWS service level offering also does not apply to this one-node offering.
Included VMware Software
The following software is included in single host and production configurations:
Single Hosts (non-production environments)
Production (minimum 2 hosts)
Includes
VMware SDDC software: vSphere, vSAN, NSX-T, vCenter Server
VMware HCX
Dedicated Amazon EC2 Bare Metal Instances
VMware Global Support
Purchase separately
VMware Site Recovery
VMware Cloud Disaster Recovery
VMware vRealize Automation Cloud
VMware vRealize Operations Cloud
VMware vRealize Log Insight Cloud
VMware vRealize Network Insight Cloud
VMware Tanzu Standard
Not supported
Lifecycle management by VMware (updates, patches and upgrades)
High Availability (HA) and Stretched Clusters
Service Level Agreement (SLA)
Includes
VMware SDDC software: vSphere, vSAN, NSX-T, vCenter Server
VMware HCX
VMware Tanzu Services: TKG Service + TMC Essentials
Dedicated Amazon EC2 Bare Metal Instances
VMware Global Support
Lifecycle management by VMware (updates, patches and upgrades)
Support for High Availability (HA) and Stretched Clusters
Service Level Agreement (SLA)
Purchase separately
VMware Site Recovery
VMware Cloud Disaster Recovery
VMware NSX Advanced Firewall
VMware vRealize Automation Cloud
VMware vRealize Operations Cloud
VMware vRealize Log Insight Cloud
VMware vRealize Network Insight Cloud
VMware Tanzu Standard
VMware Cloud on AWS Outposts
If you want to get the agility and innovation of (VMware) Cloud in your own data center, delivered as a service, then VMC on AWS Outposts is for you.
VMC on AWS Outposts is a fully managed on-premises as-a-service offering, that stretches VMC on AWS to your data center or edge location. You’ll get dedicated Amazon Nitro-based EC2 bare-metal instances delivered on-premises with VMware Cloud Foundation running on top.
What’s included in the offering?
AWS Outposts 42u rack (we can also expect a half-rack offering in the future)
3-8 hosts configurations based on i3en.metal
Dark host capacity included (for remediation, EDRS, scale-out and lifecycle management purposes)
Installed by AWS
AWS managed dedicated Nitro-based i3en.metal EC2 instance with local SSD storage
VMware managed SDDC software – vSphere, vSAN, NSX-T, vCenter Server
VMware HCX
VMware Cloud Console
Support by VMware SREs
Supply chain, shipment logistics and onsite installation by AWS
Ongoing hardware monitoring with break/fix support.
Use Cases
VMware Cloud on AWS Outposts is made for multiple use cases:
Data/App Locality
Low latency
Local data processing
Data sovereignty/compliance
Infrastructure modernization
Branche Office or large edge modernization
But this offering and VMC on AWS in general come with multiple other use cases which help orgnaizations to fulfill their cloud strategy.
App Modernization
VMware Cloud on AWS provides an infrastructure platform option for customers to modernize their existing enterprise applications on and enables them to run their enterprise workloads of today and tomorrow. With VMware Cloud on AWS, customers can run, monitor, and manage their Kubernetes clusters and virtual machines – all on the same infrastructure. VMware Tanzu Kubernetes Grid provides a consistent, upstream-compatible distribution of Kubernetes, that is tested, signed, and supported by VMware. Tanzu Kubernetes Grid is central to many of the offerings in the VMware Tanzu portfolio.
VMC on AWS can help customers to expand to new locations. Maybe it’s an unplanned project or there are temporary or seasonal capacity needs. Some customers are also using such an offering to build a flexible test, lab or training environment in the public cloud.
Adopt a robust, feature-rich cloud platform for virtual desktops and applications that can be used to deliver complete VDI infrastructure from the cloud. Or you can extend an existing on-premises VDI environment for desktop bursting, protection or proximity to applications running in AWS. Optimize infrastructure costs with flexible, consumption-based billing while paying only for what you use.
Another typical use case is disaster recovery. Customers are looking for an offsite approach with which they can prepare themselves for different kind of scenarios with “warm standby” or “active/active” configurations. There are different architectural options and also different solutions from VMware available, e.g.:
How can you bridge the gap between on-premises data centers and VMC on AWS to enable application migrations or workload mobility? HCX creates an encrypted, high-throughput, WAN-optimized, load-balanced, traffic-engineered hybrid interconnect automates the creation of network extensions.
In short: VMware HCX can interconnect different vSphere-based clouds and with that you achieve a fabric for workload mobility by using vMotion over different clouds. It even preserves existing network connections!
Imagine how much easier and faster application migrations can be done now.
Let’s see if there is a future, that customers need full workload mobility where regular migrations from and to different clouds can be done. Maybe there is a customer, who migrates workloads today from on-prem to VMC on AWS, tomorrow to Azure VMware Solution, the next week to Google Cloud VMware Engine, and in the end back to an on-premises data center where another fully managed service like VMC on Dell EMC is deployed. 😀
VMware Cloud on AWS with Tanzu Services
It was mentioned above already, VMware Cloud on AWS includes “Tanzu Kubernetes Service” and “Tanzu Mission Control Essentials”.
VMware Cloud with Tanzu Services has been introduced at VMworld 2021 as the “Easy path to enterprise-grade Kubernetes on a fully managed, multi-cloud ready IaaS and CaaS platform”:
This was also when Tanzu Services became available for VMC on AWS with the following capabilities:
Managed Tanzu Kubernetes Grid Service: Provision Tanzu Kubernetes clusters within a few minutes using a simple, fast, and self-service experience in the VMware Cloud console. The underlying SDDC infrastructure and capacity required for Kubernetes workloads is fully managed by VMware. Use vCenter Server for managing Kubernetes workloads by deploying Kubernetes clusters, provisioning role-based access and allocating capacity for Developer teams. Manage multiple TKG clusters as namespaces with observability, troubleshooting and resiliency in vCenter Server.
Built in support for Tanzu Mission Control Essentials: Attach upstream compliant Kubernetes clusters including Amazon EKS and Tanzu Kubernetes Grid clusters. Manage lifecycle for Tanzu Kubernetes Grid clusters and centralize platform operations for Kubernetes clusters using the Kubernetes management plane offered by Tanzu Mission Control. Tanzu Mission Control provides a global visibility across clusters and clouds and increases security and governance by automating operational tasks such as access and security management at scale.
Did you know that the Tanzu Mission Control Standard Package is included with TMC Essentials?
As of November 2021, new clusters registered with TMC will have the Carvel package manager (the kapp-controller), deployed within the cluster. The “Catalog” page in the Tanzu Mission Control console allows you to view packages available from the Tanzu Standard repository (and your own custom Carvel package repositories) and install them in your Kubernetes clusters.
Application Transformer for VMware Tanzu for VMC on AWS
Application Transformer for VMware Tanzu is a tool that aids organizations in discovering application types, visualizing application topology, choosing a modernization approach based on scores, and containerizing and migrating suitable legacy applications to enhance business outcomes. As an agentless tool, Application Transformer for Tanzu utilizes the VMware vCenter API to introspect VMs across an entire vSphere or VMware Cloud on AWS-based data center.
Application Transformer can help you to convert virtual machines and application components to OCI-compliant container images, that then can be deployed into the Tanzu Kubernetes stack.
There are several ways how customers get access to Application Transformer for VMware Tanzu:
Good news for everyone is that Application Transformer for VMware Tanzu became generally available in February 2022. With this, VMware Cloud on AWS customers also have limited access to this offering from now on. The access is through integration with VMware Cloud console. If customers desire full access to Application Transformer, they need to buy Tanzu Standard, Tanzu Advanced, Tanzu for Kubernetes Operations, or App Navigator.
Features & Roadmap
VMware provides a lot of information about the features and roadmap of VMware Cloud on AWS.
VMC on AWS FAQ
There is a large collection of FAQs available that can be found here.
In November 2020 I wrote an article called “VMware Cloud Foundation And The Cloud Management Platform Simply Explained“. That piece was focused on the “why” and “when” VMware Cloud Foundation (VCF) makes sense for your organization. It also includes business values and hints that VCF is more than just about technology. Cloud Foundation is one of the most important drivers and THE enabler for to fulfill VMware’s multi-cloud strategy.
To summarize the two above mentioned articles, one can say, that VMware Cloud Foundation is a software-defined data center (SDDC) that can run in any cloud. In “any cloud” means that VCF can also be consumed as a service through other cloud provider partners like:
Additionally, Cloud Foundation and the whole SDDC can be consumed as a managed offering called DCaaS or LCaaS (Data Center / Local Cloud as a service).
Let’s say a customer is convinced that a “VCF everywhere” approach is right for them and starts building up private and public clouds based on VMware’s technologies. This means that VMware Cloud Foundation now runs in their private and public cloud.
Note: This doesn’t mean that the customer cannot use native public cloud workloads and services anymore. They can simply co-exist.
The customer is at a point now where they have achieved a consistent infrastructure. What’s up next? The next logical step is to use the same automation, management and security consoles to achieve consistent operations.
A traditional VMware customer goes for the vRealize Suite now, because they would need vRealize Automation (vRA) for automation and vRealize Operations (vROps) to monitor the infrastructure.
The next topic in this customer’s journey would be application modernization, which includes topics containerization and Kubernetes. VMware’s answer for this is the Tanzu portfolio. For the sake of this example let’s go with “Tanzu Standard”, which is one of four editions available in the Tanzu portfolio (aka VMware Tanzu).
Let’s have a look at the customer’s bill of materials so far:
VMware Cloud Foundation on-premises (vSphere, vSAN, NSX)
VMware Cloud on AWS
VMware Cloud on Dell EMC (locally managed VCF service for special edge use cases)
vRealize Automation
vRealize Operations
Tanzu Standard (includes Tanzu Kubernetes Grid and Tanzu Mission Control)
Looking at this list above, we see that their infrastructure is equipped with three different VMware Cloud Foundation flavours (on-prem, hyperscaler managed, locally managed) complemented by products of the vRealize Suite and the Tanzu portfolio.
This infrastructure with its different technologies, components and licenses has been built up over the past few years. But organizations are nowadays asking for more flexibility than ever. By flexibility I mean license portability and a subscription model.
VMware Cloud Universal
On 31st March 2021 VMware introduced VMware Cloud Universal (VMCU). VMCU is the answer to make the customer’s life easier, because it gives you the choice and flexibility in which clouds you want to run your infrastructure and consume VMware Cloud offerings as needed. It even allows you to convert existing on-premises VCF licenses to a VCF-subscription license.
The VMCU program includes the following technologies and licenses:
As Kit Kolbert, CTO VMware, said, “the idea is that VMware Cloud is everywhere that you want your applications to be”.
The VMware Cloud Console gives you view into all those different locations. You can quickly see what’s going on with a specific site or cloud landing zone, what its overall utilization looks like or if issues occur.
The Cloud Console has a seamless integration with vROps, which also helps you regarding capacity forecasting and (future) requirements (e.g., do I have enough capacity to meet my future demand?).
In short, it’s the central multi-cloud console to manage your global VMware Cloud environment.
vRealize Cloud Universal
What is part of vRealize Cloud Universal (vRCU) Enterprise Plus? vRCU is a SaaS management suite that combines on-premises and SaaS capabilities for automation, operations, log analytics and network visibility into a single offering. In other words, you get to decide where you want to deploy your management and operations tools. vRealize Cloud Universal comes in four editions and in VMCU you have the vRCU Enterprise Plus edition included with the following components:
Note: While vRCU standard, advanced and enterprise are sold as standalone editions today, the enterprise plus edition is only sold with VMCU (and as add-on to VMC on AWS).
vRealize AI Cloud
Have you ever heard of Project Magna? It is something that was announced at VMworld 2019, that provides adaptive optimization and a self-tuning engine for your data center. It was Pat Gelsinger who envisioned a so-called “self-driving data center”. Intelligence-driven data center might haven been a better term since Project Magna leverages artificial intelligence by using reinforcement learning, which combs through your data and runs thousands of scenarios that searches for the best regard output based on trial and error on the Magna SaaS analytics engine.
The first instantiation began with vSAN (today also known as vRAI Cloud vSAN Optimizer), where Magna will collect data, learn from it, and make decisions that will automatically self-tune your infrastructure to drive greater performance and efficiencies.
vRealize AI (vRAI) learns about your operating environments, application demands and adapts to changing dynamics, ensuring optimization per stated KPI. vRAI Cloud is only available on vRealize Operations Cloud via the vRealize Cloud Universal subscription.
VMware Skyline
VMware Skyline as a support service that automatically collects, aggregates, and analyzes product usage data, which proactively identifies potential problems and helps the VMware support engineers to improve the resolution time. Skyline is included in vRealize Cloud Universal because it just makes sense. A lot of customers have asked for unifying the self-service experience between Skyline and vRealize Operations Cloud. And many customers are using Skyline and vROps side by side today.
Users can now be proactive and perform troubleshooting in a single SaaS workflow. This means customers save more time by automating Skyline proactive remediations in vROps Cloud. But Skyline supports vSphere, vSAN, NSX, vRA, VCF and VMware Horizon as well.
VMware Cloud Universal Use Cases
As already mentioned, VMCU makes very much sense if you are building a hybrid or multi-cloud architecture with a consistent (VMware) infrastructure. VMCU, vRCU and the Tanzu portfolio help you to create a unified control plane for your cloud infrastructure.
Other use cases could be cloud migration or cloud bursting scenarios. If we switch back to the fictive customer before, we could use VMCU to convert existing VCF licenses to VCF-S (subscription) licenses, which in the end allow you to build a VMware-based Cloud on top of AWS (other public cloud providers are coming very soon!) for example.
Another good example is to achieve the same service and operating model on-prem as in the public cloud: a fully managed consumable infrastructure. Meaning, to move from a self-built and self-managed VCF infrastructure to something like VMC on Dell EMC.
How can I get VMCU?
There is no monthly subscription model and VMware only supports one-year or three-year terms. Customers will need to sign an Enterprise License Agreement (ELA) and purchase VMCU SPP credits.
Note: SPP credits purchased out of the program are not allowed to be used within the VMCU program!
After purchasing the VMCU SPP credits and VMware Cloud onboarding and organization setup, you can select the infrastructure offerings to consume your SPP credits. This can be done via the VMware Cloud Console.
Summary
I hope this article was useful to get a better understanding about VMware Cloud Universal. It might seem a little bit complex, but that’s not true. VMCU makes your life easier and helps you to build and license a globally distributed cloud infrastructure based on VMware technology.
Michael Rebmann is currently working as a Lead Solution Architect for VMware by Broadcom in Switzerland and focuses on some of the largest and most strategic customers. Michael engages with the community as a co-leader of the Swiss German VMUG and became a VMware vExpert PRO in 2022. Opinions are his own.
VMware CMTY Podcast #607 – VMware Cloud Foundation
VMware CMTY Podcast #546 – VMware Carbon Black Cloud Workload
Priyanka’s message was about collaboration for long-term success. The CNCF is about a large continuously growing community that must work together, and each person can contribute in her/his own way.
It was very interesting and important to hear from him, that you cannot provide a good developer experience without a good user experience. Enterprises and platform teams need to treat the platform as a product and focus on tooling and interoperability.
 
vRealize AI (vRAI) learns about your operating environments, application demands and adapts to changing dynamics, ensuring optimization per stated KPI. vRAI Cloud is only available on vRealize Operations Cloud via the vRealize Cloud Universal subscription.
