Private Cloud - Architecture - addon slides

Report
Additional Info (some are still draft)
Tech notes that you may find useful as input to the design.
A lot more material can be found at the Design Workshop
1
Confidential
Internal Cloud: Gartner model and VMware model
Gartner take:
• Virtual infrastructure
• On-demand, elastic, automated/dynamic
• Improves agility and business continuity
Life cycle management
Configuration and change management
Performance management
Virtual infrastructure management
Virtual infrastructure
Physical infrastructure
2
Confidential
Orchestrator
Capacity management
Ext. cloud connector
Chargeback system
Enterprise service management
Identity and access management
Service catalog
Service governor/infrastructure authority
Self-service provisioning portal
Master / Slave concept
3 3
Confidential
Cluster: Settings
For the 3 sample sizes, here is my personal recommendation
• DRS fully automated. Sensitivity: Moderate
• Use anti-affinity or affinity rules only when needed.
• More things for you to remember.
• Gives DRS less room to maneuver
• DPM enabled. Choose hosts that support DPM
• Do not use WOL. Use DPM or IPMI
• VM Monitoring enabled.
• VM monitoring sensitivity: Medium
• HA will restart the VM if the heartbeat between the host and the VM has not been received within a 60 second interval
• EVC enabled. Enable you to upgrade in future.
• Prevent VMs from being powered on if they violate availability constraints  better availability
• Host isolation response: Shut down VM
• See http://www.yellow-bricks.com/vmware-high-availability-deepdiv/
• Compared with “Leave VM Powered on”, this prevent data/transaction integrity risk. The risk is rather low as the VM itself has lock
• Compared with “Power off VM”, this allows graceful shutdown. Some application needs to run consistency check after a sudden power
off.
4
Confidential
DRS, DPM, EVC
In our 3 sizes, here are the settings:
• DRS: Fully Automated
• DRS sensitivity: Leave it at default (middle. 3 Star migration)
• EVC: turn on.
• It does not reduce performance.
• It is a simple mask.
• DPM: turn on. Unless HW vendor shows otherwise
• VM affinity: use sparingly. It adds complexity as we are using group affinity.
• Group affinity: use (as per diagram in design)
Why turn on DPM
• Power cost is real concern
Singapore example: S$0.24 per kWh x (600 W + 600 W) x 24 hours 365 days x 3 years / 1000 W = $5100
This is quite close of buying 1 server
For every 1W of power consumed, we need minimum 1W of power for aircond + UPS + lighting
5
Confidential
VMware VMmark
Use VMmark as the basis for CPU selection only, not entire box selection.
• It is the official benchmark for VMware, and it uses multiple workload
• Other benchmark are not run on vSphere, and typically test 1 workload
• VMmark does not include TCO. Consider entire cost when choosing HW platform
Use it as a guide only
• Your environment is not the same.
• You need head room and HA.
How it’s done
• VMmark 2.0 uses 1 - 4 vCPU
• MS Exchange, MySQL, Apache, J2EE,
File Server, Idle VM
Result page:
• VMmark 2.0 is not compatible with 1.x results
• www.vmware.com/products/vmmark/results.html
6
Confidential
This slide needs update
VMware VMmark
7
Confidential
VMmark: sample benchmark result (HP only)
I’m only showing result from 1 vendor as vendor comparison is more than just VMmark result.
IBM, Dell, HP, Fujitsu, Cisco, Oracle, NEC have VMmark results
Look at this number. 20 tiles = 100 Active VM
This number is when comparing with same #Tiles
± 10% is ok for real-life sizing. This is benchmark
Opteron 8439, 24 cores
Xeon 5570, 8 cores
Opteron 2435, 12 cores
Xeon 5470, 8 cores
This tells us that Xeon 5500 can run 17 Tiles, at 100% utilisation.
Each Tile has 6 VM, but 1 is idle. 17 x 5 VM = 85 active VM in 1 box.
At 80% Peak utilisation, that’s ~65 VM.
8
Confidential
Fault Tolerance
Workload Type
Databases
Application Specifics
The most popular workloads on FT.
Small to medium instances. Mostly SQL Server.
MS Exchange
and Messaging
BES, Exchange.
Gaming company has 750 mailboxes on 1 FT VM.
See FT load test at blogs.vmware.com
Web and File
servers
File server might be stateless but application using it may be
sensitive to denial of service and may be very costly to lose. A
simulation relying on a file server might have to be restarted if the
file server fails.
Manufacturing
and Custom
Applications
These workloads keep production lines moving. Breaks result in
loss of productivity and material.
SAP
SAP ECC 6.0 System based on SAP NetWeaver 7.0 platform. ASCS, a
Message and Transaction locking service, is a SPOF.
BlackBerry
BlackBerry Enterprise Server 4.1.6 (BES)
Examples: Propeller factory, meat factory, pharma line.
1 vCPU BES can support 200 users, 100-200 emails/day
9
Confidential
MS Clustering
ESX Port Group properties
• Notify Switches = NO
• Forged Transmits = Accept.
Win08 does not support NFS
Storage Design
• Virtual SCSI adapter
• LSI Logic Parallel for Windows Server 2003
• LSI Logic SAS for Windows Server 2008
ESXi changes
• ESXi 5.0 uses a different technique to
determine if RDM LUNs are used for MSCS
cluster devices, by introducing a configuration
flag to mark each device as "perennially
reserved" that is participating in a MSCS
cluster.
Unicast mode reassigns the station (MAC) address of
the network adapter for which it is enabled and all
cluster hosts are assigned the same MAC address,
you cannot have ESX send ARP or RARP to update
the physical switch port with the actual MAC address
of the NICs as this break the the unicast NLB
communication
10
Confidential
Symantec ApplicationHA
Can install agent to multiple VM simultaneously
Additional Roles for security
It does not cover Oracle yet
Presales contact for ASEAN: Vic
11
Confidential
VMware HA and DRS
Read Duncan’s yellowbrick first.
• Done? Read it again. This time, try to internalise it. See speaker notes below for an example.
vSphere 4.1
• Primary Nodes
• Primary nodes hold cluster settings and all “node states” which are synchronized between primaries. Node states hold for instance resource usage
information. In case that vCenter is not available the primary nodes will have a rough estimate of the resource occupation and can take this into
account when a fail-over needs to occur.
• Primary nodes send heartbeats to primary nodes and secondary nodes.
• HA needs at least 1 primary because the “fail-over coordinator” role will be assigned to this primary, this role is also described as “active primary”.
• If all primary hosts fail simultaneously no HA initiated restart of the VMs will take place. HA needs at least one primary host to restart VMs. This is why
you can only take four host failures in account when configuring the “host failures” HA admission control policy. (Remember 5 primaries…)
• The first 5 hosts that join the VMware HA cluster are automatically selected as primary nodes. All the others are automatically selected as secondary
nodes. A cluster of 5 will be all Primary.
• When you do a reconfigure for HA the primary nodes and secondary nodes are selected again, this is at random. The vCenter client does not show
which host is a primary and which is not.
• Secondary Nodes
• Secondary nodes send their state info & heartbeats to the primary nodes only.
• HA does not knows if the host is isolated or completely unavailable (down).
• The VM lock file is the safety net. In VMFS, the file is not visible. In NFS, it is the .lck file.
Nodes send a heartbeat every 1 second. The mechanism to detect possible outages.
12
Confidential
vSphere 4.1: HA and DRS
Best Practices
• Avoid using advance settings to decrease slot size as it might
lead to longer down time. Admission control does not take
fragmentation of slots into account when slot sizes are
manually defined with advanced settings.
What can go wrong in HA
• VM Network lost
• HA network lost
• Storage Network lost
Failed
13
Not Failed
What happen as a result
VM Network
HA Network
Storage Network
Users can’t access VM. If there are active users, they will complain.
HA does nothing as it’s not within the scope of HA in vSphere 4.1
HA Network
VM Network
Storage Network
It depends: Split Brain or Partitioned?
If the host is isolated, it will execute Isolation Response (shut down VM)
Lock is released.
Other host will gain lock. Other host will then start the VM
Storage Network
Does not matter
VM probably crash as it can’t access disk.
Lock expires.
Host will lose connection to array.
Other host (first one to get the lock?) will boot the VM.
Confidential
VMware HA and DRS
Split Brain >< Partitioned Cluster
• A large cluster that spans across racks might experience partitioning. Each partition will think they are full cluster. So long there is no loss is
storage network, each partition will happily run their own VM.
• Split Brain is when 2 hosts want to run a VM.
• Partitioned can happen when the cluster is separated by multiple switches. Diagram below shows a cluster of 4 ESX.
14
Confidential
HA: Admission Control Policy (% of Cluster)
Specify a percentage of capacity that needs to be reserved for failover
• You need to manually set it so it is at least equal to 1 host failure.
• E.g. you have a 8 node cluster and wants to handle 2 node failure. Set the % to be 25%
Complexity arises when nodes are not equal
• Different RAM or CPU
• But this also impact the other Admission Control option. So always keep node size equal, especially in Tier 1.
Total amount of reserved resource < (Available Resources – Reserved Resources)
If no reservation is set a default of 256 MHz is used for CPU and 0MB + overhead for MEM
Monitor the thresholds with vCenter on the Cluster’s “summary” tab
15
Confidential
Snapshot
Only keep for maximum 1-3 days.
• Delete or commit as soon as you are done.
• A large snapshot may cause issue when committing/deleting.
For high transaction VM, delete/commit as soon as you are done verifying
• E.g. databases, emails.
3rd party tool
• Snapshots taken by third party software (called via API) may not show up in the vCenter Snapshot Manager. Routinely check for snapshots
via the command-line.
Increasing the size of a disk with snapshots present can lead to corruption of the snapshots and potential data loss.
• Check for snapshot via CLI before you increase
16
Confidential
vMotion
Can be encrypted. At a cost certainly. If vMotion network is isolated, then there is no need.
May lose 1 ping.
Inter-cluster vMotion is not the same with intra-cluster
• Involves additional calls into vCenter, so hard limit
• Lose VM cluster properties (HA restart priority,
DRS settings, etc.)
17
Confidential
ESXi: Network configuration with UCS
If you are using Cisco UCS blade
• 2x 10G or 4x 10G depending on blade model and mezzanine card
All mezzanine card models support FCoE
• Unified I/O
• Low Latency
The Cisco Virtualized Adapter (VIC) supports
• Multiple virtual adapters per physical adapter
• Ethernet & FC on the same adapter
• Up to 128 virtual adapters (vNICs)
• High Performance 500K IOPS
• Ideal for FC, iSCSI and NFS
Once you decide it’s Cisco,
discuss the detail with Cisco.
18
Confidential
What Is Auto Deploy
Without Auto Deploy…
With Auto Deploy…
Host image tied to physical server
Host image decoupled from server
•
•
•
•
•
•
Each host needs full install and config
Not easy to recover host
Redundant boot disks/dedicated LUN
Run on any server w/ matching hardware
Config stored in Host Profile
No boot disk
A lot of time/effort building hosts
Agile deployment model
•
•
•
•
•
•
Deploying hosts is repetitive and tedious
Heavy reliance on scripting
Need to update for each new release
Deploy many hosts quickly and efficiently
No pre/post install scripts
No need to update with each release
Configuration drift between hosts
Host State Guaranteed
•
•
•
•
19
Config drift always a concern
Compromises HA/DR
Manging drift consumes admin resources
•
Confidential
Single boot image shared across hosts
Every reboot provides consistent image
Eliminate need to detect/correct drift
Auto Deploy Components
20
Component
Sub-Components
Notes
PXE Boot
Infrastructure
• DHCP Server
• TFTP Server
•
•
•
Setup independently
gPXE file from vCenter
Can use Auto Deploy
Appliance
Auto Deploy Server
• Rules Engine
• PowerCLI Snap-in
• Web Server
•
•
Build/Manage Rules
Match server to Image
and Host Profile
Deploy server
Image Builder
• Image Profiles,
• PowerCLI Snap-in
•
Combine ESXi image
with 3rd party VIBs to
create custom Image
Profiles
vCenter Server
• Stores Rules
• Host Profiles
• Answer Files
•
•
Provides store for rules
Host configs saved in
Host Profiles
Custom Host settings
saved in Answer Files
Confidential
•
•
Storage DRS and DRS
Interactions:
• Storage DRS placement may impact VM-host compatibility for DRS
• DRS placement may impact VM-datastore compatibility for Storage DRS
Solution: datastore and host co-placement
• Done at provisioning time by Storage DRS
• Based on an integrated metric for space, I/O, CPU
and memory resources
• Overcommitted resources get more weights
in the integrated metric
• DRS placement proceeds as usual
Datastore
Space
I/O
Connected
CPU
Connected
Memory
Integrated
Metric
1
High
High
Low
Low
Low
2
Low
Medium
Medium
Medium
Medium
3
High
Medium
High
High
High
But easier to architect it properly. Map ESX Cluster to Datastore Cluster manually.
Datastore 1
21
Datastore 2
Confidential
Datastore 3
Unified Fabric with Fabric Extender
End of Row Deployment
Fabric Extender
Multiple points of management
Unified fabric with Fabric extender
Single point of management
Reduced cables
FC
Ethernet
Blade switches
Fiber between racks
Copper in racks
High cable count
22
Confidential
Storage IO Control
Suggested Congestion Threshold values
Storage Media
Congestion Threshold
Solid State Disks
10 - 15 milliseconds
Fiber Channel
20 - 30 milliseconds
SAS
20 - 30 milliseconds
SATA
30 - 50 milliseconds
Auto-tiered Storage
Full LUN auto - tiering
Vendor recommended value. If none provided,
recommended threshold from above for the slowest
storage
Auto-tiered Storage
Block level / sub-LUN
auto - tiering
Vendor recommended value. If none provided, combination
of thresholds from above for the fastest and the slowest
media types
One: Avoid different settings for datastores sharing underlying resources
• Use same congestion threshold on A, B
• Use comparable share values
SIOC
SIOC
Datastore A
Datastore B
(e.g. use Low/Normal/High everywhere)
Physical drives
23
Confidential
NAS & NFS
Two key NAS protocols:
• NFS (the “Network File System”). This is what we support.
• SMB (Windows networking, also known as “CIFS”)
Things to know about NFS
• “Simpler” for person who are not familiar with SAN complexity
• To remove a VM lock is simpler as it’s visible.
• When ESX Server accesses a VM disk file on an NFS-based datastore, a special .lck-XXX lock file is generated in the same directory where
the disk file resides to prevent other ESX Server hosts from accessing this virtual disk file.
• Don’t remove the .lck-XXX lock file, otherwise the running VM will not be able to access its virtual disk file.
• No SCSI reservation. This is a minor issue
• 1 Datastore will only use 1 path
•
•
•
•
•
24
• Does Load Based Teaming work with it?
• For 1 GE, throughput will peak at 100 MB/s. At 16 K block size, that’s 7500 IOPS.
The Vmkernel in vSphere 5 only supports NFS v3, not v4. Over TCP only, no support for UDP.
MSCS (Microsoft Clustering) is not supported with NAS.
NFS traffic by default is sent in clear text since ESX does not encrypt it.
• Use only NAS storage over trusted networks. Layer 2 VLANs are another good choice here.
10 Gb NFS is supported. So is Jumbo Frames, and configure it end to end.
Deduplication can save sizeable amount. See speaker notes
Confidential
iSCSI
Use Virtual port storage system instead of plain Active/Active
• I’m not sure if they cost much more.
Has 1 additional Array Type over traditional FC: Virtual port storage system
• Allows access to all available LUNs through a single virtual port.
• These are active-active Array, but hide their multiple connections though a single port. ESXi multipathing cannot detect the
multiple connections to the storage. ESXi does not see multiple ports on the storage and cannot choose the storage port it
connects to. These array handle port failover and connection balancing transparently. This is often referred to as transparent
failover
• The storage system uses this technique to spread the load across available ports.
25
Confidential
iSCSI
Limitations
• ESX/ESXi does not support iSCSI-connected tape devices.
• You cannot use virtual-machine multipathing software to perform I/O load balancing to a single physical LUN.
• A host cannot access the same LUN when it uses dependent and independent hardware iSCSI adapters simultaneously.
• Broadcom iSCSI adapters do not support IPv6 and Jumbo Frames. [e1: still true in vSphere 5??]
• Some storage systems do not support multiple sessions from the same initiator name or endpoint. Multiple sessions to such
targets can result in unpredictable behavior.
Dependant and Independent
• A dependent hardware iSCSI adapter is a third-party adapter that depends on VMware networking, and iSCSI configuration and
management interfaces provided by VMware. This type of adapter can be a card, such as a Broadcom 5709 NIC, that presents a
standard network adapter and iSCSI offload functionality for the same port. The iSCSI offload functionality appears on the list of
storage adapters as an iSCSI adapter
Error correction
• To protect the integrity of iSCSI headers and data, the iSCSI protocol defines error correction methods known as header digests
and data digests. These digests pertain to the header and SCSI data being transferred between iSCSI initiators and targets, in
both directions.
• Both parameters are disabled by default, but you can enable them. Impact CPU. Nehalem processors offload the iSCSI digest
calculations, thus reducing the impact on performance
Hardware iSCSI
• When you use a dependent hardware iSCSI adapter, performance reporting for a NIC associated with the adapter might show
little or no activity, even when iSCSI traffic is heavy. This behavior occurs because the iSCSI traffic bypasses the regular
networking stack
Best practice
• Configure jumbo frames end to end.
• Use NIC with TCP segmentation offload (TSO)
26
Confidential
iSCSI & NFS: caveat when used together
Avoid using them together
iSCSI and NFS have different HA models.
• iSCSI uses vmknics with no Ethernet failover – using MPIO instead
• NFS client relies on vmknics using link aggregation/Ethernet failover
• NFS relies on host routing table.
• NFS traffic will use iSCSI vmknic and results in links without
redundancy
• Use of multiple session iSCSI with NFS is not supported by NetApp
• EMC supports, but best practice is to have separate subnets, virtual
interfaces
27
Confidential
NPIV
What it is
• Allow a single Fibre Channel HBA port to register with the Fibre Channel fabric using several worldwide port names (WWPNs). This ability
makes the HBA port appear as multiple virtual ports, each having its own ID and virtual port name. Virtual machines can then claim each of
these virtual ports and use them for all RDM traffic.
• Note that is WWPN, not WWNN
• WWPN – World Wide Port Name
• WWNN – World Wide Node Name
• Single port HBA typically has a single WWNN and a single WWPN (which may be the same).
• Dual port HBAs may have a single WWNN to identify the HBA, but each port will typically have its own WWPN.
• However they could also have an independent WWNN per port too.
First one is WW Node Name
Second one is WW Port Name
Design consideration
• Only applicable to RDM
• VM does not get its own HBA nor FC driver required. It just gets an N-port, so it’s visible from the fabric.
• HBA and SAN switch must support NPIV
• Cannot perform Storage vMotion or VMotion between datastores when NPIV is enabled. All RDM files must be in the same datastore.
• Still in place in v5
28
Confidential
2 TB VMDK barrier
You need to have > 2 TB disk within a VM.
• There are some solutions, each with pro and cons.
• Say you need a 5 TB disk in 1 Windows VM.
• RDM (even with physical compatibility) and DirectPath I/O do not increase virtual disk limit.
Solution 1: VMFS or NFS
• Create a datastore of 5 TB.
• Create 3 VMDK. Present to Windows
• Windows then combine the 3 disk into 1 disk.
• Limitation
• Certain low level storage-softwares may not work as they need 1 disk (not combined by OS)
Solution 3: iSCSI within the Guest
• Configure the iSCSI initiator in Windows
• Configure a 5 TB LUN. Present the LUN directly to Windows, bypassing the ESX layer. You can’t monitor it.
• By default, it will only have 1 GE. NIC teaming requires driver from Intel. Not sure if this supported.
29
Confidential
Storage: Queue Depth
When should you adjust the queue depth?
• If a VM generates more commands to a LUN than the LUN queue depth; Adjust the device/LUN queue.
• Generally with fewer, very high IO VMs on a host, larger queues at the device driver will improve performance.
• If the VM’s queue depth is lower than the HBA’s; Adjust the vmkernel.
Be cautious when setting queue depths
• With too large of device queues, the storage array can easily be overwhelmed and its performance may suffer with high latencies.
• Device driver queue depths is global and set per LUN setting.
• Change the device queue depth for all ESX hosts in the cluster
Calculating the queue depth:
• To verify that you are not exceed the queue depth for an HBA use the following formula:
• Max. queue depth of the HBA = Device queue setting * # of LUNs on HBA
Queue are at multiple levels
• LUN queue for each LUN at ESXi host.
• If the above queue is full, then kernel queue will be filled up
• LUN queue at array level for each LUN
• If this queue does not exist, then the array writes straight into disk.
• Disk queue
• The queue at the disk level, if there is no LUN queue
30
3
Confidential
Sizing the Storage Array
• For RAID 1 (it has IO Penalty of 2)
• 60 Drives= ((7000 x 2 x 30%) + (7000 x 70%)) / 150 IOPS
• Why RAID 5 has 4 IO Penalty?
31
RAID Level
IO Penalty
1
2
5
4
6
6
Confidential
Storage: Performance Monitoring
Get a baseline of your environment during a “normal” IO time frame.
• Capture as many data points as possible for analysis.
• Capture data from the SAN Fabric, the storage array, and the hosts.
Which statistics should be captured
• Max and average read/write IOps
• Max and average read/write latency (ms)
• Max and average Throughput (MB/sec)
• Read and write percentages
• Random vs. sequential
• Capacity – total and used
32
Confidential
SCSI Architecture Model (SAM)
33
Confidential
Fibre Channel Multi-Switch Fabric
TR
RC
RC
TR
N_Port 0
F_Port
F_Port
TR
RC
RC
TR
N_Port 1
Fabric Switch 1
Node A
Node B
E_Port
Node D
TR
N_Port 3
F_Port
RC
F_Port
Node C
TR
RC
RC
N_Port 2
TR
RC
TR
F_Port
RC
TR
RC
E_Port
TR
N_Port 0
TR
TR
RC
RC
F_Port
TR
RC
RC
TR
N_Port 1
Node G
Node E
Fabric Switch 2
Node F
F_Port
TR
Node H
RC
TR
N_Port 3
RC
F_Port
RC
N_Port 2
TR
TR
RC
3434
Confidential
Backup: VADP vs Agent-based
ESX has 23 VM. Each VM is around 40 GB.
• All VMs are idle, so this CPU/Disk are purely on back up.
• CPU Peak is >10 GHz (just above 4 cores)
• But Disk Peak is >1.4 Gbps of IO, almost 50% of a 4 Gb HBA.
After VAPD, both CPU and Disk drops to negligible
35
Confidential
VADP: Adoption Status
This is as at June 2010.
Always check with vendor for the most accurate data
36
Partner Name
Product Name
Version
Integration Status
CA
ArcServe
12.5 w/patch
Released
Commvault
Simpana
8.0 SP5
Released
EMC
Avamar
5.0
Released
EMC
Networker
7.6.x
Not yet
HP
Data Protector
6.1.1 with patch
Not yet
IBM
Tivoli Storage Manager
6.2.0
Released
Symantec
Backup Exec
2010
Released
Symantec
Backup Exec System Recovery
2010
Released
Symantec
NetBackup
7.0
Released
Vizioncore
vRanger Pro
4.2
Released
Veeam
Backup & Replication
4.0
Released
Confidential
Partition alignment
Affects every protocol, and every storage array
• VMFS on iSCSI, FC, & FCoE LUNs
• NFS
• VMDKs & RDMs with NTFS, EXT3, etc
VMware VMFS partitions that align to 64KB track boundaries give reduced latency and increased throughput
• Check with storage vendor if there are any recommendations to follow.
• If no recommendations are made, use a starting block that is a multiple of 8 KB.
Responsibility of Storage Team.
• Not vSphere Team
On NetApp :
• VMFS Partitions automatically aligned. Starting block in multiples of 4k
• MBRscan and MBRalign tools available to detect and correct misalignment
FS 4KB-1MB
Cluster
Cluster
VMFS 1MB-8MB
Array 4KB-64KB
37
Cluster
Block
Chunk
Chunk
Confidential
Chunk
Tools: Array-specific integration
The example below is from NetApp. Other Storage partners have integration capability too.
Always check with respective product vendor for latest information.
38
Confidential
Tools: Array-specific integration
Management of the Array can be done from vSphere client. Below is from NetApp
Ensure storage access is not accidently given to vSphere admin by using RBAC
39
Confidential
Data Recovery
No integration with tape
• Can do manual
If a third-party solution is being used to backup the deduplication store, those backups must not run while the Data Recovery service is
running. Do not back up the deduplication store without first powering off the Data Recovery Backup Appliance or stopping the
datarecovery service using the command service datarecovery stop.
Some limits
• 8 concurrent jobs on the appliance at any time (backup & restore).
• An appliance can have at the most 2 dedupe store destinations due to the overhead involved in deduping.
• VMDK or RDM based deduplication stores of up to 1TB or CIFS based deduplication stores of up to 500GB.
• No IPv6 addresses
• No multiple backup appliances on a single host.
VDR cannot back up VMs
• that are protected by VMware Fault Tolerance.
• with 3rd party multi-pathing enabled where shared SCSI buses are in use.
• with raw device mapped (RDM) disks in physical compatibility mode.
• Data Recovery can back up VMware View linked clones, but they are restored as unlinked clones.
Using Data Recovery to backup Data Recovery backup appliances is not supported.
• This should not be an issue. The backup appliance is a stateless device, so there is not the same need to back it up like other types of VMs.
40
Confidential
VMware Data Recovery
We assume the following requirements
• Back up to external array, not the same array.
• External Array can be used for other purpose too. So the 2 arrays are backing up each other.
• How to ensure Write performance as the array is shared?
• 1x a day back up. No need multiple back up per day on the same VM.
Consideration
• Bandwidth: Need dedicated NIC to the Data Recovery VM
• Performance: Need to reserve CPU/RAM for the VM?
• Group like VM together. It maximises dedupe
• Destination: RDM LUN presented via iSCSI to the Appliance. See picture below (hard disk 2)
• Not using VMDK format to enable LUN level operation
• Not using CIFS/SMB as Dedupliation Store is 0.5 TB vs 1 TB on RDM/VMDK
• Space calculation: need to find a tool to help estimate the disk requirements.
41
Confidential
Mapping: Datastore – VM
Criteria to use when placing a VM into a Tier:
• How critical is the VM? Importance to business.
• What are its performance and availability requirements?
• What are its Point-in-Time restoration requirements?
• What are its backup requirements?
• What are its replication requirements?
Have a document that lists which VM resides on which datastore group
• Content can be generated using PowerCLI or Orchestrator, which shows datastores and their VMs.
• Example tool: Quest PowerGUI
• While rarely happen, you can’t rule out if datastore metadata get corrupted.
• When that happens, you want to know what VMs are affected.
A VM normally change tiers throughout its life cycle
• Criticality is relative and might change for a variety of reasons, including changes in the organization, operational processes, regulatory
requirements, disaster planning, and so on.
• Be prepared to do Storage vMotion.
• Always test it first so you know how long it takes in your specific environment
• VAAI is critical, else the traffic will impact your other VMs.
42
Datastore Group
VM Name
Size (GB)
IOPS
Total
12 VM
1 TB
1400 IOPS
Confidential
RDM
Use sparingly.
• VMDK is more portable, easier to manage, and easier to resize.
• VMDK and RDM have similar performance.
Physical RDM
• Can’t take snapshot.
• No Storage vMotion. But can do vMotion.
• Physical mode specifies minimal SCSI virtualization of the mapped device, allowing the greatest flexibility for SAN management
software.
• VMkernel passes all SCSI commands to the device, with one exception: the REPORT LUNs command is virtualized so that the
VMkernel can isolate the LUN to the owning virtual machine.
Virtual RDM
• Specifies full virtualization of the mapped device. Features like snapshot, etc works
• VMkernel sends only READ and WRITE to the mapped device. The mapped device appears to the guest operating system exactly
the same as a virtual disk file in a VMFS volume. The real hardware characteristics are hidden.
43
Confidential
Human Experts vs Storage DRS
2 VMware performance engineers vs Storage DRS competing to balance the following:
• 13 VMs: 3 DVD store, 2 Swingbench, 4 mail servers, 2 OLTP, 2 web servers
• 2 ESX hosts and 3 storage devices (different FC LUNs in shades of blue)
Storage DRS provides lowest average latency, while maintaining similar throughput. Why human expert lost?
• Too many numbers to crunch, too many dimensions to the analysis. Human took a couple of hours to think this through.
Why bother anyway 
2500
50
Latency (ms)
45
IOPS
2000
1500
1000
500
40
35
30
25
20
15
10
5
0
0
Space
balanced
BASIL
Storage
DRS
Expert 1
Space
balanced
Expert 2
BASIL
Storage
DRS
Expert 1
Expert 2
Green: Average Latency (ms)
44
Confidential
Alternative Backup Method
VMware ecosystem may provide new way of doing back up.
• Example below is from NetApp
NetApp SnapManager for Virtual Infrastructure (SMVI)
• In Large Cloud, SMVI server should sit on a separate VM from with vCenter.
• While it has no performance requirement, it is best from Segregation of Duty point of view.
• Best practice is to keep vCenter clean & simple. vCenter is playing much more critical role in larger environment where plug-ins are relying on vCenter
up time.
• Allows for consistent array snapshots & replication.
• Combine with other SnapManager products (SM for Exchange, SM for Oracle, etc) for application consistency
•
•
•
•
45
• Exchange and SQL work with VMDK
• Oracle, SharePoint, SAP require RDM
Can be combined with SnapVault for vaulting to disk.
3 levels of data protection :
• On disk array snapshots for fast backup (seconds) & recovery (up to 255 snapshot copies of any datastore can be kept with no performance impact)
• Vaulting to separate array for better protection, slightly slower recovery
• SnapMirror to offsite for DR purposes
Serves to minimize backup window (and frozen vmdk when changes are applied)
Option to not create a vm snapshot to create crash consistent array snapshots
Confidential
One VMKernel port
& IP subnet
Use multiple links with
IP hash load balancing on
the NFS client (ESX)
Use multiple links with
IP hash load balancing on
The NFS server (array)
Storage needs multiple
sequential IP addresses
46
Confidential
Yes
Support
multi-switch
Link
aggr?
Use multiple VMKernel
Ports & IP subnets
Use ESX routing table
Storage needs multiple
sequential IP addresses
47
Confidential
vMotion Performance on 1 GbE Vs 10 GbE
Scenario
CPU %USED
Idle VM
Moderately Loaded VM
Web Traffic
0
0 Gbps
140%
2.5 Gbps
Idle/Moderately loaded VM scenarios
•
Reductions in duration when using 10 GbE vs 1 GbE
on both vSphere 4.1 and vSphere 5
Heavily Loaded VM
325%
6 Gbps
Consider switch from 1 GbE to 10 GbE vMotion
network
Heavily loaded VM scenario
•
Reductions in duration when using 10 GbE vs 1 GbE
•
1 GbE on vSphere 4.1: Memory copy convergence
issues lead to network connection drops
•
1 GbE on vSphere 5 : SDPS kicked-in resulting in
zero connection drops
vMotion in vSphere 5 never fails due to memory
copy convergence issues
Duration of vMotion
(lower the better)
48
Confidential
Impact on Database Server Performance During vMotion
vSphere 5
vSphere 4.1
450
450
vMotion duration : 23 sec
400
350
350
300
300
250
250
orders-per-second
orders-per-second
200
Impact
during
guest trace
period
200
150
150
100
50
vMotion duration : 15 sec
400
Impact during
guest trace
period
Impact during
switch-over
period
Impact during
switch-over
period
100
50
0
1
14
27
40
53
66
79
92
105
118
131
144
157
170
183
196
209
222
235
248
261
274
1
14
27
40
53
66
79
92
105
118
131
144
157
170
183
196
209
222
235
248
261
274
287
0
Time (in seconds)
Time (in seconds)
Performance impact minimal during the memory trace phase in vSphere 5
Throughput was never zero in vSphere 5 (due to switch-over time < half a second)
Time to resume to normal level of performance about 2 seconds better in vSphere 5
49
Confidential
vMotion Network Bandwidth Usage During Evacuation
50
Confidential
Network Settings
Load-Based Teaming
• We will not use as we are using 1 GE in this design.
• If you use 10 GE, the default settings is a good starting point. It gives VM 2x the share versus hypervisor.
NIC Teaming
• If the physical switch can support, then use IP-Hash
• Need a Stacked-Switch. Basically, they can be managed as if they are 1 bigger switch. Multi-chassis EtherChannel Switch is another name.
• IP-Hash does not help if the source and address are constant. For example, vMotion always use 1 path only as source-destination pair is constant.
Connection from VMkernel to NFS server is contant,
• If the physical switch can’t support, then use Source Port
• You need to manually balance this, so not all VM go via the same port.
VLAN
• We are using VST. Physical switch must support VLAN trunking.
PVLAN
• Not using in this design. Most physical switches are PVLAN aware already.
• Packets will be dropped or security can be compromised if physical switch is not PVLAN aware.
Beacon Probing
• Not enabled, as my design only has 2 NIC per vSwitch. ESXi will flood both NIC if it has 2 NIC only.
Review default settings
• Change Forged Transmit to Reject.
• Change MAC address changes to Reject
51
Confidential
VLAN
Native VLAN
• Native VLAN means the switch can receive and transmit untagged packets.
• VLAN hopping occurs when an attacker with authorized access to one VLAN creates packets that trick physical switches into transmitting the
packets to another VLAN that the attacker is not authorized to access. Attacker send forms an ISL or 1Q trunk port to switch by spoofing DTP
messages, getting access to all VLANs. Or attacker can send double tagged 1Q packets to hop from one VLAN to another, sending traffic to a
station it would otherwise not be able to reach.
• This vulnerability usually results from a switch being misconfigured for native VLAN, as it can receive untagged packets.
Local vSwitches do not support native VLAN. Distributed vSwitch does.
• All data passed on these switches is appropriately tagged. However, because physical switches in the network might be configured for native
VLAN, VLANs configured with standard switches can still be vulnerable to VLAN hopping.
• If you plan to use VLANs to enforce network security, disable the native VLAN feature for all switches unless you have a compelling reason to
operate some of your VLANs in native mode. If you must use native VLAN, see your switch vendor’s configuration guidelines for this feature.
VLAN 0: the port group can see only untagged (non-VLAN) traffic.
VLAN 4095: the port group can see traffic on any VLAN while leaving the VLAN tags intact.
52
Confidential
Distributed Switch
Design consideration
• Version upgrade
• ?? Upgrade procedure
53
Confidential
Feature Comparison Among Switches (partial)
54
Feature
vSS
vDS
Cisco N1K
VLAN
yes
yes
yes
Port Security
yes
yes
yes
Multicast Support
yes
yes
yes
Link Aggregation
static
static
LACP
Traffic Management
limited
yes
yes
Private VLAN
no
yes
yes
SNMP, etc.
no
no
yes
Management Interface
vSphere Client
vSphere client
Cisco CLI
Netflow
No
yes
yes
Confidential
vNetwork Standard Switch: A Closer Look
vSS defined on a per host basis from Home  Inventory  Hosts and Clusters.
Uplinks (physical NICs)
attached to vSwitch.
Port Groups are policy
definitions for a set
or group of ports.
e.g. VLAN membership,
port security policy,
teaming policy, etc
vNetwork Standard
Switch (vSwitch)
55
Confidential
vNetwork Distributed Switch: A Closer Look
vDS operates off the local cache – No operational dependency on vCenter server
• Host local cache under /etc/vmware/dvsdata.db and /vmfs/volumes/<datastore>/.dvsdata
• Local cache is a binary file. Do not hand edit
DV Uplink Port Group
defines uplink policies
DV Uplinks abstract
actual physical nics
(vmnics) on hosts
DV Port Groups
span all hosts
covered by vDS
and are groups
of ports
defined with the
same policy
e.g. VLAN, etc
vmnics on each host
mapped to dvUplinks
56
Confidential
Nexus 1000V: VSM
VM properties
• Each requires a 1 vCPU, 2 GB RAM. Must be reserved, so it will impact the cluster Slot Size.
• Use “Other Linux 64-bit" as the Guest OS.
• Each needs 3 vNIC.
• Requires the Intel e1000 network driver. Because No VMware Tools installed?
Availability
• 2 VSMs are deployed in an active-standby configuration, with the first VSM functioning in the primary role and the other VSM functioning in
a secondary role.
• If the primary VSM fails, the secondary VSM will take over.
• They do not use VMware HA mechanism.
Unlike cross-bar based modular switching platforms, the VSM is not in the data path.
• General data packets are not forwarded to the VSM to be processed, but rather switched by the VEM directly.
57
Confidential
Nexus 1000V: VSM has 3 Interface for “mgmt”
Control Interface
• VSM – VEMs communication, and VSM – VSM communication
• Handles low-level control packets such as heartbeats as well as any configuration data that needs to be exchanged between the VSM and
VEM. Because of the nature of the traffic carried over the control interface, it is the most important interface in Nexus 1000V
• Requires very little bandwidth (<10 KBps) but demands absolute priority.
• Always the first interface on the VSM. Usually labeled "Network Adapter 1" in the VM network properties.
Management Interface
• VSM – vCenter communication.
• Appears as the mgmt0 port on a Cisco switch. As with the management interfaces of other Cisco switches, an IP address is assigned to
mgmt0.
• Does not necessarily require its own VLAN. In fact, you could use the same VLAN with vCenter
Packet Interface
• carry network packets that need to be coordinated across the entire Nexus 1000V. Only two type of control traffic: Cisco Discovery Protocol
and Internet Group Management Protocol (IGMP) control packets.
• Always the third interface on the VSM and is usually labeled "Network Adapter 3" in the VM network properties.
• Bandwidth required for packet interface is extremely low, and its use is very intermittent. If Cisco Discovery Protocol and IGMP features are
turned off, there is no packet traffic at all. The importance of this interface is directly related to the use of IGMP. If IGMP is not deployed,
then this interface is used only for Cisco Discovery Protocol, which is not considered a critical switch function
58
Confidential
vNetwork Distributed Portgroup Binding
Port Binding: Association of a virtual adapter with a dvPort
VMware ESX
Static Binding: Default configuration
• Port bound when vnic connects to portgroup
Dynamic binding
• Use when #VM adapters > #dvPorts in a portgroup and all VMs are not active
DVPort created on proxySwitch and
bound to vnic
Ephemeral binding
• Use when #VMs > #dvPorts and port history is not relevant
• Max Ports is not enforced
ProxySwitch
Use static binding for best performance and scale
59
Confidential
Network Stack Comparison
Good attributes of FCoE
• Has less overhead than FCIP or iSCSI. See diagram below.
• FCoE is managed like FC at initiator, target, and switch level
• Mapping FC frames over Ethernet Transport
• Enables Fibre Channel to run over a lossless Ethernet medium
• Single Adapter, less device proliferation, lower power consumption
• No gateways required
• NAS certification: FCoE CNAs can be used to certify NAS storage. Existing NAS devices listed on VMware SAN Compatibility Guide do not
require recertification with FCoE CNAs.
Mixing of technologies always increase complexity
FCP
FCIP
iSCSI
TCP
SCSI
IP
FCoE
FC
Ethernet
Physical Wire
SCSI
60
iSCSI
FCIP
Confidential
FCoE
FC
Physical Switch Setup
Spanning Tree Protocol
• vSwitch won’t create loops
• vSwitch can’t be linked.
• vSwitch does not take incoming packet from pNIC and forward as outgoing
packet to another pNIC
VM0
VM1
Recommendations
1. Leave STP on in physical network
2. Use “portfast” on ESX facing ports
3. Use “bpduguard” to enforce STP boundary
MAC a
MAC b
vSwitch
vSwitch
Physical
Switches
61
Confidential
MAC c
1 GE switch
Sample from Dell.com (US site, not Singapore)
Around US$5 K. Need a pair.
48 ports
• Each ESXi needs around 7 – 13 ports (inclusive of iLO port)
62
Confidential
10 GE switch
Sample from Dell.com (US site, not Singapore)
Around US$10 – 11 K. Need a pair.
24 ports
• Each ESXi only need 2 port
• iLO port can connect to existing GE/FE switch
63
Compared with 1 GE switch,
Price is very close. Might be
even cheaper in TCO
Confidential
Multi security zones (w/ vShield Edge to protect vApp Network)
vCD “logical” View
vSphere “operational” View
Reminder: this is self-service (UI / API)
vApp
vApp Network
Org Network
Organization
PG
External Network
PG
PG
vSphere vNetwork
vCD will deploy this
64
Confidential
Two-tier application (w/ vShield App to protect backend)
vCD “logical” View
vSphere “operational” View
Reminder: this is NOT self-service (today)
vApp
Front-end
enclave
Back-end
enclave
Org Network
Organization
PG
External Network
PG
vSphere vNetwork
vShield Admin config (today)
65
Confidential
vShield Edge in short
vCD “logical” View
Security Zone 1
NAT
DHCP
LB
vSphere “operational” View
Security Zone 2
Virtual
Appliance
Firewall
Routing
VPN
vNIC
vNIC
PortGroup
L2Network-B
L2Network-A
vSphere vNetwork
vShield Edge
66
PortGroup
Confidential
vShield App in short
vCD “logical” View
vSphere “operational” View
Security Zone 2
Security Zone 1
Firewall
vNIC
vNIC
PortGroup
L2Network
vSphere vNetwork
vShield App
Kernel
Module
67
Confidential
Security Compliance: PCI DSS
PCI applies to all systems “in scope”
• Segmentation defines scope
• What is within scope? All systems that Store, Process, or Transmit
cardholder data, and all system components that are in or connected to
the cardholder data environment (CDE).
The DSS is vendor agnostic
• Does not seem to cover virtualisation.
Relevant statements from PCI DSS
• “If network segmentation is in place and will be used to reduce the scope
of the PCI DSS assessment, the assessor must verify that the segmentation
is adequate to reduce the scope of the assessment.” - (PCI DSS p.6)
• “Network segmentation can be achieved through internal network
firewalls, routers with strong access control lists or other technology that
restricts access to a particular segment of a network.” – PCI DSS p. 6
• “At a high level, adequate network segmentation isolates systems that
store, process, or transmit cardholder data from those that do not.
However, the adequacy of a specific implementation of network
segmentation is highly variable and dependent upon such things as a given
network's configuration, the technologies deployed, and other controls
that may be implemented. “
– PCI DSS p. 6
• “Documenting cardholder data flows via a dataflow diagram helps fully
understand all cardholder data flows and ensures that any network
segmentation is effective at isolating the cardholder data environment.” –
p.6
68
Confidential
Security Compliance: PCI DSS
Added complexity from Virtualisation
• System boundaries are not as clear as their non-virtual counterparts
• Even the simplest network is rather complicated
• More components, more complexity, more areas for risk
• Digital forensic risks are more complicated
• More systems are required for logging and monitoring
• More access control systems
• Memory can be written to disk
• VM Escape?
• Mixed Mode environments
69
Confidential
Sample Virtualized CDE
PCI: Virtualization Risks by Requirement
Requirement
Unique Risks to Virtual Environments
How you can address them
3.
Protect stored
cardholder data.
There is a chance that memory that was previously only stored as
volatile memory may now be written to disk as stored (i.e., taking
snapshots of systems).
 Apply data retention and disposal policy to CDE-VMs, snapshots, and any other components which have the possibility of
storing CHD, encryption keys, passwords, etc.
How are memory resources and other shared resources protected
from access? (How do you know that there are no remnants of stored
data?)
 Document storage configuration and SAN implementation.
 Document any encryption process, encryption keys, &
encryption key management used to protects stored CHD?
 Fully isolate the VMotion network to ensure that as hosts are
moved from one physic server to another, memory and other
sensitive running data cannot be sniffed or logged.
Access controls are more complicated. In addition to hosts, there are
now additional applications, virtual components, and storage of these
components (i.e., what protects their access while they are waiting to
be provisioned).
 Document all the types of different Role Based Access Controls
(RBAC) used for access to physical hosts, virtual hosts, physical
infrastructure, virtual infrastructure, logging systems, IDS/IPS,
multi-factor authentication, and console access.
Organizations should carefully document all the access controls in
place, and ensure that there are separate access controls for different
“security zones.”
 Ensure that physical hosts do not rely on virtual RBAC systems
that they host.
9.
Restrict physical
access to
cardholder data.
Risks are greater since physical access to the hypervisor could lead to
logical access to every component.
 Ensure that you are considering physical protection in your D/R
site.
10.
Track and monitor
all access to
network resources
and cardholder
data.
Some virtual components do not have the robust logging capabilities of
their physical counterparts. Many systems are designed for
troubleshooting and are not designed to create detailed event and
system logs which provide sufficient detail to meet PCI logging
requirements and assist with a digital forensic investigation.
7.
Restrict access to
cardholder data by
business need-toknow.
 Address the risk that physical access to a single server or SAN
can result in logical access to hundreds of servers.
PCI requires logs to be stored in a central location that is independent
of the systems being logged.
70
Confidential
 Establish unified and centralized log management solutions
which cannot be altered or disabled by access to the
hypervisor.
 ESX logs should not be stored on a virtual host on the same ESX
server, as compromising the ESX server could compromise the
logs. Be prepared to demonstrate that the logs are forensically
sound.
vNetwork Appliances
Advantages
• Flexible deployment
• Scales naturally as more ESX hosts are deployed
Architecture
• Fastpath agent filter packets in datapath, transparent to vSwitch
• Optionally forward packets to VM (slowpath agent)
Solutions
• VMware vShield, Reflex, Altor, Checkpoint, etc.
Heavyweight filtering
in “Slow Path” agent
Lightweight filtering
in “Fast Path” agent
71
Confidential
vShield
DMZ
DB
APP
Org vDC
Shared Services
vShield Edge
vShield App
vShield App
vShield App
Virtual Distributed Switch
vSphere
vSphere
vSphere
vSphere
INTERNET
72
Confidential
Setup Perimeter services
Install vShield Edge
• External – Internal
Provision Services
• Firewall
• NAT, DHCP
• VPN
• Load Balancer
Setup Internal Trust Zones
Install vShield App
• vDS / dvfilter setup
• Secure access to shared services
Create interior zones
• Segment internal net
• Wire up VMs
vShield and Fail-Safe
http://www.virtualizationpractice.com/blog/?p=9436
73
Confidential
Security
Steps to delete “Administrator” from vCenter
• Move it to the “No Access” role. Protect it with alarm if this is modified.
• All other plug-in or mgmt products that use Administrator will break
Steps to delete “root” from ESX
• Replaced with another ID. Can’t be tied to AD?
• Manual warns of removing this user.
Create another ID with root group membership
• vSphere 4.1 now support MS AD integration
74
Confidential
VCM’s Free vSphere Compliance Checker (Download)
ESX related
hardening rules
5 ESX Hosts
VM shell related
hardening rules
http://www.vmware.com/products/datacenter-virtualization/vsphere-compliance-checker/overview.html
75
Confidential
security P2V issue – loss of physical control
physical security
cloud security in virtual data center
static
dynamic
perimeter security was achieved using
physical firewall, IPS and VPN
due to mobility of the VM’s it is not sufficient
to achieve the same
interior security was achieved using VLAN
or subnet based policies
leads into VLAN sprawl and complex
policies
endpoints are protected with AV agents
results in more AV agents in each VM
impacting the host or other VM’s
physical organizational boundaries or
security zones can be achieved easily with
physical appliances
can be achieved only with the help of
different subnets resulting in VLAN sprawl
sharing of same physical hosts by multiple
VM’s results in complex multi tenancy
policies – to enable logical boundaries
greater transparency & visibility –
given tools are virtualization aware
opaque with poor visibility
76
Confidential
Windows VM monitoring
Use the new Perfmon counters provided.
The built-in from Windows is misleading in virtual environment
77
Confidential
Time Keeping and Time Drift
Critical to have the same time for all ESX and VM.
All VM & ESX to get time from the same 1 internal NTP server
• Synchronize the NTP Server with an external stratum 1 time source
The Internal NTP server to get time from a reliable external server or real atomic clock
• Should be 2 sources
Do not virtualise the NTP server
• As a VM, it may experience time drift if ESXi host is under resource constraint
Physical candidates for NTP Server:
• Back up server (with vStorage API for Data Protection)
• Cisco switch
See MS AD slide for specific MS AD specific impact.
78
Confidential
Linux
New features in ext4 filesystem:
• Extents reduce fragmentation
• Persistent preallocation
• Delayed allocation
• Journal checksumming
• fsck is much faster
RHEL 6 & ext4 properly align filesystems
Tips: use the latest OS
• Constant Improvements
• Built-in paravirtual drivers
• Better timekeeping
• Tickless kernel. On-demand timer interrupts. Systems stay totally idle
• Hot-add capabilities
• Reduces need to oversize “just in case”
• Might need to tweak udev. See VMware KB 1015501
• Watch for jobs that happen at the same time (across VM)
• Monitoring (every 5 minutes)
• Log rotation (4 AM)
• Don’t need sysstat & sar running. Use vCenter metrics instead
79
Confidential
Guest Optimization Swap File Location
Swap file for Windows guests should be on separate dedicated drives
• Cons:
• This requires another vmdk file. Management overhead as it has to be resized when RAM changes too.
• Pro:
• No need to back up
• Keep the application traffic and OS disk traffic separate from the page file traffic thereby increasing performance.
• Swap partition equal to 1.5x RAM
• 1.5x is the default recommendation for best performance (knowing nothing about the application).
• Monitor the page file usage to see how much of it is actually being used, in the old days whatever memory was installed was what they were
committed to and making a change was an act of congress, look to leverage the virtual flexibility and modify for best usage.
• http://support.microsoft.com/kb/889654 Microsoft limits on page file’s .
Microsoft’s memory recommendations and definition of physical address extension explained
http://support.microsoft.com/?kbid=555223
80
Confidential
80
Infrastructure VM
Purpose
CPU
RAM
Remarks
Admin Client.
Win 7 32 bit
1
2 GB
Dedicated for vSphere management/administration purpose.
vSphere Client has plug-ins. So it’s more convenient to have a ready made client.
Higher security than typical administrator personal notebook/desktop, which serve many other purpose
(email, internet browsing, MS office, iTunes, etc)
For higher security.
Can be placed in the Management LAN. From your laptop, do an RDP jump to this VM. Suitable for SSLF
Useful when covering during leave, etc. But do not use shared ID.
Softwares installed: Microsoft PowerShell (no need to install CLI as it’s in vMA), VMware Orchestrator
vCenter
Win08 R2 64 bit Ent Edition
2
4 GB
1 CPU is not sufficient. 2 vCPU 4 GB RAM 5 GB data drive is enough for 50 ESX and 500 VM.
No need to over allocate, especially on vCPU and RAM.
Ensure MS IIS is removed prior to vCenter installation
~ 1.5 MB of RAM per VM and ~3 MB of RAM per managed host
Avoid installing vCenter on a Domain Controller. But deploy it on a system that is part of the AD domain;
facilitates security and flexibility in setting up VC roles, permissions and DB authentication
IT Database Server
Win08 R2 64 bit Ent Edition
2
4 GB
SQL Server 2005 64 bit. See next slide. Need to plan carefully.
IT Database Server
Win08 R2 64 bit Ent Edition
2
4 GB
SQL Server 2008 64 bit. See next slide. Need to plan carefully.
Update Manager
Win08 R2 64 bit?
1
4 GB
50 GB of D:\ drive for Patch Store is sufficient. Use Thin Provisioning.
vShield
1
See: “VMware Update Manager Performance Best Practices” VMworld session.
1 GB
Tier 1 as traffic goes here.
1 per ESXi host vSwitch (serving VM, not VMkernel)
vShield Manager
1
1 GB
Management console only
Patch Management Server
1
4 GB
I’m assuming client has the tool in place and wants to continue
81
Confidential
Infrastructure VM
Purpose
CPU
RAM
RP Tier
Resource Pool
vMA
1
1 GB
3
Management console only
SRM 5
2
2 GB
2
Recommend to separate from VC.
Converter
1
2 GB
1
If possible, do not run in Production Cluster, so it does not impact the ESX
utilisation
Not set to 3 as you want the conversion process to be completed as soon as
possible.
vShield Security VM from
partner
2
Cisco Nexus.
If you use Nexus
1
Cisco Nexus VSM (HA)
1
2 GB
Tier 1 as it’s in the data path
1
1 per ESXi host
2 GB
3
Management console only. Not data path
Requires 100% reservation, so this impacts the cluster Slot Size
2 GB
Database
3
The HA is managed by Cisco Nexus itself, not managed by VMware.
Bit
Upd Mgr
SRM
vCenter
Orchestrator
View 5
SQL Server 2008 Std Ed (not SP1)
64 bit
No
Yes
Yes
Yes
Need SP1
SQL Server 2008 Ent Ed (not SP1)
64 bit
Yes
Yes
Yes
Yes
Need SP1
Oracle 10g Enterprise Edition, R2
64 bit
Yes
Yes
Yes
Yes
Yes
Oracle 11g Standard Edition, R1 (not R2)
32 bit
Yes
Yes
Yes
Yes
Yes
82
Confidential
Capacity Planner
Version 2.8 does not yet have the full feature for Desktop Cap Plan. Wait for next upgrade.
• But you can use it on case by case basis, to collect those demanding desktop.
Default setting of paging threashold does not take into account server RAM.
• Best practice for the Paging threshold is 200 Pg/sec/GB. So, you have 48GB RAM x 200= 9600 Pgs/sec.
• Reason is that this paging value provides for the lowest latency access to memory pages.
• You might get high paging if back up job run.
Create project if you need to separate result (e.g. per data center)
Win08 has firewall on. Need to turn off using command line.
To be verified in 2.8: You can't change prime time. It's based on the local time zone.
83
Confidential
P2V
Avoid if possible. Best practice is to install from template (which was optimised for virtual machine)
• Remove unneeded devices after P2V
MS does not support P2V of AD Domain Controller.
Static servers are good candidate for P2V:
• Web servers, print servers
Servers with retail licence/key will require Windows reactivation. Too many hardware changes.
Resize
• Relative CPU comparison
• MS Domain Controller: 1 vCPU, 2 GB is enough.
84
Confidential
Many Solutions Depend on vCenter Server
Site
Recovery
Manager
vCloud
Director
Operations
vCenter Server
Configuration
Manager
View Server
and
Composer
Chargeback
8585
CapacityIQ
Confidential
Orchestrator Integrated Workflow Environment
Automation: A way to perform frequently repeated process without manual intervention.
• Basic building block: a shell script, a Perl script, a PowerShell script
• Example: given a list of hostnames, add ESX to VC.
Orchestration: A way to manage multiple automated processes across and among heterogeneous systems.
• Example - Add ESX hosts from a list to VC, update CMDB with successfully added ESX hosts, then send email notification.
Example
• If a datastore on a host is more than 95% utilized, open a change control ticket then perform s-vMotion and send email notification
86
Confidential
vCenter Chargeback Manager deployment options – cont.
For vCD and VSM data collector
• Deploy at least 2 data collectors for vCD and VSM each for high availability
CBM instance can be installed/upgraded at the time of vCD install/upgrade or later
vCenter Server
vCenter Chargeback Web Interface
Chargeback Data Collector
vCenter
Database
Chargeback Load
Balancer
vCenter Server
vCenter
Chargeback
Database
vCenter Chargeback Servers
vCenter
Database
vCenter Server
vCenter
Database
87
Confidential
VR Framework
SRM UI
Primary Site
Secondary Site
VC
Site Pairing
SRM
VRMS
VM
VM
VM
VC
VRMS
VR Service
VR Server
VR Filter
88
SRM
NFC Service
ESX
ESX
ESX
ESX
ESX
ESX
VR
vSphere Replication Server
VRMS
vSphere Replication
Management System
Confidential
SRM Architecture with vSphere Replication
[Protected Site]
[Recovery Site]
vSphere Client
vSphere Client
SRM Plug-In
SRM Server
SRM Plug-In
vCenter Server
vCenter Server
SRM Server
vRMS
vRMS
vRS
ESX
ESX
ESX
vRA
vRA
vRA
ESX
ESX
Replication
Storage
Storage
VMFS
89
Storage
VMFS
VMFS
Confidential
VMFS
Service Provider
[Customer A]
Storage
NFS
[DRaaS Provider]
vCenter
[Customer B]
SRM Server
NFS
vRMS
Replication
ESX
ESX
ESX
vRA
vRA
vRA
vRS
ESX
ESX
SRM Server
vRMS
vCenter
Storage
vCenter
SRM Server
VMFS
VMFS
vRMS
ESX
ESX
vRS
ESX
ESX
ESX
vRA
vRA
vRA
Replication
vRMS
SRM Server
90
vCenter
Confidential
Storage
NFS
NFS
Branch Office
[Remote Site A]
[Central Office]
ESX
vRA
SRM Server
SRM Server
vCenter
vCenter
vRMS
vRMS
ESX
Why is talking to this VRMS?
vRS
vRA
ESX
ESX
ESX
Replication
Storage
[Remote Site B]
91
VMFS
Confidential
VMFS
Decision Trees
Develop decision trees that is tailored to the organisation. Below are 2 examples.
92
Confidential
vSphere Replication Performance
1 vSphere Replication “replication server” appliance can process up to 1 Gbps of sustained throughput using approximately 95% of 1
vCPU.
• 1 Gbps is much larger than most WAN bandwidth
For a VM protected by VR the impact on application performance is 2 - 6% throughput loss
93
Confidential
MS SQL Server 2008: Licensing
Always refer to official statement from vendor web site.
• Emails, spoken words, SMS from a staff (e.g. Sales Manager, SE) is not legally binding
Licensing a Portion of the Physical Processors
If you choose not to license all of the physical processors, you will need to
know the number of virtual processors supporting each virtual OSE (data point
A) and the number of cores per physical processor/socket (data point B).
Typically, each virtual processor is the equivalent of one core
vSphere 4.1 introduce multi-core. Will you save more $? Need to check with
MS reseller + official MS documents
94
Confidential
SQL Server 2008 R2
Get the Express from http://www.microsoft.com/express/Database/
In most cases, the Standard edition will be sufficient.
vCenter 4.1 and Update Manager 4.1 does not support the Express edition.
• Hopefully Update 1 will?
95
Confidential
Windows Support
http://www.windowsservercatalog.com/default.aspx
Interesting. It is the
other way around.
vSphere 4.1
passed the
certification for
Win08 R2. So
Microsoft supports
Win03 too.
It is version
specific. Check for
vSphere 5
96
Confidential
SQL Server: General Best Practices
Follow Microsoft Best Practices for SQL Server deployments
Defrag SQL Database(s) – http://support.microsoft.com/kb/943345
Preferably 4-vCPU, 8+GB RAM for medium/larger deployments
Design back-end to support required workload (IOPS)
Monitor Database & Log Disks -Disks Reads/Writes, Disk Queues
Separate Data, Log, TempDB etc., IO
Use Dual Fibre Channel Paths to storage
• Not possible in vmdk
Use RAID 5 for database & RAID 1 for logs in read-intensive deployments
Use RAID 10 for database & RAID 1 for logs for larger deployments
SQL 2005 TempDB (need to update to 2008)
• Move TempDB files to dedicated LUN
• Use RAID 10
• # of TempDB files = # of CPU cores (consolidation)
• All TempDB files should be equal in size
• Pre-allocate TempDB space to accommodate expected workload
• Set file growth increment large enough to minimize TempDB expansions.
• Microsoft recommends setting the TempDB files FILEGROWTH increment to 10%
97
Confidential
What is SQL Database Mirroring?
Database-level replication over IP…, no shared storage requirement
Same advantages as failover clustering (service availability, patching, etc.)
At least two copies of the data…, protection from data corruption (unlike failover clustering)
Automatic failover for supported applications (DNS alias required for legacy)
Works with SRM too. VMs recover according to SRM recovery plan
98
Confidential
VMware HA with Database Mirroring for Faster Recovery
Highlights:
• Can use Standard Windows and SQL Server editions
• Does not require Microsoft clustering
• Protection against HW/SW failures and DB corruption
• Storage flexibility (FC, iSCSI, NFS)
• RTO in few seconds (High Safety)
• vMotion, DRS, and HA are fully supported!
Note:
• Must use High Safety Mode
for Automatic Failover
• Clients applications must be aware of Mirror or use DNS Alias
99
Confidential
MS SharePoint 2010
Go for 1 VM = 1 Role
100
Confidential
Java Application
RAM best practice
• Size the virtual machine’s memory to leave adequate space
• For the Java heap
• For the other memory demands of the Java Virtual Machine code
• For any other concurrently executing process that needs memory from the same guest operating system
• To prevent swapping in the guest OS
• Do not reserve RAM 100% unless HA Cluster is not based on Host Failure.
• This will impact HA Slot Size
• Consider the VMware vFabric as it takes advantage of vSphere.
Others
• Use the Java features for lower resolution timing as supplied by your JVM (Windows/Sun JVM example: -XX:+ForceTimeHighResolution)
• Use as few virtual CPUs as are practical for your application
• Avoid using /pmtimer in boot.ini for Windows with SMP HAL
101
Confidential
SAP
No new benchmark data on Xeon 5600.
• Need to check latest Intel data.
Regarding the vSphere benchmark.
• It’s a standard SAP SD 2-tier benchmark. In real life, we should split DB and CI instance, hence cater for more users
• vSphere 4.0, not 4.1
• SLES 10 with MaxDB
• Xeon 5570, not 5680 or Xeon 7500 series.
VM Size for Benchmark
4 vCPU
• SAP ERP 6.0 (Unicode) with Enhancement Package 4
SD Users
1144
Around 1500 SAPS per core
• Virtual at 93% to 95% of Native Performance. For sizing, we can take 90%
of physical result.
• Older UNIX servers (2006 – 2007) are good candidates for migration to
X64 due to low SAPS per core.
Central Instance can be considered for FT.
• 1 vCPU is enough for most cases
102
Confidential
8 vCPU
2056
Response Time (s)
0.97
0.98
SAPS
6250
11230
VM CPU Utilization
98%
97%
ESX Server CPU Utilization
<30%
<80 %
SAP 3-Tier SD Benchmark
103
Confidential
MS AD
Good candidate.
• 1 vCPU 2 GB RAM are sufficient. Use the UP HAL.
• 100,000 users require up to 2.75GB of memory to cache directory (x86)
• 3 Million users require up to 32GB of memory to cache entire directory (x64)
• Disk is rather small
• Disk2 (D:) for Database. Around ~16GB or greater for larger directories
• Disk3 (L:) for Log files. Around 25% of the database LUN size
Changes in MS AD design once all AD are virtualised
• VM is not a reliable source of time. Time drift may happens inside a VM.
• Instead of synchronising with the Forest PDC emulator or the “parent” AD, synchronise with Internal NTP Server.
Best practices
• Set the VM to auto boot.
• Boot Order
• vShield VM
• AD
• vCenter DB
• vCenter App
• Regularly monitor Active Directory replication
• Perform regular system state backups as these are
still very important to your recovery plan
104
Confidential
MS Exchange
Exchange has become leaner
and more scalable
Exchange 2003
Exchange 2007
Exchange 2010

32-bit Windows

64-bit Windows

64-bit Windows

900 MB database cache

32+ GB database cache

4 Kb block size

8 Kb block size

32 Kb block size

High read/write ratio

1:1 read/write ratio

I/O pattern optimization

70% reduction in disk I/O

Further 50% I/O reduction
Building block CPU and RAM sizing for 150 sent/received
• http://technet.microsoft.com/en-us/library/ee712771.aspx
Building Block
Profile
Megacycle Requirement
vCPU
1000 mail box
150 sent/received daily
3,000
2 (1.3 actual)
Cache Requirement
9 GB
Total Memory Size
16 GB
Database Availability Group (DAG)
• DAG feature in Exchange 2010 necessitates a different approach to sizing the Mailbox Server role, forcing the administrator to account for
both active and passive mailboxes.
• Mailbox Servers that are members of a DAG can host one or more passive databases in addition to any active databases for which they may
be responsible.
• Not supported by MS when combined
105
Confidential
VMware HA + DAGs (no MS support)
Protects from hardware and application failure
• Immediate failover (~ 3 to 5 secs)
• HA decreases the time the database is in an
‘unprotected state’
No passive servers.
Windows Enterprise edition.
Exchange Standard or Enterprise editions
Complex configuration and capacity planning
2x or more storage needed
Not officially supported by Microsoft
106
Confidential
Realtime Applications
Overall: Extremely Latency Sensitive
• All apps are somewhat latency sensitive
• RT apps break with extra latency
“Hard Realtime Systems”
• Financial trading systems
• Pacemakers
“Soft Realtime Systems”
• Telecom: Voice over IP
• Technically Challenging, but possible. Mitel and Cisco both provide official support. Need 100% reservation.
• Not life-or-death risky
Financial Desktop Apps (need hardware PCoIP)
• Market News
• Live Video
• Stock Quotes
• Portfolio Updates
107
Confidential
File Server
Why virtualise?
• Cheaper
• Simpler.
Why not virtualise
• You already have an NFS server
• You don’t want additional layer.
108
Confidential
Upgrade to vSphere 5
109
Confidential
Upgrade Best Practices
Turn Upgrade into Migrate
• Much lower risk. Ability to roll back and much simpler project.
• Fewer stages. 3 stages  1
• Upgrade + New Features + Rearchitecture in 1 clean stage.
• Faster overall project
• Need to do server tech refresh for older ESXi
Think of both data centers
• vCenter 5 can’t linked-mode to vCenter 4.
Involve App Team
• Successful upgrade should result in faster performance
Involve Network and Storage team
• There cooperation is required to take advantage of vSphere 5
Compare Before and After
• …. and document your success! 
110
Confidential
Migrate: Overall Approach
Document the Business Drivers and Technical Goals
• Upgrade is not simple. And you’re not doing it for fun 
• If you are going to support larger VM, you might need to change server
Check compabitility
• Array to ESXi 5.
• Is it supported?
• You need firmware upgrade to take advantage of new vStorage API
• Backup software to vCenter 5
• Products that integrates with vCenter 5
• VMware “integration” products: SRM, View, vCloud Director, vShield, vCenter Heartbeat
• Partner integration products: TrendMicro DS, Cisco Nexus
• VMware management products, partner management products.
• All these products should be upgraded first
Assuming all the above is compatible, proceed to next step
Read the Upgrade Guide
Plan and Design the new architecture
• Based on vSphere 5 + SRM 5 + vShield 5 + others
• Decide which architectural changes you are going to implement. Examples:
• vSwitch to vDS?
• Datastore Cluster?
• Auto-deploy?
• vCenter appliance? Take note the limitation (View, VCM, LinkedMode, etc limitation)
• What improvements are you implementing? Examples:
• Datastore clean up or consolidation.
• SAN: fabric zoning, multi-pathing, 8 Gb, FCoE
• Chargeback? This will impact your design
111
Confidential
Migrate: Overall Approach
Upgrade vCenter
Create the first ESXi cluster
• Start with IT cluster
Migrate first 4.x cluster into vCenter 5
• 1 cluster at a time.
• Follow VM schedule downtime
• Capture Before Performance, for comparison or proof.
• Back up VM, then migrate.
• Once last VM migrated, the hosts are free for reuse or decommissioned.
Repeat until last cluster is migrated
Upgrade VM to latest hardware version and upgrade VMware Tools.
112
Confidential
New features that impact design
New features with major design impact
• Storage Cluster
• Auto Deploy
• You need infrastructure to support it
• vCenter appliance
• VMFS-5
• Larger datastore, so your datastore strategy might change to “less but larger” one.
Other new features can wait after upgrade.
• Example, Network IO Control can be turned on after upgrade.
113
Confidential
Over Time The DMZ Evolved
Increased technological and operational complexity
Security
Zones
UTM
1995
# of systems & complexity increase over time
SEC 1880
114
Confidential
2005
Design Consideration for DMZ Zone
5-dimensional decision model
SEC 1880
115
Confidential
vDMZ Operations is different
 Virtual DMZ Operations
•
•
•
•
•
•
Needs VMware Know-how
Needs Windows Know-how
Needs Hardware Know-how
Needs Application Know-how
Needs security automation
Needs organizational integration
 Virtual DMZ Operations
• Highly dynamic & agile
• Additional systems (vSphere,
Windows)
• Additional Hardware (Blades,
Converged Networking)
• Server sprawl inside the DMZ
116
Physical DMZ Operations
• Network, Network-Security & Unix
only
• Disparate Silos
• Manual operations
• No integration into “internal ops”
DMZ Operations:
• Maintenance: Upgrading, Updating
and Troubleshooting
• ServiceChanges: Changing existing
Services
• Innovation: Introduction of new
Services
• Monitoring: Keeping things “in the
green” & “secure”
Confidential
Chargeback
vCloud
Director
database
JDBC
vShield
Manager
REST
VSM data
collector
JDBC
Chargeback
data collector
vCenter
database
117
vCloud data
collector
REST
JDBC
Chargeback
Server
REST
JDBC
JDBC
Confidential
Chargeback
database
Automation impacts 8 areas of IT Excellence
Service Design
Continual Process Improvement
•
Supplier Management
•
Service Level Management
•
Service Catalog Management
•
Availability Management
Transformation Planning
Organization and Skill Development
Life Cycle Management
Systems Management
Capacity Management
Financial Management
Configuration Management
Security Management
1
118
Confidential
Internal Cloud Maturity Model
Governance
Service
automation
Service
management
Cloud
infrastructure
management
HIaaS
infrastructure
119
Technologically
proficient
Operationally
ready
Applicationcentric
Serviceoriented
Cloudenabled
Include
virtualization
in software
procurement
Update
procurement and
change
management
Update
audit/
accounting
practices
Define
HIaaS
standard
models
Plan IA
policy
requirements
Assess and deploy
lab automation
Automate
VM
provisioning
Automate
application
provisioning
Automate service
provisioning
Automate
cloud
bursting
Define
service
tiers
Implement service
pools
Implement showback,
update data
protection
Implement
or update
service
catalog
Define
IA service
management
requirements
Define
standard templates
Deploy
essential
management
services
Enforce
QoS
Deploy
virtual
infrastructure
appliances
Deploy
virtual datacenters
Consolidate
physical
to virtual
Deploy HA
services,
tier-3 apps
Deploy load
balancing,
tier-2 apps
Optimize for
tier-1 apps, multitenants
Optimize for cloud
portability
Confidential

similar documents