Dell EMC Extensions for VMware vrealize Automation

Transcription

1 Dell EMC Extensions for VMware vrealize Automation April 2018 H17047 Reference Architecture Guide Abstract This reference architecture guide provides an introduction to the concepts and architectural options available for Dell EMC Extensions for VMware vrealize Automation. Use this guide to help you decide on the most suitable configuration for the initial deployment. Dell Solutions

2 Copyright 2018 Dell Inc. or its subsidiaries. All rights reserved. Published April 2018 Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS-IS. DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA. Dell EMC Hopkinton, Massachusetts In North America Dell EMC Extensions for VMware vrealize Automation

3 CONTENTS Executive summary... 4 Introduction to Hybrid Cloud with Dell EMC Extensions...7 Dell EMC Backup Extension for vrealize Automation Dell EMC Encryption Extension for vrealize Automation...19 Maximums, rules, and best practices...24 Conclusion

4 Executive summary Document purpose Audience Essential reading Solution purpose Overview Dell EMC Extensions for VMware vrealize Automation provide the integration layer between VMware vrealize Automation and the Dell EMC Avamar backup and Dell EMC Cloudlink SecureVM encryption components. These extensions are designed for use with vrealize Automation deployments running on either the Dell EMC VxRack SDDC or Dell EMC VxRail hyper-converged infrastructure platforms. This reference architecture guide provides an introduction to the features and requirements of the Dell EMC Extensions for VMware vrealize Automation. It addresses the detail surrounding the placement of Dell EMC components used by the Dell EMC Extensions, but does not cover the architecture of VxRack SDDC or VxRail. This reference architecture is intended for executives, managers, architects, cloud administrators, security managers, developers, and technical administrators of IT environments who want to implement a hybrid cloud infrastructure as a service (IaaS) platform and would like to extend its native capability to include backup and encryption features. Readers should be familiar with VMware vrealize Suite, storage technologies, general IT functions and requirements, how a hybrid cloud infrastructure accommodates these technologies and requirements, as well as understanding data encryption concepts. The following guides provide further information about various aspects of the Dell EMC Extensions for vrealize Automation: Dell EMC Extensions for vrealize Automation Administration Guide Dell EMC VxRack System SDDC Technology Overview Dell EMC VxRack System SDDC Architecture Overview Dell EMC VxRack System SDDC Tech Book VMware Cloud Foundation documentation VMware vrealize Automation documentation Dell EMC Extensions for VMware vrealize Automation are a set of extensions designed for use with vrealize Automation deployments running on either the VxRack SDDC or VxRail hyper-converged infrastructure platforms that accelerate IT transformation and simplify the deployment of a production-ready VMware-based private or hybrid cloud. Its benefits are based on these main pillars: 4 Dell EMC Extensions for VMware vrealize Automation

5 Business challenge Technology solution Accelerate Enable IT to operate at the highest speed and capture the opportunities of a digitized business through a responsive cloud operational model. Dell EMC Extensions integrate with VMware vrealize Automation to enable selfservice access to an expandable catalog of IT service offerings. IT retains control of resiliency, security, and financial transparency through policies that define how the platform operates. Simplify Deployment and operations risk is greatly reduced through a pretested and integrated architecture with simplified lifecycle management. Extend An extensible and scalable architecture simplifies the adoption of new capabilities. Dell EMC offers fully integrated extensions for backup and encryption to integrate with customers' existing Dell EMC Avamar and Dell EMC CloudLink environments. Deployments can start small, grow, and extend applications to public cloud endpoints. Today, the vast majority of enterprises engage in digital transformation initiatives. To stay relevant for their customers in a highly competitive environment, all industries are being disrupted by new challengers taking advantage of the software-defined approach. According to Dell s Digital Transformation study, 45 percent of global businesses fear that they might become obsolete due to competition from digital-born start-ups. Fifty-three percent say that they have already seen significant disruption in their industries. Ninety-two percent say that they consider digital ways of doing business are critical to their success. Another study, Hybrid Cloud Computing The Great Enabler of Digital Business, based on a global survey of 905 IT executives, revealed that hybrid cloud is an important catalyst for the Digital Transformation. Eighty-eight percent of the respondents view hybrid cloud as important or critical to enable digital business transformation and that hybrid cloud enables them to be more agile and innovative (76 percent). According to this study, hybrid cloud can also provide on average 24 percent of IT costs savings. Enterprises need a private or hybrid cloud to be successful with their Digital Transformation initiatives. They are looking for ways to adopt these initiatives in a simplified and accelerated manner, and with reduced risk. It is worth noting that the benefits of this adoption are provided by the outcomes of the cloud operating model, and not by the complex process of building a hybrid cloud. Customers can buy a complete, integrated solution, such as VxRack SDDC or VxRail with Dell EMC Extensions, to get to the value of a cloud operating model faster, and with less risk so that they can provide the speed and agility that the business requires. Dell EMC Extensions for VMware vrealize Automation enhance the native functionality provided by vrealize Automation running on a VxRack SDDC or VxRail by delivering fully integrated extensions with the following functionality: Backup as a service (BaaS) The Dell EMC Backup Extension integrates Avamar, Dell EMC Data Domain, and Dell EMC Data Protection Advisor technologies to provide multiple data protection services with a fully automated self-service experience for both end users and cloud consumers. Encryption as a service (EaaS) The Dell EMC Encryption Extension integrates Dell EMC CloudLink software to provide key management and encryption for workloads with a fully automated self-service experience for cloud consumers. Business challenge 5

6 We value your feedback Deployment services are required to stand up a production-ready private or hybrid cloud. These services include hardware installation and configuration of VMware Cloud Foundation and vrealize Suite/Cloud Management Platform (CMP) components. Although VMware Cloud Foundation provides automated installation of vrealize Automation components, certain pre-requisites must be met. It also requires additional post automated install configuration to achieve a production-ready cloud environment. The list of additional tasks are explained in detail in the Dell EMC Extensions for VMware vrealize Automation Administration Guide. Dell EMC and the authors of this document welcome your feedback on the solution and the solution documentation. Contact Solution Feedback with your comments. Authors: Ken Gould, Fiona O'Neill 6 Dell EMC Extensions for VMware vrealize Automation

7 Introduction to Hybrid Cloud with Dell EMC Extensions Dell EMC Extensions for VMware vrealize Automation offer a simplified approach to IT functionality for IT organizations, developers, end users, and line-of-business owners. Hybrid cloud features and functionality Hybrid cloud overview Dell EMC Extensions for vrealize Automation are designed for use with a hybrid cloud platform built either by VMware vcloud Foundation on VxRack SDDC, or directly via foundational services for VxRail. The based platform and extensions combined deliver infrastructure as a service (IaaS) across multiple VMware vcenter endpoints and multiple converged and hyper-converged infrastructure systems. In addition to delivering baseline IaaS, built on a software-defined data center (SDDC) architecture, they also deliver feature-rich capabilities to expand from IaaS to business-enabling ITaaS. You can enable backup as a service (BaaS) and encryption as a service (EaaS) policies with just a few clicks across the multi-vcenter architecture. You can deploy resources on private cloud or public cloud service providers. A hybrid cloud built in this way includes the following features and functionality: Automation and self-service provisioning Workload-optimized storage Elasticity and service assurance Monitoring and resource management Metering and showback Dell EMC and VMware integration Introduction to Hybrid Cloud with Dell EMC Extensions 7

8 Figure 1 Hybrid cloud features and functionality Automation and self-service provisioning 8 Dell EMC Extensions for VMware vrealize Automation The hybrid cloud provides self-service provisioning of automated cloud services to end users and infrastructure administrators. VMware vrealize Automation, VMware vrealize Orchestrator, VMware NSX, VMware vsan, and Dell EMC converged and hyper-converged infrastructures are used to provide the compute, storage, network, and security virtualization services for the SDDC. These services enable rapid deployment of business-relevant cloud services across your hybrid cloud and physical infrastructure. Cloud users can request and manage applications and compute resources within established operational policies; this can reduce IT service delivery times from days or weeks to minutes. Features include: Cross-cloud storefront Acts as a service governor that provisions workloads based on business and IT policies Role-based self-service portal Delivers a user-specific catalog of IT services Resource reservations Enables resources to be allocated to a specific group and ensures that access is limited to that group Service levels Defines the amount and type of resources a specific service can receive either during the initial provisioning or as part of any configuration changes Build specifications Contains the automation policies that specify the process for building or reconfiguring compute resources vrealize Automation provides lines of business with both the ability to deploy cloud applications rapidly, and with the services to meet the demands of the business. Furthermore, it provides the ability to divide a shared infrastructure into logical partitions and assign them to different business units. Using role-based entitlements, business users can manage resources from their own self-service catalog of customdefined services and blueprints. Each user's catalog presents the virtual machines, applications, and service blueprints they are entitled to, based on their role within the organization.

9 Dell EMC Extensions for vrealize Automation Catalog items After deployment, Dell EMC Extensions for vrealize Automation inject catalog items in the form of service blueprints, which are powered by vrealize Orchestrator workflows. These blueprints enable cloud infrastructure administrators to integrate Dell EMC Avamar and Dell EMC Data Domain for backup and restore services, as well as Dell EMC CloudLink for encryption services. The following figure shows the vrealize Automation catalog items injected by Dell EMC Extensions. Figure 2 vrealize Automation catalog view with Dell EMC Extensions Resource actions Dell EMC Extensions also inject resource actions into vrealize Automation. This enables the Day 2 application of backup and encryption policies to virtual using context sensitive actions that are available on the items. The following figure shows the items view with the VM resource actions provided by the Backup and Encryption Extensions. Hybrid cloud features and functionality 9

10 Figure 3 Items view showing the VM resource actions Key components Overview of components This section describes the key components used by Dell EMC Extensions for VMware vrealize Automation. VMware vrealize Suite, including: VMware vrealize Automation VMware vrealize Orchestrator VMware vrealize Operations Manager VMware vrealize Business for Cloud VMware vrealize Log Insight VMware vsphere ESXi and VMware vcenter Server VMware NSX for vsphere Dell EMC Avamar and Dell EMC Data Domain data protection platforms Dell EMC CloudLink 10 Dell EMC Extensions for VMware vrealize Automation

11 Figure 4 Dell EMC Extensions, components, and infrastructure as part of vrealize Automation based hybrid cloud Note You can install and life-cycle VMware components that are not part of VMware Cloud Foundation as part of a Dell EMC Professional Services engagement. Components required by Dell EMC Extensions for vrealize Automation The following sections describe the Dell EMC components used by Dell EMC Extensions for vrealize Automation. Dell EMC Avamar Dell EMC Avamar is a fast, efficient backup and recovery system that is provided through a complete software and hardware solution. Equipped with integrated variable-length deduplication technology, Avamar backup and recovery software provides integrated source and global data deduplication, which facilitates fast, full daily backups for hybrid cloud environments. Dell EMC Data Domain With Avamar, you can choose to direct backups to a Dell EMC Data Domain system instead of the Avamar server. Data Domain deduplication storage systems deduplicate data inline so that written data is already deduplicated on the disk, and requires less disk space than the original dataset. With Data Domain, you can retain backup and archive data on site longer to enable quick and reliable data restores from disk. Dell EMC Data Protection Advisor With Dell EMC Data Protection Advisor, you can automate and centralize the collection and analysis of all data across backup applications, replication technologies, the virtual environment, and supporting infrastructure. This provides a single, comprehensive view of your data protection environment and activities. In addition, when integrated via Dell EMC Extensions for vrealize Automation, Data Protection Advisor provides on-demand reporting of backup statistics and status. Dell EMC CloudLink Dell EMC CloudLink features enhanced policy-based key management and orchestration that enables VM encryption across multiple environments and platforms allowing administrators to define where VMs are permitted to run. CloudLink is also a Key Management Interoperability Protocol (KMIP) compliant key management server that has been certified by VMware to provide the external key management necessary to enable vsan encryption. Key components 11

12 Key concepts This section describes the key concepts used in this document. Regions Dell EMC Extensions for vrealize Automation use the concept of a VCF region to understand the location of infrastructure, workload domains, and workloads. When combined with the vrealize suite, they can support workload domains in as many as 20 different regions, which is important to ensure that those services use local resources when being applied to VM workloads. When on-boarding a workload domain or backup infrastructure you will be asked to select the region that it resides on. Workload domains A workload domain is a VMware vcenter Server that is added to vrealize Automation as an endpoint for the purposes of virtual machine workload deployments. Supported workload domains Dell EMC Extensions are designed for deployment on a VxRack SDDC or VxRail based management platform but support workload domains from any of the following types of infrastructure: VxRack SDDC VxRail Dell EMC VxBlock Dell EMC VxRack FLEX Build-Your-Own (BYO) Workload domain properties VxRack SDDC, VxRail and relevant BYO workload domains have the following properties: A single appliance-based vcenter server A single vsphere cluster A single VMware vsan-based datastore All VxBlock workload domains (and relevant BYO environments) have the following properties: A single vcenter Server that can be appliance- or Windows-based One or more vsphere clusters One or more array-based datastores per vsphere cluster 12 Dell EMC Extensions for VMware vrealize Automation

13 Dell EMC Backup Extension for vrealize Automation Backup technology Overview This section discusses the considerations for implementing the Dell EMC Backup Extension for vrealize Automation. The backup extension uses Avamar to protect your datasets. Using Avamar, the backup extension includes the following characteristics: Abstracts the creation of backup policies for cloud administrators Abstracts and simplifies backup and restore operations for cloud users Uses VMware storage APIs for data protection, which provides changed block tracking for faster backup and restore operations Provides full image backups for running virtual machine Eliminates the need to manage backup agents for each virtual machine in most cases Minimizes network traffic by deduplicating and compressing data Using the Dell EMC backup extension, administrators can quickly and easily define multi-tier data protection policies that users can choose when provisioning their virtual machines. The backup infrastructure takes advantage of Avamar and Data Domain features such as deduplication, compression, and VMware integration. Avamar provides scalable backup and restore capabilities with integrated data deduplication. This reduces total disk consumption by up to 50 times, enabling costeffective, long-term retention on Avamar data store servers. Avamar can optionally use a Data Domain appliance as the backup target. Using the vrealize Automation API and extensibility toolkits, the Dell EMC backup extension for vrealize Automation implements custom functionality to provide Avamar-based, image-level backup services for applications and file systems within a single-organization or multiorganization hybrid cloud environment. Note Dell EMC recommends that you engage an Avamar product specialist to design, size, and implement a solution specific to your environment and business needs. Avamar instances/grids Avamar instances are the physical targets for backup data. They may be optionally backed by a Data Domain infrastructure for even greater efficiencies. Dell EMC backup catalog items are made available through the vrealize Automation portal to onboard the Avamar instances and their details. Part of the onboarding process assigns each new Avamar instance to one of the regions that have been defined during the onboarding and enablement of workload domains for use with the backup extension. That information is subsequently used to ensure that workload backups are taken using Avamar instances in the same region as the workload. Scalable backup architecture through multiple Avamar instances Dell EMC backup configurations add scalable backup by adding the ability to configure multiple Avamar instances per site across multiple regions. Backup workflows Dell EMC Backup Extension for vrealize Automation 13

14 automatically distribute workloads in a round-robin fashion across the Avamar instances available to the workloads in question. You can add Avamar instances to increase the scalability. When the backup topology is modified in this way, the additional capacity is made available for new workloads transparently to the vrealize Automation blueprint deployment process, and new workloads will automatically populate the new Avamar instance until load is evenly balanced across all relevant Avamar instances. Avamar instance full You can determine if a backup target, in this case an Avamar instance, has reached capacity based on the metrics of the VMs it is responsible for protecting, including: The number of virtual machines assigned to the instance The total capacity of those virtual machines The rate of change of the data of those virtual machines The effective deduplication ratio that can be achieved while backing up those virtual machines The available network bandwidth and backup window size Because using these metrics can be subjective, the Dell EMC backup extensions enable an administrator to preclude an Avamar instance from being assigned further workload by setting a binary Admin Full flag. This is set via the Set Avamar system to Admin Full operation of the vrealize Automation 'Manage Backup Topology' catalog item. When a virtual machine is enabled for backup using the Dell EMC backup extensions, the available Avamar instances are assessed to determine the most suitable target. If an Avamar instance has the Admin Full flag set to True, then that instance is excluded from the selection algorithm but continues to back up its existing workloads through on-demand or scheduled backups. If workloads are retired and an Avamar instance is determined to have free capacity, the Admin Full flag can be toggled back, including it in the selection algorithm again. Backup attributes One-Copy One-vCenter (1C1VC) The 1C1VC backup model is designed to back up workloads that are bound to a single region and may never move. As a result, the backup strategy that is applied to these workloads has a single copy per backup image (that is, non-replicated) on a single Avamar grid, as shown in the following table. Table 1 Characteristics of one-copy-one-vcenter backup type Applies to workload Number of regions involved Number of images created Number of vcenters involved Number of vcenter folders Number of Avamar grids required Single region You can deploy multiple Avamar grids in the environment to enable scale, and backup is automatically balanced across the number of grids deployed. The following figure shows an example of the folders and backup groups involved in a 1C1VC backup type. 14 Dell EMC Extensions for VMware vrealize Automation

15 Figure 5 1C1VC folders and backup group Backup policies Configuration options Backup policies appear to the user as the available options when specifying the tier of backup that a virtual machine workload will use. They are created using the vrealize Automation 'Manage Backup Policies' catalog item in the Backup Services service category. A backup policy includes the following user-configurable attributes: Cadence At what frequency a backup should run (daily, weekly, monthly, or custom) Backup Schedule Time of day/window that the backup should run Retention How long the backup image should be retained for VMware vcenter folder structure and backup policy relationship When you create a backup policy using the vrealize Automation Manage Backup Policies catalog item, it creates an associated set of folders in the vcenter servers associated with each workload domain that are registered for use with the Dell EMC backup extensions. The format of the folder name is shown in the following table. Table 2 vcenter folder name structure by backup type Backup type Folders Folder name structure 1C1VC 1 BackupPolicyName-ARRName-Region, for example, Gold-ARR00001-NewYork* *Where ARRName is an internal naming mechanism used by Dell EMC backup extensions. When the lifecycle operations included with Dell EMC backup extensions enable backup for a workload, they: 1. Check the cluster the workload resides on. 2. Enumerate the list of Avamar instances that are local to that workload to find the Avamar instance that currently has the least load. 3. Look up the appropriate vcenter folder for the chosen instance. 4. Move the workload to the correct vcenter folder. Backup policies 15

16 At this point the Avamar instance that monitors that vcenter folder will automatically discover and back up that workload and the next scheduled interval. Dell EMC backup component placement Avamar system Physical Avamar appliances are physically external to the VxRack/VxRail CMP and workload domains and therefore have no explicit placement requirements. When using Avamar Virtual Edition, you must adhere to the guidance provided in the following table. Table 3 Placement of Avamar Virtual Edition Avamar Virtual Edition Valid locations VxRack SDDC-based management platform On the VxRack SDDC management domain On a VxRack SDDC workload domain Outside the VxRack VxRail-based management platform On the VxRail Outside the VxRail Data Domain systems Physical Data Domain appliances are physically external to the VxRack/VxRail CMP and workload domains and therefore have no explicit placement requirements. When using Data Domain Virtual Edition, you must adhere to the guidance provided in the following table. Table 4 Placement of Data Domain Virtual Edition Data Domain Virtual Edition Valid locations VxRack SDDC-based management platform On a VxRack SDDC workload domain when Avamar Virtual Edition is on the VxRack SDDC management domain On an alternate VxRack SDDC workload domain when Avamar Virtual Edition is on a VxRack SDDC workload domain Outside the VxRack VxRail-based management platform Outside the VxRail when Avamar Virtual Edition is on the VxRail In an alternate location to Avamar Virtual Edition when Avamar Virtual Edition is outside the VxRail Data Protection Advisor When using Data Protection Advisor, you must adhere to the guidance provided in the following table. 16 Dell EMC Extensions for VMware vrealize Automation

17 Table 5 Placement of Data Protection Advisor Data Protection Advisor Valid locations VxRack SDDC-based management platform On the VxRack SDDC management domain On a VxRack SDDC workload domain Outside the VxRack VxRail-based management platform On the VxRail Outside the VxRail Dell EMC Backup Extension vrealize Automation artefacts Catalog items During deployment, the Dell EMC Backup Extension for vrealize Automation injects the catalog items shown in the following table into the cloud administrator s catalog view. These are automatically entitled for the cloud administrator provided during deployment of the extension, but may be enabled for other users using normal vrealize Automation entitlements. Table 6 Catalog items and operations provided by the Dell EMC Backup Extension for vrealize Automation Service Catalog Service catalog item Available operations Workload Domain Services Workload Domain Services Backup Services Manage Workload Domains Connection Maintenance Manage Backup Topology Add a Workload Domain Remove a Workload Domain Add Cluster to a Workload Domain Edit Connections Configure Initial Backup Topology Expand Backup Topology Modify Backup Topology Enable Backup on a New Workload Domain Enable Backup on an Additional Cluster Remediate Single Failed Avamar Backup Services Manage Backup Policies Add a Backup Policy Remove a Backup Policy Resource actions During deployment, the Dell EMC Backup Extension for vrealize Automation injects the resource actions shown in the following table into vrealize Automation for Dell EMC Backup Extension vrealize Automation artefacts 17

18 inclusion in the end users Items > Actions view. These can be made available to those users using standard vrealize Automation entitlements. Table 7 Resource actions VM-level Action Item Get Backup Status On Demand Backup On Demand Restore Set Backup Policy Get Machine Backup Detailed Report (Requires DPA) Get Machine Backup Summary (Requires DPA) Description The backup status is ed to the machine owner, or the active directory address of the current vrealize Automation user. An additional address can also be provided. Performs an on-demand backup using the backup policy that is assigned to the VM. Performs an on-demand restore using the backup policy that is assigned to the VM. The user selects a restore point from a list. Changes the virtual machines backup policy and moves the virtual machine into a corresponding vcenter folder. Gets a detailed backup report for the VM. The detailed report is ed to the active directory address of the current vrealize Automation user. An additional address can also be provided. Gets a backup summary report for the VM. The detailed report is ed to the active directory address of the current vrealize Automation user. An additional address can also be provided. 18 Dell EMC Extensions for VMware vrealize Automation

19 Dell EMC Encryption Extension for vrealize Automation Overview This section discusses the considerations for implementing the Dell EMC Encryption Extension. The encryption extension uses CloudLink to protect virtual machine data at rest. Using CloudLink and the SecureVM agent, the encryption extension includes the following characteristics: Secures sensitive data that resides in the cloud to address privacy and regulatory compliance requirements Provides encryption for the boot volume and additional data volumes with prestartup authorization for cloud-hosted machines Allows the enterprise security administrator to define the security policy that must be met before virtual machines pass pre-startup authorization The Dell EMC Encryption Extension for vrealize Automation allows administrators to use CloudLink functionality to apply portable encryption to applications and virtual machines. Dell EMC customizations allow administrators to apply preconfigured policy-based encryption to the virtual machine volumes automatically when they provision applications and workloads from the vrealize Automation self-service catalog. After virtual machines are provisioned, administrators can select specific volumes to encrypt or decrypt based on the individual needs of that virtual machine. CloudLink provide a KMIP-compliant key management server to manage keys for various encryption endpoints. This enables CloudLink to be the secure key storage location and provides external key management necessary to enable vsan encryption. Note Dell EMC recommends that you engage a CloudLink product specialist to design, size, and implement a solution specific to your environment and business needs. Note Encryption technology For product information and implementation details, see Dell EMC CloudLink SecureVM Deployment Guide and the Dell EMC CloudLink SecureVM Administration Guide. vsan encryption CloudLink provide a KMIP-compliant key management server necessary to store keys for VMware vsan encryption. Using CloudLink KMIP functionality includes the following characteristics: Allow applications supporting that protocol to securely store keys and certificates All objects stored with CloudLink are encrypted using a key saved to a specific keystore and are stored in the CloudLink Center database CloudLink is a certified VMware Ready KMS For implementation details on CloudLink and vsan encryption, see the CloudLink Key Management for VMware vcenter Server Configuration Guide. Dell EMC Encryption Extension for vrealize Automation 19

20 CloudLink CloudLink and the SecureVM agent secure sensitive information within virtual machines across both public and private clouds. It provides encryption for the boot volume and additional data volumes with pre-startup authorization for cloud-hosted virtual machines. CloudLink provides this encryption by using native operating system encryption features: Microsoft BitLocker for Windows or dm-crypt for Linux. Securing the virtual machine allows you to define the security policy that the virtual machine must meet before passing pre-startup authorization, including verifying the integrity of the virtual machine s boot chain. These security features protect against data tampering. CloudLink encrypts the virtual machine boot and data volumes with unique keys that are controlled by enterprise security administrators. SecureVM agent CloudLink uses the SecureVM agent that is installed in the virtual machine to control the native operating system s encryption technology and communicate to the CloudLink server. The encryption keys are stored in CloudLink Center. If the key release policies are met, the keys are returned to the virtual machine when requested. If the policies are not met, the key request is place in a pending state and the request must be manually accepted or rejected. Key release policy in machine groups CloudLink Center supports multiple machine groups to logically partition virtual machines for policy or management purposes. Machine groups contain attributes and define the conditions under which encryption keys are released to virtual machines. The conditions that need to be met are contained in encryption policies. If a machine does not meet the policies, CloudLink Center puts the machine in the pending state. The following vrealize Automation resource actions can be used to manually choose whether to allow the key release: IP Change Determines whether CloudLink Center allows a machine to boot automatically when it starts up with an IP address that is different from the one recorded in the CloudLink Center database. Moved Volume Determines whether CloudLink Center allows keys to be released (if any) when it detects a volume that is now attached to a different machine than the one recorded in the CloudLink Center database. Platform Change Determines whether CloudLink Center allows a machine to boot automatically when it starts up with a different platform than the one recorded in the CloudLink Center database. Integrity Change Determines whether CloudLink Center allows a machine to boot automatically when it starts up with an integrity value that is different than the one recorded in the CloudLink Center database. Machine Clone Determines whether CloudLink Center allows a cloned machine to boot automatically. Volume encryption policy Volume encryption policy determines which volumes must be encrypted for virtual or physical machines. For example, the All Data volume encryption policy requires that all existing data volumes on a machine must be encrypted. A volume encryption policy is set as part of configuring machine groups. Policies include: encrypting boot and data volumes, encrypting boot volumes, encrypting data volumes, and manual control of which volumes are to be encrypted. 20 Dell EMC Extensions for VMware vrealize Automation

21 Encryption groups Configuration options Business groups in vrealize Automation are associated with one or more encryption groups. The encryption group serves as a policy for how encryption is applied to a virtual machine s volumes. The mapping of encryption groups to business groups is achieved by using the vrealize Automation Configure Encryption Groups catalog item for each business group. Encryption groups in turn are directly related to machine groups on the CloudLink Center server which detail an encryption policy and under which conditions encryption keys are released to virtual machines. A machine group on the CloudLink Center server includes the following attributes: Volume encryption policy Determines what volumes are encrypted automatically when a machine is registered to this group, the default is manual encryption' which results in deployed virtual machines not encrypting anything Keystore Determines where keys for the virtual machines are kept, the default is the local CloudLink Vault keystore Approved networks Determines for which network the group's virtual machines are approved, the default is empty, resulting in virtual machines being treated as if they are on an unapproved network Note It is critical that you create approved networks that match the workload networks and that you assign them to the appropriate machine groups, otherwise encrypted virtual machines will not automatically start and their connection status will be 'pending'. Key lifetime Determines the lifetime of the keys before they are automatically updated; the default is infinite so keys are never automatically updated Key release policy Determines what conditions are checked before releasing a key to the virtual machine Applying encryption to virtual machines You must create blueprints in vrealize Automation that allow and enable CloudLink encryption on virtual machines deployed using that blueprint. Requesting a virtual machine in vrealize Automation catalog provides the user with a choice of encryption groups as part of its configuration and deployment. Depending on the details of the encryption group, volumes on a virtual machine are automatically encrypted at the time of deployment Deploying a virtual machine in vrealize Automation with CloudLink encryption enables the addition of properties to the virtual machine that interact with encryption functionality. These properties remain with the virtual machine throughout its lifecycle. Alternatively, as part of day 2 activities on virtual machines, you can use resource actions to manually install the SecureVM agent software and choose an encryption group to implement a policy. You can use a resource action to select specific volumes on a virtual machine to be encrypted or decrypted as required by the vrealize Automation user. Encryption groups 21

22 Dell EMC encryption component placement When using Cloudlink Center, adhere to the guidance provided in the following table. Table 8 Placement of Cloudlink Center Cloudlink Center Valid locations VxRack SDDC-based management platform On the VxRack SDDC management domain On a VxRack SDDC workload domain Outside the VxRack VxRail-based management platform On the VxRail Outside the VxRail Note CloudLink Center nodes must not reside on an encrypted vsan datastore for which they are managing keys and must be routable from the vcenter servers hosting the vsan datastores being encrypted. Dell EMC Encryption Extension for vrealize Automation artefacts Catalog items During deployment, the Dell EMC Encryption Extension for vrealize Automation injects the catalog items shown in the following table into the cloud administrator s catalog view. These are automatically entitled for the cloud administrator provided during deployment of the extension, but may be enabled for other users using normal vrealize Automation entitlements. Table 9 Catalog items and operations provided by the Dell EMC Encryption Extension for vrealize Automation Service catalog Service catalog item Available operations Encryption Services Bulk Encryption Status Generates an report of all virtual machines owned by a business group. The report lists if the SecureVM agent is installed and the encryption status for each volume in the virtual machine. Encryption Services Configure Encryption Groups Restrict the encryption groups to which a vrealize Automation business group has access. Resource actions During deployment, the Dell EMC Encryption Extension for vrealize Automation injects the resource actions shown in the following table into vrealize Automation for 22 Dell EMC Extensions for VMware vrealize Automation

23 inclusion in the end users Items > Actions view. These can be made available to those users who are using standard vrealize Automation entitlements. Table 10 Resource actions VM-level Action Item Encryption Status Encrypt/Decrypt Virtual Machine Accept/Reject Pending Key Releases Block/Unblock a Virtual Machine Release Encryption License Description Show the encryption status of a single virtual machine. Encrypt or decrypt a virtual machine's volumes. Accept or reject a Pending Key Release. When the key release policies are not met, a key request is placed in a pending state. Block or unblock a virtual machine when you do not want to release encryption keys for the virtual machine volumes. Manually release an encryption license on a powered-off virtual machine. Dell EMC Encryption Extension for vrealize Automation artefacts 23

24 Maximums, rules, and best practices Maximums and minimums This section describes the maximums, rules, best practices and dependencies between components and their constructs, outlining how they influence the supported configurations within the hybrid cloud. The following table shows the maximums and minimums related to workload domains using Dell EMC Extensions for vrealize Automation. Table 11 Workload domains for each hybrid cloud instance Workload domain Number of domains Maximum Minimum For each VxRack SDDC-based management platform 20* 2** For each VxRail-based management platform 20* 1 In a single region 20* 1 For each single sign-on (SSO) domain 15 1 * Based on the 20 vcenter endpoint limit in vrealize Automation. To achieve this at least two SSO domains are required based on the workload domains per single SSO domain maximum. ** While a consolidated management/workload domain is an option in VCF, this option is not supported by VxRack SDDC. This means that the minimum number of workload domains or vcenters for a base vrealize system using VxRack SDDC is two. Log Insight and vrealize Business support only 10 vcenter endpoints per deployment. Note The management workload domain consumes one of the 20 maximum workload domains (one of the 15 maximum workload domains when a single SSO domain is used.) The following table shows the maximums that apply for each workload domain or vcenter endpoint. Table 12 For each workload domain or vcenter maximums Total number of Maximum Regions 1 Hosts per cluster 64 Virtual machines per cluster 8,000 Hosts per vcenter Server 1,000 Powered-on virtual machines per vcenter Server 10,000 Registered virtual machines per vcenter Server 15, Dell EMC Extensions for VMware vrealize Automation

25 Region maximums The following table shows the maximums related to regions in a hybrid cloud using Dell EMC Extensions for vrealize Automation. Table 13 Regions for each hybrid cloud instance Regions Maximum For each hybrid cloud instance with multiple SSO domains 20* For each hybrid cloud instance with a single SSO domain 15* * Based on every possible workload domain being deployed in its own region. Virtual machine maximums The following table shows the maximums that apply for virtual machines. Table 14 Virtual machine maximums Virtual machines Maximum For each hybrid cloud instance 30,000* *This number is governed by the maximum number of virtual machines supported by a two-node vrealize Orchestrator cluster. VMware vrealize Automation tenants and business groups Bulk import of virtual machines vrealize Automation multitenancy Dell EMC Extensions for vrealize Automation are designed for use in single vrealize Automation tenant configurations. It is possible and permitted to have additional vrealize Automation tenants within the hybrid cloud, but only one can use Dell EMC Extensions. To enable Dell EMC Extensions for multiple vrealize Automation tenants, you need separate hybrid cloud instances. As the vrealize Automation IaaS administrator is a system-wide role, having multiple vrealize Automation tenants within the same vrealize Automation instance may not provide any additional value over and above the use of a single tenant with multiple business groups. Importing from virtual machines and adding services provided by Dell EMC Extensions for vrealize Automation For environments that require existing virtual machines to be imported into vrealize Automation with extended functionality, the bulk import feature of vrealize Automation enables the importation of one or more virtual machines. This functionality is available only to vrealize Automation users who have Fabric Administrator and Business Group Manager privileges. The bulk import feature imports virtual machines intact with defining data such as reservation, storage path, blueprint, owner, and any custom properties. Dell EMC Extensions for vrealize Automation offer you the ability to layer Dell EMC services onto pre-existing virtual machines by using and extending the bulk import process. Before beginning the bulk import process, the following conditions must be true: Target virtual machines are located in a workload domain vcenter endpoint that has already been enabled to use Dell EMC Extensions. VMware vrealize Automation tenants and business groups 25

26 Target virtual machines must be located on the correct vrealize Automation managed compute resource cluster, where: Backup services are required for the target virtual machines, they must be on a cluster that is associated with a backup topology configured by Dell EMC Backup Extension for vrealize Automation. Target virtual machines must be located on the correct vrealize Automation managed datastore, where: Backup services are required for the target virtual machines, they must be on a datastore that is already registered with an Avamar proxy. Note The process for importing these virtual machines with services provided by Dell EMC Extensions for vrealize Automation is in the Dell EMC Extensions for VMware vrealize Automation Administration Guide. Resource sharing Data protection considerations Resource isolation Because vrealize Automation endpoints are visible to all vrealize Automation IaaS administrators, resource isolation in the truest sense is not possible. However, you can use locked blueprints and storage reservation policies to ensure that certain types of the workload domains or vcenter clusters are available in the environment. This includes the ability to control those licensing requirements across tenants by ensuring that all relevant deployments are on the same set of compute resources. Resource sharing All endpoints configured across the vrealize Automation instance by an IaaS administrator are available to be added to fabric groups, and therefore consumed by any business group across any of the vrealize Automation tenants. Provisioning to vcenter endpoints, however, can still only be done through the tenant configured as part of the Dell EMC Extensions for vrealize Automation deployment process. Supported Avamar and Data Domain combinations The Dell EMC Extensions for vrealize Automation support physical Avamar infrastructure in the combinations listed in the following table, based on the converged infrastructure platform in use. Table 15 Supported Avamar and Data Domain combinations Converged infrastructure Avamar infrastructure Backed by Data Domain infrastructure VxRail Appliances Avamar Virtual Edition Data Domain Virtual Edition Avamar Physical Edition Data Domain Physical Edition VxRack Systems Avamar Virtual Edition Data Domain Virtual Edition Avamar Physical Edition Data Domain Physical Edition VxBlock Systems Avamar Virtual Edition Data Domain Virtual Edition 26 Dell EMC Extensions for VMware vrealize Automation

27 Table 15 Supported Avamar and Data Domain combinations (continued) Converged infrastructure Avamar infrastructure Backed by Data Domain infrastructure Avamar Physical Edition Data Domain Physical Edition BYO Systems Avamar Virtual Edition Data Domain Virtual Edition Avamar Physical Edition Data Domain Physical Edition Note Avamar Virtual Edition and Data Domain Virtual Edition combinations should only be based on sizing efforts by Dell EMC to ascertain that they are appropriate to support the scale of the particular environment. Data protection considerations 27

28 Conclusion The Dell EMC Extensions for VMware vrealize Automation described in this Reference Architecture simplify and accelerate deployment of private or hybrid cloud using vrealize Automation deployments on either the VxRack SDDC or VxRail hyperconverged infrastructure platforms. Its value proposition is based on these main pillars: Accelerate Enable IT to operate at the highest speed and capture the opportunities of a digitized business through a responsive cloud operational model. Dell EMC Extensions integrate with VMware vrealize Automation to enable selfservice access to an expandable catalog of IT service offerings. IT retains control of resiliency, security, and financial transparency through policies that define how the platform operates. Simplify Deployment and operations risk is greatly reduced through a pretested and integrated architecture with simplified lifecycle management. Extend An extensible and scalable architecture simplifies the adoption of new capabilities. Dell EMC offers fully integrated extensions for backup and encryption to integrate with customers' existing Dell EMC Avamar and Dell EMC CloudLink environments. Deployments can start small, grow, and extend applications to public cloud endpoints. With the power of the engineered extensions for vrealize Automation, it is possible to address a broad range of hybrid cloud use cases and maximize benefits from the VxRack SDDC and VxRail platforms as well as existing IT investments. This can help your enterprise to accelerate its IT transformation journey, which is key to the success of its digital transformation initiatives. 28 Dell EMC Extensions for VMware vrealize Automation