Redefining Hybrid Cloud Management with vCenter Hybrid Linked Mode
John Brezak, VMware, Inc.; Sameh Zakhary, VMware, Inc.
#vmworld #HYP2228BU
Disclaimer
This presentation may contain product features or functionality that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined.
2018 VMware, Inc.
Agenda
1. vCenter Hybrid Linked Mode (HLM)
2. vCenter HLM Configuration
3. vCenter HLM Under the Covers
4. Best Practices
5. Q & A
vCenter Hybrid Linked Mode (HLM)
Public Clouds Enable Hybrid Use Cases
- Test / Dev
- Burst Capacity
- Disaster Recovery
- App Migration
The data center control plane must extend to the cloud to enable hybrid cloud use cases.
But Every Cloud Exposes a Different Management Interface!
(Diagram: on-prem data centers versus public clouds, each with its own management interface.)
Seamless Hybrid Management with vCenter Hybrid Linked Mode
Single logical view and hybrid management of both on-premises and cloud resources.
- Customer data center: vSphere-based data center, vCenter, vRealize Suite, ISV ecosystem
- VMware Cloud on AWS (powered by VMware Cloud Foundation): vCenter, vSphere, vSAN, NSX, on AWS global infrastructure with AWS services
What Problems Are We Trying to Solve with vCenter HLM?
- Extend the single pane of glass (SPOG) between on-prem and cloud
  - Across different vCenter versions: cloud version is embedded and maintained by VMware (@vmc.local); on-prem version is embedded or MxN (@vsphere.local)
  - Across different administrative domains
  - Supporting all vCenter topologies
- Ensure administrative separation
  - Extend on-prem user identities to the cloud
  - Different permissions model
- Enable hybrid management operations
  - Workload migration
  - Data sharing and content sync
vCenter HLM Configuration: From the Cloud? From On-prem?
vCenter HLM Configuration Options
- Option 1: From the cloud vCenter
- Option 2: From on-prem using the vCenter Cloud Gateway
vCenter HLM Configuration Option 1: From the Cloud vCenter
vCenter HLM Configuration from the Cloud vCenter
- Must configure an identity source in the cloud vCenter (AD over LDAP or OpenLDAP)
- On-prem SSO credentials are provided to the cloud
- Extra latency to manage on-prem resources
- Supports on-prem vCenters 6.0U3 and later
(Diagram: HLM link between VMC and the customer data center.)
HLM from the Cloud vCenter: Configuration Steps
1. Provide info about the on-prem vCenter
   - On-prem vCenter / PSC IP address or FQDN
   - On-prem SSO administrator credentials (e.g. administrator@vsphere.local)
2. Add the on-prem identity source to the cloud vCenter
   - AD over LDAP
   - OpenLDAP
3. Assign Cloud Admin permissions to on-prem AD group(s)
vCenter HLM Configuration Option 2: vCenter Cloud Gateway On-prem
vCenter Cloud Gateway
Manage the cloud SDDC as an extension of your on-prem data center.
- Extends the on-prem vCenter with HLM
- Delivered asynchronously (no updates on-prem)
- Auto-updated in sync with the cloud SDDC
- No AD/LDAP prerequisite configuration in the cloud
- No on-prem credentials exposed to the cloud
- Supported with on-prem vCenter 6.5 and later
(Diagram: HLM link between VMC and the customer data center via the gateway.)
HLM from the Cloud Gateway: Configuration Steps
1. Provide info about the cloud vCenter
   - Cloud vCenter IP address or FQDN
   - Cloud Admin SSO credentials (e.g. cloudadmin@vmc.local)
2. Select the on-prem identity source
3. Map on-prem AD group(s) to the cloud vCenter; they are automatically granted Cloud Admin permissions
vCenter HLM Under the Covers
Creating that Single Pane of Glass View (from the GW)
(Diagram: VC1, VC2 and PSC in vsphere.local; the GW links to the VC in vmc.local.)
- Get the list of VCs across vsphere.local and vmc.local
- Access with a single identity: your on-prem identity
- Different "administrator-ness" in vsphere.local and vmc.local
Linking the vCenters
What happens when you link vmc.local to vsphere.local?
1. vmc.local will trust vsphere.local's users
2. vsphere.local will trust vmc.local's services, to enable vMotion
3. The Lookup Service from vmc.local is synchronized to vsphere.local
4. Certificate trusts from vmc.local are synchronized to vsphere.local, so the sides can connect via SSL/TLS
5. Tags are synchronized from vsphere.local to vmc.local, so tags can be shared
It's All About Trust
(Diagram: VC1, VC2 and PSC in vsphere.local; trust relationship to the VC in vmc.local.)
- Trust determines which users are trusted to access a particular resource
- Access controls determine what a trusted user is able to access
- Access for untrusted users is generally referred to as anonymous or unauthenticated access
- The default for access is no access
Maintaining Shared Data in vsphere.local
Data type      | Link                                                          | Unlink
Trusts         | STS signing certs copied vmc.local -> vsphere.local           | STS signing certs deleted
Lookup Service | vmc.local entries copied vmc.local -> vsphere.local           | vmc.local entries deleted
SSL/TLS        | vmc.local cert root copied vmc.local -> vsphere.local         | vmc.local cert root deleted
Tags           | tags/categories copied vmc.local <-> vsphere.local            | Nothing happens
On change:
- Sync is orchestrated on the Cloud Gateway by the Hybrid VC Service
- Sync is incremental: it checks for changes periodically and propagates what has changed
- Consistency is eventual
- Conflicts are detected between source and destination and auto-resolved as "source wins"
How Does SSO Fit In?
(Diagram: AD with VIAdmins: John; vsphere.local STS with Admins: viadmins@AD and VC W: Admins; vmc.local STS with CloudAdmins and VC W: CloudAdmins; GroupMap Admins@AD -> CloudAdmins; numbered steps 1-8 for the logon and token exchange.)
- Resources in a VC only trust tokens issued by the resource's domain
- At logon the user exchanges their credentials for a token issued by the vsphere.local STS
  - This can be based on an Active Directory account if vsphere.local has an identity source set up
- To access resources in vsphere.local, a token issued by vsphere.local's STS must be used
- To access resources in vmc.local, a token issued by vmc.local's STS must be used
- The GW and VMC STSs support a new protocol to exchange a token from a trusted domain for a new token
  - The user's vsphere.local token is sent to the vmc.local STS, and a new token issued by vmc.local is returned
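The token flow above, as an added toy model (not VMware's STS code): each domain's resources accept only tokens from their own STS, the vmc.local STS exchanges a vsphere.local token for one of its own, and the GroupMap turns the on-prem admin group into CloudAdmins. Domain and group names follow the slide; the Token/STS classes and the group name viadmins@ad are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Token:
    issuer: str          # domain whose STS issued the token
    subject: str         # user principal, e.g. "john@ad"
    groups: frozenset    # group names as the issuing domain sees them

@dataclass
class STS:
    domain: str
    trusted_issuers: set = field(default_factory=set)  # domains whose tokens this STS exchanges
    group_map: dict = field(default_factory=dict)       # foreign group -> local group (GroupMap)

    def logon(self, user, groups):
        """Credentials (modelled here as the user's AD groups) become a token of this domain."""
        return Token(self.domain, user, frozenset(groups))

    def exchange(self, token):
        """Exchange a token from a trusted domain for a token issued by this domain."""
        if token.issuer not in self.trusted_issuers:
            raise PermissionError(f"{self.domain} STS does not trust tokens from {token.issuer}")
        local_groups = {self.group_map[g] for g in token.groups if g in self.group_map}
        return Token(self.domain, token.subject, frozenset(local_groups))

def exchange_allowed(sts, token):
    """True if the STS would exchange the token, False if its issuer is untrusted."""
    try:
        sts.exchange(token)
        return True
    except PermissionError:
        return False

def authorize(resource_domain, token, required_group):
    """A resource trusts only tokens issued by its own domain; the default is no access."""
    return token.issuer == resource_domain and required_group in token.groups

def hlm_access(on_prem_sts, cloud_sts):
    """Walk the flow for john@ad: on-prem logon, then token exchange at the vmc.local STS."""
    t_onprem = on_prem_sts.logon("john@ad", ["viadmins@ad"])
    results = {
        "onprem_vc_with_onprem_token": authorize("vsphere.local", t_onprem, "viadmins@ad"),
        "cloud_vc_with_onprem_token": authorize("vmc.local", t_onprem, "CloudAdmins"),
    }
    t_cloud = cloud_sts.exchange(t_onprem)
    results["cloud_vc_with_exchanged_token"] = authorize("vmc.local", t_cloud, "CloudAdmins")
    results["exchanged_token_issuer"] = t_cloud.issuer
    return results

# Constructed setup: the on-prem STS exchanges nobody's user tokens; the cloud STS
# trusts vsphere.local and maps the on-prem admin group to CloudAdmins.
ONPREM_STS = STS("vsphere.local")
CLOUD_STS = STS("vmc.local", trusted_issuers={"vsphere.local"},
                group_map={"viadmins@ad": "CloudAdmins"})
```

The on-prem token is refused by the vmc.local VC outright; only the exchanged token, carrying the mapped CloudAdmins group, is accepted there.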
Cloud Gateway Auto-Updates
(Diagram: update service in vmc.local publishes to a CDN; the update agent on the Cloud Gateway pulls updates and updates the vsphere.local services.)
- The updater checks for updates periodically from the linked SDDC
- Updates around the same time as the VMC SDDC update window
- The Cloud Gateway doesn't store any non-recoverable state; reinstall it if needed
vCenter HLM Best Practices
- Monitor your AD and the VMC SDDC's connection to your on-prem AD
- Maximum latencies for a good experience are 120 to 150 ms to any VC
- Always deploy your GW on the same network as a PSC
- The Gateway will be updated with new functionality as it's available
Q & A
THANK YOU!
Backup
vCenter HLM Configuration Prerequisites
- Network connectivity between on-prem and cloud vCenters
  - VPN
  - DNS configuration
  - Firewall rules
- Common user identities across on-prem and cloud vCenters
- For live migration (vMotion), the L2 network must be extended
- Additional configuration must be in sync between on-prem and cloud
  - MTU size
  - NTP (time sync)