VMware vSphere Clusters in Security Zones

SOLUTION OVERVIEW
VMware vSAN

A security zone, also referred to as a "DMZ," is a sub-network that is designed to provide tightly controlled connectivity to an organization's internal IT infrastructure and applications. A security zone typically contains external-facing services that are accessible from untrusted networks such as the Internet. Other common use cases for security zones are internal isolation for classified environments or development infrastructures. The primary purpose of this architecture is adding another layer of security to further reduce the risk of unauthorized access to an organization's internal network, applications, and data.

One of the most significant threats to security in any environment is misconfiguration. Complexity increases the possibility of misconfiguration, which could lead to security incidents. VMware vSphere uses bare-metal virtualization, so the hypervisor interfaces directly with server hardware without the need for a more complex, general-purpose operating system. This approach reduces the attack surface and helps safeguard against OS-related vulnerabilities, making it the most robust and secure virtualization platform in the industry and an excellent platform for running workloads in security zones.

Examples of workloads typically found in security zones include web servers, email gateways, and proxy services. It is very common for these workloads to have high availability requirements. Features such as vSphere High Availability, vSphere Fault Tolerance, and vSphere Distributed Resource Scheduler help protect virtualized applications and services from downtime associated with hardware failures and resource contention. These features require shared storage, which means access to internally hosted storage networks (SAN and NAS) is commonly extended to security zones. This potentially opens up additional paths for attackers to gain access to internal resources and leads to more complex firewall configurations. Another option is a dedicated storage appliance contained within the security zone, but this solution can be expensive and add management overhead.

Compute and storage resources for a security zone are ideally very secure, simple to implement, cost-effective, and provide the performance and availability levels necessary to run and protect critical, external-facing workloads. vSphere and VMware vSAN provide the hyper-converged infrastructure (HCI) best suited to meet these requirements.

Why vSAN for a Security Zone?

vSAN is VMware's software-defined storage solution for HCI. vSAN and vSphere provide a complete, natively integrated platform consisting of compute, network, and storage resources that are secure and isolated from the rest of the infrastructure. Since disks internal to the vSphere hosts are used to create a vSAN datastore, there is no dependency on external shared storage appliances. Virtual machines can be assigned specific storage policies based on the availability and performance needs of the application. External-facing workloads benefit from dependable storage and predictable performance characteristics while minimizing risk.

vSAN is built on an optimized I/O data path in the vSphere hypervisor. It is managed as a core component of a vSphere environment, meaning separate administration tools and connections are not required. This minimizes the attack surface and complexity of the compute and storage infrastructure. Lower complexity reduces the chances of a misconfiguration that could lead to a vulnerability.

Virtual machine-centric storage policies are created and assigned for various workload types. Policies are based upon the availability and performance services provided by vSAN. These policies can be modified and reassigned, as needed, with no downtime. Access to the vSAN datastore is confined to the hosts in the same vSAN cluster. A dedicated HCI with vSphere and vSAN helps ensure controlled access, predictable performance, and availability of applications and services in a security zone without increasing risk. Running workloads on a separate compute and storage platform also allows more flexibility with maintenance schedules.

vSAN includes a health dashboard, which automatically monitors and alerts on items such as overall disk health, hardware compatibility list (HCL) compliance, network connectivity issues, and high utilization. If an alert is raised, administrators can easily and quickly start assessing the issue by clicking the Ask VMware button in the vSAN Health user interface, which takes them directly to the relevant VMware knowledge base article. Timely alerts and issue resolution are one more way vSAN enables a secure and stable platform for business-critical applications.

Native Data at Rest Encryption

vSAN encryption is an option for vSAN datastores to further improve security and provide compliance with increasingly stringent regulatory requirements. Since vSAN encryption is native to vSAN, it eliminates the extra cost, limitations, and complexity associated with procuring and maintaining self-encrypting drives.

A Key Management Server (KMS) is required to enable and use vSAN encryption. Multiple KMS vendors are compatible, including HyTrust, Gemalto (SafeNet), Thales e-Security, CloudLink, and Vormetric. After a trust relationship has been set up between VMware vCenter Server and the KMS cluster, vSAN encryption is enabled with just a few mouse clicks. vSAN datastore encryption is enabled and configured at the datastore level. In other words, every object on the vSAN datastore is encrypted when this feature is enabled. Data is encrypted using an AES-256 cipher when it is written to persistent media in the cache and capacity tiers of a vSAN datastore. Encryption occurs just above the device driver layer of the vSphere storage stack, which means it is compatible with all vSAN features such as deduplication, compression, and RAID-5/6 erasure coding.

vSAN with vSphere Availability

The use of local disk datastores without vSAN introduces risk to application uptime. For example, only one copy of a virtual machine's files is stored on a local disk. If that disk fails, the virtual machine files must be restored from backup media, which is time consuming and unreliable. It is possible to create a second copy of virtual machine files on another disk, but the process is not automatic and must be performed frequently. Recovery from this second copy would also be a manual process, increasing risk and recovery time.

vSAN addresses these challenges by aggregating local disks into a shared datastore distributed across hosts in the cluster. vSAN features a storage policy rule called "Primary level of failures to tolerate," or PFTT, which defines the number of replicas of a virtual machine's files to distribute across physical nodes in the vSAN cluster. For example, when PFTT = 1, vSAN will create and maintain two mirrored replicas of the virtual machine's files and place them on separate hosts. If a disk or host containing one of those replicas is offline, the data is still accessible from the other replica.

vSphere HA requires shared storage, and vSAN is tightly integrated with vSphere HA. If a host fails, virtual machines that were running on the failed host are automatically rebooted by vSphere HA on other hosts in the cluster to minimize downtime. vSphere HA can also monitor guest operating systems and automatically reboot a virtual machine in the event of an operating system failure such as a Windows blue screen. vSphere Fault Tolerance is also compatible with vSAN and provides continuous availability for applications with up to four virtual CPUs in the event of a host failure.
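The encryption section above says vSAN encrypts "just above the device driver layer," which is why it stays compatible with deduplication. The following illustration (added here; it is not vSAN's code) shows why that ordering matters: identical 4 KB blocks deduplicate before encryption, whereas encrypting every logical block with its own nonce first turns each one into unique ciphertext and leaves nothing for deduplication to find. A SHA-256 counter keystream stands in for AES-256 so the example runs with the standard library alone; it is a toy, not a cipher to deploy, and all names, the key, and the sample data are constructed for this example.

```python
"""Added illustration (not vSAN's implementation): dedup-then-encrypt versus
encrypt-then-dedup on a constructed workload of 64 logical 4 KB blocks that
contain only four distinct patterns."""
import hashlib
import itertools

BLOCK_SIZE = 4096


def toy_stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256(key || nonce || counter) keystream.
    Toy stand-in for AES-256; XOR means the same call also decrypts."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def fingerprint(block: bytes) -> bytes:
    return hashlib.sha256(block).digest()


def blocks_of(data: bytes):
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def store_dedup_then_encrypt(data: bytes, key: bytes):
    """vSAN's order: deduplicate logical blocks, encrypt only what is physically written.
    Returns (physical store: fingerprint -> (nonce, ciphertext), logical map)."""
    nonces = itertools.count()          # constructed: one unique nonce per physical write
    physical, logical = {}, []
    for block in blocks_of(data):
        fp = fingerprint(block)          # fingerprint the plaintext
        if fp not in physical:
            nonce = next(nonces).to_bytes(8, "big")
            physical[fp] = (nonce, toy_stream_encrypt(key, nonce, block))
        logical.append(fp)
    return physical, logical


def store_encrypt_then_dedup(data: bytes, key: bytes):
    """Reverse order: encrypt each logical block with a fresh nonce, then try to deduplicate."""
    nonces = itertools.count()
    physical, logical = {}, []
    for block in blocks_of(data):
        nonce = next(nonces).to_bytes(8, "big")
        ct = toy_stream_encrypt(key, nonce, block)
        fp = fingerprint(ct)             # identical plaintexts no longer collide
        physical.setdefault(fp, (nonce, ct))
        logical.append(fp)
    return physical, logical


def read_back(physical, logical, key: bytes) -> bytes:
    """Reassemble the logical data from the stored (nonce, ciphertext) pairs."""
    return b"".join(toy_stream_encrypt(key, *physical[fp]) for fp in logical)


def dedup_ratio(physical, logical) -> float:
    return len(logical) / len(physical)


# Constructed sample: 64 logical blocks drawn from only four distinct patterns.
PATTERNS = [(f"dmz-web-vm block pattern {i} ".encode() * 400)[:BLOCK_SIZE] for i in range(4)]
SAMPLE = b"".join(PATTERNS[i % 4] for i in range(64))
KEY = hashlib.sha256(b"constructed demo key, not a KMS-issued key").digest()


def demo():
    """Return (physical blocks written in vSAN's order, physical blocks in the reverse order)."""
    phys_a, log_a = store_dedup_then_encrypt(SAMPLE, KEY)
    phys_b, log_b = store_encrypt_then_dedup(SAMPLE, KEY)
    assert read_back(phys_a, log_a, KEY) == SAMPLE      # both orders round-trip correctly
    assert read_back(phys_b, log_b, KEY) == SAMPLE
    return len(phys_a), len(phys_b)


if __name__ == "__main__":
    after, before = demo()
    print(f"dedup then encrypt: {after} physical blocks for {len(blocks_of(SAMPLE))} logical")
    print(f"encrypt then dedup: {before} physical blocks for {len(blocks_of(SAMPLE))} logical")
```

Both orders decrypt back to the same data, so the difference is invisible to the guest; it shows up only as capacity consumed, which is exactly the property the page attributes to placing encryption low in the stack.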

A variety of data protection solutions are available to back up and recover virtual machines and applications in a vSAN cluster. Check with your data protection vendor to verify support and look for the "VMware Ready for vSAN" logo. Virtual machine replication solutions such as Dell EMC RecoverPoint for Virtual Machines and VMware vSphere Replication work seamlessly with vSAN to enable rapid, reliable per-virtual machine recovery.

vSAN Performance

vSAN is uniquely embedded in the vSphere hypervisor kernel and sits directly in the I/O data path. It can deliver the highest levels of performance without taxing the CPU or consuming large amounts of memory, as compared to other virtual storage appliances that run separately on top of the hypervisor. All-flash vSAN configurations provide excellent performance with predictable, low latencies. A combination of magnetic and solid-state drives can be used to enable flash-accelerated hybrid configurations. Specific rules such as "Number of disk stripes per object" and "Flash read cache reservation (%)" can be used to accelerate read-intensive workloads, especially in hybrid vSAN configurations. With vSAN, it is possible to apply policies with precision. For example, database servers are commonly deployed with the guest OS on one virtual disk and databases on other virtual disks. A storage policy that reserves a higher percentage of flash read cache could be assigned specifically to the virtual disks containing databases to help guarantee performance.

Visibility and Proactive Notifications with vRealize Operations

vSAN includes a health check feature to monitor items such as network connectivity, disk capacity, component metadata, and compliance with the hardware compatibility list (HCL). While this might be sufficient in many cases, enhanced visibility and management capabilities across vSAN clusters at multiple locations are available with VMware vRealize Operations. vRealize Operations Manager includes dashboards for vSAN such as Capacity Overview, Optimize vSAN Deployments, and Operations Overview.
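The availability and performance sections above describe storage policy rules (PFTT, the failure tolerance method, "Number of disk stripes per object", "Flash read cache reservation (%)") in words. The worked example below (added by this page's editor; it is not VMware or vSAN code) turns those rules into numbers a practitioner planning a security-zone cluster wants: how many copies and witness components an object gets, the minimum number of hosts needed to place them, the raw capacity consumed, and a pre-flight check of a policy against a cluster. It goes slightly beyond the page by covering PFTT 0 to 3 for mirroring and the RAID-5/6 erasure coding cases the page names; the figures are the published vSAN rules for standard (non-stretched) clusters, and the class, function and sample names are this example's own.

```python
"""Added worked example (not VMware code): vSAN storage policy rules as
object layout, minimum hosts, raw capacity, and a cluster pre-flight check."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class StoragePolicy:
    name: str
    pftt: int                      # Primary level of failures to tolerate
    method: str = "mirror"         # "mirror" (RAID-1) or "erasure" (RAID-5/6)
    stripes: int = 1               # Number of disk stripes per object (1-12)
    flash_read_cache_pct: int = 0  # Flash read cache reservation (%), hybrid clusters only


@dataclass(frozen=True)
class Cluster:
    name: str
    hosts: int
    all_flash: bool


def object_layout(policy):
    """Return (copies, witnesses, minimum hosts, raw capacity multiplier).

    copies    = full replicas (mirror) or data+parity fragments (erasure coding);
                each copy is further split into `policy.stripes` components.
    witnesses = tie-breaker components that keep a quorum after PFTT failures.
    """
    if policy.method == "mirror":
        if not 0 <= policy.pftt <= 3:
            raise ValueError("mirroring supports PFTT 0 to 3")
        copies = policy.pftt + 1           # PFTT = 1 -> two mirrored replicas
        return copies, policy.pftt, 2 * policy.pftt + 1, Fraction(copies)
    if policy.method == "erasure":
        if policy.pftt == 1:               # RAID-5: 3 data + 1 parity fragments
            return 4, 0, 4, Fraction(4, 3)
        if policy.pftt == 2:               # RAID-6: 4 data + 2 parity fragments
            return 6, 0, 6, Fraction(3, 2)
        raise ValueError("erasure coding supports PFTT 1 or 2 only")
    raise ValueError(f"unknown failure tolerance method {policy.method!r}")


def raw_capacity_gb(policy, logical_gb):
    """Raw vSAN datastore capacity consumed by logical_gb of VM data under this policy."""
    return logical_gb * object_layout(policy)[3]


def check_policy(policy, cluster):
    """Pre-flight check: reasons the policy cannot be satisfied on the cluster (empty if fine)."""
    problems = []
    try:
        _, _, min_hosts, _ = object_layout(policy)
    except ValueError as exc:
        return [f"{policy.name}: {exc}"]
    if cluster.hosts < min_hosts:
        problems.append(f"{policy.name}: needs at least {min_hosts} hosts, cluster has {cluster.hosts}")
    if policy.method == "erasure" and not cluster.all_flash:
        problems.append(f"{policy.name}: RAID-5/6 erasure coding requires an all-flash cluster")
    if policy.flash_read_cache_pct and cluster.all_flash:
        problems.append(f"{policy.name}: flash read cache reservation is ignored on all-flash clusters")
    if not 1 <= policy.stripes <= 12:
        problems.append(f"{policy.name}: stripe width must be between 1 and 12")
    return problems


if __name__ == "__main__":
    # Constructed sample cluster and policies for illustration only.
    dmz = Cluster("dmz-vsan", hosts=4, all_flash=True)
    for pol in (StoragePolicy("web-mirror", pftt=1),
                StoragePolicy("db-raid5", pftt=1, method="erasure", stripes=2),
                StoragePolicy("mail-raid6", pftt=2, method="erasure")):
        copies, witnesses, hosts, mult = object_layout(pol)
        print(f"{pol.name}: {copies} copies, {witnesses} witnesses, "
              f">= {hosts} hosts, {float(mult):.2f}x raw capacity")
        for problem in check_policy(pol, dmz):
            print("  !", problem)
```

Running the sample shows the trade-off the page hints at: mirroring with PFTT = 1 fits the four-host cluster at 2x raw capacity, RAID-5 fits at 1.33x, and RAID-6 is flagged because it needs six hosts.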

vRealize Operations features predictive analytics and smart alerts to help ensure optimum performance and availability of applications and infrastructure. vRealize Operations Manager enables administrators to monitor several factors such as read and write IOPS, throughput, latency, cache hits, write buffer utilization, and capacity. Capacity utilization and time remaining metrics are also included. vRealize Operations analyzes consumption trends and provides estimates of the amount of time remaining before resources are exhausted. This makes it easier for administrators to procure additional capacity in a timely manner to avoid project delays and more serious issues such as application downtime due to lack of free space.

Easily Add Capacity without Downtime

vSAN is a distributed architecture that allows for elastic, non-disruptive scaling. Compute and storage capacity is scaled out simply by bringing a new host into the cluster. Storage capacity and performance can be scaled up independently by adding new drives to existing hosts. This grow-as-you-go model provides predictable, linear scaling for remote office environments with affordable investments spread out over time.

Summary

vSAN and vSphere provide the best HCI platform for running virtual machine workloads requiring predictable performance and availability in secure environments. vSphere has achieved multiple security certifications and has a proven track record. vSphere and vSAN are the first and only HCI solution that is part of a DISA STIG. The integration of vSAN with vSphere reduces risk through policy-based management and role-based access control. Important services such as external-facing web sites, email, and employee remote access can benefit from shared storage without the cost and complexity of dedicated storage hardware. Virtual machine-centric storage policies are created, assigned, and modified as needs change in the environment. Maintenance windows are easier to schedule, and there are features such as vSphere HA and vSphere Replication to enable rapid recovery from unplanned downtime. vSAN health monitoring is included and, optionally, the vRealize Operations Management Pack for Storage Devices provides multiple vSAN dashboards for proactive alerting, heat maps, device and cluster insights, and streamlined issue resolution.