STO2451BU: Automating Disaster Recovery Operations in the SDDC with SRM, vRealize Automation, and NSX
VMworld 2017
Shobhan Lakkapragada, Director of Product Management
Stefan Tsonev, Director of Engineering
Content: Not for publication
#VMWorld #STO2451BU
Disclaimer
This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#STO2451BU CONFIDENTIAL
Agenda
1 SRM + vRealize Automation (vRA) + NSX: Solution Overview and Benefits
2 SRM + vRealize Automation Deep Dive
4 SRM + NSX Deep Dive
5 Q&A
VMware Site Recovery Manager
[Diagram: Production Site and Recovery Site, each with vCenter Server, vSphere, Servers and Site Recovery Manager, connected by vSphere Replication or array-based replication]
SRM is the industry-leading disaster recovery automation solution for vSphere environments
- Centralized recovery plans for thousands of VMs
- Non-disruptive recovery testing
- Automated DR workflows
- Integrated with the VMware product stack
- Lowers the cost of DR management by 50% or more
- Eliminates complexity and risk of manual processes
- Enables fast and highly predictable RTOs
- Provides policy-driven DR control for any virtualized app
SRM + vRealize Automation enables Self-Service, Policy-Based DR Protection for Apps
[Diagram: Production Site and Recovery Site, each with Site Recovery Manager, vSphere and External Storage, connected by array-based replication; vRealize Automation]
Architecture
- vRealize Orchestrator plugin for SRM
- Integration with vR Automation
- New APIs exposed for PowerCLI integration
Capabilities
- Self-service DR provisioning using vRealize Automation blueprints
- Automated protection mapping according to pre-defined tiers
Benefits
- DR control delivered as a service to app tenants
- Quicker time to market for apps
- Reduced complexity for infrastructure admins
NSX 6.3 Integration: Reduce OpEx and Accelerate Recovery
[Diagram: SRM A and SRM B, each with a Distributed Switch, joined by an NSX Universal Logical Switch with implicit mapping]
Overview
- SRM 6.5 supports NSX 6.3 cross-vCenter logical switches
- Automatic mapping of networks
- Preserved network and security rules on recovered VMs
Benefits
- Reduce OpEx
- Decreased manual configurations post-recovery
- Faster recovery time by 40% (1) or more
Available since SRM 6.1
(1) VMware Performance Engineering internal testing
SRM + vRealize Automation Deep Dive
SRM + vRealize Automation (vRA) Key Benefits
- Protect vRA management components and production workloads
- Incorporate DR protection capability into provisioning process
- Recover all components & resume day 2 operations
1 Policy-based DR protection through vRA for workload VMs
2 DR protect vRA management components
3 Recover vRA and workload VMs
SRM + vRA Deployment: vRA considerations
[Diagram: Palo Alto Site with vRA, vRA vSphere Agent, vCenter, SRM and SRM-protected Palo Alto workload VMs; Wenatchee Site with vRA vSphere Agent, vCenter, SRM and SRM-protected Wenatchee workload VMs. vCenters of both sites are managed endpoints in vRA]
- vRA is deployed on one site (does not matter which)
- Workload VM(s) are provisioned to a desired site
- Both sites are endpoints in vRA
- Reservations at both endpoints
- Data collection on ALL compute resources containing protected VM(s)
- SRM placeholder VM(s) ignored by vRA
SRM + vRA Deployment: SRM considerations
[Diagram: Palo Alto Site with vRA, vRA vSphere Agent, vCenter, SRM and SRM-protected Palo Alto workload VMs; Wenatchee Site with vRA vSphere Agent, vCenter, SRM and SRM-protected Wenatchee workload VMs. vCenters of both sites are managed endpoints in vRA]
- vRA management components deployed in dedicated SRM protection group / recovery plan
- Workload VMs added to SRM protection groups and recovery plans as in normal SRM deployment
- SRM creates corresponding placeholder at opposite site for each workload VM(s)
- SRM placeholder VM(s) ignored by vRA
How does vRealize Automation deal with VMs being failed over?
Configure two scripts in SRM Recovery Plan
1. Pre-failover script that stops vRA from monitoring workload VMs during failover process
2. Post-failover script that resumes monitoring after VMs are failed over
More info: http://pubs.vmware.com/vrealize-suite-70/topic/com.vmware.ICbase/PDF/vrealize-suite-70-disaster-recovery-SRM-61.pdf
DR Protection for new workload VMs deployed through vRA
vRA Provisioning with Automated SRM Protection: Which pieces do what?
vRealize Automation (vRA)
- End user facing portal
- Policy based control over placement (e.g. onto replicated storage)
vRealize Orchestrator (vRO)
- Extends vRA provisioning capabilities
- vRA Plug-in: Enables vRA to call vRO workflows to perform post provisioning actions
- SRM Plug-in: Enables SRM protection automation (e.g. protect a VM)
SRM
- Provides fully automated disaster recovery of protected workloads
Automated DR provisioning through vRA
Let's automate protection of workloads as part of vRA provisioning
A few capabilities that will help!
- vRA extensibility using vRO workflows
- vRealize Orchestrator plugins for SRM and VR allow us
  o to replicate workloads with vSphere Replication, eliminating the need for expensive storage arrays
  o to automatically protect workloads with SRM!
  o configure per-VM SRM recovery settings like: Recovery priority, Command call-outs, Etc.
vRO workflow for vSphere Replication and Site Recovery Manager configuration
Configuring Subscription in vRealize Automation
Configuring Subscription conditions in vRealize Automation
Workflow Selection in vRealize Automation
SRM and NSX
SRM + NSX Overview: Feature Definition
- Preserves VMs affinity to NSX stretched network(s) during Failover
- Preserved network and security rules on recovered VMs
- No user-provided Inventory Network mappings configuration is required
- Works out-of-the-box ("auto-mappings")
- Respects Inventory Mapper's network mappings
- Supports Federated and non-federated vCenter Server configurations
Solution Overview: Feature Definition (What Does it NOT do)
- Does not configure, monitor or protect NSX components
- Assumes the stretched network is already configured by the networking admin
- Assumes DFW rules and policies are replicated as needed by NSX
- Does not handle regular NSX-backed networks in any special way
- Provides auto-mapping for NSX Universal Logical Switches only
- Does not provide post-recovery NSX management
Requirements and Limitations
Solution Prerequisites
- Requires NSX 6.3 and SRM 6.5
NSX Stretched Network Provisioning/Configuration
- Performed using the NSX vSphere UI plugin, or can be scripted
Storage Policy Protection Groups
- Requires array-based replication only
- Supports Cross-vCenter vMotion with stretched storage configuration
For regular Virtual Machine Protection Groups
- Auto-mapping integration capability is not supported
- All NSX networks treated as regular network configurations
Theory of Operation: Discovering Universal Wires
NSX Device Topology follows the vSphere VDS Architecture
[Diagram: Cluster, VDS (NSX Logical Switch), Distributed Virtual Portgroup, vNIC]
Theory of Operation: Discovering Universal Wires (cont.)
Use distinct naming conventions ("vxw" prefix)

    PowerCLI> Get-VDPortgroup -Name vxw* | ft -au

    Name                                                                NumPorts PortBinding
    ----                                                                -------  -----------
    vxw-vmknicpg-dvs-29-0-dc48a115-c545-4d95-9fa2-69ff90802813          8        Static
    vxw-dvs-29-universalwire-1-sid-100000-primary-logical-switch-07-08  8        Static

NSX Network Naming Scheme
- dvs-29: DVS MoId
- universalwire-1: Logical Switch ID
- 10000: Logical Switch Segment ID (= VXLAN Network ID)
Universal Wire
- Spanned between 2+ Logical Switches
- Logical Switches have the same Logical Switch ID on both sites
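A pre-failover check built on the naming scheme above, as an added example that is not part of the presentation: it parses vxw port group names from both sites and pairs universal wires by Logical Switch ID, flagging networks that would not be auto-mapped. The function names, the constructed dvs-41 recovery-site name and the "virtualwire" form used for a non-universal switch are assumptions.

```powershell
# Constructed sample names in the slide's naming scheme; live input would be
# (Get-VDPortgroup -Name 'vxw*').Name collected from each site's vCenter.
$protectedSite = @(
    'vxw-vmknicpg-dvs-29-0-dc48a115-c545-4d95-9fa2-69ff90802813'
    'vxw-dvs-29-universalwire-1-sid-100000-primary-logical-switch-07-08'
    'vxw-dvs-29-universalwire-2-sid-100001-db-tier'   # constructed
    'vxw-dvs-29-virtualwire-7-sid-5001-local-app'     # constructed; assumed local-switch form
)
$recoverySite = @(
    'vxw-dvs-41-universalwire-1-sid-100000-primary-logical-switch-07-08'  # constructed
)
function ConvertFrom-VxwName {
    param([Parameter(Mandatory)][string]$Name)
    # vxw-<DVS MoId>-<Logical Switch ID>-sid-<Segment ID>-<display name>
    $pattern = '^vxw-(?<dvs>dvs-\d+)-(?<wire>(?<kind>[a-z]+wire)-\d+)-sid-(?<sid>\d+)-(?<label>.+)$'
    if (-not ($Name -match $pattern)) { return $null }   # e.g. the vmknic port group
    [pscustomobject]@{
        Name            = $Name
        DvsMoId         = $Matches['dvs']
        LogicalSwitchId = $Matches['wire']
        SegmentId       = [int]$Matches['sid']
        Universal       = ($Matches['kind'] -eq 'universalwire')
    }
}
function Get-UniversalWireMapping {
    param([string[]]$ProtectedSite, [string[]]$RecoverySite)
    $remote = @{}   # recovery-site universal wires, keyed by Logical Switch ID
    foreach ($name in $RecoverySite) {
        $pg = ConvertFrom-VxwName -Name $name
        if ($pg -and $pg.Universal) { $remote[$pg.LogicalSwitchId] = $pg.Name }
    }
    foreach ($name in $ProtectedSite) {
        $pg = ConvertFrom-VxwName -Name $name
        if (-not $pg) { continue }                       # not a logical-switch port group
        $peer = if ($pg.Universal) { $remote[$pg.LogicalSwitchId] } else { $null }
        if (-not $pg.Universal) { $status = 'not a universal wire: needs explicit network mapping' }
        elseif ($peer)          { $status = 'auto-mapped' }
        else                    { $status = 'universal wire not found on recovery site' }
        [pscustomobject]@{
            LogicalSwitchId = $pg.LogicalSwitchId
            SegmentId       = $pg.SegmentId
            Status          = $status
            RecoveryPG      = $peer
        }
    }
}
Get-UniversalWireMapping -ProtectedSite $protectedSite -RecoverySite $recoverySite |
    Format-Table -AutoSize
```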
Storage Policy-Based Protection Groups
Storage Policy Profile Driven Protection Group
Policy Driven Protection
- New Style Protection Group leveraging storage profiles
- High level of automation compared to traditional protection groups
- Policy based approach reduces OpEx
- Simpler integration of VM provisioning, migration, and decommissioning
Theory of Operation: Protection
Device-based (vs. Inventory Mapping based) mapping concept
- Extends the existing vNIC device protection (Protected Site)
- Detects that vNIC is backed by a stretched NSX network
- Records the Logical Switch ID into the VM's placeholder file (.vmx)
- The .vmx file is replicated by the underlying array-based replication
Test Recovery Workflow
- Does not preserve affinity to stretched network by default
- Recovers to an ad-hoc isolated "Test Bubble Network"
- Use Recovery Plan Test Network mappings to override this behavior
- Map (all) universal wires to themselves
- Global Test Network Mapping NOT supported for auto-mapped networks
  o An Inventory Mapping UI limitation
  o Supported at the VMODL level
Planned Migration and Disaster Recovery Workflows
Planned Migration and Disaster Recovery
- Resolves network device backing to reciprocal NSX Distributed Virtual Portgroup
- Unresolved networks are fixed/resolved using Placeholder Network Mappings
Live Migration with xvMotion on Stretched Storage
- NSX integration is fully supported on this topology
- The target NSX network is to be resolved prior to starting xvMotion
NSX Distributed Firewall, Routing and Rules
- Remain in effect as long as they are expressed in MAC and IP address terms
- Container-based rules (if any) might need to be updated after Failover
- Virtual Machine IP customization not required
SRM & NSX: Delivering Simplification and Value
[Diagram: Finance (SG-FIN-WEB: FIN-WEB-01, FIN-WEB-02) and HR (SG-HR-WEB: HR-WEB-01, HR-WEB-02) web VMs on the DMZ - Web Logical Switch 172.16.10.0/24, with HTTPS and ICMP flows; firewall rule table with columns Source, Destination, Service, Action, Apply To, containing Allow and Block rules for HTTPS, ICMP and Any between SG-FIN-WEB and SG-HR-WEB]
[Diagram: Finance and HR tenants across three tiers behind a DLR: SG-FIN-WEB and SG-HR-WEB on the DMZ - Web Logical Switch 172.16.10.0/24, SG-FIN-APP and SG-HR-APP on the App Logical Switch 172.16.20.0/24, SG-FIN-DB and SG-HR-DB on the DB Logical Switch 172.16.30.0/24; shared services (SYSLOG SRV, NTP SRV, SNMP SRV, DNS SRV, STATS SRV, AAA SRV) in SG-SHARED-SERVICES on the COMMON MGMT Logical Switch 10.1.1.0/24 and COMMON SVCS Logical Switch 10.1.2.0/24]
Access to shared services must be protected for all Tenants and Tiers
Q&A