Today’s enterprise IT is embracing an increasingly heterogenous set of data center resources. The dominant form of compute comes from on premise vSphere based private clouds, but there is increasing interest in edge computing, and computing as-a-service models. The recent announcement of VMware and Amazon’s partnership to bring as a service computing to private clouds with Amazon’s Outposts is the latest step forward in the march of the hybrid cloud. VMware’s vision is to provide one consistent set of software infrastructure that can span this increasingly heterogeneous hybrid cloud.
Recently VMWare announced a bundle of services that extend this consistent data center management to the public cloud – called VMware Cloud Foundation for Amazon EC2, or VCF for EC2. VCF for EC2 consists of two major components – a mechanism to insert and manage these services on Amazon EC2, as well as the networking, security, data and management services themselves. This paper will outline all of the major components of VCF for EC2, and how they can be used to streamline data center operations in an increasingly heterogenous computing environment.
Secure by Design: The VCF Framework
VCF is intended to provide one consistent set of data center management services across vSphere and non-vShpere environments. For the EC2 environment, a mechanism must be in place to transparently insert these services into the workloads running on EC2. In the private cloud environment, users may be familiar with VMware’s VM Tools. This is a collection of host-resident probes, drivers and agents that allow the vSphere system to optimize and manage workloads running on VMWare’s ESXi hypervisor. VMware has extended this concept to EC2 based workloads. VM Tools for EC2 creates a bundle of host-resident probes, drivers and agents, and provides a framework to transparently insert, manage and protect these host components as they run on EC2 environments, either in Amazon’s EC2 public cloud or on premise on Amazon’s Outposts hybrid cloud solution.
VMware has developed a virtual appliance that manages the lifecycle of the VM Tools. This appliance is called the Cloud Controller. The Cloud Controller runs in a VPC on AWS and is tethered back to the NSX Controller running on the customer premise. The NSX Controller provides heart beating and connectivity services to the Cloud Controller. The Cloud Controller acts as an extension of trust from the premise-oriented VMWare SDDC systems.
At boot time, VMware has developed a mechanism to insert the tools into the instance if the tools are not already built into the AMI. This allows central IT to inject a control point without modifying existing DevOps workflows. The Cloud Controller will also collect an inventory of all existing instances running that do not have tools present. Administrators can deal with this by policy, some instances can be automatically rebooted during a change window and tools transparently inserted. Others can be added to an exclusion list meaning no tools are required, but the access of those instances can be limited (i.e. they can’t touch the Internet).
The system is tamper-proof. Even if an attacker or an insider with root tries to disable the tools running in the instance, the controller will detect that the tools have been disabled and will by policy either alert and/or quarantine the instance until remediation is accomplished. If an attacker attempts to alter the controller, the NSX controller on prem will detect and alert on this event. This robust system allows for transparent insertion and management of VMware data center services in EC2. As part of their partnership, VMWare and AWS are continuing to make enhancements that will make the system even more transparent and more tamper proof.
The first set of services enabled in VMware Cloud Foundation for EC2 is NSX Networking and Security. A key feature of the NSX offering for EC2 is service insertion and packet capture. With this capability, the rich partner ecosystem of NSX that exists on VMware private clouds can now be extended into native EC2 environments. Partners can utilize the same NSX APIs for service insertion and packet capture on premise in vSphere environments and in EC2 environments. This is extremely useful for using NSX and the VMware Cloud Foundation as the platform to deliver consistent services across the hybrid cloud.
Another very popular feature of NSX for EC2 is layer two network stretching. This allows workloads running in any EC2 environment, whether on AWS Outposts on premises or in the public cloud to share a common L2 IP space even across multiple VPCs. This greatly simplifies workload migration and DR scenarios as workloads do not to be re-addressed or modified to take advantage of the flexibility and elasticity of the hybrid cloud.
NSX is known for its built-in security services. One of the most powerful is the firewall built for Internal (East-West) traffic flows. This firewall understands the application topology and can visualize and map flows between the web tier, app tiers, and persistence tiers. Firewall policies can then be automatically deployed and dynamically updated if there are changes to application topology. This use case has been widely deployed and there are now thousands of enterprise customers using NSX to internally segment server to server traffic in the data center. With VMware Cloud Foundation for EC2, this same capability can be extended to EC2 based workloads, either on the public cloud or running on AWS Outposts in the customer data center. From a single policy console, IT can now ensure that foundational security policies are consistently enforced for workloads running on premise or in the public cloud, on vShpere or on EC2 environments. In the future, this same architecture will allow VMware advanced security offerings such as App Defense to be extended onto native EC2 environments.
In addition to the data plane services of NSX, VMware has a collection of control plane services that support both vSphere and native EC2 workloads. vRealize Network Insights provides a single pane of glass that allows customers to visualize their flows for workloads running in a vSphere environment and/or in EC2. This is extremely helpful for troubleshooting hybrid cloud workloads, and also for formulating security policies. Additionally, VMware’s Cloud Health provides industry leading cost management for EC2 environments.
The Foundation for all workloads
VMware Cloud Foundation for EC2 creates a common set of data center services that spans the hybrid cloud. These services support all types of workloads from traditional VM based enterprise applications to modern container-based workloads utilizing platforms like PKS or Red Hat OpenShift.
VCF for EC2 and Amazon Outposts will be available in 2H2019. However, VCF is being built on the framework already established for NSX Cloud for EC2 which is available today. Customers can take advantage of this capability to deploy one consistent set of network and security policies across private and public clouds. Building on these products and workflows, customers will then be ready to take full advantage of the innovative new hybrid cloud solutions like Amazon’s Outposts as these products become available in the later part of 2019.