Hi, Habr! We updated the VMware vCloud Director platform from version 8.10 to 8.20.
What is new and what features does version 8.20 bring? This question is probably of interest to those who have already used clouds on the IaaS (Infrastructure-as-a-Service) model and are familiar with vCloud Director. We cover it in the second half of this article; first, for readers less experienced in virtualization, we give a brief overview of the modules and components of vCloud Director.
What is a vDC built from?
VMware vCloud Director is a platform for creating software-defined virtual data centers: it turns physical data centers into elastic pools of computing resources that end users consume under various allocation and consumption models. vCloud Director has a control panel that lets cloud service providers delegate some of their day-to-day IT operations to their customers.
All physical resources of the data center, such as compute, storage and networks, are combined into large pools of virtual resources. Parts of these pools are then handed out as "prefabricated" vDCs allocated to tenants.
vCloud Director uses VMware vCenter and VMware vSphere to turn physical compute and storage into virtual pools, and NSX / vCNS to create virtual networks with different topologies.
How does VMware vCloud Director accumulate resources for use, and how can individual tenants consume them?
vSphere supplies vCloud Director with the resources used to create a shared pool called the Provider vDC (provider virtual data center). The Provider vDC is an abstraction layer from which resources are carved out for end users as separate consumable units, the Org vDCs. vCloud Director keeps a database of all vSphere resources and periodically synchronizes it with the vSphere inventory.

An Org vDC is the unit of compute that cloud users consume. It is the container for all virtual machines that a group of users runs in the cloud. An enterprise using a cloud provider may have several Org vDCs, each matching a service tier, such as gold, silver and bronze, or a business group, such as HR, finance or marketing.
Org vDCs are attached to one or more networks. Org vDC networks provide network services to the virtual machines residing in the Org vDC. In addition, a vApp can create its own network segment (a vApp network). The vApp network has its own gateway, connected to the Org vDC network.
There are three types of networks to which you can connect a virtual machine or a vApp network:
- Isolated network: A fully isolated and non-routable network suitable for virtual machines that need high security and do not need access to external networks / Internet.
- Org vDC routed network: virtual machines connected to routed networks can send and receive external network traffic using NAT, firewall, and VPN tunnels.
- External network: a provider-managed network, backed by a vSphere port group, that gives Org vDC routed networks (and vApps connected directly to it) connectivity outside the organization.
The service provider may assign the tenant (organization) administrator role to any user in that organization. A tenant administrator can add and remove users, allocate resources and create network services for the organization. Each organization has a unique URL built on top of the vCD base URL, and authorized users log in through the URL of their organization. Tenant administrators can also publish catalogs for cloud users. Catalogs can contain virtual machine or multi-VM vApp templates, ISO images or other media files, and users deploy from these templates to speed up virtual machine provisioning.
vCloud Director is designed to optimize resource consumption, to provide "prefabricated" services while maintaining the isolation between the resources of each client in the cloud. Listed below are some vCloud Director features that make this possible.
Elastic Resource Pool
From the Provider vDC abstraction layer, vCloud Director can draw resources for clients when they are needed and return them to the pool when they are no longer needed.
How it's done? (Allocation models)
vCloud Director has three allocation models with which it assigns resources to an Org vDC. An Org vDC essentially maps to a resource pool in vSphere.
- ALLOCATION POOL: a percentage of the allocated resources is guaranteed (reserved), and the allocation is set as the maximum limit on the resource pool.
- PAY-AS-YOU-GO: no reservation or maximum limit is set on the resource pool; reservations and limits are set at the virtual machine level instead.
- RESERVATION POOL: the guaranteed amount and the maximum limit are equal, so all allocated resources are reserved. No resource parameters are set at the virtual machine level, but the user can change limits and reservations for individual virtual machines.

A client who needs a fixed set of resources can work with an Org vDC that has guaranteed resources, or choose PAY-AS-YOU-GO when there is no data yet on how much they will consume in the cloud. The provider, thanks to pool elasticity, can avoid over-provisioning physical capacity and reduce capital expenditure by adding physical hosts only as needed, without downtime.
Multi-tenancy
Multi-tenancy is one of the essential characteristics of an IaaS cloud, and vCloud Director has specific modules and constructs built around it. An organization in vCloud Director is the unit of multi-tenancy and represents a single logical security boundary. An organization contains users, virtual data centers and networks. vCloud Director lets service providers create isolated containers mapped to individual cloud tenants by carving resources out of the Provider vDC into one or more separate Org vDCs for each organization.

Instead of supporting individual per-client environments, vCloud Director provides standard ways of requesting and delivering services, which keeps the environment uniform across tenants and reduces transaction costs. Standard, predefined service patterns also cut the time needed to onboard or support a tenant.
Operational efficiency is at the heart of the VMware vCloud Director value proposition, allowing providers, for example, to improve their VM-to-admin ratio up to threefold, as in the Zettagrid example (from one administrator per 200 virtual machines to one per 600), or, as in the phoenixNAP case, to save $1.35 million plus $250,000 in annual maintenance costs by adopting vCloud Director instead of a custom-built solution.
Customer Self Service
vCloud Director offers a model in which cloud service providers delegate some of their day-to-day IT operations to their customers, giving customers more flexibility and control over their cloud environments. The control panel lets them create and manage virtual machines, migrate them from another cloud, manage access rights to the pool of virtual resources, create internal routed and isolated networks, configure firewall rules, set up VPN connections, configure load balancing between virtual machines and much more.
Real-time monitoring and analysis of cloud infrastructure
VMware vRealize Operations Manager and VMware vRealize Log Insight offer a "single pane of glass" for monitoring infrastructure status. Through it, you can track infrastructure utilization, receive performance reports and run analytics. vRealize Operations connects to vSphere environments through vCenter Server and provides hierarchical information about all components in the data center: from vCenter servers and ESXi hosts to virtual machines, storage and networks.
vRealize Log Insight collects application and system logs via syslog and provides analytics through a visual dashboard. Logs help to understand the behavior and state of systems and to catch problems that operational alerts miss.
vCloud Director exposes an extensive RESTful API that any REST client can call over HTTPS. To learn more, see the vCloud Director API Programming Guide and the vCloud Director SDK guides for Java, .NET and PHP developers.
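As an added example (not VMware's code and not from the original article), the Python below shows the mechanics a script talking to this API needs: opening a session, handling the session token as a secret, and parsing the XML the API returns. It assumes the vCD 8.20 API behaviour: a session is opened with POST /api/sessions using HTTP Basic credentials of the form user@organization:password, the client declares API version 27.0 in the Accept header, the server returns the token in the x-vcloud-authorization response header, and GET /api/org returns an OrgList document. The host name, credentials and the OrgList response in the block are constructed.

```python
"""Minimal vCloud Director REST API helpers (added example, not VMware code).

Assumptions (not taken from the article): vCD 8.20 speaks API version 27.0,
a session is opened with POST /api/sessions using HTTP Basic credentials of the
form user@organization:password, and the server returns the session token in
the x-vcloud-authorization response header.
"""
import base64
import xml.etree.ElementTree as ET

API_VERSION = "27.0"
VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"


def session_request(base_url, user, org, password):
    """Build the (method, url, headers) that opens a vCD session.

    The Basic credential encodes "user@org": the same user name in two
    organizations maps to two different tenant scopes.
    """
    cred = base64.b64encode(f"{user}@{org}:{password}".encode()).decode()
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/api/sessions",
        "headers": {
            "Accept": f"application/*+xml;version={API_VERSION}",
            "Authorization": f"Basic {cred}",
        },
    }


def authenticated_headers(response_headers):
    """Take the token from the session response and build headers for later calls.

    The token is equivalent to a bearer credential: never log it, keep it only
    as long as needed, and send it over HTTPS with certificate verification on.
    """
    token = response_headers.get("x-vcloud-authorization")
    if not token:
        raise ValueError("no x-vcloud-authorization header: session not established")
    return {
        "Accept": f"application/*+xml;version={API_VERSION}",
        "x-vcloud-authorization": token,
    }


def parse_org_list(xml_text):
    """Return {org name: href} from an OrgList document (response to GET /api/org)."""
    root = ET.fromstring(xml_text)
    return {org.get("name"): org.get("href") for org in root.findall(f"{{{VCLOUD_NS}}}Org")}


# Constructed sample response for GET /api/org, shaped like vCD's OrgList.
SAMPLE_ORG_LIST = f"""<OrgList xmlns="{VCLOUD_NS}" href="https://vcd.example.com/api/org">
  <Org type="application/vnd.vmware.vcloud.org+xml" name="Finance"
       href="https://vcd.example.com/api/org/11111111-2222-3333-4444-555555555555"/>
  <Org type="application/vnd.vmware.vcloud.org+xml" name="Marketing"
       href="https://vcd.example.com/api/org/66666666-7777-8888-9999-000000000000"/>
</OrgList>"""


if __name__ == "__main__":
    req = session_request("https://vcd.example.com", "admin", "Finance", "s3cret")
    print(req["method"], req["url"], req["headers"]["Accept"])
    # Constructed response headers standing in for a real POST /api/sessions reply.
    hdrs = authenticated_headers({"x-vcloud-authorization": "constructed-token"})
    print(sorted(hdrs))
    for name, href in parse_org_list(SAMPLE_ORG_LIST).items():
        print(name, "->", href)
```

To send the requests, pass `req["url"]` and `req["headers"]` to urllib or requests with TLS verification left on; pin the provider's CA bundle rather than disabling verification, since both the Basic credential and the session token travel in headers.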
We hope that readers not previously familiar with vCloud Director as a platform for managing virtual infrastructure now have an idea of its purpose and functions.
Now we would like to talk about what the update to version 8.20 gives the cloud provider and its clients.
What's new in vCloud Director 8.20
Version 8.20 continues VMware's work on handing control of the virtual infrastructure to the cloud provider's end customers. The earlier vCloud Director 8.10 release gave clients some long-awaited functionality: for example, the 8.10 web console allowed granular Storage Policy Management on the individual virtual disks of each VM, whereas previously storage policies could be changed only through the vCloud API.
vCloud Director 8.20 in turn integrates more closely with VMware NSX network virtualization, so end users can build network topologies from simple to multi-tier in seconds using the new HTML5 interface.
Like virtual machines in compute, virtual networks are provisioned programmatically and operate independently of the underlying hardware. VMware NSX reproduces the network model in software: an NSX network is a library of logical network elements and services, such as logical switches, routers, firewalls, load balancers, VPNs and security features.
NSX Extended Network Features
- Dynamic routing: Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) can now be enabled so that VMware NSX Edge gateways exchange routes and build their routing tables automatically.
- Distributed firewall: granular security policies, including firewall rules for traffic passing inside the Org vDC.
- Tenant layer 2 (L2) VPN for hybrid clouds: tenants can create a tunnel between a network in their Org vDC and the local network of their enterprise, forming a seemingly seamless single network.
- Tenant SSL VPN: remote access through a browser, in addition to IPsec and L2 VPN.
- Load balancing: dynamic distribution of incoming traffic to maintain SLAs.
Configure NSX advanced features
Right-click the NSX Edge gateway and select "Convert to Advanced Gateway". This upgrades the edge appliance if it was still running version 5.5 or earlier software and enables the new HTML5 user interface for configuring the advanced NSX features.
Dynamic routing
vCloud Director 8.20 adds support for configuring dynamic routing between NSX Edge gateways. Previously there was only support for static routes between vApp networks connected to the same or different Org vDC networks in an organization.
Dynamic routing removes the need to configure routes by hand when a virtual machine in one Org vDC network must communicate with a virtual machine in another Org vDC network, reducing the time organization administrators spend maintaining routing tables.
vCloud Director 8.20 gives tenants the ability to configure distributed firewall rules in the Org vDC. These rules define how traffic flows between virtual machines on Org vDC networks. In previous versions you could configure the edge firewall to control traffic between external and routed Org vDC networks (north-south traffic), but there was effectively no way to define rules for traffic between virtual machines within one or several networks inside an Org vDC (east-west traffic).
Rules can now be written in terms of individual IP or MAC addresses or predefined IP/MAC sets, and applied to individual ports or to a predefined list of services (for example SNMP, ICMP, HTTP) or service groups (for example Microsoft Exchange, Oracle).
The NSX Edge load balancer distributes incoming traffic across a server pool made up of the IP addresses of the Org vDC virtual machines that will serve it.
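To make the consequences of rule ordering concrete, here is an added Python model of an ordered, first-match distributed-firewall rule set evaluated against east-west flows. It is an illustration written for this article, not NSX code or its API: the IP sets, service definitions, rules and flows are all constructed, and the evaluation order it models (top down, first match wins, last rule is the default) is stated as an assumption. It also includes a check for rules that can never fire because an earlier, broader rule already covers them, a common way an intended deny between tiers ends up having no effect.

```python
"""Model of ordered, first-match distributed firewall evaluation (added example).

Not NSX code: the IP sets, services, rules and flows below are all constructed,
and top-down first-match evaluation is the assumption being modelled.
"""
import ipaddress
from dataclasses import dataclass

# Constructed IP sets, standing in for predefined IP-address sets.
IP_SETS = {
    "web-tier": ["10.10.1.0/24"],
    "db-tier": ["10.10.2.0/24"],
    "any": ["0.0.0.0/0"],
}

# Constructed services: (protocol, destination port); "any" matches every flow.
SERVICES = {
    "HTTPS": ("tcp", 443),
    "MySQL": ("tcp", 3306),
    "SSH": ("tcp", 22),
    "any": (None, None),
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str       # key of IP_SETS
    destination: str  # key of IP_SETS
    service: str      # key of SERVICES
    action: str       # "allow" or "deny"


def in_set(ip, set_name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in IP_SETS[set_name])


def matches(rule, src, dst, proto, port):
    want_proto, want_port = SERVICES[rule.service]
    if want_proto is not None and (want_proto, want_port) != (proto, port):
        return False
    return in_set(src, rule.source) and in_set(dst, rule.destination)


def evaluate(rules, src, dst, proto, port):
    """Top-down, first match wins. Returns (action, rule name)."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule.action, rule.name
    raise ValueError("no rule matched: the rule set needs a default rule")


def covers(outer_set, inner_set):
    """True if every network in inner_set lies inside some network of outer_set."""
    outer = [ipaddress.ip_network(c) for c in IP_SETS[outer_set]]
    return all(
        any(ipaddress.ip_network(c).subnet_of(o) for o in outer)
        for c in IP_SETS[inner_set]
    )


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule covers their whole scope."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_service = earlier.service in ("any", later.service)
            if (same_service and covers(earlier.source, later.source)
                    and covers(earlier.destination, later.destination)):
                dead.append(later.name)
                break
    return dead


# A tempting but broken ordering: the broad SSH allow sits above the tier-specific deny.
POLICY = [
    Rule("web-to-db", "web-tier", "db-tier", "MySQL", "allow"),
    Rule("admin-ssh", "any", "any", "SSH", "allow"),
    Rule("db-no-ssh", "web-tier", "db-tier", "SSH", "deny"),
    Rule("default-deny", "any", "any", "any", "deny"),
]

# The same rules with the specific deny moved above the broad allow.
FIXED_POLICY = [POLICY[0], POLICY[2], POLICY[1], POLICY[3]]


if __name__ == "__main__":
    for name, rules in (("POLICY", POLICY), ("FIXED_POLICY", FIXED_POLICY)):
        print(name, "web->db MySQL:", evaluate(rules, "10.10.1.5", "10.10.2.7", "tcp", 3306))
        print(name, "web->db SSH:  ", evaluate(rules, "10.10.1.5", "10.10.2.7", "tcp", 22))
        print(name, "shadowed rules:", shadowed_rules(rules))
```

In the first ordering the deny from the web tier to the database tier over SSH is dead: the broad "admin-ssh" rule above it matches first, so the flow is allowed and the shadow check reports the rule. Moving the specific deny above the broad allow restores the intended behaviour without adding any rule.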

The overall process of setting up load balancing on an NSX Edge gateway.

Role-based user access control for service providers and tenants
vCloud Director 8.20 allows service providers to create custom roles for tenants. Roles are defined in terms of the functional tasks and subtasks (rights) available in vCloud Director.

VM to ESXi Host Affinity Rules
VM-to-host affinity rules ensure that the virtual machines listed in a rule are placed on a specific group of ESXi hosts.
When the provider uses VMware vSphere Distributed Resource Scheduler (DRS), its algorithm picks an ESXi host for each virtual machine so as to balance load evenly. There are scenarios, however, where a virtual machine in an Org vDC must run on a specific host regardless of what DRS recommends: latency-sensitive applications, for example, or applications whose licensing requires them to stay on a single host. VM-Host affinity rules cover such cases.
Also worth noting among the new features:
- automatic detection and import of virtual machines;
- the Multi-Cell Upgrade utility now upgrades all cells in a server group in a single operation;
- a VCDNI-to-VXLAN network migration utility;
- support for Windows Server 2016 and Virtual Hardware 13.
You can explore the full range of new features of the vCloud Director control panel through free trial access to the Cloud4Y cloud for businesses. As they say, seeing once is better than hearing a hundred times.
Summary
With this release, the transition of the vCloud Director user interface from the current Flex-based technology to an HTML5-based interface has begun. All NSX network services have moved to the new interface, while the rest of the user interface is still based on Flex.
VMware vCloud Director 8.20 is packed with new features that improve the security and convenience of managing virtual resources, reinforcing the trend toward hybrid cloud infrastructure and the delegation of management from the provider to the client.