h10526 Emc Caas Ito Vblock VCD

White Paper
EMC COMPUTE-AS-A-SERVICE
EMC Ionix IT Orchestrator, VCE Vblock Infrastructure Platforms,
VMware vCloud Director
Automate provisioning of infrastructure services
Introduce new services with an integrated framework
EMC Solutions Group
Abstract
This white paper explores the integration of cloud technology components into
a Compute-as-a-Service platform that enables service providers to deploy and
manage cloud-based services, and tenants to adopt and customize those
services into their business.
February 2012
Copyright 2012 EMC Corporation. All Rights Reserved.

EMC believes the information in this publication is accurate as of its
publication date. The information is subject to change without notice.
The information in this publication is provided as is. EMC Corporation makes
no representations or warranties of any kind with respect to the information in
this publication, and specifically disclaims implied warranties of
merchantability or fitness for a particular purpose.
Use, copying, and distribution of any EMC software described in this
publication requires an applicable software license.
For the most up-to-date listing of EMC product names, see EMC Corporation
Trademarks on EMC.com.
EMC2, EMC, RSA, the EMC logo, and the RSA logo are registered trademarks or
trademarks of EMC Corporation in the United States and other countries.
ESX, ESXi, VMware, VMware vCenter, VMware vCloud, VMware Service
Manager, VMware vShield, and VMware vSphere are registered trademarks or
trademarks of VMware, Inc. in the United States and/or other jurisdictions.
All other trademarks used herein are the property of their respective owners.
Part Number H10526
EMC Compute-as-a-Service
EMC Ionix IT Orchestrator, VCE Vblock Infrastructure Platforms, VMware vCloud Director
Table of contents
Executive summary ............................................................................................................................. 5
Business case .................................................................................................................................. 5
Solution overview ............................................................................................................................ 5
Key benefits ..................................................................................................................................... 6
Introduction ....................................................................................................................................... 7
Purpose ........................................................................................................................................... 7
Scope .............................................................................................................................................. 7
Audience.......................................................................................................................................... 7
Terminology ..................................................................................................................................... 7
CaaS overview .................................................................................................................................... 8
What is Compute-as-a-Service? ........................................................................................................ 8
Self-service portals ...................................................................................................................... 8
Orchestration tools ...................................................................................................................... 9
Secure multi-tenant-enabled shared environment ....................................................................... 9
The six design principles of CaaS ................................................................................................... 10
High availability and protection ................................................................................................. 10
Secure separation ..................................................................................................................... 11
Security and compliance ........................................................................................................... 11
Service assurance, metering, and billing ................................................................................... 12
Tenant management and control ............................................................................................... 12
Service provider management and control................................................................................. 13
Summary ................................................................................................................................... 13
EMC Ionix IT Orchestrator ................................................................................................................. 14
Overview ........................................................................................................................................ 14
Adapters ........................................................................................................................................ 15
Design Studio ................................................................................................................................ 15
EMC Ionix Unified Infrastructure Manager ......................................................................................... 17
Overview ........................................................................................................................................ 17
Service catalog and service offerings ............................................................................................. 17
VMware vCloud Director.................................................................................................................... 19
Overview ........................................................................................................................................ 19
Compute resources ........................................................................................................................ 19
Networks and security .................................................................................................................... 21
Network pools ................................................................................................................................ 22
Network models ............................................................................................................................. 23
VMware vShield and vShield Edge ................................................................................................. 23

Application Programming Interfaces ................................................................................................. 24
Overview ........................................................................................................................................ 24
EMC Ionix UIM API .......................................................................................................................... 25
VMware vCloud API ........................................................................................................................ 26
VMware vSphere APIs .................................................................................................................... 27
VIX API ........................................................................................................................................... 28
VMware Service Manager API ......................................................................................................... 28
VMware vShield API ....................................................................................................................... 29
VMware vCenter Chargeback API .................................................................................................... 29
Use cases with EMC Ionix IT Orchestrator ......................................................................................... 30
Use case #1: Onboarding a new customer...................................................................................... 30
Use case #2: Commissioning a vApp .............................................................................................. 36
Use case #3: Decommissioning a vApp .......................................................................................... 39
Conclusion ....................................................................................................................................... 40
Summary ....................................................................................................................................... 40
About EMC Proven Solutions .......................................................................................................... 40
Take the next step .......................................................................................................................... 40
References ....................................................................................................................................... 41
EMC documentation ....................................................................................................................... 41
Executive summary
Business case
Cloud computing enables service providers to seamlessly deliver infrastructure

services to customers, while reducing power consumption, saving space, maintaining
reliability, and reducing the overall cost to serve. A Compute-as-a-Service (CaaS)
architecture based on EMC technology helps IT service providers offer customized
services to their end users that meet their business needs.
Today, service providers face several challenges in delivering services to their clients.
In particular, they need to consolidate the inefficient and disparate infrastructures
typically associated with existing hosting and service offerings. They also need an
alternative to existing dedicated, siloed compute offerings. Service providers can
offer cloud compute services as a solution to these challenges, while integrating
customer service catalogs into an easy-to-deploy platform.
EMC CaaS solutions provide service providers with a flexible platform that enables
the creation of new revenue streams and delivery of additional value-added services.
Customers benefit from their service providers ability to meet published service-level
agreements (SLAs) and quickly create new services in anticipation of changing
business requirements.
To realize the promise of CaaS offerings, service providers and consumers must
overcome a number of challenges. EMC CaaS solutions are uniquely designed to
address these complexities:
Solution overview
Establish a baseline compute offering, while also providing enterprise-grade

services.
Consolidate the inefficient, siloed infrastructures typically associated with

earlier as-a-service offerings.
Provide the necessary security and data protection reassurance to end users
that helps accelerate cloud-service adoption.
Reduce the complexity in managing the end-to-end service lifecycle of CaaS

customers.
Accelerate the time to market for new, compute-based, as-a-service offerings.
EMC CaaS solutions enable service providers to build an enterprise-grade, scalable,

multi-tenant platform for complete management of the compute service lifecycle. EMC
CaaS provides on-demand access to, and control of, network bandwidth, servers,
storage, and security, while maximizing asset utilization. Specifically, EMC CaaS
integrates all these CaaS key elements:
Self-service portal for end-user and administrative provisioning
Service catalog of available compute services
Rapid, precise, automated service provisioning
Multi-tenancy, capable of monitoring, reporting, and billing
IT-as-a-Service (IaaS) framework on which service providers can build

additional as-a-service offerings
Key solution components include:
Key benefits
EMC Ionix IT OrchestratorOffers service providers a scalable, highperformance enterprise solution to orchestrate and automate their public cloud
services.
EMC Ionix Unified Infrastructure Manager (UIM)UIM is a cross-element

discovery and provisioning tool, with an API that provides context-sensitive
access to the underlying infrastructure. UIM has two components:
UIM/Provisioning (UIM/P) and UIM/Operations (UIM/O).
EMC RSA product suiteCombines business-critical controls in identity

assurance, encryption and key management, SIEM (security information and
event management), data loss prevention, and fraud protection.
VMware Service ManagerVMware Service Manager is a fully integrated IT

service management solution with all the process capabilities you need to
deliver and support IT.
VCE Vblock Infrastructure Platforms Vblock Infrastructure Platforms combine

industry-leading compute, network, storage, virtualization, and management
technologies into prepackaged units of infrastructure.
VMware vCenter Chargeback ManagerCustomizes cost models for the

processes and policies of different organizations. Integration with VMware
vCloud Director enables automated chargeback for private cloud
environments.
VMware vCloud DirectorManages the virtual compute environment, combined

with vCloud Connector for hybrid- or multi-cloud management. Consolidates
data centers, deploys workloads, and provides security on shared
infrastructure along with VMware vShield.
VMware vSphereVMware vSphere is the industrys most complete, scalable

and powerful virtualization platform, delivering the infrastructure and
application services that organizations need to transform their information
technology and deliver Compute-as-a-Service.
The key benefits of a CaaS architecture are:
Service providers and enterprises can automate the provisioning and

deployment of infrastructure services.
Service providers can accelerate the time to deploy new services, leveraging an
architecture that integrates management, orchestration, compute, storage, and
network resources.
The solution provides a foundation for additional services like backup and data
protection, and increased agility in business processes through easy and fast
provisioning of required resources.
Introduction
Purpose
This white paper explores the integration of cloud technology components into a
CaaS platform that allows:
Service providers to deploy and manage cloud-based services
Customers to adopt and customize those services into their business
Scope
This white paper discusses multiple EMC products and products from other vendors.
General configuration and operational procedures are outlined. For detailed product
installation information, refer to the relevant product documentation.
Audience
This white paper is intended for EMC employees, partners, and customers, including
IT planners, virtualization architects and administrators, and any others involved in
evaluating, acquiring, managing, operating, or designing a CaaS infrastructure
environment using EMC technologies.
It is assumed that the reader is familiar with the concepts and operations related to
virtualization technologies and their use in a cloud infrastructure.
Terminology
This paper includes the following terminology.

Table 1.
Terminology
Term
Definition
API
Application Programming Interfacea source code

based specification intended to be used as an interface
by software components to communicate with each
other.
CMDB
Configuration Management Database.
Organization
In the context of this white paper, an organization is a

tenant being hosted by the service provider.
Service Catalog
A CaaS catalog is a list of products or services available

to consumers.
Tenant
In the context of this white paper, a tenant is a

customer of a service provider.
vApp
A logical entity composed of virtual machines and

software applications that can be installed and
managed as a unit.
Virtual data center (vDC)
A virtual data center, more commonly referred to as a

vDC, provides the storage, network, and compute
capacity in which vApps are deployed. VMware vCloud
Director has Organization vDCs and Provider vDCs.
CaaS overview
What is Computeas-a-Service?
Compute-as-a-Service (CaaS) is an architecture that uses cloud infrastructure to

deliver data center resources as a service rather than as a capital expenditure.
Service providers can offer CaaS to customers who want a flexible, on-demand
infrastructure without having to purchase, configure, or maintain it themselves.
Much like an electric power utility, in which end users consume and pay for power
without needing to understand or maintain the component devices and infrastructure
required to provide the service, customers can draw on the elastic resources that
cloud computing delivers and pay for only what they need.
A CaaS environment typically consists of:
A self-service portal
An orchestration tool
A secure multi-tenant-enabled shared infrastructure
Self-service portals
Self-service portals and service catalogs play a key role in a service-orientated
architecture. These allow users to select what they need from a published service
catalog, providing an experience similar to internet shopping.
There are various portal and service catalogs available that perform all or some of the
functions required by a service provider or a customer. Cloud providers can choose to
develop their own portal or integrate the cloud offering into an existing portal that
they own. Choosing a portal/catalog depends on what functionality is needed,
existing systems, and price, as well as other considerations.
For the discussions and use cases in this document, the Ionix IT Orchestrator
integrated portal is used as a front end to enable:
Service provider administrators to select and provision infrastructure service

offerings from the EMC Ionix UIM service catalog
Customers to select and provision vApps from the VMware vCloud Director
service catalog
If the business requires additional functionality, such as seeking approval before

deploying a vApp or any other additional workflows, products such as VMware
Service Manager or other third-party products can provide a robust experience as well
as handling both virtual and physical environments.
Orchestration tools
An orchestration tool allows you to define the workflows and operations needed to
deploy the service and execute it on demand. It can automate all kinds of processes
that would otherwise involve manual operations.
For example, it can automate:
Provisioning of the server, storage, and networking
Adding or updating a configuration item (CI) within a CMDB
Synchronizing the resources in VMware vCenter and vCloud Director
Provisioning the Provider vDCs and Organization vDCs
Creating user profiles
Opening a ticket in a service desk to track a change or log an incident
Creating and updating billing policies
Several major orchestrators are available, such as EMC Ionix IT Orchestrator, VMware
vCenter Orchestrator, and Cisco Intelligent Automation; EMC has CaaS solutions for
all these technologies. In general, most orchestrators are capable of handling all or
some of the same tasks. The specific choice for an environment is likely to be
determined by the particular automation needs of that environment, existing
components, and the plug-ins and APIs that are available to enable orchestrators to
integrate with those components. The choice of orchestration tool also depends on
existing skill sets and those required to successfully build complex workflows.
Secure multi-tenant-enabled shared environment
Any CaaS solution should have a systematic approach to secure separation at its
core, with a necessarily heavy focus on multi-tenancy. While the underlying
computing resources may be shared, tenant organizations must be confident that the
logical boundaries and technical controls in the CaaS solution ensure that the
highest degree of separation and security are achieved in a multi-tenanted
environment.
This is achieved using a combination of multiple components within the CaaS stack,
including:
EMC Ionix IT Orchestrator
EMC Ionix UIM
EMC RSA product suite
VCE Vblock Infrastructure Platforms
VMware vCenter Chargeback Manager
VMware vShield
VMware vSphere
Most of the products in the preceding list are used and referenced in this document.
These products leverage each others capabilities to achieve the overall goal of
providing a secure multi-tenant environment for service providers and their tenants.
The six design
principles of CaaS
CaaS solutions are built on a platform of multiple industry-leading technologies that

include the compute, network, security, storage, and management resources of the
compute environment. For successful cloud-service delivery, CaaS solutions must
adhere to the six key design principles.
The six design principles of the CaaS architecture are:
Availability and data protection
Secure separation
Security and compliance
Service assurance, metering, and billing
Tenant management and control
Service provider management and control
High availability and protection

The Vblock Infrastructure Platform architecture shown in Figure 1 is a fully validated,
production-ready, virtualized infrastructure, built on best-of-breed offerings from
EMC, VMware, and Cisco. Each hardware layer uses redundant hardware to ensure
continued High Availability.
Figure 1.
Highly available components of VCE Vblock Infrastructure Platform
10
The data within the CaaS infrastructure can be protected in several ways, using, for
example, EMC Avamar, EMC Data Domain, or EMC Replication Manager, depending
on the backup and recovery requirements.
Secure separation
VMware vCloud Director enables service providers or organizations to create virtual
data centers that are composed of compute, network, and storage resources,
selected from the underlying physical hardware layer. vCloud Director uses vSpheres
abstraction of the network layer as a building block. It pools and leverages these
resources to enable automated, large-scale deployment while at the same time
ensuring secure separation and multi-tenancy.
EMC storage arrays allow for secure separation and isolation of resources at the
storage layer. Authentication can be further extended by incorporating solutions such
as RSAs identity verification and assurance technologies.
Lack of visibility into the environment and the bridging of geopolitical and regulatory
compliance boundaries are among the most significant security and compliance
concerns impeding cloud adoption.
A service provider can help to alleviate these concerns for their tenants through the
integration of vShield and RSA enVision, which enables the centralized logging of
administrator, user, and system actions.
Further integration with RSA SecurID, RSA Archer, and RSA Data Loss Prevention
(DLP) seamlessly extends compliance capabilities from the enterprise to the CaaS
environment by enabling multi-factor authentication, compliance and audit reporting,
and sensitive data discovery and remediation. Organizations can audit and
demonstrate compliance with regulatory statutes and indigenous security policies.
Figure 2 illustrates security and compliance life cycle management.
Figure 2.
Security and compliance lifecycle management
11

The service providers primary goal is to achieve a level of service assurance that
satisfies SLA and quality assurance (QA) parameters. Exact figures for forecasting and
planning environment expansion are crucial to determine the cost of the service and
the prices that should be attached to it.
In general, monitoring tools provide integration across solutions by leveraging
vendor-provided adapters and plug-ins. In a VMware-based public cloud
environment, consider implementing VMware vCenter Operations with UIM
Operations and EMC IT Operations Insight (ITOI) for monitoring and analytic-based
reporting, VMware vCenter CapacityIQ for capacity planning, and vCenter Chargeback
for billing.
In every cloud services model, service providers delegate some elements of control to
the tenant. For some service providers, this is a matter of convenience; for others, it is
a matter of security or compliance.
Tenants have the ability to create and deploy their own virtual machines or vApps
from the service catalog available to them. This vApp catalog is presented to the
tenant via a front-end portal, such as that available with Ionix IT Orchestrator or
VMware vCloud Director. The catalog content can also be managed by the tenant
themselves if required. The tenant can develop and publish their own customized
applications and systems, which can then be used by other members of their
organization. Figure 3 shows an example of a portal page where a tenant
administrator can specify the lease duration for a vApp as it is being commissioned.
Figure 3.
Tenant-in-controlmanage lease of virtual machine
12

Providers of infrastructure services in a multi-tenant environment require
comprehensive control and complete visibility of the shared infrastructure to provide
the data protection, security, and service levels that their tenants expect. The ability
to control, manage, and monitor resources at all levels of the infrastructure requires a
dynamic, efficient, and flexible design that allows the service provider to access,
provision, and then release compute resources from a shared pool quickly and easily,
with minimal administrative effort. Service providers can leverage the portal provided
by Ionix IT Orchestrator, VMware vCloud Director, or their own chosen portal to
manage infrastructure resources and tenant organizations. Figure 4 shows a view
from within vCloud Director whereby the service provider can see and administer all
tenants.
Figure 4.
Service provider administrative view of tenant organizations
Ionix IT Orchestrator provides abstraction of the workflow policies from the underlying
infrastructure. This allows companies to leverage the latest technology and tools to
effectively and efficiently cost the CaaS solution. Upgrades require a new adapter and
managed element only because the policies are not contained at the tool level.
Summary
Service providers can use these six design principles of CaaS as the framework for
any CaaS solution to deliver IT services through the network to their enterprise
customers. The platform enables service providers to build agile, secure, available,
and interoperable solutions as the foundation for the services that they provide. By
reducing administrative and operational expenses and efforts in such environments,
service providers can improve their current and future IT investment decisions for the
service(s) they deliver.
13
EMC Ionix IT Orchestrator

Overview
Ionix IT Orchestrator provides a high performance, enterprise-class automation

platform. Moving beyond the limits of inward-facing data center integration products
and one-off custom integrations, Ionix IT Orchestrator delivers mission-critical IT
process automation that fits seamlessly into todays heterogeneous, multi-vendor IT
infrastructures and orchestrates the complexity of tomorrows demanding
environments. Ionix IT Orchestrator leverages your data center infrastructure
investment, avoiding the need to rip and replace current tools and endure expensive,
custom consulting engagements.
Ionix IT Orchestrator can be quickly and easily extended using its vast library of
prebuilt adapters and process workflows (Accelerators). hese adapters are
designed to accelerate the integration with third party products by providing a set of
reusable workflows and code. This reduces the need to understand the products lowlevel API for common tasks. Figure 5 shows how Ionix IT Orchestrator fits into the
overall product stack that makes up a cloud offering.
Figure 5.
Ionix IT Orchestrator
14
Adapters
Ionix IT Orchestrator uses open and flexible adapters to automate provisioning and
operational tasks across nearly any type of system that can generate events, expose
data, or execute actions. It includes an easy-to-use integrated development
environment, pre-built workflows (or accelerators), and a large number of Information
Technology Infrastructure Library (ITIL)-based adapters for third-party data center
products. Ionix IT Orchestrator integrates event and alert management data with best
practices for operational support processes. Figure 6 shows the vCloud adapter
provided with Ionix IT Orchestrator, and some of the common tasks it contains.
Figure 6.
Design Studio
Example of Ionix IT Orchestrator vCloud Director adapter
The Ionix IT Orchestrator Design Studio provides an intuitive drag-and-drop interface

to create and modify Ionix IT Orchestrator accelerators. Designers select from a
palette of automation components, drag them onto the workspace, and use the pointand-click graphical editor to connect them. Defined processes can be reused in other
workflows and integrated easily with existing and new systems using standard
scripting interfaces (SNMP, JMX, WMI, IPMI). The studio also supports the creation of
a new, custom adapter for orchestration. Figure 7 shows an example of how a
workflow looks with Ionix IT Orchestrator Design Studio.
15
Figure 7.
Ionix IT Orchestrator Design Studio
Ionix IT Orchestrator can encapsulate existing system scripts (Visual Basic, Java, Cshell, and so on) directly into its workflows to enable simple integration with external
IT data center and ITSM service desk applications.
16
EMC Ionix Unified Infrastructure Manager

Overview
Ionix Unified Infrastructure Manager (UIM) provides a powerful and simplified

solution to discover and configure Vblock Infrastructure Platforms. Ionix UIM provides
a GUI for administrators, and also provides a comprehensive set of APIs that can be
used by any orchestration tool to integrate Ionix UIM functionality into existing or new
workflows.
From this single tool, service providers can discover, configure and provision their
compute, network, and storage resources, as shown in Figure 8.
Figure 8.
Ionix UIM logical component architecture
When a service offering is deployed to a server, or collection of servers, Cisco Unified

Computing System (UCS) Manager automatically configures the server, adapters,
fabric extenders, and fabric interconnects to match the configuration specified in the
service offering. This automation of device configuration dramatically reduces the
number of manual steps required to configure servers, NICs, HBAs, and LAN and SAN
switches.
Note
Service catalog
and service
offerings
In the context of UIM/P, a service offering is a predefined bundle of LAN/SAN,

storage, and vSphere resources with a specific set of capacity and
performance criteria.
The configuration and application of a service offering can be linked to resources

configured at a later stage in vCloud Directorfor example, tenant organizations,
Organization vDCs and Provider vDCs. Ionix UIM integrates with vCenter, providing
the ability to provision HA- and DRS-enabled ESX and ESXi clusters, synchronize
these clusters in vCenter, and provision the resources through to vCloud Director
Provider vDCs. The sample CaaS-Infra service offering in Figure 9 shows what the
17
properties of a service offering can contain, and the configuration that it will apply to
a blade or set of blade servers.
Figure 9.
Sample service offering CaaS-Infra in Ionix UIM
Table 2 provides additional details on the numbered sections of the Ionix UIM/P
dashboard in Figure 9.
Table 2.
Ionix UIM/P dashboardsections
Section
Description
This section details the number and grade of the servers that will be
deployed. There may be multiple grades of servers available with varying
compute resources of CPU and RAM. In this example, the four servers are from
the Premium grade of servers.
This section contains details of the storage that will be configured and made
available to each server. In this example, the server boot devices are
configured on the Fibre Channel RAID 5 storage and the data devices on the
PoolBased grade.
This section specifies the constraints applicable to the storage, where no

more than 80 GB of Fibre Channel RAID 5 grade storage and no more than 4
TB of pool-based storage may be used. Note that the PoolBased grade of
storage is FAST-enabled. In this example, each server has access to four 1 TB
FAST-backed datastores.
This section details the networking configurations to be applied to each blade

server. In this example, two vNICs are configured for each server, each with
access to their respective VLANs.
18

Overview
VMware vCloud Director manages the virtual compute environment and, combined
with vCloud Connector, allows for hybrid- or multi-cloud management. It consolidates
data centers, deploys workloads, and provides security on shared infrastructure
along with VMware vShield.
Compute resources vCloud Director enables service providers or organizations to create logical data
centers, called Provider vDCs, that comprise compute, network, and storage
resources, selected from the underlying physical hardware layer, presented first to
VMware vCenter, and subsequently to vCloud Director. These Provider vDCs provide
the resources for the tenant Organization vDCs that support the tenant Organizations
within vCloud Director, as shown in Figure 10.
Figure 10.
vCloud Directorinventory view of organizations
Each Provider vDC could be an Ionix UIM service offering that consists of a certain
type or level of network, storage, and computing resourceshosted and distributed
by the Vblock platform. These different service offerings are eventually mapped as
different Provider vDCs within vCloud Director, as shown in Figure 11.
Figure 11.
vCloud Directorinventory view of Provider vDCs
19
Each tenant organization may have one or more Organization vDCs which are the
entities seen by the cloud tenants. An Organization vDC is associated with a higher
level Provider vDC and provides a further layer of abstraction between the tenants
and the physical infrastructure.
Multiple Organization vDCs (potentially from different tenants) are permitted to draw
on the resources available in the Provider vDCs created in vCloud Director, thereby
permitting multi-tenant sharing without visibility of other tenants resources.
To manage differences in resource requirements, consumption, or SLAs between the
organization and the service provider, vCloud Director provides three allocation
models for organizations, as shown in Figure 12.
Figure 12.
Allocation models for Organization vDCs
These allocation models are set at the Organization vDC layer and map directly into
vCenter Chargeback for billing purposes.
As with all resources in a virtual environment, management and monitoring of
available and remaining resources is key. vCloud Director allows administrators to set
thresholds for resource availability. vCloud Director monitors the utilization of
resources within the Provider vDCs, as shown in Figure 13, and automatically alerts
users and administrators when appropriate.
Figure 13.
View of Provider vDC utilization
20
Networks and
security
vCloud Director uses vSpheres abstraction of the network layer as a building block. It
pools and leverages these logical resources to enable automated, large-scale
deployment while at the same time ensuring the secure separation and multi-tenancy
required by a shared infrastructure model.
By design, vSpheres network layer can ensure network isolation at Layer 2 for each of
the provisioned networks in a multi-tenanted CaaS environment. vSphere virtual
switches provide protection over and above physical switches against threats such
as:
MAC flooding
Spanning-tree attacks
ISL tagging attacks
802.1q VLAN tagging attacks
Double-encapsulation attacks
Multicast brute force attacks
Random frame attacks
In addition, malicious network behavior, including MAC address changes and forged
transmits, can be restricted, and promiscuous mode is rejected by default.
When leveraged, the Cisco Nexus 1000V, which is an integral component of Vblock
Infrastructure Platforms, can bring additional security features to the virtual network,
including:
Access Control Lists (ACLs)
PVLANs
Cisco TrustSec policy-based access control
DHCP snooping
Port security
IP source guard
Dynamic ARP Inspection
vShield Edge layers its L3 and L4 firewall capabilities to augment security controls
implemented at Layer 2 and enforce secure segregation between the tenants IP
networks.
vCloud Director manages access to the CaaS organizations cloud infrastructure and
uses the vCD organizations as the logical security boundaries. Organization
administrators and users are restricted to the resources of their organizationthat is,
the organizations virtual data centers (vDCs), networks, vApps, and catalogs.
21
Figure 14 illustrates what a service providers implementation of vCloud Director

might look like. Different tenants will have different security needsfor example,
some may need to allow access to a web server from the Internet, in which case
vShield Edge can provide the security needed to manage access and further protect
internal systems, as shown in Org-vDC-A inFigure 14.
Figure 14.
Sample CaaS implementation using vCloud Director and vShield
Another example is organizations that may want to extend their data center or private
cloud to the service providers vCloud CaaS implementation through the virtual
private network (VPN). Again, vShield Edge can be utilized to establish a secure VPN
between the sites, as shown in Org-vDC-C inFigure 14.
A further example is organizations or divisions that may share a segment to access
resources in each others vDCs, as shown in Org-vDC-B and Org-vDC-C inFigure 14.
They can control and secure access as required by their respective security policies
using vShield Edge.
Network pools
Network pools can be backed by port groups, VLANs, or vCloud Director Network
Isolation. Port-group-backed network pools are not appropriate for large-scale
deployment because they are difficult to automatically provision and manage.
Similarly, VLAN-backed network pools, while providing the best performance and
security, do not scale beyond 4,095 networks. For a CaaS environment that requires
scalability beyond this, vCloud Director Network Isolation can provide for large-scale
deployment.
As networks are decommissioned, their resources (IP ranges and VLAN IDs) are
dynamically returned to the resource pool for future allocation. This ensures minimum
wastage of resources and maximum availability and elasticity.
22
Network models
vCloud Director, used with vShield, can provision three different network models
external network, organization network, and vApp networkproviding as much
flexibility as possible to the tenant administrator in a multi-purpose, multi-tenanted,
virtual data center.
The types of connectivity and their capabilities are as follows:
VMware vShield
and vShield Edge
External network
WAN connection such as MPLS or VPN tunnel
An Internet connection
A shared link to another organization within the same service providers

network
Organization network
Network address translation (NAT) and/or a routed connection to an

external network through a vShield Edge security gateway
Directly connected to an external network
Isolated (not connected to any external network)
vApp network
NAT and/or routed connection to an organization network through a vShield

Edge security gateway
Directly connected to an organization network or external network
Isolated (not connected to any network)
The VMware vShield product suite is a complementary family of virtualization security

products designed for vSphere to secure cloud environments.
vShield integrates with VMware vCenter and is a prerequisite component for vCloud
Director environments. It plays a pivotal role in providing foundational protection to
virtualized environments, enabling effective management, and addressing security
and compliance concerns relating to virtualized networking. vShield uses vShield
Edge, and policies defined using the tenant administrators vCloud Director portal, to
secure the virtual perimeter, and to provide protection to additional virtual networks
within the organizations vDC.
vShield Edge delivers network and security services such as dynamic host
configuration protocol (DHCP), VPN, Web load balancing, network and port address
translation (NAPT), and fully-fledged L3/L4 stateful firewall support.
23
Application Programming Interfaces

Overview
Application programming interfaces (APIs) are key to enabling self-service within a

cloud infrastructure. APIs enable Ionix IT Orchestrator to implement workflows and
processes that can be executed based on environmental thresholds or on authorized
commissioning requests from a tenant or service provider administrator. Figure 15
shows how Ionix IT Orchestrator interacts with the various APIs within the CaaS stack.
Figure 15.
Cloud management stack
This section of the document provides information around which APIs are required
and available for the development of automated workflows in a CaaS solution:
EMC Ionix Unified Infrastructure Manager (UIM) API
VMware vCloud API
VMware vSphere API
VIX API
VMware Service Manager API
VMware vShield API
VMware vCenter Chargeback API
24
EMC Ionix UIM API
The EMC Ionix UIM API provides support for developers who are building clients or
orchestration tools to interact with Vblock platforms. The API provides a centralized
interface for managing and interacting with the consolidated networking, storage,
and processing of Vblock Infrastructure Platforms. It uses a RESTful application
development style, with API clients and servers communicating over HTTP and taking
the form of XML elements. Figure 16 is a graphical representation of the components
that make up the UIM API.
Figure 16.
Ionix UIM architectural overview
Ionix UIM discovers and manages Vblock platform devices through the UIM/P API, the
XML API for Cisco UCS Manager, CLI/SNMP for the Nexus IP and MDS FC switches,
EMC Unisphere, and EMC Symmetrix Management Console.
The Ionix UIM API provides functionality to:
View and create services and service offerings in UIM
Modify the server, storage, and network configurations of a planned service
Initiate provisioning and activation of a service
Add storage, network, and server resources to an active service
Selectively provision, activate, and synchronize with a VMware vCenter (and

VMware vCloud)
Release individual blades or all blades on a deactivated service
Table 3.
Ionix UIM API reference
Document Title
Document Location
EMC Ionix Unified

Infrastructure
Manager API
Programmers Guide
In Powerlink navigate to Home > Support > Technical

Documentation and Advisories > Software ~ E-I ~
Documentation > Ionix Family > Ionix for Data Center Automation
and Compliance > Ionix Unified Infrastructure
Manager/Provisioning > 2.1 & Service Packs
25
VMware vCloud
API
The VMware vCloud API provides developers with the means to deliver resources
abstracted from the physical implementations of the infrastructure. Using vCloud API,
organization administrators can access and manage their vCloud Director resources
through the native vCloud Director user portal or through a third-party, front-end
portal. Figure 17 shows the structure of the Admin, Extension, and User APIs that
make up the vCloud API.
The vCloud API is an open, representational state transfer (REST) API that allows
scripted access to consume cloud resources, such as uploading and downloading
vApps, and catalog management. The vCloud API enables service providers to create
their own customized management solutions for a new environment or to integrate
existing ones with VMware cloud infrastructure. Clients and servers can communicate
over HTTP, to exchange representations of vCloud objects. These representations take
the form of XML elements.
Figure 17.
vCloud APIs
Table 4.
vCloud API references
Document Title
Document Location
vCloud API Programming Guide
http://www.vmware.com/pdf/vcd_10_api_guide.pdf
vCloud API Specification
http://www.vmware.com/pdf/vcd_10_api_spec.pdf
26
VMware vSphere
APIs
VMware vSphere is a suite of products that provides complete enterprise

virtualization functionality. The vSphere APIs enable developers to create custom
solutions for managing virtual components and to integrate existing data center
management solutions with VMware technologies. For example, use the vSphere APIs
to quickly create, customize, or migrate virtual machines.
The VMware vSphere API is a set of interfaces for centralized management of VMware
ESX/ESXi hosts and virtual machines. The VMware vSphere SDK is a set of libraries
that support VMware vSphere; it includes tools and samples to assist development
efforts. Figure 18 shows where and how the various vSphere API components
integrate in a vSphere environment.
Figure 18.
vSphere API architecture
The vSphere Web Services SDK is the most comprehensive of the available
management APIs. This SDK works with both ESX/ESXi and vCenter Server systems.
As a Web Services SDK, the SDK is language neutral. The SDK includes stubs and
examples for Java, Perl, and C# and a comprehensive documentation set including an
API Reference generated from the source.
Table 5.
vSphere API references
Document Title
Document Location
vSphere 5.0 API

Reference
http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/rightpane.html
vSphere 4.1 API

Reference
http://www.vmware.com/support/developer/vcsdk/visdk41pubs/ApiReference/index.html
27
VIX API
The VIX API is a library for writing scripts and programs to manipulate virtual
machines. It is highlevel, easy to use, and practical for both script developers and
application programmers. This API is well suited for dedicated IT personnel in an
organization that is building its own inhouse tools. It might also be used by software
vendors who are using VIX to integrate VMware products with their own products or to
build management products for virtual machines.
Table 6.
VMware Service
Manager API
VIX API reference
Document Title
Document Location
VIX API Reference
http://www.vmware.com/support/developer/vixapi/vix111_reference/index2.html
VMware Service Manager provides a common integration platform to set up various

types of integration with external applications and technologies, with a view to
automate the:
Transfer of information (for example, for the resolution of calls or the

completion of tasks)
Management of alerts across different systems
Population of the VMware Service Manager CMDB with externally discovered

resources
Figure 19 shows the architecture of the VMware Service Manager API.
Figure 19.
Architecture of Service Manager API
Table 7.
VMware Service Manager API reference
Document Title
Document Location
VMware Service
Manager v9.0 API User
Guide
http://downloads.vmware.com/d/details/sm_90_docrp5/ZG
hkYmRAQGhiZCUqKg
28
VMware vShield
API
VMware vShield is a suite of network edge and applicationaware firewalls built for
VMware vCenter Server integration. vShield inspects clientserver communications
and intervirtualmachine communication to provide detailed traffic analytics and
applicationaware firewall protection. vShield is a critical security component for
protecting virtualized data centers from attacks and misuse, helping you achieve your
compliancemandated goals. The VMware vShield API enables you to install,
configure, monitor, and maintain the VMware vShield system by using REST API
requests.
Table 8.
VMware vCenter
Chargeback API
VMware vShield API reference
Document Title
Document Location
VMware vShield 5.0 API

Programming Guide
http://www.vmware.com/pdf/vshield_50_api.pdf
VMware vCenter Chargeback is an end-to-end metering and cost reporting solution for
virtual environments that use VMware vSphere. It provides a unified control point for
data collection, chargeback mediation, and metric reporting, allowing administrators
to perform flexible cost measurement and utilization analysis. Figure 20 shows the
architecture of the REST-based VMware vCenter Chargeback API.
Figure 20.
REST architecture in vCenter Chargeback
vCenter Chargeback provides a REST-based Web service API for integrating the
vCenter Chargeback solution with existing applications such as enterprise billing
systems. Leverage this REST-based API to perform cost calculations and generate and
deliver resource utilization reports.
Table 9.
VMware vCenter Chargeback API reference
Document Title
Document Location
VMware vCenter
Chargeback Manager 2.0
API Programming Guide
http://www.vmware.com/pdf/cbm_api_prog_guide_2_0_
0.pdf
29
Use cases with EMC Ionix IT Orchestrator

Use case #1:
Onboarding a new
customer
The purpose of this use case is to demonstrate how, by leveraging EMC Ionix IT
Orchestrator, a service provider administrator can automate the onboarding of a new
customer into a multi-tenant environment. The example of onboarding a customer
called GriffinCore is used in this document for the purposes of discussion.
Figure 21 provides a visual representation of the scope of the process in this use
case.
Figure 21.
Procedure for onboarding a new customer
This use case has been customized specifically to highlight the views and operations
specific to those a service provider administrator could experience in onboarding a
new customer/tenant. It is possible to customize and tailor all views and related
workflows to suit a more direct customer experience. This is entirely dependent on
what a service provider chooses to offer their customers.
The operations being focused on for this use case are (shown in Figure 22):
Entry of new customer details and requirements
Authorization of request
Commissioning a UIM service offering from Vblock platform for a new customer,
where a customer requires dedicated hardware/infrastructure
Creation of new Provider vDC if dedicated hardware is requested
Creation of Organization and Org vDC in vCloud Director (with automatic

initialization of chargeback hierarchy)
Creation of new users
30
Figure 22.
Logical workflow of onboarding a new customer
The details specific to a new customer can be input from the portal page and used
within the Ionix IT Orchestrator workflow in the creation of the new resources for the
customer. On the portal page in Figure 23, a new customer named GriffinCore is
created and provided with a dedicated infrastructure of Bronze level.
Figure 23.
Ionix IT Orchestrator portal Onboard New Customer
The Customer Service Level correlates to the service tiers offered by various vCloud
Director Provider vDCs, which in turn are linked to the relevant Ionix UIM Service
Offerings. These service offerings provide the infrastructure resources for a single
vCloud Director Provider vDC with the relevant tier of service.
31
Figure 24 displays the available Ionix UIM Service Offerings published within the
UIM/P Service Catalog.
Figure 24.
Ionix UIM/P Service Catalog displaying available Service Offerings
By leveraging the Ionix UIM APIs, Ionix IT Orchestrator can access and select the
appropriate service offering from the UIM/P service catalog. This automatic
provisioning of resources is consolidated into a single step as part of the overall
onboarding process for a new customer. Figure 25 shows a sample UIM Commission
Service workflow.
Figure 25.
Ionix IT Orchestrator Design Studio Commission Service workflow
Note that a dedicated infrastructure is not a requirement for all customers. It is also
possible to onboard a customer into a shared infrastructure, which would not require
a UIM service offering to be created as part of the onboarding process. In this case,
the customers Organization vDC would use an existing Provider vDC within VMware
vCloud Director, thereby sharing that Provider vDC with other Organization vDCs.
The approval of this onboarding request is managed by VMware Service Manager,
which can be set to respond to, and deal with, all requests as appropriate. Certain
customer requests may require approval elsewhere in the business, while other
requests, such as internal service provider administrative requests, may be
automatically approved, based on the level or type of request. Such decisions are
specific to the business. Any changes made to the environment as a result of the
approved requests are then stored in a CMDB which stores an inventory of IT assets
and their relationships to each other.
For this use case, after the request has been approved by VMware Service Manager,
the onboarding process may continue. The onboarding process and creation of
infrastructure resources for the new customer, GriffinCore, requires the creation of a
32
secure environment within VMware vCloud Director. EMC Ionix UIM/P automatically
synchronizes the newly provisioned resources with VMware vCenter before adding
them as resources to the appropriate Provider vDC within VMware vCD.
Ionix IT Orchestrator uses the vCloud API to create the secure environment for
GriffinCore within vCloud Director. The primary vCD specific tasks required for
onboarding this new customer are:
Creation of new Provider vDC if dedicated hardware requested
Creation of Organization and Org vDC in vCloud Director (with automatic

initialization of chargeback hierarchy)
Creation of new users
The workflow in Figure 26 demonstrates the order and the process used within Ionix
IT Orchestrator for creating the new GriffinCore organization in VMware vCloud
Director, the relevant users, and the virtual data centers that will provide the
environment in which GriffinCore may deploy their vApps and associated services.
Figure 26.
Ionix IT Orchestrator workflow to configure vCloud Director components
33
Figure 27 displays the two new users created during the Onboarding New Customer
process for GriffinCore. An administrative user (admin) has been created as well as a
vApp user (peter).
Figure 27.
Administrative users for new customer GriffinCore
The GriffinCore organization, along with its associated resources and users, can be
viewed and managed by the service provider administrator along with all other
tenants. These tenants are completely isolated and secured from one another within
VMware vCloud Director.
The new customer GriffinCore is highlighted by selection in Figure 28, displaying an
overview of how many users and Provider vDCs are currently configured.
Figure 28.
vCloud Director inventory view of all tenants
Figure 29 displays the end-to-end mapping of the compute resources supporting this
new customer.
Figure 29.
End-to-end mapping of GriffinCore infrastructure resources
34
The final step for this use case is to integrate a billing component for GriffinCore, as
shown in Figure 30.
Figure 30.
GriffinCore chargeback hierarchy in vCenter Chargeback
Through its tight integration with VMware vCloud Director, the creation of this new
customer is automatically detected and reflected in the VMware vCenter Chargeback
inventory.
After Ionix IT Orchestrator completes the onboarding process, the GriffinCore admin is
presented with their own secure environment within VMware vCloud Director from
which they can proceed to create and develop their own vApps, virtual machines, and
applications. Figure 31 shows the end-to-end mapping of the new tenant resources
through to the vCenter Chargeback billing component.
Figure 31.
End-to-end mapping of tenant resources to chargeback billing
35
Use case #2:

Commissioning a
vApp
Commissioning a vApp can be done in several ways, depending on the options the
Service Provider has chosen to provide. One of these options is to deploy a vApp from
an existing template available in the service catalog.
Even before a vApp is deployed, a series of Ionix IT Orchestrator workflows need to be
executed. The activity in Figure 32 corresponds to a workflow that retrieves the list of
templates from the service catalog for the template drop-down list.
Figure 32.
Selecting a template from Service Catalog
A similar workflow is executed to retrieve the list of networks available to connect the
vApp to, as shown in Figure 33.
Figure 33.
Selecting the network
36
When commissioning the vApp, you can also specify how long this vApp is required
for, and have the system automatically decommission the application when that
lease time has expired, as shown in Figure 34.
Figure 34.
Selecting a Lease Period for the vApp
After the information has been gathered from the customer admin, Ionix IT
Orchestrator executes a vApp creation workflow; Figure 35 shows an example.
Figure 35.
Ionix IT Orchestrator workflow for commissioning a vApp
Here we can see the vCloudService object (which is an Ionix IT Orchestrator Adapter
for VMware vCloud Director) being called. A workflow element named createVApp is
fed the relevant information gathered from the customer admin, and the vApp is
created with some error checking and power-on functions to complete the operation.
37
The creation of this new vApp is automatically synchronized with vCenter

Chargeback, which adds the new vApp, Exchange_farm01, to the inventory of
GriffinCore where the relevant cost models and rates can be applied, as shown in
Figure 36.
Figure 36.
vCenter Chargeback Configure Cost for vApp
Alternatively, automated configuration of billing rates, cost models, and reports for
tenants can be achieved by extending the vCenter Chargeback API within Ionix IT
Orchestrator workflows.
38
Use case #3:

Decommissioning
a vApp
While it is possible to specify the lease duration (and hence the expiry time) of a vApp
during the commissioning process, it may also be necessary to manually
decommission a vApp which previously had no set expiry time. In this context,
manually means that the system decommissions the vApp based on a customer
admin request and not as a result of a scheduled event.
Figure 37 shows a corresponding Ionix IT Orchestrator workflow for this customerrequested decommissioning process.
Figure 37.
Ionix IT Orchestrator workflow for decommissioning vApp based on admin

request
As before, the VCloudService adapter is called, but this time the decommissionvAPP
workflow element is used and is fed the information provided by the customer admin
to operate against the correct vApp.
As part of the decommissioning process, the compute, network, and storage
resources previously consumed by the vApp are released back into the pool that
corresponds with the Organization VDC of which the vApp was a part. The CMDB is
updated to reflect the removal of the vApp, and the metering, monitoring, and
chargeback functions for that vApp cease, though the chargeback data should be
retained for the billing process.
39
Conclusion
Summary
The EMC CaaS solution enables service providers to build an enterprise-class,

scalable, multi-tenant platform for complete compute service lifecycle management.
This solution provides on-demand access and control of network bandwidth, servers,
storage, and security while allowing service providers to maximize asset utilization.
Specifically, EMC CaaS integrates all the key functionality that your customers
demand, and provides the foundation for adding other services, such as backup and
virtual desktop infrastructure.
EMC CaaS architecture incorporates these six design principles:
Availability and data protection
Secure separation
This Compute-as-a-Service architecture offers service providers an integrated

framework that leverages EMC Ionix IT Orchestrator, VCE Vblock Infrastructure
Platforms, and VMware vCloud Director. This approach allows you to deploy rapidly
the cloud-based services that your customers demand with the functionality they are
accustomed to. By deploying EMC CaaS, you will spend less time integrating
automation and management components with compute, storage, and network
resources, which enables quicker on-boarding of new customers.
About EMC Proven
Solutions
EMC helps service provider partners accelerate the creation, integration, and
deployment of cloud service offerings through pre-tested and optimized reference
architectures, blueprints, and build guides. Through the deployment of dedicated
service provider field experts, and the creation of Service Provider Competency
Centers, EMC combines decades of enterprise data center experience with a rigorous
solution-testing environment to develop Proven Solutions for Service Providers. EMC
ensures the compatibility of these solutions with service provider and end-user
environments alike.
Take the next step
EMC offers a portfolio of consulting and professional services for service providers
and their customers to assist in balancing workloads across service delivery models
ranging from legacy physical architectures and virtualized infrastructures through
on-premise (private) and off-premise (public) cloud architectures. The EMC Cloud
Advisory Service with Cloud Optimizer helps customers develop a strategy for
optimizing the placement of application workloads. By assessing three factors
economics, trust, and functionalityorganizations can maximize their cost savings
and business agility through the use of private and public cloud resources.
40
References
EMC
documentation
For additional information, see the EMC documents listed below.
White Paper: EMC Compute-as-a-ServiceEMC Symmetrix VMAX, EMC VNX

Series, VMware vSphere, vCloud Director
White Paper: EMC Compute-as-a-ServiceDesign Principles and Considerations

for DeploymentVCE Vblock, VMware vCloud Director
41

h10526 Emc Caas Ito Vblock VCD

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

h10526 Emc Caas Ito Vblock VCD

Uploaded by

Copyright:

Available Formats

White Paper

EMC Solutions Group

Copyright 2012 EMC Corporation. All Rights Reserved.

VMware vShield and vShield Edge ................................................................................................. 23

Cloud computing enables service providers to seamlessly deliver infrastructure

Establish a baseline compute offering, while also providing enterprise-grade

Consolidate the inefficient, siloed infrastructures typically associated with

Reduce the complexity in managing the end-to-end service lifecycle of CaaS

Accelerate the time to market for new, compute-based, as-a-service offerings.

EMC CaaS solutions enable service providers to build an enterprise-grade, scalable,

Self-service portal for end-user and administrative provisioning

Service catalog of available compute services

Rapid, precise, automated service provisioning

Multi-tenancy, capable of monitoring, reporting, and billing

IT-as-a-Service (IaaS) framework on which service providers can build

Key solution components include:

EMC Ionix Unified Infrastructure Manager (UIM)UIM is a cross-element

EMC RSA product suiteCombines business-critical controls in identity

VMware Service ManagerVMware Service Manager is a fully integrated IT

VCE Vblock Infrastructure Platforms Vblock Infrastructure Platforms combine

VMware vCenter Chargeback ManagerCustomizes cost models for the

VMware vCloud DirectorManages the virtual compute environment, combined

VMware vSphereVMware vSphere is the industrys most complete, scalable

The key benefits of a CaaS architecture are:

Service providers and enterprises can automate the provisioning and

Service providers to deploy and manage cloud-based services

Customers to adopt and customize those services into their business

This paper includes the following terminology.

Application Programming Interfacea source code

Configuration Management Database.

In the context of this white paper, an organization is a

A CaaS catalog is a list of products or services available

In the context of this white paper, a tenant is a

A logical entity composed of virtual machines and

Virtual data center (vDC)

A virtual data center, more commonly referred to as a

Compute-as-a-Service (CaaS) is an architecture that uses cloud infrastructure to

A secure multi-tenant-enabled shared infrastructure

Service provider administrators to select and provision infrastructure service

If the business requires additional functionality, such as seeking approval before

Provisioning of the server, storage, and networking

Adding or updating a configuration item (CI) within a CMDB

Synchronizing the resources in VMware vCenter and vCloud Director

Provisioning the Provider vDCs and Organization vDCs

Creating user profiles

Opening a ticket in a service desk to track a change or log an incident

Creating and updating billing policies

EMC Ionix IT Orchestrator

EMC Ionix UIM

EMC RSA product suite

VCE Vblock Infrastructure Platforms

VMware vCenter Chargeback Manager

VMware vCloud Director

CaaS solutions are built on a platform of multiple industry-leading technologies that

Availability and data protection

Security and compliance

Service assurance, metering, and billing

Tenant management and control

Service provider management and control

High availability and protection

Highly available components of VCE Vblock Infrastructure Platform

Security and compliance lifecycle management

Service assurance, metering, and billing