
12 January 2010

Virtualization Technologies
Alex Landau (lalex@il.ibm.com)
IBM Haifa Research Lab

© 2010 IBM Corporation


What is virtualization?

■ Virtualization is a way to run multiple operating systems and user applications on the same hardware
  – E.g., run both Windows and Linux on the same laptop
■ How is it different from dual-boot?
  – Both OSes run simultaneously
■ The OSes are completely isolated from each other



Uses of virtualization

■ Server consolidation
  – Run a web server and a mail server on the same physical server
■ Easier development
  – Develop critical operating system components (file system, disk driver) without affecting computer stability
■ QA
  – Testing a network product (e.g., a firewall) may require tens of computers
  – Try testing a product thoroughly at each pre-release milestone… and keep a straight face when your boss shows you the electricity bill
■ Cloud computing
  – The modern buzz-word
  – Amazon sells computing power
  – You pay for, e.g., 2 CPU cores for 3 hours plus 10GB of network traffic



What’s new in that? We’ve been doing it for decades!

■ Indeed – an OS provides isolation between processes
  – Each has its own virtual memory
  – Controlled access to I/O devices (disk, network) via system calls
  – Process scheduler to decide which process runs on which CPU core
■ So what’s the hype about?
■ Try running Microsoft Exchange, requiring Windows, and your internal warehouse mgmt. application, requiring Linux, simultaneously on the same server!
■ Or better yet, try to persuade competing companies to run their processes side-by-side in Amazon’s cloud (had it not been virtualized)
■ Psychological effect – what sounds better?
  – You’re given your own virtual machine and you’re root there – do whatever you want
  – You can run certain processes, but you don’t get root; call our helpdesk with your configuration requests and we’ll get back to you in 5 business days…



Two types of hypervisors

■ Definitions
  – Hypervisor (or VMM – Virtual Machine Monitor) is a software layer that allows several virtual machines to run on a physical machine
  – The physical OS and hardware are called the Host
  – The virtual machine OS and applications are called the Guest

[Figure: two layer diagrams side by side]
Type 1 (bare-metal): Hardware, then the Hypervisor (the host), then the guests VM1 and VM2 on top.
Examples: VMware ESX, Microsoft Hyper-V, Xen
Type 2 (hosted): Hardware, then the host OS, then the Hypervisor running as a process alongside native processes, with the guests VM1 and VM2 on top.
Examples: VMware Workstation, Microsoft Virtual PC, Sun VirtualBox, QEMU, KVM



Bare-metal or hosted?

■ Bare-metal
  – Has complete control over hardware
  – Doesn’t have to “fight” an OS
■ Hosted
  – Avoid code duplication: need not code a process scheduler or memory management system – the OS already does that
  – Can run native processes alongside VMs
  – Familiar environment – how much CPU and memory does a VM take? Use top! How big is the virtual disk? ls -l
  – Easy management – stop a VM? Sure, just kill it!
■ A combination
  – Mostly hosted, but some parts are inside the OS kernel for performance reasons
  – E.g., KVM



How to run a VM? Emulate!

■ Do whatever the CPU does, but in software
■ Fetch the next instruction
■ Decode – is it an ADD, a XOR, a MOV?
■ Execute – using the emulated registers and memory

Example:
    addl %ebx, %eax
is emulated as:
    enum {EAX=0, EBX=1, ECX=2, EDX=3, …};
    unsigned long regs[8];
    regs[EAX] += regs[EBX];
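The fetch/decode/execute loop of the slide, as an added example that is not from the slides: a tiny interpreter over an invented fixed-size encoding (opcode, destination, source), not real x86 machine code, with the register numbering of the slide's enum. Every operand is checked before the emulated register file is indexed, so a malformed guest program stays inside the emulator's own state.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same numbering as the slide's enum, extended to all eight registers */
enum { EAX = 0, EBX, ECX, EDX, ESI, EDI, EBP, ESP, NREGS };

/* Hypothetical 3-byte encoding for this example: opcode, destination, source.
 * It is NOT real x86 machine code; a real emulator decodes variable-length x86. */
enum { OP_HALT = 0, OP_MOV_RR, OP_MOV_RI, OP_ADD_RR, OP_XOR_RR, OP_INC_R };

struct cpu {
    uint32_t regs[NREGS];   /* emulated registers live in host memory */
    uint32_t eip;           /* emulated instruction pointer (offset into guest memory) */
    int halted;
    int fault;              /* undefined opcode, bad register or fetch past the end */
};

/* Fetch, decode and execute one instruction from the emulated guest memory mem[].
 * Returns 0 on success, -1 when the CPU is stopped or the instruction is invalid.
 * Operands are validated before regs[] is indexed, so a malformed guest program
 * cannot read or write host memory through the emulator. */
int step(struct cpu *c, const uint8_t *mem, size_t memlen)
{
    if (c->halted || c->fault)
        return -1;
    if ((size_t)c->eip + 3 > memlen) {          /* fetch would run off guest memory */
        c->fault = 1;
        return -1;
    }
    /* Fetch */
    uint8_t op  = mem[c->eip];
    uint8_t dst = mem[c->eip + 1];
    uint8_t src = mem[c->eip + 2];
    c->eip += 3;

    /* Decode: check register operands before touching regs[] */
    int src_is_reg = (op == OP_MOV_RR || op == OP_ADD_RR || op == OP_XOR_RR);
    if (op != OP_HALT && dst >= NREGS) { c->fault = 1; return -1; }
    if (src_is_reg && src >= NREGS)    { c->fault = 1; return -1; }

    /* Execute on the emulated registers */
    switch (op) {
    case OP_HALT:   c->halted = 1; break;
    case OP_MOV_RR: c->regs[dst]  = c->regs[src]; break;   /* movl %src, %dst */
    case OP_MOV_RI: c->regs[dst]  = src;          break;   /* movl $imm8, %dst */
    case OP_ADD_RR: c->regs[dst] += c->regs[src]; break;   /* addl %src, %dst (the slide's example) */
    case OP_XOR_RR: c->regs[dst] ^= c->regs[src]; break;   /* xorl %src, %dst */
    case OP_INC_R:  c->regs[dst] += 1;            break;   /* incl %dst */
    default:        c->fault = 1; return -1;               /* undefined opcode */
    }
    return 0;
}

/* Run until HALT, a fault, or the step budget is exhausted (so a guest that
 * loops forever cannot hang the host). Returns the number of instructions executed. */
int run(struct cpu *c, const uint8_t *mem, size_t memlen, int max_steps)
{
    int n = 0;
    while (n < max_steps && step(c, mem, memlen) == 0)
        n++;
    return n;
}

/* Constructed guest program (not from the slides):
 *   movl $5, %eax ; movl $7, %ebx ; addl %ebx, %eax ; xorl %eax, %ebx ; incl %ebx ; hlt */
static const uint8_t demo_program[] = {
    OP_MOV_RI, EAX, 5,
    OP_MOV_RI, EBX, 7,
    OP_ADD_RR, EAX, EBX,
    OP_XOR_RR, EBX, EAX,
    OP_INC_R,  EBX, 0,
    OP_HALT,   0,   0,
};

int main(void)
{
    struct cpu c;
    memset(&c, 0, sizeof c);
    int n = run(&c, demo_program, sizeof demo_program, 1000);
    printf("executed %d instructions: eax=%u ebx=%u halted=%d\n",
           n, c.regs[EAX], c.regs[EBX], c.halted);
    return 0;
}
```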



How to run a VM? Emulate!

■ Pro:
  – Simple!
■ Con:
  – Slooooooooow
■ Example hypervisor: BOCHS



How to run a VM? Trap and emulate!

■ Run the VM directly on the CPU – no emulation!
■ Most of the code can execute just fine
  – E.g., addl %ebx, %eax
■ Some code needs hypervisor intervention
  – int $0x80
  – movl something, %cr3
  – I/O
■ Trap and emulate it!
  – E.g., if the guest runs int $0x80, trap it and execute the guest’s interrupt 0x80 handler



How to run a VM? Trap and emulate!

■ Pro:
  – Performance!
■ Cons:
  – Harder to implement
  – Needs hardware support
    • Not all “sensitive” instructions cause a trap when executed in usermode
    • E.g., POPF, which may be used to clear IF
    • This instruction does not trap, but the value of IF does not change!
  – This hardware support is called VMX (Intel) or SVM (AMD)
  – Exists in modern CPUs
■ Example hypervisor: KVM



How to run a VM? Dynamic (binary) translation!

■ Take a block of binary VM code that is about to be executed
■ Translate it on the fly to “safe” code (like JIT – just-in-time compilation)
■ Execute the new “safe” code directly on the CPU
■ Translation rules?
  – Most code translates identically (e.g., movl %eax, %ebx translates to itself)
  – “Sensitive” operations are translated into hypercalls
    • Hypercall – call into the hypervisor to ask for service
    • Implemented as trapping instructions (unlike POPF)
    • Similar to syscall – call into the OS to request service
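The translation rule above, and the POPF problem from the trap-and-emulate slide that motivates it, as an added example that is not from the slides: a source-to-source rewriter over AT&T-syntax mnemonics that copies ordinary instructions verbatim and replaces sensitive ones (including POPF, which would not trap) with calls into the hypervisor. The sensitive-instruction list, the hypercall names and the sample block are constructed for the example; a real translator works on machine code and also retargets control transfers.

```c
#include <stdio.h>
#include <string.h>

#define MAXLEN 128     /* longest instruction text handled */

/* Instructions the translator may not copy verbatim. POPF/PUSHF are the slide's
 * point: in user mode they silently ignore IF instead of trapping, so a
 * trap-and-emulate VMM never sees them; the translator has to rewrite them. */
static const char *const sensitive[] = {
    "popf", "popfl", "pushf", "pushfl", "cli", "sti", "hlt", "lgdt", "lidt", NULL
};

/* Copy the mnemonic (first whitespace-delimited token) of insn into mnem. */
static void mnemonic_of(const char *insn, char mnem[MAXLEN])
{
    mnem[0] = '\0';
    sscanf(insn, "%127s", mnem);
}

/* 1 if the instruction needs a hypercall: a listed mnemonic, or any access to a
 * control register such as %cr3 (the slide's "movl something, %cr3"). */
int is_sensitive(const char *insn)
{
    char mnem[MAXLEN];
    mnemonic_of(insn, mnem);
    for (int i = 0; sensitive[i]; i++)
        if (strcmp(mnem, sensitive[i]) == 0)
            return 1;
    return strstr(insn, "%cr") != NULL;
}

/* Translate one instruction into out[]. Non-sensitive code translates to itself;
 * sensitive code becomes a call into the hypervisor (hypothetical hypercall
 * names; a real translator emits a trapping instruction sequence).
 * Returns 1 if rewritten, 0 if copied unchanged. */
int translate_insn(const char *insn, char *out, size_t outlen)
{
    if (!is_sensitive(insn)) {
        snprintf(out, outlen, "%s", insn);
        return 0;
    }
    char mnem[MAXLEN];
    mnemonic_of(insn, mnem);
    if (strstr(insn, "%cr"))
        snprintf(out, outlen, "call hypercall_write_cr    # was: %s", insn);
    else
        snprintf(out, outlen, "call hypercall_%s    # was: %s", mnem, insn);
    return 1;
}

/* Translate a basic block of n instructions. Returns how many were rewritten.
 * Control transfers (jmp/call/ret) would also need retargeting to translated
 * code in a real translator; that part is omitted here. */
int translate_block(const char *const *block, int n, char out[][MAXLEN])
{
    int rewritten = 0;
    for (int i = 0; i < n; i++)
        rewritten += translate_insn(block[i], out[i], MAXLEN);
    return rewritten;
}

/* Constructed guest basic block (not from the slides) */
static const char *const demo_block[] = {
    "movl %eax, %ebx",
    "addl %ebx, %eax",
    "pushfl",
    "cli",
    "movl %eax, %cr3",
    "popfl",
    "ret",
};
#define DEMO_N ((int)(sizeof demo_block / sizeof demo_block[0]))

int main(void)
{
    char out[DEMO_N][MAXLEN];
    int n = translate_block(demo_block, DEMO_N, out);
    for (int i = 0; i < DEMO_N; i++)
        printf("%-20s -> %s\n", demo_block[i], out[i]);
    printf("%d of %d instructions rewritten\n", n, DEMO_N);
    return 0;
}
```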



How to run a VM? Dynamic (binary) translation!

■ Pros:
  – No hardware support required
  – Performance – better than emulation
■ Cons:
  – Performance – worse than trap and emulate
  – Hard to implement – hypervisor needs an on-the-fly x86-to-x86 binary compiler
■ Example hypervisors: VMware, QEMU



How to run a VM? Paravirtualization!

■ Does not run unmodified guest OSes
■ Requires the guest OS to “know” it is running on top of a hypervisor
■ E.g., instead of doing cli to turn off interrupts, the guest OS should do
    hypercall(DISABLE_INTERRUPTS)



How to run a VM? Paravirtualization!

■ Pros:
  – No hardware support required
  – Performance – better than emulation
■ Cons:
  – Requires a specifically modified guest
  – The same guest OS cannot run both in the VM and bare-metal
■ Example hypervisor: Xen



Industry trends

■ Trap and emulate
■ With hardware support
■ VMX, SVM



I/O Virtualization

■ We saw methods to virtualize the CPU
■ A computer is more than a CPU
■ Also need I/O!
■ Types of I/O:
  – Block (e.g., hard disk)
  – Network
  – Input (e.g., keyboard, mouse)
  – Sound
  – Video
■ Most performance critical (for servers):
  – Network
  – Block



Side note – How does a NIC (network interface card) driver work?

■ Transmit path:
  – OS prepares packet to transmit in a buffer in memory
  – Driver writes start address of buffer to register X of the NIC
  – Driver writes length of buffer to register Y
  – Driver writes ‘1’ (GO!) into register T
  – NIC reads packet from memory addresses [X,X+Y) and sends it on the wire
  – NIC sends interrupt to host (TX complete, next packet please)
■ Receive path:
  – Driver prepares buffer to receive packet into
  – Driver writes start address of buffer to register X
  – Driver writes length of buffer to register Y
  – Driver writes ‘1’ (READY-TO-RECEIVE) into register R
  – When packet arrives, NIC copies it into memory at [X,X+Y)
  – NIC interrupts host (RX)
  – OS processes packet (e.g., wakes the waiting process up)



I/O Virtualization? Emulate!

■ Hypervisor implements a virtual NIC (by the specification of a real NIC, e.g., Intel, Realtek, Broadcom)
■ NIC registers (X, Y, Z, T, R, …) are just variables in hypervisor (host) memory
■ If the guest writes ‘1’ to register T, the hypervisor reads the buffer from memory [X,X+Y) and passes it to the physical NIC driver for transmission
■ When the physical NIC interrupts (TX complete), the hypervisor injects a TX complete interrupt into the guest
■ Similar for the RX path
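The register protocol from the NIC side note, implemented as the emulated device model this slide describes, as an added example that is not from the slides: the X, Y, T and R "registers" are host variables, a guest write to T triggers the copy of [X,X+Y) to the physical NIC driver, and a frame from the physical NIC is copied into the guest's posted buffer. Register numbers, the guest RAM size and the stand-in for the physical driver are constructed for the example; the point a practitioner should take from it is that X and Y are guest-controlled, so the model validates the window against guest RAM before every copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_RAM_SIZE 4096   /* constructed guest physical memory for the example */
#define MAX_FRAME      1514   /* largest Ethernet frame the model accepts */

/* Register numbers are hypothetical; a real model follows the datasheet of the NIC it emulates */
enum { REG_X = 0, REG_Y, REG_T, REG_R, NREGS };

struct vnic {
    uint32_t regs[NREGS];            /* the NIC "registers": plain host variables */
    uint8_t *guest_ram;              /* guest physical memory as the hypervisor sees it */
    size_t   guest_ram_size;
    uint8_t  last_frame[MAX_FRAME];  /* stands in for the physical NIC driver's TX queue */
    size_t   last_frame_len;
    unsigned tx_irqs_injected;       /* TX-complete interrupts injected into the guest */
    unsigned rx_irqs_injected;       /* RX interrupts injected into the guest */
    unsigned rejected;               /* DMA requests refused because [X, X+Y) left guest RAM */
};

/* Check that the guest-supplied window [x, x+y) lies inside guest RAM.
 * Written so that x + y cannot wrap around. */
static int window_ok(const struct vnic *n, uint32_t x, uint32_t y)
{
    return y != 0 && x <= n->guest_ram_size && y <= n->guest_ram_size - x;
}

/* Hypervisor side: called on the VM exit caused by a guest write to a NIC register.
 * Returns 1 if a frame was transmitted, 0 if a register was merely latched,
 * -1 if the request was refused. Address and length come from the guest, so
 * the model must validate them before copying; otherwise it would read host
 * memory on the guest's behalf. */
int vnic_mmio_write(struct vnic *n, unsigned reg, uint32_t val)
{
    if (reg >= NREGS)
        return -1;
    n->regs[reg] = val;
    if (reg != REG_T || val != 1)
        return 0;                      /* X, Y, R latched; nothing happens until GO */

    uint32_t x = n->regs[REG_X], y = n->regs[REG_Y];
    n->regs[REG_T] = 0;                /* hardware clears GO once it has taken the request */
    if (y > MAX_FRAME || !window_ok(n, x, y)) {
        n->rejected++;
        return -1;
    }
    memcpy(n->last_frame, n->guest_ram + x, y);   /* hand to the physical NIC driver */
    n->last_frame_len = y;
    n->tx_irqs_injected++;                        /* "TX complete" for the guest */
    return 1;
}

/* Hypervisor side of the RX path: a frame for this guest arrived on the physical NIC.
 * Returns 1 if copied into the guest's posted buffer, 0 if no buffer was posted
 * (frame dropped), -1 if the posted buffer is invalid or too small. */
int vnic_deliver(struct vnic *n, const uint8_t *frame, size_t len)
{
    if (n->regs[REG_R] != 1)
        return 0;
    uint32_t x = n->regs[REG_X], y = n->regs[REG_Y];
    n->regs[REG_R] = 0;
    if (!window_ok(n, x, y) || len > y) {
        n->rejected++;
        return -1;
    }
    memcpy(n->guest_ram + x, frame, len);
    n->rx_irqs_injected++;                        /* "RX" interrupt for the guest */
    return 1;
}

/* Guest side: the driver sequence from the slide. Each write is one VM exit
 * in the emulated case, which is why this path is slow. */
int guest_transmit(struct vnic *n, uint32_t buf_gpa, uint32_t len)
{
    vnic_mmio_write(n, REG_X, buf_gpa);
    vnic_mmio_write(n, REG_Y, len);
    return vnic_mmio_write(n, REG_T, 1);
}

int main(void)
{
    uint8_t ram[GUEST_RAM_SIZE] = {0};
    struct vnic n = { .guest_ram = ram, .guest_ram_size = sizeof ram };
    memcpy(ram + 100, "hello", 5);
    printf("tx in bounds: %d\n", guest_transmit(&n, 100, 5));
    printf("tx past end of RAM: %d (rejected=%u)\n",
           guest_transmit(&n, GUEST_RAM_SIZE - 2, 10), n.rejected);
    return 0;
}
```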



I/O Virtualization? Emulate!

■ Pro:
  – Unmodified guest (guest already has drivers for Intel NICs…)
■ Cons:
  – Slow – every access to every NIC register causes a VM exit (trap to hypervisor)
  – Hypervisor needs to emulate complex hardware
■ Example hypervisors: QEMU, KVM, VMware (without VMware Tools)



I/O Virtualization? Paravirtualize!

■ Add a virtual NIC driver into the guest (frontend)
■ Implement the virtual NIC in the hypervisor (backend)
■ Everything works just like in the emulation case…
■ …except – the protocol between frontend and backend
■ Protocol in the emulation case:
  – Guest writes registers X, Y, waits at least 3 nano-sec and writes to register T
  – Hypervisor infers guest wants to transmit a packet
■ Paravirtual protocol:
  – Guest does a hypercall, passes it start address and length as arguments
  – Hypervisor knows what it should do
■ Paravirtual protocol can be high-level, e.g., a ring of buffers to transmit (so the NIC doesn’t stay idle after one transmission), and independent of particular NIC registers
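The high-level paravirtual protocol of the last bullet, as an added example that is not from the slides: a ring of transmit descriptors in a page shared by the guest frontend and the hypervisor backend, where the frontend posts several buffers without any VM exit and the backend drains them all on one "kick" hypercall. The descriptor layout, ring size and kick are invented for the example and are not virtio or Xen netfront; the backend treats everything in the shared page as guest-controlled (snapshots the producer index, copies each descriptor out before checking it, and bounds-checks the buffer against guest RAM).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE      8       /* power of two so indices wrap with a mask */
#define GUEST_RAM_SIZE 4096    /* constructed guest physical memory */
#define MAX_FRAME      64      /* kept small for the example */

struct tx_desc { uint32_t addr; uint32_t len; };   /* guest physical address, length */

/* Page shared between frontend (guest driver) and backend (hypervisor) */
struct tx_ring {
    struct tx_desc desc[RING_SIZE];
    uint32_t prod;   /* frontend increments after filling desc[prod % RING_SIZE] */
    uint32_t cons;   /* backend increments after consuming desc[cons % RING_SIZE] */
};

/* Frontend: queue a buffer. No VM exit here; the guest batches several posts
 * and then issues one "kick" hypercall. Returns 0, or -1 if the ring is full. */
int frontend_post(struct tx_ring *r, uint32_t addr, uint32_t len)
{
    if (r->prod - r->cons >= RING_SIZE)
        return -1;
    r->desc[r->prod & (RING_SIZE - 1)] = (struct tx_desc){ addr, len };
    r->prod++;
    return 0;
}

/* Backend: runs on the kick hypercall and drains all posted descriptors.
 * Everything in the shared page is guest-controlled: prod is sanity-checked,
 * each descriptor is copied out before validation (so the guest cannot change
 * it between check and use), and [addr, addr+len) must lie inside guest RAM.
 * Returns frames sent; invalid descriptors are skipped and counted in *bad.
 * Returns -1 if the ring itself is corrupt (prod more than RING_SIZE ahead of cons). */
int backend_kick(struct tx_ring *r, const uint8_t *guest_ram, size_t ram_size,
                 uint8_t out[][MAX_FRAME], uint32_t out_len[], int *bad)
{
    int sent = 0;
    *bad = 0;
    uint32_t prod = r->prod;                 /* snapshot; the guest may keep writing */
    if (prod - r->cons > RING_SIZE)
        return -1;
    while (r->cons != prod) {
        struct tx_desc d = r->desc[r->cons & (RING_SIZE - 1)];   /* local copy */
        r->cons++;
        if (d.len == 0 || d.len > MAX_FRAME || d.addr > ram_size || d.len > ram_size - d.addr) {
            (*bad)++;
            continue;
        }
        memcpy(out[sent], guest_ram + d.addr, d.len);   /* hand to the physical NIC driver */
        out_len[sent] = d.len;
        sent++;
    }
    return sent;
}

/* VM exits needed to send n frames: three register writes each when emulating
 * the slide's NIC, versus a single kick hypercall for the whole ring. */
unsigned exits_emulated(unsigned n)    { return 3 * n; }
unsigned exits_paravirtual(unsigned n) { return n ? 1 : 0; }

int main(void)
{
    uint8_t ram[GUEST_RAM_SIZE] = {0};
    memcpy(ram + 16, "abc", 3);
    memcpy(ram + 64, "defgh", 5);
    struct tx_ring r = {0};
    frontend_post(&r, 16, 3);
    frontend_post(&r, 64, 5);
    frontend_post(&r, GUEST_RAM_SIZE - 1, 8);   /* runs past guest RAM: must be refused */
    uint8_t out[RING_SIZE][MAX_FRAME];
    uint32_t out_len[RING_SIZE];
    int bad;
    int sent = backend_kick(&r, ram, sizeof ram, out, out_len, &bad);
    printf("sent %d frames, refused %d; exits: emulated %u vs paravirtual %u\n",
           sent, bad, exits_emulated(3), exits_paravirtual(3));
    return 0;
}
```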



I/O Virtualization? Paravirtualize!

■ Pro:
  – Fast – no need to emulate a physical device
■ Con:
  – Requires a guest driver
■ Example hypervisors: QEMU, KVM, VMware (with VMware Tools), Xen
■ How is paravirtual I/O different from a paravirtual guest?
  – A paravirtual guest requires modifying the whole OS
    • Try doing it on Windows (without source code), or even Linux (lots of changes)
  – Paravirtual I/O requires the addition of a single driver to a guest
    • Easy to do on both Windows and Linux guests



I/O Virtualization? Direct access / direct assignment!

■ “Pull” the NIC out of the host, and “plug” it into the guest
■ Guest is allowed to access NIC registers directly, no hypervisor intervention
■ Host can’t access the NIC anymore



I/O Virtualization? Direct access / direct assignment!

■ Pro:
  – As fast as possible!
■ Cons:
  – Need a NIC per guest
  – Plus one for the host
  – Can’t do “cool stuff”
    • Encapsulate guest packets, monitor, modify them at the hypervisor level
■ Example hypervisors: KVM, Xen, VMware



I/O Virtualization? Emerging standard – SR-IOV!

■ Single root I/O virtualization
■ Contains a physical function controlled by the host, used to create virtual functions
■ Each virtual function is assigned to a guest (like in direct assignment)
■ Each guest thinks it has full control of the NIC, accesses registers directly
■ NIC does multiplexing/demultiplexing of traffic



I/O Virtualization? Emerging standard – SR-IOV!

■ Pros:
  – As fast as possible!
  – Need only one NIC (as opposed to direct assignment)
■ Cons:
  – Emerging standard
    • Few hypervisors fully support it
    • Expensive!
    • Requires new hardware
  – Can’t do “cool stuff”
■ Example hypervisors: KVM, Xen, VMware



Industry trends on I/O virtualization

■ SR-IOV is the fastest
■ Also, the most expensive
■ Paravirtual I/O is cheap
■ But much worse performance
■ Companies (Red Hat, IBM, …) are looking at paravirtual I/O, trying to optimize it
■ Winner still unknown



Advanced topics

■ Memory over-commit
■ Nested virtualization
■ Live migration



The end!

Questions?

Alex Landau
lalex@il.ibm.com



Virtualization Techniques & Cloud Computing
Vishal Kaushik

Outline
■ The need for virtualization
■ The concepts
■ Types of virtualization
■ Issues in virtualization
■ Implementation cases
■ Conclusion
In the computer-age…

A Lot of Servers/Machines...
■ Web server
■ Mail server
■ Database server
■ File server
■ Proxy server
■ Application server
■ …and many others

A Lot of Servers/Machines...
■ The data-centre is FULL
  – Full of under-utilized servers
  – Complicated management
■ Power consumption
  – Greater wattage per unit area than ever
  – Electricity overloaded
  – Cooling at capacity
■ Environmental problem
  – Green IT
Virtualization
■ Virtualization -- the abstraction of computer resources.
■ Virtualization hides the physical characteristics of computing resources from their users, be they applications or end users.
■ This includes making a single physical resource (such as a server, an operating system, an application, or a storage device) appear to function as multiple virtual resources; it can also include making multiple physical resources (such as storage devices or servers) appear as a single virtual resource.
The Use of Computers
[Figure: the traditional stack, bottom to top: Hardware, Operating System, Applications]

Virtualization
[Figure: the virtualized stack, bottom to top: Hardware, Hypervisor, Operating System, Applications]

Virtualization -- a Server for Multiple Applications/OS
[Figure: one Hardware layer, a Hypervisor on top of it, and several Operating Systems each running its own Applications]

A hypervisor, also commonly called a Virtual Machine Monitor, is a software program that manages multiple operating systems (or multiple instances of the same operating system) on a single computer system. The hypervisor manages the system's processor, memory, and other resources to allocate what each operating system requires. Hypervisors are designed for a particular processor architecture and may also be called virtualization managers.
Why now?
■ 1960—1999
  – IBM, CP-40, CP/CMS, S/360-370, VM370, Virtual PC, VMware
■ 2000—2005
  – IBM z/VM, Xen
■ 2006
  – Intel VT-x
  – AMD’s AMD-V
■ 2008—
Hardware evolution
■ Faster CPU clock than ever
  – Though it has almost hit its ceiling
■ More CPU cores in a single chip
  – 4–8 core (or thread) CPUs are commonly desired
  – 2–64 core CPU designs are already available
■ Multi-core architectures make parallel processing more realizable
■ Virtualization support on chip from CPU manufacturers (e.g., Intel, AMD)
FYI: Anatomy of CPU
[Figure: CPU anatomy]

FYI: Simple Design
[Figure: simple single-core design]

FYI: Multicore Design
[Figure: multicore design]

FYI: Multicore Architecture
[Figure: multicore architecture]
Software maturity
■ More than one credible player in the market
■ Available and stable open-sourced software
  – OS, DB, Web server, Java, PHP, gcc, etc.
■ Established and mature software standards
  – Web service, XML, SOAP, COM, etc.
Types of Virtualization
■ Virtual memory
■ Desktop virtualization
■ Platform virtualization
  – Full virtualization
  – Paravirtualization
  – Binary translation
  – Hardware-assisted virtualization
  – Partial virtualization
  – OS-level virtualization
  – Hosted environment (e.g. User-mode Linux)
■ Storage virtualization
■ Network virtualization
■ Application virtualization
  – Portable application
  – Cross-platform virtualization
  – Emulation or simulation
  – Hosted Virtual Desktop
(Category in Wiki)

In this talk, we mainly focus on Platform virtualization, which is mostly related to cloud-computing:
■ Full virtualization
■ Hardware-assisted virtualization
■ Paravirtualization
■ OS-level virtualization
■ Hosted environment (e.g. User-mode Linux)

Levels: Hardware level, Operating system level, Application level
Full Virtualization
■ A certain kind of virtual machine environment: one that provides a complete simulation of the underlying hardware.
■ The result is a system in which all software (including all OSes) capable of execution on the raw hardware can be run in the virtual machine.
■ Comprehensively simulates all computing elements, such as the instruction set, main memory, interrupts, exceptions, and device access.
■ Full virtualization is only possible given the right combination of hardware and software elements.
■ Full virtualization has proven highly successful for
  – Sharing a computer system among multiple users
  – Isolating users from each other (and from the control program) and
  – Emulating new hardware to achieve improved reliability, security and productivity.
Full Virtualization
■ It needs a single machine that could be multiplexed among many users. Each such virtual machine had the complete capabilities of the underlying machine, and (for its user) the virtual machine was indistinguishable from a private system.
■ Examples
  – First demonstrated with IBM's CP-40 research system in 1967
  – Re-implemented as CP/CMS in IBM's VM family from 1972 to the present.
  – Each CP/CMS user was provided a simulated, stand-alone computer.
Full Virtualization
■ Virtualization requirements (by Popek and Goldberg):
  – Equivalence: a program running under the VMM should exhibit a behavior essentially identical to that demonstrated when running on an equivalent machine directly;
  – Resource control (safety): the VMM must be in complete control of the virtualized resources;
  – Efficiency: a statistically dominant fraction of machine instructions must be executed without VMM intervention.

VMM: Virtual Machine Monitor


Full Virtualization -- challenge
■ Security issues -- interception
■ Simulation of privileged operations -- I/O instructions
  – The effects of every operation performed within a given virtual machine must be kept within that virtual machine – virtual operations cannot be allowed to alter the state of any other virtual machine, the control program, or the hardware.
■ Some machine instructions can be executed directly by the hardware,
  – E.g., those that only touch memory locations and arithmetic registers.
■ But other instructions that would "pierce the virtual machine" cannot be allowed to execute directly; they must instead be trapped and simulated. Such instructions either access or affect state information that is outside the virtual machine.
■ Some hardware is not easy to fully virtualize, e.g., x86
Restrictions of Intel IA32 Protection Rings
[Figure: four protection rings: Level 0 (OS kernel, highest privilege), Level 1 and Level 2 (OS services such as device drivers), Level 3 (applications, lowest privilege)]

The challenges of x86 hardware virtualization
[Figure: Ring 0 holds the OS, Ring 1 and Ring 2 are unused, Ring 3 holds applications; user and OS requests execute directly on the hardware]
The Problems and the Solutions
■ Originally designed for “personal use” (PC)
■ Security problems caused by interception and privileged operations become critical
■ Solutions to full virtualization of the x86 CPU
  – Full description of operations of all x86 hardware (but they evolve)
  – Binary translation (almost established)
  – OS-assisted (or paravirtualization)
  – Hardware-assisted (future direction)
Binary translation
■ Kernel code containing non-virtualizable instructions is translated into new sequences of instructions that have the intended effect on the virtual hardware. Each virtual machine monitor provides each virtual machine with all the services of the physical system, including a virtual BIOS, virtual devices and virtualized memory management.
■ This combination of binary translation and direct execution provides full virtualization, as the guest OS is fully abstracted (completely decoupled) from the underlying hardware by the virtualization layer. The guest OS is not aware it is being virtualized and requires no modification.
■ The hypervisor translates all operating system instructions on the fly and caches the results for future use, while user level instructions run unmodified at native speed.
■ Examples
  – VMware
  – Microsoft Virtual Server
Binary translation
[Figure: Ring 3 applications execute user requests directly; Ring 1 holds the guest OS; Ring 0 holds the VMM, which binary-translates OS requests; Hardware beneath]

VMM: Virtual Machine Monitor

OS assisted (Paravirtualization)
■ Paravirtualization – via a modified OS kernel as guest OS
■ It is very difficult to build the more sophisticated binary translation support necessary for full virtualization.
■ Paravirtualization involves modifying the OS kernel to replace non-virtualizable instructions with hypercalls that communicate directly with the virtualization layer hypervisor.
■ The hypervisor also provides hypercall interfaces for other critical kernel operations such as memory management, interrupt handling and time keeping.
■ Paravirtualization is different from full virtualization, where the unmodified OS does not know it is virtualized and sensitive OS calls are trapped using binary translation.
■ Paravirtualization cannot support an unmodified OS
■ Example:
  – Xen -- modified Linux kernel and a version of Windows XP
OS assisted (Paravirtualization)
[Figure: Ring 3 applications execute user requests directly; Ring 0 holds the paravirtualized guest OS; the virtualization layer sits between the guest and the Hardware, and hypercalls to the virtualization layer replace non-virtualizable OS instructions]

VMM: Virtual Machine Monitor

Hardware Assisted Virtualization
■ Also known as accelerated virtualization, hardware virtual machine (Xen), native virtualization (Virtual Iron).
■ Hardware switch supported by the CPU, e.g.
  – Intel Virtualization Technology (VT-x)
  – AMD’s AMD-V
  These target privileged instructions with a new CPU execution mode feature that allows the VMM to run in a new root mode below ring 0.
■ Privileged and sensitive calls are set to automatically trap to the hypervisor, removing the need for either binary translation or paravirtualization.
■ The guest state is stored in Virtual Machine Control Structures (VT-x) or Virtual Machine Control Blocks (AMD-V).
■ High hypervisor-to-guest transition overhead and a rigid programming model
Hardware Assisted Virtualization
[Figure: non-root mode privilege levels: Ring 3 applications (direct execution of user and OS requests), Ring 0 guest OS; root mode privilege levels: the VMM; OS requests trap to the VMM without binary translation or paravirtualization; Hardware beneath]

VMM: Virtual Machine Monitor

OS-Level Virtualization
■ OS-level virtualization
  – The kernel of an OS allows for multiple isolated user-space instances, instead of just one.

OS-Level Virtualization
■ Each OS instance looks and feels like a real server
■ OS virtualization virtualizes servers on the operating system (kernel) layer. This creates isolated containers on a single physical server and OS instance to utilize hardware, software, data center and management efforts with maximum efficiency.
■ OS-level virtualization implementations that are capable of live migration can be used for dynamic load balancing of containers between nodes in a cluster.

[Figure, bottom to top: Hardware, Standard Host OS, OS virtualization layer, then Container 1, Container 2 and Container 3, each an OS instance]
Confusion…
■ OS-Level Virtualization. A type of server virtualization technology which works at the OS layer. The physical server and single instance of the operating system is virtualized into multiple isolated partitions, where each partition replicates a real server. The OS kernel will run a single operating system and provide that operating system functionality to each of the partitions.
■ Operating system virtualization refers to the use of software to allow system hardware to run multiple instances of different operating systems concurrently, allowing you to run different applications requiring different operating systems on one computer system. The operating systems do not interfere with each other or the various applications.
Application virtualization
■ Application runs on
  – Different OS, platform, etc.
  – Same OS, different version/framework
■ Encapsulation of OS/platform
■ Improve portability, manageability and compatibility of applications
■ A fully virtualized application is not installed in the traditional sense, although it is still executed as if it is (runtime virtualization)
■ Full application virtualization requires a virtualization layer.
Memory Virtualization
■ Not only virtual memory
■ Hardware support
  – e.g., x86 MMU and TLB
■ To run multiple virtual machines on a single system, another level of memory virtualization is required.
■ The VMM is responsible for mapping guest physical memory to the actual machine memory, and it uses shadow page tables to accelerate the mappings.

[Figure: VM1 and VM2, each with Process 1 and Process 2, and three layers of addresses: virtual memory (per process), physical memory (per VM), machine memory (shared by all VMs)]
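The two-level mapping of the figure folded into a shadow page table, as an added example that is not from the slides: the guest OS maps virtual pages to guest-physical pages, the VMM maps guest-physical pages to machine pages, and the shadow entry the real MMU walks combines both. Page size, table sizes and the sample mappings are constructed; the check to note is that a guest page table entry pointing at a guest-physical page the VMM never backed must not produce a shadow entry, otherwise the guest could reach machine memory that is not its own.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT  12
#define PAGE_SIZE   (1u << PAGE_SHIFT)
#define NPAGES      16            /* tiny address spaces, enough for the example */
#define PTE_PRESENT 0x1u
#define PTE_WRITE   0x2u
#define PFN(pte)    ((pte) >> PAGE_SHIFT)

struct vm {
    uint32_t guest_pt[NPAGES];    /* guest OS page table: virtual page -> guest-physical page | flags */
    uint32_t gpa_to_ma[NPAGES];   /* VMM's map: guest-physical page -> machine page | PTE_PRESENT */
    uint32_t shadow_pt[NPAGES];   /* shadow page table: virtual page -> machine page | flags; what the MMU walks */
};

/* Fold the two mappings for one virtual page into a shadow entry.
 * Returns 0 on success, -1 when the entry is left not-present: the guest
 * mapping is absent, or it points at a guest-physical page the VMM never
 * backed. The second case is the safety check: a guest must not be able to
 * name a machine page that is not its own, so such accesses fault to the VMM. */
int shadow_sync(struct vm *vm, unsigned vpage)
{
    if (vpage >= NPAGES)
        return -1;
    uint32_t gpte = vm->guest_pt[vpage];
    vm->shadow_pt[vpage] = 0;
    if (!(gpte & PTE_PRESENT))
        return -1;
    uint32_t gp = PFN(gpte);
    if (gp >= NPAGES || !(vm->gpa_to_ma[gp] & PTE_PRESENT))
        return -1;
    uint32_t mp = PFN(vm->gpa_to_ma[gp]);
    /* machine frame + the guest's own permission bits */
    vm->shadow_pt[vpage] = (mp << PAGE_SHIFT) | (gpte & (PTE_PRESENT | PTE_WRITE));
    return 0;
}

/* Rebuild every entry; a real VMM does this lazily and write-protects the
 * guest page table so it can resync when the guest edits it. Returns the
 * number of virtual pages that ended up mapped. */
int shadow_sync_all(struct vm *vm)
{
    int mapped = 0;
    for (unsigned v = 0; v < NPAGES; v++)
        if (shadow_sync(vm, v) == 0)
            mapped++;
    return mapped;
}

/* One walk of the shadow table, as the hardware MMU does it: virtual address ->
 * machine address, or -1 on a page fault (not present, or write to a read-only page). */
int64_t mmu_translate(const struct vm *vm, uint32_t va, int write)
{
    unsigned vpage = va >> PAGE_SHIFT;
    if (vpage >= NPAGES)
        return -1;
    uint32_t spte = vm->shadow_pt[vpage];
    if (!(spte & PTE_PRESENT) || (write && !(spte & PTE_WRITE)))
        return -1;
    return (int64_t)((PFN(spte) << PAGE_SHIFT) | (va & (PAGE_SIZE - 1)));
}

/* Constructed mappings (not from the slides) */
void demo_setup(struct vm *vm)
{
    for (unsigned i = 0; i < NPAGES; i++)
        vm->guest_pt[i] = vm->gpa_to_ma[i] = vm->shadow_pt[i] = 0;
    vm->gpa_to_ma[5] = (9u << PAGE_SHIFT) | PTE_PRESENT;    /* guest page 5 lives in machine page 9 */
    vm->gpa_to_ma[6] = (2u << PAGE_SHIFT) | PTE_PRESENT;    /* guest page 6 lives in machine page 2 */
    vm->guest_pt[3] = (5u << PAGE_SHIFT) | PTE_PRESENT | PTE_WRITE;  /* vpage 3 -> gpage 5, read-write */
    vm->guest_pt[4] = (6u << PAGE_SHIFT) | PTE_PRESENT;              /* vpage 4 -> gpage 6, read-only */
    vm->guest_pt[7] = (12u << PAGE_SHIFT) | PTE_PRESENT;             /* gpage 12 was never backed by the VMM */
}

int main(void)
{
    struct vm vm;
    demo_setup(&vm);
    printf("%d shadow entries built\n", shadow_sync_all(&vm));
    printf("va 0x3abc -> ma 0x%llx\n", (long long)mmu_translate(&vm, 0x3abc, 0));
    printf("va 0x7000 -> %lld (faults to the VMM)\n", (long long)mmu_translate(&vm, 0x7000, 0));
    return 0;
}
```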
Device and I/O Virtualization
■ VMM supports all device/IO drivers
  – Physically or virtually present

Source: VMware white paper, “Understanding Full Virtualization, Paravirtualization, and Hardware Assist”
Techniques for x86 virtualization

Technique
  – Full virtualization with binary translation: binary translation and direct execution
  – Hardware assisted virtualization: exit to root mode on privileged instructions
  – OS assisted virtualization / paravirtualization: hypercalls
Guest modification / compatibility
  – Full virtualization with binary translation: unmodified guest OS; excellent compatibility
  – Hardware assisted virtualization: unmodified guest OS; excellent compatibility
  – OS assisted virtualization / paravirtualization: guest OS codified to issue hypercalls, so it can't run on native hardware or other hypervisors; poor compatibility; not available on Windows OSes
Performance
  – Full virtualization with binary translation: good
  – Hardware assisted virtualization: fair; current performance lags binary translation virtualization on various workloads but will improve over time
  – OS assisted virtualization / paravirtualization: better in certain cases
Used by
  – Full virtualization with binary translation: VMware, Microsoft, Parallels
  – Hardware assisted virtualization: VMware, Microsoft, Parallels, Xen
  – OS assisted virtualization / paravirtualization: VMware, Xen
Guest OS hypervisor independent?
  – Full virtualization with binary translation: yes
  – Hardware assisted virtualization: yes
  – OS assisted virtualization / paravirtualization: XenLinux runs only on the Xen hypervisor; VMI-Linux is hypervisor agnostic

Source: VMware white paper, “Understanding Full Virtualization, Paravirtualization, and Hardware Assist”
Virtualization
■ Binary translation is the most established technology for full virtualization
■ Hardware assist is the future of virtualization, but it still has a long way to go
■ Paravirtualization delivers performance benefits with maintenance costs
  – Xen
  – VMWare
Issues in Virtualization for Cloud-Computing
■ Aspects and expectations of virtualization from
  – End-user
  – Operator/Manager
Issues in Virtualization for Cloud-Computing
■ Virtualization implemented on
  – a single machine (with multi-core CPUs)
  – a cluster of machines (with multi-core CPUs)
■ The state-of-the-art
  – Running a Xen or a cluster of Xens

[Figure: on the left, one Hardware node with a Hypervisor running several Operating Systems and their Applications; on the right, several Hardware nodes each with its own Hypervisor, Operating Systems and Applications, with a question mark over how they are tied together]

Issues in Virtualization for Cloud-Computing
■ Abiquo/abicloud may provide partial solutions

[Figure: two Hardware nodes, each with a Hypervisor running several Operating Systems and Applications; a Virtualization Management System layer spans both nodes]
Running multiple OS and applications
■ Virtualization: One physical hardware can run multiple OS and applications through a hypervisor.
■ A hypervisor is the virtualization manager on a physical hardware.

[Figure, bottom to top: Hardware, Hypervisor, several Operating Systems, each with its own Applications]
Popular hypervisors
■ Xen
■ KVM
■ QEMU
■ VirtualBox
■ VMWare
■ Xen is the selected hypervisor of the project.
Steps to use Xen
■ Connect to a Xen host (i.e., a physical hardware + Xen + Dom0 OS) via ssh.
■ Use xen-tools to create (xen-create-image), list (xen-list-images) and delete (xen-delete-image) images of virtual machines.
■ Use the xm tool to manage (create, list and shutdown) DomU guests.
Issues related to clouds with Xen
■ Xen-tools and xm are great for a single machine, but …
■ Today’s private or public clouds often include hundreds or thousands of machines.
■ How to manage the cloud effectively and efficiently becomes a central issue in cloud computing.

Objectives of managing clouds
■ Easy-to-use client interface
■ Effective and efficient management of cloud infrastructure
■ Scalable deployment
■ Robust performance
■ Other nice characteristics associated with information systems management

Some solutions for managing clouds
■ abiCloud is the topic of this class.
■ EUCALYPTUS, originating in the CS department of UC Santa Barbara, is an open source software infrastructure for implementing cloud computing on clusters.
■ OpenNebula is an open source virtual infrastructure engine that enables the dynamic deployment and replacement of virtualized services within and across sites.
■ Other solutions from Citrix, Microsoft, Sun, …
Issues in Virtualization for Cloud-Computing
■ Software deployment
  – Open-source
  – Commercial products
  – Re-installation or not
■ Compatibility
  – Legacy software/database
  – Copyright/patent problems
■ Full virtualization
  – Hardware ISA?
■ Paravirtualization
  – Modifiable OS?
■ Hardware assisted virtualization
  – Problem model
  – Re-write

Issues in Virtualization for Cloud-Computing
■ There are more problems…

The answer is hidden behind the “cloud”


Cloud Deployment Models
Vishal Kaushik
SoCS, UPES

A Working Definition of Cloud Computing
■ Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
■ This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models
Objectives of Cloud Computing
■ Elasticity: Ability to scale virtual machine resources up or down
■ On-demand usage: Ability to add or delete computing power (CPU, memory), and storage according to demand
■ Pay-per-use: Pay only for what you use
■ Multitenancy: Ability to have multiple customers access their servers in the data center in an isolated manner.
5 Essential Cloud Characteristics
■ On-demand self-service
■ Broad network access
■ Resource pooling
– Location independence
■ Rapid elasticity
■ Measured service
3 Cloud Service Models
■ Cloud Software as a Service (SaaS)
– The capability provided to the consumer is to use the
provider’s applications running on a cloud infrastructure and
accessible from various client devices through a thin client
interface such as a Web browser (e.g., web-based email).
The consumer does not manage or control the underlying
cloud infrastructure, network, servers, operating systems,
storage, or even individual application capabilities, with the
possible exception of limited user-specific application
configuration settings.
■ Cloud Platform as a Service (PaaS)
– The capability provided to the consumer is to deploy onto the
cloud infrastructure consumer-created applications using
programming languages and tools supported by the provider
(e.g., Java, Python, .Net). The consumer does not manage or
control the underlying cloud infrastructure, network, servers,
operating systems, or storage, but the consumer has control
over the deployed applications and possibly application
hosting environment configurations.
3 Cloud Service Models 2/2
■ Cloud Infrastructure as a Service (IaaS)
– The capability provided to the consumer is to rent processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).
■ To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics
Service Model Architectures
[Figure: three stacks, each built on Cloud Infrastructure: IaaS alone (Infrastructure as a Service architectures); IaaS with PaaS on top (Platform as a Service architectures); IaaS, PaaS and SaaS (Software as a Service architectures)]

SaaS, PaaS, IaaS
[Figure]
3 Features of Mature SaaS Applications
■ SaaS is hosting applications on the Internet as a service (both consumer and enterprise)
■ Features of mature SaaS applications:
■ Scalable
– Handle growing amounts of work in a graceful manner
■ Multi-tenancy
– One application instance may be serving hundreds of companies
– Opposite of multi-instance where each customer is provisioned their own server running one instance
■ Metadata driven configurability
– Instead of customizing the application for a customer (requiring code changes), one allows the user to configure the application through metadata
SaaS Maturity Levels
■ Level 1: Ad-Hoc/Custom
■ Level 2: Configurable
■ Level 3: Configurable, Multi-Tenant-Efficient
■ Level 4: Scalable, Configurable, Multi-Tenant-Efficient
Cloud Deployment Models
■ Private cloud
– The cloud infrastructure is operated solely for an
organization. It may be managed by the organization or a
third party and may exist on premise or off premise.

■ Public cloud
– Mega-scale cloud infrastructure is made available to the
general public or a large industry group and is owned by an
organization selling cloud services.

■ Hybrid cloud
– The cloud infrastructure is a composition of two or more
clouds (private or public) that remain unique entities but are
bound together by standardized or proprietary technology
that enables data and application portability
Private cloud
– single org only,
– managed by the org or a 3rd party,
– on or off premise
Community cloud
– shared infrastructure for a specific community
– several orgs that have shared concerns,
– managed by an org or a 3rd party
Public cloud
– sold to the public, mega-scale infrastructure
– available to the general public
Hybrid cloud
– composition of two or more clouds
– bound by standard or proprietary technology
Common Cloud Characteristics
■ Cloud computing often leverages:
– Massive scale
– Homogeneity
– Virtualization
– Resilient computing
– Low cost software
– Geographic distribution
– Service orientation
– Advanced security technologies
The NIST Cloud Definition Framework
■ Deployment Models
– Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
■ Service Models
– Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
■ Essential Characteristics
– On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
■ Common Characteristics
– Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
Provisioning Service

■ Advantages
– Rapid reconstitution of services
– Enables availability
■ Provision in multiple data centers / multiple instances
– Advanced honeynet capabilities
■ Challenges
– Impact of compromising the provisioning service

Data Storage Services

■ Advantages
– Data fragmentation and dispersal
– Automated replication
– Provision of data zones (e.g., by country)
– Encryption at rest and in transit
– Automated data retention
■ Challenges
– Isolation management / data multi-tenancy
– Storage controller
■ Single point of failure / compromise?
– Exposure of data to foreign governments

Cloud Processing Infrastructure

■ Advantages
– Ability to secure masters and push out secure images
■ Challenges
– Application multi-tenancy
– Reliance on hypervisors
– Process isolation / Application sandboxes

Cloud Support Services

■ Advantages
– On demand security controls (e.g., authentication,
logging, firewalls…)
■ Challenges
– Additional risk when integrated with customer
applications
– Needs certification and accreditation as a separate
application
– Code updates

Cloud Network and Perimeter Security

■ Advantages
– Distributed denial of service protection
– VLAN capabilities
– Perimeter security (IDS, firewall, authentication)
■ Challenges
– Virtual zoning with application mobility

Use case: provisioning a VM
[Figure: VM provisioning flow through the cloud management system]
■ Cloud management system (CMS) offers services like image
management and provisioning of machines; billing,
accounting, metering, and more.
■ CMS is composed of physical servers and in turn the virtual
servers that are “managed-by” the management environment.
The servers in the managed environment belong to a
customer pool; where customers or users can create virtual
servers on-demand and scale up/down as needed.
■ CMS controls and processes all incoming requests to create,
destroy, manage, and monitor virtual machines and storage
devices.
■ In public cloud, the users get direct access to the VMs created
in the managed environment after they are provisioned by the
management layer.
Use case: provisioning a VM
The previous figure describes the following actions:
1. User makes a request to create a VM by logging onto the cloud
portal.
2. The request is intercepted by the request manager and is
forwarded to the management environment.
3. The management environment, on receiving the request,
interprets it and applies provisioning logic to it to create a VM
from the set of available physical servers.
4. External storage is attached to the VM from a storage area
network (SAN) store during provisioning in addition to the local
storage.
5. After the VM is provisioned and ready to use, the user is notified
of this information and finally gains total control of the VM. The
user can access this VM through the public Internet because the
VM has a public IP address (e.g., through SSH).
Cloud Ecosystem
[Figure: one possible private-cloud ecosystem, with cloud users/consumers, cloud management, VI management and VM managers as its levels]
■ The public cloud ecosystem has evolved around providers, users, and
technologies.
■ The previous figure suggests one possible ecosystem for private clouds. There are
four levels in the development of this ecosystem: cloud users/consumers, cloud
management, VI management, and VM managers.
■ At the cloud management level, the cloud manager provides virtualized resources
over an IaaS platform.
■ At the virtual infrastructure (VI) management level, the manager allocates VMs
over multiple server clusters. Examples: OpenNebula, VMware vSphere. These can
manage VM managers like Xen, KVM etc. They support dynamic placement and
VM management on a pool of physical resources, automatic load balancing, server
consolidation, and dynamic infrastructure resizing and partitioning.
■ Finally, at the VM management level the VM managers handle VMs installed on
individual host machines. Examples: Xen, VMware, KVM.
■ An ecosystem of cloud tools attempts to span both cloud management and VI
management. Besides public clouds such as Amazon EC2, open source cloud tools
for virtualization of cloud infrastructure include Eucalyptus and Globus Nimbus.
■ To access these cloud tools, one can use the Amazon EC2WS interface among
others.
Amazon Cloud: EC2
■ Amazon Elastic Compute Cloud (Amazon EC2) is a web service that
provides resizable computing capacity—literally, servers in
Amazon's data centers—that you use to build and host your
software systems. You can access the components and features
that EC2 provides using a web-based GUI, command line tools, and
APIs.

■ With EC2, you use and pay for only the capacity that you need. This
eliminates the need to make large and expensive hardware
purchases, reduces the need to forecast traffic, and enables you to
automatically scale your IT resources to deal with changes in
requirements or spikes in popularity related to your application or
service.

■ Components of EC2: Amazon Machine Images and Instances,
Regions and Availability Zones, Storage, Databases, Networking
and Security, Monitoring, Auto-Scaling and Load Balancing, AWS
Identity and Access Management.
Amazon Cloud EC2: AMI
■ An Amazon Machine Image (AMI) is a template that contains a software
configuration (operating system, application server, and applications). From an
AMI, you launch instances, which are running copies of the AMI. You can launch
multiple instances of an AMI, as shown in the following figure.
■ Your instances keep running until you stop or you terminate them, or until they
fail. If an instance fails, you can launch a new one from the AMI.
■ You can use a single AMI or multiple AMIs depending on your needs. From a
single AMI, you can launch different types of instances.

Amazon Cloud EC2: AMI
■ An instance type is essentially a hardware archetype. As illustrated in the following
figure, you select a particular instance type based on the amount of memory and
computing power you need for the application or software that you plan to run on
the instance.
■ Amazon publishes many AMIs that contain common software configurations for
public use. In addition, members of the AWS developer community have
published their own custom AMIs.
For example, if your application is a web site or web service, your AMI could be
preconfigured with a web server, the associated static content, and the code for
all dynamic pages. Alternatively, you could configure your AMI to install all
required software components and content itself by running a bootstrap script as
soon as the instance starts. As a result, after launching the AMI, your web server
will start and your application can begin accepting requests.
Amazon Cloud EC2: Regions and Availability Zones
■ Amazon has data centers in different areas of the world (for example, North
America, Europe, and Asia). Correspondingly, Amazon EC2 is available to
use in different Regions. By launching instances in separate Regions, you
can design your application to be closer to specific customers or to meet
legal or other requirements. Prices for Amazon EC2 usage vary by Region.
■ Each Region contains multiple distinct locations called Availability
Zones (illustrated in the following diagram). Each Availability Zone is
engineered to be isolated from failures in other Availability zones and to
provide inexpensive, low-latency network connectivity to other zones in the
same Region. By launching instances in separate Availability Zones, you
can protect your applications from the failure of a single location.
Amazon Cloud EC2: Storage
■ To store data, Amazon EC2 offers the following storage options:
1. Amazon Elastic Block Store (Amazon EBS)
2. Amazon EC2 Instance Store
3. Amazon Simple Storage Service (Amazon S3)

Amazon EBS
■ Amazon EBS volumes are the recommended storage option for the majority of
use cases. Amazon EBS provides the instances with persistent, block-level
storage. Amazon EBS volumes are essentially hard disks that you can attach to
a running instance.
■ Amazon EBS is particularly suited for applications that require a database, file
system, or access to raw block-level storage.
Amazon Cloud EC2: Storage
■ To keep a back-up copy, you can create a snapshot of the volume. As illustrated
in the following figure, snapshots are stored in Amazon S3.
■ You can create a new Amazon EBS volume from a snapshot, and attach it to
another instance, as illustrated in the following figure.
Amazon Cloud EC2: Storage
You can also detach a volume from an instance and attach it to a different one,
as illustrated in the following figure.

■ Instance Store
All instance types, with the exception of Micro instances, offer instance store. This is storage
that doesn't persist if the instance is stopped or terminated. Instance store is an option
for inexpensive temporary storage. You can use instance store volumes if you don't
require data persistence.
■ Amazon S3
Amazon S3 is storage for the Internet. It provides a simple web service interface that
enables you to store and retrieve any amount of data from anywhere on the web.
Amazon Cloud S3
– Amazon S3 Functionality
1. Write, read, and delete objects containing from 1 byte to 5 terabytes of data
each.
2. The number of objects you can store is unlimited.
3. Each object is stored in a bucket and retrieved via a unique, developer-
assigned key.
4. A bucket can be stored in one of several Regions. You can choose a Region
to optimize for latency, minimize costs, or address regulatory requirements.
5. Objects stored in a Region never leave the Region unless you transfer them
out. For example, objects stored in the EU (Ireland) Region never leave the
EU.
6. Authentication mechanisms are provided to ensure that data is kept secure
from unauthorized access. Objects can be made private or public, and rights
can be granted to specific users.
7. Options for secure data upload/download and encryption of data at rest are
provided for additional data protection.
8. Uses standards-based REST and SOAP interfaces designed to work with any
Internet-development toolkit.
Amazon Cloud S3: Use Cases
Content Storage and Distribution
– Amazon S3 can store a variety of content ranging from web applications to
media files. A user can offload an entire storage infrastructure onto the
cloud.

Storage for Data Analysis
– Whether a user is storing pharmaceutical data for analysis, financial data for
computation and pricing, or photo images for resizing, Amazon S3 can be
used to store the original content. The user can then send this content to
Amazon EC2 for computation, resizing, or other large scale analytics –
without incurring any data transfer charges for moving the data between the
services.

– For example, you could stream terabytes of data off of a genomic
sequencer as it is being created, store the final data set as a single object
and then analyze any subset of the data in EC2 using a ranged GET.

Backup, Archiving and Disaster Recovery
– The Amazon S3 solution offers a scalable and secure solution for backing up
and archiving critical data.
Amazon Cloud: Databases
– If the application running on EC2 needs a database, the
common ways to implement a database for the
application are:
1. Use Amazon Relational Database Service (Amazon RDS)
to get a managed relational database in the cloud
2. Launch an instance of a database AMI, and use that EC2
instance as the database
Amazon RDS offers the advantage of handling database
management tasks, such as patching the software,
backing up and storing the backups
Amazon Cloud: Networking & Security
– Each instance is launched into the Amazon EC2 network space and
assigned a public IP address. If an instance fails and a replacement
instance is launched, the replacement will have a different public IP
address than the original.

– Security groups are used to control access to user instances. These
are analogous to an inbound network firewall that allows a user to
specify the protocols, ports, and source IP ranges that are allowed to
reach user instances.

– A user can create multiple security groups and assign different rules
to each group. Each instance can be assigned to one or more security
groups, and the rules determine which traffic is allowed in to the
instance. A security group can be configured so that only specific IP
addresses or specific security groups have access to the instance.
Amazon Cloud: Networking and Security
– The following figure shows a basic three-tier web-hosting architecture
running on Amazon EC2 instances. Each layer has a different security
group (indicated by the dotted line around each set of instances). The
security group for the web servers only allows access from hosts over
TCP on ports 80 and 443 (HTTP and HTTPS) and from instances in
the App Servers security group on port 22 (SSH) for direct host
management.

– The security group for the app servers allows access from the Web
Servers security group for web requests, and from the corporate
subnet over TCP on port 22 (SSH) for direct host management. The
user’s support engineers could log directly into the application servers
from the corporate network, and then access the other instances from
the application server boxes.

– The DB Servers security group permits only the App Servers security
group to access the database servers.
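As an added example (not code from the deck or from AWS), the three-tier layout above modelled as security-group rules with an evaluator that checks which sources reach which tier and which ports a tier exposes to the Internet. The app-tier web port (8080), the database port (3306), the corporate subnet (203.0.113.0/24) and all addresses are constructed assumptions the slides do not state.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One inbound rule. `source` is either a CIDR ("0.0.0.0/0") or the
    name of another security group ("app-servers"), the two source
    kinds the text describes."""
    proto: str
    port: int
    source: str


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


def _source_matches(rule: Rule, src_ip: str, src_groups: tuple) -> bool:
    """CIDR sources match by address; group sources match when the
    sending instance belongs to that group."""
    if "/" in rule.source:
        return ip_address(src_ip) in ip_network(rule.source)
    return rule.source in src_groups


def is_allowed(groups: dict, dst_groups: tuple, src_ip: str,
               src_groups: tuple, proto: str, port: int) -> bool:
    """Inbound traffic is admitted if any rule of any group the destination
    instance belongs to matches; otherwise it is dropped (default deny)."""
    return any(
        rule.proto == proto and rule.port == port
        and _source_matches(rule, src_ip, src_groups)
        for name in dst_groups
        for rule in groups[name].rules
    )


def internet_exposed(groups: dict, group_name: str) -> list:
    """Audit helper: (proto, port) pairs a group opens to the whole Internet,
    i.e. rules whose source CIDR has prefix length 0."""
    exposed = set()
    for rule in groups[group_name].rules:
        if "/" in rule.source and ip_network(rule.source).prefixlen == 0:
            exposed.add((rule.proto, rule.port))
    return sorted(exposed)


# Constructed values (assumptions, not from the slides): the app tier listens
# on 8080, the database on 3306, and 203.0.113.0/24 stands in for the
# corporate subnet.
CORPORATE_SUBNET = "203.0.113.0/24"

GROUPS = {
    "web-servers": SecurityGroup("web-servers", [
        Rule("tcp", 80, "0.0.0.0/0"),       # HTTP from anywhere
        Rule("tcp", 443, "0.0.0.0/0"),      # HTTPS from anywhere
        Rule("tcp", 22, "app-servers"),     # SSH only from the app tier
    ]),
    "app-servers": SecurityGroup("app-servers", [
        Rule("tcp", 8080, "web-servers"),   # web requests from the web tier
        Rule("tcp", 22, CORPORATE_SUBNET),  # SSH from the corporate network
    ]),
    "db-servers": SecurityGroup("db-servers", [
        Rule("tcp", 3306, "app-servers"),   # database only from the app tier
    ]),
}


def three_tier_checks() -> dict:
    """Evaluate the paths the text describes plus the ones it implies must
    stay closed. Source addresses are constructed sample values."""
    internet, corp, app, web = "198.51.100.7", "203.0.113.10", "10.0.2.5", "10.0.1.5"
    return {
        "internet_https_to_web": is_allowed(GROUPS, ("web-servers",), internet, (), "tcp", 443),
        "internet_ssh_to_web": is_allowed(GROUPS, ("web-servers",), internet, (), "tcp", 22),
        "app_ssh_to_web": is_allowed(GROUPS, ("web-servers",), app, ("app-servers",), "tcp", 22),
        "corp_ssh_to_app": is_allowed(GROUPS, ("app-servers",), corp, (), "tcp", 22),
        "corp_ssh_to_web": is_allowed(GROUPS, ("web-servers",), corp, (), "tcp", 22),
        "internet_to_db": is_allowed(GROUPS, ("db-servers",), internet, (), "tcp", 3306),
        "app_to_db": is_allowed(GROUPS, ("db-servers",), app, ("app-servers",), "tcp", 3306),
        "web_to_db": is_allowed(GROUPS, ("db-servers",), web, ("web-servers",), "tcp", 3306),
    }


if __name__ == "__main__":
    for check, result in three_tier_checks().items():
        print(f"{check:22s} {'ALLOW' if result else 'DENY'}")
    print("db tier exposed to Internet:", internet_exposed(GROUPS, "db-servers"))
```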
Amazon Cloud: Monitoring, Auto Scaling, and Load Balancing
– AWS provides several features that enable the following:
– Monitor basic statistics for instances and Amazon EBS volumes.
– Automatically scale EC2 capacity up or down according to conditions defined by
the user.
– Automatically distribute incoming application traffic across multiple EC2
instances. It detects unhealthy instances and reroutes traffic to healthy
instances until the unhealthy instances have been restored. Elastic Load
Balancing automatically scales its request handling capacity in response to
incoming traffic.
– Elastic Load Balancing provides several different interfaces that can be used to
manage a user’s load balancers. Users can create, access, and manage their
load balancers using the AWS Management Console, the command line
interface (CLI), or the Query API. Users need to install the command line
interface and the Query API before they can be used.
Amazon Cloud: Identity and Access Management (IAM)
– Amazon EC2 integrates with AWS Identity and Access Management (IAM), a
service that lets the user organization do the following:
– Create users and groups under the user organization's AWS account
– Share an organization’s AWS account resources between the users in the
account
– Assign unique security credentials to each user
– Granularly control users' access to services and resources
– Get a single AWS bill for all users under the AWS account
– For example, you can use IAM with Amazon EC2 to control which users under
an AWS account can create AMIs or launch instances.
Introduction to Virtualization
& Cloud Computing
Vishal Kaushik
UPES
Virtualization
• In computing, virtualization refers to the act of creating a virtual
(rather than actual) version of something, including virtual computer
hardware platforms, storage devices, and computer network
resources.
Compute Virtualization
• In computing, virtualization means to create a virtual version of a
device or resource, such as a server, storage device, network or even
an operating system where the framework divides the resource into
one or more execution environments.

• Hardware Virtualization
• Software Virtualization
• Network Virtualization
Types of Virtualization
• OS Virtualization—aka Virtual Machines. Virtualizing an operating
system environment is the most common form of virtualization.
• Application-Server Virtualization.
• Application Virtualization.
• Administrative Virtualization.
• Network Virtualization.
• Hardware Virtualization.
• Storage Virtualization.
Three major types of Virtualization
• There are three major types of virtualization:
• Server Virtualization. This type is where most of the attention is
focused right now in the world of virtualization and is where most
companies begin an implementation of this technology.
• Client (or Desktop) Virtualization.
• Storage Virtualization.
Server Virtualization
This type is where most of the attention is focused right now in the world of
virtualization and is where most companies begin an implementation of this
technology.
• Server sprawl: A very large and legitimate problem in enterprises throughout
the world. Shortage of expensive real estate space.
• Server Consolidation: Multiple Applications, Multiple Functions and
Multiple Servers (i.e., mail server, file server, Internet server, enterprise
resource planning server, etc.).
• One server, multiple hosts and applications: Multiple operating systems
and multiple applications locally and in remote locations.
• Migration – Server boots up with the virtual hard drive image in the driver
stack. No rebuilding and reconfiguration.
Advantages of Server Virtualization
Cost advantage
• Lower CAPEX
• Physical space
• Power consumption
• Cooling
• Efficient use of hardware resources
• OPEX
• High Availability: HA of resources
• Better Management
• Improved disaster-recovery processes
• Business Agility
• Rapidly deploy a new application without ordering new hardware.
Desktop Virtualization
Virtualizing a workstation (desktop or laptop PC), i.e. an end-user machine
• Problems –
• Difficult for a systems administrator to manage.
• A company’s data center has very strict procedures for what gets loaded on
its machines and when they get updated with new software releases
• End-user machines are different (procedures are often not followed or paid much heed)
• A CD/DVD slot makes it easy for non-approved software to be installed.
• End-user machines are also more susceptible to malware in numerous ways –
via e-mail viruses, unwitting spyware downloads, etc.
• End-user machines run popular, easy-to-use operating systems well known for attracting attacks
from hackers and cybercriminals.
Desktop Virtualization Models
End-user computing models:
• Remote (Server-Hosted) Desktop Virtualization model: The operating
environment is hosted on a server in the data center and accessed by the
end user across a network.
• Local (Client-Hosted) Desktop Virtualization model: The operating environment
runs locally on the user’s physical PC hardware and involves multiple flavors
of client-side virtualization techniques that can monitor and protect the
execution of the end user system.
• Application Virtualization: A specific application is virtualized, i.e.
isolated from the OS in its own virtualized “sandbox”. The application is installed or
executed locally within a container that controls how it interacts with other
system and application components. Applications can also be streamed
or delivered across the network to a web browser, with most processing
executed on a centralized web server.
Storage Virtualization
Storage virtualization refers to the abstraction (separation) of logical
storage (virtualized partitions of stored data) from physical storage
(storage devices that hold, spin, read and write magnetic or optical
disks such as CD, DVD, or even a hard disk drive, etc.). Virtualization of
storage helps achieve location independence by abstracting the
physical location of the data. There are three basic approaches to data
storage:
• Direct-Attached Storage (DAS)
• Network-Attached Storage (NAS)
• Storage Area Network (SAN)
Direct-Attached Storage (DAS)
This is the traditional method used in data storage where hard drives
are attached to a physical server. Because this method is easy to use
but hard to manage, virtualization technology is causing organizations to
have second thoughts with regard to its viability.
Network-Attached Storage (NAS)
This is a machine that resides on your network and provides data
storage to other machines. It can be thought of as the first step toward
storage virtualization. This approach provides a single source of data,
facilitating data backup. By collecting your data in one place, it also
avoids the problem of multiple servers needing to access data located
on another server.
Storage Area Network (SAN)
This ultra-sophisticated approach deploys specialized hardware and
software to transform mere disk drives into a data storage solution that
transfers data on its own high-performance network.
Companies shift over to a SAN when they recognize that corporate data
is a key resource that must be available 24/7 and needs to be
conveniently managed. The price tag for this approach is very high
indeed.
Other types of Virtualization
OS Virtualization – Virtual Machines. Virtualizing an operating system
environment is the most common form of virtualization. It involves
putting a second instance or multiple instances of an operating system,
like Windows, on a single machine. This empowers businesses to
reduce the amount of physical hardware required to run their software
by cutting down the number of actual machines. It saves companies
cash on energy, cabling, hardware, rack space, and more, while still
allowing them to run the same quantity of applications.
Other types of Virtualization
Application-Server Virtualization – Application-server virtualization is
another large presence in the virtualization space, and has been around
since the inception of the concept. It is often referred to as ‘advanced
load balancing,’ as it spreads applications across servers, and servers
across applications. This enables IT departments to balance the
workload of specific software in an agile way that doesn’t overload a
specific server or underload a specific application in the event of a large
project or change. In addition to load balancing it also allows for easier
management of servers and applications, since you can manage them
as a single instance. Additionally, it gives way to greater network
security, as only one server is visible to the public while the rest are
hidden behind a reverse proxy network security appliance.
Other types of Virtualization
Application Virtualization – Application virtualization is often confused
with application-server virtualization. What it means is that
applications operate on computers as if they reside naturally on the
hard drive, but instead are running on a server. The ability to use RAM
and CPU to run the programs while storing them centrally on a server,
like through Microsoft Terminal Services and cloud-based software,
improves how software security updates are pushed, and how software
is rolled out.
Other types of Virtualization
Administrative Virtualization – Administrative virtualization is one of
the least-known forms of virtualization, likely due to the fact that it’s
primarily used in data centers. The concept of administration, or
‘management,’ virtualization means segmented admin roles through
group and user policies. For example, certain groups may have access
to read specific servers, infrastructure, application files, and rules, but
not to change them.
Other types of Virtualization
Network Virtualization – Network virtualization involves virtually
managing IPs, and is accomplished through tools like routing tables,
NICs, switches, and VLAN tags.
Other types of Virtualization
Hardware Virtualization – Hardware virtualization is one of the rarer
forms of virtualization, and when simply explained it is similar to OS
virtualization (it is, in fact, often required for OS virtualization). Except,
instead of putting multiple software instances on a single machine,
chunks of a machine are partitioned off to perform specific tasks.
Other types of Virtualization
Storage Virtualization – Storage virtualization is an array of servers that
are managed by a virtual storage system. The servers aren’t aware of
exactly where their data is, and instead function more like worker bees
in a hive.
Type of Virtualization for My Company
As ‘virtualization’ has recently become a bit of a tech buzzword, companies are hopping on
the virtualization bandwagon. We often hear questions from companies asking how to
virtualize, or if they even should in the first place.

The decision to virtualize should stem from a needs-based discussion and we’d love to have
that conversation with you. Contact us to schedule a convenient time to talk about your
possible virtualization needs, and be ready to answer questions such as:

What are your current network security procedures?
What are gaps in your security protocol that you’d like fixed?
What are your IT pain points, and are they primarily hardware- or software-based?

Through a series of questions and analysis, we can point you in the direction of the type(s)
of virtualization that can help your business grow.
Storage
Vishal Kaushik
SoCS, UPES
Amazon Cloud Drive vs External Hard Drive
1. Amazon Cloud Drive is a web-based storage service while an
external hard drive is physical hardware.
2. Amazon Cloud Drive requires an Internet connection while an
external hard drive doesn’t.
3. Amazon Cloud Drive is on a rental basis while an external hard drive
needs to be purchased.
4. Amazon Cloud Drive is a more reliable data storage solution than an
external hard drive.
Amazon Cloud Drive vs External Hard Drive
• Data storage has gone a long way since the days of tape drives, and there are now many
ways to save your data. For most people who carry a lot of data with them, an external
hard drive is a portable alternative that offers a very large capacity. But companies are
now introducing services that aim to replace the external hard drive; like Amazon’s Cloud
Drive. The main difference between an external hard drive and an Amazon Cloud Drive is
that the Cloud Drive is a web-based solution unlike an external hard drive which is a
physical device.
• Since the Amazon Cloud Drive is a web-based service, you need to have access to the
Internet in order to retrieve or store files. For most people, this is not a big problem since
fast Internet connections are readily available. But for those who do not have access to a
fast connection, an external hard drive is the only choice.
• Getting an external hard drive typically means a single payment of $100 more or less for
the actual drive. Amazon uses a rental model for the Cloud Drive. You get 5GB for free,
and you pay $1 for every GB in excess of that every year. Given that drives do fail over
time, the Amazon Cloud Drive is still more expensive than just buying a large capacity
external hard drive.
• But with the added cost, you also get some benefits. The biggest one
is the assurance that your data will always be there. Because the data
resides on Amazon’s servers, it is constantly backed up and protected
against hardware failures. With external hard drives, you need to back
up your data consistently. You never know when your external hard
drive will get lost, get damaged, or just outright fail. Even if you back
up your external hard drive weekly, you will still lose a few days’
worth of data in case the drive fails or is lost. This won’t happen with
Amazon Cloud Drive. At worst, you will only lose a few hours’ worth
of data if you’ve been uploading at the time of the error.
Amazon S3 vs Amazon EBS
• EBS can only be used with EC2 instances while S3 can be used outside
EC2
• EBS appears as a mountable volume while the S3 requires software to
read and write data
• EBS can accommodate a smaller amount of data than S3
• EBS can only be used by one EC2 instance at a time while S3 can be
used by multiple instances
• S3 typically experiences write delays while EBS does not
Amazon S3 vs Amazon EBS
• S3 (Simple Storage Service) and EBS (Elastic Block Store) are two file
storage services provided by Amazon. The main difference between them is
what they can be used with. EBS is specifically meant for EC2 (Elastic
Computing Cloud) instances and is not accessible unless mounted to one.
On the other hand, S3 is not limited to EC2. The files within an S3 bucket
can be retrieved using HTTP protocols and even with BitTorrent. Many sites
use S3 to hold most of their files because of its accessibility to HTTP clients,
web browsers for example.
• As already stated above, you need some type of software in order to read
or write information with S3. With EBS, a volume can be mounted on an
EC2 instance and it would appear just like a hard disk partition. It can be
formatted with any file system and files can be written or read by the EC2
instance just like it would to a hard drive.
• When it comes to the total amount that you can store, S3 still has the
upper hand. EBS has a standard limit of 20 volumes with each volume
holding up to 1TB of data. With S3, the standard limit is at 100 buckets with
each bucket having an unlimited data capacity. S3 users do not need to
worry about filling a bucket and the only concern is having enough buckets
for your needs.
• A limitation of EBS is its inability to be used by multiple instances at once.
Once it is mounted by an instance, no other instance can use it. S3 can
have multiple images of its contents so it can be used by many at the same
time. An interesting side-effect of this capability is something called
‘eventual consistency’. With EBS, data read or write occurs almost instantly.
With S3, the changes are not written immediately so if you write
something, it may not be the data that a read operation returns.
Amazon Storage Options
• Amazon S3
• Amazon Glacier
• Amazon EFS
• Amazon EBS
• Amazon EC2 Instance Storage
• AWS Storage Gateway
• AWS Snowball
• Amazon CloudFront
Across these options AWS provides:
• Low-cost data storage
• Highly durable & available storage
• Backup, archiving & disaster recovery use cases
• Block, file, and object storage
Amazon S3
Simple Storage Service (S3)
• Secure, durable, highly scalable object storage at a very low cost.
• Store any amount of data, at any time, from anywhere on the web, through a
simple web service interface.
• Write, read, and delete objects containing from 0 bytes to 5 TB of data each.
• Highly scalable: allows concurrent read or write access to data by many
separate clients, or by many threads in one application.
Usage Patterns
Amazon S3 offers a range of storage classes designed for different use cases,
including the following:
• Amazon S3 Standard, for general-purpose storage of frequently accessed data
• Amazon S3 Standard-Infrequent Access (Standard-IA), for long-lived, but less
frequently accessed data
• Amazon Glacier, for low-cost archival data
4 Common Usage Patterns for Amazon S3
• Store and distribute static web content and media, delivered directly from Amazon S3 via a unique HTTP URL.
  - Well suited as the origin store for a content delivery network (CDN) such as Amazon CloudFront.
  - Elastic: bandwidth to handle extreme demand spikes, with no storage provisioning needed.
  - Fits fast-growing websites hosting data-intensive, user-generated content, such as video- and photo-sharing sites.
• Host entire static websites: a low-cost, highly available, and highly scalable home for static HTML files,
images, videos, and client-side scripts such as JavaScript.
• Data store for computation and large-scale analytics, such as financial transaction analysis, clickstream
analytics, and media transcoding.
  - Horizontally scalable: S3 can be read from many compute nodes concurrently without being constrained by a
single connection.
• Highly durable, scalable, and secure solution for backup and archiving of critical data.
  - Lifecycle management rules move cold data to Amazon Glacier.
  - Cross-region replication automatically and asynchronously copies objects to an S3 bucket in a different AWS
region, for disaster recovery and business continuity.
Performance
• Access is fastest when S3 is reached from EC2 instances in the same Region.
• Server-side latencies in S3 are insignificant relative to Internet latencies.
• S3 supports an extremely large number of web-scale applications by scaling storage,
request rate, and number of users.
• Multi-threaded access to S3 from many applications or clients concurrently reaches an
aggregate throughput that no single server could achieve.
• Multipart upload: a large object (recommended above 100 MB) is uploaded as a set of
parts, in parallel if desired; S3 reassembles the uploaded parts into the object.
• For faster access to relevant data, pair S3 with a search engine such as Amazon
CloudSearch, or a database such as Amazon DynamoDB or Amazon RDS, that holds a metadata
repository describing the objects stored in S3.
• Enable S3 Transfer Acceleration for fast, easy, and secure transfer of files over long
distances between your client and your bucket: GET and PUT requests go to Amazon
CloudFront's globally distributed edge locations, which route the traffic to your
Amazon S3 bucket over an Amazon-optimized network path.
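The multipart upload mentioned above is also where an integrity check belongs: the ETag S3 reports for a multipart object is not a plain MD5 of the file, so a client that compares the two reports a false mismatch, and one that skips the comparison never notices a corrupted or misordered part. The following added example (written for this page, not AWS code; the 12 MiB object is constructed in memory) reproduces both ETag forms so the value returned by CompleteMultipartUpload or HeadObject can be verified against the local data. It assumes the object is not encrypted with SSE-KMS or SSE-C, whose ETags are not MD5 digests.

```python
"""Integrity check for S3 multipart uploads.  Added example for this page, not
AWS code.  For objects not encrypted with SSE-KMS or SSE-C, a single PutObject's
ETag is the MD5 of the data, and a multipart upload's ETag is the MD5 of the
concatenated per-part MD5 digests followed by "-<number of parts>"."""
import hashlib

MIN_PART_SIZE = 5 * 1024 * 1024   # every part except the last must be >= 5 MiB


def split_parts(data: bytes, part_size: int):
    """Yield (part_number, chunk) in upload order; part numbers start at 1."""
    if part_size < MIN_PART_SIZE:
        raise ValueError("part size must be at least 5 MiB")
    for offset in range(0, max(len(data), 1), part_size):
        yield offset // part_size + 1, data[offset:offset + part_size]


def expected_etag(data: bytes, part_size=None) -> str:
    """ETag S3 will report: plain MD5 for a single PutObject (part_size None),
    otherwise the multipart form, even when the upload had only one part."""
    if part_size is None:
        return hashlib.md5(data).hexdigest()
    part_digests = [hashlib.md5(chunk).digest()
                    for _, chunk in split_parts(data, part_size)]
    return f"{hashlib.md5(b''.join(part_digests)).hexdigest()}-{len(part_digests)}"


def etag_matches(reported: str, data: bytes, part_size=None) -> bool:
    """S3 returns the ETag wrapped in double quotes; strip them before comparing.
    A mismatch means a part was corrupted, dropped, or completed out of order."""
    return reported.strip('"') == expected_etag(data, part_size)


if __name__ == "__main__":
    # Constructed 12 MiB object uploaded in 5 MiB parts -> 3 parts (5, 5, 2 MiB).
    obj = bytes(range(256)) * (12 * 1024 * 1024 // 256)
    print("parts:", [(n, len(c)) for n, c in split_parts(obj, MIN_PART_SIZE)])
    print("expected multipart ETag:", expected_etag(obj, MIN_PART_SIZE))
    print("expected single-PUT ETag:", expected_etag(obj))
```

The part size passed to expected_etag must be the one the uploader actually used; the AWS CLI and SDKs choose their own default (the CLI's is 8 MiB) and the ETag changes with the part boundaries even though the object does not.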
Comparison Uses
• [The slide's table, which sets typical storage needs against the AWS storage options
above, is not reproduced here.]
IAM
Vishal Kaushik
SoCS, UPES
AWS IAM
AWS Identity and Access Management (IAM) is a web service to securely
control (authenticate & authorize) access to AWS resources.
Every AWS account has a root user with complete access to all AWS services and
resources in that account.
Hence create IAM users for day-to-day work, securely lock away the root user
credentials, and use the root user only for the few account and service management
tasks that require it.
[Amazon strongly recommends not using the root user even for everyday administrative tasks]
Index
•IAM Features
•Accessing IAM
•Understanding How IAM Works
•Overview of Identity Management: Users
•Overview of Access Management: Permissions and Policies
•Security Features Outside of IAM
•Quick Links to Common Tasks
IAM Features
• Shared access to your AWS account
• Granular permissions
• Secure access to AWS resources for applications that run on Amazon EC2
• Multi-factor authentication (MFA)
• Identity federation
• Identity information for assurance
• PCI DSS Compliance
• Integrated with many AWS services
• Eventually Consistent
• Free to use
Accessing IAM
AWS Management Console: a browser-based interface to manage IAM and AWS resources.
AWS Command Line Tools: faster and more convenient for issuing commands at your system's
command line to perform IAM and AWS tasks, and for writing scripts that perform AWS tasks.
1. AWS Command Line Interface (AWS CLI)
2. AWS Tools for Windows PowerShell
AWS SDKs: libraries and sample code for various programming languages and platforms (Java,
Python, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient way to access IAM and
AWS programmatically. For example, the SDKs take care of tasks such as cryptographically
signing requests, handling errors, and retrying requests automatically.
IAM HTTPS API: programmatic access to IAM and AWS by issuing HTTPS requests directly to the
service. When you use the HTTPS API, your code must digitally sign each request using your
credentials.
Working of IAM
IAM provides the infrastructure necessary to control authentication and
authorization for your account. The IAM infrastructure includes the following
elements:
• Principal
• Request
• Authentication
• Authorization
• Actions
• Resources
Principal
A principal is an entity that can take an action on an AWS resource. Your
administrative IAM user is your first principal. Over time, you can allow
users and services to assume a role. You can support federated users or
programmatic access to allow an application to access your AWS
account. Users, roles, federated users, and applications are all AWS
principals.
Request
When a principal tries to use the AWS Management Console, the AWS API, or the AWS CLI,
that principal sends a request to AWS. A request specifies the following information:
- Actions (or operations) that the principal wants to perform
- Resources upon which the actions are performed
- Principal information, including the environment from which the request was made
Request information is assembled from several sources:
- Principal (the requester), determined from the authentication data. This includes
the aggregate permissions that are associated with that principal.
- Environment data, such as the IP address, user agent, SSL enabled status, or the time of day.
- Resource data: data related to the resource being requested, such as a DynamoDB
table name or a tag on an Amazon EC2 instance.
[AWS gathers this information into a request context, which is used to evaluate and
authorize the request]
Authentication
A principal must be authenticated (signed in to AWS) to send a request to AWS.
A few services, such as S3, also accept requests from anonymous users.
Authentication happens in the following ways:
i. From the console: sign in with user name and password.
ii. From the API or CLI: provide your access key ID and secret access key, plus
additional security information (such as an MFA code or session token) if required.
[AWS recommends that you use multi-factor authentication (MFA) to increase the
security of your account]
Authorization
IAM uses values from the request context to check for matching policies and determine
whether to allow or deny the request. Policies are stored in IAM as JSON documents and
specify the permissions that are allowed or denied for principals (identity-based policies) or
resources (resource-based policies).
Explicit Deny: IAM checks each policy that matches the context of your request. If a single
policy includes a denied action, IAM denies the entire request and stops evaluating. IAM
authorizes your request only if every part of your request is allowed by the matching
policies. The evaluation logic follows these rules:
• By default, all requests are denied.
• An explicit allow overrides this default.
• An explicit deny overrides any allows.
[Note: By default, only the AWS account root user has access to all the resources in that
account. Every other identity starts with no permissions; everything a user other than
root can do must be granted by a policy.]
Actions
AWS approves the actions in the authenticated and authorized request.
Actions are the things that can be done to a resource, such as viewing, creating, editing,
and deleting. Actions are defined by each service. For example, IAM supports around 40
actions for a user resource, including the following:
• CreateUser
• DeleteUser
• GetUser
• UpdateUser
[To allow a principal to perform an action, you must include the necessary actions in a
policy that applies to the principal or the affected resource]
Resources
A resource is an entity that exists within a service. E.g. EC2 instance, IAM user or S3 bucket.
• The service defines a set of actions that can be performed on each resource.
• A request for an action that does not apply to the given resource is denied. For example,
if you request to delete an IAM role but provide an IAM group resource, the request fails.
After AWS approves the actions in your request, those actions can be performed on the
related resources within your account.
IAM Policies
• A policy is an entity in AWS that defines the permissions of an identity or
resource.
• A policy is evaluated when a principal (e.g., a user) makes a request.
• The permissions in the applicable policies determine whether the request is
allowed or denied.
• Policies are stored in AWS as JSON documents, attached to principals as
identity-based policies or to resources as resource-based policies.
Identity-Based Policies
Identity-based policies are permission policies attached to a principal (or
identity), such as an IAM user, role, or group. These policies control what
actions that identity can perform, on which resources, and under what
conditions.
Identity-based policies can be further categorized:
• Managed policies
  - AWS managed policies
  - Customer managed policies
• Inline policies
Managed policies
Standalone identity-based policies attached to multiple users, groups, and
roles in your AWS account. You can use two types of managed policies:
• AWS managed policies – Managed policies that are created and managed by
AWS. If you are new to using policies, we recommend that you start by using
AWS managed policies.
• Customer managed policies – Managed policies that you create and manage
in your AWS account. Customer managed policies provide more precise
control over your policies than AWS managed policies. You can create and
edit an IAM policy in the visual editor or by creating the JSON policy
document directly
Inline policies
Policies that you create, manage, and embed directly in a single user,
group, or role.
Resource-Based policies
Resource-based policies are JSON policy documents attached to a resource
such as an Amazon S3 bucket. These policies control what actions a specified
principal can perform on that resource and under what conditions.
Resource-based policies are inline policies, and there are no managed
resource-based policies.
Although IAM identities are technically AWS resources, you cannot attach a
resource-based policy to an IAM identity. You must use identity-based policies
in IAM.
Trust policies
These are resource-based policies attached to a role that define which
principals can assume the role. When you create a role in IAM, the role must
have two things:
- The first is a trust policy that indicates who can assume the role.
- The second is a permission policy that indicates what they can do with that
role.
• Remember that adding an account to the trust policy of a role is only half of
establishing the trust relationship.
• By default, no users in the trusted accounts can assume the role until the
administrator for that account grants the users the permission to assume
the role.
Overview of JSON Policies
• Policies are stored in AWS as JSON documents attached to principals
as identity-based policies, or to resources as resource-based policies.
• It is not necessary for you to understand the JSON syntax. You can use the
visual editor to create and edit customer managed policies without ever
using JSON.
• However, if you choose to use inline policies for groups, you are still required
to create and edit those policies in the JSON editor.
JSON Policies
JSON policy document includes the following elements:
• Effect – whether the policy allows or denies access
• Action – the list of actions that are allowed or denied by the policy
• Resource – the list of resources on which the actions can occur
• Condition (Optional) – the circumstances under which the policy grants
permission
Sample JSON Policies
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket"
}
}
[Policies are documents that are stored using JSON. A policy consists of one
or more statements, each of which describes one set of permissions. Here's
an example of a simple policy]
Sample JSON Policies
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
• This policy can be attached to an IAM identity (group, user, or role).
• If this is the only policy that applies, the identity can perform only this one
action (ListBucket) on one S3 bucket (example_bucket).
Sample JSON Policies
{
  "Version": "2012-10-17",
  "Id": "S3-Account-Permissions",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::mybucket",
      "arn:aws:s3:::mybucket/*"
    ]
  }]
}
• To specify permissions for a resource, attach a resource-based policy to the
resource, e.g., an Amazon SNS topic, an S3 bucket, or a Glacier vault.
• That policy includes information about who is allowed to access the resource
(the Principal).
• The example shows a resource-based policy attached to an S3 bucket. The policy
grants a specific AWS account permission to perform any Amazon S3 action on
mybucket. This includes both working with the bucket and with the objects in it.
• Because the policy grants trust only to the account, individual users in that
account must still be granted permissions for the specified Amazon S3 actions
through their own identity-based policies.
Multistatement Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": "*"
    },
    {
      "Sid": "SecondStatement",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::confidential-data",
        "arn:aws:s3:::confidential-data/*"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
Multiple Statements and Multiple Policies
• An entity can have more than one policy attached, and a single policy can
grant multiple permissions.
• Usually, one policy statement describes a single permission.
• When a policy has multiple statements, a logical OR is applied across the
statements at evaluation time.
• Similarly, if multiple policies apply to a request, a logical OR is applied
across the policies at evaluation time (an explicit Deny in any of them still wins).
• Users often operate under policies that are not directly attached to them. How?
Through the groups they belong to, the roles they assume, and resource-based
policies on the resources they access.
Policy Structure
• Each policy is a JSON document. As illustrated in the figure on the slide, a policy
includes:
  - Optional policy-wide information (at the top of the document, e.g., Version and Id)
  - One or more individual statements
• Each statement includes the core information about a single permission. If a policy
includes multiple statements, AWS applies a logical OR across the statements at
evaluation time. If multiple policies are applicable to a request, AWS applies a
logical OR across the policies at evaluation time.
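The evaluation rules above (default deny, explicit allow, explicit deny wins, logical OR across statements and across policies) can be exercised offline with the following toy evaluator. It is an added example written for this page, not AWS code: it loads the multistatement policy from the earlier slide together with a constructed "deny everything from outside the office network" policy of the kind listed later under Example Policies, and implements only the policy elements those slides use (Effect, Action, Resource, and the Bool, IpAddress and NotIpAddress condition operators; NotAction, NotResource and Principal are ignored). The account ID, user name, object key and the 198.51.100.0/24 and 203.0.113.0/24 addresses are placeholders.

```python
"""Toy evaluator for the IAM rules on the slides: default deny, explicit allow,
explicit deny wins, logical OR across statements and across policies.  Added
example for this page, not AWS code; it supports only Effect, Action, Resource
and the Bool / IpAddress / NotIpAddress condition operators."""
import ipaddress
from fnmatch import fnmatchcase


def _as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    candidates = _as_list(patterns)
    if case_insensitive:
        value, candidates = value.lower(), [p.lower() for p in candidates]
    return any(fnmatchcase(value, p) for p in candidates)


def _condition_holds(condition, ctx):
    """Evaluate a Condition block against the request context.  A missing key
    fails a positive operator; for the negated NotIpAddress this toy treats a
    missing key as a match, so a request with no source IP still hits a deny."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                    for cidr in _as_list(expected))
                if in_range == (operator == "NotIpAddress"):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator}")
    return True


def evaluate(policies, action, resource, context=None):
    """Decide one request: 'Allow', 'ExplicitDeny' or 'ImplicitDeny'."""
    ctx = context or {}
    decision = "ImplicitDeny"                        # rule 1: denied by default
    for policy in policies:                          # OR across policies ...
        for stmt in _as_list(policy["Statement"]):   # ... and across statements
            if not _matches(stmt.get("Action", []), action, case_insensitive=True):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_holds(stmt.get("Condition"), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"                # rule 3: a deny beats every allow
            decision = "Allow"                       # rule 2: an allow overrides the default
    return decision


# The multistatement policy from the earlier slide.
MULTI_STATEMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FirstStatement", "Effect": "Allow",
         "Action": ["iam:ChangePassword"], "Resource": "*"},
        {"Sid": "SecondStatement", "Effect": "Allow",
         "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Sid": "ThirdStatement", "Effect": "Allow",
         "Action": ["s3:List*", "s3:Get*"],
         "Resource": ["arn:aws:s3:::confidential-data",
                      "arn:aws:s3:::confidential-data/*"],
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

# Constructed "deny everything from outside the office network" policy, the
# pattern listed under Example Policies; 198.51.100.0/24 is a documentation range.
DENY_OFF_NETWORK = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*",
                  "Condition": {"NotIpAddress": {"aws:SourceIp": "198.51.100.0/24"}}},
}

USER = "arn:aws:iam::123456789012:user/alice"            # placeholder identity
OBJECT = "arn:aws:s3:::confidential-data/report.csv"     # placeholder object
MFA_IN_OFFICE = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "198.51.100.20"}

if __name__ == "__main__":
    cases = [
        ("ChangePassword, no MFA", [MULTI_STATEMENT], "iam:ChangePassword", USER, {}),
        ("GetObject, no MFA", [MULTI_STATEMENT], "s3:GetObject", OBJECT, {}),
        ("GetObject, MFA", [MULTI_STATEMENT], "s3:GetObject", OBJECT, MFA_IN_OFFICE),
        ("PutObject, MFA", [MULTI_STATEMENT], "s3:PutObject", OBJECT, MFA_IN_OFFICE),
        ("GetObject, MFA, off network", [MULTI_STATEMENT, DENY_OFF_NETWORK],
         "s3:GetObject", OBJECT, {**MFA_IN_OFFICE, "aws:SourceIp": "203.0.113.7"}),
    ]
    for label, policies, action, resource, ctx in cases:
        print(f"{label:30} -> {evaluate(policies, action, resource, ctx)}")
```

Two things the run makes visible that the rules alone do not: a request that matches an Allow statement but fails its Condition is not denied by that statement, it simply falls through to the default (ImplicitDeny), and the ExplicitDeny from the second policy is returned no matter which policy is listed first, which is why a Deny-based guard rail cannot be "out-allowed" by adding more permissions.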
Policy Selection
When you need to set the permissions for an identity in IAM, you must
decide whether to use an AWS managed policy, a customer managed policy,
or an inline policy. The following sections provide more information about
each of the types of identity-based policies and when to use them.
• AWS Managed Policies
• Customer Managed Policies
• Inline Policies
• Choosing Between Managed Policies and Inline Policies
• Deprecated AWS Managed Policies
AWS Managed Policy
• Created and administered by AWS. Each is a standalone policy, i.e., the policy has its
own Amazon Resource Name (ARN) that includes the policy name.
• AWS managed policies are designed to provide permissions for many common use cases.
Some define typical permissions for service administrators and grant full access to a
service, such as AmazonDynamoDBFullAccess and IAMFullAccess.
• They provide various levels of access to AWS services so that appropriate permissions
can easily be assigned to users, groups, and roles.
• One type of AWS managed policy is aligned to commonly used job functions in the IT
industry, for example AdministratorAccess.
• You cannot change the permissions in an AWS managed policy. Rather, AWS occasionally
updates the permissions defined in an AWS managed policy, and the update affects every
principal entity (user, group, or role) that the policy is attached to.
• AWS most often updates an AWS managed policy when a new AWS service is launched or new
API calls become available for existing services. For example, when AWS launches a new
service, AWS updates the ReadOnlyAccess policy to add read-only permissions for the new
service.
Pictorial View
Customer Managed Policy
• Standalone policies created and administered in your own AWS account. A customer
managed policy can be attached to multiple principal entities to give them the
permissions defined in the policy.
• A common starting point is to copy an existing AWS managed policy and customize it
to your environment.
Pictorial View
Inline Policy
• A policy that's embedded in a principal entity (a user, group, or role)—that
is, the policy is an inherent part of the principal entity. You can create a
policy and embed it in a principal entity, either when you create the
principal entity or later.
Pictorial View
Which Policy (Choosing Between Managed /Inline)
• The different types of policies are for different use cases. Managed policies provide the following features:
• Reusability: a single managed policy can be attached to multiple principal entities (users, groups, and roles). You can
build a library of policies that define permissions useful for your AWS account and attach them to principal entities
as needed.
• Central change management: a change to a managed policy is applied to all principal entities it is attached to. For
example, to add permission for a new AWS API, update the managed policy once and the change applies to every attached
principal entity. In contrast, with an inline policy you must edit each principal entity that contains the policy: if a
group and a role both contain the same inline policy, both must be edited individually to change that policy.
• Versioning and rolling back: when you change a customer managed policy, the changed policy does not overwrite the
existing one. Instead, IAM creates a new version of the managed policy. IAM stores up to five versions of each customer
managed policy, and you can use policy versions to revert a policy to an earlier version if you need to.
• A policy version is different from the Version policy element. The Version element is used within a policy document and
defines the version of the policy language (2012-10-17 in the examples above).
• Delegating permissions management: you can allow users to attach and detach policies while you keep control over the
permissions defined in those policies; for example, only a few designated full admins can create, update, and delete
policies.
• Automatic updates for AWS managed policies: AWS updates them when necessary (e.g., adding permissions for new AWS
services), and the updates are automatically applied to the principal entities the AWS managed policy is attached to.
• In most cases, AWS recommends that you use managed policies instead of inline policies.
Which Policy (Choosing Between Managed /Inline)
Using Inline Policies
• Inline policies are useful if you want to maintain a strict one-to-one
relationship between a policy and the principal entity that it's applied to.
For example, you want to be sure that the permissions in a policy are not
inadvertently assigned to a principal entity other than the one they're
intended for. When you use an inline policy, the permissions in the policy
cannot be inadvertently attached to the wrong principal entity. In addition,
when you use the AWS Management Console to delete that principal
entity, the policies embedded in the principal entity are deleted as well.
That's because they are part of the principal entity.
Recap Policies
• A policy is an entity in AWS attached to an identity or resource, defines its permissions.
• AWS evaluates policies upon a request from a principal. Permissions in the policies
determine whether the request is allowed or denied.
• Policies are stored in AWS as JSON documents that are attached to principals
as identity-based policies or to resources as resource-based policies.
• You can attach an identity-based policy to a principal (or identity), such as an IAM
group, user, or role. Identity-based policies include AWS managed policies, customer
managed policies, and inline policies.
• By default all requests are denied, so you must provide access to the services, actions,
and resources that you intend for the identity to access. If you also want to allow access
to complete the specified actions in the IAM console, you need to provide additional
permissions.
• The following library of example policies (from the IAM documentation) can help you define
permissions for your IAM identities. The JSON document of each example can be used as a
template for your own policies.
Example Policies: AWS
• Allows access during a specific range of dates
• Allows specific access when using MFA during a specific range of dates
• Denies access to AWS based on the source IP address
Example Policies: AWS CodeCommit
• Allows read access to an AWS CodeCommit repository, programmatically and in the console
Example Policies: AWS Data Pipeline
• Denies access to pipelines that a user did not create
Example Policies: Amazon DynamoDB
• Allows access to a specific Amazon DynamoDB table
• Allows access to specific Amazon DynamoDB columns
• Allows row-level access to Amazon DynamoDB based on an Amazon Cognito ID
Example Policies: Amazon EC2
• Allows an Amazon EC2 instance to attach or detach volumes
• Allows attaching or detaching Amazon EBS volumes to Amazon EC2 instances based on tags
• Allows launching Amazon EC2 instances in a specific subnet, programmatically and in the console
• Allows managing Amazon EC2 security groups associated with a specific VPC, programmatically and in the console
• Allows starting or stopping Amazon EC2 instances a user has tagged, programmatically and in the console
• Allows full Amazon EC2 access within a specific region, programmatically and in the console
• Allows starting or stopping a specific Amazon EC2 instance and modifying a specific security group,
programmatically and in the console
• Limits terminating Amazon EC2 instances to a specific IP address range
Example Policies: AWS Identity and Access Management (IAM)
• Allows access to the policy simulator API
• Allows access to the policy simulator console
• Allows using the policy simulator API for users with a specific path
• Allows using the policy simulator console for users with a specific path
• Allows IAM users to self-manage an MFA device
• Allows IAM users to rotate their own credentials, programmatically and in the console
• Limits managed policies that can be applied to a new IAM user, group, or role
Example Policies: Amazon RDS
• Allows full Amazon RDS database access within a specific region
• Allows restoring Amazon RDS databases, programmatically and in the console
• Allows tag owners full access to Amazon RDS resources that they have tagged
Example Policies: Amazon S3
• Allows an Amazon Cognito user to access objects in their own Amazon S3 bucket
• Allows IAM users to access their own home directory in Amazon S3, programmatically and in the console
• Allows a user to manage a single Amazon S3 bucket and denies every other AWS action and resource
• Allows read and write access to a specific Amazon S3 bucket
• Allows read and write access to a specific Amazon S3 bucket, programmatically and in the console
EC2
Amazon EC2
Elastic Compute Cloud (Amazon EC2) is a web service that provides secure,
resizable compute capacity in the cloud. It is designed to make web-scale cloud
computing easier for developers.
Amazon EC2’s simple web service interface allows you to obtain and configure
capacity with minimal friction. It provides you with complete control of your
computing resources and lets you run on Amazon’s proven computing
environment. Amazon EC2 reduces the time required to obtain and boot new
server instances to minutes, allowing you to quickly scale capacity, both up and
down, as your computing requirements change. Amazon EC2 changes the
economics of computing by allowing you to pay only for capacity that you actually
use. Amazon EC2 provides developers the tools to build failure resilient
applications and isolate them from common failure scenarios.
Benefits
Reliable: Amazon EC2 offers a highly reliable environment where replacement instances
can be rapidly and predictably commissioned. The service runs within Amazon’s proven
network infrastructure and data centers. The Amazon EC2 Service Level Agreement
commitment is 99.99% availability for each Amazon EC2 Region.
Secure: Cloud security at AWS is the highest priority. As an AWS customer, you will benefit
from a data center and network architecture built to meet the requirements of the most
security-sensitive organizations. Amazon EC2 works in conjunction with Amazon VPC to
provide security and robust networking functionality for your compute resources.
Inexpensive: Amazon EC2 passes on to you the financial benefits of Amazon’s scale. You
pay a very low rate for the compute capacity you actually consume.
Easy to Start: There are several ways to get started with Amazon EC2. You can use the AWS
Management Console, the AWS Command Line Tools (CLI), or AWS SDKs. AWS is free to get
started.
Benefits
Elastic Web-Scale Computing: Amazon EC2 enables you to increase or decrease capacity within minutes, not hours
or days. You can commission one, hundreds, or even thousands of server instances simultaneously. Amazon EC2 Auto
Scaling maintains the availability of your EC2 fleet and automatically scales it up and down according to demand,
to maximize performance and minimize cost.
Completely Controlled: You have complete control of your instances, including root access and the ability to
interact with them as you would with any machine. You can stop any instance while retaining the data on the boot
partition, and subsequently restart the same instance using web service APIs. Instances can be rebooted remotely
using web service APIs, and you also have access to their console output.
Flexible Cloud Hosting Services: You have the choice of multiple instance types, operating systems, and software
packages. Amazon EC2 allows you to select a configuration of memory, CPU, instance storage, and boot partition size
that is optimal for your choice of operating system and application. For example, the choice of operating systems
includes numerous Linux distributions and Microsoft Windows Server.
Integrated: Amazon EC2 is integrated with most AWS services, such as Amazon Simple Storage Service (Amazon S3),
Amazon Relational Database Service (Amazon RDS), and Amazon Virtual Private Cloud (Amazon VPC), to provide a
complete, secure solution for computing, query processing, and cloud storage across a wide range of applications.
Amazon EC2 Features
• Virtual computing environments, known as instances
• Preconfigured templates for your instances, known as Amazon Machine Images (AMIs), that package the bits you need
for your server (including the operating system and additional software)
• Various configurations of CPU, memory, storage, and networking capacity for your instances, known as instance types
• Secure login information for your instances using key pairs (AWS stores the public key, and you store the private key in a
secure place)
• Storage volumes for temporary data that's deleted when you stop or terminate your instance, known as instance store
volumes
• Persistent storage volumes for your data using Amazon Elastic Block Store (Amazon EBS), known as Amazon EBS volumes
• Multiple physical locations for your resources, such as instances and Amazon EBS volumes, known as regions and
Availability Zones
• A firewall that enables you to specify the protocols, ports, and source IP ranges that can reach your instances using
security groups
• Static IPv4 addresses for dynamic cloud computing, known as Elastic IP addresses
• Metadata, known as tags, that you can create and assign to your Amazon EC2 resources
• Virtual networks you can create that are logically isolated from the rest of the AWS cloud, and that you can optionally
connect to your own network, known as virtual private clouds (VPCs)
Accessing Amazon EC2
• Amazon EC2 provides a web-based user interface, the Amazon EC2 console. If
you've signed up for an AWS account, you can access the Amazon EC2 console by
signing into the AWS Management Console and selecting EC2 from the console
home page. Also a command line interface, with following options:
• AWS Command Line Interface (CLI) Provides commands for a broad set of AWS
products, and is supported on Windows, Mac, and Linux. To get started, see AWS
Command Line Interface User Guide.
• AWS Tools for Windows PowerShell Provides commands for a broad set of AWS
products for those who script in the PowerShell environment.
• Amazon EC2 also provides a Query API. These are HTTP or HTTPS requests that use the
HTTP verbs GET or POST and a Query parameter named Action. For more information, see
the API actions for Amazon EC2.
• If you prefer to build applications using language-specific APIs instead of
submitting requests over HTTP or HTTPS, AWS provides libraries, sample code,
tutorials, and other resources for software developers. These libraries provide
basic functions that automate tasks such as cryptographically signing your
requests, retrying requests, and handling error responses, making it easier for
you to get started.
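The request signing that the libraries hide (noted under Accessing IAM earlier, where the SDKs "take care of cryptographically signing requests", and in the Query API bullet here) is AWS Signature Version 4. The following added example was written for this page from the public SigV4 specification; it is not AWS SDK code. It signs a constructed EC2 Query API request: the access key and secret (the placeholder values AWS uses in its documentation), the timestamp and the request itself are assumptions, and nothing is sent to AWS.

```python
"""AWS Signature Version 4 for a Query API request: the signing step that the
SDKs and CLI perform on every call.  Added example written from the public
SigV4 specification for this page; not AWS SDK code.  The credentials and the
request below are constructed placeholders and nothing is sent."""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
EMPTY_PAYLOAD_HASH = hashlib.sha256(b"").hexdigest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, message: str) -> bytes:
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(params: dict) -> str:
    """Query parameters sorted by name, names and values RFC 3986-encoded."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                    for k, v in sorted(params.items()))


def canonical_request(method: str, path: str, params: dict,
                      headers: dict, payload: bytes = b""):
    """Return (canonical request, signed-headers list).  Header names are
    lower-cased and sorted, values trimmed; the payload enters only as its
    SHA-256, so a tampered body or query string invalidates the signature."""
    canon = {name.lower(): " ".join(value.split()) for name, value in headers.items()}
    names = sorted(canon)
    signed_headers = ";".join(names)
    lines = [method.upper(), path, canonical_query(params)]
    lines += [f"{name}:{canon[name]}" for name in names]
    lines += ["", signed_headers, _sha256_hex(payload)]
    return "\n".join(lines), signed_headers


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service),
    "aws4_request").  The long-term secret never touches the wire; only this
    date/region/service-scoped key signs, which limits the damage if a derived
    key leaks (e.g. into a log)."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method, host, path, params, amz_date, region, service,
                 access_key, secret_key, payload=b""):
    """Return the Authorization header value for one Query API request.
    amz_date is the ISO 8601 basic timestamp also sent as X-Amz-Date."""
    date_stamp = amz_date[:8]
    headers = {"Host": host, "X-Amz-Date": amz_date}
    creq, signed_headers = canonical_request(method, path, params, headers, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                _sha256_hex(creq.encode("utf-8"))])
    signature = _hmac(signing_key(secret_key, date_stamp, region, service),
                      string_to_sign).hex()
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


if __name__ == "__main__":
    # Constructed request: the Query API action DescribeInstances against EC2 in
    # us-east-1, signed with the placeholder credentials from the AWS documentation.
    print(sign_request("GET", "ec2.us-east-1.amazonaws.com", "/",
                       {"Action": "DescribeInstances", "Version": "2016-11-15"},
                       "20150830T123600Z", "us-east-1", "ec2",
                       "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"))
```

The Authorization value travels with the Host and X-Amz-Date headers. The service re-derives the same scoped key from its copy of the secret, rebuilds the canonical request from what it actually received, and rejects the call if any signed header, query parameter or the payload hash differs, or if X-Amz-Date is more than 15 minutes away from its clock; that is what makes a captured request useless for replay with a different Action or after the window closes.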
Purchase Options
When you first sign up for AWS, you can get started with Amazon EC2 for free using the AWS Free Tier. Amazon EC2 provides the following options for instance purchasing:

• On-Demand Instances – Pay, by the second, for the instances that you launch. No long-term commitments or upfront payments.

• Savings Plans – Reduce costs via a committed consistent amount of usage, USD per hour, for a term of 1 or 3 years.

• Reserved Instances – Reduce costs via a committed amount of usage of a consistent instance configuration (type and Region), reserved for a term of 1 or 3 years.

• Scheduled Instances – Purchase instances that are always available on the specified recurring schedule, for a one-year term.

• Spot Instances – Request unused EC2 instances, which can reduce your Amazon EC2 costs significantly.

• Dedicated Hosts – Pay for a physical host that is fully dedicated to running your instances, and bring your existing per-socket, per-core, or per-VM
software licenses to reduce costs.

• Dedicated Instances – Pay, by the hour, for instances that run on single-tenant hardware.

• Capacity Reservations – Reserve capacity for your EC2 instances in a specific Availability Zone for any duration.
Instance Lifecycle
• The purchase option affects the lifecycle of the instance.
• An On-Demand Instance starts at launch and ends at termination.
• A Spot Instance runs as long as capacity is available and your maximum price is higher than the Spot price.
• A Scheduled Instance is launched during its scheduled time period; Amazon EC2 launches the instances and then terminates them three minutes before the time period ends.

Lifecycle transitions: launch, stop, hibernate, start, reboot, or terminate.


Determining Instance Lifecycle
PCI DSS Compliance

Amazon EC2 supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS).
OpenStack

Vishal Kaushik, 2018


The E-mail That Started It All
The Birth of OpenStack
OpenStack community figures (infographic):
• Companies: 338
• Countries: 135
• Individual members: 15,672
• Top 10 countries: United States, China, India, Great Britain, France, Russia, Australia, Canada, Japan, Germany
• Total developers: 2130
• Average monthly contributors: 374
• Code contributions: 115,206
Automation and Orchestration of IT Resources
In a Loosely Coupled Architecture
To Deliver Self-Service IT Rapidly and At Scale
Leveraging Many Open Source Projects
Rackspace Private Cloud Reference Architecture

References OpenStack
The OpenStack Foundation
http://www.openstack.org/

Official OpenStack Documentation
http://docs.openstack.org/

The OpenStack Cloud Computing Cookbook (Second Edition)
http://www.amazon.com/OpenStack-Cloud-Computing-Cookbook-Jackson/dp/1782167587/ref=sr_1_1?s=books&ie=UTF8&qid=1382033707&sr=1-1
Trying Out OpenStack
TryStack (OpenStack Sandbox)
http://trystack.org/

OpenStack-based Public Clouds
• DreamHost
  http://dreamhost.com/cloud/
• HP Public Cloud
  https://www.hpcloud.com/
• Rackspace Public Cloud
  http://www.rackspace.com/cloud/
Deploying OpenStack
OpenStack Distributions
Red Hat - http://openstack.redhat.com/
SUSE - https://www.suse.com/products/suse-cloud/
Ubuntu - http://www.ubuntu.com/cloud

Packaged Deploys For Different Linux Distros
Mirantis - https://fuel.mirantis.com/
Piston Cloud Computing - http://www.pistoncloud.com/openstack-cloud-software/
Rackspace - http://www.rackspace.com/cloud/private/openstack_software/

Configuration Management Tools
Opscode Chef - https://github.com/opscode/openstack-chef-repo/
Puppet Labs Puppet - http://puppetlabs.com/solutions/cloud-automation/compute/openstack
Join the Community
Join The OpenStack Community
http://www.openstack.org/community/

Demo
Identity (Keystone)

• OpenStack Identity (Keystone) provides a central directory of users mapped to the OpenStack services they can access. It acts as a common authentication system across the cloud operating system and can integrate with existing backend directory services like LDAP. It supports multiple forms of authentication including standard username and password credentials, token-based systems and AWS-style (i.e. Amazon Web Services) logins. Additionally, the catalog provides a queryable list of all of the services deployed in an OpenStack cloud in a single registry. Users and third-party tools can programmatically determine which resources they can access.
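As an added example (not from these slides or from Keystone's own code), the following Python builds Keystone v3 authentication request bodies for the password and token methods and reads the service catalog from a constructed token response, so a client can determine which endpoints it may access and whether its token is still valid. The hostnames, ids and expiry time are constructed.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample of a Keystone v3 token response body. The token id itself is
# returned in the X-Subject-Token response header, not in the body.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token": {
        "expires_at": "2030-01-01T00:00:00.000000Z",
        "project": {"id": "p-demo", "name": "demo"},
        "roles": [{"id": "r-member", "name": "member"}],
        "catalog": [
            {"type": "identity", "name": "keystone", "endpoints": [
                {"interface": "public", "region": "RegionOne", "url": "https://cloud.example.com:5000/v3"}]},
            {"type": "compute", "name": "nova", "endpoints": [
                {"interface": "public", "region": "RegionOne", "url": "https://cloud.example.com:8774/v2.1"},
                {"interface": "admin", "region": "RegionOne", "url": "https://cloud.example.com:8774/v2.1"}]},
            {"type": "object-store", "name": "swift", "endpoints": [
                {"interface": "public", "region": "RegionTwo", "url": "https://swift.example.com/v1/AUTH_p-demo"}]},
        ],
    }
})

KEYSTONE_TS = "%Y-%m-%dT%H:%M:%S.%fZ"  # timestamp format Keystone uses in expires_at


def password_auth_body(username, password, user_domain, project, project_domain) -> dict:
    """JSON body for POST /v3/auth/tokens using the password method, scoped to a project."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"name": username, "domain": {"name": user_domain}, "password": password}},
        },
        "scope": {"project": {"name": project, "domain": {"name": project_domain}}},
    }}


def token_auth_body(token_id, project_id) -> dict:
    """JSON body that exchanges an existing (e.g. unscoped) token for a project-scoped one."""
    return {"auth": {
        "identity": {"methods": ["token"], "token": {"id": token_id}},
        "scope": {"project": {"id": project_id}},
    }}


def parse_catalog(body: str) -> Dict[str, Dict[Tuple[str, str], str]]:
    """Map service type -> {(region, interface): url} from the token's service catalog."""
    catalog: Dict[str, Dict[Tuple[str, str], str]] = {}
    for service in json.loads(body)["token"].get("catalog", []):
        entries = catalog.setdefault(service["type"], {})
        for ep in service.get("endpoints", []):
            entries[(ep["region"], ep["interface"])] = ep["url"]
    return catalog


def find_endpoint(body, service_type, interface="public", region=None) -> Optional[str]:
    """Pick the endpoint a client should use; None if the catalog does not offer one."""
    for (ep_region, ep_interface), url in parse_catalog(body).get(service_type, {}).items():
        if ep_interface == interface and (region is None or ep_region == region):
            return url
    return None


def accessible_services(body) -> List[str]:
    """Service types the token holder can reach, as listed in the catalog."""
    return sorted(parse_catalog(body))


def token_is_valid(body, now_utc: Optional[str] = None) -> bool:
    """Keystone tokens are time-limited; reject an expired one before using it.
    now_utc is given in Keystone's own timestamp format; None means the current time."""
    expires = datetime.strptime(json.loads(body)["token"]["expires_at"], KEYSTONE_TS)
    if now_utc is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    else:
        now = datetime.strptime(now_utc, KEYSTONE_TS)
    return now < expires


if __name__ == "__main__":
    print(json.dumps(password_auth_body("alice", "constructed-password", "Default", "demo", "Default")))
    print(accessible_services(SAMPLE_TOKEN_RESPONSE))
    print(find_endpoint(SAMPLE_TOKEN_RESPONSE, "compute"))
    print(token_is_valid(SAMPLE_TOKEN_RESPONSE))
```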

Compute (Nova)
• OpenStack Compute (Nova) is a cloud computing fabric controller, which is the main part of an
IaaS system. It is designed to manage and automate pools of computer resources and can work
with widely available virtualization technologies, as well as bare metal and high-performance
computing (HPC) configurations. KVM, VMware, and Xen are available choices for hypervisor
technology (virtual machine monitor), together with Hyper-V and Linux container technology such
as LXC.

• It is written in Python and uses many external libraries such as Eventlet (for concurrent
programming), Kombu (for AMQP communication), and SQLAlchemy (for database access).
Compute's architecture is designed to scale horizontally on standard hardware with no
proprietary hardware or software requirements and provide the ability to integrate with legacy
systems and third-party technologies.

• Due to its widespread integration into enterprise-level infrastructures, monitoring OpenStack performance in general, and Nova performance in particular, at scale has become an increasingly important issue. Monitoring end-to-end performance requires tracking metrics from Nova, Keystone, Neutron, Cinder, Swift and other services, in addition to monitoring RabbitMQ which is used by OpenStack services for message passing. All these services generate their own log files, which, especially in enterprise-level infrastructures, also should be monitored.
Networking (Neutron)
• OpenStack Networking (Neutron) is a system for managing networks and IP addresses. OpenStack
Networking ensures the network is not a bottleneck or limiting factor in a cloud deployment, and
gives users self-service ability, even over network configurations.

• OpenStack Networking provides networking models for different applications or user groups.
Standard models include flat networks or VLANs that separate servers and traffic. OpenStack
Networking manages IP addresses, allowing for dedicated static IP addresses or DHCP. Floating
IP addresses let traffic be dynamically rerouted to any resources in the IT infrastructure, so users
can redirect traffic during maintenance or in case of a failure.

• Users can create their own networks, control traffic, and connect servers and devices to one or
more networks. Administrators can use software-defined networking (SDN) technologies
like OpenFlow to support high levels of multi-tenancy and massive scale. OpenStack networking
provides an extension framework that can deploy and manage additional network services—such
as intrusion detection systems (IDS), load balancing, firewalls, and virtual private networks (VPN).

Block storage (Cinder)
• OpenStack Block Storage (Cinder) provides persistent block-level storage devices
for use with OpenStack compute instances.
• The block storage system manages the creation, attaching and detaching of the
block devices to servers. Block storage volumes are fully integrated into
OpenStack Compute and the Dashboard allowing for cloud users to manage their
own storage needs. In addition to local Linux server storage, it can use storage
platforms including Ceph, CloudByte, Coraid, EMC (ScaleIO, VMAX, VNX and
XtremIO), GlusterFS, Hitachi Data Systems, IBM Storage (IBM DS8000, Storwize
family, SAN Volume Controller, XIV Storage System, and GPFS), Linux LIO,
NetApp, Nexenta, Nimble Storage, Scality, SolidFire, HP (StoreVirtual and 3PAR
StoreServ families) and Pure Storage.
• Block storage is appropriate for performance sensitive scenarios such as database
storage, expandable file systems, or providing a server with access to raw block
level storage. Snapshot management provides powerful functionality for backing
up data stored on block storage volumes. Snapshots can be restored or used to
create a new block storage volume.
Image (Glance)
• OpenStack Image (Glance) provides discovery, registration, and delivery services for disk and
server images. Stored images can be used as a template. It can also be used to store and
catalog an unlimited number of backups. The Image Service can store disk and server images
in a variety of back-ends, including Swift. The Image Service API provides a standard REST
interface for querying information about disk images and lets clients stream the images to
new servers.

• Glance adds many enhancements to existing legacy infrastructures. For example, if integrated
with VMware, Glance introduces advanced features to the vSphere family such as vMotion,
high availability and dynamic resource scheduling (DRS). vMotion is the live migration of a
running VM, from one physical server to another, without service interruption. Thus, it
enables a dynamic and automated self-optimizing datacenter, allowing hardware
maintenance for the underperforming servers without downtimes.

• Other OpenStack modules that need to interact with Images, for example Heat, must
communicate with the images metadata through Glance. Also, Nova can present information
about the images, and configure a variation on an image to produce an instance. However,
Glance is the only module that can add, delete, share, or duplicate images.
Object storage (Swift)
• OpenStack Object Storage (Swift) is a scalable redundant storage system.
Objects and files are written to multiple disk drives spread throughout
servers in the data center, with the OpenStack software responsible for
ensuring data replication and integrity across the cluster.
• Storage clusters scale horizontally simply by adding new servers. In case of a
server or hard drive failure, OpenStack replicates its content from other
active nodes to new locations in the cluster. Because OpenStack uses
software logic to ensure data replication and distribution across different
devices, inexpensive commodity hard drives and servers can be used.
• SwiftStack, an object storage software company, is currently the leading
developer for Swift with significant contributions from HP, Red Hat, NTT,
NEC, IBM and more.

• In August 2009, Rackspace started the development of the precursor to OpenStack Object Storage, as a complete replacement for the Cloud Files product. The initial development team consisted of nine developers.
Dashboard (Horizon)
• OpenStack Dashboard (Horizon) provides administrators and users
with a graphical interface to access, provision, and automate
deployment of cloud-based resources.
• The design accommodates third party products and services, such as
billing, monitoring, and additional management tools.
• The dashboard is also brand-able for service providers and other
commercial vendors who want to make use of it. The dashboard is
one of several ways users can interact with OpenStack resources.
• Developers can automate access or build tools to manage resources
using the native OpenStack API or the EC2 compatibility API.

Orchestration (Heat)
• Heat is a service to orchestrate multiple composite cloud applications
using templates, through both an OpenStack-native REST API and a
CloudFormation-compatible Query API.

Workflow (Mistral)
• Mistral is a service that manages workflows. A user typically writes a workflow in a YAML-based workflow language and uploads the workflow definition to Mistral via its REST API. The user can then start this workflow manually via the same API or configure a trigger to start the workflow on some event.

Telemetry (Ceilometer)
• OpenStack Telemetry (Ceilometer) provides a Single Point Of Contact
for billing systems, providing all the counters they need to establish
customer billing, across all current and future OpenStack
components.
• The delivery of counters is traceable and auditable, the counters must
be easily extensible to support new projects, and agents doing data
collections should be independent of the overall system.

Database (Trove)
• Trove is a database-as-a-service that provisions relational and non-relational database engines.

Elastic map reduce (Sahara)
• Sahara is a component to easily and rapidly provision Hadoop
clusters. Users will specify several parameters like the Hadoop version
number, the cluster topology type, node flavor details (defining disk
space, CPU and RAM settings), and others.
• After a user provides all of the parameters, Sahara deploys the cluster
in a few minutes.
• Sahara also provides means to scale a preexisting Hadoop cluster by
adding and removing worker nodes on demand.

Bare metal (Ironic)
• Ironic is an OpenStack project that provisions bare metal machines
instead of virtual machines. It was initially forked from the Nova
Baremetal driver and has evolved into a separate project.
• It is best thought of as a bare-metal hypervisor API and a set of
plugins that interact with the bare-metal hypervisors.
• By default, it will use PXE and IPMI in concert to provision and turn on
and off machines, but Ironic supports and can be extended with
vendor-specific plugins to implement additional functionality.

Messaging (Zaqar)
• Zaqar is a multi-tenant cloud messaging service for Web developers.
The service features a fully RESTful API, which developers can use to
send messages between various components of their SaaS and
mobile applications by using a variety of communication patterns.
Underlying this API is an efficient messaging engine designed with
scalability and security in mind.
• Other OpenStack components can integrate with Zaqar to surface
events to end users and to communicate with guest agents that run in
the "over-cloud" layer.

Shared file system (Manila)
• OpenStack Shared File System (Manila) provides an open API to
manage shares in a vendor agnostic framework.
• Standard primitives include ability to create, delete, and give/deny
access to a share and can be used standalone or in a variety of
different network environments.
• Commercial storage appliances from EMC, NetApp, HP, IBM, Oracle,
Quobyte, and Hitachi Data Systems are supported as well as
filesystem technologies such as Red Hat GlusterFS or Ceph.

DNS (Designate)
• Designate is a multi-tenant REST API for managing DNS. This
component provides DNS as a Service and is compatible with many
backend technologies, including PowerDNS and BIND.
• It does not provide a DNS service as such; its purpose is to interface with existing DNS servers to manage DNS zones on a per-tenant basis.

Search (Searchlight)
• Searchlight provides advanced and consistent search capabilities
across various OpenStack cloud services.
• It accomplishes this by offloading user search queries from other
OpenStack API servers by indexing their data into ElasticSearch.
• Searchlight is being integrated into Horizon and also provides a
Command-line interface.

Key manager (Barbican)
• Barbican is a REST API designed for the secure storage, provisioning
and management of secrets.
• It is aimed at being useful for all environments, including large
ephemeral Clouds.

Container orchestration (Magnum)
• Magnum is an OpenStack API service developed by the OpenStack
Containers Team making container orchestration engines such as
Docker Swarm, Kubernetes, and Apache Mesos available as first class
resources in OpenStack.
• Magnum uses Heat to orchestrate an OS image which contains Docker
and Kubernetes and runs that image in either virtual machines or
bare metal in a cluster configuration.

Root Cause Analysis (Vitrage)
• Vitrage is the OpenStack RCA (Root Cause Analysis) service for
organizing, analyzing and expanding OpenStack alarms & events,
yielding insights regarding the root cause of problems and deducing
their existence before they are directly detected.

Rule-based alarm actions (Aodh)
• This alarming service enables the ability to trigger actions based on
defined rules against metric or event data collected by Ceilometer or
Gnocchi.

Compatibility with other APIs
• OpenStack does not strive for compatibility with other clouds' APIs. However, there is some amount of compatibility driven by various members of the OpenStack community.
• The EC2 API project aims to provide compatibility with Amazon EC2.
• The GCE API project aims to provide compatibility with Google Compute Engine.

Deployment models
• There are multiple ways devised by vendors to deploy OpenStack for customers:
- OpenStack-based Public Cloud: A vendor provides a public cloud computing system based on the OpenStack project.
- On-premises distribution: In this model, a customer downloads and installs an
OpenStack distribution within their internal network. See Distributions.
- Hosted OpenStack Private Cloud: A vendor hosts an OpenStack-based private
cloud: including the underlying hardware and the OpenStack software.
- OpenStack-as-a-Service: A vendor hosts OpenStack management software
(without any hardware) as a service. Customers sign up for the service and pair it
with their internal servers, storage and networks to get a fully operational private
cloud.
- Appliance based OpenStack: Nebula was a vendor that sold appliances that could
be plugged into a network which spawned an OpenStack deployment.
Releases and Evolution

Release name   Release date        Included component code names
Austin         21 October 2010     Nova, Swift
Bexar          3 February 2011     Nova, Glance, Swift
Cactus         15 April 2011       Nova, Glance, Swift
Diablo         22 September 2011   Nova, Glance, Swift
Essex          5 April 2012        Nova, Glance, Swift, Horizon, Keystone
Folsom         27 September 2012   Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
Grizzly        4 April 2013        Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
Havana         17 October 2013     Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer
Icehouse       17 April 2014       Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove
Juno           16 October 2014     Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara
Kilo           30 April 2015       Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic
Liberty        16 October 2015     Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic, Zaqar, Manila, Designate, Barbican, Searchlight
Mitaka         7 April 2016        Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic, Zaqar, Manila, Designate, Barbican, Searchlight, Magnum
Newton         6 October 2016      Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic, Zaqar, Manila, Designate, Barbican, Searchlight, Magnum, aodh, cloudkitty, congress, freezer, mistral, monasca-api, monasca-log-api, murano, panko, senlin, solum, tacker, vitrage, Watcher
Ocata          22 February 2017    Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic, Zaqar, Manila, Designate, Barbican, Searchlight, Magnum, aodh, cloudkitty, congress, freezer, mistral, monasca-api, monasca-log-api, murano, panko, senlin, solum, tacker, vitrage, Watcher
Pike           30 August 2017      Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic, Zaqar, Manila, Designate, Barbican, Searchlight, Magnum, aodh, cloudkitty, congress, freezer, mistral, monasca-api, monasca-log-api, murano, panko, senlin, solum, tacker, vitrage, Watcher
Xen Citrix
• Database — At least one Microsoft SQL Server database is required for every XenApp or XenDesktop Site to store all configuration and session information. This database stores the data collected and managed by the services that make up the Controller. Install the database within your data center, and ensure it has a persistent connection to the Controller.
• Virtual Delivery Agent (VDA) — The VDA is installed on each physical or virtual machine in your Site that you want to make available to users. It enables the machine to register with the Controller, which in turn allows the machine and the resources it is hosting to be made available to users. VDAs establish and manage the connection between the machine and the user device, verify that a Citrix license is available for the user or session, and apply whatever policies have been configured for the session. The VDA communicates session information to the Broker Service in the Controller through the broker agent included in the VDA. XenApp and XenDesktop include VDAs for Windows server and desktop operating systems. VDAs for Windows server operating systems allow multiple users to connect to the server at one time. VDAs for Windows desktops allow only one user to connect to the desktop at a time.
• StoreFront — StoreFront authenticates users to Sites hosting resources and manages stores of desktops and applications that users access. It hosts your enterprise application store, which lets you give users self-service access to desktops and applications you make available to them. It also keeps track of users’ application subscriptions, shortcut names, and other data to ensure they have a consistent experience across multiple devices.
• Receiver — Installed on user devices and other endpoints, such as virtual desktops, Citrix Receiver provides users with quick, secure, self-service access to documents, applications, and desktops from any of the user's devices, including smartphones, tablets, and PCs. Receiver provides on-demand access to Windows, Web, and Software as a Service (SaaS) applications. For devices that cannot install Receiver software, Receiver for HTML5 provides a connection through an HTML5-compatible web browser.
• Studio — Studio is the management console that enables you to configure and manage your deployment, eliminating the need for separate management consoles for managing delivery of applications and desktops. Studio provides various wizards to guide you through the process of setting up your environment, creating your workloads to host applications and desktops, and assigning applications and desktops to users. You can also use Studio to allocate and track Citrix licenses for your Site. Studio gets the information it displays from the Broker Service in the Controller.
• Director — Director is a web-based tool that enables IT support and help desk teams to monitor an environment, troubleshoot issues before they become system-critical, and perform support tasks for end users. You can use one Director deployment to connect to and monitor multiple XenApp or XenDesktop Sites. Director shows session and Site information from these sources:
  • Real-time session data from the Broker Service in the Controller, which includes data the Broker Service gets from the broker agent in the VDA.
  • Historical Site data from the Monitor Service in the Controller.
  • Data about HDX traffic (also known as ICA traffic) captured by HDX Insight from the NetScaler, if your deployment includes a NetScaler and your XenApp or XenDesktop edition includes HDX Insights.
Components of a XenApp or XenDesktop deployment Site.
Director
• Director is a web-based tool that enables IT support and help desk teams to monitor an environment, troubleshoot issues before they become system-critical, and perform support tasks for end users. You can use one Director deployment to connect to and monitor multiple XenApp or XenDesktop Sites. Director shows session and Site information from these sources:
  • Real-time session data from the Broker Service in the Controller, which includes data the Broker Service gets from the broker agent in the VDA.
  • Historical Site data from the Monitor Service in the Controller.
  • Data about HDX traffic (also known as ICA traffic) captured by HDX Insight from the NetScaler, if your deployment includes a NetScaler and your XenApp or XenDesktop edition includes HDX Insights.
• You can also view and interact with a user's sessions using Microsoft Remote Assistance.
License Server
• License server manages your product licenses. It communicates with
the Controller to manage licensing for each user's session and with
Studio to allocate license files. You must create at least one license
server to store and manage your license files.

Hypervisor
• The hypervisor hosts the virtual machines in your Site. These can be the virtual machines you use to host applications and desktops as well as virtual machines you use to host the XenApp and XenDesktop components. A hypervisor is installed on a host computer dedicated entirely to running the hypervisor and hosting virtual machines. The Citrix XenServer hypervisor is included with XenApp and XenDesktop, but you can use other supported hypervisors, such as Microsoft Hyper-V or VMware vSphere.
• Although most implementations of XenApp and XenDesktop require a hypervisor, you don’t need one to provide remote PC access or when you are using Provisioning Services (included with some editions of XenApp and XenDesktop) instead of MCS to provision virtual machines.
• These additional components, not shown in the illustration above, may also be included in typical XenApp or XenDesktop deployments:
Provisioning Services
• Provisioning Services is an optional component of XenApp and XenDesktop available with some editions. It provides an alternative to MCS for provisioning virtual machines. Whereas MCS creates copies of a master image, Provisioning Services streams the master image to the user device. Provisioning Services doesn’t require a hypervisor to do this, so you can use it to host physical machines. When Provisioning Services is included in a Site, it communicates with the Controller to provide users with resources.
NetScaler Gateway
• When users connect from outside the corporate firewall, this release
can use Citrix NetScaler Gateway (formerly Access Gateway)
technology to secure these connections with SSL. NetScaler Gateway
or NetScaler VPX virtual appliance is an SSL VPN appliance that is
deployed in the demilitarized zone (DMZ) to provide a single secure
point of access through the corporate firewall.

Citrix CloudBridge
• In deployments where virtual desktops are delivered to users at remote
locations such as branch offices, Citrix CloudBridge (formerly Citrix Branch
Repeater or WANScaler) technology can be employed to optimize
performance. Repeaters accelerate performance across wide-area
networks, so with Repeaters in the network, users in the branch office
experience LAN-like performance over the WAN. CloudBridge can prioritize
different parts of the user experience so that, for example, the user
experience does not degrade in the branch location when a large file or
print job is sent over the network. HDX WAN Optimization with
CloudBridge provides tokenized compression and data deduplication,
dramatically reducing bandwidth requirements and improving
performance. For more information, see the Citrix CloudBridge
documentation.
Virtualization Techniques
Software Virtualization
Virtual Desktop Infrastructure
Agenda
• Overview
• Virtual Desktop Infrastructure
  • Concept
  • Challenge
  • Case Study
• VMware VDI
• Citrix XenDesktop
• Ulteo OVD
Overview
Traditional Desktop
What Kinds of Desktop Do People Need Now?
Typical Desktop Deployment
(Illustration: a tightly coupled, locally installed stack of Hardware, Windows (Operating System), Applications (Apps), Profile, and User data & preferences, handled by the desktop management lifecycle 1. procure, 2. image, 3. secure, 4. deploy, 5. monitor, 6. maintain, 7. back-up, 8. retire, using existing methods, tools, and processes.)

• Tight binding between layers
• The components are linked together in ways that are difficult to support and maintain
• A problem at one layer often causes a chain reaction
  • May destroy the whole stack
  • Make recovery difficult
  • Threaten any locally stored user data and settings
• Most organizations just replace or re-image the whole PC
Traditional Desktop Infrastructure Challenges
Difficult to manage
• Variety of PC hardware and users’ needs
• Broadly distributed PC hardware
Inefficient resource utilization
• The distributed nature of PCs
High total cost of ownership
• High cost of PC management and support
• Lack of standardization and the need for support personnel to troubleshoot issues
Difficult to protect and secure data
• Data back-up and data restore when PCs fail or files are lost
• The risk of PC theft threatens the security of important data
Overview
Traditional Desktop
What Kind of Desktop Do People Need Now?
For End Users
• What do end users want for their PC?
  • Increased mobility
    • Anywhere access
    • Device independence
    • Roam across PCs
  • Consumerization
    • More workspace freedom
    • Flexible configurations
    • Access through own devices
For IT Pros
• What do IT pros want for their PC?
  • Security and compliance
    • Stolen laptops and data loss
    • Stringent regulation
    • Protection of the IT environment
  • Cost reduction
    • Increased computing complexity
    • Escalating operational costs
  • Disaster recovery
So, here comes …
Virtual Desktop Infrastructure
Concept
What is VDI?
Composition of VDI
Advantages and Disadvantage
A Computing Model
• Virtual Desktop Infrastructure (VDI) is a computing model that adds a layer of virtualization between the server and the desktop PCs
A Service
• VDI is a desktop-centric service
  • Users' desktop environments are hosted on remote servers and/or blades and accessed over a network using a remote display protocol (for example Microsoft RDP or Citrix ICA)
Characteristics
• Every desktop user can be served from the same image
  • Reduces management and support costs
  • Generally there is just one system to troubleshoot
• Processing moves from individual workstations to a VDI server
• Hardware costs can be more easily managed
  • Since almost everything resides in the data center
Why Centralize with VDI?
• Desktop location independence
  • Hot-desking between desktop PCs
  • Flexibly work from home and offsite contractor locations
• Business continuity
  • Quicker recovery from device malfunctions
  • Centralized data storage and backup reduces losses from stolen devices
• Data security & compliance
  • Keeps data safe in the datacenter
  • Centralized tracking helps simplify the burden of regulatory compliance
• Centralized management
Basic View
[Figure: a VDI Client connects over the VDI Protocol to the VDI Server, a virtual machine hosted in a data center that runs the Guest OS and the Virtual Desktop Agent]
• Virtual Desktop Client (VDC)
  • The converged end-user device
• VDI server
  • Virtual Desktop Agent (VDA): the control software that resides in a virtual machine hosted in a data center
• VDI protocol
  • Connects client and server
  • Transports the necessary control commands and I/O data
  • Different kinds of I/O data (for example display, input, printing or USB redirection) may be encapsulated in different virtual channels
VDI Components
[Figure: Client Devices connect via the Protocol to the Session Broker, which places each session on a Virtual Machine running a Guest OS; the VMs run on the Virtualization Platform, which is controlled by the Virtualization Management Platform]
Protocol
• Used by users to connect to the virtualized OS
• Handles certain features such as device and printer redirection
• The choice of protocol depends on the devices end users have
  • Example: a thin client, or a remote client running under a full OS
• Examples:
  • Remote Desktop Protocol (RDP)
    • Built into Windows XP and Vista
    • RDP allows users to access systems at remote locations with the ability to manipulate the system as if physically sitting at that computer terminal
  • Independent Computing Architecture (ICA)
    • A proprietary protocol for an application server system, designed by Citrix
    • The protocol lays down a specification for passing data between server and clients, but is not bound to any one platform
• Whichever protocol is chosen, its listener is the part of the virtual desktop exposed to the network, so how the protocol is transported and authenticated (for example RDP over TLS with Network Level Authentication) matters as much as its feature set
Desktop Remoting Techniques
• Fundamentally there are several different ways that a desktop running at
one place can show up on a screen of a client at another location:
• The “screen scrape” method
• Screen scrape + multimedia redirection
• Server graphics system virtualization
• Hardware acceleration on the server and client
Screen-Scraping
• The general idea with “screen scraping” is that whatever graphical
elements are painted to the “screen” on the host are then scraped by
the protocol interface and sent down to the client. This can happen in
two ways:
• The client can contact the server and pull a new “snapshot” of the screen from
the frame buffer. This is how VNC works.
• The server can continuously push its screen activity to the client. This can be at
the frame buffer level, the GDI / window manager level, or a combination of
both. (This is how RDP and ICA work)
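To make the difference between the two screen-scraping models concrete, here is an added example (not code from the slides, and not how VNC, RDP or ICA are actually implemented): a toy grayscale framebuffer is split into 16x16 tiles; `pull_snapshot` models the VNC-style client pull of the whole frame buffer, while `push_update` models the server-push model by keeping a per-client record of tile hashes and sending only the tiles that changed. The screen size, tile size and the painted rectangles are constructed values.

```python
# Added example (not code from the original slides or from VNC/RDP/ICA): a toy
# framebuffer split into tiles, used to compare a client-pulled full snapshot
# with server-pushed updates of only the tiles that changed.
import hashlib
from typing import Dict, Iterator, Tuple

Tile = Tuple[int, int]  # (row, col) position of a tile in the tile grid


class Framebuffer:
    """8-bit grayscale framebuffer (one byte per pixel) split into square tiles."""

    def __init__(self, width: int, height: int, tile: int = 16) -> None:
        if width % tile or height % tile:
            raise ValueError("width and height must be multiples of the tile size")
        self.width, self.height, self.tile = width, height, tile
        self.pixels = bytearray(width * height)

    def fill_rect(self, x: int, y: int, w: int, h: int, value: int) -> None:
        """Paint a rectangle, the kind of GDI-level change a remoting agent notices."""
        for row in range(y, y + h):
            start = row * self.width + x
            self.pixels[start:start + w] = bytes([value]) * w

    def tiles(self) -> Iterator[Tile]:
        for r in range(self.height // self.tile):
            for c in range(self.width // self.tile):
                yield (r, c)

    def tile_bytes(self, t: Tile) -> bytes:
        r, c = t
        out = bytearray()
        for row in range(r * self.tile, (r + 1) * self.tile):
            start = row * self.width + c * self.tile
            out += self.pixels[start:start + self.tile]
        return bytes(out)

    def tile_hashes(self) -> Dict[Tile, str]:
        return {t: hashlib.sha256(self.tile_bytes(t)).hexdigest() for t in self.tiles()}


def pull_snapshot(fb: Framebuffer) -> bytes:
    """Pull model (VNC style): the client asks and receives the whole frame buffer."""
    return bytes(fb.pixels)


def push_update(fb: Framebuffer, client_has: Dict[Tile, str]) -> Tuple[bytes, Dict[Tile, str]]:
    """Push model (RDP/ICA style): the server remembers what the client already
    holds and sends only tiles whose content hash changed, each prefixed with a
    2-byte (row, col) header. Returns the wire payload and the new client state."""
    current = fb.tile_hashes()
    dirty = [t for t, h in current.items() if client_has.get(t) != h]
    payload = bytearray()
    for r, c in dirty:
        payload += bytes([r, c]) + fb.tile_bytes((r, c))
    return bytes(payload), current


def wire_bytes_for_session() -> Tuple[int, int, int]:
    """Constructed scenario: a 64x64 screen, the first push (client has nothing),
    then a single 8x8 button repaint. Returns (snapshot, first_push, second_push) sizes."""
    fb = Framebuffer(64, 64)
    fb.fill_rect(0, 0, 64, 64, 0x80)            # initial desktop background
    snapshot = pull_snapshot(fb)
    first, state = push_update(fb, {})          # every tile is new to the client
    fb.fill_rect(20, 20, 8, 8, 0xFF)            # one small change inside tile (1, 1)
    second, state = push_update(fb, state)
    return len(snapshot), len(first), len(second)
```

`wire_bytes_for_session()` returns (4096, 4128, 258): the first push costs slightly more than a snapshot because of the per-tile headers, but the repaint of one button then costs a single tile. The per-client `client_has` table is the server-side state a push protocol has to keep (RDP's bitmap caches play a similar role); it is also why a pull protocol such as VNC can stay stateless at the price of resending everything.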
Screen Scrape + Multimedia Redirection
• A technique whereby server-side multimedia elements are sent in their native formats down to the client devices. The client then plays the multimedia streams locally and dynamically inserts them back into the proper position on the screen. This works well
  • If your client has the technical capability and hardware specs to render the multimedia, and
  • Your client has the proper codec installed so that it knows how to render the multimedia content. In effect, this means that your clients can't be "too thin", and that the media stream is parsed by the client's own codecs rather than on the server.
• This is what Citrix does in ICA with their "SpeedScreen" multimedia acceleration enhancements.
• It's also what Wyse does in RDP with their TCX enhancements.
Server Graphics System Virtualization
• Software on the host captures all possible graphical layers (GDI, WPF, DirectX, etc.) and renders them into a remote protocol stream (like RDP) where they're sent down to the client as fast as possible.
  • This gives the client an experience which is very close to local performance, regardless of the client device (even on very low-end WinCE and Linux clients).
• GPU capabilities must exist on the server side where the rendering is taking place.
  • This is fine if you plug a physical graphics card into physical hardware running a physical OS.
  • In a VDI scenario, your hypervisor must be able to virtualize the GPU just like any other piece of hardware. This means that the Windows desktop OS running inside the VM must be able to detect the "virtual" GPU so that it can enable all of its graphical features.
• This is what Calista Technologies does today
  • Full desktop-like remote experience to any RDP client, even low-end ones, over the regular RDP protocol.
Hardware Acceleration on Server/Client
• Screen and video content is captured on the host via a special chipset and sent across the network in a proprietary way to a client device with a matching special chipset.
• This is what Teradici does. Today their solution works with physical blades (with their special TERA chips) and their clients (also with TERA chips).
Session Broker
• The session broker is responsible for
  • Distributing sessions from clients to VMs
  • Redirecting disconnected sessions of users back to their original VMs
• Examples: Windows Server 2008 R2 (Remote Desktop Connection Broker), XenDesktop (for Microsoft VDI), and VMware View Manager
[Figure: several Clients connect through the Session Broker, which maps each of them to one of the VMs on the virtualization platform]

• A platform hosts VMs with the client operating systems


• This platform must have the capacity to host enough VMs for all
concurrently connected users

Guest Guest Guest


OS OS OS
Virtual Virtual Virtual
Machine Machine Machine

Virtualization Platform
Virtual Management Platform
• The virtual management platform is a platform that
  • Manages the servers
  • Provisions VMs quickly and efficiently
  • Uses templates and libraries of disk images to provision the client OS in VMs
• It ensures there is always a pool of VMs available for new connections
• Two other functions
  • Application virtualization
  • Profile and data redirection
Application Virtualization
• Application virtualization is software technology that encapsulates application software from the underlying operating system on which it is executed.
• Application virtualization is layered on top of other virtualization technologies, such as storage virtualization or machine virtualization, to allow computing resources to be distributed dynamically in real time.
• Application virtualization enables fast availability of applications to the virtual client OS.
• Solutions for application virtualization
  • Microsoft Application Virtualization (App-V)
  • VMware ThinApp
  • A related but different approach is Windows 7's Windows XP Mode, which runs older Windows XP applications unmodified inside a Windows Virtual PC virtual machine rather than in an application virtualization layer
Profile and Data Redirection
• It is important to maintain the customization and configuration done by users between connections
  • Users customize their environments
• Profile and data redirection ensures that
  • If users switch between VMs, they have a consistent environment
  • Any data the user stores, including folders such as Documents, is stored on a server
Client Devices
• Client devices are the point of access
• They could be
  • Thin clients
  • Clients running software on an OS
    • Such as Windows, Linux, or others supported by the VDI solution
Advantages
• Improved utilization
  • Efficient use of CPU and memory resources
• Improved availability
  • Reduced desktop downtime
• Improved manageability
  • Patches and upgrades performed in the data center
  • Centralized management reduces operational expenses
• Improved security
  • Data and applications reside in secure data centers (data no longer leaves with a stolen laptop, though the shared image and the broker become a single high-value target)
• Rapid client deployment
  • New users can be up and running quickly
Disadvantages
• A unique image is needed for each user (or group of users) that requires a different set of applications
• Requires a major investment in server hardware, and possibly in storage and network infrastructure
  • This might not be feasible for some smaller businesses
• Administrators need to learn the VDI software's capabilities and limitations
• Server-side problems can affect multiple users: everyone using that server or that image
  • It is good practice to set up redundant servers as a failsafe
Challenges for VDI
• Challenges
  • Interoperability
  • Ecosystem
  • Mobile access
Interoperability
• Although current VDI products aim at the same goal, they are defined by different companies using different methodologies.
• So ……
Ecosystem
• Each layer has a tight-coupling relationship with the others
  • They cannot move forward independently
• This is the main reason for the lack of interoperability
[Figure: VDI server, VDI protocol and VDI client stacked as tightly coupled layers]
Mobile Access
• Streaming applications in the best current systems consumes an extra 8x bandwidth compared to the original bitrate
• Service continuity issue
  • Switching over different access networks and different devices
• Duplicate sign-on issue
  • A mobile user will be authenticated at least twice (once by the network, and again by the VDI server)
VMware VDI
• An end-to-end desktop virtualization solution
• Uses VMware's proven virtualization platform (VI3)
• Delivers enterprise-class desktop control and manageability while providing a familiar user experience
> Control and manageability in an end-to-end solution
> Familiar end-user experience
> Rapid desktop deployments
> Enterprise-class scalability, management and reliability
> Tight integration with VMware VI3 – proven virtualization platform
VMware VDI Solution
VMware Infrastructure 3 Integration
• Manage desktops & servers on a single platform
• No retraining: similar administrative experience across desktops and servers
• End-to-end single vendor solution: common management, service and support
• Bring powerful data center capabilities to the desktop:
• VI3 Business Continuity (HA & DRS)
• Simplify backups and disaster recovery
• No single point of failure:
• Synchronized VDI servers
• Support for industry std server load balancing
• Runs desktops on proven virtualization platform (VI3)
VMware Virtual Desktop Manager
• Enterprise-class connection broker, connects users to their desktops via RDP
  • Web-based administrative interface
  • Automatically assigns desktops
  • Performs automatic desktop provisioning as needed
• Designed for small to enterprise organizations
  • Tightly integrated with VMware Infrastructure 3 for high availability, security & scalability
  • Multiple VDM servers can support thousands of users
[Figure: Enterprise-class Virtual Desktop Management Server]
VMware VDM: Individual Desktops
• Desktop virtual machines are created specifically for each user
• The user is manually associated with a virtual desktop through VDM Administrator
• The user is connected to the same desktop on subsequent connections
VMware VDM: Non-Persistent Pools
• Individual isolated desktops are returned to the pool after each use
• Each reverts to a pre-determined state for future use
• Efficient way to populate & provision desktops to end users
• A common template is used to create all desktops
VMware VDM: Persistent Pools
• Individual isolated desktops are assigned to a user on first login
• The desktop remains associated with the user on subsequent logins
• Efficient way to populate & provision desktops to end users
• A common template is used to create all desktops
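The following is an added example rather than VMware VDM code: a small session broker in Python that implements the three assignment models just described (individual desktops, non-persistent pools and persistent pools) together with the broker duty named earlier under VDI Components, redirecting a disconnected session back to the user's original VM. Pool names, user names and entitlement sets are constructed for the example, and the revert-to-template step is modelled by bumping a generation counter rather than by talking to a hypervisor.

```python
# Added example, not VMware VDM or any vendor's code: a minimal session broker
# implementing individual desktops, non-persistent pools, persistent pools and
# reconnection of disconnected sessions. All names below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Desktop:
    name: str
    pool: str
    owner: Optional[str] = None      # user the desktop is assigned to, if any
    connected: bool = False          # True while a live session exists
    disconnected: bool = False       # session exists but the client went away
    generation: int = 0              # bumped each time the VM is reverted to its template


@dataclass
class Pool:
    name: str
    kind: str                        # "individual" | "nonpersistent" | "persistent"
    entitled: Set[str]               # users allowed to request a desktop from this pool
    desktops: List[Desktop] = field(default_factory=list)


class SessionBroker:
    def __init__(self) -> None:
        self.pools: Dict[str, Pool] = {}
        self.sessions: Dict[str, Desktop] = {}   # user -> desktop with a live or disconnected session

    def add_pool(self, name: str, kind: str, entitled: Set[str], size: int) -> Pool:
        if kind not in ("individual", "nonpersistent", "persistent"):
            raise ValueError(f"unknown pool kind {kind!r}")
        pool = Pool(name, kind, set(entitled))
        pool.desktops = [Desktop(f"{name}-{i:02d}", name) for i in range(size)]
        self.pools[name] = pool
        return pool

    def assign(self, user: str, desktop_name: str) -> None:
        """Administrator action for 'individual' desktops: bind one user to one VM by hand."""
        d = self._find(desktop_name)
        if self.pools[d.pool].kind != "individual":
            raise ValueError("manual assignment only applies to individual desktops")
        d.owner = user

    def connect(self, user: str, pool_name: str) -> Desktop:
        pool = self.pools[pool_name]
        if user not in pool.entitled:
            raise PermissionError(f"{user} is not entitled to pool {pool_name}")
        # 1. An existing (possibly disconnected) session wins: send the user back to its VM.
        current = self.sessions.get(user)
        if current is not None:
            if current.pool != pool_name:
                raise RuntimeError(f"{user} already has a session in pool {current.pool}")
            current.connected, current.disconnected = True, False
            return current
        # 2. Individual and persistent desktops: reuse the VM already owned by this user.
        owned = next((d for d in pool.desktops if d.owner == user), None)
        if owned is None:
            if pool.kind == "individual":
                raise LookupError(f"no desktop has been assigned to {user} in {pool_name}")
            # 3. Pooled desktops: hand out a free VM (persistent pools then keep the binding).
            owned = next((d for d in pool.desktops if d.owner is None and not d.connected), None)
            if owned is None:
                raise RuntimeError(f"pool {pool_name} has no free desktops")
            owned.owner = user
        owned.connected, owned.disconnected = True, False
        self.sessions[user] = owned
        return owned

    def disconnect(self, user: str) -> None:
        """Client went away (network drop, closed laptop); the session is kept for reconnection."""
        d = self.sessions[user]
        d.connected, d.disconnected = False, True

    def logoff(self, user: str) -> None:
        d = self.sessions.pop(user)
        d.connected = d.disconnected = False
        if self.pools[d.pool].kind == "nonpersistent":
            d.owner = None           # back to the pool ...
            d.generation += 1        # ... after reverting to the pre-determined template state

    def _find(self, desktop_name: str) -> Desktop:
        for pool in self.pools.values():
            for d in pool.desktops:
                if d.name == desktop_name:
                    return d
        raise LookupError(desktop_name)
```

The entitlement check runs before any lookup, so an unentitled user learns nothing about pool occupancy, and the reconnect path only ever returns the desktop already bound to the session, so a reconnecting client cannot be steered onto another user's VM.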
VMware VDM Security
• Full integration with Microsoft Active Directory (AD):
  • User credentials authenticated against AD
  • VDM Connection Server maintains an authenticated session for each user
  • 'Single sign-on' (SSO) to virtual desktops
• Optional SSL encapsulation & tunneling
• Optional two-factor authentication via RSA SecurID®
• Event logs
VMware VDM Security Server
• SSL VPN used to secure connections between clients and the VMware VDM connection broker
• Optionally runs within the DMZ (demilitarized zone) for remote access users
• Fully encrypted connections
• Grow security servers for scalability of secure connections
[Figure: remote access connections arrive from outside the firewall at the Security Server, which forwards them to the VDM connection broker inside]
VMware VDI Client Access
Native Windows Client
• Provides extended capabilities (e.g. USB device support on Windows XP & Vista)
Thin-Client Support
• Thin clients based on Linux and XPe
• WYSE ThinOS models
Browser Access
• Windows, Linux & Mac
What Distinguishes VMware VDI?
Familiar End-User Experience
• Run applications with no modifications. The virtual desktop is unchanged.
• Leverage existing desktop management tools
• Support for USB devices through RDP extensions (e.g. local printing, storage, etc.)
• Support for multiple monitors in "stretch mode"
Making the move to virtual desktops as seamless as possible

"Our users love their hosted desktops. One user was totally upset and crying because she thought she had lost her documents. She couldn't believe it when the terminal came back up and everything was just how she had left it."
David Siles, CTO, Kane County Government (Illinois)
What Distinguishes VMware VDI?
Rapid Deployment
• VMware Infrastructure templates can be used to replicate 1000s of desktops quickly
• Automatic desktop provisioning with VDI pooling capabilities
• Rapid redeployments of virtual images throughout the desktop lifecycle
• Changing, patching and restarting images is improved when centralized & virtualized
How Customers Use VMware VDI
Desktop PC Replacement
Replace traditional PCs with thin clients, repurposed PCs or less costly desktop hardware. Address short desktop lifecycles. Simplify moves, adds & changes (MACs) because the desktop images are administered in the corporate data center.
Transactional Office Workers with Security Needs
Secure all sensitive personal records or intellectual property running on laptops in the host country data center. Control access to centralized desktop images through Microsoft AD. Provide complete desktop isolation. Ensure all sessions are fully encrypted using VMware VDI's optional Security Server.
Disaster Recovery & Business Continuity
Eliminate unplanned desktop downtime through VMware Infrastructure 3 DRS and HA capabilities. Simplify backup and desktop disaster recovery because desktops are located in the corporate data center and can leverage shared storage technology.
VMware VDI: Summary
Centralized Desktop Management & Control
• Desktop moves, adds & changes (MACs) are easier from a single location. Support personnel are no longer needed on location
• Maintain desktops in the secure corporate datacenter
• VMware VDI desktops are isolated from one another
Familiar End-User Experience
• A complete isolated desktop that is unchanged, simply running inside a virtual machine. No retraining. No custom modifications.
VMware Infrastructure 3 Scalability & Reliability
• Brings powerful VI3 capabilities to the desktop
• Single vendor solution
Case Study: Citrix XenDesktop
Composition
Features
• Supports any device, anywhere
• Delivers a high-quality user experience, even in 3D
• Deploys virtual desktops and apps for any use case
  • Any Windows, web or SaaS applications
• Transforms IT with open, scalable and proven technology
  • Single-instance management
  • Data security and access control
Different Types of Virtual Desktops
• Local VM
• Streamed VHD
• Hosted VDI
• Hosted Shared
Local VM
• Local VM desktops extend the benefits of centralized, single-instance management to mobile workers that need to use their laptops offline.
• When they are able to connect to a suitable network, changes to the OS, apps and user data are automatically synchronized with the datacenter.
Streamed VHD
• Streamed VHDs leverage the local processing power of rich clients, while
providing centralized single-image management of the desktop.
• This approach offers an easy, low-cost way for customers to get started
with desktop virtualization by leveraging existing PC resources and
keeping datacenter overhead to a minimum.
• It can also be ideal for government and university labs that use diskless
PCs for maximum data security.
Hosted VDI
• A Windows 7/XP desktop running as a virtual machine to which a single user connects remotely. One user's desktop is not impacted by another user's desktop configuration.
• Hosted VDI desktops offer a personalized Windows desktop experience, typically needed by office workers, which can be securely delivered over any network to any device.
• This option combines the benefits of central management with full user personalization, and can generally support up to 150 desktops per server.
Hosted Shared
• Users get a desktop interface, which can look like Windows 7. However, that desktop is actually being shared by every user on the server.
• Hosted Shared desktops provide a locked down, streamlined and standardized environment with a core set of applications, ideally suited for task workers where personalization is not needed — or allowed.
  • Because all users share one OS instance, isolation between them rests on Windows session and account separation rather than on a virtual machine boundary.
• Supporting up to 500 users on a single server, this model offers significant cost savings over any other virtual desktop technology.
On-Demand Apps
• Allows any Windows application to be centralized and managed in the datacenter, hosted either on multi-user terminal servers or virtual machines, and instantly delivered as a service to physical and virtual desktops.
Typical Desktop Deployment (Revisit)
[Figure: the tightly coupled, locally installed desktop stack from the Overview (Hardware, Operating System, Applications, Profile, User data & preferences) and its lifecycle run with existing methods, tools, and processes: 1. procure, 2. image, 3. secure, 4. deploy, 5. monitor, 6. maintain, 7. back-up, 8. retire]
Desktop Delivery Vision
XenDesktop is a Better Way…
[Figure: the same stack decoupled: Hardware; Windows (the OS); Apps dynamically delivered; Profiles virtualized & isolated]
XenDesktop
• Fewest possible desktop images
  • Desktop image simplicity
  • Fewer conflicts, minimized OS testing
• Low-touch, self-serve re-imaging
Desktop Delivery Components
1. Users request their desktop by logging in to the system
2. Operating systems, apps, and user profiles are provisioned on demand
3. Users are delivered their desktop remotely
[Figure: around these steps sit Support, Brokering and Monitoring services, Secure Remote Access and WAN Optimization in front of the users, and Profiles, Apps and OS provisioned onto a Hypervisor or Blade Chassis in the Virtual Desktop Infrastructure]
Citrix XenDesktop v2 Technology Components
[Figure: users connect through the ICA Client and Access Gateway, with WANScaler for WAN optimization, to the Desktop Delivery Controller, which brokers desktops running as VMs on Xen, Hyper-V or VMware or on a Blade Chassis; Provisioning Server streams the OS from Citrix optimized storage, XenApp delivers the Apps, Profiles are managed separately, GoToAssist provides support and EdgeSight provides monitoring]
Editions:
Edition           Express   Standard   Advanced   Enterprise   Platinum
Price (per CCU)   $0        $75        $195       $295         $395
Features (availability depends on edition):
• Core components
  • Desktop Delivery Controller
  • VM Infrastructure
  • Secure Remote Access
• Scalability
  • Desktop Provisioning
  • Resource Pooling & XenMotion
• Desktop Delivery Services
  • Performance Monitoring
  • Virtual Desktop Support
  • WAN Optimization
  • EasyCall
• Integrated App delivery (XenApp for Virtual Desktops)
Basic Desktop Delivery
[Figure: the component diagram reduced to its core: ICA Client, Access Gateway, Desktop Delivery Controller and the Virtual Desktop Agent running in the OS on Xen, Hyper-V, VMware or a Blade Chassis, with GoToAssist, EdgeSight, WANScaler, Profiles, Apps and Citrix optimized storage around it]
Virtual Desktop Agent and ICA Client
• Installed on all desktops (VMs or blades)
• Supports XP SP2 and Vista SP1 (32-bit)
• Delivers the virtual desktop via ICA to any ICA client
  • SpeedScreen
  • SpeedBrowse
  • SmoothRoaming
  • Universal Print Driver
  • Dynamic client drive mapping (USB drives)
  • Multi-monitor support
  • Session Reliability
  • ClearType
  • etc…
[Figure: Desktop Delivery Controller brokering an ICA connection to the Virtual Desktop Agent]
Desktop Delivery Controller
Solution
• Simple to deploy and administer
• Brokers end-to-end ICA connections
• Manages flexible desktop-user association:
  • Pooled
  • Assign on first use
  • Pre-assigned
• Enables secure ticket-based connections
• Supports single sign-on
• Runs on Windows Server 2003 (32 & 64-bit)
• Broad desktop hosting infrastructure support
• Efficient use of AD for non-volatile settings:
  • Transactional data moved from AD to the Data Store in Beta
[Figure: Desktop Delivery Controller brokering an ICA connection to the Virtual Desktop Agent]
End User Experience
Access scenarios:
• Desktop appliances: login, then a full-screen desktop
• Unmanaged machines: web page, then a windowed or full-screen desktop
Virtual Desktop Infrastructure
• Agnostic to desktop hosting infrastructure
• Enables management of desktops to optimize:
  - Power consumption
  - Infrastructure utilization
• Integration to VM infrastructure
  - Start
  - Suspend
  - Resume
  - Shutdown
• Virtual machine support
  - XenServer
  - Hyper-V
  - VMware VI3
• Blade PCs
  - Power for specialized users
• Traditional PCs
  - Migration and remote access
• SDK coming
[Figure: Desktop Delivery Controller controlling the Virtual Desktop Infrastructure]
XenServer
Fast:
• Para-virtualization sheds the 'middle man'
• Native 64-bit hypervisor
• Near bare-metal performance
• Resource pools
Secure:
• Thin hypervisor drastically reduces attack surface
Low maintenance:
• No drivers and thin means minimal patching – keeps workload running
• Next generation management architecture
• XenMotion: live relocation
• Clustered management layer
XenDesktop specific integration:
• XenDesktop-specific templates
• Preboot eXecution Environment (PXE) VMs (<500KB in size)
OS, App & Profile Management
VDI without XenDesktop:
• A single image for every desktop (1:1)
• Desktops managed individually
• Same problems, in a new location
VDI with XenDesktop:
• Single OS image to store & maintain
• Apps not installed, stored as a single image, delivered on demand and maintained centrally
• Managed profiles
[Figure: without XenDesktop, one image per VM on the hypervisor and network storage; with XenDesktop, one shared image on network storage behind Xen, Hyper-V or VMware]
How to Implement XenDesktop v2
[Figure: the Desktop Delivery Controller comprises the Login Page, Licensing, Data Store and Secured Web Services, backed by the Active Directory Domain Controller; the ICA Client sits in front; the Setup Tool prepares the Golden Image on the hypervisor (Xen, Hyper-V, VMware), with Profiles and Apps layered on top]
Golden Image:
• PV Tools
• Virtual Desktop Agent
• ICA & Streaming Client
• OS VDisk
How XenDesktop v2 Works
• The ICA Client connects to the Desktop Delivery Controller's Login Page
• The controller validates the user against the Active Directory Domain Controller
• The controller requests a license from Licensing
• Policies are evaluated and a desktop is found for the user in the Data Store
• The controller prepares the desktop and resumes its VM on the hypervisor (Xen, Hyper-V, VMware)
• The ICA connection is established from the client to the Virtual Desktop Agent in the VM built from the Golden Image (PV Tools, Virtual Desktop Agent, ICA & Streaming Client, OS VDisk)
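As an added illustration (not Citrix's Secure Ticket Authority or any XenDesktop code), the ticket-based connection mentioned on the Desktop Delivery Controller slide and the validate / find desktop / ICA flow above can be modelled like this: once the controller has validated the user against AD and found a desktop, it issues a short-lived, single-use ticket bound to that desktop, and the Virtual Desktop Agent redeems the ticket before accepting the ICA session, so the client never has to present the user's password to the VM. The shared key, the 100-second lifetime and the user and desktop names are assumptions made for the example.

```python
# Added example, an illustration rather than Citrix's Secure Ticket Authority or
# XenDesktop code: HMAC-signed, time-limited, single-use launch tickets issued by
# the broker after authentication and redeemed by the desktop agent. The key,
# lifetime and names are constructed for the example.
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple


class TicketError(Exception):
    pass


class TicketAuthority:
    """Issues and redeems launch tickets. Issuer and redeemer share one secret
    key; the outstanding-ticket table makes each ticket single use."""

    def __init__(self, key: bytes, ttl_seconds: int = 100,
                 clock: Callable[[], float] = time.time) -> None:
        self._key = key
        self._ttl = ttl_seconds
        self._clock = clock                      # injectable so expiry can be tested
        self._outstanding: Dict[str, Tuple[str, str, int]] = {}   # id -> (user, desktop, expiry)

    def issue(self, user: str, desktop: str) -> str:
        """Broker side: called only after the user has been validated (e.g. against AD)."""
        if "|" in user or "|" in desktop:
            raise ValueError("field separator not allowed in user or desktop names")
        ticket_id = secrets.token_hex(16)        # 128-bit random id, unguessable
        expiry = int(self._clock()) + self._ttl
        body = f"{ticket_id}|{user}|{desktop}|{expiry}".encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        self._outstanding[ticket_id] = (user, desktop, expiry)
        return base64.urlsafe_b64encode(body + b"|" + tag.encode()).decode()

    def redeem(self, ticket: str, presenting_desktop: str) -> str:
        """Agent side: returns the user name the session belongs to, or raises TicketError."""
        try:
            raw = base64.urlsafe_b64decode(ticket.encode()).decode()
            ticket_id, user, desktop, expiry_s, tag = raw.split("|")
            expiry = int(expiry_s)
        except (ValueError, UnicodeDecodeError) as exc:   # binascii.Error is a ValueError
            raise TicketError("malformed ticket") from exc
        body = f"{ticket_id}|{user}|{desktop}|{expiry}".encode()
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):        # constant-time comparison
            raise TicketError("bad signature")
        if self._clock() > expiry:
            self._outstanding.pop(ticket_id, None)
            raise TicketError("ticket expired")
        if desktop != presenting_desktop:
            raise TicketError("ticket was issued for a different desktop")
        if self._outstanding.pop(ticket_id, None) is None:  # consume: single use
            raise TicketError("ticket already used or unknown")
        return user
```

The order of the checks matters: the HMAC is verified first, so an unauthenticated caller cannot use the expiry or single-use errors to probe the outstanding-ticket table, and the ticket is removed from that table only after every other check has passed. In a real deployment the agent would call the authority over an authenticated channel instead of sharing its process, and the key would be provisioned and rotated rather than hard-coded.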
Ulteo Open Virtual Desktop (OVD)
• Ulteo Open Virtual Desktop is an installable open source virtual desktop and application delivery solution for corporations.
• It allows IT departments to deliver desktops and applications easily and at a lower cost than other solutions.
• It works in both Windows and Linux environments.
Infrastructure Overview and Vision
• Ulteo OVD is all about mixing various application sources into a consistent stream that can be delivered to users, depending on their needs.
• It has also been designed to be integrated in heterogeneous environments and inter-operate with various technologies.
Infrastructure Overview and Vision
Key Benefits for IT
• Ease of use, ease of deployment and management:
  • Clients can be either a Java-enabled web browser or a dedicated software client.
• Interoperability:
  • Full integration with existing infrastructures including Microsoft environments (Windows authentication, Windows applications, Active Directory, file server).
• Customizable:
  • Ulteo uses open source software. Ulteo source code is covered by GPL v2 software licensing terms.
• Lower cost than any comparable product
• Secure, reliable, scalable
Key Benefits for End-users
• Easy to use:
  • Applications are delivered as a complete desktop or displayed seamlessly and integrated into the user's desktop.
  • Access is possible from a simple web browser, a web portal or a dedicated client software.
  • Ulteo OVD provides its own web portal as a demo portal, but corporations are free to integrate Ulteo services into their own web portals.
• Extensive application portfolio:
  • Access any Linux and/or Windows applications
• User friendly:
  • Browser-based interface
Core Architectures
• Desktop mode
• Application/portal mode
• Application mode or Desktop mode with WAN access through OVD Gateway
Desktop Mode
• Windows or Linux desktop with a mix of remote Windows and/or Linux applications
• Examples: Windows & Linux apps on a Windows desktop, in the web browser; Windows & Linux apps on a Linux desktop, in the web browser
Application/Portal Mode
• Application portal, to run remote Windows and/or Linux applications from web links
• Examples: portal mode with an embedded file manager; portal mode running two flavors of Excel; application mode with remote Windows & Linux applications integrated on a Windows 7 desktop; applications mode displaying the remote applications seamlessly on the local desktop
Application mode or Desktop mode with WAN access through OVD Gateway
• Application publishing, to get remote Windows and/or Linux applications seamlessly integrated in the local end-user desktop
User Clients
• A web browser (*)
• A dedicated Ulteo client software for Linux or Windows PCs or thin clients
• An iOS or Android tablet (desktop mode only)
(*) The web browser needs a Java plugin