Virtualization Technologies
Alex Landau (lalex@il.ibm.com)
IBM Haifa Research Lab
Virtualization is a way to run multiple operating systems and user applications on the
same hardware
– E.g., run both Windows and Linux on the same laptop
How is it different from dual-boot?
– Both OSes run simultaneously
The OSes are completely isolated from each other
Server consolidation
– Run a web server and a mail server on the same physical server
Easier development
– Develop critical operating system components (file system, disk driver) without
affecting computer stability
QA
– Testing a network product (e.g., a firewall) may require tens of computers
– Try testing a product thoroughly at each pre-release milestone… and keep a straight
face when your boss shows you the electricity bill
Cloud computing
– The modern buzz-word
– Amazon sells computing power
– You pay for e.g., 2 CPU cores for 3 hours plus 10GB of network traffic
Definitions
– Hypervisor (or VMM – Virtual Machine Monitor) is a software layer that allows several
virtual machines to run on a physical machine
– The physical OS and hardware are called the Host
– The virtual machine OS and applications are called the Guest
Bare-metal: VMware ESX, Microsoft Hyper-V, Xen
Hosted: VMware Workstation, Microsoft Virtual PC, Sun VirtualBox, QEMU, KVM
Bare-metal
– Has complete control over hardware
– Doesn’t have to “fight” an OS
Hosted
– Avoid code duplication: need not code a process scheduler, memory management
system – the OS already does that
– Can run native processes alongside VMs
– Familiar environment – how much CPU and memory does a VM take? Use top! How
big is the virtual disk? ls -l
– Easy management – stop a VM? Sure, just kill it!
A combination
– Mostly hosted, but some parts are inside the OS kernel for performance reasons
– E.g., KVM
Example:
addl %ebx, %eax
is emulated as:
enum {EAX=0, EBX=1, ECX=2, EDX=3, …};
unsigned long regs[8];
regs[EAX] += regs[EBX];
Pro:
– Simple!
Con:
– Slooooooooow
Pro:
– Performance!
Cons:
– Harder to implement
– Need hardware support
• Not all “sensitive” instructions cause a trap when executed in usermode
• E.g., POPF, which may be used to clear IF
• This instruction does not trap, but the value of IF does not change!
Translation rules?
– Most code translates identically (e.g., movl %eax, %ebx translates to itself)
– “Sensitive” operations are translated into hypercalls
• Hypercall – call into the hypervisor to ask for service
• Implemented as trapping instructions (unlike POPF)
• Similar to syscall – call into the OS to request service
Pros:
– No hardware support required
– Performance – better than emulation
Cons:
– Performance – worse than trap and emulate
– Hard to implement – hypervisor needs on-the-fly x86-to-x86 binary compiler
Pros:
– No hardware support required
– Performance – better than emulation
Cons:
– Requires specifically modified guest
– Same guest OS cannot run in the VM and bare-metal
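The register-array emulation above and the "translate sensitive operations into hypercalls" rule can be put side by side in a toy model. This is an added example, not code from the slides: it assumes a hypothetical four-instruction guest ISA (MOV, ADD, POPF, STI) in which POPF and STI are the sensitive instructions, and models only the interrupt flag IF. Running the same guest program with and without the translation pass shows why the untranslated POPF silently loses its IF update while the translated one reaches the hypervisor.

```c
/* Added example (not from the original slides): a toy model of emulation
 * plus binary-translation-to-hypercalls, using the slides' regs[] idea.
 * Assumptions (hypothetical): a 4-instruction guest ISA with MOV, ADD,
 * POPF and STI; IF is the only flag modelled. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

enum { EAX = 0, EBX, ECX, EDX, NREGS = 8 };

/* Opcodes of the toy guest ISA. POPF and STI are "sensitive": they change
 * the interrupt flag, and (like real POPF in user mode) do not trap. */
enum op { OP_MOV, OP_ADD, OP_POPF, OP_STI, OP_HYPERCALL };

struct insn { enum op op; int dst, src; };

struct vcpu {
    unsigned long regs[NREGS];
    unsigned long stack_top;   /* value that POPF would pop (constructed) */
    bool virt_if;              /* the guest's *virtual* interrupt flag */
    int hypercalls;            /* how many times the hypervisor was entered */
};

#define IF_BIT (1UL << 9)      /* EFLAGS.IF lives in bit 9 on x86 */

/* Translation rule from the slides: most instructions translate to
 * themselves; sensitive ones become a hypercall that carries the original
 * opcode so the hypervisor can emulate it. */
static struct insn translate(struct insn in)
{
    switch (in.op) {
    case OP_POPF:
    case OP_STI:
        return (struct insn){ OP_HYPERCALL, in.op, 0 };
    default:
        return in;             /* e.g. movl %eax,%ebx translates to itself */
    }
}

/* Hypervisor side: emulate the sensitive instruction on the *virtual* IF.
 * Because control arrives here, the hypervisor sees the change that a
 * silently non-trapping POPF would otherwise hide from it. */
static void hypercall(struct vcpu *v, enum op original)
{
    v->hypercalls++;
    switch (original) {
    case OP_POPF: v->virt_if = (v->stack_top & IF_BIT) != 0; break;
    case OP_STI:  v->virt_if = true; break;
    default: break;
    }
}

/* Execute one (possibly translated) instruction. A sensitive instruction
 * that reaches this point untranslated does nothing: that models the
 * problem case where IF silently fails to change in user mode. */
static void execute(struct vcpu *v, struct insn in)
{
    switch (in.op) {
    case OP_MOV:  v->regs[in.dst] = v->regs[in.src]; break;
    case OP_ADD:  v->regs[in.dst] += v->regs[in.src]; break; /* addl %src,%dst */
    case OP_HYPERCALL: hypercall(v, (enum op)in.dst); break;
    case OP_POPF:
    case OP_STI:
        break;                 /* lost update, as on real hardware */
    }
}

/* Run a guest program with or without the translation pass; returns the
 * final virtual IF so callers can see whether the update survived. */
static bool run(struct vcpu *v, const struct insn *prog, size_t n, bool translate_code)
{
    for (size_t i = 0; i < n; i++)
        execute(v, translate_code ? translate(prog[i]) : prog[i]);
    return v->virt_if;
}

/* Constructed guest program: eax = eax + ebx; then POPF with IF set on the stack. */
static const struct insn demo_prog[] = {
    { OP_ADD, EAX, EBX }, { OP_POPF, 0, 0 },
};
#define DEMO_LEN (sizeof demo_prog / sizeof demo_prog[0])

static struct vcpu fresh_vcpu(void)
{
    struct vcpu v = {0};
    v.regs[EAX] = 40; v.regs[EBX] = 2;
    v.stack_top = IF_BIT;      /* the value the guest wants to pop into EFLAGS */
    return v;
}

int main(void)
{
    struct vcpu direct = fresh_vcpu(), translated = fresh_vcpu();
    bool if_direct = run(&direct, demo_prog, DEMO_LEN, false);
    bool if_trans  = run(&translated, demo_prog, DEMO_LEN, true);
    printf("eax=%lu  IF(direct)=%d  IF(translated)=%d  hypercalls=%d\n",
           translated.regs[EAX], if_direct, if_trans, translated.hypercalls);
    return 0;
}
```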
VMX, SVM
Types of I/O:
– Block (e.g., hard disk)
– Network
– Input (e.g., keyboard, mouse)
– Sound
– Video
Most performance critical (for servers):
– Network
– Block
Transmit path:
– OS prepares packet to transmit in a buffer in memory
– Driver writes start address of buffer to register X of the NIC
– Driver writes length of buffer to register Y
– Driver writes ‘1’ (GO!) into register T
– NIC reads packet from memory addresses [X,X+Y) and sends it on the wire
– NIC sends interrupt to host (TX complete, next packet please)
Receive path:
– Driver prepares buffer to receive packet into
– Driver writes start address of buffer to register X
– Driver writes length of buffer to register Y
– Driver writes ‘1’ (READY-TO-RECEIVE) into register R
– When packet arrives, NIC copies it into memory at [X,X+Y)
– NIC interrupts host (RX)
– OS processes packet (e.g., wake the waiting process up)
Hypervisor implements virtual NIC (by the specification of a real NIC, e.g., Intel, Realtek,
Broadcom)
NIC registers (X, Y, Z, T, R, …) are just variables in hypervisor (host) memory
If guest writes ‘1’ to register T, hypervisor reads buffer from memory [X,X+Y) and
passes it to physical NIC driver for transmission
When physical NIC interrupts (TX complete), hypervisor injects TX complete interrupt into
guest
Pro:
– Unmodified guest (guest already has drivers for Intel NICs…)
Cons:
– Slow – every access to every NIC register causes a VM exit (trap to hypervisor)
– Hypervisor needs to emulate complex hardware
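The emulated-NIC transmit path above can be written down as a small device model. This is an added example, not code from the slides; register names X, Y and T follow the slides, while the guest RAM size, the frame size limit and the "wire" capture buffer are constructed. The point it adds is the check a device model must make: X and Y are guest-controlled, so the hypervisor validates [X, X+Y) against guest memory before copying anything, otherwise a guest could direct the "NIC" at hypervisor memory.

```c
/* Added example (not from the original slides): a minimal model of the
 * emulated-NIC transmit path. Register names X, Y, T follow the slides;
 * sizes, the guest RAM array and the wire buffer are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define GUEST_RAM_SIZE 4096u     /* constructed: a 4 KiB guest */
#define WIRE_MAX       1514u     /* largest Ethernet frame we will forward */

/* Register offsets of the toy NIC, as the guest driver sees them. */
enum nic_reg { REG_X = 0, REG_Y = 1, REG_T = 2 };

struct vnic {
    uint32_t x, y;               /* "just variables in hypervisor memory" */
    uint8_t  wire[WIRE_MAX];     /* what was handed to the physical NIC driver */
    size_t   wire_len;
    bool     tx_irq_pending;     /* TX-complete interrupt to inject into guest */
    unsigned rejected;           /* bad DMA descriptors seen (worth logging) */
};

/* Guest physical memory; the guest driver places its packet here. */
static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Called on the VM exit that every guest store to a NIC register causes.
 * X and Y are guest-controlled, so [X, X+Y) is checked against guest RAM
 * before memory is touched; the check is written to be overflow-safe. */
static void vnic_mmio_write(struct vnic *n, enum nic_reg reg, uint32_t val)
{
    switch (reg) {
    case REG_X: n->x = val; return;
    case REG_Y: n->y = val; return;
    case REG_T:
        if (val != 1)
            return;                          /* only "GO" is meaningful */
        if (n->y == 0 || n->y > WIRE_MAX ||
            n->x >= GUEST_RAM_SIZE ||
            n->y > GUEST_RAM_SIZE - n->x) {
            n->rejected++;                   /* drop, and count it */
            return;
        }
        memcpy(n->wire, guest_ram + n->x, n->y);
        n->wire_len = n->y;
        /* "passes it to physical NIC driver"; when that completes, the
         * hypervisor injects TX complete into the guest. */
        n->tx_irq_pending = true;
        return;
    }
}

/* Guest driver side of the transmit path from the slides. */
static void guest_send(struct vnic *n, uint32_t addr, uint32_t len)
{
    vnic_mmio_write(n, REG_X, addr);
    vnic_mmio_write(n, REG_Y, len);
    vnic_mmio_write(n, REG_T, 1);            /* GO! */
}

/* Places a constructed payload at [addr, addr+len) in guest RAM, sends it,
 * and returns true if it reached the wire intact. */
static bool demo_tx(struct vnic *n, uint32_t addr, uint32_t len)
{
    memset(n, 0, sizeof *n);
    memset(guest_ram, 0, sizeof guest_ram);
    for (uint32_t i = 0; i < len; i++)
        if ((uint64_t)addr + i < GUEST_RAM_SIZE)
            guest_ram[addr + i] = (uint8_t)(i * 7);   /* constructed payload */
    guest_send(n, addr, len);
    return n->tx_irq_pending && n->wire_len == len &&
           memcmp(n->wire, guest_ram + addr, len) == 0;
}

int main(void)
{
    struct vnic n;
    bool ok = demo_tx(&n, 256, 64);
    printf("in-range packet forwarded: %d\n", ok);
    ok = demo_tx(&n, 4000, 200);             /* runs past the end of guest RAM */
    printf("out-of-range descriptor forwarded: %d (rejected=%u)\n", ok, n.rejected);
    return 0;
}
```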
Pro:
– Fast – no need to emulate physical device
Con:
– Requires guest driver
“Pull” NIC out of the host, and “plug” it into the guest
Guest is allowed to access NIC registers directly, no hypervisor intervention
Host can’t access NIC anymore
Pro:
– As fast as possible!
Cons:
– Need NIC per guest
– Plus one for host
– Can’t do “cool stuff”
• Encapsulate guest packets, monitor, modify them at the hypervisor level
Pros:
– As fast as possible!
– Need only one NIC (as opposed to direct assignment)
Cons:
– Emerging standard
• Few hypervisors fully support it
• Expensive!
• Requires new hardware
– Can’t do “cool stuff”
Companies (Red Hat, IBM, …) are looking at paravirtual I/O, trying to optimize it
Memory over-commit
Nested virtualization
Live migration
Questions?
Alex Landau
lalex@il.ibm.com
[Figure: without virtualization, Applications run on an Operating System on Hardware; with virtualization, a Hypervisor sits between the Hardware and several Operating Systems, each with its own Applications]
Virtualization -- a Server for Multiple Applications/OS
[Figure: one Hardware platform, a Hypervisor, and multiple Operating Systems each running their own Applications]
A hypervisor, also commonly called a Virtual Machine Monitor, is a software program that manages
multiple operating systems (or multiple instances of the same operating system) on a single computer
system. The hypervisor manages the system's processor, memory, and other resources to allocate what
each operating system requires.
Hypervisors are designed for a particular processor architecture and may also be called virtualization
managers.
Why now?
1960—1999
IBM, CP-40, CP/CMS, S/360-370,VM370,Virtual PC,VMware
2000—2005
IBM z/VM, Xen
2006
Intel VT-x
AMD’s AMD-V
2008—
Hardware evolution
[Figures (FYI): Anatomy of CPU, simple design; Multicore design / Multicore architecture]
Software maturity
More than one credible player in the market
Available and stable open-sourced software
OS, DB, Web server, Java, PHP, gcc, etc.
Established and mature software standards
Web service, XML, SOAP, COM, etc.
Types of Virtualization
Category in Wiki:
– Virtual memory
– Desktop virtualization
– Platform virtualization
• Full virtualization
• Paravirtualization
• Binary translation
• Hardware-assisted virtualization
• Partial virtualization
• OS-level virtualization
• Hosted environment (e.g. User-mode Linux)
– Storage virtualization
– Network virtualization
– Application virtualization
• Portable application
• Cross-platform virtualization
• Emulation or simulation
– Hosted Virtual Desktop
In this talk, we mainly focus on Platform virtualization, which is mostly related to cloud-computing:
– Hardware level: Full virtualization, Hardware-assisted virtualization, Paravirtualization
– Operating system level: OS-level virtualization, Hosted environment (e.g. User-mode Linux)
– Application level: Portable application
Full Virtualization
A certain kind of virtual machine environment: one that provides a
complete simulation of the underlying hardware.
The result is a system in which all software (including all OS’s) capable of
execution on the raw hardware can be run in the virtual machine.
Comprehensively simulate all computing elements, such as the instruction set, main
memory, interrupts, exceptions, and device access.
Full virtualization is only possible given the right combination of hardware
and software elements.
Privilege levels:
– Level 0 (highest privilege): OS kernel
– Level 1: OS services (device driver, etc.)
– Level 2
– Level 3 (lowest privilege): Applications
The challenges of x86 hardware virtualization
[Figure: x86 rings without virtualization: Ring 3 Application, Ring 2, Ring 1, Ring 0 OS, Hardware; direct execution of user and OS requests]
The Problems and the Solutions
Originally designed for “personal use” (PC)
Security problems caused by interception and privileged operations become critical
Solutions to full virtualization of the x86 CPU
Full description of operations of all x86 hardware (but they evolve)
Binary translation (almost established)
OS-assisted (or paravirtualization)
Hardware-assisted (future direction)
Binary translation
Kernel code containing non-virtualizable instructions is translated, replacing them with new
sequences of instructions that have the intended effect on the virtual hardware.
Each virtual machine monitor provides each Virtual Machine with all the
services of the physical system, including a virtual BIOS, virtual devices and
virtualized memory management.
This combination of binary translation and direct execution provides Full
Virtualization, as the guest OS is fully abstracted (completely decoupled) from
the underlying hardware by the virtualization layer. The guest OS is not aware it
is being virtualized and requires no modification.
The hypervisor translates all operating system instructions on the fly and
caches the results for future use, while user-level instructions run unmodified at
native speed.
Examples
VMware
Microsoft Virtual Server
[Figure: Binary translation: Ring 3 Application (direct execution of user and OS requests), Ring 2, Ring 1 Guest OS, Ring 0 VMM (binary translation of OS requests), Hardware]
[Figure: Paravirtualization: Ring 3 Application (direct execution of user and OS requests), Ring 2, Ring 1, Ring 0 Paravirtualized Guest OS]
[Figure: Hardware assist: Non-root mode privilege levels: Ring 3 Application (direct execution of user and OS requests), Ring 2, Ring 1, Ring 0 Guest OS]
[Figure: Memory virtualization: VM1 and VM2 virtual memory, mapped to physical memory, mapped to machine memory]
Device and I/O Virtualization
VMM supports all device/I/O drivers
Physically or virtually existing
Source: VMware white paper, “Understanding Full Virtualization, Paravirtualization, and Hardware Assist”
Techniques for x86 virtualization:
– Full Virtualization with Binary Translation
– Hardware Assisted Virtualization
– OS Assisted Virtualization / Paravirtualization
Issues in Virtualization for Cloud-
Computing
Virtualization implemented on
a single machine (with multi-core CPUs)
a cluster of machines (with multi-core CPUs)
The state-of-the-art
Running a Xen or a cluster of Xens
[Figure: the state-of-the-art: Applications on Operating Systems on a Hypervisor on Hardware, either on a single machine, or on a cluster of machines, or on a cluster coordinated by a Virtualization Management System]
Running multiple OS and applications
Virtualization: One physical hardware can run multiple OS and applications through a hypervisor.
A hypervisor is the
[Figure: Applications on a Hypervisor on Hardware]
Popular hypervisors
Xen
KVM
QEMU
virtualBox
VMWare
Xen is the selected hypervisor of the project.
Steps to use Xen
Connect to a Xen host (i.e., a physical hardware + Xen +
Dom0 OS) via ssh.
Use xen-tools to create (xen-create-image), list (xen-list-images) and delete
(xen-delete-image) images of virtual machines.
Use the xm tool to manage (create, list and shutdown)
DomU guests.
Issues related to clouds with Xen
Xen-tools and xm are great for a single machine, but …
Today’s private or public clouds often include hundreds or
thousands of machines.
How to manage the cloud effectively and efficiently
becomes a central issue in cloud computing.
Objectives of managing clouds
Easy-to-use client interface
Effective and efficient management of cloud infrastructure
Scalable deployment
Robust performance
Other nice characteristics associated with information
systems management
Some solutions for managing clouds
abiCloud is the topic of this class.
EUCALYPTUS, originating in the CS department of UC
Santa Barbara, is an open source software infrastructure
for implementing cloud computing on clusters.
OpenNebula is an open source virtual infrastructure
engine that enables the dynamic deployment and
replacement of virtualized service within and across sites.
Other solutions from Citrix, Microsoft, Sun, …
Issues in Virtualization for Cloud-Computing
Software deployment
Open-source
Commercial products
Re-installation or not
Compatibility
Legacy software/database
Copyright patent problem
Full virtualization
Hardware ISA?
Paravirtualization
Modifiable OS?
Hardware assisted virtualization
Problem model
Re-write
Issues in Virtualization for Cloud-
Computing
There are more problems…
Cloud Infrastructure
Infrastructure as a Service (IaaS) Architectures
SaaS, PaaS, IaaS
3 Features of Mature SaaS Applications
■ SaaS is hosting applications on the Internet as a service (both consumer
and enterprise)
■ Scalable
– Handle growing amounts of work in a graceful manner
■ Multi-tenancy
– One application instance may be serving hundreds of companies
– Opposite of multi-instance where each customer is provisioned their
own server running one instance
■ Level 2: Configurable
■ Level 3: Configurable,
Multi-Tenant-Efficient
■ Level 4: Scalable,
Configurable,
Multi-Tenant-Efficient
Cloud Deployment Models
■ Private cloud
– The cloud infrastructure is operated solely for an
organization. It may be managed by the organization or a
third party and may exist on premise or off premise.
■ Public cloud
– Mega-scale cloud infrastructure is made available to the
general public or a large industry group and is owned by an
organization selling cloud services.
■ Hybrid cloud
– The cloud infrastructure is a composition of two or more
clouds (private or public) that remain unique entities but are
bound together by standardized or proprietary technology
that enables data and application portability
Private cloud
– single org only,
– managed by the org or a 3rd party,
– on or off premise
Community cloud
– shared infrastructure for specific
community
– several orgs that have shared concerns,
– managed by org or a 3rd party
Public cloud
Hybrid cloud
Common Cloud
Characteristics
■ Cloud computing often leverages:
– Massive scale
– Homogeneity
– Virtualization
– Resilient computing
– Low cost software
– Geographic distribution
– Service orientation
– Advanced security technologies
The NIST Cloud Definition Framework
Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
■ Advantages
– Rapid reconstitution of services
– Enables availability
■ Provision in multiple data centers / multiple instances
– Advanced honey net capabilities
■ Challenges
– Impact of compromising the provisioning service
Data Storage Services
■ Advantages
– Data fragmentation and dispersal
– Automated replication
– Provision of data zones (e.g., by country)
– Encryption at rest and in transit
– Automated data retention
■ Challenges
– Isolation management / data multi-tenancy
– Storage controller
■ Single point of failure / compromise?
– Exposure of data to foreign governments
Cloud Processing Infrastructure
■ Advantages
– Ability to secure masters and push out secure images
■ Challenges
– Application multi-tenancy
– Reliance on hypervisors
– Process isolation / Application sandboxes
Cloud Support Services
■ Advantages
– On demand security controls (e.g., authentication,
logging, firewalls…)
■ Challenges
– Additional risk when integrated with customer
applications
– Needs certification and accreditation as a separate
application
– Code updates
Cloud Network and Perimeter Security
■ Advantages
– Distributed denial of service protection
– VLAN capabilities
– Perimeter security (IDS, firewall, authentication)
■ Challenges
– Virtual zoning with application mobility
Use case: provisioning a VM
■ Cloud management system (CMS) offers services like image
management and provisioning of machines; billing,
accounting, metering, and more.
■ With EC2, you use and pay for only the capacity that you need. This
eliminates the need to make large and expensive hardware
purchases, reduces the need to forecast traffic, and enables you to
automatically scale your IT resources to deal with changes in
requirements or spikes in popularity related to your application or
service.
Amazon Cloud EC2: AMI
■ An instance type is essentially a hardware archetype. As illustrated in the following
figure, you select a particular instance type based on the amount of memory and
computing power you need for the application or software that you plan to run on
the instance.
■ Amazon publishes many AMIs that contain common software configurations for
public use. In addition, members of the AWS developer community have
published their own custom AMIs.
For example, if your application is a web site or web service, your AMI could be
preconfigured with a web server, the associated static content, and the code for
all dynamic pages. Alternatively, you could configure your AMI to install all
required software components and content itself by running a bootstrap script as
soon as the instance starts. As a result, after launching the AMI, your web server
will start and your application can begin accepting requests.
Amazon Cloud EC2: Regions and Availability Zones
■ Amazon has data centers in different areas of the world (for example, North
America, Europe, and Asia). Correspondingly, Amazon EC2 is available to
use in different Regions. By launching instances in separate Regions, you
can design your application to be closer to specific customers or to meet
legal or other requirements. Prices for Amazon EC2 usage vary by Region.
■ Each Region contains multiple distinct locations called Availability
Zones (illustrated in the following diagram). Each Availability Zone is
engineered to be isolated from failures in other Availability zones and to
provide inexpensive, low-latency network connectivity to other zones in the
same Region. By launching instances in separate Availability Zones, you
can protect your applications from the failure of a single location.
Amazon Cloud EC2: Storage
■ To store data, Amazon EC2 offers the following storage options:
1. Amazon Elastic Block Store (Amazon EBS)
2. Amazon EC2 Instance Store
3. Amazon Simple Storage Service (Amazon S3)
Amazon EBS
■ Amazon EBS volumes are the recommended storage option for the majority of
use cases. Amazon EBS provides the instances with persistent, block-level
storage. Amazon EBS volumes are essentially hard disks that you can attach to
a running instance.
■ Amazon EBS is particularly suited for applications that require a database, file
system, or access to raw block-level storage.
Amazon Cloud EC2: Storage
■ To keep a back-up copy, you can create
a snapshot of the volume. As illustrated
in the following figure, snapshots are
stored in Amazon S3.
■ Instance Store
All instance types, with the exception of Micro instances, offer instance store. This is storage
that doesn't persist if the instance is stopped or terminated. Instance store is an option
for inexpensive temporary storage. You can use instance store volumes if you don't
require data persistence.
■ Amazon S3
Amazon S3 is storage for the Internet. It provides a simple web service interface that
enables you to store and retrieve any amount of data from anywhere on the web.
Amazon Cloud S3
– Amazon S3 Functionality
1. Write, read, and delete objects containing from 1 byte to 5 terabytes of data
each.
2. The number of objects you can store is unlimited.
3. Each object is stored in a bucket and retrieved via a unique, developer-
assigned key.
4. A bucket can be stored in one of several Regions. You can choose a Region
to optimize for latency, minimize costs, or address regulatory requirements.
5. Objects stored in a Region never leave the Region unless you transfer them
out. For example, objects stored in the EU (Ireland) Region never leave the
EU.
6. Authentication mechanisms are provided to ensure that data is kept secure
from unauthorized access. Objects can be made private or public, and rights
can be granted to specific users.
7. Options for secure data upload/download and encryption of data at rest are
provided for additional data protection.
8. Uses standards-based REST and SOAP interfaces designed to work with any
Internet-development toolkit.
Amazon Cloud S3: Use Cases
Content Storage and Distribution
– Amazon S3 can store a variety of content ranging from web applications to
media files. A user can offload an entire storage infrastructure onto the
cloud.
– For example, you could stream terabytes of data off a genomic sequencer as it is
being created, store the final data set as a single object and then analyze any
subset of the data in EC2 using a ranged GET.
– A user can create multiple security groups and assign different rules
to each group. Each instance can be assigned to one or more security
groups, and the rules determine which traffic is allowed in to the
instance. A security group can be configured so that only specific IP
addresses or specific security groups have access to the instance.
Amazon Cloud: Networking and
Security
– The following figure shows a basic three-tier web-hosting architecture
running on Amazon EC2 instances. Each layer has a different security
group (indicated by the dotted line around each set of instances). The
security group for the web servers only allows access from hosts over
TCP on ports 80 and 443 (HTTP and HTTPS) and from instances in
the App Servers security group on port 22 (SSH) for direct host
management.
– The security group for the app servers allows access from the Web
Servers security group for web requests, and from the corporate
subnet over TCP on port 22 (SSH) for direct host management. The
user’s support engineers could log directly into the application servers
from the corporate network, and then access the other instances from
the application server boxes.
– The DB Servers security group permits only the App Servers security
group to access the database servers.
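The three security groups described above can be modelled as a small rule set to see how group-to-group references and default-deny evaluate. This is an added example, not code from the slides or from AWS; it assumes a corporate subnet of 10.1.0.0/16, an app-server port of 8080 for web requests and a database port of 3306, none of which the text gives, and treats Internet hosts as belonging to no group.

```c
/* Added example (not part of the original slides or of AWS's own code): a
 * model of the three-tier security-group rules from the text. Assumed
 * values: corporate subnet 10.1.0.0/16, app port 8080, database port 3306. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

enum group { SG_WEB, SG_APP, SG_DB, SG_NONE /* Internet host, no group */ };

/* A rule allows TCP to dst port from either a CIDR or another group. */
struct rule {
    enum group applies_to;    /* the group whose instances this protects */
    uint16_t   port;
    bool       from_group;    /* true: match src_group; false: match CIDR */
    enum group src_group;
    uint32_t   cidr_ip;       /* host-order IPv4 address */
    uint8_t    cidr_len;
};

#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (b) << 16 | (c) << 8 | (d))

static const struct rule rules[] = {
    /* web servers: HTTP/HTTPS from anywhere, SSH only from the app group */
    { SG_WEB, 80,   false, SG_NONE, IP(0,0,0,0),  0 },
    { SG_WEB, 443,  false, SG_NONE, IP(0,0,0,0),  0 },
    { SG_WEB, 22,   true,  SG_APP,  0,            0 },
    /* app servers: web requests from the web group, SSH from corporate */
    { SG_APP, 8080, true,  SG_WEB,  0,            0 },   /* assumed port */
    { SG_APP, 22,   false, SG_NONE, IP(10,1,0,0), 16 },  /* assumed subnet */
    /* database: only the app group, nothing else */
    { SG_DB,  3306, true,  SG_APP,  0,            0 },   /* assumed port */
};
#define NRULES (sizeof rules / sizeof rules[0])

static bool cidr_match(uint32_t ip, uint32_t net, uint8_t len)
{
    uint32_t mask = len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
    return (ip & mask) == (net & mask);
}

/* Default deny: traffic is allowed only if some rule on the destination's
 * group matches the source (by group membership or by address) and port.
 * There is no rule order or explicit deny; anything unmatched is dropped. */
static bool allowed(enum group src_group, uint32_t src_ip,
                    enum group dst_group, uint16_t dst_port)
{
    for (size_t i = 0; i < NRULES; i++) {
        const struct rule *r = &rules[i];
        if (r->applies_to != dst_group || r->port != dst_port)
            continue;
        if (r->from_group ? src_group == r->src_group
                          : cidr_match(src_ip, r->cidr_ip, r->cidr_len))
            return true;
    }
    return false;
}

int main(void)
{
    /* 203.0.113.0/24 is a documentation range; used here as "the Internet". */
    printf("internet -> web:443   %d\n", allowed(SG_NONE, IP(203,0,113,9), SG_WEB, 443));
    printf("internet -> web:22    %d\n", allowed(SG_NONE, IP(203,0,113,9), SG_WEB, 22));
    printf("corporate -> app:22   %d\n", allowed(SG_NONE, IP(10,1,7,7), SG_APP, 22));
    printf("web -> db:3306        %d\n", allowed(SG_WEB, IP(10,0,0,5), SG_DB, 3306));
    printf("app -> db:3306        %d\n", allowed(SG_APP, IP(10,0,1,5), SG_DB, 3306));
    return 0;
}
```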
Amazon Cloud: Networking & Security
Amazon Cloud: Monitoring, Auto Scaling,
and Load Balancing
– AWS provides several features that enable the following:
– Elastic Load Balancing provides several different interfaces that can be used to
manage a user’s load balancers. Users can create, access, and manage their
load balancers using the AWS Management Console, the command line
interface (CLI), or the Query API. Users need to install the command line
interface and the Query API before they can be used.
Amazon Cloud: Identity and Access
Management (IAM)
– Amazon EC2 integrates with AWS Identity and Access Management (IAM), a
service that lets the user organization do the following:
– Get a single AWS bill for all users under the AWS account
– For example, you can use IAM with Amazon EC2 to control which users under
an AWS account can create AMIs or launch instances.
Introduction to Virtualization
& Cloud Computing
Vishal Kaushik
UPES
Virtualization
• Hardware Virtualization
• Software Virtualization
• Network Virtualization
Types of Virtualization
• OS Virtualization—aka Virtual Machines. Virtualizing an operating
system environment is the most common form of virtualization.
• Application-Server Virtualization.
• Application Virtualization.
• Administrative Virtualization.
• Network Virtualization.
• Hardware Virtualization.
• Storage Virtualization.
Three major types of Virtualization
• There are three major types of virtualization:
• Server Virtualization. This type is where most of the attention is
focused right now in the world of virtualization and is where most
companies begin an implementation of this technology.
• Client (or Desktop) Virtualization.
• Storage Virtualization.
Server Virtualization
This type is where most of the attention is focused right now in the world of
virtualization and is where most companies begin an implementation of this
technology.
The decision to virtualize should stem from a needs-based discussion and we’d love to have
that conversation with you. Contact us to schedule a convenient time to talk about your
possible virtualization needs, and be ready to answer questions such as:
Through a series of questions and analysis, we can point you in the direction of the type(s)
of virtualization that can help your business grow.
Storage
Vishal Kaushik
SoCS, UPES
Amazon Cloud Drive vs External Hard Drive
1. Amazon Cloud Drive is a web-based storage service while an
external hard drive is physical hardware.
2. Amazon Cloud Drive requires an Internet connection while an
external hard drive doesn’t.
3. Amazon Cloud Drive is on a rental basis while an external hard drive
needs to be purchased.
4. Amazon Cloud Drive is a more reliable data storage solution than an
external hard drive.
Amazon Cloud Drive vs External Hard Drive
• Data storage has gone a long way since the days of tape drives, and there are now many
ways to save your data. For most people who carry a lot of data with them, an external
hard drive is a portable alternative that offers a very large capacity. But companies are
now introducing services that aim to replace the external hard drive; like Amazon’s Cloud
Drive. The main difference between an external hard drive and an Amazon Cloud Drive is
that the Cloud Drive is a web-based solution unlike an external hard drive which is a
physical device.
• Since the Amazon Cloud Drive is a web-based service, you need to have access to the
Internet in order to retrieve or store files. For most people, this is not a big problem since
fast Internet connections are readily available. But for those who do not have access to a
fast connection, an external hard drive is the only choice.
• Getting an external hard drive typically means a single payment of $100 more or less for
the actual drive. Amazon uses a rental model for the Cloud Drive. You get 5GB for free,
and you pay $1 for every GB in excess of that every year. Given that drives do fail over
time, the Amazon Cloud Drive is still more expensive than just buying a large capacity
external hard drive.
• But with the added cost, you also get some benefits. The biggest one
is the assurance that your data will always be there. Because the data
resides on Amazon’s servers, it is constantly backed up and protected
against hardware failures. With external hard drives, you need to back
up your data consistently. You never know when your external hard
drive will get lost, get damaged, or just outright fail. Even if you back
up your external hard drive weekly, you will still lose a few days’
worth of data in case the drive fails or is lost. This won’t happen with
Amazon Cloud Drive. At worst, you will only lose a few hours’ worth
of data if you’ve been uploading at the time of the error.
Amazon S3 vs Amazon EBS
• EBS can only be used with EC2 instances while S3 can be used outside
EC2
• EBS appears as a mountable volume while the S3 requires software to
read and write data
• EBS can accommodate a smaller amount of data than S3
• EBS can only be used by one EC2 instance at a time while S3 can be
used by multiple instances
• S3 typically experiences write delays while EBS does not
Amazon S3 vs Amazon EBS
• S3 (Simple Storage Service) and EBS (Elastic Block Store) are two file
storage services provided by Amazon. The main difference between them is
what they can be used with. EBS is specifically meant for EC2 (Elastic
Computing Cloud) instances and is not accessible unless mounted to one.
On the other hand, S3 is not limited to EC2. The files within an S3 bucket
can be retrieved using HTTP protocols and even with BitTorrent. Many sites
use S3 to hold most of their files because of its accessibility to HTTP clients;
web browsers for example.
• As already stated above, you need some type of software in order to read
or write information with S3. With EBS, a volume can be mounted on an
EC2 instance and it would appear just like a hard disk partition. It can be
formatted with any file system and files can be written or read by the EC2
instance just like it would to a hard drive.
• When it comes to the total amount that you can store, S3 still has the
upper hand. EBS has a standard limit of 20 volumes with each volume
holding up to 1TB of data. With S3, the standard limit is at 100 buckets with
each bucket having an unlimited data capacity. S3 users do not need to
worry about filling a bucket and the only concern is having enough buckets
for your needs.
• A limitation of EBS is its inability to be used by multiple instances at once.
Once it is mounted by an instance, no other instance can use it. S3 can
have multiple images of its contents so it can be used by many at the same
time. An interesting side-effect of this capability is something called
‘eventual consistency’. With EBS, data read or write occurs almost instantly.
With S3, the changes are not written immediately so if you write
something, it may not be the data that a read operation returns.
Amazon Storage Options
• Amazon S3
• Amazon Glacier
• Amazon EFS
• Amazon EBS
• Amazon EC2 Instance Storage
• AWS Storage Gateway
• AWS Snowball
• Amazon CloudFront
Options
• Low cost data storage
• Highly durable & available
• Backup, archiving & disaster recovery use cases
• Provides block, file, and object storage.
Amazon S3
Simple Storage Service (S3)
• Secure, durable, highly scalable object storage at a very low cost.
• Any amount, at any time, from anywhere on the web through a
simple web service interface.
• Write, read, and delete objects containing from 1 byte to 5 TB.
• Highly scalable, allows concurrent read or write access to data by
many separate clients or threads in an application.
Usage Patterns
Amazon S3 offers a range of storage classes designed for different use
cases including the following:
• Amazon S3 Standard, for general-purpose storage of frequently accessed data
• Amazon S3 Standard-Infrequent Access (Standard-IA), for long-lived, but less
frequently accessed data
• Amazon Glacier, for low-cost archival data
4 Common Usage Patterns for AWS
• Store and distribute static web content and media delivered directly from Amazon S3 via a unique HTTP URL.
• Best as the origin store for a content delivery network (CDN) such as Amazon CloudFront:
- Elastic bandwidth to handle extreme demand spikes.
- No need for storage provisioning.
- Fast-growing websites hosting data-intensive, user-generated content, such as video- and photo-sharing sites.
• Host entire static websites as it is low-cost, highly available, and highly scalable solution, including storage
for static HTML files, images, videos, and client-side scripts in formats such as JavaScript.
• Data store for computation and large-scale analytics, such as financial transaction analysis, clickstream
analytics, and media transcoding.
- Horizontally scalable: S3 data can be accessed from multiple computing nodes concurrently without being constrained by a single
connection.
• Highly durable, scalable, and secure solution for backup and archiving of critical data.
- Easy movement of cold data to Amazon Glacier through lifecycle management rules.
- Cross-region replication automatic and asynchronous copy of objects across S3 buckets in different AWS regions for Disaster
recovery for business continuity.
Performance
• Fastest when accessing S3 from within EC2 in the same Region.
• Server-side latencies in S3 are insignificant relative to Internet latencies.
• S3 supports an extremely large number of web-scale applications by scaling storage, requests,
and numbers of users.
• Multi-threaded access to S3 from multiple applications/clients concurrently outperforms
any single server in aggregate Amazon S3 throughput.
• Multipart upload: S3 uploads a single large object (>100 MB) as a set of
parts, then reassembles all uploaded parts and recreates the object.
• For faster access to relevant data, pair S3 with a search engine like Amazon
CloudSearch or a database like Amazon DynamoDB or Amazon RDS to store the metadata
repository for the actual information held in S3.
• Enable S3 Transfer Acceleration for fast, easy, and secure transfer of files over long
distances between your client and your Amazon S3 bucket: GET and PUT
requests go via Amazon CloudFront's globally distributed edge locations, which route traffic to
your Amazon S3 bucket over an Amazon-optimized network path.
Comparison Uses
• The table presents some storage needs for considering various AWS storage options.
IAM
Vishal Kaushik
SoCS, UPES
AWS IAM
AWS Identity and Access Management (IAM) is a web service to securely
control (authenticate & authorize) access to AWS resources.
Every AWS account has a root user with complete access to all AWS services and
resources associated with that account.
Hence create IAM users, securely lock away the root user credentials,
and use the root user only to perform a few account and service management tasks.
[Amazon strongly recommends not using the root user even for administrative tasks]
Index
•IAM Features
•Accessing IAM
•Understanding How IAM Works
•Overview of Identity Management: Users
•Overview of Access Management: Permissions and Policies
•Security Features Outside of IAM
•Quick Links to Common Tasks
IAM Features
• Shared access to your AWS account
• Granular permissions
• Secure access to AWS resources for applications that run on Amazon EC2
• Multi-factor authentication (MFA)
• Identity federation
• Identity information for assurance
• PCI DSS Compliance
• Integrated with many AWS services
• Eventually Consistent
• Free to use
Accessing IAM
AWS Management Console: a browser-based interface to manage IAM and AWS resources.
AWS Command Line Tools: faster and more convenient for issuing commands at your system's command line
to perform IAM and AWS tasks, or even for writing scripts to perform AWS tasks.
AWS SDKs: libraries and sample code for various programming languages and platforms (Java,
Python, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access
to IAM and AWS. For example, the SDKs take care of tasks such as cryptographically signing requests,
managing errors, and retrying requests automatically.
IAM HTTPS API: programmatic access to IAM and AWS by using the IAM HTTPS API, which lets you issue
HTTPS requests directly to the service. When you use the HTTPS API, you must include code to digitally sign
requests using your credentials.
Working of IAM
IAM provides the infrastructure necessary to control authentication and
authorization for your account. The IAM infrastructure includes the following
elements:
• Principal
• Request
• Authentication
• Authorization
• Actions
• Resources
Principal
i. To authenticate from the console, sign in with your user name and password.
ii. To authenticate from the API or CLI, provide your access key and secret key, along with
additional security information (if required).
[AWS recommends that you use multi-factor authentication (MFA) to increase the
security of your account]
Authorization
IAM uses values from the request context to check for matching policies and determine
whether to allow or deny the request. Policies are stored in IAM as JSON documents and
specify the permissions that are allowed or denied for principals (identity-based policies) or
resources (resource-based policies).
Explicit Deny: IAM checks each policy that matches the context of your request. If a single
policy includes a denied action, IAM denies the entire request and stops evaluating. IAM
authorizes your request only if every part of your request is allowed by the matching
policies. The evaluation logic follows these rules:
• By default, all requests are denied.
• An explicit allow overrides this default.
• An explicit deny overrides any allows.
[Note: By default, only the AWS account root user has access to all the resources in that
account. Play with permissions granted by a policy for the users (other than root)]
Actions
AWS approves the actions in the authenticated and authorized request.
Actions are the things that are done to a resource, such as viewing, creating, editing, and
deleting. Actions are defined by a service. For example, IAM supports around 40 actions for
a user resource, including the following:
• CreateUser
• DeleteUser
• GetUser
• UpdateUser
[To allow a principal to perform an action, you must include the necessary actions in a
policy that applies to the principal or the affected resource]
Resources
A resource is an entity that exists within a service. E.g. EC2 instance, IAM user or S3 bucket.
• The service defines a set of actions that can be performed on each resource.
• Request for unrelated action is denied. For example, if you request to delete an IAM role
but provide an IAM group resource, the request fails.
After AWS approves the actions in your request, those actions can be performed on the
related resources within your account.
IAM Policies
• A policy is an entity in AWS that defines the permissions to an identity or
resource.
• Policy is evaluated upon a request by a principal (user)
• Permissions in the policies determine whether the request is allowed or
denied.
• Policies are stored in AWS as JSON documents attached to principals
(identity-based policies) or to resources (resource-based policies).
Identity-Based Policies
Identity-based policies are permission policies attached to a principal (or
identity), such as an IAM user, role, or group. These policies control what
actions that identity can perform, on which resources, and under what
conditions.
Identity-based policies can be further categorized:
• Managed policies
• AWS managed policies
• Customer managed policies
• Inline policies
Managed policies
Standalone identity-based policies attached to multiple users, groups, and
roles in your AWS account. You can use two types of managed policies:
• AWS managed policies – Managed policies that are created and managed by
AWS. If you are new to using policies, we recommend that you start by using
AWS managed policies.
• Customer managed policies – Managed policies that you create and manage
in your AWS account. Customer managed policies provide more precise
control over your policies than AWS managed policies. You can create and
edit an IAM policy in the visual editor or by creating the JSON policy
document directly
Inline policies
Policies created and managed and embedded directly into a single user,
group, or role.
Resource-Based policies
Resource-based policies are JSON policy documents attached to a resource
such as an Amazon S3 bucket. These policies control what actions a specified
principal can perform on that resource and under what conditions.
Resource-based policies are inline policies, and there are no managed
resource-based policies.
Although IAM identities are technically AWS resources, you cannot attach a
resource-based policy to an IAM identity. You must use identity-based policies
in IAM.
Trust policies
These are resource-based policies attached to a role that define which
principals can assume the role. When you create a role in IAM, the role must
have two things:
- The first is a trust policy that indicates who can assume the role.
- The second is a permission policy that indicates what they can do with that
role.
• Remember that adding an account to the trust policy of a role is only half of
establishing the trust relationship.
• By default, no users in the trusted accounts can assume the role until the
administrator for that account grants the users the permission to assume
the role.
Overview of JSON Policies
• Policies are stored in AWS as JSON documents attached to principals
as identity-based policies, or to resources as resource-based policies.
• It is not necessary for you to understand the JSON syntax. You can use the
visual editor to create and edit customer managed policies without ever
using JSON.
• However, if you choose to use inline policies for groups, you are still required
to create and edit those policies in the JSON editor.
JSON Policies
JSON policy document includes the following elements:
• Effect – whether the policy allows or denies access
• Action – the list of actions that are allowed or denied by the policy
• Resource – the list of resources on which the actions can occur
• Condition (Optional) – the circumstances under which the policy grants
permission
Sample JSON Policies
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket"
}
}
[Policies are documents that are stored using JSON. A policy consists of one
or more statements, each of which describes one set of permissions. Here's
an example of a simple policy]
Sample JSON Policies
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket"
}
}
• This policy can be attached to an IAM identity (group, user, or role).
• The identity can perform only this one action (ListBucket) on one S3 bucket
(example_bucket), in case this is the only policy.
Sample JSON Policies
• To specify permissions for a resource, attach a resource-based policy to the resource, like an
Amazon SNS topic, S3 bucket, or Glacier vault.
• That policy will include information about who is allowed to access the resource (principal).
• The example shows a resource-based policy attached to an S3 bucket. The policy grants
permission to a specific AWS account to perform any Amazon S3 actions in mybucket. This includes
both working with the bucket and with the objects in it. (Because the policy grants trust only to the
account, individual users in the account must still be granted permissions for the specified
Amazon S3 actions.)
{
"Version": "2012-10-17",
"Id": "S3-Account-Permissions",
"Statement": [{
"Sid": "1",
"Effect": "Allow",
"Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
}]
}
Multistatement Policy …. contd
[Two-column slide; only fragments of the policy survive. Left column:]
{
{
"Action": ["iam:ChangePassword"],
},
{
"Sid": "SecondStatement",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
…. Contd..
[Right column:]
{
"Action": [
],
"arn:aws:s3:::confidential-data",
"arn:aws:s3:::confidential-data/*"
],
}
]
}
Multiple Statements and Multiple Policies
• An entity can have more than one policy attached to it, and each policy can grant
multiple permissions.
• Usually, one policy statement includes information about a single
permission.
• For multiple policy statements, a logical OR is applied across the
statements at evaluation time.
• Similarly, if multiple policies are applicable to a request, a logical OR is
applied across the policies at evaluation time.
• Users often operate under policies that apply to them without being directly
attached to them. How?
Policy Structure
• Each policy is a JSON document. As
illustrated in the following figure, a policy
includes:
• Optional policy-wide information (at the top
of the document)
• One or more individual statements
• Each statement includes the core information about a single
permission. If a policy includes multiple statements, AWS
applies a logical OR across the statements at evaluation time. If
multiple policies are applicable to a request, AWS applies a
logical OR across the policies at evaluation time.
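The evaluation rules above (default deny, explicit allow, explicit deny wins, logical OR across statements and policies) and the "two halves" of a role trust relationship, worked through in a small Python evaluator. This is an added example, not AWS's implementation and not the course's code; the second identity policy, the role ARN, the account IDs and the trust policy are constructed for illustration, and only the Effect/Action/Resource elements with `*` wildcards plus the Bool, IpAddress and NotIpAddress condition operators are modelled.

```python
"""Toy IAM policy evaluator (added example; not AWS's own implementation).
Covers the slides' rules: default deny, explicit allow overrides the default,
explicit deny overrides any allow, logical OR across statements and policies,
and the two halves of a cross-account role trust.  Only Effect/Action/Resource
with '*' wildcards and the Bool/IpAddress/NotIpAddress conditions are modelled.
"""
import fnmatch
import ipaddress
import json

# Constructed sample policies for one IAM identity.  The first is the slides'
# ListBucket example; the second policy is invented for illustration.
IDENTITY_POLICIES = [json.loads(doc) for doc in ("""
{"Version": "2012-10-17",
 "Statement": {"Effect": "Allow", "Action": "s3:ListBucket",
               "Resource": "arn:aws:s3:::example_bucket"}}""", """
{"Version": "2012-10-17",
 "Statement": [
  {"Sid": "ReadObjectsOnlyWithMFA", "Effect": "Allow", "Action": ["s3:GetObject"],
   "Resource": "arn:aws:s3:::example_bucket/*",
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
  {"Sid": "DenyOutsideOfficeRange", "Effect": "Deny", "Action": "s3:*",
   "Resource": "*",
   "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}""")]

# Constructed trust policy of a role in account 111111111111 that trusts every
# principal in account 222222222222 (the first half of the trust relationship).
ROLE_ARN = "arn:aws:iam::111111111111:role/AuditReader"
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
               "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}}""")

def _as_list(value):
    """Most policy elements accept either a single string or a list."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_insensitive=False):
    """'*' wildcard matching; action names are case-insensitive in IAM."""
    patterns = _as_list(patterns)
    if case_insensitive:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """Every operator block must hold; within one key, any listed value may match."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if operator == "Bool":
                ok = actual is not None and str(actual).lower() in [
                    str(e).lower() for e in _as_list(expected)]
            elif operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                    for cidr in _as_list(expected))
                # A negated operator is satisfied when the context key is absent.
                ok = not in_range if operator == "NotIpAddress" else in_range
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True

def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against all applicable policies."""
    context = context or {}
    explicitly_allowed = False
    for policy in policies:                          # OR across policies ...
        for stmt in _as_list(policy["Statement"]):   # ... and across statements
            if not (_matches(stmt["Action"], action, case_insensitive=True)
                    and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition", {}), context)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                        # explicit deny: stop here
            explicitly_allowed = True
    return "Allow" if explicitly_allowed else "Deny"  # default deny

def can_assume_role(trust_policy, role_arn, caller_arn, caller_policies, context=None):
    """Both halves must hold: the role's trust policy names the caller's account
    AND the caller's identity-based policies allow sts:AssumeRole on the role.
    Simplified: only whole-account ':root' principals are recognised."""
    account_root = f"arn:aws:iam::{caller_arn.split(':')[4]}:root"
    trusted = False
    for stmt in _as_list(trust_policy["Statement"]):
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (stmt["Effect"] == "Allow" and account_root in aws_principals
                and _matches(stmt["Action"], "sts:AssumeRole", case_insensitive=True)):
            trusted = True
    return trusted and evaluate(caller_policies, "sts:AssumeRole", role_arn, context) == "Allow"

if __name__ == "__main__":
    office = {"aws:SourceIp": "203.0.113.10"}
    print(evaluate(IDENTITY_POLICIES, "s3:ListBucket", "arn:aws:s3:::example_bucket", office))
    print(evaluate(IDENTITY_POLICIES, "s3:GetObject", "arn:aws:s3:::example_bucket/report.pdf", office))
```

Note the NotIpAddress deny fires whenever the request carries no `aws:SourceIp` at all, which is how negated condition operators behave in IAM and a common source of surprise when testing such policies.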
Policy Selection
When you need to set the permissions for an identity in IAM, you must
decide whether to use an AWS managed policy, a customer managed policy,
or an inline policy. The following sections provide more information about
each of the types of identity-based policies and when to use them.
• AWS Managed Policies
• Customer Managed Policies
• Inline Policies
• Choosing Between Managed Policies and Inline Policies
• Deprecated AWS Managed Policies
AWS Managed Policy
• This is created and administered by AWS. Each is a standalone policy, i.e. the policy has its
own Amazon Resource Name (ARN) that includes the policy name.
• AWS managed policies are designed to provide permissions for many common use
cases. There are AWS managed policies that define typical permissions for service
administrators and grant full access to the service, such
as AmazonDynamoDBFullAccess and IAMFullAccess.
• AWS managed policies are designed for IAM permissions and provide various levels of
access to AWS services to easily assign appropriate permissions to users, groups, and
roles.
• One type of AWS managed policy is closely aligned to commonly used job functions in
the IT industry, for example AdministratorAccess.
• Permissions in AWS managed policies cannot be changed. Rather, AWS will
occasionally update the permissions defined in an AWS managed policy. That affects all
principal entities (users, groups, and roles) that the policy is attached to.
• Most likely AWS updates an AWS managed policy when a new AWS service is launched
or new API calls become available for existing services. For example, when AWS
launches a new service, AWS updates the ReadOnlyAccess policy to add read-only
permissions for the new service.
Pictorial View
Customer Managed Policy
• Standalone policies created and administered in an AWS account. This can
be attached to multiple principal entities to give permissions defined in the
policy.
• You can copy an existing AWS managed policy and customize it to your
environment.
Pictorial View
Inline Policy
• A policy that's embedded in a principal entity (a user, group, or role)—that
is, the policy is an inherent part of the principal entity. You can create a
policy and embed it in a principal entity, either when you create the
principal entity or later.
Pictorial View
Which Policy (Choosing Between Managed /Inline)
• The different types of policies are for different use cases. Managed policies provide the following features:
• Reusability: a single managed policy can be attached to multiple principal entities (users, groups, and roles). You can even
create a library of policies defining permissions useful for your AWS account, and attach these policies to principal entities
as needed.
• Central change management: any change in a managed policy is applied to all principal entities attached to that policy.
For example, if you want to add permission for a new AWS API, you can update the managed policy to add the
permission. Upon update, the changes are applied to all principal entities that the policy is attached to. In contrast, with
inline policies you must individually edit each principal entity containing the policy. For example, if a group and a role both
contain the same inline policy, you must individually edit both principal entities in order to change that policy.
• Versioning and rolling back: when you change a customer managed policy, the changed policy doesn't overwrite the
existing policy. Instead, IAM creates a new version of the managed policy. IAM stores up to five versions of your customer
managed policies. You can use policy versions to revert a policy to an earlier version if you need to.
• A policy version is different from a Version policy element. The Version policy element is used within a policy and defines
the version of the policy language.
• Delegating permissions management: users can be allowed to attach and detach policies while you maintain control over
the permissions defined in those policies; for example, only some users are designated as full admins (can create, update, and delete policies).
• Automatic updates for AWS managed policies: AWS updates them when necessary (e.g. adding permissions for new AWS
services). The updates are automatically applied to the principal entities that the AWS managed policy is attached to.
• In most cases, we recommend that you use managed policies instead of inline policies.
Which Policy (Choosing Between Managed /Inline)
Using Inline Policies
• Inline policies are useful if you want to maintain a strict one-to-one
relationship between a policy and the principal entity that it's applied to.
For example, you want to be sure that the permissions in a policy are not
inadvertently assigned to a principal entity other than the one they're
intended for. When you use an inline policy, the permissions in the policy
cannot be inadvertently attached to the wrong principal entity. In addition,
when you use the AWS Management Console to delete that principal
entity, the policies embedded in the principal entity are deleted as well.
That's because they are part of the principal entity.
Recap Policies
• A policy is an entity in AWS that, when attached to an identity or resource, defines its permissions.
• AWS evaluates policies upon a request from a principal. Permissions in the policies
determine whether the request is allowed or denied.
• Policies are stored in AWS as JSON documents that are attached to principals
as identity-based policies or to resources as resource-based policies.
• You can attach an identity-based policy to a principal (or identity), such as an IAM
group, user, or role. Identity-based policies include AWS managed policies, customer
managed policies, and inline policies.
• By default all requests are denied, so you must provide access to the services, actions,
and resources that you intend for the identity to access. If you also want to allow access
to complete the specified actions in the IAM console, you need to provide additional
permissions.
• The following library of policies can help you define permissions for your IAM identities.
After you find the policy that you need, choose View this policy to view the JSON for
the policy. You can use the JSON policy document as a template for your own policies.
Example Policies: AWS
• Allows access during a specific range of dates
• Allows specific access when using MFA during a specific range of dates
• Denies access to AWS based on the source IP address
Example Policies: AWS CodeCommit
• Allows Read access to an AWS CodeCommit repository, programmatically and in the console
Example Policies: AWS Data Pipeline
• Denies access to pipelines that a user did not create
Example Policies: Amazon DynamoDB
• Allows access to a specific Amazon DynamoDB table
• Allows access to specific Amazon DynamoDB columns
• Allows row-level access to Amazon DynamoDB based on an Amazon Cognito ID
Example Policies: Amazon EC2
• Allows an Amazon EC2 instance to attach or detach volumes
• Allows attaching or detaching Amazon EBS volumes to Amazon EC2 instances based on tags
• Allows launching Amazon EC2 instances in a specific subnet, programmatically and in the console
• Allows managing Amazon EC2 security groups associated with a specific VPC, programmatically and in the console
• Allows starting or stopping Amazon EC2 instances a user has tagged, programmatically and in the console
• Allows full Amazon EC2 access within a specific region, programmatically and in the console
• Allows starting or stopping a specific Amazon EC2 instance and modifying a specific security group, programmatically and in the console
• Limits terminating Amazon EC2 instances to a specific IP address range
Example Policies: AWS Identity and Access Management (IAM)
• Allows access to the policy simulator API
• Allows access to the policy simulator console
• Allows using the policy simulator API for users with a specific path
• Allows using the policy simulator console for users with a specific path
• Allows IAM users to self-manage an MFA device
• Allows IAM users to rotate their own credentials, programmatically and in the console
• Limits managed policies that can be applied to a new IAM user, group, or role
Example Policies: Amazon RDS
• Allows full Amazon RDS database access within a specific region
• Allows restoring Amazon RDS databases, programmatically and in the console
• Allows tag owners full access to Amazon RDS resources that they have tagged
Example Policies: Amazon S3
• Allows an Amazon Cognito user to access objects in their own Amazon S3 bucket
• Allows IAM users to access their own home directory in Amazon S3, programmatically and in the console
• Allows a user to manage a single Amazon S3 bucket and denies every other AWS action and resource
• Allows Read and Write access to a specific Amazon S3 bucket
• Allows Read and Write access to a specific Amazon S3 bucket, programmatically and in the console
EC2
Amazon EC2
Elastic Compute Cloud (Amazon EC2) is a web service that provides secure,
resizable compute capacity in the cloud. It is designed to make web-scale cloud
computing easier for developers.
Amazon EC2’s simple web service interface allows you to obtain and configure
capacity with minimal friction. It provides you with complete control of your
computing resources and lets you run on Amazon’s proven computing
environment. Amazon EC2 reduces the time required to obtain and boot new
server instances to minutes, allowing you to quickly scale capacity, both up and
down, as your computing requirements change. Amazon EC2 changes the
economics of computing by allowing you to pay only for capacity that you actually
use. Amazon EC2 provides developers the tools to build failure resilient
applications and isolate them from common failure scenarios.
Benefits
Reliable: Amazon EC2 offers a highly reliable environment where replacement instances
can be rapidly and predictably commissioned. The service runs within Amazon’s proven
network infrastructure and data centers. The Amazon EC2 Service Level Agreement
commitment is 99.99% availability for each Amazon EC2 Region.
Secure: Cloud security at AWS is the highest priority. As an AWS customer, you will benefit
from a data center and network architecture built to meet the requirements of the most
security-sensitive organizations. Amazon EC2 works in conjunction with Amazon VPC to
provide security and robust networking functionality for your compute resources.
Inexpensive: Amazon EC2 passes on to you the financial benefits of Amazon’s scale. You
pay a very low rate for the compute capacity you actually consume.
Easy to Start: There are several ways to get started with Amazon EC2. You can use the AWS
Management Console, the AWS Command Line Tools (CLI), or AWS SDKs. AWS is free to get
started.
Benefits
Elastic Web-Scale Computing: Amazon EC2 enables you to increase or decrease capacity within
minutes, not hours or days. You can commission one, hundreds, or even thousands of server instances simultaneously.
Amazon EC2 Auto Scaling maintains availability of your EC2 fleet and automatically scales your fleet up and down
depending on its needs in order to maximize performance and minimize cost.
Completely Controlled: You have complete control of your instances including root access and the ability to
interact with them as you would any machine. You can stop any instance while retaining the data on the boot partition,
and then subsequently restart the same instance using web service APIs. Instances can be rebooted remotely using web
service APIs, and you also have access to their console output.
Flexible Cloud Hosting Services: You have the choice of multiple instance types, operating systems,
and software packages. Amazon EC2 allows you to select a configuration of memory, CPU, instance storage, and the boot
partition size that is optimal for your choice of operating system and application. For example, choice of operating
systems includes numerous Linux distributions and Microsoft Windows Server.
Integrated: Amazon EC2 is integrated with most AWS services such as Amazon Simple Storage Service (Amazon
S3), Amazon Relational Database Service (Amazon RDS), and Amazon Virtual Private Cloud (Amazon VPC) to provide a
complete, secure solution for computing, query processing, and cloud storage across a wide range of applications.
Amazon EC2 Features
• Virtual computing environments, known as instances
• Preconfigured templates for your instances, known as Amazon Machine Images (AMIs), that package the bits you need
for your server (including the operating system and additional software)
• Various configurations of CPU, memory, storage, and networking capacity for your instances, known as instance types
• Secure login information for your instances using key pairs (AWS stores the public key, and you store the private key in a
secure place)
• Storage volumes for temporary data that's deleted when you stop or terminate your instance, known as instance store
volumes
• Persistent storage volumes for your data using Amazon Elastic Block Store (Amazon EBS), known as Amazon EBS volumes
• Multiple physical locations for your resources, such as instances and Amazon EBS volumes, known as regions and
Availability Zones
• A firewall that enables you to specify the protocols, ports, and source IP ranges that can reach your instances using
security groups
• Static IPv4 addresses for dynamic cloud computing, known as Elastic IP addresses
• Metadata, known as tags, that you can create and assign to your Amazon EC2 resources
• Virtual networks you can create that are logically isolated from the rest of the AWS cloud, and that you can optionally
connect to your own network, known as virtual private clouds (VPCs)
Accessing Amazon EC2
• Amazon EC2 provides a web-based user interface, the Amazon EC2 console. If
you've signed up for an AWS account, you can access the Amazon EC2 console by
signing into the AWS Management Console and selecting EC2 from the console
home page. Amazon EC2 also provides command line interfaces, with the following options:
• AWS Command Line Interface (CLI) Provides commands for a broad set of AWS
products, and is supported on Windows, Mac, and Linux. To get started, see AWS
Command Line Interface User Guide.
• AWS Tools for Windows PowerShell Provides commands for a broad set of AWS
products for those who script in the PowerShell environment.
• Amazon EC2 provides a Query API. These requests are HTTP or HTTPS requests
that use the HTTP verbs GET or POST and a Query parameter named Action. For
more information about the API actions for Amazon EC2.
• If you prefer to build applications using language-specific APIs instead of
submitting a request over HTTP or HTTPS, AWS provides libraries, sample code,
tutorials, and other resources for software developers. These libraries provide
basic functions that automate tasks such as cryptographically signing your
requests, retrying requests, and handling error responses, making it easier for
you to get started.
Purchase Options
When you first sign up for AWS, you can get started with Amazon EC2 for free using the AWS Free Tier. Amazon EC2 provides the following options for instance
purchasing:
• On-Demand Instances – Pay, by the second, for the instances that you launch. No long-term commitments or upfront payments.
• Savings Plans – Reduce costs via a committed consistent amount of usage, USD per hour, for a term of 1 or 3 years.
• Reserved Instances – Reduce costs by committing to a consistent amount of usage of a specific instance configuration (type and Region), reserved for a term of 1 or 3
years.
• Scheduled Instances – Purchase instances that are always available on the specified recurring schedule, for a one-year term.
• Spot Instances – Request unused EC2 instances, which can reduce your Amazon EC2 costs significantly.
• Dedicated Hosts – Pay for a physical host that is fully dedicated to running your instances, and bring your existing per-socket, per-core, or per-VM
software licenses to reduce costs.
• Dedicated Instances – Pay, by the hour, for instances that run on single-tenant hardware.
• Capacity Reservations – Reserve capacity for your EC2 instances in a specific Availability Zone for any duration.
Instance Lifecycle
• Purchase option affects the lifecycle of the instance.
• An On-Demand Instance starts at launch and ends at termination.
• Spot Instance runs as long as capacity is available and your maximum price is
higher than the Spot price.
• Scheduled Instance is launched during its scheduled time period; Amazon
EC2 launches the instances and then terminates them three minutes before
the time period ends.
[Figure: OpenStack community statistics, individual members and top 10 countries (United States, China, India, ...)]
References: OpenStack
The OpenStack Foundation - http://www.openstack.org/
Trying Out OpenStack
• TryStack (OpenStack Sandbox) - http://trystack.org/
• HP Public Cloud - https://www.hpcloud.com/
Deploying OpenStack
OpenStack Distributions
Red Hat - http://openstack.redhat.com/
SUSE - https://www.suse.com/products/suse-cloud/
Ubuntu - http://www.ubuntu.com/cloud
Join the Community
Join The OpenStack Community
http://www.openstack.org/community/
Demo
Identity (Keystone)
Compute (Nova)
• OpenStack Compute (Nova) is a cloud computing fabric controller, which is the main part of an
IaaS system. It is designed to manage and automate pools of computer resources and can work
with widely available virtualization technologies, as well as bare metal and high-performance
computing (HPC) configurations. KVM, VMware, and Xen are available choices for hypervisor
technology (virtual machine monitor), together with Hyper-V and Linux container technology such
as LXC.
• It is written in Python and uses many external libraries such as Eventlet (for concurrent
programming), Kombu (for AMQP communication), and SQLAlchemy (for database access).
Compute's architecture is designed to scale horizontally on standard hardware with no
proprietary hardware or software requirements and provide the ability to integrate with legacy
systems and third-party technologies.
Networking (Neutron)
• OpenStack Networking provides networking models for different applications or user groups.
Standard models include flat networks or VLANs that separate servers and traffic. OpenStack
Networking manages IP addresses, allowing for dedicated static IP addresses or DHCP. Floating
IP addresses let traffic be dynamically rerouted to any resource in the IT infrastructure, so users
can redirect traffic during maintenance or in case of a failure.
• Users can create their own networks, control traffic, and connect servers and devices to one or
more networks. Administrators can use software-defined networking (SDN) technologies
like OpenFlow to support high levels of multi-tenancy and massive scale. OpenStack Networking
provides an extension framework that can deploy and manage additional network services, such
as intrusion detection systems (IDS), load balancing, firewalls, and virtual private networks (VPN).
Block storage (Cinder)
• OpenStack Block Storage (Cinder) provides persistent block-level storage devices
for use with OpenStack compute instances.
• The block storage system manages the creation, attaching and detaching of the
block devices to servers. Block storage volumes are fully integrated into
OpenStack Compute and the Dashboard allowing for cloud users to manage their
own storage needs. In addition to local Linux server storage, it can use storage
platforms including Ceph, CloudByte, Coraid, EMC (ScaleIO, VMAX, VNX and
XtremIO), GlusterFS, Hitachi Data Systems, IBM Storage (IBM DS8000, Storwize
family, SAN Volume Controller, XIV Storage System, and GPFS), Linux LIO,
NetApp, Nexenta, Nimble Storage, Scality, SolidFire, HP (StoreVirtual and 3PAR
StoreServ families) and Pure Storage.
• Block storage is appropriate for performance sensitive scenarios such as database
storage, expandable file systems, or providing a server with access to raw block
level storage. Snapshot management provides powerful functionality for backing
up data stored on block storage volumes. Snapshots can be restored or used to
create a new block storage volume.
Image (Glance)
• OpenStack Image (Glance) provides discovery, registration, and delivery services for disk and
server images. Stored images can be used as a template. It can also be used to store and
catalog an unlimited number of backups. The Image Service can store disk and server images
in a variety of back-ends, including Swift. The Image Service API provides a standard REST
interface for querying information about disk images and lets clients stream the images to
new servers.
• Glance adds many enhancements to existing legacy infrastructures. For example, if integrated
with VMware, Glance introduces advanced features to the vSphere family such as vMotion,
high availability and dynamic resource scheduling (DRS). vMotion is the live migration of a
running VM, from one physical server to another, without service interruption. Thus, it
enables a dynamic and automated self-optimizing datacenter, allowing hardware
maintenance for the underperforming servers without downtimes.
• Other OpenStack modules that need to interact with Images, for example Heat, must
communicate with the images metadata through Glance. Also, Nova can present information
about the images, and configure a variation on an image to produce an instance. However,
Glance is the only module that can add, delete, share, or duplicate images.
Object storage (Swift)
• OpenStack Object Storage (Swift) is a scalable redundant storage system.
Objects and files are written to multiple disk drives spread throughout
servers in the data center, with the OpenStack software responsible for
ensuring data replication and integrity across the cluster.
• Storage clusters scale horizontally simply by adding new servers. In case of a
server or hard drive failure, OpenStack replicates its content from other
active nodes to new locations in the cluster. Because OpenStack uses
software logic to ensure data replication and distribution across different
devices, inexpensive commodity hard drives and servers can be used.
• SwiftStack, an object storage software company, is currently the leading
developer for Swift with significant contributions from HP, Red Hat, NTT,
NEC, IBM and more.
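The replication and integrity behaviour described above, as an added example that is not Swift's own code: a toy object store that writes every object to several distinct nodes chosen from a hash of its name, keeps an MD5 etag next to each copy (Swift also uses MD5 etags), serves reads only from a replica whose bytes still match the etag, and repairs a corrupted or missing replica from a healthy one, which is what Swift's auditor and replicator do between them. The node names, the sample object and the simple "walk the node list" placement are assumptions of this example; a real Swift ring uses consistent hashing over partitions and zones, and writes to handoff nodes when a primary is down.

```python
"""Replicated object store with etag integrity checks (added example, not Swift)."""
import hashlib

REPLICAS = 3


class Node:
    """One storage server; `disk` maps object name -> (etag, bytes)."""
    def __init__(self, name):
        self.name = name
        self.disk = {}
        self.alive = True


class ObjectStore:
    def __init__(self, nodes, replicas=REPLICAS):
        if replicas > len(nodes):
            raise ValueError("not enough nodes for the replica count")
        self.nodes = list(nodes)
        self.replicas = replicas

    def placement(self, name):
        """Deterministic choice of `replicas` distinct nodes for an object:
        start at a hash-derived offset and walk the node list (assumption;
        Swift's ring is more elaborate but serves the same purpose)."""
        start = int(hashlib.md5(name.encode()).hexdigest(), 16) % len(self.nodes)
        return [self.nodes[(start + i) % len(self.nodes)]
                for i in range(self.replicas)]

    @staticmethod
    def etag(data):
        return hashlib.md5(data).hexdigest()

    def put(self, name, data):
        """Write all replicas; succeed once a quorum of them is on disk."""
        tag = self.etag(data)
        written = 0
        for node in self.placement(name):
            if node.alive:
                node.disk[name] = (tag, bytes(data))
                written += 1
        if written < self.replicas // 2 + 1:
            raise IOError("write quorum not reached")
        return tag

    def get(self, name):
        """Return the first replica whose bytes still hash to its etag; a
        replica that fails the check is skipped (and repaired by the audit)."""
        for node in self.placement(name):
            if not node.alive or name not in node.disk:
                continue
            tag, data = node.disk[name]
            if self.etag(data) == tag:
                return data
        raise KeyError(name)

    def audit_and_repair(self, name):
        """Find replicas that are missing or whose content no longer matches
        the stored etag (bit rot, partial write) and rewrite them from a good
        copy. Returns the names of the nodes that were repaired."""
        good = self.get(name)
        tag = self.etag(good)
        repaired = []
        for node in self.placement(name):
            if not node.alive:
                continue
            stored = node.disk.get(name)
            if stored is None or self.etag(stored[1]) != stored[0]:
                node.disk[name] = (tag, good)
                repaired.append(node.name)
        return repaired
```

The etag is what turns "a replica exists" into "a replica is correct": without it, a silently corrupted copy would be served as readily as a healthy one, and the replicator would happily copy the corruption onward.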
Orchestration (Heat)
• Heat is a service to orchestrate multiple composite cloud applications
using templates, through both an OpenStack-native REST API and a
CloudFormation-compatible Query API.
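A Heat template is where the traffic control that the OpenStack Networking description above talks about ends up being written down, so it is also where a reviewer can catch an over-permissive rule before the stack exists. The following added example is not Heat's or Neutron's own code: a constructed HOT template (in its JSON form, so the standard library can parse it) opens SSH to the whole Internet by mistake, a checker flags any security-group rule that exposes a management port to a /0 prefix, and a hardening pass rewrites such rules to take their source CIDR from a template parameter (the bastion host). The resource types and property names are the real HOT ones; the template, the bastion parameter and the list of "management" ports are assumptions of this example.

```python
"""Static check of a HOT template for world-reachable management ports
(added example, not Heat or Neutron code)."""
import ipaddress
import json

# Ports that should never be open to a /0 prefix (assumption of this check).
MANAGEMENT_PORTS = {22, 3389, 3306, 5432, 6379, 27017}

# Constructed template: a web server on 443, with SSH mistakenly opened to
# the whole Internet. A parameter for the bastion CIDR already exists.
TEMPLATE = json.loads("""
{
  "heat_template_version": "2016-10-14",
  "parameters": {
    "image": {"type": "string"},
    "flavor": {"type": "string", "default": "m1.small"},
    "bastion_cidr": {"type": "string", "default": "192.0.2.10/32"}
  },
  "resources": {
    "web_sg": {
      "type": "OS::Neutron::SecurityGroup",
      "properties": {
        "rules": [
          {"protocol": "tcp", "port_range_min": 443, "port_range_max": 443,
           "remote_ip_prefix": "0.0.0.0/0"},
          {"protocol": "tcp", "port_range_min": 22, "port_range_max": 22,
           "remote_ip_prefix": "0.0.0.0/0"}
        ]
      }
    },
    "web": {
      "type": "OS::Nova::Server",
      "properties": {
        "image": {"get_param": "image"},
        "flavor": {"get_param": "flavor"},
        "security_groups": [{"get_resource": "web_sg"}]
      }
    }
  }
}
""")


def _rule_ports(rule):
    """Ports a rule covers; no port range means every port."""
    lo = rule.get("port_range_min")
    if lo is None:
        return range(0, 65536)
    return range(int(lo), int(rule.get("port_range_max", lo)) + 1)


def _world_open(rule):
    """True when the rule admits ingress from any source."""
    if rule.get("direction", "ingress") != "ingress":
        return False
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:
        # Neutron matches any source when neither a prefix nor a remote
        # security group is given.
        return "remote_group_id" not in rule
    if not isinstance(prefix, str):
        # An intrinsic function ({"get_param": ...}) is resolved by Heat at
        # stack creation and cannot be judged statically.
        return False
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def find_open_management_ports(template):
    """Sorted (resource, port, prefix) tuples for every security-group rule
    that exposes a management port to everyone."""
    findings = []
    for name, res in template.get("resources", {}).items():
        if res.get("type") != "OS::Neutron::SecurityGroup":
            continue
        for rule in res.get("properties", {}).get("rules", []):
            if _world_open(rule):
                for port in MANAGEMENT_PORTS.intersection(_rule_ports(rule)):
                    findings.append((name, port, rule.get("remote_ip_prefix") or "any"))
    return sorted(findings)


def harden(template, cidr_param="bastion_cidr"):
    """Copy of the template in which each flagged rule is restricted to the
    CIDR supplied through `cidr_param` (admin ports only from the bastion)."""
    fixed = json.loads(json.dumps(template))   # deep copy; input untouched
    for res in fixed["resources"].values():
        if res.get("type") != "OS::Neutron::SecurityGroup":
            continue
        for rule in res["properties"].get("rules", []):
            if _world_open(rule) and MANAGEMENT_PORTS.intersection(_rule_ports(rule)):
                rule["remote_ip_prefix"] = {"get_param": cidr_param}
    return fixed
```

Run the checker in the pipeline that submits templates to Heat and fail the build on a non-empty result; the hardened template still deploys unchanged for the 443 rule, which is the service the stack is meant to expose.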
Workflow (Mistral)
• Mistral is a service that manages workflows. A user typically writes a
workflow in a YAML-based workflow language and uploads the
workflow definition to Mistral via its REST API. The user can then start this
workflow manually via the same API or configure a trigger to start the
workflow on some event.
Telemetry (Ceilometer)
• OpenStack Telemetry (Ceilometer) provides a single point of contact
for billing systems, providing all the counters they need to establish
customer billing, across all current and future OpenStack
components.
• The delivery of counters is traceable and auditable; the counters must
be easily extensible to support new projects, and the agents doing data
collection should be independent of the overall system.
Database (Trove)
• Trove is a database-as-a-service provisioning relational and non-relational
database engines.
Elastic map reduce (Sahara)
• Sahara is a component to easily and rapidly provision Hadoop
clusters. Users will specify several parameters like the Hadoop version
number, the cluster topology type, node flavor details (defining disk
space, CPU and RAM settings), and others.
• After a user provides all of the parameters, Sahara deploys the cluster
in a few minutes.
• Sahara also provides means to scale a preexisting Hadoop cluster by
adding and removing worker nodes on demand.
Bare metal (Ironic)
• Ironic is an OpenStack project that provisions bare metal machines
instead of virtual machines. It was initially forked from the Nova
Baremetal driver and has evolved into a separate project.
• It is best thought of as a bare-metal hypervisor API and a set of
plugins that interact with the bare-metal hypervisors.
• By default, it uses PXE and IPMI in concert to provision machines and
power them on and off, but Ironic supports and can be extended with
vendor-specific plugins to implement additional functionality. Both PXE
and IPMI assume a trusted network, so the provisioning and management
traffic should be kept on an isolated network that tenant workloads cannot reach.
Messaging (Zaqar)
• Zaqar is a multi-tenant cloud messaging service for Web developers.
The service features a fully RESTful API, which developers can use to
send messages between various components of their SaaS and
mobile applications by using a variety of communication patterns.
Underlying this API is an efficient messaging engine designed with
scalability and security in mind.
• Other OpenStack components can integrate with Zaqar to surface
events to end users and to communicate with guest agents that run in
the "over-cloud" layer.
Shared file system (Manila)
• OpenStack Shared File System (Manila) provides an open API to
manage shares in a vendor agnostic framework.
• Standard primitives include the ability to create, delete, and give/deny
access to a share; Manila can be used standalone or in a variety of
different network environments.
• Commercial storage appliances from EMC, NetApp, HP, IBM, Oracle,
Quobyte, and Hitachi Data Systems are supported as well as
filesystem technologies such as Red Hat GlusterFS or Ceph.
DNS (Designate)
• Designate is a multi-tenant REST API for managing DNS. This
component provides DNS as a Service and is compatible with many
backend technologies, including PowerDNS and BIND.
• It doesn't provide a DNS service as such; its purpose is to interface
with existing DNS servers to manage DNS zones on a per-tenant basis.
Search (Searchlight)
• Searchlight provides advanced and consistent search capabilities
across various OpenStack cloud services.
• It accomplishes this by offloading user search queries from other
OpenStack API servers by indexing their data into ElasticSearch.
• Searchlight is being integrated into Horizon and also provides a
Command-line interface.
Key manager (Barbican)
• Barbican is a REST API designed for the secure storage, provisioning
and management of secrets.
• It is aimed at being useful for all environments, including large
ephemeral Clouds.
Container orchestration (Magnum)
• Magnum is an OpenStack API service developed by the OpenStack
Containers Team making container orchestration engines such as
Docker Swarm, Kubernetes, and Apache Mesos available as first class
resources in OpenStack.
• Magnum uses Heat to orchestrate an OS image which contains Docker
and Kubernetes and runs that image in either virtual machines or
bare metal in a cluster configuration.
Root Cause Analysis (Vitrage)
• Vitrage is the OpenStack RCA (Root Cause Analysis) service for
organizing, analyzing and expanding OpenStack alarms & events,
yielding insights regarding the root cause of problems and deducing
their existence before they are directly detected.
Rule-based alarm actions (Aodh)
• This alarming service enables the ability to trigger actions based on
defined rules against metric or event data collected by Ceilometer or
Gnocchi.
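The Telemetry passage above describes the counters and this one the rules evaluated against them. As an added example, not Aodh's or Ceilometer's code, here is the threshold evaluation in the shape Aodh uses: an alarm names a meter, a statistic, a comparison operator, a threshold, a period and a number of consecutive periods that must all breach; the evaluator returns the three Aodh state names (ok, alarm, insufficient data) and actions fire only on a state change, so a metric hovering around the threshold cannot flood the action endpoint. The samples, the alarm definition and the action URLs are constructed; actions are returned rather than sent over HTTP.

```python
"""Threshold-alarm evaluation over telemetry samples (added example)."""
from statistics import mean

# Constructed samples: (timestamp in seconds, resource_id, meter, value)
SAMPLES = [
    (0,   "vm-1", "cpu_util", 35.0),
    (60,  "vm-1", "cpu_util", 91.0),
    (120, "vm-1", "cpu_util", 95.0),
    (180, "vm-1", "cpu_util", 97.0),
    (240, "vm-1", "cpu_util", 40.0),
    (60,  "vm-2", "cpu_util", 12.0),
]

# Constructed alarm; the field names mirror an Aodh threshold alarm.
ALARM = {
    "name": "cpu_high_vm-1",
    "meter_name": "cpu_util",
    "resource_id": "vm-1",
    "comparison_operator": "gt",
    "threshold": 90.0,
    "statistic": "avg",
    "period": 60,                 # seconds of samples per evaluation window
    "evaluation_periods": 3,      # consecutive windows that must breach
    "alarm_actions": ["trap://notify-ops"],   # constructed action URLs
    "ok_actions": ["trap://notify-ops"],
}

OPERATORS = {
    "lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
    "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b,
}
STATISTICS = {"avg": mean, "max": max, "min": min, "sum": sum, "count": len}


def window_values(samples, alarm, now):
    """Aggregate the matching samples in each of the last
    `evaluation_periods` windows ending at `now`, oldest window first.
    A window with no samples yields None."""
    period, n = alarm["period"], alarm["evaluation_periods"]
    stat = STATISTICS[alarm["statistic"]]
    out = []
    for i in range(n):
        end = now - i * period
        start = end - period
        vals = [v for ts, rid, meter, v in samples
                if meter == alarm["meter_name"]
                and rid == alarm["resource_id"] and start < ts <= end]
        out.append(stat(vals) if vals else None)
    return list(reversed(out))


def evaluate(samples, alarm, now):
    """Return 'alarm', 'ok' or 'insufficient data' for the alarm at `now`."""
    values = window_values(samples, alarm, now)
    if any(v is None for v in values):
        return "insufficient data"
    op = OPERATORS[alarm["comparison_operator"]]
    return "alarm" if all(op(v, alarm["threshold"]) for v in values) else "ok"


def transition(alarm, current_state, new_state):
    """Apply a state change and return the actions that fire for it.
    Nothing fires when the state is unchanged."""
    if new_state == current_state:
        return []
    key = {"alarm": "alarm_actions", "ok": "ok_actions",
           "insufficient data": "insufficient_data_actions"}[new_state]
    return list(alarm.get(key, []))
```

Note how `evaluation_periods` does the debouncing: the single 91 % sample at t=60 does not raise the alarm on its own, but three breaching windows in a row do, and one cool window afterwards returns it to ok.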
Compatibility with other APIs
• OpenStack does not strive for compatibility with other clouds APIs.
However, there is some amount of compatibility driven by various
members of the OpenStack community.
Deployment models
• There are multiple ways devised by vendors to deploy OpenStack for customers:
Releases and Evolution
Release name, release date, included component code names:
Icehouse, 17 April 2014: Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove
Juno, 16 October 2014: Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara
Kilo, 30 April 2015: Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic
Liberty, 16 October 2015: Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic, Zaqar, Manila, Designate, Barbican, Searchlight
Mitaka, 7 April 2016: Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic, Zaqar, Manila, Designate, Barbican, Searchlight, Magnum
Newton, 6 October 2016: Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic, Zaqar, Manila, Designate, Barbican, Searchlight, Magnum, aodh, cloudkitty, congress, freezer, mistral, monasca-api, monasca-log-api, murano, panko, senlin, solum, tacker, vitrage, Watcher
Ocata, 22 February 2017: Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic, Zaqar, Manila, Designate, Barbican, Searchlight, Magnum, aodh, cloudkitty, congress, freezer, mistral, monasca-api, monasca-log-api, murano, panko, senlin, solum, tacker, vitrage, Watcher
Pike, 30 August 2017: Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic, Zaqar, Manila, Designate, Barbican, Searchlight, Magnum, aodh, cloudkitty, congress, freezer, mistral, monasca-api, monasca-log-api, murano, panko, senlin, solum, tacker, vitrage, Watcher
Citrix XenApp and XenDesktop
Components of a XenApp or XenDesktop deployment (Site)
Database
• At least one Microsoft SQL Server database is required for every
XenApp or XenDesktop Site to store all configuration and session
information. This database stores the data collected and managed by
the services that make up the Controller. Install the database within
your data center, and ensure it has a persistent connection to the
Controller.
Virtual Delivery Agent (VDA)
• The VDA is installed on each physical or virtual machine in your Site
that you want to make available to users. It enables the machine to
register with the Controller, which in turn allows the machine and the
resources it is hosting to be made available to users. VDAs establish
and manage the connection between the machine and the user
device, verify that a Citrix license is available for the user or session,
and apply whatever policies have been configured for the session.
The VDA communicates session information to the Broker Service in
the Controller through the broker agent included in the VDA. XenApp
and XenDesktop include VDAs for Windows server and desktop
operating systems. VDAs for Windows server operating systems allow
multiple users to connect to the server at one time. VDAs for
Windows desktops allow only one user to connect to the desktop at a
time.
StoreFront
• StoreFront authenticates users to Sites hosting resources and
manages stores of desktops and applications that users access. It
hosts your enterprise application store, which lets you give users self-
service access to desktops and applications you make available to
them. It also keeps track of users’ application subscriptions, shortcut
names, and other data to ensure they have a consistent experience
across multiple devices.
Receiver
• Installed on user devices and other endpoints, such as virtual
desktops, Citrix Receiver provides users with quick, secure, self-
service access to documents, applications, and desktops from any of
the user's devices, including smartphones, tablets, and PCs. Receiver
provides on-demand access to Windows, Web, and Software as a
Service (SaaS) applications. For devices that cannot install Receiver
software, Receiver for HTML5 provides a connection through an
HTML5-compatible web browser.
Studio
• Studio is the management console that enables you to configure and
manage your deployment, eliminating the need for separate
management consoles for managing delivery of applications and
desktops. Studio provides various wizards to guide you through the
process of setting up your environment, creating your workloads to
host applications and desktops, and assigning applications and
desktops to users. You can also use Studio to allocate and track Citrix
licenses for your Site. Studio gets the information it displays from the
Broker Service in the Controller.
Director
• Director is a web-based tool that enables IT support and help desk teams
to monitor an environment, troubleshoot issues before they become
system-critical, and perform support tasks for end users. You can use one
Director deployment to connect to and monitor multiple XenApp or
XenDesktop Sites. Director shows session and Site information from these
sources:
• Real-time session data from the Broker Service in the Controller,
which includes data the Broker Service gets from the broker agent in the
VDA.
• Historical Site data from the Monitor Service in the Controller.
• Data about HDX traffic (also known as ICA traffic) captured by HDX Insight
from the NetScaler, if your deployment includes a NetScaler and your
XenApp or XenDesktop edition includes HDX Insight.
• You can also view and interact with a user's sessions using Microsoft
Remote Assistance.
License Server
• License server manages your product licenses. It communicates with
the Controller to manage licensing for each user's session and with
Studio to allocate license files. You must create at least one license
server to store and manage your license files.
Hypervisor
• The hypervisor hosts the virtual machines in your Site. These can be the
virtual machines you use to host applications and desktops as well as
virtual machines you use to host the XenApp and XenDesktop components.
A hypervisor is installed on a host computer dedicated entirely to running
the hypervisor and hosting virtual machines. The Citrix XenServer hypervisor is
included with XenApp and XenDesktop, but you can use other supported
hypervisors, such as Microsoft Hyper-V or VMware vSphere.
• Although most implementations of XenApp and XenDesktop require a
hypervisor, you don't need one to provide Remote PC Access or when you
are using Provisioning Services (included with some editions of XenApp and
XenDesktop) instead of MCS (Machine Creation Services) to provision virtual machines.
• These additional components, not shown in the illustration above, may
also be included in typical XenApp or XenDesktop deployments:
Provisioning Services
• Provisioning Services is an optional component of XenApp and
XenDesktop available with some editions. It provides an alternative to
MCS for provisioning virtual machines. Whereas MCS creates copies
of a master image, Provisioning Services streams the master image to the
user device. Provisioning Services doesn’t require a hypervisor to do
this, so you can use it to host physical machines. When Provisioning
Services is included in a Site, it communicates with the Controller to
provide users with resources.
NetScaler Gateway
• When users connect from outside the corporate firewall, this release
can use Citrix NetScaler Gateway (formerly Access Gateway)
technology to secure these connections with SSL. NetScaler Gateway
or NetScaler VPX virtual appliance is an SSL VPN appliance that is
deployed in the demilitarized zone (DMZ) to provide a single secure
point of access through the corporate firewall.
Citrix CloudBridge
• In deployments where virtual desktops are delivered to users at remote
locations such as branch offices, Citrix CloudBridge (formerly Citrix Branch
Repeater or WANScaler) technology can be employed to optimize
performance. Repeaters accelerate performance across wide-area
networks, so with Repeaters in the network, users in the branch office
experience LAN-like performance over the WAN. CloudBridge can prioritize
different parts of the user experience so that, for example, the user
experience does not degrade in the branch location when a large file or
print job is sent over the network. HDX WAN Optimization with
CloudBridge provides tokenized compression and data deduplication,
dramatically reducing bandwidth requirements and improving
performance. For more information, see the Citrix CloudBridge
documentation.
RACKSPACE® HOSTING | WWW.RACKSPACE.COM
Virtualization Techniques
Software Virtualization
Virtual Desktop Infrastructure
Agenda
• Overview
(Figure: the traditional, locally installed desktop stack of Hardware, Operating System, Applications and Windows Apps, with the lifecycle steps 2. image, 3. secure, 4. deploy, 5. monitor, 6. maintain, 7. back-up)
Existing methods, tools, and processes
• Tight binding between layers
• The components are linked together in ways that are difficult to support and
maintain
Basic View
(Figure: a guest OS in a virtual machine hosted in a data center)
• VDI server
• Virtual Desktop Agent (VDA)
• The control software resides in a virtual machine hosted in a data center
• VDI protocol
• Connects client and server
• Transports the necessary control commands and I/O data
• Different I/O data may be encapsulated in different virtual channels
VDI Components
(Figure: client devices connect over the VDI protocol, through a session broker, to a guest OS in a virtual machine on the virtualization platform, which is managed by the virtualization management platform)
Protocol
• For users to connect to the virtualized OS
• Handles certain features such as device and printer redirection
• Examples:
• Remote Desktop Protocol (RDP)
• A part of Windows XP or Vista
• RDP allows users to access systems at remote locations with the ability to manipulate the
system as if physically sitting at that computer terminal
• Independent Computing Architecture (ICA)
• A proprietary protocol for an application server system, designed by Citrix
• The protocol lays down a specification for passing data between server and clients, but is not
bound to any one platform.
Desktop Remoting Techniques
• Fundamentally there are several different ways that a desktop running at
one place can show up on a screen of a client at another location:
• The “screen scrape” method
• Screen scrape + multimedia redirection
• Server graphics system virtualization
• Hardware acceleration on the server and client
Screen-Scraping
• The general idea with “screen scraping” is that whatever graphical
elements are painted to the “screen” on the host are then scraped by
the protocol interface and sent down to the client. This can happen in
two ways:
• The client can contact the server and pull a new “snapshot” of the screen from
the frame buffer. This is how VNC works.
• The server can continuously push its screen activity to the client. This can be at
the frame buffer level, the GDI / window manager level, or a combination of
both. (This is how RDP and ICA work)
Screen Scrape + Multimedia Redirection
• A technique whereby server-side multimedia elements are sent in their
native formats down to the client devices. Then the client can play the
multimedia streams locally and dynamically insert them back into the
proper position on the screen. This works well
• If your client has the technical capability and hardware specs to render the
multimedia, and
• Your client has the proper codec installed so that it knows how to render the
multimedia content. In effect, this means that your clients can’t be “too thin.”
• It’s also what Wyse does in RDP with their TCX enhancements.
Server Graphics System Virtualization
• Software on the host captures all possible graphical layers (GDI, WPF,
DirectX, etc.) and renders them into a remote protocol stream (like RDP)
where they're sent down to the client as fast as possible.
• This will give the client an experience which is very close to local performance,
regardless of the client device (even on very low-end WinCE and Linux clients).
• GPU capabilities must exist on the server side where the rendering is
taking place.
• This is fine if you plug a physical graphics card into physical hardware running a
physical OS.
• In a VDI scenario, your hypervisor must be able to virtualize the GPU just like any
other piece of hardware. This means that the Windows desktop OS running
inside the VM must be able to detect the "virtual" GPU so that it can enable all of its
graphical features.
• This is what Teradici does. Today their solution works with physical
blades (with their special TERA chips) and their clients (also with TERA
chips).
Session Broker
• The session broker is responsible for
• Distributing sessions from clients to VMs
• Redirecting disconnected sessions of users back to their original VMs
• Examples: Windows Server 2008 R2, XenDesktop (for Microsoft VDI), and VMware
View Manager
(Figure: clients connect through the session broker to VMs on the virtualization platform; a virtual management platform manages the VMs)
Client
• It could be
• Thin clients
• Clients running software on an OS
• Such as Windows, Linux, or others supported by the VDI solution
Concept
What is VDI?
Composition of VDI
Advantages and Disadvantages
Advantages
• Improved utilization
• Efficient use of CPU and memory resources
• Improved availability
• Reduced desktop downtime
• Improved manageability
• Patches and upgrades performed in the data center
• Centralized management reduces operational expenses
• Improved security
• Data and applications reside in secure data centers
Disadvantages
• Need a unique image for each user who requires a different set of
applications
Challenges
• Interoperability
• Ecosystem
• Mobile access
Interoperability
• Although current VDI products aim at the same goal, they are defined by
different companies using different methodologies.
• So …
Ecosystem
• Each layer (VDI server, VDI protocol, VDI client) has a tight-coupling relationship with the others
• They cannot move forward independently
Mobile Access
• Streaming an application in the best current systems consumes roughly eight times
the bandwidth of the original bitrate
Thin-Client Support
• Thin clients based on Linux and XPe
• WYSE ThinOS models
Browser Access
• Windows, Linux & Mac
What Distinguishes VMware VDI?
Familiar End-User Experience
• Run applications with no modifications. Virtual desktop is unchanged.
• Leverage existing desktop mgmt tools
• Support for USB devices through RDP extensions (e.g. local printing, storage, etc.)
• Support multi-monitors in “stretch mode”
“Our users love their hosted desktops. One user was totally upset and crying because she
thought she had lost her documents. She couldn’t believe it when the terminal came back up
and everything was just how she had left it.”
David Siles, CTO, Kane County Government (Illinois)
Rapid Deployment
• VMware Infrastructure templates can be used to replicate 1000s of desktops quickly
• Automatic desktop provisioning with VDI pooling capabilities
• Rapid redeployments of virtual images throughout the desktop lifecycle
• Changing, patching, restarting images improved when centralized & virtualized
How Customers Use VMware VDI
Desktop PC Replacement
Replace traditional PCs with thin clients, repurposed PCs or less costly desktop hardware.
Address short desktop lifecycles. Simplify moves, adds & changes (MACs) because the
desktop images are administered in corporate data center.
Delivery models
• Local VM
• Streamed VHD
• Hosted VDI
• Hosted Shared
Local VM
• This option combines the benefits of central management with full user
personalization, and can generally support up to 150 desktops per
server.
Hosted Shared
• Users get a desktop interface, which can look like Windows 7. However,
that desktop is actually being shared by every user on the server.
Desktop Delivery Vision
XenDesktop is a Better Way…
(Figure: users are delivered their desktop remotely; Remote Access and WAN Optimization sit between the users and the WAN; in the data center a Secure Hypervisor, blade chassis, Provisioning Server and storage form the Citrix Optimized Virtual Desktop Infrastructure, with profiles, apps, Windows and the OS delivered as separate layers)
(Editions: Express, Standard, Advanced, Enterprise, Platinum; highlighted capabilities: Scalability, Desktop Provisioning, Resource Pooling & XenMotion)
Virtual Desktop Agent and ICA Client
• Installed on all Desktops (VMs or Blades)
• Supports XP SP2 and Vista SP1 (32bit)
• Delivers virtual desktop via ICA to any ICA client
• SpeedScreen
• SpeedBrowse
• SmoothRoaming
• Universal Print Driver
• Dynamic client drive mapping (USB drives)
• Multi-monitor support
• Session Reliability
• ClearType
• etc…
(Figure: Desktop Delivery Controller, ICA, Virtual Desktop Agent)
Desktop Delivery Controller
Solution
• Simple to deploy and administer
• Brokers end-to-end ICA connections
• Manages flexible desktop-user association:
• Pooled
• Assign on first use
• Pre-assigned
• Enables secure ticket-based connections
• Supports single sign-on
• Runs on Windows Server 2003 (32 & 64-bit)
• Broad desktop hosting infrastructure support
• Efficient use of AD for non-volatile settings:
• Transactional data moved from AD to Data Store in Beta
(Figure: Desktop Delivery Controller, ICA, Virtual Desktop Agent)
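The Session Broker description earlier (distribute sessions to VMs, send a disconnected user back to the VM that still holds the session) and the controller's "secure ticket-based connections" and pooled / assign-on-first-use policies above fit in one small model. The following is an added example, not Citrix's Desktop Delivery Controller or Secure Ticket Authority code: the broker hands out a VM together with a short-lived, single-use ticket bound to that VM and signed with a key shared with the Virtual Desktop Agent; the agent admits a connection only if the ticket verifies, is for its own VM, has not expired and has not been redeemed before. The ticket format, 30-second TTL and shared HMAC key are assumptions of this example; user names are assumed not to contain '|'.

```python
"""Session brokering with single-use connection tickets (added example)."""
import hashlib
import hmac
import secrets
import time

TICKET_TTL = 30                             # seconds the client has to connect
POLICY_POOLED = "pooled"                    # VM returns to the pool on logoff
POLICY_FIRST_USE = "assign_on_first_use"    # VM stays with the user


class Broker:
    def __init__(self, vms, key, policy=POLICY_POOLED, clock=time.time):
        self.free = list(vms)
        self.key = key                # shared with every Virtual Desktop Agent
        self.policy = policy
        self.clock = clock            # injectable so expiry can be tested
        self.sessions = {}            # user -> {"vm": ..., "state": ...}
        self.used = set()             # redeemed ticket ids (replay protection)

    def _mac(self, ticket_id, user, vm, exp):
        msg = f"{ticket_id}|{user}|{vm}|{exp}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request_desktop(self, user):
        """Choose a VM for the user and return (vm, ticket)."""
        sess = self.sessions.get(user)
        if sess is None:
            if not self.free:
                raise RuntimeError("no desktops available")
            sess = {"vm": self.free.pop(0)}
            self.sessions[user] = sess
        # A user with a disconnected session (or, under assign-on-first-use,
        # any earlier session) is redirected to the VM already holding it.
        sess["state"] = "active"
        ticket_id = secrets.token_hex(16)
        exp = int(self.clock()) + TICKET_TTL
        mac = self._mac(ticket_id, user, sess["vm"], exp)
        return sess["vm"], f"{ticket_id}|{user}|{sess['vm']}|{exp}|{mac}"

    def redeem(self, vm, ticket):
        """Called by the agent on `vm` when a client presents a ticket.
        Returns the user on success; None if the ticket is malformed,
        forged, issued for another VM, expired, or already used."""
        try:
            ticket_id, user, tvm, exp, mac = ticket.split("|")
            exp = int(exp)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._mac(ticket_id, user, tvm, exp)):
            return None
        if tvm != vm or self.clock() > exp or ticket_id in self.used:
            return None
        self.used.add(ticket_id)
        return user

    def disconnect(self, user):
        """Client went away; keep the session so the user can come back."""
        self.sessions[user]["state"] = "disconnected"

    def logoff(self, user):
        sess = self.sessions.pop(user)
        if self.policy == POLICY_POOLED:
            self.free.append(sess["vm"])
        else:                         # assign on first use: keep the mapping
            self.sessions[user] = {"vm": sess["vm"], "state": "logged_off"}
```

Binding the ticket to the VM and marking it used on first redemption are the two properties that matter: a ticket captured on the wire is useless against any other desktop, and useless against the right one once the legitimate client has connected.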
End User Experience
(Figure: access scenarios: desktop appliances, login, full-screen desktop; data center side as in the previous figure)
Virtual Desktop Infrastructure
• Agnostic to desktop hosting infrastructure
• Enable management of desktops to optimize:
- Power consumption
- Infrastructure utilization
• Integration to VM infrastructure
- Start
- Suspend
- Resume
- Shutdown
• SDK coming
• Virtual Machine Support
- XenServer
- Hyper-V
- VMware VI3
• Blade PCs
- Power for specialized users
• Traditional PCs
- Migration and remote access
(Figure: Desktop Delivery Controller and Virtual Desktop Infrastructure)
XenServer
Fast:
• Para-virtualization sheds the ‘middle man’
• Near Bare Metal Performance
• Resource Pools
Low maintenance:
• No drivers and thin means minimal patching – keeps workload running
• Next Generation Management Architecture
• XenMotion: Live Relocation
XenDesktop Specific Integration:
• XenDesktop Specific Templates
• Preboot eXecution Environment VMs (<500Kb in size)
• Clustered Management Layer
OS, App & Profile Management
(Figure: Desktop Delivery Controller with GoToAssist and EdgeSight; profiles, apps and OS are managed as separate layers; a Provisioning Server streams the OS from a VDisk to blade chassis desktops 1:1; a Setup Tool builds the Golden Image)
Golden Image:
• PV Tools
• Virtual Desktop Agent
• ICA & Streaming Client
• OS
How XenDesktop v2 Works
(Figure: the Desktop Delivery Controller with its Login Page, Licensing, Data Store and the Domain Controller / AD OU; flow: login, request license, apply policies, find desktop, validate, prepare and resume the desktop, connect over ICA; the desktop runs the Golden Image from a VDisk with profiles and apps as separate layers)
Golden Image:
• PV Tools
• Virtual Desktop Agent
• ICA & Streaming Client
• OS
Ulteo
Overview
• Interoperability:
• Full integration with existing infrastructures including Microsoft environments
(Windows authentication, Windows applications, Active Directory, File server).
• Customizable:
• Ulteo is using Open Source software. Ulteo source code is covered by GPL v2
software licensing terms.
• User friendly:
• Browser based interface
Core Architectures
• Desktop mode
• Application/portal mode
Clients
• A web browser(*)
• A dedicated Ulteo client software for Linux or Windows PCs or thin
clients
• An iOS or Android tablet (desktop mode only)