TECHNICAL WHITE PAPER
Architecting a vCloud
Table of Contents

1. What is a VMware vCloud? (page 4)
   1.1 Document Purpose and Assumptions (page 4)
   1.2 Cloud Computing and vCloud Introduction (page 6)
   1.3 vCloud Components (page 6)
2. Assembling a vCloud (page 7)
   2.1 vCloud Logical Architecture (page 7)
   2.2 vCloud Management Cluster (page 8)
   2.3 vCloud Resource Groups (page 10)
3. Creating Services with vCloud Director (page 12)
   3.1 vCloud Director Constructs (page 12)
   3.2 Establish Provider Virtual Datacenters (Prov vDCs) (page 13)
   3.3 Establish Organizations (page 14)
   3.4 Establish Networking Options – Public vCloud (page 15)
   3.5 Establish Networking Options – Private vCloud (page 17)
   3.6 Establish Organization Virtual Datacenters (Org vDCs) (page 18)
   3.7 Create vApp Templates and Media Catalogs (page 20)
   3.8 Establish Policies (page 20)
   3.9 Accessing your vCloud (page 21)
4. Managing the vCloud (page 21)
   4.1 Monitoring (page 21)
   4.2 Logging (page 25)
   4.3 Security Considerations (page 26)
   4.4 Workload Availability Considerations (page 28)
5. Sizing the vCloud (page 28)
   5.1 Sizing Considerations (page 28)
   5.2 Sizing the management cluster (page 28)
   5.3 Sizing the workload resource group clusters (page 29)
List of Figures

Figure 1 – vCloud Overview (page 6)
Figure 2 – vCloud Logical Architecture Overview (page 8)
Figure 3 – vCloud Resource Group Mapping (page 10)
Figure 4 – vCloud Director Construct to vSphere Mapping (page 12)
Figure 5 – Example Diagram of Provider Networking for a Public vCloud (page 16)
Figure 6 – Configure External IPs (page 17)
Figure 7 – Example Diagram of Provider Networking for a Private vCloud (page 17)
Figure 8 – Configure Firewall Services (page 23)
Figure 9 – vShield Manager’s Administrator UI (page 24)
Figure 10 – vCloud Director Manage and Monitor UI (page 25)
Figure 11 – Configure Firewall Services (page 27)
1. What is a VMware vCloud?

1.1 Document Purpose and Assumptions

Architecting a vCloud is intended to serve as a reference for cloud architects. The target audience is VMware Certified Professionals (VCP) familiar with VMware products, particularly VMware vSphere (vCenter Server, ESXi, vShield Manager), vCenter Chargeback, and vCloud Director. This document is not intended as a substitute for detailed product documentation, nor is it a step-by-step guide for installing a vCloud.

Before proceeding with the rest of this document you should have read the vCloud service definition for the type of cloud you are building (private or public). Also, you should have access to the following documentation, referred to throughout this document, for step-by-step instructions on installing and configuring the various components.

CATEGORY: REFERENCED DOCUMENT
Service Definitions: Service Definition for Public Cloud; Service Definition for Private Cloud
vCloud: vCloud Installation Guide
vCloud Director: VMware vCloud Director Security Hardening Guide; VMware vCloud Director Administration Guide; vCloud Director Administrator’s Guide
vSphere: vSphere Administrator Guide; vSphere Resource Management Guide
vShield: vShield Manager Administrator Guide
Chargeback: VMware vCenter Chargeback User’s Guide; vCloud Chargeback Models Implementation Guide

For further information, refer to the set of documentation for the appropriate product. For additional guidance and best practices, refer to the Knowledge Base on vmware.com.

This document is organized into these sections:

SECTION: DESCRIPTION

What is a VMware vCloud?: Components and definitions comprising the cloud solution:
• Document Purpose and Assumptions
• vCloud Components

Assembling a vCloud: Logical architecture of VMware product components:
• vCloud Logical Architecture
• vCloud Management Cluster
• vCloud Resource Groups

Creating Services with vCloud Director: Resource abstraction and the consumption model:
• vCloud Director Constructs
• Establish Provider Virtual Datacenters (Prov vDCs)
• Establish Organizations
• Establish Networking Options – Public vCloud
• Establish Networking Options – Private vCloud
• Create vApp Templates and Media Catalogs
• Establish Policies
• Accessing your vCloud

Managing the vCloud: Administrative tasks and considerations:
• Monitoring
• Logging
• Security Considerations
• Workload Availability Considerations

Sizing the vCloud: Sizing your vCloud environment:
• Sizing Considerations
• Sizing the Management Cluster
1.2 Cloud Computing and vCloud Introduction

VMware’s vCloud leverages VMware technologies and solutions to deliver cloud computing. Cloud computing is a new approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure to provide resources consumable as a service. Cloud computing can be delivered as three layers of service delivery:
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)

This iteration of a vCloud focuses strictly on the IaaS layer. The vCloud will build upon VMware vSphere by extending its robust virtual infrastructure capabilities to facilitate delivery of infrastructure service via cloud computing.

1.3 vCloud Components

The VMware vCloud is comprised of the following components:
• vCloud API
• VMware vCloud Director
• VMware vSphere
• vShield Edge
• vCenter Chargeback

Figure 1 – vCloud Overview
VCLOUD COMPONENT: DESCRIPTION

VMware vCloud Director (vCD): Cloud Coordinator and UI. Abstracts vSphere resources. Includes:
• vCloud Director Server(s) (also known as “cell”)
• Cloud Director Database
• vCloud API, used to manage cloud objects

VMware vSphere: Underlying foundation of virtualized resources. The vSphere family of products includes:
• vCenter Server and vCenter Server Database
• ESXi hosts, clustered by vCenter Server
• Management Assistant

VMware vShield: Provides network security services. Includes:
• vShield Manager (VSM) virtual appliance
• vShield Edge virtual appliances, automatically deployed by vCloud Director

VMware vCenter Chargeback: Optional component that provides resource metering and reporting to facilitate resource showback/chargeback. Includes:
• vCenter Chargeback Server
• Chargeback Data Collector
• vCloud Data Collector
• VSM Data Collector

Other VMware or third-party products or solutions such as orchestration are not addressed in this iteration of a vCloud.

2. Assembling a vCloud

2.1 vCloud Logical Architecture

In building a vCloud, assume that all management components such as vCenter Server and vCenter Chargeback Server will run as virtual machines. As a best practice of separating resources allocated for management functions from pure user-requested workloads, the underlying vSphere clusters will be split into two logical groups:
• A single management cluster running all core components and services needed to run the cloud.
• One or more vCloud resource groups that represent dedicated resources for cloud consumption. Each resource group is a cluster of ESXi hosts managed by a vCenter Server, and is under the control of VMware vCloud Director. Multiple resource groups can be managed by the same vCenter Server.

Reasons for organizing and separating vSphere resources along these lines are:
• Facilitating quicker troubleshooting and problem resolution. Management components are strictly contained in a relatively small and manageable management cluster. They do not run on a large set of host clusters, which could lead to situations where it is time-consuming to track down and manage such workloads.
• Management components are separate from the resources they are managing.
• Resources allocated for cloud use have little overhead reserved. For example, cloud resource groups would not host vCenter VMs.
• Resource groups can be consistently and transparently managed, carved up, and scaled horizontally.

The logical architecture with vSphere resource separation is depicted as follows.

Management Cluster (vCloud infrastructure VMs only, no user workloads):
• vCenter Server VMs
• vCloud Director Cell VMs
• vCenter Chargeback Server VMs
• vShield Manager (VSM) virtual appliance
• vCenter Database VMs
• Cloud Director Database VM
• vCenter Chargeback Database VM
• Load balancer VMs for VMware Cloud Director Cells
• vCenter Update Manager VMs
• Data Recovery VMs
• vSphere Management Assistant (vMA) VM

vCloud Resource Groups (user workloads only):
• User workload VMs
• vShield Edge virtual appliances

Figure 2 – vCloud Logical Architecture Overview

The management cluster resides in a single physical site. vCloud resource groups also reside within the same physical site. This ensures a consistent level of service. Otherwise, latency issues might arise if workloads need to be moved from one site to another over a slower or less reliable network. Neither secondary nor disaster recovery (DR) sites are in the scope of this document. Certain limitations apply when using VMware and 3rd party tools for disaster recovery and secondary or federated sites. Consult your local VMware representative for assistance in understanding these limitations and possible alternatives. You can also consult the Knowledge Base on vmware.com for additional information.

2.2 vCloud Management Cluster

To enable VMware High Availability (HA), a cluster of 3 VMware ESXi hosts will be used. A VMware HA percentage-based policy and an N+1 host architecture will be used instead of dedicating a single host for host failures. This will allow the management workloads to run evenly across the hosts in the cluster without the need to dedicate a host strictly for host failure situations. Three hosts supporting just vCloud management components should be sufficient for typical vCloud environments. Additional hosts can be added to the management cluster for N+2 or more redundancy, but this is not required by the current vCloud service definitions. For detailed sizing of the management cluster see Sizing the vCloud in this document.
Host networking in the management cluster will be configured per vSphere best practices, including (but not limited to) the following:
• Separation of network traffic for security and load considerations by type (management, vMotion/Fault Tolerance (FT), VM, storage).
• Network path redundancy.
• Use of vNetwork Distributed Switches where possible for network management simplification. The architecture calls for the use of vNetwork Distributed Switches in the user workload resource group, so it is a best practice to use the vNetwork Distributed Switch across all of your clusters, including the management cluster.
• Increasing the MTU size of the physical switches as well as the vNetwork Distributed Switches to at least 1524 to accommodate the additional MAC header information used by vCloud Director Network Isolation links. vCD-NI is called for by the service definition and the architecture found later in this document. Failure to increase the MTU size could adversely affect performance of the network throughput to VMs hosted on the vCloud infrastructure.

Shared storage in the management cluster will be configured per vSphere best practices, including (but not limited to) the following:
• Storage paths will be redundant at the host (connector), switch, and storage array levels.
• All hosts in a cluster will have access to the same datastores.
• The use of RDMs in the vCloud Director infrastructure is currently not supported and should be avoided.

Management components running as VMs in the management cluster include the following:
• vCenter Server(s) and vCenter Database
• vCloud Director Cell(s) and vCloud Director Database
• vCenter Chargeback Server(s)
• vShield Manager (one per vCenter Server)

Optional management functions deployed as VMs include:
• vCenter Update Manager
• VMware Data Recovery
• VMware Management Assistant (vMA)

The optional management VMs are not required by the service definition, but they are highly recommended to increase the operational efficiency of the solution. For more information on the resources needed by the VMs in the management cluster, refer to Sizing the vCloud in this document.

All of the management VMs can be protected by VMware HA and FT, unless the vCenter Server VM has 2 vCPUs, in which case it cannot use FT and a solution such as vCenter Heartbeat should be considered. Unlike a traditional vSphere environment where vCenter Server is used by administrators to provision VMs, vCenter Server plays an integral role in end-user self-service provisioning by handling all VM deployment requests by vCloud Director. Therefore, ensuring the availability of vCenter Servers with a solution such as vCenter Heartbeat is highly recommended. vCenter Site Recovery Manager (SRM) can be used to protect some components of the management cluster. At this time, vCenter Site Recovery Manager will not be used to protect vCloud Director cells because a secondary (DR) site is out of scope of the vCloud, and changes to IP addresses and schemas in recovered vCloud Director cells can result in problems.
2.3 vCloud Resource Groups

Each resource group represents a cluster of VMware ESXi hosts under the management of a vCenter Server and associated with a single vSphere Cluster. Resource groups can be of different compute capacity sizes (number of hosts, number of cores, performance of hosts) to support differentiation of compute resources by capacity or performance for service level tiering purposes.

vShield Edge appliances are deployed automatically by vCloud Director as needed and will reside in the vCloud resource groups, not in the management cluster. They will be placed in a separate resource pool by vCloud Director and vCenter. For additional information on the vShield Edge appliance and its functions, refer to the vShield Manager Administrator guides. For a detailed look at how to size the vCloud resource groups, refer to Sizing the vCloud in this document.

Figure 3 – vCloud Resource Group Mapping (vCloud Resource Group = vCenter Host Cluster, backed by a vCenter Resource Pool)

While it is possible to create multiple vCenter resource pools per host cluster, it is best to dedicate the cluster for use by vCloud Director. Since vCloud Director manages vSphere resources by proxy through a vCenter Server and automatically creates resource pools within vCenter as needed, using vCenter Server to create resource pools or nested pools can go against the efficient allocation of resources by vCloud Director. Multiple parent-level resource pools can also add unnecessary complexity and lead to unpredictable results or inefficient use of resources if the reservations are not set appropriately. To summarize, it is a best practice to use a 1-to-1 mapping of vCloud Resource Group to vCenter host cluster.

Compute Resources

All hosts in the vCloud resource groups will be configured per vSphere best practices, similar to the management cluster. VMware HA will also be used to protect against host and VM failures. Resource pools will be automatically created by vCloud Director. vCloud Director will automatically allocate resources to cloud organizations by creating resource pools with appropriate reservations and limits within the cluster.

Storage

Shared storage in the vCloud resource groups will be configured per vSphere best practices, similar to the management cluster. Storage types supported by vSphere will be used. The use of RDMs in the vCloud Director infrastructure is currently not supported and should be avoided. vCloud Director will assign datastores for use through provider virtual datacenters (provider vDCs), and only existing vSphere datastores can be assigned. Creation of datastores will need to take into consideration Service Definition requirements and workload use cases, which will affect the number and size of datastores to be created.
Datastores in the vCloud resource groups will be used for vCloud workloads, known as vApps. vSphere best practices apply for datastore sizing in terms of number and size. Vary datastore size or shared storage characteristics if providing differentiated or tiered levels of service. Sizing considerations include:
• Datastore size:
  – What is the average vApp size x number of vApps x spare capacity? For example: Avg VM size * # VMs * (1 + % headroom)
  – What is the average VM disk size?
  – How many VMs are in a vApp?
  – How many VMs are to be expected?
  – How much spare capacity do you want to allocate for room for growth (expressed as a percentage)?
• Datastore use:
  – Will expected workloads be transient or static?
  – Will expected workloads be disk-intensive?

The public cloud service definition calls for a capacity of 1,500 VMs initially and specifies 60 GB of storage per VM. You should consider these numbers when sizing your datastores.

Additionally, an NFS share must be set up and made visible to all cells for use by vCloud Director for transferring files in a vCloud Director multi-cell environment. NFS is the required protocol for the transfer volume. Refer to the vCloud Installation Guide for more information on where to mount this volume.

Networking

Host networking for hosts within a vCloud resource group will be configured per vSphere best practices in the same manner as the vCloud management cluster. Networking requirements specific to the vCloud resource groups that facilitate cloud networking include:
• Increasing the MTU size of the physical switches as well as the vNetwork Distributed Switches to at least 1524 to accommodate the additional MAC header information used by vCloud Director Network Isolation links. vCD-NI is called for by the service definition and the architecture found later in this document. Failure to increase the MTU size could adversely affect performance of the network throughput to VMs hosted on the vCloud infrastructure.
  – MTU size should be increased to a minimum of 1524 bytes. Refer to the vSphere Administrator Guide for more information on increasing this value.
• Pre-configured vSphere port groups for use in connecting to external networks:
  – These can be standard vSwitch port groups, vNetwork Distributed Switch port groups, or the Cisco Nexus 1000V.
  – In a vCloud for service providers, these pre-configured port groups will provide access to the Internet.
  – Make sure to have sufficient vSphere port groups created and made available for VM access in the vCloud.
• VLANs to support private networks:
  – Private networks are private with respect to an organization.
  – Private networks are backed by VLAN IDs or network pools, which use fewer VLAN IDs (# of vCD-NI networks per VLAN).
  – Hosts must be connected to VLAN trunk ports.
  – vNetwork Distributed Switches are required.
  – Note that vCloud Director creates port groups automatically as needed.

In addition, the number of vNetwork Distributed Switch ports per host should be increased from the default value of 128 to the maximum of 4096. Increasing the ports will allow vCloud Director to dynamically create port groups as necessary for the private organization networks created later in this document.
3. Creating Services with vCloud Director

3.1 vCloud Director Constructs

VMware vCloud Director introduces logical constructs, such as organizations and provider virtual datacenters (vDCs), to facilitate multi-tenancy consumption of resources. The following diagram depicts the logical constructs within vCloud Director that abstract underlying vSphere resources.

Figure 4 – vCloud Director Construct to vSphere Mapping (diagram labels: Admin Organization and Organization A, each with Users, Access Control, Catalogs, Provisioning Policies and User Clouds; Organization vDCs containing vApps (VMs with vApp Network); vApp Network, Organization Network and External Networks; Provider vDC: Gold, Silver and Bronze; vSphere Port Groups or dvPort Groups, Resource Pools and Datastores)

VCLOUD DIRECTOR CONSTRUCT: DESCRIPTION

Provider Virtual Datacenter (vDC): Logical grouping of vSphere compute resources (backed by a vCenter resource pool automatically created by vCloud Director when attaching a vSphere cluster) and assigned datastores for the purposes of providing cloud resources to consumers.

Organization: A unit of administration that represents a logical collection of users, groups, and computing resources, and also serves as a security boundary from which only users of a particular organization can deploy workloads and have visibility into such workloads in the cloud. In the simplest terms, an organization = an association of related end consumers.

Organization Virtual Datacenter (vDC): Subset allocation of a provider vDC’s resources assigned to an organization. An organization vDC allocates resources using one of three models:
• Pay as you go
• Reservation
• Allocation

vApp Templates and Media Catalogs: A collection of available services for consumption. Catalogs contain vApp templates (preconfigured containers of one or more virtual machines) and/or media (ISO images of operating systems).

External Network: A network that connects to the outside using an existing vSphere network port group.

Organization Network: A network visible within an organization. It can be an external organization network with connectivity to an external network, using a direct or routed connection, or it can be an internal network visible only to vApps within the organization.

vApp Network: A network visible within a vApp. It can be connected to other vApp networks within an organization using a direct or routed connection, or it can be an internal network visible only to VMs within the vApp.

3.2 Establish Provider Virtual Datacenters (Prov vDCs)

A provider vDC is backed by a vCenter resource pool that is automatically created by vCloud Director when attaching the vSphere cluster that will back the provider vDC. When creating a provider vDC, take the following rules and guidelines into consideration:
• At least one provider vDC is required for a vCloud.
• A provider vDC can map to one and only one cluster. A provider vDC cannot span multiple host clusters. Once a cluster is attached to a provider vDC, it is no longer available for attachment to another provider vDC.
• While it is possible to back a provider vDC with a resource pool instead of a cluster, the best practice is to use a cluster. This will allow preservation of resource allocations should additional hosts be added to the cluster.
• One or more datastores can be attached to a provider vDC. A datastore can be assigned to multiple provider vDCs. As a best practice in segmenting storage, datastores should not be shared by multiple provider vDCs.
• Create multiple provider vDCs to differentiate different levels or characteristics of a service offering. Segment by capacity or performance type. For example, provider vDC01 = fast storage, provider vDC02 = medium storage. Or provider vDC_A = high-end hosts, provider vDC_B = mid-tier hosts.
• As the level of expected consumption increases for a given provider vDC, add more hosts to the vCenter cluster on the vSphere end. If additional compute capacity is required, add additional hosts to the cluster from vCenter and attach more datastores.
• It is not possible to attach a second cluster to a provider vDC at this time. If the cluster backing a provider vDC has reached the maximum number of hosts per vSphere design guidelines, create a new provider vDC backed by a new resource pool associated with a new cluster.
Refer to the service definition for guidance on the size of vSphere clusters and datastores to attach when creating a provider vDC. Consider:
• Expected number of VMs
• Size of VMs (CPU, memory, disk)

Service Provider Considerations

Considerations for a service provider (public) vCloud include creating multiple provider virtual datacenters (Prov vDCs) based on the tiers of service that will be provided. Because Prov vDCs contain only CPU, memory, and storage resources, and those are common across all of the requirements in the public cloud service definition, you should create one large Prov vDC attached to a vSphere cluster that has sufficient capacity to run 1,500 VMs. You should also leave overhead to grow the cluster with more resources, up to the maximum of 32 hosts, should organizations need to grow in the future. If you determine that your hosts do not have sufficient capacity to run the maximum number of VMs called out by the public cloud service definition, you should separate the Pay-As-You-Go service tier from the Resource Pool service tier by creating two separate Prov vDCs.

Private Cloud Considerations

Given that a provider virtual datacenter (Prov vDC) represents a vSphere cluster and resource pool, it’s commonly accepted that a single Prov vDC be established. Because Prov vDCs contain only CPU, memory, and storage resources, and those are common across all of the requirements in the private cloud service definition, you should create one large Prov vDC attached to a cluster that has sufficient capacity to run 400 VMs. Refer to the service definition for private cloud for details on the Service Tier(s) called for. Should it be determined that existing host capacity can’t meet the requirement, or there’s a desire to segment capacity along the lines of equipment type (for example, CPU types in different Prov vDCs), then establish a Prov vDC for Pay-As-You-Go use cases and a separate Prov vDC for the resource-reserved use cases.

3.3 Establish Organizations

A vCloud contains one or more organizations. Each organization represents a collection of end consumers, groups, and computing resources. Users authenticate at the organization level, using credentials established by an organization administrator within vCloud Director or LDAP. Users in an organization consume resources by selecting vApps from a predefined catalog.

When creating organizations, the name of the organization will be used in the URL to access the GUI for that organization. As an example, ACME would be accessed at https://<hostname>/cloud/org/ACME. You should take care to avoid special characters or spaces in the organization name since that will affect the URL in undesirable ways.

The service definition does not specifically call out the use of LDAP for organizations, so each organization will be set up to not use LDAP, and instead use local users. See Security Considerations in this document for more information on LDAP authentication.

You can use the system defaults for most of the other organization settings. The one exception is leases, quotas, and limits. There are no specific requirements called out by the service definition for leases, quotas, and limits. The provider should set these values to whatever works best in their cloud.

Administrative Organization

A vCloud requires at least one organization. As a best practice, the first organization to be created will be an administrative organization. This organization will own a master catalog of vApp templates that are published and shared with all other (standard) organizations.
Administrators assigned to the administrative organization will also be responsible for creating official template VMs for placement in the master catalog for other organizations to use. VMs in development should be stored in a separate development catalog that is not shared with other organizations. Make sure that when you create the administrative organization you set it up to allow publishing of catalogs.

As a note of reference, there is already a default System organization in the vCloud Director environment. The administrative organization being created here is different from the built-in System organization since it can actually create vApps and catalogs and share them.

Standard Organizations

Create an organization for each tenant of the vCloud as necessary. Each of the standard organizations will be created with the following considerations:
• Do not use LDAP
• Cannot publish catalogs
• Use system defaults for SMTP
• Use system defaults for notification settings
• Use Leases, Quotas, and Limits meeting the provider’s requirements

3.4 Establish Networking Options – Public vCloud

External Networks

Referencing the service definition for a public cloud, all service tiers use a shared public Internet connection. To fulfill this, create a single external provider network. You will connect this external network to a vSphere port group which is actually connected to the Internet. Make sure you have the IP information for the physical network you have attached to, including the network mask, default gateway, and DNS information. Make sure to give the network a descriptive name such as Provider-Internet for the case here.

Lastly, you will create a pool of static IP addresses that will be consumed by vShield Edge appliances (which facilitate a routed connection) each time you connect an organization network to this external network. You should create a large enough IP address pool so that each of your organizations can have access to an external network. For sizing purposes, the estimated number of organizations for 1,500 VMs is 25 organizations, so make sure you have at least 25 IP addresses in your static IP pool.

Network Pools

In addition to access to external networks, each organization in a public vCloud will have organization-specific private networks. vCloud Director instantiates isolated L2 networks through the use of network pools. Create a single large network pool for all organizations to share, and limit the use of this network pool when you create each individual organization. The network pool created will use vCloud Network Isolation for separating the traffic. This will use an existing vNetwork Distributed Switch previously created for connecting hosts. You can optionally use a VLAN to further segregate all of the vCD-NI traffic.

Because the network pools will be used by both the external organization network and private vApp networks, you will need at least 11 networks in the network pool per organization. One of the networks will be used for the protected external organization network. Ten of the networks in the pool will be for the private vApp networks, according to the public cloud service definition. Given the estimate of 25 organizations, you need at least 275 networks in the pool. There is a limitation of a maximum of 4096 networks in a network pool due to the port limitation on the vNetwork Distributed Switch. When connecting the network pool to a vNetwork Distributed Switch, make sure you have enough free ports left on the switch (at least 275).
Figure 5 – Example Diagram of Provider Networking for a Public vCloud: vCloud Datacenter with the "Provider Internet" external network and a Network Pool; Organization "ACME Corp." with Org Net "ACME-Internet" (Private Routed) and Org Net "ACME-Private" (Private Internal)

Organization Networks
Create 2 different organization networks for each organization, one external organization network and one private internal organization network. You can do this as one step in the vCloud Director UI wizard by selecting the default (recommended) option when creating a new organization network. Both the external organization network and the internal organization network will leverage the same vCD-NI network pool previously established. Per the Service Definition for Public Cloud, the external network will be connected as a routed connection that will leverage vShield Edge for firewalling and NAT to keep traffic separated from other organizations on the same external provider network. When naming an organization network, it is a best practice to start with the organization name and a hyphen, for example, ACME-Internet.

For both the internal network and the external network, you will need to provide a range of IP addresses and associated network information. Since both of the networks will be private networks behind a vShield Edge, you can use RFC 1918 addresses for both static IP address pools. The Service Definition for Public Cloud defines a limit of external connections with a maximum of 8 IP addresses, so you should provide a range of only 8 IP addresses when creating the static IP address pool for the external network. For the private network, you can make the static IP address pool as large as desired. Typically, a full RFC 1918 class C is used for the private network IP pool.

The last step is to add external public IP addresses to the vShield Edge configuration on the external organization network. By selecting Configure Services on the external organization network, you can add 8 public IP addresses that can be used by that particular organization. These IP addresses should come from the same subnet as the network that you assigned to the system's external network static IP pool.
Figure 6 – Configure External IPs

3.5 Establish Networking Options – Private vCloud

External Networks
In general, for a private vCloud, the networking needs are simplified and direct compared to a public vCloud. As such, direct connections from inside the organization to the networking backbone provided by the enterprise are all that's necessary. This is analogous to "extending a wire" from the network switch that contains the network or VLAN to be used all the way through the cloud layers to the organization and into the vApp. One of these direct networks must be established for each network or VLAN to be used in the private vCloud.

Figure 7 – Example Diagram of Provider Networking for a Private vCloud: Enterprise vCloud with the "Corporate Backbone" external network and a Network Pool; Organization "Software Design" with Org Net "External Access" (Private Direct) and Org Net "Internal Network" (Private Internal, optional)
An important differentiation to keep an eye on is an "External Network", the foundational object, a function of the vCloud foundational layer under all the private vClouds that may get established, and "Organization External Networks", a component of each organization that gets established at its creation time. This section is focused on the first external network mentioned.

The external provider network in a private vCloud is a network outside of the scope of the cloud, i.e. it is not managed by either the vCloud layer or the vSphere layer. It is a network that already exists within the address space used by the enterprise. At least one external network is required to enable organization networking to connect to. To establish this network, create an external network in the Cloud Resources section (under Manage & Monitor of the System Administration section of the vCloud Director UI) and follow the wizard, filling in the network mask, default gateway and other specifications of the LAN segment as required. In the wizard, specify enough address space for use as static assignments, as this is where vCloud Director draws "Public IP Pool" addresses from. This pool will be used to provision NAT-type connectivity between the organizations and the cloud services below it, and could be used like a routed organization external network. A good starting range is 30 addresses that do not conflict with existing addresses in use, or ranges already committed for DHCP. Note: Static IP Pool address space is not used for DHCP, but the function is similar to that.

Network Pools
A network pool is a collection of virtual machine networks that are available to be consumed by organizations to create organization networks and vApp networks. Network traffic on each network in a pool is isolated at layer 2 from all other networks. You will need a network in the network pool for every private organization network and external organization network in the vCloud environment. The private cloud service definition calls for one external organization network and the ability for the organization to create private vApp networks. Because there is no minimum called out in the service definition for the number of vApp networks, a good number of networks to start out with is 10 per organization. To accomplish this, make your network pool as large as the number of organizations times 10.

Organization Networks
At least one organization external network is required to connect vApps created within the organization to other vApps and/or the networking layers beyond the private vCloud. This external network maps to an existing vSphere network for VM use as defined in the External Networks section (above). When building this, be sure to select a direct connection. Other networking options are available, but add complexity to the design that is normally not needed. For more information on adding additional network options please refer to the vCloud Director Administrator's Guide. For the purpose of this design there are no additional network requirements.

3.6 Establish Organization Virtual Datacenters (Org vDCs)
An organization virtual datacenter (Org vDC) allocates resources from a Prov vDC and makes them available for use by a given organization. An organization can have multiple Org vDCs. Multiple Org vDCs can take from the same Prov vDC. Resources are taken from a Provider vDC and allocated to an Organization vDC using one of three resource allocation models:
• Pay as you go. Resources are only reserved and committed for vApps as vApps are created. There is no upfront reservation of resources.
• Allocation. A baseline amount ("guarantee") of resources from the provider vDC is reserved for the organization vDC's exclusive use. An additional percentage of resources is available to oversubscribe CPU and memory, but this taps into compute resources that are shared by other organization vDCs drawing from the provider vDC.
• Reservation. All resources assigned to the organization vDC are reserved exclusively for the organization vDC's use.

When an organization vDC is created in vCloud Director, vCenter Server automatically creates child resource pools with the appropriate resource reservations and limits under the resource pool representing the provider vDC. With all of the above models the organization can be limited to deploy a certain number of VMs, and a corresponding speed of a vCPU equivalent can be specified. Or, this can also be set to unlimited.

The first organization vDC to be created should be an administration organization vDC for use by the administration organization. The allocation model is set to "Pay as you go" so as not to take resources from other organization vDCs until they are needed. Subsequent organization vDCs should be created to serve the organizations previously established.

Service Provider Considerations
The organization virtual datacenter allocation model maps directly to a corresponding vCenter Chargeback billing model:
• Pay as you go. Pricing can be set per VM. Billing is unpredictable as it is tied directly to actual usage.
• Allocation. Consumers are allocated a baseline set of resources but have the ability to burst by tapping into additional resources as needed, but are typically charged at higher rates for exceeding baseline usage.
• Reservation. Consumers are allocated and billed for a fixed container of resources, regardless of usage. This model allows for predictable billing and level of service, but consumers may pay a premium if they do not consume all their allocated resources.

These allocation models also map directly to the service tiers found in the public cloud service definition. The Basic VDC model will use the Pay-as-you-go allocation model since instances are only charged for the resources they consume and there is no commitment required from the consumer. The Committed VDC model will use the Allocation Pool model since the consumer is required to commit to a certain level of usage but is also allowed to exceed that usage. The Dedicated VDC model will use the Reservation Pool model since this service tier requires dedicated and guaranteed resources for the consumer.

Chargeback functionality is provided by VMware vCenter Chargeback, which is integrated with VMware vCloud Director. You should follow the steps in the vCloud Chargeback Models to set up the appropriate charging profiles for each of your service tiers. For further information, refer to the vCloud Chargeback Models Implementation Guide, which details how to set up vCloud Director and vCenter Chargeback to accommodate instance-based pricing (pay as you go), reservation-based pricing, and allocation-based pricing. You can further reference the VMware vCenter Chargeback User's Guide for information on how to customize the individual reports generated. The Service Definition for Public Cloud provides detailed and descriptive guidance on how much a provider should charge for each service tier.

Private Cloud Considerations
The organization vDC allocation model used depends on the type of workloads to be expected. In selecting the appropriate allocation model, the service definition and the organization's use cases of workloads should be taken into consideration.
• Pay as you go. A transient environment where workloads are repeatedly deployed and undeployed, such as a demonstration or training environment, would be suited for this model. This model will result in more variable billing but allows for the possibility of more closely aligning variable workloads to their cost.
• Allocation. Elastic workloads that have a steady state but during certain periods of time surge due to special processing needs would be suited for this model.
• Reservation. Since a fixed set of resources is guaranteed, infrastructure-type workloads that demand a predictable level of service would run well using this model.
As part of creating an organization vDC, a storage limit can be set on the amount of storage to draw from the provider vDC backing the organization vDC. By default, this setting is left to unlimited. For the purpose of this architecture there will be no limit on storage consumed by the vApps, since we are providing static values for the individual VM storage and we are also limiting the number of VMs in an organization. An option to "enable thin provision" allows provisioning VMs using thin disks to conserve disk usage. This feature can save substantial amounts of storage and have very little performance impact on workloads in the vCloud infrastructure. It is recommended to enable this feature when creating each organization. vSphere best practices apply in the use of thin-provisioned virtual disks. For more information about this feature please refer to the vCloud Director Administrator's Guide or the VMware knowledge base.

3.7 Create vApp Templates and Media Catalogs
The way to consume services in a cloud environment is from a catalog. Catalogs are stored in an organization vDC. The administrative organization vDC will have two catalogs:
• Internal. Used for developing and staging new vApps and media.
• Master. Published and shared to all other organization vDCs.
Organizations will use the master catalog that has been published from the administrative organization vDC with the default cloud templates. Please refer to the service definition for a full listing of recommended templates. In addition, organizations will have a private catalog created by the organization administrator and used for uploading new vApps or media to the individual organization. There are no other configuration requirements for the catalogs or templates in this cloud architecture.

3.8 Establish Policies
During the creation of an organization, you can set policies around the number of deployed and stored VMs:
• Deployed VMs refers to the number of running VMs.
• Stored VMs refers to the total number of VMs, including VMs that are not powered on.
The public cloud service definition has specific requirements for the maximum number of VMs each organization can have based on size. Refer to the public cloud service definition for the maximum VM count for each of the three tiers of reservation pools.

You can also specify runtime policies to control vApps and vApp templates in an organization vDC. Specify the maximum length of time vApps and vApp templates can run and be stored in the organization vDCs:
• The runtime lease can be set to allow vApps or vApp templates to run for a defined period of time, after which time vApps will be powered off, or set to "never expire".
• The storage lease can be specified, allowing vApps or vApp templates to be stored for a defined period of time, after which time vApps or vApp templates will be automatically cleaned up, or set to "never expire".
When any option for storage lease (with the exception of "never expire") is selected, the storage will be automatically cleaned up. Additional options include:
• Permanently deleted. After the specified period of time, the vApps or vApp templates will automatically be deleted.
• Moved to expired items. This flags the vApps or vApp templates for deletion, which hides them from users so that they can no longer be used, allowing an Administrator to remove them.
3.9 Accessing your vCloud
The vCloud is now ready for self-service use. Each organization should have a public URL configured to access the organization's cloud portal using vCloud Director. These URLs will have the format https://<vCD-cellhostname>/cloud/org/<org-Name>. Each time a user of an organization logs in they should point their browser to the organization-specific URL.

4. Managing the vCloud

4.1 Monitoring
To ensure the vCloud operates with minimal downtime, monitor all vCloud components. This document will not detail specifics on setting up a monitoring solution since every provider has very different monitoring solutions in place to be integrated. A centralized monitoring tool such as Hyperic can be used to monitor some of the servers (Oracle Server, SQL Server, Active Directory Server, DNS Server, Red Hat Enterprise Linux Server, Windows Server) that are needed to run a vCloud Director environment. At the vSphere level, typical procedures for monitoring physical and vSphere components apply. To ensure that vCloud Director and vCloud Director-related components are running, here are the vCloud dependent processes to monitor for each vCloud component.

Each vCloud Director cell is dependent on the following to be operational:
• vCloud Director Database
• vCenter Server (which depends on vCenter Database)
• vShield Manager (to deploy vShield Edge virtual appliances)
• VMware ESXi hosts (via vCenter Server)

vCenter Chargeback Server is needed to generate reports and is dependent on the vCenter Chargeback Database. vCenter Chargeback is also dependent on data collectors to collect usage information. Downtime of data collectors can impact reporting but does not affect the ability to generate reports.

vCloud Director
Within Red Hat Enterprise Linux where vCloud Director is installed, executing the following commands will provide the status of the cell and the watchdog process that monitors the cell.

# service vmware-vcd status
vmware-vcd-watchdog is running
vmware-vcd-cell is running

vCloud Director is basically a java process. One can search for java processes with the process status (ps) command to make sure that the cells are running. If you see a java process listed then the cell should be running; otherwise you will get no output from the command below.

# ps -ef | grep java
vcloud 27721 1 0 Aug20 ? 00:16:01 /opt/vmware/cloud-director/jre/bin/java -Xms512M -Xmx1024M -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/vmware/cloud-director/logs -Dservicemix.home=/opt/vmware/cloud-director -Dservicemix.base=/opt/vmware/cloud-director -Djava.util.logging.config.file=/opt/vmware/cloud-director/etc/java.util.logging.properties -Dorg.apache.servicemix.filemonitor.configDir=/opt/vmware/cloud-director/etc -Dorg.apache.servicemix.filemonitor.monitorDir=/opt/vmware/cloud-director/deploy -Dorg.apache.servicemix.filemonitor.generatedJarDir=/opt/vmware/cloud-director/data/generated-bundles -Dorg.apache.servicemix.filemonitor.scanInterval=86400000 -Dservicemix.startLocalConsole=false -Dservicemix.startRemoteShell=false -Dorg.ops4j.pax.logging.DefaultServiceLog.level=ERROR -Dservicemix.name=root -Djava.awt.headless=true -DVCLOUD_HOME=/opt/vmware/cloud-director -Djava.library.path=/opt/vmware/cloud-director -Djava.io.tmpdir=/opt/vmware/cloud-director/tmp -Djava.net.preferIPv4Stack=true -Doracle.jdbc.defaultNChar=true -Dlog4j.configuration=file:/opt/vmware/cloud-director/etc/log4j.properties -jar /opt/vmware/cloud-director/system/org.eclipse.osgi-3.4.3.R34x_v20081215-1030.jar -configuration /opt/vmware/cloud-director/etc

SNMP and SMASH are not supported for monitoring vCloud Director cells. Alternatively, cells can be monitored through integration with a third party monitoring platform via JMX Beans.

Running a tail command on the vCloud Director's log files (cell.log, vcloud-container-debug.log, and vcloud-container-info.log) located in /opt/vmware/cloud-director/logs shows a lot of information related to understanding the execution and health of each individual cell. Searching for the string "ERROR" in log files such as vcloud-container-debug.log will show all the errors that happened to an individual cell at execution time. For example, the following error message could appear in the vcloud-container-debug.log file:

2010-08-23 15:33:34.407 | ERROR | pool-jetty-6 | LdapProviderImpl | LDAP search error.
com.vmware.ssdc.backend.ldap.LdapSearchException: "Problem encountered search searching LDAP or retrieving object from LDAP."
        at com.vmware.ssdc.backend.ldap.LdapProviderImpl.getUsersByName(LdapProviderImpl.java:844)
        at com.vmware.ssdc.backend.ldap.LdapProviderImpl.getUserByUsername(LdapProviderImpl.java:818)
        at com.vmware.ssdc.backend.ldap.LdapProviderImpl.testLdapSettings(LdapProviderImpl.java:212)

This entry reveals that there is a problem with LDAP. This would give some information in narrowing down the problem to a specific component in place (LDAP in this case). In a multi-cell environment, this could be more challenging because one has to log into different servers to monitor the health of all of the cells. For multi-cell environments you should enable syslog collection to a centralized logging server. Please refer to the vCloud Director Administrator's Guide for instructions on how to set up syslog redirection. Analyzing errors from the log files is also possible from the vCloud Director's Administrator portal. For detailed instructions on how to access the log files in the Administrator portal please refer to the vCloud Director Administrator's Guide.
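The three manual checks above (service status, the cell's java process, and ERROR entries in vcloud-container-debug.log) scripted as a health probe. This is an added example, not code from the white paper or from VMware; the status, ps and log samples are constructed to match the formats shown above, and the paths are the ones the paper gives.

```sh
#!/bin/sh
# Added example, not from the white paper: scripted versions of the manual cell
# checks described in the text. Each check is a function that returns 0 (healthy)
# or 1, so it can be dropped into a cron job or a Hyperic/Nagios-style wrapper.
# Inputs are passed in as text (or a file path), so the functions run offline
# against the constructed samples below and, on a real cell, against
# `service vmware-vcd status`, `ps -ef` and /opt/vmware/cloud-director/logs.

# Check 1: both the watchdog and the cell must report "is running".
# $1 = output of `service vmware-vcd status`
vcd_status_ok() {
  printf '%s\n' "$1" | grep -q '^vmware-vcd-watchdog is running$' || return 1
  printf '%s\n' "$1" | grep -q '^vmware-vcd-cell is running$' || return 1
}

# Check 2: the cell's JVM is present in the process list.
# $1 = output of `ps -ef`. Matching the full java path (rather than `grep java`)
# avoids false positives from other JVMs and from the grep command itself.
vcd_process_present() {
  printf '%s\n' "$1" | grep -v 'grep' | grep -q '/opt/vmware/cloud-director/jre/bin/java'
}

# Check 3: count ERROR entries in a cell log. Only the entry header lines
# ("<timestamp> | ERROR | <thread> | <component> | <message>") are counted;
# the "at ..." stack-trace lines that follow an entry are not.
# $1 = path to vcloud-container-debug.log (or any file in the same format)
count_log_errors() {
  n=$(grep -c ' | ERROR | ' "$1") || n=0
  printf '%s\n' "$n"
}

# List the components (4th field) that logged errors, deduplicated: the
# "narrow the problem down to a component" step from the text, automated.
error_components() {
  grep ' | ERROR | ' "$1" | awk -F' [|] ' '{ print $4 }' | sort -u
}

# ---- constructed sample data (not captured from a real cell) ----
SAMPLE_STATUS_OK='vmware-vcd-watchdog is running
vmware-vcd-cell is running'
SAMPLE_STATUS_BAD='vmware-vcd-watchdog is running
vmware-vcd-cell is stopped'
# Shortened ps -ef output: a cell JVM plus the grep itself, and a host with
# only an unrelated JVM.
SAMPLE_PS_OK='vcloud   27721     1  0 Aug20 ?     00:16:01 /opt/vmware/cloud-director/jre/bin/java -Xms512M -Xmx1024M
root     31001 30990  0 10:02 pts/0 00:00:00 grep java'
SAMPLE_PS_BAD='root     31001 30990  0 10:02 pts/0 00:00:00 grep java
appuser   4410     1  0 Aug20 ?     00:03:12 /usr/java/bin/java -jar other.jar'
# Two ERROR entries (one followed by a stack-trace line) and one INFO entry.
SAMPLE_LOG='2010-08-23 15:33:34.407 | ERROR | pool-jetty-6 | LdapProviderImpl | LDAP search error.
        at com.vmware.ssdc.backend.ldap.LdapProviderImpl.getUsersByName(LdapProviderImpl.java:844)
2010-08-23 15:33:35.010 | INFO  | pool-jetty-6 | ExampleComponent | Constructed informational entry.
2010-08-23 15:34:10.118 | ERROR | pool-jetty-6 | LdapProviderImpl | LDAP search error.'

# The file-based checks need a path, so write the sample log to a temp file.
SAMPLE_LOG_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_LOG_FILE"

# Run all three checks against one set of inputs and report like a monitoring probe.
# $1 = status output, $2 = ps output, $3 = log path
report_cell_health() {
  if vcd_status_ok "$1"; then echo "service: ok"; else echo "service: NOT RUNNING"; fi
  if vcd_process_present "$2"; then echo "jvm: ok"; else echo "jvm: NOT FOUND"; fi
  echo "log errors: $(count_log_errors "$3")"
  error_components "$3" | sed 's/^/  component: /'
}

report_cell_health "$SAMPLE_STATUS_OK" "$SAMPLE_PS_OK" "$SAMPLE_LOG_FILE"
```

On a cell, feed the functions `"$(service vmware-vcd status)"`, `"$(ps -ef)"` and the path to vcloud-container-debug.log instead of the samples.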
Figure 8 – vCloud Director Administrator Portal

vSphere: ESXi hosts
Follow vSphere best practices to ensure hosts are running. In addition, ensure that vCloud dependencies are monitored. "Vslad" is the vCloud agent and "vpxa" and "hostd" are the vSphere agents that run on ESX/ESXi hosts. All of the agents run as services. To do a sanity check, one can run a process status (ps) command and make sure that these processes are up and running.

# ps aux | grep vslad
45832 5659 worker /opt/vmware/vslad/vslad
5659  5659 worker /opt/vmware/vslad/vslad
5670  5659 poll   /opt/vmware/vslad/vslad
5671  5659 worker /opt/vmware/vslad/vslad

For more information on monitoring the vSphere components refer to the vSphere Resource Management Guide.
vShield Manager and vShield Edge
Once the vShield Manager is installed and configured successfully to work with vCloud Director, there are two ways to manage and leverage the monitoring aspect that vShield Manager provides. You can log in directly to vShield Manager's administrator portal (UI), or to the vShield Manager itself with a vSphere Client plug-in (vShield Manager will show up in the vSphere Client under "Solutions and Applications"). vShield Edge devices are under the control of vShield Manager. The recommended way to monitor them is through the vShield Manager's Administrator UI. By navigating through the administrator UI and checking the System Events and Audit Logs (under Setting & Reports), you can see the necessary details to monitor the functionalities of vShield Edge devices.

Figure 9 – vShield Manager's Administrator UI

Apart from the Administrator UI or the vShield Manager vSphere Client plugin, there is currently no external mechanism to do health monitoring of vShield Manager or vShield Edge devices. You can also directly log in to the vShield Manager virtual appliance from its console. A console shell will be provided after successful login, with which limited monitoring is possible using the restricted set of command line options. There is no console access for a vShield Edge device. For more detailed information on the monitoring aspects of vShield Manager and vShield Edge refer to the vShield Manager Administrator Guide.

vCloud Resource Consumption Monitoring
Within vCloud Director, the following items should be proactively monitored to ensure sufficient resources will be available for consumption.

SCOPE                    ITEM
vCloud Director System   Organizations
                         Leases
                         Quotas
                         Limits
vSphere Resources        CPU
                         Memory
                         Network static IP address pool
                         Storage free space
Once logged in as Administrator to vCloud Director, the UI shows the availability and current status of both virtual and pure virtual resources (where virtual resources are vCenters, resource pools, hosts, datastores, switches, and ports, and pure virtual resources are vCloud cells, provider virtual datacenters [Prov vDCs], organization virtual datacenters [Org vDCs], external networks, organization networks, and network pools).

Figure 10 – vCloud Director Manage and Monitor UI

4.2 Logging
Logs of vCloud components can be analyzed for troubleshooting, auditing, and additional monitoring purposes. As with vSphere, the use of a centralized logging server is recommended. The primary methods for remote event notification include syslog, SNMP, and MOM (Windows). Refer to the Administrator's Guide for each respective VMware product.

vCloud Director cells can be configured to send logs to a centralized server. The following settings will need to be modified:
• /opt/vmware/cloud-director/etc/global.properties
• /opt/vmware/cloud-director/etc/responses.properties
and these lines should be changed:
• audit.syslog.host = ip.or.hostname.of.your.syslog.server
• audit.syslog.port = 514
Replace "ip.or.hostname.of.your.syslog.server" with the appropriate IP address or hostname, and, if needed, change port 514 to the port for your syslog server.

It is possible to configure the vShield Edge devices to redirect their syslog messages to a centralized syslog server (for example vMA – vManagement Appliance). This is done through the vShield Manager's Administrator UI. vShield Manager does not support remote transmission of logs. Connect to the vShield Manager and use "show log" commands to view vShield Manager logs.
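The cell-side change described above, as an added example that is not from the white paper or from VMware: a small idempotent editor for the two audit.syslog keys in global.properties and responses.properties. The demo runs on constructed copies in a temporary directory; syslog.example.internal and port 1514 are placeholders for your collector.

```sh
#!/bin/sh
# Added example, not from the white paper: set the audit.syslog.* keys in a cell's
# global.properties and responses.properties without touching any other line, then
# read them back to verify. The demo at the bottom works on constructed copies in
# a temp directory; on a real cell call configure_vcd_syslog with
# /opt/vmware/cloud-director/etc (the paper's path) and restart the cell afterwards.

# set_property FILE KEY VALUE
# Rewrites an existing "KEY = ..." line in place (keeping file order and comments)
# or appends one if the key is absent. Running it twice leaves the file unchanged.
set_property() {
  file=$1 key=$2 value=$3
  tmp="$file.tmp.$$"
  awk -v k="$key" -v v="$value" '
    BEGIN { found = 0 }
    # index() pins the key to column 1; the substr test requires "=" right after it,
    # so "audit.syslog.port" cannot match a line for "audit.syslog.portx".
    index($0, k) == 1 && substr($0, length(k) + 1) ~ /^[[:space:]]*=/ {
      print k " = " v; found = 1; next
    }
    { print }
    END { if (!found) print k " = " v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_property FILE KEY: prints the value of KEY, or nothing if it is absent.
get_property() {
  awk -v k="$2" '
    index($0, k) == 1 && substr($0, length(k) + 1) ~ /^[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); print; exit
    }
  ' "$1"
}

# configure_vcd_syslog ETC_DIR HOST PORT
# Applies both keys to the two files the paper lists under ETC_DIR.
configure_vcd_syslog() {
  for f in global.properties responses.properties; do
    set_property "$1/$f" audit.syslog.host "$2"
    set_property "$1/$f" audit.syslog.port "$3"
  done
}

# ---- constructed demo files (not copied from a real installation) ----
DEMO_ETC=$(mktemp -d)
printf '%s\n' '# constructed sample of global.properties' \
  'audit.syslog.host = ip.or.hostname.of.your.syslog.server' \
  'audit.syslog.port = 514' > "$DEMO_ETC/global.properties"
# responses.properties deliberately lacks the host key to exercise the append path.
printf '%s\n' '# constructed sample of responses.properties' \
  'audit.syslog.port = 514' > "$DEMO_ETC/responses.properties"

# syslog.example.internal is a placeholder collector; 1514 is the non-default
# port case mentioned in the text.
configure_vcd_syslog "$DEMO_ETC" syslog.example.internal 1514
echo "global.properties now sends audit events to $(get_property "$DEMO_ETC/global.properties" audit.syslog.host):$(get_property "$DEMO_ETC/global.properties" audit.syslog.port)"
```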
The following table shows the primary log files for each vCloud component, and whether remote logging is supported.

COMPONENT                  LOG LOCATION                                                              REMOTE LOGGING?
vCloud Director            %VCLOUD%/logs/*                                                           Yes
                           /var/log/messages
                           /var/log/secure
vSphere ESXi               /var/log/vmware/vslad/installer.log                                       Yes
                           /var/log/vmware/vslad/vslad.log
                           /var/log/vmware/vpx/vpxa.log
                           /var/log/vmkernel
                           /var/log/vmware/esxcfg-firewall.log
                           /var/log/vmware/esxcfg-boot.log
                           /var/log/vmware/esxupdate.log
vCenter Server             Windows Logs                                                              No
vCenter Chargeback Server  Windows Logs                                                              No
                           %ProgramFiles%\VMware\VMware vCenter Chargeback\apache-tomcat-6.0.18\logs
                           %ProgramFiles%\VMware\VMware vCenter Chargeback\Apache2.2\logs
                           %ProgramFiles%\VMware\VMware vCenter Chargeback\DataCollectorEmbedded\logs
vShield Manager            View from UI or console: "show log" or "show manager log" on console      No
vShield Edge               View from vShield Manager                                                 Yes

4.3 Security Considerations
Security in a vCloud can be considered at three levels—the overall vCloud environment, user access, and workloads.

Securing the vCloud Environment
While vCloud Director is designed for secure multi-tenancy so that multiple organizations do not impact each other, there are additional steps that can be taken to harden the environment. This is especially important for a service provider environment where multiple organizations coexist and most are connected to the Internet. For detailed information on hardening your VMware vCloud Director environment, refer to the VMware vCloud Director Security Hardening Guide.

Securing User Access
Security for the consumers of vCloud resources is done through authentication and authorization mechanisms built into VMware vCloud Director. Integration with LDAP or Active Directory can be configured for user authentication. For more information on how to set up LDAP or Active Directory integration, refer to the VMware vCloud Director Administration Guide.
The current public cloud service definition does not call out a requirement for setting up LDAP or Active Directory integration, so it is up to the individual provider. This is also the case for an enterprise running a private vCloud. User access and privileges within vCloud Director are controlled through role-based access control (RBAC). For additional information on permissions, roles, and default settings, refer to the VMware vCloud Director Administration Guide.

Securing Workloads
Workloads in the vCloud environment are protected from a networking perspective through network visibility (external or internal to an organization or vApp) and connection types (direct or NAT routed). For service providers, the Service Definition for Public Cloud specifies how the networking options should be set up, which in turn takes into consideration network security requirements. Each of the organization networks is connected to the shared public network through a routed connection. vShield Edge devices are deployed automatically by vCloud Director to facilitate routed network connections. vShield Edge uses MAC encapsulation for NAT routing. This prevents any Layer 2 network information from being seen by other organizations in the environment. vShield also provides firewall services which can be configured to not allow any inbound traffic to any virtual machines connected to a public access organization network. In order to meet the requirements of the service definition, allow up to 8 public IP addresses inbound access to virtual machines in the organization.

Once a vApp is created and VMs are added to it and connected to the public access organization network, the vApp will obtain a private IP address from the static IP pool previously established. The organization administrator can then configure the firewall and the NAT external IP mapping for the newly created VM and private IP address using the network configure services wizard as shown below. The organization administrator is the actual user that will be responsible for making this configuration change.

Figure 11 – Configure Firewall Services
For a private vCloud, network routing and firewall requirements will depend on the security policies of the enterprise as they apply to the specific workloads.

4.4 Workload Availability Considerations
vCloud Director provisions VMs by transparently working with vCenter Server to deploy VMs on hosts. While these VMs are accessible from vCenter Server and can be set up for protection irrespective of vCloud Director, this approach can lead to problems in the recovery of VMs because vCloud Director adds additional logical constructs and management information not visible to vCenter. VMs protected and recovered using processes that are not integrated with vCloud Director can lead to VMs that will not work properly with vCloud Director. At this time, VMs provisioned by vCloud Director cannot be protected by VMware FT, vCenter Site Recovery Manager, or VMware Data Recovery. Provisioned VMs can be protected by VMware HA. VMs can also be protected using backup tools within the Guest OS.

5. Sizing the vCloud

5.1 Sizing Considerations
When sizing your vCloud environment there are 4 main resources you should consider:
• CPU
• Memory
• Storage
• Networking
These core resources are divided into 2 types of resource clusters:
• The management cluster
• The workload resource group clusters
Sizing for each of these environments is slightly different. The management cluster has a fairly predictable workload, with very prescriptive guidance from the service definitions, and this architecture document, on what should run there. The workload resource group has very unpredictable usage, although some guidance can be given based on the assumptions from the service definitions, organizations, and the enterprise itself. For the number of VMs and organizations listed in the service definitions you will not need to worry about scaling too far beyond the provided numbers. The rest of this section will guide you through sizing your vCloud environment appropriately.

5.2 Sizing the Management Cluster
The following table lists out the requirements for each of the components that will run in the vCloud Director management cluster.

ITEM                                         VCPU   MEMORY   STORAGE   NETWORKING
vCenter Server                               2      8 GB     20 GB     100 MB
Oracle Database                              4      16 GB    100 GB    1 GigE
vCloud Director Cells (2 – stats for each)   2      4 GB     10 GB     1 GigE
vCenter Chargeback                           2      8 GB     30 GB     1 GigE
The size for this volume will vary depending on how many concurrent uploads are in progress. The information below should assist in initial sizing of the vCloud environment and is based on information from the service definition. and 5%. and large represents 2. In addition to the storage requirements above. medium. 5. the reservation pool is split into small.5% of the total number of VMs in the environment. a NFS volume is required to be mounted and shared by each vCloud Director cell to facilitate uploading of vApps from cloud consumers.500 * Note that some total VMs are rounded up or down due to percentages TECH N I C AL WH ITE PAPE R / 2 9 .5% 10% 2. Using the 50% above this means that small represents 37.3 Sizing the Workload Resource Group Clusters Sizing for the workload resource group clusters can be difficult to predict since the provider is not in charge of what the consumer may run.Architecting a vCloud ITEM VC P U MEMORY S TO R AG E N E T WOR KING vShield Manager TOTAL 1 11 4 GB 40 GB 512 MB 161 GB* 100 MB 3 GigE* * Numbers rounded up or down will not impact overall sizing For the table above. Once an upload completes the vApp is moved to permanent storage on the datastores backing the catalogs for each organization and the data no longer resides on the NFS volume. TYPE OF RESOURCE POOL TOTA L P E R C E N TAG E TOTA L V M S Pay-As-You-Go Small Reservation Pool Medium Reservation Pool Large Reservation Pool TOTAL 50% 37. and the vCenter Chargeback Server. and large pools with a respective split of 75%. The recommended starting size for the NFS transfer volume is 250 GB. It is highly recommended that you engage you local VMware representative for detailed sizing of your environment.5% of the total. The service definition states that 50% of the total number of VMs will be run in the reservation pool model and 50% will be run in the Pay-As-You-Go model. 20%. The provider is also not aware of existing usage statistics for VMs that are run in the cloud. 
the Oracle Database will be shared between the vCenter Server. You should monitor this volume and increase the size should you experience more concurrent or larger uploads in your environment.500 from the public cloud service definition is used in the example below.5% 100% 750 563* 150 37* 1. The definition for these resource pools and the split with the VMs is listed below. the vCloud Director cells. Furthermore. You can change this total to reflect your own target VM count. Different users and instances should be used for each database instance in-line with VMware best practices. This information is being provided as examples. medium represents 10% of the total. The total number of VMs of 1.
5 TB 130.5 400 GB 300 GB 400 GB 200 GB 1. An example table has been provided below to show you what final numbers could look like using typical consolidation ratios seen in field deployments. and 5% extra large. storage. This product is protected by U .5 TB 1. Socket count: 4 Core count: 6 Hyper threading: Yes Memory: 128 GB Networking: Dual 10 GigE The above calculations do not take into account the storage consumed by consumer’s or provider’s templates. Inc. and networking based on the service definition assumptions and the total VM count from the public cloud service definition.500) 45% 35% 15% 5% 100% 675 1.225 GB 130.5 TB 31.300 GB The above numbers may shock you.050 GB 900 GB 600 GB 3.300 GB 8:1 1.Architecting a vCloud The service definition also calls out the distribution for VMs in the environment with 45% small. in the United States and/or other jurisdictions . There will be a vShield Edge for each private organization network and external organization network. and international copyright and intellectual property laws . The specifications for each vShield Edge appliance are listed below.5 TB 54 TB 4. VMware is a registered trademark or trademark of VMware.016 GB 52 TB 217 GB The above calculations could be served by 16 of the following hosts.S . All rights reserved . 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.6:1 2. Below is a chart that shows the total amount of memory.225 3. ITEM PERCENT VC P U S MEMORY S TO R AG E N E T WOR KING Small Medium Large Extra Large TOTAL (1.225 675 GB 1.com Copyright © 2010 VMware. RESOURCE BEFORE R AT I O AFTER CPU Memory Storage Network 3. Inc .225 GB 40. Inc . CPU. Before you determine your final sizings you should refer to VMware best practices for common consolidation ratios on the above resources. VMware products are covered by one or more patents listed at http://www . 35% medium.com/go/patents . Item No: VMW_11Q4_WP_Architecting_p30_A_R2 . 
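The figures in the tables above can be regenerated, and re-run for a different target VM count, with the following calculator. This is example code written for this edit, not code from the white paper or from VMware. It takes the paper's size mix (45/35/15/5), allocation-model split (50% Pay-As-You-Go, with the reservation half split 75/20/5), consolidation ratios (8:1, 1.6:1, 2.5:1, 6:1) and host specification as inputs. The per-VM vCPU, memory and disk figures are inferred by dividing the paper's per-class totals by the class VM counts, the 11 vShield Edge appliances per organization is the paper's 275 / 25, and treating the edge appliances (described after the host specification) as reserved rather than over-committed is an assumption of the example. Function and parameter names are the example's own.

```python
# Added sizing calculator for the vCloud workload resource groups (example code,
# not from the white paper). Per-VM figures are inferred from the paper's
# per-class totals; everything else is a parameter so it can be re-run.
import math
from dataclasses import dataclass


def round_half_up(x: float) -> int:
    """Nearest integer, halves up: 37.5% of 1,500 -> 563 as in the paper."""
    return math.floor(x + 0.5)


@dataclass(frozen=True)
class VmClass:
    name: str
    share: float   # fraction of all VMs in this class (service definition)
    vcpu: int
    mem_gb: float
    disk_gb: float
    net_gb: float  # per-VM network figure, in the paper's GB unit


# Size mix from the service definition; vCPU/memory/disk per VM are derived
# from the paper's totals (assumption), network is class total / class count.
VM_CLASSES = (
    VmClass("Small",       0.45, 1, 1,  60, 400 / 675),
    VmClass("Medium",      0.35, 2, 2,  60, 300 / 525),
    VmClass("Large",       0.15, 4, 4, 240, 400 / 225),
    VmClass("Extra Large", 0.05, 8, 8,  60, 200 / 75),
)
# 50% Pay-As-You-Go; the reservation half is split 75/20/5.
POOL_SHARES = (("Pay-As-You-Go", 0.50), ("Small Reservation Pool", 0.50 * 0.75),
               ("Medium Reservation Pool", 0.50 * 0.20), ("Large Reservation Pool", 0.50 * 0.05))
# Field consolidation ratios quoted in the paper (before : after).
RATIOS = {"vcpu": 8.0, "mem_gb": 1.6, "disk_gb": 2.5, "net_gb": 6.0}
RESOURCES = tuple(RATIOS)


@dataclass(frozen=True)
class HostSpec:
    sockets: int = 4
    cores_per_socket: int = 6
    hyperthreading: bool = True
    mem_gb: int = 128

    def logical_cpus(self) -> int:
        return self.sockets * self.cores_per_socket * (2 if self.hyperthreading else 1)


def pool_split(total_vms: int) -> dict:
    """VMs per allocation model; the last pool absorbs rounding so pools sum exactly."""
    counts = {name: round_half_up(total_vms * share) for name, share in POOL_SHARES[:-1]}
    counts[POOL_SHARES[-1][0]] = total_vms - sum(counts.values())
    return counts


def workload_totals(total_vms: int) -> dict:
    """Raw, pre-consolidation demand per VM class plus a TOTAL row."""
    rows = {}
    for c in VM_CLASSES:
        n = round_half_up(total_vms * c.share)
        rows[c.name] = {"vms": n, "vcpu": n * c.vcpu, "mem_gb": n * c.mem_gb,
                        "disk_gb": n * c.disk_gb, "net_gb": n * c.net_gb}
    rows["TOTAL"] = {k: sum(r[k] for r in rows.values()) for k in ("vms",) + RESOURCES}
    return rows


def consolidate(raw: dict, ratios: dict = RATIOS) -> dict:
    """Apply the consolidation ratios to a totals row, rounding as the paper does."""
    return {k: round_half_up(raw[k] / ratios[k]) for k in RESOURCES}


def edge_overhead(orgs: int, edges_per_org: int = 11) -> dict:
    """vShield Edge appliances (1 vCPU, 64 MB, 16 MB each) that the paper's
    tables leave out; 11 per organization is the paper's 275 / 25 (assumption)."""
    edges = orgs * edges_per_org
    return {"edges": edges, "vcpu": edges, "mem_gb": edges * 64 / 1024, "disk_gb": edges * 16 / 1024}


def hosts_required(demand: dict, host: HostSpec = HostSpec(), spare: int = 0) -> int:
    """Hosts for the consolidated CPU and memory demand plus spares for HA/maintenance.
    Memory binds for the paper's numbers: 2,016 GB / 128 GB -> 16 hosts, no headroom."""
    by_cpu = math.ceil(demand["vcpu"] / host.logical_cpus())
    by_mem = math.ceil(demand["mem_gb"] / host.mem_gb)
    return max(by_cpu, by_mem) + spare


def size_cloud(total_vms: int = 1500, orgs: int = 25, spare_hosts: int = 0) -> dict:
    """End-to-end run: pools, raw demand, consolidated demand, edge overhead, hosts."""
    raw = workload_totals(total_vms)
    after = consolidate(raw["TOTAL"])
    edges = edge_overhead(orgs)
    # Edge vCPU/memory are added on top of the consolidated figures, i.e. treated
    # as reserved rather than over-committed (an assumption of this example).
    with_edges = {"vcpu": after["vcpu"] + edges["vcpu"], "mem_gb": after["mem_gb"] + edges["mem_gb"]}
    return {"pools": pool_split(total_vms), "raw": raw, "after": after, "edges": edges,
            "hosts": hosts_required(after, spare=spare_hosts),
            "hosts_with_edges": hosts_required(with_edges, spare=spare_hosts)}


if __name__ == "__main__":
    r = size_cloud()
    print(r["pools"]); print(r["after"]); print(r["edges"])
    print("hosts:", r["hosts"], "with edges:", r["hosts_with_edges"])
```

Running size_cloud() with the defaults reproduces the paper's 750 / 563 / 150 / 37 pool split, the 3,225 vCPU, 3,225 GB, 130.5 TB and 1,300 GB raw totals, the 403 / 2,016 / 52 TB / 217 consolidated figures and the 16 hosts. Because the host count is memory-bound (2,016 GB against 16 × 128 GB = 2,048 GB), pass spare_hosts=1 or more to get a cluster size that survives a host failure or maintenance window.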
The above calculations also do not take into account the resources consumed by the vShield Edge appliances that are deployed for each organization. There will be a vShield Edge for each private organization network and each external organization network. Given the current service definition target of 25 organizations, a maximum of 275 vShield Edge appliances will be created. The specifications for each vShield Edge appliance are listed below.

CPU: 1 vCPU
Memory: 64 MB
Storage: 16 MB
Network: 1 GigE (this is already accounted for in the throughput of the workloads and should not be added again)

At the maximum of 275 appliances this adds 275 vCPUs and roughly 17 GB of memory before consolidation. Since each appliance is the routing and firewall point for its organization network, starving it of CPU degrades that organization's connectivity, so size for the appliances rather than relying on over-commitment to absorb them.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW_11Q4_WP_Architecting_p30_A_R2