Chapter 1

Introduction to vSphere

IN THIS CHAPTER, YOU WILL LEARN TO:

  • UNDERSTAND THE LEGACY FEATURES OF VSPHERE
    • vMotion
    • VMware Cluster
    • Distributed Resource Scheduler
    • High Availability
    • VMware vCenter Converter
    • VMware vSphere Update Manager
    • 64-Bit
    • VMware Capacity Planner
    • Host Profiles
    • vCenter Linked Mode
    • Distributed Power Management
    • Enhanced vMotion Compatibility
    • VMware Data Recovery
    • vSphere Client
    • VMkernel Protection
    • Virtual Disk Thin Provisioning
    • VMware DCUI
    • vSphere Web Client
  • UNDERSTAND THE NEW FEATURES OF VSPHERE
    • Enhancements in Storage
    • Storage DRS
    • Enhancements in VMFS-5
    • Enhancements in Storage vMotion
    • Virtual Machine Scalability
    • vCenter Improvements
    • Fault Tolerance
    • Networking Enhancements
    • VMware vShield 5 Suite

vSphere 5 is here! With this fifth-generation release, the VMware Virtual Datacenter operating system continues to transform x86 IT infrastructure into the most efficient shared on-demand utility, with built-in availability, scalability, and security services for all applications and simple, proactive automated management.

Administrators who have been around for a while may think of the new product as the fifth generation, or simply VMware Infrastructure 5. However, this release better aligns the new product with the direction that virtual datacenters are taking. It introduces many new features that promise to continue to revolutionize the infrastructure of the modern and evolving datacenter, making this release even bigger than the VI4 release. The three most sought-after features—vMotion, Distributed Resource Scheduler (DRS), and High Availability (HA)—have been improved and are better than ever.

Understand the Legacy Features of vSphere

Welcome to the legacy features of vSphere. They serve as the foundation that brings tremendous flexibility to managing an x86 environment. There are many legacy features, but we’ll be covering the top three here:

  • vMotion, which offers the ability to relocate a running virtual machine or server from one physical location to another without any downtime.
  • Distributed Resource Scheduler, which you use to make sure that your servers are balanced, getting the resources they deserve.
  • High Availability, which ensures you’ll never have to rush into the office to address bad hardware.

vMotion

vMotion remains one of the most powerful features of virtualization today. With vMotion, you can perform work on underlying hosts during business hours rather than having to wait until the wee hours of the morning or weekends to upgrade BIOS or firmware or do something as simple as add more memory to a host. vMotion requires that each underlying host have a CPU that uses the same instruction set, because, after all, moving a running virtual machine (VM) from one physical host to another without any downtime is a phenomenal feat. VMware VMs run on top of the Virtual Machine File System (VMFS) or NFS. Windows still runs on New Technology File System (NTFS) inside the guest, but the underlying datastore file system is VMFS-5 or VMFS-3. VMFS allows multiple hosts to access the same datastore at once, and that is how one host can pass a running VM to another host without downtime or interruptions. It is important to realize that even momentary downtime can be critical for applications and databases. Zero downtime when moving a VM from one host to another physical host is crucial.

Unfortunately, there is no way to move from Intel to AMD, or vice versa. In the past, there were even issues going from an older Intel CPU to a newer Intel CPU, which were somewhat mitigated by Enhanced vMotion Compatibility (EVC).

VMware has several years of experience mastering virtualization while the competitors are playing catch-up. Furthermore, VMware has explored many approaches to virtualization and has seen firsthand where some approaches fall short and where some excel.

vMotion technology requires shared storage, but the virtual machine files do not move from that shared storage during the logical transition. If, for example, you have to change the virtual machine’s physical location, you must first power down the VM and then “migrate” it from one logical unit number (LUN) or hard drive to another LUN or hard drive. Or you can use Storage vMotion, allowing the virtual machine to move between hosts and storage.

A caveat to vMotion is that traditional Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) may not work as originally designed. Part of the reason for this is that the traffic of VMs that are communicating with one another inside a host never leaves the host and therefore cannot be inspected by a sensor on the physical network. Virtual appliances are being developed to address this concern: they run as VMs on the host, side by side with the VMs they inspect.

Since uptime is important, VMware developed Storage vMotion so that the physical location of a running VM can be changed, again without any downtime and without losing any transactional information. Obviously, Storage vMotion is very exciting because one of the reasons that virtualization is the hottest technology in IT today is the flexibility it brings to the datacenter (compared with running servers the old-fashioned way in a physical environment).

There are other ways to leverage the technology. Virtual machines can be moved on the fly from shared storage to local storage if you need to perform maintenance on shared storage or if LUNs have to be moved to other hosts. Imagine moving a physical server with no downtime or sweat on your part by simply clicking on a new rack in your datacenter and then clicking OK. Wouldn’t that ability be useful for a variety of needs and tasks every day?

VMware Cluster

A VMware cluster allows you to pool the resources of several physical hosts and create logical and physical boundaries within a virtual infrastructure or datacenter. Some organizations may want to create several clusters in their vCenter (formerly VMware Virtual Center) based on functionality—for example, a demilitarized zone (DMZ) cluster or an application cluster. You may want to create a VMware cluster based on the type of LUNs, their speed, their size, or the type of appliance they represent—for example, EMC VNX versus Left Hand Networks. Networking teams may not always want to present all networks to all hosts in the cluster. By creating pools of resources, you can manage these assets and work may be performed on individual clusters rather than the entire infrastructure.

What resources are pooled? CPU, memory, networking bandwidth, storage, and physical hosts are all shared by the VMs that are defined on the specific cluster.

A good rule of thumb is to have sufficient capacity to run extra VMs in the event that one or more ESXi hosts go down. For example, a cluster with three hosts that runs at 50 percent of resources on each host could probably handle one host failure; the remaining two hosts would then take on 25 percent of the load from the failed host and the cluster would be running at 75 percent of resources. In this scenario, a second host failure would overwhelm the remaining host and some virtual machines would not be able to start on the last host. Obviously, you should plan for extra capacity when designing clusters if failover is important.

Distributed Resource Scheduler

Distributed Resource Scheduler (DRS) helps you load-balance workloads across a VMware cluster. Advanced algorithms constantly analyze the cluster environment and even use vMotion to move a running server or VM from one host to another without any downtime. You can specify that DRS performs these actions automatically. Say, for instance, that a VM needs more CPU or memory and the host it is running on lacks those resources. With the automatic settings you specify, DRS will use vMotion to move the VM to another host that has more resources available. DRS can be set to automatically make needed adjustments any time of the day or night or to issue recommendations instead. Two circumstances that often trigger such events are when an Active Directory server is used a lot in the morning for logins and when backups are run. A DRS-enabled cluster shares all the CPU and memory bandwidth as one unified unit for the VMs to use.

DRS is extremely important because in the past, VMware administrators had to do their best to analyze the needs of their VMs, often without a lot of quantitative information. DRS changed the way the virtualization game was played and revolutionized the datacenter. You can now load VMs onto a cluster and the technology will sort out all the variables in real time and make necessary adjustments. DRS is easy to use, and many administrators boast about how many vMotions their environments have completed since inception.

For example, let’s say an admin virtualizes a Microsoft Exchange server, a SQL Server, an Active Directory server, and a couple of heavily used application servers and puts all of them on one host in a cluster. The week before, another admin virtualized several older NT servers that were very lightweight; because those servers didn’t use very much CPU, memory, network, or disk input/output (I/O), the admin put those servers on another host. At this point, the two hosts are off balance based on their workloads. One host has too little to do because its servers have low utilization, and the other host is getting killed with heavily used applications. Before DRS, a third admin would have had to look at all the servers running on these two hosts and determine how to distribute the VMs evenly across the hosts. Admins would have had to use a bit of ingenuity—along with trial and error—to figure out how to balance the needs of each server with the underlying hardware. DRS analyzes these needs and moves VMs when they need more resources so that you can attend to other, more pressing issues.

High Availability

When CIOs and management types begin learning about virtualization, one of their most common fears is “putting all their eggs in one basket.” “If all our servers are on one host, what happens if that host fails?” This is a smart question to ask, and one that VMware prepared for when they revealed the HA, or High Availability, feature of VI3. A virtual infrastructure is controlled by vCenter, which is aware of all the hosts that are in its control and all the VMs that are on those hosts. vCenter installs and configures HA, but from that point on the ESXi hosts themselves monitor heartbeats and initiate failovers and VM startup. This is fundamentally important to understand, because vCenter can be one of the VMs that has gone down in an outage and HA will still function, provided that a primary HA host (also known as the failover coordinator) is still available.

VMware recommends a strategy referred to as N+1 (as a minimum, not an absolute), dictated by architectural requirements. This simply means that your cluster should include enough hosts (N) so that if one fails, there is enough capacity to restart the VMs on the other host(s). Shared storage among the hosts is a requirement of HA. When a host fails and HA starts, there is a small window of downtime—roughly the same amount that you might expect from a reboot. If the organization has alerting software, a page or email message might be sent indicating a problem, but at other times, this happens so quickly that no alerts are triggered. The goal of virtualization is to keep the uptime of production servers high: hosts can go down, but if servers keep running, you can address the challenge during business hours.

NOTE vMotion is not utilized in a High Availability failover scenario.
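The capacity arithmetic in the VMware Cluster rule of thumb (three hosts at 50 percent, one failure, 75 percent on each survivor) and the N+1 guidance above can be checked with a small script rather than by hand. The following is an added example, not code from the book or from VMware. It assumes identical hosts, whole-number load percentages, and an even spread of a failed host's VMs over the survivors, and it generalizes N+1 to tolerating any number of failed hosts and to an operating ceiling below 100 percent.

```shell
#!/bin/sh
# Added example (not from the book): N+k capacity arithmetic for a cluster.
# Assumptions: identical hosts, loads as whole-number percentages of one
# host's capacity, and a failed host's VMs spread evenly over the survivors.

# surviving_load HOSTS PER_HOST_LOAD FAILED
# Prints the per-host load (percent) each surviving host carries after
# FAILED hosts go down, or "none" when no host survives.
surviving_load() {
    survivors=$(($1 - $3))
    if [ "$survivors" -le 0 ]; then
        echo none
        return 0
    fi
    total=$(($1 * $2))
    # integer division rounds down, which is fine for a percentage
    echo $((total / survivors))
}

# can_tolerate HOSTS PER_HOST_LOAD FAILED [CEILING]
# Exit 0 when every surviving host stays at or below CEILING percent
# (default 100), exit 1 otherwise.
can_tolerate() {
    ceiling=${4:-100}
    load=$(surviving_load "$1" "$2" "$3")
    if [ "$load" != none ] && [ "$load" -le "$ceiling" ]; then
        return 0
    fi
    return 1
}

# hosts_needed TOTAL_LOAD FAILED [CEILING]
# Prints the smallest host count such that TOTAL_LOAD (percent of one host's
# capacity, e.g. 150 for one and a half hosts' worth of VMs) still fits under
# CEILING on the survivors with FAILED hosts down: N+1 generalized to N+k.
hosts_needed() {
    ceiling=${3:-100}
    # ceil(total / ceiling) hosts carry the load, plus the spares
    echo $(( ($1 + ceiling - 1) / ceiling + $2 ))
}

# The book's scenario: three hosts at 50 percent each.
printf 'one host down: %s%% per survivor\n' "$(surviving_load 3 50 1)"
if can_tolerate 3 50 2; then
    echo "two hosts down: fits"
else
    echo "two hosts down: overcommitted"
fi
printf 'hosts needed to tolerate two failures: %s\n' "$(hosts_needed 150 2)"
```

Run it as is to see the book's numbers; change the ceiling argument (for example `can_tolerate 3 50 1 80`) to plan for a reserve rather than for hosts running flat out.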

VMware vCenter Converter

If your organization is new to virtualization, VMware vCenter Converter is handy. It’s a plug-in to vCenter in the Enterprise version, but there is also a free stand-alone download that lets you convert physical servers into the virtual infrastructure without downtime—thanks to a technology that captures incremental changes during the physical-to-virtual (P2V) conversion process. This application works extremely well. You can use it to convert a single server or multiple servers, move a VM from a workstation or another virtual infrastructure, resize hard drives, or work with partitions. Organizations are choosing virtualization because it gives them the flexibility to convert already-built working servers or, if the need exists, rebuild a server from a known good build. Both Windows and Linux servers can be virtualized, and there is interoperability with other third-party formats, such as Norton Ghost, Acronis, and Windows Virtual PC (a feature of Windows 7).

VMware vSphere Update Manager

A second plug-in that has proved to be invaluable is VMware vSphere Update Manager. This feature allows for a baseline creation that represents a security standard. A baseline, for example, would be one host or virtual machine that has been configured to be the golden image; it has all the right patches and all other hosts or VMs should have this level of configuration. You can then apply this baseline to all hosts or select Microsoft and Linux virtual machines, and the technology will remediate updates and apply them to the infrastructure, saving you valuable time. The technology will automatically place one host in a cluster in maintenance mode, migrate the VMs to another host, update the host, reboot, exit maintenance mode, and move to the next host to continue the process. You can remediate one host at a time to achieve a fine level of control in environments or organizations that have high visibility or special needs, or you can remediate an entire cluster and sit back to watch it happen.

Another outstanding feature of VMware vSphere Update Manager is its ability to patch offline virtual machines. Obviously not possible with physical servers, this feature offers a level of security compliance far superior to datacenters without virtual infrastructure.

Although this may not sound like a breakthrough in technology, in the old days, administrators would have to go to the VMware site; download several patches with long, cryptic names; copy the patches to each host; clear off the virtual machines; open the command line; run an even more cryptic command to work with each file on each ESXi host; reboot—and do the same thing over on each and every host. Now, with the click of a mouse, VMware vSphere Update Manager does all these steps quickly and efficiently. Furthermore, since a baseline is utilized, each host receives exactly the same build. No longer will you need to worry whether you applied every patch to every host. The technology handles this task for you.

NOTE It is important to know that VMware is discontinuing support of patching inside guests via VUM.

64-Bit

With the release of vSphere 5, ESXi continues with 64-bit technology for the Direct Console User Interface (DCUI). The difference between 32- and 64-bit is that with 64-bit, you can achieve higher consolidation ratios (VMs per host) and a better return on investment (ROI) on your hardware. Most likely, only the largest organizations will approach those top ends, but either way, the infrastructure just became more robust.

The downside is that many organizations will have no choice but to purchase new hardware for their infrastructure. With prior versions of VMware, organizations had the option of virtualizing some of their newer servers and then turning around and using that hardware as their next ESXi host.

VMware Capacity Planner

A third plug-in we’ll look at is VMware Capacity Planner. When tasked with virtualizing a physical datacenter, this tool enables you to gather quantitative data from physical servers to better understand which servers are the best candidates for virtualization. Of course, the underlying premise of virtualizing is that on average, most physical servers use significantly less than 10 percent of the resources available on a server; it only makes sense to take a handful of those servers and place them on a host to achieve better utilization of the company’s hardware. VMware Capacity Planner analyzes how much CPU, memory, disk I/O, and network bandwidth a server uses over time, and how much it isn’t using. As any tenured VMware administrator will attest, VMs need less CPU and less memory than their physical counterparts. Capacity Planner is your quantitative friend in the virtualization journey.

Host Profiles

Host profiles are similar in notion to a template or a golden image used to consistently replicate new desktops or virtual machines. Prior to this feature, you either rebuilt each host from scratch or used some kind of automated build process and then did your best to create consistency across all hosts. Host profiles greatly reduce configuration management by allowing you to build a golden image once and then “plug it into” any new hosts, thus ensuring standards across the infrastructure.

Every organization and administrator chooses how they want to configure their hosts. Some manually build each one; some use scripting to create exact copies. These approaches each have their merits. However, host profiles will allow an administrator to create a golden image and then apply those settings to any new or replaced ESXi hosts.

vCenter Linked Mode

vCenter Linked Mode creates a simplified approach to management in large environments by allowing you to use a single interface for multiple vCenter servers. If there is more than one vCenter server in your environment, they can be interconnected in a mode that allows you to share management roles across the infrastructure, licensing, and other related tasks. This reduces the amount of work associated with setting up the same configurations on multiple vCenter servers.

Distributed Power Management

Distributed Power Management (DPM) is the ability of the system to identify when there is enough extra capacity to either automatically shut down hosts or make recommendations to reduce power consumption (think holidays, evenings, and weekends!).

You don’t have to be “green” to appreciate this feature. Studies by many industry analysts point out how fast energy costs have gone up in the past few years, and those costs now account for a significant portion of operating costs. The ability to reduce unneeded capacity during the course of a fiscal year can add up to a bigger bonus at year-end. And as any business student will point out, cutting costs adds directly to the bottom line.

VMware states on their website that power and cooling costs can be cut by up to 20 percent in the datacenter during low-utilization time periods. Distributed Resource Scheduler (DRS) helps to accomplish the task. During a weekend or holiday, vCenter recognizes extra CPU capacity and/or memory in a cluster and uses DRS to migrate VMs off a designated ESXi host. Once all systems are off the host, that host can be powered off or put in standby mode to conserve energy and lower costs. If the need for capacity starts to increase, that host will be powered back up and VMs will migrate back onto it to take advantage of all cluster resources.

Enhanced vMotion Compatibility

The Enhanced vMotion Compatibility (EVC) feature will add more flexibility when you are configuring vMotion between CPUs from the same manufacturer. As noted earlier, vMotion is not always compatible between older and newer CPU generations. However, the EVC feature allows the hypervisor to mask or hide certain differences (CPU instruction sets) so that compatibility between generations is more relaxed. This works for both Intel and AMD.

VMware Data Recovery

A virtual infrastructure would not be complete without a backup solution. VMware introduced its Data Recovery feature in vSphere 4. The traditional approach to backing up virtual machines (agent-based backups) utilizes a lot of system resources from a host. Data Recovery relieves that unnecessary pressure by providing a centralized and agent-free process to back up virtual machines. A separate physical server or servers that have access to the shared storage will pull the data through their own network instead of through the ESX/ESXi host, thereby reducing the load on the hosts and allowing the host to provide its resources for performance instead of backups.

NOTE ESX and ESXi are both bare-metal enterprise-class hypervisors that function as hosts for virtual machines.

VMware Data Recovery can be integrated with backup tools and technologies that are already part of your organization’s datacenter. Full and incremental file-level backups are much easier to perform in this release. Changed block tracking functionality allows incremental backups to be even more efficient.

vSphere Client

One of many areas where VMware excels over its competitors is its management features. There are several ways to interact with a VMware infrastructure, chief among them vSphere Client. (The other methods, vSphere Web Access and DCUI [ESXi’s command-line interface], are discussed in upcoming sections.) You can use vSphere Client to connect to vCenter or directly to a host. However, we recommend that you use vCenter as the central administrative unit for the infrastructure. vSphere Client is installed on a Windows machine and with it, you can do such tasks as the following:

  • Configure vCenter.
  • Create virtual machines.
  • Monitor, manage, and adjust settings for hosts, VMs, and vCenter.

vSphere Client is not a tool for end users. It’s intended for VMware administrators only. As tools go, this is a great one. The user interface is intuitive and the features are easy to navigate. You can open up your favorite browser, enter the server name of vCenter or any ESXi hostname, and download the client.

VMkernel Protection

The new VMkernel Protection technology helps protect the hypervisor by ensuring that the integrity of the VMkernel is not compromised or changed, whether by common attacks or by software loaded on the host. The VMkernel modules are now digitally signed and validated during each reboot so that nothing is overwritten, and memory integrity techniques protect the kernel from buffer overflows. When you combine this technology with VMware VMsafe (which is used to protect VMs by providing an Application Programming Interface [API] for third-party developers to create security products), you’ll see that security has been enhanced yet again.

VMkernel Protection is somewhat similar to what Microsoft did to try to eliminate the “Blue Screen of Death”: they created digitally signed device drivers. Before this, third-party vendors created all sorts of software that interacted with Windows operating systems. Sometimes, that software was coded well and played nicely. Other times, it blue-screened the operating system. Microsoft did not have control over outside companies, so they did the next best thing by introducing digitally signed drivers. In a similar manner, VMkernel Protection ensures that the kernel is not modified, ensuring the long-term stability of the VMware platform.

Virtual Disk Thin Provisioning

In the storage realm, there is a feature called virtual disk thin provisioning. SAN storage is more expensive than direct attached disk. Therefore, administrators are careful to provision each new VM with the right number of gigabytes on its drives. Virtual disk thin provisioning allows you to overprovision valuable shared storage while at the same time allowing the VM to grow into its allocated hard drives. This technology would not be complete without the underlying reporting and notifications that ensure proper maintenance of the storage, and that is well taken care of on the management side in vCenter Server. This feature reduces the need for SAN storage, helping keep costs low and under control.

Take a moment to imagine a virtual infrastructure that has, say, 255 virtual machines in version 3.5, update 2. If, on average, each VM has between 1 and 5 GB of unused space on just the C: drive, that means between 255 GB and 1.2 TB of SAN storage is unused. If each VM has two hard drives, almost 2 TB of space could be reclaimed if this feature is utilized. Now, that is valuable.

VMware DCUI

The Direct Console User Interface, or ESXi DCUI, is an interface used to configure, manage, and monitor an ESXi host from a command-line level. The DCUI is in essence the first virtual machine on an ESXi host, and it serves as a communication device between the administrator and the hypervisor. Recently, admins have begun using PowerShell to configure and manage the infrastructure. This will open up many powerful opportunities for scripting.

NOTE A hypervisor is a high-speed scheduler and hardware abstraction layer. It hands out resources (CPU, memory, network, disk) to the virtual machines asking for them, very quickly.

vSphere Web Client

The final interface is the vSphere Web Client, formerly vSphere Web Access. The vSphere Web Client is a fully extensible, platform-independent implementation of the vSphere client based on Adobe Flex. This tool enables full virtual machine management, including creation of virtual machines, deployment from templates, and even client-side USB device access. This new feature of the vSphere 5 family finally solves the age-old challenge of management access from non-Windows clients.

Understand the New Features of vSphere

The list of new features is a lot longer than what we will introduce here, but the following sections detail some of the most exciting ones.

Enhancements in Storage

Storage by far has had some of the greatest investment in the release of VMware vSphere 5, with features and enhancements responding to the needs of customers worldwide. At a glance, the feature set enhancements are:

  • Storage DRS (SDRS)
  • Policy-driven storage delivery
  • VMFS-5
  • iSCSI UI enhancements
  • Storage IO Control (SIOC) NFS Support
  • Storage APIs - Array Integration (VASA): Thin Provisioning
  • Swap to SSD
  • 64-TB LUN and pRDM support
  • FCoE Software Initiator
  • Storage vMotion snapshot and linked-clone support

Storage DRS

Carrying the torch of DRS throughout the stack, Storage DRS delivers the benefits of resource aggregation, automated initial placement, and bottleneck avoidance with storage. Because storage is aggregated into a logical management point, administrators are able to manage it as pools as they do compute. Storage DRS enables smart and rapid placement of new virtual machines and virtual disk drives while load-balancing existing workloads.

Enhancements in VMFS-5

Of the changes associated with VMFS-5, the ones you will find most life-changing are 64-TB device support, unified block size (1 MB), and an improved sub-block mechanism. Supporting a non-disruptive upgrade from VMFS-3 to VMFS-5 will enable you to take advantage of these features immediately in your infrastructure! It should be noted that the in-place upgrade will maintain existing block sizes >1 MB, so consider that in your migration strategy. With datastore scaling enhancements, you can reach higher-density virtual machine allocation (64 TB on a single extent) and up to 30,000 sub-blocks of 8 KB can be allocated for files such as virtual machine metadata and log files.

NOTE Not all new features are supported after performing a VMFS-3 to VMFS-5 in-place upgrade so plan accordingly.

Enhancements in Storage vMotion

With vSphere 5, there have been numerous enhancements to improve performance and supportability with Storage vMotion. Migration of virtual machines is supported with vSphere snapshots and Linked Clones! The Mirror Mode feature copies the disk in a single pass: while the copy runs, writes the VM issues to blocks that have already been copied are mirrored to both the source disk and the destination disk, so no block has to be copied twice, which directly improves Storage vMotion. These enhancements make it easier to plan while reducing the time elapsed during a migration.

Virtual Machine Scalability

Virtual machine scalability has increased! 32-way virtual symmetric multiprocessing (SMP) supports even more demanding workloads; 1 TB of RAM can be assigned to VMs; and 3D graphics support Windows Aero and basic 3D applications. USB 3.0 support and a UEFI virtual BIOS allow booting from the Unified Extensible Firmware Interface.

Usability enhancements enable you to configure the number of virtual CPU cores per socket in Virtual Machine properties via the vSphere Web Client and vSphere client (previously only configurable through advanced settings). Virtual Machines can connect to locally attached USB devices, including support for smart card readers.

VMware vSphere 5 further enhances the datacenter with support for Apple Mac OS X Server 10.6 as a guest. Host-side UEFI boot support enables booting from hard drives, CD-ROM, or USB media.

Taking scale to the next level, VMware vSphere 5 supports up to 512 virtual machines with a maximum of 2048 virtual CPUs per host. Larger system scale supports 160 logical CPUs and up to 2 TB of RAM. These advances allow you to scale up as well as scale out as your virtual infrastructure matures with your business.

vCenter Improvements

New with VMware vCenter Server is the vCenter Server Appliance. This preconfigured Linux-based virtual appliance reduces setup time and provides a low-cost alternative to the traditional Windows server–based vCenter host.

The next-generation browser-based vSphere client is a fully-extensible, platform-independent implementation of the vSphere client based on Adobe Flex. The browser-based client includes a subset of the functionality available in the Windows-based client—primarily related to inventory display, virtual machine deployment, and configuration.

With inventory extensibility, vCenter Server will become the unified console to manage your virtualized datacenter. This is enabled through extensions created by VMware partners in the form of inventory, agents, graphical user interface enhancements, and more!

You’ll find solutions installation and management to be simplified with vCenter Solutions Manager and vSphere ESXi Agent Manager. Solutions Manager provides a simpler installation, configuration, and monitoring interface for managing your virtual infrastructure. vSphere ESXi Agent Manager takes this a step further, enabling you to deploy, update, and monitor your vSphere agents on ESXi hosts. This is independent of the maintenance mode and distributed power management features of vSphere.

System message logging can now deliver all generated messages to local and remote syslog servers, with support for multiple remote log servers via TCP or securely over SSL. Log messages from different sources can be configured to go to different logs for convenience or role separation. This helps with the process of troubleshooting errors in your organization. Message logging is configured via esxcli or the vSphere client.

Fault Tolerance

VMware High Availability has reached new levels of fault tolerance with the introduction of Fault Domain Manager. VMware HA is now more reliable, more scalable, and able to protect and provide better uptime than ever before! Instead of an active/passive configuration strategy, all hosts in the cluster can be primary nodes using shared storage as a channel for host-side heartbeat detection. This enables VMware HA to more efficiently and accurately react to host failures, allowing the cluster to transform into a cloud-optimized platform.

Networking Enhancements

VMware vSphere 5 builds upon network enhancements in vSphere 4. Enhanced Network I/O Control (NIOC) allows control leveraging user-defined network resource pools, enabling true multitenancy deployments, and bridging virtual and physical infrastructure QoS with per resource pool 802.1 tagging.

vNetwork Distributed Switches were introduced in vSphere 4. vSphere 5 improves visibility into virtual machine traffic through Netflow. Monitoring and troubleshooting are enhanced through the use of SPAN and LLDP.

Taking protection to the next level, the ESXi 5.0 management interface is protected by a service-oriented stateless firewall, the ESXi Firewall. Configurable with vSphere Client, the command line, or the esxcli interface, this new engine replaces iptables with rule sets that define the ports each service uses. Each service can be restricted so that it is reachable only from specific IP addresses or ranges of IP addresses.

These three features combined allow greater levels of granularity, management, and control of your virtual infrastructure at the network layer. They help alleviate some of the strain caused by network teams treating everything in the virtual infrastructure as a troubleshooting and support nightmare.
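The remote syslog forwarding described under vCenter Improvements and the ESXi Firewall described in this section are both driven through esxcli. The following is an added example, not code from the book or from VMware's documentation: a hardening script that validates the remote log host list before applying it, opens the syslog ruleset so the forwarder can reach the collectors, and restricts the sshServer and vSphereClient rulesets to an administrative network. The host names, the 192.0.2.0/24 network, and the choice of rulesets are assumptions for illustration; when esxcli is not on the PATH (for example when reviewing the script off-host), the script prints the commands it would run instead of executing them.

```shell
#!/bin/sh
# Added example, not from the book or VMware: ESXi 5 management-plane
# hardening via esxcli. Forwards syslog to remote collectors over TCP/SSL and
# limits management rulesets to an admin network. All values below are
# constructed for illustration.

LOG_HOSTS="ssl://syslog1.example.internal:1514 tcp://syslog2.example.internal:514"
ADMIN_NET="192.0.2.0/24"            # documentation range standing in for the admin VLAN
MGMT_RULESETS="sshServer vSphereClient"

# Run esxcli when present; otherwise echo the command (dry run off-host).
esx() {
    if command -v esxcli >/dev/null 2>&1; then
        esxcli "$@"
    else
        echo "esxcli $*"
    fi
}

# valid_loghost URI
# Accepts udp://, tcp:// or ssl:// followed by a host and a numeric port
# (1-65535), the form the loghost setting takes. Exit 1 otherwise.
valid_loghost() {
    case "$1" in
        udp://*:[0-9]*|tcp://*:[0-9]*|ssl://*:[0-9]*) ;;
        *) return 1 ;;
    esac
    port=${1##*:}
    case "$port" in
        *[!0-9]*|'') return 1 ;;
    esac
    if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
        return 0
    fi
    return 1
}

# loghost_list URI...
# Validates every entry and prints them comma-joined, the format
# "esxcli system syslog config set --loghost" expects. Fails on the first
# bad entry so that a typo never silently disables forwarding.
loghost_list() {
    list=""
    for uri in "$@"; do
        if ! valid_loghost "$uri"; then
            echo "bad loghost: $uri" >&2
            return 1
        fi
        if [ -z "$list" ]; then list=$uri; else list="$list,$uri"; fi
    done
    echo "$list"
}

# configure_syslog URI...
# Points the host at the collectors, reloads the syslog daemon, and opens the
# outbound syslog ruleset.
configure_syslog() {
    hosts=$(loghost_list "$@") || return 1
    esx system syslog config set --loghost="$hosts"
    esx system syslog reload
    esx network firewall ruleset set --ruleset-id=syslog --enabled=true
}

# restrict_ruleset RULESET CIDR
# Turns off "allow from anywhere" for a service and allows only CIDR.
restrict_ruleset() {
    esx network firewall ruleset set --ruleset-id="$1" --allowed-all=false
    esx network firewall ruleset allowedip add --ruleset-id="$1" --ip-address="$2"
}

# Apply the settings, then show the resulting state for the change record.
configure_syslog $LOG_HOSTS
for rs in $MGMT_RULESETS; do
    restrict_ruleset "$rs" "$ADMIN_NET"
done
esx system syslog config get
esx network firewall ruleset allowedip list
```

Review the printed commands in the dry run first; on the host, `esxcli system syslog config get` and `esxcli network firewall ruleset allowedip list` at the end confirm that the collectors and the allowed networks took effect.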

VMware vShield 5 Suite

The new VMware vShield 5 suite puts your virtual infrastructure on a par with physical isolation security. Included with this suite are VMware vShield App, VMware vShield App with Data Security, VMware vShield Edge, VMware vShield Endpoint, and VMware vShield Manager.

VMware vShield App enables you to secure the interior of your virtual infrastructure. This software-based solution is deployed as a virtual appliance, providing complete visibility and control of inter-virtual machine traffic. With vShield App, you can create virtual firewalls with unlimited port density, enabling multiple trust zones within an ESXi cluster. With protection at the hypervisor level, VMs are protected at layer 2 and layer 3, and policy is enforced at the vNIC level. Governance, Risk, and Compliance have never been easier with vShield App’s robust flow monitoring, logging, and auditing. vShield Data Security (vSDS) reduces the risk of noncompliance with automated scans and per-virtual-machine assessment reporting against policy.

With vShield App protecting the inter-VM relationships, vShield Edge provides protection for the edge of the datacenter. The latest version includes static routing (instead of requiring NAT), certificate-based VPNs, and gateway services allowing isolation of virtual machines by port group. Commonly used to protect extranets, vShield Edge can also be used to secure multitenant environments—allowing perimeter security for each tenant’s virtual datacenter.

Security is often considered an afterthought, but it can make or break your virtual or physical infrastructure. The VMware vShield 5 suite allows you to erect security barriers and separate workloads without the physical isolation you would have needed in the past. The VMware vShield product protects such large installations as the New York Stock Exchange’s own community cloud infrastructure. So whether you are a small shop managing a small virtual infrastructure or a major multitenant service provider, the VMware vShield 5 suite provides the single management framework to secure your hosts, network, applications, data, and endpoints!
