Vmware Cloud On Aws Technical Overview: White Paper
TECHNICAL OVERVIEW
VMWARE CLOUD ON AWS TECHNICAL OVERVIEW
Contents
Introduction 3
Conclusion 12
W H I T E PA P E R | 2
Introduction
VMware Cloud™ on AWS brings VMware enterprise-class Software-Defined
Data Center (SDDC) software to the AWS Cloud. It enables customers to run
production applications across private, public, and hybrid cloud environments based
on VMware vSphere®, with optimized access to AWS services. It is delivered, sold, and
supported by VMware as an on-demand service. IT teams manage their cloud-based
resources with familiar VMware tools—without the difficulties of learning new skills
or utilizing new tools.
The VMware Cloud on AWS solution enables customers to have the flexibility to
treat their private cloud and public cloud as equal partners and to easily transfer
workloads between them—for example, to move applications from DevTest to
production or burst capacity. Users can leverage the global AWS footprint while
getting the benefits of elastically scalable SDDC clusters, a single bill from VMware
for its tightly integrated software plus AWS infrastructure, and on-demand or
subscription services.
[Figure: the cloud SDDC platform: vCenter Server, NSX Controller and NSX services, customer VMs, all running on a vSAN cluster]
Within a VMware Cloud on AWS four-host cluster configuration, 40TB of raw capacity,
comprising all 32 encrypted NVMe devices, is available for the VMs to consume. The
management VMs consume 0.9 percent of the vSAN datastore capacity. If the cluster
is expanded to 16 hosts, 160TB of raw capacity is available for the VMs to consume,
along with 128 encrypted NVMe devices. For all cluster configurations, the usable
VM storage capacity depends on the per-VM storage policy.
vSAN Architecture
As was mentioned in the previous section, each host contains eight NVMe devices
distributed across two vSAN disk groups. Within a disk group, the write-caching tier
leverages one NVMe device with 1.7TB of storage; the storage capacity tier leverages
the other three NVMe devices with a combined 5.1TB of storage.
Although default storage policy configuration settings are in place, users can
configure their own storage policies to provide the appropriate protection level against
host and component failure. The default storage policy setting for fault tolerance is
RAID 1, but users can select RAID 5 or RAID 6 instead, depending on the number
of hosts in the cluster. VMware monitors the health and performance of the vSAN
datastore; therefore, vSAN Health Monitoring and vSAN Performance Service are
not exposed to the end user.
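As an added worked example (not code from the white paper), the following Python script reproduces the device counts and raw capacity figures given above from the per-host disk-group layout, and estimates usable VM capacity under the RAID 1, RAID 5 and RAID 6 policies the storage policy section names. The 1.7TB-per-device figure and the 0.9 percent management overhead come from the paper; the per-policy space multipliers and minimum host counts are assumed from standard vSAN behaviour.

```python
# Added example, not part of the VMware white paper.
# Per-host layout from the paper: two disk groups, each with one cache
# NVMe device (1.7 TB) and three capacity NVMe devices (5.1 TB combined).
DISK_GROUPS_PER_HOST = 2
CACHE_DEVICES_PER_GROUP = 1
CAPACITY_DEVICES_PER_GROUP = 3
DEVICE_TB = 1.7            # each NVMe device, cache or capacity tier
MGMT_OVERHEAD = 0.009      # management VMs consume 0.9 percent of the datastore

# Assumed (standard vSAN): policy -> (space multiplier per TB of VM data,
# minimum number of hosts the policy needs to place its components).
POLICIES = {
    "RAID-1 FTT=1": (2.0, 3),
    "RAID-5 FTT=1": (4 / 3, 4),
    "RAID-6 FTT=2": (1.5, 6),
}


def cluster_devices(hosts):
    """Total NVMe devices in the cluster, cache and capacity tiers together."""
    per_host = DISK_GROUPS_PER_HOST * (CACHE_DEVICES_PER_GROUP + CAPACITY_DEVICES_PER_GROUP)
    return hosts * per_host


def raw_capacity_tb(hosts):
    """Raw capacity-tier TB; cache devices do not add to usable capacity."""
    per_host = DISK_GROUPS_PER_HOST * CAPACITY_DEVICES_PER_GROUP * DEVICE_TB
    return hosts * per_host


def usable_vm_tb(hosts, policy):
    """Estimated TB of VM data the cluster can hold under one storage policy.

    Returns None when the cluster has fewer hosts than the policy requires,
    which is the 'depending on the number of hosts' caveat in the paper.
    """
    multiplier, min_hosts = POLICIES[policy]
    if hosts < min_hosts:
        return None
    available = raw_capacity_tb(hosts) * (1 - MGMT_OVERHEAD)
    return round(available / multiplier, 1)


if __name__ == "__main__":
    for hosts in (4, 16):
        print(f"{hosts} hosts: {cluster_devices(hosts)} NVMe devices, "
              f"{raw_capacity_tb(hosts):.1f} TB raw")
        for name in POLICIES:
            print(f"  {name}: {usable_vm_tb(hosts, name)} TB of VM data")
```

The 4-host and 16-host runs give 32 and 128 devices and about 40TB and 160TB raw, matching the figures in the paper.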
Storage Encryption
Datastore-level encryption with vSAN encryption, or VM-level encryption with
vSphere VM encryption, is not available at initial availability of VMware Cloud on AWS.
To provide data security, all local storage NVMe devices are encrypted at the firmware
level by AWS. The encryption keys are managed by AWS and are not exposed to or
controlled by VMware or VMware Cloud on AWS customers.
vSAN Datastore
All VMs running inside the cloud SDDC consume storage capacity and leverage
storage services from the vSAN datastore. Management workloads, and the workloads
belonging to a single VMware Cloud on AWS customer, are located on the same
vSAN cluster. However, the cloud SDDC introduces a new vSAN capability that
provides two logical datastores instead of one. One of these datastores is used to
store the management VMs; the other datastore is used for the customer VMs.
Cluster Configuration
At initial availability, clusters are restricted to a single AWS region and availability
zone (AZ). Failed hardware can be automatically detected, and automated
remediation enables failed hosts to be automatically replaced by other cloud hosts
and vSAN datastores to be automatically rebuilt—without user intervention.
[Figure: cloud administrator workflow. Through the Web Portal the cloud administrator creates network services; through the vSphere Web Client the administrator consumes the pre-created network services: deploys VMs, attaches VMs to networks, creates new networks, and assigns IP addressing for VMs]
Network Connectivity
To provide connectivity to VMware Cloud on AWS, two gateways are created. The
management edge gateway (MGW) utilizes VMware NSX Edge™ to enable users to
connect to the vCenter Server instance. They can configure firewall rules, an IPsec
VPN, and DNS for the management gateway.
The customer gateway (CGW) utilizes an NSX Edge instance and a distributed logical
router (DLR) to enable ingress and egress of VM network traffic. Users can configure
firewall rules, inbound NAT, VPN connections, DNS, and public IP addresses for their
compute gateway. The initial customer configuration supports a single customer
gateway. By default, all NSX Edge instances are large-sized and are monitored for
utilization. A default logical network is DHCP-enabled and is provisioned with source
NAT to provide outbound Internet connectivity.
An IPsec layer 3 VPN is set up to securely connect the on-premises vCenter Server
instance with the management components running on the in-cloud SDDC cluster.
A separate IPsec layer 3 VPN is set up to create connectivity between the on-premises
workloads and the VMs running inside the in-cloud SDDC cluster. NSX is used for all
networking and security and is decoupled from Amazon VPC networking. The
compute gateway and DLR are preconfigured as part of the prescriptive network
topology and cannot be changed by the customer. Customers must provide only
their own subnets and IP ranges.
[Figure: network overview as shown in the portal. Management Gateway: public IP aaa.bbb.ccc.ddd, VPN to Corporate, management subnet 10.53.96.0/20, 6 firewall rules; it connects vCenter Server and NSX to the on-premises site over the Internet. Compute Gateway: no VPN configured, public IP www.xxx.yyy.zzz, 1 firewall rule, 1 logical network, 0 public IPs; attached to Amazon VPC vpc-xx1y2zz3]
Encrypted vMotion
The Encrypted vMotion feature was introduced in VMware vSphere 6.5. It does not
require a third-party key manager. It is set on a per-VM basis as one of the VM options.
Encrypted vMotion encrypts the data traversing the vSphere vMotion network—not
the network itself. It therefore requires no special configuration other than enabling it
in the VM options. Encrypted vSphere vMotion migration between hosts inside the
cloud SDDC is offered at initial availability of VMware Cloud on AWS.
However, if there are host failures, or VMs that demand more capacity, VM availability
or performance might be compromised until the administrator adds more hosts to
the cluster. Historically, it can take from 6 to 12 weeks for IT to order, rack, stack, and
configure a new server, creating opportunities for SLAs to be breached.
With VMware Cloud on AWS, customers have access to a large pool of server
resources that exist in AWS data centers. These servers are available on demand and
can be joined to existing customer clusters in minutes. If the capacity of a cluster
is greater than necessary for the given time, servers can be removed from the
customer’s cluster and scrubbed before being returned to the general pool of
resources. This ability can be utilized to provide unique features that are not
available anywhere else.
[Figure: host networks: Management Network, vSphere vMotion Network, vSAN Network, VXLAN Network]
[Figure: automated host remediation, step 1: a host fails or a problem is identified in the vSAN cluster]
To run Hybrid Linked Mode (HLM), users must have on-premises vCenter Server 6.5d or later, as
well as layer 3 network connectivity. Because of the restrictive access model
of VMware Cloud on AWS, HLM is restricted to connecting one on-premises
Enhanced Linked Mode domain and does not have synchronized roles.
Operations Model
VMware Cloud on AWS is sold and operated as a service. To ensure that all
environments perform correctly, VMware manages the systems exclusively. Likewise,
VMware is the sole contact point for customers. In case of hardware failure, VMware
interacts with AWS on the customer’s behalf, streamlining communication
and remediation.
To enable the monitoring and management of the lifecycle of the cloud SDDC
software stack, the VMware Cloud on AWS service retains the administrator rights
on the SDDC to deploy and configure the AWS infrastructure and the SDDC software.
It is responsible for adding and removing hosts and networks due to a failure or if
cluster-scaling operations require more or fewer resources. The VMware Cloud on AWS
service is also responsible for cloud SDDC software patching and for the application
of updates.
The VMware Cloud on AWS service introduces a new cloud administrator role to the
traditional vCenter Server user model and extends the roles and permissions scheme.
This is to ensure that the cloud SDDC infrastructure is configured in a prescriptive
deployment architecture and that the customer cloud administrator cannot
reconfigure the management appliances. Within this model, the customer cloud
administrator has full control over their workload while having a read-only view of
management workloads and infrastructure.
Due to the restricted access model, the cloud SDDC vCenter Server instance is used
only to manage the cloud SDDC environment and does not support management of
on-premises SDDC environments. Customers cannot use root access or install VIBs.
They can log in to the vCenter Server instance and use it to operate and manage their
environment. They do not, however, have direct access to the appliance and cannot
make any changes to the vCenter Server instance itself. Customers using a third-party
vendor on premises for particular services should consult their partner and ask if they
have plans to support the VMware Cloud on AWS model.
Conclusion
The agility to use a private, public, or hybrid environment is one of the main drivers
in adopting the cloud. Customers can leverage a hybrid cloud environment in any
number of ways. The common denominator is that VMware Cloud on AWS empowers
them to focus on consuming resources and managing their VMs rather than spend
their time and energy dealing with host-based operations.
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2017 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. and its subsidiaries in the United States and other jurisdictions. All other marks and names mentioned herein
may be trademarks of their respective companies. Item No: VMW-TO-Cloud on AWS-USLET-101
8/17