Monthly Archives: July 2016

Configuring AlwaysON on NetScaler 11.1

One of the cool new features in NetScaler 11.1 is called AlwaysON. NetScaler has had a VPN agent for a long time now, and in 11.1 it got a huge overhaul! AlwaysON is a VPN feature which triggers the VPN agent to log on automatically after a user has logged into a computer.

image

There are some things you need to be aware of when using this feature.

1: It requires that the vServer is set in SmartAccess mode, meaning that all connections will require a universal license.

2: It requires a user to be logged on to the computer, so it is not the same as DirectAccess.

3: It requires an admin to install the VPN agent on the endpoint.

In order to configure the AlwaysON feature you need to create an AlwaysON profile and attach it to a session profile on the NetScaler Gateway. First, create an AlwaysON profile under NetScaler Gateway –> Policies –> AlwaysON.

image

It's a pretty simple setup, but we need to be aware of what each setting does to the client configuration when clients connect.

Location Based VPN: This defines how and when the client will try to connect. If it is set to Everywhere, the client will try to establish the tunnel regardless of where the client is.
If set to Remote, it will only try to connect when the client is outside the network. DNS suffixes are used to detect the location: the client receives the DNS suffixes in the configuration after a successful login, and these suffixes are stored in the registry. The client reads them on startup and tries to resolve them. If the resolved IP addresses are private addresses according to RFC 1918, the client is considered to be inside the enterprise network; if they are public (outside the RFC 1918 ranges below), the client is considered to be outside it.

    10.0.0.0        -   10.255.255.255  (10/8 prefix)
    172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
    192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

So if you use public IPs or IPv6 for the DNS suffixes, it is going to be hard to use the Remote location option.
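To make the detection logic concrete, here is a rough PowerShell sketch of the same check the client performs: resolve a configured DNS suffix and test whether the answers fall within the RFC 1918 private ranges. The suffix name below is a placeholder, not something handed out by the NetScaler.

# Sketch only: mimic the AlwaysON location check for one DNS suffix (placeholder name)
$ips = [System.Net.Dns]::GetHostAddresses("intranet.example.local") |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' }

# An address is private if it falls in 10/8, 172.16/12 or 192.168/16
$private = $ips | Where-Object {
    $b = $_.GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

if ($private) { "Inside the enterprise network - no tunnel needed" }
else          { "Outside the enterprise network - establish the tunnel" }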

image

Client Control: This controls whether users can log off the VPN themselves. The Logoff option in the plugin context menu and plugin UI is disabled when AlwaysON is enabled and client control is disabled.

image

Network Access ON VPN Failure:
This defines whether the computer will have network access if VPN authentication fails. It has two options: Full Access, meaning that regardless of the authentication failure the client will be able to communicate fully with the network, or Only to Gateway, meaning the client can only communicate with the VPN gateway if for some reason the VPN tunnel is not established.

So how does this look for the end user when they log on against a properly configured NetScaler Gateway? Pretty seamless!

Clientless access with NetScaler 11.1 and Storefront 3.6

One of the questions I've been getting a lot lately is about the new NetScaler 11.1 UI, RfWebUI, and the ability to log on directly to it and display all the different applications from the NetScaler UI instead of being redirected to the StoreFront web site.

This is of course possible, but there are some things you need to be aware of.

1: This will by default only work in SmartAccess mode (meaning that all connections will require a universal license).

2: It will not show any web applications that have been published directly to StoreFront, and other customizations like password changes, UI changes and such will not be displayed. The NetScaler only communicates with StoreFront to get the list of applications/desktops available to the end user.

Getting StoreFront application aggregation in NetScaler clientless access used to be quite cumbersome, requiring you to configure X-Frame options in the web.config file, but that is not needed anymore.

In order to set it up, all you need is an existing NetScaler Gateway environment that you can configure, and a basic StoreFront setup.

NOTE: StoreFront 3.6 is not required; you only need StoreFront 3.0 or newer.

Some other changes in this theme to be aware of:

Fileshare feature – The fileshare feature that accesses SMB file shares is not supported.

Email Tab – The VPN parameter, Email Home, is no longer available as an embedded view for the Gateway Portal. It is accessed as an App, and it can be seen on the Apps tab and in the “Web and Software as a Service (SaaS) Apps” bundles.

Java Client – The browser-based Java client for establishing an SSL tunnel is no longer available in this theme, in keeping with the end of support for Java applets in browsers (announced by Oracle).

Set the vServer in Smart Access mode. Virtual Server –> Basic Settings

image

Set the portal theme to RfWebUI. Note that the clientless access feature only works with this theme.

image

Set Clientless Access to ON in the session policy that is bound to the NetScaler Gateway virtual server.

image

NOTE: In some cases you might have the Client Choices option enabled, which gives users the option to choose what kind of features they want to use. This can be disabled in the session policy under Client Experience –> Advanced Settings –> remove any checkmarks behind the Client Choices options there.

The last thing we need to do is disable ICA proxy. It is also important that the Web Interface Address is spelled exactly as it appears in the StoreFront console, including capital letters; if not, it will not work.

image

The reason we need to disable ICA proxy is that, when it is enabled, the NetScaler will by default redirect to the StoreFront UI; that HTTP redirect to StoreFront is essentially the only thing the ICA proxy option is there for. Even with it disabled, all ICA sessions will still trigger an ICA proxy connection through the NetScaler.

So when users now connect to the website they will be greeted with this new portal, where they will see web-based bookmarks from the NetScaler Gateway and desktops/applications aggregated from StoreFront.

image

Does data locality matter? My Perspective on Windows Server 2016 Storage Spaces Direct and RDMA

With the rise of hyperconverged technology it is interesting to see how the different vendors in the market have embraced different architectures in their implementations. I've previously blogged about how VMware, Microsoft and Nutanix have done this –> http://msandbu.org/storage-warshci-edition/

So I decided to dig a bit deeper into the way Microsoft has implemented their hyperconverged infrastructure solution, called Storage Spaces Direct.

For those not aware of the feature, it is a further evolution of Storage Spaces, which came in 2012 and allowed us to create a virtual disk based upon one or more physical disks using different RAID-like features such as mirroring, parity or striping. In 2012 R2 it got improved performance and new features, like tiering.

Fast forward to 2016: the market has changed, with VMware and Nutanix having been in the hyperconverged space for a while and Microsoft soon taking the step into this market. Unlike VMware and Nutanix, Microsoft recommends an RDMA-based backend network if you use their hyperconverged solution.

Why? The reason lies in the way Microsoft stores data on the storage pools: the storage for a virtual machine can be placed anywhere on the cluster. So what's the issue with that?

image

Imagine a virtual machine running on top of an SPD (Storage Spaces Direct) cluster. For a single virtual machine, all the blocks it writes down to the CSV storage can be placed on any node within the cluster (of course there are some rules for where data is placed, depending on the fault tolerance settings). If we look at the traffic generated here, every write must be written twice (depending on the resiliency defined), which means it goes to one or two hosts remote from where the virtual machine resides before the VM is allowed to continue operating. A virtual disk consists of multiple extents (the default is 1 GB per extent) which are placed across the different hosts in the cluster.

The issue here is the latency introduced by the network layer. So let's think of a traditional Ethernet TCP/IP network.

Quote from the VMware VSAN network design:
”The majority of customers with production Virtual SAN deployments (and for that matter any hyper-converged storage product) are using 10Gigabit Ethernet (10GbE). 10GbE networks have observed latencies in the range of 5 – 50 microseconds. (Ref: Qlogic’s Introduction to Ethernet Latency – http://www.qlogic.com/Resources/Documents/TechnologyBriefs/Adapters/Tech_Brief_Introduction_to_Ethernet_Latency.pdf)“

So data would need to travel from the virtual machine, to the VM switch, to the file system, to the virtual disk, the cluster port, blocks over SMB, processing by TCP/IP, the storage controller, and eventually the disks, and this has to happen twice before the VM can continue its operations (this is to ensure availability of the data).

Now with storage devices becoming faster and faster, you might argue that the backend network will become the bottleneck, since it operates with 5 – 50 microseconds of latency, while NVMe and SSD flash devices can operate in the sub-10-microsecond range; you would not be able to leverage the speed of the devices properly because of the higher latency of the network.

blog-image-a

Source: http://www.mellanox.com/blog/wp-content/uploads/blog-image-a.jpg

Now Microsoft has a READ-based host cache implemented using the CSV cache (which offers some form of data locality for virtual machines, since some reads will be served from memory on the host they reside on, and memory delivers very low latency and high throughput), but this only helps read operations, not writes.

This is where RDMA comes in!

For those that don't know what RDMA is: it is a technology that allows direct memory access from one computer to another, bypassing the TCP layer, CPU, OS layer and driver layer, allowing for low-latency and high-throughput connections. This is done with hardware transport offloads on network adapters that support RDMA.

Roce2
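As a side note, a quick way to check whether a host's adapters are RDMA-capable is a couple of the in-box PowerShell cmdlets; a small sketch of what to look for:

# Show which NICs expose RDMA (Network Direct) and whether it is enabled
Get-NetAdapterRdma

# SMB's view of the same thing: which interfaces SMB Direct considers RDMA-capable
Get-SmbClientNetworkInterface | Format-Table FriendlyName, RdmaCapable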

Now Microsoft has been working with RDMA since Server 2003, and in 2016 there are multiple improvements, such as SET (Switch Embedded Teaming), where NIC teaming and the Hyper-V switch become a single entity which can now be used in conjunction with RDMA NICs; in 2012 you needed to have separate NICs for RDMA and the Hyper-V switch.
Configuring SET with RDMA: https://technet.microsoft.com/en-us/library/mt403349.aspx
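For reference, the TechNet guide boils down to something like the following sketch; the adapter names "NIC1" and "NIC2" and the vNIC name "SMB1" are placeholders for your own environment:

# Create a SET-enabled vSwitch on two RDMA-capable physical NICs (placeholder names)
New-VMSwitch -Name "SETswitch" -NetAdapterName "NIC1","NIC2" -EnableEmbeddedTeaming $true

# Add a host vNIC for SMB traffic and enable RDMA on it
Add-VMNetworkAdapter -SwitchName "SETswitch" -Name "SMB1" -ManagementOS
Enable-NetAdapterRdma -Name "vEthernet (SMB1)"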

Now the interesting thing about this technology is that it makes remote NVMe and SSD devices behave like local devices to the physical host in terms of latency. As an example, Mellanox tested Storage Spaces Direct with and without RDMA to show the latency and throughput differences.

SATA versus NVMe SSDs with RDMA

Another test that Mellanox did was RDMA over RoCE (RDMA over Converged Ethernet) using pre-standard NVMf:
blog-image-b

NOTE: 1000 us = 1 ms

This shows a tremendous improvement in throughput and a reduction in CPU overhead, which is crucial in a hyperconverged setup where you have storage and compute merged together.

So to summarize:
Is data locality important? Yes, it still is, but to a certain degree. For READS it is useful to have the data stored as close to the machine as possible, and to have tiering features which make sure the hot data is stored on the fastest tier close to the virtual machine. For WRITES you cannot escape the fact that the data needs to be written twice for resiliency, and stored on two different hosts; for those WRITES, having a backend networking solution like RoCE / iWARP will drastically improve the performance of Storage Spaces Direct because of its architecture. It should be noted that this comes with a cost, and for many that might mean reinvesting in new network equipment. And with that I present the latest Storage Spaces Direct benchmark from the Storage Spaces Direct PM: https://blogs.technet.microsoft.com/filecab/2016/07/26/storage-iops-update-with-storage-spaces-direct/

 

Now there are some requirements if you want to implement RDMA on Windows Server 2016:
For iWARP-capable NICs, the requirements are the same as for non-RDMA-capable NICs.
For RoCE-capable NICs, the network switches must provide Enhanced Transmission Selection (802.1Qaz) and Priority-based Flow Control (802.1p/Q and 802.1Qbb).
If RDMA-capable NICs are used, the physical switch must meet the associated RDMA requirements.

Mappings of traffic-class (TC) markings between L2 domains must be configured between switches that carry RDMA traffic.
You need to have DCB (Data Center Bridging) installed.
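As a rough illustration of what the DCB piece looks like in practice, here is a sketch based on Microsoft's general RoCE guidance; the priority value 3 and the adapter names are assumptions that must match your switch configuration:

# Install DCB and tag SMB Direct traffic (TCP/445) with priority 3
Install-WindowsFeature -Name Data-Center-Bridging
New-NetQosPolicy "SMB" -NetDirectPortMatchCondition 445 -PriorityValue8021Action 3

# Enable Priority Flow Control only for the SMB priority
Enable-NetQosFlowControl -Priority 3
Disable-NetQosFlowControl -Priority 0,1,2,4,5,6,7

# Apply QoS on the RDMA NICs and reserve bandwidth for SMB with ETS
Enable-NetAdapterQos -Name "NIC1","NIC2"
New-NetQosTrafficClass "SMB" -Priority 3 -BandwidthPercentage 50 -Algorithm ETS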

More information:

Storage Spaces Direct and Intel:
https://blogs.technet.microsoft.com/filecab/2016/03/25/microsoft-and-intel-showcase-storage-spaces-direct-with-nvm-express-at-idf-15/

NVMe over fabrics: http://www.snia.org/sites/default/files/SDC15_presentations/networking/WaelNoureddine_Implementing_%20NVMe_revision.pdf

RDMA/RoCE Considerations for Windows 2016 on ConnectX-3 Adapters:
https://community.mellanox.com/docs/DOC-2206

The Power of RDMA
https://blogs.technet.microsoft.com/larryexchange/2016/03/15/the-power-of-rdma-in-storage-space-direct/

Overview of Azure Active Directory, Subscriptions, Accounts & Role based access control

So in the beginning there was nothing!

Venturing into Azure these days, you might lose the overview you once had: with the introduction of Azure RBAC, multiple subscriptions, often many Azure Active Directories, and a mix of Microsoft and work accounts, it can be confusing how it all blends together. So I decided to write this post to perhaps clear up any confusion people might have.

Before I go ahead and describe the different scenarios, there are some key roles and terms you should be aware of.

Microsoft Account: An account associated with Microsoft; this can for instance be an Outlook, Hotmail, Xbox Live, MSDN or any other purpose-created account with Microsoft.

Work Account: A user account associated with an Azure Active Directory object; this can for instance be an account sourced from Office 365 or Intune, or a user account synchronized from an on-premises Active Directory. Users who sign in with a work account are authenticated either directly against Azure Active Directory or with federated access against an on-premises Active Directory.

Azure subscription: An active agreement with Microsoft, which is needed to provision resources in Microsoft Azure. Every subscription also has a trust relationship with an Azure AD instance, meaning it trusts that directory to authenticate users, services and devices. A subscription will only trust one directory, but multiple subscriptions can trust the same directory.

Every resource provisioned in Azure is a child resource of an Azure subscription. If the subscription expires or is stopped, those child resources stop as well.
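Since every subscription trusts exactly one directory, an easy way to see these relationships for your own account is the Azure PowerShell (AzureRM) module of that era; a small sketch:

# Log in and list the subscriptions this account can see,
# together with the Azure AD tenant each subscription trusts
Login-AzureRmAccount
Get-AzureRmSubscription | Format-Table SubscriptionName, SubscriptionId, TenantId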

Account Owner: The Microsoft Account or Azure Active Directory (AAD) account that is financially responsible for the Microsoft Azure subscription. There can be only one account owner per subscription.

Service Administrator: The Service Administrator is a property of each Azure subscription, and it represents a user account who can log in to the portal and deploy or create new resources.
Typically, an Account Administrator purchases an Azure subscription and makes his or her developer the Service Administrator, so the developer can log in to the portal. The Service Administrator can only be changed in the billing portal.

Azure Active Directory: A web-based identity service running in Azure. It is automatically created when you set up a subscription, using a default domain like company.onmicrosoft.com, and the user who creates the subscription is automatically added as a Global Administrator of that new directory.

Azure Active Directory Domain Services: A hosted implementation of Active Directory which provides services such as domain join, Group Policy, LDAP and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory.

AAD Connect: A tool used to synchronize an on-premises Active Directory to an Azure Active Directory catalog.

Resource Group:
A logical grouping of a set of resources, for instance virtual machines, virtual networks, SQL databases and so on. All resource groups are attached to a subscription.

Diagram overview: This diagram shows an example user with a Microsoft Account, msandbu@hotmail.com; when he logs into the Azure portal he has access to two Azure Active Directories.

One of the directories is used with Office 365 (where it has an active subscription) and also has another subscription used for different IaaS resources in Azure. This Azure AD catalog is also set up with federated access to an on-premises Active Directory, where user objects are synchronized across using AAD Connect; authentication happens against the local Active Directory because federated access is configured.

The other Azure Active Directory catalog is set up with two linked accounts, one sourced from another Azure AD catalog and one a Microsoft Account.

image

Azure virtual machine speed test

When sizing an environment in Microsoft Azure it is important to know what kind of performance you can expect from the different virtual machine instance types, because there are a lot of different aspects to think about when setting up virtual machines.

By default there are different instance types, which define what kind of CPU, disk support and other limits are in place.

Before I publish the results from the Azure speed tests, I want to show the results from my own personal computer as a reference. This first test is from a virtual machine in my lab environment, running on a pretty plain storage solution.

image

There are some facts you should be aware of, given the current limits in Azure for storage accounts:

Total request rate (assuming 1 KB object size) per storage account: up to 20,000 IOPS/entities per second.

Target throughput for a single blob (page blobs are optimized for representing IaaS disks and supporting random writes, and may be up to 1 TB in size): up to 60 MB per second, or up to 500 requests per second.

NOTE: All tests were run 4 times to ensure that the results were consistent.

The DiskSPD parameters I used

Diskspd.exe -b4K -d60 -Sh -o8 -t4 -si -c50000M volume:\io.dat

This means: 4K reads, for 60 seconds, with hardware and software caching disabled, 8 overlapped IOs, 4 threads per target, sequential access, using a 50,000 MB file io.dat on a specific volume. I also did 64K read runs.

A-series

image

D:\ disk (Read Storage IO 4k block size)

image

D:\ disk (Read Storage IO 64k block size)

image

D:\disk (Random Access)

image

image

 

D-series (Standard DS12, 4 cores, 28 GB memory). I didn't know that the D-series had been updated to Haswell (v3) as well!

image

D: disk (READ Random Access)

image

D: Disk (Read) 4k block size

image

D: Disk (Read 64k block size)

image

D:\ disk (Write)

image

D_V2-series (Standard D3 v2, 4 cores, 14 GB memory). Local SSD disk = 28 GB, SSD disk cache = 172 GB, max IOPS = 12,800, max bandwidth = 192 MB per second.

image

D:\ disk random access

image

4k block size

image

64k block size

image

D:\ disk writes

image

Data disks with no cache (NOTE: the Azure limit here is the target throughput for a single blob: up to 60 MB per second, or up to 500 requests per second).

image

image

image

Premium disk (the limit applies to both reads and writes):

image

image

Premium Storage (with 4 disks in a Storage Spaces setup with a simple layout):

image

image

Analysis:

My VMware VM test
Read: 350 MB/s
Write: 100 MB/s
Read random IOPS: 6000 IOPS
Write Random IOPS: 10000 IOPS

A-Instance D: disk (the D: disk on A-instances has very unpredictable performance in terms of reads/writes)
Read: 250 MB/s
Write: 80 MB/s
Read random IOP: 620 IOPS
Write random IOPS: 590 IOPS

D-instance D: disk (SSD) (this had very consistent and predictable performance)
Read: 130 MB/s
Write: 130 MB/s
Read random IOPS: 16500 IOPS
Write random IOPS: 16500 IOPS

D_V2-series D: disk (SSD) (this includes its own SSD cache for reads, which surprised me, but clearly it only affects read performance, and it operated at a bit higher latency)
Read: 190 MB/s
Write: 98 MB/s
Read random IOPS: 13700 IOPS
Write random IOPS: 12000 IOPS

Data disks: (this was consistent with the limits stated in the Microsoft Azure documentation)
Read: 96 MB/s
Write: 61 MB/s
Read random IOPS: 600 IOPS
Write random IOPS: 500 IOPS

Premium Disks: (this was very consistent with the limits stated in the Microsoft Azure documentation)
Read: 191 MB/s
Write: 191 MB/s
Read Random IOPS: 5000 IOPS
Write Random IOPS: 5000 IOPS

Premium Disks with Storage Spaces: (setting up a simple Storage Spaces configuration increases IOPS with the number of disks, but because it also increases read/write latency, the bandwidth only improves on reads)
Read: 250 MB/s
Write: 191 MB/s
Read Random IOPS: 17700 IOPS
Write Random IOPS: 13000 IOPS
NOTE: The disks were all placed within the same storage account.
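For reference, the "simple layout" used above is just a striped (no-resiliency) Storage Spaces volume across the four data disks; a minimal sketch of that setup inside the VM (pool and disk names are placeholders):

# Pool the four un-pooled Azure data disks and stripe across them
$disks = Get-PhysicalDisk -CanPool $true
New-StoragePool -FriendlyName "DataPool" -PhysicalDisks $disks `
    -StorageSubSystemFriendlyName (Get-StorageSubSystem).FriendlyName

# Simple = striping only, no resiliency; one column per disk
New-VirtualDisk -StoragePoolFriendlyName "DataPool" -FriendlyName "Striped" `
    -ResiliencySettingName Simple -NumberOfColumns 4 -UseMaximumSize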

It is hard to predict the performance of virtual disks in Azure, except for data disks and premium storage disks, which in 9 out of 10 cases give the performance stated in the documentation. The other disks have a lot of different factors in play, for instance read/write caching; the DS series also has its own SSD cache implemented, which you can read more about on the Azure documentation site here –> https://azure.microsoft.com/nb-no/documentation/articles/storage-premium-storage/#create-and-use-a-premium-storage-account-for-a-virtual-machine-data-disk

Comparison of on-premises HCI vs Microsoft Azure

So lately a lot of HCI vendors in the market have stated in their marketing campaigns that they bring all the benefits of the cloud to on-premises solutions. Some have also stated that they make on-premises cool again. A lot of companies these days are evaluating the benefits the cloud could bring to their enterprises: "should I move my resources to the cloud? Can I save money by moving to the cloud?"

Now while cost is one factor to think about, others are of course capacity, less management, ease of scalability and the elasticity/agility of the cloud, while also reducing an existing infrastructure which might be harder and harder to maintain.

A while back I did a blog post comparing an on-premises solution using standard Dell equipment with Microsoft Azure. Since a lot has changed over the last couple of years, I wanted to revisit the post with an updated view of the same scenario.

I wanted to compare what a solution would look like for a small business that wanted to move from an old traditional three-tier SAN-based solution to either an HCI solution from Nutanix or to Microsoft Azure. Of course, this post only focuses on the cost of each component; it will not go in depth on the performance differences between the two solutions (apples and oranges), but a couple of factors come into play during the setup of the scenario. For instance, I believe Nutanix delivers a lot of the benefits that the cloud offers; I will go more in depth on this later in the post.

NOTE: The cost estimates are based upon street prices and do not take into account that:

1: Microsoft licenses have different levels and agreements depending on the customer.
2: Microsoft Azure has different levels of rebate depending on what kind of subscription is used.
3: Nutanix has a channel program where customers purchase from partners, which may also have different levels and prices for end customers, so the price listed here might not be 100% accurate.

Scenario company:
So we have an SMB company running about 40 virtual machines, containing a mix of LOB applications (Win32 & web), SQL, RDS, AD, DNS, file servers, etc. They run their entire infrastructure on Windows, so we need to account for Windows licenses as well as RDS licenses. SQL, which some of their LOB apps use, is also an important piece of the licensing puzzle. They use about 5 TB of storage in total, where a lot is used for archiving purposes. The customer has about 150 users in total.

However, using RDS in Azure requires a SAL license from an SPLA provider, so I'm going to leave that out of the equation.

The split of the virtual machines in the existing environment looks like this:

Small VM: 2 GB RAM, 2 vCPU, 40 GB disk: 8 VMs
Medium VM: 4 GB RAM, 2 vCPU, 100 GB disk: 14 VMs
Large VM: 16 GB RAM, 4 vCPU, 140 GB disk: 8 VMs
Fileservers (HA): 8 GB RAM, 2 vCPU, 800 GB disk: 2 VMs
SQL Server Standard: 8 GB RAM, 2 vCPU, 250 GB disk: 1 VM

Total hardware requirements:

RAM: 224 GB
CPU: 82 vCPU
DISK: 4690GB Storage

To make sure the comparison is done correctly, I need to make some assumptions:

1: The servers will be running 24×7.
2: The hypervisor will be Hyper-V (it could also be AHV; this is discussed further down the post).
3: Normal Microsoft licensing applies.
4: The solution will be running for at least 3 years.

Nutanix

So how well does an on-premises solution fare compared to the cloud? First of all, an on-premises solution comes with some additional costs:

1: Power
2: Dedicated network
3: Physical security / dedicated cooling
4: Fire protection for the datacenter
5: Additional management (network, physical equipment, hardware maintenance)

These costs are hard to calculate: the price of power fluctuates, the networking fabric might be something the customer already has, or the customer might be renting from a third party, but they need to be taken into account when doing the cost analysis.

The additional management needed for an on-premises solution using Nutanix might vary; since in this case it is using Hyper-V, the customer might also be using System Center for Hyper-V management and additional capabilities.

image

Or the customer could convert to AHV (the Nutanix hypervisor), remove the System Center licensing cost, and reduce the management to a single solution for the storage/infrastructure and virtualization layers. In most cases a customer would not need System Center for a small solution like this anyway, and could instead use for instance 5nine for Hyper-V management.

image

As an example I've decided to focus on the Nutanix discovery kit, 1350 series (an entry kit which is quite suitable for SMB companies). It consists of three nodes in a block (a 2U chassis). This solution will suffice for the given scenario in terms of hardware performance.

Processor: 2x E5-2620 (Sandy Bridge, 12 cores, 2.0 GHz)
Memory: 128 GB
HDD: 4x 1 TB disks
SSD: 1x 400 GB SSD
This gives about 5.47 TB of usable disk space.

The street price (which I found just using a Google search, and which may not represent an actual valid customer price) is $35,750. This includes Starter edition and production-level support for one year, and gives us all the hardware we need to set up our solution.

NOTE: The price range for Nutanix might be higher or lower based upon currency, specifications, customer and so on.

In order to use Windows on the servers we also need Datacenter licenses and user CALs (source: https://www.microsoft.com/en-us/cloud-platform/windows-server-2012-r2-pricing). Six Datacenter licenses will cost us $36,930, and the user CALs come to about $5,670.

Also, with SQL Standard on-premises we can use the per-core SQL Standard licensing, which is approximately $3,717 per two-core pack, and every virtual OSE requires a minimum of four core licenses; therefore we need to pay $7,434 for SQL Standard. Of course the customer might already have SQL Server with SA, but to keep the cost analysis consistent I'm going to assume that the customer needs to repurchase SQL Server.

Hardware cost, Nutanix: $35,750
License cost, Microsoft: $42,600
SQL cost: $7,434

Total cost: $85,784

 

Azure

In Azure we have official numbers from the Azure pricing calculator. Since virtual machine instances in Azure come in fixed sizes, I need to calculate based upon the instance types that most closely resemble the existing virtual machines. Note that in Azure, storage is priced separately from compute, and other factors like bandwidth, VPN usage and so on will also change the price.

When pricing Azure, there are however some things that need to be taken into account because they are included in the product.

NOTE: For compute instances in Azure we can choose which OS we want to run; if we choose Windows, the Windows Server OS license and user CALs are included in the runtime pricing.

Small VMs: A1 (HDD, 1 vCPU, 1.75 GB RAM, 70 GB disk): $535 per month
Medium VMs: A2 (HDD, 2 vCPU, 3.5 GB RAM, 135 GB disk): $1,874 per month
Large VMs: D3 v2 (SSD, 4 vCPU, 14 GB RAM, 200 GB disk): $3,071 per month
Fileservers: D2 v2 (SSD, 2 vCPU, 7 GB RAM, 100 GB disk): $383 per month
SQL server: D2 v2 (SSD, 2 vCPU, 7 GB RAM, 100 GB disk, SQL Standard edition license): $979 per month (this also includes all necessary CALs)
Total compute cost for one month: $6,842

NOTE: For compute instances in Azure there are a few things you need to be aware of. First, there is no SLA or HA for a single virtual machine instance; if you want an SLA you need a duplicate of each virtual machine in an availability set, and even that does not give you any HA features, it just ensures that Microsoft will not shut down both instances within the availability set at the same time.

Also, the specifications of the Azure compute instances are a bit smaller than the current environment; for instance, the A-series mostly uses AMD Opteron CPUs, while the D-series v2 runs Intel Haswell CPUs. This also needs to be taken into account for the performance of the virtual machines. The D-series runs with SSD on the D: drive (which in Azure is a temporary disk).

Total compute instance cost for one year: $82,104

In terms of management, things are a bit simplified: we have the Azure portal, where most management is done, since we can only "see" the resources we have and not the underlying infrastructure.

image

We can also get a glimpse of the actual cost usage day by day.

Next we need to calculate the storage cost, since Azure storage is paid per used GB. As mentioned, the customer uses about 5,000 GB of storage, which comes to about $250 per month using LRS data redundancy (data is replicated three times within the same datacenter).
NOTE: Storage transactions are also billed in Microsoft Azure, but since the cost is so small I've decided not to include it in the calculations.

Total cost for one year of storage: $3,000

The customer's application use mostly relies on RDP for desktop connections to their environment, plus some web-based applications, so we need to calculate bandwidth usage in Azure as well. It is important to note that only bandwidth going out of Microsoft's datacenter is billed.

First off is RDP. Let's say that on average the end users have about 5 hours of active RDP work each day, consuming about 30 MB of bandwidth per user per day; with 150 users that is about 4.5 GB of bandwidth each day. In a month that is about 135 GB of bandwidth (+/-), which is about $11 per month. Of course, since they use RDP for a lot of their applications, the bandwidth cost can also be a lot higher, for instance with printing, clipboard, file access and so on.

Total cost for one year of bandwidth: $132

Total cost for Azure for one year: $85,236

Cost analysis:

The on-premises solution with Nutanix has a total cost of $85,784, where the HCI infrastructure is approximately 40% of the cost and the rest is spent on Microsoft licenses. Azure, on the other hand, comes to $85,236, which is pretty close to the on-premises HCI solution. Some points to take in here in terms of comparison:

1: One-time cost
The cost of the Nutanix infrastructure is a one-time cost and includes one year of support; the following years only require renewing the support. The Azure cost recurs every year.

2: Redundancy
The HCI infrastructure has built-in redundancy in the virtualization layer using clustering: if a host goes down, the virtual machines are restarted on another host, and with the hardware in the discovery kit the HCI solution has sufficient resources to do so. Azure does not have built-in "high availability" for virtual machines; you need to use availability sets and have duplicate resources available if you want a service to stay available while Microsoft is doing maintenance, and of course this is only useful for stateless solutions and not so much for RDS and the like.

Another thing to keep in mind is that while Nutanix has built-in RF2 (data is replicated twice within the same cluster), Microsoft has RF3 built in, meaning that data is replicated three times within the same datacenter.

3: Performance
The HCI solution has a lot better hardware resources and built-in performance. The tiering that Nutanix uses allows all virtual machines to get SSD-like performance, while Azure has limits on IOPS per virtual machine disk; even though we can use a Storage Spaces solution or Premium Disks in Azure to increase performance, this increases the cost for the virtual machines using those features.

4: Pay only for what you use
One of the benefits of Azure is that you only pay for what you use. If 60% of the resources are RDS servers which the end users only use during work hours, they could be shut down automatically when not in use (as sketched below), which decreases the cost of the virtual machine instances, since virtual machines are billed per minute of use. The same goes for storage: even if virtual machines are provisioned with multiple 1 TB disks, the customer is not billed for the disks until data is actually stored on them.
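Purely as an illustration of that point, a scheduled job with the AzureRM cmdlets could deallocate the RDS machines outside work hours; the resource group and name filter below are placeholders:

# Stop (deallocate) all RDS VMs in a resource group; deallocated VMs stop accruing compute cost
Get-AzureRmVM -ResourceGroupName "RDS-RG" |
    Where-Object { $_.Name -like "RDS*" } |
    ForEach-Object { Stop-AzureRmVM -ResourceGroupName $_.ResourceGroupName -Name $_.Name -Force }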

5: Latency & network performance
This is not directly a cost factor, but the customer needs to be aware of how moving applications to Azure will affect them in terms of performance. Moving their web applications to Azure (and therefore further away from the end users) might decrease the users' effectiveness by maybe 5-10% (increased latency and slower performance on the virtual machines), and with 150 end users working in their LOB applications this can be a significant cost factor to consider.

6: Management
Another thing to consider is how the infrastructure management is done. When moving resources to Azure, Microsoft takes responsibility for the hardware/virtualization layer, but each virtual machine is still the customer's responsibility; we still need backup, management, policies and security agents in place even if the virtual machines run in Microsoft's datacenter. Backup is of course an important thing to think about: since we do not have direct management of the virtualization layer in Azure, we depend on Microsoft to provide backup options for us. Microsoft has an IaaS backup feature in place for Azure, but it has some drawbacks in terms of single-item recovery, and it is another cost factor per protected virtual machine instance plus data storage. On-premises, using for instance Veeam, we have single-item recovery options for SQL, AD, SharePoint and so on, but that is also an option that should have dedicated hardware resources outside of the HCI infrastructure.

7: Other features built in
Even though Microsoft offers IaaS features, Azure also has a lot of other features we as a customer can benefit from, which makes things a lot easier depending on the solution we have: built-in load balancing options, DNS management, Security Center, Application Insights (for application monitoring) and so on. If we wanted to implement this on our HCI infrastructure we would need third-party solutions in place, so this is of course another thing to consider.

My personal conclusion

So based upon the research I did for this blog post, I found that Nutanix is more cost-effective and gives a lot better performance for pure virtualization workloads compared to Microsoft Azure. Of course there are a lot of factors to take into consideration: Azure offers a lot more options around the virtualization ecosystem and supporting features like backup, load balancing, security features and application monitoring, and it has the option to pay only for what you use, which offers a lot more flexibility.
On the other hand, it is difficult to get a 100% accurate picture of resource costs in Azure, since a lot of the usage is variable and hard to calculate. Microsoft also reduces prices in Azure from time to time to ensure healthy competition, which benefits the customer, although as I've seen it has gone the other way as well, with prices increasing for some features.

Now this has been a pretty long post; if you feel that I have miscalculated or left something out, I would love your feedback on the subject!

Azure Stack as a turnkey solution – is that the right approach from Microsoft?

Earlier last week it was announced that Azure Stack will be delivered as a turnkey solution during 2017 via Dell, HPE and Lenovo systems. This came as a disappointment to many who had started to look forward to the release, since they will now not be able to run Azure Stack on their existing hardware. Microsoft learned a lot from the CPS solution they had with Dell: they got a lot of customer feedback and took it a bit further.

To me, the decision to make it a turnkey solution makes a lot of sense, because Microsoft wants to deliver services beyond just the cloud management stack (which is what Windows Azure Pack delivers today). They want to deliver a full Azure experience, with full control of the infrastructure from one fabric, which is what Azure actually does today.

Don't get me wrong, Azure the cloud solution runs on commodity hardware and is more of a fully software-defined datacenter solution, so why lock ourselves in with three specific vendors in this case? Because Microsoft wants to make sure that:

  • We get optimal performance! (With tested and validated hardware it is easier for Microsoft to ensure performance, stability and feature validation.)
  • You get full lifecycle orchestration. (Microsoft's vision is the ability to do full fabric management, including BIOS, BMC, NIC firmware, drive firmware, OS patches etc. from a single solution, which wouldn't be feasible if they had to support all the different hardware vendors out there and make sure all hardware patches work across different scenarios.)
  • You get the right help! (A single point of contact for support on both the hardware and the software, so that if enterprises who deploy Azure Stack run into issues, it is easier to isolate and troubleshoot when the HCL is limited to specific vendors and hardware.)

Now many think this is going to hurt Azure Stack adoption. I, on the other hand, am not so sure about that; of course it is going to exclude some of the smaller service providers who cannot afford the solution or have a company policy against signing up with a specific vendor.

If we take a closer look at Nutanix, they took a similar approach. When they started selling their product, instead of supporting all hardware vendors out there they focused on a single hardware vendor (Supermicro) and made sure their product worked rock solid on that particular hardware, while also being able to deliver one-click updates (firmware, BIOS, BMC and so on). They are now among the fastest growing infrastructure vendors in the market, even though they still only have Dell, Lenovo and Supermicro as OEMs. Did that hurt Nutanix adoption in the market? Maybe, but they are now known for having some of the best tech support in the HCI market, and Microsoft is looking at "borrowing" the same route to market.

But of course there are still some things that need to be in place in Azure Stack to ensure that the cloud infrastructure will be adopted by larger enterprises:

* Scalability
It needs to be able to scale automatically within an existing fabric, with minimal interruption to the fabric.

* Top of the line support
There are a lot of new components in play in Azure Stack (RDMA, Storage Spaces Direct, VXLAN networking and so on), so the support teams need to be properly trained on the new features.

* Robustness
Since Microsoft is betting a lot on these customized appliances, they need to be properly tested, especially since Microsoft will also take control of the patching of the entire fabric.

* Easy licensing
Since little is known about the Azure Stack licensing, it should be an easy metering model which takes care of the licensing of both the fabric and the guest components running on top of it, or at least a proper licensing and/or billing API included in the stack.

* Customization and mixing appliances
One size does not fit all; there should be plenty of room to customize within a specific Azure Stack appliance, where some might need more memory, some more storage space, some more storage speed or GPU support, and so on.

 

Using Citrix Cloud with Remote Access to Azure using NetScaler Gateway Services

Citrix has recently announced the public beta of a new cloud feature called NetScaler Gateway Service. This feature is a Windows-based NetScaler solution which allows remote access to a Citrix environment through the Windows server that has the Cloud Connector component installed.

When setting up the Citrix Cloud apps services you need to install a Citrix Cloud Connector, which can only be installed on a Windows Server 2012 R2 server. The new offering can be enabled within the Citrix Cloud management console.

image

The next time the Cloud Connector calls back to the cloud service it will detect that the feature is enabled and download and install it. This essentially turns the Cloud Connector server into a NetScaler Gateway, but don't worry: it does not require any changes to the server, and clients never connect directly to it.

I configured my Azure Resource Manager environment with this service to see what was going on in the back!

image

When a user starts an application using the Citrix Cloud hosted StoreFront, it generates an ICA session pointing to the NetScaler proxy service that Citrix hosts in Amazon. This proxy service responds on port 443, which is also the port the cloud gateway uses to communicate with the service. The cloud gateway server then communicates with the VDA agents on port 2598, as a "regular" NetScaler would.

image

As seen here in the output from my Cloud Connector virtual machine, it communicates with the NetScaler proxy endpoint in AWS on port 443 and with the internal VDA agent (10.0.0.12) on port 2598.
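If you want to reproduce that observation on your own connector, something like this sketch with the in-box Get-NetTCPConnection cmdlet shows the same picture:

# List established connections to the NetScaler proxy service (443) and the VDA (2598)
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemotePort -in 443, 2598 } |
    Format-Table LocalAddress, RemoteAddress, RemotePort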

Now, the downside of this service compared to setting up a regular NetScaler Gateway is that this is a kind of "double-hop" scenario, where traffic first needs to go from the client to AWS, then to Azure, and back again, while with a regular NetScaler it could go directly to the VDA and back to the client. On the other hand, this might be a good enough solution depending on the price point, but the Cloud Connector will most likely become the bottleneck and won't be able to handle a large number of users (NOTE: there is currently a limit of 30 users). It is also a lot simpler to configure compared to a regular NetScaler.

Veeam Backup and Replication 9.5 With Azure and Windows Server 2016 support!

So with the upcoming release of Veeam Backup and Replication 9.5 there are a lot of new enhancements coming our way!

Restore workloads directly to Azure

This is a feature I've blogged about previously, but it has gained a lot of enhancements in this build! First of all, there is no need to deploy an appliance in Azure anymore; the restore is now done directly from our own datacenter using the Azure APIs. It also used to be separate software, but is now included in the management console, and it supports both Azure RM and Classic mode (SM).

NOTE: The UI here might change from the beta to the public release, so the process might also change.

Direct Restore to Azure can be triggered from the backup files: just right-click the backup and click Restore to Microsoft Azure. (NOTE: You need to go through the initial configuration first, setting up an account and such.)

image

Note that we need to do the initial configuration first, which can be done from the main menu within B&R; in order to run this configuration we need to have the Azure PowerShell cmdlets installed, or it won't work (you will be notified of this in the setup).

image

Now choose which deployment type you use: Azure RM is the default, or choose Classic if you are using Cloud Services.

image

On the next pane you need to enter a subscription; here you enter the Azure AD or Microsoft account that is the subscription owner on your Azure account. After that is done it will fetch a list of active subscriptions attached to that account.

image

From here just click Finish; you will be able to choose which subscription to use when doing the restore. So now, after the configuration is done, we can right-click a virtual machine, choose Restore to Azure, and pick which subscription to use and which location to restore the virtual machine to.

NOTE: We also have the option to use a gateway server to do WAN optimization; this requires an existing gateway server in our location in Azure to minimize the bandwidth usage.

image

Next we choose which virtual machine instance size the restored machine is going to have in Azure; remember that the size also determines the price rate –> https://azure.microsoft.com/nb-no/pricing/calculator/ We also choose which storage account we want to store it in.

image

Next we choose which resource group to put the virtual machine in; by default it will create a resource group based upon the name of the virtual machine.

image

And last but not least, choose the virtual network to attach the virtual machine to in the region we selected.

image

And then we can start to restore the virtual machine. And after a while, here we go..

image

Support for Windows Server 2016

Restore to Azure is of course not the only feature coming in 9.5, nor the one I found the most interesting… The really cool part is support for all the latest Windows Server 2016 features, such as Changed Block Tracking (called Resilient Change Tracking in Hyper-V), which is now embedded into Windows Server; previously this was a filter driver that Veeam had to inject themselves, but no more! In order to use this feature you need to upgrade your virtual machine configuration version to at least 6.2.

So if you were for instance running Hyper-V 2012 R2 and upgraded to Windows Server 2016, your virtual machines are still running configuration version 5.0 and you are missing out on all the cool features, for instance:

Feature – VM version
Hot Add/Remove Memory – 6.2
Secure Boot for Linux VMs – 6.2
Production Checkpoints – 6.2
PowerShell Direct – 6.2
Virtual Machine Grouping – 6.2
Virtual Trusted Platform Module (vTPM) – 7.0
Virtual machine multi queues (VMMQ) – 7.1

NOTE: Version 6.2 was introduced in earlier preview builds of Windows 10 and Windows Server 2016.

Now, in order to update the virtual machines you can use these cmdlets to detect which level they are on and upgrade them:

# List the configuration version of every VM on the host
Get-VM * | Format-Table Name, Version

# Upgrade a specific VM (it must be shut down first)
Update-VMVersion <vmname>

NOTE: You will need to shut down the virtual machines before you can do this. Also note that you cannot downgrade a virtual machine that has been upgraded, so if we upgrade a virtual machine to version 7.1 we cannot run that machine on a 2012 R2 host anymore.
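If you have many VMs, a small loop like this hypothetical sketch handles the whole host; the target version to compare against depends on your host build, so treat 8.0 as a placeholder:

# Shut down and upgrade every VM still below the host's current configuration version
Get-VM | Where-Object { [version]$_.Version -lt [version]'8.0' } | ForEach-Object {
    Stop-VM -Name $_.Name
    Update-VMVersion -Name $_.Name -Confirm:$false
}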

But even that is not the most important piece of the Windows Server 2016 support in 9.5: it also supports Storage Spaces Direct clusters (in both converged and hyperconverged setups). Storage Spaces Direct is a new Storage Spaces feature which allows us to take multiple Windows servers with locally attached disks, sharing nothing, and join them in a cluster that presents the storage out as a distributed storage layer using SMB 3. There is also support for Nano Server, which will become the de facto standard for Hyper-V and file server deployments.

image

It is also important to remember that Storage Spaces Direct clusters are set up using ReFS volumes, and with Veeam now being among the first vendors to support Windows Server 2016, we might see them become a logical solution for Azure Stack partners as well!

Delivering XenDesktop from Microsoft Azure using Azure Resource Manager

Last week, Citrix announced support for Microsoft Azure Resource Manager in XenDesktop. As of now this feature is only available in Citrix Cloud, since Citrix has a common policy that features come to the cloud first and then to the on-premises deployments.

Using Azure Resource Manager, the setup has been simplified a lot! My lab is quite simple: we need an Active Directory setup and a Windows Server 2012 R2 with the Cloud Connector installed. We also need a Windows Server 2012 R2 with the RDSH role installed together with the VDA agent.

The VDA agent can be found and downloaded from here – https://www.citrix.com/downloads/citrix-cloud/product-software/xenapp-and-xendesktop-service.html

We also need a Citrix Cloud subscription or a trial. Going into the management console and into Connections, we will now have Azure as a connection type.

We need to enter a subscription ID, which we can find in the Azure console, and define a zone name for these resources. Then choose Create New; from there it will ask you to authenticate against Azure AD using your subscription credentials.

image

After you have successfully authenticated it will say "Connected".

image

Next choose which region you want to provision resources in

image

And lastly, define which virtual network (and subnet) you want the connection to provision resources in.
We can select multiple subnets here.

image

The resources that appear in the wizard depend on what already exists in the region and the active subscription. Now that we have a connection to Azure, we can start creating our machine catalog.

Before we create a machine catalog we need to have a finished template machine. The easiest way to set up a template machine is to install a virtual machine using a marketplace template.

image

Make sure that this RDSH server is placed within the same virtual network, or at least can connect to the Cloud Connector server, since that acts as the delivery controller for the VDA. After you have successfully set up the server, shut it down.

image

Now that we are done with this, we can go on with the setup within Citrix Cloud.

image

image

Before we go ahead and pick the master image, we need to find where our virtual machine template is stored, so we need to locate the storage account that it uses.

When choosing the master image, we first need to locate the resource group the virtual machine is located in, then go into the storage account and the vhds container, and choose the VHD file of the virtual machine, which will be used as the template image.

image

We now also have the option to choose if we want to use Standard disks or Premium disks.

image

Here we also define how many virtual machines we want to provision and what type of machine instance to use. The Standard_DS1_v2 is based on the latest generation 2.4 GHz Intel Xeon E5-2673 v3 (Haswell).

image

Then we choose where the NICs are going to be connected; this is defined in the connection resource.

image

Then we have the same procedure for computer accounts.

image

And also domain credentials.

image

image

Then we click Finish and let it roll!
You can see in the portal that Citrix Cloud creates a new resource group where it stores the images and VHD files.

image

Now, this setup is going to take some time, since it needs to copy the VHD file from one storage account to another. While that runs, stay tuned for part 2, where I will show the NetScaler Gateway Service attached to the Azure RM setup in XenDesktop.
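What makes this step slow is that the copy between storage accounts is an asynchronous, server-side blob copy. A rough sketch of the same operation with the Azure PowerShell storage cmdlets (the account names, key and blob names are all placeholders):

# Server-side copy of the master VHD into the catalog's storage account
$dest = New-AzureStorageContext -StorageAccountName "catalogstore" -StorageAccountKey $key
Start-AzureStorageBlobCopy -AbsoluteUri "https://sourcestore.blob.core.windows.net/vhds/master.vhd" `
    -DestContainer "vhds" -DestBlob "master.vhd" -DestContext $dest

# Poll until the copy completes
Get-AzureStorageBlobCopyState -Container "vhds" -Blob "master.vhd" -Context $dest -WaitForComplete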