Monthly Archives: May 2017

Considering GPU in the Cloud for VDI deployments? Not so fast…

At Citrix Synergy, Phillip Jones (https://twitter.com/P2Vme) and I had a presentation at the NVIDIA booth on the first day of the conference, where we talked about different deployment scenarios for NVIDIA GRID, both on HCI (which Phillip covered) and in the cloud (which I talked about). This is also something I discussed at the hot topics roundtable later in the week.


Now, for deployment of GPUs in the cloud there are some limits people should be aware of. Note that I only looked at the larger cloud providers: IBM, Azure, AWS and GCP. When it comes to GPUs, only two of them can provide native GPUs with the GRID architecture: Azure and IBM.

IBM
IBM SoftLayer (which is IBM’s IaaS offering) can provide customers with a bare-metal deployment choice of M60 or K2 cards, which can be rented on a monthly basis. Since this is a bare-metal deployment you can use the different NVIDIA deployment options such as vGPU or pass-through if needed.

Microsoft Azure
Microsoft Azure provides M60 cards on their NV virtual machine instances, which is done using DDA (Discrete Device Assignment) in Windows Server 2016, so it is in essence pass-through mode: the whole physical card is handed to one VM, there is no vGPU slicing.
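For reference, this is what that same DDA mechanism looks like when you do it yourself on a Windows Server 2016 Hyper-V host (in Azure Microsoft performs this step for you, so you never see it there). This is an added example, not code from the original post; the VM name is made up, and the script assumes an NVIDIA card in a host whose firmware exposes the SR-IOV/ACS support DDA requires.

```powershell
# Added example: Discrete Device Assignment (DDA) of a GPU to a VM on Windows Server 2016 Hyper-V.
# Not from the original post. Run as administrator on the Hyper-V host. Assumptions: the VM
# name "GridVM01" is made up; the host firmware exposes SR-IOV/ACS so the device is assignable.

$vmName = 'GridVM01'

# 1. Find the GPU on the host and read its PCI location path (the stable identifier DDA uses).
$gpu = Get-PnpDevice -Class Display -PresentOnly |
    Where-Object { $_.FriendlyName -like '*NVIDIA*' } |
    Select-Object -First 1
if (-not $gpu) { throw 'No NVIDIA display adapter found on this host.' }

$locationPath = ($gpu | Get-PnpDeviceProperty -KeyName DEVPKEY_Device_LocationPaths).Data[0]

# 2. Prepare the VM. A VM holding a physical device cannot be saved or live-migrated, so it
#    must turn off on host shutdown; the MMIO settings give the guest room for the GPU BARs.
Set-VM -VMName $vmName -AutomaticStopAction TurnOff
Set-VM -VMName $vmName -GuestControlledCacheTypes $true
Set-VM -VMName $vmName -LowMemoryMappedIoSpace 3Gb
Set-VM -VMName $vmName -HighMemoryMappedIoSpace 33280Mb

# 3. Take the device away from the host OS and hand it to the VM. After this no host driver is
#    bound to the card; the guest loads the NVIDIA driver as if the card were local hardware.
Disable-PnpDevice -InstanceId $gpu.InstanceId -Confirm:$false
Dismount-VMHostAssignableDevice -LocationPath $locationPath -Force
Add-VMAssignableDevice -LocationPath $locationPath -VMName $vmName

# Show what the VM now owns.
Get-VMAssignableDevice -VMName $vmName

# To give the card back to the host, reverse the steps:
#   Remove-VMAssignableDevice -LocationPath $locationPath -VMName $vmName
#   Mount-VMHostAssignableDevice -LocationPath $locationPath
#   Enable-PnpDevice -InstanceId $gpu.InstanceId -Confirm:$false
```

Because the device is dismounted from the host, the host loses its own use of the card and the VM becomes pinned to that host; this is the trade-off Azure accepts on the NV instances and the reason no vGPU-style sharing is possible there.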

The issue with these instances is the limited IOPS they can get from storage. Azure has several storage options for virtual machines. First there is the Storage Account, a general-purpose option that can hold multiple kinds of storage objects and has always been the default for virtual machines. Storage Accounts have an IOPS limit for VHDs (virtual hard drives): each VHD is stored as a page blob, and each blob is limited to roughly 500 IOPS (measured with 8 KB requests).

https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#storage-limits

Microsoft advertises the NV-series as having SSD storage, but that SSD is ONLY the D:\ drive, which in Azure is the temporary disk (never store persistent data on it!). We do have the option to combine multiple data disks using Storage Spaces and get a higher combined IOPS and throughput figure, but that does not fix the latency of standard storage, and even though we get more throughput/IOPS it will not drastically improve the application experience.
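To make the Storage Spaces option concrete, here is the striping setup as an added example (not code from the original post). It runs inside the Azure VM, pools every raw data disk it finds, and creates one simple (striped) volume across them; the pool and volume names and the F: drive letter are assumptions for the example.

```powershell
# Added example (not from the original post): stripe several Azure standard data disks into one
# Storage Spaces volume so the ~500 IOPS per-VHD ceiling adds up. Run inside the VM as admin.
# Assumptions: the data disks are attached and still raw; pool/volume names and drive letter F:
# are made up for the example.

# Only disks that can be pooled are used. The Azure temp disk (D:) already carries a partition
# and is not returned here, so it cannot end up in the pool by accident (never keep persistent
# data on D: anyway).
$disks = @(Get-PhysicalDisk -CanPool $true)
if ($disks.Count -lt 2) {
    throw "Need at least two poolable data disks to stripe; found $($disks.Count)."
}

$subsystem = Get-StorageSubSystem -FriendlyName 'Windows Storage*'
$pool = New-StoragePool -FriendlyName 'DataPool' `
    -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $disks

# Simple = striping without redundancy. One column per disk so every I/O is spread over all
# disks; Azure already replicates the underlying blobs (LRS/GRS), so mirroring here would only
# halve the IOPS we are trying to gain.
$vdisk = New-VirtualDisk -StoragePoolFriendlyName $pool.FriendlyName `
    -FriendlyName 'DataVDisk' `
    -ResiliencySettingName Simple `
    -NumberOfColumns $disks.Count `
    -Interleave 65536 `
    -UseMaximumSize

# Bring the new disk online as F: with a 64 KB allocation unit to match the interleave.
$vdisk | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter F -UseMaximumSize |
    Format-Volume -FileSystem NTFS -AllocationUnitSize 65536 -NewFileSystemLabel 'Data' -Confirm:$false

# The aggregate ceiling is roughly additive; latency per request is unchanged.
"Striped {0} disks: about {1} IOPS ceiling on F:" -f $disks.Count, ($disks.Count * 500)
```

The last line is the point of the exercise: with four standard data disks you get roughly 2000 IOPS instead of 500, but each individual request still has standard-storage latency, which is why this helps throughput-bound tasks more than it helps interactive application responsiveness.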

Microsoft also has Premium Storage, an SSD-backed storage option that lets us add data disks with a much higher IOPS level. However, the N-series does not support Premium Storage. That means that if we use, for instance, the NV6 instance for our XenApp servers, our applications are bound to the limits of standard data disks.

Microsoft has announced a new series of virtual machines, coming later this year with a newer generation of NVIDIA cards, which will support Premium Storage, but their scale and GPU type (the P40) are aimed more at AI and deep learning workloads than at XenApp/RDSH deployments.

Amazon Web Services
Amazon Web Services also supports GPU instances, using an older card, the K520, on the G2 instances.

Instance                    | CPU cores | Memory (GB) | Cost     | Disk I/O | K520 GPUs
g2.2xlarge (EBS optimized)  | 8         | 15          | $0.80/h  | High     | 1
g2.8xlarge                  | 32        | 60          | $2.80/h  | Limited  | 4
Flexible GPU (preview)      | ?         | ?           | ?        | ?        | n/a

AWS does have EBS-optimized instances (EBS being Elastic Block Store), which give the instance a high, dedicated level of IOPS. However, the K520 is no longer supported by the current GRID drivers, since it is an old card –> https://support.citrix.com/article/CTX202066

AWS is also working on something called Flexible GPU, which is not a dedicated GPU but a custom service that AWS is adding and which will be available to all instance types. It is a way to give dedicated video memory to an instance, but it is only OpenGL-aware and will not work natively with the operating system. AWS is therefore working with ISVs to have applications work natively with this GPU offering (using a set of custom APIs).

Google Cloud Compute
Google’s GPU option is still in preview. As of now NVIDIA® Tesla® K80 GPUs are available, and soon we will be able to deploy instances with the AMD FirePro S9300 x2 and the NVIDIA® Tesla® P100. All of these cards are aimed purely at HPC, rendering and machine learning workloads such as TensorFlow. The GPUs are attached directly to the virtual machine in pass-through mode. You must also have GPU quota before you can create instances with GPUs on GCP.

In Google you can attach GPUs to any type of virtual machine instance. However, instances with lower numbers of GPUs are limited to a maximum number of vCPUs; in general, higher numbers of GPUs allow you to create instances with more vCPUs and system memory.

Summary
Cloud today does not provide the same level of deployment options as we have in traditional on-premises scenarios, for instance on HCI. On-premises we can set up pass-through, NVIDIA vGPU, RemoteFX vGPU and even offerings such as vDGA.

Which is a shame actually. Just think about the ability to rent a GPU per minute with blazing fast disks, use it for the duration of a rendering job, and have a power control mechanism that shuts the VM down after the user logs out (and powers it on again on demand). That is exactly the flexibility the cloud should provide, but we aren’t quite there yet; hopefully we will be someday. Hopefully the cloud providers also see that VDI workloads are something people want, and build offerings that can support them.

So you are considering Citrix Cloud? What do you need to think about

After attending Citrix Synergy this week, there is no denying that Citrix is quite serious about their cloud offerings, and they announced more services that will be arriving later this year, including the Citrix Analytics Service and the Workspace Service; still, it will take some time before these are available. Today Citrix Cloud consists of multiple services such as XenApp and XenDesktop Essentials, ShareFile, XenMobile and the “plain” XenDesktop deployments, which are labeled Apps & Desktops.


So if you plan to start using Citrix Cloud today, what do you need to think about? It is important to know that Citrix Cloud is not a solution which manages your VDAs (meaning where your applications and data live); it is a hosted management plane with additional services.

Brief overview of the architecture
This shows the architecture of Citrix Cloud with the Apps and Desktops Service. You have an active subscription with Citrix Cloud and you set up an integration between your resources and Citrix Cloud using a Cloud Connector, which is the link between your resources and Citrix Cloud. These Cloud Connectors are stateless and

To ensure security compliance, the Connector will self-manage. So do not disable reboots or put other restrictions on the Connector virtual machines. These actions prevent the Connector from updating itself when there is a critical update.

Limitations
In Citrix Cloud, Citrix manages the XenDesktop infrastructure for you; this includes the Delivery Controllers, the site database, the license server and so on. You also get updated automatically every two weeks, which gives access to new functionality directly. So what do we as customers still need to maintain?

* VDAs (endpoints such as VDI machines or Session Hosts)
* NetScaler appliances (unless using NetScaler Gateway as a Service)
* StoreFront (unless using Citrix Cloud hosted StoreFront)
* RDS licenses and the RDS license server
* Active Directory (we need to bring our own)

So what else are we missing out on?
* Logging and auditing: we do not have the option to check logs on who has logged into Citrix Cloud from a management perspective. In case we need to figure out who did what, Citrix has extensive internal auditing information. If a customer has a concern, contact Citrix within 30 days; they will review the audit logs to determine which of the customer’s administrators performed an operation, on what date, from which IP address, etc.
* The Citrix Cloud control plane is only hosted in the United States, which might pose an issue for customers who need their management plane to be in EMEA.
* The customer owns and manages the Resource Locations. It can be created in any data center, cloud, location, or geo desired. All critical business data (such as documents, spreadsheets, etc.) are in the Resource Locations and are under customer control.

Access from the end-users and management
In regular Citrix XenDesktop and XenApp environments we can give end-users access using multiple types of authentication mechanisms, such as smart cards, SAML, OAuth, Kerberos constrained delegation (KCD) and regular LDAP-based authentication. This allows us to use Azure AD or Google as identity providers and delegate authentication to them. Citrix Cloud only supports regular Active Directory authentication for end-users. From a management perspective it supports Azure AD, which allows us to specify which people are allowed to access the management plane.


Using Azure AD as identity provider allows us to get some more insight into who has authenticated into Citrix Cloud, but it does not give us any insight into who has done “what”.
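Here is what that Azure AD insight looks like in practice, as an added example that is not part of the original post: a PowerShell snippet that takes an Azure AD sign-in export and reports which administrators signed in to the Citrix Cloud application, how often, from which addresses, and whether any sign-in came from a country we do not expect. The records are constructed in the shape of the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, createdDateTime, ipAddress, status.errorCode, location.countryOrRegion); the application display name and the allowed-country list are assumptions.

```powershell
# Added example (not part of the original post): summarise an Azure AD sign-in export for the
# Citrix Cloud administrative application. It shows the "who / when / from where" that Azure AD
# gives you; it cannot show what the administrator then did inside Citrix Cloud.
# Assumptions: the export has the shape of the Microsoft Graph signIn resource; the records
# below are constructed, and the app display name 'Citrix Cloud' plus the allowed-country
# list are assumptions for the example.

$signIns = @'
[
  {"userPrincipalName":"alice@contoso.example","appDisplayName":"Citrix Cloud","createdDateTime":"2017-05-22T08:01:12Z","ipAddress":"203.0.113.10","status":{"errorCode":0},"location":{"countryOrRegion":"NO"}},
  {"userPrincipalName":"bob@contoso.example","appDisplayName":"Citrix Cloud","createdDateTime":"2017-05-22T08:15:44Z","ipAddress":"198.51.100.7","status":{"errorCode":50126},"location":{"countryOrRegion":"US"}},
  {"userPrincipalName":"bob@contoso.example","appDisplayName":"Citrix Cloud","createdDateTime":"2017-05-22T08:16:02Z","ipAddress":"198.51.100.7","status":{"errorCode":0},"location":{"countryOrRegion":"US"}},
  {"userPrincipalName":"alice@contoso.example","appDisplayName":"Office 365 Exchange Online","createdDateTime":"2017-05-22T09:00:00Z","ipAddress":"203.0.113.10","status":{"errorCode":0},"location":{"countryOrRegion":"NO"}}
]
'@ | ConvertFrom-Json

# Countries our Citrix administrators normally work from (assumption for the example).
$allowedCountries = @('NO', 'SE', 'DK')

# Keep only sign-ins to the Citrix Cloud management plane; other apps are noise here.
$citrixSignIns = $signIns | Where-Object { $_.appDisplayName -eq 'Citrix Cloud' }

# One row per administrator: successes, failures, distinct source IPs, last seen, and a flag
# if any sign-in (successful or not) came from outside the expected countries.
$report = $citrixSignIns | Group-Object userPrincipalName | ForEach-Object {
    $events = $_.Group
    [pscustomobject]@{
        Administrator = $_.Name
        Successes     = @($events | Where-Object { $_.status.errorCode -eq 0 }).Count
        Failures      = @($events | Where-Object { $_.status.errorCode -ne 0 }).Count
        SourceIPs     = ($events.ipAddress | Sort-Object -Unique) -join ', '
        LastSeen      = ($events.createdDateTime | Sort-Object | Select-Object -Last 1)
        UnexpectedGeo = [bool]@($events | Where-Object {
                            $allowedCountries -notcontains $_.location.countryOrRegion
                        }).Count
    }
}

$report | Sort-Object Administrator | Format-Table -AutoSize

# The gap the post describes: nothing above tells you whether alice changed a Delivery Group
# or bob added a Machine Catalog. For that you still have to ask Citrix for their internal
# audit log within the 30-day window.
```

On the constructed data this flags bob (one failed and one successful sign-in from a US address) while alice shows a clean single sign-in from Norway; that is the full extent of what the identity provider can tell you, which is why the 30-day window for asking Citrix for their audit log matters.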

Using Storefront in Cloud
You also have the option to have StoreFront hosted from Citrix Cloud. When you set this up the end-users access it from https://<customername>.xendesktop.net/Citrix/StoreWeb/, and this address cannot be changed. Using this service still has some limitations when it comes to UI customization options and to more advanced features such as Optimal Gateway Routing and other authentication options such as SAML. But again it is a question of whether you want to manage your own StoreFront servers or consume it as a service.

Using NetScaler Gateway as a Service
If you plan on using Citrix XenApp Essentials, NetScaler Gateway as a Service is the default option, since it does not require any configuration or deployment of virtual instances: it actually runs as a Windows service on the Citrix Cloud Connector machine. This service is essentially “ICA proxy” as a service; it does not provide any of the SmartAccess features such as SSL VPN or Endpoint Analysis, nor support for the newer protocols such as Framehawk and EDT. Also, from an authentication perspective it does not provide any option other than regular pass-through from StoreFront.

You can also use NetScaler Gateway as a Service for regular Citrix Cloud deployments. Be aware that since this is a cloud service running in Citrix Cloud, all traffic from your endpoint will be routed through Citrix Cloud to the Cloud Connectors and on to the VDAs. This feature is natively supported in Citrix Receiver and Receiver for Web.

NGaaS is a multi-region, geo-load-balanced service available in different locations around the world, and it will always try to route a user to the closest PoP. Note that if there is no PoP close to your location you might see higher latency than with your own NetScaler virtual appliances. Also, NGaaS does not provide any AppFlow analytics, which means we do not get the insight we might be used to from Insight Center or MAS; it only gives information such as ICA RTT within Citrix Director.

Here is a chart of where the closest PoPs are located:

Eight PoPs in Azure
Azure South Central US
Azure West Europe
Azure Australia East
Azure East US
Azure West US
Azure North Europe
Azure Japan East
Azure Brazil South

Three PoPs in Amazon
US-East
US-West
EU-Central

Concurrent Users:  No Limit
Data Transfer Limit per user: No Limit
Overall Bandwidth Up to 250 Mbps – Can be scaled up with setting up multiple Citrix Cloud Connectors wherever your resources are located.

Cloud health and SLA
Citrix has an SLA of 99.9% for each of their cloud services, measured over every 30-day period. They also have a status page for all cloud offerings here –> http://status.cloud.com/

They have also implemented a subscribe option which allows us to send notifications to Slack or other webhooks, directly into our service management tool –> http://status.cloud.com/subscribers/new

NOTE: The status page does not show planned maintenance.

Is Citrix Cloud an option for me?
After having a lot of good conversations and discussions with customers and partners at Citrix Synergy I got a lot of good feedback which I want to share directly.

* I don’t wanna manage Citrix, I just want to deliver my apps and desktops and make it easy for my end-users
* I like the OpEx model for Citrix but they need to make it easier to adjust licenses for our end-users directly.
* For large enterprises we require complete visibility and full role-based access control based upon what kind of responsibility our IT staff has; Citrix Cloud does not have that option yet.

Now I don’t think that Citrix Cloud is going to replace any large XenApp/XenDesktop enterprise solutions anytime soon. I believe that Citrix Cloud will provide customers with an even broader range of deployment options to choose from, depending on what kind of setup they are looking for. If you are considering a Citrix Cloud setup, you can use the deployment guides from Citrix here –> http://tools.cloud.com/

Overview of VMware vRealize Network

VMware announced the acquisition of Arkin a year back. Arkin’s platform (Arkin Visibility and Operations Platform) has out-of-the-box integrations with virtualization (e.g. VMware vCenter, VMware NSX, Palo Alto virtual firewalls) as well as physical infrastructure components (physical chassis, switches and routers), providing end-to-end visibility and analytics into the network. This has now been completely transformed into vRealize Network Insight.

Even though VMware has a lot of built-in features in NSX, the combination of VXLAN, VLANs, hardware VTEPs, distributed firewall rules and so on makes it hard to troubleshoot packet drops and misconfigured firewall rules, or to see the actual traffic flow. Even if NSX brings a lot of good features to the table, it makes networking a lot more complex, especially for those who are used to an old-fashioned networking stack.

So will Arkin make this a lot simpler? I decided to take a closer look at the product. (Since it wasn’t simple to get a demo license, I decided to try the online trial that they offer, which simulates a “real environment” mixing VXLAN, VLANs and different switches (Cisco, Arista) with some DFW rules in the mix.)


So at first login you get a Google-like search engine which allows us to query for different objects and get information, and I can also choose different objects to dig into. For instance, if I search for “Arista”, since I know there are multiple Arista switches in the demo environment, I automatically get a list of all Arista switches.


Likewise, if I search for VXLAN, I get a list of all VXLANs defined by the NSX controllers.


If I click on a specific VXLAN I get a detailed overview of it: which ESXi hosts have the VXLAN mapped, which DFW rules are in place, and in the middle which core switches act as the uplinks for each dvSwitch.


I can also see which objects have been changed, and see the L2 metrics for the specific VXLAN. I can also see alerts for different objects within the topology.

The most awesome feature is VM path topology: being able to see how traffic flows from one specific virtual machine to another. In this case we can see that a virtual machine has to go through a dVRF, then to an edge router and then to the VM on another host. You can also see that the Palo Alto extensions that are set up are presented in the topology as well.


Arkin provides full visibility into the networking segment; I think the issue is how VMware is going to license it as a product. I’ve seen rumours that it costs about $750 per socket at the hypervisor level (and integrating into the physical network is no additional cost), and with NSX costing about $2000 (Standard), $4500 (Advanced) and $7000 (Enterprise), I’m guessing this is going to be only part of the Enterprise license, but I hope that this does not affect the pricing level as well, since it gives NSX a much-needed visibility boost which vRealize hasn’t given us so far.