Monthly Archives: November 2017

Microsoft Azure and VMware? Not so fast!

In August this year, VMware and Amazon announced that VMware Cloud on AWS was available! (Atleast from Oregon) Which essentially means VMware based infrastructure running on AWS hardware. And this was the highest attending session on VMworld this year, so the interest is quite huge!

And the path to cloud for many buisnesses need to start with something familiar, and not a complex beast like what AWS is, so for many it makes sense.  It is important to note here that this is a fully managed service. That is to say, VMware will install, manage and maintain the underlying ESXi, VSAN, vCenter and NSX infrastructure. Routine operations like patching or hardware failure remediation will be taken care of by VMware as part of the service. Customers will have delegated permissions to things like vCenter and will be able to use vCenter to perform administrative tasks but there will be some actions like patching which VMware will provide to you as part of the service. This means that VMware takes care of the core infrastructure in partnership with AWS.

Also during VMworld this year, VMware and IBM also announced a partnership and released a new product called HCX, which I’ve blogged more about here –> http://msandbu.org/more-info-on-vmware-hcx/ which also allows for seamless DR options as well.

So for VMware to partner up with AWS and the long time partnership with IBM makes sense. It provides customers with the ability to use the marketleading hypervisor (According to Gartner: The market remains dominated by VMware, however, Microsoft has worked its way in as a mainstream contender for enterprise use.) In a cloud scenario.

Earlier this week, Microsoft also had some big news to announce, seems like they want a piece of the cake…
https://azure.microsoft.com/nb-no/blog/transforming-your-vmware-environment-with-microsoft-azure/
Host VMware infrastructure with VMware virtualization on Azure. Most workloads can be migrated to Azure easily using the above services; however, there may be specific VMware workloads that are initially more challenging to migrate to the cloud. For these workloads, you may need the option to run the VMware stack on Azure as an intermediate step. Today, we’re excited to announce the preview of VMware virtualization on Azure, a bare-metal solution that runs the full VMware stack on Azure hardware, co-located with other Azure services. We are delivering this offering in partnership with premier VMware-certified partners. General availability is expected in the coming year. Please contact your Microsoft sales representative if you’d like to participate in this preview.  Hosting the VMware stack in public cloud doesn’t offer the same cost savings and agility of using cloud-native services, but this option provides you additional flexibility on your path to Azure.

So this means that we will be able to provision VMware Infrastructure on Azure as well, but note here that this is not done together with VMware and they issued a statement saying VMware does not recommend and will not support customers running on the Azure announced partner offering.(https://www.theregister.co.uk/2017/11/23/vmware_refuses_to_support_vmware_on_azure)

There are a couple of things to consider on this part.

* If this is just running VMware infrastructure in a Azure datacentre and is following the VMware HCL and is following everything by the book, how can VMware deny support?
* How will the partnership work, will the partner be managing everything inside Azure such as VMware is doing with AWS?
* We know that this is entirely different from the VMonAWS setup

image

I will bet that Microsoft will not have announced anything like this if they haven’t figured out stuff like support and management and such so stay tuned.

Cisco Umbrella–What is it?

I’ve just been introduced to Cisco Umbrella now even though I’ve heard the name before, I haven’t actually tried it yet until now.  Umbrella comes from the OpenDNS Business purchase that Cisco did a while back, and is essentially a service to secure traffic trough proxying DNS requests. So in essence it is to setup clients to use the public Umbrella DNS servers which are 208.67.222.222 & 208.67.220.220 where we have a set of policies which define what end-users are allowed to access or not.

6c98178-umbrella_VA_network_resize

So when you access your favorite website or newspaper online or such your computer will do 20+ DNS requests where their are different 3.party ads or other content which needs to be rendered inside the browser session which you don’t actually see. What if one of these domains actually contain malware or some form of bitcoin mining JS code? That is kind of hard to know, there has of course been traditional ways to handle and securing web traffic which has been using a forward web proxy where all traffic is forwareded trough a network appliance, but this doesn’t scale to that degree and has some implications for remote workers. This might also place a bottleneck on your proxy since all layer 7 traffic is tunneled trough it. Umbrella works on a smart level since it only checks the DNS requests a client has and makes sure that the domain does not fall into a category that is blocked in a policy. If there is a domain that Umbrella finds suspicious it will do a more in-depth analytics of the content it provides. 

Umbrella can either be deployed using Umbrella virtual appliance utilized as conditional DNS forwarders on your network, Virtual Appliances record the internal IP address information of DNS requests for usage in Reports, also the VA provide more granular control.

Or you can also just point the DNS servers to the umbrella DNS servers or use the lightweight client which can be installed on endpoints and protect remote workers.

So what about when malware authors do hardcoded downloads that point to an IP address instead of DNS name? Umbrella also has a IP Layer Enforcement which works at IP level to detect suspicious addresses. The Umbrella roaming client retrieves a list of suspicious IP addresses from Umbrella Cloud Services, and automatically checks again for any new IP addresses several times an hour from the Umbrella API, but again most services are in different tiers of Umbrella (http://bit.ly/2B2hh2k)

image

The UI is pretty slick and simple to configure where we can define block and allow lists also just specify categories which domains should be allowed/blocked. For instance it blocks Malware based domains which is a list maintained by Cisco.

image

So when an end-user browses to an external website which is blocked by Umbrella, they will get this 302 redirect message instead. This is because that the domain is blocked and the DNS request will route the enduser to a Cisco website instead.

image

Umbrella is a really cool interesting product which can enforce alot of security on endpoints without an “hit” to the end-user experience, however you need to be aware of that Umbrella is not intended to enforce data loss prevention policies, which address compliance concerns due to accidental disclosure of company or customer data, and  is not intended to completely replace a firewall, which is designed to secure both internal and external network connections.

Microsoft Azure Reserved instances and pitfalls

Microosft recently released Reserved Instances back to Microsoft Azure (Yes it was the before, but was pulled and is now back) which can provide a huge discount on running virtual machines in Azure which are static in nature. With Reserved instances you commit for a certain amount of compute capacity either 1 year or 3 year upfront. So how much is the difference on a single virtual machine? A single virtual machine running D4 v3 in West Europe without any discount will cost about $175 a month.

A price example from the MIcrosoft Azure price calculator, does not reflect EA prices.

image

Using 3 year reserved it will only cost 76$ (almost 56% discount) if with Windows is will cost 211$ discount (meaning only 32% lower cost) which shows that we get some discount of Windows as well but if we run with Hybrid Use Benefit it will cost the same 76$. So if we are running static workloads in Azure, meaning virtual machines that are running 24/7 and not being powered on/off it sounds like a best pratice to enable RI for those instances. This feature should not be enabled for virtual machines that are powered off during the night because with RI you will need to pay for the virtual machine regardless if it is running or not. This does give you some predictability when it comes to compute cost, but it does not apply to other services such as storage / bandwidth and such. However there are some limitations to RI as it is now.

* It is only available for Pay-as-you-go and EA agreements (no CSP and Open support, CSP coming Q1 2018)
* RI only apply to VMs, VM Scale Sets, and other services that spin up VMs in a customer subscription, such as Azure Batch in customer subscription mode
* Azure RIs are available for all VM families other than A-series, A_v2 series, or G-series (and also VM-series in Preview such as B-series)
* Enterprise Agreement (EA) customers, Azure Monetary Commitment can be used to purchase Azure Reserved VM Instances. In scenarios where EA customers have used all of their monetary commitment, RI’s can still be purchased, and those purchases will be invoiced on their next overage bill. For customers using pay-as-you-go Azure.com, at the time of purchase, the credit card on file will be charged for the full upfront payment of the Azure Reserved Instances.
* RI are scoped to a Azure region and instnace type (No option to choose amount of vCPU and RAM, but you need to choose instance type such as D2_v2)

You can enable reserved instances by going into the Microsoft Azure portal and going into the reserved instances panel in the portal, and from there selecting the amount of instances and size type and choosing accept.

image

It is a shame however that Microsoft still needs to have RI tied to a select set of virtual machines. GCP for instance allows us to apply commited discount use to the aggregate number of vCPUs or memory within a region so no need to define an amount of instances. This also allows us to be more flexible when it comes to the amount of virtual machines we need to use for static workloads as well. Also GCP allows us to still continue to use the pay-as-you-go model, since the Committed use discounts are applied to our bill every month.

Comparison between Horizon Cloud and Citrix Cloud on Azure

The last couple of weeks I have been working with VMware Horizon Cloud for Microsoft Azure, and tesing the bits and pieces about the platform, and especially I’ve been looking at how it compares against Citrix Cloud in general. Therefore I decided to write this blog post to maybe enlighten how it differs in terms of deployment and operations and how to get it up and running. you can review the requirements for Horizon Cloud for Azure deployment here –> https://docs.vmware.com/en/VMware-Horizon-Cloud-Service/services/com.vmware.hconmsazure.getstarted.doc/GUID-DC011997-CE9E-4B38-9C4F-57104226218C.html#GUID-DC011997-CE9E-4B38-9C4F-57104226218C 

One thing I want to highlight that moving VDI to the cloud does not bring any real value unless it is for the proper reasons, in most cases the public cloud is still more expensive then running it on local infrastructure. The most common use-case if you can benefit from the automatic scaleability that cloud provides such as companies where the amount of users is fluctuating going from 10 – 100 users during working hours ( 7 AM – 5 PM) where you only need to pay for what you use in terms of infrastructure cost and licensing.

The architecture is quite simple, as Citrix Cloud it requres that we have an existing Azure subscription and with an existing Active Directory virtual machine running and an virtual network defined. After you have setup the connection it will deploy a Horizon Cloud Node(Node Manager) which acts as the hub between Horizon Cloud Control Plane and your servers and Active Directory.

It also provides simple update mechanism, so when an new version is available the node will automatically upgrade itself and the unified access gateway running in parralell and configuration information and system state is copied from the running SmartNode and Unified Access Gateways to the new ones. After the configuration information is copied and checks completed, the new SmartNode and Unified Access Gateways become active.

Architecture illustration of the node's resource groups, VMs, and subnets

To begin with let’s take a closer look at some of the capabilities that are included in the initial release of Horizon Cloud on Microsoft Azure.

* Application & Session Desktop Delivery
Ability to publish and manage RDS-hosted applications and desktops on Microsoft Azure while leveraging on-premises and cloud resource (VDI not available that is coming later)
* Hybrid Architecture
Support for both Horizon Cloud with on-premises infrastructure and Horizon Cloud on AzureMicrosoft Azure, in a single solution.
* User Experience & Access
Identity-based end-user catalog access via VMware Workspace ONE
Secure remote access for end users with integrated VMware Unified Access Gateway
Support for Blast Extreme, Blast Extreme Adaptive Transport (BEAT) protocol.
* Power Management
Ability to track and manage Microsoft Azure capacity consumption to keep costs low, allowing for scaling based upon sessions or schedule.
* Easy Deployment
Automated deployment of Horizon Cloud service components Integration with Microsoft Azure Marketplace to allow importing a Windows Server image on which the necessary agents get automatically applied.
* Simplified Management
Horizon Cloud always maintained at latest versions Under five-minutes, self-scheduled upgrades for components on Microsoft Azure via Blue-Green upgrades.
Unified Access Gateway deployed automatically in Microsoft Azure.
* Pricing
Horizon Cloud Apps
Named User – $8/month
Concurrent User – $13/month

One of the first inital things that struck me was the price model that they have for cloud. With is named user or concurrent user. If we are thinking about a global organization where task workers are roaming across different regions concurrent user would make a lot more sense also combined with the pay-as-you-go model that is in the cloud. Also that XenApp Essentials from Citrix cost 12$/month for each named user.
Another detail was that VMWare chooses to do automatic deployment of their Unified Access Gateway as a virtual appliance directly to Microsoft Azure, while in Citrix you would need to deploy this on your own, or using NGaaS service from Citrix. However the NGaaS Service all traffic is routed trough Citrix Cloud POPs which the unified gateway provides direct communication from the endpoint to the applications.

Another thing is when setting up agents in Azure, VMware has a limited set of virtual machine instances that they support  which are Standard_D2_v2, Standard_D3_v2, Standard_D4_v2 & Standard_NV6 not sure why they only have this list, Citrix Cloud supports all available instance types on Azure. Also one thing with the NV series. With this release, GPU is supported for use only in Microsoft Windows Server 2012 R2 due to a driver limitation in the Horizon agent in Microsoft Windows Server 2016.
1

Setting up Horizon Cloud against Azure we need to create an application service principal in our Azure AD account and this application ( service principal ) needs to have contributer right on the Azure subscription.
NOTE: is is important that the sign-on URL is http://localhost:8000 or else the wizard will fail.

Create App Registration screen with values for Hzn-Cloud-Principal

Doing all this work on setting up the service principal should be automated however, Citrix Cloud uses an Azure AD account to create a service account for the use. This way we don’t need to get all the info like App ID, Directory ID and such.

The initial wizard also requires us to have a precreated vNET. The wizard will automatically create the subnets within the vNET( Management, Desktop and DMZ). It will also handle the deployment og the access gateway.

2

Also the wizard will also automatically deploy a unified access gateway which will be accessable behind an Azure load balancer also equipped with a certificate. The only piece we need to fix is the public DNS record.

If you have a fresh account it will also validate the quota setup for the Azure account both to ensure the certificate, quota of users and make sure that the subsets are not already defined.

3

After you are done with the initial wizard it will start to provision a jumpbox server on the Azure account and start downloading agents and other VHD files. After the jumpbox server is up and running it will start to setup the node manager. The jumpbox will then self destruct after the node manager is up and running and is only provisioned/used when there is an update or building up a node manager.

image

After the node manager is up and it has successfully connected back to the control plane (Horizon Cloud) you just need to complete the wizard setup, and setup integration with Active Directory.

image

After you have integrated Horizon Cloud with Active Directory will need to reauthenticate to VMware cloud and also after login again you will also need to authenticate against Active Directory which the node manager is integrated with.

image

After you are authenticated you need to create an image which will be used to deploy your applications. You can either bring you own image or you can import a VM from the marketplace.

    • image
      • Horizon will essentially create a VM using a image from the Azure marketplace (Which is either 2012 R2 or 2016) and it will preinstall the agent and such which we then can convert to an image.
        • image
        • After the desktop from the marketplace was created we can go ahead and convert to an image after we have adjustments to it. This makes it easy to create a master image with doing just a small piece of the image setup.
        • After that I need to create an farm based upon the image, where I have the same list of machine models that are supported. I also specify what kind of protocol, domain and client type I want to use. Further down I also specify the logon idle timeout value as well (before a session is kicked out)
  • image

    Next I specify the update/maintance sequence, where it will do automatic draning of each server, as best practice for virtual machine maintenance is to restart the VMs from time to time, to clear out cached resources or any memory leaks from third-party applications in the VM. I can also specify what the servers should do during maintance window, such as restart or rebuild.

    • image
  • so after I’ve specified the amount of VM’s it will start to provision the farm based upon the image and machine instance type in Azure.
  • image
  • And last but not least, do an assigment of a desktop to a set of users.
  • image

One thing I notice is that I love the dashboard showing issues directly related to Azure such as quota management, since most subscriptions in Azure have a soft quota which should be increased. image

Summary:
From the first impression, I do love the work that VMware has done with Azure in terms of integration. It does provide and supports many of the Azure features.
* Using Azure AD Service Principal for authenticating with Azure and also checking the storage quota.
* Using Managed Disks for VM provisioned on the farms
* Power Management for virtual machines using ARM underlying API.

* Automatic starting of another node in a farm if one goes down suddenly.
Also that they provide the simple deployment of the Unified Access Gateway and certificate management can be done using the Horizon Cloud HTML5 portal which makes it easy to manage the remote access. Now I enjoy working with NetScaler, but Citrix should do something simliar to have simple deployment of remote access where they just deploy a VPX instance directly to Azure.

  • A couple of things I would like to see for the future setup.
    * Support for Encrypted Disks in Azure
  • * Support for other machine model and instances in Azure
    * Be able to define my own resource grups.
    * Provide OMS module for Monitoring ( yes please! )
    * Specify disk size use of managed disks.
  • Looking forward to seeing this develop moving forward!

More info on VMware HCX

After looking into the blog post announcements on VMware HCX after VMworld I decided to get a bit more info what HCX actually is. This blog post will try to summarize what it is and what it can do. HCX is not a single product, but a combination of multiple VMware products which will be available is a single solution.
HCX is a also a cloud product which is delivered together with HCX Providers such as IBM or OVH.

So what can HCX Provide? It is essentially works as an extension between your existing infrastructure and a HCX Provider or a bridge. This allows for instance use of

  • Disaster Recovery 
  • Hybrid Cloud 
  • Migration to newer platforms

On the HCX provider side we have a VMware Cloud Foundation setup. Cloud Foundation is based off of  VMware vSphere, vSAN, NSX, and SDDC Manager, where the last part automates and orchestrates the entire deployment process on the providers end. Using NSX on the providers end opens up for a new way to do software-defined network where all traffic is wrapped into VXLAN traffic. On the client’s or customers end we only need to deploy a single virtual machine (which is the HCX Client) this runs on your existing VMware infrastructure. The HCX client will be backwards compatible with as old versions ESX 5.1, and allow for management from the existing VMware console.

HCX will also come with WAN optimization and will allow us to connect our existing DC over regular internet or we can use a direct connection with the cloud provider. Regardless all traffic will be encrypted using AES 256 bits encryption.

So HCX will provide secure Live vMotion – HCX proxies vMotion, resulting in a secure, zero downtime live migration to the cloud, over the HCX interconnect fabric described above.  It will also provide built-in business continuity – HCX provides DRaaS to enable business continuity while migrating/moving applications, and will allow customers can define as low as 5-minute RPO/RTO for VMs.

So some question that I am left with (Which I’m guessing will be answered when it will be released.)

1: How will the HCX Client provide redudancy on the customer side? can we setup multiple HCX clients which can load balance across the traffic?
2: How can we handle disaster recovery when it comes to layer two network failure?
3: How does it integrate with older versions of VMware where we don’t have web based console?
4: Since it doesn’t require us to have NSX on the customer side, and we pay for the license as part of the cloud offering what kind of functionality will we get?

When will it be available?
November – 2017 ( Later this month ) so looking forward to testing this on IBM Bluemix especially. IBM is also consolidating both of their platforms (Bluemix and Softlayer) into a single platform from a management perspective as well. So it should be available from the different IBM Softlayer locations pretty soon –> http://www.softlayer.com/data-centers%20