
Is this the year of Unified Application Delivery?

It is always amusing when I see on social media "Is this going to be the year of VDI?", a question that has been asked for many years now. The issue with VDI projects back in the day (I'm starting to write like an old guy…) was that the architecture and storage didn't scale well, since VDI workloads were heavy on resource usage, and therefore launching a successful VDI project was difficult. Of course, there weren't a lot of good products in the market either. I don't know how many blog posts and reference architectures I read about "scaling and designing VDI", "how to scale VDI for IOPS" and so on. The first uprising in VDI projects came when new players in the software-defined market arrived and changed the market: hyper-converged infrastructure made VDI projects a lot easier in terms of performance, and it brought more players into the VDI space as well. I've now seen large VDI reference projects from most of the different hyper-converged / software-defined players in the market, and I'm also seeing more and more VDI deployments leveraging the cloud, since the economics can make it suitable for many use cases. So is 2018 going to be the year of VDI? Not gonna happen! My personal opinion is that the year of VDI is not going to happen this year either. I believe that the VDI ship has sailed, and moving forward more and more SaaS-based services are going to replace Windows-based applications at a much faster rate. There is, of course, going to be a need for VDI solutions to deliver applications for a long time to come, but we need to look beyond VDI and focus more on application delivery (and not just Windows-based).

However, the key moving forward is to be able to deliver all these applications in a single, unified manner: combining the Windows-based applications, the Linux-based applications, and those sloppy web-based apps which have their own authentication mechanism or use basic web authentication, while also delivering the modern web applications which support open authentication mechanisms such as SAML and OAuth. The key is also to have a single security plane to control access and maintain security for these applications, and a single source of truth for identity.


Handling security in a cloud-based scenario, such as with Google G Suite or Office 365, also requires more investment in the different CASB products, such as Microsoft's Cloud App Security, to allow integration directly with the cloud providers. So is it actually possible to build this type of unified application delivery platform? We are pretty close, so what kind of products do we need?

Identity:
There are multiple identity solutions that can be used. Most tend to look at the cloud-based identity sources such as Azure AD and Google Identity, since they are proven for scale and have advanced functionality, both for setting up federation/trust and through a rich ecosystem which allows for building new applications that use them as identity sources. Both have a lot of built-in mechanisms to handle authentication, such as SAML and OAuth. Azure AD, however, has a bit more security features built in compared to Google at this time. There are also other solutions which provide these authentication capabilities, such as Ping Identity, Okta, and One Identity. For on-premises deployments we also have VMware Identity Manager. The choice depends on where you want the identity source to be located. Of course, vendors such as Ping, Okta, and One Identity are companies which focus only on the identity field and have proven products for that purpose.
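
To make the OAuth part a bit more concrete, here is a minimal Python sketch of the client credentials flow against Azure AD; the tenant, client ID, and secret are placeholders for a hypothetical app registration, not a real setup:

```python
# Minimal sketch: acquire an OAuth 2.0 token from Azure AD using the
# client credentials grant, then call an API with the bearer token.
import requests

TENANT_ID = "contoso.onmicrosoft.com"                # hypothetical tenant
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # hypothetical app registration
CLIENT_SECRET = "<app-secret>"                       # placeholder

token_url = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token"
payload = {
    "grant_type": "client_credentials",
    "client_id": CLIENT_ID,
    "client_secret": CLIENT_SECRET,
    "resource": "https://graph.microsoft.com",       # the API we want a token for
}

resp = requests.post(token_url, data=payload)
resp.raise_for_status()
access_token = resp.json()["access_token"]

# The bearer token is then sent to the API in the Authorization header.
headers = {"Authorization": f"Bearer {access_token}"}
users = requests.get("https://graph.microsoft.com/v1.0/users", headers=headers)
print(users.status_code)
```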

Application Delivery Platform:
Here we also have a couple of solutions which can deliver both Windows and Linux applications from a single platform, such as Citrix XenDesktop and VMware Horizon. Both of these platforms support LDAP/AD, but also other authentication mechanisms such as SAML, to support user-based authentication from the end-user to the backend. This allows us to, for instance, authenticate against XenDesktop or Horizon using any of the identity sources listed above.

Gateway:
The gateway is of course there to handle traffic and proxy connections, with authorization rules, against internal resources, such as on-premises web applications which only support basic web authentication, or to handle traffic to a backend VDI or RDS host. Both Citrix NetScaler and VMware Identity Manager can handle authentication mapping from SAML to, for instance, basic web authentication. They differ in terms of function: NetScaler is the more advanced beast, since it is a network appliance focusing on ADC but with advanced functionality for handling authentication and authorization, while VMware Identity Manager is more aimed at handling user lifecycle management and application access, with traffic flowing through VMware's Unified Access Gateway. The online identity providers can also handle traffic against basic web applications, and Microsoft has Azure Active Directory Application Proxy, which allows authentication and traffic flow against on-premises web applications using Kerberos, for instance.
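
To illustrate the idea of mapping a modern authentication scheme to basic web authentication (this is a toy illustration, not how NetScaler or Identity Manager work internally), here is a small Python gateway that assumes the user was already authenticated upstream (via SAML, for instance) and injects stored Basic credentials towards a hypothetical legacy backend:

```python
# Illustrative sketch: a gateway that receives an already-authenticated
# request and injects Basic credentials toward a legacy backend that only
# understands basic web authentication. Backend URL and credentials are
# placeholders.
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer

import requests

BACKEND = "http://legacy-app.internal:8080"    # hypothetical backend
SERVICE_ACCOUNT = ("svc_legacy", "s3cret")     # hypothetical stored credentials

class AuthTranslatingProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        # In a real gateway the SAML assertion would be validated here and
        # mapped to a user identity; we just assume that already happened.
        creds = f"{SERVICE_ACCOUNT[0]}:{SERVICE_ACCOUNT[1]}".encode()
        basic = base64.b64encode(creds).decode()
        upstream = requests.get(BACKEND + self.path,
                                headers={"Authorization": f"Basic {basic}"})
        self.send_response(upstream.status_code)
        self.send_header("Content-Type",
                         upstream.headers.get("Content-Type", "text/html"))
        self.end_headers()
        self.wfile.write(upstream.content)

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8443), AuthTranslatingProxy).serve_forever()
```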

Security:
Identity is the new firewall, which makes even more sense in this type of environment, where we cannot control the end-user's traffic and therefore need to make sure there are security mechanisms in place to ensure data confidentiality. Of the large vendors, only Microsoft has a solution which falls within the CASB (Cloud Access Security Broker) domain to handle connections and activities against a SaaS product; that product, Cloud App Security, is now tightly integrated with Azure AD as well. VMware and Citrix have some policy controls which determine what kind of activity an end-user can do within a terminal server environment, and conditional access based on the device connecting, but they do not have any functionality to control what a user can do within a SaaS service. Of course, controlling the user and what the user does is only a small part of the puzzle; we also need to be able to control, to an extent, the endpoint the end-user is using. Most vendors (Citrix, VMware, Microsoft, and Okta) have MDM solutions which allow us to create more advanced authentication rules to determine if an end-user should have access to a business-critical application from certain endpoints. Microsoft and VMware both have conditional access rules with which we can ensure that a device is compliant before it gains access to an application or system.
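
As a rough illustration of how such conditional access logic works (the rules, names, and thresholds here are made up for the example), a policy evaluation boils down to something like this:

```python
# Toy illustration of conditional access: combine identity, device compliance
# and network location into an allow / require-MFA / deny decision.
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    group: str               # e.g. "finance"
    device_compliant: bool   # as reported by the MDM solution
    trusted_network: bool    # e.g. request comes from a corporate IP range

def evaluate(req: AccessRequest, app_sensitivity: str) -> str:
    if app_sensitivity == "high" and not req.device_compliant:
        return "deny"            # business-critical app, unmanaged device
    if not req.trusted_network:
        return "require_mfa"     # unknown location -> step-up authentication
    return "allow"

# Compliant device, but coming from an untrusted network -> step-up auth.
print(evaluate(AccessRequest("anna", "finance", True, False), "high"))
```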

Unified Application Portal:
There are multiple portals we can utilize to expose all these different applications from multiple sources; however, we will be taking a closer look at those from Citrix, VMware, and Microsoft.

Azure AD My Apps:
My Apps is directly integrated into Azure Active Directory and can expose applications which have been added to Azure AD. This also covers Office 365, which has its own App Launcher that reflects and shows the same applications. It can also add other third-party applications using SAML (Citrix and VMware can be added here, but just as a hard link), but VDI desktops cannot be shown directly here. Azure also has support for internal web applications through Azure AD Application Proxy, which can publish internal web applications and supports SSO using Kerberos and NTLM. The good thing is that this also integrates directly with Office 365, so applications can be shown directly in the end-user's App Launcher. Of course, we can protect access using Azure MFA and Azure conditional access, which can now be integrated with Cloud App Security.


VMware Workspace One:

Workspace One is a combination of VMware Identity Manager, the AirWatch enterprise mobility management suite, and Horizon, running as a local server setup. The Workspace portal allows us to present our VDI/RDSH desktops and applications combined with web-based applications using SAML, where we can also protect resources using conditional access rules. VMware also has its own MFA solution that can be used to provide additional security on top. The advantage here is that we can present both Windows/Linux applications and web applications within a single portal, with multiple security policies on top.


Citrix Workspace / Unified Gateway:

Citrix Workspace Services is the future workspace portal from Citrix, which will be able to serve both applications and data from the same UI, more similar to the Office 365 App Launcher with SharePoint data in it. A similar setup is possible today with Unified Gateway, where we can present Windows/Linux applications and desktops, SAML-based applications using NetScaler as the SAML SP, and RDP sessions using RDP Proxy. Citrix also has the advantage of being able to deliver VPN solutions as well, so it provides a strong range of different solutions which can be presented from within the same portal.

So what does the workspace of tomorrow look like? I'm guessing that this is what many vendors are working towards solving, or finding the secret ingredients for.

With more and more business applications becoming web-based, there is no denying that the workspace will need tight integrations with modern SaaS products such as Google G Suite, Salesforce, ServiceNow, Workday, and Office 365, but it must also be able to integrate with on-premises applications on legacy systems, such as Windows/Linux-based applications and desktops, and older internal web applications. The workspace will also need certain security policies in place, such as conditional access, to give a more granular approach to security when granting access to applications and/or SaaS services. We also need certain backend security products to take control of the data and API access to the SaaS services, to ensure compliance and so on.

Windows 10 and Server 2016 network enhancements

There have been a lot of new enhancements to the networking stack in Windows 10 and Server 2016, which I wanted to write a bit more about. Earlier I wrote a bit about TCP Fast Open, which became available in Windows 10 and Microsoft Edge to reduce the initial TCP SYN process http://msandbu.org/increasing-microsoft-edge-performance-using-tcp-fast-open-on-netscaler/ but looking at the rapid release cycle in Windows, there has been more new stuff introduced over the last couple of years. Much of the functionality is defined in NDIS (https://docs.microsoft.com/en-us/windows-hardware/drivers/network/overview-of-ndis-versions), which is the Windows specification for how drivers should be created for network communication. Some of the new features that have been introduced are:

  • CUBIC support: The Windows 10 Creators Update also came with support for the congestion algorithm CUBIC, which is actually the default congestion algorithm in Linux. The main goal behind CUBIC is to improve the scalability of TCP over fast and long-distance networks, and also to keep the congestion window much longer at the saturation point.
    The following commands can be used to enable CUBIC globally and to return to the default Compound TCP (requires elevation; see the small sketch after this list for how to inspect the current settings):

    • netsh int tcp set supplemental template=internet congestionprovider=cubic
    • netsh int tcp set supplemental template=internet congestionprovider=compound
  • Fast Connection Teardown: TCP connections in Windows are by default preserved for about 20 seconds to allow for fast reconnection in the case of a temporary loss of wired or wireless connectivity. However, in cases such as docking and undocking this is a long delay, and the Fast Connection Teardown feature can signal the Windows transport layer to instantly tear down TCP connections for a fast transition.
  • ISATAP and 6to4 disabled by default: With the uptake of IPv6, these transition protocols are now disabled by default, but they can be enabled using Group Policy. Teredo is the last transition technology that is expected to remain in active use, because of its ability to perform NAT traversal to enable peer-to-peer communication.
  • Windows TCP AutoTuningLevel: Before the Creators Update, the TCP receive window autotuning algorithm depended on correct estimates of the connection's bandwidth and RTT. The new algorithm adapts to the BDP (bandwidth-delay product) much more quickly than the old one, and converges faster on the maximum receive window value for a given connection.
  • Recent ACKnowledgement (RACK): RACK uses the notion of time, instead of packet or sequence counts, to detect losses, for modern TCP implementations that can support per-packet timestamps and the selective acknowledgment (SACK) option. RACK is enabled only for connections that have an RTT of at least 10 ms, both in the Windows client and in Server 2016, to avoid spurious retransmissions on low-latency connections. RACK is also only enabled for connections that successfully negotiate SACK.
  • Windows Low Extra Delay BAckground Transport (LEDBAT): LEDBAT is a way to transfer data in the background without clogging the network. Windows LEDBAT does not interfere with other TCP connections, because it only consumes unused bandwidth. When LEDBAT detects increased latency, indicating that other TCP connections are consuming bandwidth, it reduces its own consumption to prevent interference. When the latency decreases again, LEDBAT ramps up and consumes the unused bandwidth. LEDBAT is only exposed through an undocumented socket option and can only be used by approved partners.
  • RSSv2: Compared to RSSv1, RSSv2 shortens the time between the measurement of CPU load and updating the indirection table. This avoids slowdown during high-traffic situations. It is part of the Windows 10, version 1709 kernel.
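
To inspect how some of these settings look on a given machine, here is a small Python sketch that simply shells out to netsh on Windows 10 / Server 2016; it only reads the configuration, so no elevation is needed:

```python
# Sketch: query the current TCP congestion provider and autotuning level
# by wrapping the netsh "show" commands.
import subprocess

def netsh(*args: str) -> str:
    """Run a netsh command and return its stdout."""
    return subprocess.run(["netsh", *args],
                          capture_output=True, text=True).stdout

# Congestion provider per template (e.g. CUBIC vs Compound TCP).
print(netsh("int", "tcp", "show", "supplemental"))

# Global parameters, including the receive window autotuning level.
print(netsh("int", "tcp", "show", "global"))
```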

This YouTube video from Ignite last year goes into detail on the different improvements that have been introduced in Windows over the course of the last year –> https://www.youtube.com/watch?v=BlBWUGcYCQQ

And of course, having a strong networking stack is important for handling modern web applications and connections from different endpoints across different network connectivity. In the next blog post I will focus a bit more on the container networking aspects that have been introduced in Windows.

My thoughts on Citrix buying Cedexis and what it is?

Earlier today Citrix announced publicly that they have bought the company Cedexis. (If you didn’t catch the news you can read the official blogpost here –>  https://www.citrix.com/blogs/2018/02/12/citrix-acquires-cedexis/)

Being the tech-curious mind that I am, I started to read through the official blog post, which didn't give me any clarity on what kind of value it would actually bring to Citrix. Also, I hadn't heard about the company before (other than some mentions on social media from time to time), so I decided to do some research and take a closer look at how Citrix can benefit from it.

Looking into the company, I noticed that they have a set of products which make up the core, called Cedexis ADP (Application Delivery Platform), which is aimed at more intelligent load balancing, using a combination of real-user monitoring and synthetic monitoring to make the correct decision on where to route the data.


The platform is split into smaller parts where the core is three applications.

Radar: a product which gathers real-user telemetry from thousands of users worldwide (you can see some of the interesting statistics here: https://live.cedexis.com/), giving detailed mappings of outages, response times and such. It uses a simple JavaScript tag embedded within a content or application provider's pages to collect information about the performance and availability of a data center or delivery platform. (You can also access some nifty reports here –> https://www.cedexis.com/get-the-data/country-report/)

Sonar: a liveness-check service that can be used to monitor web-based services for availability. Sonar works by making HTTP or HTTPS requests to a URL from multiple points of presence around the world.
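
A single Sonar-style probe is conceptually very simple; here is a minimal Python sketch (the health endpoint URL is just a placeholder), with the understanding that the real service runs these checks from many points of presence rather than one machine:

```python
# Sketch: an HTTP(S) liveness probe that records status and response time.
import time
import requests

def probe(url: str, timeout: float = 5.0) -> dict:
    start = time.monotonic()
    try:
        r = requests.get(url, timeout=timeout)
        return {"url": url, "up": r.ok, "status": r.status_code,
                "rtt_ms": round((time.monotonic() - start) * 1000)}
    except requests.RequestException as exc:
        return {"url": url, "up": False, "error": str(exc)}

print(probe("https://example.com/health"))  # hypothetical health endpoint
```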

Openmix: a SaaS global load balancing service which considers real-time feeds of end-user telemetry from Radar, and server or application monitoring data from Sonar, to do intelligent global load balancing. Using all these different tools, we can also combine this with other data, such as cost/performance, and define our own rating of a service if we, for instance, have it available in multiple locations/platforms. The cool thing about Openmix being a cloud service is that it is available via both DNS and HTTP; example here –> https://github.com/cedexis/openmixapplib/wiki/Openmix-HTTP-API#overview
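
Since the DNS side means the routing decision comes back as an ordinary DNS answer, one way to observe this style of global load balancing is to resolve the same name repeatedly and watch which addresses come back. The hostname below is a placeholder, not a real Openmix endpoint, and local resolver caching may hide some of the variation:

```python
# Sketch: observe DNS-based global load balancing by resolving a name
# repeatedly and counting the distribution of returned addresses.
import socket
from collections import Counter

NAME = "www.example-service.com"  # hypothetical GSLB-managed hostname

seen = Counter()
for _ in range(10):
    for info in socket.getaddrinfo(NAME, 443, proto=socket.IPPROTO_TCP):
        seen[info[4][0]] += 1     # info[4][0] is the resolved IP address

print(seen)  # distribution of answers across platforms/regions
```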

Fusion: in addition to Radar and Sonar data, Openmix can use third-party data as part of its decision criteria, which means it can integrate with an existing synthetic monitoring service you already use, or make cost-based decisions using usage data from a CDN provider. Fusion supports a long list of integrations which can be used to determine the best path.


There are also some newer integrations, such as Datadog, which allow us to do more efficient application routing logic based upon, for instance, Datadog alerts.

So, looking at the products, we can see that Cedexis has multiple tools to determine the optimal path: real-time user information and synthetic testing, combined with third-party integrations using custom metrics, plus a global SaaS load balancing service. For instance, if we have a service which is available in multiple locations on multiple cloud providers, how can we ensure that an end-user is directed along the optimal route? We have multiple sources of logic, such as Radar (how is the network, or the CDN the content is served from, performing?), Sonar (what is the RTT of the application from the ongoing tests?) and information from Fusion (a New Relic APM integration, for instance, which shows that service Y is performing slowly because of DB errors), and we can deduce the correct path from that information. However, Cedexis is missing a product to handle the actual load balancing between the end-users and the backend services, and is dependent on someone else to do the local load balancing and handle SSL traffic. NetScaler, on the other hand, is missing the ability to do more intelligent load balancing based upon real-user telemetry, instead of just doing health checks against the backend web server or doing GSLB based upon user proximity and such.
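
To make that decision logic a bit more tangible, here is a toy Python scoring function in the spirit of what Openmix does; all the platforms, numbers, and weights are invented for the example:

```python
# Toy decision function: weigh Radar (network telemetry), Sonar
# (availability/RTT) and Fusion (third-party data such as cost or APM health)
# per candidate platform, and pick the best one.
candidates = {
    "azure-westeurope": {"radar_ms": 38, "sonar_up": True,  "cost": 1.0, "apm_healthy": True},
    "aws-eu-west-1":    {"radar_ms": 31, "sonar_up": True,  "cost": 1.2, "apm_healthy": False},
    "onprem-oslo":      {"radar_ms": 55, "sonar_up": False, "cost": 0.5, "apm_healthy": True},
}

def score(m: dict) -> float:
    if not m["sonar_up"]:          # hard fail: the platform is down
        return float("-inf")
    s = -m["radar_ms"]             # lower latency is better
    s -= m["cost"] * 10            # penalize expensive platforms
    if not m["apm_healthy"]:
        s -= 100                   # e.g. APM reports DB errors on service Y
    return s

best = max(candidates, key=lambda name: score(candidates[name]))
print(best)  # -> azure-westeurope with this made-up data
```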

I can see the value of integrating the Cedexis platform into the NetScaler portfolio, seeing that it can make for a much more powerful, smart application delivery system. So, this is just my personal idea of how the portfolio could look as an integrated solution. We could have NetScaler MAS feeding Fusion using web analytics, for instance, along with the performance usage on the NetScalers, which would then make it easier for Openmix to decide whether end-users should be load balanced to region X or Y, based upon the weight defined on the application or service.


So, just some initial thoughts on the Cedexis platform. I'm looking forward to trying the platform out in a real scenario, and to seeing what plans Citrix has for it moving forward.

Cloud Wars – IBM vs Microsoft vs Google vs Amazon IaaS

In my previous blog post I did a short overview of the different cloud vendors, a bit about their focus areas, and a bit about strengths and weaknesses. The blog post can be found here –> http://bit.ly/2CrBgZA. In this post I want to focus more on IaaS and the offerings surrounding it. First I will describe a bit about each vendor, then I'll go into a bit more comparison, include the price/performance factor, and end with some focus on automation functionality and additional services.

IBM:
As mentioned in my previous blog post, IBM with its SoftLayer capabilities has had an extreme focus on bare metal, in addition to traditional IaaS, and with the extended partnership with VMware they can also provide the vCloud Foundation package (which is also a prerequisite for VMware HCX) or just plain ESXi with vCenter deployment. On the bare-metal side we can choose between hourly or monthly pre-configured servers, or customize with single- to quad-processor solutions that range from 4 to 72 cores. We can also order bare-metal servers with dedicated GPU offerings (such as K2, K80, M60, P100). One of the cool features in terms of pure IaaS is that they offer pure block storage as an option, using iSCSI, or plain file storage using NFS. In terms of scalability they can only offer up to 56 cores and 242 GB RAM for a single virtual machine, which is a lot smaller than most offerings in Azure, Google, and AWS. IBM, like AWS and Azure, also offers predefined instance sizes, and when setting up an instance you can also define what kind of network connectivity you want: by default you get a 100 Mbps uplink and private connectivity for free, but if you want to up it to 1 Gbps you need to pay extra. The main issue is that many of the concepts such as availability zones and other options for HA are not available in IBM, compared to GCP, AWS, and Azure.

In terms of automation, IBM has a feature called Cloud Schematics, which is natively based upon Terraform; it is basically wrapping REST API calls using an IBM provider in Terraform, https://ibm-cloud.github.io/tf-ibm-docs/. We also have the ability to run provisioning scripts at boot as part of a deployment. One of the things I feel is missing in IBM when it comes to automation is more overall system management capability, such as Azure Automation or AWS Systems Manager.

Google:
Google, compared to the others, has the most simplified deployment of virtual machines. They are also the only vendor with the option to define custom instance sizes (for a bit higher price, of course), and they offer the most flexibility when it comes to GPUs (we can, for instance, add GPUs to any type of instance) and when it comes to disk types and sizes.

For automation, Google has an API framework called Google Cloud Deployment Manager, which uses a YAML-based syntax, but providers from Terraform or Puppet can also be used to do the deployment. Google also has the option to run start-up scripts on each virtual machine, which allows for scripting of software and services inside the virtual machines. Google provides up to 96 vCPUs and 1433 GB of memory on their largest instances. They do not have any form of bare-metal options, unlike IBM, but that is not their focus either; like AWS, Google has gone into a partnership with Nutanix on a hybrid cloud model, which is going to be interesting to follow. Another cool thing about Google is that they provide live migration of instances by default, to handle maintenance updates on their infrastructure.

For deployment of redundant solutions you can deploy instances across multiple zones within a region (which is a similar setup to what Amazon Web Services does, and what Azure does with availability zones).

From a management perspective, Google has been really good at developing their Cloud Shell solution, which allows for easy access to virtual instances directly from the browser, and also allows for simple access by auto-inserting the SSH key as part of the setup. One of the coolest things about Google is their core infrastructure and the network backbone, which is called Andromeda https://cloudplatform.googleblog.com/2017/11/Andromeda-2-1-reduces-GCPs-intra-zone-latency-by-40-percent.html and which has allowed them to provide low-latency, high-bandwidth connections on east-west traffic. Their SDN is also worldwide, meaning that if you create a virtual network, it will by default be available in all the different regions (where different subnets are placed within each region, but are all interconnected).

Azure:
Microsoft has also been doing a lot of work recently, investing heavily in new options such as new GPU offerings with the P100 and P40 cards, but also with the introduction of availability zones (still in preview for most services), which now allows for a level of redundancy pretty similar to zones on GCP and AWS. Microsoft has also introduced loads of new instance types, with burstable compute (the B-series), and now with the GA of accelerated networking, which allows for SR-IOV-based network deployment of instances in Azure.

From a management perspective, Microsoft has been doing a lot around regular operations, such as with Log Analytics, which can now do patch management and provide multiple pieces of monitoring across different platforms, integrating different PaaS services to allow for a single hub to do monitoring across most of the services. Simple EDI-based tools such as Logic Apps and Azure Automation allow us to set up anything from simple to more complex automation jobs, to do automated deployments and start/stop virtual instances based upon a trigger or schedule. They also provide a lot more tools when it comes to migration and backup compared to the other vendors, with Azure Migrate and Azure Site Recovery.

Microsoft has also been investing a lot in their Cloud Shell solution, which allows us to run az cli (bash-based) and Azure PowerShell cmdlets directly from the browser (and as of 01.02 they also support Ansible directly from the Cloud Shell interface).
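
For example, spinning up a quick test VM directly from Cloud Shell only takes a couple of commands (the resource group and VM names here are just examples):

  • az group create --name demo-rg --location westeurope
  • az vm create --resource-group demo-rg --name demo-vm --image UbuntuLTS --generate-ssh-keys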

One of the issues with Azure from an IaaS perspective is the lack of flexibility in mixing, for example, GPU cards with different instance types, or scalable IOPS together with disk size. Microsoft is also focusing a lot on building partners in the ecosystem to support automation, and has been doing a lot when it comes to Terraform, which now covers a lot of the resources in Azure directly.

AWS:
When it comes to IaaS, Amazon provides the most services, both when it comes to bare metal (coming) and support for VMware. They also have different options depending on whether you need reserved instances, reserve capacity, or godzilla virtual machines. They provide different storage options as well, with scalable IOPS depending on the size of the storage. The support for VMware will also provide a whole new level of infrastructure solutions (the service is now available, but still limited to certain regions in the US).

AWS also provides multiple management tools to make things easier, such as AWS Systems Manager (which can also target on-premises virtual machines), and they even provide their own AWS Managed Services, where they manage the IaaS solutions for you. AWS also has a service called OpsWorks, which provides automation based upon Puppet and Chef as a managed service, and which can then be used to deliver configuration management against your own environment in AWS. AWS also has CloudWatch and CloudTrail to track events, logs, activity, and API usage across AWS accounts.
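
As a small example of what Systems Manager automation looks like in practice, here is a minimal boto3 sketch that runs a shell command on a managed instance (the instance ID is a placeholder, and the instance needs the SSM agent plus an appropriate IAM role):

```python
# Sketch: run a command on a managed instance via AWS Systems Manager
# Run Command, using the built-in AWS-RunShellScript document.
import boto3

ssm = boto3.client("ssm", region_name="eu-west-1")

resp = ssm.send_command(
    InstanceIds=["i-0123456789abcdef0"],    # hypothetical instance ID
    DocumentName="AWS-RunShellScript",       # built-in SSM document
    Parameters={"commands": ["uptime"]},     # command(s) to run on the box
)
print(resp["Command"]["CommandId"])          # use this ID to fetch the output
```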

AWS also has multiple options when it comes to GPU offerings, such as the P2 and G2 series, which come with a dedicated GPU card, or Elastic GPUs, a software-defined GPU offering which allows us to add a GPU to almost any type of instance.

Summary:
Now, the fun part is that most providers are delivering more and more services to help with automation and system management, such as managed container engine clusters, and also different advisor services which can detect cost or security issues by checking for best practices according to the cloud provider.

The interesting part is mainly the container solutions that most providers are now fighting over. Both Microsoft and AWS have their own container instance solutions, where you just provision a container based upon an image and don't have to worry about the infrastructure beneath (AWS Fargate and Azure Container Instances), and both of them also provide other container solutions, such as Amazon Elastic Container Service and Azure Container Service. The fun part is that all four providers support Kubernetes as the container orchestration engine, with supporting features built around it, such as container registry solutions or CI/CD solutions.

Technical Comparison: The intention here is to have a short table comparing some of the different infrastructure services from each vendor. It does not measure the quality of the services, but simply shows whether each vendor has a given service, and its name.

| Service | Microsoft | Google | Amazon | IBM |
| --- | --- | --- | --- | --- |
| High Performance Computing services | Azure Batch | - | Amazon Batch | IBM Spectrum, IBM Aspera |
| Reserve capacity instances | Low Priority VMs | Preemptible instances | Spot instances | - |
| Reserved instances | Reserved Instances | Committed use | EC2 Reserved Instances | - |
| Dedicated instances | - | - | EC2 Dedicated Instances | - |
| Bare-metal hosts | - | - | Yes (announced) | Yes |
| Burstable instances | Yes | Yes | Yes | No |
| VM metadata support | Yes | Yes | Yes | Yes |
| Custom instance sizes | - | Yes | - | Yes |
| Compute service identity | Yes | Yes | Yes | No |
| High-performance disk | Premium Disk | SSD persistent disk, Local SSD | SSD EBS | SSD Octane |
| GPU instances | N-series (NV, NC, ND) | Flexible GPU | P2 instances / Elastic GPU | Only as bare metal |
| Nested virtualization support | Yes | Yes (beta) | - | Yes |
| Hybrid story | Azure Stack | Nutanix | VMware | VMware |
| GPU cards supported | M60, K80, P40, P100 | K80, P100, AMD S9300 | M60, Custom GPU, V100 | P100, M60, K80 |
| Desktop as a service | Third party | Third party | WorkSpaces & AppStream | Third party |
| Scale set | VM Scale Sets | Instance Groups | Auto Scaling | Auto Scale |
| Godzilla VM | Standard_M128: 128 vCPU, 3800 GB | n1-highmem-96: 96 vCPU, 1433 GB | x1.32xlarge: 128 vCPU, 4 TB | 56 vCPU, 242 GB (larger as bare metal) |
| Skylake support | Yes | Yes | Yes | - |
| VMware support | Yes (announced) | - | Yes (limited to the US) | Yes |
| Billing for VMs | Per minute | Per second | Per second (for some) | Per hour |
| Deployment & automation service | Azure Resource Manager | Google Deployment Manager | CloudFormation | IBM Cloud Schematics |
| CLI | PowerShell, Azure CLI | gcloud CLI, Cloud Tools for PowerShell | AWS CLI, AWS Tools for PowerShell | Bluemix CLI |
| Monitoring & logging | Log Analytics, Azure Monitor | Stackdriver | CloudWatch, CloudTrail | Monitoring and Analytics |
| Optimization | Azure Advisor | Native service in UI | Trusted Advisor | - |
| Automation tools | Azure Automation | - | AWS OpsWorks (Chef and Puppet) | Cloud Automation, Workload Scheduler |
| Third-party configuration/infrastructure tools | Chef, Puppet, Terraform, Ansible, SaltStack | Chef, Puppet, Terraform, Ansible, SaltStack | Chef, Puppet, Terraform, Ansible, SaltStack | Terraform |
| Cloud Shell support | Yes | Yes | - | - |
| EDI tools | Azure Logic Apps | - | - | - |

In the next blog post I will take a closer look at some price comparisons, comparing apples to apples in benchmarks which measure the speed of deployment using the different deployment tools, as well as in-VM speed at different levels.