Cloudistics Getting Started Guide Rev: 3/18/2019

Cloudistics Product Documentation · 2019-06-28


Copyright © 2019 Cloudistics, Inc.


Contents

Getting Started
Product Documentation
Contact Support
What is Cloudistics?
How Does it Work?
What Can I Do with it?
How Do I Purchase it?
How Do I Access and Use it?
Product Components
Network
Compute
Storage
Cloud Controller
Key Product Concepts
Compute Concepts
Compute Block and Nodes
Compute Categories and Tags
Migration Zones
Storage Concepts
Storage Blocks
Storage Pools
Types of Optimized Storage Blocks
Recommendations for Using Optimized Storage
Networking Concepts
VLAN
VNET
Virtual Datacenters
Self Service
Types of Users
Ignite User Management
On-premises User Management
On-premises Users
LDAP/AD Configuration and Management
Types of Roles
Infrastructure Admin
VDC Manager
Infrastructure Viewer
VDC Viewer
No Access
Application Concepts
Application Instances
Application Templates
Application Marketplace
Template Store
Security and Compliance
Micro-segmentation
Distributed firewalls
Application security profiles
SaaS-based management
Multi-tenancy
Secure control plane
Data-at-rest encryption
Government standards compliance
Two-factor authentication
Security testing


Getting Started

Welcome to Cloudistics, a private cloud with a premium experience. Cloudistics brings the power of the cloud to the datacenter in an easy-to-use, on-premises cloud platform that automatically provides high performance resources for all types of applications and high performance workloads. As a truly composable cloud platform, Cloudistics combines storage, network, compute, and virtualization components, managed via an integrated and intelligent operating system that gives you unprecedented insight and control over your resources.

This Getting Started guide provides an introduction to key concepts that you should understand before you begin to install and to use Cloudistics.

Product Documentation

The following product documentation and information is available to guide you in getting started and using the platform.

| Document | Description |
| --- | --- |
| Getting Started Guide | This guide provides an introduction to key concepts that you should understand before you begin using Cloudistics. |
| Administration Guide | This guide provides information for using Cloudistics Ignite, the Web-based management console for configuring, managing, and maintaining your storage, network, compute, and virtualization resources. It also includes troubleshooting information, which describes how to resolve common issues or perform advanced tasks. |
| Pre-Installation Guide | This guide provides important information to help you plan and prepare for installing Cloudistics. |
| What's New/Release Notes | Release Notes provide the latest information available for the current version of the platform, including details about the latest platform improvements, feature and functionality updates, and any known issues and resolutions. It is important to refer to the release notes for each release because they contain the most recently documented information about functionality updates and any known issues with a specific product version. |
| Technical Briefs | Technical Briefs provide additional information about a technical topic, such as recommended best practices, background information on a component or feature, or additional detailed information for how a feature, component, or specific technology in the Cloudistics platform works. |
| Product Advisories | Product Advisories provide important information to help you stay informed of and to address potential issues in your infrastructure. |
| API Documentation | Cloudistics web services provide API access to the platform, including access to virtual datacenter and infrastructure resources as well as hardware information. It is used to create resizable resources, manage workloads and retrieve information about the underlying infrastructure. |

Contact Support

A premium customer experience is our primary focus, and we deliver it with our Cloudistics support and maintenance services. All products include 24/7/365 software and next business day or 4-hour hardware support. Our team of experts is here to respond to your technical questions quickly and provide personal interactive support in real time.

• We offer real-time chat 8:00 AM – 6:00 PM ET, Monday-Friday, below in the bottom right of this page, on our Web site, or from within the Cloudistics management portal.

• Phone support is available during business hours, from 8:00 AM - 6:00 PM ET, Monday-Friday, by calling +1-703-570-8880.

• For after-hours phone support, call +1-800-685-9636.

• You may also submit a support inquiry online.

What is Cloudistics?

Cloudistics is a private cloud software platform, purpose-built to deliver a full-fledged, all-in-one cloud infrastructure that’s ready for use out of the box. With a premium implementation, deployment, operations, and management experience, you can expect that it is easy, powerful, and able to accelerate your applications, supporting business initiatives and better outcomes. The platform operates free of any hardware-specific dependencies and is programmatically extensible. Refer to the following topics to learn more:

• How Does it Work?

• What Can I Do with it?

• How Do I Purchase it?

• How Do I Access and Use it?

How Does it Work?

The Cloudistics Cloud Platform was designed to simplify implementation, deployment, operations, and maintenance of your cloud resources, enabling your IT staff to be innovative and to accelerate your business' time-to-market and time-to-value. We have incorporated the advantages of public, private and hybrid cloud models into one software appliance, and the platform is comprised of the following software defined components. (For more information about these product components, see Product Components.)

• Networking

• Compute

• Storage

• Cloudistics Ignite cloud controller

The Cloudistics hardware is completely cloud-managed, via the Ignite Cloud Controller, which makes it easy for you to build, manage, and monitor your cloud from any Web browser. Once you have connected and installed the tightly integrated hardware components, you use the Ignite Cloud Controller to provision, manage, and control your hardware. When the units are powered on, Ignite automatically detects and enables high-speed connectivity between them. You can then create and manage virtual datacenters and related applications.

The Ignite Cloud Controller manages all hardware


Because it is a "composable" platform, Cloudistics grows with you easily and cost-effectively. Compute and storage hardware are separate nodes in the platform, so you only need to buy and add resources as you need them. Since there is nothing to configure on-site, and the Ignite controller automatically detects new resources, adding new compute, storage, and network resources takes seconds. Cloudistics can scale network, compute, and storage resources independently as your application demands change in real time and without downtime.

What Can I Do with it?

The aim of Cloudistics is to give organizations the ability to accelerate digital transformation with a private cloud infrastructure that is easy to implement, deploy, operate and maintain, with predictable performance and costs. Example solutions include:

• Faster cloud virtualization - On-premises virtualization platforms do not have to be complex. Cloudistics delivers applications in minutes, not hours or days, so you can focus on the application, not infrastructure.

• Actionable insights with big data applications - Cloudistics delivers an agile, high performance platform with pre-packaged big data applications to simplify adoption and shorten time-to-market.

• Database workloads support - The unique Cloudistics architecture composes and delivers raw system resources with the least amount of latency via all-flash storage, non-blocking network, and our cluster-less design, removing bottlenecks and delivering a high-performance platform.

• Delivery of cloud services for managed service providers - Cloudistics is built with the attributes of the public cloud, including multi-tenancy, micro-segmentation, and self-service, and can be manipulated via an API, allowing service providers to deliver unique cloud services to their customers.

• Ready-to-use container technology templates to jump start digital transformation - Cloudistics delivers an agile, composable platform with the ability to be API-driven to support DevOps practices, such as on-premises infrastructure for Docker, that works out-of-the-box.

• Simplified support of remote offices - Cloudistics offers the same enterprise features, functionality, and performance regardless of the size and location of your business, all managed and orchestrated under one SaaS-based management interface.

The list is really endless: Cloudistics provides the platform and flexibility for you to do what you want and be as creative as you want. The software-defined network, storage, compute, and virtualization platform enables your applications to deliver capabilities based on your current and changing business and technology needs. Learn more about Cloudistics solutions here.

How Do I Purchase it?

You work with a Cloudistics solutions expert to acquire the appliance hardware as one platform. The Ignite Cloud Controller, a management console that resides in the cloud, is provided with the platform for you to manage your hardware and applications. Out of the box, you can begin to deploy and manage your applications.

Because the Cloudistics platform is application-driven, you then simply pay as you go. You can work with your Cloudistics solutions expert to add additional nodes for storage and compute as your needs grow and change.

How Do I Access and Use it?

Out of the box, the Cloudistics platform provides all the hardware and software you need to deploy an on-premises cloud.

1. After simple installation and setup of your hardware, you can provision, manage and control the network, compute, and storage hardware via the Ignite Cloud Controller, which is accessible via your Web browser.

2. You easily build and deploy applications within Ignite. You can create your own application templates based on existing Virtual Machines (VMs) residing on the cloud. Or, an online application marketplace is available for free, which provides one-click download of popular, published applications for immediate deployment.

3. You can deploy application instances in your virtual datacenters, and you can easily allocate resources into multiple virtual data centers as needed.

4. You can easily monitor and manage your cloud infrastructure from within the Cloudistics Ignite management portal.

APIs are also available to enable application orchestration and customized management and make it easier to perform complex bulk actions. Cloudistics Web Services provide API access to the platform, including access to virtual datacenter and infrastructure resources. They are helpful for creating resizable resources, managing workloads, and retrieving information about the underlying infrastructure.

Product Components

Cloudistics Ignite Cloud Platform is a composable, software defined, private cloud platform managed from the web that operates and scales free of typical hardware-specific dependencies and is programmatically extensible. All hardware elements are abstracted by the software defined private cloud platform. Network, storage, and compute abstraction delivers compelling simplicity, efficiency and performance advantages beyond bare metal implementations. The Cloudistics Network, Compute and Storage hardware is completely cloud-managed, via the Cloud Controller, which makes it easy for you to build, manage, and monitor your cloud from any Web browser.

• Network

• Compute

• Storage

• Cloud Controller

Network

The network block of the Cloudistics platform, called the Cloudistics Interconnect, connects the Cloud Controller to your environment.

In the Cloudistics platform, the Interconnect is essentially the control point for the on-premises cloud infrastructure, or, the “brains” of the infrastructure. It manages all north/south and east/west traffic within the Cloudistics infrastructure without impacting your current environment. The Cloudistics Interconnect decouples control, data, and management traffic into different planes. This allows Cloudistics to deliver predictable performance that scales linearly between compute and storage. Built-in micro-segmentation functionality allows you to control communication and security between applications with a few clicks.

The Cloudistics Interconnect is driven by our simpler, smarter and open-standards based network virtualization software that is 50x faster than network virtualization solutions available today. Cloudistics networking includes both network overlay virtualization and network function virtualization (NFV). To maximize secure performance, Cloudistics NFV includes distributed switching, routing, and firewall software. Customers can deploy custom NFV instances to extend these capabilities to include NAT and load balancing. The micro-segmentation and distributed firewalls allow Cloudistics to attach firewall policies by virtual network, significantly improving the overall security of the system.

Compute

Cloudistics Compute delivers the processing (CPU and Memory) layer of the Cloudistics platform. The Compute block consists of server blades inside a hardware chassis, and this block is expandable by adding CPU or memory. The architecture enables compute workloads to scale quickly, simply and as needed without the expense and inefficiency of over-provisioning. There is no upper limit to the maximum number of compute blocks. You can start with one node and scale to thousands of nodes.

The compute nodes are driven by our open KVM-based compute virtualization software and other software that supports network virtualization. It supports full- and para-virtualization, live migration, CPU/memory/storage oversubscription and CPU and memory hot-plug.

The benefits offered by Cloudistics Compute are:

• Full virtualization

• Support for Linux, Windows, and BSD

• Agile platform with integrated support for containers

• Hot-plug virtual CPU and memory

• Live migration

• Near-native performance

• Advanced security

Storage

Cloudistics Storage provides the application and data storage layer of the Cloudistics platform. It combines the benefits of the network layer with the benefits of all-flash storage capacity for advanced resource pooling, elasticity, accelerated application performance and service delivery.

The architecture enables storage capacity and performance to scale linearly and quickly and as needed without the expense and inefficiency of over-provisioning. There is no upper limit to the maximum number of storage blocks. With storage federation, you can start with one storage block and scale to Exabytes of capacity.

The storage block is driven by our storage virtualization software. It simplifies storage management by eliminating clusters, the need to set up RAID groups, export LUNs, or set up multi-pathing (drop or set up clustering). Unlike storage virtualization approaches based on shared file systems (for instance, VMware VMFS), we provide high-performance shared direct block access. Enterprise-grade storage functionality includes thin provisioning, snapshots, cloning, and integrated asynchronous replication.

Cloudistics Storage also includes integrated replication, recovery, and archiving capabilities needed to maintain business continuity, web and database services as well as legal compliance.

Cloud Controller

The Cloudistics hardware is completely cloud-managed via the Ignite Cloud Controller, which makes it easy for you to build, manage and monitor your cloud from any Web browser. And, because the cloud software appliance is managed in the cloud, it is continually updated, with free upgrades and new features.

The network, storage and compute components are designed to work seamlessly with each other. When the units are powered on, the Ignite Cloud Controller, also called the Ignite management portal, automatically detects the resources and enables high-speed connectivity between them. You can drill down from the Interconnect ports to the storage and compute resources and even cycle power devices remotely.

Hardware page

Using the Cloudistics Ignite management portal, you can configure and manage your hardware, create virtual datacenters, control resources for individual applications and users, deploy and secure applications, monitor application health, and more. A convenient dashboard provides a single-view overview of your infrastructure, and a Web representation of your hardware provides a view of connectivity and detailed health information. You know exactly what is happening in your on-premise cloud in near real time so you can easily manage users, applications, and performance.

You can also see how compute and storage resources are allocated. With performance monitoring, you always know what applications are using resources as well as peak times. It gives you full visibility into the applications in your cloud, including OS, network bandwidth, storage performance, latency, and more.

Key Product Concepts

Cloudistics provides access to the virtual representations of your tightly integrated compute, storage, and network hardware components in the cloud and enables you to provision, manage, and control your hardware. You easily and securely connect to the Cloudistics Ignite Controller Web Portal by logging in with two-factor authentication; you do not connect to the hardware stack directly, only to the controller.

Before you begin using Cloudistics, it is important that you understand key product concepts, which will help you to organize and properly allocate resources for deploying your applications and virtual data centers.

Compute Concepts

Compute concepts consist of:

• Compute Block and Nodes

• Compute Categories and Tags

• Migration Zones

Compute Block and Nodes

A compute block is a chassis that houses compute nodes (the following image depicts one compute block with four compute nodes).

Compute Block and Nodes represented in Ignite

A compute node represents a physical compute resource housed in the compute chassis containing CPU and memory. A compute node occupies one node in the chassis, and each node provides compute resources for use by applications.

Compute Categories and Tags

Categories and tags are designations applied to compute nodes that allow you to apply constraints or filters on your compute resources.

A compute category is a descriptor of a node, and each compute node in the system must belong to exactly one compute category. Compute categories are used to organize compute resources for allocation to virtual datacenters. Compute categories are useful for organizing a large infrastructure to define specific site settings like user management or other application settings, such as computing power or memory requirements. If needed, you may also restrict an application instance to run only on nodes in a specific compute category.

Compute tags are additional metadata that can be applied to nodes. While each node must belong to exactly one category, a node may have any number of tags. Because a compute node can have many tags, this helps you to be more specific in your designations. Compute tags are used by application instances and nodes to determine which nodes are eligible to run an application. If an instance lists compute tags in its resource profile, only nodes with all of those compute tags will be able to run that instance.

In the Cloudistics environment, when an application runs, instead of requesting a specific hardware server to run, it requests a compute resource with certain tag/category designations for the computing resources needed. Traditionally, applications are tied to specific hardware; however, in the Cloudistics platform, an application is not required to be assigned to a particular compute node, which allows for flexibility in application deployment and ensures a hardware-agnostic approach. Applications do not have to specify hardware to run; they can specify computing power or memory requirements based on categories and tags.

For added stability, another compute resource can be automatically chosen with the same category and/or tag designations to serve the application in the event the compute node goes down.

Migration Zones

Compute nodes are grouped into migration zones for use by applications. Essentially, a migration zone provides a way to organize a collection of resources virtually. It consists of a defined set of compute nodes (with any categories/tags) and connectivity to storage (one or more storage pools).

Migration zones act as boundaries around a set of compute nodes of any category or tag. Anytime an application starts in a particular migration zone, it only utilizes the compute nodes in that zone. Migration zones can be useful for departmental or regional boundaries, for specific application computing requirements, or in cases where customers have high security requirements; for example, for service providers that have multiple customers in banking or government and must keep a customer’s computing resources isolated from other customers. The Cloudistics platform guarantees separation without needing to separate hardware physically.

One compute node can belong to one migration zone, and migration zones can connect to one or more storage pools. There is no limit on the number of nodes in a migration zone, and nodes can be added or removed from a migration zone without any impact on running applications. For a migration zone to support application instances, it must be connected to at least one storage pool. The resources in a migration zone must also be allocated to at least one virtual datacenter before they can be used to run application instances. Application instances can migrate among nodes within a migration zone, but cannot migrate to nodes outside of a migration zone.
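The placement rules from the Compute Categories and Tags and Migration Zones sections can be modelled in a few lines of Python. This is an added example, not Cloudistics code and not the Ignite API: every class, function, node, zone, pool and VDC name is hypothetical, the inventory is constructed, and the model assumes an instance may only use a zone that has an allocation to the instance's own virtual datacenter.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Node:
    name: str
    category: str            # each node belongs to exactly one category
    tags: FrozenSet[str]     # a node may carry any number of tags
    zone: str                # a node belongs to one migration zone


@dataclass(frozen=True)
class Zone:
    storage_pools: FrozenSet[str]   # pools the zone is connected to
    vdcs: FrozenSet[str]            # VDCs the zone's resources are allocated to


@dataclass(frozen=True)
class Profile:
    """Hypothetical stand-in for an instance's resource profile."""
    zone: str
    vdc: str
    tags: FrozenSet[str] = frozenset()
    category: Optional[str] = None   # optional category restriction


def zone_usable(zones: Dict[str, Zone], zone_name: str, vdc: str) -> bool:
    """A zone can run instances only with >= 1 storage pool and a VDC allocation."""
    zone = zones.get(zone_name)
    return zone is not None and bool(zone.storage_pools) and vdc in zone.vdcs


def eligible_nodes(profile: Profile, nodes: List[Node],
                   zones: Dict[str, Zone]) -> List[str]:
    """Nodes inside the zone that carry ALL requested tags (and the category, if set)."""
    if not zone_usable(zones, profile.zone, profile.vdc):
        return []
    return sorted(
        n.name for n in nodes
        if n.zone == profile.zone                      # zone is a hard boundary
        and profile.tags <= n.tags                     # subset test: all tags present
        and (profile.category is None or n.category == profile.category)
    )


def failover_target(profile: Profile, nodes: List[Node],
                    zones: Dict[str, Zone], failed: str) -> Optional[str]:
    """Pick another eligible node after `failed` goes down; never leave the zone."""
    candidates = [n for n in eligible_nodes(profile, nodes, zones) if n != failed]
    return candidates[0] if candidates else None


# Constructed inventory: two tenant zones plus a zone with no storage pool.
NODES = [
    Node("n1", "standard", frozenset({"pci", "highmem"}), "bank-a"),
    Node("n2", "standard", frozenset({"pci"}), "bank-a"),
    Node("n3", "dense", frozenset({"pci", "highmem"}), "bank-a"),
    Node("n4", "standard", frozenset({"pci", "highmem"}), "gov-b"),
    Node("n5", "standard", frozenset({"pci", "highmem"}), "staging"),
]
ZONES = {
    "bank-a": Zone(frozenset({"pool-1"}), frozenset({"vdc-bank"})),
    "gov-b": Zone(frozenset({"pool-2"}), frozenset({"vdc-gov"})),
    "staging": Zone(frozenset(), frozenset({"vdc-bank"})),
}

if __name__ == "__main__":
    want = frozenset({"pci", "highmem"})
    strict = Profile("bank-a", "vdc-bank", want, category="standard")
    print(eligible_nodes(Profile("bank-a", "vdc-bank", want), NODES, ZONES))
    # n4 matches tags and category but sits in gov-b, so it is never a target.
    print(failover_target(strict, NODES, ZONES, failed="n1"))
```

The strict profile has no failover target even though n4 matches its tags and category, because n4 sits in another migration zone.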

Storage Concepts

In Ignite, storage concepts consist of:

• Storage Blocks

• Storage Pools

Storage Blocks

In Cloudistics Ignite a storage block represents the physical storage resources that can be used by application instances. The storage block hardware consists of a set of two storage controllers and one or two storage sleds, all housed in a storage chassis. The Ignite management console displays a representation of each storage block, including controllers and sleds. Two types of storage block configurations are available in Cloudistics as described in this topic: Types of Optimized Storage Blocks.

Storage Block represented in Ignite

Storage Pools

A storage pool is a federation of storage blocks and aggregates the capacity of all constituent blocks. A storage pool’s capacity is allocated to virtual datacenters for use by applications. A storage pool also contains a single template store that can be used by all virtual datacenters with allocations to that storage pool. When an application is deployed in a virtual datacenter it requests capacity (for each of its disks) from the storage pools allocated to that virtual datacenter.

Storage Pool represented in Ignite

Types of Optimized Storage Blocks

Two types of storage block configurations are available for the Cloudistics platform:

• Space-optimized storage blocks (SOSB) - This type of storage block has compression and deduplication enabled to maximize storage consumption.

• Performance-optimized storage blocks (POSB) - This storage configuration enables maximum performance and throughput. These storage blocks do not have compression and deduplication enabled, which results in higher I/O throughput and lower latency (albeit at the expense of higher storage consumption).

NOTE:

The space and performance characteristics of storage blocks are determined at the time your hardware stack is installed. It is not possible to convert a SOSB storage block to POSB, or vice versa, once the storage block has been installed.

Recommendations for Using Optimized Storage

A Cloudistics stack can contain all SOSBs, all POSBs, or a combination of the two. In a mixed configuration, you should place the SOSBs and POSBs in separate storage pools. You can allocate disks from the POSB storage pool for workloads with high throughput and low latency demands. For a workload with different I/O demands on different files, it is a good idea to allocate files with higher performance demands on disks created from a POSB pool and the rest on storage disks from a SOSB pool. This approach enables good overall workload performance and storage savings. For example, an online transaction processing database performs significant read-and-write operations on the temp database and significant writes on the transaction logs. The performance of these two database components greatly impacts the overall database performance. In this case, it is a good idea to place database files for temporary database and transaction logs on disks created from a POSB pool.

The SOSBs are manufactured with a projected dedup/compression storage savings ratio. These storage blocks typically show a higher virtual capacity than the physical one. See an example below.


Example Storage-Optimized Storage Blocks

In this example, the physical usable capacity is 2.52 TiB, while the projected virtual capacity is 26.15 TiB.

The POSBs are manufactured without deduplication and compression, and therefore, the projected virtual capacity and the physical capacity are the same. See an example below.

Example Performance-Optimized Storage Blocks

Networking Concepts

When creating and deploying applications, you will select the network mode as eitherVLAN or VNET. Cloudistics allows you to take advantage of your existing virtual LANs(VLANs) or create new VLANs for use in the Cloudistics stack. You also have the option toset up virtual networks (VNETs) for deploying applications. Each vNIC on an applicationinstance can be configured to use any VLAN or virtual network that has access to thevirtual datacenter where the instance is deployed.

VLAN

A virtual LAN (Local Area Network) is a logical subnetwork that groups together devices from different physical LANs without having to run new cables or make changes in current infrastructure. VLANs are often set up to re-partition a network for better traffic management.

Cloudistics offers site-specific bridged networks based on VLAN tagging for use by application instances. Infrastructure administrators can create VLAN-tagged bridged networks, each tied to a specific site. When an application instance uses these VLAN networks, traffic from those instances is tagged with the VLAN ID.

VNET

You can deploy applications in a secure and micro-segmented virtual network (VNET) with just a few clicks. Cloudistics allows application instances to migrate seamlessly among compute nodes without changing their networking configurations and makes networks as easy to manage as compute and storage, leading to true datacenter agility. Each VNET supports network function virtualization services such as firewalls and DHCP.

VNETs can stretch across multiple migration zones. If the migration zones are located on a single site, VNETs operate at line rates. In situations where the migration zones span multiple sites, traffic between instances running in those migration zones is encapsulated, which enables you to start instances in a disaster recovery (DR) location without changing IP settings.

When you create a VNET, the Cloudistics Ignite management console manages all DHCP and firewall services via an auto-deployed application instance called the network function virtualization (NFV) or NFV instance. There is one NFV instance per VNET. This NFV instance acts like any application instance in your cloud infrastructure. It resides in a virtual datacenter and consumes migration zone and storage pool resources. It uses the gateway IP address for your VNET. You can also choose to use your own custom NFV instances to deploy VNETs for capabilities like load balancing.

Virtual Datacenters

In your Cloudistics infrastructure, applications are deployed in virtual datacenters. A virtual datacenter is a logical grouping of compute and storage resources allocated from one or more migration zones and one or more storage pools, usually to a business unit in an organization. In the Cloudistics environment, the virtual datacenter is the ultimate organizing construct to manage allocations and give you visibility into your infrastructure. You can create specific datacenters for your users that include the precise allocation of compute, storage, and network resources they need. Your users can allocate storage and create as many applications as they need without assistance from a storage or virtualization admin. It’s easy to set up and makes cloud administration easy.

A virtual datacenter must have compute and storage allocations and permission to networks before it can be used to deploy application instances. The compute and storage allocations must come from connected resources. You can specify the connectivity among migration zones and storage pools; an application can run in a migration zone that is connected to a storage pool on which it is provisioned in the virtual datacenter. You also define the compute allocation you need in the virtual datacenter; at the physical level, you define compute resources into categories and tags, but how those resources are used is dictated at the virtual datacenter level.

When creating a virtual datacenter in Ignite, you allocate CPU and memory from one or more Migration Zones to the virtual datacenter, and you can allocate the CPU and memory based on categories you previously defined.

The Ignite dashboard displays the total and available resources in your infrastructure to help you decide how many resources to allocate to your virtual datacenters. This makes it easy to change properties on-the-fly, for example, to increase computing power or storage capacity for your virtual datacenter as needed.

Ignite Dashboard

Self Service

Cloudistics offers role-based access control and access management for administrators of Cloudistics Ignite. Cloudistics uses the construct of Virtual Datacenters as partitions to abstract away hardware, networks, storage, and capacity into logical groups of resources. Administrators are granted access to resources in each virtual datacenter. An Infrastructure Administrator can apportion resources of the private cloud into virtual datacenters and delegate administration rights and privileges to those virtual datacenters.

Refer to the following topics.

• Types of Users
• Ignite User Management
• On-premises User Management
• Types of Roles

Types of Users

Users can be one of three types, depending on the type of Cloudistics deployment.

• Cloudistics SaaS portal users. These users are created, managed, and authenticated directly via the Cloudistics SaaS portal.
• Cloudistics on-premises management portal users: On-premises Ignite users. These users are created, managed, and authenticated via the on-premises management portal.
• Cloudistics on-premises management portal users: On-premises LDAP/AD users. These users are created, managed, and authenticated via LDAP/AD.

Ignite User Management

An Ignite Infrastructure Admin role can configure other Ignite admin users and assign them to one of five roles. The following conditions apply to Ignite users:

• An Ignite user cannot remove themselves from an organization; only another Ignite Infrastructure Admin of that organization can perform this operation.
• An Ignite user cannot change their own access level; only another Ignite Infrastructure Admin of that organization can perform this operation.
• Deployments with the Cloudistics SaaS management portal can only have Ignite users.

On-premises User Management

On-premises Users

All deployments with an on-premises management portal require at least one on-premises Infrastructure Admin.

An on-premises Infrastructure Admin can invite and manage other on-premises users.

An on-premises Infrastructure Admin can set up and configure LDAP/AD authentication for the organization.

LDAP/AD Configuration and Management

LDAP/AD authentication is available to on-premises deployments.

• A one-time setup in which the organization’s LDAP/AD credentials are entered and verified is required.
• Cloudistics looks for, and syncs with, LDAP groups periodically and every time a user attempts to authenticate using their LDAP credentials.
• An Infrastructure Admin role authenticated via LDAP does not have capabilities to create or manage on-premises users or manage the organization.

See this topic for more information about LDAP setup and configuration.

Types of Roles

For a given organization, an Ignite user can belong to one of the following roles:

• Infrastructure Admin – Has full access to the infrastructure and all virtual datacenters. An Ignite Infrastructure Admin can configure other Ignite users and assign them to one of the five roles.
• Infrastructure Viewer – Has read-only access to the infrastructure and all virtual datacenters. This user can also create API tokens.
• VDC Manager – Has full access to selected virtual datacenters.
• VDC Viewer – Has read-only access to selected virtual datacenters.
• No Access – A user with no access (that is, a "staged" user). This role is not available in organizations with LDAP/AD authentication.

NOTE:

In the case of users authenticated via LDAP/AD, if a user is assigned to multiple roles (groups), the role with the highest level of permissions is selected for a given organization. The levels of access, highest to lowest, are: Infrastructure admin > VDC manager > Infrastructure viewer > VDC viewer.
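The precedence rule in this note, applied as an access review. This is an added example, not part of the Cloudistics guide or product: only the role names and their ordering come from the guide, while the group names, the group-to-role mapping, the directory export and the approved-role record are constructed for illustration.

```python
# Added example: access review built on the role precedence in the guide's note.
# Role names and their order come from the guide; everything else is constructed.

# Highest to lowest, as stated in the note.
ROLE_PRECEDENCE = [
    "Infrastructure Admin",
    "VDC Manager",
    "Infrastructure Viewer",
    "VDC Viewer",
]
RANK = {role: position for position, role in enumerate(ROLE_PRECEDENCE)}

# Hypothetical LDAP/AD group names mapped to roles (assumption, not product config).
GROUP_TO_ROLE = {
    "ignite-infra-admins": "Infrastructure Admin",
    "ignite-vdc-managers": "VDC Manager",
    "ignite-infra-viewers": "Infrastructure Viewer",
    "ignite-vdc-viewers": "VDC Viewer",
}

# Constructed directory export: user -> group memberships.
DIRECTORY = {
    "alice": ["ignite-infra-admins"],
    "bob": ["ignite-vdc-viewers", "ignite-infra-admins"],
    "carol": ["ignite-infra-viewers", "ignite-vdc-managers", "staff"],
    "dave": ["staff"],
}

# Constructed record of the role each user was approved for.
APPROVED = {
    "alice": "Infrastructure Admin",
    "bob": "VDC Viewer",
    "carol": "VDC Manager",
}


def effective_role(groups, group_to_role=GROUP_TO_ROLE):
    """Return (selected_role, masked_roles) for one user's group list."""
    roles = {group_to_role[g] for g in groups if g in group_to_role}
    if not roles:
        return None, []
    # The role with the highest level of permissions wins.
    selected = min(roles, key=RANK.__getitem__)
    # Every other mapped role is held but has no effect while the winner exists.
    masked = sorted(roles - {selected}, key=RANK.__getitem__)
    return selected, masked


def review(directory, approved):
    """Return (user, finding_code, detail) tuples for an access review."""
    findings = []
    for user in sorted(directory):
        selected, masked = effective_role(directory[user])
        if selected is None:
            findings.append((user, "NO_MAPPED_ROLE", "member of no role group"))
            continue
        wanted = approved.get(user)
        if wanted is None:
            findings.append(
                (user, "UNAPPROVED", f"holds {selected} with no approval on record"))
        elif RANK[selected] < RANK[wanted]:
            findings.append(
                (user, "EXCEEDS_APPROVAL", f"approved {wanted}, resolves to {selected}"))
        if masked:
            # Removing the winning group would silently fall back to these roles.
            findings.append(
                (user, "MASKED_MEMBERSHIP", f"{selected} hides {', '.join(masked)}"))
    return findings


if __name__ == "__main__":
    for user, code, detail in review(DIRECTORY, APPROVED):
        print(f"{user:6} {code:18} {detail}")
```

Because only the highest role applies, one stray group membership is enough to raise a user's access, and lower-ranked memberships stay invisible until the higher one is removed; the review reports both cases.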

See the following sections for more detailed descriptions of the permissions for these roles.

Infrastructure Admin

This role has the most expansive permissions and is responsible for creating and managing all aspects of a Cloudistics Ignite installation. Specifically, this role has the following capabilities.

• Physical infrastructure capabilities:
    • Create and manage organizations.
    • Set up and manage physical sites (geographic locations) of an organization.
    • Register and manage hardware across all sites, including routers, compute nodes, and storage blocks.
    • Specify and manage physical (underlay) networks (reserved VLAN tags for management networks and bridged VLAN networks for application instances) and their permissions, gateways, and routing.
    • Classify hardware using compute categories and tags.
    • Use support mode to troubleshoot issues or contact Cloudistics.

• Software-defined resource pool capabilities:
    • Create and manage migration zones.
    • Create and manage storage federation via storage pools.
    • Manage connectivity among migration zones and storage pools.
    • Create and manage virtual (overlay) networks, their ranges, gateway settings, firewall profiles, and routing options.
    • Create and manage virtual datacenters.
    • Allocate and manage compute and storage resources from one or more sites to virtual datacenters.
    • Specify virtual and bridged networks accessible to virtual datacenters. Note: The virtual datacenter in which a virtual network (VNET) NFV instance is running will automatically have access to that VNET.
    • Specify users and their level of access for each virtual datacenter.

• User management capabilities:
    • For customers using the Cloudistics SaaS management portal: invite and manage Ignite users of an organization.
    • For customers with the on-premises Ignite management portal: invite and manage on-premises and LDAP/AD users.

• Application template management capabilities:
    • Manage an organization’s template marketplace. Templates in this marketplace are accessible by all virtual datacenters.
    • Copy or move templates between a virtual datacenter’s marketplace and the organization marketplace. (Templates in a virtual datacenter marketplace are only accessible to that virtual datacenter’s users.)
    • Create organization or virtual datacenter templates from application instances.
    • Download templates from the Cloudistics marketplace to the organization’s or a virtual datacenter’s marketplace.

• Application instance management capabilities:
    • Deploy and manage applications inside virtual datacenters.
    • View all instances across the infrastructure.
    • Filter instances by hardware, resource pool, virtual, and application constructs (node, migration zone, storage pool, network, running, unresponsive, paused, and shutdown).
    • Perform bulk actions (start, restart, delete, shutdown, force shutdown) on instances.
    • Create and manage application groups in a virtual datacenter.
    • Create and manage application firewall overrides in a virtual datacenter.
    • Leverage Disaster Recovery (DR) replication if a virtual datacenter has storage allocations from two or more sites.

• Developer option management capabilities:
    • Create and manage their own developer API tokens.
    • View and delete obfuscated versions of all API tokens of all roles in the organization.

NOTE:

An LDAP/AD Infrastructure Admin can view and delete the API tokens of an Ignite Infrastructure Admin, and vice versa.

VDC Manager

Users in this role have permissions to consume resources of virtual datacenters assigned to them. A user can be assigned the role of a VDC manager for multiple virtual datacenters. Users in this role are self-sufficient from an application deployment perspective, as long as their utilization is within the allocations of the virtual datacenter.

NOTE:

Virtual datacenter templates are not counted towards this utilization. This capability is planned for a future release. If the user runs out of resources allocated to the virtual datacenter, they should contact the Infrastructure Admin as allocations of a virtual datacenter can only be modified by the Infrastructure Admin role.

Specifically, this role has the following capabilities.

• Application template management capabilities:
    • Use templates from the organization’s and virtual datacenter’s marketplace to deploy applications.
    • Create templates in the virtual datacenter marketplace from application instances in a virtual datacenter. (These templates are accessible to users in that virtual datacenter only.)
    • Download templates from the Cloudistics marketplace to the virtual datacenter marketplace.

• Application instance management capabilities:
    • Deploy and manage applications inside assigned virtual datacenters. Note: If a virtual network (VNET) NFV instance is running in the virtual datacenter, this role can modify the NFV instance and may indirectly impact the VNET properties. They cannot, however, directly edit a VNET's properties.
    • View all instances across all assigned virtual datacenters.
    • Filter instance views by application status (running, unresponsive, paused, and shutdown).
    • Perform bulk actions (start, restart, delete, shutdown, force shutdown) on instances.
    • Create and manage application groups in a virtual datacenter.
    • Leverage Disaster Recovery (DR) replication if a virtual datacenter has storage allocations from two or more sites.
• User management capabilities:
    • View other VDC manager and VDC viewer users of the virtual datacenter.

NOTE:

This role does not have a listing of all Infrastructure Admins and Viewers.

NOTE:

Although this role will not see a list of all infrastructure-level roles, they will get notifications with username and role for actions initiated by Infrastructure Admins, if those actions pertain to their virtual datacenter.

Infrastructure Viewer

This role has the same visibility as the Infrastructure Admin but does not have the capabilities to act on any of the objects in the infrastructure. Specifically, this role has the following capabilities.

• Physical infrastructure capabilities:
    • View organization details.
    • View physical sites (geographic locations) of an organization.
    • View hardware properties and health.
    • View physical (underlay) networks (reserved management networks and bridged networks, and their associated VLAN tags), gateways, and routing.
    • View compute categories and tags.
• Software-defined resource pools capabilities:
    • View migration zone properties and utilization.
    • View storage pool properties and utilization.
    • View connectivity among migration zones and storage pools.
    • View virtual (overlay) networks, their ranges, gateway settings, and routing options.
    • View VNET firewall profiles.
    • View virtual datacenter properties, allocations, utilization, and users.
• User management capabilities:
    • View all users and their permissions.
    • View LDAP/AD configuration settings, if available.
• Application template management capabilities:
    • View templates in the Cloudistics marketplace.
    • View templates in the Organization marketplace.
    • View templates in virtual datacenter marketplaces.
• Application instance management capabilities:
    • View all instances across the infrastructure.
    • View applications inside virtual datacenters.

    • Filter instances by hardware, resource pool, virtual, and application constructs (node, migration zone, storage pool, network, running, unresponsive, paused, and shutdown).
    • View application groups in a virtual datacenter.
• Developer option management capabilities:
    • Create and manage their own developer API tokens.
    • View obfuscated versions of all API tokens of all roles in the organization.

VDC Viewer

This role has the same visibility as the VDC manager but does not have the capabilities to act on any of the objects in the virtual datacenter. Specifically, this role has the following capabilities:

• Application template management capabilities:
    • View templates in the organization’s marketplace.
    • View templates in the virtual datacenter marketplace.
• Application instance management capabilities:
    • View applications inside assigned virtual datacenters.
    • View all instances across all assigned virtual datacenters.
    • Filter instance views by application status (running, unresponsive, paused, and shutdown).
    • View application groups in a virtual datacenter.
    • View Disaster Recovery (DR) status of applications.
• User management capabilities:
    • View other VDC manager and VDC viewer users of the virtual datacenter.

No Access

This role acts as a staging role as a user transitions from one access level to another. This role has no access to functionality in the organization. However, a user in this role does have the ability to update their own user account details (that is, username, password, and so on).

NOTE:

When a user is assigned this role, any existing API tokens for the user will be saved, but all access levels will be removed. The API tokens will regain their access levels when the user is transitioned to any of the other four roles.

NOTE:

No notifications about the organization will be sent to users of this role, but their notification settings will be preserved. The only notifications this user will receive are those pertaining to their account (such as password changes, mobile number updates, and so on).

Application Concepts

Application concepts consist of:

• Application Instances
• Application Templates
• Application Marketplace
• Template Store

Application Instances

An application instance is one or more virtual machines (VMs) grouped together to provide a particular set of software capabilities for a user. Application instances are deployed within a virtual datacenter.

In Ignite you have four ways to create and deploy application instances:

• Create from template - Use a pre-defined template to quickly create and deploy an application instance.

NOTE:

A number of pre-defined templates are available for download from the Cloudistics Application Marketplace.

• Import from VMDK or VHD - Import a VMDK or VHD file and save it as a template.
• Create from installer - Use an ISO file to create a new application instance. (Live DVDs are not supported.)
• Create from a snapshot – Use an existing local or DR snapshot of an application to start a new instance.

Application Templates

An application template is a "gold master" sys-prepped image of an application instance. Templates facilitate easy and instantaneous creation of application instances; a single template can be used to create any number of instances. In Ignite, you can create application templates in the following ways:

• Create a new template from an existing application instance.
• Import a VM from a VMDK or VHD and save it as a template. (Only non-sysprep'ed disks can be imported.)
• Download a template from the Cloudistics Application Marketplace.

Application Marketplace

The Cloudistics Application Marketplace makes it easy to search, select, purchase, and deploy cloud applications and services in minutes. It includes both public and private pre-built, ready-to-run, and reusable application virtual machine templates that can be deployed instantly. As the name suggests, the private marketplace is available and accessible to the specific customer. As an example, you can easily download and create instances and customize your private marketplace with custom applications or import existing application images from VMware or Microsoft Hyper-V.

Cloudistics Application Marketplace

The Cloudistics Application Marketplace includes many popular applications such as Chef, Cloudera, Docker, Splunk, Hadoop, Hortonworks, Pivotal, Puppet, Netscaler, OwnCloud, Prometheus, freeNAS, CentOS, Windows and Linux operating systems. You simply download and create instances just like using the public cloud. Customize your private marketplace with custom applications or import your own (for example, vmdk, vhd, vhdx, ova, raw, img, qed or qcow2).

Template Store

Templates, whether created internally or downloaded from the marketplace, are stored in the template store in Ignite. The template store is a portion of a storage pool; and, as such, it is a local, private storage space that can only be accessed by users within your organization.

Cloudistics has three types of template repositories: the Application Marketplace; the organization's template store, which is a repository of templates accessible to anyone in a given organization, irrespective of which Storage Pool they are stored in (they are copied over to the local Storage Pool as needed); and an individual virtual datacenter template store for each virtual datacenter. For virtual datacenter template stores, templates are only stored in the Storage Pools that have allocation to that virtual datacenter.

Security and Compliance

Security is a critical, integral component of Cloudistics. Our security approach helps our customers alleviate the burden of worrying about security so that they can focus on creating and consuming applications that drive business strategy. Some of the key features and benefits of the Cloudistics security implementation include:

• Micro-segmentation
• Distributed firewalls
• Application security profiles
• SaaS-based management
• Multi-tenancy
• Secure control plane
• Data-at-rest encryption
• Government standards compliance
• Two-factor authentication
• Security testing

Micro-segmentation

Traditional purpose-built networks offer perimeter-based protection, but they cannot guard against threats that may exist within the network. Cloudistics delivers highly granular security controls using micro-segmentation on a per-application basis. Micro-segments offer complete isolation of each micro-segment from all other micro-segments and provide a zoned defense on a per-application basis.

With the ability to set up micro-segments within minutes, Cloudistics combines ease of use with high levels of control, limiting any effects of application exploits to an application’s micro-segment.

Distributed firewalls

Cloudistics employs distributed firewalls for added security. As the name suggests, distributed firewalls are deployed across the platform on all compute nodes. With distributed authorization, rather than a single, traditional firewall, network traffic is no longer evaluated only at one point on the network but is evaluated or authorized at every network endpoint.

Application security profiles

Application security profiles are defined via a combination of micro-segmentation and distributed firewalls. While firewall security policies allow or block traffic on a given micro-segment (or VNET), application security profiles layer in ‘allow but scan’ rules on top of firewall policy, which invoke scanning of authorized applications for threats, such as viruses, malware, spyware, and DDoS attacks.

SaaS-based management

The Cloudistics platform is managed by a single, secure SaaS portal, the Ignite Cloud Controller. Cloudistics separates the management services from on-premises infrastructure to deliver increased business agility with greater flexibility and speed of service provisioning. Unlike other management systems, the Ignite Cloud Controller maximizes security by leveraging an ‘inbound-only’ approach. This way you are not required to open any inbound firewall ports; only outbound ports. All communication is initiated from the on-premises infrastructure in your datacenter to the SaaS portal by using SSL and TLS encryption. Upon authentication, the SaaS portal communicates back with the on-premises infrastructure. Importantly, the SaaS portal does not hold any sensitive customer data, which protects on-premises infrastructure and data.

Multi-tenancy

The Cloudistics platform simultaneously offers both logical and physical multi-tenancy. Multi-tenant partitions are created by using virtual datacenters. Virtual datacenters use authentication, authorization, and role-based access control to create the logical partition between tenants on the shared platform. For physical multi-tenancy, Cloudistics uses “migration zones,” compute categories, and compute “tags,” which apportion physical partitions for true isolation of individual tenants.

Secure control plane

The control plane uses industry-standard secure and encrypted communication between the Ignite cloud controller and the infrastructure (storage, compute, and network). This secure method provides confidentiality, integrity, and authentication through encrypted channels. Control plane encryption protects against “man-in-the-middle” and other attacks that could compromise network security.

Data-at-rest encryption

To enable businesses to safeguard their data to meet their organizational security and compliance requirements, Cloudistics encrypts all data residing in the storage pool by default. All data residing in the storage pool is automatically encrypted prior to persisting to storage and is decrypted prior to retrieval. Encryption, decryption, and key management are transparent to users. Additionally, customers seeking to achieve NIST FIPS 140-2 Level 2 compliance have the option of using a KMIP-compliant key management service to manage encryption keys.

Government standards compliance

Cloudistics automatically secures each customer’s platform to the highest standards. The Cloudistics Spark Guardian Edition powered by Red Hat is accredited and validated to meet government compliance standards, including:

• Common Criteria (CC)
• FIPS 140-2
• Secure Technical Implementation Guidelines (STIG)
• USGV6 (DOD IPv6)
• USGv6 Tested Product List
• TAA

Additionally, Cloudistics is compliant with HIPAA-specific policies, procedures, and safeguards to protect client data and PHI, in accordance with HIPAA guidelines.

Two-factor authentication

Cloudistics uses two-factor authentication (2FA) security measures to prevent unauthorized access to user accounts in the SaaS management portal. By requiring more than one factor during the authentication process, there is increased assurance the user’s access is authorized.

Security testing

Cloudistics uses a third-party security audit organization to perform regular penetration testing to ensure critical security tests are performed by experienced and skilled auditors from outside the company. Each audit helps determine the extent of vulnerabilities not detected through regular in-house audits. These audits also gauge the adequacy of incident management procedures and performance of the incident management team.