h10526 Emc Caas Ito Vblock Vcd (1)

White Paper

EMC Solutions Group

Abstract

This white paper explores the integration of cloud technology components into a Compute-as-a-Service platform that enables service providers to deploy and manage cloud-based services, and tenants to adopt and customize those services into their business.

February 2012

EMC COMPUTE-AS-A-SERVICE EMC Ionix IT Orchestrator, VCE Vblock Infrastructure Platforms, VMware vCloud Director

• Automate provisioning of infrastructure services

• Introduce new services with an integrated framework

Copyright © 2012 EMC Corporation. All Rights Reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided “as is.” EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

EMC2, EMC, RSA, the EMC logo, and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries.

ESX, ESXi, VMware, VMware vCenter, VMware vCloud, VMware Service Manager, VMware vShield, and VMware vSphere are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions.

All other trademarks used herein are the property of their respective owners.

Part Number H10526

2 EMC Compute-as-a-ServiceEMC Ionix IT Orchestrator, VCE Vblock Infrastructure Platforms, VMware vCloud Director


Table of contents

Executive summary ............................................................................................................................. 5 Business case .................................................................................................................................. 5

Solution overview ............................................................................................................................ 5

Key benefits ..................................................................................................................................... 6

Introduction ....................................................................................................................................... 7 Purpose ........................................................................................................................................... 7

Scope .............................................................................................................................................. 7

Audience.......................................................................................................................................... 7

Terminology ..................................................................................................................................... 7

CaaS overview .................................................................................................................................... 8 What is Compute-as-a-Service? ........................................................................................................ 8

Self-service portals ...................................................................................................................... 8

Orchestration tools ...................................................................................................................... 9

Secure multi-tenant-enabled shared environment ....................................................................... 9

The six design principles of CaaS ................................................................................................... 10

High availability and protection ................................................................................................. 10

Secure separation ..................................................................................................................... 11

Security and compliance ........................................................................................................... 11

Service assurance, metering, and billing ................................................................................... 12

Tenant management and control ............................................................................................... 12

Service provider management and control ................................................................................. 13

Summary ................................................................................................................................... 13

EMC Ionix IT Orchestrator ................................................................................................................. 14 Overview ........................................................................................................................................ 14

Adapters ........................................................................................................................................ 15

Design Studio ................................................................................................................................ 15

EMC Ionix Unified Infrastructure Manager ......................................................................................... 17 Overview ........................................................................................................................................ 17

Service catalog and service offerings ............................................................................................. 17

VMware vCloud Director .................................................................................................................... 19 Overview ........................................................................................................................................ 19

Compute resources ........................................................................................................................ 19

Networks and security .................................................................................................................... 21

Network pools ................................................................................................................................ 22

Network models ............................................................................................................................. 23

EMC Compute-as-a-ServiceEMC Ionix IT Orchestrator, VCE Vblock Infrastructure Platforms, VMware vCloud Director

4

VMware vShield and vShield Edge ................................................................................................. 23

Application Programming Interfaces ................................................................................................. 24 Overview ........................................................................................................................................ 24

EMC Ionix UIM API .......................................................................................................................... 25

VMware vCloud API ........................................................................................................................ 26

VMware vSphere APIs .................................................................................................................... 27

VIX API ........................................................................................................................................... 28

VMware Service Manager API ......................................................................................................... 28

VMware vShield API ....................................................................................................................... 29

VMware vCenter Chargeback API .................................................................................................... 29

Use cases with EMC Ionix IT Orchestrator ......................................................................................... 30 Use case #1: Onboarding a new customer ...................................................................................... 30

Use case #2: Commissioning a vApp .............................................................................................. 36

Use case #3: Decommissioning a vApp .......................................................................................... 39

Conclusion ....................................................................................................................................... 40 Summary ....................................................................................................................................... 40

About EMC Proven Solutions .......................................................................................................... 40

Take the next step .......................................................................................................................... 40

References ....................................................................................................................................... 41 EMC documentation ....................................................................................................................... 41

Executive summary

Cloud computing enables service providers to seamlessly deliver infrastructure services to customers, while reducing power consumption, saving space, maintaining reliability, and reducing the overall cost to serve. A Compute-as-a-Service (CaaS) architecture based on EMC technology helps IT service providers offer customized services to their end users that meet their business needs.

Business case

Today, service providers face several challenges in delivering services to their clients. In particular, they need to consolidate the inefficient and disparate infrastructures typically associated with existing hosting and service offerings. They also need an alternative to existing dedicated, siloed compute offerings. Service providers can offer cloud compute services as a solution to these challenges, while integrating customer service catalogs into an easy-to-deploy platform.

EMC CaaS solutions provide service providers with a flexible platform that enables the creation of new revenue streams and delivery of additional value-added services. Customers benefit from their service provider’s ability to meet published service-level agreements (SLAs) and quickly create new services in anticipation of changing business requirements.

To realize the promise of CaaS offerings, service providers and consumers must overcome a number of challenges. EMC CaaS solutions are uniquely designed to address these complexities:

• Establish a baseline compute offering, while also providing enterprise-grade services.

• Consolidate the inefficient, siloed infrastructures typically associated with earlier as-a-service offerings.

• Provide the necessary security and data protection reassurance to end users that helps accelerate cloud-service adoption.

• Reduce the complexity in managing the end-to-end service lifecycle of CaaS customers.

• Accelerate the time to market for new, compute-based, as-a-service offerings.

EMC CaaS solutions enable service providers to build an enterprise-grade, scalable, multi-tenant platform for complete management of the compute service lifecycle. EMC CaaS provides on-demand access to, and control of, network bandwidth, servers, storage, and security, while maximizing asset utilization. Specifically, EMC CaaS integrates all these CaaS key elements:

Solution overview

• Self-service portal for end-user and administrative provisioning

• Service catalog of available compute services

• Rapid, precise, automated service provisioning

• Multi-tenancy, capable of monitoring, reporting, and billing

• IT-as-a-Service (IaaS) framework on which service providers can build additional as-a-service offerings


Key solution components include:

• EMC® Ionix™ IT Orchestrator—Offers service providers a scalable, high-performance enterprise solution to orchestrate and automate their public cloud services.

• EMC Ionix Unified Infrastructure Manager (UIM)—UIM is a cross-element discovery and provisioning tool, with an API that provides context-sensitive access to the underlying infrastructure. UIM has two components: UIM/Provisioning (UIM/P) and UIM/Operations (UIM/O).

• EMC RSA product suite—Combines business-critical controls in identity assurance, encryption and key management, SIEM (security information and event management), data loss prevention, and fraud protection.

• VMware Service Manager™—VMware Service Manager is a fully integrated IT service management solution with all the process capabilities you need to deliver and support IT.

• VCE Vblock® Infrastructure Platforms —Vblock Infrastructure Platforms combine industry-leading compute, network, storage, virtualization, and management technologies into prepackaged units of infrastructure.

• VMware vCenter™ Chargeback Manager™—Customizes cost models for the processes and policies of different organizations. Integration with VMware vCloud™ Director enables automated chargeback for private cloud environments.

• VMware vCloud Director—Manages the virtual compute environment, combined with vCloud Connector for hybrid- or multi-cloud management. Consolidates data centers, deploys workloads, and provides security on shared infrastructure along with VMware vShield™.

• VMware vSphere™—VMware vSphere is the industry’s most complete, scalable and powerful virtualization platform, delivering the infrastructure and application services that organizations need to transform their information technology and deliver Compute-as-a-Service.

The key benefits of a CaaS architecture are: Key benefits

• Service providers and enterprises can automate the provisioning and deployment of infrastructure services.

• Service providers can accelerate the time to deploy new services, leveraging an architecture that integrates management, orchestration, compute, storage, and network resources.

• The solution provides a foundation for additional services like backup and data protection, and increased agility in business processes through easy and fast provisioning of required resources.


Introduction

This white paper explores the integration of cloud technology components into a CaaS platform that allows:

Purpose

• Service providers to deploy and manage cloud-based services

• Customers to adopt and customize those services into their business

This white paper discusses multiple EMC products and products from other vendors. General configuration and operational procedures are outlined. For detailed product installation information, refer to the relevant product documentation.

Scope

This white paper is intended for EMC employees, partners, and customers, including IT planners, virtualization architects and administrators, and any others involved in evaluating, acquiring, managing, operating, or designing a CaaS infrastructure environment using EMC technologies.

Audience

It is assumed that the reader is familiar with the concepts and operations related to virtualization technologies and their use in a cloud infrastructure.

This paper includes the following terminology. Terminology

Table 1. Terminology

Term Definition

API Application Programming Interface—a source code based specification intended to be used as an interface by software components to communicate with each other.

CMDB Configuration Management Database.

Organization In the context of this white paper, an organization is a tenant being hosted by the service provider.

Service Catalog A CaaS catalog is a list of products or services available to consumers.

Tenant In the context of this white paper, a tenant is a customer of a service provider.

vApp A logical entity composed of virtual machines and software applications that can be installed and managed as a unit.

Virtual data center (vDC) A virtual data center, more commonly referred to as a vDC, provides the storage, network, and compute capacity in which vApps are deployed. VMware vCloud Director has Organization vDCs and Provider vDCs.


CaaS overview

Compute-as-a-Service (CaaS) is an architecture that uses cloud infrastructure to deliver data center resources as a service rather than as a capital expenditure. Service providers can offer CaaS to customers who want a flexible, on-demand infrastructure without having to purchase, configure, or maintain it themselves.

What is Compute-as-a-Service?

Much like an electric power utility, in which end users consume and pay for power without needing to understand or maintain the component devices and infrastructure required to provide the service, customers can draw on the elastic resources that cloud computing delivers and pay for only what they need.

A CaaS environment typically consists of:

• A self-service portal

• An orchestration tool

• A secure multi-tenant-enabled shared infrastructure

Self-service portals

Self-service portals and service catalogs play a key role in a service-orientated architecture. These allow users to select what they need from a published service catalog, providing an experience similar to internet shopping.

There are various portal and service catalogs available that perform all or some of the functions required by a service provider or a customer. Cloud providers can choose to develop their own portal or integrate the cloud offering into an existing portal that they own. Choosing a portal/catalog depends on what functionality is needed, existing systems, and price, as well as other considerations.

For the discussions and use cases in this document, the Ionix IT Orchestrator integrated portal is used as a front end to enable:

• Service provider administrators to select and provision infrastructure service offerings from the EMC Ionix UIM service catalog

• Customers to select and provision vApps from the VMware vCloud Director service catalog

If the business requires additional functionality, such as seeking approval before deploying a vApp or any other additional workflows, products such as VMware Service Manager or other third-party products can provide a robust experience as well as handling both virtual and physical environments.



Orchestration tools

An orchestration tool allows you to define the workflows and operations needed to deploy the service and execute it on demand. It can automate all kinds of processes that would otherwise involve manual operations.

For example, it can automate:

• Provisioning of the server, storage, and networking

• Adding or updating a configuration item (CI) within a CMDB

• Synchronizing the resources in VMware vCenter and vCloud Director

• Provisioning the Provider vDCs and Organization vDCs

• Creating user profiles

• Opening a ticket in a service desk to track a change or log an incident

• Creating and updating billing policies

Several major orchestrators are available, such as EMC Ionix IT Orchestrator, VMware vCenter Orchestrator, and Cisco Intelligent Automation; EMC has CaaS solutions for all these technologies. In general, most orchestrators are capable of handling all or some of the same tasks. The specific choice for an environment is likely to be determined by the particular automation needs of that environment, existing components, and the plug-ins and APIs that are available to enable orchestrators to integrate with those components. The choice of orchestration tool also depends on existing skill sets and those required to successfully build complex workflows.

Secure multi-tenant-enabled shared environment

Any CaaS solution should have a systematic approach to secure separation at its core, with a necessarily heavy focus on multi-tenancy. While the underlying computing resources may be shared, tenant organizations must be confident that the logical boundaries and technical controls in the CaaS solution ensure that the highest degree of separation and security are achieved in a multi-tenanted environment.

This is achieved using a combination of multiple components within the CaaS stack, including:

• EMC Ionix IT Orchestrator

• EMC Ionix UIM

• EMC RSA product suite

• VCE Vblock Infrastructure Platforms

• VMware vCenter Chargeback Manager

• VMware vCloud Director

• VMware vShield

• VMware vSphere

Most of the products in the preceding list are used and referenced in this document. These products leverage each other’s capabilities to achieve the overall goal of providing a secure multi-tenant environment for service providers and their tenants.

The six design principles of CaaS

CaaS solutions are built on a platform of multiple industry-leading technologies that include the compute, network, security, storage, and management resources of the compute environment. For successful cloud-service delivery, CaaS solutions must adhere to the six key design principles.

The six design principles of the CaaS architecture are:

• Availability and data protection

• Secure separation

• Security and compliance

• Service assurance, metering, and billing

• Tenant management and control

• Service provider management and control

High availability and protection

The Vblock Infrastructure Platform architecture shown in Figure 1 is a fully validated, production-ready, virtualized infrastructure, built on best-of-breed offerings from EMC, VMware, and Cisco. Each hardware layer uses redundant hardware to ensure continued High Availability.

Figure 1. Highly available components of VCE Vblock Infrastructure Platform


The data within the CaaS infrastructure can be protected in several ways, using, for example, EMC Avamar®, EMC Data Domain®, or EMC Replication Manager, depending on the backup and recovery requirements.

Secure separation

VMware vCloud Director enables service providers or organizations to create virtual data centers that are composed of compute, network, and storage resources, selected from the underlying physical hardware layer. vCloud Director uses vSphere’s abstraction of the network layer as a building block. It pools and leverages these resources to enable automated, large-scale deployment while at the same time ensuring secure separation and multi-tenancy.

EMC storage arrays allow for secure separation and isolation of resources at the storage layer. Authentication can be further extended by incorporating solutions such as RSA’s identity verification and assurance technologies.

Security and compliance

Lack of visibility into the environment and the bridging of geopolitical and regulatory compliance boundaries are among the most significant security and compliance concerns impeding cloud adoption.

A service provider can help to alleviate these concerns for their tenants through the integration of vShield and RSA® enVision®, which enables the centralized logging of administrator, user, and system actions.

Further integration with RSA SecurID®, RSA Archer™, and RSA Data Loss Prevention (DLP) seamlessly extends compliance capabilities from the enterprise to the CaaS environment by enabling multi-factor authentication, compliance and audit reporting, and sensitive data discovery and remediation. Organizations can audit and demonstrate compliance with regulatory statutes and indigenous security policies. Figure 2 illustrates security and compliance life cycle management.

Figure 2. Security and compliance lifecycle management


Service assurance, metering, and billing

The service provider’s primary goal is to achieve a level of service assurance that satisfies SLA and quality assurance (QA) parameters. Exact figures for forecasting and planning environment expansion are crucial to determine the cost of the service and the prices that should be attached to it.

In general, monitoring tools provide integration across solutions by leveraging vendor-provided adapters and plug-ins. In a VMware-based public cloud environment, consider implementing VMware vCenter Operations with UIM Operations and EMC IT Operations Insight (ITOI) for monitoring and analytic-based reporting, VMware vCenter CapacityIQ for capacity planning, and vCenter Chargeback for billing.

Tenant management and control

In every cloud services model, service providers delegate some elements of control to the tenant. For some service providers, this is a matter of convenience; for others, it is a matter of security or compliance.

Tenants have the ability to create and deploy their own virtual machines or vApps from the service catalog available to them. This vApp catalog is presented to the tenant via a front-end portal, such as that available with Ionix IT Orchestrator or VMware vCloud Director. The catalog content can also be managed by the tenant themselves if required. The tenant can develop and publish their own customized applications and systems, which can then be used by other members of their organization. Figure 3 shows an example of a portal page where a tenant administrator can specify the lease duration for a vApp as it is being commissioned.

Figure 3. Tenant-in-control—manage lease of virtual machine


Service provider management and control

Providers of infrastructure services in a multi-tenant environment require comprehensive control and complete visibility of the shared infrastructure to provide the data protection, security, and service levels that their tenants expect. The ability to control, manage, and monitor resources at all levels of the infrastructure requires a dynamic, efficient, and flexible design that allows the service provider to access, provision, and then release compute resources from a shared pool quickly and easily, with minimal administrative effort. Service providers can leverage the portal provided by Ionix IT Orchestrator, VMware vCloud Director, or their own chosen portal to manage infrastructure resources and tenant organizations. Figure 4 shows a view from within vCloud Director whereby the service provider can see and administer all tenants.

Figure 4. Service provider administrative view of tenant organizations

Ionix IT Orchestrator provides abstraction of the workflow policies from the underlying infrastructure. This allows companies to leverage the latest technology and tools to effectively and efficiently cost the CaaS solution. Upgrades require a new adapter and managed element only because the policies are not contained at the tool level.

Summary

Service providers can use these six design principles of CaaS as the framework for any CaaS solution to deliver IT services through the network to their enterprise customers. The platform enables service providers to build agile, secure, available, and interoperable solutions as the foundation for the services that they provide. By reducing administrative and operational expenses and efforts in such environments, service providers can improve their current and future IT investment decisions for the service(s) they deliver.


EMC Ionix IT Orchestrator

Ionix IT Orchestrator provides a high performance, enterprise-class automation platform. Moving beyond the limits of inward-facing data center integration products and one-off custom integrations, Ionix IT Orchestrator delivers mission-critical IT process automation that fits seamlessly into today’s heterogeneous, multi-vendor IT infrastructures and orchestrates the complexity of tomorrow’s demanding environments. Ionix IT Orchestrator leverages your data center infrastructure investment, avoiding the need to rip and replace current tools and endure expensive, custom consulting engagements.

Overview

Ionix IT Orchestrator can be quickly and easily extended using its vast library of prebuilt adapters and process workflows (“Accelerators”). hese adapters are designed to accelerate the integration with third party products by providing a set of reusable workflows and code. This reduces the need to understand the products low-level API for common tasks. Figure 5 shows how Ionix IT Orchestrator fits into the overall product stack that makes up a cloud offering.

Figure 5. Ionix IT Orchestrator


Ionix IT Orchestrator uses open and flexible adapters to automate provisioning and operational tasks across nearly any type of system that can generate events, expose data, or execute actions. It includes an easy-to-use integrated development environment, pre-built workflows (or accelerators), and a large number of Information Technology Infrastructure Library (ITIL)-based adapters for third-party data center products. Ionix IT Orchestrator integrates event and alert management data with best practices for operational support processes. Figure 6 shows the vCloud adapter provided with Ionix IT Orchestrator, and some of the common tasks it contains.

Adapters

Figure 6. Example of Ionix IT Orchestrator vCloud Director adapter

The Ionix IT Orchestrator Design Studio provides an intuitive drag-and-drop interface to create and modify Ionix IT Orchestrator accelerators. Designers select from a palette of automation components, drag them onto the workspace, and use the point-and-click graphical editor to connect them. Defined processes can be reused in other workflows and integrated easily with existing and new systems using standard scripting interfaces (SNMP, JMX, WMI, IPMI). The studio also supports the creation of a new, custom adapter for orchestration. Figure 7 shows an example of how a workflow looks with Ionix IT Orchestrator Design Studio.

Design Studio


Figure 7. Ionix IT Orchestrator Design Studio

Ionix IT Orchestrator can encapsulate existing system scripts (Visual Basic, Java, C-shell, and so on) directly into its workflows to enable simple integration with external IT data center and ITSM service desk applications.


EMC Ionix Unified Infrastructure Manager

Ionix Unified Infrastructure Manager (UIM) provides a powerful and simplified solution to discover and configure Vblock Infrastructure Platforms. Ionix UIM provides a GUI for administrators, and also provides a comprehensive set of APIs that can be used by any orchestration tool to integrate Ionix UIM functionality into existing or new workflows.

Overview

From this single tool, service providers can discover, configure and provision their compute, network, and storage resources, as shown in Figure 8.

Figure 8. Ionix UIM logical component architecture

When a service offering is deployed to a server, or collection of servers, Cisco Unified Computing System (UCS) Manager automatically configures the server, adapters, fabric extenders, and fabric interconnects to match the configuration specified in the service offering. This automation of device configuration dramatically reduces the number of manual steps required to configure servers, NICs, HBAs, and LAN and SAN switches.

Note In the context of UIM/P, a service offering is a predefined bundle of LAN/SAN, storage, and vSphere resources with a specific set of capacity and performance criteria.

The configuration and application of a service offering can be linked to resources configured at a later stage in vCloud Director—for example, tenant organizations, Organization vDCs and Provider vDCs. Ionix UIM integrates with vCenter, providing the ability to provision HA- and DRS-enabled ESX™ and ESXi™ clusters, synchronize these clusters in vCenter, and provision the resources through to vCloud Director Provider vDCs. The sample ‘CaaS-Infra’ service offering in Figure 9 shows what the

Service catalog and service offerings


properties of a service offering can contain, and the configuration that it will apply to a blade or set of blade servers.

Figure 9. Sample service offering “CaaS-Infra” in Ionix UIM

Table 2 provides additional details on the numbered sections of the Ionix UIM/P dashboard in Figure 9.

Table 2. Ionix UIM/P dashboard—sections

Section Description

1 This section details the number and grade of the servers that will be deployed. There may be multiple grades of servers available with varying compute resources of CPU and RAM. In this example, the four servers are from the Premium grade of servers.

2 This section contains details of the storage that will be configured and made available to each server. In this example, the server boot devices are configured on the Fibre Channel RAID 5 storage and the data devices on the PoolBased grade.

3 This section specifies the constraints applicable to the storage, where no more than 80 GB of Fibre Channel RAID 5 grade storage and no more than 4 TB of pool-based storage may be used. Note that the PoolBased grade of storage is FAST-enabled. In this example, each server has access to four 1 TB FAST-backed datastores.

4 This section details the networking configurations to be applied to each blade server. In this example, two vNICs are configured for each server, each with access to their respective VLANs.


VMware vCloud Director

VMware vCloud Director manages the virtual compute environment and, combined with vCloud Connector, allows for hybrid- or multi-cloud management. It consolidates data centers, deploys workloads, and provides security on shared infrastructure along with VMware vShield.

Overview

vCloud Director enables service providers or organizations to create logical data centers, called Provider vDCs, that comprise compute, network, and storage resources, selected from the underlying physical hardware layer, presented first to VMware vCenter, and subsequently to vCloud Director. These Provider vDCs provide the resources for the tenant Organization vDCs that support the tenant Organizations within vCloud Director, as shown in Figure 10.

Compute resources

Figure 10. vCloud Director—inventory view of organizations

Each Provider vDC could be an Ionix UIM service offering that consists of a certain type or level of network, storage, and computing resources—hosted and distributed by the Vblock platform. These different service offerings are eventually mapped as different Provider vDCs within vCloud Director, as shown in Figure 11.

Figure 11. vCloud Director—inventory view of Provider vDCs


Each tenant organization may have one or more Organization vDCs which are the entities seen by the cloud tenants. An Organization vDC is associated with a higher level Provider vDC and provides a further layer of abstraction between the tenants and the physical infrastructure.

Multiple Organization vDCs (potentially from different tenants) are permitted to draw on the resources available in the Provider vDCs created in vCloud Director, thereby permitting multi-tenant sharing without visibility of other tenants resources.

To manage differences in resource requirements, consumption, or SLAs between the organization and the service provider, vCloud Director provides three allocation models for organizations, as shown in Figure 12.

Figure 12. Allocation models for Organization vDCs

These allocation models are set at the Organization vDC layer and map directly into vCenter Chargeback for billing purposes.

As with all resources in a virtual environment, management and monitoring of available and remaining resources is key. vCloud Director allows administrators to set thresholds for resource availability. vCloud Director monitors the utilization of resources within the Provider vDCs, as shown in Figure 13, and automatically alerts users and administrators when appropriate.

Figure 13. View of Provider vDC utilization


vCloud Director uses vSphere’s abstraction of the network layer as a building block. It pools and leverages these logical resources to enable automated, large-scale deployment while at the same time ensuring the secure separation and multi-tenancy required by a shared infrastructure model.

Networks and security

By design, vSphere’s network layer can ensure network isolation at Layer 2 for each of the provisioned networks in a multi-tenanted CaaS environment. vSphere virtual switches provide protection over and above physical switches against threats such as:

• MAC flooding

• Spanning-tree attacks

• ISL tagging attacks

• 802.1q VLAN tagging attacks

• Double-encapsulation attacks

• Multicast brute force attacks

• Random frame attacks

In addition, malicious network behavior, including MAC address changes and forged transmits, can be restricted, and promiscuous mode is rejected by default.

When leveraged, the Cisco Nexus 1000V, which is an integral component of Vblock Infrastructure Platforms, can bring additional security features to the virtual network, including:

• Access Control Lists (ACLs)

• PVLANs

• Cisco TrustSec policy-based access control

• DHCP snooping

• Port security

• IP source guard

• Dynamic ARP Inspection

vShield Edge layers its L3 and L4 firewall capabilities to augment security controls implemented at Layer 2 and enforce secure segregation between the tenants’ IP networks.

vCloud Director manages access to the CaaS organization’s cloud infrastructure and uses the vCD organizations as the logical security boundaries. Organization administrators and users are restricted to the resources of their organization—that is, the organization’s virtual data centers (vDCs), networks, vApps, and catalogs.


Figure 14 illustrates what a service provider’s implementation of vCloud Director might look like. Different tenants will have different security needs—for example, some may need to allow access to a web server from the Internet, in which case vShield Edge can provide the security needed to manage access and further protect internal systems, as shown in Org-vDC-A in Figure 14.

Figure 14. Sample CaaS implementation using vCloud Director and vShield

Another example is organizations that may want to extend their data center or private cloud to the service provider’s vCloud CaaS implementation through the virtual private network (VPN). Again, vShield Edge can be utilized to establish a secure VPN between the sites, as shown in Org-vDC-C in Figure 14.

A further example is organizations or divisions that may share a segment to access resources in each other’s vDCs, as shown in Org-vDC-B and Org-vDC-C in Figure 14. They can control and secure access as required by their respective security policies using vShield Edge.

Network pools can be backed by port groups, VLANs, or vCloud Director Network Isolation. Port-group-backed network pools are not appropriate for large-scale deployment because they are difficult to automatically provision and manage. Similarly, VLAN-backed network pools, while providing the best performance and security, do not scale beyond 4,095 networks. For a CaaS environment that requires scalability beyond this, vCloud Director Network Isolation can provide for large-scale deployment.

Network pools

As networks are decommissioned, their resources (IP ranges and VLAN IDs) are dynamically returned to the resource pool for future allocation. This ensures minimum wastage of resources and maximum availability and elasticity.


vCloud Director, used with vShield, can provision three different network models—external network, organization network, and vApp network—providing as much flexibility as possible to the tenant administrator in a multi-purpose, multi-tenanted, virtual data center.

Network models

The types of connectivity and their capabilities are as follows:

• External network

WAN connection such as MPLS or VPN tunnel

An Internet connection

A shared link to another organization within the same service provider’s network

• Organization network

Network address translation (NAT) and/or a routed connection to an external network through a vShield Edge security gateway

Directly connected to an external network

Isolated (not connected to any external network)

• vApp network

NAT and/or routed connection to an organization network through a vShield Edge security gateway

Directly connected to an organization network or external network

Isolated (not connected to any network)

The VMware vShield product suite is a complementary family of virtualization security products designed for vSphere to secure cloud environments.

VMware vShield and vShield Edge

vShield integrates with VMware vCenter and is a prerequisite component for vCloud Director environments. It plays a pivotal role in providing foundational protection to virtualized environments, enabling effective management, and addressing security and compliance concerns relating to virtualized networking. vShield uses vShield Edge, and policies defined using the tenant administrator’s vCloud Director portal, to secure the virtual perimeter, and to provide protection to additional virtual networks within the organization’s vDC.

vShield Edge delivers network and security services such as dynamic host configuration protocol (DHCP), VPN, Web load balancing, network and port address translation (NAPT), and fully-fledged L3/L4 stateful firewall support.


Application Programming Interfaces

Application programming interfaces (APIs) are key to enabling self-service within a cloud infrastructure. APIs enable Ionix IT Orchestrator to implement workflows and processes that can be executed based on environmental thresholds or on authorized commissioning requests from a tenant or service provider administrator. Figure 15 shows how Ionix IT Orchestrator interacts with the various APIs within the CaaS stack.

Overview

Figure 15. Cloud management stack

This section of the document provides information around which APIs are required and available for the development of automated workflows in a CaaS solution:

• EMC Ionix Unified Infrastructure Manager (UIM) API

• VMware vCloud API

• VMware vSphere API

• VIX API

• VMware Service Manager API

• VMware vShield API

• VMware vCenter Chargeback API


The EMC Ionix UIM API provides support for developers who are building clients or orchestration tools to interact with Vblock platforms. The API provides a centralized interface for managing and interacting with the consolidated networking, storage, and processing of Vblock Infrastructure Platforms. It uses a RESTful application development style, with API clients and servers communicating over HTTP and taking the form of XML elements. Figure 16 is a graphical representation of the components that make up the UIM API.

EMC Ionix UIM API

Figure 16. Ionix UIM architectural overview

Ionix UIM discovers and manages Vblock platform devices through the UIM/P API, the XML API for Cisco UCS Manager, CLI/SNMP for the Nexus IP and MDS FC switches, EMC Unisphere™, and EMC Symmetrix™ Management Console.

The Ionix UIM API provides functionality to:

• View and create services and service offerings in UIM

• Modify the server, storage, and network configurations of a planned service

• Initiate provisioning and activation of a service

• Add storage, network, and server resources to an active service

• Selectively provision, activate, and synchronize with a VMware vCenter (and VMware vCloud)

• Release individual blades or all blades on a deactivated service

Table 3. Ionix UIM API reference

Document Title Document Location

EMC Ionix Unified Infrastructure Manager API Programmer’s Guide

In Powerlink navigate to Home > Support > Technical Documentation and Advisories > Software ~ E-I ~ Documentation > Ionix Family > Ionix for Data Center Automation and Compliance > Ionix Unified Infrastructure Manager/Provisioning > 2.1 & Service Packs


The VMware vCloud API provides developers with the means to deliver resources abstracted from the physical implementations of the infrastructure. Using vCloud API, organization administrators can access and manage their vCloud Director resources through the native vCloud Director user portal or through a third-party, front-end portal. Figure 17 shows the structure of the Admin, Extension, and User APIs that make up the vCloud API.

VMware vCloud API

The vCloud API is an open, representational state transfer (REST) API that allows scripted access to consume cloud resources, such as uploading and downloading vApps, and catalog management. The vCloud API enables service providers to create their own customized management solutions for a new environment or to integrate existing ones with VMware cloud infrastructure. Clients and servers can communicate over HTTP, to exchange representations of vCloud objects. These representations take the form of XML elements.

Figure 17. vCloud APIs

Table 4. vCloud API references


vCloud API Programming Guide http://www.vmware.com/pdf/vcd_10_api_guide.pdf

vCloud API Specification http://www.vmware.com/pdf/vcd_10_api_spec.pdf


VMware vSphere is a suite of products that provides complete enterprise virtualization functionality. The vSphere APIs enable developers to create custom solutions for managing virtual components and to integrate existing data center management solutions with VMware technologies. For example, use the vSphere APIs to quickly create, customize, or migrate virtual machines.

VMware vSphere APIs

The VMware vSphere API is a set of interfaces for centralized management of VMware ESX/ESXi hosts and virtual machines. The VMware vSphere SDK is a set of libraries that support VMware vSphere; it includes tools and samples to assist development efforts. Figure 18 shows where and how the various vSphere API components integrate in a vSphere environment.

Figure 18. vSphere API architecture

The vSphere Web Services SDK is the most comprehensive of the available management APIs. This SDK works with both ESX/ESXi and vCenter Server systems. As a Web Services SDK, the SDK is language neutral. The SDK includes stubs and examples for Java, Perl, and C# and a comprehensive documentation set including an API Reference generated from the source.

Table 5. vSphere API references


vSphere 5.0 API Reference

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/right-pane.html

vSphere 4.1 API Reference

http://www.vmware.com/support/developer/vc-sdk/visdk41pubs/ApiReference/index.html


The VIX API is a library for writing scripts and programs to manipulate virtual machines. It is high‐level, easy to use, and practical for both script developers and application programmers. This API is well suited for dedicated IT personnel in an organization that is building its own in‐house tools. It might also be used by software vendors who are using VIX to integrate VMware products with their own products or to build management products for virtual machines.

VIX API

Table 6. VIX API reference


VIX API Reference http://www.vmware.com/support/developer/vix-api/vix111_reference/index2.html

VMware Service Manager provides a common integration platform to set up various types of integration with external applications and technologies, with a view to automate the:

VMware Service Manager API

• Transfer of information (for example, for the resolution of calls or the completion of tasks)

• Management of alerts across different systems

• Population of the VMware Service Manager CMDB with externally discovered resources

Figure 19 shows the architecture of the VMware Service Manager API.

Figure 19. Architecture of Service Manager API

Table 7. VMware Service Manager API reference


VMware Service Manager v9.0 API User Guide

http://downloads.vmware.com/d/details/sm_90_docrp5/ZGhkYmRAQGhiZCUqKg


VMware vShield is a suite of network edge and application‐aware firewalls built for VMware vCenter Server integration. vShield inspects client‐server communications and inter‐virtual‐machine communication to provide detailed traffic analytics and application‐aware firewall protection. vShield is a critical security component for protecting virtualized data centers from attacks and misuse, helping you achieve your compliance‐mandated goals. The VMware vShield API enables you to install, configure, monitor, and maintain the VMware vShield system by using REST API requests.

VMware vShield API

Table 8. VMware vShield API reference


VMware vShield 5.0 API Programming Guide

http://www.vmware.com/pdf/vshield_50_api.pdf

VMware vCenter Chargeback is an end-to-end metering and cost reporting solution for virtual environments that use VMware vSphere. It provides a unified control point for data collection, chargeback mediation, and metric reporting, allowing administrators to perform flexible cost measurement and utilization analysis. Figure 20 shows the architecture of the REST-based VMware vCenter Chargeback API.

VMware vCenter Chargeback API

Figure 20. REST architecture in vCenter Chargeback

vCenter Chargeback provides a REST-based Web service API for integrating the vCenter Chargeback solution with existing applications such as enterprise billing systems. Leverage this REST-based API to perform cost calculations and generate and deliver resource utilization reports.

Table 9. VMware vCenter Chargeback API reference


VMware vCenter Chargeback Manager 2.0 API Programming Guide

http://www.vmware.com/pdf/cbm_api_prog_guide_2_0_0.pdf


Use cases with EMC Ionix IT Orchestrator

The purpose of this use case is to demonstrate how, by leveraging EMC Ionix IT Orchestrator, a service provider administrator can automate the onboarding of a new customer into a multi-tenant environment. The example of onboarding a customer called GriffinCore is used in this document for the purposes of discussion.

Use case #1: Onboarding a new customer

Figure 21 provides a visual representation of the scope of the process in this use case.

Figure 21. Procedure for onboarding a new customer

This use case has been customized specifically to highlight the views and operations specific to those a service provider administrator could experience in onboarding a new customer/tenant. It is possible to customize and tailor all views and related workflows to suit a more direct customer experience. This is entirely dependent on what a service provider chooses to offer their customers.

The operations being focused on for this use case are (shown in Figure 22):

• Entry of new customer details and requirements

• Authorization of request

• Commissioning a UIM service offering from Vblock platform for a new customer, where a customer requires dedicated hardware/infrastructure

• Creation of new Provider vDC if dedicated hardware is requested

• Creation of Organization and Org vDC in vCloud Director (with automatic initialization of chargeback hierarchy)

• Creation of new users


Figure 22. Logical workflow of onboarding a new customer

The details specific to a new customer can be input from the portal page and used within the Ionix IT Orchestrator workflow in the creation of the new resources for the customer. On the portal page in Figure 23, a new customer named GriffinCore is created and provided with a dedicated infrastructure of Bronze level.

Figure 23. Ionix IT Orchestrator portal – Onboard New Customer

The Customer Service Level correlates to the service tiers offered by various vCloud Director Provider vDCs, which in turn are linked to the relevant Ionix UIM Service Offerings. These service offerings provide the infrastructure resources for a single vCloud Director Provider vDC with the relevant tier of service.


Figure 24 displays the available Ionix UIM Service Offerings published within the UIM/P Service Catalog.

Figure 24. Ionix UIM/P Service Catalog displaying available Service Offerings

By leveraging the Ionix UIM APIs, Ionix IT Orchestrator can access and select the appropriate service offering from the UIM/P service catalog. This automatic provisioning of resources is consolidated into a single step as part of the overall onboarding process for a new customer. Figure 25 shows a sample UIM Commission Service workflow.

Figure 25. Ionix IT Orchestrator Design Studio ‘Commission Service’ workflow

Note that a dedicated infrastructure is not a requirement for all customers. It is also possible to onboard a customer into a shared infrastructure, which would not require a UIM service offering to be created as part of the onboarding process. In this case, the customers’ Organization vDC would use an existing Provider vDC within VMware vCloud Director, thereby sharing that Provider vDC with other Organization vDCs.

The approval of this onboarding request is managed by VMware Service Manager, which can be set to respond to, and deal with, all requests as appropriate. Certain customer requests may require approval elsewhere in the business, while other requests, such as internal service provider administrative requests, may be automatically approved, based on the level or type of request. Such decisions are specific to the business. Any changes made to the environment as a result of the approved requests are then stored in a CMDB which stores an inventory of IT assets and their relationships to each other.

For this use case, after the request has been approved by VMware Service Manager, the onboarding process may continue. The onboarding process and creation of infrastructure resources for the new customer, GriffinCore, requires the creation of a


secure environment within VMware vCloud Director. EMC Ionix UIM/P automatically synchronizes the newly provisioned resources with VMware vCenter before adding them as resources to the appropriate Provider vDC within VMware vCD.

Ionix IT Orchestrator uses the vCloud API to create the secure environment for GriffinCore within vCloud Director. The primary vCD specific tasks required for onboarding this new customer are:

• Creation of new Provider vDC if dedicated hardware requested

• Creation of Organization and Org vDC in vCloud Director (with automatic initialization of chargeback hierarchy)

• Creation of new users

The workflow in Figure 26 demonstrates the order and the process used within Ionix IT Orchestrator for creating the new GriffinCore organization in VMware vCloud Director, the relevant users, and the virtual data centers that will provide the environment in which GriffinCore may deploy their vApps and associated services.

Figure 26. Ionix IT Orchestrator workflow to configure vCloud Director components


Figure 27 displays the two new users created during the Onboarding New Customer process for GriffinCore. An administrative user (admin) has been created as well as a vApp user (peter).

Figure 27. Administrative users for new customer GriffinCore

The GriffinCore organization, along with its associated resources and users, can be viewed and managed by the service provider administrator along with all other tenants. These tenants are completely isolated and secured from one another within VMware vCloud Director.

The new customer GriffinCore is highlighted by selection in Figure 28, displaying an overview of how many users and Provider vDCs are currently configured.

Figure 28. vCloud Director inventory view of all tenants

Figure 29 displays the end-to-end mapping of the compute resources supporting this new customer.

Figure 29. End-to-end mapping of GriffinCore infrastructure resources


The final step for this use case is to integrate a billing component for GriffinCore, as shown in Figure 30.

Figure 30. GriffinCore chargeback hierarchy in vCenter Chargeback

Through its tight integration with VMware vCloud Director, the creation of this new customer is automatically detected and reflected in the VMware vCenter Chargeback inventory.

After Ionix IT Orchestrator completes the onboarding process, the GriffinCore admin is presented with their own secure environment within VMware vCloud Director from which they can proceed to create and develop their own vApps, virtual machines, and applications. Figure 31 shows the end-to-end mapping of the new tenant resources through to the vCenter Chargeback billing component.

Figure 31. End-to-end mapping of tenant resources to chargeback billing


Commissioning a vApp can be done in several ways, depending on the options the Service Provider has chosen to provide. One of these options is to deploy a vApp from an existing template available in the service catalog.

Use case #2: Commissioning a vApp

Even before a vApp is deployed, a series of Ionix IT Orchestrator workflows need to be executed. The activity in Figure 32 corresponds to a workflow that retrieves the list of templates from the service catalog for the template drop-down list.

Figure 32. Selecting a template from Service Catalog

A similar workflow is executed to retrieve the list of networks available to connect the vApp to, as shown in Figure 33.

Figure 33. Selecting the network


When commissioning the vApp, you can also specify how long this vApp is required for, and have the system automatically decommission the application when that lease time has expired, as shown in Figure 34.

Figure 34. Selecting a Lease Period for the vApp

After the information has been gathered from the customer admin, Ionix IT Orchestrator executes a vApp creation workflow; Figure 35 shows an example.

Figure 35. Ionix IT Orchestrator workflow for commissioning a vApp

Here we can see the vCloudService object (which is an Ionix IT Orchestrator Adapter for VMware vCloud Director) being called. A workflow element named createVApp is fed the relevant information gathered from the customer admin, and the vApp is created with some error checking and power-on functions to complete the operation.


The creation of this new vApp is automatically synchronized with vCenter Chargeback, which adds the new vApp, Exchange_farm01, to the inventory of GriffinCore where the relevant cost models and rates can be applied, as shown in Figure 36.

Figure 36. vCenter Chargeback Configure Cost for vApp

Alternatively, automated configuration of billing rates, cost models, and reports for tenants can be achieved by extending the vCenter Chargeback API within Ionix IT Orchestrator workflows.


While it is possible to specify the lease duration (and hence the expiry time) of a vApp during the commissioning process, it may also be necessary to ‘manually’ decommission a vApp which previously had no set expiry time. In this context, ‘manually’ means that the system decommissions the vApp based on a customer admin request and not as a result of a scheduled event.

Use case #3: Decommissioning a vApp

Figure 37 shows a corresponding Ionix IT Orchestrator workflow for this customer-requested decommissioning process.

Figure 37. Ionix IT Orchestrator workflow for decommissioning vApp based on admin request

As before, the VCloudService adapter is called, but this time the decommissionvAPP workflow element is used and is fed the information provided by the customer admin to operate against the correct vApp.

As part of the decommissioning process, the compute, network, and storage resources previously consumed by the vApp are released back into the pool that corresponds with the Organization VDC of which the vApp was a part. The CMDB is updated to reflect the removal of the vApp, and the metering, monitoring, and chargeback functions for that vApp cease, though the chargeback data should be retained for the billing process.


Conclusion

The EMC CaaS solution enables service providers to build an enterprise-class, scalable, multi-tenant platform for complete compute service lifecycle management. This solution provides on-demand access and control of network bandwidth, servers, storage, and security while allowing service providers to maximize asset utilization. Specifically, EMC CaaS integrates all the key functionality that your customers demand, and provides the foundation for adding other services, such as backup and virtual desktop infrastructure.

Summary

EMC CaaS architecture incorporates these six design principles:

• Availability and data protection

• Secure separation

• Security and compliance

• Service assurance, metering, and billing

• Tenant management and control

• Service provider management and control

This Compute-as-a-Service architecture offers service providers an integrated framework that leverages EMC Ionix IT Orchestrator, VCE Vblock Infrastructure Platforms, and VMware vCloud Director. This approach allows you to deploy rapidly the cloud-based services that your customers demand with the functionality they are accustomed to. By deploying EMC CaaS, you will spend less time integrating automation and management components with compute, storage, and network resources, which enables quicker on-boarding of new customers.

EMC helps service provider partners accelerate the creation, integration, and deployment of cloud service offerings through pre-tested and optimized reference architectures, blueprints, and build guides. Through the deployment of dedicated service provider field experts, and the creation of Service Provider Competency Centers, EMC combines decades of enterprise data center experience with a rigorous solution-testing environment to develop Proven Solutions for Service Providers. EMC ensures the compatibility of these solutions with service provider and end-user environments alike.

About EMC Proven Solutions

EMC offers a portfolio of consulting and professional services for service providers and their customers to assist in balancing workloads across service delivery models —ranging from legacy physical architectures and virtualized infrastructures through on-premise (private) and off-premise (public) cloud architectures. The EMC Cloud Advisory Service with Cloud Optimizer helps customers develop a strategy for optimizing the placement of application workloads. By assessing three factors—economics, trust, and functionality—organizations can maximize their cost savings and business agility through the use of private and public cloud resources.

Take the next step


References

For additional information, see the EMC documents listed below. EMC documentation • White Paper: EMC Compute-as-a-Service–EMC Symmetrix VMAX, EMC VNX

Series, VMware vSphere, vCloud Director

• White Paper: EMC Compute-as-a-Service–Design Principles and Considerations for Deployment–VCE Vblock, VMware vCloud Director


Documents

h10526 Emc Caas Ito Vblock Vcd (1)