Jumpstarting Enterprise Hybrid-Cloud with VMware Cloud on AWS


Enterprise customers with VMware installations in their datacenters can now quickly shift workloads into AWS using VMware Cloud. Almost a year after the initial announcement, this long-anticipated offering is now a reality and ready for mainstream consumption.

Based on VMware vSphere, with optimized access to AWS services, the offering is delivered, sold, and supported by VMware as an on-demand service with all the hardware scalability benefits of AWS bare metal infrastructure beneath it.

So, what’s cool about the offering?

  • As a SaaS offering, VMware Cloud runs as its own stack including NSX, vSAN, and vSphere. Unless accessing other AWS services, customers won’t even realize they are running on AWS as a virtual extension of their own data center.
  • Full access to all AWS native services through the public API endpoints, without additional networking charges.
  • Flexibility to shift workloads between the data center and AWS cloud.
  • The ability to leverage existing VMware licenses to secure pricing discounts (a maximum of 25% off list, depending on license type).

What stinks about it?

  • The minimum host configuration requirement is 4 hosts per cluster. On-demand pricing of $8.3681 per hour per host would require a minimum consolidation ratio of 3.9 to reach potential native cloud pricing of $0.06 per comparable instance (bandwidth charges not included).
  • 50% savings over the above host pricing can be obtained by committing to 3 years of reserved hosts. Unfortunately, just like reserved native cloud instances, you are charged for every hour of the commitment regardless of whether the instances are running or not.
  • Workload mobility is currently limited to cold migration to transfer workloads to the cloud Software Defined Data Center (SDDC). (Cross-cloud vSphere vMotion migration is on the product roadmap, but no date commitments have been provided.)
  • To use vCenter Hybrid Linked Mode you will need to be running vSphere 6.5d or later; you can, however, do cold migrations of the VMs without it.

Key Take-Aways…

Don’t expect public cloud instance pricing, but VMware has eliminated any excuses for most enterprise customers to start the public cloud transition, if only for Dev/Test workloads. Taking advantage of this PaaS/SaaS offering will help reduce the internal IT team’s workload to support these VMs.

With full access to native AWS services, using VMware Cloud as a foundation, your Application teams can begin to leverage cloud services such as Lambda, RDS, DynamoDB and Redshift without having to do cloud transformation migration of the core application.

It’s clear that the VMware Cloud offering can jumpstart your enterprise hybrid cloud efforts. But just like with native cloud services, the tendency to overprovision, misconfigure, and abandon running resources is real, and you must manage these actions to ensure a secure cloud environment as well as to control runaway cost. This starts with a well implemented tagging strategy, in combination with continuous monitoring and an action driven compliance engine.

Key areas to consider and control are:

  • Policy automation to ensure compliance with security policy controls and asset configurations.
  • Operational automation tied to storage, CPU and memory allocation of virtual instances.
  • Resource cost management through downsizing over-provisioned instances, stopping dev/test instances off-cycle, and eliminating stranded resources such as orphaned or underutilized hypervisors.

Whether your enterprise cloud efforts are focused on the native consumption of public resources, on establishing a hybrid cloud footprint both on premise and off, or you are just starting out by migrating workloads to the new VMware Cloud on AWS platform, having a third-party governance and automation platform is a cornerstone feature to drive consistent policy adoption, ensure security compliance, and optimize efficient consumption of resources.

————

Thomas Martin is a former CIO, and technology leader of the General Electric Company.  Prior to leaving GE,  Thomas was the Executive Vice President of Application Transformation tasked with moving 9000 legacy workloads to public and private cloud infrastructure.  He has been a leading evaluator, adopter, and advocate of innovative tools and emerging technology that drive effective operation of cloud infrastructure at scale.

Your Amazon EBS Snapshots and RDS Data may be leaking sensitive data to the public… And that’s just the tip of the iceberg. Fix it permanently!


A recently published article outlined the careless behaviors of users that are allowing sensitive company data contained in EBS snapshots and RDS services to be leaked into the public domain.  AWS has released new functionality to “see” and be notified about these risks via Trusted Advisor.  But, as an experienced technologist working with Fortune 100 companies to deploy enterprise applications to cloud infrastructure, I can tell you first hand that the misconfiguration of RDS and EBS Snapshots is only the tip of the iceberg of how careless set-ups, and a lack of action-based configuration control, can put your data and infrastructure at grave risk.  S3 buckets, misconfigured firewall ports, improper security groups… The list goes on and on.

The potential financial and reputation losses to companies that don’t proactively manage public access to Cloud infrastructure can be catastrophic. But rest assured, these pitfalls are not the result of an insecure or faulty product from AWS or any other public cloud provider. In fact, each of these services is specifically designed to enable public exposure when desired. The idiocy in all of these events is that they were completely preventable had a cornerstone tagging and monitoring/action system been put in place.

Don’t watch user mistakes in the rear-view mirror through Trusted Advisor alone… Let’s dig in and let me take you through the foundations of how to pro-actively set up, monitor, and action your cloud to ensure risky behavior is caught and actioned, so that your company doesn’t become the subject of media headlines.

Across clients, I have seen tens of millions of dollars spent annually on ITIL processes and ISO 27001 compliance within traditional company data centers.  Each IT asset is ID’d, and every attribute and detail is meticulously tracked and logged. But it never ceases to amaze me that once infrastructure becomes ephemeral (created and destroyed as simply and as quickly as code can allow), all sense of organization is kicked to the curb and the Wild Wild West ensues.  Exposure to data loss and/or security breach, unbridled growth in costs, and orphaned resources is not a product problem but an operational problem, and one that we as an IT community need to address within our organizations.

Managing Cloud resources at scale doesn’t have to come with the traditional organizational bloat, added costs, and process bureaucracy that plagues most organizations in their implementation of ITIL practices. In fact I would argue that those trying to manage ephemeral Cloud infrastructure through traditional practices and CMDB methodologies are outright wrong in their approach and are setting their organizations up to fail… The dynamics of Cloud assets simply change too quickly.

Successful Cloud asset management begins with a strategic asset tagging strategy that is systematically applied and monitored ubiquitously across your Enterprise Cloud(s).  Resources are available from the individual Cloud providers on how to tag and on the number of tags allowed per asset.  You can find AWS tagging recommendations here, but to prevent the atrocities of misconfiguration and bloated costs, an organizational tagging strategy and related use policy must be established.  This document must outline which tags are required per asset, and the specific tag formats.  Various articles have been written, but one of the most comprehensive and straightforward white papers on how to establish a cloud tagging strategy was written by the team at DivvyCloud.

Once a tagging policy is created it must be deployed and enforced.  How your organization orchestrates infrastructure as code will determine how the tags are deployed. Monitored holistically, these tags can be interrogated and systematically used to enforce broader operational policies, with “if-then-this” outcomes.

Let’s assume that we have a policy that states only resources tagged as ENV = PROD + DATACLASS = PUBLIC should be allowed to be associated with a publicly open security group, or configured for public access. We can now continuously monitor for this grouping of tags and take appropriate action when non-compliant assets are discovered, with actions that proactively and immediately quarantine the asset and notify the appropriate team members that the incident has occurred and how to resolve it before Intellectual Property data loss.
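The tag-driven exposure policy described above, together with the EBS snapshot and RDS exposures from the opening paragraph, can be expressed as a small compliance check. The following is an added example written for this page; it is not code from the author or from any governance product. It evaluates resource descriptions in the shape returned by the EC2 and RDS describe APIs (`describe_security_groups`, `describe_instances`, `describe_snapshot_attribute`, `describe_db_instances`) against the rule that only assets tagged ENV=PROD and DATACLASS=PUBLIC may be publicly reachable, and flags missing mandatory tags. The sample data, the `OWNER` tag as a third mandatory tag, and the remediation text on each finding are constructed assumptions; in practice the inputs would come from boto3 calls and the recommended actions would be carried out by the compliance engine.

```python
"""Tag-driven public-exposure compliance check (added example, not the post's own code)."""
from dataclasses import dataclass

# Policy from the post: only assets carrying both of these tags may be publicly exposed.
REQUIRED_PUBLIC_TAGS = {"ENV": "PROD", "DATACLASS": "PUBLIC"}
# Mandatory tags per asset; OWNER is an assumed addition to the post's two tags.
REQUIRED_TAGS = ("ENV", "DATACLASS", "OWNER")


@dataclass
class Finding:
    resource_id: str
    kind: str
    issue: str
    action: str  # what the compliance engine should do (assumed wording)


def tags_to_dict(tag_list):
    """Normalise an AWS Key/Value tag list into an upper-cased dict."""
    return {t["Key"].upper(): t["Value"].upper() for t in (tag_list or [])}


def sg_is_open_to_world(sg):
    """True if any ingress rule allows 0.0.0.0/0 or ::/0 (describe_security_groups shape)."""
    for perm in sg.get("IpPermissions", []):
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return True
        if any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])):
            return True
    return False


def allowed_public(tags):
    return all(tags.get(k) == v for k, v in REQUIRED_PUBLIC_TAGS.items())


def evaluate(instances, security_groups, snapshots, db_instances):
    """Return a list of Findings for tag gaps and unapproved public exposure."""
    open_sgs = {sg["GroupId"] for sg in security_groups if sg_is_open_to_world(sg)}
    findings = []

    def check(resource_id, kind, tags, exposed, quarantine_action):
        missing = [k for k in REQUIRED_TAGS if k not in tags]
        if missing:
            findings.append(Finding(resource_id, kind, f"missing required tags {missing}",
                                    "notify owning team; tag or decommission"))
        if exposed and not allowed_public(tags):
            findings.append(Finding(resource_id, kind,
                                    "publicly exposed without ENV=PROD and DATACLASS=PUBLIC",
                                    quarantine_action))

    for inst in instances:  # describe_instances reservation entries
        exposed = any(g["GroupId"] in open_sgs for g in inst.get("SecurityGroups", []))
        check(inst["InstanceId"], "ec2-instance", tags_to_dict(inst.get("Tags")), exposed,
              "detach open security group and attach quarantine security group")
    for snap in snapshots:  # describe_snapshots merged with describe_snapshot_attribute
        exposed = any(p.get("Group") == "all" for p in snap.get("CreateVolumePermissions", []))
        check(snap["SnapshotId"], "ebs-snapshot", tags_to_dict(snap.get("Tags")), exposed,
              "remove createVolumePermission group=all")
    for db in db_instances:  # describe_db_instances entries
        check(db["DBInstanceIdentifier"], "rds-instance", tags_to_dict(db.get("TagList")),
              db.get("PubliclyAccessible", False), "modify DB instance: PubliclyAccessible=false")
    return findings


# Constructed sample inventory (not real account data).
SECURITY_GROUPS = [
    {"GroupId": "sg-0open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                               "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0internal", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                                   "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
FULL_TAGS = [{"Key": "ENV", "Value": "PROD"}, {"Key": "DATACLASS", "Value": "PUBLIC"},
             {"Key": "OWNER", "Value": "web-team"}]
CONFIDENTIAL_TAGS = [{"Key": "ENV", "Value": "PROD"}, {"Key": "DATACLASS", "Value": "CONFIDENTIAL"},
                     {"Key": "OWNER", "Value": "db-team"}]
INSTANCES = [
    {"InstanceId": "i-web", "SecurityGroups": [{"GroupId": "sg-0open"}], "Tags": FULL_TAGS},   # compliant
    {"InstanceId": "i-dev", "SecurityGroups": [{"GroupId": "sg-0open"}],                        # exposed dev box
     "Tags": [{"Key": "ENV", "Value": "DEV"}, {"Key": "DATACLASS", "Value": "INTERNAL"},
              {"Key": "OWNER", "Value": "dev-team"}]},
    {"InstanceId": "i-untagged", "SecurityGroups": [{"GroupId": "sg-0internal"}], "Tags": []},  # no tags
]
SNAPSHOTS = [
    {"SnapshotId": "snap-public", "Tags": CONFIDENTIAL_TAGS, "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-private", "Tags": CONFIDENTIAL_TAGS, "CreateVolumePermissions": []},
]
DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True, "TagList": CONFIDENTIAL_TAGS},
]


def run_sample():
    return evaluate(INSTANCES, SECURITY_GROUPS, SNAPSHOTS, DB_INSTANCES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind} {f.resource_id}: {f.issue} -> {f.action}")
```

Running the sample flags the dev instance sitting behind the world-open security group, the untagged instance, the confidential snapshot shared with `all`, and the publicly accessible RDS instance, while the correctly tagged public web instance passes. Matching on tag keys and values is case-insensitive here so that a tag written as `env=prod` is not treated as a gap; whether that leniency is acceptable is itself a decision the tagging policy document should record.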

A well implemented tagging strategy, in combination with continuous monitoring, and an action driven compliance engine will cover your entire Cloud Enterprise with real time proactive protection.  In addition to security and peace of mind, it will reduce costs, and drive broader operational efficiencies.  Bottom line, these are table stakes to the Cloud Enterprise at scale, and the cornerstone of effective Cloud Operations.  
