
Today’s VMware and Google Announcement

By: Mathew Lodge

Today Google and VMware announced an agreement to integrate selected Google Cloud Platform services into VMware vCloud® Air™.

  • Google Cloud Storage – Distributed low-cost object storage service
  • Google BigQuery – A real-time analytics service suitable for ad-hoc business intelligence queries across billions of rows of data in seconds
  • Google Cloud Datastore – A schemaless NoSQL database service
  • Google Cloud DNS – A globally-distributed low-latency DNS service

For more information about the integration of selected Google Cloud Platform Services into vCloud Air, visit the Tribal Knowledge blog.

Behind the Scenes with a Hybrid Application: the VMworld 2014 Mobile App

By: Mathew Lodge

How do you build, in less than 6 weeks, an application that can handle 2,000 requests/second and has to integrate on-premises systems, native mobile and SaaS services; one that has to pass a strict security audit, be managed as a single application, and absolutely cannot fail during one of the tech industry’s largest events in San Francisco and Barcelona? Using a hybrid cloud, of course! If you’ve ever wondered what a “hybrid cloud application” looks like, then the VMworld 2014 mobile application is a great example.

The VMworld application represents a new generation of hybrid applications: those that span on-premises, off-premises and SaaS services. The “backend” of the mobile application, containing the data layer and the core logic, ran on vCloud Air and integrated with all the other systems. We engaged mobile solutions provider raw engineering, who deployed their built.io app development platform on vCloud Air, to build the application for VMware. The VMworld mobile application was designed and developed in 6 weeks using agile methodology with regular demonstrations and testing by the VMworld team. The rest of the project schedule was spent on scale testing, security and privacy audits, bug fixes and legal review before submitting to the Google Play Store and Apple App Store about a month before VMworld San Francisco.


TPS (Transparent Page Sharing) and vCloud Air

Transparent Page Sharing (TPS) is a memory oversubscription technique that reduces physical memory usage by sharing identical memory pages between virtual machines (VMs) – e.g., when two VMs are running the same operating system. Academic security researchers have recently shown that TPS may be used to gain unauthorized access to data belonging to other VMs on vSphere and Xen hypervisors under certain highly controlled conditions. In a lab environment, the researchers demonstrated that they could recover an AES encryption key used by another VM running on the same physical server.

Out of an abundance of caution, we have turned off TPS in vCloud Air multi-tenant environments (the VPC and DR services). There is no impact to customers from this change.

For more information on the research and the changes to TPS in VMware vSphere, see VMware Knowledge Base article 2080735: http://kb.vmware.com/kb/2080735

The VMware security team’s blog is here: https://blogs.vmware.com/security/2014/10/transparent-page-sharing-additional-management-capabilities-new-default-settings.html
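vCloud Air customers don’t have to do anything here, but if you run your own vSphere hosts the same question applies: is inter-VM page sharing still on? The script below is an added example, not code from this post or from VMware. It assumes, based on the KB article and security blog linked above rather than on anything in this post, that the relevant ESXi advanced setting is named Mem.ShareForceSalting, that a value of 2 salts each VM’s pages with the VM’s own UUID (so pages are only shared within a VM unless an administrator deliberately gives VMs an identical salt), and that esxcli prints the setting as “Key: value” lines. The sample esxcli output is constructed.

```shell
#!/bin/sh
# Added example, not code from the post or from VMware: audit an ESXi host's
# Transparent Page Sharing salting so identical pages are only shared within a
# VM, never across tenants. Assumptions (from the KB/security blog linked above,
# not from this page): the advanced setting is Mem.ShareForceSalting, a value
# of 2 salts each VM's pages with its own UUID (no cross-VM sharing unless an
# admin gives VMs an identical explicit salt), and esxcli prints "Key: value".

# Extract the current integer value from the esxcli listing of the setting.
tps_salting_value() {
    # $1 = text from: esxcli system settings advanced list -o /Mem/ShareForceSalting
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Int Value:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# Turn the value into a verdict: only 2 rules out inter-VM sharing by default.
tps_salting_verdict() {
    case "$(tps_salting_value "$1")" in
        2)   echo "OK: TPS salted per VM, no inter-VM page sharing" ;;
        0|1) echo "WARN: inter-VM page sharing possible; set Mem.ShareForceSalting to 2" ;;
        *)   echo "UNKNOWN: could not parse Mem.ShareForceSalting" ;;
    esac
}

# Constructed sample of esxcli output for a host left on the legacy behaviour.
LEGACY_HOST_OUTPUT='   Path: /Mem/ShareForceSalting
   Type: integer
   Int Value: 0
   Default Int Value: 2
   Min Value: 0
   Max Value: 2
   Description: Control the salting of pages for Transparent Page Sharing'

# On an ESXi host (esxcli present) check the live value; elsewhere, demonstrate
# on the constructed sample so the script still runs offline.
if command -v esxcli >/dev/null 2>&1; then
    tps_salting_verdict "$(esxcli system settings advanced list -o /Mem/ShareForceSalting)"
else
    tps_salting_verdict "$LEGACY_HOST_OUTPUT"
fi
```

Run it in the ESXi shell (or feed it saved esxcli output) for each host in a cluster; any WARN means that host can still deduplicate pages across VMs from different tenants, which is exactly the condition the research above relies on.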

Tech Preview: vCloud Air Object Storage

By Mathew Lodge

VMware made some significant announcements today around vCloud Air (previously vCloud Hybrid Service) at VMworld San Francisco 2014. One of the announcements was on a new storage service – vCloud Air Object Storage.

VMware vCloud Air today has two block storage tiers, Standard and SSD-Accelerated, which look to a virtual machine like a block volume. Object Storage acts as low-speed, long-term storage for buckets of unstructured data and isn’t associated with any specific virtual machine.

VMware vCloud Air Object Storage is a highly scalable, cost-effective, and dependable storage solution that can easily scale up to petabytes, and you only pay for the storage in use. Based on EMC’s ViPR technology, it offers the popular S3 API, including lifecycle management and versioning features to simplify and reduce management overhead. Data durability is 11 nines per object, and data can be accessed via HTTP and HTTPS.


Why is vCloud Air 35% Cheaper Than Azure and 83% Cheaper Than AWS?

Imagine that your local grocery store or supermarket proudly proclaimed, “We’ve cut the price of eggs 44 times and they’re now $3!” and their competitor down the street, not to be outdone, claimed, “Eggs are $2.75 here!” The first question you’d ask is, “How many eggs do I get and what size are they?” In short, what exactly am I getting for my money? Yet in the cloud wars when vendors cut prices, the headlines are the equivalent of, “Vendor cuts egg prices to $2.75 rendering chicken farms irrelevant,” and blogs sprout speculating about the type and cost of the underlying poultry and flock management.

When it comes to running applications on IaaS, price-performance is what matters. It is no use having low-cost cloud service if it’s not powerful enough to run your app with the performance you need. To that end, VMware commissioned benchmarking tests from Principled Technologies, who determined that vCloud Air delivers 2x the compute power of Microsoft Azure and 3x the storage performance of Amazon AWS.


How vCloud Hybrid Service is Different: 10 Cloud Capabilities on vCloud Hybrid Service that Don’t Exist on AWS

By: Mathew Lodge, Vice President of Cloud Services at VMware

We first published this blog back in March, but since it’s been our most popular post to-date, we are sharing it again in case you missed it. Since March, we have shipped updates to vCloud Hybrid Service every 3-4 weeks, including a simple, cost-effective Disaster Recovery service that also simply isn’t possible on AWS. We also introduced our Desktop as a Service offering, a new low-cost Standard Storage Tier, production hybrid PaaS with Pivotal CloudFoundry, and a refreshed version of our data protection service — also something you can’t get on AWS.

With vCloud Hybrid Service (vCHS), we’re firmly focused on solving enterprise customer cloud problems – especially making the transition from today’s investments in apps and data to a cloud future as easy as possible. And that means building a different kind of cloud, one with the capabilities that matter to enterprises. To make that very concrete for those familiar with Amazon Web Services (AWS), here are 10 things in vCHS that make that transition easier and that you can’t do in AWS.

1. Free automatic availability monitoring and fast VM restart

vCHS includes hot standby redundant capacity to maximize the uptime of your application. It’s free and requires no configuration. vCHS automatically monitors all servers and if there’s a catastrophic failure, immediately re-starts all affected VMs on hot standby hardware in the same vCHS cluster. At reboot time, the VM’s file system is exactly as it was before the failure, preserving as much state as possible to allow the OS and application to recover quickly. It also has exactly the same network configuration – MAC addresses, IP addresses and so on – ensuring other VMs can communicate with the new VM without reconfiguration.

By contrast, AWS offers no redundant capacity, no automatic monitoring, and no fast VM restart. New EC2 instances don’t have the same MAC address and require extra configuration to get the same IP address. For redundancy you must buy extra instances, buy and manage a load balancer (assuming the app traffic can be load balanced), architect and code a state-sharing mechanism, buy and manage monitoring, and orchestrate VM re-start.

2. Free automatic proactive performance management

The same VMware technology that watches for server failure in vCHS also monitors the overall performance and health of servers. It’s free and there’s no configuration. If any particular server is overloaded, vCHS automatically live migrates VMs to a server with more capacity. There is no downtime and no “pausing” of the application – it just keeps on running.

The variability of AWS performance is legendary, leading users to devise cunning strategies to juice performance. One example: start more AWS instances than you need, conduct performance tests to see which ones perform well, and kill off the poorly performing instances. Rinse and repeat until you have enough working instances, and continue to monitor instances during their lifetime. With vCHS, this “Darwinian instance infanticide” isn’t necessary.

3. Non-disruptive maintenance

When AWS needs to do preventative maintenance on a server (e.g. a hypervisor security patch), your instance is going to die. There’s even an API where you can learn about when this will happen. vCHS uses live migration to move VMs to redundant server capacity, then performs maintenance on the affected server. The net? Your apps don’t stop because VMware needs to do server maintenance. There is no need for an “apology API.”

4. Create a VM of any size

With vCHS, you get to choose exactly the VM dimensions you want — any ratio of CPU, memory and disk up to the physical maxima. All VMs run on physical servers with 20Gbit/sec aggregate connectivity, unlike AWS servers with single 100Mbit or 1Gbit network cards. Unlike AWS, there is no need to process a complex decision tree of 29 instance choices (as of Feb 2014) to figure out which one you need (choose wisely because you can’t change it later). In vCHS, there is no need to over-buy CPU when all you want is high memory, or over-buy memory when all you want is good I/O.

On AWS, you have to buy up to the largest size that meets your memory or I/O requirement. If you get it wrong, then you have to pick a new instance and figure out if you can run what you want on it (not all AWS images run on all instance types), and how to transition your application without down-time, which leads me to…

5. Resize a VM or disk while it’s running

On vCHS you can add vCPU, memory and disk space to any running VM. Operating system support for adding CPU, memory and disk is present in Linux distros and Windows versions shipped since 2008. AWS instances cannot be expanded, and ensuring they can scale effectively requires careful planning (picking the right instance type and a fixed disk size) and writing code to do state sharing (adding parallel instances). Inadvertently making a bad sizing choice for horizontal scaling can put you in a world of operational pain – if, for example, your instances start running out of disk space, adding more of them just means more instances failing in exactly the same way because they’re all clones of each other.

VM and disk resize on vCHS can be a lifesaver for operations teams managing a critical application that is under load and needs more memory, disk or CPU right away.

6. Get strong I/O performance as standard, with no clever tricks

Netflix only ever buys AWS instances that completely fill a physical server in order to eliminate the I/O performance variation that comes from multiple tenants sharing the same physical server. This is just one example of clever strategies AWS customers have devised to extract better performance, along with choosing “EBS optimized” instance types – i.e. instances that run on servers with a 1 Gig NIC card.

On vCHS, all servers have 20G of aggregate network bandwidth, 20 times that of “EBS optimized” instances at AWS. Storage is a maximum of two network hops from the server, unlike AWS, minimizing congestion. Couple that with the ability to have any size of VM, and you can get exactly the VM you want, with the I/O bandwidth you need.

7. Higher performance disk without paying for provisioned IOPs

The standard disk tier on vCHS is a blend of SSDs (flash) and enterprise high-end disk. The flash acts as a cache for most-recently-used blocks, and multi-tenancy of the disk subsystem is limited to maintain good cache hit rates. Therefore, you get the acceleration of flash and high performance disk without having to buy higher-priced all-flash disk with I/O guarantees, or settle for AWS’ low-performance SATA-based EBS.

8. Bring your own VM without conversion, with full app vendor support

vCHS can run any VM you currently run on vSphere, Workstation or Fusion without any conversion into a proprietary format – and it’s supported by the software vendor for your application. You can also transfer and run practically any x86 physical machine running any operating system from DOS onwards, without having to switch to a special kernel or re-platform. There’s no waiting, or testing cycles to ensure that the converted VM actually works the same way. There is no arguing with your vendor about whether or not they support the deployment if it’s one of the 5,700 apps already certified on VMware.

With AWS, you must convert the VM, and that only works for a very small set of operating systems, and then convert it again if you want to export the VM. If the VM is at all dependent on any AWS services, you can’t run it in your own data center later because they don’t exist and they use proprietary APIs. You must also make sure that your software vendor can support your deployment on AWS.

9. Use the management tools you already have

vCHS can be managed with the VMware management toolset, with third-party tools that support the vCloud API, or with generic REST API adapters. You can manage vCHS from the vSphere client (web or Windows), vCloud Automation Center (vCAC) and vCenter Operations (vCOps). This is huge for many customers because it means they don’t need a second operations team to manage cloud infrastructure – one that assumes the radically different AWS architecture and operational model, along with the “fix it yourself” approach to performance and availability.

10. Stretched layer 2 networks between data center and vCHS

VMware allows you to stretch an Ethernet (layer 2) network from your data center to vCHS, making it appear like a single flat LAN segment. The simplest way to do this is with Direct Connect, a dedicated link between your data center and vCHS. Traffic is simply bridged between vCHS and your data center using the virtual networking capabilities of vCHS. To applications, it looks like all VMs are “on net” in the same LAN segment, which is useful for those apps that have a rigid, pre-defined idea of how the network should work and can’t be easily reconfigured. AWS by comparison offers no layer 2 stretched networks, only IP (layer 3) network connectivity.

All of these capabilities are designed to make it easier to run today’s and tomorrow’s applications with high performance and high resiliency. There’s no reason going to the cloud should mean a wholesale re-architecture where you take on the burden of implementing and managing those capabilities yourself.

For future updates, follow us on Twitter and Facebook at @vCloud and Facebook.com/VMwarevCloud.

For more information about the VMware vCloud Hybrid Service, visit vCloud.VMware.com.

vCHS OpenSSL remediation completed

Remediation is complete for vCHS. VMware Global Support Services has been in contact with the small number of customers who were potentially affected.

vCHS not affected by OpenSSL vulnerabilities except for Edge Gateway to Edge Gateway SSL VPN

We’ve determined that VMware Edge Gateway SSL VPN sessions that terminate on vCHS Edge Gateways are vulnerable to CVE-2014-0224. If you are not using SSL VPN Edge Gateway to Edge Gateway, you are not affected, as no other Edge Gateway functions are vulnerable: SSL load balancing and IPSec VPNs are not affected. We will remediate.

The CVE-2014-0224 vulnerability allows a “man in the middle” attacker to force negotiation of weak key material for SSL VPN sessions between Edge Gateways, potentially allowing an attacker with sufficient resources to decrypt the contents of the session.

We are also patching the Linux distributions in the vCHS catalog to the latest versions of OpenSSL. Customers can get the latest OpenSSL libraries on their Linux VMs by running “sudo yum update openssl” (or the equivalent for your distro) and then restarting any services that depend on OpenSSL, or rebooting the VM.
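The restart step is the one that gets skipped: once the package is updated, the fixed library is on disk, but any service that was already running keeps the old, vulnerable copy mapped in memory until it is restarted. On Linux that stale mapping is visible in /proc/&lt;pid&gt;/maps with a “(deleted)” suffix. The script below is an added example, not from this post or from VMware; it lists the processes that still need a restart so you can avoid a blind reboot. The sample maps content is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the post: after "yum update openssl" the fixed library
# is on disk, but every long-running service that loaded the old libssl/libcrypto
# keeps the vulnerable copy mapped until it is restarted. On Linux the stale
# mapping shows up in /proc/<pid>/maps with a "(deleted)" suffix, so we can list
# exactly which processes still need a restart instead of rebooting blindly.

# Given the contents of one process's maps file, print each distinct stale
# OpenSSL library it still has mapped; prints nothing if the process is clean.
stale_openssl_libs() {
    # $1 = contents of /proc/<pid>/maps
    printf '%s\n' "$1" | awk '
        /lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$/ {
            # the path is everything from the 6th field to the end of the line
            p = $6; for (i = 7; i <= NF; i++) p = p " " $i
            if (!seen[p]++) print p
        }'
}

# Number of distinct stale OpenSSL libraries in a maps listing (0 when clean).
stale_openssl_count() {
    stale_openssl_libs "$1" | wc -l | tr -d ' '
}

# Walk every process on the host (root is needed to read other users' maps).
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        content=$(cat "$maps" 2>/dev/null) || continue
        libs=$(stale_openssl_libs "$content")
        if [ -n "$libs" ]; then
            printf 'PID %s still maps: %s\n' "$pid" "$libs"
        fi
    done
}

# Constructed sample maps content (not captured from a real host): a web server
# that was started before the update and still maps the replaced libraries.
SAMPLE_MAPS='00400000-0040b000 r-xp 00000000 fd:01 131 /usr/bin/nginx
7f3a1c000000-7f3a1c1e8000 r-xp 00000000 fd:01 9921 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1c400000-7f3a1c45f000 r-xp 00000000 fd:01 9930 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c45f000-7f3a1c65e000 ---p 0005f000 fd:01 9930 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c800000-7f3a1c9b0000 r-xp 00000000 fd:01 1024 /usr/lib64/libc-2.12.so
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]'

# "--scan" checks the live host; with no argument, demonstrate on the sample.
if [ "${1:-}" = "--scan" ]; then
    scan_running_processes
else
    echo "Stale OpenSSL libraries in the sample process:"
    stale_openssl_libs "$SAMPLE_MAPS"
fi
```

Run it as root with --scan right after the package update; every PID it prints belongs to a service that is still executing the old OpenSSL code and must be restarted before the VM can be considered remediated. An empty result means the update has actually taken effect everywhere.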

We’ll provide more details on status in a later post.

New OpenSSL vulnerabilities and vCloud Hybrid Service

VMware is aware of today’s announcement of multiple vulnerabilities in the OpenSSL library and is reviewing their impact on vCloud Hybrid Service. Full details for all VMware products and services are tracked in the VMware Knowledge Base Article 2079783. We will post information specific to vCHS here on the vCloud Blog, and provide updates with more information as we have it.

Hybrid Cloud: Existing AND New Apps

It was a busy week for the cloud Twitterverse: trashing the new Gartner Cloud IaaS Magic Quadrant was de rigueur early in the week because everyone knows that IT is dead and all applications are going to be re-written to run on one of the clouds in the leaders’ quadrant. Then, on Friday, AWS announced a management plug-in for VMware vCenter, prompting a rush of schadenfreude as this clearly means that VMware is “going to disappear” as all existing apps are going to be imported into an operationally incompatible cloud environment with no resiliency for existing apps and highly inconsistent performance (for all apps).

Both of these things can’t be simultaneously true, of course. But there are kernels of truth in both narratives that underscore the importance of a hybrid cloud strategy: public cloud has to evolve to support both existing and cloud-native applications, blend together on-prem and off-prem deployments, and address the key challenge of production application deployment, which is operations. The single most expensive part of any cloud deployment is the operations team, whether you’re doing DevOps or waterfall, or anything in between.

My colleague Chris Wolf has written a clear and lucid blog post on why this is the case, which I encourage you to read. Allowing IT organizations to extend their current modus operandi into a complementary, compatible public IaaS service is central to the capabilities of vCloud Hybrid Service. That means being able to operate immediately with the apps you have and the team you have, jump starting the journey that is IaaS adoption. Your destination may very well look radically different from where you are today – you want to change how you operate to take advantage of the flexibility that cloud provides – but that doesn’t mean the journey has to be filled with giant leaps, downtime, re-writing everything multiple times, and huge operational risk.

I would also argue that when writing cloud-native applications, you want to write them once and not have to rewrite large chunks of your app if you choose to deploy somewhere else. When developing for hybrid cloud, the choice of deployment venue can be deferred until the later stages of the process. When developing for a pure public cloud, you choose the deployment venue at the beginning, and it’s very expensive to change your mind later. It’s no coincidence that there’s no “Export” button in AWS’s new vCenter plug-in.

And so yes, I believe the best place to run a VMware virtualized app is VMware’s cloud, which you would expect me to say. Not because it’s super simple to bring your existing VMs to it, but because it allows you to get started with the operations you have today, and gives you unparalleled operational flexibility tomorrow.