
A Quick Look at New Sovereign and Developer Ready Cloud Services Coming for Cloud Providers

It is with great excitement that we are able to share with you several upcoming new services being offered for our VMware Cloud Service Providers here at VMware Explore Europe. VMware continues to expand our Sovereign and Developer Ready cloud portfolios with these new capabilities, which fill important areas in our cloud providers' solution portfolios. Cloud providers in turn can use these services to expand the solution offerings available to their tenants, enabling those tenants to accelerate their cloud smart modernization journeys while, in the case of sovereign clouds, also aligning with requirements from data sovereignty and jurisdictional control mandates.

VMware Solutions for Sovereign Clouds

So without further ado, let’s take a closer look at some of the announced services now available, or coming soon, for VMware cloud providers!

What’s New for Sovereign Cloud

Developer Ready Cloud Solutions for Sovereign Clouds

The VMware team has long understood that regulated and sensitive industries struggle to meet regulatory, environmental, and jurisdictional requirements, while still innovating. These organizations are being forced to assess their technology solutions within the context of local, state, and national regulations and requirements, several of which enforce data processing rules and restrictions. Organizations need to remain compliant while continuing to innovate.

Often these organizations are also resource-constrained. With recent economic pressures and global instability, highly regulated organizations are having to achieve more with less. Given the ever-increasing cost pressures these organizations experience, alongside dwindling resources and talent gaps to fill, organizations need cloud smart technologies, tools, and processes to help them deliver value to their stakeholders or constituents as effectively as possible. These organizations need curated and managed modern technology solutions that can help them get their innovation on track while remaining compliant. This is why the VMware team is pleased to make several VMware Tanzu products available to our sovereign cloud partners.

VMware Tanzu on Sovereign Cloud

Sovereign-Ready VMware Tanzu Available on Sovereign Cloud

Sovereign Cloud Providers can now help their customers quickly and easily onboard Kubernetes workloads onto their clouds with Tanzu Kubernetes Grid. Not only is it a local version of our enterprise-ready Kubernetes solution, but as an enterprise grade solution it gives your customers the flexibility and capabilities to build, deploy, and manage their application solutions that align with their specific sovereignty requirements.

VMware Tanzu on sovereign cloud includes a fully-compliant Kubernetes runtime that is hosted and managed by the sovereign cloud provider. It’s a fully disconnected version of Tanzu Kubernetes Grid that is packaged with the additional automation tools such as the Services Installer for VMware Tanzu (SIVT) and Container Service Extension (CSE) for VMware Cloud Director (VCD), and open-source technologies needed to deploy and consistently operate a scalable Kubernetes environment wherever it is needed to run. The open-source components included with Tanzu Kubernetes Grid allow a sovereign cloud provider and their tenants to remain agile through the deployment and operational management of Kubernetes clusters, while ensuring enterprise-level compliance. Tenant operators can streamline administration across cloud infrastructure types giving developers a consistent experience across environments, observe and adapt based on open-source metrics, traces and logs which display where Kubernetes cluster failures may arise, and better ensure traffic is safe and allowed.

VMware Data Solutions for Scalable Data Management

VMware Data Solutions (formerly Tanzu Data Services) are also coming to sovereign clouds. This portfolio of data messaging, database, and caching solutions will help our sovereign cloud providers build scalable, compliant and conformant data management solutions for highly regulated and sensitive industries. By leveraging the capabilities of these data services in conjunction with VMware Cloud Director for multi-tenant environments, sovereign cloud providers can help customer development teams improve performance, expand their application service capabilities, and deepen their data insights across their enterprise customers. Tenants will have access to a self-service UI and API for lifecycle management of these services provided by sovereign cloud providers so they can tune their instances for optimal performance of their applications.

VMware Data Solutions

For this initial sovereign cloud announcement, VMware RabbitMQ is supported and globally available and VMware SQL is available as preview with additional VMware Data Solutions services to come in 2023. For more about the VMware Data Solutions for our VMware Cloud Providers, you can read our blog from earlier this year for additional details.

Tanzu Application Platform Enhanced for Sovereign Clouds

Sovereign-ready Tanzu Application Platform provides development teams with the tools and services they need to get their code to production faster and more securely. Announced at VMware Explore US, Tanzu Application Platform has added air-gapped installation for enhanced security and compliance in sovereign cloud environments. Developer productivity has been enhanced with the addition of Dynamic API spec registration using the Backstage API plugin to securely automate publishing, consuming, and collaborating on APIs for software development. A new, centralized vulnerability monitoring dashboard will aid app teams with their pre-deployment security checks and secure app deployments. Tanzu Application Platform has also added support for Red Hat OpenShift, Jenkins, and Carbon to expand the footprint of ecosystem integrations.

Aria Compliance for Sovereign Clouds

Aria Operations offers continuous compliance, reporting and remediation to ensure providers are servicing their Sovereign tenants with complete, fast, and efficient compliance. 

Aria compliance pack for Sovereign Cloud (in Initial Availability) includes out-of-the-box regulatory compliance kits, configuration checks and reporting on the core Sovereign controls such as micro-segmentation, data at rest and in transit encryption, and ISO 27000 compliance. With full integration with VMware Cloud Director, a unified dashboard for reporting offers an efficient way for tenants to validate Sovereign compliance with their complete infrastructure.

Aria Compliance for Sovereign Clouds offers the following key benefits to Sovereign Cloud providers:

  • Operate and manage your sensitive and regulated workloads on a secure, compliant Sovereign cloud that meets data residency and data sovereignty requirements
  • Leverage compliance benchmarks based on VMware security best practices (Sovereign Cloud Control checklist & Security configuration guides)
  • Support for regulatory compliance frameworks like ISO, PCI, CIS, FISMA, HIPAA, DISA 
  • Visualize Compliant / Non-compliant objects breakdown and associated compliance alerts
  • Detect and automatically remediate cloud misconfigurations
  • Generate, schedule, and share audit-friendly Sovereign Cloud Compliance posture reports

Sovereign SaaS

Recognizing the need to deliver innovation within a Sovereign Cloud air-gapped or isolated domain, VMware is introducing a Sovereign SaaS delivery platform. Essentially, VMware is separating SaaS platform components so that SaaS services can run within a Sovereign Cloud. This will ensure that data residency and provider operations maintain a sovereign stance, because there is complete isolation from external sources: no operational data or metadata is exchanged with external systems (those outside the sovereign domain). The Sovereign SaaS delivery mechanism will prioritise the delivery of Tanzu components, starting with Tanzu Mission Control.

Unified Kubernetes Management with Tanzu Mission Control

VMware is working to add support for private deployments of Tanzu Mission Control, a global Kubernetes management plane, with the goal of allowing customers and sovereign cloud partners who must operate in highly regulated, on-premises, and air-gapped environments to benefit from full Kubernetes cluster visibility in a single private control plane. Tanzu Mission Control enables management of Kubernetes clusters, including Tanzu Kubernetes Grid, at scale and consolidates lifecycle and policy management so that resource constrained organizations can operate their Kubernetes estate at-scale more efficiently. The Tanzu team is working on this offer via a private beta program with selected customers and partners.

Partner Ecosystem Solutions for Sovereign Clouds

The Sovereign Cloud market is being driven by highly sensitive and regulated markets, with key drivers such as threats from geo-political and environmental changes, increasing volumes of data (particularly unstructured data), more data protection regulations and regional laws, increasing economic pressure, concern over foreign jurisdictional access to national data, and cyber attacks that generate significant risk to economies and systems of national importance. To protect those workloads with best of breed products, VMware has worked with our ecosystem of 3rd party partners to deliver solutions for securing and protecting those sovereign workloads. Let’s take a closer look at these solutions:

Key Management as-a-Service with Fortanix

Customers needing to meet data sovereignty and jurisdictional requirements for their workloads will need key management services that are both secure and adaptable to a dynamic software-defined infrastructure. Traditional HSM solutions require proprietary hardware, which is inflexible in complex software-defined data centers, while software-only key managers do not provide the same level of protection as HSMs. Fortanix Data Security Manager (DSM) is a unified HSM and key management solution that integrates via KMIP for VMware vSAN and vSphere VM encryption, enabling sovereign cloud tenants to bring and manage their own keys. Fortanix makes it possible for sovereign cloud providers to deliver secure multi-tenant data protection and compliance to tenants with its software-defined HSM security for sovereign cloud scale architectures. Fortanix DSM allows sovereign cloud providers to offer Bring Your Own Key (BYOK) for VM encryption and vSAN encryption, FIPS 140-2 Level 3 HSM protection, key management, tokenization, and secrets management through a single platform hosted within the VMware sovereign cloud boundary.

Fortanix Key Management for Sovereign Cloud

Compliance as-a-Service with Caveonix

A sovereign cloud customer’s primary prerequisite is to safeguard data, secure access to the right parties, ensure complete compliance with all state, national and global regulatory requirements, and provide continuous compliance monitoring for data sovereignty and governance on an ongoing basis. The joint VMware and Caveonix Cloud solution offers a fully integrated security, compliance, and governance platform for customers to effectively manage data sovereignty compliance requirements of hybrid multi-cloud environments. The Caveonix Cloud platform has been fully tested and validated to support the VMware Cloud Foundation (VCF) components including vCloud Director (VCD), vCenter, vSphere, VMware Tanzu Kubernetes Grid (TKG), vRealize Automation (vRA), NSX-V and NSX-T. The platform assesses the security posture of the VMware environment and provides continuous monitoring to ensure immediate reporting and mitigation of any drift in the security and compliance posture, thus protecting all data assets stored in the sovereign cloud provider’s infrastructure.

Caveonix Compliance for Sovereign Cloud

Data Protection and Ransomware Defense as-a-Service with Veeam & Cloudian

Data, as the blood of all businesses, is critical to protect and secure. With ransomware attacks, distributed denial of service (DDoS) attacks, and state-sponsored cyber thefts of data on the rise, one of the more important capabilities a highly regulated business or public entity must provide for their workloads is the ability to protect their data within the sovereign domain. To meet this critical need, sovereign cloud providers can offer data protection and recovery, ransomware defense, and disaster recovery services within their sovereign cloud, leveraging a joint solution of Veeam and Cloudian. Veeam Availability Suite provides the requisite data protection services, while Cloudian HyperStore forms the scalable and secure cloud object storage layer delivering long term data protection storage and ransomware defense for the backups and archives sent from Veeam. Together, VMware Sovereign Cloud customers can be ready for ransomware attacks, recover with confidence and overcome any cyberthreat. Veeam’s Secure Restore ensures that if malware is activated in a backup, the backup can be restored to a previous state with the malware removed. Cloudian in addition offers data immutability, a must-have feature which ensures there is an air-gapped and tamper-proof backup customers can rely on, safe from hacker attacks and clear of malware for reliable recovery. Customers can leverage Veeam and Cloudian to ensure that data protection meets compliance and regulatory audit requirements for their critical workloads.

Data Protection and Ransomware Defense with Veeam & Cloudian

Data Lakehouse as a Service with VMware Greenplum and Cloudian

Modern analytics applications in the cloud have evolved by combining the flexibility, cost-efficiency, and scale of S3 data lakes with the data management and ACID transactions of data warehouses to create “Data Lakehouses.” However, organizations that need to comply with sovereignty laws where their data resides have not been able to take advantage of these paradigm-shifting analytics applications in the public cloud.

VMware Tanzu Greenplum, a massively parallel processing (MPP) data warehouse platform, seamlessly integrates with Cloudian HyperStore S3-compatible object storage to provide enterprise sovereign cloud customers the same Data Lakehouse architectures on-premises. This VMware-certified solution enables new efficiencies and savings and is ideal for the creation and deployment of advanced analytics models for complex enterprise applications. Sovereign cloud customers can leverage this joint solution to modernize their data analytics architecture, offer high data durability, and more easily comply with local data sovereignty laws by storing data in scalable storage in-region at up to 70% lower total cost than public cloud solutions. Sovereign cloud providers can leverage the solution to open new monetization opportunities, with the fully multi-tenant solution sitting on a single shared data lake infrastructure, and addressing the complex storage, access, and security requirements of highly regulated industries and public domains.

Data Lakehouse with VMware Greenplum and Cloudian for Sovereign Cloud

VMware Application Catalog Delivers Production Quality Open-Source Components

According to 2021’s State of Software Supply Chain report, 95 percent of enterprises use OSS, of which 94 percent admit to security concerns about using OSS in production. Cloud Service Providers that currently provide OSS to their customers through cloud marketplaces may not be able to address this pain point, as the catalog of solutions they provide is more suited to dev and test environments than to production environments. VMware Application Catalog addresses this shortfall because it offers a customizable selection of trusted, pre-packaged open-source application components that are continuously maintained and verifiably tested for use in production environments. VMware Application Catalog is now available as a subscription for VMware Cloud Providers, including sovereign cloud providers. This is an important new service for cloud providers to offer their tenants, particularly once they get to scale with development and app modernization projects and then have the burden of continuously:

  • Needing to update OSS components every time a major or minor release or patch update occurs
  • Identifying the security footprint and vulnerabilities existing in OSS components
  • Packaging and validating the OSS components for different target deployment platforms, including support for Helm and dependencies therein
  • Understanding the provenance of the software used in customer organizations

By deploying VMware Application Catalog, cloud providers can easily and significantly reduce risk and security exposure that would otherwise realistically require substantial effort to address.

VMware Application Catalog for Production Quality Open-source Software Components

NVIDIA vGPU as a Service for Modern Application Compute Requirements

Announced earlier this year, VMware Cloud Director now supports multi-tenanted NVIDIA vGPU as a Service to address accelerated compute and AI/ML use cases. As modern applications become more prolific in the cloud, Cloud Providers need to address the increasing customer demand for accelerated computing (e.g. machine learning, artificial intelligence development, high-end analytics, scientific computing, and much more) that requires large volumes of multiple, simultaneous computation that can be met with GPU capability. VMware Cloud Providers can leverage vSphere support for vGPUs based on NVIDIA AI Enterprise with compatible hardware from within Cloud Director 10.3.2 – delivering multi-tenancy vGPU services. This can substantially reduce cost requirements for vGPU services, and tenants can self-serve and manage their vGPU accelerated workloads within Cloud Director. Cloud Providers can use innovative GPU profiles to meter vGPU usage averaged over a unit of time per tenant through vCloud APIs for tenant billing, monetizing the capabilities of their hardware investments and improving overall revenue generation, while simultaneously improving compute times and cost savings for their tenants.

Container Service Extension 4.0 Enhanced to Support Tanzu Kubernetes Grid Clusters

Container Service Extension 4.0 provides many enhancements focused on simplicity and usability that cloud providers have been needing to complement their modern application cloud infrastructure services. These capabilities help cloud providers significantly improve availability of key Kubernetes services and reduce complexity of delivering cloud-native strategies that their tenants are executing. Some of the key capabilities this release will bring as the go-to plugin for VMware Cloud Director include:

  • Multiple master control plane nodes to deliver Control Plane capabilities, providing improved resiliency for tenants
  • Worker plane VMs can now be categorized into node groups to better organize nodes based on tenant requirements
  • 1-click cluster upgrade, and pre-installation of Tanzu core packages in Tanzu Kubernetes Grid multi-cloud clusters greatly simplify and automate the management of K8s clusters, freeing up time and effort for users
  • CSE is now highly available (HA), offers enhanced flexibility with GPU support, and allows for heterogeneous clusters with custom-sized nodes, further increasing the service offerings a provider can deliver

Additional Resources for Cloud Providers

Below is a list of upcoming sessions at VMware Explore Barcelona, as well as available assets which can help provide more detail on partner solutions available for our cloud providers. In addition, stop by the Sovereign Cloud and Tanzu booths at the VMware Pavilion to learn more about the solutions and talk to experts about how VMware can help you plan and build cloud smart services that meet your tenant requirements, whether in public, private, or sovereign clouds.

VMware Explore Barcelona Sessions

Blogs

Solution Briefs

Videos: