
Tag Archives: governance

Use vCloud Automation Center’s Property Dictionary to Customize Service Requests

[originally posted on virtualjad.com]

As I’ve alluded to on more than one occasion, VMware’s vCloud Automation Center (vCAC) is more than just a cloud portal. It is a solution designed to take defined business policy and requirements and apply them to the underlying IT systems, providing a governance model that delivers infrastructure-as-a-service (IaaS) with business agility in mind. Once defined, those policies are applied to vCAC’s individual policy definitions to build a “mesh policy” that provides the governance and controls for self-service, automation, and lifecycle management. The result is a finely-tuned service deployment model that defines the applications (blueprints), where they can be deployed, who can deploy them, and under which circumstances they are (or aren’t) allowed to be deployed. More than just a cloud portal.

vCAC 5.1 provides a ton of this capability “out of the box”, but the solution can also add a tremendous amount of additional capability using built-in control concepts, custom properties, and native integration with external tools such as PowerShell, vCenter Orchestrator (vCO), and others. The possibilities are immense. Those of you who are familiar with vCO will immediately realize the power of that last statement. If you’re not familiar with vCO you should stop reading this, download/deploy the vCO appliance, and make it your best friend…then come back and finish reading. Any workflow available in vCO can be initiated during a vCAC service request. vCAC’s extensibility options — utilizing the built-in Design Center and/or Cloud Development Kit (CDK) add-on — take it to a whole other level of customization and automation. Well-defined use cases and a solid implementation strategy are key when you head down the extensibility path. I will cover more on extensibility and custom use cases in future posts. For now, I’m going to focus on one of vCAC’s built-in concepts that can be used to customize service provisioning options, reduce the number of managed objects (blueprints), and add a nice touch to the user experience…with as few point-and-clicks as possible! What I’m referring to is vCAC’s built-in Property Dictionary feature.

The Property Dictionary

From the vCAC 5.1 What’s New Guide (p. 2-77):

The property dictionary feature, introduced in release 4.5, enables an enterprise administrator to provide a more robust user interface for custom properties that a machine owner enters at request time.

Properties are used throughout the product to provide settings for many features. When users request new machines they are prompted for any required properties. Enterprise administrators or provisioning group managers designate which properties are required by selecting the Prompt User option on the blueprint or build profile. By default, the Confirm Machine Request page displays the literal name of the property as a required text box and does not provide any validation other than that a value has been entered.

The property dictionary allows you to define characteristics of properties that are used to tailor the behavior of the request user interface…

(give the “what’s-new” guide a read if you haven’t done so already)

You use the Property Dictionary function to build a Property Definition, which is the logic behind each action. Property definitions can be created for custom properties that require user input during the service request process and, for example, will trigger an external action (e.g. workflow) to complete a given set of tasks that respond back to vCAC when completed. Can you say “Software-Defined Datacenter”?

Some additional uses of the Property Dictionary include:

  • Allowing users to select specific resources that are otherwise hidden (e.g. overriding resource reservation policies to allow users to select a specific datastore, network, or cluster)
  • Creating property names and descriptions that make sense and can be read in plain English
  • Adding pop-up tool tips to explain each required item
  • Customizing the order in which required fields are displayed
  • Making an otherwise required field no longer required

You can also create property definitions that utilize vCAC’s built-in reserved custom properties, which take the user’s input (or selection) and apply it to the existing custom property as an answer file of sorts. For example, you can define a drop-down menu that lists all the networks available to a given Provisioning Group (via that group’s resource reservation) and allow the user to select a preferred network. Once the request is approved, that application is deployed to the selected network. You can also build relationships between parent and child definitions to provide more dynamic, nested functionality — the user selects a datacenter (“Datacenter A”, parent) and, based on that selection, only the appropriate networks (“NetA”, “NetB”, “NetC”, children) become available. The result is an application that gets deployed to Datacenter A using Network B. Throw a storage selection option in there with the same Datacenter relationship rule and now you’ve got a fine balance of policy-based controls and a dynamic user experience.
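To make the parent/child relationship concrete, here is an added example (not code from the original post, and not vCAC’s own implementation) that models a small property dictionary in Python: each definition carries a plain-English label, tooltip, display order, required flag and either a static value list or a list filtered by its parent’s value. The `validate_request` function repeats the drop-down filtering on the server side, so a request that names a network or datastore outside the chosen datacenter’s reservation is rejected rather than trusted because the UI “should” have prevented it. All property names, values and the `feeds` targets are constructed for the example; they are not vCAC’s reserved property names.

```python
"""Model of a vCAC-style Property Dictionary with parent/child value
relationships, and server-side validation of a service request against it.
Constructed example: the property names, values and 'feeds' targets are
hypothetical, not vCAC's own reserved properties."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PropertyDefinition:
    name: str                       # custom property name referenced by the blueprint
    display_name: str               # plain-English label shown on the request form
    tooltip: str = ""               # pop-up help text for the field
    required: bool = True           # "Prompt User" fields that may not be left blank
    order: int = 0                  # display order on the Confirm Machine Request page
    values: list = field(default_factory=list)        # static drop-down choices
    parent: Optional[str] = None    # parent definition whose value filters this one
    child_values: dict = field(default_factory=dict)  # parent value -> allowed choices
    feeds: Optional[str] = None     # provisioning property the answer is copied into

    def allowed_values(self, parent_value=None):
        """Choices offered for this field, given the parent's current value."""
        if self.parent is None:
            return list(self.values)
        return list(self.child_values.get(parent_value, []))


# Constructed dictionary: the datacenter selection drives both the network
# and the datastore lists, as described in the post.
DICTIONARY = [
    PropertyDefinition("Custom.Datacenter", "Target datacenter",
                       "Datacenter the machine will be deployed to", order=1,
                       values=["Datacenter A", "Datacenter B"]),
    PropertyDefinition("Custom.Network", "Network",
                       "Only networks reserved in the chosen datacenter are listed",
                       order=2, parent="Custom.Datacenter",
                       child_values={"Datacenter A": ["NetA", "NetB", "NetC"],
                                     "Datacenter B": ["NetD"]},
                       feeds="Hypothetical.Network.Name"),
    PropertyDefinition("Custom.Storage", "Datastore",
                       "Only datastores reserved in the chosen datacenter are listed",
                       order=3, parent="Custom.Datacenter",
                       child_values={"Datacenter A": ["DS-A1", "DS-A2"],
                                     "Datacenter B": ["DS-B1"]},
                       feeds="Hypothetical.Storage.Name"),
    PropertyDefinition("Custom.Justification", "Business justification",
                       "Shown to the approver", required=False, order=4),
]


def form_layout(definitions):
    """Fields in the order the request page should render them."""
    return [(d.display_name, d.tooltip, d.required)
            for d in sorted(definitions, key=lambda d: d.order)]


def validate_request(definitions, submitted):
    """Validate a submitted request against the dictionary.

    Returns (errors, provisioning): 'errors' lists human-readable problems,
    'provisioning' holds the accepted answers keyed by the property they feed.
    The parent/child filtering is re-applied here, so a tampered or stale
    request cannot pick a network or datastore the chosen datacenter's
    reservation policy does not allow.
    """
    by_name = {d.name: d for d in definitions}
    errors, provisioning = [], {}
    for d in sorted(definitions, key=lambda d: d.order):
        value = submitted.get(d.name)
        if value in (None, ""):
            if d.required:
                errors.append(f"{d.display_name} is required")
            continue
        parent_value = None
        if d.parent is not None:
            parent_def = by_name[d.parent]
            parent_value = submitted.get(d.parent)
            grand_value = submitted.get(parent_def.parent) if parent_def.parent else None
            if parent_value not in parent_def.allowed_values(grand_value):
                errors.append(f"{d.display_name} cannot be checked: "
                              f"{parent_def.display_name} is missing or invalid")
                continue
        allowed = d.allowed_values(parent_value)
        if allowed and value not in allowed:
            errors.append(f"{value!r} is not a valid {d.display_name}"
                          + (f" for {parent_value}" if d.parent else ""))
            continue
        provisioning[d.feeds or d.name] = value
    return errors, provisioning


if __name__ == "__main__":
    good = {"Custom.Datacenter": "Datacenter A", "Custom.Network": "NetB",
            "Custom.Storage": "DS-A1"}
    print(validate_request(DICTIONARY, good))
    bad = {"Custom.Datacenter": "Datacenter B", "Custom.Network": "NetB",
           "Custom.Storage": "DS-B1"}
    print(validate_request(DICTIONARY, bad))
```

The second request in the `__main__` block is the case the post’s relationship rule is meant to prevent: “NetB” is a legitimate network, but not one reserved for Datacenter B, so it is rejected while the datastore choice for that datacenter is accepted. Adding a further child level (say, a port group filtered by network) only requires another definition whose `parent` is `Custom.Network`; the validation walks the chain without changes.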

Sounds like a good use case to me! My next post will provide detailed configuration steps for enabling this exact scenario. Stay tuned…


Gov’t Agencies Taking the Cloud Journey

This week I had the distinct pleasure of joining a panel of cloud industry experts for the AFCEA Belvoir Industry Days conference at Washington National Harbor's Gaylord Resort to discuss the hot topics of cloud computing in front of hundreds of attendees representing several federal agencies (notably the US Army).  The panel was moderated by GSA CIO Casey Coleman and included experts representing Lockheed Martin, CSC, Octo Consulting Group and — best of all — VMware.

To kick things off, each panelist had 5 minutes for opening remarks and to provide some insight on their organization's perspective on cloud…call it a 5-minute elevator pitch.  For my part, I shared VMware's cloud vision of transforming IT as we know it and the journey through this transformation — an approach to cloud that is broken up into three measurable stages:

  1. IT Production – early stage virtualization to reach new infrastructure and cost efficiencies.
  2. Business Production – realizing the value of all that is gained by virtualizing "low hanging" applications in stage 1 — increased availability and performance, app agility, centralized management, etc — to drive the virtualization of business critical applications while setting a solid foundation for cloud computing.
  3. IT as a Service (ITaaS) – reaping the benefits of the first two stages and laying down the framework of a modern cloud architecture, which ultimately leads to business agility.

The first panel question was teed up by Ms. Coleman, which was enough to fuel additional questions by the 300+ audience for the remainder of the 1-hr session.  After each panelist shared their thoughts on each of the questions, I couldn't help but notice the recurring theme: Security and Compliance in the cloud.  The panel shared several views and opinions on this often-touchy topic.  Here are a few highlights of these and other important questions along with my response (not necessarily in this order and all paraphrased of course)…

Q: How will I know my agency is ready for cloud?
A: Does IT and business agility intrigue you?  Understanding the industry-accepted characteristics of cloud — pooling, elasticity, automation, self-service, etc. (see: NIST) — and all that it promises will often trigger a need to move along on the journey.  But agencies are approaching the journey in many different ways. Some are eager to achieve the goal of business agility — and quickly ramping up to get there — while others are simply following the guidelines of Vivek Kundra's Cloud First mandate but struggling to lay down the groundwork to get there.  Regardless of why you need/want cloud, how prepared your agency is will make the journey affordable, achievable, and worthwhile.

Q: How do I evolve from traditional IT to IT as a Service and the cloud?
A: First and foremost, setting a solid foundation of the cloud — just like you would for a house — is a critical first step (resource pooling: a key prerequisite) in the journey.  For VMware's customers, that means achieving high levels of virtualization and efficiencies through vSphere.  For any organization that is stuck in the IT Production phase (20-30% virtualized), that means taking the necessary steps to move to the Business Production phase and increase those levels of virtualization to 60% or greater on an optimized virtual infrastructure.

Q: How are compliance and security addressed in the cloud?
A: We first have to understand what changes as we shift from static workloads protected by physical perimeter security devices to an environment where they are run virtually on shared infrastructure — possibly across multiple datacenters — and free to be elastic, portable, and dynamic.  This shift requires a fundamentally new approach.  From a VMware perspective, security and compliance are addressed using a set of technologies and management tools to provide end-to-end compliance and security in depth.  This includes the ability to provide dynamic network segmentation and protection in the cloud; providing secure multi-tenancy through frameworks and adaptive [virtual] security devices built for this era; a governance model that makes sense of all actions (and interactions); and a compliance and control engine that addresses these issues within a single workload or entire clouds at a time.  Only with these tools and tight integration with the surrounding frameworks can you provide a level of compliance for workloads small and big, connected or not, and still be able to deliver all that we strive to achieve in the cloud.

Q: Workload portability is critical — how is this achieved in the cloud?
A: We're constantly referring to the need for elasticity and portability in the cloud.  These terms refer to the ability to move workloads between cloud infrastructures for reasons including capacity, performance, security, availability, cost, and other business factors.  VMware addresses these key characteristics by implementing technologies that allow a cloud user to shift workloads across cloud infrastructures — between any combination of private, public, or traditional virtualized environments — and achieve true hybrid cloud capabilities.  With these tools at their fingertips, consumers are presented with a "single pane of glass" interface that allows them to move and manipulate workloads across all vCloud-powered clouds for whatever the purpose.

Q: How about cloud interoperability?
A: Interoperability is key.  Most agencies that dive into the realm of all things cloud quickly realize that not all clouds are made equal — far from it!  This can be a big problem — the journey to cloud doesn't have to be polluted with warning signs and speed bumps.  VMware spearheaded the Open Virtualization Format (OVF), which has received industry-wide acceptance, is an ANSI standard for portability, and is supported by several partners and competitors alike.  With OVF, customers are able to import/export workloads and associated metadata to/from a variety of virtualization and cloud platforms.  VMware is also a big believer in open APIs — vCloud APIs in this case — to enable streamlined management and control of workloads across clouds.  VMware uses these technologies natively to enable portability across vClouds (pub/priv/hybrid) and to/from vSphere environments.  This means that your on-premises private vCloud will deliver interoperability with vCloud-powered service providers and allow you to deploy, run, manage, and secure workloads across these common frameworks.

There are gotchas — understand that the objective here is to provide a means of moving your applications based on the requirements of the business or the unique characteristics of a given application.  Interoperability needs to be a two-way (at least) road…beware of the service providers that are happy to receive (import) an OVF workload but not give you the tools to get it back.  We call this the "Hotel California" model.  When all sources and destinations provide a common set of frameworks and APIs, this issue goes away and streamlined management ensues.

I certainly enjoyed learning the position of each panelist — many common approaches but not always the case, which keeps it interesting!  All in all, the audience questions were great, the panelists were often in sync, and we all demonstrated a [mostly] unified approach to the cloud journey.