by: VMware Senior Director R&D Gopinath Anantharaman; VMware IT Director Arjun Basu; VMware Director, Solutions Engineering and Design Swapnil Hendre; VMware Senior Manager Application Services Ramanathan Meyyappan; VMware Technical Architect Eric Rong
VMware IT builds, operates, and manages Identity Services, which enable VMware Cloud Services and the My VMware application platforms. VMware Cloud Services platform in turn enables secure access to more than twenty VMware SaaS offerings, including VMware Cloud on AWS, VMware Tanzu, and the VMware vRealize portfolio. The My VMware platform also enables key services, including license management, downloads, and global support services. Identity Services is centralized across both platforms and helps millions of customers to authenticate and log in. Achieving a 99.99 percent service-level objective with stringent security and performance bars, and gaining economies of scale by managing both private and public cloud workloads with a single team were key challenges we successfully addressed.
The VMware Cloud on AWS solution is an on-demand cloud service that integrates VMware vSphere®, VMware vSAN™, and VMware NSX®—along with VMware vCenter® management running on a dedicated, elastic Amazon Web Services (AWS) infrastructure. It offers IT the flexibility to provide a reliable VMware infrastructure to host Identity Services from a tertiary data center.
The solution involved works across five key areas:
- VMware Cloud on AWS core services
- VMware NSX Advanced Load Balancer
- Identity Services application stack
VMware Cloud on AWS Core Services
Deploying team-built core services in VMware Cloud on AWS (active directory (AD), Domain Name Server (DNS), load balancers, multifactor authentication (MFA), network time protocol (NTP), and the security stack) ensured low latency, eliminated cloud egress cost, and removed on-premises data center dependency. We used Direct Connect to provide dedicated, low-latency, cost-effective secure network connectivity.
VMware NSX Advanced Load Balancer
NSX Advanced Load Balancer, used for load balancing the Identity application, provides automated application services, application analytics, and security. This allowed us to easily deploy load balancer services and also trace pod traffic, provide improved metrics, and reduce fault isolation time.
Identity Services Application Stack
The application stack was originally deployed on-premises across a primary and secondary data center. The Identity and Access Provider, catering to high-volume inbound customer single sign-on (SSO) traffic, was deployed in virtualized environments. Identity application services were containerized workloads. The increasing high availability needs of the cloud services platform led the Identity Services IT team to think beyond traditional on-premises deployments and add a completely isolated disaster recovery (DR) site for VMware Identity on VMware Cloud on AWS. This enabled a clean separation from an on-premises data center and any associated outages, as well as isolation in a DR situation.
IT teams leveraged VMware NSX micro-segmentation to provide desired levels of isolation and security. NSX Advanced Load Balancers provided automated load balancing, application analytics, and security. VMware IT also refactored the Identity application services to provide a leaner, easier-to-operate application footprint on public cloud. Secure, real-time directory services synchronization enabled replication of user records across data centers.
Functional, Performance, Security, Resiliency Testing
To stand up a highly available disaster recovery (DR) site for a foundational service on a public cloud infrastructure, IT needed a consistent SDDC infrastructure in the on-premises and public data centers. VMware Cloud on AWS helped seamlessly port the application stacks.
High-level Key Performance Indicators (KPIs) for Identity Services include:
|High availability||99.99 %|
|Security posture||Zero infrastructure, OS, application vulnerabilities|
|Throughput||Stable response times under 5x normal load|
Our testing methodology followed an automated approach on a replicated installation to ensure that the new implementation on VMware Cloud on AWS would meet required KPIs.
An integrated automated suite tested all access management features, including SSO, multifactor authentication, and profile checks.
All identity services on public cloud were progressively tested at workloads scaling to 1x/2x/3x/4x/5x of current production loads. The enterprise-grade performance of the entire stack on proved fully capable of handling thousands of transactions per second.
Identity Services are a foundational service for VMware IT. The DR site was tested for near real-time failover capabilities in case the primary on-premises data center went down. The Identity platform on VMware Cloud on AWS was also tested for individual component failures in the infrastructure, application, and networking layers. The team confirmed that failover to the public cloud data center could complete within 30 seconds with no loss of user data or sessions.
The insights and metrics gathered from leveraging VMware vRealize and Tanzu Observability tools with the team’s instrumentation help ensure (but is not limited to):
- stability of the infrastructure
- availability of the identity stack
- better transactional service-level agreement (SLA) and customer experience.
Our metrics help ensure these by delivering:
- a proactive and actionable alerting mechanism
- user activity tracking
- the ability to detect anomalies
- capacity planning/trends
- network traffic discovery/migration-deployment planning.
All the information, insights, and alerts are put into an aggregator platform/application that enables the site reliability engineers, operations and development teams to make informed decisions that drive standard operating procedures and incident/problem management in various circumstances. The result is an exceptional customer experience.
VMware IT plans to enable active-active configurations to help us serve Identity Services from both private and public clouds.
VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. Contact your sales rep or email@example.com to schedule a briefing on this topic. Visit the VMware on VMware microsite and follow us on Twitter.