by: VMware Senior Manager IT Lincu Abraham; VMware Product Manager Avinash Giri; VMware Senior Member of Technical Staff Ganesh Kumar; and VMware Senior Manager Cloud Infrastructure Operations Karthigairaj Venkatasamy
One of the key responsibilities of the VMware IT Operations team is to manage the Chief Digital Transformation Office Modern App Platform (CDTO MAP) powered by VMware Tanzu™, which enables our developers to build and deliver apps to accelerate VMware digital transformation.
Figure 1. CDTO MAP architecture.
We had to address some key challenges to successfully deliver VMware Tanzu™ Application Service™ foundations, on demand, to our developers:
- Our infrastructure is spread across multiple data centers, making it challenging to maintain the same standard for delivering multiple foundations.
To address this, we developed a standardized infrastructure as code (IAC) delivery model, which we then programmed into our platform delivery pipeline and customized to fulfill our requirements.
- We didn’t have the luxury of dedicating infrastructure to each of our different business units, which meant we needed to onboard multiple tenants over a limited infrastructure pool.
To allow for multitenancy, we created isolation at three layers:
- Infrastructure Layer: we used the VMware NSX-T™ multitiered distributed routing model for centralized routing and isolation.
- Foundational Layer: we deployed multiple Tanzu Application Service foundations within the same infrastructure to provide isolation between development, staging and production environments.
- Service Layer: we used isolation segments (dedicated resource pools) within each of the Tanzu Application Service foundations and allocated these marketplace offerings (tile-based services) to provide compute and routing isolation.
- Using a single Tanzu Application Service foundation for multiple organization tenants over the same infrastructure leads to ‘noisy neighbor’ situations. The ‘noisy neighbor effect’ occurs when an application monopolizes available network resources and causes performance issues for others on the shared infrastructure.
We addressed this issue by building an automated IAC pipeline for isolation segments, which enabled us to deploy multiple foundations to ensure tenant-based setup while guaranteeing consistency and eliminating the security and performance issues from noisy neighbors at the same time.
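The service-layer isolation described above only holds if every app actually lands on its tenant's segment. The following audit is an added example, not VMware's pipeline code: it applies Cloud Foundry's placement order (space assignment, then org default, then the shared segment) to a constructed inventory whose org, space and segment names are hypothetical.

```python
from collections import defaultdict

SHARED = "shared"  # Cloud Foundry's default segment, used when nothing is assigned

# Constructed inventory: hypothetical tenants (orgs), spaces and segment names.
ORGS = [
    {"name": "finance", "entitled": ["iso-finance"], "default": "iso-finance",
     "spaces": {"prod": None, "batch": "iso-finance"}},
    {"name": "marketing", "entitled": ["iso-marketing", "iso-finance"],
     "default": None,
     "spaces": {"prod": "iso-marketing", "sandbox": None}},
    {"name": "hr", "entitled": ["iso-hr"], "default": "iso-hr",
     "spaces": {"prod": None}},
]


def effective_segment(org, space):
    """Space assignment wins, then the org default, then the shared segment."""
    return org["spaces"][space] or org["default"] or SHARED


def audit(orgs):
    """Return (finding, detail) tuples for placements that weaken tenant isolation."""
    findings = []
    tenants_by_segment = defaultdict(set)
    for org in orgs:
        for seg in org["entitled"]:
            tenants_by_segment[seg].add(org["name"])
        for space in sorted(org["spaces"]):
            seg = effective_segment(org, space)
            where = f"{org['name']}/{space}"
            if seg == SHARED:
                # Apps here run beside other tenants: the noisy-neighbor case.
                findings.append(("shared-placement", where))
            elif seg not in org["entitled"]:
                findings.append(("not-entitled", where))
    for seg, tenants in sorted(tenants_by_segment.items()):
        if len(tenants) > 1:
            # One segment entitled to several tenants is no longer dedicated.
            detail = f"{seg}: {', '.join(sorted(tenants))}"
            findings.append(("segment-shared-by-tenants", detail))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(ORGS):
        print(f"{kind:28} {detail}")
```

Run as a pipeline gate, a non-empty result would fail the build before a tenant is onboarded onto shared compute.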
To meet our challenges, we built a standardized and automated IAC pipeline for multitenancy by leveraging the Platform Automation Toolkit™ for VMware Tanzu for the Tanzu Application Service.
The workflows of Platform Automation Toolkit are modular and idempotent, making the toolkit ideal for automating pipelines. The toolkit provides instructions on using these building blocks in various workflows, such as installing, configuring, and upgrading foundations.
The toolkit also helped solve the challenge of requiring specialized skills for GitOps, DevOps, and other modern agile methodologies for delivering IAC, with its easy-to-use, human-readable YAML configuration files that can be customized for different types of continuous integration/continuous delivery (CI/CD) pipelines.
As with any platform, we have customization requirements, which involve fine-tuning several parameters and configurations that need to be defined throughout our foundations. Platform Automation Toolkit helped save a lot of person-hours by reducing these redundant and error-prone manual tasks. To put this into perspective, our automated IAC pipeline enabled us to deploy new foundations in just a few hours (vs. days, before) while ensuring all foundations maintain a standard set of configurations.
The flexibility of Platform Automation Toolkit coupled with the capability of Isolation Segments enabled us to build a fully automated and multitenant platform.
Our journey towards delivering an automated and multitenant platform involved some fundamental rearchitecting and refactoring of our existing infrastructure and tools.
- Rearchitecting involved migrating our network virtualization layer from NSX-V to NSX-T. This helped us to achieve a multitenant networking layer under a single NSX-T instance with ‘Tenant and Segment isolation’ curated over pipeline (network component creation using manifests). See Figure 2.
- Refactoring our automation pipeline (based on Concourse) required additional customization and a lot of manual effort for streamlining delivery and operations. Adopting the Platform Automation Toolkit had the benefit that it came bundled with Concourse tasks and provided a standard delivery model with adaptive inputs for granular level customization and updates to our platform. This change led to our IAC Pipeline builds being able to complete within minutes (rather than days). See Figure 3.
These two strategies enabled our platform teams to easily deliver an on-demand, self-service model to our app developers.
VMware IT partnered with experienced architects from the Tanzu Labs team to develop the designs for achieving multitenancy (Figure 2) and automation (Figure 3).
Figure 2. VMware IT multitenancy architecture.
Figure 3. VMware IT IAC ‘automated’ pipeline.
The key benefits of enabling multitenancy and improved platform automation are:
- Streamlined delivery and operational excellence
- Infrastructure that delivers better security
- Improved performance for our app teams
- Ability to isolate app owners from multiple business units, which eliminated the ‘noisy neighbor’ issue