The VMware vision of the modern data center starts with a foundation of software-defined infrastructure and is based on the value customers realize from a standardized architecture. It is a fully integrated hardware and software stack, simple to manage, monitor and operate. The VMware approach to the SDDC delivers a unified platform that supports any application and provides flexible control. The VMware architecture for the SDDC empowers companies to run private and hybrid clouds and to leverage unique capabilities to deliver key outcomes that enable efficiency, agility and security.
The fully virtualized data center is automated and managed by intelligent, policy-based data center management software, vastly simplifying governance and operations. A unified management platform enables centralized monitoring and administration of all applications across physical geographies, heterogeneous infrastructure and hybrid clouds. Workloads can be deployed and managed in physical, virtual and cloud environments with a unified management experience. IT becomes agile, elastic and responsive to a degree never before possible.
The VMware SDDC is based on well-established products from VMware. vSphere, vSAN and NSX provide compute, storage and networking virtualization to the SDDC and the vRealize Suite brings additional management, self-service, automation, intelligent operations and financial transparency. This forms a solid foundation to host both traditional and cloud-native application workloads.
Figure 29. VMware software-defined data center architecture
Organizations that are running traditional hardware data center architectures are forced to rely on manual processes, scripting, and complicated communication between teams to get new applications to market. They experience lengthy and costly challenges provisioning networks, and troubleshooting manual process configuration errors. By transforming to an SDDC, organizations can automate and manage IT processes in software. A fully automated environment can dramatically reduce the production-ready infrastructure and application component provisioning time from days or weeks down to a matter of minutes.
As part of the VMware SDDC cloud management platform, VMware vRealize Automation (vRA) can solve the challenges observed in traditional data center architectures with comprehensive and extensible automation capabilities, providing a self-service cloud experience. The ability to integrate into existing processes maximizes the SDDC platform return on investment (ROI) and ensures that it is not just an island in the environment.
Service architects use a convenient visual interface to design service blueprints that can span one or multiple VM templates, logical networks, load balancers, security policies, software components and scripts. Using this approach, they can model comprehensive IaaS and application services, which then can be exposed to end-users via the customizable self-service catalog as shown by the example in Figure 30. Provisioning and lifecycle management of these standardized services (e.g. scaling out of the application components, change requests, de-provisioning) can be fully automated, accelerating IT service delivery and eliminating error-prone operations, which translates into reduced operational costs and improved end-user experience.
With built-in orchestration and a rich choice of pre-defined plugins, automated workflows can be built to integrate the platform with the external environment, including backup, configuration management, CMDB, service desk systems, and other ITSM tools. By leveraging orchestrator workflows, it is possible to define and expose XaaS (anything-as-a-service) in the self-service catalog. All of these services can be consumed by end-users via a web-based portal, or by developers through the API or CLI.
vRealize Automation policies provide governance for the IT services being offered via the platform. The service catalog can be customized, making sure that the services are only exposed to appropriate users and groups. Reservation policies can be used to prioritize the assignment of infrastructure resources and stay below quotas and to alert administrators when approaching defined thresholds. Multiple levels of approval policies can be defined for request approval from both business (cost) and technical (configuration) perspectives, eliminating potential VM-sprawl enabled by the self-service automated consumption.
It’s worth noting that the orchestration capabilities provided by vRealize Automation are focused more on workloads and integration with the external environment, enabling end users to consume these as services and at scale.
Security is historically one of the top concerns of organizations adopting a cloud operating model. VMware SDDC provides a holistic approach to security, which exceeds the capabilities typically found in a traditional data center architecture, which very often depends on perimeter security alone. In a diverse traditional infrastructure environment, it is challenging to maintain consistent operations and compliance. vRealize Automation, used in conjunction with NSX, automates an application’s network connectivity, security, performance, and availability.
Network virtualization provided by NSX decouples the workloads from the underlying physical infrastructure by leveraging a network overlay technology and moves the intelligence of the network from hardware to software. A key innovation of NSX is the ability to provide network and security functions, such as switching, routing and firewalling in a distributed fashion across all hosts and within the kernel-level module of the hypervisor.
One of the great benefits provided by this approach is an enhanced distributed security model, where security policies are applied closer to the workload, using virtualization-aware, higher-level security constructs, and where security policies move with the workload. NSX helps to segment the environment, decreasing risk and the attack surface while increasing security.
NSX micro-segmentation is a specific security capability that decreases the level of risk and increases the security posture of a data center. It is achieved with distributed stateful firewalling, implemented at the kernel level of the hypervisor and distributed across all hosts in the environment. Security policies are applied at the vNIC level, independently from the underlying physical network topology, with per-workload granularity. A grouping construct called Security Group can be leveraged to dynamically identify workloads based on matching criteria, such as VM name, Security Tag, OS type, Active Directory group, etc. Especially helpful is that when workloads are moved between hosts, the security policies automatically move with the workloads. The IT administrator can define vRealize Automation application blueprints that specify NSX security policies that contain firewall rules, intrusion detection integration, and agentless anti-virus scanning at each application tier to allow application and per-tier security. Deploying network security at the application level or between application tiers, so that firewall rules are placed as close to the virtual machine as possible, provides a true defense-in-depth solution that was too expensive and difficult to implement on a traditional hardware-based infrastructure.
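The following is an added illustration, not NSX code or its API: a toy model of dynamic Security Groups and a distributed firewall evaluated per vNIC. Group names, tags, VM names, hosts and the three-tier rule set are all constructed, and the matching semantics ("every criterion that is set must hold", first matching rule wins, default deny) are assumptions of this model. It shows the two properties the paragraph describes: the verdict never depends on which host a VM runs on, and a VM that gains a matching tag picks up the group's rules without any rule edits.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    host: str
    tags: set = field(default_factory=set)

@dataclass
class SecurityGroup:
    name: str
    tag: str = None           # member if the VM carries this Security Tag
    name_prefix: str = None   # member if the VM name starts with this

    def matches(self, vm):    # every criterion that is set must hold (constructed semantics)
        return ((self.tag is None or self.tag in vm.tags)
                and (self.name_prefix is None or vm.name.startswith(self.name_prefix)))

@dataclass
class Rule:
    src: str      # Security Group name, or "any"
    dst: str
    port: int
    action: str   # "allow" or "deny"

def groups_of(vm, groups):
    return {g.name for g in groups if g.matches(vm)}

def verdict(src, dst, port, groups, rules):
    """First matching rule wins, default deny. Hosts are never consulted."""
    s, d = groups_of(src, groups), groups_of(dst, groups)
    for r in rules:
        if r.src in ("any", *s) and r.dst in ("any", *d) and r.port == port:
            return r.action
    return "deny"

# Constructed three-tier policy: only the app tier may reach the database port.
GROUPS = [SecurityGroup("web", tag="web"), SecurityGroup("app", tag="app"),
          SecurityGroup("db", name_prefix="db-")]
RULES = [Rule("any", "web", 443, "allow"), Rule("web", "app", 8080, "allow"),
         Rule("app", "db", 3306, "allow"), Rule("any", "db", 3306, "deny")]

def follows_workload():
    """Verdict for web-01 -> db-01:3306 before a vMotion, after it, and after a retag."""
    web, db = VM("web-01", "host-a", {"web"}), VM("db-01", "host-b")
    before = verdict(web, db, 3306, GROUPS, RULES)
    web.host = "host-b"                 # vMotion: no firewall change needed
    moved = verdict(web, db, 3306, GROUPS, RULES)
    web.tags.add("app")                 # retag: "app" rules apply automatically
    return before, moved, verdict(web, db, 3306, GROUPS, RULES)
```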
vRealize Automation provisions, updates and decommissions network and security services in lockstep with virtualized applications. Network and security services are deployed as part of the automated delivery of the application, consistent with its connectivity, security, and performance requirements.
NSX-T brings the advanced security features, including micro-segmentation, to cloud-native applications. It supplies Kubernetes clusters with advanced container networking and security features, such as micro-segmentation, load balancing, ingress control, and security policies. NSX furnishes the complete set of Layer 2 through Layer 7 networking services that are needed for pod-level networking in Kubernetes. You can quickly deploy networks with micro-segmentation and on-demand network virtualization for containers and pods.
VMware SDDC security is obviously not limited to NSX and micro-segmentation. Encryption protects the confidentiality of information by encoding it to make it unintelligible to unauthorized recipients. In VMware SDDC, data on the datastore can be encrypted using native vSAN encryption, individual VMs can be encrypted using vSphere Encryption, and VMs in motion can be encrypted using vMotion encryption. Additional levels of encryption may be configured based on the application requirements.
vSAN encryption is the easiest and most flexible way to encrypt data at rest because the entire vSAN datastore is encrypted with a single setting. This encryption is cluster-wide for all VMs using the datastore. Normally, encrypted data does not benefit from space-reduction techniques such as deduplication or compression. But with vSAN, encryption is performed after deduplication and compression, so it takes full advantage of these space reduction techniques.
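The ordering point above, as an added simulation (not vSAN code): blocks are deduplicated by content hash, and a toy stream cipher with a fresh random IV per block stands in for a real cipher. The key, block size and the "four VMs sharing eight OS-image blocks" workload are constructed. Encrypting before deduplication makes every copy of an identical block look different, so nothing deduplicates; deduplicating first and then encrypting the survivors keeps the space savings while still storing only ciphertext.

```python
import hashlib
import os

KEY = os.urandom(32)   # constructed data-encryption key for the simulation

def encrypt(key, block):
    """Toy stream cipher with a fresh random IV per block (stand-in for a real
    cipher). Two encryptions of the same plaintext never share ciphertext."""
    iv = os.urandom(16)
    stream = b""
    for ctr in range((len(block) + 31) // 32):
        stream += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
    return iv + bytes(p ^ k for p, k in zip(block, stream))

def dedup(blocks):
    """Content-addressed deduplication: keep one copy per distinct SHA-256."""
    unique = {}
    for b in blocks:
        unique.setdefault(hashlib.sha256(b).digest(), b)
    return list(unique.values())

def stored_bytes_encrypt_then_dedup(key, blocks):
    """Encrypt each block first, then dedup: every block looks unique."""
    return sum(len(b) for b in dedup([encrypt(key, b) for b in blocks]))

def stored_bytes_dedup_then_encrypt(key, blocks):
    """vSAN order: dedup plaintext blocks, then encrypt only the survivors."""
    return sum(len(encrypt(key, b)) for b in dedup(blocks))

def make_workload(num_vms=4, block_size=4096):
    """Constructed: num_vms VMs sharing 8 identical OS-image blocks, plus one
    unique data block each."""
    shared = [bytes([i]) * block_size for i in range(8)]
    blocks = []
    for _ in range(num_vms):
        blocks += shared + [os.urandom(block_size)]
    return blocks

def compare(num_vms=4, block_size=4096):
    """Return (bytes stored with encrypt-then-dedup, bytes stored with dedup-then-encrypt)."""
    blocks = make_workload(num_vms, block_size)
    return (stored_bytes_encrypt_then_dedup(KEY, blocks),
            stored_bytes_dedup_then_encrypt(KEY, blocks))
```

A deterministic cipher would let encrypted blocks deduplicate, but only by revealing which stored blocks are equal, which is why performing encryption after the space-reduction step is the safer way to keep both properties.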
VMware AppDefense is a data center endpoint security product that protects applications running in VMware SDDC. Unlike existing endpoint security solutions that chase threats, AppDefense focuses on monitoring applications against their intended state and responds automatically when they deviate from that intended state, indicating a threat. When a threat is detected, AppDefense can trigger vSphere and VMware NSX to orchestrate the correct response to the threat, without the need for manual intervention.
VMware SDDC can be deployed as a private cloud on premises or off-site using secure infrastructure-as-a-service (IaaS) operated by VMware or VMware certified partners.
Customers can build a true hybrid cloud by integrating their private cloud with VMware Cloud™ on AWS. With Hybrid Linked Mode, a VMware Cloud on AWS vCenter Server instance can be linked with an on-premises VMware vCenter® Single Sign-On domain. Once linked, the inventories of both vCenters can be viewed and managed from a single vSphere Client interface, and workloads can be easily migrated between them.
Multiple public cloud providers can be connected to vRealize Automation as endpoints. In this case, the automated service provisioning and basic lifecycle management operations can be extended to popular public cloud IaaS services using the same self-service portal, while maintaining the same governance principles as in the private cloud. This provides greater transparency, increases internal control and eliminates “shadow IT.” The organization’s IT department can become a service broker for their internal customers, enabling a multi-cloud experience. The VMware vRealize Business for Cloud component, integrated into the same self-service portal, can be used to provide cost transparency and showback.
Additionally, the inclusion of an optional VMware HCX® component can provide workload mobility between enterprise sites and VMware Cloud on AWS. It enables large-scale application mobility between sites with secure live migration, enabling customers to transform their applications and data centers more rapidly and securely.