The VMware vision of the modern data center starts with a foundation of software-defined infrastructure and is based on the value customers realize from a standardized architecture. VMware SDDC provides a fully integrated hardware and software stack that is simple for customers to manage, monitor, and operate. The VMware approach to the SDDC delivers a unified platform that supports any application and provides flexible control. The VMware architecture for the SDDC empowers companies to run private and hybrid clouds and to leverage unique capabilities to deliver key outcomes that enable efficiency, agility, and security.
The fully virtualized data center is automated and managed by intelligent, policy-based data center management software, which simplifies governance and operations. A unified management platform enables centralized monitoring and administration of all applications across physical geographies, heterogeneous infrastructure, and hybrid clouds. Workloads can be deployed and managed in physical, virtual, and cloud environments with a unified management experience.
The VMware SDDC is based on well-established products from VMware: vSphere, vSAN, and NSX provide compute, storage, and networking virtualization to the SDDC. The Aria Suite (formerly vRealize Suite) adds management, self-service, automation, intelligent operations, and financial transparency to the system. This forms a solid foundation to host both traditional and cloud-native application workloads.
Organizations that are running traditional hardware data center architectures are forced to rely on manual processes, scripting, and complicated communication between teams to get new applications to market. They experience lengthy and costly challenges provisioning networks, and troubleshooting manual process configuration errors. By transforming to an SDDC, organizations can automate and manage IT processes in software. A fully automated environment can dramatically reduce the production-ready infrastructure and application component provisioning time from days or weeks down to a matter of minutes.
As part of the VMware SDDC cloud management platform, VMware Aria Automation (formerly vRealize Automation) can solve the challenges observed in traditional data center architectures with comprehensive and extensible automation capabilities, providing a self-service cloud experience. The ability to integrate into existing processes maximizes the SDDC platform return on investment (ROI) and ensures that it is not just an island in the environment.
Service architects use a convenient visual interface to design service blueprints that can span one or multiple VM templates, logical networks, load balancers, security policies, software components, and scripts. Using this approach, they can model comprehensive IaaS and application services, which can be exposed to end users through the customizable self-service catalog, as shown by the example in Figure 33. Provisioning and life cycle management (LCM) of these standardized services (scaling out of the application components, change requests, de-provisioning) can be fully automated. This automation accelerates IT service delivery and eliminates error-prone manual operations, resulting in reduced operational costs and an improved end-user experience.
Figure 33. Sample self-service catalog configured within vRealize Automation
With integrated orchestration and several choices for predefined plug-ins, automated workflows can be built to integrate the platform with the external environment, including backup, configuration management, CMDB, service desk systems, and other ITSM tools. By leveraging orchestrator workflows, it is possible to define and expose XaaS (anything-as-a-service) in the self-service catalog. All these services can be consumed by end users through a web-based portal or by developers through the API or CLI.
vRealize Automation policies provide governance for the IT services offered through the platform. The service catalog can be customized so that services are exposed only to the appropriate users and groups. Reservation policies can be used to prioritize the assignment of infrastructure resources, keep consumption below quotas, and alert administrators when defined thresholds are approached. Multiple levels of approval policies can be defined so that requests are approved from both a business (cost) and a technical (configuration) perspective, eliminating the VM sprawl that unchecked self-service consumption would otherwise enable.
Note: The orchestration capabilities provided by vRealize Automation are focused more on workloads and integration with the external environment, enabling end users to consume these as services and at scale.
Security tends to be a top concern for organizations adopting a cloud operating model. VMware SDDC provides a holistic approach to security that exceeds the capabilities typically found in a traditional data center architecture, which often depends on perimeter security alone. In a diverse traditional infrastructure environment, it is challenging to maintain consistent operations and compliance. vRealize Automation, used with NSX, automates an application’s network connectivity, security, performance, and availability.
Network virtualization provided by NSX decouples the workloads from the underlying physical infrastructure by leveraging a network overlay technology and moves the intelligence of the network from hardware to software. A key innovation of NSX is the ability to provide network and security functions, such as switching, routing, and firewalling, in a distributed fashion across all hosts and within the kernel-level module of the hypervisor.
A major benefit of this approach is an enhanced distributed security model, where security policies are applied closer to the workload, using virtualization-aware, higher-level security constructs, and where security policies move with the workload. NSX helps to segment the environment, decreasing risk and the attack surface while improving the overall security posture.
NSX microsegmentation is a specific security function that decreases the level of risk and increases the security posture of a data center. It is achieved with distributed stateful firewalling that is implemented at the kernel level of the hypervisor and distributed across all hosts in the environment. Security policies are applied at the vNIC level, independently of the underlying physical network topology, with per-workload granularity. A grouping construct called a Security Group can be leveraged to dynamically identify workloads based on matching criteria, such as VM name, Security Tag, operating system type, Active Directory group, and more. Because membership is resolved from workload attributes rather than from network location, the security policies automatically move with the workloads when they are moved between hosts. The IT administrator can define vRealize Automation application blueprints that specify NSX security policies containing firewall rules, intrusion detection integration, and agentless anti-virus scanning at each application tier, providing security per application and per tier. Deploying network security at the application level or between application tiers, so that firewall rules are placed as close to the virtual machine as possible, provides a true defense-in-depth solution. Such a solution was too expensive and difficult to implement on a traditional hardware-based infrastructure.
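As an added illustration (this is not NSX code), a small Python model of the policy behaviour described above: Security Group membership is resolved from VM attributes every time a new connection is evaluated at the destination vNIC, so moving a VM to another host changes nothing, while retagging it changes which rules apply. The group criteria, tags, VM names and rules are constructed for the example, and connection-state tracking is left out.

```python
"""Toy model of vNIC-level firewall policy with dynamic Security Groups.

Added example, not NSX code. Membership is re-resolved from VM attributes
on every evaluation, which is why policy follows the workload across hosts.
All groups, tags, hosts and rules below are constructed.
"""
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    host: str                      # hypervisor currently running the VM; not a policy input
    tags: set = field(default_factory=set)
    os: str = "linux"

# Security Group criteria: a predicate over VM attributes per group (constructed).
GROUPS = {
    "web": lambda vm: "tier=web" in vm.tags,
    "db":  lambda vm: "tier=db" in vm.tags,
    "win": lambda vm: vm.os == "windows",
}

# Distributed firewall rules in evaluation order: (src_group, dst_group, port, action).
# "any" matches every VM; port None matches every port. The last rule is default deny.
RULES = [
    ("any", "web", 443, "allow"),
    ("web", "db", 5432, "allow"),
    ("any", "any", None, "deny"),
]

def groups_of(vm):
    """Resolve the Security Groups a VM currently belongs to."""
    return {name for name, pred in GROUPS.items() if pred(vm)}

def evaluate(src, dst, port):
    """Action for a new connection src -> dst:port, enforced at dst's vNIC."""
    sg, dg = groups_of(src), groups_of(dst)
    for rule_src, rule_dst, rule_port, action in RULES:
        if (rule_src == "any" or rule_src in sg) and \
           (rule_dst == "any" or rule_dst in dg) and \
           (rule_port is None or rule_port == port):
            return action
    return "deny"                  # unreachable with the trailing deny rule, kept as a safety net

if __name__ == "__main__":
    web = VM("web01", "esx-a", {"tier=web"})
    db = VM("db01", "esx-b", {"tier=db"})
    print(evaluate(web, db, 5432))   # allow: web tier may reach the database
    web.host = "esx-c"               # vMotion: host changes, policy result does not
    print(evaluate(web, db, 5432))   # allow
    web.tags = {"tier=app"}          # retag: leaves the web group, loses its rule
    print(evaluate(web, db, 5432))   # deny
```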
vRealize Automation provisions, updates, and decommissions network and security services in lockstep with virtualized applications. Network and security services are deployed as part of the automated delivery of the application, consistent with its connectivity, security, and performance requirements.
NSX provides advanced security features, including microsegmentation, to cloud native applications. It supplies Kubernetes clusters with advanced container networking and security features, such as microsegmentation, load balancing, ingress control, and security policies. NSX furnishes the complete set of Layer 2 through Layer 7 networking services that are needed for pod-level networking in Kubernetes. Customers can quickly deploy networks with microsegmentation and on-demand network virtualization for containers and pods.
VMware SDDC security is not limited to NSX and microsegmentation. Encryption protects the confidentiality of information by encoding it to make it unintelligible to unauthorized recipients. In VMware SDDC, data on the datastore can be encrypted using native vSAN encryption, individual VMs can be encrypted using vSphere Encryption, and VMs in motion can be encrypted using vMotion encryption. Additional levels of encryption may be configured based on the application requirements.
vSAN encryption is the easiest and most flexible way to encrypt data at rest, because the entire vSAN datastore is encrypted with a single setting. This encryption is cluster-wide for all VMs using the datastore. Data that is encrypted before it is deduplicated or compressed does not benefit from those space-reduction techniques, because every copy becomes unique and incompressible. With vSAN, encryption is performed after deduplication and compression, so the datastore retains the full benefit of both.
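The ordering point above, shown as an added Python example that is not vSAN's own code: the same eight-block workload is stored once with encryption applied before dedup and compression, and once in the vSAN order. A toy keyed stream cipher (HMAC-SHA256 in counter mode with a random per-write nonce) stands in for the real cipher, content-hash dedup and zlib stand in for vSAN's space-reduction features, and the key and sample data are constructed.

```python
"""Why the order of encryption versus dedup/compression matters.

Added example, not vSAN code. The cipher, dedup and compression are toy
stand-ins; the key and the workload are constructed for this illustration.
"""
import hashlib
import hmac
import os
import zlib

KEY = b"\x01" * 32      # constructed demo key
BLOCK = 4096
NONCE_LEN = 12

def keystream(nonce, length):
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(KEY, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(data):
    # A fresh nonce per write means two identical plaintexts never share ciphertext.
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(nonce, len(data))))

def decrypt(blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(nonce, len(body))))

def stored_bytes(blocks, encrypt_first):
    """Bytes that reach disk for `blocks` under either pipeline order."""
    stage = [encrypt(b) for b in blocks] if encrypt_first else list(blocks)
    unique = {hashlib.sha256(b).digest(): b for b in stage}.values()   # dedup
    compressed = [zlib.compress(b) for b in unique]                      # compress
    if encrypt_first:
        return sum(len(c) for c in compressed)        # already encrypted upstream
    return sum(len(encrypt(c)) for c in compressed)   # vSAN order: encrypt last

# Constructed workload: eight copies of one highly compressible 4 KiB block.
RECORD = (b"ACCOUNT RECORD 0001 balance=100.00 " * 200)[:BLOCK]
SAMPLE = [RECORD] * 8

if __name__ == "__main__":
    print("raw bytes:     ", len(SAMPLE) * BLOCK)
    print("encrypt first: ", stored_bytes(SAMPLE, True))    # no dedup hit, no compression gain
    print("vSAN order:    ", stored_bytes(SAMPLE, False))   # one small encrypted block
```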
VMware SDDC can be deployed as a private cloud on premises or offsite using secure infrastructure-as-a-service (IaaS) operated by VMware or VMware certified partners.
Customers can build a true hybrid cloud by integrating their private cloud with VMware Cloud on AWS. Using Hybrid Linked Mode, a VMware Cloud on AWS vCenter Server instance can be linked with an on-premises VMware vCenter Single Sign-On domain. Once linked, the inventories of both vCenter instances can be viewed and managed from a single vSphere Client interface, and workloads can be easily migrated between them.
Multiple public cloud providers can be connected to vRealize Automation as endpoints. In this case, the automated service provisioning and basic life cycle management operations can be extended to popular public cloud IaaS services through the same self-service portal, while maintaining the same governance principles as in the private cloud. This provides greater transparency, increases internal control, and eliminates “shadow IT.” The organization’s IT department can become a service broker for its internal customers, enabling a multicloud experience. The VMware vRealize Business for Cloud component, integrated into the same self-service portal, can be used to provide cost transparency and showback.
Additionally, the inclusion of an optional VMware HCX component can provide workload mobility between enterprise sites and VMware Cloud on AWS. It enables large-scale application mobility between sites with secure live migration enabling customers to transform their applications and data centers more rapidly and securely.
To learn more about VMware HCX, see the product website.