For vSphere-based environments, vShield solutions provide capabilities to secure the edge of the vDC, protect virtual applications from network-based threats, and streamline antivirus protection for VMware View deployments by offloading AV processing to dedicated security VMs. These new product offerings can start securing infrastructure almost immediately, since all the underlying compute resources are already present in the vSphere environment.
These same solutions in the traditional security model would have taken months to authorize and provision in the physical data center. vShield Edge provides network-edge security and gateway services to isolate the virtual machines in a port group. Common deployments of vShield Edge include protecting access to a company’s Extranet. vShield Edge can also be used in a multi-tenant cloud environment where the vShield Edge provides perimeter security for each tenant’s virtual datacenters (or VDC).
vShield Edge secures the edge of a virtual datacenter with firewalling, VPN, NAT, DHCP, and Web load-balancing capabilities that enable rapid, secure scaling of cloud infrastructures. Along with network isolation, these edge services create logical security perimeters around virtual datacenters and enable secure multi-tenancy. New features in vShield Edge include the ability to set up static routing, instead of requiring NAT for connections to the outside, as well as certificate-based VPN.
vShield App helps you overcome the challenges of securing the interior of your virtual datacenter. vShield App is software-based and is deployed as a virtual appliance. As a result, vShield App is better suited than physical appliances to securing the virtual datacenter, because it costs far less than buying a number of physical firewalls and segmenting them into separate security zones. Also, with vShield App, you can create virtual firewalls with unlimited port density. vShield App provides complete visibility and control of inter-virtual machine traffic in logical security zones that you create, using hypervisor-level introspection into the inter-VM traffic. vShield App enables multiple trust zones in the same ESX/ESXi cluster. vShield App also allows you to create intuitive, business-language policies, using the vCenter Server inventory for convenience.
Thursday, July 21. 2011
What's New in VMware vShield 5
Wednesday, July 20. 2011
vSphere 5 Video - EFI the Extensible Firmware Interface
UEFI virtual BIOS. Virtual machines running on ESXi 5.0 can boot from and use the Unified Extensible Firmware Interface (UEFI). When you create a new virtual machine on an ESXi 5.0 host you can choose virtual machine hardware version 8. This new version brings a lot of extra (scalability) features, but there’s one other interesting new feature: the Extensible Firmware Interface can be selected to replace the BIOS of a virtual machine. EFI is the successor of the traditional BIOS, which has been in use since the introduction of the IBM PC back in 1981. If you want to host Apple Mac OS X 10.6 in a virtual machine, you need EFI. In this video I’ll show you how to get access to the EFI interface. I’ll also show you how you can get access to the pre-OS command line environment.
When you select a guest operating system, BIOS or Extensible Firmware Interface (EFI) is selected by default, depending on which firmware the operating system uses. Mac OS X Server guest operating systems support only EFI. If the operating system supports both BIOS and EFI, you can change the default before you install the guest operating system. Use the Virtual Machine Properties dialog box at the end of the creation process or after the virtual machine is created. The Firmware selection pane is on the Options tab under Advanced > Boot Options.
vSphere 5.0 also supports booting ESXi hosts from the Unified Extensible Firmware Interface (UEFI). With UEFI you can boot systems from hard drives, CD-ROM drives, or USB media. Booting over the network requires the legacy BIOS firmware and is not available with UEFI.
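The firmware choice described above can be audited and set from PowerCLI as well as from the Virtual Machine Properties dialog. The following script is an added example and is not part of the original post; it assumes an existing PowerCLI session to vCenter, and the server name and VM name are placeholders. It lists every VM's firmware and virtual hardware version (EFI needs version 8, `vmx-08`, on ESXi 5.0) and provides a helper that switches a powered-off VM to EFI, refusing to touch a running one because changing firmware after the guest is installed leaves the existing OS unbootable.

```powershell
# Added example, not from the original post. Assumes PowerCLI is loaded;
# 'vcenter.example.local' and 'new-vm-placeholder' are placeholders.
Connect-VIServer -Server vcenter.example.local

# Inventory: which VMs already boot via EFI, and which are on hardware
# version 8 (vmx-08) and therefore eligible to switch.
Get-VM | Select-Object Name,
    @{N='HWVersion'; E={ $_.ExtensionData.Config.Version }},
    @{N='Firmware';  E={ $_.ExtensionData.Config.Firmware }},
    @{N='PowerState'; E={ $_.PowerState }} |
  Sort-Object Firmware, Name | Format-Table -AutoSize

# Set the same value the Firmware pane under Options > Advanced > Boot Options
# exposes. VirtualMachineConfigSpec.Firmware accepts 'bios' or 'efi'.
function Set-VmFirmwareEfi {
    param([Parameter(Mandatory)][string]$Name)
    $vm = Get-VM -Name $Name
    if ($vm.PowerState -ne 'PoweredOff') {
        throw "$Name must be powered off before its firmware type is changed"
    }
    if ($vm.ExtensionData.Config.Firmware -eq 'efi') {
        Write-Host "$Name already uses EFI"
        return
    }
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.Firmware = 'efi'
    $vm.ExtensionData.ReconfigVM($spec)
    Write-Host "$Name switched to EFI; install the guest OS before powering on again"
}

Set-VmFirmwareEfi -Name 'new-vm-placeholder'
```

The same setting is stored in the VM's `.vmx` file as `firmware = "efi"`; keep the audit in place after migrations, since a VM rebuilt from a template with BIOS firmware will silently fall back to the legacy boot path.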
Tuesday, July 19. 2011
vSphere 5 What's New - Profile Driven Storage
With the Storage Awareness APIs (VASA), storage vendors can provide vSphere with information about the storage environment, enabling tighter integration between storage and the virtual infrastructure. This includes storage health status, configuration, capacity and thin-provisioning information. For the first time we have an end-to-end story: the storage array informs the VASA storage provider of its capabilities, the storage provider informs vCenter, and users can then see storage array capabilities from the vSphere Client. Through the new VM Storage Profiles (Profile-Driven Storage), these storage capabilities can be displayed in vCenter to assist administrators in choosing the right storage in terms of space, performance and SLA requirements. This information enables the administrator to take the appropriate actions based on health and usage information.
Currently we identify the requirements of the virtual machine, try to find the optimal datastore based on those requirements, and create the virtual machine or disk. In some cases customers even periodically check whether VMs are still compliant, but in many cases this is neglected. Storage DRS only solves that problem partly: we still need to manually identify the correct datastore cluster, and even when grouping datastores into a datastore cluster, we need to manually verify that all LUNs are “alike”. When using Profile-Driven Storage and Storage DRS together, these problems are solved. A datastore cluster can be created based on the characteristics provided through VASA or through custom tags, and when deploying virtual machines a storage profile can be selected, ensuring that the virtual machine will be placed on compliant storage.
Sunday, July 17. 2011
vSphere 5 What's New - High Availability (HA)
VMware HA clusters enable a collection of ESXi hosts to work together so that, as a group, they provide higher levels of availability for virtual machines than each ESXi host could provide individually. When you plan the creation and usage of a new VMware HA cluster, the options you select affect the way that cluster responds to failures of hosts or virtual machines.
Before creating a VMware HA cluster, you should be aware of how VMware HA identifies host failures and isolation and responds to these situations. You also should know how admission control works so that you can choose the policy that best fits your failover needs. After a cluster has been established, you can customize its behavior with advanced attributes and optimize its performance by following recommended best practices.
When you create a VMware HA cluster, a single host is chosen as the master host to communicate with vCenter Server and to monitor the state of the other, slave, hosts and their virtual machines. Different types of host failures are possible and must be detected and appropriately dealt with. To do this, the master host must distinguish between a failed host and one that is in a network partition. Datastore heartbeating is used to do this.
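The master/slave roles and the datastore heartbeating described above can be inspected and tuned from PowerCLI. The script below is an added example, not part of the original post; it assumes a PowerCLI session to a vCenter running the vSphere 5.0 API (the per-host `Runtime.DasHostState` property is new in that release), and the server and cluster names are placeholders. It reports each host's HA state so you can see which host was elected master and whether any slave is partitioned or isolated, and it sets `das.heartbeatDsPerHost` (default 2, maximum 5) so that a host still has a datastore heartbeat path even if one shared datastore is unreachable.

```powershell
# Added example, not from the original post. Assumes PowerCLI is loaded;
# 'vcenter.example.local' and 'prod-cluster-placeholder' are placeholders.
Connect-VIServer -Server vcenter.example.local
$cluster = Get-Cluster -Name 'prod-cluster-placeholder'

# Each host reports its HA (FDM) availability state. 'master' is the elected
# master host and 'connectedToMaster' a healthy slave; the two conditions the
# master separates by datastore heartbeating show up as
# 'networkPartitionedFromMaster' and 'networkIsolated'.
function Get-HaHostState {
    param($Cluster)
    Get-VMHost -Location $Cluster | Select-Object Name,
        @{N='HAState'; E={ $_.ExtensionData.Runtime.DasHostState.State }},
        @{N='ConnectionState'; E={ $_.ConnectionState }}
}

Get-HaHostState -Cluster $cluster | Format-Table -AutoSize

# Show every HA advanced option currently set on the cluster, including any
# das.heartbeatDsPerHost override.
Get-AdvancedSetting -Entity $cluster -Name 'das.*' | Select-Object Name, Value

# Raise the number of heartbeat datastores per host. Values outside 2..5 are
# rejected here rather than passed through to HA.
function Set-HaHeartbeatDatastores {
    param($Cluster, [int]$Count = 3)
    if ($Count -lt 2 -or $Count -gt 5) {
        throw 'das.heartbeatDsPerHost accepts values from 2 to 5'
    }
    New-AdvancedSetting -Entity $Cluster -Type ClusterHA `
        -Name 'das.heartbeatDsPerHost' -Value $Count -Confirm:$false -Force
}

Set-HaHeartbeatDatastores -Cluster $cluster -Count 3
```

Run the state report after any change to cluster networking: a host that stays in `networkIsolated` or `networkPartitionedFromMaster` while its datastore heartbeats continue is exactly the case where HA will not restart its virtual machines elsewhere, and the isolation response configured on the cluster decides what happens to them.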