Just Because You COULD, Doesn't Mean You SHOULD - vSphere 6.0 Architecture Considerations from Real World Experiences
Jonathan McDonald, VMware, Inc
INF4712 #INF4712
Apr 12, 2017
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
My Team and I…
• Jonathan McDonald
  – Technical Solutions Architect
  – Professional Services Engineering, Global Technology & Professional Services
• What does Professional Services Engineering do?
  – Develop, build and validate architecture designs with VMware products for Professional Services
  – Training VMware and partner field resources
  – Assistance with customer designs
Agenda
1 Compatibility and Maximums
2 vCenter Server for Windows vs. vCenter Server Appliance
3 Platform Services Controller
4 Enhanced Linked Mode
5 VMware Certificate Authority
6 Standard vs. Distributed Virtual Switches
7 Virtual SAN
8 Fault Tolerance SMP
9 Content Library
Just Because You COULD Doesn't Mean You SHOULD
Compatibility and Maximums

vCenter 6 Platform Choice

Metric / Feature          | vSphere 5.5 Windows     | vSphere 5.5 Appliance | vSphere 6.0 Windows | vSphere 6.0 Appliance
Hosts per vCenter Server  | 1,000                   | 100 or 1,000          | 1,000               | 1,000
Powered-on VMs            | 10,000                  | 10,000                | 10,000              | 10,000
Hosts per cluster         | 32                      | 32                    | 64                  | 64
Linked Mode               | Yes                     | No                    | Yes                 | Yes
  Replication technology  | Microsoft AD LDS / ADAM | -                     | In-house (from PSC) | In-house (from PSC)
Mixed platforms           | No                      | No                    | Yes                 | Yes
vCenter 6 Platform Choice (Continued)
• The question becomes which platform should you use?
  – More importantly, does it really matter?
• Remember the two platforms are functionally identical
• Make the decision based on your business needs
  – Will there be multiple sites being configured?
  – Is there prior experience with vCenter?
  – Is there Linux experience?
  – Is there Oracle or Postgres experience?
  – Are licensing costs a concern?
vCenter – New Deployment Architecture
• The Platform Services Controller includes:
  – vCenter Single Sign-On™
  – License service
  – Lookup service
  – Directory services (vmdir)
  – VMware Certificate Authority
• The vCenter installation includes:
  – vCenter Server
  – vSphere Web Client
  – Inventory Service
  – vSphere Auto Deploy™
  – vSphere ESXi Dump Collector
  – vSphere Syslog Collector (Windows) or vSphere Syslog Service (Appliance)
• The services are split between the Platform Services Controller and vCenter Server
[Diagram: Platform Services Controller on a PSC server host OS; vCenter Server on a separate vCenter Server host OS]
vCenter – New Deployment Architecture (Continued)
• #1 architectural decision which needs to be made prior to deploying vSphere 6.0
• Greatly simplified since vSphere 5.x, with only two deployment types: external PSC and embedded PSC
• Single or multiple node systems can be used
• Depending on size, the environment can become complex
[Diagram: External PSC (Platform Services Controller on its own host OS, vCenter Server on a separate host OS) vs. Embedded PSC (Platform Services Controller and vCenter Server on the same host OS)]
Enhanced Linked Mode
• Allows for a single pane of glass view of all vCenter Servers connected to a Single Sign-On domain
Enhanced Linked Mode (Continued)
• Platform Services Controllers replicate configuration information between nodes
  – Microsoft AD LDS / ADAM used previously
• Dramatically simplifies management of the environment

Feature                    | vSphere 5.5             | vSphere 6.0
vCenter Server for Windows | Yes                     | Yes
vCenter Server Appliance   | No                      | Yes
Single inventory view      | Yes                     | Yes
Single inventory search    | Yes                     | Yes
Replication technology     | Microsoft AD LDS / ADAM | In-house (from PSC)
Roles and permissions      | Yes                     | Yes
Licenses                   | Yes                     | Yes
Policies                   | No                      | Yes
Tags                       | No                      | Yes
Platform Services Controller Architecture – What Should I Do?
It depends of course! (Did you expect me to say anything else?)

Architecture #1 – Embedded Deployment Model
• Sufficient for environments with:
  – Only a single site
  – No expansion past a single vCenter required
• Easiest to deploy and maintain
• Multiple standalone instances supported
• Replication between embedded instances not recommended
[Diagram: vCenter Server and embedded PSC on a single vCenter Server host OS]
Architecture #2 – External Deployment Model
• Sufficient for environments with:
  – Only a single site
  – Up to 4 vCenter Servers
• Multiple Platform Services Controller nodes locally
• vCenter interacts with the Platform Services Controller through a compatible load balancer
• Platform Services Controllers replicate state information between them and provide a single pane of glass view of the environment
• (Optional) vCenter instances can be clustered with Windows Server Failover Clusters (WSFC)
[Diagram: two external PSCs (each on its own host OS) replicating between themselves and fronted by a load balancer; two vCenter Servers (each on its own host OS) connect through the load balancer]
Architecture #3 – External Deployment Model, Multiple Sites
[Diagram: three sites, Site #1: New York, Site #2: San Francisco and Site #3: Toronto, each with an external PSC on its own host OS and one or more vCenter Servers on their own host OS; the PSCs share a common SSO domain and replicate with each other]
• Provides Enhanced Linked Mode
  – Facilitated via Platform Services Controller
  – Maintains single pane of glass management
  – Replicates licenses, permissions, tags and roles
• By default
  – Each site is independent
  – PSC replication automated
  – Site awareness
  – No HA shown
Architecture #4: Platform Services Controller – Max Size
• Implementing the maximum supported size configuration is...complex.
[Diagram: three sites in a common SSO domain; each site has two external PSCs behind a load balancer, with four, four and two vCenter Servers respectively (10 vCenter Servers, 6 PSCs and 3 load balancers in total)]
What Should You Use?
• Build based on business requirements, thinking of the future
• If there is only a single small site or if there is no desire for Enhanced Linked Mode:
  – Use embedded nodes
  – Allows for simplicity in the environment
  – Reduces the administrative overhead of configuring the environment
  – High Availability (HA) is provided by VMware HA
• If there are multiple sites and/or vCenter and Enhanced Linked Mode will be used:
  – Use an external Platform Services Controller configuration
  – The number of controllers and load balancers depends on the size of the environment:
  – HA is provided by having multiple PSCs and load balancers, as well as VMware HA

# VMware solutions | Without HA: # PSC | With HA: # PSC | With HA: # load balancers
2 – 4              | 1                 | 2              | 1
5 – 8              | 2                 | 4              | 2
9 – 10             | 3                 | 6              | 3
Is There Anything to Be Aware Of?
• Once a deployment mode is chosen it cannot be changed without a full reinstallation (currently)
• It is not recommended to use embedded Platform Services Controllers if planning to use Enhanced Linked Mode
  – It can however be configured in the installer
• If upgrading from vSphere 5.1 or 5.5 to vSphere 6.0 GA:
  – Ensure that the 5.x installation is configured as you want the end outcome after upgrade
  – Cannot change deployment mode during upgrade (embedded to external)
VMware Certificate Authority
• My FAVOURITE feature of this release!
• Secure communication is a top priority in the industry
• VMware uses SSL certificates to secure communication between components
• With vSphere, there are many components that require a certificate
  – Increased complexity to secure
  – There are more than 20 different services in vCenter 6!
• VMware Certificate Authority aims to remove much of this complexity
  – Fully functional Certificate Authority for VMware components
    • vCenter Server components
    • ESXi hosts
  – Not a general purpose CA for the environment
  – Can be a root CA which manages its own certs, or it can manage certs from an external CA

Prior to VMware Certificate Authority (vSphere 5.1–5.5)
[Diagram: Single Sign-On, Inventory, vCenter, vRealize Orchestrator, Web Client, Update Manager and Log Browser each hold their own SSL certificate, with 18 numbered trust relationships between them; replacing an SSL certificate requires updating the trust on each peer (may require the SSO master password). Legend: Update Trust, Replace SSL certificate, Trust Relationship, Old Certificate, New Certificate]
VMware Certificate Authority (vSphere 6.0)
• vCenter architecture has changed substantially between 5.x and 6.0
  – Consolidation of solution users has occurred
  – Fewer solution users and therefore fewer certificates
  – No longer uses self-signed certificates
  – No longer need to replace certificates to be signed and secure
• Manage certificates in a wallet
  – Uses VMware Endpoint Certificate Store (VECS) to store certs
  – Certificates are no longer stored on disk in various locations
  – Are centrally managed in VECS
VMware Certificate Authority (vSphere 6.0)
• Built into the Platform Services Controller
  – Issues CA-signed certificates to all solutions and ESXi hosts
• Operates in one of three modes:
  – VMware Certificate Authority self-signed root certificate (default)
  – VMware Certificate Authority enterprise certificate
  – Custom
• Can be updated from the GUI for ESXi hosts, or from the command line
VMware Certificate Authority – Should I Use It?
• Yes.
• Recommended configuration varies
• For most environments, using the default configuration is recommended
  – All that is required is to download and install the VMware Certificate Authority root certificate to clients
• For environments that are secure or have compliance requirements, use the enterprise CA mode
  – More difficult
  – Subordinate CA certificate required
  – Replacement of all other certificates then must be performed (root certificate, solution user, ESXi host)
  – Requires restarts of services or servers
• There are very few scenarios where manual configuration is recommended
• See KB: Replacing default certificates with CA signed SSL certificates in vSphere 6.0 (2111219)
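The two trust models on this slide, as an added shell example written for this page (it is not the presenter's code and not a VMware tool): openssl builds a root CA, a subordinate issuing CA in the role the VMware Certificate Authority plays in enterprise mode, and a server certificate issued by that subordinate. The CA names, the file names and the hostname vcenter.example.test are constructed for the demo. The two verify functions show why the guidance is to install the root certificate on clients: a client that holds only the issuing CA cannot complete the chain.

```shell
#!/bin/sh
# Added example (not from the presentation): models the default-mode and
# enterprise-mode trust chains with openssl. All names below are constructed.
set -e

# build_chain DIR: create a root CA, a subordinate (issuing) CA signed by it,
# and a server certificate signed by the subordinate, all under DIR.
build_chain() {
  dir=$1

  # Root CA: self-signed, with CA:TRUE stated explicitly so the result does not
  # depend on the openssl.cnf defaults of a particular OpenSSL version.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.csr" -subj "/CN=Demo Enterprise Root CA" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -days 3650 -out "$dir/root.pem" 2>/dev/null

  # Subordinate (issuing) CA: the role VMCA takes in enterprise mode. pathlen:0
  # means it may issue end-entity certificates but not further CAs.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/sub.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/sub.key" \
    -out "$dir/sub.csr" -subj "/CN=Demo VMCA Subordinate CA" 2>/dev/null
  openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/sub.ext" -days 1825 -out "$dir/sub.pem" 2>/dev/null

  # Leaf: the kind of certificate the issuing CA hands to a solution or host.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vcenter.example.test\n' > "$dir/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
    -out "$dir/leaf.csr" -subj "/CN=vcenter.example.test" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/sub.pem" -CAkey "$dir/sub.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -days 730 -out "$dir/leaf.pem" 2>/dev/null
}

# verify_with_root DIR: what a client that installed the root certificate sees.
# The subordinate is passed as an untrusted intermediate, as a server would
# send it in the TLS handshake. Exit status 0 means the chain is valid.
verify_with_root() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/leaf.pem"
}

# verify_without_root DIR: a client that trusts only the issuing CA. Chain
# building cannot reach a self-signed root, so openssl rejects the leaf.
verify_without_root() {
  openssl verify -CAfile "$1/sub.pem" "$1/leaf.pem"
}

# issuer_of FILE: print the issuer DN, which is the quick way to audit which CA
# actually signed the certificate an endpoint presents.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

WORK=$(mktemp -d)
build_chain "$WORK"
issuer_of "$WORK/leaf.pem"
verify_with_root "$WORK"
if verify_without_root "$WORK" 2>/dev/null; then
  echo "unexpected: leaf verified without the root" >&2
  exit 1
fi
echo "client must trust the root, not just the issuing CA"
rm -rf "$WORK"
```

Nothing here contacts a vCenter; it runs wherever openssl is installed. The same openssl verify invocation can be reused when checking a real deployment, with the root certificate downloaded from the Platform Services Controller as the CAfile and the certificate presented by a vCenter or ESXi endpoint as the leaf.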
Standard vs. Distributed Switches
• One of the biggest questions in most design sessions
• My recommendation?
  – Always use Distributed Virtual Switches if the licensing is available
    • Included with Virtual SAN!
  – Gives features such as Network I/O Control (NIOC) and both ingress and egress bandwidth control
    • Allows for greater control of network traffic
• Many old arguments against using it are now illogical
  – Recovery capability built into the GUI
  – Backup and restore of switch configurations available
  – NIOC in vSphere 6 allows for per-VM bandwidth reservations
• Look into using VMware NSX for even more control
  – Micro-segmentation of traffic
Virtual SAN and Virtual Volumes
[Diagram: VMware Software-Defined Storage. Control plane: Storage Policy-Based Management across vSphere. Data plane: Virtual SAN (hypervisor-converged SDS stack) and vSphere Virtual Volumes on VVOL-enabled SAN/NAS arrays (external storage, app-centric automation)]

Virtual SAN 6.0 (NEW) – Radically simple hypervisor-converged storage for VMs
• All-Flash architecture
• 2x greater scalability
• 4x greater performance with All-Flash; 2x performance with Hybrid
• Virtual SAN snapshots and clones

vSphere Virtual Volumes (NEW) – Management and integration framework for external storage
• Virtualizes SAN/NAS devices
• Uses native array capabilities
• VM-level operations
• Included with vSphere
Virtual SAN 6.0
• So should you or should you not use Virtual SAN / Virtual Volumes 6.0?
• It depends. (Am I starting to sound like a broken record? Do records even still exist?)
• There are benefits:
  – High performance can be achieved with proper hardware
  – Radically simple to administer
  – No external storage is required for VSAN
  – New health reporting plug-in provides detail for the environment
  – On-demand policy and policy changes for performance and high availability of virtual machine disks
  – Business critical applications now supported in Virtual SAN 6.0
• There are drawbacks:
  – Not all vSphere-supported hardware is supported with Virtual SAN
  – Additional hardware required beyond simple servers (HDD/SSD/10 Gb networking/HBAs)
  – Learning curve for operational procedures and recovery
• Many designs include it as a part of greenfield deployments
Virtual Volumes
• So should you or should you not use Virtual Volumes?
• If you have an array that supports it.
• There are benefits:
  – Software-defined constructs change the way that storage is administered
  – On-demand policy and policy changes revolutionize management of storage
• There are drawbacks:
  – Very limited hardware support for Virtual Volumes currently
  – Storage array required that supports Virtual Volumes
  – Learning curve for operational procedures and recovery
SMP Fault Tolerance
• Long awaited, Fault Tolerance now supports up to 4 vCPUs in vSphere 6.0
• Completely rewritten architecture in vSphere 6.0
  – Works similar to how VMware vMotion works…it just doesn't stop until there is a failure

SMP Fault Tolerance (Continued)
• Should you use it?
• If you have a need for continuous availability and instantaneous failover, use it
  – An easy solution to business continuity without need for development!
• A significant hardware investment may be required
  – 10 Gb networking a requirement
  – If there is significant load in the VM, performance can be degraded
  – By default, the maximum number of FT VMs per host is 4 and the maximum number of vCPUs is 8, including secondary VMs
• Depending on the number of FT vCPUs desired, upgraded licenses may be required
Content Library
• New to vSphere 6!
• Little known new feature
• Allows for storage and sharing of:
  – Templates
  – Appliances
  – ISOs
  – Scripts
  – etc.
• Allows for a subscription and download repository between nodes for these items

Content Library (Continued)
• Should you use it?
• Definitely!
• It is not until I bring it up that in many cases this is even thought of
  – Simplifies the management of media/templates/etc. in everything from small to large environments
• Where the library is stored is the only thing you have to plan!
  – Recommend putting it local to the sites on reliable storage

Questions?