VCloud Tools: IT Grad Experience

The essence of cloud services is that the user is given a choice of server capacities, such as processor, memory, amount of disk space, type of network adapter, and others. Cloud computing itself can be divided into three levels, namely:

• Infrastructure as a Service (IaaS);
• Platform as a Service (PaaS);
• Software as a Service (SaaS).

The vCloud family is responsible for providing Infrastructure as a Service (IaaS) . The two main components of vCloud are VMware vSphere and vCloud Director. VMware vSphere is the virtualization platform on which cloud infrastructure services are deployed, and vCloud Director is the cloud infrastructure management center through which the administrator manages these services.

Using VMware vCloud Director, you can create and manage virtual machines, migrate them from another cloud, flexibly manage access rights to the pool of virtual resources, create VPN connections, configure load balancing between virtual machines, and much more.

However, often the customer company, transferring its IT infrastructure to the cloud, receives a number of tools to the existing functionality, the existence and functionality of which are not always known. An example would be VMware vShield Edge, which is part of VMware vCloud Director.

To begin with, it is worth noting that VMware vShield Edge is an integral part of any cloud infrastructure built on VMware vCloud. As a security product, vShield Edge acts as a network gateway. Depending on the policies that are configured, vShield Edge can enable or disable certain connections, control VPN sessions, perform network address translation, inspect data by source or destination port, and perform load balancing.

In other words, VMware vShield Edge allows you to configure services such as Stateful Firewall, VPN, DHCP, NAT, Web Load Balancing, etc. For example, here is one of the real situations: you need to combine several remote sites into a single routed network. To do this, you need to configure a VPN tunnel, and VMware vShield Edge will help in this.

The scenario is as follows: a client company needs access to virtual machines in the IT-GRAD cloud through a Site-to-Site VPN. Each site has a VMware EDGE server with direct Internet access.



Site A - client company: uses the subnet 10.64.20.0/24.
Site B - IT-GRAD company site: subnet 172.16.16.0/24.

To raise the tunnel, we’ll use the vCloud Director web console, available when IaaS provider is connected to the cloud. In the settings, activate the VPN, set the name of the tunnel and its description. Then we indicate the option of connecting to the network (in our case, the remote one), specify the subnets to which you want to organize the tunnel, and write the IP addresses of the EDGE interfaces.

An important point when setting up Site-to-Site VPN is the choice of encryption protocol. Recall that to ensure secure communication in private virtual networks, the IPSec protocol suite is used.

IPSec enables authentication and provides integrity checking and encryption of IP packets. The IKE protocol included in it is the connecting link that unites all IPSec components into a single system and implements the initial authentication of the parties and the exchange of their shared keys.

Installation and support of the VPN tunnel takes place in two stages (in two phases of IKE). First, IKE creates a secure channel between the two nodes called the IKE Security Association (IKE SA), and the first phase begins.

Here IKE works in the main mode - these are three two-way exchanges between the sender and the recipient. During the first exchange, encryption algorithms and hash functions are matched by matching the IKE SA of each node. During the second exchange, the Deffy-Hellman algorithm is used, when the parties pass each other a shared secret key.

Also at this stage, the nodes check each other by transmitting and confirming a sequence of pseudo random numbers. During the third exchange, the identity of the opposite side is verified using the encrypted IP address.

Then the second phase begins, during which the key data is generated, and the nodes agree on the policy used. This mode is set only after the first stage, when all packets of the second phase are encrypted. If the second phase completed correctly, we can assume that the tunnel is installed.

This is just one of the additional features of VMware vShield Edge. In addition, vShield Edge allows you to "raise" the software firewall, which, like any other, checks the traffic and, depending on the settings in the relevant rules, blocks or allows its transmission. The order in which the rules are applied can be changed by simply dragging and dropping the corresponding rule with the mouse in the vCloud Director console.

VShield Edge also integrates dynamic host configuration protocol functionality. It allows you to automate the mechanism for assigning IP addresses to virtual machines connected to networks of a virtual organization. You can configure and manage IP ranges directly from the vCloud Director console.

Another worth noting is the DHCP service, which greatly simplifies the process of assigning IP addresses and minimizes administrative overhead and errors. In the DHCP console, it is possible to create the so-called address pool, which is a container with the IP addresses stored in it for issuing to virtual machines.

IP addresses are issued for a certain period of time: there are two parameters in the vShield Edge settings: the default lease time is 3600 seconds, and the maximum time is 7200 seconds by default. If the IP address was leased to a virtual machine, it is considered busy and cannot be assigned to another node until the lease expires.

All of these features are controlled from a single vCloud Director console. Detailed guides on setting up Site-to-Site IPsec VPN, Firewall, NAT, DHCP, static routing and network load balancing can be found in our blog.

Another useful VMware product is the VMware vSphere Power CLI - this tool automates the administrative tasks of the administrator when working with ESX servers and virtual machines. There are a lot of examples of using Power CLI: from searching for the user who deleted the virtual machine, to full-fledged diagnostics programs for the VMware vSphere virtual infrastructure. For example, it can be used to track down processor performance issues.

One of the important performance parameters is the intensity of processor resources consumption. For example, in a vSphere environment, too many virtual machines are used with highly loaded applications running on them - all this can lead to insufficient processor resources. Sometimes the reason for this shortage is another point related, for example, to inefficient use or suboptimal configuration of virtual machines.

And so, the lack of CPU resources leads to serious problems with performance and affects the work of services important for business. For example, a high Co-stoptime indicates that there are more vCPUs than necessary, and this often causes additional resource consumption and reduces the performance of the virtual machine.

The Guest CPU Saturation parameter indicates the CPU load of the virtual machine: if the virtual machine application uses 90% or more CPU resources, there is a performance problem. These and many other parameters of the VMware vSphere Power CLI allow you to track.

When investigating CPU performance problems, pay attention to the following counters:

• Demand - the number of CPUs of the virtual machine required for operation.
• Ready is an indicator of the time during which the virtual machine is ready to start, but cannot due to a lack of physical resources.
• Usage - the number of virtual machine processors currently allowed for use.

The image above shows how much CPU resources are required for the virtual machine to work and how much is actually used. In this particular case, it is required (Demand) much more than used (Use).

Also pay attention to the Ready Time indicator, equal to 9977 ms - this is another indicator that you should pay attention to when looking for performance problems. If this value turns out to be more than 10%, then there is a high probability of performance problems. To convert a value from milliseconds to percent, you can use the following formula:



It is important to remember that tuning virtual machines with a large number of virtual CPUs can lead to an increase in resource use, potentially affecting the performance of heavily loaded systems. And even if the guest operating system does not use all the dedicated virtual processors, such a machine will consume host resources at the physical level. A detailed guide to monitoring processor performance can be found on our corporate blog ( 1 , 2 ).

As part of this article, I would like to touch upon another tool related (albeit indirectly) to vCloud Director. It's about Veeam Backup. With it, the administrator can make backupsmetadata and attributes of virtual services and restore virtual services and virtual machines directly to vCD.

The topic of backup was, is and will be relevant at all times. Every year, the amount of data stored on both physical and cloud platforms of various companies is constantly growing, and this dramatically changes the look of the backup market.

Veeam Cloud Connect offers a fast and reliable way to transfer backups to remote cloud sites, as well as data recovery. This decision is subject to the so-called “3-2-1” rule, according to which, to ensure reliable data storage , these conditions must be met:

• Have three backups;
• Use two types of storage media;
• Store one instance remotely.

Veeam Cloud Connect technology enables reliable backup storage at remote sites of cloud service providers, comprehensive control with guaranteed ability to restore data stored on remote sites directly from the backup console, the ability to use backup archiving tasks using built-in WAN acceleration and long-term policies storage.

To start using the benefits of Veeam Cloud Connect, you first need to decide on the Veeam cloud service provider, whose site will be used as a reliable storage for virtual machine backups - such providers have the competency of Veeam Cloud Provider(VCP). At the same time, any customer who has opted for backup to the cloud will need a subscription to services from a cloud provider.

The second step is to deploy the Veeam Backup & Replication product on the client side, plan and configure infrastructures, select and connect to remote sites of Veeam cloud providers, and so on. You can see the whole process in detail, again, in our blog .