Technical requirements – Cloud Security Fundamentals

In the age of digital innovation, cloud computing has become the backbone of modern business operations. The convenience, scalability, and cost-efficiency of the cloud have revolutionized how we store, process, and share data. As we embrace the cloud’s potential, we must also acknowledge the growing importance of cloud security. Protecting our digital assets from a range of threats is paramount in this interconnected world. Cloud security encompasses a wide range of concerns, including data protection, access control, compliance with regulatory requirements, and the overall integrity and confidentiality of information stored and processed in the cloud.

This chapter focuses on building a baseline understanding of cloud security, which means understanding the key principles and strategies that underpin our ability to operate securely in the cloud. You will learn about some of the most important topics of cloud security, such as the shared responsibility model, defense in depth, the Zero Trust model, compliance concepts in the cloud, and the Cloud Adoption Framework.

The following main topics are covered in this chapter:

  • What is cloud computing?
  • Exploring cloud security
  • The shared responsibility model
  • Defense in depth
  • The Zero Trust model
  • Compliance concepts
  • Cryptography and encryption in the cloud
  • The Cloud Adoption Framework

Let us get started!

Technical requirements

To get the most out of this chapter, you are expected to have the following:

  • A baseline understanding of cloud computing concepts.
  • A general understanding of, or experience working in, an IT environment. To deepen your understanding, you can use the sandbox environment of your organization’s CSPM tool, if available.

What is cloud computing?

Cloud computing is a technology that allows organizations and individuals to access and use computing resources such as processing power, storage, and software over the internet without having to buy and maintain physical infrastructure. Cloud service providers (CSPs) such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and many other providers offer these services. Cloud offerings extend traditional IT offerings by adding many other services such as artificial intelligence (AI), machine learning (ML), Internet of Things (IoT), and security.

Cloud computing is a powerful technology for organizations of all sizes. Here are some of the key features of cloud computing:

  • Agility: Cloud computing allows organizations to rapidly deploy and scale computing resources up or down as needed, which means they can be more agile and respond quickly to changing business requirements. With cloud computing, businesses can avoid the time and expense of building and managing their IT infrastructure, allowing them to focus on developing and delivering their products and services.
  • Productivity: Cloud computing can improve productivity by providing access to computing resources and software from anywhere, on any device, and at any time. This flexibility allows employees to work remotely and collaborate more easily, which can lead to increased productivity and efficiency:

Figure 1.1 – Cloud computing

  • Resiliency: Cloud computing can improve resiliency by providing redundancy and failover options, which means that if one computing resource fails, others can take over seamlessly. This reduces the risk of downtime and improves the availability and reliability of applications and services.
  • FinOps: Cloud computing offers Financial Operations (FinOps) capabilities that allow organizations to manage and optimize their cloud spending. This includes tools for monitoring cloud usage, forecasting costs, and optimizing resource allocation to reduce costs and maximize value.
  • Pay-as-you-go model: Cloud computing is often priced on a pay-as-you-go basis, which means that organizations only pay for the computing resources they use. This allows businesses to avoid the capital expense of buying and maintaining their IT infrastructure, and instead, pay for computing resources as an operational expense.

In summary, cloud computing provides organizations with agility, productivity, resiliency, FinOps, and a pay-as-you-go model, making it an attractive option for businesses looking to optimize their IT operations and focus on delivering value to their customers.

Gartner estimates the following by 2025 (https://www.gartner.com/en/newsroom/press-releases/2021-11-10-gartner-says-cloud-will-be-the-centerpiece-of-new-digital-experiences):

  • More than 95% of new digital workloads will be deployed on cloud-native application platforms, up from 30% in 2021
  • 70% of the new applications developed by companies will use low-code or no-code technologies
  • More than 50% of organizations will have explicit strategies to adopt cloud-delivered Secure Access Service Edge (SASE), up from less than 5% in 2020
  • 85% of organizations will embrace cloud-first principles

While these estimates may look overwhelming, there is no doubt that the cloud provides extraordinary benefits to the data-driven business world.

SDDC deployment – Appendix: Preflight before Onboarding

When preparing for the deployment of your first SDDC, you need to collect the configuration data in advance. The settings ideally should be captured at the design stage, as discussed in the previous chapter.

The following table depicts the configuration items you need to provide to successfully deploy your first SDDC:

| Configuration section | Configuration item | Description |
| --- | --- | --- |
| SDDC (see Figure 12.3 for details) | Name | Free text field. You can change the name after the deployment as well. It is recommended to use the company naming convention. |
| | AWS Region | AWS Region where your SDDC resides. The Region should fit your subscription, AWS VPC configuration, and AWS DX configuration (if in use). |
| | Deployment | Single host – for POC only, for 60 days only. Multi-host – production deployment. Stretched cluster – a deployment across two AWS AZs. |
| | Host type | Select one of the available host types. The host type should fit into your subscription, design, and workload requirements. You have a choice between i3.metal, i3en.metal, and I4i.metal. See Figure 12.4 for the deployment wizard where the host type is specified. VMware constantly adds new instances; check the VMware documentation for the available instances. |
| | Number of hosts | Count of ESXi hosts in your first cluster. If your design requires a multi-cluster setup, you will add additional clusters after the SDDC is provisioned with the first cluster. |
| AWS Connection (see Figure 12.2 for details) | AWS account | This is an AWS account you own. Choose the account according to the design and security requirements. |
| | Choose a VPC | Select an AWS VPC (the VPC should be precreated) in your AWS account. This VPC will become a connected VPC after the deployment. |
| | Choose subnet(s) | Select a subnet in your VPC (the subnet must be precreated). The subnet must have enough free IPs for the SDDC deployment (to accommodate ESXi hosts’ ENI interfaces). The subnet also defines the destination AZ. You cannot change the subnet after the deployment. If you deploy a stretched cluster SDDC, you must select two subnets in two different AZs. |
| SDDC networking | Provide the management subnet CIDR | You should provide a private network subnet with enough IP addresses for the SDDC management (vCenter, ESXi hosts, vSAN network, etc.). It is recommended to use a /23 subnet if you plan to deploy more than 10 hosts. You cannot change the subnet after the deployment. Make sure the subnet does not overlap with the on-premises or other connected networks (including AWS). |

Table 12.1 – SDDC Configuration Details

You can review the deployment wizard in Figure 12.3:

Figure 12.3 – SDDC deployment wizard SDDC Properties

You can review the VPC and subnet details of the SDDC wizard in Figure 12.4:

Figure 12.4 – SDDC deployment wizard. AWS VPC and subnet

After you have provisioned the SDDC, you must configure access to the vSphere Web Client to manage your SDDC through VMware vCenter Server. You will use the NSX manager UI to create a Management Gateway Firewall Rule. By default, access to vCenter is not allowed. You will specify an IP or a subnet and entitle it to access vCenter. An “allow all” rule is not possible.
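As an added example (not code from the book or from VMware), the following Python preflight check applies the networking rules from Table 12.1 and the Management Gateway constraint above: the management CIDR must be private, a /23 or larger when more than 10 hosts are planned, and must not overlap any connected network; and the rule that opens vCenter must name a specific source rather than "allow all". The class and function names and all sample CIDRs are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SddcNetworkPlan:
    """Inputs a team collects before the SDDC deployment wizard (constructed)."""
    management_cidr: str                                     # SDDC management subnet
    host_count: int                                          # ESXi hosts in the first cluster
    connected_networks: dict = field(default_factory=dict)   # name -> CIDR (on-premises, VPC, ...)
    vcenter_sources: list = field(default_factory=list)      # MGW rule sources allowed to reach vCenter


def check_management_cidr(plan: SddcNetworkPlan) -> list:
    """Return a list of findings; an empty list means the CIDR passes every rule."""
    findings = []
    # strict=True rejects host bits in the network address, e.g. 10.0.0.1/23
    try:
        mgmt = ipaddress.ip_network(plan.management_cidr, strict=True)
    except ValueError as exc:
        return [f"management CIDR {plan.management_cidr!r} is invalid: {exc}"]
    if not mgmt.is_private:
        findings.append(f"{mgmt} is not a private (RFC 1918) range")
    # Chapter guidance: a /23 or larger when more than 10 hosts are planned
    if plan.host_count > 10 and mgmt.prefixlen > 23:
        findings.append(
            f"{mgmt} is a /{mgmt.prefixlen}; a /23 or larger is recommended "
            f"for {plan.host_count} hosts")
    # The management subnet cannot be changed after deployment, so overlap is a hard stop
    for name, cidr in plan.connected_networks.items():
        other = ipaddress.ip_network(cidr, strict=False)
        if mgmt.overlaps(other):
            findings.append(f"{mgmt} overlaps {name} ({other})")
    return findings


def check_vcenter_rule_sources(sources: list) -> list:
    """Validate the source CIDRs of the Management Gateway rule that opens vCenter.

    vCenter is unreachable by default and the MGW does not accept an 'allow all'
    rule, so an empty source list and a 0.0.0.0/0 (or ::/0) source are both findings.
    """
    findings = []
    if not sources:
        findings.append("no source specified: vCenter stays unreachable")
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{net} is an 'allow all' source, which the MGW does not permit")
    return findings


def preflight(plan: SddcNetworkPlan) -> list:
    """Run every check and return the combined findings."""
    return check_management_cidr(plan) + check_vcenter_rule_sources(plan.vcenter_sources)


if __name__ == "__main__":
    # Constructed sample plan that breaks three rules from the chapter
    bad = SddcNetworkPlan(
        management_cidr="10.10.0.0/24",
        host_count=12,
        connected_networks={"on-premises": "10.10.0.0/16",
                            "connected VPC": "172.31.0.0/16"},
        vcenter_sources=["0.0.0.0/0"],
    )
    for finding in preflight(bad):
        print("FAIL:", finding)
```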

Hybrid cloud configuration – Appendix: Preflight before Onboarding

If your design requires a connection to on-premises, several configuration changes have to be made to establish the connection. If you also need to configure HCX for migration, it adds some complexity to the deployment. The following table lists the relevant configuration items to be considered for the hybrid cloud deployment:

| Configuration section | Configuration item | Description |
| --- | --- | --- |
| Network configuration | VPN | Policy-based or route-based. See the networking section in Chapter 2 for more details on VPNs. |
| | AWS DX (see Figure 12.5) | You can choose to use the AWS DX service to gain predictable latency and possibly higher throughput for your workload. You can leverage the following: AWS DX provisioned as a private VIF to your SDDC; an AWS DX VIF connected to an AWS DX Gateway (DXGW), in which case you will use an SDDC group and a vTGW to connect your SDDC(s) to the DXGW; or cloud connector service providers, which can offer an alternative by sharing cloud connectivity lines (from the SDDC perspective, the connection would still be in the form of a private VIF or a connection to a DXGW). |
| | Dynamic routing support | VMware Cloud on AWS supports only the BGP dynamic routing protocol. You can filter incoming/outgoing routes and/or announce 0.0.0.0/0 to route all SDDC traffic through the selected connection. If you have multiple connections from on-premises to the cloud, it is important to synchronize the routing information (e.g., avoid announcing 0.0.0.0/0 through DX and specific subnets through a route-based VPN). |
| SDDC management (see Figure 12.6) | vCenter Server | Reconfigure to use a private IP. |
| | NSX manager | Reconfigure to use a private IP. |
| | HCX manager | Reconfigure to use a private IP. |
| Firewall | Management Gateway Firewall | Ensure the on-premises CIDRs that require access to vCenter/NSX Manager/HCX Manager are included in the management firewall rules. |
| | Compute Gateway Firewall | Ensure you add on-premises CIDRs and map them to the DX/VPN interface. |
| Migration Service | Activate HCX | HCX Enterprise is included with VMware Cloud on AWS SDDC. |
| | Pair HCX managers | Configure a pairing between on-premises and the cloud. You can have multiple site pairs if needed. |
| | Configure a network profile (see Figure 12.7) | Configure HCX on VMware Cloud on AWS to use the “directConnectNetwork1” network profile. Add a non-overlapping private CIDR (different from the SDDC management network). HCX will use this network to establish connectivity between the appliances. The SDDC workflow will automatically add the subnet to the BGP route distribution and create the required firewall rules. |
| | Create a service mesh | Override the network uplink configuration to use the directConnectNetwork1 network profile while configuring the service mesh. |
| | Configure network extension | The HCX network extension service can extend vSphere vDS VLAN-based port groups to the cloud. You can enable high availability for your NE appliances (you need to configure an HA group before extending a VLAN). |
| Migrate workloads | Identify VMs to be migrated | Identify the VMs that make up an application and migrate them as part of the same migration group. |
| | Select migration type | Select between vMotion, bulk migration, and replication-assisted vMotion (RAV). See Chapter 3, which covers HCX migrations in great depth, for more details. |
| | Configure schedule | Use this option to define the switchover/start of vMotion. If using bulk or RAV, you need to make sure HCX has enough time to replicate virtual machine data. |

Table 12.2 – Hybrid Cloud configuration details
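The dynamic routing rule from Table 12.2 (do not announce 0.0.0.0/0 over DX while announcing specific subnets over a route-based VPN) as an added Python check; this is not code from the book or from VMware. It takes constructed (connection, prefix) pairs as the SDDC would learn them over BGP and reports where longest-prefix matching would steer traffic away from the default-route connection, plus any announced prefix that overlaps the management CIDR. Connection names and prefixes are constructed.

```python
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def check_route_announcements(announcements, management_cidr):
    """Return findings for routes learned from on-premises over several connections.

    announcements: iterable of (connection_name, prefix) as received over BGP.
    management_cidr: the SDDC management subnet, which no announced prefix may overlap.
    """
    findings = []
    mgmt = ipaddress.ip_network(management_cidr, strict=False)
    routes = {}  # connection name -> list of announced networks
    for conn, prefix in announcements:
        routes.setdefault(conn, []).append(ipaddress.ip_network(prefix, strict=False))

    # Connections that carry a default route
    default_over = [c for c, nets in routes.items() if DEFAULT_ROUTE in nets]

    for conn, nets in routes.items():
        for net in nets:
            if net == DEFAULT_ROUTE:
                continue
            if net.overlaps(mgmt):
                findings.append(f"{net} over {conn} overlaps the management CIDR {mgmt}")
            # Longest-prefix match: a specific subnet over one link wins over
            # a default route over another, so that traffic leaves the default path
            for dconn in default_over:
                if dconn != conn:
                    findings.append(
                        f"{net} is announced over {conn} while the default route "
                        f"comes over {dconn}: traffic to {net} will prefer {conn}")
    return findings


if __name__ == "__main__":
    # Constructed example of the pattern the chapter warns against:
    # default route over DX, one on-premises subnet over the VPN
    sample = [("DX", "0.0.0.0/0"), ("VPN", "10.20.0.0/16"), ("DX", "10.30.0.0/16")]
    for finding in check_route_announcements(sample, "10.2.0.0/23"):
        print("WARN:", finding)
```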

You can review the Direct Connect configuration in Figure 12.5.

Figure 12.5 – AWS DX VIF attached to an SDDC

You can review the FQDN configuration in Figure 12.6:

Figure 12.6 – Configure vCenter Server, HCX, and NSX FQDN resolution

You can review the configuration of HCX to leverage AWS Direct Connect (DX) connection in Figure 12.7:

Figure 12.7 – VMware Cloud on AWS HCX network profile: uplink over AWS DX

Next steps

Now that you have completed the basic SDDC setup and connected the SDDC to on-premises, you can use the following list to get further information about the services and next steps:

Accessing and configuring the VMware Cloud Console – Appendix: Preflight before Onboarding

There are a couple of steps required before you can start consuming VMware Cloud on AWS. You use the VMware Cloud Console to provision VMware Cloud on AWS SDDC. If you are already using any of the VMware Cloud services, you can just log in to the VMware Cloud Console and look for VMware Cloud on AWS in the Services inventory:

Figure 12.1 – VMware Cloud Console Services inventory

However, if it’s the first time you’re using VMware Cloud services, you should get access to the VMware Cloud Console.

The following steps outline the procedure to get started with the VMware Cloud Console:

  1. Receive a welcome email: Upon processing your purchase, VMware will send an email with an activation link. Use this link to log in to the VMware Cloud Console.
    NOTE
    VMware will use the email address designated as the “Fund owner’s” to send the activation link.
  2. Set up an Organization: An Organization provides authentication boundaries for your VMware Cloud services. Each Organization can be entitled to different services. A user can access multiple Organizations and switch between them in the VMware Cloud Console.
  3. Set up VMware Cloud service accounts: After gaining initial access to the VMware Cloud Console and creating an Organization, you can entitle user accounts to access VMware Cloud on AWS. You can use manual assignment, or you can federate the VMware Cloud Console with your identity provider. If your design includes federation for the VMware Cloud Console, it’s important to configure the federation feature before you deploy the VMware Cloud on AWS SDDC.
  4. Create a term subscription: If you purchased a term subscription, it’s important to create a subscription object in the VMware Cloud Console before you deploy an SDDC. Creating a subscription matching your purchase is the organization’s responsibility – VMware does not pre-create a subscription in your VMware Cloud Organization. Make sure you have all the details of your purchase contract before creating a subscription, including the following:
    • AWS Region
    • Host count and host type
    • Subscription type – flexible or standard
    • Subscription duration – 1 year or 3 years

Figure 12.2 – Creating a subscription for VMware Cloud on AWS
NOTE
You can deploy a VMware Cloud on AWS SDDC without creating a subscription. In this case, VMware will use on-demand prices for billing. If you purchased a subscription but did not create a subscription object in the VMware Cloud Console, on-demand prices will be applied. If you deploy your SDDC using a different AWS Region or host type, or use more hosts, on-demand prices will be applied as well.

Purchasing and onboarding – Appendix: Preflight before Onboarding

In this chapter, we will cover the most important configuration items you need when you deploy the SDDC and configure a hybrid cloud environment.

You will find a detailed description of the configuration steps and items from previous chapters of this book.

Purchasing and onboarding

When purchasing the service and preparing for the first SDDC deployment, you need to choose a couple of options. These options may have a large impact on the further operations of the service, so make sure your choices are well thought out, as you will not be able to change some of them moving forward.

Purchasing and funding

When purchasing the service, you can select one of the following options:

  • A direct VMware purchase
  • AWS resell
  • Purchasing through a Managed Service Provider (MSP)

VMware Cloud on AWS supports all three routes to market. Depending on your purchase strategy, you may find one or the other better suited to your needs.

Note

Some services available for VMware Cloud on AWS can only be purchased directly from VMware, for example, Microsoft host-based licenses for workloads on VMware Cloud on AWS.

When purchasing from VMware, you can choose how you want to pay for the service:

  • VMware Purchasing Programs: You can select from a different range of programs, most of them offering so-called Credits. You can use credits toward payment for VMware Cloud on AWS. Consult a VMware sales representative to get more details about available programs. (More details on VMware Purchasing Programs can be found here: https://customerconnect.vmware.com/web/vmware/spp-landing.)
  • Pay by invoice: You can activate pay by invoice using the VMware Cloud Console.
  • Pay with a credit card: Applicable for small purchases up to $25,000.

Consumption options

When deploying VMware Cloud on AWS SDDC, you have a choice between the following:

  • Subscription: Your commitment to buy a certain amount of host capacity for a defined period. When purchasing a subscription, you select the AWS Region, host type, and the number of hosts. You can pay upfront or monthly. If purchasing from VMware or AWS, you can select the following:
    • Flexible subscription: The terms of the subscription (number of hosts, region, host types) can be changed over time (limitations apply)
    • Standard subscription: The terms of the subscription are fixed and cannot be changed
  • On-demand: You can run VMware Cloud on AWS SDDC using on-demand prices. You are free to select the region, host type, and the number of hosts.

Typically, a standard 3-year term subscription is the most cost-effective option, while on-demand prices are the highest. Depending on your use case, one or another option might work better. In our experience, a flexible subscription is the right balance between flexibility and cost savings.

FAQ – Knowing the Best Practices, FAQs, and Common Pitfalls

In this section, we will cover the most common questions we get from organizations that are interested in VMware Cloud on AWS. You can also find the comprehensive FAQs list published on the VMware Tech Zone website (https://vmc.techzone.vmware.com/vmware-cloud-aws-frequently-asked-questions).

How is VMware Cloud on AWS different from “just” a vSphere deployment?

VMware Cloud on AWS includes not only vSphere, but also vSAN and NSX, providing an all-in-one solution for organizations’ needs. VMware Cloud on AWS is offered as a service, in contrast to an on-premises vSphere deployment, removing the burden of lifecycle management from IT teams.

How does VMware Cloud on AWS fit into the “public cloud first” strategy?

VMware Cloud on AWS provides enterprises with a quick, secure, and scalable option to mass migrate thousands of applications to the public cloud. VMware Cloud on AWS offers a lot of native public cloud benefits, including elastic capacity, without the need to refactor or rearchitect applications.

What are the key technical differentiators of VMware Cloud on AWS?

VMware Cloud on AWS helps you quickly deploy a vSphere-based SDDC on the public cloud, simplifying hardware and infrastructure management. The ability to flexibly manage capacity with eDRS and provide native AZ resiliency with stretched clusters are key technical differentiators of VMware Cloud on AWS SDDCs.

How does VMware Cloud on AWS enforce security for my workloads?

Migrating enterprise line-of-business applications to a public cloud infrastructure might raise a lot of security questions. VMware Cloud on AWS provides a secure way to deploy, operate, and decommission applications in the public cloud with the help of VMware NSX. VMware Cloud on AWS ensures security at the hardware level (encryption in transit, self-encrypted NVMe drives, etc.) and at the infrastructure level (vSAN datastore encryption is always on, NSX firewalls are activated by default and configured to drop all incoming traffic, etc.). VMware Cloud on AWS uses the shared responsibility model (https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/vmc-aws/vmware-shared-responsibility-model-overview-vmware-cloud-on-aws.pdf) to provide transparency in achieving security and compliance for your workload.

How can I get started?

VMware Cloud on AWS is easy to deploy (https://vmc.techzone.vmware.com/vmc-aws-quick-start) – you can create a new SDDC with just a couple of clicks and, in two hours, enjoy full-featured VMware Cloud on AWS SDDC functionality. You can use the free trial program (https://www.vmware.com/products/vmc-on-aws/free-trial.html) to get to know VMware Cloud on AWS right now!

Summary

In this chapter, we focused on defining best practices when planning, designing, and operating a cloud environment based on VMware Cloud on AWS. As well as best practices, it’s also important to learn about and understand examples of suboptimal design choices and their potential influence on the infrastructure. Reviewing the most common questions and answers will help you summarize the most important points about VMware Cloud on AWS.

In the next chapter, we will review some configuration examples.

Storage – Knowing the Best Practices, FAQs, and Common Pitfalls

Storage resources are crucial for storing an application’s data. You should account for both capacity and performance requirements while designing, implementing, and operating the infrastructure. We will review the most common misconfigurations and/or suboptimal design choices:

  • Sizing

Storage resources define two different dimensions of resources – storage capacity and storage performance. While sizing an environment, very often only one of these dimensions, in most cases capacity, will be considered. This approach is a direct path to failure. Even if your SDDC will have enough storage to host your workload, the resulting performance in many cases is inadequate and will lead to lengthy and costly escalations.

When sizing storage, make sure to follow the recommendation of VMware Cloud Sizer (https://vmc.vmware.com/sizer) both in terms of capacity and performance. Double-check your sizing assumptions and tweak them using the advanced sizer if needed.

Figure 11.5 – VMware Cloud Sizer – Sizing Assumptions

  • Storage policies

vSAN is very easy and intuitive to manage with storage policies directly in vCenter. There’s no need to work with the storage team, and it’s easy to make changes. However, this ease could work against you. You could be tempted to use RAID5 for all your workloads to free up more space than you’d get with RAID1. RAID5 has a known performance implication, especially for workloads with predominantly small writes, which cause a lot of overhead with RAID5. If the initial sizing has been done with a RAID5 configuration, you may not have enough hosts to switch to RAID1 if needed. If you find yourself in this situation, decide whether you can split some of the VMDKs and dedicate small VMDKs to a particular data type – the database transaction log and tempdb are good candidates for such optimizations.

Day 2 operations – Knowing the Best Practices, FAQs, and Common Pitfalls

The Day 2 operations of the infrastructure are one of the key elements of a successful implementation. Often, underestimating Day 2 operations leads to a suboptimal solution design that is hard to maintain, leading to dissatisfaction. Day 2 operations are the phase in which your team will spend most of its time working with the environment.

As a best practice, your architecture should be built with the primary focus on the Day 2 operations:

  • Ensure you engage the IT operations team when presenting key design decisions.
  • Plan to train the IT operations team on the new technologies.
  • Include runbook updates as a part of your design implementation.
  • Explain the key lifecycle management changes when moving to VMware Cloud on AWS.
  • Validate current monitoring/backup/automation tools for compatibility. Recommend updating or switching to other tools if necessary.

VMware Cloud on AWS can streamline the Day 2 operations of the environment:

However, VMware Cloud on AWS also differs from an on-premises vSphere environment in a few key ways:

  • Most of the infrastructure-level settings (ESXi host, vSphere cluster, vCenter) are predefined by VMware and cannot be changed. The settings’ values may be different from what you are using in your environment.
  • The permission model does not allow full access to the environment, including vCenter, ESXi, and NSX manager. This may limit some operations and/or optimization you are performing in your on-premises environment.
  • Backup compatibility: VMware requires each vendor of a backup solution to undergo a certification process to validate compatibility with VMware Cloud on AWS. Make sure your current backup solution is certified, or you will need to plan a transition to a different product/vendor. You can check the following KB article outlining certification for various backup solutions (https://kb.vmware.com/s/article/76753).

Make sure to address key Day 2 operations challenges in the design phase. It’s not helpful if you find out your backup vendor is incompatible after workload migration!

Contract documentation

VMware offers VMware Cloud on AWS as a managed service. As a consumer of cloud services, you should double-check all the relevant contract documentation before making a purchase decision. VMware has simplified and consolidated access to contract documentation on a separate web page (https://www.vmware.com/agreements.html). Use this page to look for terms and agreements for VMware products and services. For VMware Cloud on AWS, we recommend you review the following set of documents: