IBM Cloud for VMware Solutions: Take a look under the hood
Deploy and manage VMware virtualized environments
Take an in-depth look at the architecture of IBM Cloud for VMware Solutions, an IBM Cloud offering that provides deployment and management of VMware virtualized environments. In this tutorial, I'll show you the components of the offering so you can see how they work together to provision and maintain the environment in the public cloud.
Two companies, one streamlined solution
For some time now, users have been deploying VMware virtualized environments to the IBM public cloud, either by themselves or with the help of professional services. In February 2016, IBM and VMware announced a partnership to automate the process of deploying VMware software and VMware environments in the IBM cloud. One of the early fruits of this partnership was the ability to order a variety of VMware product deployments and licenses from the IBM Cloud portal, followed later by the availability of VMware Horizon Air in IBM Cloud. In addition, IBM and VMware worked together to jointly produce a standard reference architecture and deployment prescription for VMware in the IBM public cloud.
In the fall of 2016, IBM and VMware jointly released IBM Cloud for VMware Solutions. This set of offerings is based on VMware's virtualization technologies, including virtualized compute (VMware vSphere), networking (VMware NSX), and, optionally, virtualized storage (VMware vSAN). These environments are aptly called software-defined data centers.
IBM Cloud for VMware Solutions builds on VMware technology to significantly streamline the deployment and management of these software-defined data centers in the IBM public cloud. Using IBM Cloud for VMware Solutions, it is now possible to deploy portions of the standard reference architecture to the IBM Cloud automatically rather than manually. Environments that previously took weeks to deploy and configure can now be provisioned in a matter of hours.
This ease of deployment allows you to focus on implementing solutions on top of VMware rather than building your environment. With environments at your quick disposal, you can build both hybrid cloud solutions spanning your private cloud and the IBM public cloud, as well as cloud native solutions in the IBM public cloud. By combining multiple deployments, you can easily add disaster recovery or high availability capabilities to your solutions.
Now let's take a look under the hood of the IBM Cloud for VMware Solutions architecture. You'll gain an understanding of the different components that are part of the solution, and how they work together to provision and manage your software-defined data center in the IBM Cloud. You'll also learn about the network topology and several options you have for connecting to your environment.
IBM Cloud for VMware Solutions basics
Your software-defined data centers are provisioned and managed using the IBM Cloud for VMware Solutions portal. You log in to this portal using your IBM id. You will also need to associate your IBM id with your IBM Cloud account or create a new IBM Cloud account.
Figure 1. IBM Cloud for VMware Solutions portal
Using this portal, you can provision either of the two featured kinds of virtualization environments:
- A VMware vCenter Server on IBM Cloud instance is a basic virtualization environment that uses VMware vSphere Hypervisor, VMware vCenter Server, and VMware NSX.
- A VMware Cloud Foundation on IBM Cloud instance is a comprehensive software-defined data center that uses VMware Cloud Foundation's SDDC Manager, VMware vSphere Hypervisor, VMware vCenter, VMware vSAN, and VMware NSX.
You can also provision either of these environments with additional add-on services that provide backup, disaster recovery, migration, security, and networking services.
Prior to ordering a Cloud Foundation or vCenter Server instance, you must configure your IBM Cloud infrastructure API key in the IBM Cloud for VMware Solutions portal. To do this, click the Settings link in the left menu of the portal, and enter your user name and API key where prompted for IBM Cloud infrastructure credentials. The system will verify that your API key and account have appropriate permissions and settings to deploy your instance.
Figure 2 shows the top of the order page for a vCenter Server instance. First, you choose a name for your instance. All VMware instances are deployed together with Microsoft Active Directory domain controllers, and for single sign-on purposes, you must designate your instance as either a primary or secondary site. A primary instance is the first (and perhaps only) instance in your single sign-on domain. You can deploy additional secondary instances and associate them with the same single sign-on domain of an existing primary instance. Next, you choose whether to bring your own VMware licenses, or which edition of license you want to rent from IBM Cloud. Finally, you choose the IBM Cloud region and datacenter for your instance, as well as the CPU and memory characteristics for the hosts in your cluster.
Figure 2. Step 1 in the Cloud Foundation instance order process
Figure 3 shows the next part of the order page for a vCenter Server instance. Here, you are prompted for the storage and networking characteristics for your instance. You can choose between vSAN and NFS storage for your cluster, with the ability to choose the size and number of vSAN Flash disks and the vSAN license edition, or the size, count, and performance of NFS storage volumes. For networking, you choose the hostname prefix for your hosts as well as the subdomain and domain for the cluster. You have the option of deploying the Active Directory controllers as a single IBM Cloud virtual server instance (VSI) or as two virtual machines within your cluster, for which you need to provide licensing and activation.
Figure 3. Step 2 in the Cloud Foundation instance order process
Figure 4 shows the remainder of the vCenter Server order page. Here, you can select from a variety of additional services that you can deploy for your VMware instance and which are billed to your IBM Cloud account. Some services require additional configuration, which you specify as part of the order form.
Figure 4. Step 3 in the Cloud Foundation instance order process
The order form calculates and displays a price estimate based on your selections. You have the opportunity to review this estimate as well as various terms and conditions before placing your order.
The order portal presents you with a variety of CPU, memory, and storage options for your instance. New options are made available regularly, so visit the portal for the latest availability information. Note that vCenter Server instances have a choice of vSAN and NFS storage, while VMware Cloud Foundation instances always use vSAN storage.
These instances are deployed using three VLANs: one public and two private. The public VLAN is connected to dual 10GbE interfaces and is largely reserved for your use at your discretion for public connectivity or tunneling for your own workload deployments. However, at deployment time, an NSX Edge Services Gateway pair is deployed on the public VLAN to allow the IBM cloud driver component to connect over the public network. This allows it to communicate with the IBM management systems to perform management of your instance, such as adding nodes to the environment or upgrading system components. The private VLANs are connected to separate dual 10GbE interfaces; the first private VLAN is used for management communications and NSX VTEP, and the second is used for vMotion and for NFS storage traffic.
At the time of this writing, VMware instances can be provisioned in 30 different IBM Cloud data centers. IBM Cloud provisions new data centers from time to time; visit the portal for the latest list of available locations.
When you order a new VMware vCenter or VMware Cloud Foundation instance, you choose the instance location and specification. The IBM Cloud for VMware Solutions portal then uses your previously selected IBM Cloud username and API key to orchestrate the entire process of ordering, installing, and configuring your virtualization environment. This includes:
- Ordering VLANs and subnets for networking.
- Ordering IBM Cloud Bare Metal Servers with vSphere Hypervisor installed.
- Deploying and configuring VMware vCenter Server, Platform Services Controller, and VMware NSX Manager, Controllers, and Edge Services Gateways.
- In the case of VMware Cloud Foundation, deploying VMware Cloud Foundation SDDC Manager.
- Ordering and configuring your cluster storage, including VMware vSAN or IBM Cloud Endurance storage.
- Deploying an IBM management component called the cloud driver.
- Deploying and configuring any add-on services that you selected for your instance.
- Validating the installation and configuration of the environment.
You select the IBM Cloud data center where you want to provision your instance. Provided the hardware is available in your selected IBM Cloud data center, the instance provisioning process typically takes less than 24 hours.
Once your instance has been provisioned, if you are connected to your IBM Cloud account through a VPN, you can connect to your vCenter server directly from the IBM Cloud for VMware Solutions portal. Figure 5 shows the vCenter web client view for a Cloud Foundation instance.
Figure 5. Deployed VMware Cloud Foundation instance
Your instance components are typically accessed by their hostnames rather than their IP addresses. In order to connect to and authenticate with vCenter, you should ensure that both the vCenter and Platform Services Controller (PSC) hostnames can be resolved by your workstation by adding them to your workstation's hosts file as shown in Listing 1. You can find the PSC and vCenter hostnames and IP addresses in the portal, on the Access Information tile for your instance. You might also want to add the hostnames and IP addresses for your vSphere hosts to your hosts file.
Listing 1. Hosts file
```
# VCS49WDC Platform Services Controller (PSC)
10.65.95.197 psc-vcs49wdc.vcs49wdc.vcs.icvs.dev.org
# VCS49WDC vCenter Server
10.65.95.196 vcenter.vcs49wdc.vcs.icvs.dev.org
```
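Because the hosts file overrides DNS for these management hostnames, a stale or altered entry silently sends your vCenter and single sign-on traffic to the wrong address. The following check is an added example, not part of the original tutorial: it parses hosts-file text and compares the PSC and vCenter entries against the values shown on the Access Information tile. The `EXPECTED` table reuses the Listing 1 values, and the extra conflicting line in the sample is constructed for illustration.

```python
import ipaddress

# Constructed sample: the Listing 1 entries plus a stale duplicate for vCenter.
SAMPLE_HOSTS = """\
# VCS49WDC Platform Services Controller (PSC)
10.65.95.197 psc-vcs49wdc.vcs49wdc.vcs.icvs.dev.org
# VCS49WDC vCenter Server
10.65.95.196 vcenter.vcs49wdc.vcs.icvs.dev.org
203.0.113.10 vcenter.vcs49wdc.vcs.icvs.dev.org   # constructed stale entry
"""

# Hostname -> IP as copied from the portal's Access Information tile
# (here: the values from Listing 1).
EXPECTED = {
    "psc-vcs49wdc.vcs49wdc.vcs.icvs.dev.org": "10.65.95.197",
    "vcenter.vcs49wdc.vcs.icvs.dev.org": "10.65.95.196",
}


def parse_hosts(text):
    """Return {hostname: [ip, ...]} in file order, ignoring comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address; skip the line
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(ip)
    return table


def audit_hosts(text, expected):
    """Return (hostname, problem, ip) tuples for missing or conflicting entries."""
    table = parse_hosts(text)
    findings = []
    for name, want in expected.items():
        want = str(ipaddress.ip_address(want))
        seen = table.get(name.lower(), [])
        if want not in seen:
            findings.append((name, "missing", want))
        for ip in dict.fromkeys(seen):  # unique addresses, file order kept
            if ip != want:
                findings.append((name, "conflict", ip))
    return findings


if __name__ == "__main__":
    # To audit a real workstation, read /etc/hosts (or the Windows hosts
    # file under System32\drivers\etc) instead of SAMPLE_HOSTS.
    for name, problem, ip in audit_hosts(SAMPLE_HOSTS, EXPECTED):
        print(f"{problem}: {name} -> {ip}")
```
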
After your instance has been deployed, you can manage it from the portal. The management capabilities include the ability to do each of the following:
- Deploy and remove nodes from your cluster.
- Deploy and remove additional clusters in the same datacenter and pod, or in alternate datacenters and pods.
- Deploy and remove add-on services for your instance.
- Upgrade certain license editions for your instance.
- View and apply software updates for your instance, including updates to the IBM components and (only in the case of VMware Cloud Foundation) updates to the VMware components.
Figure 6 shows the instance detail view for a vCenter Server instance. The summary tab includes a link to the vCenter console as well as other details about the instance and management components. The infrastructure tab shows details about the instance's clusters and hosts and allows you to add or remove clusters and hosts. On the update and patch tab, you can upgrade certain license editions as well as apply software updates. On the services tab, you can view and manage the add-on services deployed for your instance.
Figure 6. VMware Cloud Foundation instance management
IBM Cloud for VMware Solutions components
A number of different components work together to provision and manage your environment. Most of these components are deployed into your IBM Cloud account. Because the solution depends on all of these components working together, you should not modify or cancel any of these components from your IBM Cloud account. The correct way to remove a running instance is by using the portal rather than cancelling the individual components.
While this is an integrated virtualization environment, the cost of various virtualization components (such as VMware licenses), infrastructure components (bare metal servers, VLANs, subnets, and storage), and management components is itemized in the bill that you receive from IBM Cloud.
The portal component
The portal is part of the IBM Cloud. You log in to the portal to create and manage your instances. This portion of the solution is responsible for the initial ordering and provisioning of your environment, and also for the ongoing management of your environment. Your deployed instances communicate with the portal only by outbound-initiated secure connections through the NSX Edge Services Gateway pair in your instance.
The IBM Cloud Builder component
When you provision a new instance, the portal deploys a temporary virtual server instance (VSI) to your IBM Cloud account. This instance is known as the cloud builder. It performs the ordering of bare metal servers in your IBM Cloud account, the installation and configuration of all of the instance's components, and the validation of the environment. After the provisioning is complete, the cloud builder is deleted.
The IBM Cloud Driver component
In addition to installing VMware components such as vCenter Server and Platform Services Controller, the cloud builder deploys a virtual machine (VM), known as the cloud driver, directly into the VMware management cluster. Unlike the cloud builder, the cloud driver is a long-lived VM. It communicates with the portal only by outbound-initiated secure connections through the NSX Edge Services Gateway pair in your instance. The cloud driver acts as an agent to maintain your instance; for example, it is responsible for ordering and configuring new bare metal hosts that are added to the cluster, and for applying updates to the instance.
For all instances, vSphere Hypervisor is installed on the bare metal servers.
For a vCenter Server instance, vCenter Server, a Platform Services Controller, an NSX Manager, three NSX Controllers, and two NSX Edge Services Gateway pairs are deployed into the VMware management cluster, together with the cloud driver.
For a Cloud Foundation instance, a vCenter Server, a Platform Services Controller, an NSX Manager, three NSX Controllers, an NSX Edge Services Gateway pair, and a VMware SDDC Manager VM are all deployed into the VMware management cluster. The cloud driver works together with the SDDC Manager to maintain the VMware virtualization environment.
Regardless of how you choose to provide business continuity for your own workloads, IBM Cloud strongly recommends that you back up the management components of your instance. The IBM Cloud portal allows you to deploy an integrated IBM Spectrum Protect Plus backup server or a Veeam Backup & Replication backup server together with your instance. These backup servers are preconfigured to back up the management components of your instance daily. Depending on how many virtual machines you choose to license for backup, you can also use these backup servers to back up your own workloads.
In addition, the cloud builder orders IBM Cloud Endurance Storage, which is used to store these backups.
The cloud builder orders a number of VMware licenses (such as vCenter Server and NSX) in your IBM Cloud account, which correspond to their usage in the instance.
IBM Cloud for VMware Solutions network architecture
Both vCenter Server and Cloud Foundation instances connect to a public VLAN for your use with your deployed workloads. The public VLAN is largely reserved for your use at your discretion, but an NSX Edge Services Gateway pair is connected to the public VLAN allowing the cloud driver to communicate outbound with the portal for the management of your instance.
Both vCenter Server and Cloud Foundation instances have two private VLANs that are trunked together on the private network interface for your hypervisors. The first private VLAN is used for management connectivity (such as vCenter communications with hypervisors), and by NSX for tunneling all VXLAN traffic for your deployed workloads. The second private VLAN is used for vMotion and for storage traffic; the storage traffic can be either NFS or vSAN protocols.
Figure 7 illustrates the network and component architecture for the IBM Cloud components, as well as the components deployed in your IBM Cloud account. This diagram illustrates which VMs run within the ESXi cluster and which run as IBM Cloud VSIs. The communication between the portal and the cloud builder and cloud driver takes place outbound from your cloud builder and cloud driver through the NSX Edge Services Gateway pair in your instance.
Figure 7. Solution and network architecture
Connecting to your instance
You have a number of options for connecting to your instances. You can connect directly to private IP addresses in your instance (for example, vCenter) by using the IBM Cloud VPN. You can also order IBM Cloud network appliances and IBM Cloud hardware or virtual firewalls such as Vyatta and Fortigate for your account. IBM Cloud also offers direct links between your network and the VLANs in your IBM Cloud account.
For access to your deployed VMs, you can apply public IP addresses directly to your VMs. However, you can also use the IBM Cloud network appliance and firewall capabilities to set up more secure public access to your VMs using NAT and firewall. You can also deploy NSX Edge servers, and use these servers to set up VPN or NAT connectivity for your VMs.
In this tutorial, you learned about the basic capabilities of IBM Cloud for VMware Solutions for deploying and managing standardized VMware virtualization environments in the public cloud. Because you can provision these environments faster than ever before, you can focus your efforts on deploying your applications and solutions on top of them, and on connecting clouds together for disaster recovery or high availability.
We explored the various components that are deployed into your IBM Cloud account, which appear on your IBM Cloud billing statement and work together to keep your environment running. Finally, we considered the network architecture of the solution along with some options for establishing connectivity to the environment—either by using a variety of secure connectivity options to keep communications private, or by using various options for public internet connectivity.
Now that you're armed with everything you need to know to get started, go ahead and deploy your next VMware virtualization environment on the IBM Cloud today!
The author would like to express his appreciation to Ajay Apte, Liang Wang, and Rob Warren for their help with this article.