All Posts in “VMware”

NSX and Securing Multi-tenancy Policy

Discussing security in multi-tenant cloud environments, both public and private, consumes so much of my time. This time, though, let’s get into micro-segmentation and the coolness that is VMware’s NSX. At least it’s a different angle, so I don’t get bored writing about it :)

From an Operations perspective I want my environment to be as simple as possible and consistently deployed. As I add tenants to my infrastructure this becomes even more imperative, right? Think about it this way: if you are a car mechanic, you can be a mechanic at a dealership and see similar vehicles all day, let’s say Audi for example, or you can work at a boutique shop and see every kind of vehicle. The benefit of the dealership is that they can roll through more cars per day on average than a boutique shop, because all of the cars have roughly the same layout and use the same size nuts and bolts, etc. Essentially the mechanic has the blueprints for the cars they are servicing.

In Operations, if we have the same management stack across everything, we have the blueprint and it’s simple. Enter the security team …

In security, simple is also important, BUT we also need to have gates and gatekeepers. In a multi-tenant environment, regardless of the M&O (management and orchestration) stack, be it vRA or XStream, we need to ensure that one tenant’s data cannot corrupt another’s. Equally important, we have to make sure that if/when a tenant is compromised (get your head out of the gutter) that compromise doesn’t trickle to my core infrastructure or to other tenants.

“Obvi Mike!”

Yeah, I get it, but that’s not as obvious to everyone, because think about what this means. First, it means you need separate attack surfaces. In VMware terms this means two vCenters: one to manage the core infrastructure and another to manage the tenant infrastructure. This ensures that in the event you get attacked and your tenants get PWND, you still have a layer between the tenants and the core infrastructure that manages it all. It also means you have a stretched management network. This creates a vulnerability in and of itself, because it stretches across both the core infrastructure and the tenant architectures. However, we do not provide access to this management network from tenants directly; rather, we create jump servers or dual-homed transitional boxes.

In NSX terms: we have controllers spanned across the environment, and each tenant has its own NSX Edge and its own set of VXLANs. The management network is linked off of whatever the M&O service is and provides visibility into the tenant for management, but does not allow tenant traffic to jump across to other tenants. This is done with distributed firewall rules (ACLs for specific traffic) applied on one of the M&O VM’s vNICs. It would also be possible to NAT this traffic across the Edge Gateway from tenant to management for the necessary monitoring and orchestration traffic.
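To make the intended isolation checkable rather than just described, here is an added example of my own (not code from the original post, and not NSX’s API or rule syntax) that models the per-tenant policy as a first-match, default-deny rule table in C and audits it for the invariants above: no tenant-to-tenant traffic, no tenant-to-management traffic, and management-to-tenant monitoring allowed. The zone names (tenantA, tenantB, mgmt), the service labels, and both rule tables are constructed; the "weak" table shows what a leftover any/any allow rule does to the audit.

```c
/* Added example: a first-match, default-deny model of the per-tenant policy
 * described above, plus an audit of the isolation invariants. Not NSX code;
 * zone names, service labels and rule sets are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { DENY = 0, ALLOW = 1 };

/* "any" in a field is a wildcard, as in a typical firewall rule table. */
struct rule {
    const char *src;
    const char *dst;
    const char *service;
    enum verdict action;
};

static int field_match(const char *pattern, const char *value) {
    return strcmp(pattern, "any") == 0 || strcmp(pattern, value) == 0;
}

/* First matching rule wins; no match falls through to the default deny. */
enum verdict evaluate(const struct rule *rules, size_t n,
                      const char *src, const char *dst, const char *service) {
    for (size_t i = 0; i < n; i++)
        if (field_match(rules[i].src, src) && field_match(rules[i].dst, dst) &&
            field_match(rules[i].service, service))
            return rules[i].action;
    return DENY;
}

/* Invariants from the post, checked over a few concrete services:
 *   tenant -> other tenant : DENY      tenant -> mgmt : DENY
 *   mgmt   -> tenant       : ALLOW for the monitoring service only
 * Returns the number of (src, dst, service) checks that failed. */
int audit_isolation(const struct rule *rules, size_t n,
                    const char *const *tenants, size_t ntenants,
                    const char *mgmt, const char *monitor_svc) {
    static const char *const services[] = { "ssh", "https", "monitor" };
    const size_t nsvc = sizeof services / sizeof services[0];
    int failed = 0;
    for (size_t a = 0; a < ntenants; a++) {
        for (size_t s = 0; s < nsvc; s++) {
            for (size_t b = 0; b < ntenants; b++)
                if (a != b && evaluate(rules, n, tenants[a], tenants[b], services[s]) == ALLOW)
                    failed++;
            if (evaluate(rules, n, tenants[a], mgmt, services[s]) == ALLOW)
                failed++;
        }
        if (evaluate(rules, n, mgmt, tenants[a], monitor_svc) != ALLOW)
            failed++;
    }
    return failed;
}

static const char *const tenants[] = { "tenantA", "tenantB" };

/* Weak table: a troubleshooting any/any allow left at the top of the list. */
static const struct rule weak_rules[] = {
    { "any",     "any",     "any",     ALLOW },
    { "mgmt",    "tenantA", "monitor", ALLOW },
    { "mgmt",    "tenantB", "monitor", ALLOW },
};

/* Corrected table: only monitoring from the management vNIC is allowed;
 * anything into mgmt, and everything between tenants, is explicitly denied. */
static const struct rule good_rules[] = {
    { "mgmt",    "tenantA", "monitor", ALLOW },
    { "mgmt",    "tenantB", "monitor", ALLOW },
    { "any",     "mgmt",    "any",     DENY  },
    { "tenantA", "tenantB", "any",     DENY  },
    { "tenantB", "tenantA", "any",     DENY  },
};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

int weak_failures(void) {
    return audit_isolation(weak_rules, COUNT(weak_rules), tenants, COUNT(tenants), "mgmt", "monitor");
}
int good_failures(void) {
    return audit_isolation(good_rules, COUNT(good_rules), tenants, COUNT(tenants), "mgmt", "monitor");
}

int main(void) {
    printf("weak table: %d failed checks\n", weak_failures());   /* 12 */
    printf("good table: %d failed checks\n", good_failures());   /* 0 */
    return 0;
}
```

The explicit tenant-to-tenant deny rules in the corrected table are redundant with the default deny; they are there so the intent survives when someone later appends a broader allow below them, which is exactly the mistake the weak table shows at the top of its list.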

If that all sounds good, then your next question is: how does this work? Rather than reinventing the wheel, I would recommend you read Matt Berry & Anthony Burke’s post on zero-trust solution architecture with NSX. I think it best captures the right way to segment environments for security.

What do you think? Is this a little too security crazy, or is this the way you would architect your multi-tenant environments?

EVC, Patios, & Oh My!

Ever walk into a datacenter where they have vSphere clusters defined by processor type? It happens more than you would think, and it comes from a misconception. Recently I saw one where they couldn’t live vMotion between two vSphere 6 clusters because the processors were different generations.

“Umm, turn on Enhanced vMotion Compatibility (EVC)?”, I asked.

The answer was that they didn’t want to limit the capabilities of the cluster. Their initial plan was that the newer hardware cluster would handle all of the heavy-workload VMs and keep all of the light VMs on the older hardware. They also believed that EVC would drop everything down to the lowest common denominator and limit the faster procs to the slowest speed.

So I showed them the actual vSphere documentation:

You can use the Enhanced vMotion Compatibility (EVC) feature to help ensure vMotion compatibility for the hosts in a cluster. EVC ensures that all hosts in a cluster present the same CPU feature set to virtual machines, even if the actual CPUs on the hosts differ. Using EVC prevents migrations with vMotion from failing because of incompatible CPUs.

EVC masks only those processor features that affect vMotion compatibility. Enabling EVC does not prevent a virtual machine from taking advantage of faster processor speeds, increased numbers of CPU cores, or hardware virtualization support that might be available on newer hosts.

EVC cannot prevent virtual machines from accessing hidden CPU features in all circumstances. Applications that do not follow CPU vendor recommended methods of feature detection might behave unexpectedly in an EVC environment. VMware EVC cannot be supported with ill-behaved applications that do not follow the CPU vendor recommendations. For more information about creating well-behaved applications, search the VMware Knowledge Base for the article Detecting and Using New Features in CPUs.

Imagine it this way: you are invited to an orgy and there is a mix of folks, old, young, good looking, and ugly. Some of these folks may be left out when it’s time to pair up, but if they all wear masks you limit the impact of bias based on at least one category. EVC also doesn’t restrict capabilities; instead it allows everyone to appear to perform the same to the VMs, so it’s like giving the old guys at the party Viagra.
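The "well-behaved" feature detection the quoted documentation calls for means asking the CPU (CPUID, plus XGETBV for AVX) rather than assuming a feature from the processor model. What follows is an added example of mine, not code from the post or from VMware: a small C program that decodes the CPUID leaf 1 feature bits the way the vendor manuals specify. Under an EVC mask a hidden feature simply reads as absent here, which is the behaviour the docs describe. The feature set, the decode_leaf1 and detect_features names, and the constructed register values in the comments are my own. The decoder is kept pure so it can be checked on any host; the live query only compiles on x86.

```c
/* Added example (not from the post or VMware): CPUID-based feature detection of
 * the kind the quoted documentation recommends. Features are read from CPUID
 * (and XCR0 for AVX), never inferred from the CPU model, so a feature that an
 * EVC baseline masks simply reports as absent. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

struct cpu_features {
    int sse4_2;     /* CPUID.1:ECX bit 20 */
    int aes_ni;     /* CPUID.1:ECX bit 25 */
    int osxsave;    /* CPUID.1:ECX bit 27: OS has enabled XSAVE/XGETBV */
    int avx;        /* CPUID.1:ECX bit 28: CPU reports AVX */
    int avx_usable; /* AVX may actually be executed (see decode_leaf1) */
};

/* Pure decoder: takes CPUID leaf 1 ECX and the XCR0 value, so it can be
 * exercised with constructed register values on any host. */
struct cpu_features decode_leaf1(uint32_t ecx, uint64_t xcr0) {
    struct cpu_features f;
    f.sse4_2  = (ecx >> 20) & 1;
    f.aes_ni  = (ecx >> 25) & 1;
    f.osxsave = (ecx >> 27) & 1;
    f.avx     = (ecx >> 28) & 1;
    /* Vendor rule: AVX is usable only if the CPU reports it, the OS enabled
     * XSAVE, and XCR0 has both XMM (bit 1) and YMM (bit 2) state enabled. */
    f.avx_usable = f.avx && f.osxsave && ((xcr0 & 0x6) == 0x6);
    return f;
}

#if HAVE_CPUID
/* XGETBV faults unless OSXSAVE is set, so callers check that bit first. */
static uint64_t read_xcr0(void) {
    uint32_t eax, edx;
    __asm__ volatile("xgetbv" : "=a"(eax), "=d"(edx) : "c"(0));
    return ((uint64_t)edx << 32) | eax;
}
#endif

/* Query the running CPU. On non-x86 builds, or if CPUID leaf 1 is
 * unavailable, every flag reports as absent, which is the safe default. */
struct cpu_features detect_features(void) {
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
        uint64_t xcr0 = ((ecx >> 27) & 1) ? read_xcr0() : 0;
        return decode_leaf1(ecx, xcr0);
    }
#endif
    return decode_leaf1(0, 0);
}

int main(void) {
    struct cpu_features f = detect_features();
    printf("sse4.2=%d aes-ni=%d avx=%d avx_usable=%d\n",
           f.sse4_2, f.aes_ni, f.avx, f.avx_usable);
    return 0;
}
```

An application that instead decides "this is a Haswell-class box, so AVX is there" is the ill-behaved case the docs warn about: EVC only masks the CPUID report, so such code may run the instruction anyway and then behave differently after a vMotion, which is why VMware does not support it.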

Next I set about tackling the concern of mixed-workload environments. Have you ever laid down base rock for a patio? It takes a mix of stone sizes, so that when they compact they interlock and form a smooth, solid surface on which you can build your patio. VMware workloads are very similar: it’s not that there aren’t reasons to restrict workloads to specific hosts, but it’s better to have a mix for better utilization. It also ensures a more solid foundation for the entire virtual environment.

Look out VMworld is a comin!

Excuse my grammar I have been binge watching Hell on Wheels.

With that out of the way, VMworld is right around the corner. With so many great sessions it can be hard to decide what to attend. I figured I would list but a few that I am excited for:

STO6548-GD – Group Discussion on Hyper-converged Infrastructure – Listen to Jase McCarty and others discuss hyper-converged infrastructure. Should be entertaining and informative about how infrastructure is evolving.

MGT5318 – Becoming a vRealize Automagician: Why Automation isn’t Automatic – If for nothing else, the title is awesome, but you also get to listen to Steve Kaplan and Jad El-Zein, amongst others, talk about vRO and vRA integrations. This should help you get smart.

STO5133 – VMware Virtual SAN + HyTrust DataControl: Delivering Encryption Services for Data at Rest and in Motion – Another Jase McCarty session but this time focusing on VSAN and security. If you are running or thinking about running VSAN in an enterprise environment this needs to be a session you catch.

OPT5069 – Enterprise Hybrid Cloud – Federal Case Study – Ok, this one is a little self-serving, but this is the session I will be presenting along with Travis Howerton from Oak Ridge National Labs. If you are interested in how IT is evolving in the Federal environment and how hybridity helps to solve real IT problems, then come and say hi.

INF5539 – Infrastructure Security Panel Discussion – This is one I normally try to catch, looking at virtualization security and how it scales, with Mike Foley, Greg Hatch, Steve Kaplan, and Davi Ottenheimer.

Don’t forget to use the Schedule Builder to map out your days, but leave some time for networking and socializing.

Aside from these I am looking forward to some of the evening events like the v0dgeball, the vBrisket party and the VMworld closing party at AT&T Park. So say hi, stop by, and let’s have a drink together and enjoy the fun and excitement that is VMworld.

Oh, and let me know you read the site and get yourself a VirtuallyMike zipper pull, cause who doesn’t like swag?

* Update: Here is the official list of VMworld activities and gatherings