Presenting IBM Cloud IaaS during "Tech Up Tour 2019" to Customers and BPs @ IBM HQ in Rome, Italy
#ibmcloud #digitaltransformation #infrastructuremodernization #multicloud
IBM Cloud Infrastructure as a Service (IaaS)- Feb 2019 by Gianfranco Mollo
1. IBM Cloud
IBM Cloud Tech Up Tour
Live@LAB
Infrastructure as a Service
26 February, IBM Rome
Gianfranco Mollo
Cloud Technical Sales Leader Italy (IaaS)
7. Network Security Options
Security Groups
• Value-added network security solution
• Define security policies at the instance level
• No support for bare metal
Dedicated Hardware Firewall
• 1Gbps, single-tenant protection for servers that share the same VLAN
• Provisioned on demand without service interruptions
FortiGate® Security Appliance 10Gbps
• Single-tenant firewall for multiple VLANs on public and private networks
• Provides access to add-ons such as intrusion prevention, anti-virus protection, and web filtering
Shared Hardware Firewall
• Protection for single servers provisioned on demand without service interruptions.
17. Mission Critical VMware on IBM Cloud (HA)
Providing Multi-Site Active/Active Infrastructure with Automated Failover
• Built for customers needing maximum availability of their VMware workloads
• Essential to the survival of the business and cannot be impacted
• Critical to mitigate outages affecting customer confidence and brand integrity
• Covers multiple enterprise services, including network, storage, resiliency, and tooling for monitoring and troubleshooting cloud-based applications
• Fully managed, multi-zone cloud architecture to prevent downtime for cloud applications and automate failovers within a cloud region
• Architecture supports targeted aggregate availability of 99.99%
• Optional DR and backup services provide additional layer of protection
• Available today via IBM Services and IBM Cloud for VMware Solutions
24. Security & Compliance
• Policy-enforced automation tied to the bare metal chipset for authorizing data and workload access
• Confidence that workloads always boot up on uncompromised and trusted hardware/software stacks
• Detailed environment reporting to reduce audit risk and support corporate and regulatory compliance
Solution Benefits
• Automated VMware solutions on trusted bare metal infrastructure
• Hardware-based security technology to protect workloads
• Policy-enforced data access controls and reporting
Data Security & Compliance Readiness
• With operations subject to GDPR compliance - data fencing
• Protect IP or fencing data between depts.
Advocates/Solution Users
• Reduces many security barriers to cloud adoption
Four key principles define IBM’s approach and separate it from other vendor approaches.
Hybrid - enable enterprises across Public, Private, and traditional environments
Multicloud - Manage other vendors’ Clouds, acknowledging the reality that client environments are heterogeneous
Open - Build capabilities that are open by design, enabling client flexibility and reducing vendor “lock in”
Secure - Provide reliability and continuous security for the client’s environment
Management - Consistent service level, support, logging, management and delivery across complete cloud environment
3 networks separate public, private, and internal management networks
55 total data centers around the globe
40 ms of latency onto private networks global
Note: SoftLayer is now referred to as Bluemix
Data Centers:
Building and operating a data center involves more than filling a room with servers. Every aspect of an IBM Cloud data center—from location and accessibility to power density and redundancy—is designed to guarantee its security, resiliency, and efficiency. We build each center to the same spec and equip it to provide the full Bluemix catalog of services. And each is staffed 24x7 with experts to troubleshoot and address the rare issues that can’t be directly resolved through our automated management system.
IBM Bare Metal Servers 3x Faster than AWS
13 Tbps of connectivity between data centers and network points of presence
56 total data centers around the globe
Note: SoftLayer/Bluemix are now referred to as IBM Cloud
Traffic travels on separate interfaces, securing while streamlining management
Provision and update network resources on demand as your traffic needs fluctuate
Distribute resources to your end users with industry-leading redundancy and software
If your prospect needs enterprise-grade firewall protection, make sure you lead with FortiGate Security Appliance 10Gbps and position its robust add-ons appropriately.
Compute options from high-abstraction to high-control.
Servers are configurable with VMware vSphere 6.0 or 6.5, Red Hat Enterprise Linux 6.7 for SAP HANA, Red Hat Enterprise Linux 6.8 for SAP Applications, Red Hat Enterprise Linux 7.2 for SAP HANA or SUSE Linux Enterprise Server 12 for SAP
Ultimately every IT admin wants to know what storage is a good fit for certain workloads. Let's define and compare...
What is object storage?
Object storage (also referred to as object-based storage) is a general term that refers to the way in which we organize and work with units of storage, called objects. Every object contains three things:
The data itself. The data can be anything you want to store, from a family photo to a 400,000-page manual for assembling an aircraft.
An expandable amount of metadata. The metadata is defined by whoever creates the object storage; it contains contextual information about what the data is, what it should be used for, its confidentiality, or anything else that is relevant to the way in which the data is used.
A globally unique identifier. The identifier is an address given to the object in order for the object to be found over a distributed system. This way, it’s possible to find the data without having to know the physical location of the data (which could exist within different parts of a data center or different parts of the world).
How block storage and object storage differ
With block storage, files are split into evenly sized blocks of data, each with its own address but with no additional information (metadata) to provide more context for what that block of data is. You’re likely to encounter block storage in the majority of enterprise workloads; it has a wide variety of uses (as seen by the rise in popularity of SAN arrays).
Object storage, by contrast, doesn’t split files up into raw blocks of data. Instead, entire clumps of data are stored in, yes, an object that contains the data, metadata, and the unique identifier. There is no limit on the type or amount of metadata, which makes object storage powerful and customizable. Metadata can include anything from the security classification of the file within the object to the importance of the application associated with the information. Anyone who’s stored a picture on Facebook or a song on Spotify has used object storage even if they don’t know it. In the enterprise data center, object storage is used for these same types of storage needs, where the data needs to be highly available and highly durable.
However, object storage generally doesn’t provide you with the ability to incrementally edit one part of a file (as block storage does). Objects have to be manipulated as a whole unit, requiring the entire object to be accessed, updated, then re-written in their entirety. That can have performance implications.
Another key difference is that block storage can be directly accessed by the operating system as a mounted drive volume, while object storage cannot do so without significant degradation to performance. The tradeoff here is that, with object storage, the storage management overhead of block storage (such as remapping volumes) is relatively nonexistent.
What about the tradeoffs?
Object storage has the potential to provide IT departments a great deal of value. It can save money in infrastructure costs by allowing the organization to use less-expensive hardware, it can reduce management time through ease of scalability, as well as provide tremendous flexibility for certain types of storage needs. But, as exciting as it sounds, object storage is not the answer to all your storage problems. Sometimes, block storage is a far better fit. There are use cases where object storage performs beautifully, scales out seamlessly, and solves all sorts of management headaches, but in other situations it outright fails to meet the needs of your application.
Workloads for object versus block storage
Object storage works very well for unstructured data sets where data is generally read but not written to. Static Web content, data backups and archival images, and multimedia (videos, pictures, or music) files are best stored as objects. Databases in an object storage environment ideally have data sets that are unstructured, where the use cases suggest the data will not require a large number of writes or incremental updates.
Geographically distributed back-end storage is another great use case for object storage. Object storage applications present as network storage and support extensible metadata for efficient distribution and parallel access to objects. That makes it ideal for moving your back-end storage clusters across multiple data centers. In addition, it’s very important to recognize that object storage was not created as a replacement for NAS file access and sharing; it does not support the locking and sharing mechanisms needed to maintain a single accurately updated version of a file. Because block-level storage devices are accessible as volumes and accessed directly by the operating system, they can perform well for a variety of use cases. Good examples of block storage use cases are structured database storage, random read/write loads, and virtual machine file system (VMFS) volumes.
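To make the access-pattern difference concrete, the following is an added example (not code from the original deck or from IBM Cloud) that models both storage types as described above: a block volume of fixed-size addressable blocks with no metadata, and an object store whose objects carry data, expandable metadata and a globally unique identifier and can only be replaced whole. The 4 KiB block size, the 1 MB file and the metadata values are constructed for the demonstration; the function returns how many bytes each model has to rewrite to change a single byte.

```python
import uuid
from dataclasses import dataclass, field

BLOCK_SIZE = 4096  # constructed: 4 KiB blocks, a typical volume block size

class BlockVolume:
    """Block model: fixed-size addressable blocks, no metadata; a write rewrites only its blocks."""
    def __init__(self, size: int):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(-(-size // BLOCK_SIZE))]
        self.bytes_written = 0  # device-level write cost

    def write(self, offset: int, data: bytes) -> None:
        for i, b in enumerate(data):
            self.blocks[(offset + i) // BLOCK_SIZE][(offset + i) % BLOCK_SIZE] = b
        first, last = offset // BLOCK_SIZE, (offset + len(data) - 1) // BLOCK_SIZE
        self.bytes_written += (last - first + 1) * BLOCK_SIZE

@dataclass
class StoredObject:
    """Object = data + expandable metadata + globally unique identifier."""
    data: bytes
    metadata: dict = field(default_factory=dict)
    object_id: str = field(default_factory=lambda: str(uuid.uuid4()))

class ObjectStore:
    """Object model: objects are replaced whole; there is no in-place partial write."""
    def __init__(self):
        self.objects, self.bytes_written = {}, 0

    def put(self, obj: StoredObject) -> str:
        self.objects[obj.object_id] = obj
        self.bytes_written += len(obj.data)
        return obj.object_id

    def patch(self, object_id: str, offset: int, data: bytes) -> StoredObject:
        # Editing one byte still means get, modify, and re-put the entire object
        old = self.objects[object_id]
        new = StoredObject(old.data[:offset] + data + old.data[offset + len(data):],
                           dict(old.metadata), old.object_id)
        self.put(new)
        return new

def write_amplification(size: int = 1_000_000) -> tuple:
    """Flip one byte at offset 500 000 of a size-byte file on both models; return (block bytes rewritten, object bytes rewritten)."""
    payload = bytes(size)
    vol = BlockVolume(size)
    vol.write(0, payload)
    vol.bytes_written = 0  # measure the edit only
    vol.write(500_000, b"\x01")
    store = ObjectStore()
    oid = store.put(StoredObject(payload, {"classification": "internal"}))
    store.bytes_written = 0
    store.patch(oid, 500_000, b"\x01")
    return vol.bytes_written, store.bytes_written
```

The block volume rewrites one 4 KiB block while the object store rewrites the full 1 MB, which is the performance implication of whole-object updates that the text refers to.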
We adhere to IBM security standards across the IBM Cloud portfolio. We work with independent auditors and third-party organizations to meet the industry’s most stringent guidelines.
Please visit this web page for more complete info and to see copies of the certificates: https://www.ibm.com/cloud-computing/bluemix/compliance
We will cover the VMWare on IBM Cloud portfolio starting with the strategic partnership that was announced between IBM and VMware in 2016.
This partnership announced that IBM Cloud provides clients the ability to move existing and new VMware workloads to the IBM Cloud, in a compatible, hybrid solution.
The benefits include:
A dedicated private solution deployed on single-tenant, bare metal infrastructure for improved compatibility with on-premises VMware workloads, and for the improved security and control that enterprise clients demand
The fact that this solution is compatible with on prem workloads gives the clients the ability to build hybrid environments connecting on prem and cloud and to activate advanced workload portability, moving to and from the cloud with no application rewrites.
This solution also includes the benefits that come from public cloud offerings, such as cloud monthly subscriptions, the flexibility to spin resources up and down, all with no contracts.
- VSS: VMware vSphere on IBM Cloud, which is build-your-own
  - only needs one node and vSphere, so less expensive but no automation
  - targeted at commercial and digital accounts; the other two are targeted at enterprise
  - more flexible
- VCF: VMware Cloud Foundation on IBM Cloud (VCF is automated; reference architecture standardized to build automation around it)
  - bare minimum: NSX, vSAN, vCenter Server, vSphere, SDDC Manager; minimum 4 nodes because of vSAN redundancy requirements
  - 5 VMware licenses
  - part of the VMware contract to offer this
- VCS: VMware vCenter Server on IBM Cloud (VCS is automated; reference architecture)
  - bare minimum: NSX, vSphere (compute), vCenter Server with 3 nodes minimum, so the price point is higher
  - 3 VMware licenses minimum
  - designed by us, as most don't want vSAN and SDDC; development controlled by us
  - has other storage options, e.g. block, NetApp
  - now offered with the Hybridity bundle
Since we've moved to the vSphere 6.5 + NSX 6.4.1 release we now have VUM (VMware Update Manager) capability that addresses ESXi updates, and NSX 6.4 now also has its own update manager process to update the entire NSX environment. This is a major improvement compared to our original releases, where Cloud Foundation had automated update capabilities and VCS had nothing by default.
VUM+NSX do not have the level of automation that LCM does, but they do provide fine-grained control over the update process that LCM does not. The function is definitely not equivalent: LCM has full automation for the customer, with a large impact on our DevOps team fixing LCM when it breaks (which is often), compared to VCS customers using VUM+NSX to update everything themselves. So far, most customers have preferred the VUM option that they can control.
IBM Cloud for VMware Solutions is a complete portfolio of solutions that continues to grow, let’s check it out.
First, IBM Cloud Bare Metal Infrastructure. If you don’t know, IBM Cloud, through the 2013 SoftLayer acquisition, has been the leader in hosting bare metal infrastructure. Why is that important? Well, for running a full vSphere stack, having root access to the server is required, and hosting on bare metal provides just that. Other public clouds are NOT hosted on bare metal and are single tenant by nature, preventing running a fully functional version of VMware on their clouds.
Next, here we have the Core Platform Services. These are the foundation of what we sell to customers. We have 3 key solutions to choose from and we’ll go deeper into each of these in our Data Center Extension session. For now, please note that these 3 bundles offer considerable advantages over the original “roll your own” versions that have been sold since 2016.
Benefits of these Core Offerings include Automated Provisioning, Consumption through monthly subscription with no commitment, and all Hardware and software licenses are included in the base price and deployed for the customer.
In addition to these foundational elements, there are additional benefits and purpose-built solutions and services that we offer, including security, business continuity, storage and more.
Finally, clients have historically been hesitant to adopt cloud because of both compatibility and difficulties migrating those workloads. The compatibility problem is solved with our offering of VMware on bare metal. These offerings provide a 100% compatible environment in which to run VMware workloads. BUT what about the migration? We have a solution for that as well: Hybrid Cloud Manager, seamless workload migration to and from on-premises environments.
Visibility down to Intel chipset, Intel TXT and HyTrust secure workloads to authorized trusted hosts that physically reside in authorized locations with compliance readiness
During boot sequence, validate to known signature to ensure no BIOS tampering and establish a root of trust.
Data encryption at-rest, data fencing to prevent unauthorized movement of encrypted data.
All security is whitelisted (e.g., can prevent malware from being installed).
Secure encrypted keys at scale with key management from HyTrust
HyTrust DataControl creates multi-cloud security by managing workload encryption with encryption keys in a central location to reduce complexity
HyTrust CloudControl is a VMware vSphere-compatible virtual appliance that sits between the virtual infrastructure and its administrators. Whenever an administrative request is submitted to the infrastructure, the appliance determines whether that request complies with the organization's security policies, before permitting or denying it accordingly.[17] By logging all requests, records are produced that can be used for regulatory compliance and auditing, troubleshooting, and forensic analysis.
virtual data center, which is much smaller physically, and administrators may have unfettered (and unmonitored) access across the entire system. That is where the notion of concentration of risk comes in. That which is easy to access is easy to compromise. Add the possibility for a public cloud where your data is, essentially, outside your direct control, and you have a compact target for attack. So a solution to that challenge needs to be built from the ground up to address both the environment and the threats. That is exactly what HyTrust CloudControl does.
CloudControl supports strong authentication, role-based access control, rule of four eyes (two-person) enforcement, policy enforcement, root password vaulting and infrastructure hardening. It can integrate with Intel's TXT system as well.
Intel TXT (Trusted Execution Technology): hardware technology that authenticates the platform and O/S to ensure an authentic O/S starts in a trusted environment
IBM Cloud Secure Virtualization, enabled by Intel TXT, operates at the chipset level to ensure only authorized servers in authorized locations are processing data and managing workloads
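The following is an added illustration of the measured-boot idea behind the notes above (validating each boot stage against a known-good whitelist to establish a root of trust, and only authorizing workloads on trusted hosts in authorized locations). It is a simplified software model written for this page, not Intel TXT, HyTrust or IBM Cloud code: the TPM-style extend operation is real in spirit, but the component images, the location labels and the policy format are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || measurement). The chain depends on
    every earlier stage and cannot be rewound, which is what anchors the root of trust."""
    return hashlib.sha256(register + measurement).digest()

def measure(component: bytes) -> bytes:
    """Measurement of one boot stage: the hash of its image bytes."""
    return hashlib.sha256(component).digest()

@dataclass(frozen=True)
class HostPolicy:
    """Whitelist entry: the expected final register value for a known-good boot
    stack plus the location in which the host may process workloads (constructed format)."""
    expected_register: bytes
    allowed_location: str

def boot_chain(components: list) -> bytes:
    """Measure each stage (BIOS, bootloader, hypervisor, ...) in order into one
    register, starting from the all-zero reset value."""
    reg = bytes(32)
    for stage in components:
        reg = extend(reg, measure(stage))
    return reg

def known_good_policy(trusted_components: list, location: str) -> HostPolicy:
    """Derive the whitelist value from the golden images of each stage."""
    return HostPolicy(boot_chain(trusted_components), location)

def authorize_workload(policy: HostPolicy, observed_components: list, host_location: str) -> tuple:
    """Decide whether a host may receive a workload: the measured chain must equal the
    whitelisted value and the host must sit in the permitted location. Returns (allowed, reason)."""
    if boot_chain(observed_components) != policy.expected_register:
        return False, "measurement mismatch: boot stack differs from whitelist"
    if host_location != policy.allowed_location:
        return False, "host outside authorized location"
    return True, "trusted host in authorized location"

# Constructed sample images; real measurements cover firmware and hypervisor binaries
GOLDEN = [b"BIOS v1.0 (constructed)", b"bootloader (constructed)", b"hypervisor (constructed)"]
TAMPERED = [b"BIOS v1.0 (constructed, modified)", GOLDEN[1], GOLDEN[2]]
POLICY = known_good_policy(GOLDEN, "site-A")  # "site-A"/"site-B" are placeholder locations

if __name__ == "__main__":
    print(authorize_workload(POLICY, GOLDEN, "site-A"))     # trusted host, allowed
    print(authorize_workload(POLICY, TAMPERED, "site-A"))   # BIOS changed, refused
    print(authorize_workload(POLICY, GOLDEN, "site-B"))     # wrong location, refused
```

Because the register is extended in order, a host whose stages are all genuine but booted in a different order also fails the comparison, which is why the whitelist records the chain value rather than a set of individual hashes.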